Crypto Appendix - Fix table of approved hash functions

[randomstuff]

The crypto appendix currently has this table regarding approved hash functions:

Hash functions	Suitable for HMAC/KDF/RBG?	Reference	L1	L2	L3
SHA3-512	Y	FIPS 202		✓	✓
SHA-512	Y	FIPS 180-4		✓	✓
SHA3-384	Y	FIPS 202		✓	✓
SHA-384	Y	FIPS 180-4		✓	✓
SHA3-256	Y	FIPS 202		✓	✓
SHA-512/256	Y	FIPS 180-4		✓	✓
SHA-256	Y	FIPS 180-4	✓	✓	✓
KMAC256	N	NIST SP 800-185	✓	✓	✓
KMAC128	N	NIST SP 800-185	✓	✓	✓
SHAKE256	Y	FIPS 202	✓	✓	✓
BLAKE2s	Y		✓	✓	✓
BLAKE2b	Y		✓	✓	✓
BLAKE3	Y		✓	✓	✓

Some comments about the usage as MAC with or without HMAC:

• SHA3 is listed as suitable for HMAC and is actually approved by NIST to be used with HMAC but actually does not need to be used with HMAC. In practice, you would probably use KMAC instead (?).
• BLAKE2 and BLAKE3 already includes a MAC mode and therefore would not be used with HMAC either, I think.
• KMAC is actually a MAC so I'm not sure it makes sense to include it here. Sure you can use a MAC as a hash.

Some comments about the "suitable for KDF":

• Is it a good idea to use them as KDF (eg. SHA2) ? TLS 1.2 goes a long way to build a complex PRF on top of the hash function and TLS v1.3 uses HKDF.
• I'm not sure I would say "suitable for KDF" without further guidance.
• (On the other hand BLAKE3, can be used directly as a KDF).

Some comments about the "suitable for RBG": I don't known :)

Proposed changes:

• remove KMAC from here and include them in "approved MAC algorithms" only;
• rename "suitable for HMAC" with "Approved with HMAC";
• add a note on "SHA3 suitable for HMAC" (saying you might want to use KMAC instead);
• remove "suitable for KDF" (?) (unless further details are given);
• remove "suitable for PRF" (?) (unless further details are given);
• for BLAKE2s and BLAKE3, I think we should uncheck "approved with HMAC" (my bad).

[randomstuff]

ping @danielcuthbert