Skip to content

Latest commit

 

History

History
22 lines (14 loc) · 1.33 KB

chacha20-poly1305.md

File metadata and controls

22 lines (14 loc) · 1.33 KB

Authenticated Encryption with Additional Data using ChaCha20-Poly1305

Purpose

This operation:

  • Encrypts a message with a key and a nonce to keep it confidential
  • Computes an authentication tag. This tag is used to make sure that the message, as well as optional, non-confidential (non-encrypted) data, haven't been tampered with.

A typical use case for additional data is to store protocol-specific metadata about the message, such as its length and encoding.

The chosen construction uses encrypt-then-MAC and decryption will never be performed, even partially, before verification.

Variants

Libsodium implements two versions of the ChaCha20-Poly1305 construction:

  • The original construction can safely encrypt up to 2^64 messages with the same key, without any practical limit to the size of a message (up to 2^70 bytes).
  • The IETF variant is slightly slower. It can safely encrypt a pratically unlimited number of messages (2^96), but individual messages cannot exceed 1 terabyte.

Both are interoperable with other crypto libaries, share the same security properties and are accessible via a similar API.

The crypto_aead_chacha20poly1305_*() set of functions implements the original construction, while the crypto_aead_chacha20poly1305_ietf_*() functions implement the IETF version. The constants are the same, except for the nonce size.