ChaCha Usage & Deployment

Updated: October 30, 2024

Here's a list of protocols and software that implement ChaCha, the superfast, super secure stream cipher by Dan Bernstein. Note that most implementations use ChaCha20, the full 20-round variant.

This page is organized by Protocols, Networks, Operating Systems, Hardware, Software, SSH Software, WireGuard Software, TLS Libraries, Libraries, Cryptographic Functions, Miscellaneous, Timeline notes, and Support coming soon.

You may also be interested in this list of Salsa20 deployment. ChaCha is a variant of Salsa20 from the same author.

Protocols

• SSH, via chacha20-poly1305@openssh.com
• Noise — a framework for crypto protocols based on Diffie-Hellman key agreement
• QUIC — a secure transport protocol
• WireGuard — fast, modern, secure VPN tunnel
• netcode — A simple protocol for creating secure client/server connections over UDP
• OTRv4 — Off-the-Record Messaging protocol, version 4
• S/MIME 4.0 — Secure/Multipurpose Internet Mail Extensions
• PASETO — a specification and reference implementation for secure stateless tokens
• TLS — Transport Layer Security

Networks

• Lightning Network

Operating Systems

• OpenBSD — used in random number generation, as well as in OpenSSH, OpenSMTPD, OpenIKED, LibreSSL, and WireGuard
• Linux — used in both random number generation, and WireGuard
• Dragonfly BSD — used in random number generation and OpenSSH
• FreeBSD — used in random number generation, WireGuard, and OpenSSH
• Android — ships with Chrome, which uses ChaCha20 in TLS and QUIC; will also use ChaCha in Adiantum for disk encryption
• NetBSD — used in random number generation, OpenSSL, and in NetBSD's WireGuard implementation
• illumos gate — supports ChaCha-based arc4random from OpenBSD
• Redox — uses chacha in librand because Rust stdlib uses chacha in librand
• Sortix — a small self-hosting operating-system aiming to be a clean and modern POSIX implementation
• OPNsense — an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform
• Fuchsia — used in random number generation
• Any OS that ships with OpenSSL 1.1.0+
• Any operating system that ships with OpenSSH 6.5+, OpenSMTPD, or LibreSSL, all from the OpenBSD project

