idnits 2.17.1 draft-arciszewski-xchacha-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The abstract seems to contain references ([RFC7539]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 167 has weird spacing: '...ccccccc ccccc...' == Line 168 has weird spacing: '...kkkkkkk kkkkk...' == Line 169 has weird spacing: '...kkkkkkk kkkkk...' == Line 170 has weird spacing: '...bbbbbbb nnnnn...' == Line 174 has weird spacing: '...ccccccc ccccc...' == (4 more instances...) == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. -- The document date (October 11, 2018) is 1996 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 272 -- Looks like a reference, but probably isn't: '2' on line 275 -- Looks like a reference, but probably isn't: '3' on line 277 -- Looks like a reference, but probably isn't: '4' on line 279 -- Looks like a reference, but probably isn't: '5' on line 281 -- Looks like a reference, but probably isn't: '6' on line 284 -- Looks like a reference, but probably isn't: '7' on line 286 -- Looks like a reference, but probably isn't: '8' on line 288 -- Looks like a reference, but probably isn't: '9' on line 290 -- Looks like a reference, but probably isn't: '10' on line 292 -- Looks like a reference, but probably isn't: '11' on line 294 -- Looks like a reference, but probably isn't: '12' on line 296 ** Obsolete normative reference: RFC 7539 (Obsoleted by RFC 8439) Summary: 4 errors (**), 0 flaws (~~), 8 warnings (==), 13 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 (No Working Group) S. Arciszewski 3 Internet-Draft Paragon Initiative Enterprises 4 Intended status: Informational October 11, 2018 5 Expires: April 14, 2019 7 XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305 8 draft-arciszewski-xchacha-02 10 Abstract 12 The eXtended-nonce ChaCha cipher construction (XChaCha) allows for 13 ChaCha-based ciphersuites to accept a 192-bit nonce with similar 14 guarantees to the original construction, except with a much lower 15 probability of nonce misuse occurring. This enables XChaCha 16 constructions to be stateless, while retaining the same security 17 assumptions as ChaCha. 19 This document defines XChaCha20, which uses HChaCha20 to convert the 20 key and part of the nonce into a subkey, which is in turn used with 21 the remainder of the nonce with ChaCha20 to generate a pseudorandom 22 keystream (e.g. for message encryption). 24 This document also defines AEAD_XChaCha20_Poly1305, a variant of 25 [RFC7539] that utilizes the XChaCha20 construction in place of 26 ChaCha20. 28 Status of This Memo 30 This Internet-Draft is submitted in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Internet-Drafts are working documents of the Internet Engineering 34 Task Force (IETF). Note that other groups may also distribute 35 working documents as Internet-Drafts. The list of current Internet- 36 Drafts is at https://datatracker.ietf.org/drafts/current/. 38 Internet-Drafts are draft documents valid for a maximum of six months 39 and may be updated, replaced, or obsoleted by other documents at any 40 time. It is inappropriate to use Internet-Drafts as reference 41 material or to cite them other than as "work in progress." 43 This Internet-Draft will expire on April 14, 2019. 45 Copyright Notice 47 Copyright (c) 2018 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (https://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the Simplified BSD License. