
POC global: add PQC ML-KEM to handshake as PSK

Open aparcar opened this issue 11 months ago • 1 comments

I recently learned about Tailscale and found this article regarding PQC. If the approach suggested here would really be taken, two new message types should be added for backwards compatibility and a new option added to peer.go like pqcBasedPsk to enable this feature for chosen peers.


This commit extends the handshake to generate a PQC-based PSK. The NIST-approved ML-KEM (formerly Kyber) is included in the initiator and responder messages to transport the encapsulation key and ciphertext, respectively. The generated shared secrets are directly injected as a pre-shared key (PSK), since PQC resilience is the intended purpose.

The ML-KEM encapsulation key and ciphertext are piggybacked onto WireGuard message types 1 and 2, without altering the handshake itself.

As a result, the initiation and response messages grow by about 1 kB (~10x) and the handshake takes ~5x longer (0.21s vs 0.93s[^1]); however, this is likely negligible, since the transported data stream is unaffected.

This commit does not address PQC authentication. However, it offers a practical solution to mitigate retrospective decryption using quantum computers—namely, "store now, decrypt later" attacks. While more comprehensive approaches like "Post-quantum WireGuard"[^2] include PQC authentication and a full PQC handshake, the changes proposed here aim to be as minimal as possible, usable as soon as possible.

[^1]: Naively running `go test -bench=TestNoiseHandshake -count=100`
[^2]: https://eprint.iacr.org/2020/379.pdf

aparcar avatar May 26 '25 20:05 aparcar

If Tailscale switches to Go 1.24 one could use mlkem directly from crypto.

aparcar avatar May 27 '25 11:05 aparcar
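The two-message exchange the issue describes, written out as an added example (not code from the issue or from wireguard-go) using the `crypto/mlkem` package from Go 1.24 that the follow-up comment mentions; the type and function names are assumed for illustration:

```go
package main

import (
	"crypto/mlkem"
	"fmt"
)

// pqcInitiatorState (illustrative name, not wireguard-go's) is what the initiator
// keeps between sending message type 1 and receiving message type 2.
type pqcInitiatorState struct {
	dk *mlkem.DecapsulationKey768
}

// initiatorPrepare: fresh ML-KEM-768 key pair; returns the encapsulation key bytes to piggyback onto message type 1.
func initiatorPrepare() (*pqcInitiatorState, []byte, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	return &pqcInitiatorState{dk: dk}, dk.EncapsulationKey().Bytes(), nil
}

// responderProcess parses the piggybacked encapsulation key, encapsulates to it and
// returns the responder's PSK plus the ciphertext to piggyback onto message type 2.
func responderProcess(ekBytes []byte) (psk [32]byte, ciphertext []byte, err error) {
	ek, err := mlkem.NewEncapsulationKey768(ekBytes)
	if err != nil { // malformed key: abort before doing any KEM work
		return psk, nil, err
	}
	shared, ct := ek.Encapsulate() // 32-byte shared secret, exactly a WireGuard PSK
	copy(psk[:], shared)
	return psk, ct, nil
}

// initiatorFinish decapsulates the response's ciphertext into the PSK. A tampered
// ciphertext yields an unrelated key (implicit rejection), so the handshake fails closed.
func (s *pqcInitiatorState) initiatorFinish(ciphertext []byte) (psk [32]byte, err error) {
	shared, err := s.dk.Decapsulate(ciphertext) // errors only on a wrong-length ciphertext
	if err != nil {
		return psk, err
	}
	copy(psk[:], shared)
	return psk, nil
}

func main() {
	st, ek, _ := initiatorPrepare()
	pskR, ct, _ := responderProcess(ek)
	pskI, _ := st.initiatorFinish(ct)
	fmt.Printf("ek %d B, ct %d B, psk match %v\n", len(ek), len(ct), pskI == pskR)
}
```

With ML-KEM-768 the encapsulation key is 1184 bytes and the ciphertext 1088 bytes, which is the roughly 1 kB growth per handshake message the issue reports.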