Use the type system to enforce use of blinded keys.

Hidden services use blinded singing keys derived from the identity key to sign descriptor signing keys.

Before this patch, the hidden descriptor builder represented its blinded signing keys (blinded_id) as plain ed25519::Keypairs. This was not ideal, as there was nothing preventing the caller from accidentally initializing blinded_id with an unblinded keypair.

This introduces a new HsBlindKeypair type to represent blinded keypairs.

Signed-off-by: Gabriela Moldovan gabi@torproject.org