CHACHA(2) CHACHA(2)
NAME
setupChachastate, chacha_setblock, chacha_setiv,
chacha_encrypt, chacha_encrypt2, hchacha, ccpoly_encrypt,
ccpoly_decrypt - chacha encryption
SYNOPSIS
#include <u.h>
#include <libc.h>
#include <libsec.h>
void setupChachastate(Chachastate *s, uchar key[], ulong
keylen, uchar *iv, ulong ivlen, int rounds)
void chacha_encrypt(uchar *data, ulong len, Chachastate *s)
void chacha_encrypt2(uchar *src, uchar *dst, ulong len,
Chachastate *s)
void chacha_setblock(Chachastate *s, u64int blockno)
void chacha_setiv(Chachastate *s, uchar *iv);
void hchacha(uchar h[32], uchar *key, ulong keylen, uchar
nonce[16], int rounds);
void ccpoly_encrypt(uchar *dat, ulong ndat, uchar *aad,
ulong naad, uchar tag[16], Chachastate *cs);
int ccpoly_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong
naad, uchar tag[16], Chachastate *cs);
DESCRIPTION
Chacha is D J Berstein's symmetric stream cipher, as modi-
fied by RFC7539. It supports keys of 256 bits (128 bits is
supported here for special purposes). It has an underlying
block size of 64 bytes (named as constant ChachaBsize).
SetupChachastate takes a reference to a Chachastate struc-
ture, a key of keylen bytes, which should normally be
ChachaKeylen, a iv or nonce of ivlen bytes (can be
ChachaIVlen=12, 8 or XChachaIVlen=24; set to all zeros if
the iv argument is nil), and the number of rounds (set to
the default of 20 if the argument is zero). With a key
length of 256 bits (32 bytes), a nonce of 96 bits (12 bytes)
and 20 rounds, the function implements the Chacha20 encryp-
tion function of RFC7539.
Chacha_encrypt encrypts len bytes of buf in place using the
Chachastate in s. Len can be any byte length. Encryption
and decryption are the same operation given the same
Page 1 Plan 9 (printed 11/17/25)
CHACHA(2) CHACHA(2)
starting state s.
Chacha_encrypt2 is similar, but encrypts len bytes of src
into dst without modifying src.
Chacha_setblock sets the Chacha block counter for the next
encryption to blockno, allowing seeking in an encrypted
stream.
Chacha_setiv sets the the initialization vector (nonce) to
iv.
Hchacha is a key expansion function that takes a 128 or
256-bit key and a 128-bit nonce and produces a new 256-bit
key.
Ccpoly_encrypt and ccpoly_decrypt implement authenticated
encryption with associated data (AEAD) using Chacha cipher
and Poly1305 message authentication code as specified in
RFC7539. These routines require a Chachastate that has been
setup with a new (per key unique) initialization vector
(nonce) on each invocation. The referenced data dat[ndat] is
in-place encrypted or decrypted. Ccpoly_encrypt produces a
16 byte authentication tag, while ccpoly_decrypt verifies
the tag, returning zero on success or negative on a mis-
match. The aad[naad] arguments refer to the additional
authenticated data that is included in the tag calculation,
but not encrypted.
SOURCE
/sys/src/libsec
SEE ALSO
mp(2), aes(2), blowfish(2), des(2), dsa(2), elgamal(2),
rc4(2), rsa(2), salsa(2), sechash(2), prime(2), rand(2)
Page 2 Plan 9 (printed 11/17/25)