pub struct ChaCha20Poly1305;Expand description
ChaCha20-Poly1305 AEAD per RFC 8439.
Stateless tag struct – the per-message state lives in the
ChaCha20 / Poly1305 instances. Exposed as a unit struct so the
API matches the AES-GCM Gcm struct in cipher::modes.
Implementations§
Source§impl ChaCha20Poly1305
impl ChaCha20Poly1305
Sourcepub fn encrypt(
key: &[u8; 32],
nonce: &[u8; 12],
aad: &[u8],
plaintext: &[u8],
) -> (Vec<u8>, [u8; 16])
pub fn encrypt( key: &[u8; 32], nonce: &[u8; 12], aad: &[u8], plaintext: &[u8], ) -> (Vec<u8>, [u8; 16])
Encrypt and authenticate a message.
Returns (ciphertext, tag) where ciphertext.len() == plaintext.len() and tag is exactly 16 bytes. Both must
be transmitted to the receiver alongside the nonce and AAD.
Sourcepub fn decrypt(
key: &[u8; 32],
nonce: &[u8; 12],
aad: &[u8],
ciphertext: &[u8],
tag: &[u8; 16],
) -> Option<Vec<u8>>
pub fn decrypt( key: &[u8; 32], nonce: &[u8; 12], aad: &[u8], ciphertext: &[u8], tag: &[u8; 16], ) -> Option<Vec<u8>>
Decrypt and verify a ciphertext.
Returns Some(plaintext) only if tag is the correct MAC
for (aad, ciphertext) under (key, nonce). The tag is
compared in constant time – the function execution time
does not leak which byte of the tag was wrong.
Returns None if the tag does not verify. Callers MUST
NOT use the returned plaintext if None is returned, and
in particular must not log it, hash it, or branch on its
contents – the only correct response to a bad tag is to
abort the protocol.