From 1e8c539dba28f730ba01458bc4c8475a1cfc642f Mon Sep 17 00:00:00 2001
From: root <sina@snix.ir>
Date: Sun, 24 Jul 2022 04:38:03 +0000
Subject: git add files

---
 Readme.md                        |   73 ++
 _example/Readme.md               |   14 +
 _example/file_encrypt/main.go    |  134 ++
 _example/file_encrypt/plain.txt  | 2522 ++++++++++++++++++++++++++++++++++++++
 _example/secure_conn/main.go     |  138 +++
 _example/secure_conn/secure_conn |  Bin 0 -> 2686633 bytes
 aead_test.go                     |  412 +++++++
 applap.go                        |   18 +
 chunk.go                         |  214 ++++
 chunkio.png                      |  Bin 0 -> 23961 bytes
 cipher.go                        |  128 ++
 cover.html                       |  782 ++++++++++++
 cover.out                        |  150 +++
 genlap.go                        |   18 +
 go.mod                           |   10 +
 go.sum                           |    6 +
 helper.go                        |   35 +
 ioaead.go                        |  268 ++++
 seal.png                         |  Bin 0 -> 34976 bytes
 19 files changed, 4922 insertions(+)
 create mode 100644 Readme.md
 create mode 100644 _example/Readme.md
 create mode 100644 _example/file_encrypt/main.go
 create mode 100644 _example/file_encrypt/plain.txt
 create mode 100644 _example/secure_conn/main.go
 create mode 100755 _example/secure_conn/secure_conn
 create mode 100644 aead_test.go
 create mode 100644 applap.go
 create mode 100644 chunk.go
 create mode 100644 chunkio.png
 create mode 100644 cipher.go
 create mode 100644 cover.html
 create mode 100644 cover.out
 create mode 100644 genlap.go
 create mode 100644 go.mod
 create mode 100644 go.sum
 create mode 100644 helper.go
 create mode 100644 ioaead.go
 create mode 100644 seal.png

diff --git a/Readme.md b/Readme.md
new file mode 100644
index 0000000..8b3336e
--- /dev/null
+++ b/Readme.md
@@ -0,0 +1,73 @@
+# rabaead
+rabbit128 poly1305 aead cipher package for golang, this package implement aead (authenticated encryption with associated data) cipher
+with associated io chunk and io stream interfaces.
+
+### aead methods:
+- **seal**: seals a plaintext into the rabbit aead ciphertext. **panic** occurs if nonce len is not equal to IVXLen (8byte) or zero
+- **open**: opens a rabbit aead ciphertext. **panic** occurs if nonce len is not equal to IVXLen (8byte) or zero
+
+<p align="center">
+   <img src="seal.png" alt="seal"/>
+</p>
+
+
+
+### io interfaces:  
+- **chunkReader**: read and open() data in chunks, there is 8byte + 16byte overhead per chunk. read data can be used safely. this reader has a chunk size in-memory buffer, large chunk size can make application to runs out of memory, thus this is most suitable for sliced data, like network data transmit and so..
+
+- **chunkReader**: seal() and write data in chunks, there is 8byte + 16byte overhead per chunk. this writer has a chunk size in-memory buffer, large chunk size can make application to runs out of memory, thus this is most suitable for sliced data, like network data transmit and so..
+<p align="center">
+   <img src="chunkio.png" alt="chunkio"/>
+</p>
+
+- **streamReader**: this reader open() and read aead ciphertext which have 16-byte poly1305 tag overhead. **read data is unreliable until underlying reader returns EOF**, after that Read return EOF or ErrAuthMsg if integrity of data has been compromised. in such a case, you need to unread data. a simple demonstration would be to delete or truncate the file if ErrAuthMsg is returned
+
+
+- **streamWriter**: this writer seal() and write aead plaintext which have 16-byte poly1305 tag overhead, running Close() is necessary in order to calculate and write tag at the end of the write.
+
+
+### how to use?
+rabaead lives on both [github](github.com/sina-ghaderi/rabaead) and [snix](git.snix.ir/rabaead) git services, you can simply import this package 
+by using either `import "snix.ir/rabaead"` or `import "github.com/sina-ghaderi/rabaead"`
+
+
+### examples
+check out [_example](_example) directory which contains real-world use cases of rabaead cipher, in addition you may want to look at test unit files.  
+
+```go
+// aead open() and seal() methods
+func rabbitPoly1305() {
+	key := []byte{
+		0x01, 0x01, 0x01, 0x01,
+		0x01, 0x01, 0x01, 0x01,
+		0x01, 0x01, 0x01, 0x01,
+		0x01, 0x01, 0x01, 0x01,
+	}
+	ivx := []byte{
+		0x01, 0x01, 0x01, 0x01,
+		0x01, 0x01, 0x01, 0x01,
+	}
+	buff := []byte("plain-text")
+	aead, err := rabaead.NewAEAD(key)
+	if err != nil {
+		panic(err)
+	}
+	ctxt := aead.Seal([]byte{}, ivx, buff, nil)
+	fmt.Printf("aead data: %x\n", ctxt)
+	ptxt, err := aead.Open([]byte{}, ivx, ctxt, nil)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("plaintext: %s\n", string(ptxt))
+}
+
+```
+
+### licence and contribute
+feel free to email me sina@snix.ir if you want to contribute to this project.
+GNU General Public [License](LICENSE) v3
+
+
+
+
+
diff --git a/_example/Readme.md b/_example/Readme.md
new file mode 100644
index 0000000..3f96563
--- /dev/null
+++ b/_example/Readme.md
@@ -0,0 +1,14 @@
+### file encrypt
+a simple tool to encrypt or decrypt files with rabbit poly1305 aead cipher, working on linux only. 
+windows users can modify [main.go](_example/file_encrypt/main.go) file and remove [unlink()](https://man7.org/linux/man-pages/man2/unlink.2.html) syscall, then run `go build` to build the binary
+
+usage encrypt: `./file_encrypt encrypt -key sina1234sina1234 -ivx abcd1234 -file plain.txt`  
+usage decrypt: `./file_encrypt decrypt -key sina1234sina1234 -ivx abcd1234 -file enc_plain.txt`  
+
+
+
+### secure conn
+secure net transmit data with rabbit poly1305 aead cipher, execute `go build` to build the binary. server write its own time on client connection
+encrypted with chunkWriter, and client reads cipherdata from connection with chunkReader  
+server: `./secure_conn server -key sina1234sina1234 -ivx abcd1234 -net 127.0.0.1:7894`  
+client: `./secure_conn client -key sina1234sina1234 -ivx abcd1234 -net 127.0.0.1:7894`
diff --git a/_example/file_encrypt/main.go b/_example/file_encrypt/main.go
new file mode 100644
index 0000000..c83cd8a
--- /dev/null
+++ b/_example/file_encrypt/main.go
@@ -0,0 +1,134 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"strings"
+
+	"golang.org/x/sys/unix"
+	"snix.ir/rabaead"
+)
+
+const prefix = "enc_"
+
+func main() {
+	encFlag := flag.NewFlagSet("encrypt", flag.ExitOnError)
+	decFlag := flag.NewFlagSet("decrypt", flag.ExitOnError)
+	flag.Usage = flagUsage
+	if len(os.Args) < 2 {
+		flag.Usage()
+		os.Exit(1)
+	}
+
+	switch os.Args[1] {
+	case "encrypt":
+		encrypt(encFlag)
+	case "decrypt":
+		decrypt(decFlag)
+	default:
+		flag.Usage()
+		os.Exit(1)
+	}
+}
+
+func encrypt(flagset *flag.FlagSet) {
+	plain := flagset.String("file", "plain.txt", "file to encrypt with RabbitPoly1305 aead")
+	keyva := flagset.String("key", "", "rabbit key string, must be 16-byte len")
+	ivxva := flagset.String("ivx", "", "rabbit iv string, must be 8-byte or nothing")
+	flagset.Parse(os.Args[2:])
+
+	file, err := os.Open(*plain)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	defer file.Close()
+
+	dest, err := os.OpenFile(prefix+file.Name(), os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0644)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	defer dest.Close()
+
+	cipw, err := rabaead.NewStreamWriter(dest, []byte(*keyva), []byte(*ivxva), nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	n, err := io.Copy(cipw, file)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// calc and write poly1305 tag at the end of write
+	if err := cipw.Close(); err != nil {
+		log.Fatal(err)
+	}
+
+	if err := unix.Unlink(file.Name()); err != nil {
+		log.Printf("syscall unlink(): %v", err)
+	}
+
+	log.Printf("file %s encrypted to %s, bytes written: %d", file.Name(), dest.Name(), n)
+}
+
+func decrypt(flagset *flag.FlagSet) {
+	dectx := flagset.String("file", "enc_plain.txt", "file to decrypt with RabbitPoly1305 aead")
+	keyva := flagset.String("key", "", "rabbit key string, must be 16-byte len")
+	ivxva := flagset.String("ivx", "", "rabbit iv string, must be 8-byte or nothing")
+	flagset.Parse(os.Args[2:])
+
+	file, err := os.Open(*dectx)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	defer file.Close()
+
+	name := strings.TrimPrefix(file.Name(), prefix)
+
+	dest, err := os.OpenFile(name, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0644)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	defer dest.Close()
+
+	cipr, err := rabaead.NewStreamReader(file, []byte(*keyva), []byte(*ivxva), nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	n, err := io.Copy(dest, cipr)
+	if err != nil {
+		if err := unix.Unlink(dest.Name()); err != nil {
+			log.Printf("syscall unlink(): %v", err)
+		}
+		log.Fatal(err)
+	}
+
+	if err := unix.Unlink(file.Name()); err != nil {
+		log.Printf("syscall unlink(): %v", err)
+	}
+
+	log.Printf("file %s encrypted to %s, bytes written: %d", file.Name(), dest.Name(), n)
+}
+
+func flagUsage() {
+	fmt.Printf(`usage of %v: commands <args...|help>
+commands:
+
+   encrypt <args...>     encrypt files with rabbit poly1305 aead cipher
+   decrypt <args...>     decrypt files with rabbit poly1305 aead cipher
+
+
+Copyright (c) 2022 snix.ir, All rights reserved.
+Developed BY <Sina Ghaderi> sina@snix.ir
+This work is licensed under the terms of GNU General Public license.
+Github: github.com/sina-ghaderi and Source: git.snix.ir
+`, os.Args[0])
+}
diff --git a/_example/file_encrypt/plain.txt b/_example/file_encrypt/plain.txt
new file mode 100644
index 0000000..4aadbd1
--- /dev/null
+++ b/_example/file_encrypt/plain.txt
@@ -0,0 +1,2522 @@
+
+
+
+
+
+
+Internet Research Task Force (IRTF)                               Y. Nir
+Request for Comments: 7539                                   Check Point
+Category: Informational                                       A. Langley
+ISSN: 2070-1721                                             Google, Inc.
+                                                                May 2015
+
+
+                ChaCha20 and Poly1305 for IETF Protocols
+
+Abstract
+
+   This document defines the ChaCha20 stream cipher as well as the use
+   of the Poly1305 authenticator, both as stand-alone algorithms and as
+   a "combined mode", or Authenticated Encryption with Associated Data
+   (AEAD) algorithm.
+
+   This document does not introduce any new crypto, but is meant to
+   serve as a stable reference and an implementation guide.  It is a
+   product of the Crypto Forum Research Group (CFRG).
+
+Status of This Memo
+
+   This document is not an Internet Standards Track specification; it is
+   published for informational purposes.
+
+   This document is a product of the Internet Research Task Force
+   (IRTF).  The IRTF publishes the results of Internet-related research
+   and development activities.  These results might not be suitable for
+   deployment.  This RFC represents the consensus of the Crypto Forum
+   Research Group of the Internet Research Task Force (IRTF).  Documents
+   approved for publication by the IRSG are not a candidate for any
+   level of Internet Standard; see Section 2 of RFC 5741.
+
+   Information about the current status of this document, any errata,
+   and how to provide feedback on it may be obtained at
+   http://www.rfc-editor.org/info/rfc7539.
+
+Copyright Notice
+
+   Copyright (c) 2015 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (http://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+   carefully, as they describe your rights and restrictions with respect
+   to this document.
+
+
+
+Nir & Langley                 Informational                     [Page 1]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+Table of Contents
+
+   1. Introduction ....................................................3
+      1.1. Conventions Used in This Document ..........................4
+   2. The Algorithms ..................................................4
+      2.1. The ChaCha Quarter Round ...................................4
+           2.1.1. Test Vector for the ChaCha Quarter Round ............5
+      2.2. A Quarter Round on the ChaCha State ........................5
+           2.2.1. Test Vector for the Quarter Round on the
+                  ChaCha State ........................................6
+      2.3. The ChaCha20 Block Function ................................6
+           2.3.1. The ChaCha20 Block Function in Pseudocode ...........8
+           2.3.2. Test Vector for the ChaCha20 Block Function .........9
+      2.4. The ChaCha20 Encryption Algorithm .........................10
+           2.4.1. The ChaCha20 Encryption Algorithm in Pseudocode ....11
+           2.4.2. Example and Test Vector for the ChaCha20 Cipher ....11
+      2.5. The Poly1305 Algorithm ....................................13
+           2.5.1. The Poly1305 Algorithms in Pseudocode ..............15
+           2.5.2. Poly1305 Example and Test Vector ...................15
+      2.6. Generating the Poly1305 Key Using ChaCha20 ................17
+           2.6.1. Poly1305 Key Generation in Pseudocode ..............18
+           2.6.2. Poly1305 Key Generation Test Vector ................18
+      2.7. A Pseudorandom Function for Crypto Suites based on
+           ChaCha/Poly1305 ...........................................18
+      2.8. AEAD Construction .........................................19
+           2.8.1. Pseudocode for the AEAD Construction ...............21
+           2.8.2. Example and Test Vector for
+                  AEAD_CHACHA20_POLY1305 .............................22
+   3. Implementation Advice ..........................................24
+   4. Security Considerations ........................................24
+   5. IANA Considerations ............................................26
+   6. References .....................................................26
+      6.1. Normative References ......................................26
+      6.2. Informative References ....................................26
+   Appendix A. Additional Test Vectors ...............................29
+     A.1. The ChaCha20 Block Functions ...............................29
+     A.2. ChaCha20 Encryption ........................................32
+     A.3. Poly1305 Message Authentication Code .......................34
+     A.4. Poly1305 Key Generation Using ChaCha20 .....................40
+     A.5. ChaCha20-Poly1305 AEAD Decryption ..........................41
+   Appendix B. Performance Measurements of ChaCha20 ..................44
+   Acknowledgements ..................................................45
+   Authors' Addresses ................................................45
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                     [Page 2]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+1.  Introduction
+
+   The Advanced Encryption Standard (AES -- [FIPS-197]) has become the
+   gold standard in encryption.  Its efficient design, widespread
+   implementation, and hardware support allow for high performance in
+   many areas.  On most modern platforms, AES is anywhere from four to
+   ten times as fast as the previous most-used cipher, Triple Data
+   Encryption Standard (3DES -- [SP800-67]), which makes it not only the
+   best choice, but the only practical choice.
+
+   There are several problems with this.  If future advances in
+   cryptanalysis reveal a weakness in AES, users will be in an
+   unenviable position.  With the only other widely supported cipher
+   being the much slower 3DES, it is not feasible to reconfigure
+   deployments to use 3DES.  [Standby-Cipher] describes this issue and
+   the need for a standby cipher in greater detail.  Another problem is
+   that while AES is very fast on dedicated hardware, its performance on
+   platforms that lack such hardware is considerably lower.  Yet another
+   problem is that many AES implementations are vulnerable to cache-
+   collision timing attacks ([Cache-Collisions]).
+
+   This document provides a definition and implementation guide for
+   three algorithms:
+
+   1.  The ChaCha20 cipher.  This is a high-speed cipher first described
+       in [ChaCha].  It is considerably faster than AES in software-only
+       implementations, making it around three times as fast on
+       platforms that lack specialized AES hardware.  See Appendix B for
+       some hard numbers.  ChaCha20 is also not sensitive to timing
+       attacks (see the security considerations in Section 4).  This
+       algorithm is described in Section 2.4
+
+   2.  The Poly1305 authenticator.  This is a high-speed message
+       authentication code.  Implementation is also straightforward and
+       easy to get right.  The algorithm is described in Section 2.5.
+
+   3.  The CHACHA20-POLY1305 Authenticated Encryption with Associated
+       Data (AEAD) construction, described in Section 2.8.
+
+   This document does not introduce these new algorithms for the first
+   time.  They have been defined in scientific papers by
+   D. J. Bernstein, which are referenced by this document.  The purpose
+   of this document is to serve as a stable reference for IETF documents
+   making use of these algorithms.
+
+   These algorithms have undergone rigorous analysis.  Several papers
+   discuss the security of Salsa and ChaCha ([LatinDances],
+   [LatinDances2], [Zhenqing2012]).
+
+
+
+Nir & Langley                 Informational                     [Page 3]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   This document represents the consensus of the Crypto Forum Research
+   Group (CFRG).
+
+1.1.  Conventions Used in This Document
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+   The description of the ChaCha algorithm will at various time refer to
+   the ChaCha state as a "vector" or as a "matrix".  This follows the
+   use of these terms in Professor Bernstein's paper.  The matrix
+   notation is more visually convenient and gives a better notion as to
+   why some rounds are called "column rounds" while others are called
+   "diagonal rounds".  Here's a diagram of how the matrices relate to
+   vectors (using the C language convention of zero being the index
+   origin).
+
+      0   1   2   3
+      4   5   6   7
+      8   9  10  11
+     12  13  14  15
+
+   The elements in this vector or matrix are 32-bit unsigned integers.
+
+   The algorithm name is "ChaCha".  "ChaCha20" is a specific instance
+   where 20 "rounds" (or 80 quarter rounds -- see Section 2.1) are used.
+   Other variations are defined, with 8 or 12 rounds, but in this
+   document we only describe the 20-round ChaCha, so the names "ChaCha"
+   and "ChaCha20" will be used interchangeably.
+
+2.  The Algorithms
+
+   The subsections below describe the algorithms used and the AEAD
+   construction.
+
+2.1.  The ChaCha Quarter Round
+
+   The basic operation of the ChaCha algorithm is the quarter round.  It
+   operates on four 32-bit unsigned integers, denoted a, b, c, and d.
+   The operation is as follows (in C-like notation):
+
+   1.  a += b; d ^= a; d <<<= 16;
+   2.  c += d; b ^= c; b <<<= 12;
+   3.  a += b; d ^= a; d <<<= 8;
+   4.  c += d; b ^= c; b <<<= 7;
+
+
+
+
+
+Nir & Langley                 Informational                     [Page 4]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   Where "+" denotes integer addition modulo 2^32, "^" denotes a bitwise
+   Exclusive OR (XOR), and "<<< n" denotes an n-bit left rotation
+   (towards the high bits).
+
+   For example, let's see the add, XOR, and roll operations from the
+   fourth line with sample numbers:
+
+   o  a = 0x11111111
+   o  b = 0x01020304
+   o  c = 0x77777777
+   o  d = 0x01234567
+   o  c = c + d = 0x77777777 + 0x01234567 = 0x789abcde
+   o  b = b ^ c = 0x01020304 ^ 0x789abcde = 0x7998bfda
+   o  b = b <<< 7 = 0x7998bfda <<< 7 = 0xcc5fed3c
+
+2.1.1.  Test Vector for the ChaCha Quarter Round
+
+   For a test vector, we will use the same numbers as in the example,
+   adding something random for c.
+
+   o  a = 0x11111111
+   o  b = 0x01020304
+   o  c = 0x9b8d6f43
+   o  d = 0x01234567
+
+   After running a Quarter Round on these four numbers, we get these:
+
+   o  a = 0xea2a92f4
+   o  b = 0xcb1cf8ce
+   o  c = 0x4581472e
+   o  d = 0x5881c4bb
+
+2.2.  A Quarter Round on the ChaCha State
+
+   The ChaCha state does not have four integer numbers: it has 16.  So
+   the quarter-round operation works on only four of them -- hence the
+   name.  Each quarter round operates on four predetermined numbers in
+   the ChaCha state.  We will denote by QUARTERROUND(x,y,z,w) a quarter-
+   round operation on the numbers at indices x, y, z, and w of the
+   ChaCha state when viewed as a vector.  For example, if we apply
+   QUARTERROUND(1,5,9,13) to a state, this means running the quarter-
+   round operation on the elements marked with an asterisk, while
+   leaving the others alone:
+
+      0  *a   2   3
+      4  *b   6   7
+      8  *c  10  11
+     12  *d  14  15
+
+
+
+Nir & Langley                 Informational                     [Page 5]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   Note that this run of quarter round is part of what is called a
+   "column round".
+
+2.2.1.  Test Vector for the Quarter Round on the ChaCha State
+
+   For a test vector, we will use a ChaCha state that was generated
+   randomly:
+
+   Sample ChaCha State
+
+       879531e0  c5ecf37d  516461b1  c9a62f8a
+       44c20ef3  3390af7f  d9fc690b  2a5f714c
+       53372767  b00a5631  974c541a  359e9963
+       5c971061  3d631689  2098d9d6  91dbd320
+
+   We will apply the QUARTERROUND(2,7,8,13) operation to this state.
