What is ChaCha20?

ChaCha20 is a performant and lightweight, yet highly secure, 256-bit stream cipher(new window) used to encrypt and decrypt data. It’s often used to secure data transmitted online, such as emails, messages, web traffic, and files being uploaded to the cloud.

You could think of ChaCha20 as a specialized, highly secure safe. When you encrypt data with ChaCha20, it’s like putting it inside a safe. This safe (ChaCha20) scrambles the contents (your data) so that it becomes unreadable to anyone who doesn’t have the key. This key is a secret code that only the sender and intended receiver know. If someone else tries to read the data without the key, all they see is gibberish.

Learn more about what encryption is and why it’s important(new window)

ChaCha20 performs a very similar function to the older and more established AES encryption cipher, and offers some (fairly minor) security improvements over it.

Learn more about AES encryption

ChaCha20 is often combined with the Poly1305 message authentication code to create the ChaCha20-Poly1305 encryption algorithm, which we explain a bit later in this article.

ChaCha20-Poly1305 and AES-GCM are the only symmetric key encryption ciphers recommended for use with TLS 1.3(new window). While the secure but somewhat aging OpenVPN protocol uses AES to secure data, the new lightweight WireGuard protocol uses ChaCha20-Poly1305. 

ChaCha20 was developed by American German mathematician, cryptographer, and computer scientist Daniel J. Bernstein(new window) in 2008, and is based on an earlier cipher also developed by Bernstein in 2005 — Salsa20(new window). Bernstein also created the Poly1305 universal hash family(new window) that ChaCha20 is often combined with, and the Curve25519(new window) elliptic curve used to secure the WireGuard key exchange. 

In 2014, Google deployed(new window) support for a TLS cipher suite using ChaCha20-Poly1305 in its Chrome browser, and this is now supported by all major browsers.

Notable features of ChaCha20

ChaCha20 is a symmetric-key algorithm

Like AES, ChaCha20 uses the same key to both encrypt and decrypt data (there may sometimes be a simple transformation between the two keys, but they are always derived from the same key). 

This is in contrast to asymmetric-key algorithms such as RSA(new window), which use separate public and private keys. Also known as public-key cryptography(new window), these allow you to securely share data over a distance by making the public key widely available for others to encrypt data with, but which can only be decrypted using the correct private key.

Asymmetric-key algorithms require a high level of computational power, which makes them relatively slow, and thus most useful for encrypting small amounts of data. RSA, for example, is used to perform the TLS key exchange that occurs when connecting to an HTTPS website.

WireGuard and modern TLS cipher suites use a newer approach to asymmetric-key encryption — elliptic-curve cryptography (ECC) — to secure key-exchanges. While more efficient than traditional algorithms such as RSA, it’s still relatively slow.

Symmetric-key algorithms such as ChaCha20, on the other hand, require much less processing power than asymmetric-key ciphers (often cited as being around 1,000 times faster). This makes them ideal for encrypting large volumes of data. 

Where large amounts of data need to be transmitted over a distance (such as over the internet), the data itself is encrypted using a symmetric-key algorithm, while the key exchange is secured using an asymmetric-key algorithm.

In the case of TLS (and therefore also OpenVPN), the symmetric-key algorithm is usually AES, with the key exchange certified using RSA. For WireGuard, ChaCha20 is used for symmetric-key encryption, and Curve25519 to secure the key exchange. 

ChaCha20 is often combined with Poly1305

Poly1305 is a type of cryptographic algorithm used to ensure the security and integrity of data — that is, to ensure data hasn’t changed during transit — using a secret key shared between a sender and recipient. It helps ensure that your secret messages remain private and unaltered during transmission, providing a way for both parties to trust the authenticity and integrity of their communication.

To use an analogy, Poly1305 is like putting a special seal on your message that only the person you’re communicating with can recognize. If the seal is intact when they receive it, they know the message is safe and from you. If someone tries to tamper with the message, the seal will break, and the receiver will know that something is wrong.

This is why, when used together, ChaCha20-Poly130 is referred to as an authenticated encryption with additional data(new window) (AEAD) algorithm. Although the math used is different, the concept is very similar to the Galois/counter (GCM) mode used by AES (which is also an AEAD algorithm). 

