Part II · 1 — Symmetric primitives

draft

One key, shared by both sides. It is the workhorse of confidentiality: fast, mature, and — when used with the right mode — secure. Here are the ciphers and, more importantly, how not to get them wrong.


1.1 Two families: block and stream

Symmetric cryptography uses the same secret key to encrypt and decrypt. There are two ways to build the cipher:

  • Block cipher — operates on fixed-size blocks (AES uses 128 bits).

    To encrypt data larger than one block, it needs a mode of operation (section 1.3). Examples: AES, the veteran DES (insecure today).

  • Stream cipher — generates a pseudorandom keystream that is combined

    (XOR) with the plaintext, bit by bit. Modern example: ChaCha20.

In practice the boundary is fluid: a block cipher in counter mode (CTR) becomes a stream cipher. What matters is not the family, it is the complete construction you use.


1.2 How a block cipher works: SPN and Feistel

A block cipher is a permutation parameterized by the key that applies Shannon's principles (confusion and diffusion) over several rounds. Two structures dominate:

  • Substitution-permutation network (SPN) — each round does substitution

    (S-boxes → confusion) and permutation/mixing (→ diffusion). It is the structure of AES.

  • Feistel network — splits the block into two halves and processes one with a

    function of the other, alternating. It lets encryption and decryption use the same circuit. It is the structure of DES.

SPN × Feistel: the two block-cipher structures


1.3 AES and the choice of cipher

AES (Advanced Encryption Standard, 2001 — originally Rijndael) is the world's standard block cipher: 128-bit block, 128192256-bit keys, 101214 rounds. It has hardware acceleration (AES-NI instructions) on most CPUs, which makes it fast and constant-time by construction.

Cipher When to use
AES-256 (in AEAD mode) General default; ideal with AES-NI in hardware.
ChaCha20 (in AEAD, with Poly1305) When there is no AES-NI (mobile, embedded) — fast in pure software and resistant to cache side channels.

Never pick "a cipher" alone. Pick a complete AEAD construction (next section) — AES-256-GCM or ChaCha20-Poly1305.


1.4 Modes of operation — where most mistakes happen

A block cipher only knows how to encrypt one block. The mode extends that to real messages — and it is the number-one source of vulnerabilities for those who implement it.

Mode Verdict Why
ECB ❌ never Equal blocks → equal ciphertexts. Leaks patterns (the famous "ECB penguin").
CBC ⚠️ legacy Chains blocks; needs a random IV and, on its own, does not authenticate (subject to padding-oracle).
CTR ⚠️ only with MAC Becomes a stream cipher; never reuse (nonce, key). No authentication by itself.
GCM / Poly1305 AEAD — encrypts and authenticates at once. The modern default.

1.5 AEAD: encrypt and authenticate together

The most expensive lesson in the history of applied cryptography: encrypting without authenticating is insecure. An adversary who cannot read the message can often alter it usefully (malleability attacks, padding-oracle).

AEAD (Authenticated Encryption with Associated Data) solves this in a single primitive. It takes four things and returns two:

AEAD: inputs (key, nonce, plaintext, associated data) and outputs (ciphertext, tag)

  • Key — the symmetric secret.
  • Noncenumber used once: public, but never repeated with the same

    key. Repeating a nonce in GCM is catastrophic (it reveals the authentication secret). It is the most common fatal error.

  • Plaintext — what will be encrypted.
  • Associated data (AAD) — headers that need to be

    authenticated but not encrypted (e.g., the recipient of a packet).

Output: the ciphertext + an authentication tag. On decryption, if the tag does not match, the operation fails entirely — no partial plaintext.

Golden rule of symmetric crypto: use AES-256-GCM or ChaCha20-Poly1305, with a nonce that never repeats per key (counter or random of 96+ bits), and let the library manage the tag. Anything below that is asking for a CVE.


Dense reference: structures, DES/3DES, all modes, and the parameters of GCMCCM are in [04-symmetric](..08-reference/04-symmetric.md). Next: Hash, MAC, and KDF — the other half of the symmetric world, where integrity lives.