AES-GCM AArch64: Swap Htable values
Implementations of AES-GCM in AWS-LC may use an "H-Table" to
precompute and cache common computations across multiple
invocations of AES-GCM using the same key, thereby improving
performance.

The main example of such common precomputation is the
computation of powers of the H-value used in the GHASH algorithm
-- giving the H-Table its name. However, despite the name, the
structure of the H-Table is opaque to the code invoking AES-GCM,
and implementations are free to populate it with arbitrary data.

This freedom is already being leveraged: Currently, the AArch64
implementation of AES-GCM not only stores powers of H in the
HTable (H1-H8 in the code), but also their 'Karatsuba
preprocessing's, which are the EORs of the low and high halves.
Those naturally occur when using Karatsuba's algorithm to reduce a
128-bit polynomial multiplication over GF(2) to 3x 64-bit
polynomial.

This commit changes the structure of the H-Table for AArch64
implementations of AES-GCM slightly to obtain a small performance gain:

It is observed that every time a power of H is loaded from the
H-Table (H1-H8), the first operation that happens to it in both
aesv8-gcm-armv8.pl and aesv8-gcm-armv8-unroll8.pl is to swap low
and high halves via `ext arg.16b, arg.16b, arg.16b, #8`. Those swaps
can be precomputed, and the H{1-8} values stored in swapped form in the
HTable, thereby eliminating the swaps from the critical loop of AES-GCM.

This commit modifies the H-table precomputation ghash_init_v8 in the
simplest way possible to introduce the desired swaps, bracketing store
instructions for H-table values X with `vext.8 X, X, X, #8`. The resulting
initialization code is slightly slower than the original one and will
be simplified in the next commit.
hanno-becker committed Mar 21, 2024
1 parent c187b23 commit c05aa78
Showing 3 changed files with 24 additions and 154 deletions.
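
The Karatsuba step and the swapped storage described in the commit message, as an added C example that is not code from AWS-LC or from this commit. It checks that a 128-bit carry-less multiply built from three 64-bit multiplies, reading H from a table entry that holds its halves pre-swapped plus the precomputed EOR of the halves, equals the four-multiply schoolbook product. Assumptions: the `htable_entry` layout and all function names are hypothetical, `clmul64` is a portable stand-in for PMULL, and the GHASH modular reduction and bit-reflection are left out.

```c
#include <stdint.h>
#include <string.h>

/* 128-bit polynomial over GF(2); lo holds the coefficients of x^0..x^63. */
typedef struct { uint64_t lo, hi; } poly128;
/* Hypothetical table entry (not AWS-LC's layout): halves swapped, plus lo^hi. */
typedef struct { uint64_t swapped[2]; uint64_t k; } htable_entry;

/* Portable 64x64 -> 128-bit carry-less multiply, standing in for PMULL. */
static poly128 clmul64(uint64_t a, uint64_t b) {
    poly128 r = {0, 0};
    for (int i = 0; i < 64; i++) {
        if (!((b >> i) & 1)) continue;
        r.lo ^= a << i;
        if (i) r.hi ^= a >> (64 - i);
    }
    return r;
}

/* Once per key: store H with halves swapped and cache the Karatsuba term. */
htable_entry htable_precompute(poly128 h) {
    htable_entry e = { { h.hi, h.lo }, h.lo ^ h.hi };
    return e;
}

/* Unreduced 256-bit product H*X, least significant word first: 3 multiplies. */
void mul_karatsuba(const htable_entry *e, poly128 x, uint64_t out[4]) {
    poly128 hh = clmul64(e->swapped[0], x.hi);   /* H.hi * X.hi */
    poly128 ll = clmul64(e->swapped[1], x.lo);   /* H.lo * X.lo */
    poly128 mm = clmul64(e->k, x.lo ^ x.hi);     /* (H.lo^H.hi) * (X.lo^X.hi) */
    mm.lo ^= hh.lo ^ ll.lo;                      /* middle term = mm ^ hh ^ ll */
    mm.hi ^= hh.hi ^ ll.hi;
    out[0] = ll.lo;          out[1] = ll.hi ^ mm.lo;
    out[2] = hh.lo ^ mm.hi;  out[3] = hh.hi;
}

/* Reference: schoolbook product with 4 multiplies on the unswapped H. */
void mul_schoolbook(poly128 h, poly128 x, uint64_t out[4]) {
    poly128 ll = clmul64(h.lo, x.lo), hh = clmul64(h.hi, x.hi);
    poly128 lh = clmul64(h.lo, x.hi), hl = clmul64(h.hi, x.lo);
    out[0] = ll.lo;                  out[1] = ll.hi ^ lh.lo ^ hl.lo;
    out[2] = hh.lo ^ lh.hi ^ hl.hi;  out[3] = hh.hi;
}

/* Returns 1 when both methods agree for the given inputs. */
int karatsuba_matches(poly128 h, poly128 x) {
    uint64_t a[4], b[4];
    htable_entry e = htable_precompute(h);
    mul_karatsuba(&e, x, a);
    mul_schoolbook(h, x, b);
    return memcmp(a, b, sizeof a) == 0;
}
```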