+   For obvious reasons, this one is part of what is called a "diagonal
+   round":
+
+   After applying QUARTERROUND(2,7,8,13)
+
+       879531e0  c5ecf37d *bdb886dc  c9a62f8a
+       44c20ef3  3390af7f  d9fc690b *cfacafd2
+      *e46bea80  b00a5631  974c541a  359e9963
+       5c971061 *ccc07c79  2098d9d6  91dbd320
+
+   Note that only the numbers in positions 2, 7, 8, and 13 changed.
+
+2.3.  The ChaCha20 Block Function
+
+   The ChaCha block function transforms a ChaCha state by running
+   multiple quarter rounds.
+
+   The inputs to ChaCha20 are:
+
+   o  A 256-bit key, treated as a concatenation of eight 32-bit little-
+      endian integers.
+
+   o  A 96-bit nonce, treated as a concatenation of three 32-bit little-
+      endian integers.
+
+   o  A 32-bit block count parameter, treated as a 32-bit little-endian
+      integer.
+
+   The output is 64 random-looking bytes.
+
+
+
+
+
+
+Nir & Langley                 Informational                     [Page 6]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   The ChaCha algorithm described here uses a 256-bit key.  The original
+   algorithm also specified 128-bit keys and 8- and 12-round variants,
+   but these are out of scope for this document.  In this section, we
+   describe the ChaCha block function.
+
+   Note also that the original ChaCha had a 64-bit nonce and 64-bit
+   block count.  We have modified this here to be more consistent with
+   recommendations in Section 3.2 of [RFC5116].  This limits the use of
+   a single (key,nonce) combination to 2^32 blocks, or 256 GB, but that
+   is enough for most uses.  In cases where a single key is used by
+   multiple senders, it is important to make sure that they don't use
+   the same nonces.  This can be assured by partitioning the nonce space
+   so that the first 32 bits are unique per sender, while the other 64
+   bits come from a counter.
+
+   The ChaCha20 state is initialized as follows:
+
+   o  The first four words (0-3) are constants: 0x61707865, 0x3320646e,
+      0x79622d32, 0x6b206574.
+
+   o  The next eight words (4-11) are taken from the 256-bit key by
+      reading the bytes in little-endian order, in 4-byte chunks.
+
+   o  Word 12 is a block counter.  Since each block is 64-byte, a 32-bit
+      word is enough for 256 gigabytes of data.
+
+   o  Words 13-15 are a nonce, which should not be repeated for the same
+      key.  The 13th word is the first 32 bits of the input nonce taken
+      as a little-endian integer, while the 15th word is the last 32
+      bits.
+
+       cccccccc  cccccccc  cccccccc  cccccccc
+       kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
+       kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
+       bbbbbbbb  nnnnnnnn  nnnnnnnn  nnnnnnnn
+
+   c=constant k=key b=blockcount n=nonce
+
+   ChaCha20 runs 20 rounds, alternating between "column rounds" and
+   "diagonal rounds".  Each round consists of four quarter-rounds, and
+   they are run as follows.  Quarter rounds 1-4 are part of a "column"
+   round, while 5-8 are part of a "diagonal" round:
+
+   1.  QUARTERROUND ( 0, 4, 8,12)
+   2.  QUARTERROUND ( 1, 5, 9,13)
+   3.  QUARTERROUND ( 2, 6,10,14)
+   4.  QUARTERROUND ( 3, 7,11,15)
+   5.  QUARTERROUND ( 0, 5,10,15)
+
+
+
+Nir & Langley                 Informational                     [Page 7]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   6.  QUARTERROUND ( 1, 6,11,12)
+   7.  QUARTERROUND ( 2, 7, 8,13)
+   8.  QUARTERROUND ( 3, 4, 9,14)
+
+   At the end of 20 rounds (or 10 iterations of the above list), we add
+   the original input words to the output words, and serialize the
+   result by sequencing the words one-by-one in little-endian order.
+
+   Note: "addition" in the above paragraph is done modulo 2^32.  In some
+   machine languages, this is called carryless addition on a 32-bit
+   word.
+
+2.3.1.  The ChaCha20 Block Function in Pseudocode
+
+   Note: This section and a few others contain pseudocode for the
+   algorithm explained in a previous section.  Every effort was made for
+   the pseudocode to accurately reflect the algorithm as described in
+   the preceding section.  If a conflict is still present, the textual
+   explanation and the test vectors are normative.
+
+      inner_block (state):
+         Qround(state, 0, 4, 8,12)
+         Qround(state, 1, 5, 9,13)
+         Qround(state, 2, 6,10,14)
+         Qround(state, 3, 7,11,15)
+         Qround(state, 0, 5,10,15)
+         Qround(state, 1, 6,11,12)
+         Qround(state, 2, 7, 8,13)
+         Qround(state, 3, 4, 9,14)
+         end
+
+      chacha20_block(key, counter, nonce):
+         state = constants | key | counter | nonce
+         working_state = state
+         for i=1 upto 10
+            inner_block(working_state)
+            end
+         state += working_state
+         return serialize(state)
+         end
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                     [Page 8]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+2.3.2.  Test Vector for the ChaCha20 Block Function
+
+   For a test vector, we will use the following inputs to the ChaCha20
+   block function:
+
+   o  Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:
+      14:15:16:17:18:19:1a:1b:1c:1d:1e:1f.  The key is a sequence of
+      octets with no particular structure before we copy it into the
+      ChaCha state.
+
+   o  Nonce = (00:00:00:09:00:00:00:4a:00:00:00:00)
+
+   o  Block Count = 1.
+
+   After setting up the ChaCha state, it looks like this:
+
+   ChaCha state with the key setup.
+
+       61707865  3320646e  79622d32  6b206574
+       03020100  07060504  0b0a0908  0f0e0d0c
+       13121110  17161514  1b1a1918  1f1e1d1c
+       00000001  09000000  4a000000  00000000
+
+   After running 20 rounds (10 column rounds interleaved with 10
+   "diagonal rounds"), the ChaCha state looks like this:
+
+   ChaCha state after 20 rounds
+
+       837778ab  e238d763  a67ae21e  5950bb2f
+       c4f2d0c7  fc62bb2f  8fa018fc  3f5ec7b7
+       335271c2  f29489f3  eabda8fc  82e46ebd
+       d19c12b4  b04e16de  9e83d0cb  4e3c50a2
+
+   Finally, we add the original state to the result (simple vector or
+   matrix addition), giving this:
+
+   ChaCha state at the end of the ChaCha20 operation
+
+       e4e7f110  15593bd1  1fdd0f50  c47120a3
+       c7f4d1c7  0368c033  9aaa2204  4e6cd4c3
+       466482d2  09aa9f07  05d7c214  a2028bd9
+       d19c12b5  b94e16de  e883d0cb  4e3c50a2
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                     [Page 9]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   After we serialize the state, we get this:
+
+  Serialized Block:
+  000  10 f1 e7 e4 d1 3b 59 15 50 0f dd 1f a3 20 71 c4  .....;Y.P.... q.
+  016  c7 d1 f4 c7 33 c0 68 03 04 22 aa 9a c3 d4 6c 4e  ....3.h.."....lN
+  032  d2 82 64 46 07 9f aa 09 14 c2 d7 05 d9 8b 02 a2  ..dF............
+  048  b5 12 9c d1 de 16 4e b9 cb d0 83 e8 a2 50 3c 4e  ......N......P<N
+
+2.4.  The ChaCha20 Encryption Algorithm
+
+   ChaCha20 is a stream cipher designed by D. J. Bernstein.  It is a
+   refinement of the Salsa20 algorithm, and it uses a 256-bit key.
+
+   ChaCha20 successively calls the ChaCha20 block function, with the
+   same key and nonce, and with successively increasing block counter
+   parameters.  ChaCha20 then serializes the resulting state by writing
+   the numbers in little-endian order, creating a keystream block.
+
+   Concatenating the keystream blocks from the successive blocks forms a
+   keystream.  The ChaCha20 function then performs an XOR of this
+   keystream with the plaintext.  Alternatively, each keystream block
+   can be XORed with a plaintext block before proceeding to create the
+   next block, saving some memory.  There is no requirement for the
+   plaintext to be an integral multiple of 512 bits.  If there is extra
+   keystream from the last block, it is discarded.  Specific protocols
+   MAY require that the plaintext and ciphertext have certain length.
+   Such protocols need to specify how the plaintext is padded and how
+   much padding it receives.
+
+   The inputs to ChaCha20 are:
+
+   o  A 256-bit key
+
+   o  A 32-bit initial counter.  This can be set to any number, but will
+      usually be zero or one.  It makes sense to use one if we use the
+      zero block for something else, such as generating a one-time
+      authenticator key as part of an AEAD algorithm.
+
+   o  A 96-bit nonce.  In some protocols, this is known as the
+      Initialization Vector.
+
+   o  An arbitrary-length plaintext
+
+   The output is an encrypted message, or "ciphertext", of the same
+   length.
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 10]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   Decryption is done in the same way.  The ChaCha20 block function is
+   used to expand the key into a keystream, which is XORed with the
+   ciphertext giving back the plaintext.
+
+2.4.1.  The ChaCha20 Encryption Algorithm in Pseudocode
+
+     chacha20_encrypt(key, counter, nonce, plaintext):
+        for j = 0 upto floor(len(plaintext)/64)-1
+           key_stream = chacha20_block(key, counter+j, nonce)
+           block = plaintext[(j*64)..(j*64+63)]
+           encrypted_message +=  block ^ key_stream
+           end
+        if ((len(plaintext) % 64) != 0)
+           j = floor(len(plaintext)/64)
+           key_stream = chacha20_block(key, counter+j, nonce)
+           block = plaintext[(j*64)..len(plaintext)-1]
+           encrypted_message += (block^key_stream)[0..len(plaintext)%64]
+           end
+        return encrypted_message
+        end
+
+2.4.2.  Example and Test Vector for the ChaCha20 Cipher
+
+   For a test vector, we will use the following inputs to the ChaCha20
+   block function:
+
+   o  Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:
+      14:15:16:17:18:19:1a:1b:1c:1d:1e:1f.
+
+   o  Nonce = (00:00:00:00:00:00:00:4a:00:00:00:00).
+
+   o  Initial Counter = 1.
+
+   We use the following for the plaintext.  It was chosen to be long
+   enough to require more than one block, but not so long that it would
+   make this example cumbersome (so, less than 3 blocks):
+
+  Plaintext Sunscreen:
+  000  4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c  Ladies and Gentl
+  016  65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73  emen of the clas
+  032  73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63  s of '99: If I c
+  048  6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f  ould offer you o
+  064  6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20  nly one tip for
+  080  74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73  the future, suns
+  096  63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69  creen would be i
+  112  74 2e                                            t.
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 11]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   The following figure shows four ChaCha state matrices:
+
+   1.  First block as it is set up.
+
+   2.  Second block as it is set up.  Note that these blocks are only
+       two bits apart -- only the counter in position 12 is different.
+
+   3.  Third block is the first block after the ChaCha20 block
+       operation.
+
+   4.  Final block is the second block after the ChaCha20 block
+       operation was applied.
+
+   After that, we show the keystream.
+
+   First block setup:
+       61707865  3320646e  79622d32  6b206574
+       03020100  07060504  0b0a0908  0f0e0d0c
+       13121110  17161514  1b1a1918  1f1e1d1c
+       00000001  00000000  4a000000  00000000
+
+   Second block setup:
+       61707865  3320646e  79622d32  6b206574
+       03020100  07060504  0b0a0908  0f0e0d0c
+       13121110  17161514  1b1a1918  1f1e1d1c
+       00000002  00000000  4a000000  00000000
+
+   First block after block operation:
+       f3514f22  e1d91b40  6f27de2f  ed1d63b8
+       821f138c  e2062c3d  ecca4f7e  78cff39e
+       a30a3b8a  920a6072  cd7479b5  34932bed
+       40ba4c79  cd343ec6  4c2c21ea  b7417df0
+
+   Second block after block operation:
+       9f74a669  410f633f  28feca22  7ec44dec
+       6d34d426  738cb970  3ac5e9f3  45590cc4
+       da6e8b39  892c831a  cdea67c1  2b7e1d90
+       037463f3  a11a2073  e8bcfb88  edc49139
+
+   Keystream:
+   22:4f:51:f3:40:1b:d9:e1:2f:de:27:6f:b8:63:1d:ed:8c:13:1f:82:3d:2c:06
+   e2:7e:4f:ca:ec:9e:f3:cf:78:8a:3b:0a:a3:72:60:0a:92:b5:79:74:cd:ed:2b
+   93:34:79:4c:ba:40:c6:3e:34:cd:ea:21:2c:4c:f0:7d:41:b7:69:a6:74:9f:3f
+   63:0f:41:22:ca:fe:28:ec:4d:c4:7e:26:d4:34:6d:70:b9:8c:73:f3:e9:c5:3a
+   c4:0c:59:45:39:8b:6e:da:1a:83:2c:89:c1:67:ea:cd:90:1d:7e:2b:f3:63
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 12]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   Finally, we XOR the keystream with the plaintext, yielding the
+   ciphertext:
+
+  Ciphertext Sunscreen:
+  000  6e 2e 35 9a 25 68 f9 80 41 ba 07 28 dd 0d 69 81  n.5.%h..A..(..i.
+  016  e9 7e 7a ec 1d 43 60 c2 0a 27 af cc fd 9f ae 0b  .~z..C`..'......
+  032  f9 1b 65 c5 52 47 33 ab 8f 59 3d ab cd 62 b3 57  ..e.RG3..Y=..b.W
+  048  16 39 d6 24 e6 51 52 ab 8f 53 0c 35 9f 08 61 d8  .9.$.QR..S.5..a.
+  064  07 ca 0d bf 50 0d 6a 61 56 a3 8e 08 8a 22 b6 5e  ....P.jaV....".^
+  080  52 bc 51 4d 16 cc f8 06 81 8c e9 1a b7 79 37 36  R.QM.........y76
+  096  5a f9 0b bf 74 a3 5b e6 b4 0b 8e ed f2 78 5e 42  Z...t.[......x^B
+  112  87 4d                                            .M
+
+2.5.  The Poly1305 Algorithm
+
+   Poly1305 is a one-time authenticator designed by D. J. Bernstein.
+   Poly1305 takes a 32-byte one-time key and a message and produces a
+   16-byte tag.  This tag is used to authenticate the message.
+
+   The original article ([Poly1305]) is titled "The Poly1305-AES
+   message-authentication code", and the MAC function there requires a
+   128-bit AES key, a 128-bit "additional key", and a 128-bit (non-
+   secret) nonce.  AES is used there for encrypting the nonce, so as to
+   get a unique (and secret) 128-bit string, but as the paper states,
+   "There is nothing special about AES here.  One can replace AES with
+   an arbitrary keyed function from an arbitrary set of nonces to
+   16-byte strings."
+
+   Regardless of how the key is generated, the key is partitioned into
+   two parts, called "r" and "s".  The pair (r,s) should be unique, and
+   MUST be unpredictable for each invocation (that is why it was
+   originally obtained by encrypting a nonce), while "r" MAY be
+   constant, but needs to be modified as follows before being used: ("r"
+   is treated as a 16-octet little-endian number):
+
+   o  r[3], r[7], r[11], and r[15] are required to have their top four
+      bits clear (be smaller than 16)
+
+   o  r[4], r[8], and r[12] are required to have their bottom two bits
+      clear (be divisible by 4)
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 13]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   The following sample code clamps "r" to be appropriate:
+
+   /*
+   Adapted from poly1305aes_test_clamp.c version 20050207
+   D. J. Bernstein
+   Public domain.
+   */
+
+   #include "poly1305aes_test.h"
+
+   void poly1305aes_test_clamp(unsigned char r[16])
+   {
+     r[3] &= 15;
+     r[7] &= 15;
+     r[11] &= 15;
+     r[15] &= 15;
+     r[4] &= 252;
+     r[8] &= 252;
+     r[12] &= 252;
+   }
+
+   The "s" should be unpredictable, but it is perfectly acceptable to
+   generate both "r" and "s" uniquely each time.  Because each of them
+   is 128 bits, pseudorandomly generating them (see Section 2.6) is also
+   acceptable.
+
+   The inputs to Poly1305 are:
+
+   o  A 256-bit one-time key
+
+   o  An arbitrary length message
+
+   The output is a 128-bit tag.
+
+   First, the "r" value should be clamped.
+
+   Next, set the constant prime "P" be 2^130-5:
+   3fffffffffffffffffffffffffffffffb.  Also set a variable "accumulator"
+   to zero.
+
+   Next, divide the message into 16-byte blocks.  The last one might be
+   shorter:
+
+   o  Read the block as a little-endian number.
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 14]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   o  Add one bit beyond the number of octets.  For a 16-byte block,
+      this is equivalent to adding 2^128 to the number.  For the shorter
+      block, it can be 2^120, 2^112, or any power of two that is evenly
+      divisible by 8, all the way down to 2^8.
+
+   o  If the block is not 17 bytes long (the last block), pad it with
+      zeros.  This is meaningless if you are treating the blocks as
+      numbers.
+
+   o  Add this number to the accumulator.
+
+   o  Multiply by "r".
+
+   o  Set the accumulator to the result modulo p.  To summarize: Acc =
+      ((Acc+block)*r) % p.
+
+   Finally, the value of the secret key "s" is added to the accumulator,
+   and the 128 least significant bits are serialized in little-endian
+   order to form the tag.
+
+2.5.1.  The Poly1305 Algorithms in Pseudocode
+
+      clamp(r): r &= 0x0ffffffc0ffffffc0ffffffc0fffffff
+      poly1305_mac(msg, key):
+         r = (le_bytes_to_num(key[0..15])
+         clamp(r)
+         s = le_num(key[16..31])
+         accumulator = 0
+         p = (1<<130)-5
+         for i=1 upto ceil(msg length in bytes / 16)
+            n = le_bytes_to_num(msg[((i-1)*16)..(i*16)] | [0x01])
+            a += n
+            a = (r * a) % p
+            end
+         a += s
+         return num_to_16_le_bytes(a)
+         end
+
+2.5.2.  Poly1305 Example and Test Vector
+
+   For our example, we will dispense with generating the one-time key
+   using AES, and assume that we got the following keying material:
+
+   o  Key Material: 85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8:01:0
+      3:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49:f5:1b
+
+   o  s as an octet string:
+      01:03:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49:f5:1b
+
+
+
+Nir & Langley                 Informational                    [Page 15]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   o  s as a 128-bit number: 1bf54941aff6bf4afdb20dfb8a800301
+
+   o  r before clamping: 85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8
+
+   o  Clamped r as a number: 806d5400e52447c036d555408bed685
+
+   For our message, we'll use a short text:
+
+  Message to be Authenticated:
+  000  43 72 79 70 74 6f 67 72 61 70 68 69 63 20 46 6f  Cryptographic Fo
+  016  72 75 6d 20 52 65 73 65 61 72 63 68 20 47 72 6f  rum Research Gro
+  032  75 70                                            up
+
+   Since Poly1305 works in 16-byte chunks, the 34-byte message divides
+   into three blocks.  In the following calculation, "Acc" denotes the
+   accumulator and "Block" the current block:
+
+   Block #1
+
+   Acc = 00
+   Block = 6f4620636968706172676f7470797243
+   Block with 0x01 byte = 016f4620636968706172676f7470797243
+   Acc + block = 016f4620636968706172676f7470797243
+   (Acc+Block) * r =
+        b83fe991ca66800489155dcd69e8426ba2779453994ac90ed284034da565ecf
+   Acc = ((Acc+Block)*r) % P = 2c88c77849d64ae9147ddeb88e69c83fc
+
+   Block #2
+
+   Acc = 2c88c77849d64ae9147ddeb88e69c83fc
+   Block = 6f7247206863726165736552206d7572
+   Block with 0x01 byte = 016f7247206863726165736552206d7572
+   Acc + block = 437febea505c820f2ad5150db0709f96e
+   (Acc+Block) * r =
+        21dcc992d0c659ba4036f65bb7f88562ae59b32c2b3b8f7efc8b00f78e548a26
+   Acc = ((Acc+Block)*r) % P = 2d8adaf23b0337fa7cccfb4ea344b30de
+
+   Last Block
+
+   Acc = 2d8adaf23b0337fa7cccfb4ea344b30de
+   Block = 7075
+   Block with 0x01 byte = 017075
+   Acc + block = 2d8adaf23b0337fa7cccfb4ea344ca153
+   (Acc + Block) * r =
+        16d8e08a0f3fe1de4fe4a15486aca7a270a29f1e6c849221e4a6798b8e45321f
+   ((Acc + Block) * r) % P = 28d31b7caff946c77c8844335369d03a7
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 16]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   Adding s, we get this number, and serialize if to get the tag:
+
+   Acc + s = 2a927010caf8b2bc2c6365130c11d06a8
+
+   Tag: a8:06:1d:c1:30:51:36:c6:c2:2b:8b:af:0c:01:27:a9
+
+2.6.  Generating the Poly1305 Key Using ChaCha20
+
+   As said in Section 2.5, it is acceptable to generate the one-time
+   Poly1305 pseudorandomly.  This section defines such a method.
