Cryptographic Primitives#

Reference of cryptographic algorithms by category, with the operator-relevant notes on safe defaults, deprecated variants, and the post-quantum migration timeline.

For PKI / TLS detail, see Network Protocols. For sanctions / export-control around crypto, see Sanctions Lists and Standards & Regulations (CNSA 2.0).

Symmetric block ciphers#

Algorithm

Notes

AES-128 / 192 /

FIPS 197; the universal default. Modes: GCM (AEAD),

256

CTR, CBC, ECB (never), CFB, OFB. AES-256 mandatory in CNSA 2.0 + most TLS profiles.

ChaCha20

RFC 7539 / 8439; ARX cipher; faster than AES on no-AESNI hardware; Google preference.

Camellia

ISO/IEC 18033; comparable to AES; rare outside JP / KR.

Serpent

AES finalist; conservative.

Twofish

AES finalist; widely embedded.

3DES

deprecated 2023 (NIST SP 800-67 Rev2 retirement).

DES

long-broken; never use.

Blowfish

avoid for new work; small block.

RC4

broken; deprecated 2015.

AEAD modes#

Mode

Notes

AES-GCM

the default for TLS 1.2+; nonce-misuse-vulnerable.

AES-GCM-SIV

RFC 8452; nonce-misuse-resistant.

ChaCha20-Poly1305

RFC 8439; default in TLS 1.3 + Wire / Signal etc.

XChaCha20-Poly1305

larger nonce; libsodium variant.

AES-CCM

constrained-device variant.

AES-OCB

RFC 7253; patent-cleared since 2021; very efficient.

AEGIS-128 / 256

Standardized RFC 9380; AES-NI-friendly.

Hash functions#

Algorithm

Notes

SHA-256 / 384 /

FIPS 180-4; the universal default; Merkle-Damgård

512

construction.

SHA-3 (Keccak)

FIPS 202; sponge construction; SHA3-224 / 256 / 384 / 512.

SHAKE-128 / 256

extendable-output (XOF); SHA-3 family.

BLAKE2b / 2s

RFC 7693; faster than SHA-256.

BLAKE3

modern; tree mode + parallelism + XOF.

SHA-1

deprecated 2017; collisions found (SHAttered, Shambles); never use for security.

MD5

broken; only checksums for non-security use.

RIPEMD-160

legacy; used in Bitcoin addresses.

MAC / KDF#

Algorithm

Notes

HMAC-SHA256

RFC 2104 + 4231; the universal MAC.

HMAC-SHA1

still secure as MAC despite SHA-1 collision attacks.

KMAC

Keccak-MAC; based on SHA-3.

Poly1305

one-time MAC; pair with ChaCha20 / AES.

HKDF

RFC 5869; the universal KDF (extract + expand).

PBKDF2

RFC 8018; password hashing; minimum 100k iterations (SHA-256) per OWASP 2024.

Argon2id

RFC 9106; modern password hashing winner.

scrypt

RFC 7914; memory-hard.

bcrypt

older but accepted password hash; cost factor 10+.

Public-key (asymmetric)#

Algorithm

Notes

RSA-2048 / 3072 /

legacy default; key sizes 2048 minimum, 3072 (SP 800-131A

4096

Rev2), 4096 in regulated estates.

ECDSA P-256

NIST curve; broadly compatible.

ECDSA P-384

CNSA 2.0 transitional.

ECDSA P-521

less common.

EdDSA Ed25519

RFC 8032; faster + safer than ECDSA in many ways; modern default for SSH / Tor / Signal / Nostr.

EdDSA Ed448

longer-key variant.

ECDH

key agreement; X25519 (Curve25519) and X448 are modern defaults.

DSA

deprecated.

DH (FFDH)

classic discrete-log; replaced by ECDH except for compliance reasons.

Post-quantum cryptography#

NIST PQC selections (FIPS 203 / 204 / 205 finalised 2024):

Algorithm

Notes

ML-KEM (Kyber)

FIPS 203; key encapsulation; the new TLS / hybrid KEM. ML-KEM-512 / 768 / 1024.

ML-DSA (Dilithium)

FIPS 204; signature; the new general-purpose PQ signature. ML-DSA-44 / 65 / 87.

SLH-DSA (SPHINCS+)

FIPS 205; stateless hash-based signature; conservative backup.

HQC

FIPS-pending; alt KEM.

Falcon

alt signature; pending standard.

NTRU / NTRUEncrypt

submitted but not selected.

McEliece

code-based; key sizes huge but conservative.

CNSA 2.0 (US national security):

Use

Algorithm + parameters

Symmetric

AES-256.

Hash

SHA-384 / SHA-512.

