Symmetric-key Cypher
What Is Symmetric-key Cypher?
A symmetric-key cipher is a cryptographic algorithm that uses the same secret key for both encryption and decryption. The sender applies the key and the cipher's encryption function to transform plaintext into ciphertext; the receiver applies the same key and the cipher's inverse function to recover the original message. This symmetry distinguishes the approach from asymmetric (public-key) cryptography, where separate keys are used for the two operations.
Symmetric-key ciphers are the workhorses of practical data protection. Because the computational overhead of symmetric algorithms is orders of magnitude lower than that of asymmetric algorithms for equivalent data volumes, symmetric ciphers are used for bulk encryption of files, network traffic, and stored data. Asymmetric algorithms are typically employed only to establish or transmit the shared symmetric key securely, after which the symmetric cipher takes over.
Block Ciphers
A block cipher divides plaintext into fixed-length blocks and applies a keyed transformation to each block. The Advanced Encryption Standard (AES), published as FIPS 197 by the National Institute of Standards and Technology in 2001, is the dominant block cipher in use today. AES operates on 128-bit blocks and supports key lengths of 128, 192, and 256 bits. Its design is based on a substitution-permutation network (SPN) structure that interleaves byte substitution, row permutation, column mixing, and round-key addition over 10, 12, or 14 rounds depending on key length.
Block ciphers are defined over a single block; encrypting longer messages requires a mode of operation that specifies how blocks are chained together. NIST's block cipher techniques project has standardized five main modes: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). CTR mode is particularly widely used because it is parallelizable and converts a block cipher into a stream cipher, processing each block independently with a counter value.
Before AES, the Data Encryption Standard (DES), published in 1977, was the dominant symmetric cipher. Triple DES (3DES) extended DES by applying the DES algorithm three times in succession to each block to compensate for DES's 56-bit key length proving insufficient against exhaustive key search. Triple DES remains approved for legacy applications but is deprecated for new system designs.
Stream Ciphers
A stream cipher generates a pseudorandom keystream from the secret key and combines it with plaintext bit by bit or byte by byte, typically using the XOR operation. The RC4 algorithm was widely deployed in wireless networking (WEP and early TLS), but cryptanalytic weaknesses led to its deprecation. ChaCha20, designed by Daniel Bernstein, is the principal modern stream cipher used in practice. It forms the basis of the ChaCha20-Poly1305 authenticated encryption scheme standardized in RFC 7905 and is used in TLS 1.3 and the QUIC protocol to protect internet traffic.
Stream ciphers excel in constrained environments where block-aligned processing is impractical, such as embedded systems, satellite communication links, and hardware security tokens.
Key Management and Security
The security of any symmetric cipher depends entirely on the secrecy of the shared key. Key distribution, the problem of establishing a shared key between parties who have not previously communicated, is the fundamental challenge that asymmetric cryptography was designed to solve. In practice, key exchange protocols such as Diffie-Hellman or RSA encryption of a session key establish the shared secret over an untrusted channel, after which the symmetric cipher handles the data.
The NIST Computer Security Resource Center glossary defines symmetric cryptography as any algorithm where the same secret key is used both to apply and to reverse the cryptographic transformation. Key length governs resistance to brute-force search: a 128-bit AES key provides approximately 3.4 times 10^38 possible keys, a quantity computationally infeasible to search exhaustively with foreseeable classical computing hardware.
Applications
Symmetric-key ciphers have applications across many areas of information security, including:
- Encryption of data at rest in file systems, databases, and cloud storage
- Bulk encryption of network traffic in TLS, VPN, and IPsec protocols
- Secure messaging in end-to-end encrypted communication platforms
- Payment card transaction protection and point-of-sale terminals
- Hardware security modules and trusted platform modules for key storage