Hardware

• PAx5 — a home automation platform designed to be secure, stable and extensible

Software

• Web browsers and clients
  • Chromium/Chrome — used in both TLS and QUIC as ChaCha20-Poly1305
  • Firefox — used in TLS
  • Iridium — Chromium + privacy enhancements (supports TLS and QUIC)
  • Safari — support verified in iOS 12.2 and OS X 10.14.4
  • Let's Encrypt validation server
• Web crawlers
  • Googlebot
  • Qwant
  • ArchiveBot — an IRC bot designed to automate the archival of smaller websites
  • SeznamBot — popular independent search engine (seznam.cz) in the Czech Republic
  • many others
• Web servers
  • Caddy — supports ChaCha20-Poly1305 in TLS and QUIC
  • OpenBSD httpd — a web server based on relayd. It is secure, serves static files and supports FastCGI and TLS
  • All webservers built with LibreSSL or these TLS libraries
• Password Managers
  • filosottile-passage — a fork of password-store that uses age as a backend instead of GnuPG
  • KeePass — a light-weight and easy-to-use password manager
  • pick — Minimal password manager for macOS and Linux
  • kickpass — Stupid simple password safe
  • Lumimaja — PasswordSafe with Argon2 KDF
  • kbs2 — A secret manager backed by age
  • pa — a simple password manager with encryption via age
  • gpanders-passage — a password store utilizing the age encryption library
  • HashiCorp Vault — A Tool for Managing Secrets
  • SpicyPass — A light-weight password manager with a focus on simplicity and security
  • MacPass — A native OS X KeePass client
• Messaging Software
  • Tinfoil Chat — Onion-routed, endpoint secure messaging system
  • Wire — Simple, private & secure messenger
  • cha-cha-chat — Example of ChaCha20 encrypted chat with ECDH key exchange
  • warded — Minimal passphrase manager using Chacha20-Poly1305
• Shadowsocks Software
  • Shadowsocks — A secure socks5 proxy, designed to protect your Internet traffic
  • ShadowsocksX-NG — Next Generation of ShadowsocksX
  • shadowsocks-go — go port of shadowsocks
  • shadowsocks — A fast tunnel proxy that helps you bypass firewalls
  • shadowsocks-windows — Shadowsocks for Windows
  • ShadowsocksRDroid — A ShadowsocksR client for Android4.0+, compatible with the Shadowsocks protocol
  • shadowsocks-rust — A Rust port of shadowsocks
  • myShadowsocks — test
  • my-shadowsocks-go — forked from shadowsocks/shadowsocks-go(add full UDP support, chacha20, traffic statistics, ipv4/ipv6/both)
  • go-shadowsocks2 — Next-generation Shadowsocks in Go
• Other VPN and tunneling software
  • glorytun — A small, simple and very fast VPN
  • vpncloud — Peer-to-peer VPN
  • strongSwan — IPsec-based VPN Solution
  • OpenIKED — free implementation of IKEv2 for IPsec
• OpenSMTPD — used in random number generation
• dnscrypt-proxy — A tool for securing communications between a client and a DNS resolver
• titun — Simple, fast, and cross-platform IP tunnel written in Rust. WireGuard compatible
• age — an encryption tool with small keys, no config options, and UNIX-style composability
• rage — Rust implementation of age
• Unbound — a validating, recursive, and caching DNS resolver
• dnscrypt-wrapper — add dnscrypt support to any name resolver
• Cloaker — Very simple cross-platform file encryption
• mcencrypt — Post-quantum public-key encryption/decryption tool
• OpenBSD relayd — a FREE load-balancer, application layer gateway, transparent proxy, and SSL/TLS gateway
• hashcat — advanced password recovery
• newhope-tor-testvectors — Code for generating the NewHope handshake test vectors included in Tor proposal #XXX
• quicbench — HTTP/QUIC load test and benchmark tool
• asignify — Yet another signify tool
• hpenc — High performance command line tool for stream encryption
• wireproxy — Wireguard client that exposes itself as a socks5 proxy
• quic-go — A QUIC server implementation in pure go
• codecrypt — Post-quantum cryptography tool
• dfcrypt — Experimental implementation of a maybe-better symmetric crypto API
• piknik — Copy/paste anything over the network
• argon2crypt — Encrypts or decrypts a file using a ChaCha20-Poly1305 key derived using Argon2 from a user-entered passphrase
• Rubinius Language Platform — a modern language platform that supports a number of programming languages
• tlsfuzzer — SSL and TLS protocol test suite and fuzzer
• arc — secure file archiver
• HAP-NodeJS — Node.js implementation of HomeKit Accessory Server
• sodium11 — A command line toolkit for encryption and signing of files based on libsodium
• locker — easy secure locker
• nadeko — const-time Rust experiment
• Picocrypt — a very small, very simple, and very secure file encryption tool
• safe — Password protected secret keeper
• VeraCrypt — a free open source disk encryption software for Windows, Mac OSX and Linux
• vsencrypt — Very strong encryption to keep your file securely
• DoorKeeper — An attempt to enable secure communication, authentication & authorization for my ESP8266 project
• Notesnook — fully open source & end-to-end encrypted note taking alternative to Evernote
• cacophony — Pipes for Noise-secured network connections
• detox-crypto — High-level utilities that combine under simple interfaces complexity of the cryptographic layer used in Detox project
• triops.apk — triops port to Android - Encrypt and decrypt files using CHACHA20+KECCAK
• acceptable-security-otr — experiments in OTR stuff, PURELY for educational purposes
• Android-Sqrl2 — Android implementation of a full featured SQRL client
• CryptoPipe — a fast and secure stream-encryption-utility
• zbox — encrypted embeddable file system in Rust
• crypto pouch — Plugin to encrypt a PouchDB/CouchDB database. May switch to AES-GCM depending on Node
• aenker — authenticated encryption on the commandline using a chunked construction similar to intermaclib
• mysql-sodium — Mysql UDF bindings for LibSodium
• niklata-putty — PuTTY with ChaCha20-Poly1305 and Curve25519 support (released well in advance of PuTTY's official support)
• Enchive — encrypted personal archives
• Kryptor — open source file encryption software for Windows, Linux, and macOS
• triops — a multiplatform encryption tool using CHACHA20 + KECCAK
• PoSH-Sodium — Powershell module to wrap libsodium-net methods
• YACMiner — Your Alternative Coin Miner
• crypto-bench — Benchmarks for crypto libraries (in Rust, or with Rust bindings)
• SUPERCOP — a cryptographic benchmarking suite
• Newhope
  • Newhope — Ring-LWE-based key exchange
  • newhope — Golang "Post-quantum key exchange - a new hope." (related paper)
  • luke — Erlang NIF for the post-quantum key exchange named A New Hope
  • NewHope-Golang — NewHope Post-quantum key exchange

SSH Software

• SSH software with full modern crypto support (sntrup761x25519-sha512@openssh.com, X25519, Ed25519 and ChaCha20-Poly1305)
  • OpenSSH — the premier connectivity tool for remote login with the SSH protocol
  • TinySSH — a small SSH server with state-of-the-art cryptography
• SSH software with full classic crypto support, lacking post-quantum security
  • Win32-OpenSSH — Win32 port of OpenSSH
  • PuTTY — a free implementation of SSH and Telnet for Windows and Unix platforms
  • KiTTY — a fork from version 0.70 of PuTTY with extra features
  • SecureCRT — SSH client for Windows, Mac, and Linux
  • Dropbear — an SSH server and client
  • WinSCP — a popular SFTP client for Microsoft Windows
  • asyncssh — an asynchronous SSH2 client and server atop asyncio
  • Termius — an SSH client that works on Desktop and Mobile
  • rlogin — Japanese rlogin, telnet, and ssh client
  • pssht — SSH server written in PHP

WireGuard Software

Note: please see this WireGuard software list for more tools and things in the WireGuard ecosystem.

