ChaCha20-Poly1305

[2][3] In March 2013, a proposal was made to the IETF TLS working group to include Salsa20, a winner of the eSTREAM competition,[4] to replace the aging RC4-based ciphersuites.

A discussion followed on the IETF TLS mailing list with various enhancement suggestions, including using ChaCha20 instead of Salsa20 and using a universal-hashing-based MAC for performance.

The outcome of this process was the adoption of Adam Langley's proposal for a variant of the original ChaCha20 algorithm (using a 32-bit counter and a 96-bit nonce) and a variant of the original Poly1305 (authenticating 2 strings), combined in an IETF draft[5][6] to be used in TLS and DTLS,[7] and chosen, for security and performance reasons, as a newly supported cipher.

[8] Shortly after the IETF's adoption for TLS, ChaCha20, Poly1305 and the combined AEAD mode were added to OpenSSH via the chacha20-poly1305@openssh.com authenticated encryption cipher,[9][10] which kept the original 64-bit counter and 64-bit nonce for the ChaCha20 algorithm.

[1] The ChaCha20-Poly1305 algorithm takes as input a 256-bit key and a 96-bit nonce to encrypt a plaintext,[1] with a ciphertext expansion of 128 bits (the tag size).

[24] ChaCha20-Poly1305 usually offers better performance than the more prevalent AES-GCM algorithm, except on systems where the CPU(s) have the AES-NI instruction set extension.[1]

As a result, ChaCha20-Poly1305 is sometimes preferred over AES-GCM, given its similar level of security, in certain use cases involving mobile devices, which mostly use ARM-based CPUs.

ChaCha20-Poly1305 Encryption