Encryption — Deep Dive

AES internals, elliptic curve math, side-channel attacks, and why quantum computers threaten RSA but not your iPhone today.

AES: What’s Actually Happening

AES (Advanced Encryption Standard) is a block cipher — it processes data in fixed 128-bit chunks, regardless of key size (128, 192, or 256 bits).

Each block goes through 10-14 rounds of four operations:

  1. SubBytes — Each byte is replaced using a fixed lookup table (the S-box), derived from the multiplicative inverse in GF(2⁸). This adds non-linearity; without it, the cipher would be breakable with linear algebra.

  2. ShiftRows — Rows of the 4×4 byte matrix are cyclically shifted left. Row 0 stays put, row 1 shifts by 1, etc. This spreads bytes across columns.

  3. MixColumns — Each column is treated as a polynomial over GF(2⁸) and multiplied by a fixed polynomial. This is the main diffusion step — one byte change in input causes ~4 bytes to change in output.

  4. AddRoundKey — XOR the block with the round key (derived from the original key via key schedule). This is where the secret actually enters.

The design principle is called confusion and diffusion (Claude Shannon, 1949): confusion obscures the relationship between key and ciphertext; diffusion ensures each input bit affects many output bits. After ~3 rounds, every output bit depends on every input bit — the avalanche effect.

Input Block (128 bits = 4×4 byte matrix)

[Round 1] SubBytes → ShiftRows → MixColumns → AddRoundKey
[Round 2] SubBytes → ShiftRows → MixColumns → AddRoundKey
     ...
[Round 10] SubBytes → ShiftRows → AddRoundKey (no MixColumns in final round)

Ciphertext Block

There is no known attack on AES-256 faster than brute force. At 2²⁵⁶ possible keys, even a computer checking 10¹⁸ keys/second would need ~3.6 × 10⁶⁰ years.

RSA: The Math Behind Public-Key Cryptography

RSA security relies on the integer factorization problem: multiplying two large primes is trivial; factoring their product is hard.

Key generation:

  1. Choose two large primes p and q (each ~2,048 bits)
  2. Compute n = p × q (the public modulus)
  3. Compute Euler’s totient: φ(n) = (p-1)(q-1)
  4. Choose e such that gcd(e, φ(n)) = 1 (commonly 65537)
  5. Compute d such that d × e ≡ 1 (mod φ(n)) — this is the private key

Encryption: ciphertext = plaintext^e mod n
Decryption: plaintext = ciphertext^d mod n

The public key is (n, e). The private key is d. Breaking RSA means finding d from n and e — which requires factoring n to recover p and q.

With a 2,048-bit modulus, the best known classical algorithm (General Number Field Sieve) would take ~10⁶ CPU-years. RSA-2048 is considered secure until at least 2030 by NIST.

Elliptic Curve Cryptography (ECC)

ECC achieves the same security as RSA with dramatically smaller keys. A 256-bit ECC key is roughly equivalent to a 3,072-bit RSA key.

An elliptic curve over a finite field is defined by:

y² = x³ + ax + b  (mod p)

Point multiplication — the core operation — is easy to compute forward but computationally hard to reverse. Given points G (public) and Q = k × G (also public), finding k (the private key) is the Elliptic Curve Discrete Logarithm Problem (ECDLP).

The curve P-256 (secp256r1) is used in TLS certificates, ECDSA signatures, and most modern HTTPS. Curve25519 (designed by Daniel Bernstein) is used in Signal, WireGuard, and SSH — favored for its resistance to implementation errors and timing attacks.

TLS 1.3: A Leaner Handshake

TLS 1.2 required 2 round-trips before data could flow. TLS 1.3 (RFC 8446, 2018) cuts this to 1 round-trip and removes a decade of legacy baggage:

  • Dropped: RSA key exchange, RC4, DES, 3DES, MD5, SHA-1, static Diffie-Hellman
  • Required: Forward secrecy (ephemeral key exchange only)
  • Added: 0-RTT resumption (replayed data — has replay attack implications)

Forward secrecy means each session uses fresh ephemeral keys. Even if someone records encrypted traffic today and steals your private key in 5 years, they still can’t decrypt past sessions. TLS 1.2 with RSA key exchange had no such protection.

