A key-committing implementation of ChaCha20-Poly1305.
This technique is an encryption version of the padding fix discussed in How to Abuse and Fix Authenticated Encryption Without Key Commitment. Credit goes to Loup Vaillant for the idea.
The latter 32 bytes of block 0 (after the Poly1305 key) are prepended to the ciphertext as a commitment. For decryption, this commitment is checked in constant time alongside the tag, eliminating a timing difference.
This provides 128-bit key-committing security but incurs additional storage overhead. If combined with the Hash-then-Encrypt strategy (subkey = KDF(masterKey, nonce || associatedData), this should commit to all inputs.