Symmetric vs Asymmetric Encryption MCQ 60 Tests With Answers (2026)

Incorrect·D: Using asymmetric encryption to securely exchange a symmetric session key, and then using that symmetric key to encrypt the bulk data payload

Hybrid encryption combines both types to exploit their complementary strengths: the key distribution advantage of asymmetric, and the speed advantage of symmetric. The process: (1) The sender generates a random symmetric session key (e.g., a 256-bit AES key). (2) The sender encrypts this symmetric key with the recipient's public key (using RSA or ECC). (3) The sender encrypts the actual data payload with the symmetric session key (using AES-GCM). (4) Both encrypted items are transmitted together. The recipient decrypts the symmetric key with their private key, then uses it to decrypt the data. TLS/HTTPS, PGP/GPG, and S/MIME all use this pattern — it is the standard architecture for all secure internet communications.

Incorrect·B: Asymmetric encryption is used first to authenticate the server and exchange keys; symmetric encryption is used thereafter to encrypt the actual web traffic

TLS (Transport Layer Security) is the canonical real-world example of hybrid encryption. Phase 1 — Handshake (Asymmetric): the client verifies the server's digital certificate (RSA or ECDSA signature checked against a trusted CA), then uses the server's public key or Diffie-Hellman to establish a shared secret. Phase 2 — Bulk Data Transfer (Symmetric): from the shared secret, both sides derive matching symmetric session keys (typically AES-256-GCM). All HTTP requests and responses are encrypted with these symmetric keys at gigabit speeds. Using asymmetric encryption for all web traffic would be impossibly slow; using only symmetric would require pre-shared keys for every website visit.

Incorrect·A: RSA requires significantly larger keys (e.g., 2048 bits) than AES (e.g., 256 bits)

The security strength of a key is measured in "bits of security." According to NIST recommendations: AES-128 = 128 bits of security. AES-256 = 256 bits of security. RSA-2048 ≈ 112 bits of security. RSA-3072 ≈ 128 bits of security. RSA-15360 ≈ 256 bits of security. To match the security of AES-256, an RSA key would need to be approximately 15,360 bits — impractically large. This disparity arises because RSA security is based on integer factorization (which has sub-exponential attack algorithms), while AES security is based on exhaustive key search (which has only exponential time complexity). This is another reason ECC (with smaller key sizes) is increasingly preferred over RSA.

Incorrect·C: To allow two parties who have no prior knowledge of each other to securely establish a shared symmetric key over an insecure channel

Diffie-Hellman (DH), published in 1976 by Whitfield Diffie and Martin Hellman, was the first public-domain solution to the key distribution problem. It allows two parties who have never communicated before to establish a shared secret over a completely insecure channel (the internet) — even if every message is intercepted by an eavesdropper. The mathematics relies on the computational difficulty of the Discrete Logarithm Problem: Alice and Bob exchange public values derived from their private random numbers; the eavesdropper sees the public values but cannot compute the shared secret without solving the discrete log problem. The shared secret is then used as (or to derive) a symmetric encryption key. DH is a key agreement protocol, not an encryption algorithm.

Incorrect·B: Non-repudiation

Non-repudiation is the property that a sender cannot later deny having sent or signed a message. Only asymmetric cryptography can provide this — specifically through digital signatures using the sender's private key. Because only Alice has access to her private key, a message signed with Alice's private key can only have come from Alice. She cannot repudiate (deny) it: anyone can verify the signature using her public key, and the mathematical proof is conclusive. Symmetric encryption cannot provide non-repudiation: if Alice and Bob share the same secret key, Bob could have produced any message encrypted with that key — so Alice cannot prove she created it specifically. Both symmetric and asymmetric encryption provide confidentiality. Integrity is provided by MACs (symmetric) and digital signatures (asymmetric).

