Libsodium documentation
GitHub repositoryDownloadQuickstartLibhydrogen
Search…
Introduction
Installation
Quickstart and FAQ
Projects using libsodium
Commercial support
Bindings for other languages
Usage
Helpers
Padding
Secure memory
Generating random data
Secret-key cryptography
Public-key cryptography
Hashing
Password hashing
Key derivation
Key exchange
Advanced
SHA-2
HMAC-SHA-2
The Scrypt function
Point*scalar multiplicaton
One-time authentication
Stream ciphers
ChaCha20
XChaCha20
Salsa20
XSalsa20
Ed25519 to Curve25519
Finite field arithmetic
Custom RNG
Internals
Roadmap
Powered By GitBook
XSalsa20
XSalsa20 is a stream cipher based upon Salsa20 but with a much longer nonce: 192 bits instead of 64 bits.
XSalsa20 uses a 256-bit key as well as the first 128 bits of the nonce in order to compute a subkey. This subkey, as well as the remaining 64 bits of the nonce, are the parameters of the Salsa20 function used to actually generate the stream.
Like Salsa20, XSalsa20 is immune to timing attacks and provides its own 64-bit block counter to avoid incrementing the nonce after each block.
But with XSalsa20's longer nonce, it is safe to generate nonces using randombytes_buf() for every message encrypted with the same key without having to worry about a collision.
Sodium exposes XSalsa20 with 20 rounds as the crypto_stream operation.

Usage

int crypto_stream(unsigned char *c, unsigned long long clen,
const unsigned char *n, const unsigned char *k);
The crypto_stream() function stores clen pseudo random bytes into c using a nonce n (crypto_stream_NONCEBYTES bytes) and a secret key k (crypto_stream_KEYBYTES bytes).
int crypto_stream_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
const unsigned char *k);
The crypto_stream_xor() function encrypts a message m of length mlen using a nonce n (crypto_stream_NONCEBYTES bytes) and a secret key k (crypto_stream_KEYBYTES bytes).
The ciphertext is put into c. The ciphertext is the message combined with the output of the stream cipher using the XOR operation, and doesn't include any authentication tag.
m and c can point to the same address (in-place encryption/decryption). If they don't, the regions should not overlap.
void crypto_stream_keygen(unsigned char k[crypto_stream_KEYBYTES]);
This helper function introduced in libsodium 1.0.12 creates a random key k.
It is equivalent to calling randombytes_buf() but improves code clarity and can prevent misuse by ensuring that the provided key length is always be correct.

Constants

  • crypto_stream_KEYBYTES
  • crypto_stream_NONCEBYTES
  • crypto_stream_PRIMITIVE
Previous
Salsa20
Next
Ed25519 to Curve25519
Last modified 9mo ago
Copy link
Outline
Usage
Constants