diff --git a/script/research/x3dh/Cargo.toml b/script/research/x3dh/Cargo.toml
index 583372024..2ddc5c515 100644
--- a/script/research/x3dh/Cargo.toml
+++ b/script/research/x3dh/Cargo.toml
@@ -10,7 +10,7 @@ anyhow = "1.0.56"
 sha2 = "0.10.6"
 digest = "0.10.5"
 rand = "0.7.3"
-crypto_api_chachapoly = "0.5.0"
+aes-gcm-siv = "0.11.1"
 curve25519-dalek = "3.2.1"
 ed25519-dalek = "1.0.1"
 x25519-dalek = "1.2.0"
diff --git a/script/research/x3dh/src/main.rs b/script/research/x3dh/src/main.rs
index f96509bb4..83ef7a3ab 100644
--- a/script/research/x3dh/src/main.rs
+++ b/script/research/x3dh/src/main.rs
@@ -1,8 +1,8 @@
 //! https://signal.org/docs/specifications/x3dh/x3dh.pdf
 use std::collections::{HashMap, VecDeque};
+use aes_gcm_siv::{AeadInPlace, Aes256GcmSiv, KeyInit};
 use anyhow::Result;
-use crypto_api_chachapoly::ChachaPolyIetf;
 use rand::rngs::OsRng;
 use sha2::Sha256;
 use x25519_dalek::{PublicKey as X25519PublicKey, StaticSecret as X25519SecretKey};
@@ -205,7 +205,10 @@ fn main() -> Result<()> {
 let message = b"ohai bob";
 let mut ciphertext = vec![0u8; message.len() + AEAD_TAG_SIZE];
- ChachaPolyIetf::aead_cipher().seal_to(&mut ciphertext, message, &ad, &sk, &[0u8; 12]).unwrap();
+ ciphertext[..message.len()].copy_from_slice(message);
+
+ let nonce = [0u8; 12][..].into();
+ Aes256GcmSiv::new(&sk.into()).encrypt_in_place(nonce, &ad, &mut ciphertext).unwrap();
 let initial_message = InitialMessage {
 identity_key: alice_ik_public,
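Review bot: `encrypt_in_place` treats the entire buffer as plaintext and then appends the tag, so with `ciphertext` still pre-sized to `message.len() + AEAD_TAG_SIZE` the `AEAD_TAG_SIZE` zero bytes after the copied message are sealed along with it and the ciphertext comes out `AEAD_TAG_SIZE` bytes longer than intended. The sizing was right for the old `seal_to`, which wrote into a caller-sized buffer, and the decrypt hunk at `@@ -264,10 +267,13 @@` only round-trips because its `plaintext.resize(plaintext.len() - AEAD_TAG_SIZE, 0)` strips that encrypted padding back off. Replace the two buffer lines with `let mut ciphertext = message.to_vec();` and let `encrypt_in_place` grow it by the tag; on Bob's side `let mut plaintext = initial_message.ciphertext.clone();` followed by `decrypt_in_place` then yields exactly `message` with no resize. The all-zero nonce deserves a comment now that the cipher changed, e.g. `// Fixed nonce is acceptable here only because SK is derived fresh per X3DH run (it includes the ephemeral-key DH terms) and AES-GCM-SIV is nonce-misuse resistant`. The enclosing `main` starts and ends outside the hunk.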
@@ -264,10 +267,13 @@ fn main() -> Result<()> {
 // Finally, Bob attempts to decrypt the initial ciphertext using SK and AD.
 // If the initial ciphertext fails to decrypt, Bob aborts the protocol and
 // deletes SK.
- let mut plaintext = vec![0_u8; initial_message.ciphertext.len() - AEAD_TAG_SIZE];
- ChachaPolyIetf::aead_cipher()
- .open_to(&mut plaintext, &initial_message.ciphertext, &ad, &sk2, &[0u8; 12])
- .unwrap();
+ let mut plaintext = vec![0_u8; initial_message.ciphertext.len()];
+ plaintext.copy_from_slice(&initial_message.ciphertext);
+
+ let nonce = [0u8; 12][..].into();
+ Aes256GcmSiv::new(&sk2.into()).decrypt_in_place(nonce, &ad, &mut plaintext).unwrap();
+ plaintext.resize(plaintext.len() - AEAD_TAG_SIZE, 0);
+ assert_eq!(plaintext, message); // Just to confirm everything's correct
 // If the initial ciphertext decrypts successfully, the protocol is complete