XChaCha20-Poly1305 AEAD (draft-irtf-cfrg-xchacha).
Extension of ChaCha20-Poly1305 (RFC 8439) to a 24-byte nonce
via the HChaCha20 subkey derivation. The larger nonce makes it
safe to pick nonces randomly without tracking a counter — the
birthday bound becomes 2^96 instead of 2^48 for the 12-byte
IETF nonce.
§Construction
Given a 32-byte key K and a 24-byte nonce N:
- Split N into N[0..16] (for HChaCha20) and N[16..24].
- subkey = HChaCha20(K, N[0..16]) — a 32-byte derived key.
- nonce' = 0x00000000 || N[16..24] — a 12-byte IETF nonce.
- Run ChaCha20-Poly1305(subkey, nonce', aad, plaintext).
Used by libsodium (crypto_aead_xchacha20poly1305_ietf_*),
Signal, Age, WireGuard handshake, and many modern protocols
that want random nonces without the 2^48 cap.
Structs§
- XChaCha20Poly1305 - XChaCha20-Poly1305 AEAD with 24-byte nonce.