Comment on page



HChaCha20 is a pseudorandom function (PRF) based on ChaCha20 and HSalsa20. It takes a 512-bit input and produces a 256-bit output. This makes it suitable for fast key derivation from high-entropy input keying material, as done for XChaCha20.
You probably want BLAKE2b instead because it is much more flexible. Argon2id MUST be used for password-based key derivation.



Fills a span with output keying material derived from high-entropy input keying material, a nonce, and an optional personalization constant for domain separation.
HChaCha20.DeriveKey(Span<byte> outputKeyingMaterial, ReadOnlySpan<byte> inputKeyingMaterial, ReadOnlySpan<byte> nonce, ReadOnlySpan<byte> personalization = default)


outputKeyingMaterial has a length not equal to OutputSize.
inputKeyingMaterial has a length not equal to KeySize.
nonce has a length not equal to NonceSize.
personalization has a length greater than 0 but not equal to PersonalSize.


These are used for validation and/or save you defining your own constants.
public const int OutputSize = 32;
public const int KeySize = 32;
public const int NonceSize = 16;
public const int PersonalSize = 16;


HChaCha20 is NOT a general-purpose hash function. Use BLAKE2b.
The input keying material MUST be a uniformly random key, NOT a password, public key, or X25519 shared secret.
Last modified 6mo ago