XChaCha20-Poly1305
What is XChaCha20-Poly1305?
An extended-nonce variant of ChaCha20-Poly1305 that uses a 192-bit nonce, making it safe to generate nonces randomly without worrying about collision and well-suited for at-rest encryption and random-nonce designs.
XChaCha20-Poly1305 is an AEAD construction defined in IETF draft-irtf-cfrg-xchacha that combines XChaCha20 (an extended-nonce variant of ChaCha20) with the Poly1305 MAC. The original ChaCha20-Poly1305 specified in RFC 8439 uses a 96-bit nonce — large enough for the counter-based usage in TLS but borderline for systems that derive nonces randomly per message, where the birthday bound becomes relevant after ~2^32 messages per key. XChaCha20 extends the nonce to 192 bits by first running HChaCha20, a keyed function that mixes part of the nonce into a derived subkey, then running ChaCha20 with the rest as a regular nonce. The 192-bit nonce is large enough that random selection collides only after roughly 2^96 messages, which is effectively never. The construction is standardized in libsodium (`crypto_aead_xchacha20poly1305_ietf_*`) and widely used in disk encryption, password managers, and any context where a counter-style nonce isn't practical. Performance is identical to ChaCha20-Poly1305 except for one extra HChaCha20 call per message.
● Examples
- 01
A password manager encrypts each vault item with XChaCha20-Poly1305 using a random per-item nonce and stores nonce + ciphertext + tag in the database.
- 02
libsodium's `crypto_secretstream_xchacha20poly1305_*` API wraps XChaCha20-Poly1305 for streaming, large-file encryption.
● Frequently asked questions
What is XChaCha20-Poly1305?
An extended-nonce variant of ChaCha20-Poly1305 that uses a 192-bit nonce, making it safe to generate nonces randomly without worrying about collision and well-suited for at-rest encryption and random-nonce designs. This term falls under the Cryptography category in cybersecurity.
How do you defend against XChaCha20-Poly1305?
Defenses against XChaCha20-Poly1305 usually combine technical controls and operational practices, as detailed in the definition above.
What are other names for XChaCha20-Poly1305?
Common alternative names: XChaCha20, Extended-nonce ChaCha20-Poly1305.
● Related terms
- cryptography № 179
ChaCha20-Poly1305
AEAD construction combining the ChaCha20 stream cipher with the Poly1305 one-time authenticator, standardized by RFC 8439 for TLS 1.3 and WireGuard.
- cryptography № 178
ChaCha20
Modern stream cipher designed by Daniel J. Bernstein, using a 256-bit key and a 96-bit nonce, widely deployed with Poly1305 as the ChaCha20-Poly1305 AEAD.
- cryptography № 021
AEAD (Authenticated Encryption with Associated Data)
A symmetric encryption primitive that provides confidentiality, integrity, and authenticity in one operation, with the ability to bind unencrypted 'associated data' (headers, routing info) to the ciphertext's authentication tag.
- cryptography № 025
AES-GCM
Authenticated encryption mode combining AES in counter mode with a GHASH-based authentication tag to provide confidentiality and integrity in a single pass.
- cryptography № 189
Cipher
Algorithm that transforms plaintext into ciphertext (encryption) and vice versa (decryption), parameterized by one or more cryptographic keys.
- cryptography № 1227
Stream cipher
Symmetric cipher that encrypts data bit by bit or byte by byte by XORing it with a pseudorandom stream derived from a key and a nonce.