Skip to main content

Module aead

Module aead 

Source
Expand description

ChaCha20-Poly1305 AEAD (RFC 8439) — the symmetric seal that closes the post-quantum channel: an ML-KEM-768 handshake establishes the shared secret, HKDF derives this 32-byte key, and every wire message is sealed here. ChaCha20 is a pure Word32 ARX cipher (the same primitive the assets/std/crypto.lg chacha20Block ships in Logos); Poly1305 is the one-time authenticator in constant-time 5×26-bit limbs (no bignum). Verified against the RFC 8439 §2.4.2 / §2.5.2 / §2.8.2 known-answer vectors. The tag compare is constant-time.

Functions§

chacha20_encrypt_seq
chacha20Encrypt(key, nonce, counter, data)data ⊕ keystream. The cipher; the AEAD flow in Logos calls it for both the Poly1305 one-time key (counter 0 over 32 zeros) and the payload (counter 1).
chacha20_xor
ChaCha20 keystream XOR (RFC 8439 §2.4): data ⊕ ChaCha20(key, counter‖nonce). AVX2 (8 blocks at a time) when available, else scalar — bit-identical.
chacha20poly1305_open
AEAD open: verifies the tag (constant-time) and decrypts, or None on tamper/truncation.
chacha20poly1305_seal
AEAD seal: returns ciphertext ‖ tag[16].
poly1305
Poly1305 one-time authenticator: tag = ((Σ blockᵢ·r^(n−i)) mod (2¹³⁰−5)) + s mod 2¹²⁸. AVX2 (4 blocks/group via precomputed r¹..r⁴) for long messages, else scalar — bit-identical.
poly1305_seq
poly1305Mac(key, msg) → 16-byte tag. The MAC primitive (constant-time 5×26-bit limbs).