diff --git a/internal/handshake/aead.go b/internal/handshake/aead.go
index 693939ae..1baf5d6b 100644
--- a/internal/handshake/aead.go
+++ b/internal/handshake/aead.go
@@ -1,13 +1,12 @@
 package handshake
 
 import (
-	"crypto/cipher"
 	"encoding/binary"
 
 	"github.com/quic-go/quic-go/internal/protocol"
 )
 
-func createAEAD(suite *cipherSuite, trafficSecret []byte, v protocol.Version) cipher.AEAD {
+func createAEAD(suite *cipherSuite, trafficSecret []byte, v protocol.Version) *xorNonceAEAD {
 	keyLabel := hkdfLabelKeyV1
 	ivLabel := hkdfLabelIVV1
 	if v == protocol.Version2 {
@@ -20,28 +19,26 @@ func createAEAD(suite *cipherSuite, trafficSecret []byte, v protocol.Version) ci
 }
 
 type longHeaderSealer struct {
-	aead            cipher.AEAD
+	aead            *xorNonceAEAD
 	headerProtector headerProtector
-
-	// use a single slice to avoid allocations
-	nonceBuf []byte
+	nonceBuf        [8]byte
 }
 
 var _ LongHeaderSealer = &longHeaderSealer{}
 
-func newLongHeaderSealer(aead cipher.AEAD, headerProtector headerProtector) LongHeaderSealer {
+func newLongHeaderSealer(aead *xorNonceAEAD, headerProtector headerProtector) LongHeaderSealer {
+	if aead.NonceSize() != 8 {
+		panic("unexpected nonce size")
+	}
 	return &longHeaderSealer{
 		aead:            aead,
 		headerProtector: headerProtector,
-		nonceBuf:        make([]byte, aead.NonceSize()),
 	}
 }
 
 func (s *longHeaderSealer) Seal(dst, src []byte, pn protocol.PacketNumber, ad []byte) []byte {
-	binary.BigEndian.PutUint64(s.nonceBuf[len(s.nonceBuf)-8:], uint64(pn))
-	// The AEAD we're using here will be the qtls.aeadAESGCM13.
-	// It uses the nonce provided here and XOR it with the IV.
-	return s.aead.Seal(dst, s.nonceBuf, src, ad)
+	binary.BigEndian.PutUint64(s.nonceBuf[:], uint64(pn))
+	return s.aead.Seal(dst, s.nonceBuf[:], src, ad)
 }
 
 func (s *longHeaderSealer) EncryptHeader(sample []byte, firstByte *byte, pnBytes []byte) {
@@ -53,21 +50,23 @@ func (s *longHeaderSealer) Overhead() int {
 }
 
 type longHeaderOpener struct {
-	aead            cipher.AEAD
+	aead            *xorNonceAEAD
 	headerProtector headerProtector
 	highestRcvdPN   protocol.PacketNumber // highest packet number received (which could be successfully unprotected)
 
-	// use a single slice to avoid allocations
-	nonceBuf []byte
+	// use a single array to avoid allocations
+	nonceBuf [8]byte
 }
 
 var _ LongHeaderOpener = &longHeaderOpener{}
 
-func newLongHeaderOpener(aead cipher.AEAD, headerProtector headerProtector) LongHeaderOpener {
+func newLongHeaderOpener(aead *xorNonceAEAD, headerProtector headerProtector) LongHeaderOpener {
+	if aead.NonceSize() != 8 {
+		panic("unexpected nonce size")
+	}
 	return &longHeaderOpener{
 		aead:            aead,
 		headerProtector: headerProtector,
-		nonceBuf:        make([]byte, aead.NonceSize()),
 	}
 }
 
@@ -76,10 +75,8 @@ func (o *longHeaderOpener) DecodePacketNumber(wirePN protocol.PacketNumber, wire
 }
 
 func (o *longHeaderOpener) Open(dst, src []byte, pn protocol.PacketNumber, ad []byte) ([]byte, error) {
-	binary.BigEndian.PutUint64(o.nonceBuf[len(o.nonceBuf)-8:], uint64(pn))
-	// The AEAD we're using here will be the qtls.aeadAESGCM13.
-	// It uses the nonce provided here and XOR it with the IV.
-	dec, err := o.aead.Open(dst, o.nonceBuf, src, ad)
+	binary.BigEndian.PutUint64(o.nonceBuf[:], uint64(pn))
+	dec, err := o.aead.Open(dst, o.nonceBuf[:], src, ad)
 	if err == nil {
 		o.highestRcvdPN = max(o.highestRcvdPN, pn)
 	} else {
diff --git a/internal/handshake/aead_test.go b/internal/handshake/aead_test.go
index 4527e3e1..d2d58a02 100644
--- a/internal/handshake/aead_test.go
+++ b/internal/handshake/aead_test.go
@@ -33,8 +33,8 @@ var _ = Describe("Long Header AEAD", func() {
 						aead, err := cipher.NewGCM(block)
 						Expect(err).ToNot(HaveOccurred())
 
-						return newLongHeaderSealer(aead, newHeaderProtector(cs, hpKey, true, v)),
-							newLongHeaderOpener(aead, newHeaderProtector(cs, hpKey, true, v))
+						return newLongHeaderSealer(&xorNonceAEAD{aead: aead}, newHeaderProtector(cs, hpKey, true, v)),
+							newLongHeaderOpener(&xorNonceAEAD{aead: aead}, newHeaderProtector(cs, hpKey, true, v))
 					}
 
 					Context("message encryption", func() {
diff --git a/internal/handshake/cipher_suite.go b/internal/handshake/cipher_suite.go
index 265231f0..d8a381da 100644
--- a/internal/handshake/cipher_suite.go
+++ b/internal/handshake/cipher_suite.go
@@ -18,7 +18,7 @@ type cipherSuite struct {
 	ID     uint16
 	Hash   crypto.Hash
 	KeyLen int
-	AEAD   func(key, nonceMask []byte) cipher.AEAD
+	AEAD   func(key, nonceMask []byte) *xorNonceAEAD
 }
 
 func (s cipherSuite) IVLen() int { return aeadNonceLength }
@@ -36,7 +36,7 @@ func getCipherSuite(id uint16) *cipherSuite {
 	}
 }
 
-func aeadAESGCMTLS13(key, nonceMask []byte) cipher.AEAD {
+func aeadAESGCMTLS13(key, nonceMask []byte) *xorNonceAEAD {
 	if len(nonceMask) != aeadNonceLength {
 		panic("tls: internal error: wrong nonce length")
 	}
@@ -54,7 +54,7 @@ func aeadAESGCMTLS13(key, nonceMask []byte) cipher.AEAD {
 	return ret
 }
 
-func aeadChaCha20Poly1305(key, nonceMask []byte) cipher.AEAD {
+func aeadChaCha20Poly1305(key, nonceMask []byte) *xorNonceAEAD {
 	if len(nonceMask) != aeadNonceLength {
 		panic("tls: internal error: wrong nonce length")
 	}