00 Cryptography

XChaCha20-Poly1305

RFC 8439 — authenticated encryption with a 192-bit nonce.

XChaCha20-Poly1305 is the authenticated symmetric cipher UltimaOS uses for every payload. Specified in RFC 8439, it combines the XChaCha20 stream cipher (a 192-bit nonce extension of ChaCha20) with the Poly1305 universal hash for authentication.

01 Overview

Why a symmetric cipher for everything.

01

Symmetric ciphers are fast

Authenticated symmetric encryption runs at gigabytes per second on a modern CPU, orders of magnitude faster than public-key operations. Using symmetric primitives for actual data is the only practical choice at scale.

02

Quantum impact is limited

Grover's algorithm gives quantum computers a square-root speedup against symmetric ciphers. A 256-bit key retains 128-bit effective security against a quantum attacker — far beyond any plausible brute-force capability.

03

XChaCha20 is a modern stream cipher

ChaCha20 is a stream cipher designed by Daniel J. Bernstein in 2008, selected for its simplicity, performance, and resistance to side-channel attacks. It is widely used: TLS 1.3, WireGuard, OpenSSH.

02 Details

How XChaCha20-Poly1305 works in UltimaOS.

Every payload on UltimaOS — chat messages, files, calendar events, AI conversations, search indexes — is encrypted with XChaCha20-Poly1305 using a 256-bit symmetric key derived from the ML-KEM-768 session.

01

256-bit session keys

Each conversation, file share, or call uses a fresh 256-bit symmetric key, derived from the ML-KEM-768 encapsulation. There is no long-term symmetric key on the server.

02

192-bit random nonces

XChaCha20's 192-bit nonce (24 bytes) is large enough that random nonces can be used safely — collision probability remains negligible even after 2^64 messages with the same key.

03

Poly1305 authentication

Poly1305 computes a 16-byte authenticator over the ciphertext and any associated data. Tampering with the ciphertext or headers invalidates the tag, and the receiving client refuses to decrypt.

04

File streaming

Files are split into chunks, each with its own nonce and Poly1305 tag. Chunks can be verified and decrypted in any order, enabling streaming download without waiting for the full file.

03 Key points

Practical considerations.

  1. Hardware acceleration is everywhere

    Modern CPUs from Intel, AMD, and ARM all include AES-NI or equivalent vector instructions. ChaCha20 is the chosen cipher for systems without hardware AES (mobile devices) or for side-channel resistance.

  2. No nonce reuse

    Nonce generation uses a per-message counter combined with the random nonce prefix. With 192-bit nonces, reuse is statistically impossible even after billions of messages per session.

  3. Constant-time implementation

    Reference implementations of ChaCha20 are constant-time, eliminating side-channel leakage of key material through timing or cache analysis.

  4. Library audits

    The reference implementations come from libsodium, BoringSSL, and the RustCrypto crates. All are independently audited annually; the audit reports are referenced on the security disclosure page.

05 Frequently asked

Questions about XChaCha20-Poly1305.

What is XChaCha20-Poly1305?

XChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) cipher. It combines the XChaCha20 stream cipher (24-byte nonce variant of ChaCha20) with the Poly1305 MAC for authentication. It is specified in RFC 8439. (RFC 8439)

Why use XChaCha20 instead of AES-256-GCM?

Both are excellent ciphers. XChaCha20 has the practical advantage of constant-time software implementations without requiring hardware AES instructions, making it more robust against side-channel attacks on mobile devices. The 192-bit nonce also makes random-nonce constructions safe.

What is the effective key size against quantum computers?

Grover's algorithm provides a quadratic speedup against symmetric ciphers. A 256-bit key retains 128-bit effective quantum security, which is far beyond any plausible brute-force capability — including by quantum computers.

What is the difference between ChaCha20 and XChaCha20?

XChaCha20 uses a 192-bit nonce (24 bytes) instead of ChaCha20's 96-bit nonce (12 bytes). The extra nonce bits are derived by running ChaCha20 with a derived key. The longer nonce allows safe random nonce generation without exhaustion concerns.

What is Poly1305?

Poly1305 is a fast universal hash function designed by Daniel J. Bernstein. In AEAD constructions like XChaCha20-Poly1305, Poly1305 computes a 16-byte authenticator over the ciphertext that proves the ciphertext was not tampered with.
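The construction described in the answers above, written out as an added example (not UltimaOS code and not taken from any library named on this page): HChaCha20 turns the key and the first 16 nonce bytes into a subkey, the remaining 8 nonce bytes become the ChaCha20 nonce, and Poly1305 tags the associated data and ciphertext. It is plain Python for reading and testing, not a constant-time implementation, and every function name is chosen here.

```python
import hmac, struct

M32 = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")
QR = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),   # columns
      (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))   # diagonals
def _rotl(v, n): return ((v << n) | (v >> (32 - n))) & M32

def _rounds(s):
    for _ in range(10):                      # 10 double rounds = 20 rounds
        for a, b, c, d in QR:
            s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
            s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
            s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
            s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)
    return s

def hchacha20(key, nonce16):   # output: state words 0-3 and 12-15, no feed-forward
    s = _rounds(list(SIGMA + struct.unpack("<8I", key) + struct.unpack("<4I", nonce16)))
    return struct.pack("<8I", *s[:4], *s[12:])

def chacha20_block(key, counter, nonce12):
    init = SIGMA + struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce12)
    return struct.pack("<16I", *((x + y) & M32 for x, y in zip(_rounds(list(init)), init)))

def poly1305(otk, msg):
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # clamp r
    acc = 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % ((1 << 130) - 5)
    return ((acc + int.from_bytes(otk[16:], "little")) % (1 << 128)).to_bytes(16, "little")

def _xor(sub, n12, data):                    # keystream starts at block counter 1
    ks = b"".join(chacha20_block(sub, 1 + i, n12) for i in range((len(data) + 63) // 64))
    return bytes(a ^ b for a, b in zip(data, ks))
def _tag(sub, n12, ad, ct):                  # block 0 supplies the one-time Poly1305 key
    padded = b"".join(x + bytes(-len(x) % 16) for x in (ad, ct))
    return poly1305(chacha20_block(sub, 0, n12)[:32], padded + struct.pack("<QQ", len(ad), len(ct)))

def encrypt(key, nonce24, plaintext, ad=b""):
    sub, n12 = hchacha20(key, nonce24[:16]), bytes(4) + nonce24[16:]  # XChaCha20 step
    ct = _xor(sub, n12, plaintext)
    return ct + _tag(sub, n12, ad, ct)

def decrypt(key, nonce24, sealed, ad=b""):
    sub, n12 = hchacha20(key, nonce24[:16]), bytes(4) + nonce24[16:]
    ct, tag = sealed[:-16], sealed[-16:]
    if not hmac.compare_digest(tag, _tag(sub, n12, ad, ct)):   # verify before decrypting
        raise ValueError("tag mismatch: ciphertext or associated data was modified")
    return _xor(sub, n12, ct)
```

`decrypt` raises `ValueError` when a single bit of the ciphertext, the tag, or the associated data differs from what was sealed, which is the refusal to decrypt described under "Poly1305 authentication".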

Is XChaCha20-Poly1305 used outside UltimaOS?

Yes. TLS 1.3 (RFC 8446) supports ChaCha20-Poly1305 as a cipher suite. WireGuard VPN uses ChaCha20-Poly1305 exclusively. OpenSSH has used ChaCha20-Poly1305 since version 6.5.

What if a Poly1305 collision occurs?

Poly1305 is a universal hash; its output is unforgeable under standard cryptographic assumptions. Even if a collision occurred (probability ~2^-128), it would not allow forgery without breaking Poly1305 itself, which would imply breaking AES.