XChaCha20-Poly1305.

An extended-nonce variant of ChaCha20-Poly1305 that uses a 192-bit nonce, making it safe to generate nonces randomly without worrying about collision and well-suited for at-rest encryption and random-nonce designs. Es gehört zur Kategorie Kryptografie der Cybersicherheit.

An extended-nonce variant of ChaCha20-Poly1305 that uses a 192-bit nonce, making it safe to generate nonces randomly without worrying about collision and well-suited for at-rest encryption and random-nonce designs.

XChaCha20-Poly1305 is an AEAD construction defined in IETF draft-irtf-cfrg-xchacha that combines XChaCha20 (an extended-nonce variant of ChaCha20) with the Poly1305 MAC. The original ChaCha20-Poly1305 specified in RFC 8439 uses a 96-bit nonce — large enough for the counter-based usage in TLS but borderline for systems that derive nonces randomly per message, where the birthday bound becomes relevant after ~2^32 messages per key. XChaCha20 extends the nonce to 192 bits by first running HChaCha20, a keyed function that mixes part of the nonce into a derived subkey, then running ChaCha20 with the rest as a regular nonce. The 192-bit nonce is large enough that random selection collides only after roughly 2^96 messages, which is effectively never. The construction is standardized in libsodium (`crypto_aead_xchacha20poly1305_ietf_*`) and widely used in disk encryption, password managers, and any context where a counter-style nonce isn't practical. Performance is identical to ChaCha20-Poly1305 except for one extra HChaCha20 call per message.

Schutzmaßnahmen gegen XChaCha20-Poly1305 kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.

Übliche alternative Bezeichnungen: XChaCha20, Extended-nonce ChaCha20-Poly1305.