Why the Choice of Encryption Matters

When you entrust sensitive messages to an online service, you place implicit trust in it: that it cannot read them. But that trust should not rest on a commercial promise — it must be mathematically guaranteed.

That is the role of encryption. And not all algorithms are equal.

What Is XChaCha20-Poly1305?

XChaCha20-Poly1305 is an authenticated encryption algorithm (AEAD — Authenticated Encryption with Associated Data). It combines two components:

  • XChaCha20: a stream cipher that transforms your data into unreadable ciphertext using a key and a unique nonce.
  • Poly1305: a message authentication code (MAC) that guarantees data integrity — any tampering is immediately detected.

The X prefix in XChaCha20 denotes an extended variant of ChaCha20, with a 192-bit nonce instead of 96 bits. This virtually eliminates any risk of nonce reuse — one of the main vulnerabilities in encryption systems in practice.

Why Not AES-GCM?

AES-GCM is the most widespread algorithm. It is solid — but it has characteristics that led our choice towards XChaCha20-Poly1305:

Nonce Reuse Sensitivity

If a nonce is reused with AES-GCM, the consequences are catastrophic: the secret key can be reconstructed. XChaCha20 with its 192-bit nonces makes this mistake virtually impossible in practice.

Performance Without Hardware Acceleration

AES-GCM benefits from hardware acceleration (AES-NI) on modern processors. But not all environments have it. XChaCha20-Poly1305 is designed to be fast in pure software, offering comparable or superior performance on architectures without AES-NI.

Timing Attack Resistance

ChaCha20 is designed to run in constant time, making it more resistant to side-channel attacks (timing attacks). AES can, in certain non-hardware implementations, be vulnerable to this type of attack.

Client-Side Encryption: The Essential Difference

Using XChaCha20-Poly1305 is one thing. But what makes the real difference at EchoPass is where encryption takes place.

Most services that claim to "encrypt your data" do so server-side: your data arrives in plaintext on their servers, then is stored encrypted. Technically, they have access to your unencrypted data.

At EchoPass, encryption is entirely client-side:

  1. You type your message in the browser.
  2. Your password is used to derive a key via Argon2id.
  3. The key encrypts your message with XChaCha20-Poly1305 in your browser.
  4. Only the ciphertext is sent to our servers.

Result: we technically cannot read your messages — even if we wanted to, even under legal order, even in the event of a database breach.

Argon2id: Key Derivation

The strength of encryption also depends on the quality of the key. And the key is derived from your password — which may be relatively short or predictable.

That's where Argon2id comes in, the key derivation algorithm (KDF) that won the Password Hashing Competition. It is designed to make brute-force attacks extremely costly, even with specialised hardware (GPUs, ASICs).

Argon2id combines the advantages of two variants:

  • Argon2i: resistant to side-channel attacks
  • Argon2d: resistant to GPU attacks through intensive memory usage

What This Means for You

In concrete terms, here is what this architecture guarantees:

  • Your messages are unreadable to EchoPass at all times
  • A breach of our database does not expose your messages, only encrypted data
  • An attacker who steals your password cannot decrypt your messages without access to your local data
  • No government or legal order can compel us to reveal your messages

Security is not a promise. It is an architecture.