-Protocol is trivial. Both peers has shared 256-bit key. SHA3 is used to
-derive four more keys from it:
+Protocol is trivial. Both peers have shared 256-bit key.
+SHA3 is used to derive four more keys from it:
SHAKE128("go.cypherpunks.ru/udpobfs" || key) ->
256-bit InitiatorEncryptionKey ||
256-bit ResponderEncryptionKey ||
256-bit ResponderObfuscationKey
-Each side has 64-bit packet number counter, that is used as a nonce.
-That counter is kept in memory and only its lower 24 bits are sent.
-When remote side receives 24-bit counter with lower value, then it
-increments in-memory counter's remaining part. Completely the same
-as Extended Sequence Numbers are done in IPsec's ESP.
+Each side has big-endian 64-bit packet number counter, that is used as a
+nonce. That counter is kept in memory and only its lower 24 bits are
+sent. When remote side receives 24-bit counter with lower value, then it
+increments in-memory counter's remaining part. Completely the same as
+Extended Sequence Numbers are done in IPsec's ESP.
ChaCha20 is initialised with corresponding EncryptionKey and nonce equal
to the full sequence number value. Its first 256-bit of output will be