+Concatenated plaintext of those blocks hold the following stream of data:
+
+@verbatim
++-----------+--------+---------------------+--------+
+| PAYLOAD | SIZE | REST (OF PAYLOAD) | IPAD |
++-----------+--------+---------------------+--------+
+ ^
+ |
+ +-- always aligned to the beginning of block
+@end verbatim
+
+Where @code{SIZE} is following XDR structure:
+
+@multitable @columnfractions 0.2 0.3 0.5
+@headitem @tab XDR type @tab Value
+@item Payload @tab
+ unsigned hyper integer @tab
+ Full payload size. @code{len(PAYLOAD) + len(REST)}
+@item Pad @tab
+ unsigned hyper integer @tab
+ Full padding size. @code{len(IPAD) + len(OPAD)}
+@end multitable
+
+@code{SIZE} is always at the beginning of the block. So payload and rest
+of it have variable length. Block containing @code{SIZE} is encrypted
+with the different key (@code{key=size}), to distinguish it from the
+"ordinary" ones (@code{key=full}).
+
+@code{IPAD} contains zeros and is shorter than single block. Padding is fully
+optional and is used only to hide the payload full size.
+
+It is acceptable to have either @code{PAYLOAD} or @code{REST} of it of
+zero length. For example:
+
+@verbatim
++------+-------------+
+| SIZE | PAYLOAD ... |
++------+-------------+
+ \------ BLOCK -----/
+ key=size
+
++------+-------------+------+
+| SIZE | PAYLOAD ... | IPAD |
++------+-------------+------+
+ \--------- BLOCK --------/
+ key=size
+
++--------------------------+ +------+-------------------+
+| PAYLOAD | .. | SIZE | IPAD ... |
++--------------------------+ +------+-------------------+
+ \--------- BLOCK --------/ \--------- BLOCK --------/
+ key=full key=size
+
++--------------------------+ +------+-------------------+
+| PAYLOAD | .. | SIZE | PAYLOAD ... |
++--------------------------+ +------+-------------------+
+ \--------- BLOCK --------/ \--------- BLOCK --------/
+ key=full key=size
+
++--------------------------+ +------+-------------+------+
+| PAYLOAD | .. | SIZE | PAYLOAD ... | IPAD |
++--------------------------+ +------+-------------+------+
+ \--------- BLOCK --------/ \--------- BLOCK --------/
+ key=full key=size
+
++--------------------------+ +------+-------------------+ +--------------------------+
+| PAYLOAD | .. | SIZE | PAYLOAD ... | .. | PAYLOAD ... |
++--------------------------+ +------+-------------------+ +--------------------------+
+ \--------- BLOCK --------/ \--------- BLOCK --------/ \--------- BLOCK --------/
+ key=full key=size key=full
+
++--------------------------+ +------+-------------------+ +-------------+-------------+
+| PAYLOAD | .. | SIZE | PAYLOAD ... | .. | PAYLOAD ... | IPAD ... |
++--------------------------+ +------+-------------------+ +-------------+------------+
+ \--------- BLOCK --------/ \--------- BLOCK --------/ \--------- BLOCK --------/
+ key=full key=size key=full
+@end verbatim
+
+@code{OPAD} is appended if @code{IPAD} (inside the block) has not enough
+length. @code{OPAD} is just an output of the XOF function. No encryption
+and explicit authentication is applied to it. XOF is just faster and can
+be computed deterministically on both ends -- you just have to
+authenticate its length.