General stuff
 Comparison of Symmetric Encryption Methods - Dhole Moments
 Latacora - Cryptographic Right Answers
 Block ciphers are basically keyed pseudorandom permutation functions
 Be aware of nonce reuse: initialization vector - How bad it is using the same IV twice with AES/GCM? - Cryptography Stack Exchange
 Be aware of limits on how much data/messages you can safely encrypt under the same key (“cryptographic wearout”): Cryptographic Wear-Out for Symmetric Encryption - Dhole Moments
AEAD ciphers
AEAD stands for “authenticated encryption with associated data”.

 Authenticated Encryption (AE)
  I.e. “MACs built into encryption”
  Prevents the ciphertext that was transmitted to you from being tampered with by a third party that doesn’t know the key. Such tampering can break the overall security of your system in unexpected ways.
  Also prevents padding oracle attacks that even recover the key.
  XML Encryption famously broke due to lacking authentication: https://www.nds.rub.de/media/nds/veroeffentlichungen/2011/10/22/HowToBreakXMLenc.pdf
 Associated Data (AD)
  Prevents the ciphertext from being “pulled out of context” by a third party that doesn’t know the key.
  A good Stack Exchange answer on why this can be dangerous: encryption - What is the purpose of associated authenticated data in AEAD? - Information Security Stack Exchange
Also interesting, but not captured in “AEAD”, is probabilistic encryption:
 Prevents the same message from producing the same ciphertext when encrypted twice with the same key.
 Usually achieved by providing a nonce (sometimes called initialization vector) that is either randomly generated or incremented for every message with a given random key.
Most ciphers are probabilistic (or “nondeterministic”). So why are some ciphers deterministic?
 You might not need additional randomness if your messages are inherently random, e.g. when you’re doing key wrapping.
 To provide nondeterminism you need to attach a random nonce to your ciphertext. Deterministic encryption ciphertexts thus tend to be shorter.
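The properties listed above (tamper detection, context binding through associated data, a fresh nonce per message) in one added example that is not part of the original notes. It uses a teaching AEAD built from HMAC-SHA256 in encrypt-then-MAC form so that it runs on the Python standard library alone; `seal`, `open_` and the `account:1` label are made-up names, and real code should call a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 instead.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from the one shared key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode (stand-in for a real stream cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(mac_key: bytes, ad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the AD so the AD / nonce / ciphertext boundaries are unambiguous.
    msg = len(ad).to_bytes(8, "big") + ad + nonce + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes, ad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh random nonce: probabilistic encryption
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, ad, nonce, ct)  # the AD is authenticated, not stored

def open_(key: bytes, blob: bytes, ad: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    # Verify before decrypting; the constant-time compare avoids a timing oracle.
    if not hmac.compare_digest(tag, _tag(mac_key, ad, nonce, ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    blob = seal(key, b"balance=100", ad=b"account:1")  # constructed sample record
    print(open_(key, blob, ad=b"account:1"))  # opening under b"account:2" raises ValueError
```

The receiver supplies the associated data from its own context (here the row the blob was read from), which is why a ciphertext copied to a different row fails to open.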
Key Commitment
A newer property is key commitment. From a paper on key commitment:
 “if recipient A decrypts a ciphertext with the key K_A into a valid plaintext, meaning authentication succeeds, then A knows that the ciphertext has not been modified during transmission. Intuitively, one might mistakenly extend that integrity guarantee to keys, i.e., if some other recipient B decrypts the same ciphertext with their key K_B, then decryption would fail. However, this is neither an AE design goal, nor a guaranteed property, and there are secure and globally deployed AE schemes where both recipients can successfully decrypt the same ciphertext.”
The paper contains both some examples of how to abuse non-key-committing encryption modes in practice and guidance on how to fix encryption schemes today.
In practice, key-committing encryption schemes are not widely supported.