- use HKDF for producing keys, nonces
- add running hmac of plaintext; sender-sign the hmac as trailer
- use header checksum as "salt" for data encryption keys, nonces
- generate explicit nonce for wrapping root keys for each recipient
(previous impl had brittleness)
* Sender identity is never shared in the encrypted payload
* Sender signs the data-encryption key via Ed25519 if sender-auth is
desired; else a "signature" of all zeroes is used. In either case, this
signature is encrypted with the same data-encryption key.
* cleaned up stale code and updated tests
* all encryption now uses ephemeral curve25519 keys
* sender can identify themselves by providing a signing key
* sign/verify now uses a string prefix for calculating checksum of the
incoming message + known prefix [prevents us from verifying unknown
blobs]
* encrypt/decrypt key is now expanded with a known prefix _and_ the
header checksum
* protobuf definition changed to include an encrypted sender
identification blob (sender public key)
* moved protobuf files into an internal/pb directory
* general code rearrangement to make it easy to find files
* added extra validation for reading all keys
* bumped version to 1.0.0