+
+   To generate such a key pair (r,s), we will use the ChaCha20 block
+   function described in Section 2.3.  This assumes that we have a
+   256-bit session key for the Message Authentication Code (MAC)
+   function, such as SK_ai and SK_ar in Internet Key Exchange Protocol
+   version 2 (IKEv2) ([RFC7296]), the integrity key in the Encapsulating
+   Security Payload (ESP) and Authentication Header (AH), or the
+   client_write_MAC_key and server_write_MAC_key in TLS.  Any document
+   that specifies the use of Poly1305 as a MAC algorithm for some
+   protocol must specify that 256 bits are allocated for the integrity
+   key.  Note that in the AEAD construction defined in Section 2.8, the
+   same key is used for encryption and key generation, so the use of
+   SK_a* or *_write_MAC_key is only for stand-alone Poly1305.
+
+   The method is to call the block function with the following
+   parameters:
+
+   o  The 256-bit session integrity key is used as the ChaCha20 key.
+
+   o  The block counter is set to zero.
+
+   o  The protocol will specify a 96-bit or 64-bit nonce.  This MUST be
+      unique per invocation with the same key, so it MUST NOT be
+      randomly generated.  A counter is a good way to implement this,
+      but other methods, such as a Linear Feedback Shift Register (LFSR)
+      are also acceptable.  ChaCha20 as specified here requires a 96-bit
+      nonce.  So if the provided nonce is only 64-bit, then the first 32
+      bits of the nonce will be set to a constant number.  This will
+      usually be zero, but for protocols with multiple senders it may be
+      different for each sender, but should be the same for all
+      invocations of the function with the same key by a particular
+      sender.
+
+   After running the block function, we have a 512-bit state.  We take
+   the first 256 bits or the serialized state, and use those as the one-
+   time Poly1305 key: the first 128 bits are clamped and form "r", while
+   the next 128 bits become "s".  The other 256 bits are discarded.
+
+
+
+
+Nir & Langley                 Informational                    [Page 17]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   Note that while many protocols have provisions for a nonce for
+   encryption algorithms (often called Initialization Vectors, or IVs),
+   they usually don't have such a provision for the MAC function.  In
+   that case, the per-invocation nonce will have to come from somewhere
+   else, such as a message counter.
+
+2.6.1.  Poly1305 Key Generation in Pseudocode
+
+      poly1305_key_gen(key,nonce):
+         counter = 0
+         block = chacha20_block(key,counter,nonce)
+         return block[0..31]
+         end
+
+2.6.2.  Poly1305 Key Generation Test Vector
+
+   For this example, we'll set:
+
+  Key:
+  000  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f  ................
+  016  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f  ................
+
+   Nonce:
+   000  00 00 00 00 00 01 02 03 04 05 06 07              ............
+
+   The ChaCha state setup with key, nonce, and block counter zero:
+         61707865  3320646e  79622d32  6b206574
+         83828180  87868584  8b8a8988  8f8e8d8c
+         93929190  97969594  9b9a9998  9f9e9d9c
+         00000000  00000000  03020100  07060504
+
+   The ChaCha state after 20 rounds:
+         8ba0d58a  cc815f90  27405081  7194b24a
+         37b633a8  a50dfde3  e2b8db08  46a6d1fd
+         7da03782  9183a233  148ad271  b46773d1
+         3cc1875a  8607def1  ca5c3086  7085eb87
+
+  Output bytes:
+  000  8a d5 a0 8b 90 5f 81 cc 81 50 40 27 4a b2 94 71  ....._...P@'J..q
+  016  a8 33 b6 37 e3 fd 0d a5 08 db b8 e2 fd d1 a6 46  .3.7...........F
+
+   And that output is also the 32-byte one-time key used for Poly1305.
+
+2.7.  A Pseudorandom Function for Crypto Suites based on ChaCha/Poly1305
+
+   Some protocols, such as IKEv2 ([RFC7296]), require a Pseudorandom
+   Function (PRF), mostly for key derivation.  In the IKEv2 definition,
+   a PRF is a function that accepts a variable-length key and a
+
+
+
+Nir & Langley                 Informational                    [Page 18]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   variable-length input, and returns a fixed-length output.  Most
+   commonly, Hashed MAC (HMAC) constructions are used for this purpose,
+   and often the same function is used for both message authentication
+   and PRF.
+
+   Poly1305 is not a suitable choice for a PRF.  Poly1305 prohibits
+   using the same key twice, whereas the PRF in IKEv2 is used multiple
+   times with the same key.  Additionally, unlike HMAC, Poly1305 is
+   biased, so using it for key derivation would reduce the security of
+   the symmetric encryption.
+
+   Chacha20 could be used as a key-derivation function, by generating an
+   arbitrarily long keystream.  However, that is not what protocols such
+   as IKEv2 require.
+
+   For this reason, this document does not specify a PRF and recommends
+   that crypto suites use some other PRF such as PRF_HMAC_SHA2_256 (see
+   Section 2.1.2 of [RFC4868]).
+
+2.8.  AEAD Construction
+
+   AEAD_CHACHA20_POLY1305 is an authenticated encryption with additional
+   data algorithm.  The inputs to AEAD_CHACHA20_POLY1305 are:
+
+   o  A 256-bit key
+
+   o  A 96-bit nonce -- different for each invocation with the same key
+
+   o  An arbitrary length plaintext
+
+   o  Arbitrary length additional authenticated data (AAD)
+
+   Some protocols may have unique per-invocation inputs that are not 96
+   bits in length.  For example, IPsec may specify a 64-bit nonce.  In
+   such a case, it is up to the protocol document to define how to
+   transform the protocol nonce into a 96-bit nonce, for example, by
+   concatenating a constant value.
+
+   The ChaCha20 and Poly1305 primitives are combined into an AEAD that
+   takes a 256-bit key and 96-bit nonce as follows:
+
+   o  First, a Poly1305 one-time key is generated from the 256-bit key
+      and nonce using the procedure described in Section 2.6.
+
+   o  Next, the ChaCha20 encryption function is called to encrypt the
+      plaintext, using the same key and nonce, and with the initial
+      counter set to 1.
+
+
+
+
+Nir & Langley                 Informational                    [Page 19]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   o  Finally, the Poly1305 function is called with the Poly1305 key
+      calculated above, and a message constructed as a concatenation of
+      the following:
+
+      *  The AAD
+
+      *  padding1 -- the padding is up to 15 zero bytes, and it brings
+         the total length so far to an integral multiple of 16.  If the
+         length of the AAD was already an integral multiple of 16 bytes,
+         this field is zero-length.
+
+      *  The ciphertext
+
+      *  padding2 -- the padding is up to 15 zero bytes, and it brings
+         the total length so far to an integral multiple of 16.  If the
+         length of the ciphertext was already an integral multiple of 16
+         bytes, this field is zero-length.
+
+      *  The length of the additional data in octets (as a 64-bit
+         little-endian integer).
+
+      *  The length of the ciphertext in octets (as a 64-bit little-
+         endian integer).
+
+   The output from the AEAD is twofold:
+
+   o  A ciphertext of the same length as the plaintext.
+
+   o  A 128-bit tag, which is the output of the Poly1305 function.
+
+   Decryption is similar with the following differences:
+
+   o  The roles of ciphertext and plaintext are reversed, so the
+      ChaCha20 encryption function is applied to the ciphertext,
+      producing the plaintext.
+
+   o  The Poly1305 function is still run on the AAD and the ciphertext,
+      not the plaintext.
+
+   o  The calculated tag is bitwise compared to the received tag.  The
+      message is authenticated if and only if the tags match.
+
+   A few notes about this design:
+
+   1.  The amount of encrypted data possible in a single invocation is
+       2^32-1 blocks of 64 bytes each, because of the size of the block
+       counter field in the ChaCha20 block function.  This gives a total
+       of 247,877,906,880 bytes, or nearly 256 GB.  This should be
+
+
+
+Nir & Langley                 Informational                    [Page 20]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+       enough for traffic protocols such as IPsec and TLS, but may be
+       too small for file and/or disk encryption.  For such uses, we can
+       return to the original design, reduce the nonce to 64 bits, and
+       use the integer at position 13 as the top 32 bits of a 64-bit
+       block counter, increasing the total message size to over a
+       million petabytes (1,180,591,620,717,411,303,360 bytes to be
+       exact).
+
+   2.  Despite the previous item, the ciphertext length field in the
+       construction of the buffer on which Poly1305 runs limits the
+       ciphertext (and hence, the plaintext) size to 2^64 bytes, or
+       sixteen thousand petabytes (18,446,744,073,709,551,616 bytes to
+       be exact).
+
+   The AEAD construction in this section is a novel composition of
+   ChaCha20 and Poly1305.  A security analysis of this composition is
+   given in [Procter].
+
+   Here is a list of the parameters for this construction as defined in
+   Section 4 of RFC 5116:
+
+   o  K_LEN (key length) is 32 octets.
+
+   o  P_MAX (maximum size of the plaintext) is 247,877,906,880 bytes, or
+      nearly 256 GB.
+
+   o  A_MAX (maximum size of the associated data) is set to 2^64-1
+      octets by the length field for associated data.
+
+   o  N_MIN = N_MAX = 12 octets.
+
+   o  C_MAX = P_MAX + tag length = 247,877,906,896 octets.
+
+   Distinct AAD inputs (as described in Section 3.3 of RFC 5116) shall
+   be concatenated into a single input to AEAD_CHACHA20_POLY1305.  It is
+   up to the application to create a structure in the AAD input if it is
+   needed.
+
+2.8.1.  Pseudocode for the AEAD Construction
+
+      pad16(x):
+         if (len(x) % 16)==0
+            then return NULL
+            else return copies(0, 16-(len(x)%16))
+         end
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 21]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+      chacha20_aead_encrypt(aad, key, iv, constant, plaintext):
+         nonce = constant | iv
+         otk = poly1305_key_gen(key, nonce)
+         ciphertext = chacha20_encrypt(key, 1, nonce, plaintext)
+         mac_data = aad | pad16(aad)
+         mac_data |= ciphertext | pad16(ciphertext)
+         mac_data |= num_to_4_le_bytes(aad.length)
+         mac_data |= num_to_4_le_bytes(ciphertext.length)
+         tag = poly1305_mac(mac_data, otk)
+         return (ciphertext, tag)
+
+2.8.2.  Example and Test Vector for AEAD_CHACHA20_POLY1305
+
+   For a test vector, we will use the following inputs to the
+   AEAD_CHACHA20_POLY1305 function:
+
+  Plaintext:
+  000  4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c  Ladies and Gentl
+  016  65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73  emen of the clas
+  032  73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63  s of '99: If I c
+  048  6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f  ould offer you o
+  064  6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20  nly one tip for
+  080  74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73  the future, suns
+  096  63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69  creen would be i
+  112  74 2e                                            t.
+
+   AAD:
+   000  50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7              PQRS........
+
+  Key:
+  000  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f  ................
+  016  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f  ................
+
+   IV:
+   000  40 41 42 43 44 45 46 47                          @ABCDEFG
+
+   32-bit fixed-common part:
+   000  07 00 00 00                                      ....
+
+   Setup for generating Poly1305 one-time key (sender id=7):
+       61707865  3320646e  79622d32  6b206574
+       83828180  87868584  8b8a8988  8f8e8d8c
+       93929190  97969594  9b9a9998  9f9e9d9c
+       00000000  00000007  43424140  47464544
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 22]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   After generating Poly1305 one-time key:
+       252bac7b  af47b42d  557ab609  8455e9a4
+       73d6e10a  ebd97510  7875932a  ff53d53e
+       decc7ea2  b44ddbad  e49c17d1  d8430bc9
+       8c94b7bc  8b7d4b4b  3927f67d  1669a432
+
+  Poly1305 Key:
+  000  7b ac 2b 25 2d b4 47 af 09 b6 7a 55 a4 e9 55 84  {.+%-.G...zU..U.
+  016  0a e1 d6 73 10 75 d9 eb 2a 93 75 78 3e d5 53 ff  ...s.u..*.ux>.S.
+
+  Poly1305 r =  455e9a4057ab6080f47b42c052bac7b
+  Poly1305 s = ff53d53e7875932aebd9751073d6e10a
+
+   keystream bytes:
+   9f:7b:e9:5d:01:fd:40:ba:15:e2:8f:fb:36:81:0a:ae:
+   c1:c0:88:3f:09:01:6e:de:dd:8a:d0:87:55:82:03:a5:
+   4e:9e:cb:38:ac:8e:5e:2b:b8:da:b2:0f:fa:db:52:e8:
+   75:04:b2:6e:be:69:6d:4f:60:a4:85:cf:11:b8:1b:59:
+   fc:b1:c4:5f:42:19:ee:ac:ec:6a:de:c3:4e:66:69:78:
+   8e:db:41:c4:9c:a3:01:e1:27:e0:ac:ab:3b:44:b9:cf:
+   5c:86:bb:95:e0:6b:0d:f2:90:1a:b6:45:e4:ab:e6:22:
+   15:38
+
+  Ciphertext:
+  000  d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2  ...4d.`.{...S.~.
+  016  a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6  ...Q)n......6.b.
+  032  3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b  =..^..g....i..r.
+  048  1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36  .q.....)....~.;6
+  064  92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58  ....-w......(..X
+  080  fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc  ..$...u.U...H1..
+  096  3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b  ?....Kz..v.e...K
+  112  61 16                                            a.
+
+  AEAD Construction for Poly1305:
+  000  50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7 00 00 00 00  PQRS............
+  016  d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2  ...4d.`.{...S.~.
+  032  a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6  ...Q)n......6.b.
+  048  3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b  =..^..g....i..r.
+  064  1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36  .q.....)....~.;6
+  080  92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58  ....-w......(..X
+  096  fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc  ..$...u.U...H1..
+  112  3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b  ?....Kz..v.e...K
+  128  61 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00  a...............
+  144  0c 00 00 00 00 00 00 00 72 00 00 00 00 00 00 00  ........r.......
+
+   Note the four zero bytes in line 000 and the 14 zero bytes in line
+   128
+
+
+
+
+Nir & Langley                 Informational                    [Page 23]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   Tag:
+   1a:e1:0b:59:4f:09:e2:6a:7e:90:2e:cb:d0:60:06:91
+
+3.  Implementation Advice
+
+   Each block of ChaCha20 involves 16 move operations and one increment
+   operation for loading the state, 80 each of XOR, addition and Roll
+   operations for the rounds, 16 more add operations and 16 XOR
+   operations for protecting the plaintext.  Section 2.3 describes the
+   ChaCha block function as "adding the original input words".  This
+   implies that before starting the rounds on the ChaCha state, we copy
+   it aside, only to add it in later.  This is correct, but we can save
+   a few operations if we instead copy the state and do the work on the
+   copy.  This way, for the next block you don't need to recreate the
+   state, but only to increment the block counter.  This saves
+   approximately 5.5% of the cycles.
+
+   It is not recommended to use a generic big number library such as the
+   one in OpenSSL for the arithmetic operations in Poly1305.  Such
+   libraries use dynamic allocation to be able to handle an integer of
+   any size, but that flexibility comes at the expense of performance as
+   well as side-channel security.  More efficient implementations that
+   run in constant time are available, one of them in D. J. Bernstein's
+   own library, NaCl ([NaCl]).  A constant-time but not optimal approach
+   would be to naively implement the arithmetic operations for 288-bit
+   integers, because even a naive implementation will not exceed 2^288
+   in the multiplication of (acc+block) and r.  An efficient constant-
+   time implementation can be found in the public domain library
+   poly1305-donna ([Poly1305_Donna]).
+
+4.  Security Considerations
+
+   The ChaCha20 cipher is designed to provide 256-bit security.
+
+   The Poly1305 authenticator is designed to ensure that forged messages
+   are rejected with a probability of 1-(n/(2^102)) for a 16n-byte
+   message, even after sending 2^64 legitimate messages, so it is
+   SUF-CMA (strong unforgeability against chosen-message attacks) in the
+   terminology of [AE].
+
+   Proving the security of either of these is beyond the scope of this
+   document.  Such proofs are available in the referenced academic
+   papers ([ChaCha], [Poly1305], [LatinDances], [LatinDances2], and
+   [Zhenqing2012]).
+
+   The most important security consideration in implementing this
+   document is the uniqueness of the nonce used in ChaCha20.  Counters
+   and LFSRs are both acceptable ways of generating unique nonces, as is
+
+
+
+Nir & Langley                 Informational                    [Page 24]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   encrypting a counter using a 64-bit cipher such as DES.  Note that it
+   is not acceptable to use a truncation of a counter encrypted with a
+   128-bit or 256-bit cipher, because such a truncation may repeat after
+   a short time.
+
+   Consequences of repeating a nonce: If a nonce is repeated, then both
+   the one-time Poly1305 key and the keystream are identical between the
+   messages.  This reveals the XOR of the plaintexts, because the XOR of
+   the plaintexts is equal to the XOR of the ciphertexts.
+
+   The Poly1305 key MUST be unpredictable to an attacker.  Randomly
+   generating the key would fulfill this requirement, except that
+   Poly1305 is often used in communications protocols, so the receiver
+   should know the key.  Pseudorandom number generation such as by
+   encrypting a counter is acceptable.  Using ChaCha with a secret key
+   and a nonce is also acceptable.
+
+   The algorithms presented here were designed to be easy to implement
+   in constant time to avoid side-channel vulnerabilities.  The
+   operations used in ChaCha20 are all additions, XORs, and fixed
+   rotations.  All of these can and should be implemented in constant
+   time.  Access to offsets into the ChaCha state and the number of
+   operations do not depend on any property of the key, eliminating the
+   chance of information about the key leaking through the timing of
+   cache misses.
+
+   For Poly1305, the operations are addition, multiplication. and
+   modulus, all on numbers with greater than 128 bits.  This can be done
+   in constant time, but a naive implementation (such as using some
+   generic big number library) will not be constant time.  For example,
+   if the multiplication is performed as a separate operation from the
+   modulus, the result will sometimes be under 2^256 and sometimes be
+   above 2^256.  Implementers should be careful about timing side-
+   channels for Poly1305 by using the appropriate implementation of
+   these operations.
+
+   Validating the authenticity of a message involves a bitwise
+   comparison of the calculated tag with the received tag.  In most use
+   cases, nonces and AAD contents are not "used up" until a valid
+   message is received.  This allows an attacker to send multiple
+   identical messages with different tags until one passes the tag
+   comparison.  This is hard if the attacker has to try all 2^128
+   possible tags one by one.  However, if the timing of the tag
+   comparison operation reveals how long a prefix of the calculated and
+   received tags is identical, the number of messages can be reduced
+   significantly.  For this reason, with online protocols,
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 25]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   implementation MUST use a constant-time comparison function rather
+   than relying on optimized but insecure library functions such as the
+   C language's memcmp().
+
+5.  IANA Considerations
+
+   IANA has assigned an entry in the "Authenticated Encryption with
+   Associated Data (AEAD) Parameters" registry with 29 as the Numeric
+   ID, "AEAD_CHACHA20_POLY1305" as the name, and this document as
+   reference.
+
+6.  References
+
+6.1.  Normative References
+
+   [ChaCha]   Bernstein, D., "ChaCha, a variant of Salsa20", January
+              2008, <http://cr.yp.to/chacha/chacha-20080128.pdf>.
+
+   [Poly1305] Bernstein, D., "The Poly1305-AES message-authentication
+              code", March 2005,
+              <http://cr.yp.to/mac/poly1305-20050329.pdf>.
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119,
+              DOI 10.17487/RFC2119, March 1997,
+              <http://www.rfc-editor.org/info/rfc2119>.
+
+6.2.  Informative References
+
+   [AE]       Bellare, M. and C. Namprempre, "Authenticated Encryption:
+              Relations among notions and analysis of the generic
+              composition paradigm", September 2008,
+              <http://dl.acm.org/citation.cfm?id=1410269>.
+
+   [Cache-Collisions]
+              Bonneau, J. and I. Mironov, "Cache-Collision Timing
+              Attacks Against AES", 2006,
+              <http://research.microsoft.com/pubs/64024/aes-timing.pdf>.
+
+   [FIPS-197] National Institute of Standards and Technology, "Advanced
+              Encryption Standard (AES)", FIPS PUB 197, November 2001,
+              <http://csrc.nist.gov/publications/fips/fips197/
+              fips-197.pdf>.
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 26]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   [LatinDances]
+              Aumasson, J., Fischer, S., Khazaei, S., Meier, W., and C.
+              Rechberger, "New Features of Latin Dances: Analysis of
+              Salsa, ChaCha, and Rumba", December 2007,
+              <http://cr.yp.to/rumba20/newfeatures-20071218.pdf>.
+
+   [LatinDances2]
+              Ishiguro, T., Kiyomoto, S., and Y. Miyake, "Modified
+              version of 'Latin Dances Revisited: New Analytic Results
+              of Salsa20 and ChaCha'", February 2012,
+              <https://eprint.iacr.org/2012/065.pdf>.
+
+   [NaCl]     Bernstein, D., Lange, T., and P. Schwabe, "NaCl:
+              Networking and Cryptography library", July 2012,
+              <http://nacl.cr.yp.to>.
+
+   [Poly1305_Donna]
+              Floodyberry, A., "poly1305-donna", February 2014,
+              <https://github.com/floodyberry/poly1305-donna>.
+
+   [Procter]  Procter, G., "A Security Analysis of the Composition of
+              ChaCha20 and Poly1305", August 2014,
+              <http://eprint.iacr.org/2014/613.pdf>.
