I've discovered that the copying involved in the 4-pass algorithm may be a non-negligible part of the total decrypt time.

We can eliminate some of the copying in 4 pass by putting the length and index fields at the end of the output of expand, e.g.

OLD
expand(0x484848, 7, 1) = (0x07, 0x01, 0x48, 0x48, 0x48, ....)
NEW
expand(0x484848, 7, 1) = (0x48, 0x48, 0x48, .... 0x07, 0x01)

in the likely case where server_id_len < nonce_len, this means that the decoder can just pass server_id_len bytes of left_1 to the caller, rather then copying it into a new buffer.