Every company has sensitive data that it needs to protect, yet extracting value from your data means that you must use it, whether that means feeding it to a data analytics tool, sharing it with partners or contractors, or even simply storing it in the cloud or on a USB. While you can take steps to prevent unauthorized access to your network and sensitive data, what happens if a cyberattacker breaks through your defenses? It's considered an essential best practice for data loss prevention.
What is Data Encryption?
Data encryption is a widely used approach to rendering data uninterpretable should unauthorized users gain access to it. Using a data encryption algorithm, data encryption translates data from its raw, plain text form (plaintext data) — which is easily readable by anyone who accesses it — to a complex form or code (ciphertext) that's unreadable and unusable unless the user has a decryption key or password that will "decrypt" the data by translating it back to its plain text format. For example, if a cybercriminal gains access to a database containing customers' Social Security numbers, but the data is encrypted, the attacker can gain no value from it. Because they can't interpret the true Social Security numbers, they can't use the data for identity theft, and they can't sell it on the dark web.
There are two primary types of data encryption algorithms:
- Asymmetric encryption, also known as public key encryption, which uses two keys: a public key and a private key. The public key is used to encrypt the data, and the private key is used to decrypt the data. The private key is carefully protected, shared only between the sender and receiver of the data.
- Symmetric encryption, which uses the same key to encrypt and decrypt data.
A hash function is another method involved in data encryption. Hashing uses an algorithm to translate data of any size to a fixed length, resulting in a hash value, rather than the ciphertext produced by encryption algorithms. Hashing is used to verify that data has not been altered from its previous state during transmission. For example, if one person is sending a sensitive file to another user and the user needs to confirm the integrity of the data, the original person can send a hash value along with the data. The recipient can then calculate the hash value of the data they've received. If the data hasn't been altered, the two hash values will be the same.
Data encryption enables:
- Authentication: Did the data come from where it claims or appears to?
- Integrity: Is the data unchanged from before transmission?
- Non-repuditation: The sender cannot deny sending or transmitting the data.
Data encryption doesn't prevent attackers from gaining entry to your network or systems, but it does ensure that your data cannot be read or interpreted even if it's accessed by a malicious actor.
50 Data Encryption Algorithm Methods & Techniques for Effective Data Encryption
Let's take a look at some of the most well-known and commonly used data encryption algorithm methods and techniques, as well as some common hash functions. They're grouped by the type of algorithm and listed alphabetically within each category.
Asymmetric Data Encryption Algorithms
1. Blum–Goldwasser (BG) cryptosystem. The Blum-Goldwasser cryptosystem is a probabalistic public-key encryption scheme that was proposed back in 1984 by Manuel Blum and Shafi Goldwasser that comprises three algorithms, including a probabalistic encryption algorithm, a deterministic decryption algorithm, and a probabilistic key generation algorithm to produce a public key and a private key. This semantically-secure cryptosystem that has a consistent ciphertext expansion. As it uses a probabalistic algorithm, the BG cryptosystem can produce different ciphertexts each time a set of plaintext is encrypted. That is advantageous as cybercriminals intercepting data encrypted with the BG algorithm cannot compare it to known ciphertexts to interpret the data.
2. Boneh–Franklin scheme. The Boneh-Franklin scheme was the first practical identity-based encryption (IBE) scheme. Proposed in 2001 by Dan Boneh and Matthew K. Franklin, the Boneh-Franklin scheme is based on bilinear maps between groups, such as the Weil pairing on elliptic curves. The Private Key Generator (PKG) in the Boneh-Franklin scheme can be distributed so that to ensure that the master key is never available in a single location by using threshold cryptography techniques.
3. Cayley–Purser algorithm. The Cayley-Purser algorithm was developed by Sarah Flannery in 1999 and was inspired by Michael Purser's ideas for a Young Scientist competition in 1998. The algorithm is named after Purser and the mathematician who invented matrices, Arthur Cayley. Rather than modular exponentiation, the Cayley-Purser algorithm uses only modular matrix multiplication. It's about 20 times faster than RSA for a modulus consisting of 200 digits and is most other public-key algorithms for large moduli. However, it has since been discovered that data encrypted with the Cayley-Purser algorithm can be decrypted easily using knowledge of public data.