• WireGuard — an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography
• Android: on Google Play or get an APK from wireguard.com
• FreeBSD: included in release 13.2 and later
• Go: wireguard-go
• iOS: WireGuard/iOS
• Linux: included in kernel 5.6 and later; backport modules available
• macOS: WireGuard/macOS
• NetBSD: included in release 10.0 and later; please note that Jason Donenfeld in 2020 stated that this code " simply is not a WireGuard implementation" and I don't know what has changed since then. NetBSD users may consider using the Golang userspace implementation.
• OpenBSD: included in release 6.8 and later
• Rust: wireguard-rs
• Windows: WireGuard/Windows
  • Browse Windows MSIs
• Apple developers: WireGuardKit — Swift PM package for easily building macOS/iOS apps that use WireGuard tunnels
• 3rd party: TunSafe — Experimental WireGuard Client for OSX (3rd party)
• 3rd party: WireSep — userspace WireGuard for OpenBSD with privsep and tight pledge(2) (3rd party)
• 3rd party: BoringTun — a userspace WireGuard implementation in Rust (3rd party)

TLS Libraries

• LibreSSL from the OpenBSD Project
  • mruby-tls — mruby wrapper for libtls
• OpenSSL 1.1.0+
• TabbySSL — an OpenSSL compatibility layer for the Rust SSL/TLS stack
• Python 3.6+ TLS (requires LibreSSL or OpenSSL 1.1.0+)
• Go crypto/tls
• BoringSSL from Google
• wolfSSL from wolfSSL
  • wolfSSL C# (Wrapper)
  • wolfMQTT (Message Queuing Telemetry Transport)
• fizz — C++14 implementation of the TLS-1.3 standard, by Facebook
• Botan from Jack Lloyd
• GnuTLS (disabled by default. Read the 3.4.0 release notes to enable it.)
• rustls — Embryonic Rust TLS library
• BearSSL — a smaller SSL/TLS library by Thomas Pornin
• tlspin — TLS without PKI
• Inside Secure TLS Toolkit (formerly known as MatrixSSL) — TLS in C with minimalistic system dependencies
• VbAsyncSocket — Sockets with pure VB6 impl of TLS encryption
• mbedtls-esp8266 — Updated and Upgraded mbedTLS library for the ESP8266 (probably ESP32 too)
• Leto — A managed TLS library without all the baggage
• tlslite-ng — an open source python library that implements SSL and TLS cryptographic protocols
• TLSe — Single C file TLS 1.3, 1.2, 1.1 and 1.0 implementation, using libtomcrypt as crypto library
• Java 11+ — programming language
• BoarSSL — a new, independent SSL/TLS library written in C#

PASETO libraries

Be sure to consult the PASETO website for the best information.

PASETO v4 libraries

• Go: go-paseto

PASETO v2 libraries

• C: libpaseto — C implementation of PASETO (v2 local only)
• Elixir: Paseto — An Elixir implementation of Paseto (Platform-Agnostic Security Tokens)
• Java: paseto4j — Paseto implementation for Java
• Java: paseto — Java Implementation of Platform-Agnostic Security Tokens
• Javascript: paseto.js — PASETO: Platform-Agnostic Security Tokens
• Go: paseto — Platform-Agnostic Security Tokens implementation in GO (Golang)
  • Go: go-paseto-middleware — Paseto middleware for GoLang
  • Go: pasetosession — Web session/authentication using PASETO
• Lua: paseto-lua — PASETO (Platform-Agnostic Security Tokens) for Lua
• .NET: Paseto.Net — .NET Implementation of PASETO (v2 local / public encryption)
• .NET: paseto-dotnet — Paseto.NET, a Paseto (Platform-Agnostic Security Tokens) implementation for .NET
• Python: pypaseto — PASETO for Python
• Ruby: paseto.rb — Ruby implementation of Paseto using libsodium
• Rust: paseto — A paseto implementation in rust
• Swift: swift-paseto — Platform-Agnostic Security Tokens implementation in Swift

PASETO plugins

• Phoenix authentication plug: paseto_plu — A Phoenix authentication plug that validates Paseto (Platform Agnostic Security Tokens)

