General stuff
 Comparison of Symmetric Encryption Methods - Dhole Moments
 Latacora - Cryptographic Right Answers
 Block ciphers are basically keyed pseudorandom permutation functions
 Be aware of nonce reuse: initialization vector - How bad it is using the same IV twice with AES/GCM? - Cryptography Stack Exchange
 Be aware of limits on how much data/messages you can safely encrypt under the same key (“cryptographic wearout”): Cryptographic WearOut for Symmetric Encryption - Dhole Moments
AEAD ciphers
AEAD stands for “authenticated encryption with associated data”.

Authenticated Encryption (AE)
 I.e. “MACs built into encryption”
 Prevents a third party that doesn’t know the key from tampering with the ciphertext that was transmitted to you. Undetected tampering can break the overall security of your system in unexpected ways.
 Also prevents padding oracle attacks that can even recover the key.
 XML Encryption famously broke due to lacking authentication: https://www.nds.rub.de/media/nds/veroeffentlichungen/2011/10/22/HowToBreakXMLenc.pdf
Associated Data (AD)
 Prevents the ciphertext from being “pulled out of context” by a third party that doesn’t know the key.
 A good Stack Exchange answer on why this can be dangerous: encryption - What is the purpose of associated authenticated data in AEAD? - Information Security Stack Exchange
Also interesting, but not captured in “AEAD”, is probabilistic encryption:
 Prevents the same message from having the same ciphertext when encrypted twice with the same key.
 Usually achieved by providing a nonce (sometimes called initialization vector) that is either randomly generated or incremented for every message with a given random key.
Most ciphers are probabilistic (or “nondeterministic”). So why are some ciphers deterministic?
 You might not need additional randomness if your messages are inherently random, e.g. when you’re doing key wrapping.
 To provide nondeterminism you need to attach a random nonce to your ciphertext. Deterministic encryption ciphertexts thus tend to be shorter.
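
The three properties noted above (authentication, associated data, and a per-message nonce attached to the ciphertext), shown with Go's standard-library AES-GCM. This is an added example, not code from any of the linked articles; the key, message and context strings are constructed sample values, and `newGCM`, `seal` and `open` are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM wraps a 16-, 24- or 32-byte key in AES-GCM (an AEAD mode).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts msg bound to context ad; the fresh random nonce is prepended.
func seal(key, msg, ad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, ad), nil // nonce || ciphertext || tag
}

// open verifies the tag (covering ciphertext and ad) before returning plaintext.
func open(key, boxed, ad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(boxed) < n+gcm.Overhead() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, boxed[:n], boxed[n:], ad)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key
	ct, _ := seal(key, []byte("balance=100"), []byte("user:alice"))
	_, err := open(key, ct, []byte("user:bob")) // pulled out of its context
	fmt.Println(len(ct), err)
}
```

The output is 28 bytes longer than the message (12-byte nonce plus 16-byte tag), which is the size cost of nondeterminism and authentication mentioned above.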