Add an RFC 8439-compliant ChaCha implementation #1

Open
kernelmethod opened this issue May 11, 2022 · 0 comments
@kernelmethod
Owner

ChaChaStream and CUDAChaChaStream both use the original implementation of ChaCha, which has a 64-bit nonce and 64-bit counter. In contrast, IETF RFC 8439 specifies that ChaCha should use a 96-bit nonce and 32-bit counter.

For CRNG purposes, the original construction makes a little more sense. A 32-bit counter only allows you to generate 256 GiB of random data before rotating the nonce, while a 64-bit counter generates 1 ZiB, which is large enough to effectively be ignored for most use cases. Nonetheless, it would be useful for us to include an RFC 8439-compliant implementation of the cipher since it's the more common version due to its usage in ChaCha20-Poly1305.

The easiest way to do this might be to add an abstract type that holds a combined nonce + counter and exposes an interface for using it in the initial ChaCha state and for incrementing it. We could then dispatch on the nonce type to support either a 64-bit nonce + 64-bit counter or 96-bit nonce + 32-bit counter. This might also make it easier to add XChaCha20 later.

@kernelmethod kernelmethod added the enhancement New feature or request label May 11, 2022
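
A sketch of the nonce + counter abstraction proposed in the issue, added here as an illustration and not taken from the project's code. All type and function names (`AbstractNonceCounter`, `DJBNonceCounter`, `IETFNonceCounter`, `state_words`, `increment`, `keystream_limit`) are hypothetical; the sample nonce and counter are the ones from the RFC 8439 section 2.3.2 block-function example.

```julia
# Hypothetical names throughout; this is not the package's API.
abstract type AbstractNonceCounter end

# Original ChaCha: 64-bit block counter (state words 12-13), 64-bit nonce (words 14-15).
struct DJBNonceCounter <: AbstractNonceCounter
    counter::UInt64
    nonce::NTuple{2,UInt32}
end

# RFC 8439: 32-bit block counter (state word 12), 96-bit nonce (words 13-15).
struct IETFNonceCounter <: AbstractNonceCounter
    counter::UInt32
    nonce::NTuple{3,UInt32}
end

# Words 12..15 of the initial ChaCha state, selected by dispatch on the type.
state_words(nc::DJBNonceCounter) =
    (nc.counter % UInt32, (nc.counter >> 32) % UInt32, nc.nonce[1], nc.nonce[2])
state_words(nc::IETFNonceCounter) =
    (nc.counter, nc.nonce[1], nc.nonce[2], nc.nonce[3])

# Advance by one 64-byte block. A wrapped counter would repeat keystream under
# the same key and nonce, so exhaustion is an error, never a silent wrap.
function increment(nc::T) where {T<:AbstractNonceCounter}
    C = typeof(nc.counter)
    nc.counter == typemax(C) &&
        throw(OverflowError("block counter exhausted; rotate the nonce"))
    return T(nc.counter + one(C), nc.nonce)
end

# Bytes of keystream available before the nonce has to change.
keystream_limit(nc::AbstractNonceCounter) =
    (big(typemax(typeof(nc.counter))) + 1) * 64

# RFC 8439 section 2.3.2 input: counter = 1, nonce = 00 00 00 09 00 00 00 4a 00 00 00 00.
ietf = IETFNonceCounter(0x00000001, (0x09000000, 0x4a000000, 0x00000000))
@assert state_words(ietf) == (0x00000001, 0x09000000, 0x4a000000, 0x00000000)
@assert keystream_limit(ietf) == big(2)^38            # 256 GiB

# Constructed input: the 64-bit counter carries from word 12 into word 13.
djb = increment(DJBNonceCounter(0x00000000ffffffff, (0x09000000, 0x4a000000)))
@assert state_words(djb) == (0x00000000, 0x00000001, 0x09000000, 0x4a000000)
@assert keystream_limit(djb) == big(2)^70             # 1 ZiB

# The 32-bit counter refuses to wrap at its last block.
last_block = IETFNonceCounter(typemax(UInt32), ietf.nonce)
@assert try increment(last_block); false catch e; e isa OverflowError end
```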