subtle
Harden constant-time equality on arrays and slices
The current implementation of `ConstantTimeEquality` for arrays and slices will short-circuit if the lengths are different. This PR does a constant-time length check before the componentwise check, and then uses a constant-time `BitAnd` for the final result.
This still strikes me as controversial, since both the existing implementation and this update leak something about length:
- The existing implementation leaks if the slices/arrays have different lengths, as well as the length itself via timing.
- The updated implementation leaks only the length via timing.
This seems like at worst no improvement, and at best a reasonable improvement.
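The two shapes discussed in the description above, as an added sketch: this is not code from the subtle crate or from this PR. The function names, the `u8` stand-in for a choice value, and the sample byte strings are assumptions made for illustration.

```rust
// Added illustration: not code from the subtle crate or from this PR.
// A plain u8 stands in for a choice value (1 = equal, 0 = not equal).
use std::hint::black_box;

/// Branch-free equality on u64: returns 1 if a == b, otherwise 0.
fn ct_eq_u64(a: u64, b: u64) -> u8 {
    let x = a ^ b; // zero only when a == b
    let nonzero = (x | x.wrapping_neg()) >> 63; // 1 when x != 0
    // black_box is a best-effort optimizer barrier (assumption of this sketch).
    black_box((nonzero ^ 1) as u8)
}

/// OR together the XOR of each byte pair; zip stops at the shorter slice.
fn ct_bytes_eq(a: &[u8], b: &[u8]) -> u8 {
    let mut acc = 0u8;
    for (x, y) in a.iter().zip(b.iter()) {
        acc |= x ^ y;
    }
    ct_eq_u64(acc as u64, 0)
}

/// "Before" shape: early return on a length mismatch.
fn slice_eq_short_circuit(a: &[u8], b: &[u8]) -> u8 {
    if a.len() != b.len() {
        return 0; // skips the loop, so a mismatch is visible in timing
    }
    ct_bytes_eq(a, b)
}

/// "After" shape: branch-free length check, byte check, then a bitwise AND.
fn slice_eq_hardened(a: &[u8], b: &[u8]) -> u8 {
    let len_ok = ct_eq_u64(a.len() as u64, b.len() as u64);
    let bytes_ok = ct_bytes_eq(a, b); // always runs; time tracks min(len)
    len_ok & bytes_ok // the AND rejects a matching prefix of different length
}

fn main() {
    let secret: &[u8] = b"tag-0123"; // constructed sample values
    let guesses: [&[u8]; 4] = [b"tag-0123", b"tag-0124", b"tag-01", b""];
    for guess in guesses {
        let (before, after) = (slice_eq_short_circuit(secret, guess), slice_eq_hardened(secret, guess));
        println!("{:?}: before={} after={}", guess, before, after);
    }
}
```

Both functions return the same answers; the difference is only that the hardened form has no branch on the length comparison, while its loop still runs for as many iterations as the shorter input has bytes.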