4. CEILIDH. The CEILIDH public-key cryptosystem, which is based on the ElGamal scheme and has similar security properties, was introduced by Alice Silverberg and Karl Rubin in 2003. Based on the discrete logarithm problem in algebraic torus, CEILIDH's primary advantage is its reduced key size compared to basic schemes for the same level of security. Named after Alice Silverberg's cat, this cryptosystem's name is also a Scot Gaelic word to describe a traditional Scottish gathering,
5. Cramer–Shoup cryptosystem. The Cramer–Shoup cryptosystem is an extension of the ElGamal scheme developed by Ronald Cramer and Victor Shoup in 1998. It incorporates additional elements compared to ElGamal to ensure non-malleability and was the first scheme proven to be effective at securing against chosen-ciphertext attack (CCA) in the standard model.
6. Crypto-PAn. Crypto-PAn (Cryptography-based Prefix-preserving Anonymization) is a type of format-preserving encryption that's used to anonymize IP addresses while preserving the structure of their subnets. It was invented in 2002 by Jinliang Fan, Jun Xu, Mostafa H. Ammar from Georgia Tech, along with Sue B. Moon and was inspired by Greg Minshall's TCPdpriv program in 1996, which adopted IP anonymization. Crypto-PAn has been found to be vulnerable to fingerprinting and injection attacks.
7. Diffie-Hellman. The Diffie-Hellman algorithm, developed by Whitfield Diffie and Martin Hellman in 1976, was one of the first to introduce the idea of asymmetric encryption. The general concept of communication over an insecure channel was introduced by Ralph Merkle in an undergraduate class project called Ralph's Puzzles, which is now deemed to be one of the earliest examples of public key cryptography. Also known as the Diffie-Hellman key exchange, it's a mathematical method that enables two unfamiliar parties to exchange cryptographic keys over a public channel securely. While it's a non-authenticated key-agreement protocol, it serves as the basis for numerous authenticated protocols.
8. El Gamal. The El Gamal encryption algorithm, based on the Diffie-Hellman key exchange, was developed by Taher Elgamal in 1985. The security strength of this algorithm is based on the difficulty of solving discrete logarithms. One downside is that the ciphertext generated by El Gamal is two times the length of the plaintext. However, it creates a different ciphertext each time the same plaintext is encrypted.
9. Elliptic Curve Cryptography. Elliptic Curve Cryptography (ECC) is an alternative to the Rivest-Shamir-Adleman (RSA) cryptographic algorithm. As its name suggests, it is based on the elliptic curve theory and keys are generated using elliptic curve equation properties. It's used to create smaller, more efficient encryption keys quickly. Solving elliptic curve logarithms is more difficult than factoring, making ECC more difficult to crack compared to RSA and Diffie-Hellman. ECC is commonly used for email encryption, software, and for cryptocurrency digital signatures.
10. EPOC (Efficient Probabilistic Public Key Encryption). Efficient Probabilistic Public Key Encryption, known as EPOC, is a probabilistic public-key encryption scheme with two variations: EPOC-1 and EPOC-2. Both are public-key encryption systems that use a one-way trapdoor function. EPOC-1 also uses a random hash function, while EPOC-2 also uses two hash functions and symmetric-key encryption, such as block ciphers. This encryption scheme was developed in 1999 by T. Okamoto, S. Uchiyama and E. Fujisaki, who were professionals from a Japanese telecommunications company called NTT Labs. EPOC is semantically secure against chosen ciphertext attacks.
11. Falcon. Falcon (an abbreviation for Fast Fourier lattice-based compact signatures over NTRU) is a post-quantum signature scheme developed by Pierre-Alain Fouque, Jeffrey Hoffstein, Paul Kirchner, Vadim Lyubashevsky, Thomas p*rnin, Thomas Prest, Thomas Ricosset, Gregor Seiler, William Whyte, and Zhenfei Zhang, who submitted it to NIST's Post-Quantum Cryptography Project in 2017, where it was selected in the fourth round. It's based on the based on the theoretical lattice-based signature schemes framework developed by Gentry, Peikert and Vaikuntanathan. Its signatures are more compact than those of lattice-based signature schemes, yet it offers the same security. Falcon can implement thousands of signatures per second on a typical computer and verify those signatures five to ten times faster.
12. Goldwasser–Micali (GM) cryptosystem. The Goldwasser–Micali cryptosystem was developed in 1982 by Shafi Goldwasser and Silvio Micali, who proposed the definition of semantic security that's widely accepted today. It was the first probabilistic public-key encryption scheme that was proven to be secure under standard cryptographic assumptions. It's not known for its efficiency, as the ciphertexts created by the GM cryptosystem can be hundreds of times larger than the original plaintext.
13. Hidden Fields Equations (HFE). The Hidden Fields Equations, also known as HFE trapdoor function first introduced in 1996 at Eurocrypt, a cryptology research conference. It was proposed by Jacques Patarin based on the idea of the Matsumoto zeta functions and Imai system. It uses polynomials of different sizes to conceal the private-public key relationship, rather than the finite fields used by some other data encryption algorithms.