Libraries

• libsodium + wrappers & bindings
  • libsodium — a portable, cross-compilable, installable, packageable fork of NaCl
  • C#: NitraLibSodium
  • C++: sodiumpp
  • C++: sodium-wrapper
  • Clojure: caesium
  • Common LISP: cl-sodium
  • Crystal: sodium.cr
  • D: sodium
  • Delphi/FreePascal: libsodium-delphi
  • Dylan: sodium-dylan
  • Elixir: Savory
  • Elixir: libsalty
  • Erlang and Elixir: erlang-libsodium
  • Erlang: Erlang-NaCl
  • Erlang: Salt
  • Erlang: soda
  • Fortran: Fortium
  • Go: GoSodium
  • Go: sodium
  • Haskell: Saltine
  • Haskell: lithium
  • Idris: sodium-idris
  • Java: kalium
  • Java: jsodium
  • Java JNI: libsodium-jni
  • Java JNI: sodium-jni
  • Java JNI: libstodium
  • JavaScript: sodium-plus
  • Javascript: sodium-native
  • JavaScript: dholecrypto-js
  • Julia: Sodium.jl
  • Kotlin: kotlin-multiplatform-crypto
  • Lua: jprjr-luasodium
  • Lua: lua-sodium
  • Mruby: mruby-libsodium
  • Nativescript: nativescript-libsodium
  • NodeJS: node-sodium
  • Objective-C: NAChloride
  • OCaml: ocaml-sodium
  • Perl: Crypt-Sodium
  • Perl: crypt-nacl-sodium
  • Pharo/Squeak: Crypto-Nacl
  • PHP: php-sodium
  • PHP: libsodium-php
  • PHP: dhole-cryptography
  • Python: libnacl
  • Python: PyNaCl
  • Python: pysodium
  • Python: libsodium-python-examples
  • R: sodium
  • Racket: part of CRESTaceans
  • Ruby: RbNaCl
  • Ruby: sodium
  • Ruby: RbNaCl::Libsodium
  • Rust: Sodium Oxide
  • Rust: libsodium-ffi
  • Rust: rust_sodium
  • Swift: swift-sodium
  • Swift: NaOH
  • UWP: libsodium-uwp
• libsodium.js — The sodium crypto library compiled to pure JavaScript using Emscripten
• Robosodium — Quick scripted compilation of Libsodium for Android
• ChaCha standalone, by language:
  • ASM: chacha20.asm (tux3)
  • ASM/C: chacha-opt (Andrew Moon)
  • Bash: chacha20.sh (Jason A. Donenfeld)
  • C: chacha-avx2 (Samuel Neves)
  • C: chacha20-simple (Insane Coding)
  • C: chacha20 (shiffthq)
  • C: chacha20-c (Ginurx)
  • C: xchapolybox (Jason A. Donenfeld)
  • C++: chacha-native (Calvin Metcalf)
  • C++: ChaCha20-983 (983)
  • C++: ChaCha20 (Masashi Fujita)
  • C#: ChaCha20-csharp (Scott Bennett)
  • Elixir: chacha20_ex (Matt Miller)
  • Forth: ChaChaForth (Carl Mitchell)
  • Go: chacha20 (Coda Hale)
  • Go: chacha20 (Dmitry Chestnykh)
  • Go: go-chacha20 (wsddn)
  • Go: ChaCha (Romain Jacotin)
  • Go: chacha20 (Christopher Wood)
  • Go: chacha20 (Tom Thorogood)
  • Go: chacha20 (Andreas Auernhammer)
  • Go: chacha20poly1305 (Ivan Markin)
  • Go: rfc7539 (Aaron Scott)
  • Java: chacha20 (Jot)
  • Java: ChaCha20-kitsook (Clarence Ho)
  • JavaScript: chacha20 (Jeremie Miller)
  • JavaScript: chacha20-js (Benny Neugebauer)
  • JavaScript: Chacha20-Poly1305 (Manish Malik)
  • JavaScript: dancer (pgp.st)
  • JavaScript: js-chacha20 (Mykola Bubelich)
  • JavaScript: cc2p.js (tomaslangkaas)
  • Luajit: luajit-chacha20 (Nhữ ĐQ Phương)
  • Node: chacha-native (Calvin Metcalf)
  • PHP: PHP-ChaCha20 (Leigh)
  • PHP: PHP-AEAD-ChaCha20-Poly1305 (Leigh)
  • PHP: ChaCha20 (nipil)
  • Powershell: xenotrope-chacha20 (Toby B)
  • Rust: chacha.rs (Calvin Metcalf)
  • Verilog: chacha (Joachim Strömbergson)
  • Verilog: ChaCha20-Poly1305 (Joachim Strömbergson)
  • Verilog: chacha20-verilog (Andres Erbsen)
• Noise
  • noise — Go implementation of the Noise Protocol Framework
  • snow — Rust implementation of Noise
  • noise-rust — Rust implementation of Noise
  • noise — Python implementation of Noise protocol framework
  • The-Noise-Protocol — The Noise Protocol in python
  • noiseprotocol — Noise Protocol Framework - Python 3 implementation
  • dissononce — A python implementation for Noise Protocol Framework
  • cacophony — A Haskell library implementing the Noise protocol
  • noise-peer — Simple end-to-end encrypted, secure channels using Noise Protocol Framework and libsodium secretstream
