What is XChaCha20?
An extended-nonce variant of ChaCha20 that uses a 192-bit nonce, making it safer for situations where random nonce generation is necessary.
XChaCha20 extends the ChaCha20 cipher with a larger nonce size, reducing the risk of catastrophic nonce reuse.
Why Extended Nonces Matter
- Standard ChaCha20 uses a 96-bit nonce — safe only if nonces are never reused
- XChaCha20 uses a 192-bit nonce — can safely generate random nonces
- The probability of a random collision with 192 bits is negligibly small
Where It's Used
- Libsodium (the go-to cryptography library) uses XChaCha20 by default
- Age encryption tool
- Various secure messaging implementations
Technical Detail
XChaCha20 uses the HChaCha20 hash function to derive a subkey and reduced nonce from the extended nonce and key. This is a well-understood construction called XSalsa20/XChaCha20.
Related Terms
ChaCha20-Poly1305
A modern authenticated encryption algorithm that provides both confidentiality and integrity, widely used as an alternative to AES-GCM.
Nonce
A 'number used once'—a random or sequential value that ensures cryptographic operations produce unique results even with the same key. Nonces prevent replay attacks and are critical for secure encryption modes.
Symmetric Encryption
An encryption method where the same secret key is used for both encrypting and decrypting data. While fast and efficient, the challenge lies in securely sharing the key between parties.
Have more questions?
Use our guided flow to get the right next privacy step for XChaCha20.
Open Guided Flow