--- /dev/null
+Output format is very simple:
+
+* "GOHPENC\n" magic string
+* 32-bit big-endian block length
+* 128-bit random salt
+
+ /-------BLOCK---------\ /-------BLOCK---------\
++-------+----------+------+------------+----------+------------+----------+----
+| MAGIC | BLOCKLEN | SALT | CIPHERTEXT | AUTH TAG | CIPHERTEXT | AUTH TAG | ...
++-------+----------+------+------------+----------+------------+----------+----
+
+There is trivial key generation:
+ keyOrdinary, keyLast = HKDF(SHA512, keySpecified, SALT, AD=MAGIC)
+
+Each block is encrypted with ChaCha20-Poly1305, using keyOrdinary and
+nonce containing 64-bit big-endian counter, starting at zero. Very last
+block is encrypted with keyLast and it may have zero length plaintext.