Encryption
Overview and Comparison
On this page, you will learn what...
 Symmetric Encryption (also known as Private Key Encryption),
 Asymmetric Encryption (also known as Public Key Encryption),
 Authenticated Encryption (AE)
 Authenticated Encryption with Associated Data (AEAD)
... are and where to learn more about the different algorithms that implement these.
Overview of encryption algorithms
Algorithm  Key Sizes  Type  Authentication? (AE or AEAD) 
Recommendation 

AES  128, 192 or 256 Bits  Symmetric 128 Bit Block Cipher 
✅ via GCM mode 
Recommended This algorithm is considered very secure and widely studied and deployed. GCM or CBC modes are recommended. 
ChaCha  256 Bits  Symmetric Stream Cipher 
✅ via Poly1305 
Recommended ChaCha20 is considered very secure and is widely studied and deployed. Use of Poly1305 is recommended. 
RSA  >= 1028 Bits  Asymmetric Block Cipher 
?  Recommended This algorithm is considered very secure. Usually used with an symmetric encryption algorithm, while RSA "only" encrypts the symmetric key. 
ECIES  256 Bits  Asymmetric (Hybrid) Block Cipher or Stream Cipher possible 
?  Recommended (but can be hard to implement) This encryption scheme is considered very secure. It is not a precicse defined algorithm, but instead a framework to implement encryption when knowing the receiver's Elliptic Curve public key. It can be used with symmetric encryption algorithms (recommended: AES or ChaCha20). 
Camellia  128, 192 or 256 Bits  Symmetric Block Cipher 
❌  Considered secure This algorithm is considered secure, but is not as widely studied or deployed as AES or ChaCha20 
3DES  112 or 168 Bits  Symmetric 64 Bit Block Cipher 
❌  Less secure than AES and ChaCha20 This algorithm is not inherently insecure, but it is less secure than AES or ChaCha20, and computationally more expensive. 
DES  56 Bits  Symmetric 64 Bit Block Cipher 
❌  Not recommended This algorithm is no longer considered secure 
Blowfish  32448 Bits  Symmetric 64 Bit Block Cipher  ❌  Not recommended This algorithm is no longer considered secure 
ARC4 (aka "RC4") 
402048 Bits  Symmetric Stream Cipher  ❌  Not recommended This algorithm is no longer considered secure 
IDEA  128 Bits  Symmetric 64 Bit Block Cipher  ❌  Not recommended This algorithm is no longer considered secure 
What is Encryption?
With "encryption" we mean a way to alter a given "plaintext" (although this often is not only text, but can be arbitrary data, such as files or a byte stream) to make it incomprehensible without knowing some kind of "secret". Encryption reaches one of the fundamental goals of cryptography: Confidentiality.
Modern encryption schemes  and only those are recommended on this site  also provide Authenticity, which guarantees that the ciphertext and therefore the plaintext have not been altered without knowing the secret key. This is a very important attribute of an encryption scheme, because modifying the ciphertext can be a powerful attack vector.
There are two fundamentally different approaches to encryption. One is called "Symmetric Encryption" (also known as Private Key Encryption) and the other is called "Asymmetric Encryption" (also known as Public Key Encryption).
What is Symmetric Encryption?
(Also known as Private Key Encryption)
In Symmetric Encryption, the "secret" that is used to make the "plaintext" incomprehensible (this incomprehensible form is called "ciphertext") is the same as the secret that is used to decrypt the ciphertext back into plaintext. This means that the sender and the recipient of the ciphertext need to know exactly the same secret. This secret is called the "Private Key". It is "private", because it must only be known to the peers that are allowed to know the plaintext.
The advantage of symmetric encryption is it's speed, because it only requires relatively easy calculations.
The biggest downside of symmetric encryption is that the private key needs to be shared between the sender and the recipient. This yields the problem that somehow this secret private key must be exchanged before the ciperhtext can be decrypted. This in itself can be a problem, especially when communication takes place over a public medium such as the internet or via radio frequencies.
This narrows the use case of Symmetric Encryption to situations where this secret can be securely shared between the sender and the receipient. These are some common ways to exchange the secret key:
 Presharing the key over a secured medium  e.g. separately writing the key to the system that encrypts, and the system that decrypts the data
 Key exchange algorithms such as DiffieHellman (DH) and Elliptic Curve DiffieHellman (ECDH)
 Encrypting the secret key alongside the ciphertext using an asymmetric encryption scheme
Popular Symmetric Encryption algorithms are AES, ChaCha20, 3DES and DES. While AES and ChaCha20 are stateoftheart secure, you should not use DES or 3DES anymore, because they have been provem to be breakable.
What is Asymmetric Encryption?
(Also known as Public Key Encryption)
Asymmetric Encryption does not pose the problem that a secret must be shared between the sender and the receipient, because encryption takes place with a Public Key and decryption can be done with a Private Key.^{1}. The Public Key  as the name suggests  can be shared freely and must not be transmitted securely. You can post it on the internet and it will not be a problem, because you can not decrypt ciphertext with the Public Key that was encrypted using the Public Key. Hence, when a sender wants to send a message securely to a receipient, it must know the receipient's Public Key, can encrypt a message using the Public Key, and the receipient c an decrypt it using it's Private Key.
So the advantage of Asymmetric Encryption is that it is not required for a secret to be shared between the sender and the receipient, and hence no secure channel must be established before an encrypted message can be exchanged.
But the disadvantage of asymmetric encryption is that it is compute intensive, and hence can not be used where scale or speed is of importance.
To mitigate this main disadvantage, Asymmetric Encryption is usually combined with Symmetric Encryption in a way that the shared secret (Private Key) for the Symmetric Encryption will be encrypted using Asymmetric Encryption and the actual message is then encrypted using the shared secret and a Symmetric Encryption algorithm. This way, only a tiny bit of the transported data  the shared secret (Private Key of the Symmetric Encryption)  must be encrypted using the computeexpensive Asymmetric Encryption algorithm, and the main content of the transported data can be encrypted using the fast Symmetric Encryption.
Popular Asymmetric Encryption algorithms are RSA and Elliptic Curves, but they are seldomely used alone for encryption.
What is Authenticated Encryption (AE)?
Encryption does not guarantee that the sender of a ciphertext knows the Private Key. Of course you need a Private Key to construct a plausible ciphertext, but you can also modify a ciphertext  or completely guess a ciphertext from scratch  without knowing the Private Key as an attacker. This is called CCA and usually poses a problem to an encryption system, because it can help to break the security.
Authenticated Encryption can be used to mitigate this risk, because it can authenticate the ciphertext and/or plaintext to be assembled by a sender that knows the Private Key. The decryption algorithm will not only decrypt the message, but also check a MAC against the message and only continue decryption if the MAC is constructed correctly.
It is strongly advised to only use Authenticated Encryption. When Authenticated Encryption is not feasible, it is strongly advised to separately authenticate the ciphertext using EncryptthenMAC^{2}.
A popular and very secure cipher that supports authenticated encryption is ChaCha20Poly1305.
What is Authenticated Encryption with Associated Data (AEAD)?
AEAD is an extension of AE that allows sending plaintext data alongside the ciphertext that can be read  and later authenticated by the recipient without previously knowing the private key.
One exampe could be that the associated data contains an identifier that the recipient can use to look up the private key that is required the decrypt and authenticate the message.
A popular and very secure cipher that supports AEAD is AESGCM. ...

Or the other way around: It's also possible to encrypt using the Private Key and decrypt using the Public Key  although this often does not make too much sense, because the Public Key could be available to anybody ↩

All the crypto code you’ve ever written is probably broken as blogged by Tony Arcieri. ↩