
SPHINCS: remove SHA-256 option

Open kriskwiatkowski opened this issue 1 year ago • 0 comments

That's because of "The two attacks related to SHA-256-based parameters claiming category 5 security will need to be carefully considered when selecting which parameters of SPHINCS+ to standardize. In both cases, the underlying issue is that, due to its 256-bit internal state, SHA-256 is not well designed to provide more than category 2 security in a wide variety of circumstances. While some applications of SHA-256 do appear to provide more security strength than this, gaining confidence in a SHA-256-based construction claiming more than category 2 security will require a security proof that explicitly considers that SHA-256 is a Merkle-Damgård hash with a Davies-Meyer compression function. The existing security proof for SPHINCS+ does not analyze the internal structure of the hash functions it uses. Ignoring the internal structure of the hash function is better motivated for the SHAKE256 parameter sets, due to results such as [254]."

See also "Bertoni G, Daemen J, Peeters M, Van Assche G (2008) On the indifferentiability of the sponge construction. Advances in Cryptology – EUROCRYPT 2008, ed Smart N (Springer Berlin Heidelberg, Berlin, Heidelberg), pp 181–197."

kriskwiatkowski, Jul 06 '22 08:07