RustCrypto / hashes

Collection of cryptographic hash functions written in pure Rust

sha3: Add derive Zeroize for Sha3State #479

Closed aewag closed 1 year ago

aewag commented 1 year ago

Not zeroizing the Sha3State allows recovery of any squeezed output. This is because the Keccak permutation can be inverted. Hence, access to the complete state allows one to perform this operation.

While this is security-relevant, including it would significantly increase the MSRV. Therefore, it is gated behind the zeroize feature.

@tarcieri what do you think about gating the zeroizing behind a feature?

The ascon implementation would "require" zeroizing as well. As the implementations differ, zeroizing has to be done in the sponges crate. Therefore, I would prepare a similar PR for the sponges repository targeting ascon.

tarcieri commented 1 year ago

Yes, behind a feature sounds good. If you avoid using the derive macro and write the impl by hand (which seems simple enough in this case), you can avoid the syn dependency as well.

aewag commented 1 year ago

@tarcieri Thanks for the feedback. I updated the PR and added the impl. For documentation purposes: I only zeroed the state and not the round_count, as the round_count is not security-relevant.
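An added, dependency-free illustration of the approach discussed above (a hand-written impl that wipes only the Keccak lanes and leaves `round_count` alone); this is example code, not the PR's or the sha3 crate's own. It assumes a local stand-in for the `zeroize::Zeroize` trait and an assumed struct layout of 25 u64 lanes plus a round count, and it goes one step beyond the PR by also wiping on `Drop`.

```rust
use core::ptr;
use core::sync::atomic::{compiler_fence, Ordering};

/// Stand-in for `zeroize::Zeroize` (assumption: the real crate is not pulled
/// in so this example compiles without dependencies).
pub trait Zeroize {
    fn zeroize(&mut self);
}

/// Assumed layout of the sponge state: 25 lanes of 64 bits plus the number
/// of Keccak rounds. The real struct in the sha3 crate may differ.
pub struct Sha3State {
    pub state: [u64; 25],
    pub round_count: usize,
}

/// Hand-written impl (no derive macro, hence no `syn` dependency). In the
/// crate this would sit behind `#[cfg(feature = "zeroize")]`.
/// Only `state` is wiped: `round_count` is a public parameter, not a secret,
/// and the lanes are what an inverted permutation would need.
impl Zeroize for Sha3State {
    fn zeroize(&mut self) {
        for lane in self.state.iter_mut() {
            // Volatile store so the optimizer cannot drop it as a dead write.
            // SAFETY: `lane` is a valid, aligned, exclusively borrowed u64.
            unsafe { ptr::write_volatile(lane, 0) };
        }
        // Keep the stores from being reordered past later code.
        compiler_fence(Ordering::SeqCst);
    }
}

/// Wipe when the state goes out of scope, so a dropped hasher leaves no lanes.
impl Drop for Sha3State {
    fn drop(&mut self) {
        self.zeroize();
    }
}

/// True when every lane is zero.
pub fn state_is_clear(s: &Sha3State) -> bool {
    s.state.iter().all(|&l| l == 0)
}

fn main() {
    let mut s = Sha3State { state: [0xDEAD_BEEF_u64; 25], round_count: 24 };
    assert!(!state_is_clear(&s));
    s.zeroize();
    assert!(state_is_clear(&s) && s.round_count == 24);
}
```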