What makes Ellipticc Drive different from other cloud storage services?

Ellipticc Drive is the first cloud storage platform with post-quantum encryption using NIST-approved Kyber and Dilithium algorithms, true end-to-end encryption where keys never leave your device, and it's completely open-source.

Is Ellipticc Drive really free?

Yes, Ellipticc Drive offers 10 GB of free storage forever with no ads, no tracking, and no data selling. This is dedicated private storage, not shared limits.

How secure is Ellipticc Drive?

Ellipticc Drive uses post-quantum cryptography (Kyber + Dilithium), true end-to-end encryption, zero-knowledge file previews, and secure authentication where passwords are never sent to the server.

When will mobile apps be available?

Mobile apps for iOS and Android are coming in Q1 2026, along with desktop sync clients for macOS, Windows, and Linux.

Authenticated Encryption: Why AES-GCM and ChaCha20-Poly1305 Are the Real Heroes

Imagine sending a sealed letter to a friend. You lock it in a steel box so no one can read it. That is confidentiality. But what if someone intercepts the box, drills a tiny hole, and pours acid inside, destroying the letter? Or worse, what if they manage to replace your letter with a fake one without unlocking the box?

This is the nightmare that Authenticated Encryption (AE) fixes. It does not just hide your data; it guarantees that nobody has tampered with it.

In the modern world of HTTPS, Signal messages, and VPNs, two giants stand above the rest: AES-GCM and ChaCha20-Poly1305. These are the workhorses of the secure internet. Let’s break them down, from high-level concepts to the bitter math, and see why they are the real heroes.

Tip

TL;DR

Confidentiality hides data. Integrity proves it was not changed. Authenticity proves who sent it. AE does all three.
AES-GCM is the hardware king. It is blazingly fast on modern CPUs with AES instructions but fails catastrophically if you reuse a nonce.
ChaCha20-Poly1305 is the software champion. It is fast everywhere (even on mobile) and safer against side-channel attacks.

The Problem: Why Not Just Encrypt?

For decades, developers made a classic mistake. They thought, “I’ll just encrypt the data. If they can’t read it, they can’t change it meaningfully.”

Wrong.

In many encryption modes (like the old school CBC mode), an attacker can flip bits in the ciphertext, which causes predictable changes in the plaintext after decryption. If you are encrypting a bank transaction that says “Send $100", a bit-flip could turn it into "Send$ 900”.

The “Mac-then-Encrypt” Fiasco

Engineers tried to fix this by adding a Message Authentication Code (MAC), like HMAC. But they struggled with the order:

Encrypt-then-MAC: Encrypt data, then MAC the ciphertext. (The Gold Standard).
MAC-then-Encrypt: MAC the plaintext, then encrypt both. (Vulnerable to padding oracle attacks).
Encrypt-and-MAC: Do both in parallel. (Can leak plaintext details).

AEAD (Authenticated Encryption with Associated Data) solves this by doing it all in one single, mistake-proof API. It handles the encryption and the authentication together, securely. It also lets you authenticate unencrypted data (Associated Data), like TCP headers or routing information.

AES-GCM: The Hardware Beast

AES-GCM (Galois/Counter Mode) is the most widely deployed AEAD suite in the world. It combines AES-CTR (for encryption) and GMAC (for authentication).

How It Works

Encryption (CTR Mode): AES acts as a pseudo-random number generator. It encrypts a counter value to create a “keystream”. This keystream is XORed with your data to encrypt it.
Authentication (GMAC): The ciphertext and associated data are fed into a polynomial hash function called GHASH.

The Math (simplified)

The core of GCM is GHASH, which operates in a Galois Field $GF(2^{128})$ . This sounds scary, but it is just polynomial multiplication.

The “Auth Key” $H$ is derived by encrypting a block of structural zeros: $H = E_K(0)$ .
The data is treated as coefficients of a polynomial.
The final tag is constructed by encrypting the nonce counter to create a mask, which is XORed with the GHASH output.

Python Example

Here is how you use it securely in Python:

1
import os
2
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
3

4
# Generate a random 256-bit key
5
key = AESGCM.generate_key(bit_length=256)
6
aesgcm = AESGCM(key)
7

8
# NEVER reuse this nonce for the same key!
9
nonce = os.urandom(12)
10
data = b"Secret Message"
11
aad = b"authenticated-but-unencrypted-header"
12

13
ciphertext = aesgcm.encrypt(nonce, data, aad)
14
print(f"Ciphertext: {ciphertext.hex()}")
15

16
plaintext = aesgcm.decrypt(nonce, ciphertext, aad)
17
assert plaintext == data

The “Forbidden Attack” (Critical Warning)

AES-GCM has one fatal flaw: Nonce Reuse. If you encrypt two different messages with the same Key and the same Nonce, the security collapses.

Privacy Loss: The attacker can XOR the two ciphertexts together to recover the XOR of the plaintexts ( $C_1 \oplus C_2 = P_1 \oplus P_2$ ).
Integrity Loss (Total Break): Because of the mathematical structure of GHASH, reusing a nonce allows an attacker to solve a linear equation and recover the Auth Key $H$ . Once they have $H$ , they can forge valid authentication tags for any message.

If you reuse a nonce in AES-GCM, you don’t just leak data. You lose the ability to detect tampering forever for that key.

ChaCha20-Poly1305: The Software Maverick

AES is hard to implement securely in software encryption because it relies on lookup tables that can leak information via cache-timing side channels.

