Hi Martin, Your ChaCha20Poly1305 implementation when decrypting calls chacha20 decryption before it verifies the auth tag. Not only does this waste CPU cycles, but it makes it impossible to attempt decryption of cipher texts using different keys (until one is right) without creating a copy, which is unfortunate. (It also is one of the nice benefits of EtM.) Would you consider reversing the order of these operations? That is -- not performing the chacha20 step if the poly1305 tag does not verify? Thanks, Jason -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html