I know that the security of both are the same (only nonce size is different). But which one is faster and better to use, when encrypting a lot of files (500+, from 1MB to 200MB)?
Asked
Active
Viewed 986 times
1
-
Do you want us to try these performances? Of course, xChaCha20-Poly1305 is better since it enables longer nonces so that random nonces are secure – kelalaka Nov 14 '22 at 18:18
1 Answers
5
ChaCha20-Poly1305 is slightly more performant because there's no HChaCha20 subkey derivation. If you benchmark the two, this will be detectable. However, in the real world, the difference is negligible.
If you don't need random nonces, use ChaCha20-Poly1305 (the IETF version). Otherwise, or when unsure, use XChaCha20-Poly1305 with a random nonce each time. Just don't let the nonce repeat for a given key with either.
File encryption is often done with a unique key per file and a counter nonce that gets incremented for each chunk (e.g. the STREAM construction). This prevents chunk reordering easily. I discussed this in more detail here.
samuel-lucas6
- 1,783
- 7
- 17