This Rogaway et al. paper described a provably secure construction for streaming AEAD called STREAM which does not rely on the use of NRMR and could be implemented for e.g. ChaCha20Poly1305 AEAD:
https://eprint.iacr.org/2015/189.pdf
The description of STREAM begins in Section 7 (bottom of page 16). Here's a diagram from the paper:
I think there's a real world need for a provably secure, interoperable construction for streaming AEAD (see the "A real-world need" section from the paper at the bottom of page 3). In the absence of a standard, reusable primitive for solving this problem, people are homebrewing their own solutions, poorly:
https://www.imperialviolet.org/2014/06/27/streamingencryption.html
That requires more thought before using it for real but, if you are ever building encryption-at-rest, please don't mess it up like we did 20 years ago.
However, I'd also understand if you feel this belongs in a separate library from libsodium.
This is something badly needed. But I also think that this belongs to a separate library, especially in the absence of a standard.
Blobcrypt has its own construction and was more designed for encrypted filesystems, so a different project specifically for streaming would be a better fit. Blobcrypt's API can be reused, though.