Incorrect·D: Block ciphers encrypt data in fixed-size chunks; stream ciphers encrypt data continuously bit-by-bit

Block Ciphers (AES, 3DES, Blowfish, Twofish) divide the plaintext into fixed-size blocks (AES: 128 bits) and encrypt each block using a transformation that depends on the key. Block modes address how consecutive blocks are chained: ECB, CBC, CTR, GCM. Stream Ciphers (ChaCha20, RC4) generate a pseudo-random keystream of the same length as the message and XOR it with the plaintext bit-by-bit (or byte-by-byte). Stream ciphers are inherently suited to real-time or variable-length data (network streams, audio, video) because they do not require padding. AES in CTR or GCM mode effectively turns a block cipher into a stream cipher. RC4 (a legacy stream cipher) is now deprecated due to statistical biases. ChaCha20 is the modern, secure stream cipher.

Incorrect·A: 128 bits

AES always operates on fixed 128-bit (16-byte) blocks — this is non-negotiable and does not change regardless of the key size. The key size (128, 192, or 256 bits) affects the number of encryption rounds (10, 12, or 14 rounds respectively) and the strength against brute-force attacks, but the block size is always 128 bits. If plaintext is not a multiple of 128 bits, padding is added (PKCS#7 padding). Legacy block ciphers like DES and 3DES used 64-bit blocks — which makes them vulnerable to demonstrable birthday attacks (SWEET32) at scale. The 512-bit block size applies to some hash functions (SHA-512 internal state) but not to AES.

Incorrect·C: It manages the issuance, distribution, and revocation of digital certificates that bind public keys to specific identities

PKI (Public Key Infrastructure) solves the critical trust problem in asymmetric cryptography: how do you verify that a public key actually belongs to who it claims to belong to? Without PKI, an attacker could publish a fake public key claiming to be "amazon.com." PKI's answer: Certificate Authorities (CAs) digitally sign digital certificates that bind a public key to a verified identity (domain name, organization, or person). Your browser trusts a list of Root CAs (Mozilla, Google) — and by extension, any certificate signed by those CAs. PKI also manages certificate lifecycle: issuance (CSR → signed certificate), distribution (via HTTPS headers, OCSP, CRL), and revocation (OCSP and Certificate Revocation Lists for compromised/expired certificates).

Incorrect·B: The computational difficulty of factoring the product of two very large prime numbers

RSA security is founded on the Integer Factorization Problem: given N = p × q (the product of two large prime numbers), it is computationally infeasible to determine p and q when N is sufficiently large. RSA key generation selects two large secret primes (p and q, each ~1024 bits for RSA-2048), computes N = p × q (the public modulus), and derives the public exponent e and private exponent d from the primes' properties. Encryption uses: c = m^e mod N. Decryption uses: m = c^d mod N. The public key is (N, e); the private key is d. Factoring a 2048-bit N on classical computers would take longer than the age of the universe with current algorithms — but Shor's Algorithm on a quantum computer could factor it in polynomial time.

Incorrect·D: It provides equivalent cryptographic strength using significantly smaller key sizes, reducing computational overhead

ECC's primary advantage is achieving the same security level as RSA with dramatically smaller key sizes. Key size comparison for equivalent security: 80-bit security: RSA-1024 vs. ECC-160. 128-bit security: RSA-3072 vs. ECC-256. 256-bit security: RSA-15360 vs. ECC-521. Smaller keys mean: faster computation (critical for TLS handshakes on mobile devices), smaller certificate sizes (less bandwidth), and lower memory/storage requirements. ECC is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP) — a different mathematical structure from RSA's factorization. Note: while ECC is harder to break classically, like RSA, it is also vulnerable to Shor's Algorithm on quantum computers. Post-Quantum Cryptography (lattice-based) will replace both.

Incorrect·A: N(N-1) / 2

For N users to communicate symmetrically, every pair of users needs a unique shared key (sharing one key across all users would be insecure — any user could read any other user's messages). The number of unique pairs of N items is the combination formula: N(N-1)/2. For 3 users: 3×2/2 = 3 keys. For 10 users: 10×9/2 = 45 keys. For 100 users: 100×99/2 = 4,950 keys. For 1,000 users: 499,500 keys. This quadratic growth (O(N²)) makes symmetric key management completely unscalable for large groups. This exponential key proliferation problem is precisely what asymmetric cryptography solves: with asymmetric, each N user needs exactly 2 keys (a key pair), meaning only 2N total keys regardless of group size.