14. Kyber. Kyber is a key encapsulation method (KEM) that's part of the Post Quantum Cryptography family and designed to resist cryptanalytic attacks that may someday be achieved with quantum computers. It's based on machine learning's module learning with errors (M-LWE) and cyclotomic rings. It was developed by developers from government and research institutions from Europe and North America and is derived from Oded Regev's method, which was published in 2005. Kyber is part of the Cryptographic Suite for Algebraic Lattices (CRYSTALS) and is integrated into or supported by various systems from Cloudflare, Amazon, and IBM.
15. Lenstra–Lenstra–Lovász lattice basis reduction algorithm (LLL). The Lenstra–Lenstra–Lovász lattice basis reduction algorithm was developed by Arjen Lenstra, Hendrik Lenstra and László Lovász in 1982. In one of the earliest applications of LLL, Andrew Odlyzko and Herman te Riele used it to disprove Mertens conjecture. LLL has also been used to solve coding theory and cryptanalysis problems and has successfully broken variants of RSA and DSA.
16. McEliece cryptosystem. The McEliece cryptosystem, introduced by Robert J. McEliece in 1978, was the first code-based public-key cryptosystem and the first to use randomization in the encryption process. It's a one-way system, which means that cyberattackers can't easily find a randomly chosen code word using a ciphertext and public key. Despite being introduced decades ago, it maintains relatively stable security and may have a place in post-quantum cryptography as it withstands attacks based on Shor's algorithm.
17. Merkle–Hellman Knapsack cryptosystem. The Merkle–Hellman Knapsack cryptosystem was introduced in 1978 by Ralph Merkle and Martin Hellman. This cryptosystem has been proven to be insecure, however, as Adi Shamir published a successful attack on the Merkle-Hellman cryptosystem based on Shor's algorithm in 1984. The attack decrypts messages in polynomial time without the private key.
18. Naccache–Stern cryptosystem. The Naccache–Stern cryptosystem is a hom*omorphic cryptosystem that bases its security on the higher residuosity problem. Discovered by David Naccache and Jacques Stern in 1998, it's a malleable scheme, meaning that a ciphertext can be transformed into another ciphertext that decrypts to the appropriate plaintext.
19. Naccache–Stern Knapsack cryptosystem. While the name is similar, the Naccache–Stern Knapsack cryptosystem is not the same as the Naccache-Stern cryptosystem described above. The Naccache–Stern Knapsack cryptosystem, developed in 1997 by David Naccache and Jacques Stern, is an atypical pubic-key cryptosystem that is deterministic and not semantically secure. It has not been proven secure, although it hasn't yet been fullybroken.
20. Niederreiter cryptosystem. The Niederreiter cryptosystem was developed in 1986 by Harald Niederreiter. A variation of the McEliece cryptosystem, it offers the same level of security as the McEliece scheme, but it's about ten times faster. It's based on error correcting codes and uses a syndrome for ciphertext and an error pattern for the message, the Niederreiter cryptosystem can be used for digital signature schemes.
21. NTRUEncrypt. NTRUEncrypt, also known as the NTRU encryption algorithm, is an alternative to RSA and ECC. The first version, NTRU, was introduced in 1996 by mathematicians Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman, who later founded NTRU Cryptosystems, Inc. along with David Lieman. It's based on the shortest vector problem in a lattice, which is believed to be immune to quantum computing attacks. It's faster than some other asymmetric encryption schemes.
22. Okamoto–Uchiyama cryptosystem. The Okamoto–Uchiyama (OU) cryptosystem was introduced by Tatsuaki Okamoto and Shigenori Uchiyama in 1998. It's a homeomorphic and malleable scheme, and it's semantically secure.
23. Paillier cryptosystem. The Paillier cryptosystem was introduced in 199 and is named for Pascal Paillier. It's an additive hom*omorphic cryptosystem based on the decisional composite residuosity assumption, an intractibility hypothesis. It is semantically secure against chosen plaintext attacks.
24. Rabin cryptosystem. The Rabin cryptosystem is based on a trapdoor function similar to RSA's trapdoor function, and its security is based on the difficulty of integer factorization, and it was the first digital signature scheme in which forging a signature was as difficult as factoring. The trapdoor function was originally published in 1978 by Michael O. Rabin.
