Symmetric ciphers are fast
Authenticated symmetric encryption runs at gigabytes per second on a modern CPU, orders of magnitude faster than public-key operations. Using symmetric primitives for actual data is the only practical choice at scale.
RFC 8439 — authenticated encryption with a 192-bit nonce.
XChaCha20-Poly1305 is the authenticated symmetric cipher UltimaOS uses for every payload. Specified in RFC 8439, it combines the XChaCha20 stream cipher (a 192-bit nonce extension of ChaCha20) with the Poly1305 universal hash for authentication.
Grover's algorithm gives quantum computers a square-root speedup against symmetric ciphers. A 256-bit key retains 128-bit effective security against a quantum attacker — far beyond any plausible brute-force capability.
ChaCha20 is a stream cipher designed by Daniel J. Bernstein in 2008, selected for its simplicity, performance, and resistance to side-channel attacks. It is widely used: TLS 1.3, WireGuard, OpenSSH.
Every payload on UltimaOS — chat messages, files, calendar events, AI conversations, search indexes — is encrypted with XChaCha20-Poly1305 using a 256-bit symmetric key derived from the ML-KEM-768 session.
Each conversation, file share, or call uses a fresh 256-bit symmetric key, derived from the ML-KEM-768 encapsulation. There is no long-term symmetric key on the server.
XChaCha20's 192-bit nonce (24 bytes) is large enough that random nonces can be used safely — collision probability remains negligible even after 2^64 messages with the same key.
Poly1305 computes a 16-byte authenticator over the ciphertext and any associated data. Tampering with the ciphertext or headers invalidates the tag, and the receiving client refuses to decrypt.
Files are split into chunks, each with its own nonce and Poly1305 tag. Chunks can be verified and decrypted in any order, enabling streaming download without waiting for the full file.
Modern CPUs from Intel, AMD, and ARM all include AES-NI or equivalent vector instructions. ChaCha20 is the chosen cipher for systems without hardware AES (mobile devices) or for side-channel resistance.
Nonce generation uses a per-message counter combined with the random nonce prefix. With 192-bit nonces, reuse is statistically impossible even after billions of messages per session.
Reference implementations of ChaCha20 are constant-time, eliminating side-channel leakage of key material through timing or cache analysis.
The reference implementations come from libsodium, BoringSSL, and the RustCrypto crates. All are independently audited annually; the audit reports are referenced on the security disclosure page.
XChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) cipher. It combines the XChaCha20 stream cipher (24-byte nonce variant of ChaCha20) with the Poly1305 MAC for authentication. It is specified in RFC 8439. (RFC 8439)
Both are excellent ciphers. XChaCha20 has the practical advantage of constant-time software implementations without requiring hardware AES instructions, making it more robust against side-channel attacks on mobile devices. The 192-bit nonce also makes random-nonce constructions safe.
Grover's algorithm provides a quadratic speedup against symmetric ciphers. A 256-bit key retains 128-bit effective quantum security, which is far beyond any plausible brute-force capability — including by quantum computers.
XChaCha20 uses a 192-bit nonce (24 bytes) instead of ChaCha20's 96-bit nonce (12 bytes). The extra nonce bits are derived by running ChaCha20 with a derived key. The longer nonce allows safe random nonce generation without exhaustion concerns.
Poly1305 is a fast universal hash function designed by Daniel J. Bernstein. In AEAD constructions like XChaCha20-Poly1305, Poly1305 computes a 16-byte authenticator over the ciphertext that proves the ciphertext was not tampered with.
Yes. TLS 1.3 (RFC 8446) supports ChaCha20-Poly1305 as a cipher suite. WireGuard VPN uses ChaCha20-Poly1305 exclusively. OpenSSH has used ChaCha20-Poly1305 since version 6.5.
Poly1305 is a universal hash; its output is unforgeable under standard cryptographic assumptions. Even if a collision occurred (probability ~2^-128), it would not allow forgery without breaking Poly1305 itself, which would imply breaking AES.