In a nutshell, the program splits an arbitrary-size input file into strings of specifiable size (the default being 1 MiB). Each string is encrypted and authenticated as part of a stateful session, resulting in (ciphertext, tag) pairs being written to the output file.
More specifically, the program first generates a random nonce N using OS-specific secure random number generator facilities. Then, it compresses the nonce into the state for diversification and authentication. A startup tag T0 is then expanded which is used to authenticate the (key,N,T0) tuple at decipher time. In other words, if the wrong key is used or any tampering of nonce N or tag T0 occur, then it is detected before any ciphertext is handled and the session is terminated. Following the tag, enough keystream K1 is expanded to encrypt plaintext P1, both of which are XORed together to produce ciphertext C1. Ciphertext C1 is then compressed into the state and tag T1 is expanded, which authenticates not only C1 but everything compressed thus far (the nonce N). This process is repeated as many times as necessary, until the entire file has been enciphered. Because each tag authenticates all compressed strings thus far in the session, the adversary is prevented from being able to undetectably tamper with any blocks in any way imaginable. Because the last ciphertext string is known to be partial, truncation is also detected. There is no practical limit on the size of files that can be handled thanks to Xoofff's data complexity bound. Semantic security is achieved due to the random nonce: enciphering the same file repeatedly will result in entirely uncorrelated cryptograms.
The first byte of N indicates whether output armoring is applied. It uses ASCII '0' and '1' to represent 'no' and 'yes' respectively. The first plaintext block (P1) is used to store encipherment parameters: block length in bytes, input file size in bytes and a flag byte indicating whether padding has been applied. By encrypting the parameters, the adversary cannot glean useful information from the enciphered file. By compressing the parameters into the state, if the adversary tampers with the parameters block in any way, the state becomes corrupt and no subsequent tags will verify. The parameters block also configures the decipherment process so that the user need not remember what parameters were used at encipherment time. In addition, padding is intelligently handled at both encipherment and decipherment time, without any abnormal memory requirements.
The random nonce is 256 bits in length. Using a nonce of this length ensures that it would take on average about 2^128 encipherments under a single key for some pair of nonces to collide, which is simply astronomical. Tags are 128 bits in length, which means it would take on average about 2^127 attempts by the adversary to successfully forge a ciphertext string. Because forgery attempts are inherently online (i.e., such an attack requires access to a keyed decipher oracle), this attack is impractical. Instead, the adversary would likely try to brute force search for the key, which would take about 2^127 attempts on average, assuming a 128-bit key is used. Even if all of the computing power in the world was capable of testing 2^100 keys per year, which is ridiculously beyond anything capable today, it would still take more than 134 million years to find a 128-bit key on average.
A cross-platform console version also exists and has been tested under FreeBSD and Windows. It supports the same features as the GUI version, including AVX-512.