ChaCha20 Encryption
Modern stream cipher with optional authentication
Client-Side Security
All encryption/decryption operations are performed locally in your browser. No data is sent to any server.
About ChaCha20
ChaCha20 is a modern stream cipher designed by Daniel J. Bernstein in 2008, derived from the Salsa20 cipher. It uses a 256-bit key and operates on 512-bit blocks, generating keystream that is XORed with plaintext for encryption.
The cipher is known for its speed, security, and resistance to timing attacks, making it an excellent choice for software implementations.
Algorithm Comparison
| Algorithm | Type | Key Length | Nonce Length | Best Use Case |
|---|---|---|---|---|
| ChaCha20 | Stream Cipher | 256 bits | 96 bits (12 bytes) | Raw encryption, custom protocols |
| ChaCha20-Poly1305 | AEAD | 256 bits | 96 bits (12 bytes) | TLS 1.3, QUIC, secure messaging |
| XChaCha20 | Stream Cipher | 256 bits | 192 bits (24 bytes) | Random nonce scenarios |
| XChaCha20-Poly1305 | AEAD | 256 bits | 192 bits (24 bytes) | Most applications (recommended) |
How ChaCha20 Works
ChaCha20 operates in 20 rounds, applying quarter-round functions to a 4×4 matrix of 32-bit words. The initial state consists of constants, a 256-bit key, a 32-bit counter, and a 96-bit nonce.
Each round permutes the state using additions, XORs, and rotations (ARX), providing excellent diffusion while remaining fast in software.
AEAD: Authenticated Encryption
ChaCha20-Poly1305 is an Authenticated Encryption with Associated Data (AEAD) construction standardized in RFC 8439. It combines ChaCha20 for encryption with Poly1305 MAC for authentication.
This ensures both confidentiality and integrity: any tampering with the ciphertext or AAD will be detected during decryption. The 128-bit authentication tag is computed over the ciphertext and AAD.
Key Features
- High Performance: Optimized for software implementations, 3× faster than AES on platforms without hardware acceleration
- Constant-time: Resistant to cache-timing attacks, unlike table-based AES implementations
- Simple Design: Uses only ARX operations (add, rotate, XOR), easy to implement correctly
- Wide Adoption: Used in TLS 1.3, OpenSSH, WireGuard, Signal Protocol, and many more
- Extended Nonce: XChaCha20 variant allows safe random nonce generation with negligible collision risk
Security Considerations
- Never reuse a nonce with the same key - this completely breaks security
- Use AEAD variants (Poly1305) for most applications to detect tampering
- For random nonces, use XChaCha20 (192-bit) to minimize collision probability
- Use a proper KDF (HKDF, Argon2) to derive keys from passwords
Real-World Usage
- TLS 1.3: Default cipher suite (TLS_CHACHA20_POLY1305_SHA256)
- WireGuard VPN: Primary encryption protocol
- Signal Protocol: End-to-end encrypted messaging
- Cloudflare: Preferred over AES-GCM for mobile clients
- Linux kernel: CSPRNG (/dev/urandom)
References
- RFC 7539 - ChaCha20 and Poly1305 for IETF Protocols
- RFC 8439 - ChaCha20 and Poly1305 for IETF Protocols (updated)
- Wikipedia - ChaCha20-Poly1305
- D.J. Bernstein - ChaCha, a variant of Salsa20
FAQ
What's the difference between ChaCha20 and AES?
Both are secure symmetric ciphers. ChaCha20 is 3× faster in software without hardware acceleration and resistant to timing attacks. AES is faster with hardware support (AES-NI). ChaCha20 is preferred for mobile and embedded devices.
Why use XChaCha20 instead of ChaCha20?
XChaCha20's 192-bit nonce allows safe random nonce generation. With a 96-bit nonce, you'd need careful nonce management to avoid collisions. XChaCha20 is recommended when you can't guarantee unique sequential nonces.
What is the counter parameter for?
The counter allows encrypting messages longer than 64 bytes by incrementing for each block. For AEAD modes, it starts at 1 (block 0 generates the Poly1305 key). Usually, you can leave it at the default (0).
Can I encrypt files with this tool?
This tool runs entirely in your browser and is suitable for encrypting text and small data. For large files, consider using native tools like openssl or libsodium-based applications.
Is this tool secure for production use?
This tool is for educational and development purposes. While the implementation follows standard specifications, production systems should use well-audited cryptographic libraries like libsodium, OpenSSL, or platform-provided APIs.