libsodium
libsodium
libsodium
libsodium
Introduction
Installation
Quickstart and FAQ
Projects using libsodium
Commercial support
Bindings for other languages
Usage
Helpers
Padding
Secure memory
Generating random data
Secret-key cryptography
Authenticated encryption
Encrypted streams and file encryption
Encrypting a set of related messages
Authentication
AEAD constructions
ChaCha20-Poly1305
Original ChaCha20-Poly1305 construction
IETF ChaCha20-Poly1305 construction
XChaCha20-Poly1305 construction
AES256-GCM
Public-key cryptography
Hashing
Password hashing
Key derivation
Key exchange
Advanced
Internals
Roadmap
Powered by GitBook

ChaCha20-Poly1305

Purpose

This operation:

  • Encrypts a message with a key and a nonce to keep it confidential

  • Computes an authentication tag. This tag is used to make sure that the message, as well as optional, non-confidential (non-encrypted) data, haven't been tampered with.

A typical use case for additional data is to store protocol-specific metadata about the message, such as its length and encoding.

The chosen construction uses encrypt-then-MAC and decryption will never be performed, even partially, before verification.

Variants

libsodium implements three versions of the ChaCha20-Poly1305 construction:

  • The original construction can safely encrypt up to 2^64 messages with the same key (even more with most protocols), without any practical limit to the size of a message (up to 2^64 bytes for a 128-bit tag).

  • The IETF variant. It can safely encrypt a practically unlimited number of messages, but individual messages cannot exceed 64*(2^32)-64 bytes (approximatively 256 GB).

  • The XChaCha20 variant, introduced in libsodium 1.0.12. It can safely encrypt a practically unlimited number of messages of any sizes, and random nonces are safe to use.

The first two variants are fully interoperable with other crypto libaries. The XChaCha20 variant is currently only implemented in libsodium, but is the recommended option if interoperability is not a concern.

They all share the same security properties when used properly, and are accessible via a similar API.

The crypto_aead_chacha20poly1305_*() set of functions implements the original construction, the crypto_aead_chacha20poly1305_ietf_*() functions implement the IETF version, and the crypto_aead_xchacha20poly1305_ietf_*() functions implement the XChaCha20 variant.

The constants are the same, except for the nonce size.

Previous
AEAD constructions
Next
Original ChaCha20-Poly1305 construction
Last updated 6 months ago
Contents
Purpose
Variants