Symmetric vs asymmetric cryptography — when to use each in embedded?

Symmetric cryptography (AES-128/256, ChaCha20) uses the same key for encryption and decryption. It is fast — hardware AES accelerators on modern MCUs (STM32, nRF52, ESP32) can encrypt at hundreds of Mbps with negligible CPU load and minimal power consumption. AES-128-GCM provides both confidentiality and authentication (AEAD — Authenticated Encryption with Associated Data) in a single operation. The limitation is key distribution: both parties must possess the same secret key, which means you need a secure channel to share it initially. In embedded systems, symmetric crypto is used for bulk data encryption (sensor data, firmware images), session communication after a key has been established, and secure storage of data at rest on flash.

Asymmetric cryptography (RSA-2048/4096, ECDSA-P256, Ed25519, X25519) uses a key pair — a public key that can be freely distributed and a private key that must be protected. It solves the key distribution problem: you can verify a signature or encrypt data using only the public key, without ever sharing the private key. However, asymmetric operations are computationally expensive — an ECDSA-P256 signature verification on a Cortex-M4 without hardware acceleration takes 50-100 ms and consumes significant energy. RSA-2048 is even slower. In embedded systems, asymmetric crypto is used for secure boot (verifying firmware signatures), TLS/DTLS handshakes (establishing a session key), device authentication (proving identity to a server using a device certificate), and firmware update signature verification.

The practical pattern in embedded systems is to combine both: use asymmetric crypto for authentication and key exchange (infrequent, latency-tolerant operations), and symmetric crypto for bulk data protection (frequent, performance-sensitive operations). A TLS handshake exemplifies this: the client and server use ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) to negotiate a shared secret, derive symmetric session keys from it, and then use AES-GCM for all subsequent communication. Secure boot uses asymmetric crypto (ECDSA signature verification) once at boot time, while encrypted flash storage uses AES continuously. The interview-ready insight is understanding the tradeoff: asymmetric solves trust establishment but is too slow for data throughput; symmetric is fast but requires a pre-shared key. The combination gives you both trust and performance. Always prefer algorithms with hardware accelerator support on your target MCU to minimize the power and latency impact.