  • noise-protocol — Javascript implementation of the Noise Protocol Framework based on libsodium
  • Noise-C — a plain C implementation of the Noise Protocol
    • noise-c.wasm — rweather/noise-c compiled to WebAssembly using Emscripten and optimized for small size
  • noise-java — Plain Java implementation of the Noise protocol
• Lazysodium — a complete Android implementation of the Libsodium library
• Other Libraries:
  • ASM/C: libpqcrypto — a new cryptographic software library produced by the PQCRYPTO project
  • C: NSS — Network Security Services, for use in TLS
  • C: Nettle — a low-level cryptographic library
    • Bindings available in Haskell, Perl, Pike, PostgreSQL, R6RS Scheme, and TCL
  • C: Monocypher — a small, secure, auditable, easy to use crypto library
    • LuaNacha — Lua wrapper for Monocypher
    • monocypher.cr — Crystal bindings for Monocypher
    • monocypher-go — Go language bindings for Monocypher
  • C: libsodium-chacha20 — a secretbox extension providing ChaCha20-Poly1305
  • C: chachablake — ChaCha stream cipher and Blake Hash implementation
  • C: calico — Strong, Fast, and Portable Authenticated Encryption
  • C: molch — An implementation of the axolotl ratchet based on libsodium
  • C: libbsd — useful functions commonly found on BSD systems, and lacking on others
  • C: Libgcrypt — a general purpose cryptographic library originally based on code from GnuPG
  • C: chacha20poly1305 — Simple Chacha20, Poly1305 and Chacha20Poly1305@openssh implementation
  • C: blobcrypt — Authenticated encryption for streams and arbitrary large files using libsodium
  • C: c20p1305 — ChaCha20 + Poly1305
  • C: opt-cryptobox — Optimized cryptobox self-contained library
  • C: liboqs — C library for quantum-safe cryptographic algorithms (includes a userspace ChaCha20-based PRNG)
  • C#: ChaCha20-BLAKE2b — an AEAD implementation using libsodium
  • C++: Botan — a crypto library for C++
  • C++: libquic — QUIC, a multiplexed stream transport over UDP
  • LiteSpeed QUIC (LSQUIC) — implementation of QUIC and HTTP/3 functionality for servers and clients
  • C++: proto-quic — intended as a standalone library for QUIC
  • C++: amber — Cryptography library. X25519, Ed25519, ChaCha20, Blake2, Poly1305, Scrypt
  • C++: yojimbo — A C++ library for creating secure client/server network protocols over UDP
  • C++: arduinolibs-Crypto — Arduino libraries and examples
    • C++: esp8266-chachapoly — Simple encapsulation library for arduinolibs
  • C++/Qt5: libQtShadowsocks — A Shadowsocks library written in C++/Qt5
  • Dart: steel_crypt — high-level, cryptographic API's, either manually defined or pulled from PointyCastle
  • Elixir: branca-elixir — Authenticated Encrypted API Tokens for Elixir
  • F*: HACL* — a formally verified cryptographic library written in F*
    • titun-hacl — Rust bindings for hacl* ChaCha20Poly1305 and Curve25519
  • Go: Package chacha20poly1305 (Golang)
  • Go: libgodium — Pure Go implementation of cryptographic APIs found in libsodium
  • Go: chacha20poly1305 — chacha20-poly1305
  • Go: xsecretbox — Go implementation of crypto_secretbox_xchacha20poly1305
  • Go: dnscrypt — A very simple DNSCrypt client library written in Go
  • Go: chap — Chacha20-Poly1305 AEAD for Go
  • Go: ChaCha20 — as defined in https://tools.ietf.org/html/rfc7539
  • Go: crypto — some additional cryptographic packages for Go
  • Go: chacha20poly1305 — Yawning Angel's implementation, adapted to support the variable tag sizes needed for QUIC
  • Go: sio-go — provable secure authenticated encryption for continuous byte streams
  • Go: chacha20poly1305 — chacha20 and poly1305 as described in RFC 7539 as a cipher.AEAD interface
  • Go: go-lioness — a golang implementation of lioness using chacha20 and blake2
  • Go: goquic — QUIC support for Go
  • Go: go-sphinxmixcrypto — golang sphinx mix net cryptography
  • Go: MAC Daddy — a Go library for encrypting and verifying messages using ChaCha20-Poly1305