Sig (until 2030)

ECDSA P-384 + RSA 3072.

Sig (PQ)

ML-DSA-87 (= Dilithium-5).

KEM (PQ)

ML-KEM-1024.

TLS cipher suites (modern)#

Suite (TLS 1.3)

Notes

TLS_AES_256_GCM_SHA

384 standard.

TLS_CHACHA20_POLY13

05_SHA256 standard.

TLS_AES_128_GCM_SHA

256 standard; for older HW + low-power.

TLS_AES_128_CCM_SHA

256 constrained.

TLS_AEGIS_256_SHA38

4 / 128_SHA256 RFC 9380; nascent.

TLS 1.3 always uses ECDHE + (optional) PSK; no static RSA; no CBC; no compression; no renegotiation.

Curves#

Curve

Notes

P-256 (secp256r1)

NIST; broadly supported.

P-384 (secp384r1)

NIST; CNSA.

P-521 (secp521r1)

NIST; rare.

secp256k1

Bitcoin / Ethereum curve.

Curve25519 (X25519)

Bernstein; SSH / Tor / Signal default.

Curve448 (X448)

longer-key variant.

brainpool

European-flavoured curves; rare.

Encoding / framing#

Format

Notes

PEM

-----BEGIN ...----- base64 wrapper.

DER

binary ASN.1.

PKCS#1

RSA private key DER.

PKCS#7 / CMS

signed / encrypted message format (.p7b / .p7c).

PKCS#8

private key DER (any algorithm).

PKCS#10

CSR (certificate signing request).

PKCS#12

.p12 / .pfx; cert + key + chain bundle (password- protected).

X.509

certificate format (RFCs 5280 + family).

JOSE

JWS / JWE / JWK / JWT (RFCs 7515-7519).

COSE

CBOR Object Signing and Encryption.

OpenSSH key

base64-wrapped variant.

GPG / OpenPGP

RFC 4880 + 9580; ASCII-armored + binary.

Hashes for non-security use#

Algorithm

Notes

xxHash (XXH64 / 3)

fast non-crypto checksum.

MurmurHash3

hash-table workhorse.

CityHash / FarmHash

Google.

SipHash

keyed; hash-flooding resistance.

MD5

legacy checksum only.

CRC32 / CRC32C

integrity for Ethernet / disk.

RNG / entropy#

Concept

Notes

/dev/urandom

Linux; the right answer for nearly every userland use.

/dev/random

Linux; blocking on early-boot entropy; use only in boot scripts on old kernels.

getrandom(2)

Linux syscall; modern API.

arc4random_buf

BSD / macOS; userland CSPRNG.

BCryptGenRandom

Windows.

DRBG

NIST deterministic RNG (HMAC-DRBG, CTR-DRBG, Hash-DRBG).

ChaCha20-RNG

Linux RNG since 5.18.

seedfs / seedrng

early-boot entropy seeding.

TRNG

hardware RNG (CPU RDSEED, TPM, hardware token).

Common library choices#

Library

Notes

OpenSSL 3.x

the dominant TLS + crypto library; multiple providers.

LibreSSL

OpenBSD fork.

BoringSSL

Google fork; used in Chrome + many proxies.

WolfSSL

embedded-friendly.

mbedTLS

ARM-sponsored; embedded.

NSS

Mozilla; Firefox + Thunderbird + Linux distros.

GnuTLS

GPL; some EU gov / Telegram clients.

libsodium

opinionated NaCl-based; safer-by-default.

Tink (Google)

opinionated multi-language; deprecated 2024 (replaced by per-language libs).

Bouncy Castle

Java + .NET.

PyCryptodome / cryp

tography (Python).

Web Crypto API

browser standard.

WebAuthn

passwordless / FIDO2 web standard.

Operator notes#

  • Default to AEAD, AES-GCM, ChaCha20-Poly1305. Never invent your own composition.

  • Constant-time, key compare, MAC compare, PIN compare must use hmac.compare_digest / crypto_subtle / CRYPTO_memcmp, not ==.

  • Nonce / IV reuse with the same key under GCM is catastrophic; use random or counter; use SIV variants if in doubt.

  • Key wrap uses the AES-KW algorithm (RFC 3394) rather than encrypting keys directly.

  • PQ migration, TLS hybrid (X25519 + ML-KEM) ramping in 2024-2026; signing slower because cert chains need both roots and intermediates updated.

  • HSM / KMS, AWS KMS, GCP Cloud KMS, Azure Key Vault, HashiCorp Vault for production key management; YubiHSM / CloudHSM for hardware-rooted.

  • GPG defaults, avoid; use age (modern asymmetric file encryption) or libsodium-based tools; if you must use GPG use Ed25519 + cv25519.

References#