ChaCha20-Poly1305
What is ChaCha20-Poly1305?
ChaCha20-Poly1305An AEAD construction pairing the ChaCha20 stream cipher with the Poly1305 one-time authenticator, standardised in RFC 8439 for TLS 1.3 and WireGuard.
ChaCha20-Poly1305 is the AEAD cipher specified in RFC 8439 (formerly RFC 7539). ChaCha20 is a 256-bit-key ARX stream cipher designed by Daniel J. Bernstein, with a 96-bit nonce and 32-bit counter producing a 512-bit keystream block per invocation; Poly1305 is a 128-bit one-time MAC over the ciphertext and associated data, keyed by the first block of the ChaCha20 keystream. The pair is constant-time and fast in software without AES-NI, which is why it is the default fallback in TLS 1.3, QUIC, SSH, OpenVPN, and WireGuard. Like AES-GCM it fails catastrophically on nonce reuse and requires unique nonces per key.
● Examples
- 01
TLS 1.3 cipher suite TLS_CHACHA20_POLY1305_SHA256.
- 02
WireGuard tunnel data frames are encrypted with ChaCha20-Poly1305.
● Frequently asked questions
What is ChaCha20-Poly1305?
An AEAD construction pairing the ChaCha20 stream cipher with the Poly1305 one-time authenticator, standardised in RFC 8439 for TLS 1.3 and WireGuard. It belongs to the Cryptography category of cybersecurity.
What does ChaCha20-Poly1305 mean?
An AEAD construction pairing the ChaCha20 stream cipher with the Poly1305 one-time authenticator, standardised in RFC 8439 for TLS 1.3 and WireGuard.
How does ChaCha20-Poly1305 work?
ChaCha20-Poly1305 is the AEAD cipher specified in RFC 8439 (formerly RFC 7539). ChaCha20 is a 256-bit-key ARX stream cipher designed by Daniel J. Bernstein, with a 96-bit nonce and 32-bit counter producing a 512-bit keystream block per invocation; Poly1305 is a 128-bit one-time MAC over the ciphertext and associated data, keyed by the first block of the ChaCha20 keystream. The pair is constant-time and fast in software without AES-NI, which is why it is the default fallback in TLS 1.3, QUIC, SSH, OpenVPN, and WireGuard. Like AES-GCM it fails catastrophically on nonce reuse and requires unique nonces per key.
How do you defend against ChaCha20-Poly1305?
Defences for ChaCha20-Poly1305 typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for ChaCha20-Poly1305?
Common alternative names include: ChaCha20/Poly1305, RFC 8439, ChaPoly.
● Related terms
- cryptography№ 023
AES-GCM
An authenticated encryption mode that combines AES in counter mode with a GHASH-based authentication tag for confidentiality and integrity in a single pass.
- cryptography№ 1109
Stream Cipher
A symmetric cipher that encrypts data one bit or byte at a time by XORing it with a pseudorandom keystream derived from a key and nonce.
- network-security№ 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- network-security№ 1244
WireGuard
A modern, minimal VPN protocol that uses a fixed set of state-of-the-art cryptographic primitives and runs as part of the Linux kernel.
- cryptography№ 258
Curve25519
A Montgomery elliptic curve designed by Daniel J. Bernstein, used in the X25519 Diffie-Hellman function specified in RFC 7748 with ~128-bit security.