  • Go: hc — HomeControl is an implementation of the HomeKit Accessory Protocol (HAP) in Go
  • Haskell: hs-nacl — Modern Haskell Cryptography
  • Haskell: cryptonite — a haskell repository of cryptographic primitives
  • Haskell: raaz — Cryptographic network library for Haskell
  • Java: Java 11+ — programming language
  • Java: Lazysodium — a complete Android implementation of the Libsodium library
  • JavaCard: jChaCha20 — Java based ChaCha20 stream cipher according to RFC7539
  • JavaCard: jChaCha20 — JavaCard based ChaCha20 stream cipher optimized for JavaCard (16-bit) environment
  • Javascript: chacha20poly1305.js — chacha20poly1305 in Javascript
  • Javascript: chacha20 — Chacha20 in Javascript, supporting draft-irtf-cfrg-chacha20-poly1305-01
  • Javascript: chacha20poly1305 — Chacha20Poly1305 AEAD
  • Javascript: cryptopeer-crypto — Crypto module for CryptoPeer
  • JavaScript: branca-js — Authenticated Encrypted API Tokens for Node.js
  • JavaScript: seasalt — A simple Javascript class for Libsodium
  • Lua: plc — Pure Lua Crypto
  • Lua: luazen — a small library with various compression, encoding and cryptographic functions
  • Mruby: mruby-httpsclient — An http(s) web client using mruby and LibreSSL's libtls
  • .NET: nsec — A modern and easy-to-use crypto library for .NET Core based on libsodium
  • Node: chacha20poly1305 — chacha20/poly1305 with the node api
  • Perl: Crypt-OpenSSH-ChachaPoly — Perl wrapper for OpenSSH Chacha20 and Poly1305 functions
  • PHP: PHP 7.2.0+ — a popular general-purpose scripting language that is especially suited to web development
  • PHP: Salt — NaCl cryptography library for PHP (not by NaCl authors)
  • PHP: phpseclib — PHP Secure Communications Library
  • PHP: Sapient — Secure API toolkit
  • PHP: encryption — Helper library for data encryption in PHP. Uses libsodium
  • PHP: branca-php — Authenticated Encrypted API Tokens for PHP
  • Python: pycryptodome — A self-contained cryptographic library for Python
  • Python: sphinxmixcrypto — python sphinx mix net cryptography
  • Python: crypturd — Library for cryptographic primitives
  • Python: pylioness — LIONESS wide block cipher for python
  • Ruby: ShadowsocksRuby — Develop your own tunnel protocol made easy!
  • Ruby: lockbox — File encryption for Ruby and Rails
  • Rust: nacl-compat — Pure Rust compatibility layer for NaCl-family libraries
  • Rust: AEADs — Authenticated Encryption with Associated Data Algorithms: high-level encryption ciphers
  • Rust: stream-ciphers — Collection of stream cipher algorithms
  • Rust: Neqo — an Implementation of QUIC written in Rust
  • Rust: orion — Easy and usable rust crypto
  • Rust: quinn — Futures-based QUIC implementation in Rust
  • Rust: Rust (standard library) — used in librand
  • Rust: rust-crypto — A (mostly) pure-Rust implementation of various cryptographic algorithms
  • Rust: Octavo — modular & configurable hash & crypto library in pure Rust
  • Rust: chacha20-poly1305-aead — A pure Rust implementation of the ChaCha20-Poly1305 AEAD from RFC 7539
  • Rust: ring — Safe, fast, small crypto using Rust & BoringSSL's cryptography primitives
  • Rust: proteus — Axolotl Protocol Implementation
  • Rust: rust-crypto-decoupled — Experiment on dividing rust-crypto into several small crates
  • Rust: nnshake — Simple ECDH handshake protocol in Rust, based on X25519 and ChaCha20-Poly1305
  • Rust: rust-lioness — rust Lioness SPRP constructed with Blake2b and Chacha20
  • Rust: Zbox — a zero-details, privacy-focused embeddable filesystem
  • Rust: branca — Authenticated and encrypted API tokens written in Rust. A secure JWT alternative
  • Rust: cryptocorrosion — Performance crypto in pure Rust
  • Swift: CryptoSwift
  • TypeScript: mipher — Mobile Cipher library written in clean TypeScript
  • Zig: the Zig standard library — ChaCha support since 0.3.0