Incorrect·C: 2N

In an asymmetric system, each user generates exactly one key pair: one public key + one private key = 2 keys per user. N users therefore require a total of 2N keys. For 3 users: 6 keys. For 100 users: 200 keys. For 1,000 users: 2,000 keys. This linear scaling (O(N)) is dramatically more manageable than the symmetric model's O(N²). Each user publishes their public key (freely distributable) and protects their private key. Any pair of users can communicate confidentially using each other's public keys without any pre-arranged shared secret. This linear scalability is the foundational reason the internet's secure communication infrastructure is built on asymmetric cryptography.

Incorrect·B: To digitally sign the user's public key certificate, vouching for their identity

A Certificate Authority (CA) is a trusted third party in the PKI system that vouches for the binding between a public key and an identity. The process: the domain owner generates a key pair, submits a Certificate Signing Request (CSR) containing their public key and identity information, the CA verifies the identity through Domain Validation (DV), Organization Validation (OV), or Extended Validation (EV) processes, and signs the certificate with the CA's own private key. Browsers trust a set of root CAs (DigiCert, Let's Encrypt, Comodo). When you visit HTTPS websites, your browser verifies the server's certificate chain back to a trusted root CA. If the CA's private key is compromised (DigiNotar breach, 2011), all certificates it signed must be immediately revoked.

Incorrect·A: AES-GCM (Galois/Counter Mode)

AES-GCM (Galois/Counter Mode) is the dominant AEAD mode in modern cryptographic protocols (TLS 1.3, SSH, WireGuard, QUIC, Signal Protocol). AEAD provides both: Encryption (confidentiality — the "AE" part) and Authentication via a MAC tag (integrity and authenticity — ensuring the ciphertext has not been tampered with). The "AD" part allows Additional Data (like packet headers) to be authenticated but not encrypted. AES-GCM combines AES in CTR mode (for speed and streaming capability) with a GHASH authentication function. The authentication tag detects any bit-level tampering with the ciphertext. RSA-OAEP is an asymmetric padding scheme. AES-ECB is an insecure mode (no chaining — identical blocks produce identical ciphertext). ECDHE is a key agreement protocol, not a symmetric mode.

Incorrect·D: It requires exchanging the key via a separate, secure channel (like physically meeting), which is unscalable for global internet communications

Out-of-band key exchange means the symmetric key must be transmitted through a completely separate, secure channel that is independent of the channel you intend to protect. This might mean physically meeting, sending via encrypted postal mail, or using a separate secure phone call. While feasible for a small, well-defined group of communicators, it is fundamentally unscalable for the internet: you cannot physically meet with amazon.com's servers, your bank's web server, or every email correspondent worldwide. The internet requires being able to establish secure communications with arbitrary new parties dynamically — which out-of-band symmetric key exchange architecturally cannot support. This is the core motivation for Diffie-Hellman and asymmetric PKI.

Incorrect·C: They are generated simultaneously as a mathematically linked pair using a specific algorithm

The public and private keys in asymmetric cryptography are generated together as a mathematically inseparable pair. They cannot be generated independently — the algorithm produces both simultaneously through a complex mathematical process. For RSA: two large random primes p and q are selected; N = p×q (public modulus); then public exponent e and private exponent d are derived from p, q, and e through modular arithmetic (Euler's totient function). The relationship between e and d (ed ≡ 1 mod φ(N)) means they are mathematically coupled. For ECC: a random private key scalar k is selected; the public key point P = k × G (G is the generator point of the curve). The keys are linked — but given only the public key, deriving the private key is computationally infeasible.

Incorrect·B: CBC, ECB, CTR

Block cipher modes of operation define how a block cipher (like AES) processes plaintext longer than a single block. ECB (Electronic Codebook): each block is encrypted independently — insecure because identical plaintext blocks produce identical ciphertext blocks (the ECB penguin attack). CBC (Cipher Block Chaining): each plaintext block is XORed with the previous ciphertext block before encryption, requiring an IV — vulnerable to padding oracle attacks. CTR (Counter Mode): converts AES into a stream cipher by encrypting successive counter values and XORing with plaintext; parallelizable. GCM (Galois/Counter Mode): CTR + authentication tag (AEAD). SHA-1/SHA-2/MD5 are hash functions. RSA/DSA/ECC are asymmetric algorithms. IKE/ESP/AH are IPsec protocol components.

