callers of the encode interface are now required to pass in the correct iv for
the ciphertext being encoded

Plus various basic instances (Eq, Show, mainly) to make testing this piece
easier.

Also some more Hedgehog generators for types related to capabilities.

Also scatter some more Eq and Show instances around to make this possible.
Also change some Show instances to elide most of the content of secrets.

We need a lot of type conversions and we'd like to be more principled than
`fromIntegral`.

We use `isolate` so we know exactly how far we've advanced, we can trivially
compute the correct position.

instead of confusing it with the segment length sometimes, which includes
padding bytes

The trick is that we don't use the IV to initialize CTR mode, we only use it
to derive the data encryption key and then use the zero IV to initialize CTR
mode.  (So is it an IV?  Not really I guess.)

The failure is due to incorrect handling of padding somewhere so we get extra
bytes on the recovered ciphertext/plaintext.

It doesn't have an assert but it prints the wrong output

* Add direct tests for signature key serialization/deserialization
* Fix the RSA Private Key serializer to use PKCS8 like Tahoe-LAFS expects.
* Fix the key generator to emit keys in this format.
* Fix the key generator to generate 2048 bit keys.
* Fix the derivation functions to make the key values internally consistent.

The test suite fails, though.

This is probably better than pulling in three different crypto libraries for
each of the difference pieces we need.  It's certainly simpler to figure out
how to make the pieces play nicely together since we avoid having multiple
kinds of AES128 key defined, multiple types named IV and PublicKey, and even
multiple implementations of the same module.

need to move the key stuff to a new branch and finish it on its own probably

k and N not confusing variable names at all...

Lots of fields left incorrectly populated but at least the erasure encoding is
working so we can probably read (without verification) real shares now.

Read Tahoe-LAFS-generated bytes, decode into a Share, re-encoded to the same
bytes.