Cryptographic functions

• BLAKE — SHA-3 finalist based on ChaCha
• BLAKE2 — a refinement of BLAKE which is also based on ChaCha. Many users, most notably Argon2, winner of the Password Hashing Competition, wolfSSL, Noise Protocol, libsodium, OpenSSL 1.1.0+, and WinRAR
• SPHINCS — a high-security post-quantum stateless hash-based signature scheme
• Adiantum — a construction for Android disk encryption
• scrypt-jane — a performant, flexible implementation of Colin Percival's scrypt
• An experimental LIONESS implementation
• Newhope — Ring-LWE-based key exchange
• The arc4random family of functions in OpenBSD use ChaCha20
• The /dev/*random devices on OpenBSD use arc4random, and thus ChaCha20

Userspace random number generators

Note: Whenever possible, get random numbers from arc4random_buf() or getrandom(); from NaCl randombytes() or libsodium randombytes_buf(); or /dev/urandom. A userspace RNG should be a last resort!

• Rust rand crate — A Rust library for random number generation (includes a userspace ChaCha RNG)
• libottery — A fast secure userspace pseudorandom number generator
• libottery-lite — A simple, lightweight, public-domain secure random number generator
• chacha20_drng — a complete standalone implementation of a deterministic random number generator
• Cymric — Portable secure random number generator
• cifra — A collection of cryptographic primitives targeted at embedded use
• go-rand — a cryptographically secure pseudo-random number generator built from ChaCha20
• unpredictable — Unpredictable number generator
• frand — a fast-key-erasure CSPRNG in userspace
• rand — A Rust library for random number generators and other randomness functionality
• prngs — Crystal implementations of several RNGs
• riffle — Experimental Python wrappers using stream ciphers (and more) as random number generators
• seatuna — C Implementation of Fortuna cryptographically secure pseudo-random number generator using chacha20
• mt-arc4random — a thread-aware, thread-safe version of OpenBSD arc4random (chacha20)

Miscellaneous

• Google Online Security Blog: Better performance: ChaCha20 and Poly1305 are very fast on mobile and wearable devices, as their designs are able to leverage common CPU instructions, including ARM vector instructions. Poly1305 also saves network bandwidth, since its output is only 16 bytes compared to HMAC-SHA1, which is 20 bytes. This represents a 16% reduction of the TLS network overhead incurred when using older ciphersuites such as RC4-SHA or AES-SHA.
• wolfSSL: "When using the recently released ChaCha20-Poly1305 suite and curve25519 the TLS connection time is even faster than that of the AES suite."
• Adam Langley: "ChaCha20 is very simple and even a completely naive implementation will be secure. Poly1305 is somewhat more complex to implement but again lends itself to secure implementations. Several high-quality, optimised, public domains implementations are available of each."
• Arka Rai Choudhuri and Subhamoy Maitra: Differential Cryptanalysis of Salsa and ChaCha: An Evaluation with a Hybrid Model: "Based on the assumptions and analysis, we conclude that 12 rounds of Salsa and ChaCha should be considered sufficient for 256-bit keys under the current best known attack models."
• Soatok: Cryptographic Wear-Out for Symmetric Encryption: "Compared to AES-CBC, AES-GCM gives you approximately a million times as much usage out of the same key, for the same threat profile. ChaCha20-Poly1305 and XChaCha20-Poly1305 provides even greater allowances of encrypting data under the same key. The latter is even safe to use to encrypt arbitrarily large volumes of data under a single key without having to worry about ever practically hitting the birthday bound (although the message length is still somewhat constrained)."
• Chromium Blog: "Today, roughly half of all requests from Chrome to Google servers are served over QUIC and we're continuing to ramp up QUIC traffic, eventually making it the default transport from Google clients — both Chrome and mobile apps — to Google servers."
• Jean-Philippe Aumasson: "[G]iven the information and understanding we have today, the discovery of a practical attack on AES, ChaCha, BLAKE2, or Keccak is highly unlikely."

