Awesome

XChaCha20-SIV

Deterministic/nonce-reuse resistant authenticated encryption scheme using XChaCha20, implemented on libsodium.

	XChaCha20-Poly1305	XChaCha20-SIV
Key size	256 bits	256 bits (before expansion)
Authentication tag	128 bits	256 bits
Nonce	192 bits, mandatory	Optional
Nonce reuse	Can leak plaintext	Only leaks message duplication
Speed	Fast	Slightly slower

Usage

int crypto_aead_det_xchacha20_encrypt_detached(
    unsigned char *c,
    unsigned char mac[crypto_aead_det_xchacha20_ABYTES],
    const unsigned char *m, size_t mlen,
    const unsigned char *ad, size_t adlen,
    const unsigned char *nonce,
    const unsigned char k[crypto_aead_det_xchacha20_KEYBYTES]);

Encrypt a message m of length mlen bytes using a key k, an optional nonce nonce (which can left to NULL), optionally authenticating additional data ad (if not NULL) of length adlen bytes in addition to the message itself. The IV acting as a MAC is stored into mac.

int crypto_aead_det_xchacha20_decrypt_detached(
    unsigned char *m,
    const unsigned char *c, size_t clen,
    const unsigned char mac[crypto_aead_det_xchacha20_ABYTES],
    const unsigned char *ad, size_t adlen,
    const unsigned char *nonce,
    const unsigned char k[crypto_aead_det_xchacha20_KEYBYTES]);

Decrypt a ciphertext c or length clen bytes using a key k, an optional nonce nonce (which can be left to NULL), optionally verifying additional data ad (if not NULL) of length adlen bytes in addition to the message itself, using the MAC mac.

The function returns -1 if the authentication tag didn't verify, and 0 on success, storing the decrypted message into m.

int crypto_aead_det_xchacha20_encrypt(unsigned char *c,
                                      const unsigned char *m, size_t mlen,
                                      const unsigned char *ad, size_t adlen,
                                      const unsigned char *nonce,
                                      const unsigned char  k[crypto_aead_det_xchacha20_KEYBYTES]);

Similar to encrypt_detached, but the ciphertext and MAC are concatenated.

c must be mlen + crypto_aead_det_xchacha20_ABYTES long.

int crypto_aead_det_xchacha20_decrypt(unsigned char *m,
                                      const unsigned char *c, size_t clen,
                                      const unsigned char *ad, size_t adlen,
                                      const unsigned char *nonce,
                                      const unsigned char k[crypto_aead_det_xchacha20_KEYBYTES]);

Similar to decrypt_detached, with the ciphertext and the MAC having been concatenated.

void crypto_aead_det_xchacha20_keygen(unsigned char k[crypto_aead_det_xchacha20_KEYBYTES]);

Create a 256-bit secret key.