diff --git a/puer.c b/puer.c
index bd49c8a..48f2d97 100644
--- a/puer.c
+++ b/puer.c
@@ -64,26 +64,6 @@ void word2bytes(unsigned char *bytes, uint32_t word) {
 bytes[3] = word>>24;
 }
 
-void derive_subkey(uint32_t key[4], uint32_t nonce[6], uint32_t subkey[4]) {
- // We are using an extended nonce construction with 192 bit nonces.
- // The first 128 bits of nonce are encrypted using xxtea128 with
- // the provided key, in order to derive a subkey that is then used
- // alongside the remaining nonce to do the actual encryption.
- //
- // This is, as far as I can tell, not a standard construction. I
- // have based it on xchacha20, with the understanding that it
- // should not matter if the function used to derive the subkey is
- // reversible or not, since an attacker doesn't know the original
- // key and the original key is used only in this derivation.
-
- subkey[0] = nonce[0];
- subkey[1] = nonce[1];
- subkey[2] = nonce[2];
- subkey[3] = nonce[3];
-
- xxtea128(key, subkey);
-}
-
 struct hashstate {
 // A_n and B_n of the MDC-2 algorithm
 uint32_t a[4];