- use HKDF for producing keys, nonces
- add running HMAC of plaintext; sender-sign the HMAC as trailer
- use header checksum as "salt" for data encryption keys, nonces
- generate explicit nonce for wrapping root keys for each recipient
  (previous impl had brittleness)
- AEAD nonce construction is efficient (replace last 8 bytes of salt
  with encoded block# and chunk-size)
- increase AEAD nonce size to 32 bytes
- refactor errors into a separate file
- update "build" to latest version
- updated README.
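
The key and nonce derivation listed in this commit message, as an added Python sketch that is not the project's own code. SHA-256, the 32-byte key size, the HKDF info label, and the layout of the last 8 nonce bytes (two big-endian uint32 values) are assumptions; the inputs in `demo()` are constructed.

```python
import hashlib
import hmac
import struct

KEY_LEN = 32    # assumed data-key size
NONCE_LEN = 32  # AEAD nonce size stated in the commit message


def hkdf_sha256(ikm, salt, info, length):
    """HKDF per RFC 5869: extract a PRK from ikm, expand it to `length` bytes."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, 256):
        if len(okm) >= length:
            break
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_stream_params(root_key, header_checksum):
    """Return (data_key, nonce_salt); the header checksum is the HKDF salt,
    so any change to the header yields unrelated keys and nonces."""
    okm = hkdf_sha256(root_key, header_checksum, b"example: data key + nonce",
                      KEY_LEN + NONCE_LEN)  # info label is an assumption
    return okm[:KEY_LEN], okm[KEY_LEN:]


def chunk_nonce(nonce_salt, block_no, chunk_size):
    """Per-chunk nonce: keep the salt's first 24 bytes, overwrite the last 8
    with block number and chunk size (assumed layout: two big-endian uint32)."""
    if len(nonce_salt) != NONCE_LEN:
        raise ValueError("nonce salt must be 32 bytes")
    # struct.pack raises struct.error if either value does not fit in 32 bits,
    # which prevents a silently wrapped (repeated) nonce.
    return nonce_salt[:-8] + struct.pack(">II", block_no, chunk_size)


def demo():
    root_key = bytes(range(32))                                # constructed
    checksum = hashlib.sha256(b"constructed header").digest()  # constructed
    key, salt = derive_stream_params(root_key, checksum)
    return key, salt, [chunk_nonce(salt, i, 65536) for i in range(3)]


if __name__ == "__main__":
    for n in demo()[2]:
        print(n.hex())
```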