tink-java
StreamingAEAD implementations don’t meet documented security goal
The description of the StreamingAEAD primitive says that all implementations are OAE2-secure, but the implementation is of the STREAM construction that is only nOAE-secure (from section 7 “Weakening OAE2” of the linked paper).
The CHAIN construction in section 6 of the same paper does achieve OAE2 security, but only if the underlying AEAD is a pseudorandom injection such as SIV mode or AEZ. IMO you should treat this as a docs bug and relax the security goal to nOAE rather than changing the implementation.
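The following is an added illustration of the nOAE/OAE2 gap the report is about; it is not code from the issue, from Tink, or from the paper. It models the one situation OAE2 covers and nOAE does not, a repeated nonce, with toy HMAC-based primitives: a CTR/GCM-style nonce-based AEAD, an SIV-style AEAD standing in for a pseudorandom injection, the STREAM segment-nonce layout (nonce prefix, segment counter, last-segment flag), and a simplified chaining construction in the spirit of CHAIN (the previous ciphertext segment is folded into the next segment's nonce; this is an approximation of the paper's scheme, not a transcription of it). The key, nonces and plaintexts are constructed sample values, and nothing here is a statement about how Tink actually generates nonces.

```python
import hashlib
import hmac

SEG = 16   # toy segment size (bytes)
TAG = 16   # toy tag / synthetic-IV length (bytes)


def prf(key: bytes, *parts: bytes) -> bytes:
    """Toy PRF: HMAC-SHA256 over length-prefixed parts (illustration only)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream derived from (key, iv); same iv -> same stream."""
    out, ctr = b"", 0
    while len(out) < n:
        out += prf(key, b"ks", iv, ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_aead(key, nonce, ad, msg):
    """Toy nonce-based AEAD in the CTR/GCM style (encrypt-then-MAC).
    The keystream depends only on the nonce, so a repeated nonce repeats it."""
    ct = xor(msg, keystream(key, nonce, len(msg)))
    return ct + prf(key, b"mac", nonce, ad, ct)[:TAG]


def siv_aead(key, nonce, ad, msg):
    """Toy SIV-style AEAD: the IV is a PRF of nonce, AD and the whole message,
    so it behaves like a pseudorandom injection: identical inputs give identical
    output, any change gives an unrelated output."""
    siv = prf(key, b"siv", nonce, ad, msg)[:TAG]
    return siv + xor(msg, keystream(key, siv, len(msg)))


def segments(msg: bytes):
    return [msg[i:i + SEG] for i in range(0, len(msg), SEG)]


def stream(aead, key, nonce, msg):
    """STREAM: segment i is encrypted under nonce (N, i, last-flag); segments
    do not depend on one another."""
    segs = segments(msg)
    return [aead(key, nonce + i.to_bytes(4, "big") + bytes([i == len(segs) - 1]), b"", m)
            for i, m in enumerate(segs)]


def chain(aead, key, nonce, msg):
    """CHAIN-style chaining (toy approximation, not the paper's exact scheme):
    the previous ciphertext segment is folded into the next segment's nonce, so
    a difference anywhere propagates to every later segment."""
    segs, out, prev = segments(msg), [], b""
    for i, m in enumerate(segs):
        seg_nonce = prf(key, b"chain", nonce, prev, bytes([i == len(segs) - 1]))[:TAG]
        prev = aead(key, seg_nonce, b"", m)
        out.append(prev)
    return out


def compare(construct, aead, key, n1, n2, m1, m2):
    """Encrypt m1 under n1 and m2 under n2, then classify each segment position:
    'equal' -> identical ciphertext segment (position-wise equality leaks),
    'xor'   -> XOR of the two plaintext segments is readable off the ciphertext,
    'none'  -> the ciphertext segments are unrelated."""
    c1, c2 = construct(aead, key, n1, m1), construct(aead, key, n2, m2)
    report = []
    for a, b, p, q in zip(c1, c2, segments(m1), segments(m2)):
        if a == b:
            report.append("equal")
        elif xor(a[:SEG], b[:SEG]) == xor(p, q):
            report.append("xor")
        else:
            report.append("none")
    return report


if __name__ == "__main__":
    key, n = b"k" * 32, b"n" * 8                              # constructed sample key/nonce
    m1 = b"A" * SEG + b"B" * SEG + b"C" * SEG + b"D" * SEG    # constructed plaintexts
    m2 = b"A" * SEG + b"X" * SEG + b"C" * SEG + b"D" * SEG
    print("STREAM/CTR, nonce reused :", compare(stream, ctr_aead, key, n, n, m1, m2))
    print("STREAM/SIV, nonce reused :", compare(stream, siv_aead, key, n, n, m1, m2))
    print("CHAIN/SIV,  nonce reused :", compare(chain, siv_aead, key, n, n, m1, m2))
    print("STREAM/CTR, fresh nonces :", compare(stream, ctr_aead, key, n, b"m" * 8, m1, m2))
```

With fresh nonces STREAM leaks nothing at any position, which is the nOAE situation. Once a nonce repeats, STREAM over a CTR-style AEAD hands the attacker the XOR of the differing plaintext segments and reveals equality at every later position; STREAM over an SIV-style AEAD still reveals position-wise equality after the streams diverge; only the chained construction over the SIV-style AEAD confines the leakage to the common prefix, which is the OAE2 ideal (an online injection) and matches the report's point that CHAIN over a pseudorandom injection is what OAE2 requires.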