Incorrect·D: Because the complex mathematics make it far too slow and computationally expensive for bulk data

Asymmetric encryption's performance is its critical limitation for bulk data: RSA and ECC operations involve modular exponentiation of very large numbers, which is orders of magnitude slower than AES's bitwise substitution/permutation operations. RSA-2048 can encrypt roughly 245 bytes per operation. Encrypting a 1 GB file with RSA alone would take an impractical amount of time versus milliseconds with AES. Additionally, RSA has a fundamental constraint: it can only directly encrypt data smaller than the key size minus padding (e.g., RSA-2048 with OAEP can encrypt at most ~214 bytes at once). This is why asymmetric cryptography is always used in hybrid fashion: it encrypts only the small symmetric key (AES-256 = 32 bytes), which AES then uses to encrypt the actual data.

Incorrect·A: Using temporary, ephemeral asymmetric keys for each session, ensuring that if a long-term private key is compromised, past session traffic cannot be decrypted

Perfect Forward Secrecy (PFS) — also called Forward Secrecy (FS) — addresses a critical vulnerability in traditional key exchange: if a server's long-term RSA private key is stolen (breach, legal order, or hardware seizure), an attacker who recorded past encrypted TLS sessions can retroactively decrypt all of them using that private key. PFS prevents this by generating a fresh, throwaway Diffie-Hellman or ECDHE key pair for every TLS session. The session key is derived from the ephemeral DH exchange, used for the session's symmetric encryption, and then discarded — never stored. Even if the server's long-term certificate private key is later compromised, the attacker cannot decrypt past sessions because the ephemeral keys no longer exist. PFS is mandatory in TLS 1.3; ECDHE is the standard cipher suite.

Incorrect·C: Hashing is a one-way mathematical function that cannot be decrypted or reversed, whereas encryption is specifically designed to be two-way and reversible

Hashing is fundamentally different from encryption in one critical way: a hash function is one-way (irreversible). Given a hash output (digest), it is computationally infeasible to reconstruct the original input. In contrast, both symmetric and asymmetric encryption are two-way processes designed to be reversible with the correct key. Hash functions (SHA-256, SHA-3, BLAKE2) have no key and produce a fixed-length fingerprint of arbitrary input data — any change in the input produces a completely different digest. Use cases for hashing: password storage (stored as bcrypt/Argon2 hashes, never encrypted), data integrity verification (file checksums), and the core component of digital signatures (sign the hash, not the full document). Combining a hash with a secret key gives a Message Authentication Code (HMAC).

Incorrect·C: The elliptic curve discrete logarithm problem (ECDLP)

ECC security is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP): given points P and Q on an elliptic curve where Q = k × P (k is a scalar, P is a known generator point, and × denotes elliptic curve point multiplication), compute the scalar k. While iterating the scalar multiplication in one direction (computing Q from k and P) is computationally cheap, reversing it — finding k given only P and Q — is computationally infeasible for properly sized curves. This "trapdoor function" is the security foundation of ECDH, ECDSA, and ECDHE. The discrete logarithm problem in a finite field (option B) is the foundation of original Diffie-Hellman (in Z_p), not ECC specifically. The shortest vector problem (option D) is the basis of lattice-based post-quantum cryptography.

Incorrect·A: Shor's Algorithm

Shor's Algorithm (Peter Shor, 1994) is a quantum algorithm that can solve the Integer Factorization Problem (underlying RSA) and the Discrete Logarithm Problem (underlying DH, DSA, and ECC — including ECDLP) in polynomial time on a quantum computer — compared to the sub-exponential or exponential time required on classical computers. A quantum computer with sufficient fault-tolerant qubits running Shor's Algorithm would break every currently deployed asymmetric cryptosystem. NIST finalized four Post-Quantum Cryptography standards in 2024 (ML-KEM, ML-DSA, SLH-DSA, FALCON) to replace RSA, ECC, and DH before cryptographically relevant quantum computers emerge. Grover's Algorithm is a separate quantum algorithm that threatens symmetric encryption (not asymmetric). The Euclidean Algorithm is a classical number theory algorithm used in RSA key generation — not an attack.

