VaultKeepR
← Back to blog

Why XChaCha20-Poly1305 Is the Future of Password Encryption

VaultKeepR Team5 min read
encryptionsecuritycryptography

Why XChaCha20-Poly1305 Is the Future of Password Encryption

When we built VaultKeepR, we had to make one of the most consequential decisions in the entire project: which encryption algorithm to use for your vault. AES-256 is the industry standard. It's NIST-approved, widely deployed, and has decades of cryptanalysis behind it.

We chose XChaCha20-Poly1305 instead. Here's why.

What Is XChaCha20-Poly1305?

XChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) construction. Let's break that down:

  • XChaCha20 — A stream cipher designed by Daniel J. Bernstein, extended to use 192-bit nonces
  • Poly1305 — A one-time authenticator that provides integrity and authenticity
  • AEAD — The combination provides both confidentiality (nobody can read your data) AND integrity (nobody can tamper with it) in a single operation

The Lineage

Salsa20 (2005, Bernstein)


  └── ChaCha20 (2008, improved diffusion)
       └── XChaCha20 (2018, extended nonce)
            └── XChaCha20-Poly1305 (AEAD construction)

Why Not AES-256?

AES-256 is secure. Let's be clear about that. But there are practical reasons to prefer ChaCha20-Poly1305 for a password manager:

1. Constant-Time by Design

AES relies on substitution boxes (S-boxes) for its non-linear component. On CPUs without hardware AES-NI instructions, software implementations of AES are vulnerable to cache-timing attacks:

  • The CPU caches S-box lookups in memory
  • An attacker sharing the same hardware (VMs, containers) can observe cache access patterns
  • These patterns leak information about the encryption key

ChaCha20 uses only additions, rotations, and XOR operations (ARX). These operations take the same amount of time regardless of the input data. No lookup tables, no cache timing vulnerabilities.

This matters especially on:

  • Mobile devices — Not all ARM chips have AES acceleration
  • IoT and embedded systems — Limited hardware support
  • Shared cloud environments — Where side-channel attacks are practical

2. 192-Bit Nonces: Nonce Collision Is Virtually Impossible

AES-GCM uses 96-bit nonces. With random nonce generation, the birthday bound means you risk nonce collision after approximately 2^48 encryptions with the same key. That's about 281 trillion — sounds like a lot, but:

  • A password manager syncing frequently across multiple devices could generate thousands of encryptions
  • If a nonce is ever reused with the same key, AES-GCM's security completely breaks — the authentication is compromised and ciphertext can be forged

XChaCha20's 192-bit nonce pushes the birthday bound to approximately 2^96 — a number so large that nonce collision is practically impossible even if you encrypt trillions of messages per second for billions of years.

This is why XChaCha20 is called "nonce-misuse resistant" in practice. You can safely generate random nonces without maintaining a counter, which simplifies implementation and reduces the risk of bugs.

3. Performance Without Hardware Acceleration

On devices with AES-NI (most modern x86 CPUs), AES-256-GCM is extremely fast. But on devices without it:

CPU TypeAES-256-GCMChaCha20-Poly1305
x86 with AES-NI~1 GB/s~0.8 GB/s
x86 without AES-NI~0.1 GB/s~0.8 GB/s
ARM without AES acceleration~0.05 GB/s~0.5 GB/s
WebAssembly (browser)VariableConsistently fast

For a password manager that runs in browsers, browser extensions, and mobile apps, consistent performance across all platforms is critical.

4. Simpler Construction, Fewer Footguns

AES-GCM is powerful but has several known "footguns" — ways that a correct-looking implementation can be catastrophically insecure:

  • Nonce reuse → Complete authentication failure
  • Ciphertext truncation → GCM tag must be checked before any plaintext is released
  • Key-commitment → AES-GCM is not key-committing — the same ciphertext can decrypt under different keys to different plaintexts

XChaCha20-Poly1305 has fewer implementation pitfalls, and VaultKeepR adds an HMAC-SHA256 commitment scheme on top to prevent ciphertext substitution attacks.

Who Else Uses ChaCha20-Poly1305?

This isn't an obscure academic cipher. It's used in production by some of the most security-critical systems:

  • WireGuard — The modern VPN protocol exclusively uses ChaCha20-Poly1305
  • Signal — The gold standard of encrypted messaging
  • Cloudflare — Serves ChaCha20-Poly1305 to mobile clients by default
  • Google Chrome — TLS cipher suite for non-AES-NI devices
  • OpenSSH — Default cipher for new connections since 2014
  • Linux kernel — Used in the kernel's random number generator

How VaultKeepR Uses XChaCha20-Poly1305

In VaultKeepR's architecture, XChaCha20-Poly1305 is the final encryption step in a multi-layered security model: 

1. User enters master password

  1. Wallet signs a deterministic message (EIP-191)
  2. Argon2id(password + signature) → 256-bit Master Key
  3. Random 192-bit nonce generated
  4. XChaCha20-Poly1305(Master Key, nonce, vault JSON) → Ciphertext
  5. HMAC-SHA256 commitment appended
  6. Ciphertext + nonce + commitment → IPFS

The key points:

  • Fresh random nonce every encryption — safe thanks to XChaCha20's 192-bit nonce space
  • Argon2id KDF — makes brute-force attacks on the master password extremely expensive
  • Wallet signature binding — the encryption key depends on something you know (password) AND something you have (wallet)
  • HMAC commitment — prevents an attacker from swapping your encrypted vault with a different valid ciphertext

The Bottom Line

AES-256 is not broken. It's still a perfectly valid choice. But for a password manager that needs to:

  • Run in browsers, extensions, and mobile apps (variable hardware)
  • Use random nonces safely without counter management
  • Resist side-channel attacks on diverse platforms
  • Minimize implementation complexity

XChaCha20-Poly1305 is the better fit. It's the cipher that security practitioners choose when they're building new systems from scratch — and that's exactly what VaultKeepR is.

Frequently Asked Questions

Is ChaCha20 quantum-resistant?

No, like AES, ChaCha20 is a symmetric cipher and is affected by Grover's algorithm, which effectively halves the key strength against quantum attacks. A 256-bit key becomes ~128-bit secure against quantum computers — still considered safe for the foreseeable future.

Can I verify which cipher VaultKeepR uses?

Yes. The @vault-keeper/core package is open source. You can inspect the encryption implementation directly on GitHub.

Is XChaCha20-Poly1305 NIST-approved?

ChaCha20-Poly1305 is standardized in IETF RFC 8439. While not part of the traditional NIST suite, it's widely accepted and recommended by security researchers. The extended nonce variant (XChaCha20) is described in a separate IETF draft and implemented in libsodium, the most widely used cryptography library.

Keep Reading

Your passwords deserve the best encryption available. VaultKeepR uses XChaCha20-Poly1305 because your security shouldn't depend on which device you're using.

Learn more about VaultKeepR's security →

Share𝕏in

Ready to take control of your passwords?

VaultKeepR is the first decentralized password manager. Zero-knowledge. Wallet-native. Yours.

Try VaultKeepR →