XChaCha20
is an unauthenticated stream cipher constructed using and . It takes a 256-bit key and 192-bit nonce (number used only once) to encrypt/decrypt a message.
The 64-bit internal counter can be changed from the default of 0 to access any block without computing previous ones. However, it should generally not be touched.
You probably want instead, which also ensures a message has not been tampered with. This class MUST only be used for custom constructions (e.g. ).
The nonce MUST NOT be repeated or reused with the same key. You MUST or the nonce for each plaintext message encrypted using the same key.
Fills a span with pseudorandom bytes computed from a nonce and key. This can be used to compute the Poly1305 key for constructing .
buffer has a length of 0.
nonce has a length not equal to NonceSize.
key has a length not equal to KeySize.
Error computing pseudorandom bytes.
Fills a span with ciphertext computed from a plaintext message, nonce, and key.
ciphertext has a length not equal to plaintext.Length.
nonce has a length not equal to NonceSize.
key has a length not equal to KeySize.
Encryption failed.
Fills a span with plaintext computed from a ciphertext message, nonce, and key.
plaintext has a length not equal to ciphertext.Length.
nonce has a length not equal to NonceSize.
key has a length not equal to KeySize.
Decryption failed.
These are used for validation and/or save you defining your own constants.
This is NOT an authenticated encryption algorithm. This class MUST only be used if you know what you are doing and apply authentication using keyed as a MAC.
The key MUST be uniformly random. It can either be or the output of a . Furthermore, it SHOULD be rotated periodically (e.g. a different key per file).
As a general rule, avoid compression before encryption. It can and has been the cause of .
Even with , it is recommended to encrypt data in 16-64 KiB chunks instead of as a single plaintext message. Read the for more information.
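The counter, nonce-reuse and authentication notes above can be observed in a small pure-Python model of the cipher. This is an added example, not code from this page or its library; it assumes the usual XChaCha20 definition (an HChaCha20 subkey from the first 16 nonce bytes, then ChaCha20 with a 64-bit counter and the last 8 nonce bytes), and the key, nonce, messages and function names are constructed for the demo.

```python
import struct

M = 0xFFFFFFFF
ROUND_IDX = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
             (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def _permute(key, tail):  # tail fills state words 12..15
    init = struct.unpack("<16I", b"expand 32-byte k" + key + tail)
    x = list(init)
    for _ in range(10):  # 10 double rounds: columns, then diagonals
        for a, b, c, d in ROUND_IDX:
            for rot in (16, 12, 8, 7):  # the four steps of one quarter round
                x[a] = (x[a] + x[b]) & M
                v = x[d] ^ x[a]
                x[d] = ((v << rot) | (v >> (32 - rot))) & M
                a, b, c, d = c, d, a, b  # next step works on the other pair
    return init, x

def chacha20_block(key, tail):
    init, x = _permute(key, tail)
    return struct.pack("<16I", *((i + j) & M for i, j in zip(init, x)))

def hchacha20(key, nonce16):
    _, x = _permute(key, nonce16)  # no feed-forward; keep words 0..3 and 12..15
    return struct.pack("<8I", *(x[:4] + x[12:]))

def xchacha20_xor(message, nonce, key, counter=0):
    """Encrypt or decrypt (same operation), starting at 64-byte block `counter`."""
    if len(nonce) != 24 or len(key) != 32:
        raise ValueError("nonce must be 24 bytes and key 32 bytes")
    subkey, out = hchacha20(key, nonce[:16]), bytearray()
    for i in range(0, len(message), 64):
        tail = struct.pack("<Q", counter + i // 64) + nonce[16:]
        out += xor(message[i:i + 64], chacha20_block(subkey, tail))
    return bytes(out)

def demo():
    key, nonce = bytes(range(32)), bytes(24)  # constructed values, demo only
    p1 = b"PAY 0100 TO ALICE".ljust(128, b".")
    p2 = b"second message, SAME nonce".ljust(128, b".")
    c1, c2 = xchacha20_xor(p1, nonce, key), xchacha20_xor(p2, nonce, key)
    forged = c1[:4] + bytes([c1[4] ^ ord("0") ^ ord("9")]) + c1[5:]  # no key used
    return {
        "tampered": xchacha20_xor(forged, nonce, key),  # decrypts without error
        "reuse_leak": xor(c1, c2) == xor(p1, p2),  # key stream cancels out
        "seek_ok": xchacha20_xor(c1[64:], nonce, key, counter=1) == p1[64:],
    }
```

With a MAC over the ciphertext that is verified before decryption, the forged ciphertext would be rejected instead of decrypting to an altered amount.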