This operation:
- Encrypts a message with a key and a nonce to keep it confidential
- Computes an authentication tag. This tag is used to make sure that the message, as well as optional, non-confidential (non-encrypted) data, haven't been tampered with.
A typical use case for additional data is to store protocol-specific metadata about the message, such as its length and encoding.
The chosen construction uses encrypt-then-MAC and decryption will never be performed, even partially, before verification.
Libsodium implements two versions of the ChaCha20-Poly1305 construction:
- The original construction can safely encrypt up to 2^64 messages with the same key, without any practical limit to the size of a message (up to 2^70 bytes).
- The IETF variant is slightly slower. It can safely encrypt a pratically unlimited number of messages (2^96), but individual messages cannot exceed 1 terabyte.
Both are interoperable with other crypto libaries, share the same security properties and are accessible via a similar API.
The crypto_aead_chacha20poly1305_*()
set of functions implements the original construction, while the crypto_aead_chacha20poly1305_ietf_*()
functions implement the IETF version.
The constants are the same, except for the nonce size.