Generated by GPT-5-mini

| ChaCha20-Poly1305 | |
|---|---|
| Name | ChaCha20-Poly1305 |
| Designer | Daniel J. Bernstein |
| Introduced | 2008 |
| Key size | 256 bits |
| Nonce size | 96 bits / 64 bits (variants) |
| Tag size | 128 bits |
| Block size | 64 bytes |
| Structure | Stream cipher + MAC (AEAD) |
ChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) construction that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. It provides confidentiality and integrity in a single algorithmic composition and has been widely adopted in protocols, libraries, and products across the Internet ecosystem. The design emphasizes simplicity, performance on software platforms, and resistance to timing attacks.
ChaCha20-Poly1305 pairs a stream cipher keyed with 256 bits with a 128-bit universal-hash-based authenticator to produce an AEAD primitive. Standards bodies and protocol implementers have adopted it to replace older constructions such as RC4 and to complement or substitute for AES-GCM where hardware acceleration for the Advanced Encryption Standard (AES) is absent. Platforms from OpenSSH to TLS stacks, and applications such as Signal, WhatsApp, WireGuard and OpenVPN, use the construction or variants of it.
The construction combines two distinct components: the ChaCha20 stream cipher and the Poly1305 authenticator. ChaCha20, designed by Daniel J. Bernstein, is a permutation-based stream cipher derived from the Salsa20 family; it operates on a 512-bit state with ARX (add-rotate-xor) operations and produces keystream blocks that are XORed with the plaintext, much as earlier stream ciphers like RC4 do. Poly1305, also proposed by Daniel J. Bernstein, is a one-time universal hash function that computes a 128-bit tag using modular arithmetic over a prime field; it resembles the information-theoretic Carter–Wegman MAC designs. The AEAD composition uses ChaCha20 both to encrypt the message and to derive the one-time key for Poly1305, following the pattern of AEAD designs such as Galois/Counter Mode even though the underlying mechanisms differ.
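To make the composition concrete, the following is an added from-scratch Python implementation of the layout standardized in RFC 7539 (96-bit nonce, 32-bit block counter, keystream block 0 as the one-time Poly1305 key); it is not code from any library or project named on this page, the function names are this example's own, and it is written for readability rather than constant time.

```python
import hmac, struct
M32 = 0xffffffff
def _rotl(x, n): return ((x << n) | (x >> (32 - n))) & M32
def _pad16(b): return b + bytes(-len(b) % 16)   # zero-pad to a 16-byte boundary

def _quarter_round(s, a, b, c, d):
    # One ARX quarter-round (add, rotate, xor) on four words of the 16-word state.
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # 64-byte keystream block from the state: constants | 256-bit key | 32-bit counter | 96-bit nonce.
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = init[:]
    for _ in range(10):  # 20 rounds: each double round is 4 column + 4 diagonal quarter-rounds
        for qr in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                   (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, *qr)
    return struct.pack("<16I", *[(x + y) & M32 for x, y in zip(w, init)])

def chacha20_xor(key, counter, nonce, data):
    # Stream cipher: XOR data with successive keystream blocks, the counter incrementing per 64 bytes.
    return b"".join(bytes(x ^ y for x, y in zip(data[i:i + 64], chacha20_block(key, counter + i // 64, nonce)))
                    for i in range(0, len(data), 64))

def poly1305_mac(msg, key):
    # One-time MAC: clamp r, evaluate padded 16-byte chunks as a polynomial in r mod 2^130-5, add s mod 2^128.
    r = int.from_bytes(key[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s, p, h = int.from_bytes(key[16:], "little"), (1 << 130) - 5, 0
    for chunk in (msg[i:i + 16] for i in range(0, len(msg), 16)):
        h = (h + int.from_bytes(chunk, "little") + (1 << (8 * len(chunk)))) * r % p
    return ((h + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _tag(key, nonce, aad, ct):
    # Keystream block 0 is the one-time Poly1305 key; MAC input is pad16(aad) | pad16(ct) | len(aad) | len(ct).
    otk = chacha20_block(key, 0, nonce)[:32]
    return poly1305_mac(_pad16(aad) + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct)), otk)

def aead_encrypt(key, nonce, plaintext, aad=b""):
    # Encryption starts at block 1, so the MAC key (block 0) is never emitted as keystream.
    ct = chacha20_xor(key, 1, nonce, plaintext)
    return ct, _tag(key, nonce, aad, ct)

def aead_decrypt(key, nonce, ciphertext, tag, aad=b""):
    # Check the tag in constant time before decrypting; a forged or tampered message yields None.
    if not hmac.compare_digest(_tag(key, nonce, aad, ciphertext), tag):
        return None
    return chacha20_xor(key, 1, nonce, ciphertext)
```

Because the one-time key is derived from the nonce, reusing a nonce under the same key reuses both the keystream and the Poly1305 key, which is why the text above singles out nonce misuse as the primary risk.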
ChaCha20-Poly1305 provides confidentiality and integrity guarantees under standard assumptions about its components, provided nonces are never reused under the same key. Security proofs reduce forgery and distinguishing attacks to the pseudorandomness of the ChaCha20 keystream and the unforgeability of one-time Poly1305 tags, in the spirit of the provable-security results for IND-CPA and AEAD notions developed by cryptographers in academia, including researchers from MIT, ETH Zurich, the University of California, Berkeley, and École Polytechnique Fédérale de Lausanne. When implemented in constant time, the construction resists common side-channel attacks such as timing attacks; this property makes it attractive for deployments on general-purpose CPUs where Intel or ARM hardware AES instructions may not be available. Cryptanalysis by academic teams, industry labs such as Google's security group, and standards bodies such as the Internet Engineering Task Force has not produced practical key-recovery attacks against properly used ChaCha20-Poly1305, though nonce misuse and implementation errors remain the primary risks, echoing critiques raised against AES-CTR+HMAC and SHA-1-based constructions.
ChaCha20-Poly1305 is standardized in multiple specifications and implemented in numerous libraries and protocols. The IETF published an AEAD specification that includes ChaCha20-Poly1305 for use with TLS; RFC 7539 and later documents formalize the variants and parameter choices. Implementations are available in cryptographic libraries such as OpenSSL, BoringSSL, LibreSSL, libsodium, and NaCl, and in language runtimes and frameworks such as Go's and Rust's crypto libraries, OpenBSD's crypto stack, and Android internals. Protocols that specify ChaCha20-Poly1305 variants include TLS 1.3, SSH, IPsec, and DTLS, while VPN projects such as WireGuard and OpenVPN offer support through their chosen crypto libraries.
ChaCha20-Poly1305 is optimized for software performance on processors lacking AES hardware acceleration, often outperforming AES-GCM on mobile and embedded devices with ARM cores and on some x86 CPUs without AES-NI. Its ARX design yields constant-time implementations that mitigate timing-based leakage, making it preferred in contexts demanding robust side-channel resistance, such as cryptocurrency wallets, Tor nodes, and secure messaging clients like Signal. Use cases include secure transport in HTTPS through TLS, encrypted tunnels in VPNs, disk and file encryption in systems like OpenBSD's disk utilities, and authenticated message channels in distributed systems developed by organizations such as Google, Mozilla, and Cloudflare. Benchmarking across CPUs and languages by industry labs and academic teams often shows a trade-off: AES-GCM wins where AES-NI exists, while ChaCha20-Poly1305 excels on low-end, mobile, and software-only environments.
The components emerged from the work of Daniel J. Bernstein; ChaCha20 evolved from Salsa20 introduced earlier in the 2000s, and Poly1305 was introduced around the same era. ChaCha20-Poly1305 gained traction after high-profile discussions in standards venues and analyses that highlighted vulnerabilities in legacy ciphers like RC4 and issues with TLS cipher suite selections. Major adopters include Google for QUIC and Chrome, the IETF for TLS recommendations, and projects such as OpenSSH and OpenVPN that sought resilient, fast software ciphers. Subsequent endorsements by platform vendors including Android, Apple Inc., and Microsoft for certain stacks accelerated deployment across consumer and enterprise infrastructure. Continued scrutiny by academic conferences such as CRYPTO, EUROCRYPT, and USENIX Security and by industry security teams has cemented its role in modern cryptographic toolkits.