Enter ChaCha20-Poly1305.

ChaCha20: A stream cipher designed by Daniel J. Bernstein. It uses ARX (Add-Rotate-Xor) operations, which run in constant time on standard CPUs. No lookup tables, no cache leaks.
Poly1305: A one-time authenticator that is incredibly fast and mathematically elegant (operations are modulo $2^{130}-5$ ).

The Mechanics

ChaCha20 works by taking a 256-bit key, a generic constant (“expand 32-byte k”), a nonce, and a counter. It mixes them in a “Quarter Round” function 20 times (hence ChaCha20) to produce a chaotic state. This state becomes the keystream.

Python Example

1
import os
2
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
3

4
key = ChaCha20Poly1305.generate_key()
5
chacha = ChaCha20Poly1305(key)
6

7
nonce = os.urandom(12) # 96-bit nonce
8
data = b"Attack at dawn"
9
aad = b"header-info"
10

11
ciphertext = chacha.encrypt(nonce, data, aad)
12
decrypted = chacha.decrypt(nonce, ciphertext, aad)

Why It Is “Safer”

Side-Channel Impervious: Because it uses basic CPU math (Add, Rotate, XOR), it naturally runs in constant time. AES usually needs dedicated hardware instructions (AES-NI) to be both fast and constant-time.
Nonce Reuse (Bad, but not Fatal): If you reuse a nonce with ChaCha20-Poly1305, you still lose confidentiality (attacker sees $P_1 \oplus P_2$ ). However, unlike GCM, the authentication key is not immediately recovered, so the attacker generally cannot forge new messages. (It is still catastrophic, just slightly less so).

XChaCha20-Poly1305: The Upgrade You Probably Need

Standard ChaCha20 (defined in RFC 8439) uses a 96-bit nonce. While 96 bits is a lot, it is risky to generate them purely randomly at massive scale due to the Birthday Paradox.

If you generate billions of random nonces, you will eventually hit a collision. And as we learned, nonce collision = game over.

The Solution: Extended Nonce (192-bit)

XChaCha20 solves this by increasing the nonce size to 192 bits. This is so large that you can safely generate random nonces for centuries without ever colliding.

How It Works (Enter HChaCha20)

XChaCha20 isn’t a new cipher. It’s a clever wrapper around ChaCha20 using an intermediate step called HChaCha20.

HChaCha20 Step: It takes your 256-bit Key and the first 128 bits of your Nonce. It runs the ChaCha quarter-rounds to mix them, then spits out a new 256-bit subkey.
ChaCha20 Step: It uses this new, derived subkey and the remaining 64 bits of your Nonce to run standard ChaCha20.

This means you get the best of both worlds: massive nonce space (safety) with the same battle-tested security of the core ChaCha20 algorithm.

If you are building a new application and don’t have a strict counter system for nonces, always use XChaCha20-Poly1305. It eliminates the risk of accidental nonce reuse.

Head-to-Head Comparison

Feature	AES-GCM	ChaCha20-Poly1305
Type	Block Cipher (CTR mode)	Stream Cipher
Performance	Incredible on Desktop/Server (Hardware support)	Great everywhere, especially Mobile (ARM)
Software Security	Hard (prone to timing attacks)	Easy (inherently constant-time)
Nonce Reuse	Fatal (Auth Key recovery)	Critical (Plaintext leak)
Max Data	~64GB per Key/Nonce pair	Effectively unlimited

The Dark Side: Why Ransomware Loves These Heroes

It is an uncomfortable truth: the same algorithms that protect your bank account are also the favorite weapons of cybercriminals.

Ransomware groups like LockBit and the operators behind BlackCat/ALPHV do not use weak, home-brewed crypto. They use AES-GCM and ChaCha20-Poly1305. Why? Because of speed.

Speed is a Weapon

When ransomware infects a corporate server, it is in a race against time before IT security notices the anomaly. It needs to encrypt terabytes of data instantly.

AES-NI Abuse: Modern CPUs can encrypt AES-GCM faster than the hard drive can write data. This means the encryption adds zero latency. The victim’s server doesn’t “feel” slow until it’s too late.
Intermittent Encryption: To move even faster, sophisticated ransomware doesn’t encrypt the whole file. It might encrypt just the first 4KB of every 1MB chunk. Because AES-GCM is a stream cipher (internally), this is trivial to implement. It destroys the file’s structure just as effectively as full encryption but runs 20x faster.

The Irony of Neutral Math

Cryptography is neutral. It doesn’t care if it’s locking a thief out of your data or locking you out of your own data. The robustness of AES-GCM means that once those files are locked, there is no backdoor. No mathematician can save you. The only way back is the key - which the criminals hold.

The Verdict: Who is the Real Hero?

They both are, but for different battlefields.

AES-GCM is the hero of the data center. Your CPU almost certainly has dedicated silicon just for AES calculations. It powers everything from Amazon AWS disk encryption to the VPN tunnel you might be using right now.

ChaCha20-Poly1305 is the hero of the mobile world. Google switched Android to use it because many cheaper phones lacked AES hardware, making encryption painfully slow. With ChaCha20, encryption became cheap for everyone, everywhere.

Note

Secure Your Data with EllipticC Drive
Unbreakable encryption awaits. Ellipticc Drive uses XChaCha20-Poly1305. Secure now!