diff --git a/src/main.js b/src/main.js
--- a/src/main.js
+++ b/src/main.js
@@ -1,17 +1,17 @@
 import * as util from "./util.js";
 import {blake2s} from "./blake.js";
 import {pbkdf2} from "./pbkdf2.js";
-import {createNonce,Chacha20,encrypt as _encrypt,decrypt as _decrypt} from "./chacha.js";
+import {Chacha20,encrypt as _encrypt,decrypt as _decrypt} from "./chacha.js";
 const VERSION=1;
 function encrypt(s,password){
 let bs=util.str2utf8(s);
 let pass=util.str2utf8(password);
- let salt=createNonce();
+ let salt=util.createRandomNonce(12);
 let [iters,key]=stretchKey(pass,salt);
- let noncedCiphertext=_encrypt(bs,key,salt);
- let payload=[iters].concat(noncedCiphertext);
+ let [_,ciphertext]=_encrypt(bs,key,salt);
+ let payload=[iters].concat(salt,ciphertext);
 let signature=blake2s([VERSION].concat(payload),16,pass);
 let arr=[VERSION].concat(signature,payload);
 return util.bytes2base64(arr);
@@ -24,12 +24,12 @@ function decrypt(s,password){
 let signature=arr.slice(1,17);
 let iters=arr[17];
 let salt=arr.slice(18,30);
- let noncedCiphertext=arr.slice(18);
- let check=blake2s([version].concat([iters],noncedCiphertext),16,pass);
+ let ciphertext=arr.slice(30);
+ let check=blake2s([version,iters].concat(salt,ciphertext),16,pass);
 if(!signature.every((b,i)=>b===check[i])){return false;}
 if(version>VERSION){return false;}
 let key=pbkdf2(pass,salt,1<
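Review bot: The tag on the `let signature=blake2s([VERSION].concat(payload),16,pass);` line in encrypt is keyed with the raw password bytes rather than the stretched `key`, assuming the third argument of blake2s is its key. Anyone holding a ciphertext can then check a password guess with a single BLAKE2s call, so the PBKDF2 work factor no longer protects the password. Keying the tag with the derived key closes that gap: `let signature=blake2s([VERSION].concat(payload),16,key);`, ideally with a separate key derived for the MAC. The `let check=blake2s(...,16,pass)` line in the decrypt hunk has the same issue and would need to derive the key before verifying, and because old tags would no longer verify, the change needs a VERSION bump. encrypt's closing brace and the rest of decrypt lie outside the visible hunks.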