Add zeroizing to DynResidue

[AaronFeickert]

Currently, DynResidue does not support zeroizing. This PR implements it, albeit probably controversially.

Adding zeroizing suppport seems tricky, in part because modulus parameters are stored in the struct. The question becomes what to do with them. Are they left alone? Are they set internally to all zeros? Are they set to some nominal but valid modulus?

The case for Residue is more clear, since its modulus parameters are generic.

This PR makes the design choice to leave the DynResidue parameters alone, which has two potential advantages:

• The treatment of modulus parameters is somewhat unified in both Residue and DynResidue
• The zeroized DynResidue is still valid using its original parameters

However, leaving the modulus parameters in memory may not be in line with the intent of the trait.

I'd appreciate any thoughts or discussion on the best way to handle this, or if it shouldn't be implemented at all.

[AaronFeickert]

It may be worth noting that DynResidue already doesn't enforce consistent moduli for arithmetic operations.

[tarcieri]

Offhand I can't think of a cryptosystem which uses a secret modulus. Public moduli seem pretty foundational to public key cryptosystems.

But I can see someone being surprised it isn't zeroized.

Zeroize itself can't enforce invariants aren't violated, because it borrows the value rather than consuming it. This makes it possible to call from Drop handlers, where it's okay to violate invariants because the value is now out-of-scope.

[AaronFeickert]

@tarcieri: Would you advocate for a different design choice here, or do you think the PR's approach is reasonable as is? Perhaps adding a careful note to the DynResidue documentation could be useful, just in case the user expects certain behavior.

[AaronFeickert]

Rebased.