An encryption algorithm is a mathematical procedure that transforms plaintext (readable data) into ciphertext (unreadable data) using a key. Without the correct key, recovering the plaintext from the ciphertext is computationally infeasible. The algorithm defines the rules; the key provides the secret that makes each encryption unique.
Different algorithms serve different purposes. Symmetric algorithms (AES, ChaCha20) encrypt bulk data fast. Asymmetric algorithms (RSA, ECC) enable key exchange and digital signatures. Hash functions (SHA-256) provide integrity verification. Understanding which algorithm to use where is fundamental to building secure systems.
The Two Families
Symmetric Encryption (Same Key Encrypts and Decrypts)
Plaintext + Key → [Algorithm] → Ciphertext
Ciphertext + Same Key → [Algorithm] → Plaintext
Characteristics:
- Fast (hardware-accelerated, GB/s throughput)
- Key must be shared between sender and receiver (key distribution problem)
- Used for: bulk data encryption, disk encryption, TLS data transfer
Major algorithms:
| Algorithm | Key Size | Block Size | Status | Use Case |
|---|---|---|---|---|
| AES-256 | 256 bits | 128 bits | Standard (NIST) | Everything — TLS, disk, database, file |
| AES-128 | 128 bits | 128 bits | Standard | Acceptable, but prefer 256 for quantum margin |
| ChaCha20 | 256 bits | Stream | Standard | Mobile (no AES-NI), TLS alternative |
| 3DES | 168 bits | 64 bits | Deprecated | Legacy only — do not use for new systems |
| DES | 56 bits | 64 bits | Broken | Never use — brute-forceable in hours |
| RC4 | Variable | Stream | Broken | Never use — multiple practical attacks |
| Blowfish | Variable | 64 bits | Outdated | Replaced by AES |
Asymmetric Encryption (Different Keys for Encrypt/Decrypt)
Plaintext + Public Key → [Algorithm] → Ciphertext
Ciphertext + Private Key → [Algorithm] → Plaintext
Characteristics:
- Slow (1000x slower than symmetric for bulk data)
- No key distribution problem (public key is… public)
- Used for: key exchange, digital signatures, authentication
Major algorithms:
| Algorithm | Key Size | Security Level | Status | Use Case |
|---|---|---|---|---|
| RSA-2048 | 2048 bits | 112-bit | Minimum acceptable | TLS certs (legacy), signatures |
| RSA-4096 | 4096 bits | ~140-bit | Strong | CA keys, long-lived signatures |
| ECDSA P-256 | 256 bits | 128-bit | Recommended | TLS certs, code signing |
| ECDSA P-384 | 384 bits | 192-bit | High security | CA keys, government |
| Ed25519 | 256 bits | 128-bit | Recommended | SSH keys, signatures |
| X25519 | 256 bits | 128-bit | Recommended | TLS key exchange |
| DSA | 1024-3072 | Variable | Deprecated | Never use — replaced by ECDSA |
How Encryption Algorithms Work (Simplified)
AES (Advanced Encryption Standard)
AES processes data in 128-bit blocks through multiple rounds of substitution and permutation:
Input: 128-bit plaintext block + 256-bit key
Rounds 1-14 (AES-256 uses 14 rounds; an initial AddRoundKey precedes round 1):
1. SubBytes — substitute each byte via S-box (non-linear)
2. ShiftRows — shift rows of state matrix
3. MixColumns — mix columns via matrix multiplication (omitted in the final round)
4. AddRoundKey — XOR with round key (derived from main key)
Output: 128-bit ciphertext block
With AES-NI hardware acceleration (present in all modern CPUs), AES-256-GCM encrypts at 5-10 GB/s — faster than most storage and network I/O.
RSA
RSA relies on the difficulty of factoring large numbers:
Key Generation:
Choose two large primes: p, q (each ~1024 bits)
Compute n = p × q (public modulus)
Compute φ(n) = (p-1)(q-1)
Choose e = 65537 (public exponent)
Compute d such that e×d ≡ 1 (mod φ(n)) (private exponent)
Encryption: ciphertext = message^e mod n
Decryption: message = ciphertext^d mod n
Security: factoring n back into p and q is computationally infeasible
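The key-generation and encryption steps above, written out as a toy textbook-RSA implementation. This is an added example, not code from the page: it uses its own Miller-Rabin prime search and a `bits` parameter so the test can run with primes far smaller than the ~1024-bit primes a real RSA-2048 key needs.

```python
import random

# Toy RSA that follows the key-generation steps above (added example, not from
# the page). The prime size is a parameter; anything below 2048-bit keys is for
# illustration only.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in SMALL_PRIMES:
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 as 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top bit set, odd)."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng=rng):
            return candidate


def rsa_keygen(bits=2048, e=65537, rng=None):
    """Return ((n, e), (n, d)): the public and private key."""
    rng = rng or random.SystemRandom()
    while True:
        p = random_prime(bits // 2, rng)       # step 1: two large primes
        q = random_prime(bits // 2, rng)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)                # step 3: phi(n)
        if phi % e != 0:                       # e (prime) must be coprime to phi(n)
            break
    n = p * q                                  # step 2: public modulus
    d = pow(e, -1, phi)                        # step 5: e*d = 1 (mod phi(n)); Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(public_key, message):
    """Textbook RSA: ciphertext = message^e mod n. `message` is an int < n."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer smaller than the modulus n")
    return pow(message, e, n)


def rsa_decrypt(private_key, ciphertext):
    """Textbook RSA: message = ciphertext^d mod n."""
    n, d = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    public, private = rsa_keygen(bits=512)     # toy size; use 2048+ in practice
    m = int.from_bytes(b"hello", "big")
    c = rsa_encrypt(public, m)
    assert rsa_decrypt(private, c) == m
    print("modulus bits:", public[0].bit_length(), "roundtrip ok")
```

Two things the toy makes visible: a message must be smaller than the modulus (the "size limitation" of RSA), and textbook RSA is deterministic, so the same message always yields the same ciphertext. Real deployments therefore never use raw RSA; they add randomized padding (RSA-OAEP for encryption, RSA-PSS for signatures) from a vetted library.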
ECDSA (Elliptic Curve)
ECC uses the difficulty of the elliptic curve discrete logarithm problem:
Key Generation:
Choose curve (P-256): defines equation y² = x³ + ax + b over finite field
Choose random d (private key)
Compute Q = d × G (public key, where G is the curve's generator point)
Security: given Q and G, finding d is computationally infeasible
Advantage: 256-bit ECC key ≈ 3072-bit RSA key (same security, much smaller)
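The "Q = d × G" step carried out on the real P-256 curve, as an added example that is not code from the page. It uses the published P-256 domain parameters (p, a, b, G, n) and plain affine point arithmetic, which is easy to read but not constant-time; it is for understanding the math, not for production use.

```python
import random

# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 + ax + b over GF(p).
# Added example, not from the page; affine arithmetic for clarity, not constant-time.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order of G
INFINITY = None  # the point at infinity (group identity)


def is_on_curve(point):
    """Check the curve equation y^2 = x^3 + ax + b (mod p)."""
    if point is INFINITY:
        return True
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Add two curve points (handles doubling and inverse points)."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INFINITY                                   # p2 = -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P   # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """k x point by double-and-add: this is the 'Q = d x G' step."""
    result = INFINITY
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecc_keygen(rng=None):
    """Private key d in [1, N-1]; public key Q = d*G."""
    rng = rng or random.SystemRandom()
    d = rng.randrange(1, N)
    return d, scalar_mult(d, G)


if __name__ == "__main__":
    d, Q = ecc_keygen()
    print("public point on curve:", is_on_curve(Q))
    print("N*G is the identity:", scalar_mult(N, G) is INFINITY)
```

Computing Q from d takes about 256 doublings and a few hundred additions; going the other way (recovering d from Q and G) is the elliptic curve discrete logarithm problem with no known shortcut on a classical computer, which is the asymmetry the security of ECDSA and X25519 rests on. Checking that the public point lies on the curve, as `is_on_curve` does, is also the validation a receiver should perform before using a peer's point.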
Modes of Operation (How Block Ciphers Handle Data)
AES encrypts 128-bit blocks. Real data is larger. “Modes” define how blocks are chained:
| Mode | Security | Use Case | Verdict |
|---|---|---|---|
| GCM (Galois/Counter) | Authenticated encryption (confidentiality + integrity) | TLS, disk encryption | ✅ Use this |
| CTR (Counter) | Confidentiality only (needs separate MAC) | Specific protocols | OK with HMAC |
| CBC (Cipher Block Chaining) | Confidentiality only, padding required | Legacy | ⚠️ Padding oracle risk |
| ECB (Electronic Codebook) | Each block independent — patterns leak | Never | ❌ Never use |
| XTS | Designed for disk encryption | Full disk encryption | ✅ For disks only |
Rule: Always use authenticated encryption (GCM or ChaCha20-Poly1305). Never use ECB. Avoid CBC in new systems.
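To see why ECB leaks patterns while a counter mode does not, here is an added example (not code from the page) that implements ECB and CTR over a stand-in block cipher. The cipher is a toy 4-round Feistel network with an HMAC-SHA256 round function, chosen only so the example runs with the standard library; it is not AES and must not be used for real data. The plaintext is constructed to contain four identical blocks.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, like AES

# Added example, not from the page. The block cipher below is a toy Feistel
# network standing in for AES so the modes can be shown with stdlib only.


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, round_no, half):
    # Keyed pseudo-random function for one Feistel round (toy).
    return hmac.new(key, bytes([round_no]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def toy_block_encrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(4):
        left, right = right, _xor(left, _round_function(key, r, right))
    return left + right


def toy_block_decrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(4)):   # Feistel rounds undo in reverse order
        left, right = _xor(right, _round_function(key, r, left)), left
    return left + right


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB needs input padded to a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    # Each block is encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(plaintext))


def ecb_decrypt(key, ciphertext):
    return b"".join(toy_block_decrypt(key, b) for b in _blocks(ciphertext))


def ctr_crypt(key, nonce, data):
    """CTR mode: encrypt (nonce || counter) and XOR it into the data; the same call decrypts.
    nonce is 8 bytes and must never be reused under the same key."""
    if len(nonce) != BLOCK // 2:
        raise ValueError("nonce must be 8 bytes")
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(BLOCK // 2, "big")
        keystream = toy_block_encrypt(key, counter_block)
        chunk = data[i:i + BLOCK]
        out += _xor(chunk, keystream[:len(chunk)])   # no padding needed
    return bytes(out)


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier one (the ECB pattern leak)."""
    chunks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(chunks) - len(set(chunks))


if __name__ == "__main__":
    key = os.urandom(16)
    plaintext = b"ATTACK AT DAWN!!" * 4   # constructed: four identical 16-byte blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, plaintext)))
    print("CTR repeated blocks:", repeated_blocks(ctr_crypt(key, os.urandom(8), plaintext)))
```

`repeated_blocks` is a useful audit check on real ciphertext too: an AES-ECB blob of a structured file shows the same duplicate-block signature. Note that neither mode here authenticates anything; CTR is exactly what GCM wraps, and GCM's added tag is what turns it into the authenticated encryption the rule above requires.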
Choosing the Right Algorithm
For Data at Rest (Databases, Files, Disks)
Standard choice: AES-256-GCM (or AES-256-XTS for full disk)
Why: fastest symmetric cipher, hardware-accelerated, quantum-safe (256-bit)
For Data in Transit (TLS, VPN)
TLS 1.3 cipher suites (in preference order):
1. TLS_AES_256_GCM_SHA384 (AES-256 with GCM)
2. TLS_CHACHA20_POLY1305_SHA256 (ChaCha20 — better on mobile without AES-NI)
3. TLS_AES_128_GCM_SHA256 (AES-128 — acceptable)
Key exchange: X25519 (ECDHE)
Authentication: ECDSA P-256 certificate
For Digital Signatures
TLS certificates: ECDSA P-256 (smallest, fastest)
Code signing: ECDSA P-256 or P-384 (long-lived signatures → higher margin)
SSH: Ed25519 (deterministic, no nonce vulnerability)
Documents: ECDSA P-256 with timestamp (long-term verifiability)
For Key Exchange
TLS 1.3: X25519 (mandatory ECDHE, forward secrecy)
SSH: curve25519-sha256
VPN (IKEv2): ECDH P-256 or X25519
Algorithm Strength and Quantum Impact
| Algorithm | Classical Security | Post-Quantum Security | Action |
|---|---|---|---|
| AES-256 | 256-bit | 128-bit (Grover’s) | ✅ Safe — keep using |
| AES-128 | 128-bit | 64-bit (Grover’s) | ⚠️ Upgrade to AES-256 |
| SHA-256 | 256-bit | 128-bit | ✅ Safe |
| RSA-2048 | 112-bit | Broken (Shor’s) | 🔴 Plan migration to PQC |
| ECDSA P-256 | 128-bit | Broken (Shor’s) | 🔴 Plan migration to PQC |
| X25519 | 128-bit | Broken (Shor’s) | 🔴 Use hybrid (X25519 + ML-KEM) |
| ML-KEM-768 | — | 128-bit | ✅ Post-quantum safe |
| ML-DSA-65 | — | 128-bit | ✅ Post-quantum safe |
Timeline: Quantum computers that can break RSA/ECC are estimated at 2030-2040. Symmetric algorithms (AES-256) and hash functions (SHA-256) survive quantum computing.
Common Mistakes
1. Using ECB Mode
# WRONG — ECB leaks patterns
cipher = AES.new(key, AES.MODE_ECB)
# RIGHT — GCM provides authenticated encryption (AES here is PyCryptodome's Crypto.Cipher.AES)
from Crypto.Cipher import AES
cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
2. Hardcoding Keys
# WRONG — key in source code
key = b"my-secret-key-12345678901234567"
# RIGHT — key from KMS/environment
key = kms_client.decrypt(encrypted_key)
3. Using Deprecated Algorithms
# WRONG — allows weak ciphers
ssl_ciphers ALL;
# RIGHT — only strong AEAD ciphers
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
4. Reusing Nonces in GCM
# WRONG — same nonce with same key = catastrophic
nonce = b"fixed-nonce" # NEVER reuse!
# RIGHT — unique nonce per encryption
import os
nonce = os.urandom(12)  # Random 96-bit nonce, generated fresh for every message under this key
FAQ
Q: What’s the strongest encryption algorithm? A: For symmetric: AES-256-GCM (no known practical attack, quantum-resistant). For asymmetric: depends on use case — ECDSA P-384 for signatures, X25519 for key exchange. “Strongest” depends on what you’re protecting and against what threat.
Q: Is AES-128 still secure? A: Against classical computers: yes (128-bit security is computationally infeasible to brute-force). Against future quantum computers: marginal (Grover’s reduces to 64-bit). Use AES-256 for new systems — the performance difference is negligible with AES-NI.
Q: Why not just use RSA for everything? A: RSA is 100-1000x slower than AES for bulk encryption, and has size limitations (can only encrypt data smaller than the key). The standard pattern: use RSA/ECC for key exchange (small data), then AES for bulk encryption (large data). This is exactly what TLS does.
Q: What’s the difference between encryption and hashing? A: Encryption is reversible (with the key). Hashing is one-way (no key, no reversal). Encryption protects confidentiality (hide data). Hashing protects integrity (detect changes). Different tools for different purposes.
Q: Which algorithm should I use for password storage? A: None of the above. Passwords should be hashed (not encrypted) with a dedicated password hashing function: bcrypt, scrypt, or Argon2id. These are intentionally slow (to resist brute-force) — unlike AES/SHA which are designed to be fast.