HChaCha20 to derive subkey from main key and first 128 bits of nonce
E919336
HChaCha20 is a variant of the ChaCha20 core function used as a key-derivation mechanism to produce a subkey from an existing key and part of a nonce, enabling extended-nonce constructions like XChaCha20.
Observed surface forms (1)
| Surface form | Occurrences |
|---|---|
| HChaCha20 | 0 |
Statements (49)
| Predicate | Object |
|---|---|
| instanceOf |
key derivation function
ⓘ
variant of ChaCha20 core function ⓘ |
| avoids | key reuse across different nonces ⓘ |
| basedOn | ChaCha20 core function NERFINISHED ⓘ |
| blockStructure | 16-word state matrix ⓘ |
| category | symmetric cryptography primitive ⓘ |
| constantWords | "expand 32-byte k" constants ⓘ |
| constructionType | ARX (add-rotate-xor) function ⓘ |
| definedIn | XChaCha20 specification ⓘ |
| designedFor | 128-bit nonce prefix handling ⓘ |
| deterministic | yes ⓘ |
| domainSeparation | uses nonce prefix as diversification input ⓘ |
| enables | 192-bit nonce XChaCha20 construction ⓘ |
| implementation | constant-time software implementations recommended ⓘ |
| implementedIn |
BoringSSL
NERFINISHED
ⓘ
Go crypto/x/crypto packages ⓘ libsodium NERFINISHED ⓘ |
| inputComponents |
4 constant words
ⓘ
4 nonce words ⓘ 8 key words ⓘ |
| inputKeySize | 256-bit key ⓘ |
| inputNonceSize | 128-bit nonce prefix ⓘ |
| introducedFor | safe large-nonce randomization ⓘ |
| invertible | no ⓘ |
| nonceUsage | first 128 bits of a 192-bit XChaCha20 nonce ⓘ |
| operatesOn | 4x4 matrix of 32-bit words ⓘ |
| outputComponents | 8 state words ⓘ |
| outputDistribution | pseudorandom under key secrecy ⓘ |
| outputKeySize | 256-bit subkey ⓘ |
| outputSelection | first 4 state words and last 4 state words ⓘ |
| proposedBy |
Adam Langley
NERFINISHED
ⓘ
Google researchers ⓘ |
| relatedTo |
ChaCha20
NERFINISHED
ⓘ
Poly1305 NERFINISHED ⓘ XChaCha20 NERFINISHED ⓘ |
| roundCount | 20 rounds ⓘ |
| roundStructure | 10 column and diagonal double-rounds ⓘ |
| securityAssumption | security of ChaCha20 core function ⓘ |
| securityGoal | pseudorandom subkey derivation ⓘ |
| standardizedIn | draft-irtf-cfrg-xchacha ⓘ |
| status | widely used in modern cryptographic libraries ⓘ |
| subkeyUsage | used as key for subsequent ChaCha20 encryption ⓘ |
| usedFor |
deriving a subkey from a main key and nonce
ⓘ
extended-nonce stream cipher constructions ⓘ |
| usedIn | XChaCha20 NERFINISHED ⓘ |
| usedWith |
ChaCha20 stream cipher
NERFINISHED
ⓘ
XChaCha20-Poly1305 AEAD NERFINISHED ⓘ |
| uses | ChaCha quarter-round function ⓘ |
| wordSize | 32-bit ⓘ |
Referenced by (1)
Full triples — surface form annotated when it differs from this entity's canonical label.
XChaCha20-Poly1305 AEAD construction
→
usesKeyDerivation
→
HChaCha20 to derive subkey from main key and first 128 bits of nonce
ⓘ