While you did not mention the source, here is one. Actually, the XSalsa family is described in Bernstein's paper.
Does the "X" in XSalsa20Poly1305 just mean a 192 bit nonce?
Yes, it means the nonce size of XSalsa is 192 bits, while Salsa's is 64 bits. This is so large that, even with random nonces, one has to generate $2^{96}$ uniform nonces before a collision occurs with 50% probability. This is very important for long-term keys. If a (key, nonce) pair is reused, then confidentiality is lost. The 192-bit nonce prevents this. It is an almost never-going-to-happen event in cryptography.
Is there a significant advantage of using XSalsa20Poly1305?
OpenSSL comparisons (ChaCha not Salsa):

| type | 16 bytes | 64 bytes | 256 bytes | 1024 bytes | 8192 bytes | 16384 bytes |
|---|---|---|---|---|---|---|
| chacha20 | 361334.62k | 665775.85k | 1334323.20k | 2750173.87k | 2945690.28k | 2972353.50k |
| aes-128-ctr NI | 525049.40k | 1867614.12k | 3840132.18k | 5231174.31k | 5816388.27k | 5875471.70k |
| aes-128-ctr | 190707.84k | 228983.55k | 236486.66k | 243153.92k | 242283.86k | 242614.27k |
Also, note that in the paper Bernstein provided a security proof: if Salsa20 is secure, then XSalsa is, too.
It is proven that 15 rounds of Salsa20 are secure against differential attacks.
Note that there is a new variant of the Salsa family: the ChaCha family. The ChaCha family aims to increase the diffusion per round at almost the same speed. The ChaCha family is more widely adopted than the Salsa family; TLS 1.3 uses ChaCha20-Poly1305.
ChaCha20 also has XChaCha20-Poly1305 (IETF draft), which uses the same 192-bit nonce size. It is preferable to XSalsa20-Poly1305. Note that the ChaCha family is less studied than the Salsa family due to the fact that Salsa is represented in the eSTREAM project.
Prefer XChaCha20-Poly1305 if you can.
Note that authenticated encryption is a must in transit; it is advisable for data at rest.