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 63 1.1. Notation and Conventions . . . . . . . . . . . . . . . . 3 64 2. AEAD_XChaCha20_Poly1305 . . . . . . . . . . . . . . . . . . . 3 65 2.1. Motivation for XChaCha20-Poly1305 . . . . . . . . . . . . 3 66 2.2. HChaCha20 . . . . . . . . . . . . . . . . . . . . . . . . 4 67 2.2.1. Test Vector for the HChaCha20 Block Function . . . . 5 68 2.3. XChaCha20 . . . . . . . . . . . . . . . . . . . . . . . . 5 69 2.3.1. XChaCha20 Pseudocode . . . . . . . . . . . . . . . . 6 70 3. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 71 3.1. Normative References . . . . . . . . . . . . . . . . . . 6 72 3.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 6 73 Appendix A. Additional Test Vectors . . . . . . . . . . . . . . 7 74 A.1. Example and Test Vector for AEAD_XCHACHA20_POLY1305 . . . 7 75 A.2. Example and Test Vector for XChaCha20 . . . . . . . . . . 9 76 A.3. Developer-Friendly Test Vectors . . . . . . . . . . . . . 10 77 A.3.1. AEAD_XCHACHA20_POLY1305 . . . . . . . . . . . . . . . 10 78 A.3.2. XChaCha20 . . . . . . . . . . . . . . . . . . . . . . 11 79 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12 81 1. Introduction 83 AEAD constructions (Authenticated Encryption with Associated Data) 84 allow for message confidentiality to be assured even in the presence 85 of adaptive chosen-ciphertext attacks, but they're known to be 86 brittle to nonce-misuse conditions [1]. 88 Several nonce misuse resistant cipher constructions have been 89 proposed over the years, including AES-SIV ([RFC5297]), AES-GCM-SIV 90 [2], and several CAESAR candidates [3]. 92 However, a more straightforward strategy can prevent nonce misuse 93 conditions in environments where a large number of messages are 94 encrypted. Simply use a large enough nonce such that applications 95 can generate them randomly for each message and the probability of a 96 collision remains low. 98 To this end, we propose a solution that is already implemented in 99 many software projects that extends the nonce of ChaCha20 to 192 bits 100 and uses it to build an AEAD construction. 102 1.1. Notation and Conventions 104 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 105 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 106 document are to be interpreted as described in RFC 2119 [RFC2119]. 108 2. AEAD_XChaCha20_Poly1305 110 XChaCha20-Poly1305 is a variant of the ChaCha20-Poly1305 AEAD 111 construction as defined in [RFC7539] that uses a 192-bit nonce 112 instead of a 96-bit nonce. 114 The algorithm for XChaCha20-Poly1305 is as follows: 116 1. Calculate a subkey from the first 16 bytes of the nonce and the 117 key, using HChaCha20 (Section 2.2). 119 2. Use the subkey and remaining 8 bytes of the nonce (prefixed with 120 4 NUL bytes) with AEAD_CHACHA20_POLY1305 from [RFC7539] as 121 normal. The definition for XChaCha20 is given in Section 2.3. 123 XChaCha20-Poly1305 implementations already exist in WireGuard [4], 124 libsodium [5], Monocypher [6], xsecretbox [7], Tink [8], and in Go's 125 crypto/chacha20poly1305 [9] library. 127 Similarly, Google's HPolyC [10] implements XChaCha12. 129 2.1. Motivation for XChaCha20-Poly1305 131 The nonce used by the original ChaCha20-Poly1305 is too short to 132 safely use with random strings for long-lived keys. 133 XChaCha20-Poly1305 does not have this restriction. 