Add SLH-DSA test vectors and test-vectors documentation

[DarkaMaul]

Adds ACVP test vectors for SLH-DSA from the NIST ACVP-Server.

Parameter sets

Only the two parameter sets exposed by the BoringSSL public API are included (include/openssl/slhdsa.h @ 8313e23):

• SLH-DSA-SHA2-128s
• SLH-DSA-SHAKE-256f

Vector filtering rationale

• keyGen: all vectors for the two parameter sets are kept.
• sigVer: only pure + external interface vectors are kept. BoringSSL's SLHDSA_*_verify accepts only the external-interface and I don't think we want to support prehashing.
• sigGen: only deterministic=false + pure + external interface vectors are kept. BoringSSL's signature are non deterministic. The same pure / external interface restrictions apply as for sigVer.

Why filtering?

• Without filtering, the two files are 38 MB and 31 MB.
• With filtering, we are at 1 MB and 2 MB.

SLHDSA parameter set is expansive:

• 2 hash functions (SHA-2, SHAKE)
• 3 security levels (128 192 256)
• 2 tree / size tradeoff (small / fast)

Some notes

• The private key size is 4*n (with n the security level), so much smaller than MLKEM/MLDSA. We don't have to do the dance with seed form only there (and the standard mandates that the key is stored in full).

Key checks. [...], the owner of the private key shall check that the private key is 4𝑛
bytes in length and shall use SK.seed and PK.seed to recompute PK.root and compare the
newly generated value with the value in the private key currently held.

(FIPS 205 - Section 3.1)