Implement Covercrypt CCA

[tbrezot]

This PR implements Covercrypt CCA as described in the latest version of the Covercrypt paper.

Changes

• ML-KEM (Kyber768 CCA) is used with AES256-GCM to build a post-quantum PKE that replaces Kyber-PKE CPA;
• the MSK does not contain post-quantum keypairs anymore since kyber::SecretKey can extract the kyber::PublicKey from within itself;
• for symmetry, only the ElGamal::Scalar is stored instead of the key-pair, this means that a boolean storing the activation status needs to be added (this information was previously contained by the presence of the elgamal::EcPoint);
• the tag and output seed are generated from hashing both the encapsulated seed and the encapsulations (the eakem_hash! macro is removed);
• a random order of the encapsulation is chosen by the encapsulator, the Encapsulation therefore replaces the HashSet by a Vec in order to conserve this order through serialization;
• the EA trait was modified to reorder parameters in a more usual fashion and EA::decrypt now returns a Zeroizing<Vec<u8>> instead of a plain Vec<u8>.

Impact on performances and sizes

• USK size significantly increases since it now stores both public and private Kyber CPA keys (both contained in the Kyber CCA private key);
• decryption performs the FO transformation and therefore encrypt after each decryption;
• since the tag is now generated by hashing all the encapsulations, more time will be spent hashing (one hybridized encapsulation is 1KB).

Note: The impact of the increased hashing time should be negligible and the encryption upon decryption should not be predominant. However, the benchmarks need to be added again in order to quantify the performance degradation.

[Adamk93]

Honestly for me is good! I don't see anything to complain about.

[Manuthor]

Great!

Could you please:

• insert the PR description in the CHANGELOG.md?
• close this PR #128 and delete the branch
• close this issue #133 when merged