135 By generating a subkey from a 128-bit nonce and the key, a reuse of 136 only the latter 64 bits of the nonce isn't security-affecting, since 137 the key (and thus, keystream) will be different. Additionally a re- 138 use of only the first 128 bits of the nonce isn't security-affecting, 139 as the nonce derived from the latter 64 bits is different. 141 Assuming a secure random number generator, random 192-bit nonces 142 should experience a single collision (with probability 50%) after 143 roughly 2^96 messages (approximately 7.2998163e+28). A more 144 conservative threshold (2^-32 chance of collision) still allows for 145 2^64 messages to be sent under a single key. 147 Therefore, with XChaCha20-Poly1305, users can safely generate a 148 random 192-bit nonce for each message and not worry about nonce-reuse 149 vulnerabilities. 151 As long as ChaCha20-Poly1305 is a secure AEAD cipher and ChaCha is a 152 secure pseudorandom function (PRF), XChaCha20-Poly1305 is secure. 154 2.2. HChaCha20 156 *HChaCha20* is an intermediary step towards XChaCha20 based on the 157 construction and security proof used to create XSalsa20 [11], an 158 extended-nonce Salsa20 variant used in NaCl [12]. 160 HChaCha20 is initialized the same way as the ChaCha cipher, except 161 that HChaCha20 uses a 128-bit nonce and has no counter. 163 Consider the two figures below, where each non-whitespace character 164 represents one nibble of information about the ChaCha states (all 165 numbers little-endian): 167 cccccccc cccccccc cccccccc cccccccc 168 kkkkkkkk kkkkkkkk kkkkkkkk kkkkkkkk 169 kkkkkkkk kkkkkkkk kkkkkkkk kkkkkkkk 170 bbbbbbbb nnnnnnnn nnnnnnnn nnnnnnnn 172 ChaCha20 State: c=constant k=key b=blockcount n=nonce 174 cccccccc cccccccc cccccccc cccccccc 175 kkkkkkkk kkkkkkkk kkkkkkkk kkkkkkkk 176 kkkkkkkk kkkkkkkk kkkkkkkk kkkkkkkk 177 nnnnnnnn nnnnnnnn nnnnnnnn nnnnnnnn 179 HChaCha20 State: c=constant k=key n=nonce 181 After initialization, proceed through the ChaCha rounds as usual. 183 Once the 20 ChaCha rounds have been completed, the first 128 bits and 184 last 128 bits of the ChaCha state (both little-endian) are 185 concatenated, and this 256-bit subkey is returned. 187 2.2.1. Test Vector for the HChaCha20 Block Function 189 o Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13: 190 14:15:16:17:18:19:1a:1b:1c:1d:1e:1f. The key is a sequence of 191 octets with no particular structure before we copy it into the 192 HChaCha state. 194 o Nonce = (00:00:00:09:00:00:00:4a:00:00:00:00:31:41:59:27) 196 After setting up the HChaCha state, it looks like this: 198 61707865 3320646e 79622d32 6b206574 199 03020100 07060504 0b0a0908 0f0e0d0c 200 13121110 17161514 1b1a1918 1f1e1d1c 201 09000000 4a000000 00000000 27594131 203 ChaCha state with the key setup. 205 After running 20 rounds (10 column rounds interleaved with 10 206 "diagonal rounds"), the HChaCha state looks like this: 208 82413b42 27b27bfe d30e4250 8a877d73 209 4864a70a f3cd5479 37cd6a84 ad583c7b 210 8355e377 127ce783 2d6a07e0 e5d06cbc 211 a0f9e4d5 8a74a853 c12ec413 26d3ecdc 213 HChaCha state after 20 rounds 215 HChaCha20 will then return only the first and last rows, resulting in 216 the following 256-bit key: 218 82413b42 27b27bfe d30e4250 8a877d73 219 a0f9e4d5 8a74a853 c12ec413 26d3ecdc 221 Resultant HChaCha20 subkey 223 2.3. XChaCha20 225 XChaCha20 can be constructed from an existing ChaCha20 implementation 226 and HChaCha20. All one needs to do is: 228 1. Pass the key and the first 16 bytes of the 24-byte nonce to 229 HChaCha20 to obtain the subkey. 