Score:0

How to choose between AES256-GCM, XSalsa20Poly1305 and XChaCha20Poly1305?

is flag

In libsodium, there're 3 symmetric encryption(stream cipher) which are AES256-GCM(Hardware-accelerated), XSalsa20Poly1305 and XChaCha20Poly1305(uncertain which version of libsodium add support to XChaCha20Poly1305).

Considering that AES256-GCM will be a primary choice if hardware supports it as it's an industry standard which commonly seen in file storage or any other applicable platform.

AES256-GCM was commonly seen in file storage as the server will request user's secret such as passwords/passphrase to derive a key then perform encryption/decryption.

In scenario where it uses total endpoint encryption(does not send any user's secret to the server), the encryption was done on devices instead of server.

If the device is unable to support AES256-GCM (hardware accelerated), how to choose between XSalsa20Poly1305(crypto_secretbox_easy) and XChaCha20Poly1305(secretbox_xchacha20poly1305)?

kelalaka avatar
in flag
If no hardware exist, XSalsa20 > XChaCha20 > AES-256 with 256 bit key sizes. We have tons of recommendations about this in our site. [Does ChaCha20/Salsa have the same bit strength as AES for identical key sizes?](https://crypto.stackexchange.com/q/70894/18298). And note that Salsa is the updated ChaCha and ChaCha/Salsa are faster on software. [Is ChaCha20 safer than AES with respect to side-channel attacks?](https://crypto.stackexchange.com/a/48264/18298)
kelalaka avatar
in flag
[Poly1305-AES vs AES-GCM](https://crypto.stackexchange.com/q/43112/18298). [Understanding the impact of partitioning oracle attacks on stream ciphers](https://crypto.stackexchange.com/q/88716/18298)
kelalaka avatar
in flag
Isn't it a hardware/OS specific problem? [What issues are there while using Linux's /dev/urandom for generating cryptographic keys?](https://crypto.stackexchange.com/q/85533/18298)? See libsodium page https://doc.libsodium.org/generating_random_data
Hern avatar
is flag
Alright thanks. I have learned something
cn flag
@kelalaka Actually ChaCha is newer than Salsa with improved performance.
kelalaka avatar
in flag
@LightBit that's completely true. My mistake. Salsa in 2005, ChaCha in 2008. Thanks for the notice.
Score:2
cn flag

This is kinda subjective. All options are supposed to be good.

If I would have to pick one I would pick XChaCha20Poly1305 as AES hardware support is limited. It is usually faster than software AES and safe from side channel attacks.

Only reason to use XSalsa20Poly1305 is old library support (which is probably not good idea anyway). Salsa20 is older and slightly slower on most CPUs and has slightly slower diffusion.

Hern avatar
is flag
So it's depending on how one views it. If they want to have a better tested version of stream cipher, it's better to go for XSalsa20Poly1305. If they want to have a faster and "probably" more secure version then go for XChaCha20Poly1305
cn flag
@Hern I would actually say ChaCha is better tested than Salsa, because it is also used for Blake hash function. Although Salsa was selected for eSTREAM, ChaCha is now more popular. Salsa is just 3 years older (actually it was published only 1 year before ChaCha). Google uses ChaCha. Many UNIX-like operating systems use it for random number generator.
Hern avatar
is flag
Update: Just confirmed something with the libsodium developer, they said that the existence of XChaCha20Poly1305 is only there for DNSCrypt perhaps that's the reason why they didn't bother to put the documentation on their libsodium-doc github repo and their website (https://doc.libsodium.org/)
Hern avatar
is flag
They didn't said that it will be removed so my binding can probably still have that coded in place.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.