Incorrect·B: It drastically reduces the brute-force time, effectively halving the security strength of the key (e.g., reducing AES-256 to AES-128 equivalent strength)

Grover's Algorithm is a quantum database search algorithm that can search an unsorted database of N items in √N steps instead of classical N/2 average steps. Applied to symmetric key brute-force: classically, breaking a 256-bit key requires 2^256 operations. Grover's Algorithm reduces this to √(2^256) = 2^128 operations — equivalent to the classical security of a 128-bit key. This effectively halves the security strength in bits. The cryptographic community's response: simply double the key size. AES-256 with Grover's Attack = 2^128 security — still considered computationally infeasible. This is why NIST recommends AES-256 (gives 128-bit post-quantum security) rather than AES-128 (which would drop to 64-bit post-quantum security — broken). Note that Grover's Algorithm is a much milder threat than Shor's: Shor's completely breaks asymmetric; Grover's only halves symmetric key security.

Incorrect·D: ECDHE provides Perfect Forward Secrecy via ephemeral keys, whereas traditional RSA key exchange does not

Traditional RSA key exchange (used in TLS 1.2 and earlier) works as follows: the client generates a random Pre-Master Secret, encrypts it with the server's long-term RSA public key (from its certificate), and sends it to the server. The server decrypts with its RSA private key. This means: if the server's private key is ever compromised (years later), every recorded TLS session protected with that key can be retroactively decrypted ("harvest now, decrypt later"). ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) generates a fresh throwaway EC key pair for every TLS session. The shared secret is derived from this ephemeral exchange and then discarded. Compromising the server's long-term certificate private key does not help decrypt past ECDHE sessions. This is Perfect Forward Secrecy. TLS 1.3 completely removed non-PFS key exchange methods (RSA key transport, static DH).

Incorrect·C: Padding Oracle Attack

The Padding Oracle Attack exploits a specific vulnerability in CBC mode encryption when the system provides different error messages (or timing differences) for invalid vs. valid padding. CBC mode requires plaintext to be padded (PKCS#7) to a multiple of the block size before encryption. When decrypting, the system validates the padding — and in a vulnerable implementation, it reveals whether the padding was valid via a distinct error message. By sending carefully crafted ciphertexts and observing padding error responses ("oracle" = an entity that answers questions), an attacker can iteratively decrypt the ciphertext byte-by-byte without knowing the key. POODLE (SSL 3.0, 2014) and BEAST (TLS 1.0, 2011) exploited CBC padding oracles. Solution: use AEAD modes (AES-GCM, ChaCha20-Poly1305) that authenticate before decrypting, eliminating padding oracle surface. Birthday attacks target hash collisions. Pass-the-Hash reuses stolen password hashes. Length extension attacks target certain hash constructions.

Incorrect·A: To inject randomization into the first block, ensuring that identical plaintexts encrypted with the same key produce completely different ciphertexts

An IV (Initialization Vector) or Nonce (Number Used Once) provides semantic security: without it, encrypting the same plaintext with the same key would always produce the same ciphertext — making traffic analysis trivial. With a random IV, every encryption of the same message produces a completely different ciphertext. The IV is generally not secret (it is transmitted with the ciphertext), but it must be unpredictable (random, not sequential) and unique for each encryption operation. Critical nonce-reuse danger: in AES-GCM, reusing a nonce with the same key allows an attacker to XOR two ciphertexts to cancel the keystream, entirely breaking both confidentiality and the authentication tag — a catastrophic failure (CVE-2016-0270 exploit pattern). ChaCha20 uses a 96-bit nonce designed for high-volume environments.

Incorrect·D: A high-value symmetric or asymmetric key used exclusively to encrypt and protect other lower-level cryptographic keys (Data Encryption Keys)

A Key Encryption Key (KEK) is a master key in a hierarchical key management architecture: it encrypts and protects Data Encryption Keys (DEKs), which in turn encrypt the actual data. This "key wrapping" hierarchy means the high-volume DEKs can be frequently rotated and stored encrypted, while the KEK — which is more rigorously protected — only needs to decrypt DEKs when re-keying is needed. Example architecture: Data → encrypted by AES-256 DEK → DEK encrypted by KEK → KEK protected in an HSM. In AWS KMS and Azure Key Vault, the Customer Master Key (CMK) functions as a KEK. In TLS session key management, an RSA or ECC public key can act as a KEK to protect the symmetric session key during the handshake.

