paulmillr / noble-ciphers

Auditable & minimal JS implementation of Salsa20, ChaCha and AES
https://paulmillr.com/noble
MIT License

Add more algorithms: ascon, aegis, eme, rijndael-256, aes-kw #12

Open paulmillr opened 9 months ago

paulmillr commented 9 months ago
  1. Ascon won the NIST lightweight cryptography contest ^1
  2. Aegis is an AES-based cipher present in Linux, Zig, libsodium ^2
  3. EME (ECB-Mix-ECB or, clearer, Encrypt-Mix-Encrypt) is a wide-block encryption mode developed by Halevi and Rogaway in 2003 eme. The reference link is also from an implementation in Go.
    • It's parallelizable. And it's used in rclone for the crypt backend. A personal reason is that I'm porting rclone to Web/Deno so having a professional implementation would be much better than my own.
    • Seems to be abandoned
  4. Rijndael-256. The confidentiality of AES-GCM is far below 128-bit security ^3. The confidentiality advantage for an attacker is < $\sigma^2/2^{129}$, where $\sigma$ is the number of encrypted 128-bit chunks. Rijndael is to AES what Keccak is to SHA3: the previous, unstandardized version. The idea is to support 256-bit blocks instead of the 128-bit blocks of AES.
  5. AES Key Wrap rfc3394

It's unclear if any of these algorithms are actually worth implementing in noble.

mirceanis commented 1 week ago

➕ 💯 for AESKW

That would allow me to greatly simplify the dependencies in several projects I maintain, where I have to use a very heavy isomorphic-webcrypto otherwise.