231 2. Use the subkey and remaining 8 byte nonce with ChaCha20 as normal 232 (prefixed by 4 NUL bytes, since [RFC7539] specifies a 12-byte 233 nonce). 235 XChaCha20 is a stream cipher and offers no integrity guarantees 236 without being combined with a MAC algorithm (e.g. Poly1305). 238 The same HChaCha20 subkey derivation can also be used in the context 239 of an AEAD_ChaCha20_Poly1305 implementation to create 240 AEAD_XChaCha20_Poly1305, as described in Section 2. 242 2.3.1. XChaCha20 Pseudocode 244 xchacha20_encrypt(key, nonce, plaintext): 245 subkey = hchacha20(key, nonce[0:15]) 246 return chacha20_encrypt(subkey, nonce[16:23], plaintext) 248 3. References 250 3.1. Normative References 252 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 253 Requirement Levels", BCP 14, RFC 2119, 254 DOI 10.17487/RFC2119, March 1997, 255 . 257 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 258 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 259 . 261 [RFC5297] Harkins, D., "Synthetic Initialization Vector (SIV) 262 Authenticated Encryption Using the Advanced Encryption 263 Standard (AES)", RFC 5297, DOI 10.17487/RFC5297, October 264 2008, . 266 [RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF 267 Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, 268 . 270 3.2. URIs 272 [1] https://cryptologie.net/article/361/breaking-https-aes-gcm-or-a- 273 part-of-it/ 275 [2] https://eprint.iacr.org/2017/168.pdf 277 [3] https://competitions.cr.yp.to/caesar-submissions.html 279 [4] https://www.wireguard.com 281 [5] https://download.libsodium.org/doc/secret-key_cryptography/ 282 xchacha20-poly1305_construction.html 284 [6] https://monocypher.org/manual/aead 286 [7] https://github.com/jedisct1/xsecretbox 288 [8] https://github.com/google/tink 290 [9] https://godoc.org/golang.org/x/crypto/chacha20poly1305#NewX 292 [10] https://github.com/google/hpolyc 294 [11] https://cr.yp.to/snuffle/xsalsa-20110204.pdf 296 [12] https://nacl.cr.yp.to 298 Appendix A. Additional Test Vectors 300 A.1. Example and Test Vector for AEAD_XCHACHA20_POLY1305 302 Plaintext: 304 000 4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c Ladies and Gentl 305 016 65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73 emen of the clas 306 032 73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63 s of '99: If I c 307 048 6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f ould offer you o 308 064 6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20 nly one tip for 309 080 74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73 the future, suns 310 096 63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69 creen would be i 311 112 74 2e t. 313 AAD: 315 000 50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7 PQRS........ 317 Key: 319 000 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f ................ 320 016 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f ................ 322 IV: 324 000 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f @ABCDEFGHIJKLMNO 325 016 50 51 52 53 54 55 56 57 PQRSTUVW 327 32-bit fixed-common part: 329 000 00 00 00 00 .... 