[noise] Symmetric-crypto overhaul and stateful hashing

[Loup Vaillant David]

> For example, imagine an implementation of ECDH that returns
> immediately if given an all-zeros public key. [timing attack]

Ah, timing attacks. I tend to assume constant time primitives (the
primitives I use are), so I didn't think of that.

Makes sense for a modular protocol such as Noise. Could be dangerous if
implementors add unnecessary error paths with different timings (or
even just aren't constant time).

Loup.