#aead #chacha20 #poly1305 #xchacha20 #xchacha20poly1305

no-std chacha20poly1305

Pure Rust implementation of the ChaCha20Poly1305 Authenticated Encryption with Additional Data Cipher (RFC 8439) with optional architecture-specific hardware acceleration. Also contains implementations of the XChaCha20Poly1305 extended nonce variant of ChaCha20Poly1305, and the reduced-round ChaCha8Poly1305 and ChaCha12Poly1305 lightweight variants.

27 releases

0.10.1 Aug 10, 2022
0.10.0-pre.2 Jul 20, 2022
0.10.0-pre Mar 19, 2022
0.9.0 Aug 29, 2021
0.0.0 Oct 6, 2016

#310 in Cryptography

Download history 113064/week @ 2023-08-16 132725/week @ 2023-08-23 128676/week @ 2023-08-30 127645/week @ 2023-09-06 132787/week @ 2023-09-13 126382/week @ 2023-09-20 122657/week @ 2023-09-27 129693/week @ 2023-10-04 145945/week @ 2023-10-11 145599/week @ 2023-10-18 161012/week @ 2023-10-25 153412/week @ 2023-11-01 166362/week @ 2023-11-08 212450/week @ 2023-11-15 171107/week @ 2023-11-22 136419/week @ 2023-11-29

716,165 downloads per month
Used in 750 crates (170 directly)

Apache-2.0 OR MIT

202 lines

RustCrypto: ChaCha20Poly1305

crate Docs Apache2/MIT licensed Rust Version Project Chat Build Status

Pure Rust implementation of ChaCha20Poly1305 (RFC 8439): an Authenticated Encryption with Associated Data (AEAD) cipher amenable to fast, constant-time implementations in software, based on the ChaCha20 stream cipher and Poly1305 universal hash function.

This crate also contains an implementation of XChaCha20Poly1305: a variant of ChaCha20Poly1305 with an extended 192-bit (24-byte) nonce.



ChaCha20Poly1305 is notable for being simple and fast when implemented in pure software. The underlying ChaCha20 stream cipher uses a simple combination of add, rotate, and XOR instructions (a.k.a. "ARX"), and the Poly1305 hash function is likewise extremely simple.

While it hasn't received approval from certain standards bodies (i.e. NIST) the algorithm is widely used and deployed. Notably it's mandatory to implement in the Transport Layer Security (TLS) protocol. The underlying ChaCha20 cipher is also widely used as a cryptographically secure random number generator, including internal use by the Rust standard library.

Security Notes

This crate has received one security audit by NCC Group, with no significant findings. We would like to thank MobileCoin for funding the audit.

All implementations contained in the crate are designed to execute in constant time, either by relying on hardware intrinsics (i.e. AVX2 on x86/x86_64), or using a portable implementation which is only constant time on processors which implement constant-time multiplication.

It is not suitable for use on processors with a variable-time multiplication operation (e.g. short circuit on multiply-by-zero / multiply-by-one, such as certain 32-bit PowerPC CPUs and some non-ARM microcontrollers).


Licensed under either of:

at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.


~15K SLoC