Timeline notes

• 2008-01-28: ChaCha is introduced by Dan Bernstein
• 2013-05-22: libottery by Nick Mathewson is born
• 2013-06-05: Edward Snowden / NSA disclosures begin
• 2013-10-01: OpenBSD switches from RC4 to ChaCha20 in arc4random
• 2013-10-01: OpenSMTPD switches its internal CSPRNG to ChaCha20
• 2014-01-30: OpenSSH 6.5 adds ChaCha20 support
• 2014-02-16: First experimental TinySSH release by Jan Mojžíš
• 2014-05-01: LibreSSL, from the OpenBSD project, adds ChaCha20 support
• 2014-06-07: Nettle adds ChaCha20 support in 3.0
• 2014-06-20: BoringSSL, a Google fork of OpenSSL, is announced
• 2014-07-01: libsodium adds support for ChaCha20 in 0.6.0
• 2014-07-11: The first release of LibreSSL-portable is available
• 2014-09-12: wolfSSL adds ChaCha20-Poly1305 support in version 3.2.0
• 2014-11-25: Dragonfly BSD 4.0 uses ChaCha in its CSPRNG
• 2015-01-02: ChaCha20Poly1305 added to Botan in version 1.11.12
• 2015-02-23: Cloudflare enables ChaCha20-Poly1305 for TLS
• 2015-04-08: GnuTLS 3.4.0 supports ChaCha20-Poly1305 for TLS
• 2015-05-13: RFC 7539 is published
• 2015-07-01: OpenSSH 6.9 makes chacha20-poly1305@openssh.com the default cipher
• 2015-10-08: NetBSD 7.0 replaces RC4 with ChaCha in arc4random
• 2015-11-18: libbsd 0.8.0 replaces RC4 with ChaCha in arc4random
• 2016-04-15: Libgcrypt 1.7.0 supports ChaCha20 and ChaCha20-Poly1305
• 2016-05-09: GnuTLS 3.5.0 enables ChaCha20-Poly1305 by default
• 2016-06-02: Akamai CDN announces support for ChaCha20-Poly1305
• 2016-06-22: RFC 7905, ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS), is published
• 2016-07-18: Caddy 0.9 (announcement links, plural, removed) adds experimental QUIC support
• 2016-08-25: OpenSSL 1.1.0 supports ChaCha20-Poly1305
• 2016-10-10: Alpine Linux switches to LibreSSL
• 2016-12-23: Python 3.6.0 adds TLS support for ChaCha20-Poly1305
• 2017-01-09: KeePass 2.35 adds ChaCha20 support
• 2017-02-16: Go 1.8 adds ChaCha20-Poly1305 support to crypto/tls
• 2017-02-21: PuTTY 0.68 gets ChaCha20-Poly1305 support
• 2017-04-30: Linux 4.11 uses ChaCha20 for get_random_int/long
• 2017-05-10: Googlebot now supports ChaCha20-Poly1305 (source: webserver logs)
• 2017-06-07: dnscrypt-wrapper 0.3 gets XChaCha20 support
• 2017-08-16: Audit of libsodium finds it "is indeed a secure, high-quality library that meets its stated usability and efficiency goals."
• 2017-11-30: PHP 7.2.0 adds libsodium
• 2018-01-19: NSS 3.35 includes formally verified ChaCha20 and Poly1305
• 2018-07-26: Cloudflare reaffirms its intention to deploy QUIC for its customers
• 2018-08-01: HPolyC is introduced
• 2018-08-02: Linux will merge WireGuard into the kernel!
• 2018-08-11: RFC 8446, TLS 1.3, is published
• 2018-09-25: Java 11 adds support for ChaCha20
• 2018-12-11: FreeBSD 12 switches from RC4 to ChaCha20 in random number generation
• 2018-12-20: WireGuard for iOS - now in the App Store
• 2019-02-16: WireGuard for macOS is announced
• 2019-03-27: Cloudflare announces BoringTun
• 2019-07-17: OPNsense 19.7 includes WireGuard support
• 2019-12-08: WireGuard merged into net-next
• 2019-12-29: In Too Much Crypto, Jean-Philippe Aumasson argues in favor of ChaCha8
• 2020-03-29: Linux kernel 5.6 is released, including WireGuard
• 2020-06-21: WireGuard Merged Into OpenBSD
• 2020-07-08: Cure53 audit of Monocypher finds no serious issues
• 2020-10-18: OpenBSD 6.8 includes WireGuard support
• 2023-02-25: DragonFly BSD: Port chacha20 from FreeBSD for arc4random()
• 2023-04-11: FreeBSD 13.2 adds WireGuard support
• 2024-03-28: NetBSD 10 adds compatibility with WireGuard

ChaCha support coming soon!

• kage — WIP Kotlin implementation of the age file encryption format
• quiche — Savoury implementation of the QUIC transport protocol
• Haiku — this BeOS-inspired OS will add ChaCha-based arc4random(3)
• WireGuard in kernel for NetBSD
• Nettle — for use in TLS. Note: Nettle already supports ChaCha for non-TLS use; this will bring its support to TLS!
• mbed TLS — TLS library
• tink — a small crypto library that provides a safe, simple, agile and fast way to accomplish some common crypto tasks
• Zcash — a decentralized and open source cryptocurrency using groundbreaking cryptography
• TunSafe for OS X — a WireGuard client for OS X
• pts-dropbear — TODO: Add cipher chacha20-poly1305@openssh.com (for feature parity with tinyssh)
• sodium_compat v0.2 — will ship with chacha20poly1305 and complete (passing) static analysis coverage
• libssh2 — "the SSH library"
• Tera Term — SSH client for Windows
• CrypTech — CrypTech HSM uses ChaCha20 as its CSPRNG
• ocaml-chacha — ChaCha20, ChaCha12 and ChaCha8 encryption functions, in OCaml
• CoreFX — .NET Core foundational libraries
• antinet-before-yedino — safe decentralized network for data and contracts
• nuntius — iOS Framework for end-to-end encrypted messages
• nnathan-noiseprotocol — Noise Protocol in Python
• libssh — a mulitplatform C library implementing the SSHv2 and SSHv1 protocol for client and server implementations
• Libreswan — an IPsec implementation for Linux
• Others?

"Powered by ChaCha"