XChacha20 derives from Chacha20 the same way XSalsa20 derives from
Salsa20, and benefits from the same security reduction (proven secure
as long as Chacha20 itself is secure).
-.Pp
-Authenticated encryption is equivalent to the following:
-.Bl -bullet
-.It
-Generate an XChacha20 random stream as long as the message, plus 64
-bytes.
-The parameters are the session key and the message nonce.
-.It
-Use the first 32 bytes of the stream as the authentication key.
-.It
-Discard the next 32 bytes of the stream.
-.It
-Xor the rest of the stream (starting at byte 64) with the message to
-encrypt it.
-.It
-Encode the length of the additional data and the encrypted message as 64
-bits little endian unsigned integers.
-.It
-Pad the additional data with zeroes, up to the next multiple of 16
-bytes.
-Padding length ranges from 0 to 15 bytes.
-.It
-Pad the encrypted message with zeroes, up to the next multiple of 16
-bytes.
-Padding length ranges from 0 to 15 bytes.
-.It
-Concatenate the padded additional data, the padded encrypted message,
-the encoded length of the additional data, and the encoded length of the
-encrypted message, in that order.
-Authenticate the result with Poly1305, with the authentication key
-generated above.
-This will produce a 16 byte message authentication code.
-.It
-The nonce, encrypted message, and message authentication code can now be
-sent or archived.
-Recovering the message and assessing its integrity will require the
-session key.
-.El
projects / Monocypher.git / commitdiff