Currently the `Encryptor` and `Decryptor` accept an explicit nonce, which is 64-bit or 56-bit when used with IETF AEADs that use 96-bit nonces. This is too small to safely expose a `generate_nonce` function which generates a random nonce, but we also don't provide any additional tools for helping simplify STREAM setup.
Google's Tink library uses HKDF to derive a unique key per STREAM from the combination of some input key material and a STREAM-specific nonce (notably also generating random nonces for you).
This paper analyzes Tink's construction and suggests more parsimonious constructions which can e.g. reuse symmetric encryption primitives rather than using HKDF: https://eprint.iacr.org/2020/1019.pdf
We should probably adopt one or more of these approaches for simplifying STREAM setup. The `tink-streaming-aead` crate could provide some inspiration, and if we do go with HKDF, ideally it would be implemented in a Tink-compatible manner where that crate could leverage our upstream implementation.
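A sketch of the HKDF approach the issue describes, added here as an illustration and not taken from the issue, this project, or Tink: each STREAM gets a fresh random salt and 56-bit nonce prefix, and the AEAD key is derived per stream, so a repeated prefix no longer means a repeated (key, nonce) pair. The function names, the 32-byte key, the salt length equal to the key length, the use of the associated data as the HKDF `info` input, and the prefix/counter/flag nonce layout are assumptions of this sketch; it uses only the Python standard library, so no AEAD call is made and no Tink-compatible header is produced.

```python
import hashlib
import hmac
import os
import struct

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK, then expand to `length` bytes."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 255 blocks")
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def new_stream(ikm: bytes, aad: bytes, key_len: int = 32, prefix_len: int = 7):
    """Encryptor side (hypothetical helper): random salt and nonce prefix, derived key.
    The salt and prefix are public and would travel in the stream header."""
    salt, prefix = os.urandom(key_len), os.urandom(prefix_len)
    return salt, prefix, hkdf_sha256(ikm, salt, aad, key_len)

def open_stream(ikm: bytes, aad: bytes, salt: bytes) -> bytes:
    """Decryptor side (hypothetical helper): re-derive the stream key from the salt."""
    return hkdf_sha256(ikm, salt, aad, len(salt))

def segment_nonce(prefix: bytes, counter: int, last: bool) -> bytes:
    """96-bit nonce: 56-bit prefix || 32-bit big-endian counter || last-segment flag.
    struct.pack raises if the counter no longer fits in 32 bits."""
    if len(prefix) != 7:
        raise ValueError("expected a 7-byte (56-bit) prefix")
    return prefix + struct.pack(">IB", counter, 1 if last else 0)

def collision_bound(random_bits: int, streams: int) -> float:
    """Birthday (union) bound on any two streams drawing the same random value."""
    return min(1.0, streams * (streams - 1) / 2 ** (random_bits + 1))

if __name__ == "__main__":
    ikm, aad = os.urandom(32), b"constructed-example-aad"  # constructed sample inputs
    salt, prefix, key = new_stream(ikm, aad)
    assert open_stream(ikm, aad, salt) == key
    print("nonce[0]    :", segment_nonce(prefix, 0, False).hex())
    print("nonce[last] :", segment_nonce(prefix, 1, True).hex())
    # Random 56-bit prefix under one fixed key vs. 256-bit salt + 56-bit prefix
    print("2^28 streams, fixed key  :", collision_bound(56, 2**28))
    print("2^28 streams, derived key:", collision_bound(256 + 56, 2**28))
```

The two bounds printed at the end show the gap the issue points at: with a single long-lived key, random 56-bit prefixes reach a collision bound of about one half at 2^28 streams, while a collision on both the salt and the prefix stays negligible.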