- If you have hardware acceleration (e.g.
AES-NI), thenAES-GCMprovides better performance. On my benchmarks, it was faster by a factor of 1.28 on average.
If you do not have hardware acceleration,AES-GCMis either slower thanChaCha20-Poly1305, or it leaks your encryption keys in cache timing. AES-GCMcan target multiple security levels (128-bit,192-bit,256-bit), whereasChaCha20-Poly1305is only defined at the256-bitsecurity level.- Nonce size:
AES-GCM: Varies, but the standard is96-bit(12 bytes). If you supply a longer nonce, this gets hashed down to16 bytes.ChaCha20-Poly1305: The standardized version uses96-bitnonce (12 bytes), but the original used64-bitnonce (8 bytes).
- Wear-out of a single (key, nonce) pair:
AES-GCM: Messages must be less than2^32 – 2blocks (a.k.a.2^36 – 32 bytes, a.k.a.2^39 – 256-bit), that's roughly64GB. This also makes the security analysis ofAES-GCMwith long nonces complicated since the hashed nonce doesn’t start with the lower4 bytesset to00 00 00 02.ChaCha20-Poly1305:ChaChahas an internal counter (32-bitin the standardized IETF variant,64-bitin the original design). Max message length is2^39 - 256-bit, about256GB
- Neither algorithm is nonce misuse-resistant.
ChaChaPoly1305is better atSIMD
Both are good options. AES-GCM can be faster with hardware support, but pure-software implementations of
ChaCha20-Poly1305 are almost always fast and constant-time.