RFC 8439 Standard  |  256-bit key  |  AEAD — Authenticated Encryption

ChaCha20-Poly1305 Encryption

Generate secure 256-bit keys, then encrypt and decrypt with an AEAD authenticated stream cipher. RFC 8439 standard — used in TLS 1.3, WireGuard and Android.

Generates a cryptographically secure random 256-bit key and 96-bit nonce. Keep the key secret. Generate a new nonce for every message — never reuse the same key+nonce pair.

Key parameters

  Parameter     Value                      Notes
  ------------  -------------------------  ----------------------------------
  Key size      256 bits (64 hex chars)    Only one key size — always 256-bit
  Nonce size    96 bits (24 hex chars)     Must be unique per message
  Auth tag      128 bits (appended)        Poly1305 MAC — detects tampering
  Output size   plaintext + 16 bytes       16-byte authentication tag added

ChaCha20-Poly1305: Authenticated Stream Cipher Encryption

Fast, secure AEAD encryption standardized in RFC 8439

Introduction

ChaCha20-Poly1305 is an Authenticated Encryption with Associated Data (AEAD) cipher combining two primitives:

  • ChaCha20 — a stream cipher by Daniel J. Bernstein providing confidentiality
  • Poly1305 — a message authentication code (MAC) providing integrity and authenticity

It is standardized in RFC 8439 and is one of the two mandatory cipher suites in TLS 1.3 alongside AES-256-GCM.

ChaCha20-Poly1305 vs AES-256-GCM

  Property                 ChaCha20-Poly1305                 AES-256-GCM
  -----------------------  --------------------------------  -------------------------------
  Speed (no HW AES)        Faster                            Slower
  Speed (with HW AES)      Slower                            Faster
  Side-channel resistance  Stronger (constant-time)          Requires hardware support
  Key size                 256-bit only                      128 / 192 / 256-bit
  Nonce size               96-bit                            96-bit
  Authentication           Poly1305 (built-in)               GHASH (built-in)
  Standard                 RFC 8439 (2018)                   NIST SP 800-38D
  Used in                  TLS 1.3, WireGuard, Android, SSH  TLS 1.3, HTTPS, disk encryption

How ChaCha20 works

ChaCha20 generates a keystream from the key and nonce with 20 rounds built from a quarter-round function (10 double rounds, each a column round followed by a diagonal round, and each of those four quarter-round calls):

State   = [constants(4) | key(8) | counter(1) | nonce(3)]   (16 x 32-bit words)
Working = State
For i in 1..10:                        // 10 double rounds = 20 rounds
    ColumnRound(Working)               // 4 quarter-rounds down the columns
    DiagonalRound(Working)             // 4 quarter-rounds along the diagonals
Keystream  = Working + State           // word-wise addition mod 2^32, NOT XOR
Ciphertext = Plaintext XOR Keystream   // decryption is the same XOR

Security analysis

  Attack              Resistance
  ------------------  -----------------------------------------------------------------
  Brute-force key     2^256 operations — infeasible classically
  Quantum (Grover)    Reduces to 128-bit effective security — safe for long-term use
  Nonce reuse         CRITICAL — reveals keystream. Never reuse a key+nonce pair
  Timing attacks      Designed to run in constant time — resistant
  Forgery (Poly1305)  2^-106 forgery probability — negligible

Real-world usage

  • TLS 1.3 — mandatory cipher suite (RFC 8446)
  • WireGuard VPN — primary encryption algorithm
  • Android — full disk encryption on devices without hardware AES
  • OpenSSH — chacha20-poly1305@openssh.com cipher
  • Signal Protocol — message encryption
  • QUIC / HTTP3 — transport layer encryption

References

  1. RFC 8439 — ChaCha20 and Poly1305 for IETF Protocols
  2. D. J. Bernstein, "ChaCha, a variant of Salsa20" (2008)
  3. RFC 8446 — TLS 1.3