add trait for length-preserving encryption

[ericlagergren]

Sort of similar to #177 and RustCrypto/block-ciphers#48, but for tweakable SPRPs like HCTR2.

If accepted, I can provide an implementation of HCTR2.

Sample API, trait names are TBD:

pub trait Lpe {
    /// Encrypts `src` into `dst` using `tweak`
    ///
    /// In is an error if `dst` is not at least as long as `src` or if either are less
    /// than [`BLOCK_SIZE`] bytes long.
    fn seal(&self, dst: &mut [u8], src: &[u8], tweak: &[u8]) -> Result<(), Error> {
        if dst.len() < src.len() { ... }
        dst[..src.len()].copy_from_slice(src);
        match self.seal_in_place(dst, tweak) {
            Ok(()) => Ok(()),
            Err(err) => {
                    // This isn't strictly necessary, but there isn't any
                    // harm in doing it.
                    dst[..src.len()].zeroize();
                    Err(err)
            }
        }
    }

    fn open(&self, dst: &mut [u8], src: &[u8], tweak: &[u8]) -> Result<(), Error> {
         // etc
    }

    fn seal_in_place(&self, data: &mut [u8], tweak: &[u8]) -> Result<(), Error>;
    fn open_in_place(&self, data: &mut [u8], tweak: &[u8]) -> Result<(), Error>;
}
pub trait LpeMut { ... }

Some thoughts:

1. I don't like how the API returns a Result, but I'm not sure how else to express that there must be at least one block of plaintext without requiring Block, panicking, or a lot of typenum gymnastics.
2. I don't know if all LPE algorithms require the length of the plaintext to be at least one block, but I assume most do.
3. seal and open aren't strictly necessary, but encrypting from src to dst is very common and it would be a shame if doing that always required copying the entire input.