25. Rivest-Shamir-Adleman (RSA). RSA is a widely known and commonly used asymmetric encryption algorithm; in fact, it's the standard for encryption over the internet. With RSA, plaintext can be encrypted using either the public or private key. If information is encrypted using the public key, the recipient must have the private key to decrypt it, ensuring that only the intended recipient will gain access to the data. If information is encrypted using the private key, the recipient uses the sender's public key to decrypt it, which can be used to verify the sender's identity. However, using this method, the data could be stolen, read, and modified while in transit, and the recipient would have know way to verify the data's integrity.
26. Sakai–Kasahara scheme. The Sakai–Kasahara scheme, also known as the Sakai–Kasahara key encryption algorithm (SAKKE), is an IBE cryptosystem introduced in 2003 by Ryuichi Sakai and Masao Kasahara. Anyone can encrypt a message with SAKKE when having no information other than the recipient's public identity, such as their email address, so the users don't have to share public certificates.
27. Schmidt-Samoa cryptosystem. The Schmidt-Samoa cryptosystem (SSC) relies on the difficulty of the large integer factorization problem. It's as fast as Rabin and RSA for processing decryption, but encryption is much slower. Proposed by Sakai and Kasahara in 2003, and in 2005, Chen and Cheng developed an efficient IBE scheme using a simple version of the Sakai-Kasahara scheme and the Fujisaki-Okamoto transformation that was proven to be secure against chosen ciphertexts.
28. Schoof–Elkies–Atkin algorithm. The Schoof–Elkies–Atkin algorithm is primarily used in elliptic curve cryptography. It's an extension of Schoof's algorithm (discussed below) to improve efficiency developed by Noam Elkies and A. O. L. Atkin.
29. Schoof's algorithm. Schoof's algorithm was published by René Schoof in 1985 and was the first deterministic polynomial time algorithm to count points on an elliptic curve. Before Schoof's algorithm, the algorithms used for this purpose were incredibly slow.
Symmetric Data Encryption Algorithms
30. Advanced Encryption Standard (AES). The Advanced Encryption Standard (AES) is a symmetric block cipher that's used for classified information by the U.S. government. Development of AES began in 1997 by NIST in response to the need for an alternative to the Data Encryption Standard (DES, discussed below) due to its vulnerability to brute-force attacks. In its most efficient form, it uses 128-bit keys, although it also uses 192- and 256-bit keys when robust encryption is necessary.
31. Blowfish. Like AES, Blowfish was developed in 1993 by Bruce Schneier as an alternative to DES. It breaks messages into 64-bit blocks, encrypting each block separately. It's known to be fast, flexible, and has yet to be broken.
32. DES. The DES (data encryption standard) is one of the original symmetric encryption algorithms, developed by IBM in 1977. Originally, it was developed for and used by U.S. government agencies to protect sensitive, unclassified data. This encryption method was included in Transport Layer Security (TLS) versions 1.0 and 1.1. It creates two 32-bit blocks from a 64-bit block and encrypts each block separately, producing 64-bit blocks of encrypted text. DES was broken by many researchers over the years and in 2005, it was replaced by AES as the new standard.
33. Electronic Code Book (ECB). Electronic Code Book (ECB) is the simplest symmetric encryption scheme and also the weakest, producing a block of ciphertext for each block of plaintext. Like DES, it separates larger blocks into smaller blocks and encrypts them individually. It produces the same ciphertext every time the same plaintext is encrypted, meaning that it's crackable over time as hackers learn to correspond the consistent ciphertext with the equivalent plaintext values.
34. Format Preserving Encryption (FPE). As its name suggests, Format Preserving Encryption (FPE) preserves the original format of the plaintext it encrypts. This is beneficial in applications in which data must be in a particular format but also must be secure. An attack was discovered on an FPE method widely used by organizations around the world, known as FF3. As such, it's no longer considered secure.
35. IDEA. The International Data Encryption Algorithm (IDEA) was introduced in 1990 by Xuejia Lai and James Massey as an alternative to DES under a research contract with the Hasler Foundation, which became part of Ascom-Tech AG. Originally called Improved Proposed Encryption Standard (IPES), it's a revision of a previous concept called the Proposed Encryption Standard (PES).
36. MARS. Multivariate Adaptive Regression Splines (MARS) was a finalist in the NIST's Advanced Encryption Standard Process (1997-2000) in the search for a viable DES alternative. MARS was originally introduced by Jerome Friedman in 1991 as a form of regression analysis for statistics. It's well-suited for complex regression problems in which there are variable inputs and non-linear relationships between metrics.
37. QUAD. QUAD is a stream cipher with provable security. It was first introduced at Eurocrypt 2006 by Cˆome Berbain, Henri Gilbert, and Jacques Patarin.
