ChaCha20 (without Poly1305) block counter

Matt Caswell matt at
Thu Apr 18 10:06:12 UTC 2019

On 17/04/2019 20:36, Jerry Lui wrote:
> Hi,
> I am trying to use ChaCha20 (without Poly1305)
> From RFC 7539:
> One of the inputs to ChaCha20 is:
> "A 32-bit initial counter."
> However I cannot find the function to set this. where should I input this?

>From code inspection it looks to me like our documentation is wrong. Our docs say:

  =item EVP_chacha20()

  The ChaCha20 stream cipher. The key length is 256 bits, the IV is 96 bits long.

The IV here is referring to the number of bytes in the IV field that should be
sent to EVP_EncryptInit_ex().

But what is actually implemented is a 128 bit IV with the first 32 bits being
the counter and the next 96 bits being the nonce.

Additionally the counter is in little-endian order. So a counter of 1 is
expressed as 4 bytes: 01000000

I've raised the following PR to correct this:


More information about the openssl-users mailing list