+
+   [RFC4868]  Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
+              384, and HMAC-SHA-512 with IPsec", RFC 4868,
+              DOI 10.17487/RFC4868, May 2007,
+              <http://www.rfc-editor.org/info/rfc4868>.
+
+   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
+              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
+              <http://www.rfc-editor.org/info/rfc5116>.
+
+   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
+              Kivinen, "Internet Key Exchange Protocol Version 2
+              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
+              2014, <http://www.rfc-editor.org/info/rfc7296>.
+
+   [SP800-67] National Institute of Standards and Technology,
+              "Recommendation for the Triple Data Encryption Algorithm
+              (TDEA) Block Cipher", NIST 800-67, January 2012,
+              <http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/
+              SP-800-67-Rev1.pdf>.
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 27]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   [Standby-Cipher]
+              McGrew, D., Grieco, A., and Y. Sheffer, "Selection of
+              Future Cryptographic Standards", Work in Progress,
+              draft-mcgrew-standby-cipher-00, January 2013.
+
+   [Zhenqing2012]
+              Zhenqing, S., Bin, Z., Dengguo, F., and W. Wenling,
+              "Improved Key Recovery Attacks on Reduced-Round Salsa20
+              and ChaCha*", 2012.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 28]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+Appendix A.  Additional Test Vectors
+
+   The subsections of this appendix contain more test vectors for the
+   algorithms in the sub-sections of Section 2.
+
+A.1.  The ChaCha20 Block Functions
+
+  Test Vector #1:
+  ==============
+
+  Key:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
+  Nonce:
+  000  00 00 00 00 00 00 00 00 00 00 00 00              ............
+
+  Block Counter = 0
+
+    ChaCha state at the end
+        ade0b876  903df1a0  e56a5d40  28bd8653
+        b819d2bd  1aed8da0  ccef36a8  c70d778b
+        7c5941da  8d485751  3fe02477  374ad8b8
+        f4b8436a  1ca11815  69b687c3  8665eeb2
+
+  Keystream:
+  000  76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28  v.....=.@]j.S..(
+  016  bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7  .........6...w..
+  032  da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37  .AY|QWH.w$.?..J7
+  048  6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86  jC.........i..e.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 29]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+  Test Vector #2:
+  ==============
+
+  Key:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
+  Nonce:
+  000  00 00 00 00 00 00 00 00 00 00 00 00              ............
+
+  Block Counter = 1
+
+    ChaCha state at the end
+        bee7079f  7a385155  7c97ba98  0d082d73
+        a0290fcb  6965e348  3e53c612  ed7aee32
+        7621b729  434ee69c  b03371d5  d539d874
+        281fed31  45fb0a51  1f0ae1ac  6f4d794b
+
+  Keystream:
+  000  9f 07 e7 be 55 51 38 7a 98 ba 97 7c 73 2d 08 0d  ....UQ8z...|s-..
+  016  cb 0f 29 a0 48 e3 65 69 12 c6 53 3e 32 ee 7a ed  ..).H.ei..S>2.z.
+  032  29 b7 21 76 9c e6 4e 43 d5 71 33 b0 74 d8 39 d5  ).!v..NC.q3.t.9.
+  048  31 ed 1f 28 51 0a fb 45 ac e1 0a 1f 4b 79 4d 6f  1..(Q..E....KyMo
+
+  Test Vector #3:
+  ==============
+
+  Key:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................
+
+  Nonce:
+  000  00 00 00 00 00 00 00 00 00 00 00 00              ............
+
+  Block Counter = 1
+
+    ChaCha state at the end
+        2452eb3a  9249f8ec  8d829d9b  ddd4ceb1
+        e8252083  60818b01  f38422b8  5aaa49c9
+        bb00ca8e  da3ba7b4  c4b592d1  fdf2732f
+        4436274e  2561b3c8  ebdd4aa6  a0136c00
+
+  Keystream:
+  000  3a eb 52 24 ec f8 49 92 9b 9d 82 8d b1 ce d4 dd  :.R$..I.........
+  016  83 20 25 e8 01 8b 81 60 b8 22 84 f3 c9 49 aa 5a  . %....`."...I.Z
+  032  8e ca 00 bb b4 a7 3b da d1 92 b5 c4 2f 73 f2 fd  ......;...../s..
+  048  4e 27 36 44 c8 b3 61 25 a6 4a dd eb 00 6c 13 a0  N'6D..a%.J...l..
+
+
+
+
+Nir & Langley                 Informational                    [Page 30]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+  Test Vector #4:
+  ==============
+
+  Key:
+  000  00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
+  Nonce:
+  000  00 00 00 00 00 00 00 00 00 00 00 00              ............
+
+  Block Counter = 2
+
+    ChaCha state at the end
+        fb4dd572  4bc42ef1  df922636  327f1394
+        a78dea8f  5e269039  a1bebbc1  caf09aae
+        a25ab213  48a6b46c  1b9d9bcb  092c5be6
+        546ca624  1bec45d5  87f47473  96f0992e
+
+  Keystream:
+  000  72 d5 4d fb f1 2e c4 4b 36 26 92 df 94 13 7f 32  r.M....K6&.....2
+  016  8f ea 8d a7 39 90 26 5e c1 bb be a1 ae 9a f0 ca  ....9.&^........
+  032  13 b2 5a a2 6c b4 a6 48 cb 9b 9d 1b e6 5b 2c 09  ..Z.l..H.....[,.
+  048  24 a6 6c 54 d5 45 ec 1b 73 74 f4 87 2e 99 f0 96  $.lT.E..st......
+
+  Test Vector #5:
+  ==============
+
+  Key:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
+  Nonce:
+  000  00 00 00 00 00 00 00 00 00 00 00 02              ............
+
+  Block Counter = 0
+
+    ChaCha state at the end
+        374dc6c2  3736d58c  b904e24a  cd3f93ef
+        88228b1a  96a4dfb3  5b76ab72  c727ee54
+        0e0e978a  f3145c95  1b748ea8  f786c297
+        99c28f5f  628314e8  398a19fa  6ded1b53
+
+  Keystream:
+  000  c2 c6 4d 37 8c d5 36 37 4a e2 04 b9 ef 93 3f cd  ..M7..67J.....?.
+  016  1a 8b 22 88 b3 df a4 96 72 ab 76 5b 54 ee 27 c7  ..".....r.v[T.'.
+  032  8a 97 0e 0e 95 5c 14 f3 a8 8e 74 1b 97 c2 86 f7  .....\....t.....
+  048  5f 8f c2 99 e8 14 83 62 fa 19 8a 39 53 1b ed 6d  _......b...9S..m
+
+
+
+
+Nir & Langley                 Informational                    [Page 31]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+A.2.  ChaCha20 Encryption
+
+  Test Vector #1:
+  ==============
+
+  Key:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
+  Nonce:
+  000  00 00 00 00 00 00 00 00 00 00 00 00              ............
+
+  Initial Block Counter = 0
+
+  Plaintext:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  032  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  048  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
+  Ciphertext:
+  000  76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28  v.....=.@]j.S..(
+  016  bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7  .........6...w..
+  032  da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37  .AY|QWH.w$.?..J7
+  048  6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86  jC.........i..e.
+
+  Test Vector #2:
+  ==============
+
+  Key:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................
+
+  Nonce:
+  000  00 00 00 00 00 00 00 00 00 00 00 02              ............
+
+  Initial Block Counter = 1
+
+  Plaintext:
+  000  41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74  Any submission t
+  016  6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e  o the IETF inten
+  032  64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72  ded by the Contr
+  048  69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69  ibutor for publi
+  064  63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72  cation as all or
+  080  20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46   part of an IETF
+  096  20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20   Internet-Draft
+  112  6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73  or RFC and any s
+  128  74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69  tatement made wi
+
+
+
+Nir & Langley                 Informational                    [Page 32]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+  144  74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74  thin the context
+  160  20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69   of an IETF acti
+  176  76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72  vity is consider
+  192  65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74  ed an "IETF Cont
+  208  72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20  ribution". Such
+  224  73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75  statements inclu
+  240  64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e  de oral statemen
+  256  74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69  ts in IETF sessi
+  272  6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20  ons, as well as
+  288  77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63  written and elec
+  304  74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61  tronic communica
+  320  74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e  tions made at an
+  336  79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c  y time or place,
+  352  20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65   which are addre
+  368  73 73 65 64 20 74 6f                             ssed to
+
+  Ciphertext:
+  000  a3 fb f0 7d f3 fa 2f de 4f 37 6c a2 3e 82 73 70  ...}../.O7l.>.sp
+  016  41 60 5d 9f 4f 4f 57 bd 8c ff 2c 1d 4b 79 55 ec  A`].OOW...,.KyU.
+  032  2a 97 94 8b d3 72 29 15 c8 f3 d3 37 f7 d3 70 05  *....r)....7..p.
+  048  0e 9e 96 d6 47 b7 c3 9f 56 e0 31 ca 5e b6 25 0d  ....G...V.1.^.%.
+  064  40 42 e0 27 85 ec ec fa 4b 4b b5 e8 ea d0 44 0e  @B.'....KK....D.
+  080  20 b6 e8 db 09 d8 81 a7 c6 13 2f 42 0e 52 79 50   ........./B.RyP
+  096  42 bd fa 77 73 d8 a9 05 14 47 b3 29 1c e1 41 1c  B..ws....G.)..A.
+  112  68 04 65 55 2a a6 c4 05 b7 76 4d 5e 87 be a8 5a  h.eU*....vM^...Z
+  128  d0 0f 84 49 ed 8f 72 d0 d6 62 ab 05 26 91 ca 66  ...I..r..b..&..f
+  144  42 4b c8 6d 2d f8 0e a4 1f 43 ab f9 37 d3 25 9d  BK.m-....C..7.%.
+  160  c4 b2 d0 df b4 8a 6c 91 39 dd d7 f7 69 66 e9 28  ......l.9...if.(
+  176  e6 35 55 3b a7 6c 5c 87 9d 7b 35 d4 9e b2 e6 2b  .5U;.l\..{5....+
+  192  08 71 cd ac 63 89 39 e2 5e 8a 1e 0e f9 d5 28 0f  .q..c.9.^.....(.
+  208  a8 ca 32 8b 35 1c 3c 76 59 89 cb cf 3d aa 8b 6c  ..2.5.<vY...=..l
+  224  cc 3a af 9f 39 79 c9 2b 37 20 fc 88 dc 95 ed 84  .:..9y.+7 ......
+  240  a1 be 05 9c 64 99 b9 fd a2 36 e7 e8 18 b0 4b 0b  ....d....6....K.
+  256  c3 9c 1e 87 6b 19 3b fe 55 69 75 3f 88 12 8c c0  ....k.;.Uiu?....
+  272  8a aa 9b 63 d1 a1 6f 80 ef 25 54 d7 18 9c 41 1f  ...c..o..%T...A.
+  288  58 69 ca 52 c5 b8 3f a3 6f f2 16 b9 c1 d3 00 62  Xi.R..?.o......b
+  304  be bc fd 2d c5 bc e0 91 19 34 fd a7 9a 86 f6 e6  ...-.....4......
+  320  98 ce d7 59 c3 ff 9b 64 77 33 8f 3d a4 f9 cd 85  ...Y...dw3.=....
+  336  14 ea 99 82 cc af b3 41 b2 38 4d d9 02 f3 d1 ab  .......A.8M.....
+  352  7a c6 1d d2 9c 6f 21 ba 5b 86 2f 37 30 e3 7c fd  z....o!.[./70.|.
+  368  c4 fd 80 6c 22 f2 21                             ...l".!
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 33]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+  Test Vector #3:
+  ==============
+
+  Key:
+  000  1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0  ..@..U...3......
+  016  47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0  G9..@+....\. pu.
+
+  Nonce:
+  000  00 00 00 00 00 00 00 00 00 00 00 02              ............
+
+  Initial Block Counter = 42
+
+  Plaintext:
+  000  27 54 77 61 73 20 62 72 69 6c 6c 69 67 2c 20 61  'Twas brillig, a
+  016  6e 64 20 74 68 65 20 73 6c 69 74 68 79 20 74 6f  nd the slithy to
+  032  76 65 73 0a 44 69 64 20 67 79 72 65 20 61 6e 64  ves.Did gyre and
+  048  20 67 69 6d 62 6c 65 20 69 6e 20 74 68 65 20 77   gimble in the w
+  064  61 62 65 3a 0a 41 6c 6c 20 6d 69 6d 73 79 20 77  abe:.All mimsy w
+  080  65 72 65 20 74 68 65 20 62 6f 72 6f 67 6f 76 65  ere the borogove
+  096  73 2c 0a 41 6e 64 20 74 68 65 20 6d 6f 6d 65 20  s,.And the mome
+  112  72 61 74 68 73 20 6f 75 74 67 72 61 62 65 2e     raths outgrabe.
+
+  Ciphertext:
+  000  62 e6 34 7f 95 ed 87 a4 5f fa e7 42 6f 27 a1 df  b.4....._..Bo'..
+  016  5f b6 91 10 04 4c 0d 73 11 8e ff a9 5b 01 e5 cf  _....L.s....[...
+  032  16 6d 3d f2 d7 21 ca f9 b2 1e 5f b1 4c 61 68 71  .m=..!...._.Lahq
+  048  fd 84 c5 4f 9d 65 b2 83 19 6c 7f e4 f6 05 53 eb  ...O.e...l....S.
+  064  f3 9c 64 02 c4 22 34 e3 2a 35 6b 3e 76 43 12 a6  ..d.."4.*5k>vC..
+  080  1a 55 32 05 57 16 ea d6 96 25 68 f8 7d 3f 3f 77  .U2.W....%h.}??w
+  096  04 c6 a8 d1 bc d1 bf 4d 50 d6 15 4b 6d a7 31 b1  .......MP..Km.1.
+  112  87 b5 8d fd 72 8a fa 36 75 7a 79 7a c1 88 d1     ....r..6uzyz...
+
+A.3.  Poly1305 Message Authentication Code
+
+   Notice how, in test vector #2, r is equal to zero.  The part of the
+   Poly1305 algorithm where the accumulator is multiplied by r means
+   that with r equal zero, the tag will be equal to s regardless of the
+   content of the text.  Fortunately, all the proposed methods of
+   generating r are such that getting this particular weak key is very
+   unlikely.
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 34]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+  Test Vector #1:
+  ==============
+
+  One-time Poly1305 Key:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
+  Text to MAC:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  032  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  048  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
+  Tag:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 35]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+  Test Vector #2:
+  ==============
+
+  One-time Poly1305 Key:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e  6.....`p...."z.>
+
+  Text to MAC:
+  000  41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74  Any submission t
+  016  6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e  o the IETF inten
+  032  64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72  ded by the Contr
+  048  69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69  ibutor for publi
+  064  63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72  cation as all or
+  080  20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46   part of an IETF
+  096  20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20   Internet-Draft
+  112  6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73  or RFC and any s
+  128  74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69  tatement made wi
+  144  74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74  thin the context
+  160  20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69   of an IETF acti
+  176  76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72  vity is consider
+  192  65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74  ed an "IETF Cont
+  208  72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20  ribution". Such
+  224  73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75  statements inclu
+  240  64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e  de oral statemen
+  256  74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69  ts in IETF sessi
+  272  6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20  ons, as well as
+  288  77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63  written and elec
+  304  74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61  tronic communica
+  320  74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e  tions made at an
+  336  79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c  y time or place,
+  352  20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65   which are addre
+  368  73 73 65 64 20 74 6f                             ssed to
+
+  Tag:
+  000  36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e  6.....`p...."z.>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 36]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+  Test Vector #3:
+  ==============
+
+  One-time Poly1305 Key:
+  000  36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e  6.....`p...."z.>
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
+  Text to MAC:
+  000  41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74  Any submission t
+  016  6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e  o the IETF inten
+  032  64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72  ded by the Contr
+  048  69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69  ibutor for publi
+  064  63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72  cation as all or
+  080  20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46   part of an IETF
+  096  20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20   Internet-Draft
+  112  6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73  or RFC and any s
+  128  74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69  tatement made wi
+  144  74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74  thin the context
+  160  20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69   of an IETF acti
+  176  76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72  vity is consider
+  192  65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74  ed an "IETF Cont
+  208  72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20  ribution". Such
+  224  73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75  statements inclu
+  240  64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e  de oral statemen
+  256  74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69  ts in IETF sessi
+  272  6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20  ons, as well as
+  288  77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63  written and elec
+  304  74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61  tronic communica
+  320  74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e  tions made at an
+  336  79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c  y time or place,
+  352  20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65   which are addre
+  368  73 73 65 64 20 74 6f                             ssed to
+
+  Tag:
+  000  f3 47 7e 7c d9 54 17 af 89 a6 b8 79 4c 31 0c f0  .G~|.T.....yL1..
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 37]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+  Test Vector #4:
+  ==============
+
+  One-time Poly1305 Key:
+  000  1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0  ..@..U...3......
+  016  47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0  G9..@+....\. pu.
+
+  Text to MAC:
+  000  27 54 77 61 73 20 62 72 69 6c 6c 69 67 2c 20 61  'Twas brillig, a
+  016  6e 64 20 74 68 65 20 73 6c 69 74 68 79 20 74 6f  nd the slithy to
+  032  76 65 73 0a 44 69 64 20 67 79 72 65 20 61 6e 64  ves.Did gyre and
+  048  20 67 69 6d 62 6c 65 20 69 6e 20 74 68 65 20 77   gimble in the w
+  064  61 62 65 3a 0a 41 6c 6c 20 6d 69 6d 73 79 20 77  abe:.All mimsy w
+  080  65 72 65 20 74 68 65 20 62 6f 72 6f 67 6f 76 65  ere the borogove
+  096  73 2c 0a 41 6e 64 20 74 68 65 20 6d 6f 6d 65 20  s,.And the mome
+  112  72 61 74 68 73 20 6f 75 74 67 72 61 62 65 2e     raths outgrabe.
+
+  Tag:
+  000  45 41 66 9a 7e aa ee 61 e7 08 dc 7c bc c5 eb 62  EAf.~..a...|...b
+
+   Test Vector #5: If one uses 130-bit partial reduction, does the code
+   handle the case where partially reduced final result is not fully
+   reduced?
+
+   R:
+   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   S:
+   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   data:
+   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+   tag:
+   03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+   Test Vector #6: What happens if addition of s overflows modulo 2^128?
+
+   R:
+   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   S:
+   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+   data:
+   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   tag:
+   03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 38]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   Test Vector #7: What happens if data limb is all ones and there is
+   carry from lower limb?
+
+   R:
+   01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   S:
+   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   data:
+   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+   F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+   11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   tag:
+   05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+   Test Vector #8: What happens if final result from polynomial part is
+   exactly 2^130-5?
+
+   R:
+   01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   S:
+   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   data:
+   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+   FB FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE
+   01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+   tag:
+   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+   Test Vector #9: What happens if final result from polynomial part is
+   exactly 2^130-6?
+
+   R:
+   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   S:
+   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   data:
+   FD FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+   tag:
+   FA FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 39]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   Test Vector #10: What happens if 5*H+L-type reduction produces
+   131-bit intermediate result?
+
+   R:
+   01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
+   S:
+   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   data:
+   E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00
+   33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00
+   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   tag:
+   14 00 00 00 00 00 00 00 55 00 00 00 00 00 00 00
+
+   Test Vector #11: What happens if 5*H+L-type reduction produces
+   131-bit final result?
+
+   R:
+   01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
+   S:
+   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   data:
+   E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00
+   33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00
+   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   tag:
+   13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+A.4.  Poly1305 Key Generation Using ChaCha20
+
+  Test Vector #1:
+  ==============
+
+  The key:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+
+  The nonce:
+  000  00 00 00 00 00 00 00 00 00 00 00 00              ............
+
+  Poly1305 one-time key:
+  000  76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28  v.....=.@]j.S..(
+  016  bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7  .........6...w..
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 40]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+  Test Vector #2:
+  ==============
+
+  The key:
+  000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  016  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................
+
+  The nonce:
+  000  00 00 00 00 00 00 00 00 00 00 00 02              ............
+
+  Poly1305 one-time key:
+  000  ec fa 25 4f 84 5f 64 74 73 d3 cb 14 0d a9 e8 76  ..%O._dts......v
+  016  06 cb 33 06 6c 44 7b 87 bc 26 66 dd e3 fb b7 39  ..3.lD{..&f....9
+
+  Test Vector #3:
+  ==============
+
+  The key:
+  000  1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0  ..@..U...3......
+  016  47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0  G9..@+....\. pu.
+
+  The nonce:
+  000  00 00 00 00 00 00 00 00 00 00 00 02              ............
+
+  Poly1305 one-time key:
+  000  96 5e 3b c6 f9 ec 7e d9 56 08 08 f4 d2 29 f9 4b  .^;...~.V....).K
+  016  13 7f f2 75 ca 9b 3f cb dd 59 de aa d2 33 10 ae  ...u..?..Y...3..
+
+A.5.  ChaCha20-Poly1305 AEAD Decryption
+
+   Below we see decrypting a message.  We receive a ciphertext, a nonce,
+   and a tag.  We know the key.  We will check the tag and then
+   (assuming that it validates) decrypt the ciphertext.  In this
+   particular protocol, we'll assume that there is no padding of the
+   plaintext.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 41]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+  The key:
+  000  1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0  ..@..U...3......
