ChaCha20-Poly1305 and XChaCha20-Poly1305 — PyCryptodome 3.210b0 documentation (2024)

ChaCha20-Poly1305 is an authenticated cipher with associated data (AEAD).It works with a 32 byte secret key and a noncewhich must never be reused across encryptions performed under the same key.The cipher produces a 16 byte tag that the receiver must use to validate the message.

There are three variants of the algorithm, defined by the length of the nonce:

The API of the cipher and its finite state machine are the same as for the modern modes of operation of block ciphers.

You create a new cipher by calling Crypto.Cipher.ChaCha20_Poly1305.new().

This is an example of how ChaCha20-Poly1305 (TLS version) can encrypt and authenticate data:

>>> import json>>> from base64 import b64encode>>> from Crypto.Cipher import ChaCha20_Poly1305>>> from Crypto.Random import get_random_bytes>>>>>> header = b"header">>> plaintext = b'Attack at dawn'>>> key = get_random_bytes(32)>>> cipher = ChaCha20_Poly1305.new(key=key)>>> cipher.update(header)>>> ciphertext, tag = cipher.encrypt_and_digest(plaintext)>>>>>> jk = [ 'nonce', 'header', 'ciphertext', 'tag' ]>>> jv = [ b64encode(x).decode('utf-8') for x in (cipher.nonce, header, ciphertext, tag) ]>>> result = json.dumps(dict(zip(jk, jv)))>>> print(result){"nonce": "4EE/9uqhoZ3mQXmm", "header": "aGVhZGVy", "ciphertext": "Wmmo4Vzn+eS3tUPv2a8=", "tag": "/FgVbM8qhzssPRY80T0iVA=="}

In the example above, a 96 bit (12 byte) nonce is automatically created.It can be accessed as the nonce member in the cipher object.

This is how you decrypt the data and check its authenticity:

>>> import json>>> from base64 import b64decode>>> from Crypto.Cipher import ChaCha20_Poly1305>>>>>> # We assume that the key was securely shared beforehand>>> try:>>>  b64 = json.loads(json_input)>>>  jk = [ 'nonce', 'header', 'ciphertext', 'tag' ]>>>  jv = {k:b64decode(b64[k]) for k in jk}>>>>>>  cipher = ChaCha20_Poly1305.new(key=key, nonce=jv['nonce'])>>>  cipher.update(jv['header'])>>>  plaintext = cipher.decrypt_and_verify(jv['ciphertext'], jv['tag'])>>>  print("The message was: " + plaintext)>>> except (ValueError, KeyError):>>>  print("Incorrect decryption")

class Crypto.Cipher.ChaCha20_Poly1305.ChaCha20Poly1305Cipher(key, nonce)¶

ChaCha20-Poly1305 and XChaCha20-Poly1305 cipher object.Do not create it directly. Use new() instead.

Variables:

nonce (byte string) – The nonce with length 8, 12 or 24 bytes

decrypt(ciphertext, output=None)¶

Decrypt a piece of data.

Parameters:

ciphertext (bytes/bytearray/memoryview) – The data to decrypt, of any size.

Keyword Arguments:

output (bytes/bytearray/memoryview) – The location where the plaintextis written to. If None, the plaintext is returned.

Returns:

If output is None, the plaintext is returned as bytes.Otherwise, None.

decrypt_and_verify(ciphertext, received_mac_tag)¶

Perform decrypt() and verify() in one step.

Parameters:

• ciphertext (bytes/bytearray/memoryview) – The piece of data to decrypt.

• received_mac_tag (bytes) – This is the 16-byte binary MAC, as received from the sender.

Returns:

the decrypted data (as bytes)

Raises:

ValueError – if the MAC does not match. The message has been tampered withor the key is incorrect.

digest()¶

Compute the binary authentication tag (MAC).

Return:

the MAC tag, as 16 bytes.

encrypt(plaintext, output=None)¶

Encrypt a piece of data.

Parameters:

plaintext (bytes/bytearray/memoryview) – The data to encrypt, of any size.

Keyword Arguments:

output (bytes/bytearray/memoryview) – The location where the ciphertextis written to. If None, the ciphertext is returned.

Returns:

If output is None, the ciphertext is returned as bytes.Otherwise, None.

encrypt_and_digest(plaintext)¶

Perform encrypt() and digest() in one step.

Parameters:

plaintext (bytes/bytearray/memoryview) – The data to encrypt, of any size.

Returns:

a tuple with two bytes objects:

• the ciphertext, of equal length as the plaintext

• the 16-byte MAC tag

hexdigest()¶

Compute the printable authentication tag (MAC).

This method is like digest().

Return:

the MAC tag, as a hexadecimal string.

hexverify(hex_mac_tag)¶

Validate the printable authentication tag (MAC).

This method is like verify().

Parameters:

hex_mac_tag (string) – This is the printable MAC.

Raises ValueError:

if the MAC does not match. The message has been tampered withor the key is incorrect.

update(data)¶

Protect the associated data.

Associated data (also known as additional authenticated data - AAD)is the piece of the message that must stay in the clear, whilestill allowing the receiver to verify its integrity.An example is packet headers.

The associated data (possibly split into multiple segments) isfed into update() before any call to decrypt() or encrypt().If there is no associated data, update() is not called.

Parameters:

assoc_data (bytes/bytearray/memoryview) – A piece of associated data. There are no restrictions on its size.

verify(received_mac_tag)¶

Validate the binary authentication tag (MAC).

The receiver invokes this method at the very end, tocheck if the associated data (if any) and the decryptedmessages are valid.

Parameters:

received_mac_tag (bytes/bytearray/memoryview) – This is the 16-byte binary MAC, as received from the sender.

Raises ValueError:

if the MAC does not match. The message has been tampered withor the key is incorrect.

Crypto.Cipher.ChaCha20_Poly1305.new(**kwargs)¶

Create a new ChaCha20-Poly1305 or XChaCha20-Poly1305 AEAD cipher.

Keyword Arguments:

• key – The secret key to use. It must be 32 bytes long.

• nonce –

  A value that must never be reused for any other encryptiondone with this key.

  For ChaCha20-Poly1305, it must be 8 or 12 bytes long.

  For XChaCha20-Poly1305, it must be 24 bytes long.

  If not provided, 12 bytes will be generated randomly(you can find them back in the nonce attribute).

Return:

a Crypto.Cipher.ChaCha20.ChaCha20Poly1305Cipher object