ChaCha20 is a stream cipher designed by Daniel J. Bernstein and standardized in RFC 8439. It improves upon the earlier Salsa20 design, providing increased per-round diffusion with no cost to performance.

ChaCha20 is lightweight and well suited to fast, constant-time software implementations. It is widely deployed in modern security protocols and systems, including TLS 1.3 (via ChaCha20-Poly1305), WireGuard, SSH, and as the basis for the CSPRNG in OpenBSD, FreeBSD, and the Linux kernel, among others.

This implementation follows the IETF ChaCha20 variant defined in RFC 8439, using a 256-bit key, a 96-bit nonce, and a 32-bit block counter. This permits encryption of up to 256 GiB of data per key/nonce pair; exceeding this limit or reusing a nonce with the same key is insecure.

Security note
ChaCha20 by itself provides confidentiality only and does not offer message authentication. An attacker can modify ciphertext without detection. For authenticated encryption, use an AEAD construction such as ChaCha20-Poly1305.

High-level API (u32 arrays)

chacha20-crypt ( data key nonce counter -- result )

Byte API (byte arrays)

chacha20-crypt-bytes ( data key-bytes nonce-bytes counter -- result )

String helpers

chacha20-encrypt-string ( string key-bytes nonce-bytes counter -- ciphertext )

chacha20-decrypt-string ( ciphertext key-bytes nonce-bytes counter -- string )

Further reading
https://cr.yp.to/chacha.html

https://www.rfc-editor.org/rfc/rfc8439.html