ChaCha20 Online Encryption/Decryption
ChaCha20, ChaCha20-Poly1305 and XChaCha20 encryption/decryption tool. Supports AEAD authenticated encryption, multiple input/output formats. Secure and fast, runs entirely in browser.
Initial block counter value (usually 0 for encryption, use same value for decryption)
About ChaCha20
ChaCha20 is a modern stream cipher designed by Daniel J. Bernstein in 2008, derived from the Salsa20 cipher. It uses a 256-bit key, operates on 512-bit blocks, generating a keystream that is XORed with plaintext for encryption.
The cipher is known for its speed, security, and resistance to timing attacks, making it an excellent choice for software implementations.
Algorithm Comparison
| Algorithm | Type | Key Length | Nonce Length | Best Use Case |
|---|---|---|---|---|
| ChaCha20 | Stream Cipher | 256 bits | 96 bits (12 bytes) | Raw encryption, custom protocols |
| ChaCha20-Poly1305 | AEAD | 256 bits | 96 bits (12 bytes) | TLS 1.3, QUIC, secure messaging |
| XChaCha20 | Stream Cipher | 256 bits | 192 bits (24 bytes) | Random nonce scenarios |
| XChaCha20-Poly1305 | AEAD | 256 bits | 192 bits (24 bytes) | Most applications (recommended) |
How ChaCha20 Works
ChaCha20 performs 20 rounds of operations, applying quarter-round functions to a 4×4 matrix of 32-bit words. The initial state consists of constants, a 256-bit key, a 32-bit counter, and a 96-bit nonce.
Each round uses addition, XOR, and rotation (ARX) to permute the state, providing excellent diffusion while maintaining high software performance.
AEAD: Authenticated Encryption
ChaCha20-Poly1305 is an Authenticated Encryption with Associated Data (AEAD) construction standardized in RFC 8439. It combines ChaCha20 encryption with Poly1305 MAC authentication.
This ensures both confidentiality and integrity - any tampering with the ciphertext or AAD will be detected during decryption. The 128-bit authentication tag is computed from the ciphertext and AAD.
Key Features
- High Performance: Optimized for software implementations, 3x faster than AES on platforms without hardware acceleration
- Constant Time: Resistant to cache timing attacks, unlike table-based AES implementations
- Simple Design: Uses only ARX operations (addition, rotation, XOR), easy to implement correctly
- Wide Adoption: Used in TLS 1.3, OpenSSH, WireGuard, Signal protocol, and more
- Extended Nonce: XChaCha20 variant allows secure random nonce generation with no collision risk
Security Considerations
- Never reuse nonce under the same key - this completely breaks security
- Most applications should use AEAD variant (Poly1305) to detect tampering
- For random nonces, use XChaCha20 (192-bit) to minimize collision probability
- Use proper KDF (HKDF, Argon2) to derive keys from passwords
Real-World Usage
- TLS 1.3: Default cipher suite (TLS_CHACHA20_POLY1305_SHA256)
- WireGuard VPN: Primary encryption protocol
- Signal Protocol: End-to-end encrypted messaging
- Cloudflare: Preferred over AES-GCM for mobile clients
- Linux Kernel: CSPRNG (/dev/urandom)