+  016  47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0  G9..@+....\. pu.
+
+  Ciphertext:
+  000  64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd  d...u...`.b...C.
+  016  5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2  ^.\.4\....g..l..
+  032  4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0  Ll..u]C....N8-&.
+  048  bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf  ...<2.....;.5X..
+  064  33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81  3/..q......J....
+  080  14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55  ...n..3.`....7.U
+  096  97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38  ...n...a..2N+5.8
+  112  36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4  6..{j|.....{S.g.
+  128  b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9  ..lv{.MF..R.....
+  144  90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e  .@...3"^.....lR>
+  160  af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a  .E4..?..[.Gq..Tj
+  176  0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a  ..+..VN..B"s.H'.
+  192  0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e  ..1`S.v..U..1YCN
+  208  ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10  ..NFm.Z.s.rv'.z.
+  224  49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30  I....6...h..w.q0
+  240  30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29  0[.......{qMlo,)
+  256  a6 ad 5c b4 02 2b 02 70 9b                       ..\..+.p.
+
+  The nonce:
+  000  00 00 00 00 01 02 03 04 05 06 07 08              ............
+
+  The AAD:
+  000  f3 33 88 86 00 00 00 00 00 00 4e 91              .3........N.
+
+  Received Tag:
+  000  ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38  ...g..."9#6....8
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 42]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   First, we calculate the one-time Poly1305 key
+
+  @@@  ChaCha state with key setup
+        61707865  3320646e  79622d32  6b206574
+        a540921c  8ad355eb  868833f3  f0b5f604
+        c1173947  09802b40  bc5cca9d  c0757020
+        00000000  00000000  04030201  08070605
+
+  @@@  ChaCha state after 20 rounds
+        a94af0bd  89dee45c  b64bb195  afec8fa1
+        508f4726  63f554c0  1ea2c0db  aa721526
+        11b1e514  a0bacc0f  828a6015  d7825481
+        e8a4a850  d9dcbbd6  4c2de33a  f8ccd912
+
+  @@@ out bytes:
+  bd:f0:4a:a9:5c:e4:de:89:95:b1:4b:b6:a1:8f:ec:af:
+  26:47:8f:50:c0:54:f5:63:db:c0:a2:1e:26:15:72:aa
+
+  Poly1305 one-time key:
+  000  bd f0 4a a9 5c e4 de 89 95 b1 4b b6 a1 8f ec af  ..J.\.....K.....
+  016  26 47 8f 50 c0 54 f5 63 db c0 a2 1e 26 15 72 aa  &G.P.T.c....&.r.
+
+   Next, we construct the AEAD buffer
+
+  Poly1305 Input:
+  000  f3 33 88 86 00 00 00 00 00 00 4e 91 00 00 00 00  .3........N.....
+  016  64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd  d...u...`.b...C.
+  032  5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2  ^.\.4\....g..l..
+  048  4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0  Ll..u]C....N8-&.
+  064  bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf  ...<2.....;.5X..
+  080  33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81  3/..q......J....
+  096  14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55  ...n..3.`....7.U
+  112  97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38  ...n...a..2N+5.8
+  128  36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4  6..{j|.....{S.g.
+  144  b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9  ..lv{.MF..R.....
+  160  90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e  .@...3"^.....lR>
+  176  af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a  .E4..?..[.Gq..Tj
+  192  0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a  ..+..VN..B"s.H'.
+  208  0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e  ..1`S.v..U..1YCN
+  224  ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10  ..NFm.Z.s.rv'.z.
+  240  49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30  I....6...h..w.q0
+  256  30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29  0[.......{qMlo,)
+  272  a6 ad 5c b4 02 2b 02 70 9b 00 00 00 00 00 00 00  ..\..+.p........
+  288  0c 00 00 00 00 00 00 00 09 01 00 00 00 00 00 00  ................
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 43]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+   We calculate the Poly1305 tag and find that it matches
+
+  Calculated Tag:
+  000  ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38  ...g..."9#6....8
+
+   Finally, we decrypt the ciphertext
+
+  Plaintext::
+  000  49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 73 20  Internet-Drafts
+  016  61 72 65 20 64 72 61 66 74 20 64 6f 63 75 6d 65  are draft docume
+  032  6e 74 73 20 76 61 6c 69 64 20 66 6f 72 20 61 20  nts valid for a
+  048  6d 61 78 69 6d 75 6d 20 6f 66 20 73 69 78 20 6d  maximum of six m
+  064  6f 6e 74 68 73 20 61 6e 64 20 6d 61 79 20 62 65  onths and may be
+  080  20 75 70 64 61 74 65 64 2c 20 72 65 70 6c 61 63   updated, replac
+  096  65 64 2c 20 6f 72 20 6f 62 73 6f 6c 65 74 65 64  ed, or obsoleted
+  112  20 62 79 20 6f 74 68 65 72 20 64 6f 63 75 6d 65   by other docume
+  128  6e 74 73 20 61 74 20 61 6e 79 20 74 69 6d 65 2e  nts at any time.
+  144  20 49 74 20 69 73 20 69 6e 61 70 70 72 6f 70 72   It is inappropr
+  160  69 61 74 65 20 74 6f 20 75 73 65 20 49 6e 74 65  iate to use Inte
+  176  72 6e 65 74 2d 44 72 61 66 74 73 20 61 73 20 72  rnet-Drafts as r
+  192  65 66 65 72 65 6e 63 65 20 6d 61 74 65 72 69 61  eference materia
+  208  6c 20 6f 72 20 74 6f 20 63 69 74 65 20 74 68 65  l or to cite the
+  224  6d 20 6f 74 68 65 72 20 74 68 61 6e 20 61 73 20  m other than as
+  240  2f e2 80 9c 77 6f 72 6b 20 69 6e 20 70 72 6f 67  /...work in prog
+  256  72 65 73 73 2e 2f e2 80 9d                       ress./...
+
+Appendix B.  Performance Measurements of ChaCha20
+
+   The following measurements were made by Adam Langley for a blog post
+   published on February 27th, 2014.  The original blog post was
+   available at the time of this writing at
+   <https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html>.
+
+     +----------------------------+-------------+-------------------+
+     | Chip                       | AES-128-GCM | ChaCha20-Poly1305 |
+     +----------------------------+-------------+-------------------+
+     | OMAP 4460                  |  24.1 MB/s  |     75.3 MB/s     |
+     | Snapdragon S4 Pro          |  41.5 MB/s  |     130.9 MB/s    |
+     | Sandy Bridge Xeon (AES-NI) |   900 MB/s  |      500 MB/s     |
+     +----------------------------+-------------+-------------------+
+
+                         Table 1: Speed Comparison
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 44]
+
+RFC 7539                   ChaCha20 & Poly1305                  May 2015
+
+
+Acknowledgements
+
+   ChaCha20 and Poly1305 were invented by Daniel J. Bernstein.  The AEAD
+   construction and the method of creating the one-time Poly1305 key
+   were invented by Adam Langley.
+
+   Thanks to Robert Ransom, Watson Ladd, Stefan Buhler, Dan Harkins, and
+   Kenny Paterson for their helpful comments and explanations.  Thanks
+   to Niels Moller for suggesting the more efficient AEAD construction
+   in this document.  Special thanks to Ilari Liusvaara for providing
+   extra test vectors, helpful comments, and for being the first to
+   attempt an implementation from this document.  Thanks to Sean
+   Parkinson for suggesting improvements to the examples and the
+   pseudocode.  Thanks to David Ireland for pointing out a bug in the
+   pseudocode, and to Stephen Farrell and Alyssa Rowan for pointing out
+   missing advise in the security considerations.
+
+   Special thanks goes to Gordon Procter for performing a security
+   analysis of the composition and publishing [Procter].
+
+Authors' Addresses
+
+   Yoav Nir
+   Check Point Software Technologies, Ltd.
+   5 Hasolelim St.
+   Tel Aviv  6789735
+   Israel
+
+   EMail: ynir.ietf@gmail.com
+
+
+   Adam Langley
+   Google, Inc.
+
+   EMail: agl@google.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nir & Langley                 Informational                    [Page 45]
diff --git a/_example/secure_conn/main.go b/_example/secure_conn/main.go
new file mode 100644
index 0000000..3104068
--- /dev/null
+++ b/_example/secure_conn/main.go
@@ -0,0 +1,138 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"os"
+	"time"
+
+	"snix.ir/rabaead"
+	"snix.ir/rabbitio"
+)
+
+func main() {
+	encFlag := flag.NewFlagSet("encrypt", flag.ExitOnError)
+	decFlag := flag.NewFlagSet("decrypt", flag.ExitOnError)
+	flag.Usage = flagUsage
+	if len(os.Args) < 2 {
+		flag.Usage()
+		os.Exit(1)
+	}
+
+	switch os.Args[1] {
+	case "server":
+		server(encFlag)
+	case "client":
+		client(decFlag)
+	default:
+		flag.Usage()
+		os.Exit(1)
+	}
+}
+
+func flagUsage() {
+
+	fmt.Printf(`usage of %v: commands <args...|help>
+commands:
+
+   server <args...>     encrypt files with rabbit poly1305 aead cipher
+   client <args...>     decrypt files with rabbit poly1305 aead cipher
+
+
+Copyright (c) 2022 snix.ir, All rights reserved.
+Developed BY <Sina Ghaderi> sina@snix.ir
+This work is licensed under the terms of GNU General Public license.
+Github: github.com/sina-ghaderi and Source: git.snix.ir
+`, os.Args[0])
+}
+
+func server(flagset *flag.FlagSet) {
+
+	plain := flagset.String("net", "127.0.0.1:7899", "network tcp listen address")
+	keyva := flagset.String("key", "", "rabbit key string, must be 16-byte len")
+	ivxva := flagset.String("ivx", "", "rabbit iv string, must be 8-byte or nothing")
+	flagset.Parse(os.Args[2:])
+
+	ivb := []byte(*ivxva)
+
+	if len(ivb) != rabbitio.IVXLen && len(ivb) != 0 {
+		log.Fatal(rabbitio.ErrInvalidIVX)
+	}
+
+	aead, err := rabaead.NewAEAD([]byte(*keyva))
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	l, err := net.Listen("tcp", *plain)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	for {
+		conn, err := l.Accept()
+		if err != nil {
+			log.Print(err)
+			continue
+		}
+
+		writer, _ := rabaead.NewChunkWriter(conn, 16, aead, ivb, nil)
+		go handleServerConn(writer, conn)
+	}
+
+}
+
+func handleServerConn(w io.WriteCloser, conn net.Conn) {
+	defer conn.Close()
+	if _, err := w.Write([]byte(time.Now().String())); err != nil {
+		log.Print(err)
+		return
+	}
+}
+
+func client(flagset *flag.FlagSet) {
+	plain := flagset.String("net", "127.0.0.1:7899", "network tcp dial address")
+	keyva := flagset.String("key", "", "rabbit key string, must be 16-byte len")
+	ivxva := flagset.String("ivx", "", "rabbit iv string, must be 8-byte or nothing")
+	flagset.Parse(os.Args[2:])
+
+	ivb := []byte(*ivxva)
+
+	aead, err := rabaead.NewAEAD([]byte(*keyva))
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	conn, err := net.Dial("tcp", *plain)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	defer conn.Close()
+
+	reader, err := rabaead.NewChunkReader(conn, 16, aead, ivb, nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	ntms := []byte{}
+	buff := make([]byte, 16)
+
+	for {
+		n, err := reader.Read(buff)
+		if err != nil {
+			if err == io.EOF {
+				ntms = append(ntms, buff[:n]...)
+				break
+			}
+			log.Fatal(err)
+		}
+		ntms = append(ntms, buff...)
+	}
+
+	log.Printf("server time: %v", string(ntms))
+
+}
diff --git a/_example/secure_conn/secure_conn b/_example/secure_conn/secure_conn
new file mode 100755
index 0000000..fdc0278
Binary files /dev/null and b/_example/secure_conn/secure_conn differ
diff --git a/aead_test.go b/aead_test.go
new file mode 100644
index 0000000..87a782e
--- /dev/null
+++ b/aead_test.go
@@ -0,0 +1,412 @@
+package rabaead_test
+
+import (
+	"bytes"
+	"io"
+	"log"
+	"testing"
+
+	"snix.ir/rabaead"
+)
+
+var key = []byte{
+	0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff,
+}
+
+var iv = []byte{
+	0xfa, 0xfa, 0xfa, 0xfa,
+	0xfa, 0xfa, 0xfa, 0xfa,
+}
+
+var ptx = []byte{
+	0x01, 0x02, 0x03, 0x04,
+	0x05, 0x06, 0x07, 0x08,
+	0x09, 0x0a, 0x0b, 0x0c,
+	0x0d, 0x0e, 0x0f, 0x10,
+}
+
+// Simple AEAD Cipher Test
+func TestNewAEAD(t *testing.T) {
+	aead, err := rabaead.NewAEAD(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bf := aead.Seal([]byte{}, iv, ptx, []byte{0x01, 0x01, 0x01, 0x01})
+	t.Logf("aead encrypted: %x\n", bf)
+
+	bf, err = aead.Open([]byte{}, iv, bf, []byte{0x01, 0x01, 0x01, 0x01})
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("aead decrypted: %x\n", bf)
+
+	if !bytes.Equal(bf, ptx) {
+		t.Fatal("decrypted data is not same as plaintext")
+	}
+}
+
+// TestChunkIO Encrypt and decrypt with NewChunkWriter and NewChunkReader
+func TestChunkIO(t *testing.T) {
+	buf := &bytes.Buffer{}
+	aead, err := rabaead.NewAEAD(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	w, _ := rabaead.NewChunkWriter(buf, 0x08, aead, iv, nil)
+	if _, err := w.Write(ptx); err != nil {
+		t.Fatal(err)
+	}
+	if err := w.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("aead encrypted: %x\n", buf.Bytes())
+
+	r, _ := rabaead.NewChunkReader(buf, 0x08, aead, iv, nil)
+	pbf := make([]byte, 18)
+	n, err := r.Read(pbf)
+	if err != nil {
+		if err != io.EOF {
+			t.Fatal(err)
+		}
+	}
+
+	t.Logf("aead decrypted: %x\n", pbf)
+	if !bytes.Equal(pbf[:n], ptx) {
+		t.Fatal("decrypted data is not same as plaintext")
+	}
+}
+
+// test StreamWriter and Reader
+func TestStreamIO(t *testing.T) {
+	buf := &bytes.Buffer{}
+	w, err := rabaead.NewStreamWriter(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := w.Write(ptx); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("aead encrypted: %x\n", buf.Bytes())
+
+	r, err := rabaead.NewStreamReader(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pbf := make([]byte, 16)
+	n, err := r.Read(pbf)
+	if err != nil {
+		if err != io.EOF {
+			t.Fatal(err)
+		}
+	}
+	t.Logf("aead decrypted: %x\n", pbf)
+	if !bytes.Equal(pbf[:n], ptx) {
+		t.Fatal("decrypted data is not same as plaintext")
+	}
+}
+
+func TestStreamIO2(t *testing.T) {
+	buf := &bytes.Buffer{}
+	w, err := rabaead.NewStreamWriter(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := w.Write(ptx); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("aead encrypted: %x\n", buf.Bytes())
+
+	r, err := rabaead.NewStreamReader(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pbf := make([]byte, 17)
+	n, err := r.Read(pbf)
+	if err != nil {
+		if err != io.EOF {
+			t.Fatal(err)
+		}
+	}
+
+	t.Logf("aead decrypted: %x\n", pbf)
+	if !bytes.Equal(pbf[:n], ptx) {
+		t.Fatal("decrypted data is not same as plaintext")
+	}
+}
+
+func TestStreamIO3(t *testing.T) {
+	buf := &bytes.Buffer{}
+	w, err := rabaead.NewStreamWriter(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := w.Write(ptx); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("aead encrypted: %x\n", buf.Bytes())
+
+	r, err := rabaead.NewStreamReader(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pbf := make([]byte, 27)
+	n, err := r.Read(pbf)
+	if err != nil {
+		if err != io.EOF {
+			t.Fatal(err)
+		}
+	}
+	t.Logf("aead decrypted: %x\n", pbf)
+	if !bytes.Equal(pbf[:n], ptx) {
+		t.Fatal("decrypted data is not same as plaintext")
+	}
+}
+
+func TestStreamIO4(t *testing.T) {
+	buf := &bytes.Buffer{}
+	w, err := rabaead.NewStreamWriter(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := w.Write(ptx); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("aead encrypted: %x\n", buf.Bytes())
+
+	r, err := rabaead.NewStreamReader(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pbf := make([]byte, 7)
+	vsf := make([]byte, 0)
+	for {
+		n, err := r.Read(pbf)
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			t.Fatal(err)
+		}
+		vsf = append(vsf, pbf[:n]...)
+
+	}
+	t.Logf("aead decrypted: %x\n", vsf)
+	if !bytes.Equal(vsf, ptx) {
+		t.Fatal("decrypted data is not same as plaintext")
+	}
+}
+
+func TestStreamIO5(t *testing.T) {
+	buf := &bytes.Buffer{}
+	w, err := rabaead.NewStreamWriter(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := w.Write(append(ptx, 0x02)); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("aead encrypted: %x\n", buf.Bytes())
+
+	r, err := rabaead.NewStreamReader(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pbf := make([]byte, 7)
+	vsf := make([]byte, 0)
+	for {
+		n, err := r.Read(pbf)
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			t.Fatal(err)
+		}
+		vsf = append(vsf, pbf[:n]...)
+
+	}
+	t.Logf("aead decrypted: %x\n", vsf)
+	if !bytes.Equal(vsf, append(ptx, 0x02)) {
+		t.Fatal("decrypted data is not same as plaintext")
+	}
+}
+
+// TestIOAndAEAD encrypt a plaintext and opens with AEAD Open()
+func TestIOAndAEAD(t *testing.T) {
+	buf := &bytes.Buffer{}
+	w, err := rabaead.NewStreamWriter(buf, key, iv, func() []byte { return []byte{0x01, 0x01, 0x01, 0x01} })
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := w.Write(ptx); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("aead encrypted: %x\n", buf.Bytes())
+	aead, err := rabaead.NewAEAD(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bf, err := aead.Open([]byte{}, iv, buf.Bytes(), []byte{0x01, 0x01, 0x01, 0x01})
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("aead decrypted: %x\n", bf)
+}
+
+func TestChunkIOErr(t *testing.T) {
+	buf := &bytes.Buffer{}
+	aead, err := rabaead.NewAEAD(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	w, _ := rabaead.NewChunkWriter(buf, 0x08, aead, iv, nil)
+	if _, err := w.Write(ptx); err != nil {
+		t.Fatal(err)
+	}
+	if err := w.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("aead encrypted: %x\n", buf.Bytes())
+
+	r, _ := rabaead.NewChunkReader(buf, 0x09, aead, iv, nil)
+	pbf := make([]byte, 18)
+	_, err = r.Read(pbf)
+
+	t.Logf("aead decrypted: %x\n", pbf)
+	if err != rabaead.ErrAuthMsg {
+		t.Fatal("err auth must returned")
+	}
+}
+
+func TestAEADAndIO(t *testing.T) {
+
+	aead, err := rabaead.NewAEAD(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bf := aead.Seal([]byte{}, iv, ptx, []byte{0x01, 0x01, 0x01, 0x01})
+
+	buf := bytes.NewReader(bf)
+	r, err := rabaead.NewStreamReader(buf, key, iv, func() []byte { return []byte{0x01, 0x01, 0x01, 0x01} })
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("aead encrypted: %x\n", bf)
+
+	var sc = &bytes.Buffer{}
+	_, err = io.Copy(sc, r)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	t.Logf("aead decrypted: %x\n", sc.Bytes())
+}
+
+func TestStreamIOErr(t *testing.T) {
+	buf := &bytes.Buffer{}
+	f := func() []byte { return []byte{0x01} }
+	w, err := rabaead.NewStreamWriter(buf, key, iv, f)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := w.Write(ptx); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("aead encrypted: %x\n", buf.Bytes())
+
+	r, err := rabaead.NewStreamReader(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pbf := make([]byte, 16)
+	for {
+		_, err = r.Read(pbf)
+		if err != nil {
+			break
+		}
+	}
+	t.Logf("aead decrypted: %x\n", pbf)
+	if err != rabaead.ErrAuthMsg {
+		t.Fatal("err auth must returned")
+	}
+}
+
+func TestShortData(t *testing.T) {
+	buf := &bytes.Buffer{}
+	buf.Write(ptx[:15])
+	r, err := rabaead.NewStreamReader(buf, key, iv, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pbf := make([]byte, 16)
+	for {
+		_, err = r.Read(pbf)
+		if err != nil {
+			break
+		}
+	}
+
+	if err != io.ErrUnexpectedEOF {
+		t.Fatal("err io.ErrUnexpectedEOF must returned")
+	}
+
+}
diff --git a/applap.go b/applap.go
new file mode 100644
index 0000000..efe7b6f
--- /dev/null
+++ b/applap.go
@@ -0,0 +1,18 @@
+//go:build appengine
+
+package rabaead
+
+import "reflect"
+
+func anyOverlap(x, y []byte) bool {
+	return len(x) > 0 && len(y) > 0 &&
+		reflect.ValueOf(&x[0]).Pointer() <= reflect.ValueOf(&y[len(y)-1]).Pointer() &&
+		reflect.ValueOf(&y[0]).Pointer() <= reflect.ValueOf(&x[len(x)-1]).Pointer()
+}
+
+func inexactOverlap(x, y []byte) bool {
+	if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
+		return false
+	}
+	return anyOverlap(x, y)
+}
diff --git a/chunk.go b/chunk.go
new file mode 100644
index 0000000..3b56d62
--- /dev/null
+++ b/chunk.go
@@ -0,0 +1,214 @@
+package rabaead
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"encoding/binary"
+	"io"
+
+	"snix.ir/rabbitio"
+)
+
+const cmrk = 0x08 // chunk size indicator,
+// without this reader cannot calculate actual size of plaintext
+
+// additional data func, return value is used as AD in Seal and Open
+// nil AdFunc is harmless and equal to func()[]byte{return nil}
+type AdditionalFunc func() []byte
+
+type chunkReader struct {
+	aead  cipher.AEAD
+	csize int
+	rader io.Reader
+	buff  []byte
+	nonce []byte
+	adexe AdditionalFunc
+}
+
+type chunkWriter struct {
+	aead   cipher.AEAD
+	csize  int
+	writer io.Writer
+	buff   []byte
+	nonce  []byte
+	adexe  AdditionalFunc
+}
+
+// NewChunkReader returns a chunkReader data type, this reader reads and open() aead
+// ciphertext, each chunk has its own tag and cmrk value.