Incorrect·B: Homomorphic Encryption

Homomorphic Encryption (HE) enables computations to be performed directly on encrypted data — the result decrypts to the same value as if the computation had been performed on the plaintext. Full HE (Craig Gentry, 2009) allows arbitrary computations. Partial HE allows only specific operations (RSA is multiplicatively homomorphic; Paillier is additively homomorphic). Use cases: cloud computing on sensitive data (a cloud server computes on encrypted medical records and returns an encrypted result that only the patient can decrypt), private database queries, and encrypted machine learning inference. HE is computationally expensive — orders of magnitude slower than operating on plaintext — but the privacy guarantees enable genuinely new computing models. It is a property of asymmetric-based cryptographic constructions, not symmetric algorithms. Zero-Knowledge Proofs allow proving knowledge without revealing the knowledge. Steganography hides data within other data. QKD is a quantum key distribution protocol.

Incorrect·A: It is highly susceptible to Man-in-the-Middle (MitM) attacks because it lacks inherent endpoint authentication

Diffie-Hellman in its basic form solves the key distribution problem but not the authentication problem. A Man-in-the-Middle attacker (Mallory) can intercept the DH exchange: Mallory performs a separate DH handshake with Alice (pretending to be Bob) and another with Bob (pretending to be Alice), establishing independent shared secrets with each party. Alice and Bob believe they share a key but are actually each sharing a key with Mallory — who can decrypt, read, modify, and re-encrypt all communications. Solution: authenticated DH, where the DH public values are digitally signed with long-term asymmetric private keys (this is what ECDHE in TLS does — the server signs its ephemeral DH values with its certificate private key). Without authentication, DH provides no protection against active MitM attacks.

Incorrect·C: Optimal Asymmetric Encryption Padding (OAEP)

OAEP (Optimal Asymmetric Encryption Padding), standardized in PKCS#1 v2.1 / RFC 8017, is the required padding scheme for RSA encryption in modern systems. Without secure padding, RSA has fatal mathematical weaknesses: "textbook RSA" (raw modular exponentiation with no padding) is deterministic and malleable — the same plaintext always produces the same ciphertext, and attackers can exploit mathematical relationships. PKCS#1 v1.5 padding (an older scheme) is vulnerable to the Bleichenbacher padding oracle attack (1998) — still exploitable in poorly implemented TLS stacks (ROBOT attack, 2017). OAEP adds randomization (the message is combined with a random seed via mask generation functions before encryption) and integrity checking. RSA-OAEP is the safe choice for RSA encryption in all modern implementations. Note: CBC is a symmetric mode; PKCS#5 is a key derivation standard; GMAC is an authentication tag.

Incorrect·D: By generating an Authentication Tag (MAC) concurrently during the encryption process using Galois field multiplication

AES-GCM's authentication mechanism is its defining security advantage over non-AEAD modes. During GCM encryption, a parallel computation runs in GF(2^128) — the Galois field of 2^128 elements — operating on 128-bit blocks of ciphertext. This computation produces an Authentication Tag (typically 128 bits, can be 96-bit for efficiency). The tag is computed over both the ciphertext blocks and the Associated Data (AD), and is derived using a universal hash function (GHASH) keyed with a value derived from the encryption key. The tag is appended to the ciphertext. Decryption: the receiver computes the tag independently over the received ciphertext; if it matches the transmitted tag, the ciphertext is authentic and unmodified. Any single bit flip in the ciphertext or associated data changes the tag. This simultaneous encrypt-then-MAC approach is provably secure — unlike hash-then-encrypt or encrypt-then-hash orderings with separate primitives.

