HChaCha20 to derive subkey from main key and first 128 bits of nonce

E919336

HChaCha20 is a variant of the ChaCha20 core function used as a key-derivation mechanism to produce a subkey from an existing key and part of a nonce, enabling extended-nonce constructions like XChaCha20.

All labels observed (1)

How this entity was disambiguated

Statements (49)

Predicate Object
instanceOf key derivation function
variant of ChaCha20 core function
avoids key reuse across different nonces
basedOn ChaCha20 core function NERFINISHED
blockStructure 16-word state matrix
category symmetric cryptography primitive
constantWords "expand 32-byte k" constants
constructionType ARX (add-rotate-xor) function
definedIn XChaCha20 specification
designedFor 128-bit nonce prefix handling
deterministic yes
domainSeparation uses nonce prefix as diversification input
enables 192-bit nonce XChaCha20 construction
implementation constant-time software implementations recommended
implementedIn BoringSSL NERFINISHED
Go crypto/x/crypto packages
libsodium NERFINISHED
inputComponents 4 constant words
4 nonce words
8 key words
inputKeySize 256-bit key
inputNonceSize 128-bit nonce prefix
introducedFor safe large-nonce randomization
invertible no
nonceUsage first 128 bits of a 192-bit XChaCha20 nonce
operatesOn 4x4 matrix of 32-bit words
outputComponents 8 state words
outputDistribution pseudorandom under key secrecy
outputKeySize 256-bit subkey
outputSelection first 4 state words and last 4 state words
proposedBy Adam Langley NERFINISHED
Google researchers
relatedTo ChaCha20 NERFINISHED
Poly1305 NERFINISHED
XChaCha20 NERFINISHED
roundCount 20 rounds
roundStructure 10 column and diagonal double-rounds
securityAssumption security of ChaCha20 core function
securityGoal pseudorandom subkey derivation
standardizedIn draft-irtf-cfrg-xchacha
status widely used in modern cryptographic libraries
subkeyUsage used as key for subsequent ChaCha20 encryption
usedFor deriving a subkey from a main key and nonce
extended-nonce stream cipher constructions
usedIn XChaCha20 NERFINISHED
usedWith ChaCha20 stream cipher NERFINISHED
XChaCha20-Poly1305 AEAD NERFINISHED
uses ChaCha quarter-round function
wordSize 32-bit

How these facts were elicited

Referenced by (1)

Full triples — surface form annotated when it differs from this entity's canonical label.

XChaCha20-Poly1305 AEAD construction usesKeyDerivation HChaCha20 to derive subkey from main key and first 128 bits of nonce