PQR, 2018-11-23 20:12:49

How does MySQL authentication work: caching_sha2_password vs mysql_native_password?

I read an article about the new caching_sha2_password: https://mysqlserverteam.com/mysql-8-0-4-new-defaul... Got a few questions, maybe you can help me!
The article considers two cases:
1) "when there exists a cached copy of the password hash in memory" and a picture is attached to this case, on which the word "Nonce" is present - what is it? Some random string generated by the server?
If you dig deeper, there is this phrase:
"it uses a SHA256-based challenge-response mechanism while authenticating a client ... This is faster and allows secure authentication over an unencrypted channel." - i.e. some "quick challenge-response mechanism is used to allow authentication over an insecure channel". What is the essence of this mechanism, where to read more?
2) The second case considered in this article is when there is no cache yet, in this case a "secure connection" is required: "In such cases of cache invalidation, caching_sha2_password requires password exchange using a secure connection"
2.1) Why does the lack of a cache lead to a more complex mechanism? Why not use the same fast SHA256-based challenge-response as in the first case?
2.2) It seems that in the picture one of the arrows is drawn in the wrong direction, as if the server sends the password to the client, or I didn’t understand something:
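
An added example, not part of the original post or the linked article: a Python sketch of the SHA256-based challenge-response asked about in case 1, showing what the nonce does and why the fast path depends on the in-memory cache. The function names are hypothetical and the password is a constructed sample; the scramble formula follows the one used by caching_sha2_password clients.

```python
import hashlib
import hmac
import os

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cache_entry(password: bytes) -> bytes:
    # What the server keeps in memory after one successful full login:
    # SHA256(SHA256(password)). The password itself is not kept.
    return sha256(sha256(password))

def client_scramble(password: bytes, nonce: bytes) -> bytes:
    # Client reply to the server's nonce:
    # SHA256(pw) XOR SHA256(SHA256(SHA256(pw)) || nonce)
    stage1 = sha256(password)
    stage2 = sha256(stage1)
    return xor(stage1, sha256(stage2 + nonce))

def server_verify(cached, nonce: bytes, scramble: bytes) -> bool:
    if cached is None:
        # Cache miss: the on-disk value is a salted, multi-round hash,
        # so SHA256(SHA256(pw)) is not available and the fast path
        # cannot run. The server then needs the password over a secure
        # channel (TLS or RSA-encrypted exchange).
        return False
    # Undo the XOR mask to recover the candidate SHA256(pw), then check
    # that hashing it once more gives the cached value.
    candidate = xor(scramble, sha256(cached + nonce))
    return hmac.compare_digest(sha256(candidate), cached)

def demo():
    password = b"constructed-sample-password"   # constructed sample
    cached = cache_entry(password)
    nonce = os.urandom(20)                      # server's random challenge
    reply = client_scramble(password, nonce)
    ok = server_verify(cached, nonce, reply)
    wrong = server_verify(cached, nonce, client_scramble(b"wrong", nonce))
    # A captured reply is useless against a fresh nonce (replay fails).
    replay = server_verify(cached, os.urandom(20), reply)
    miss = server_verify(None, nonce, reply)
    return ok, wrong, replay, miss

if __name__ == "__main__":
    print(demo())
```
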