/libsodium-xchacha20-siv

Deterministic/nonce-reuse resistant authenticated encryption scheme using XChaCha20, implemented on libsodium.

Primary LanguageCBSD 2-Clause "Simplified" LicenseBSD-2-Clause

XChaCha20-SIV

Deterministic/nonce-reuse resistant authenticated encryption scheme using XChaCha20, implemented on libsodium.

XChaCha20-Poly1305 XChaCha20-SIV
Key size 256 bits 256 bits (before expansion)
Authentication tag 128 bits 256 bits
Nonce 192 bits, mandatory Optional
Nonce reuse Can leak plaintext Only leaks message duplication
Speed Fast Slightly slower

Usage

int crypto_aead_det_xchacha20_encrypt_detached(
    unsigned char *c,
    unsigned char mac[crypto_aead_det_xchacha20_ABYTES],
    const unsigned char *m, size_t mlen,
    const unsigned char *ad, size_t adlen,
    const unsigned char *nonce,
    const unsigned char k[crypto_aead_det_xchacha20_KEYBYTES]);

Encrypt a message m of length mlen bytes using a key k, an optional nonce nonce (which can left to NULL), optionally authenticating additional data ad (if not NULL) of length adlen bytes in addition to the message itself. The IV acting as a MAC is stored into mac.

int crypto_aead_det_xchacha20_decrypt_detached(
    unsigned char *m,
    const unsigned char *c, size_t clen,
    const unsigned char mac[crypto_aead_det_xchacha20_ABYTES],
    const unsigned char *ad, size_t adlen,
    const unsigned char *nonce,
    const unsigned char k[crypto_aead_det_xchacha20_KEYBYTES]);

Decrypt a ciphertext c or length clen bytes using a key k, an optional nonce nonce (which can be left to NULL), optionally verifying additional data ad (if not NULL) of length adlen bytes in addition to the message itself, using the MAC mac.

The function returns -1 if the authentication tag didn't verify, and 0 on success, storing the decrypted message into m.

int crypto_aead_det_xchacha20_encrypt(unsigned char *c,
                                      const unsigned char *m, size_t mlen,
                                      const unsigned char *ad, size_t adlen,
                                      const unsigned char *nonce,
                                      const unsigned char  k[crypto_aead_det_xchacha20_KEYBYTES]);

Similar to encrypt_detached, but the ciphertext and MAC are concatenated.

c must be mlen + crypto_aead_det_xchacha20_ABYTES long.

int crypto_aead_det_xchacha20_decrypt(unsigned char *m,
                                      const unsigned char *c, size_t clen,
                                      const unsigned char *ad, size_t adlen,
                                      const unsigned char *nonce,
                                      const unsigned char k[crypto_aead_det_xchacha20_KEYBYTES]);

Similar to decrypt_detached, with the ciphertext and the MAC having been concatenated.

void crypto_aead_det_xchacha20_keygen(unsigned char k[crypto_aead_det_xchacha20_KEYBYTES]);

Create a 256-bit secret key.