This repository has been archived by the owner on Sep 20, 2023. It is now read-only.

Generic EdDSA implementation #312

Merged
merged 12 commits into from
Apr 14, 2021
@ocheron (Contributor) commented Feb 24, 2020

My attempt at resolving #212 and replacing #298.

EdDSA is implemented in Haskell using Edwards25519 primitives, which allows selecting a different hash algorithm easily, and also adding "context" and "prehash" variants.

Compared to the C implementation in ed25519-donna, there is a performance impact of up to 18%, visible when signing an empty message:

EdDSA/EdDSA-Ed25519/sign                 mean 21.09 μs  ( +- 97.52 ns  )
EdDSA/EdDSA-Ed25519/verify               mean 57.05 μs  ( +- 530.6 ns  )
EdDSA/Ed25519/sign                       mean 17.92 μs  ( +- 39.56 ns  )
EdDSA/Ed25519/verify                     mean 55.24 μs  ( +- 515.6 ns  )

The 3 μs cost is as follows:

  • 1 μs because of the ScrubbedBytes backend in scalar values. This could be decreased with a mutable scalar API, or no scrubbing at all.
  • 1 μs because of hashing FFI calls, notably the hash "update" function, which is not marked unsafe.
  • 1 μs as the global overhead this approach has: additional Haskell allocations, indirections and FFI roundtrips.

@vincenthz merged commit cf89276 into haskell-crypto:master Apr 14, 2021

@vincenthz (Member)

This was some great work, and at least should be merged in.
