CHACHA(2)                                               CHACHA(2)

     NAME
          setupChachastate, chacha_setblock, chacha_setiv,
          chacha_encrypt, chacha_encrypt2, hchacha, ccpoly_encrypt,
          ccpoly_decrypt - chacha encryption

     SYNOPSIS
          #include <u.h>
          #include <libc.h>
          #include <libsec.h>

          void setupChachastate(Chachastate *s, uchar key[], ulong
          keylen, uchar *iv, ulong ivlen, int rounds)

          void chacha_encrypt(uchar *data, ulong len, Chachastate *s)

          void chacha_encrypt2(uchar *src, uchar *dst, ulong len,
          Chachastate *s)

          void chacha_setblock(Chachastate *s, u64int blockno)

          void chacha_setiv(Chachastate *s, uchar *iv);

          void hchacha(uchar h[32], uchar *key, ulong keylen, uchar
          nonce[16], int rounds);

          void ccpoly_encrypt(uchar *dat, ulong ndat, uchar *aad,
          ulong naad, uchar tag[16], Chachastate *cs);

          int ccpoly_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong
          naad, uchar tag[16], Chachastate *cs);

     DESCRIPTION
          Chacha is D J Berstein's symmetric stream cipher, as modi-
          fied by RFC7539. It supports keys of 256 bits (128 bits is
          supported here for special purposes). It has an underlying
          block size of 64 bytes (named as constant ChachaBsize).

          SetupChachastate takes a reference to a Chachastate struc-
          ture, a key of keylen bytes, which should normally be
          ChachaKeylen, a iv or nonce of ivlen bytes (can be
          ChachaIVlen=12, 8 or XChachaIVlen=24; set to all zeros if
          the iv argument is nil), and the number of rounds (set to
          the default of 20 if the argument is zero).  With a key
          length of 256 bits (32 bytes), a nonce of 96 bits (12 bytes)
          and 20 rounds, the function implements the Chacha20 encryp-
          tion function of RFC7539.

          Chacha_encrypt encrypts len bytes of buf in place using the
          Chachastate in s. Len can be any byte length.  Encryption
          and decryption are the same operation given the same

     CHACHA(2)                                               CHACHA(2)

          starting state s.

          Chacha_encrypt2 is similar, but encrypts len bytes of src
          into dst without modifying src.

          Chacha_setblock sets the Chacha block counter for the next
          encryption to blockno, allowing seeking in an encrypted
          stream.

          Chacha_setiv sets the the initialization vector (nonce) to
          iv.

          Hchacha is a key expansion function that takes a 128 or
          256-bit key and a 128-bit nonce and produces a new 256-bit
          key.

          Ccpoly_encrypt and ccpoly_decrypt implement authenticated
          encryption with associated data (AEAD) using Chacha cipher
          and Poly1305 message authentication code as specified in
          RFC7539.  These routines require a Chachastate that has been
          setup with a new (per key unique) initialization vector
          (nonce) on each invocation. The referenced data dat[ndat] is
          in-place encrypted or decrypted.  Ccpoly_encrypt produces a
          16 byte authentication tag, while ccpoly_decrypt verifies
          the tag, returning zero on success or negative on a mis-
          match.  The aad[naad] arguments refer to the additional
          authenticated data that is included in the tag calculation,
          but not encrypted.

     SOURCE
          /sys/src/libsec

     SEE ALSO
          mp(2), aes(2), blowfish(2), des(2), dsa(2), elgamal(2),
          rc4(2), rsa(2), salsa(2), sechash(2), prime(2), rand(2)