The ChaCha20-Poly1305 AEAD construction

This is a composition of the ChaCha20 stream cipher and the Poly1305 polynomial MAC to form an AEAD. It’s specified for use in TLS in the form of RFC7539.

It uses a 256-bit key and a 96-bit nonce.

This is a one-shot interface.

Functions

void cf_chacha20poly1305_encrypt(const uint8_t key[32], const uint8_t nonce[12], const uint8_t *header, size_t nheader, const uint8_t *plaintext, size_t nbytes, uint8_t *ciphertext, uint8_t tag[16])

ChaCha20-Poly1305 authenticated encryption.

Parameters:

• key – key material.
• nonce – per-message nonce.
• header – header buffer.
• nheader – number of header bytes.
• plaintext – plaintext bytes to be encrypted.
• nbytes – number of plaintext/ciphertext bytes.
• ciphertext – ciphertext output buffer, nbytes in length.
• tag – authentication tag output buffer.

int cf_chacha20poly1305_decrypt(const uint8_t key[32], const uint8_t nonce[12], const uint8_t *header, size_t nheader, const uint8_t *ciphertext, size_t nbytes, const uint8_t tag[16], uint8_t *plaintext)

ChaCha20-Poly1305 authenticated decryption.

Returns:

0 on success, non-zero on error. Plaintext is zeroed on error.

Parameters:

• key – key material.
• nonce – per-message nonce.
• header – header buffer.
• nheader – number of header bytes.
• ciphertext – ciphertext bytes to be decrypted.
• nbytes – number of plaintext/ciphertext bytes.
• plaintext – plaintext output buffer, nbytes in length.
• tag – authentication tag output buffer.