Implement the client-side of client authentication for onion services

We should implement the ed25519-based client authentication algorithm of section 3.4 in rend-spec-v3.txt.

Part of the challenge here is

1. getting the isolation right
2. getting the api right
3. getting the ux right

Have a look at what C tor does here, but ask around for info about the ways in which C tor falls short, and try to do better.

We will need the ability to configure keys for specific services; to add them programmatically; to use keys for specific requests; and more.