AES-GCM AArch64: Store twisted Htable values
Implementations of AES-GCM in AWS-LC may use an "H-Table" to precompute and cache common computations across multiple invocations of AES-GCM using the same key, thereby improving performance. The main example of such a common precomputation is the computation of powers of the H-value used in the GHASH algorithm -- giving the H-Table its name. However, despite the name, the structure of the H-Table is opaque to the code invoking AES-GCM, and implementations are free to populate it with arbitrary data.

This freedom is already being leveraged: currently, the AArch64 implementation of AES-GCM not only stores powers of H in the HTable (H1-H8 in the code), but also their 'Karatsuba preprocessings', which are the EORs of the low and high halves. Those naturally occur when using Karatsuba's algorithm to reduce a 128-bit polynomial multiplication over GF(2) to 3x 64-bit polynomial multiplications.

This commit changes the structure of the H-Table for AArch64 implementations slightly for better performance: It is observed that every time a power of H is loaded from the H-Table (H1-H8), the first operation that happens to it in both aesv8-gcm-armv8.pl and aesv8-gcm-armv8-unroll8.pl is to swap low and high halves via `ext arg.16b, arg.16b, arg.16b, #8`. Those swaps can be precomputed, and the Hi values stored in swapped form in the HTable, thereby eliminating the swaps from the critical loop of AES-GCM.
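As an added illustration (this is not code from AWS-LC or from the commit), the following Python model shows the H-table idea the message describes: powers H^1..H^8 of the GHASH key, each stored with its 64-bit halves swapped ("twisted") next to the EOR of its halves, consumed by a Karatsuba multiply built from three 64-bit carry-less products, with GHASH processing up to eight blocks per reduction and the result checked against the bit-serial reference multiply of NIST SP 800-38D. The natural-bit-order representation, the `(twisted, midterm)` tuple layout, the function names and the test key and blocks are this example's own assumptions; the register layout and reduction used by aesv8-gcm-armv8.pl are not reproduced here.

```python
"""Model of the GHASH "H-table" used by AES-GCM: powers H^1..H^8 of the hash key,
each stored with its 64-bit halves swapped ("twisted") next to its Karatsuba
midterm (low half XOR high half). Checked against the NIST SP 800-38D reference."""
import hashlib

MASK64 = (1 << 64) - 1
MASK128 = (1 << 128) - 1
# x^128 + x^7 + x^2 + x + 1 with the x^128 term dropped; natural order, bit i = coeff of x^i
POLY_LOW = (1 << 7) | (1 << 2) | (1 << 1) | 1

def rev128(x):
    """Convert between GCM bit order (MSB = coefficient of x^0) and natural order."""
    return int(f"{x:0128b}"[::-1], 2)

def gf_mul_ref(x, y):
    """Bit-serial multiply in GF(2^128), NIST SP 800-38D Algorithm 1 (GCM bit order)."""
    r = 0xE1 << 120
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ (r if v & 1 else 0)
    return z

def clmul(a, b):
    """Carry-less (GF(2) polynomial) multiply; with 64-bit inputs this models one PMULL."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def reduce256(p):
    """Reduce a product of two 128-bit polynomials modulo x^128 + x^7 + x^2 + x + 1."""
    while p >> 128:  # x^128 == x^7 + x^2 + x + 1, so fold the top half down (at most twice)
        p = (p & MASK128) ^ clmul(p >> 128, POLY_LOW)
    return p

def karatsuba_mul(a, h_twisted, h_mid):
    """Unreduced 256-bit product a * H from three 64x64 carry-less multiplies.
    h_twisted is H with its halves swapped, so H's high half is read straight from
    the low 64 bits: no per-multiply swap of the H operand is needed."""
    a_lo, a_hi = a & MASK64, a >> 64
    h_hi, h_lo = h_twisted & MASK64, h_twisted >> 64
    lo = clmul(a_lo, h_lo)
    hi = clmul(a_hi, h_hi)
    mid = clmul(a_lo ^ a_hi, h_mid) ^ lo ^ hi  # Karatsuba: (a_lo+a_hi)(h_lo+h_hi) - lo - hi
    return (hi << 128) ^ (mid << 64) ^ lo

def build_htable(h_gcm, n=8):
    """Precompute [(H^i twisted, midterm of H^i)] for i = 1..n from the GCM-order key."""
    h = rev128(h_gcm)
    table, hp = [], 1
    for _ in range(n):
        hp = reduce256(clmul(hp, h))  # next power; speed is irrelevant at key setup
        lo, hi = hp & MASK64, hp >> 64
        table.append(((lo << 64) | hi, lo ^ hi))  # swapped halves, EOR of the halves
    return table

def ghash_ref(h, blocks):
    """Textbook GHASH: one reduced multiply per block (GCM bit order)."""
    y = 0
    for x in blocks:
        y = gf_mul_ref(y ^ x, h)
    return y

def ghash_table(table, blocks):
    """GHASH with aggregated reduction: up to len(table) blocks per reduction, via
    Y' = (Y ^ X1)*H^n ^ X2*H^(n-1) ^ ... ^ Xn*H, accumulating unreduced products."""
    y = 0  # running state kept in natural bit order
    for i in range(0, len(blocks), len(table)):
        group = blocks[i:i + len(table)]
        n = len(group)
        acc = 0
        for j, x in enumerate(group):
            a = rev128(x) ^ (y if j == 0 else 0)
            h_twisted, h_mid = table[n - 1 - j]  # block j pairs with H^(n-j)
            acc ^= karatsuba_mul(a, h_twisted, h_mid)
        y = reduce256(acc)
    return rev128(y)

# Constructed test inputs (not from any real session): a fixed hash key and 11 blocks,
# so one full group of 8 and one partial group of 3 are exercised.
H_TEST = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
BLOCKS = [int.from_bytes(hashlib.sha256(bytes([i])).digest()[:16], "big")
          for i in range(11)]
H_TABLE = build_htable(H_TEST)

def table_matches_reference(table=H_TABLE, h=H_TEST):
    """Check every entry: untwisting gives the reference power, midterm is lo ^ hi."""
    ref_pow = 1 << 127  # multiplicative identity in GCM bit order
    for h_twisted, h_mid in table:
        ref_pow = gf_mul_ref(ref_pow, h)
        lo, hi = h_twisted >> 64, h_twisted & MASK64
        if rev128((hi << 64) | lo) != ref_pow or h_mid != lo ^ hi:
            return False
    return True

if __name__ == "__main__":
    print("table ok:", table_matches_reference())
    print("ghash ok:", ghash_table(H_TABLE, BLOCKS) == ghash_ref(H_TEST, BLOCKS))
```

The swap the commit removes corresponds here to `karatsuba_mul` reading H's high half from the low 64 bits of the stored entry instead of exchanging halves first; because the table is private to the implementation, the caller sees identical GHASH output either way, which `table_matches_reference` and the comparison against `ghash_ref` confirm.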