+// this reader has a chunk size in-memory buffer, large chunk size can make application to runs
+// out of memory, thus is most suitable for sliced data, like network data transmit and so..
+func NewChunkReader(r io.Reader, chnk int, a cipher.AEAD, nonce []byte, f AdditionalFunc) (*chunkReader, error) {
+
+	if len(nonce) != rabbitio.IVXLen && len(nonce) != 0 {
+		return nil, rabbitio.ErrInvalidIVX
+	}
+
+	s := &chunkReader{
+		aead:  a,
+		buff:  []byte{},
+		nonce: make([]byte, len(nonce)),
+		csize: chnk,
+		rader: r,
+		adexe: f,
+	}
+
+	if s.adexe == nil {
+		s.adexe = func() []byte { return nil }
+	}
+	copy(s.nonce, nonce)
+	return s, nil
+}
+
+// NewChunkWriter returns a chunkWriter data type, this writer sale() and write aead
+// plaintext, each chunk has its own tag and cmrk value.
+// this writer has a chunk size in-memory buffer, large chunk size can make application to
+// runs out of memory, thus is most suitable for sliced data, like network data transmit and so..
+func NewChunkWriter(w io.Writer, chnk int, a cipher.AEAD, nonce []byte, f AdditionalFunc) (*chunkWriter, error) {
+
+	if len(nonce) != rabbitio.IVXLen && len(nonce) != 0 {
+		return nil, rabbitio.ErrInvalidIVX
+	}
+	s := &chunkWriter{
+		aead:   a,
+		buff:   []byte{},
+		nonce:  make([]byte, len(nonce)),
+		csize:  chnk,
+		writer: w,
+		adexe:  f,
+	}
+
+	if s.adexe == nil {
+		s.adexe = func() []byte { return nil }
+	}
+
+	copy(s.nonce, nonce)
+	return s, nil
+}
+
+// Close method, if there is any
+func (w *chunkWriter) Close() error {
+	if c, ok := w.writer.(io.Closer); ok {
+		return c.Close()
+	}
+	return nil
+}
+
+// Write writes plaintext chunk into the sale() and underlying writer
+// write would not report overhead data (chunk size marker and poly1305 tag) in
+// written return value. for each chunk there is 8+16 byte overhead data.
+// AdFunc will be triggered for each chunk of data
+func (w *chunkWriter) Write(b []byte) (n int, err error) {
+	w.buff = b
+	for len(w.buff) > 0 {
+		s, err := w.write()
+		if err != nil {
+			return n, err
+		}
+		n += s
+	}
+	return
+}
+
+func (w *chunkWriter) write() (int, error) {
+	size := cmrk + w.csize + w.aead.Overhead()
+	chnk := make([]byte, size)
+	var n int
+	var err error
+
+	if len(w.buff) > 0 {
+		s := copy(chnk[cmrk:len(chnk)-w.aead.Overhead()], w.buff)
+		w.buff = w.buff[s:]
+		copy(chnk[0:cmrk], uint64Little(uint64(s)))
+
+		w.aead.Seal(chnk[:0], w.nonce, chnk[:cmrk+w.csize], w.adexe())
+		_, err = w.writer.Write(chnk)
+		if err != nil {
+			return n, err
+		}
+		n += s
+	}
+
+	return n, err
+}
+
+// Read reads and open() ciphertext chunk from underlying reader
+// read would not report overhead data (chunk size marker and poly1305 tag) in its
+// return value. if the read data from underlying reader is corrupted, ErrAuthMsg
+// error will be returned. for each chunk there is 8+16 byte overhead data.
+// AdFunc will be triggered for each chunk of data
+
+func (r *chunkReader) Read(b []byte) (int, error) {
+	if len(b) <= r.csize {
+		return r.readTo(b)
+	}
+	n := 0
+	for {
+		if n+r.csize > len(b) {
+			sr, err := r.readTo(b[n:])
+			n += sr
+			if err != nil {
+				return n, err
+			}
+			break
+		}
+		sr, err := r.readTo(b[n : n+r.csize])
+		n += sr
+		if err != nil {
+			return n, err
+		}
+	}
+
+	return n, nil
+}
+
+func (r *chunkReader) readTo(b []byte) (int, error) {
+	var n int
+	if len(r.buff) > 0 {
+		n = copy(b, r.buff)
+		r.buff = r.buff[n:]
+		return n, nil
+	}
+
+	sr, err := r.read()
+	n = copy(b, r.buff[:sr])
+	r.buff = r.buff[n:]
+	return n, err
+}
+
+func (r *chunkReader) read() (int, error) {
+
+	var n int
+	size := cmrk + r.csize + r.aead.Overhead()
+	chnk := make([]byte, size)
+	chLE := uint64Little(uint64(r.csize))
+
+	si, err := io.ReadFull(r.rader, chnk)
+	if err != nil {
+		return n, err
+	}
+
+	if si > 0 {
+		_, err = r.aead.Open(chnk[:0], r.nonce, chnk, r.adexe())
+		if err != nil {
+			return n, err
+		}
+
+		if bytes.Equal(chnk[0:cmrk], chLE) {
+			n += r.csize
+			r.buff = append(r.buff, chnk[cmrk:cmrk+r.csize]...)
+		} else {
+			f := binary.LittleEndian.Uint64(chnk[0:cmrk])
+			n += int(f)
+			r.buff = append(r.buff, chnk[cmrk:cmrk+f]...)
+		}
+	}
+
+	return n, err
+}
+
+func uint64Little(n uint64) []byte {
+	b := make([]byte, cmrk)
+	binary.LittleEndian.PutUint64(b, n)
+	return b
+}
diff --git a/chunkio.png b/chunkio.png
new file mode 100644
index 0000000..c79cd0e
Binary files /dev/null and b/chunkio.png differ
diff --git a/cipher.go b/cipher.go
new file mode 100644
index 0000000..ce76755
--- /dev/null
+++ b/cipher.go
@@ -0,0 +1,128 @@
+package rabaead
+
+import (
+	"crypto/cipher"
+	"errors"
+
+	"snix.ir/poly1305"
+	"snix.ir/rabbitio"
+)
+
+const polykeylen = 0x20 // poly1305 key len: 32byte
+
+var ErrAuthMsg = errors.New("rabaead: message authentication failed")
+var erroverlap = errors.New("rabaead: invalid buffer memory overlap")
+
+type rabbitPoly1305 struct {
+	key       []byte // rabbit cipher key
+	noncesize int    // rabbit iv size
+}
+
+// NewAEAD returns a rabbit aead data-type
+// key must be 16 byte len
+func NewAEAD(key []byte) (cipher.AEAD, error) { return newRabbitAead(key) }
+
+func newRabbitAead(key []byte) (cipher.AEAD, error) {
+	if len(key) != rabbitio.KeyLen {
+		return nil, rabbitio.ErrInvalidKey
+	}
+
+	rabbitAead := &rabbitPoly1305{
+		noncesize: rabbitio.IVXLen,
+		key:       make([]byte, rabbitio.KeyLen),
+	}
+	copy(rabbitAead.key[:], key)
+	return rabbitAead, nil
+
+}
+
+// Overhead returns poly1305 tag size: 16byte
+func (c *rabbitPoly1305) Overhead() int { return poly1305.TagSize }
+
+// NonceSize returns rabbit iv len: 8byte
+func (c *rabbitPoly1305) NonceSize() int { return c.noncesize }
+
+func (c *rabbitPoly1305) sealRabbit(dst, nonce, plaintext, ad []byte) []byte {
+	ret, out := headtail(dst, len(plaintext)+poly1305.TagSize)
+	ciphertext, tag := out[:len(plaintext)], out[len(plaintext):]
+	if inexactOverlap(out, plaintext) {
+		panic(erroverlap) //should never happen
+	}
+
+	var polyKey [polykeylen]byte
+	s, err := rabbitio.NewCipher(c.key, nonce)
+	if err != nil {
+		panic(err)
+	}
+	s.XORKeyStream(polyKey[:], polyKey[:])
+	p := poly1305.New(&polyKey)
+	writePadding(p, ad)
+
+	s, err = rabbitio.NewCipher(c.key, nonce)
+	if err != nil {
+		panic(err)
+	}
+	s.XORKeyStream(ciphertext, plaintext)
+
+	writePadding(p, ciphertext)
+
+	writeUint64(p, len(ad))
+	writeUint64(p, len(plaintext))
+	p.Sum(tag[:0x00])
+
+	return ret
+}
+
+func (c *rabbitPoly1305) openRabbit(dst, nonce, ciphertext, ad []byte) ([]byte, error) {
+	tag := ciphertext[len(ciphertext)-poly1305.TagSize:]
+	ciphertext = ciphertext[:len(ciphertext)-poly1305.TagSize]
+
+	var polyKey [polykeylen]byte
+	s, err := rabbitio.NewCipher(c.key, nonce)
+	if err != nil {
+		panic(err)
+	}
+	s.XORKeyStream(polyKey[:], polyKey[:])
+
+	p := poly1305.New(&polyKey)
+	writePadding(p, ad)
+	writePadding(p, ciphertext)
+
+	writeUint64(p, len(ad))
+	writeUint64(p, len(ciphertext))
+
+	ret, out := headtail(dst, len(ciphertext))
+	if inexactOverlap(out, ciphertext) {
+		panic(erroverlap) //should never happen
+	}
+
+	// check data integrity
+	if !p.Verify(tag) {
+		return nil, ErrAuthMsg
+	}
+
+	s, err = rabbitio.NewCipher(c.key, nonce)
+	if err != nil {
+		panic(err)
+	}
+	s.XORKeyStream(out, ciphertext)
+	return ret, nil
+}
+
+// Open opens a rabbit aead ciphertext.
+// panic occurs if nonce len is not equal to IVXLen (8byte) or zero
+// if data is not verified, ErrAuthMsg will be returned
+func (c *rabbitPoly1305) Open(dst, nonce, ciphertext, ad []byte) ([]byte, error) {
+
+	if len(ciphertext) < poly1305.TagSize {
+		return nil, ErrAuthMsg
+	}
+
+	return c.openRabbit(dst, nonce, ciphertext, ad)
+}
+
+// Seal seals a plaintext into the rabbit aead ciphertext.
+// panic occurs if nonce len is not equal to IVXLen (8byte) or zero
+func (c *rabbitPoly1305) Seal(dst, nonce, plaintext, ad []byte) []byte {
+	return c.sealRabbit(dst, nonce, plaintext, ad)
+}
diff --git a/cover.html b/cover.html
new file mode 100644
index 0000000..1e93867
--- /dev/null
+++ b/cover.html
@@ -0,0 +1,782 @@
+
+<!DOCTYPE html>
+<html>
+	<head>
+		<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+		<title>rabaead: Go Coverage Report</title>
+		<style>
+			body {
+				background: black;
+				color: rgb(80, 80, 80);
+			}
+			body, pre, #legend span {
+				font-family: Menlo, monospace;
+				font-weight: bold;
+			}
+			#topbar {
+				background: black;
+				position: fixed;
+				top: 0; left: 0; right: 0;
+				height: 42px;
+				border-bottom: 1px solid rgb(80, 80, 80);
+			}
+			#content {
+				margin-top: 50px;
+			}
+			#nav, #legend {
+				float: left;
+				margin-left: 10px;
+			}
+			#legend {
+				margin-top: 12px;
+			}
+			#nav {
+				margin-top: 10px;
+			}
+			#legend span {
+				margin: 0 5px;
+			}
+			.cov0 { color: rgb(192, 0, 0) }
+.cov1 { color: rgb(128, 128, 128) }
+.cov2 { color: rgb(116, 140, 131) }
+.cov3 { color: rgb(104, 152, 134) }
+.cov4 { color: rgb(92, 164, 137) }
+.cov5 { color: rgb(80, 176, 140) }
+.cov6 { color: rgb(68, 188, 143) }
+.cov7 { color: rgb(56, 200, 146) }
+.cov8 { color: rgb(44, 212, 149) }
+.cov9 { color: rgb(32, 224, 152) }
+.cov10 { color: rgb(20, 236, 155) }
+
+		</style>
+	</head>
+	<body>
+		<div id="topbar">
+			<div id="nav">
+				<select id="files">
+				
+				<option value="file0">snix.ir/rabaead/chunk.go (83.5%)</option>
+				
+				<option value="file1">snix.ir/rabaead/cipher.go (83.3%)</option>
+				
+				<option value="file2">snix.ir/rabaead/genlap.go (100.0%)</option>
+				
+				<option value="file3">snix.ir/rabaead/helper.go (100.0%)</option>
+				
+				<option value="file4">snix.ir/rabaead/ioaead.go (90.8%)</option>
+				
+				</select>
+			</div>
+			<div id="legend">
+				<span>not tracked</span>
+			
+				<span class="cov0">not covered</span>
+				<span class="cov8">covered</span>
+			
+			</div>
+		</div>
+		<div id="content">
+		
+		<pre class="file" id="file0" style="display: none">package rabaead
+
+import (
+        "bytes"
+        "crypto/cipher"
+        "encoding/binary"
+        "io"
+
+        "snix.ir/rabbitio"
+)
+
+const cmrk = 0x08 // chunk size indicator,
+// without this reader cannot calculate actual size of plaintext
+
+// additional data func, return value is used as AD in Seal and Open
+// nil AdFunc is harmless and equal to func()[]byte{return nil}
+type AdditionalFunc func() []byte
+
+type chunkReader struct {
+        aead  cipher.AEAD
+        csize int
+        rader io.Reader
+        buff  []byte
+        nonce []byte
+        adexe AdditionalFunc
+}
+
+type chunkWriter struct {
+        aead   cipher.AEAD
+        csize  int
+        writer io.Writer
+        buff   []byte
+        nonce  []byte
+        adexe  AdditionalFunc
+}
+
+// NewChunkReader returns a chunkReader data type, this reader reads and open() aead
+// ciphertext, each chunk has its own tag and cmrk value.
+// this reader has a chunk size in-memory buffer, large chunk size can make application to runs
+// out of memory, thus is most suitable for sliced data, like network data transmit and so..
+func NewChunkReader(r io.Reader, chnk int, a cipher.AEAD, nonce []byte, f AdditionalFunc) (*chunkReader, error) <span class="cov8" title="1">{
+
+        if len(nonce) != rabbitio.IVXLen &amp;&amp; len(nonce) != 0 </span><span class="cov0" title="0">{
+                return nil, rabbitio.ErrInvalidIVX
+        }</span>
+
+        <span class="cov8" title="1">s := &amp;chunkReader{
+                aead:  a,
+                buff:  []byte{},
+                nonce: make([]byte, len(nonce)),
+                csize: chnk,
+                rader: r,
+                adexe: f,
+        }
+
+        if s.adexe == nil </span><span class="cov8" title="1">{
+                s.adexe = func() []byte </span><span class="cov8" title="1">{ return nil }</span>
+        }
+        <span class="cov8" title="1">copy(s.nonce, nonce)
+        return s, nil</span>
+}
+
+// NewChunkWriter returns a chunkWriter data type, this writer sale() and write aead
+// plaintext, each chunk has its own tag and cmrk value.
+// this writer has a chunk size in-memory buffer, large chunk size can make application to
+// runs out of memory, thus is most suitable for sliced data, like network data transmit and so..
+func NewChunkWriter(w io.Writer, chnk int, a cipher.AEAD, nonce []byte, f AdditionalFunc) (*chunkWriter, error) <span class="cov8" title="1">{
+
+        if len(nonce) != rabbitio.IVXLen &amp;&amp; len(nonce) != 0 </span><span class="cov0" title="0">{
+                return nil, rabbitio.ErrInvalidIVX
+        }</span>
+        <span class="cov8" title="1">s := &amp;chunkWriter{
+                aead:   a,
+                buff:   []byte{},
+                nonce:  make([]byte, len(nonce)),
+                csize:  chnk,
+                writer: w,
+                adexe:  f,
+        }
+
+        if s.adexe == nil </span><span class="cov8" title="1">{
+                s.adexe = func() []byte </span><span class="cov8" title="1">{ return nil }</span>
+        }
+
+        <span class="cov8" title="1">copy(s.nonce, nonce)
+        return s, nil</span>
+}
+
+// Close method, if there is any
+func (w *chunkWriter) Close() error <span class="cov8" title="1">{
+        if c, ok := w.writer.(io.Closer); ok </span><span class="cov0" title="0">{
+                return c.Close()
+        }</span>
+        <span class="cov8" title="1">return nil</span>
+}
+
+// Write writes plaintext chunk into the sale() and underlying writer
+// write would not report overhead data (chunk size marker and poly1305 tag) in
+// written return value. for each chunk there is 8+16 byte overhead data.
+// AdFunc will be triggered for each chunk of data
+func (w *chunkWriter) Write(b []byte) (n int, err error) <span class="cov8" title="1">{
+        w.buff = b
+        for len(w.buff) &gt; 0 </span><span class="cov8" title="1">{
+                s, err := w.write()
+                if err != nil </span><span class="cov0" title="0">{
+                        return n, err
+                }</span>
+                <span class="cov8" title="1">n += s</span>
+        }
+        <span class="cov8" title="1">return</span>
+}
+
+func (w *chunkWriter) write() (int, error) <span class="cov8" title="1">{
+        size := cmrk + w.csize + w.aead.Overhead()
+        chnk := make([]byte, size)
+        var n int
+        var err error
+
+        if len(w.buff) &gt; 0 </span><span class="cov8" title="1">{
+                s := copy(chnk[cmrk:len(chnk)-w.aead.Overhead()], w.buff)
+                w.buff = w.buff[s:]
+                copy(chnk[0:cmrk], uint64Little(uint64(s)))
+
+                w.aead.Seal(chnk[:0], w.nonce, chnk[:cmrk+w.csize], w.adexe())
+                _, err = w.writer.Write(chnk)
+                if err != nil </span><span class="cov0" title="0">{
+                        return n, err
+                }</span>
+                <span class="cov8" title="1">n += s</span>
+        }
+
+        <span class="cov8" title="1">return n, err</span>
+}
+
+// Read reads and open() ciphertext chunk from underlying reader
+// read would not report overhead data (chunk size marker and poly1305 tag) in its
+// return value. if the read data from underlying reader is corrupted, ErrAuthMsg
+// error will be returned. for each chunk there is 8+16 byte overhead data.
+// AdFunc will be triggered for each chunk of data
+
+func (r *chunkReader) Read(b []byte) (int, error) <span class="cov8" title="1">{
+        if len(b) &lt;= r.csize </span><span class="cov0" title="0">{
+                return r.readTo(b)
+        }</span>
+        <span class="cov8" title="1">n := 0
+        for </span><span class="cov8" title="1">{
+                if n+r.csize &gt; len(b) </span><span class="cov8" title="1">{
+                        sr, err := r.readTo(b[n:])
+                        n += sr
+                        if err != nil </span><span class="cov8" title="1">{
+                                return n, err
+                        }</span>
+                        <span class="cov0" title="0">break</span>
+                }
+                <span class="cov8" title="1">sr, err := r.readTo(b[n : n+r.csize])
+                n += sr
+                if err != nil </span><span class="cov8" title="1">{
+                        return n, err
+                }</span>
+        }
+
+        <span class="cov0" title="0">return n, nil</span>
+}
+
+func (r *chunkReader) readTo(b []byte) (int, error) <span class="cov8" title="1">{
+        var n int
+        if len(r.buff) &gt; 0 </span><span class="cov0" title="0">{
+                n = copy(b, r.buff)
+                r.buff = r.buff[n:]
+                return n, nil
+        }</span>
+
+        <span class="cov8" title="1">sr, err := r.read()
+        n = copy(b, r.buff[:sr])
+        r.buff = r.buff[n:]
+        return n, err</span>
+}
+
+func (r *chunkReader) read() (int, error) <span class="cov8" title="1">{
+
+        var n int
+        size := cmrk + r.csize + r.aead.Overhead()
+        chnk := make([]byte, size)
+        chLE := uint64Little(uint64(r.csize))
+
+        si, err := io.ReadFull(r.rader, chnk)
+        if err != nil </span><span class="cov8" title="1">{
+                return n, err
+        }</span>
+
+        <span class="cov8" title="1">if si &gt; 0 </span><span class="cov8" title="1">{
+                _, err = r.aead.Open(chnk[:0], r.nonce, chnk, r.adexe())
+                if err != nil </span><span class="cov8" title="1">{
+                        return n, err
+                }</span>
+
+                <span class="cov8" title="1">if bytes.Equal(chnk[0:cmrk], chLE) </span><span class="cov8" title="1">{
+                        n += r.csize
+                        r.buff = append(r.buff, chnk[cmrk:cmrk+r.csize]...)