331 Poly1305 Key: 333 000 7b 19 1f 80 f3 61 f0 99 09 4f 6f 4b 8f b9 7d f8 {....a...OoK..}. 334 016 47 cc 68 73 a8 f2 b1 90 dd 73 80 71 83 f9 07 d5 G.hs.....s.q.... 336 Ciphertext: 338 000 bd 6d 17 9d 3e 83 d4 3b 95 76 57 94 93 c0 e9 39 .m..>..;.vW....9 339 016 57 2a 17 00 25 2b fa cc be d2 90 2c 21 39 6c bb W*..%+.....,!9l. 340 032 73 1c 7f 1b 0b 4a a6 44 0b f3 a8 2f 4e da 7e 39 s....J.D.../N.~9 341 048 ae 64 c6 70 8c 54 c2 16 cb 96 b7 2e 12 13 b4 52 .d.p.T.........R 342 064 2f 8c 9b a4 0d b5 d9 45 b1 1b 69 b9 82 c1 bb 9e /......E..i..... 343 080 3f 3f ac 2b c3 69 48 8f 76 b2 38 35 65 d3 ff f9 ??.+.iH.v.85e... 344 096 21 f9 66 4c 97 63 7d a9 76 88 12 f6 15 c6 8b 13 !.fL.c}.v....... 345 112 b5 2e .. 347 Tag: 349 c0:87:59:24:c1:c7:98:79:47:de:af:d8:78:0a:cf:49 351 A.2. Example and Test Vector for XChaCha20 353 Plaintext: 355 000 54 68 65 20 64 68 6f 6c 65 20 28 70 72 6f 6e 6f The dhole (prono 356 010 75 6e 63 65 64 20 22 64 6f 6c 65 22 29 20 69 73 unced "dole") is 357 020 20 61 6c 73 6f 20 6b 6e 6f 77 6e 20 61 73 20 74 also known as t 358 030 68 65 20 41 73 69 61 74 69 63 20 77 69 6c 64 20 he Asiatic wild 359 040 64 6f 67 2c 20 72 65 64 20 64 6f 67 2c 20 61 6e dog, red dog, an 360 050 64 20 77 68 69 73 74 6c 69 6e 67 20 64 6f 67 2e d whistling dog. 361 060 20 49 74 20 69 73 20 61 62 6f 75 74 20 74 68 65 It is about the 362 070 20 73 69 7a 65 20 6f 66 20 61 20 47 65 72 6d 61 size of a Germa 363 080 6e 20 73 68 65 70 68 65 72 64 20 62 75 74 20 6c n shepherd but l 364 090 6f 6f 6b 73 20 6d 6f 72 65 20 6c 69 6b 65 20 61 ooks more like a 365 0a0 20 6c 6f 6e 67 2d 6c 65 67 67 65 64 20 66 6f 78 long-legged fox 366 0b0 2e 20 54 68 69 73 20 68 69 67 68 6c 79 20 65 6c . This highly el 367 0c0 75 73 69 76 65 20 61 6e 64 20 73 6b 69 6c 6c 65 usive and skille 368 0d0 64 20 6a 75 6d 70 65 72 20 69 73 20 63 6c 61 73 d jumper is clas 369 0e0 73 69 66 69 65 64 20 77 69 74 68 20 77 6f 6c 76 sified with wolv 370 0f0 65 73 2c 20 63 6f 79 6f 74 65 73 2c 20 6a 61 63 es, coyotes, jac 371 100 6b 61 6c 73 2c 20 61 6e 64 20 66 6f 78 65 73 20 kals, and foxes 372 110 69 6e 20 74 68 65 20 74 61 78 6f 6e 6f 6d 69 63 in the taxonomic 373 120 20 66 61 6d 69 6c 79 20 43 61 6e 69 64 61 65 2e family Canidae. 375 Key: 377 000 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f ................ 378 016 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f ................ 380 IV: 382 000 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f @ABCDEFGHIJKLMNO 383 016 50 51 52 53 54 55 56 58 PQRSTUVX 385 Ciphertext: 387 000 45 59 ab ba 4e 48 c1 61 02 e8 bb 2c 05 e6 94 7f EY..NH.a...,.... 388 010 50 a7 86 de 16 2f 9b 0b 7e 59 2a 9b 53 d0 d4 e9 P..../..~Y*.S... 389 020 8d 8d 64 10 d5 40 a1 a6 37 5b 26 d8 0d ac e4 fa ..d..@..7[&..... 390 030 b5 23 84 c7 31 ac bf 16 a5 92 3c 0c 48 d3 57 5d .#..1.....<.H.W] 391 040 4d 0d 2c 67 3b 66 6f aa 73 10 61 27 77 01 09 3a M.,g;fo.s.a'w..: 392 050 6b f7 a1 58 a8 86 42 92 a4 1c 48 e3 a9 b4 c0 da k..X..B...H..... 393 060 ec e0 f8 d9 8d 0d 7e 05 b3 7a 30 7b bb 66 33 31 ......~..z0{.f31 394 070 64 ec 9e 1b 24 ea 0d 6c 3f fd dc ec 4f 68 e7 44 d...$..l?...Oh.D 395 080 30 56 19 3a 03 c8 10 e1 13 44 ca 06 d8 ed 8a 2b 0V.:.....D.....+ 396 090 fb 1e 8d 48 cf a6 bc 0e b4 e2 46 4b 74 81 42 40 ...H......FKt.B@ 397 0a0 7c 9f 43 1a ee 76 99 60 e1 5b a8 b9 68 90 46 6e |.C..v.