Document the importance of avoiding (timing) side channels

[briansmith]

When reviewing PR #47 by @stepancheg I realized that there's no documentation here about why or how we avoid leaking information about the contents of the slice held in an Input or Reader unless/until specifically requested.

ring internally uses untrusted to process secret buffers so untrusted.rs can only inspect/report/leak the value of any byte of the input if/when the caller specifically requests it. So, for example, peek() can inspect the value of the next byte but a Debug implementation cannot.

[briansmith]

Perhaps we should remove PartialEq and similar from Input? Or maybe we need a way to distinguish secret inputs from non-secret inputs that can enable such variable-time functions.