
ed25519-dalek: don't use Ed25519ph for DigestSigner/Verifier #829

@daxpedda

Description


After RustCrypto/traits#2003, DigestSigner/Verifier has been/will be consistently applied on RustCrypto PQC curves to not mean pre-hash mode signatures. We want to make sure this is consistent across all implementations. This will include ed448-goldilocks as well.

Currently, ed25519-dalek implements DigestSigner/Verifier as pre-hash mode signatures. This issue proposes to change that to PureEdDSA.

The problem is that we have no way to ensure on a type-level that the closure provided by the user provides the same message twice, a potential security vulnerability, which I assume is also why raw_sign_byupdate() is only implemented behind hazmat.

So unless we find a solution for that, we are stuck hiding any implementation of DigestSigner/Verifier behind hazmat.

Multiple solutions were previously discussed:

  • Introduce completely separate types for pre-hash mode signatures in hazmat. This would include Signing/VerifyingKey and Signature.
  • A simple ZST just for DigestSigner/Verifier in hazmat.
  • Not implementing DigestSigner/Verifier at all, considering raw_sign_byupdate() is already available.

Currently I'm in favor of simply removing the DigestSigner/Verifier implementation entirely, unless we are able to find a safe way to actually implement it. raw_sign_byupdate() is still there to fill the feature gap.

To fill the gap for safe pre-hash mode signatures, RustCrypto/traits#2012 is being proposed.

Previously discussed in RustCrypto/traits#2011.
Related: #828.
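An added example (not code from ed25519-dalek, the issue author, or RustCrypto) that models why a closure-based `raw_sign_byupdate`-style API is a hazard and what a runtime consistency check buys. Ed25519 absorbs the message twice during signing, once for the nonce r = H(prefix || M) and once for the challenge k = H(R || A || M), so a streaming API must invoke the caller's closure twice; if the two invocations feed different bytes, the nonce is derived from one message and the challenge from another, and two such signatures can share R while differing in k. Everything below is a model: `DefaultHasher` stands in for SHA-512 and is not cryptographic, the names `Ctx`, `sign_byupdate_checked`, `sign_message` and `SignError` are hypothetical, and the returned pair of hash values merely represents the two transcripts rather than a real signature.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

/// Model of the streaming hash context handed to the caller's closure.
/// `DefaultHasher` (SipHash) stands in for SHA-512; it only models the
/// transcript structure and provides no cryptographic strength.
pub struct Ctx {
    transcript: DefaultHasher, // models H(prefix || M) or H(R || A || M)
    msg_only: DefaultHasher,   // fingerprint of exactly the bytes the closure fed
    msg_len: usize,
}

impl Ctx {
    fn new(domain: &[u8]) -> Self {
        let mut transcript = DefaultHasher::new();
        transcript.write(domain);
        Ctx { transcript, msg_only: DefaultHasher::new(), msg_len: 0 }
    }

    /// The closure calls this to stream message bytes.
    pub fn update(&mut self, data: &[u8]) {
        self.transcript.write(data);
        self.msg_only.write(data);
        self.msg_len += data.len();
    }

    fn fingerprint(&self) -> (u64, usize) {
        (self.msg_only.finish(), self.msg_len)
    }

    fn finish(&self) -> u64 {
        self.transcript.finish()
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum SignError {
    /// The closure fed different bytes on its two invocations.
    InconsistentMessage,
}

/// Models the two absorptions of M in Ed25519 signing. The closure is called
/// once per pass; the guard compares what each pass absorbed and refuses to
/// finish when they disagree, turning a silent nonce-derivation mismatch into
/// an error. The type system cannot enforce this, which is the point the
/// issue makes; a runtime check is the fallback (hypothetical design).
pub fn sign_byupdate_checked<F>(mut msg_update: F) -> Result<(u64, u64), SignError>
where
    F: FnMut(&mut Ctx),
{
    // Pass 1: nonce transcript r = H(prefix || M).
    let mut nonce_pass = Ctx::new(b"nonce-prefix|");
    msg_update(&mut nonce_pass);
    let r = nonce_pass.finish();

    // Pass 2: challenge transcript k = H(R || A || M).
    let mut challenge_pass = Ctx::new(b"R|A|");
    msg_update(&mut challenge_pass);
    if challenge_pass.fingerprint() != nonce_pass.fingerprint() {
        return Err(SignError::InconsistentMessage);
    }
    let k = challenge_pass.finish();
    Ok((r, k))
}

/// PureEdDSA-style entry point: the whole message is in memory, so the
/// closure replays identical bytes by construction and the check cannot fail.
pub fn sign_message(msg: &[u8]) -> (u64, u64) {
    sign_byupdate_checked(|ctx| ctx.update(msg))
        .expect("a buffered message is replayed identically")
}

fn main() {
    let (r, k) = sign_message(b"hello");
    println!("buffered message: r={r:#x} k={k:#x}");

    // Constructed misuse: a closure that is not a pure function of one
    // message, e.g. re-reading a stream that has advanced between calls.
    let mut calls = 0;
    let res = sign_byupdate_checked(|ctx| {
        calls += 1;
        ctx.update(if calls == 1 { b"hello" } else { b"hellp" });
    });
    println!("non-deterministic closure: {res:?}");
}
```

The guard compares a fingerprint of the caller-fed bytes rather than the full transcripts, because the two transcripts legitimately differ in their domain prefixes; only the message portion must agree. This is a runtime check, so it catches the mismatch but cannot prevent a caller from writing such a closure, which is why an API like this still belongs behind a hazmat boundary.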