ChaCha20 vs. AES

As we’ve seen, ChaCha20 fulfills a very similar purpose to the older and much more prevalent AES (as ChaCha20-Poly1305 does to AES-GCM). So which is better?

Learn more about AES encryption

Security

Legendary cryptographer Bruce Schneier(new window) once explained(new window) that “cryptography is all about safety margins. If you can break n round of a cipher, you design it with 2n or 3n rounds”. Both AES and ChaCha20 encrypt data using rounds, each consisting of a series of mathematical operations. 

AES-256 uses 14 rounds, while ChaCha20 uses 20 rounds. The number of rounds itself cannot be usefully compared, but in the highly influential paper, Too Much Crypto(new window), its authors set out to “propose numbers of rounds for which we have strong confidence that the algorithm will never be wounded, let alone broken”. Their conclusion recommends that AES-256 only needs 11 rounds (instead of the 14 it uses), while ChaCha20 only needs 8 (instead of the 20 it uses). 

This means ChaCha20 has a higher safety margin than AES-256. However, as the paper’s authors also note about the calculations from which their recommendations arise, “From these surrealist figures, it is obvious that such an attack is only a cryptanalysis exercise and does not have much to do with the real security of AES”. In other words, AES and ChaCha20 are both sufficiently secure mathematically.

But is AES vulnerable in other ways? AES has known vulnerabilities to timing attacks(new window), where the number of combinations required to make a successful brute force attack can be reduced by looking at how long a computer takes to perform an operation (although there are a number of ways to protect against this). 

Thanks to its use of add-rotate-xor (new window)operations (a highly complex mathematical procedure that makes it very hard for unauthorized users to understand or modify the information operated on), software implementations of ChaCha20 are much more resistant to such timing attacks. But again, this is all very theoretical. Properly implemented AES and AES-GCM are widely regarded as being unbreakable by any known practical attack.

Performance

AES performance is often boosted with AES-NI(new window) hardware support built into modern processors. However, even with this, ChaCha20 usually offers better performance than AES. 

The biggest gains with ChaCha-Poly1305 are on hardware that doesn’t support AES-NI acceleration, such as some ARM chips.

What is XChaCha20?

A cryptographic nonce(new window) is an arbitrary value used only once to make an operation (such as encryption or hashing) unique. eXtended-nonce ChaCa20 (XChaCha20) is a variant of ChaCha20 that uses a 192-bit nonce instead of a 96-bit nonce. This makes picking a random nonce notably safer, as there’s effectively no chance that it could be re-used.

(“Bits” refers to the size or length of the cryptographic keys. In very simple terms, the higher the bit length, the more secure the key.)

However, there is no officially recognized standard for XChaCha20, and the last attempt to establish one(new window) failed in 2020. This has led to a slow uptake of the slightly more secure variant. 

Final thoughts

ChaCha20 is a secure and performant symmetric-key algorithm that is closely comparable to the more established AES (as ChaCha20-Poly1305 is to AEA-GCM).

It offers some advantages over AES, but these are negligible enough that most major industry players see little advantage in changing over from AES. For many(new window), the main benefit of ChaCha20 is that it offers a “backup” algorithm in the highly unlikely event that a major weakness is discovered in AES (or AES-GCM). 

However, the choice of ChaCha20-Poly1305 over AEA-GCM to secure data transmitted using the WireGuard VPN protocol has given new prominence to the algorithm, which may yet have a very bright future. 

Related articles

Watch Thanksgiving Day football with Proton VPN
Here's how you can live stream this year's Thanksgiving football games using Proton VPN, whether you're watching from home or abroad.
Where to watch Macy's Thanksgiving day parade
Here's how and where to watch Macy's Thanksgiving Day Parade live from anywhere in the world with Proton VPN.
What we've been up to, and what's next
Here are the main things Proton VPN delivered this spring and summer and the exciting changes that lie ahead on our product roadmap this winter.
Proton VPN for Windows ARM
We’re pleased to announce a new Proton VPN app with native support for Windows devices that use the ARM chipset.
What is doxing and is doxing illegal
We look at what doxing is, who does it (and why), and at how to protect yourself from doxing .
Stream securely on tvOS with Proton VPN
With the Proton VPN Apple TV app, you can easily and securely watch your favorite content on your big-screen TV no matter where you are.