XChaCha20-Poly1305.

An extended-nonce variant of ChaCha20-Poly1305 that uses a 192-bit nonce, making it safe to generate nonces randomly without worrying about collision and well-suited for at-rest encryption and random-nonce designs. It belongs to the Cryptography category of cybersecurity.

An extended-nonce variant of ChaCha20-Poly1305 that uses a 192-bit nonce, making it safe to generate nonces randomly without worrying about collision and well-suited for at-rest encryption and random-nonce designs.

XChaCha20-Poly1305 is an AEAD construction defined in IETF draft-irtf-cfrg-xchacha that combines XChaCha20 (an extended-nonce variant of ChaCha20) with the Poly1305 MAC. The original ChaCha20-Poly1305 specified in RFC 8439 uses a 96-bit nonce — large enough for the counter-based usage in TLS but borderline for systems that derive nonces randomly per message, where the birthday bound becomes relevant after ~2^32 messages per key. XChaCha20 extends the nonce to 192 bits by first running HChaCha20, a keyed function that mixes part of the nonce into a derived subkey, then running ChaCha20 with the rest as a regular nonce. The 192-bit nonce is large enough that random selection collides only after roughly 2^96 messages, which is effectively never. The construction is standardized in libsodium (`crypto_aead_xchacha20poly1305_ietf_*`) and widely used in disk encryption, password managers, and any context where a counter-style nonce isn't practical. Performance is identical to ChaCha20-Poly1305 except for one extra HChaCha20 call per message.

Defences for XChaCha20-Poly1305 typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: XChaCha20, Extended-nonce ChaCha20-Poly1305.