Skip to content
NeoGuard

XChaCha20

A modern symmetric encryption cipher designed for high performance and resistance to timing attacks. Used by NordPass, Cloudflare, and Google as an alternative to AES.

XChaCha20 is a symmetric encryption algorithm from the ChaCha family, originally designed by cryptographer Daniel J. Bernstein. It is an extended-nonce variant of ChaCha20, meaning it uses a larger random value (192-bit nonce) to initialize each encryption operation, which makes accidental nonce reuse virtually impossible.

How it differs from AES

AES-256 is the most widely used encryption standard, but XChaCha20 has practical advantages in certain contexts:

  • No hardware dependency: AES performance depends on dedicated CPU instructions (AES-NI). On devices without hardware acceleration (older phones, IoT devices), AES can be slow. XChaCha20 is fast in pure software on any processor.
  • Timing attack resistance: AES implementations without hardware support can leak information through execution timing. XChaCha20’s design avoids data-dependent branching, making side-channel attacks harder.
  • Simpler implementation: Fewer implementation pitfalls means fewer opportunities for subtle security bugs.

Both AES-256 and XChaCha20 are considered secure by the cryptographic community. The choice between them is about implementation context, not theoretical strength.

Where it is used

  • NordPass uses XChaCha20 for vault encryption, paired with Argon2 for key derivation from the master password.
  • Cloudflare uses ChaCha20-Poly1305 for TLS connections where AES hardware acceleration is unavailable.
  • Google adopted ChaCha20-Poly1305 in Chrome and Android for the same reason.
  • WireGuard, a modern VPN protocol, uses ChaCha20-Poly1305 as its symmetric cipher.

XChaCha20-Poly1305

In practice, XChaCha20 is almost always paired with Poly1305, a message authentication code. Together they form an AEAD (Authenticated Encryption with Associated Data) construction. This means the cipher both encrypts and verifies data integrity: if a single bit is tampered with, decryption fails. This is the same principle behind AES-GCM, the authenticated mode of AES.

Why it matters

For end users, the specific cipher matters less than the overall architecture. A password manager using XChaCha20 with zero-knowledge design is not inherently “more secure” than one using AES-256 with the same architecture. What matters is: zero-knowledge (the provider cannot read your data), proper key derivation (strong master password hashing), and independent security audits.

Related Terms

EncryptionPassword ManagerVPN (Virtual Private Network)