polyval, ghash: use powers of H to process multiple blocks at a time

[ericlagergren]

We can compute h = [H^n, H^(n-1), ..., H] and then process N blocks at a time. On a 2020 M1, a stride of 8 runs at about 0.17 cycles per byte whereas a stride of 1 runs at about 1.4 cycles per byte—an ~8x improvement.

Note that sometimes this isn't desirable. For example, HCTR-2 computes POLYVAL over single blocks and the overhead of constructing plus cleaning up an N-wide POLYVAL hurt performance. So, we probably need to offer both a "wide" and a "lite" implementation.

I'm happy to donate my implementation (x86 and aarch64).

[tarcieri]

Exciting work! The parallelism would be prospectively quite helpful for RustCrypto/AEADs#74

It'd be great if you could open a PR. Just looking over your code there are great code comments which are much better than what we currently have.