+                }</span> else<span class="cov0" title="0"> {
+                        f := binary.LittleEndian.Uint64(chnk[0:cmrk])
+                        n += int(f)
+                        r.buff = append(r.buff, chnk[cmrk:cmrk+f]...)
+                }</span>
+        }
+
+        <span class="cov8" title="1">return n, err</span>
+}
+
+func uint64Little(n uint64) []byte <span class="cov8" title="1">{
+        b := make([]byte, cmrk)
+        binary.LittleEndian.PutUint64(b, n)
+        return b
+}</span>
+</pre>
+		
+		<pre class="file" id="file1" style="display: none">package rabaead
+
+import (
+        "crypto/cipher"
+        "errors"
+
+        "snix.ir/poly1305"
+        "snix.ir/rabbitio"
+)
+
+const polykeylen = 0x20 // poly1305 key len: 32byte
+
+var ErrAuthMsg = errors.New("rabaead: message authentication failed")
+var erroverlap = errors.New("rabaead: invalid buffer memory overlap")
+
+type rabbitPoly1305 struct {
+        key       []byte // rabbit cipher key
+        noncesize int    // rabbit iv size
+}
+
+// NewAEAD returns a rabbit aead data-type
+// key must be 16 byte len
+func NewAEAD(key []byte) (cipher.AEAD, error) <span class="cov8" title="1">{ return newRabbitAead(key) }</span>
+
+func newRabbitAead(key []byte) (cipher.AEAD, error) <span class="cov8" title="1">{
+        if len(key) != rabbitio.KeyLen </span><span class="cov0" title="0">{
+                return nil, rabbitio.ErrInvalidKey
+        }</span>
+
+        <span class="cov8" title="1">rabbitAead := &amp;rabbitPoly1305{
+                noncesize: rabbitio.IVXLen,
+                key:       make([]byte, rabbitio.KeyLen),
+        }
+        copy(rabbitAead.key[:], key)
+        return rabbitAead, nil</span>
+
+}
+
+// Overhead returns poly1305 tag size: 16byte
+func (c *rabbitPoly1305) Overhead() int <span class="cov8" title="1">{ return poly1305.TagSize }</span>
+
+// NonceSize returns rabbit iv len: 8byte
+func (c *rabbitPoly1305) NonceSize() int <span class="cov0" title="0">{ return c.noncesize }</span>
+
+func (c *rabbitPoly1305) sealRabbit(dst, nonce, plaintext, ad []byte) []byte <span class="cov8" title="1">{
+        ret, out := headtail(dst, len(plaintext)+poly1305.TagSize)
+        ciphertext, tag := out[:len(plaintext)], out[len(plaintext):]
+        if inexactOverlap(out, plaintext) </span><span class="cov0" title="0">{
+                panic(erroverlap)</span> //should never happen
+        }
+
+        <span class="cov8" title="1">var polyKey [polykeylen]byte
+        s, err := rabbitio.NewCipher(c.key, nonce)
+        if err != nil </span><span class="cov0" title="0">{
+                panic(err)</span>
+        }
+        <span class="cov8" title="1">s.XORKeyStream(polyKey[:], polyKey[:])
+        p := poly1305.New(&amp;polyKey)
+        writePadding(p, ad)
+
+        s, err = rabbitio.NewCipher(c.key, nonce)
+        if err != nil </span><span class="cov0" title="0">{
+                panic(err)</span>
+        }
+        <span class="cov8" title="1">s.XORKeyStream(ciphertext, plaintext)
+
+        writePadding(p, ciphertext)
+
+        writeUint64(p, len(ad))
+        writeUint64(p, len(plaintext))
+        p.Sum(tag[:0x00])
+
+        return ret</span>
+}
+
+func (c *rabbitPoly1305) openRabbit(dst, nonce, ciphertext, ad []byte) ([]byte, error) <span class="cov8" title="1">{
+        tag := ciphertext[len(ciphertext)-poly1305.TagSize:]
+        ciphertext = ciphertext[:len(ciphertext)-poly1305.TagSize]
+
+        var polyKey [polykeylen]byte
+        s, err := rabbitio.NewCipher(c.key, nonce)
+        if err != nil </span><span class="cov0" title="0">{
+                panic(err)</span>
+        }
+        <span class="cov8" title="1">s.XORKeyStream(polyKey[:], polyKey[:])
+
+        p := poly1305.New(&amp;polyKey)
+        writePadding(p, ad)
+        writePadding(p, ciphertext)
+
+        writeUint64(p, len(ad))
+        writeUint64(p, len(ciphertext))
+
+        ret, out := headtail(dst, len(ciphertext))
+        if inexactOverlap(out, ciphertext) </span><span class="cov0" title="0">{
+                panic(erroverlap)</span> //should never happen
+        }
+
+        // check data integrity
+        <span class="cov8" title="1">if !p.Verify(tag) </span><span class="cov8" title="1">{
+                return nil, ErrAuthMsg
+        }</span>
+
+        <span class="cov8" title="1">s, err = rabbitio.NewCipher(c.key, nonce)
+        if err != nil </span><span class="cov0" title="0">{
+                panic(err)</span>
+        }
+        <span class="cov8" title="1">s.XORKeyStream(out, ciphertext)
+        return ret, nil</span>
+}
+
+// Open opens a rabbit aead ciphertext.
+// panic occurs if nonce len is not equal to IVXLen (8byte) or zero
+// if data is not verified, ErrAuthMsg will be returned
+func (c *rabbitPoly1305) Open(dst, nonce, ciphertext, ad []byte) ([]byte, error) <span class="cov8" title="1">{
+
+        if len(ciphertext) &lt; poly1305.TagSize </span><span class="cov0" title="0">{
+                return nil, ErrAuthMsg
+        }</span>
+
+        <span class="cov8" title="1">return c.openRabbit(dst, nonce, ciphertext, ad)</span>
+}
+
+// Seal seals a plaintext into the rabbit aead ciphertext.
+// panic occurs if nonce len is not equal to IVXLen (8byte) or zero
+func (c *rabbitPoly1305) Seal(dst, nonce, plaintext, ad []byte) []byte <span class="cov8" title="1">{
+        return c.sealRabbit(dst, nonce, plaintext, ad)
+}</span>
+</pre>
+		
+		<pre class="file" id="file2" style="display: none">//go:build !appengine
+
+package rabaead
+
+import "unsafe"
+
+func anyOverlap(x, y []byte) bool <span class="cov8" title="1">{
+        return len(x) &gt; 0 &amp;&amp; len(y) &gt; 0 &amp;&amp;
+                uintptr(unsafe.Pointer(&amp;x[0])) &lt;= uintptr(unsafe.Pointer(&amp;y[len(y)-1])) &amp;&amp;
+                uintptr(unsafe.Pointer(&amp;y[0])) &lt;= uintptr(unsafe.Pointer(&amp;x[len(x)-1]))
+}</span>
+
+func inexactOverlap(x, y []byte) bool <span class="cov8" title="1">{
+        if len(x) == 0 || len(y) == 0 || &amp;x[0] == &amp;y[0] </span><span class="cov8" title="1">{
+                return false
+        }</span>
+        <span class="cov8" title="1">return anyOverlap(x, y)</span>
+}
+</pre>
+		
+		<pre class="file" id="file3" style="display: none">package rabaead
+
+import (
+        "encoding/binary"
+
+        "snix.ir/poly1305"
+)
+
+func headtail(in []byte, n int) (head, tail []byte) <span class="cov8" title="1">{
+        total := len(in) + n
+
+        if cap(in) &gt;= total </span><span class="cov8" title="1">{
+                head = in[:total]
+        }</span> else<span class="cov8" title="1"> {
+                head = make([]byte, total)
+                copy(head, in)
+        }</span>
+        <span class="cov8" title="1">tail = head[len(in):]
+        return</span>
+}
+
+func writePadding(p *poly1305.MAC, b []byte) <span class="cov8" title="1">{
+        p.Write(b)
+        if rem := len(b) % 16; rem != 0 </span><span class="cov8" title="1">{
+                var buf [16]byte
+                padLen := 16 - rem
+                p.Write(buf[:padLen])
+        }</span>
+}
+
+func writeUint64(p *poly1305.MAC, n int) <span class="cov8" title="1">{
+        var buf [8]byte
+        binary.LittleEndian.PutUint64(buf[:], uint64(n))
+        p.Write(buf[:])
+}</span>
+</pre>
+		
+		<pre class="file" id="file4" style="display: none">package rabaead
+
+import (
+        "crypto/cipher"
+        "errors"
+        "io"
+
+        "snix.ir/poly1305"
+        "snix.ir/rabbitio"
+)
+
+type streamReader struct {
+        ie        *ioaead
+        cip       cipher.Stream
+        firstRead bool
+        nwr       int
+        read      io.Reader
+        buff      []byte
+        temp      []byte
+        tagc      []byte
+}
+
+type ioaead struct {
+        key            []byte // rabbit cipher key
+        nonce          []byte
+        poly           *poly1305.MAC
+        adlen          int
+        additionalData AdditionalFunc
+}
+
+type streamWriter struct {
+        ie          *ioaead
+        writer      io.Writer
+        plainWriter io.Writer
+        nwr         int
+        firstWrite  bool
+}
+
+var errunderio = errors.New("underlying io reader returns wrong read value, which is not supposed to happen")
+
+func makeioaead(key, iv []byte, adfunc AdditionalFunc) *ioaead <span class="cov8" title="1">{
+        if adfunc == nil </span><span class="cov8" title="1">{
+                adfunc = func() []byte </span><span class="cov8" title="1">{ return nil }</span>
+        }
+        <span class="cov8" title="1">str := &amp;ioaead{
+                key:   make([]byte, rabbitio.KeyLen),
+                nonce: make([]byte, len(iv)),
+        }
+
+        str.additionalData = adfunc
+        copy(str.key, key)
+        copy(str.nonce, iv)
+        var poly [polykeylen]byte
+        cph, _ := rabbitio.NewCipher(str.key, str.nonce)
+        cph.XORKeyStream(poly[:], poly[:])
+        str.poly = poly1305.New(&amp;poly)
+        return str</span>
+}
+
+func (s *ioaead) execAdFunc() <span class="cov8" title="1">{
+        additionalData := s.additionalData()
+        s.adlen = len(additionalData)
+        writePadding(s.poly, additionalData)
+}</span>
+
+func newCipherReader(r io.Reader, key, nonce []byte, f AdditionalFunc) (*streamReader, error) <span class="cov8" title="1">{
+        if len(key) != rabbitio.KeyLen </span><span class="cov0" title="0">{
+                return nil, rabbitio.ErrInvalidKey
+        }</span>
+
+        <span class="cov8" title="1">if len(nonce) != rabbitio.IVXLen &amp;&amp; len(nonce) != 0 </span><span class="cov0" title="0">{
+                return nil, rabbitio.ErrInvalidIVX
+        }</span>
+
+        <span class="cov8" title="1">v := &amp;streamReader{
+                ie:   makeioaead(key, nonce, f),
+                read: r,
+                buff: []byte{},
+                tagc: make([]byte, 16),
+                temp: make([]byte, 16),
+        }
+
+        v.cip, _ = rabbitio.NewCipher(v.ie.key, v.ie.nonce)
+        return v, nil</span>
+}
+
+// NewStreamReader returns streamReader data type, this reader open() and read aead
+// ciphertext which have 16-byte poly1305 tag overhead.
+// read data cannot be authenticated until underlying reader returns EOF
+// so you should use this reader only if you can undo your read.
+// AdFunc will be triggered at first call to read method
+func NewStreamReader(r io.Reader, key, nonce []byte, f AdditionalFunc) (*streamReader, error) <span class="cov8" title="1">{
+        return newCipherReader(r, key, nonce, f)
+}</span>
+
+// NewStreamWriter returns streamWriter data type, this writer sale() and write aead
+// plaintext which have 16-byte poly1305 tag overhead, running Close() is necessary
+// in order to calculate and write tag at the end of the write.
+// AdFunc will be triggered at first call to write method
+func NewStreamWriter(w io.Writer, key, nonce []byte, f AdditionalFunc) (*streamWriter, error) <span class="cov8" title="1">{
+        return newChipherWriter(w, key, nonce, f)
+}</span>
+
+func newChipherWriter(w io.Writer, key, nonce []byte, f AdditionalFunc) (*streamWriter, error) <span class="cov8" title="1">{
+        if len(key) != rabbitio.KeyLen </span><span class="cov0" title="0">{
+                return nil, rabbitio.ErrInvalidKey
+        }</span>
+        <span class="cov8" title="1">if len(nonce) != rabbitio.IVXLen &amp;&amp; len(nonce) != 0 </span><span class="cov0" title="0">{
+                return nil, rabbitio.ErrInvalidIVX
+        }</span>
+        <span class="cov8" title="1">v := &amp;streamWriter{
+                ie:          makeioaead(key, nonce, f),
+                plainWriter: w,
+        }
+
+        v.writer, _ = rabbitio.NewWriterCipher(
+                v.ie.key, v.ie.nonce,
+                io.MultiWriter(w, v.ie.poly),
+        )
+
+        return v, nil</span>
+}
+
+func (r *streamReader) readTo(b []byte) (int, error) <span class="cov8" title="1">{
+        var n int
+        if len(r.buff) &gt; 0 </span><span class="cov8" title="1">{
+                return r.copyBuff(b), nil
+        }</span>
+
+        <span class="cov8" title="1">sr, err := r.readBuff()
+        if err != nil </span><span class="cov8" title="1">{
+                if err == io.EOF </span><span class="cov8" title="1">{
+                        n = r.copyUntil(b, sr)
+                        return n, r.verify()
+                }</span>
+                <span class="cov8" title="1">return n, err</span>
+        }
+        <span class="cov8" title="1">return r.copyUntil(b, sr), err</span>
+}
+
+// Read reads and open ciphertext.
+// read data is unreliable until underlying reader returns EOF
+// after that Read return EOF or ErrAuthMsg if integrity of data has been compromised.
+// in such a case, you need to unread data. a simple demonstration would be to delete
+// or truncate the file if ErrAuthMsg is returned
+func (r *streamReader) Read(b []byte) (int, error) <span class="cov8" title="1">{
+        if len(b) &lt;= 16 </span><span class="cov8" title="1">{
+                return r.readTo(b)
+        }</span>
+        <span class="cov8" title="1">n := 0
+        for </span><span class="cov8" title="1">{
+                if n+16 &gt; len(b) </span><span class="cov8" title="1">{
+                        sr, err := r.readTo(b[n:])
+                        n += sr
+                        if err != nil </span><span class="cov8" title="1">{
+                                return n, err
+                        }</span>
+                        <span class="cov0" title="0">break</span>
+                }
+
+                <span class="cov8" title="1">sr, err := r.readTo(b[n : n+16])
+                n += sr
+                if err != nil </span><span class="cov8" title="1">{
+                        return n, err
+                }</span>
+        }
+        <span class="cov0" title="0">return n, nil</span>
+}
+
+func (r *streamReader) verify() error <span class="cov8" title="1">{
+        r.ie.ioPaddingTo(r.nwr)
+        if r.ie.poly.Verify(r.tagc) </span><span class="cov8" title="1">{
+                return io.EOF
+        }</span>
+        <span class="cov8" title="1">return ErrAuthMsg</span>
+}
+
+func (r *streamReader) copyUntil(b []byte, sr int) int <span class="cov8" title="1">{
+        n := copy(b, r.buff[:sr])
+        r.buff = r.buff[n:]
+        r.nwr += n
+        return n
+}</span>
+
+func (r *streamReader) copyBuff(b []byte) int <span class="cov8" title="1">{
+        n := copy(b, r.buff)
+        r.buff = r.buff[n:]
+        r.nwr += n
+        return n
+}</span>
+
+func (r *streamReader) readBuff() (int, error) <span class="cov8" title="1">{
+        if !r.firstRead </span><span class="cov8" title="1">{
+                r.ie.execAdFunc()
+                _, err := io.ReadFull(r.read, r.temp)
+                if err != nil </span><span class="cov8" title="1">{
+                        return 0, err
+                }</span>
+                <span class="cov8" title="1">r.firstRead = true</span>
+        }
+
+        <span class="cov8" title="1">var buff = make([]byte, 16)
+        n, err := r.read.Read(buff)
+        if err != nil </span><span class="cov8" title="1">{
+                return 0, err
+        }</span>
+        <span class="cov8" title="1">if n &gt; len(buff) </span><span class="cov0" title="0">{
+                return 0, errunderio
+        }</span>
+
+        <span class="cov8" title="1">copy(r.tagc, append(r.temp[n:], buff[:n]...))
+        r.buff = append(r.buff, r.temp[:n]...)