`.[..h.Fn 398 0b0 f2 45 75 99 85 23 85 c6 61 f7 52 ce 20 f9 da 0c .Eu..#..a.R. ... 399 0c0 09 ab 6b 19 df 74 e7 6a 95 96 74 46 f8 d0 fd 41 ..k..t.j..tF...A 400 0d0 5e 7b ee 2a 12 a1 14 c2 0e b5 29 2a e7 a3 49 ae ^{.*......)*..I. 401 0e0 57 78 20 d5 52 0a 1f 3f b6 2a 17 ce 6a 7e 68 fa Wx .R..?.*..j~h. 402 0f0 7c 79 11 1d 88 60 92 0b c0 48 ef 43 fe 84 48 6c |y...`...H.C..Hl 403 100 cb 87 c2 5f 0a e0 45 f0 cc e1 e7 98 9a 9a a2 20 ..._..E........ 404 110 a2 8b dd 48 27 e7 51 a2 4a 6d 5c 62 d7 90 a6 63 ...H'.Q.Jm\b...c 405 120 93 b9 31 11 c1 a5 5d d7 42 1a 10 18 49 74 c7 c5 ..1...].B...It.. 407 A.3. Developer-Friendly Test Vectors 409 For the sake of usability, the above test vectors have been 410 reproduced in a format more readily usable by implementors. 412 All values below are hex-encoded, as per RFC 4648 [RFC4648]. 414 A.3.1. AEAD_XCHACHA20_POLY1305 416 Plaintext: 418 4c616469657320616e642047656e746c656d656e206f662074686520636c6173 419 73206f66202739393a204966204920636f756c64206f6666657220796f75206f 420 6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73 421 637265656e20776f756c642062652069742e 423 AAD: 425 50515253c0c1c2c3c4c5c6c7 427 Key: 429 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f 431 IV: 433 404142434445464748494a4b4c4d4e4f5051525354555657 435 32-bit fixed-common part: 437 00000000 439 Poly1305 Key: 441 7b191f80f361f099094f6f4b8fb97df847cc6873a8f2b190dd73807183f907d5 443 Ciphertext: 445 bd6d179d3e83d43b9576579493c0e939572a1700252bfaccbed2902c21396cbb 446 731c7f1b0b4aa6440bf3a82f4eda7e39ae64c6708c54c216cb96b72e1213b452 447 2f8c9ba40db5d945b11b69b982c1bb9e3f3fac2bc369488f76b2383565d3fff9 448 21f9664c97637da9768812f615c68b13b52e 450 Tag: 452 c0875924c1c7987947deafd8780acf49 454 A.3.2. XChaCha20 456 Plaintext: 458 5468652064686f6c65202870726f6e6f756e6365642022646f6c652229206973 459 20616c736f206b6e6f776e2061732074686520417369617469632077696c6420 460 646f672c2072656420646f672c20616e642077686973746c696e6720646f672e 461 2049742069732061626f7574207468652073697a65206f662061204765726d61 462 6e20736865706865726420627574206c6f6f6b73206d6f7265206c696b652061 463 206c6f6e672d6c656767656420666f782e205468697320686967686c7920656c 464 757369766520616e6420736b696c6c6564206a756d70657220697320636c6173 465 736966696564207769746820776f6c7665732c20636f796f7465732c206a6163 466 6b616c732c20616e6420666f78657320696e20746865207461786f6e6f6d6963 467 2066616d696c792043616e696461652e 469 Key: 471 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f 473 IV: 475 404142434445464748494a4b4c4d4e4f5051525354555658 477 Ciphertext: 479 4559abba4e48c16102e8bb2c05e6947f50a786de162f9b0b7e592a9b53d0d4e9 480 8d8d6410d540a1a6375b26d80dace4fab52384c731acbf16a5923c0c48d3575d 481 4d0d2c673b666faa731061277701093a6bf7a158a8864292a41c48e3a9b4c0da 482 ece0f8d98d0d7e05b37a307bbb66333164ec9e1b24ea0d6c3ffddcec4f68e744 483 3056193a03c810e11344ca06d8ed8a2bfb1e8d48cfa6bc0eb4e2464b74814240 484 7c9f431aee769960e15ba8b96890466ef2457599852385c661f752ce20f9da0c 485 09ab6b19df74e76a95967446f8d0fd415e7bee2a12a114c20eb5292ae7a349ae 486 577820d5520a1f3fb62a17ce6a7e68fa7c79111d8860920bc048ef43fe84486c 487 cb87c25f0ae045f0cce1e7989a9aa220a28bdd4827e751a24a6d5c62d790a663 488 93b93111c1a55dd7421a10184974c7c5 490 Author's Address 492 Scott Arciszewski 493 Paragon Initiative Enterprises 494 United States 496 Email: security@paragonie.com