dropped. 24-bit counter is long enough for very long talk sessions.
Each packet is encrypted with ChaCha20 and authenticated with SipHash24.
-The keys are generated during the handshake procedure with the server
-and is shared among the other participants. The stream identifier
-together with the packet counter is used as a nonce.
+Their keys are generated from BLAKE2s-XOF, which is fed with completed
+handshake's binding value. Then they are shared among the other
+participants. The stream identifier together with the packet counter is
+used as a nonce.
It is tuned for 24Kbps bandwidth. But remember that it has additional 8B
of MAC tag, 4B VoRS, 8B UDP and 40B IPv6 headers.