git.sr.ht/~pingoo/stdx@v0.0.0-20240218134121-094174641f6e/crypto/chacha20/xchacha20.md (about)

     1  # XChaCha20
     2  
     3  * `key` randomly generated `[32]byte`
     4  * `nonce` `[24]byte`. Either random or counter.
     5  * `chaCha20` is the original chacha20 stream cipher, with a 64 bits blockcounter and 64 bits nonce
     6  
     7  ```
     8  chacha20Key [32]byte := HChaCha20(key, nonce[0:16])
     9  chacha20Nonce [8]byte := nonce[16:24]
    10  
    11  xChaCha20 := chaCha20.New(key = chacha20Key, nonce = chacha20Nonce)
    12  ```
    13  
    14  
    15  
    16  The key is required to be 256 bits (32 bytes)
    17  The nonce is required to be 192 bits (24 bytes)
    18  The nonce must be unique for one key for all time.
    19  
    20  The XChaCha20 stream cipher can encrypt up to 2^80 messages for each (nonce, key) pair with a random nonce.
    21  
    22  The XChaCha20 stream cipher can encrypt up to 2^192 messages for each (nonce, key) pair with a counter nonce.
    23  
    24  The XChaCha20 stream cipher can encrypt individual messages of up to 2^64 bytes
    25  
    26  XChaCha20 uses a 64 bits counter and the the following state:
    27  ```
    28  cccccccc  cccccccc  cccccccc  cccccccc
    29  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
    30  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
    31  bbbbbbbb  bbbbbbbb  nnnnnnnn  nnnnnnnn
    32  c=constant k=key b=blockcounter n=nonce
    33  ```
    34  
    35  which is different than [IETF's draft XChaCha20](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha-03)
    36  that use a 32 bits counter and the 32 remaining bits are set to "\x00\x00\x00\x00"
    37  
    38  ```
    39  cccccccc  cccccccc  cccccccc  cccccccc
    40  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
    41  kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
    42  bbbbbbbb  00000000  nnnnnnnn  nnnnnnnn
    43  
    44  c=constant k=key b=blockcounter n=nonce
    45  ```
    46  
    47  
    48  ## Limits