Side-Channel Attacks: When Math Isn’t Enough

A cipher can be mathematically unbreakable yet leak secrets through physical implementation.

Timing attacks (Paul Kocher, 1996): If a decryption function takes slightly different time depending on key bits, an attacker can recover the key by measuring execution time across thousands of calls. Early RSA implementations were vulnerable. Fix: constant-time implementations that take identical time regardless of input.

Power analysis: In 1999, Kocher et al. showed that a smart card’s power consumption during AES encryption leaks the key — measurable with a ~$50 oscilloscope. Simple Power Analysis (SPA) reads the key from a single trace; Differential Power Analysis (DPA) uses statistical analysis of many traces to recover keys from noisy measurements.

Cache timing (FLUSH+RELOAD): Modern CPUs cache memory. AES’s S-box lookups access different cache lines depending on key bytes. An attacker sharing CPU cache (via virtualization or Spectre-like exploits) can infer key bytes by measuring cache hit/miss timing.

Hardware security modules (HSMs) are shielded against these attacks. Software mitigation uses constant-time code and bitsliced AES implementations that avoid memory lookups entirely.

The Quantum Threat

Grover’s algorithm halves the effective key length: AES-128 effectively becomes AES-64 against a quantum computer. Response: use AES-256. Not a crisis.

Shor’s algorithm is the real threat: it solves integer factorization and discrete logarithm in polynomial time — directly breaking RSA and ECC. A sufficiently large quantum computer (millions of stable logical qubits) would render current public-key infrastructure obsolete.

Today’s best quantum computers have ~1,000-2,000 noisy physical qubits. Breaking RSA-2048 requires roughly 4,000 logical qubits — which translates to millions of physical qubits due to error correction overhead. We’re likely 10-20 years away.

Post-Quantum Cryptography (PQC): NIST finalized its first PQC standards in 2024:

  • ML-KEM (CRYSTALS-Kyber) — key encapsulation, based on module learning with errors (MLWE)
  • ML-DSA (CRYSTALS-Dilithium) — digital signatures
  • SLH-DSA (SPHINCS+) — hash-based signatures, conservative choice

Google’s Chrome began experimenting with X25519Kyber768 hybrid TLS in 2023. The strategy: run classical + post-quantum in parallel so that even if one is broken, the other holds.

Authenticated Encryption: Why Encryption Alone Isn’t Enough

Encryption protects confidentiality but not integrity. An attacker who can’t read your ciphertext can still flip bits — and without a MAC (Message Authentication Code), the recipient can’t detect tampering.

AES-GCM (Galois/Counter Mode) combines AES-CTR encryption with GHASH authentication in a single pass. It’s an AEAD (Authenticated Encryption with Associated Data) scheme — every TLS 1.3 session uses it (AES-128-GCM or AES-256-GCM).

The authentication tag is 128 bits. Forging a valid tag without the key requires ~2¹²⁸ attempts. Any bit-flip in ciphertext causes decryption to fail with an authentication error — no silent corruption.

Critical implementation caveat: AES-GCM nonces must never repeat for the same key. A repeated nonce leaks the authentication key and allows plaintext recovery. This is why TLS generates fresh session keys rather than reusing them — and why nonce-misuse-resistant schemes like AES-GCM-SIV exist for contexts where nonce uniqueness is hard to guarantee.

One Thing to Remember

Modern encryption algorithms are public and mathematically proven — the security is entirely in the key. Real-world breaks almost always come from key management failures, implementation bugs, side channels, or protocol misuse — not from cracking the math.

securitycryptographyaesrsaeccquantumtlsside-channel

See Also

  • Apis What is an API? Think of it as a waiter who takes your order and brings back exactly what you asked for.
  • Git Why do millions of programmers obsess over a tool that saves old versions of their work? Because without it, one bad day can delete months of effort.
  • Graphql Why do apps ask for exactly the data they need — and why that's a bigger deal than it sounds?

Related Topics

ab-testing How tech companies run thousands of experiments at once to improve their products — the scientific method applied to everything from button colors to recommendation algorithms. 3 levels → activation-functions Why neural networks need these tiny mathematical functions — and how ReLU's simplicity accidentally made deep learning possible. 3 levels → ai-agents-architecture How AI systems go from answering questions to actually doing things — the design patterns that turn language models into autonomous agents that browse, code, and plan. 3 levels →