Incorrect·B: To develop complex mathematical algorithms (like lattice-based cryptography) that run on classical computers but are resistant to attacks from quantum computers

Post-Quantum Cryptography (PQC) — also called quantum-safe or quantum-resistant cryptography — refers to classical computer algorithms designed to be secure against attacks by both classical and quantum computers. The goal is not to use quantum hardware, but to replace current asymmetric algorithms (RSA, ECC, DH) — which are completely broken by Shor's Algorithm — with new algorithms based on mathematical problems believed to be hard for quantum computers. NIST PQC finalists standardized in 2024: ML-KEM (CRYSTALS-Kyber) for key encapsulation (replaces RSA/ECDH); ML-DSA (CRYSTALS-Dilithium) for digital signatures (replaces RSA/ECDSA); SLH-DSA (SPHINCS+) for signatures (hash-based); FALCON for signatures (NTRU lattice-based). The mathematical basis: lattice problems (Learning With Errors, Short Integer Solution), hash-based constructions, and code-based cryptography — all believed resistant to Shor's Algorithm. Simply increasing RSA key sizes does not help against Shor's Algorithm.

Incorrect·A: ChaCha20

ChaCha20-Poly1305 is a modern AEAD cipher designed by Daniel J. Bernstein as a software-optimized alternative to AES-GCM. ChaCha20 (the encryption half) is a stream cipher that generates 512-bit keystream blocks using 20 rounds of a quarter-round ARX (Add-Rotate-XOR) operation. Poly1305 (the authentication half) provides a 128-bit authentication tag using polynomial evaluation over a prime field. ChaCha20-Poly1305 was specifically designed to be fast in software on processors without AES hardware acceleration (common on older/lower-end mobile CPUs, ARM embedded devices). On such devices, ChaCha20-Poly1305 is significantly faster than AES-GCM, while providing equivalent security. It is standardized in RFC 8439 and used in TLS 1.3, QUIC, WireGuard, Signal Protocol, and iOS/Android platforms. RC4 is a broken stream cipher (statistical biases, Wi-Fi WEP attacks). Twofish and Blowfish are block ciphers, not stream ciphers.

Incorrect·C: 2DES is vulnerable to a "Meet-in-the-Middle" attack, which renders its effective security strength only slightly better than single DES

The Meet-in-the-Middle Attack (MITM, not to be confused with Man-in-the-Middle) proves that 2DES provides far less security than its apparent 112-bit key space suggests. The attack works as follows: for 2DES, the encryption is E_K2(E_K1(P)) = C. An attacker constructs two tables: one encrypting plaintext P with all 2^56 possible K1 values, and one decrypting ciphertext C with all 2^56 possible K2 values. The tables are sorted and compared for matches — a match reveals K1 and K2. This requires only 2 × 2^56 = 2^57 operations (plus substantial memory) — just slightly harder than breaking single DES at 2^56. In contrast, 3DES uses three independent keys (or two keys in EDE mode), which defeats the MITM attack and provides approximately 112-bit of effective security. 3DES is itself now deprecated (SWEET32 birthday attack, 64-bit block issues) — AES is the replacement.

Incorrect·B: A temporary key pair generated for a single session and subsequently discarded, providing forward secrecy

Ephemeral keys are temporary cryptographic keys generated fresh for each individual session (or each TLS handshake) and securely destroyed after use. They are never stored or reused. This is the core mechanism behind Perfect Forward Secrecy (PFS). In ECDHE (Elliptic Curve Diffie-Hellman Ephemeral): for each TLS handshake, a brand-new EC key pair is generated, used to derive the session's symmetric key, and then discarded. The long-term certificate key (used for authentication/signing) is separate and unrelated to the session key. Consequently, compromise of the certificate private key — even years later — cannot decrypt past sessions: the ephemeral DH private keys used to derive those session keys no longer exist on any system. TLS 1.3 mandates ephemeral key exchange (ECDHE or DHE) and has removed all non-PFS key exchange methods.