+        r.buffAndXor()
+
+        if n &lt; 16 </span><span class="cov8" title="1">{
+                return n, err
+        }</span>
+
+        <span class="cov8" title="1">copy(r.temp, buff)
+        return n, err</span>
+}
+
+func (r *streamReader) buffAndXor() <span class="cov8" title="1">{
+        r.ie.poly.Write(r.buff)
+        r.cip.XORKeyStream(r.buff, r.buff)
+}</span>
+
+// Write writes plaintext data, in order to calculate and write tag
+// at the end of the write, running Close() is necessary
+func (w *streamWriter) Write(b []byte) (int, error) <span class="cov8" title="1">{
+        if !w.firstWrite </span><span class="cov8" title="1">{
+                w.ie.execAdFunc()
+                w.firstWrite = true
+        }</span>
+        <span class="cov8" title="1">n, err := w.writer.Write(b)
+        if err != nil </span><span class="cov0" title="0">{
+                return n, err
+        }</span>
+
+        <span class="cov8" title="1">w.nwr += n
+        return n, err</span>
+}
+
+func (p *ioaead) ioPaddingTo(nb int) <span class="cov8" title="1">{
+        if rem := nb % 16; rem != 0 </span><span class="cov8" title="1">{
+                var buf [16]byte
+                padLen := 16 - rem
+                p.poly.Write(buf[:padLen])
+        }</span>
+
+        <span class="cov8" title="1">writeUint64(p.poly, p.adlen)
+        writeUint64(p.poly, nb)</span>
+}
+
+// Close calculate and write poly1305 tag before closing the writer
+// if underlying writer does not have a Close() method, Close only
+// calculate and write poly1305 tag
+func (w *streamWriter) Close() error <span class="cov8" title="1">{
+        w.ie.ioPaddingTo(w.nwr)
+        if _, err := w.plainWriter.Write(w.ie.poly.Sum(nil)); err != nil </span><span class="cov0" title="0">{
+                return err
+        }</span>
+
+        <span class="cov8" title="1">if c, ok := w.plainWriter.(io.Closer); ok </span><span class="cov0" title="0">{
+                return c.Close()
+        }</span>
+        <span class="cov8" title="1">return nil</span>
+}
+</pre>
+		
+		</div>
+	</body>
+	<script>
+	(function() {
+		var files = document.getElementById('files');
+		var visible;
+		files.addEventListener('change', onChange, false);
+		function select(part) {
+			if (visible)
+				visible.style.display = 'none';
+			visible = document.getElementById(part);
+			if (!visible)
+				return;
+			files.value = part;
+			visible.style.display = 'block';
+			location.hash = part;
+		}
+		function onChange() {
+			select(files.value);
+			window.scrollTo(0, 0);
+		}
+		if (location.hash != "") {
+			select(location.hash.substr(1));
+		}
+		if (!visible) {
+			select("file0");
+		}
+	})();
+	</script>
+</html>
diff --git a/cover.out b/cover.out
new file mode 100644
index 0000000..f6440de
--- /dev/null
+++ b/cover.out
@@ -0,0 +1,150 @@
+mode: set
+snix.ir/rabaead/chunk.go:41.113,43.54 1 1
+snix.ir/rabaead/chunk.go:47.2,56.20 2 1
+snix.ir/rabaead/chunk.go:59.2,60.15 2 1
+snix.ir/rabaead/chunk.go:43.54,45.3 1 0
+snix.ir/rabaead/chunk.go:56.20,57.27 1 1
+snix.ir/rabaead/chunk.go:57.27,57.41 1 1
+snix.ir/rabaead/chunk.go:67.113,69.54 1 1
+snix.ir/rabaead/chunk.go:72.2,81.20 2 1
+snix.ir/rabaead/chunk.go:85.2,86.15 2 1
+snix.ir/rabaead/chunk.go:69.54,71.3 1 0
+snix.ir/rabaead/chunk.go:81.20,82.27 1 1
+snix.ir/rabaead/chunk.go:82.27,82.41 1 1
+snix.ir/rabaead/chunk.go:90.37,91.39 1 1
+snix.ir/rabaead/chunk.go:94.2,94.12 1 1
+snix.ir/rabaead/chunk.go:91.39,93.3 1 0
+snix.ir/rabaead/chunk.go:101.58,103.22 2 1
+snix.ir/rabaead/chunk.go:110.2,110.8 1 1
+snix.ir/rabaead/chunk.go:103.22,105.17 2 1
+snix.ir/rabaead/chunk.go:108.3,108.9 1 1
+snix.ir/rabaead/chunk.go:105.17,107.4 1 0
+snix.ir/rabaead/chunk.go:113.44,119.21 5 1
+snix.ir/rabaead/chunk.go:132.2,132.15 1 1
+snix.ir/rabaead/chunk.go:119.21,126.17 6 1
+snix.ir/rabaead/chunk.go:129.3,129.9 1 1
+snix.ir/rabaead/chunk.go:126.17,128.4 1 0
+snix.ir/rabaead/chunk.go:141.51,142.23 1 1
+snix.ir/rabaead/chunk.go:145.2,146.6 2 1
+snix.ir/rabaead/chunk.go:162.2,162.15 1 0
+snix.ir/rabaead/chunk.go:142.23,144.3 1 0
+snix.ir/rabaead/chunk.go:146.6,147.25 1 1
+snix.ir/rabaead/chunk.go:155.3,157.17 3 1
+snix.ir/rabaead/chunk.go:147.25,150.18 3 1
+snix.ir/rabaead/chunk.go:153.4,153.9 1 0
+snix.ir/rabaead/chunk.go:150.18,152.5 1 1
+snix.ir/rabaead/chunk.go:157.17,159.4 1 1
+snix.ir/rabaead/chunk.go:165.53,167.21 2 1
+snix.ir/rabaead/chunk.go:173.2,176.15 4 1
+snix.ir/rabaead/chunk.go:167.21,171.3 3 0
+snix.ir/rabaead/chunk.go:179.43,187.16 6 1
+snix.ir/rabaead/chunk.go:191.2,191.12 1 1
+snix.ir/rabaead/chunk.go:207.2,207.15 1 1
+snix.ir/rabaead/chunk.go:187.16,189.3 1 1
+snix.ir/rabaead/chunk.go:191.12,193.17 2 1
+snix.ir/rabaead/chunk.go:197.3,197.38 1 1
+snix.ir/rabaead/chunk.go:193.17,195.4 1 1
+snix.ir/rabaead/chunk.go:197.38,200.4 2 1
+snix.ir/rabaead/chunk.go:200.9,204.4 3 0
+snix.ir/rabaead/chunk.go:210.36,214.2 3 1
+snix.ir/rabaead/cipher.go:23.47,23.76 1 1
+snix.ir/rabaead/cipher.go:25.53,26.33 1 1
+snix.ir/rabaead/cipher.go:30.2,35.24 3 1
+snix.ir/rabaead/cipher.go:26.33,28.3 1 0
+snix.ir/rabaead/cipher.go:40.41,40.68 1 1
+snix.ir/rabaead/cipher.go:43.42,43.64 1 0
+snix.ir/rabaead/cipher.go:45.78,48.36 3 1
+snix.ir/rabaead/cipher.go:52.2,54.16 3 1
+snix.ir/rabaead/cipher.go:57.2,62.16 5 1
+snix.ir/rabaead/cipher.go:65.2,73.12 6 1
+snix.ir/rabaead/cipher.go:48.36,49.20 1 0
+snix.ir/rabaead/cipher.go:54.16,55.13 1 0
+snix.ir/rabaead/cipher.go:62.16,63.13 1 0
+snix.ir/rabaead/cipher.go:76.88,82.16 5 1
+snix.ir/rabaead/cipher.go:85.2,95.37 8 1
+snix.ir/rabaead/cipher.go:100.2,100.20 1 1
+snix.ir/rabaead/cipher.go:104.2,105.16 2 1
+snix.ir/rabaead/cipher.go:108.2,109.17 2 1
+snix.ir/rabaead/cipher.go:82.16,83.13 1 0
+snix.ir/rabaead/cipher.go:95.37,96.20 1 0
+snix.ir/rabaead/cipher.go:100.20,102.3 1 1
+snix.ir/rabaead/cipher.go:105.16,106.13 1 0
+snix.ir/rabaead/cipher.go:115.82,117.40 1 1
+snix.ir/rabaead/cipher.go:121.2,121.49 1 1
+snix.ir/rabaead/cipher.go:117.40,119.3 1 0
+snix.ir/rabaead/cipher.go:126.72,128.2 1 1
+snix.ir/rabaead/genlap.go:7.35,11.2 1 1
+snix.ir/rabaead/genlap.go:13.39,14.50 1 1
+snix.ir/rabaead/genlap.go:17.2,17.25 1 1
+snix.ir/rabaead/genlap.go:14.50,16.3 1 1
+snix.ir/rabaead/helper.go:9.53,12.22 2 1
+snix.ir/rabaead/helper.go:18.2,19.8 2 1
+snix.ir/rabaead/helper.go:12.22,14.3 1 1
+snix.ir/rabaead/helper.go:14.8,17.3 2 1
+snix.ir/rabaead/helper.go:22.46,24.34 2 1
+snix.ir/rabaead/helper.go:24.34,28.3 3 1
+snix.ir/rabaead/helper.go:31.42,35.2 3 1
+snix.ir/rabaead/ioaead.go:41.64,42.19 1 1
+snix.ir/rabaead/ioaead.go:45.2,57.12 9 1
+snix.ir/rabaead/ioaead.go:42.19,43.26 1 1
+snix.ir/rabaead/ioaead.go:43.26,43.40 1 1
+snix.ir/rabaead/ioaead.go:60.31,64.2 3 1
+snix.ir/rabaead/ioaead.go:66.95,67.33 1 1
+snix.ir/rabaead/ioaead.go:71.2,71.54 1 1
+snix.ir/rabaead/ioaead.go:75.2,84.15 3 1
+snix.ir/rabaead/ioaead.go:67.33,69.3 1 0
+snix.ir/rabaead/ioaead.go:71.54,73.3 1 0
+snix.ir/rabaead/ioaead.go:92.95,94.2 1 1
+snix.ir/rabaead/ioaead.go:100.95,102.2 1 1
+snix.ir/rabaead/ioaead.go:104.96,105.33 1 1
+snix.ir/rabaead/ioaead.go:108.2,108.54 1 1
+snix.ir/rabaead/ioaead.go:111.2,121.15 3 1
+snix.ir/rabaead/ioaead.go:105.33,107.3 1 0
+snix.ir/rabaead/ioaead.go:108.54,110.3 1 0
+snix.ir/rabaead/ioaead.go:124.54,126.21 2 1
+snix.ir/rabaead/ioaead.go:130.2,131.16 2 1
+snix.ir/rabaead/ioaead.go:138.2,138.32 1 1
+snix.ir/rabaead/ioaead.go:126.21,128.3 1 1
+snix.ir/rabaead/ioaead.go:131.16,132.20 1 1
+snix.ir/rabaead/ioaead.go:136.3,136.16 1 1
+snix.ir/rabaead/ioaead.go:132.20,135.4 2 1
+snix.ir/rabaead/ioaead.go:146.52,147.18 1 1
+snix.ir/rabaead/ioaead.go:150.2,151.6 2 1
+snix.ir/rabaead/ioaead.go:167.2,167.15 1 0
+snix.ir/rabaead/ioaead.go:147.18,149.3 1 1
+snix.ir/rabaead/ioaead.go:151.6,152.20 1 1
+snix.ir/rabaead/ioaead.go:161.3,163.17 3 1
+snix.ir/rabaead/ioaead.go:152.20,155.18 3 1
+snix.ir/rabaead/ioaead.go:158.4,158.9 1 0
+snix.ir/rabaead/ioaead.go:155.18,157.5 1 1
+snix.ir/rabaead/ioaead.go:163.17,165.4 1 1
+snix.ir/rabaead/ioaead.go:170.39,172.30 2 1
+snix.ir/rabaead/ioaead.go:175.2,175.19 1 1
+snix.ir/rabaead/ioaead.go:172.30,174.3 1 1
+snix.ir/rabaead/ioaead.go:178.56,183.2 4 1
+snix.ir/rabaead/ioaead.go:185.47,190.2 4 1
+snix.ir/rabaead/ioaead.go:192.48,193.18 1 1
+snix.ir/rabaead/ioaead.go:202.2,204.16 3 1
+snix.ir/rabaead/ioaead.go:207.2,207.19 1 1
+snix.ir/rabaead/ioaead.go:211.2,215.12 4 1
+snix.ir/rabaead/ioaead.go:219.2,220.15 2 1
+snix.ir/rabaead/ioaead.go:193.18,196.17 3 1
+snix.ir/rabaead/ioaead.go:199.3,199.21 1 1
+snix.ir/rabaead/ioaead.go:196.17,198.4 1 1
+snix.ir/rabaead/ioaead.go:204.16,206.3 1 1
+snix.ir/rabaead/ioaead.go:207.19,209.3 1 0
+snix.ir/rabaead/ioaead.go:215.12,217.3 1 1
+snix.ir/rabaead/ioaead.go:223.37,226.2 2 1
+snix.ir/rabaead/ioaead.go:230.53,231.19 1 1
+snix.ir/rabaead/ioaead.go:235.2,236.16 2 1
+snix.ir/rabaead/ioaead.go:240.2,241.15 2 1
+snix.ir/rabaead/ioaead.go:231.19,234.3 2 1
+snix.ir/rabaead/ioaead.go:236.16,238.3 1 0
+snix.ir/rabaead/ioaead.go:244.38,245.30 1 1
+snix.ir/rabaead/ioaead.go:251.2,252.25 2 1
+snix.ir/rabaead/ioaead.go:245.30,249.3 3 1
+snix.ir/rabaead/ioaead.go:258.38,260.67 2 1
+snix.ir/rabaead/ioaead.go:264.2,264.44 1 1
+snix.ir/rabaead/ioaead.go:267.2,267.12 1 1
+snix.ir/rabaead/ioaead.go:260.67,262.3 1 0
+snix.ir/rabaead/ioaead.go:264.44,266.3 1 0
diff --git a/genlap.go b/genlap.go
new file mode 100644
index 0000000..504db74
--- /dev/null
+++ b/genlap.go
@@ -0,0 +1,18 @@
+//go:build !appengine
+
+package rabaead
+
+import "unsafe"
+
+func anyOverlap(x, y []byte) bool {
+	return len(x) > 0 && len(y) > 0 &&
+		uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) &&
+		uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1]))
+}
+
+func inexactOverlap(x, y []byte) bool {
+	if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
+		return false
+	}
+	return anyOverlap(x, y)
+}
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..c807ff8
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,10 @@
+module snix.ir/rabaead
+
+go 1.18
+
+require (
+	snix.ir/poly1305 v0.0.0-20220719044737-9f1e98a8a5d8
+	snix.ir/rabbitio v0.0.0-20220720161359-bf1137c58b86
+)
+
+require golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..b05e1db
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,6 @@
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+snix.ir/poly1305 v0.0.0-20220719044737-9f1e98a8a5d8 h1:egIwvsVfusXetoYK/0/EuN0CIAwWuGD3sW78uNYd5os=
+snix.ir/poly1305 v0.0.0-20220719044737-9f1e98a8a5d8/go.mod h1:nSQEHcviNRcTPNlIAdrU8bm8BRwlKLgOi2NYH78kevY=
+snix.ir/rabbitio v0.0.0-20220720161359-bf1137c58b86 h1:0iTN5g6vzQi2eOYn96vUYGpQfRROkkCNRQvZ4fouKR0=
+snix.ir/rabbitio v0.0.0-20220720161359-bf1137c58b86/go.mod h1:fGdJrOtVK0uqEI8x6SBI/NPAAQmtQi/4sjwQPShasEA=
diff --git a/helper.go b/helper.go
new file mode 100644
index 0000000..8fc8ccb
--- /dev/null
+++ b/helper.go
@@ -0,0 +1,35 @@
+package rabaead
+
+import (
+	"encoding/binary"
+
+	"snix.ir/poly1305"
+)
+
+func headtail(in []byte, n int) (head, tail []byte) {
+	total := len(in) + n
+
+	if cap(in) >= total {
+		head = in[:total]
+	} else {
+		head = make([]byte, total)
+		copy(head, in)
+	}
+	tail = head[len(in):]
+	return
+}
+
+func writePadding(p *poly1305.MAC, b []byte) {
+	p.Write(b)
+	if rem := len(b) % 16; rem != 0 {
+		var buf [16]byte
+		padLen := 16 - rem
+		p.Write(buf[:padLen])
+	}
+}
+
+func writeUint64(p *poly1305.MAC, n int) {
+	var buf [8]byte
+	binary.LittleEndian.PutUint64(buf[:], uint64(n))
+	p.Write(buf[:])
+}
diff --git a/ioaead.go b/ioaead.go
new file mode 100644
index 0000000..773f641
--- /dev/null
+++ b/ioaead.go
@@ -0,0 +1,268 @@
+package rabaead
+
+import (
+	"crypto/cipher"
+	"errors"
+	"io"
+
+	"snix.ir/poly1305"
+	"snix.ir/rabbitio"
+)
+
+type streamReader struct {
+	ie        *ioaead
+	cip       cipher.Stream
+	firstRead bool
+	nwr       int
+	read      io.Reader
+	buff      []byte
+	temp      []byte
+	tagc      []byte
+}
+
+type ioaead struct {
+	key            []byte // rabbit cipher key
+	nonce          []byte
+	poly           *poly1305.MAC
+	adlen          int
+	additionalData AdditionalFunc
+}
+
+type streamWriter struct {
+	ie          *ioaead
+	writer      io.Writer
+	plainWriter io.Writer
+	nwr         int
+	firstWrite  bool
+}
+
+var errunderio = errors.New("underlying io reader returns wrong read value, which is not supposed to happen")
+
+func makeioaead(key, iv []byte, adfunc AdditionalFunc) *ioaead {
+	if adfunc == nil {
+		adfunc = func() []byte { return nil }
+	}
+	str := &ioaead{
+		key:   make([]byte, rabbitio.KeyLen),
+		nonce: make([]byte, len(iv)),
+	}
+
+	str.additionalData = adfunc
+	copy(str.key, key)
+	copy(str.nonce, iv)
+	var poly [polykeylen]byte
+	cph, _ := rabbitio.NewCipher(str.key, str.nonce)
+	cph.XORKeyStream(poly[:], poly[:])
+	str.poly = poly1305.New(&poly)
+	return str
+}
+
+func (s *ioaead) execAdFunc() {
+	additionalData := s.additionalData()
+	s.adlen = len(additionalData)
+	writePadding(s.poly, additionalData)
+}
+
+func newCipherReader(r io.Reader, key, nonce []byte, f AdditionalFunc) (*streamReader, error) {
+	if len(key) != rabbitio.KeyLen {
+		return nil, rabbitio.ErrInvalidKey
+	}
+
+	if len(nonce) != rabbitio.IVXLen && len(nonce) != 0 {
+		return nil, rabbitio.ErrInvalidIVX
+	}
+
+	v := &streamReader{
+		ie:   makeioaead(key, nonce, f),
+		read: r,
+		buff: []byte{},
+		tagc: make([]byte, 16),
+		temp: make([]byte, 16),
+	}
+
+	v.cip, _ = rabbitio.NewCipher(v.ie.key, v.ie.nonce)
+	return v, nil
+}
+
+// NewStreamReader returns streamReader data type, this reader open() and read aead
+// ciphertext which have 16-byte poly1305 tag overhead.
+// read data cannot be authenticated until underlying reader returns EOF
+// so you should use this reader only if you can undo your read.
+// AdFunc will be triggered at first call to read method
+func NewStreamReader(r io.Reader, key, nonce []byte, f AdditionalFunc) (*streamReader, error) {
+	return newCipherReader(r, key, nonce, f)
+}
+
+// NewStreamWriter returns streamWriter data type, this writer sale() and write aead
+// plaintext which have 16-byte poly1305 tag overhead, running Close() is necessary
+// in order to calculate and write tag at the end of the write.
+// AdFunc will be triggered at first call to write method
+func NewStreamWriter(w io.Writer, key, nonce []byte, f AdditionalFunc) (*streamWriter, error) {
+	return newChipherWriter(w, key, nonce, f)
+}
+
+func newChipherWriter(w io.Writer, key, nonce []byte, f AdditionalFunc) (*streamWriter, error) {
+	if len(key) != rabbitio.KeyLen {
+		return nil, rabbitio.ErrInvalidKey
+	}
+	if len(nonce) != rabbitio.IVXLen && len(nonce) != 0 {
+		return nil, rabbitio.ErrInvalidIVX
+	}
+	v := &streamWriter{
+		ie:          makeioaead(key, nonce, f),
+		plainWriter: w,
+	}
+
+	v.writer, _ = rabbitio.NewWriterCipher(
+		v.ie.key, v.ie.nonce,
+		io.MultiWriter(w, v.ie.poly),
+	)
+
+	return v, nil
+}
+
+func (r *streamReader) readTo(b []byte) (int, error) {
+	var n int
+	if len(r.buff) > 0 {
+		return r.copyBuff(b), nil
+	}
+
+	sr, err := r.readBuff()
+	if err != nil {
+		if err == io.EOF {
+			n = r.copyUntil(b, sr)
+			return n, r.verify()
+		}
+		return n, err
+	}
+	return r.copyUntil(b, sr), err
+}
+
+// Read reads and open ciphertext.
+// read data is unreliable until underlying reader returns EOF
+// after that Read return EOF or ErrAuthMsg if integrity of data has been compromised.
+// in such a case, you need to unread data. a simple demonstration would be to delete
+// or truncate the file if ErrAuthMsg is returned
+func (r *streamReader) Read(b []byte) (int, error) {
+	if len(b) <= 16 {
+		return r.readTo(b)
+	}
+	n := 0
+	for {
+		if n+16 > len(b) {
+			sr, err := r.readTo(b[n:])
+			n += sr
+			if err != nil {
+				return n, err
+			}
+			break
+		}
+
+		sr, err := r.readTo(b[n : n+16])
+		n += sr
+		if err != nil {
+			return n, err
+		}
+	}
+	return n, nil
+}
+
+func (r *streamReader) verify() error {
+	r.ie.ioPaddingTo(r.nwr)
+	if r.ie.poly.Verify(r.tagc) {
+		return io.EOF
+	}
+	return ErrAuthMsg
+}
+
+func (r *streamReader) copyUntil(b []byte, sr int) int {
+	n := copy(b, r.buff[:sr])
+	r.buff = r.buff[n:]
+	r.nwr += n
+	return n
+}
+
+func (r *streamReader) copyBuff(b []byte) int {
+	n := copy(b, r.buff)
+	r.buff = r.buff[n:]
+	r.nwr += n
+	return n
+}
+
+func (r *streamReader) readBuff() (int, error) {
+	if !r.firstRead {
+		r.ie.execAdFunc()
+		_, err := io.ReadFull(r.read, r.temp)
+		if err != nil {
+			return 0, err
+		}
+		r.firstRead = true
+	}
+
+	var buff = make([]byte, 16)
+	n, err := r.read.Read(buff)
+	if err != nil {
+		return 0, err
+	}
+	if n > len(buff) {
+		return 0, errunderio
+	}
+
+	copy(r.tagc, append(r.temp[n:], buff[:n]...))
+	r.buff = append(r.buff, r.temp[:n]...)
+	r.buffAndXor()
+
+	if n < 16 {
+		return n, err
+	}
+
+	copy(r.temp, buff)
+	return n, err
+}
+
+func (r *streamReader) buffAndXor() {
+	r.ie.poly.Write(r.buff)
+	r.cip.XORKeyStream(r.buff, r.buff)
+}
+
+// Write writes plaintext data, in order to calculate and write tag
+// at the end of the write, running Close() is necessary
+func (w *streamWriter) Write(b []byte) (int, error) {
+	if !w.firstWrite {
+		w.ie.execAdFunc()
+		w.firstWrite = true
+	}
+	n, err := w.writer.Write(b)
+	if err != nil {
+		return n, err
+	}
+
+	w.nwr += n
+	return n, err
+}
+
+func (p *ioaead) ioPaddingTo(nb int) {
+	if rem := nb % 16; rem != 0 {
+		var buf [16]byte
+		padLen := 16 - rem
+		p.poly.Write(buf[:padLen])
+	}
+
+	writeUint64(p.poly, p.adlen)
+	writeUint64(p.poly, nb)
+}
+
+// Close calculate and write poly1305 tag before closing the writer
+// if underlying writer does not have a Close() method, Close only
+// calculate and write poly1305 tag
+func (w *streamWriter) Close() error {
+	w.ie.ioPaddingTo(w.nwr)
+	if _, err := w.plainWriter.Write(w.ie.poly.Sum(nil)); err != nil {
+		return err
+	}
+
+	if c, ok := w.plainWriter.(io.Closer); ok {
+		return c.Close()
+	}
+	return nil
+}
diff --git a/seal.png b/seal.png
new file mode 100644
index 0000000..bf5995e
Binary files /dev/null and b/seal.png differ
-- 
cgit v1.2.3