safecrypto / libsafecrypto

WP6 of the SAFEcrypto project - a suite of lattice-based cryptographic schemes
MIT License

Implement more SCA countermeasures #25

Open neil-smyth opened 7 years ago

neil-smyth commented 7 years ago

Existing countermeasures (Markku's blinding, Ziggurat pattern masking) need to be expanded as per discussions with Ayesha and from Seamus' Ziggurat work.

  1. Markku's blinding will be modified to use an in-place Knuth shuffle to avoid shuffling after generation (as done now). This Knuth shuffle of a ring polynomial will also be provided as a "cheaper" option than Markku's technique - it must be constant-time.
  2. Add an option to randomly discard samples at a user defined rate - to disturb statistical analysis.
  3. An option will be added such that access to Gaussian LUTs will be randomly performed elsewhere in the crypto functions - perturbation to deter cache attack.
  4. Where multiple Gaussian ring polynomials are generated simultaneously with the same statistical properties, permit them to be randomly shuffled together - perturbation again.
  5. If dynamic memory is used investigate the possibility of periodically moving LUTs to a different address.
  6. Investigate the possibility of randomly changing the Gaussian sampler mechanism (e.g. switch from CDT to Ziggurat) when generating ring polynomials.
  7. Investigate cleaning and expanding the previous work on multi-threaded BLISS-B where ring polynomials were generated by worker threads - displace power and time analysis by exploiting context switches, changing thread priorities, using different samplers, etc.
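Item 1 asks for an in-place Knuth shuffle of a ring polynomial that is constant-time. The snippet below is an added illustration of what that requirement implies, not code from libsafecrypto: a textbook Fisher-Yates swap indexes memory with the secret random position j, so a masked swap over every candidate position is used instead, at O(n^2) cost. The PRNG, the 16-coefficient polynomial and the seed are constructed placeholders.

```c
#include <stdint.h>
#include <stddef.h>
#define N 16  /* coefficients in the constructed sample polynomial */

/* Placeholder PRNG (xorshift64) so the example runs offline; in real code
 * the index j must come from a cryptographic RNG. */
static uint64_t xorshift64(uint64_t *s) {
    uint64_t x = *s; x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* All-ones if a == b, zero otherwise, without branching on the inputs. */
static uint32_t ct_eq_mask(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    return ((x | (0u - x)) >> 31) - 1u;
}

/* In-place Knuth (Fisher-Yates) shuffle of n coefficients. The textbook
 * version swaps a[i] and a[j] directly, so the addresses touched leak the
 * secret permutation through cache and timing side channels. Here every
 * k <= i is read and written on every round and the swap is applied via a
 * mask, so memory and timing traces do not depend on j (cost O(n^2)). */
void ct_knuth_shuffle(uint32_t *a, size_t n, uint64_t *rng_state) {
    for (size_t i = n; i-- > 1;) {          /* i = n-1 down to 1 */
        /* Modulo keeps the example short; use rejection sampling in
         * production so that j is uniform on [0, i]. */
        uint32_t j = (uint32_t)(xorshift64(rng_state) % (i + 1));
        for (size_t k = 0; k <= i; k++) {
            uint32_t t = (a[i] ^ a[k]) & ct_eq_mask((uint32_t)k, j);
            a[i] ^= t;  /* swap only when k == j; otherwise t == 0 and */
            a[k] ^= t;  /* both writes are no-ops that still hit memory */
        }
    }
}

/* Sanity check: 1 if a[] holds each of 0..n-1 exactly once, else 0. */
int is_permutation_of_iota(const uint32_t *a, size_t n) {
    uint32_t seen[N] = {0};
    if (n > N) return 0;
    for (size_t k = 0; k < n; k++)
        if (a[k] >= n || seen[a[k]]++) return 0;
    return 1;
}

/* Shuffles the constructed polynomial 0..N-1 with a fixed seed; returns 1
 * if the result is still a permutation of it. */
int shuffle_demo(void) {
    uint32_t poly[N];
    uint64_t seed = 0x9E3779B97F4A7C15ULL;  /* constructed seed */
    for (uint32_t k = 0; k < N; k++) poly[k] = k;
    ct_knuth_shuffle(poly, N, &seed);
    return is_permutation_of_iota(poly, N);
}
```

Call shuffle_demo() from a main() to run it stand-alone; the O(n^2) inner loop is the price of a data-independent access pattern, which is why the issue flags the shuffle as the "cheaper" option only if it stays constant-time.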
neil-smyth commented 6 years ago

There are a few places in the NTT (outside the main processing loops) that are not constant-time; this should be fixed.