38. RC algorithms. The original RC algorithm, RC1, was developed by Ron Rivest, albeit never published. They're also known as Rivest's cipher or Ron's code. There are several iterations in addition to RC1, including RC2, RC3, RC4, RC5, and RC6. RC5 was introduced in 1994, followed by RC6 (which was heavily based on RC5) in 1997.
39. Serpent. Serpent is another block cipher developed as a potential replacement for DES. Designed by Ross Anderson, Eli Biham and Lars Knudsen, it was a finalist in NIST's AES competition. Despite using two times the number of rounds necessary to block all known shortcut attacks, Serpent is significantly faster than DES.
40. SNOW. Developed by Thomas Johansson and Patrik Ekdahl at Lund University, SNOW is a word-based synchronous stream cipher with several iterations, including SNOW 1.0, SNOW 2.0, and SNOW 3G. Snow 3G is used on 4G networks.
41. 3DES. Also known as Triple Data Encryption Algorithm, or 3DEA, 3 DES is the successor to the original DES and was developed as a result of cyberattackers successfully breaching the original DES. It was widely used in the 1990s but eventually was upstaged by more secure algorithms.
42. Threefish. Threefish is a block cipher for the Skein hash function (discussed below) developed in 2008 by Bruce Schneier, Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker. It was one of five finalists in NIST's SHA-3 hash function competition. Praised for its speed, it withstands timing attacks by avoiding table lookups and S-Boxes.
43. Twofish. A successor to Blowfish designed by John Kelsey, Chris Hall, Niels Ferguson, David Wagner, Doug Whiting, and Bruce Schneier, Twofish encrypts data in 16 rounds regardless of the key size. Known as one of the fastest encryption algorithms in this category, it's used for many modern file encryption software tools and can be used for both hardware and software.
Hash Function Algorithms
44. HMAC. Hash Message Authentication Code (HMAC) is a message authentication code (MAC) that uses a cryptographic hash function along with a private cryptographic key. In addition to verifying the integrity of the data, HMAC can also verify the message's authentication. As the key and the message are hashed separately, it's more secure than standard MAC.
45. MD 5. MD5 (Message Digest algorithm) is a hash function algorithm that was a predecessor SHA-3 (discussed below). Developed by Ronald Rivest in 1991, MD 5 converts a message of any length to a standard 16-byte message.
46. SHA. The Secure Hashing Algorithm (SHA) is a variant of MD 5 that's used for hashing data and certificates, shortening the input data using compression functions, modular additions, and bitwise operations. SHA can verify the integrity of data because it produces a completely different hash value even if just a single character was changed from the original message. There are various forms of SHA algorithms. SHA can only be broken by brute force attacks.
47. BLAKE. Submitted to the NIST hash function competition by Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan in 2008, BLAKE is based on Daniel J. Bernstein's ChaCha stream cipher. It was one of five finalists in the NIST hash function competition. An improved version, BLAKE 2, was created in 2012 by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein as a replacement for MD5 and SHA-1.
48. Fast syndrome-based hash functions. Fast syndrome-based hash functions (FSB) were introduced in 2003 by Daniel Augot, Matthieu Finiasz, and Nicolas Sendrier. It's unique in that it is proven that it's as difficult to break as solving the regular syndrome decoding problem. Regular syndrome decoding problem is a NP-complete problem that's assumed to be unsolvable in polynomial time, meaning that it's provably secure to an extent. However, early iterations were eventually broken, but it's current iteration is deemed secure to all currently known attacks. The downside to FSB is that it uses a lot of memory and is slower than other hash functions.
49. SHA-3. Secure Hash Algorithm 3 (SHA-3) is the newest version of SHA (discussed above). It's part of the Keccak cryptographic family, which was announced as the winner of the NIST's Cryptographic Hash Algorithm Competition in 2012. NIST announced Keccak as the new hashing standard in 2015. While other SHA versions are structured similarly to MD5, SHA-3 has a different internal structure.
50. Skein. Skein is a hash function family developed by Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker and submitted to the NIST's hash algorithm competition. It is designed based on Threefish to offer speed, security, simplicity, and flexibility.
As technology advances, new data encryption algorithm methods and techniques will be developed to safeguard sensitive data. Many of the recently developed algorithms have been designed with future needs in mind, such as the ability to withstand attacks using quantum computing techniques. As new algorithms and has functions are often based on the advantages and shortcomings of existing algorithms and hashes, having an understanding of the many data encryption algorithm methods and techniques, such as ECC, RSA, SHA-3, MARS, IDEA, and others, will prove valuable when it comes to data security.
