AES vs ChaCha20: Symmetric Encryption
Comparing AES-GCM and ChaCha20-Poly1305 — performance, mobile use cases, and TLS cipher selection.
Published:
Tags: AES vs ChaCha20, ChaCha20-Poly1305 vs AES-GCM, symmetric cipher comparison
AES vs ChaCha20: Symmetric Encryption AES-GCM and ChaCha20-Poly1305 are the two authenticated encryption standards in TLS 1.3. They provide equivalent security, but their performance characteristics differ based on hardware support. Understanding the tradeoffs helps you choose cipher suites and optimize for your deployment environment. --- What is Algorithm Overview? AES-256-GCM AES (Advanced Encryption Standard) is a block cipher. In GCM mode, it uses counter mode (CTR) for encryption and GHASH for authentication. Performance depends heavily on hardware: With AES-NI (Intel/AMD CPUs, Apple M-series): ~1–10 GB/s Without AES-NI (older ARM, MIPS, IoT): ~50–200 MB/s Hardware: Available on most 2010+ desktop and server CPUs ChaCha20-Poly1305 ChaCha20 is a stream cipher. It adds 32-bit words…
Frequently Asked Questions
What is ChaCha20?
ChaCha20 is a stream cipher designed by Daniel J. Bernstein, published in 2008. It is a variant of Salsa20 with improved diffusion. ChaCha20 combined with the Poly1305 MAC forms ChaCha20-Poly1305, an authenticated encryption scheme. It is standardized in RFC 7539 and is used in TLS 1.3, QUIC, WireGuard, and OpenSSH.
How does ChaCha20 compare to AES?
Both provide strong authenticated encryption. AES-GCM is faster when hardware AES-NI acceleration is available (most modern desktop and server CPUs). ChaCha20-Poly1305 is faster on hardware without AES-NI — primarily mobile devices, IoT, and older ARM processors. Security-wise, both are considered equivalent for practical purposes.
When is ChaCha20 faster than AES?
ChaCha20 is faster than AES on CPUs without dedicated AES-NI instructions. The Intel AES-NI extension (available since 2010 on Intel/AMD CPUs) allows AES to run at near-memory-speed. On ARM Cortex-A53, Cortex-A55 (common in budget Android phones), and many IoT microcontrollers, there is no hardware AES acceleration and ChaCha20 is significantly faster.
What cipher does TLS 1.3 use?
TLS 1.3 supports two AEAD cipher suites: AES-128-GCM-SHA256, AES-256-GCM-SHA384, and ChaCha20-Poly1305-SHA256. Servers and clients negotiate the best mutually supported cipher. Google Chrome prefers ChaCha20-Poly1305 on devices without AES-NI; AES-256-GCM elsewhere. Both provide equivalent security.
What is the Poly1305 MAC?
Poly1305 is a one-time message authentication code designed by Daniel J. Bernstein. It uses a 128-bit key and produces a 128-bit authentication tag. Combined with ChaCha20, it provides authenticated encryption equivalent to AES-GCM's auth tag. Poly1305 is fast in software and does not benefit from hardware acceleration the way AES-GCM does.
All articles · theproductguy.in