Add deterministic encryption

[whs]

This PR refactors the base key management into a separate class, and add Deterministic AEAD

[whs]

Added more fixes in 00a42ae. I'm implementing a keyset store with Django models (maybe another PR once I've finished) and found the need to backports some changes:

• Wrapping lru_cache on instance methods retain the instance. To not ship another implementation Django's cached_property decorator is used instead. Unfortunately this result in API breaking change.
• Added EncryptedBinaryField. This requires opting out of force_str in decryption routine so it is refactored into to_python_prepare. This field type will be used to store binary keyset.
• Added test for nullable values. With this test, I found that the previous lookup allowlist use isinstance which does not work for class instances (per the name it only works on instance of the class and not class itself). I'm not sure what to use, but issubclass seems to work. See next comment

[whs]

Turns out searching deterministic encrypted field is harder than I think when key rotation is involved. In 0c2fed6 I instead reimplement the exact operator to be in operator with list of value encrypted with all available keys. This, however make filter(value=None) doesn't work since the in operator eliminate None values. isnull still works though and should be used instead.