Part II · 1 — Symmetric primitives
One key, shared by both sides. It is the workhorse of confidentiality: fast, mature, and — when used with the right mode — secure. Here are the ciphers and, more importantly, how not to get them wrong.
1.1 Two families: block and stream
Symmetric cryptography uses the same secret key to encrypt and decrypt. There are two ways to build the cipher:
- Block cipher — operates on fixed-size blocks (AES uses 128 bits).
To encrypt data larger than one block, it needs a mode of operation (section 1.3). Examples: AES, the veteran DES (insecure today).
- Stream cipher — generates a pseudorandom keystream that is combined
(XOR) with the plaintext, bit by bit. Modern example: ChaCha20.
In practice the boundary is fluid: a block cipher in counter mode (CTR) becomes a stream cipher. What matters is not the family, it is the complete construction you use.
1.2 How a block cipher works: SPN and Feistel
A block cipher is a permutation parameterized by the key that applies Shannon's principles (confusion and diffusion) over several rounds. Two structures dominate:
- Substitution-permutation network (SPN) — each round does substitution
(S-boxes → confusion) and permutation/mixing (→ diffusion). It is the structure of AES.
- Feistel network — splits the block into two halves and processes one with a
function of the other, alternating. It lets encryption and decryption use the same circuit. It is the structure of DES.
1.3 AES and the choice of cipher
AES (Advanced Encryption Standard, 2001 — originally Rijndael) is the world's standard block cipher: 128-bit block, 128192256-bit keys, 101214 rounds. It has hardware acceleration (AES-NI instructions) on most CPUs, which makes it fast and constant-time by construction.
| Cipher | When to use |
|---|---|
| AES-256 (in AEAD mode) | General default; ideal with AES-NI in hardware. |
| ChaCha20 (in AEAD, with Poly1305) | When there is no AES-NI (mobile, embedded) — fast in pure software and resistant to cache side channels. |
Never pick "a cipher" alone. Pick a complete AEAD construction (next section) — AES-256-GCM or ChaCha20-Poly1305.
1.4 Modes of operation — where most mistakes happen
A block cipher only knows how to encrypt one block. The mode extends that to real messages — and it is the number-one source of vulnerabilities for those who implement it.
| Mode | Verdict | Why |
|---|---|---|
| ECB | ❌ never | Equal blocks → equal ciphertexts. Leaks patterns (the famous "ECB penguin"). |
| CBC | ⚠️ legacy | Chains blocks; needs a random IV and, on its own, does not authenticate (subject to padding-oracle). |
| CTR | ⚠️ only with MAC | Becomes a stream cipher; never reuse (nonce, key). No authentication by itself. |
| GCM / Poly1305 | ✅ | AEAD — encrypts and authenticates at once. The modern default. |
1.5 AEAD: encrypt and authenticate together
The most expensive lesson in the history of applied cryptography: encrypting without authenticating is insecure. An adversary who cannot read the message can often alter it usefully (malleability attacks, padding-oracle).
AEAD (Authenticated Encryption with Associated Data) solves this in a single primitive. It takes four things and returns two:
- Key — the symmetric secret.
- Nonce — number used once: public, but never repeated with the same
key. Repeating a nonce in GCM is catastrophic (it reveals the authentication secret). It is the most common fatal error.
- Plaintext — what will be encrypted.
- Associated data (AAD) — headers that need to be
authenticated but not encrypted (e.g., the recipient of a packet).
Output: the ciphertext + an authentication tag. On decryption, if the tag does not match, the operation fails entirely — no partial plaintext.
Golden rule of symmetric crypto: use AES-256-GCM or ChaCha20-Poly1305, with a nonce that never repeats per key (counter or random of 96+ bits), and let the library manage the tag. Anything below that is asking for a CVE.
Dense reference: structures, DES/3DES, all modes, and the parameters of GCMCCM are in [
04-symmetric](..08-reference/04-symmetric.md). Next: Hash, MAC, and KDF — the other half of the symmetric world, where integrity lives.