XSalsa20

XSalsa20 is a stream cipher based on Salsa20. Salsa20 uses a 64-bit nonce. XSalsa20 uses a 192-bit nonce.

XSalsa20 is a two-level generalised cascade, using the output of HSalsa20 as a key for Salsa20. XSalsa20 uses the first 128 bits of the nonce and a 256-bit key to create a subkey. The remaining 64 bits of the nonce and the subkey become the parameters of the Salsa20 function to generate the stream. The longer nonce affects efficiency but it is less than the cost of generating a single Salsa20 output block.

The crypto_box function in the NaCl crypto library uses XSalsa20 with Curve25519 and Poly1305. XSalsa is used for secret-key authenticated encryption and secret-key encryption. Poly1305 is used for one-time authentication.

XSalsa20 is immune to timing attacks. XSalsa20 provides its own 64-bit block counter to avoid incrementing the nonce after each block.