Both of these are AEAD ciphers — Authenticated Encryption with Associated Data. An AEAD does two things at once: it keeps your data confidential (you can't read it without the key) and it guarantees integrity (you can't tamper with it without detection). That combination is the modern baseline; using a raw cipher without authentication is a well-known footgun that leads to padding oracle and related attacks. The interesting question isn't whether to use an AEAD — it's which one.
AES-GCM: The Hardware-Accelerated Standard
AES-GCM combines the AES block cipher in Galois/Counter Mode. AES itself was standardized by NIST in 2001 and is the most studied symmetric cipher in existence. GCM wraps it so that, in a single pass, you get both encryption (AES in counter mode) and an authentication tag (computed via multiplication in a Galois field).
AES-GCM's superpower is hardware. Most modern CPUs — Intel, AMD, and ARM server and desktop chips — ship dedicated instructions (AES-NI on x86, and ARM's cryptography extensions) that execute AES rounds in silicon, plus carryless-multiply instructions that accelerate GCM's authentication. On hardware that has these, AES-GCM is blisteringly fast and runs in constant time, sidestepping the timing side channels that plague software AES.
On hardware without AES acceleration, a safe AES implementation is both slower and harder to write. Naive lookup-table software AES is vulnerable to cache-timing attacks; writing constant-time software AES is genuinely difficult. AES-GCM is superb when the silicon helps you and awkward when it doesn't.
ChaCha20-Poly1305: Fast in Plain Software
ChaCha20-Poly1305 pairs Daniel J. Bernstein's ChaCha20 stream cipher with his Poly1305 message authenticator, standardized for IETF protocols in RFC 8439. It was designed from the start to be fast and safe in software, using only operations — additions, XORs, and rotations on 32-bit words, often called "ARX" — that run efficiently and in constant time on any general-purpose CPU.
That design choice is the whole point. ChaCha20 doesn't need special instructions to be fast or to resist timing attacks. It has no secret-dependent table lookups and no secret-dependent branches, so a straightforward implementation is naturally constant-time. On a device without AES hardware — many older phones, low-power embedded chips, and some IoT processors — ChaCha20-Poly1305 typically outpaces a safe AES implementation by a wide margin.
ChaCha20-Poly1305 is what you reach for when you can't assume the hardware will help you. It's fast, it's safe by construction against timing attacks, and it doesn't care what CPU it's running on.
Head to Head
| Property | AES-GCM | ChaCha20-Poly1305 |
|---|---|---|
| Speed with AES hardware | Excellent | Very good |
| Speed without AES hardware | Slow / risky in software | Excellent |
| Constant-time by design | Yes with AES-NI; hard in pure software | Yes, inherently |
| Nonce sensitivity | Catastrophic if a nonce repeats | Also bad, but the standard 96-bit nonce is large |
| Maturity / scrutiny | Two decades of analysis | Heavily analyzed, widely deployed |
The Nonce Problem They Share
Both ciphers have the same sharp edge: they must never reuse a nonce (number-used-once) with the same key. For AES-GCM this is especially dangerous — repeating a nonce doesn't just leak plaintext relationships, it can expose the authentication key, letting an attacker forge messages. ChaCha20-Poly1305 is also broken by nonce reuse but is sometimes considered slightly more forgiving in the details.
This is not a theoretical worry. Nonce-reuse vulnerabilities have appeared in real, shipped systems. It's why protocol designers increasingly favor either careful deterministic counters or "nonce-misuse-resistant" constructions. When you pick an AEAD, you're also signing up to manage its nonces correctly — a responsibility that lives in your code, not the cipher.
How TLS Chooses Between Them
You usually don't pick manually — the protocol negotiates. In TLS 1.3, both AES-GCM and ChaCha20-Poly1305 are among the standard cipher suites, and client and server agree on one during the handshake. The elegant part is how the choice tends to land:
- A modern laptop or server with AES-NI will usually prefer AES-GCM, because its hardware makes AES the fastest option.
- A mobile device without strong AES acceleration will often prefer ChaCha20-Poly1305, because pure-software ChaCha20 beats pure-software AES.
This is why the two ciphers coexist rather than one "winning." They're optimized for different hardware realities, and having both in the standard means every device — from a data-center server to a budget phone — can use a fast, safe, constant-time cipher. Diversity is also a hedge: if a serious weakness were ever found in one, the ecosystem already has a vetted alternative ready to go, which connects to the broader principle of cryptographic agility.
Which Should You Use?
For almost everyone building software, the honest answer is: use whichever your protocol and library negotiate by default, and don't roll your own. Both are excellent. If you're making an explicit choice in application code, a reasonable rule of thumb:
- Targeting modern servers and recent CPUs? AES-GCM is a fine default and usually the fastest.
- Targeting heterogeneous or low-power devices, or want predictable constant-time behavior everywhere? ChaCha20-Poly1305 is the safer bet.
- Worried about nonce management? Look at misuse-resistant options like AES-GCM-SIV before hand-rolling counters.
The deeper takeaway is that "is it secure?" is rarely the whole question for a modern cipher. AES-GCM and ChaCha20-Poly1305 are both secure. The real engineering decisions are about performance on your actual hardware, resistance to implementation mistakes like nonce reuse and timing leaks, and having a fallback if the landscape shifts. That's the kind of reasoning that goes into building anything that handles real secrets — choosing well-studied primitives, using them the way their designers intended, and never confusing "encrypted" with "encrypted correctly." It's the same discipline that underpins any tool you'd trust with your private communication.