Incorrect·D: It uses polynomial interpolation to divide a master key into 'N' parts, requiring a threshold of 'K' parts to reconstruct the key

Shamir's Secret Sharing (Adi Shamir, 1979) is a (K, N)-threshold secret sharing scheme: a master secret (like a CA root private key or a master encryption key) is split into N shares, distributed to N custodians. The secret can be reconstructed only if at least K shares are brought together (K ≤ N). If fewer than K shares are combined, no information about the secret is leaked. The mathematics uses polynomial interpolation: a random polynomial of degree K-1 is constructed with the secret as the constant term; each share is a point on this polynomial. Application in cryptography: certificate authorities (CAs) use Shamir's Secret Sharing to protect root CA private keys. The key is split among multiple trusted key custodians across different organizations and geographies. This protects against both insider attacks (one compromised custodian cannot reconstruct the key) and loss (no single point of failure).

Incorrect·A: A salt is random, non-secret data appended to a password before hashing to prevent rainbow table attacks; an asymmetric key is a mathematical construct used for encryption/decryption

A cryptographic salt and an asymmetric key serve entirely different purposes. A Salt: is a random, non-secret value (typically 128+ bits) that is appended to a password before it is processed by a one-way hash function (bcrypt, Argon2, PBKDF2) and stored alongside the resulting hash in plaintext in the database. Its purpose: preventing rainbow table attacks and ensuring that two users with the same password have different hash outputs. The salt does not need to be secret — its value comes from uniqueness. An Asymmetric Key: is a mathematically derived value used for encryption, decryption, and digital signatures — used in two-way cryptographic operations. Salts are a hash-related concept; asymmetric keys are an encryption/decryption concept. They operate in entirely different cryptographic contexts.

Incorrect·B: Related-key attack

A Related-Key Attack is a form of cryptanalysis where the attacker can observe and analyze encryptions under multiple keys that have a known mathematical relationship to each other (e.g., keys that differ in only a few bits, or keys derived by known operations on a base key). By studying how the cipher's behavior changes across these related keys, the attacker can deduce structural weaknesses in the key schedule or the cipher itself. Related-key attacks are particularly dangerous when applications generate multiple keys from a single master key without sufficient separation. AES itself was shown in 2009 to have theoretical related-key weaknesses in AES-256 (Biryukov-Khovratovich), though these are non-practical academic results under idealized attack models. They prompted improvements in key derivation practices. WEP (Wi-Fi Encryption Protocol) was practically broken via related-key attacks against RC4 (the Fluhrer-Mantin-Shamir attack, 2001).

Incorrect·C: It can only be used for generating and verifying digital signatures, not for encrypting data payloads

DSA (Digital Signature Algorithm), standardized by NIST in FIPS 186, is a signature-only algorithm — its mathematical structure is specifically designed for signing and verification and cannot be used for data encryption or key encapsulation. DSA is based on the Discrete Logarithm Problem in a prime field and uses a random per-signature nonce k (critically: if k is ever reused or leaks, the private key can be computed — the PlayStation 3 hack in 2011 exploited this). RSA, by contrast, supports both encryption (RSA-OAEP) and signing (RSA-PSS or PKCS#1 v1.5). ECDSA (Elliptic Curve DSA) uses the same signature-only structure as DSA but over elliptic curves. For combined encryption + signing workflows, systems typically use separate keys: RSA or ECC for encryption, and DSA or ECDSA for signatures — or simply use RSA for both as separate operations.

Incorrect·D: To repeatedly hash a user's password with a salt thousands of times to deliberately slow down the generation of the symmetric encryption key, thwarting brute-force attacks

Key Derivation Functions (KDFs) are specifically designed to make brute-force and dictionary attacks against passwords computationally expensive. The problem they solve: a human-memorable password has low entropy (~40 bits for a strong password); a symmetric encryption key needs high entropy (128–256 bits); and most importantly, a simple fast hash of a password (MD5, SHA-256) allows attackers to test billions of candidates per second using GPUs/ASICs. KDFs solve this through: (1) Salting — appending a random unique salt to prevent precomputed rainbow tables and ensure each password hash is unique even among users with identical passwords. (2) Stretching — applying the hash function thousands (PBKDF2) or hundreds of thousands (bcrypt work factor 12 = 2^12 iterations) of times, deliberately introducing a configurable delay. Argon2 (winner of the 2015 Password Hashing Competition) additionally provides memory-hardness — requiring gigabytes of RAM to compute — defeating GPU and ASIC acceleration. The output is a key suitable for use with AES.