How Encryption Works: Symmetric, Asymmetric, and the Math Behind Digital Security
A comprehensive explanation of how encryption works — symmetric and asymmetric encryption, the mathematics of public-key cryptography, TLS/HTTPS, end-to-end encryption, and how encryption protects data in the modern digital world.
What Is Encryption?
Encryption is the process of transforming readable information (plaintext) into an unreadable format (ciphertext) using a mathematical algorithm and a key, such that only parties with the correct decryption key can recover the original information. It is the foundational technology of modern digital security — protecting communications, stored data, financial transactions, and personal information from unauthorized access.
The science of designing and analyzing encryption systems is called cryptography, from the Greek for "hidden writing." Cryptography is as old as written language — Julius Caesar used a simple letter substitution cipher to protect military communications — but modern cryptography is grounded in advanced mathematics and provides security guarantees that were simply not achievable before the computer age.
Core Concepts
- Plaintext: The original, readable data (a message, file, or any information)
- Ciphertext: The encrypted, unreadable output
- Key: A secret value of fixed bit length (for example 128 or 256 bits) that parameterizes the algorithm; the algorithm itself is public, so all of the secrecy rests on the key
- Algorithm (cipher): The mathematical procedure that performs the transformation
- Encryption: The process plaintext → ciphertext
- Decryption: The reverse process ciphertext → plaintext (using the correct key)
Symmetric Encryption
In symmetric encryption, the same key is used for both encryption and decryption. This requires both parties to possess the same secret key before communicating securely.
How AES Works
The dominant symmetric cipher today is AES (Advanced Encryption Standard), selected by NIST in 2001 through a public competition and now used in virtually all modern encrypted communications, file storage, and hardware. AES operates on fixed-size blocks of data (128 bits) and supports key lengths of 128, 192, or 256 bits.
AES encrypts data through multiple rounds of transformations:
- SubBytes: Each byte is substituted with a corresponding value from a fixed substitution table (S-box)
- ShiftRows: Rows of the state matrix are cyclically shifted
- MixColumns: Columns are mixed using matrix multiplication in a Galois field
- AddRoundKey: Each byte is XORed with the round key (derived from the original key)
Before the first round the state is XORed with the initial round key, and the final round omits MixColumns; in total the cipher runs 10, 12, or 14 rounds for 128-, 192-, and 256-bit keys. No practical attack on full AES is known: the best published cryptanalysis (biclique attacks, and related-key attacks on AES-256) recovers a key only marginally faster than exhaustive search, or only under attack models that do not apply to normal use. The number of possible 256-bit keys (2²⁵⁶ ≈ 10⁷⁷) exceeds the estimated number of atoms in the observable universe, so brute force is computationally infeasible. In practice AES is defeated by misuse rather than by cryptanalysis: ECB mode, which reveals repeated plaintext blocks; a repeated nonce in CTR or GCM mode, which leaks the XOR of two plaintexts; unauthenticated ciphertext that an attacker can modify undetected; and timing side channels in table-based software implementations.
The Key Distribution Problem
Symmetric encryption's weakness is the key distribution problem: how do two parties who have never met securely share a secret key? If they communicate the key over an insecure channel, an eavesdropper can intercept it. This problem was unsolved for millennia — until the 1970s.
Asymmetric (Public-Key) Encryption
In 1976, Whitfield Diffie and Martin Hellman published "New Directions in Cryptography," introducing the concept of public-key cryptography: each party holds a key pair, and what one key encrypts only the other can decrypt. The same paper gave the Diffie-Hellman key exchange, which lets two parties who share no prior secret agree on one over a public channel, directly answering the key distribution problem above. The first practical public-key encryption scheme, RSA, followed a year later.
Each party has:
- A public key: Freely shared with anyone
- A private key: Kept secret
If Alice wants to send Bob a secure message, she encrypts it with Bob's public key. Only Bob's private key can decrypt it; even Alice cannot decrypt her own message once encrypted. The keys are mathematically linked, but the private key cannot be derived from the public key in any feasible amount of time, and this is the foundation of public-key security. Because public-key operations are slow and handle only small inputs, they are used in practice to establish or wrap a symmetric key rather than to encrypt the data itself.
RSA: The Math of Public-Key Cryptography
The most widely deployed public-key algorithm, RSA (Rivest-Shamir-Adleman, 1977), is based on the mathematical difficulty of integer factorization: multiplying two large prime numbers together is computationally trivial, but factoring the product back into its prime components is computationally infeasible for sufficiently large numbers.
In brief: RSA keys are generated by choosing two large primes (p, q), computing their product n = p × q, choosing a public exponent e (65537 in almost all deployments) that is coprime to φ(n) = (p-1)(q-1), and computing the private exponent d as the modular inverse of e, so that e × d ≡ 1 (mod φ(n)). The public key is (n, e); the private key is (n, d). Encryption: ciphertext = plaintext^e mod n. Decryption: plaintext = ciphertext^d mod n, which recovers the plaintext because m^(ed) ≡ m (mod n) by Euler's theorem. Anyone who can factor n can compute φ(n) and therefore d.
An RSA-2048 key has a 617-digit modulus; factoring it is beyond any classical computer (the largest RSA challenge number factored to date is RSA-250, 829 bits, in 2020), and keys shorter than 2048 bits are deprecated. Note that the "textbook" scheme written above is not safe to use as-is: it is deterministic (the same plaintext always yields the same ciphertext) and malleable (ciphertexts can be multiplied to produce the encryption of a product). Real systems apply randomized padding (RSAES-OAEP for encryption, RSASSA-PSS for signatures) and typically use RSA only to sign or to wrap a symmetric key.
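The scheme above, as an added worked example that is not part of the original article: key generation from two primes with the e·d ≡ 1 (mod φ(n)) relationship, encryption and decryption by modular exponentiation, and a demonstration of the two textbook-RSA weaknesses just mentioned, determinism and malleability. The Miller-Rabin primality test and the small hand-checkable parameters (p = 61, q = 53) are my choices for the demo; the code uses no padding and is not constant-time, so it is educational only.

```python
# Added example (not from the article): textbook RSA in pure Python, following the
# formulas in the text, plus a check that the unpadded scheme is malleable.
import secrets
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # definitely composite
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen_from_primes(p, q, e=65537):
    """(n, e) and (n, d) from primes p, q: d is the inverse of e modulo phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                           # modular inverse (Python >= 3.8)
    # Real implementations use lambda(n) = lcm(p-1, q-1) instead of phi(n); both work.
    return (n, e), (n, d)


def rsa_keygen(bits=2048, e=65537):
    """Key pair with two random primes of bits/2 each."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return rsa_keygen_from_primes(p, q, e)


def rsa_encrypt(pub, m):
    n, e = pub
    assert 0 <= m < n, "message must be an integer smaller than n"
    return pow(m, e, n)                           # c = m^e mod n


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)                           # m = c^d mod n


def forge_product(pub, c1, c2):
    """Malleability: E(m1) * E(m2) mod n == E(m1 * m2 mod n), computed without any key."""
    n, _ = pub
    return (c1 * c2) % n


if __name__ == "__main__":
    # Tiny hand-checkable parameters (not secure): n = 3233, phi = 3120, d = 2753.
    pub, priv = rsa_keygen_from_primes(61, 53, e=17)
    c = rsa_encrypt(pub, 65)
    print(pub, priv, c, rsa_decrypt(priv, c))     # (3233, 17) (3233, 2753) 2790 65
    print("deterministic:", rsa_encrypt(pub, 65) == c)                         # True
    print("malleable:", rsa_decrypt(priv, forge_product(pub, rsa_encrypt(pub, 2),
                                                        rsa_encrypt(pub, 3))))  # 6
    # Realistic size: random 1024-bit primes give a 2048-bit modulus.
    pub2, priv2 = rsa_keygen(2048)
    m = secrets.randbelow(pub2[0])
    print("2048-bit round trip:", rsa_decrypt(priv2, rsa_encrypt(pub2, m)) == m)  # True
```

The `forge_product` call is the point to take away: an attacker who sees two ciphertexts can manufacture a third valid one without the private key, which is exactly what OAEP padding (and, for signatures, PSS) is designed to prevent.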
Elliptic Curve Cryptography (ECC)
ECC is a newer public-key approach based on the algebraic structure of elliptic curves over finite fields. Its hard problem is the elliptic-curve discrete logarithm: given a base point G and the point k·G, recover the scalar k. ECC provides security equivalent to RSA with much shorter keys (256-bit ECC ≈ 3072-bit RSA, both about 128 bits of security), making it faster and cheaper in bandwidth, which matters for mobile devices and IoT. Most modern TLS connections use ephemeral Elliptic Curve Diffie-Hellman (ECDHE), typically over the X25519 or P-256 curves, for key exchange.
How HTTPS Works: TLS in Practice
When you see the padlock icon in a browser, the connection is protected by TLS (Transport Layer Security) — the protocol that encrypts web traffic. A TLS handshake combines asymmetric and symmetric cryptography:
- Server presents certificate: Contains the server's public key and its identity (the hostnames in the Subject Alternative Name field), signed by a Certificate Authority (CA). The browser verifies the signature chain up to a root CA whose certificate is pre-installed in the OS/browser trust store, and also checks that the hostname matches, that the certificate is within its validity period, and where possible that it has not been revoked. The server proves it holds the matching private key by signing the handshake transcript with it.
- Key exchange: Browser and server each send a fresh ephemeral ECDH public key share; each side combines its own private scalar with the other's share to compute the same shared secret, which never crosses the network and is fed through HKDF to derive the session keys. Because the ephemeral keys are discarded after the handshake, a later compromise of the server's certificate key does not expose recorded sessions (forward secrecy). In TLS 1.3 the key shares travel in the first two messages, before the certificate, so the certificate itself is already sent encrypted.
- Symmetric encryption begins: All subsequent records are protected with an authenticated cipher, AES-GCM or ChaCha20-Poly1305, under the derived session keys, which is fast and efficient for bulk data and also detects tampering.
This hybrid approach solves the key distribution problem: asymmetric cryptography authenticates the server and establishes the symmetric key; symmetric cryptography handles the actual data transmission efficiently. Note that the certificate's key is not used to encrypt the session key: that older RSA key-transport mode was removed in TLS 1.3 precisely because it offers no forward secrecy.
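The key-exchange step above, and the ECC section before it, as an added worked example that is not part of the original article: a complete ECDH exchange in pure Python on the real secp256k1 curve (chosen only because its parameters are short to write out; TLS normally uses X25519 or P-256). Both sides' messages are shown, the shared point is turned into a symmetric key, and the peer's public key is validated before use. SHA-256 stands in for TLS's HKDF, and the scalar multiplication is not constant-time, so this is for understanding the protocol, not for production.

```python
# Added example (not from the article): ECDH on secp256k1 with both parties'
# messages. Educational: scalar_mult branches on key bits and leaks timing.
import hashlib
import secrets

# secp256k1 domain parameters (SEC 2): y^2 = x^3 + 7 over GF(P); base point G has order N.
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None                                        # point at infinity (group identity)


def on_curve(pt):
    """True if pt satisfies the curve equation (or is the identity)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law on the short Weierstrass curve, affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P            # chord slope (addition)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add: k * pt. Branches on each key bit (demo only; unsafe in production)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Private scalar d in [1, N-1] and public point Q = d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def shared_key(my_priv, their_pub):
    """ECDH: d_A*Q_B == d_B*Q_A == d_A*d_B*G. Validate the peer point, then KDF the x-coordinate."""
    if their_pub is INF or not on_curve(their_pub):
        raise ValueError("peer public key is not a valid curve point")   # blocks invalid-curve attacks
    x, _ = scalar_mult(my_priv, their_pub)
    return hashlib.sha256(x.to_bytes(32, "big")).digest()    # TLS would run HKDF here


if __name__ == "__main__":
    # Two parties over a public channel; only q_a and q_b cross the wire.
    d_a, q_a = keygen()            # client (browser): sends q_a in its key_share
    d_b, q_b = keygen()            # server: replies with q_b
    k_a = shared_key(d_a, q_b)     # client derives the session key
    k_b = shared_key(d_b, q_a)     # server derives the same key
    print("session keys match:", k_a == k_b)       # True
    print("G has order N:", scalar_mult(N, G) is INF)  # True
```

An eavesdropper sees G, q_a and q_b and would need to solve the discrete logarithm to recover d_a or d_b. The `on_curve` check in `shared_key` is not optional in real code: feeding a point from a different, weaker curve to an implementation that skips it is a known way to extract the private scalar.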
End-to-End Encryption (E2EE)
End-to-end encryption ensures that data is encrypted on the sender's device and only decrypted on the recipient's device, never by servers or service providers in between. This means even the company providing the messaging service cannot read message contents. Two caveats matter in practice: the provider usually still sees metadata (who talks to whom, and when), and E2EE protects the channel rather than the endpoints, so a compromised device or an unencrypted cloud backup exposes messages regardless.
The Signal Protocol, developed by Moxie Marlinspike and Trevor Perrin (2013), is the gold standard for E2EE messaging. It combines multiple cryptographic techniques, including X3DH (Extended Triple Diffie-Hellman) for the initial key agreement and the Double Ratchet Algorithm for ongoing message keys, to provide forward secrecy (past messages remain secure even if current keys are compromised) and break-in recovery (future messages become secure again once a fresh Diffie-Hellman exchange refreshes the keys). The Signal Protocol is used by Signal, WhatsApp, and Facebook Messenger's "secret conversations."
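The forward-secrecy property above, as an added worked example that is not part of the original article or of Signal's code: the symmetric KDF chain that the Double Ratchet uses to derive one key per message, built with HMAC-SHA256. It shows both what a stolen chain key does and does not reveal. The HMAC labels, the root-key value and the chain-key layout are assumptions for the demo, not Signal's exact wire format, and message encryption with the derived keys (an AEAD such as AES-GCM) is left out.

```python
# Added example (not from the article or the Signal code base): the symmetric-key
# ratchet ("KDF chain") of the Double Ratchet, with HMAC-SHA256 as the KDF.
import hashlib
import hmac


def kdf_chain_step(chain_key):
    """One ratchet step: chain_key -> (next_chain_key, message_key).
    HMAC is one-way, so next_chain_key reveals neither chain_key nor earlier message keys."""
    next_ck = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()   # labels assumed, not Signal's
    msg_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    return next_ck, msg_key


class SymmetricRatchet:
    """Holds only the *current* chain key; each message key is handed out once and forgotten."""

    def __init__(self, chain_key):
        self.chain_key = chain_key
        self.index = 0

    def next_message_key(self):
        self.chain_key, mk = kdf_chain_step(self.chain_key)
        self.index += 1
        return mk                      # caller encrypts one message with an AEAD, then drops it


def keys_derivable_from(leaked_chain_key, count):
    """What an attacker who steals a chain key can compute: the *future* message keys only."""
    ck, keys = leaked_chain_key, []
    for _ in range(count):
        ck, mk = kdf_chain_step(ck)
        keys.append(mk)
    return keys


if __name__ == "__main__":
    root = bytes(31) + b"\x01"      # constructed; in real use this comes out of X3DH
    alice, bob = SymmetricRatchet(root), SymmetricRatchet(root)
    sent = [alice.next_message_key() for _ in range(3)]
    received = [bob.next_message_key() for _ in range(3)]
    print("both sides derive the same keys:", sent == received)              # True
    # Attacker steals Bob's device state after message 3.
    future = keys_derivable_from(bob.chain_key, 2)
    print("messages 1-3 stay secret:", not any(k in future for k in sent))   # True
    later = [alice.next_message_key() for _ in range(2)]
    print("messages 4-5 are exposed:", later == future)                      # True
```

The last line is the limit of the symmetric ratchet alone: once a chain key leaks, everything derived after it is readable until the next DH ratchet step mixes in a fresh ephemeral Diffie-Hellman secret, which is the break-in recovery the text refers to.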
Encryption at Rest vs. In Transit
| Type | What It Protects | Common Technologies |
|---|---|---|
| Encryption in transit | Data moving over networks | TLS 1.3, HTTPS, VPNs (WireGuard, IPsec) |
| Encryption at rest | Stored data (files, databases, backups) | AES-256, BitLocker, FileVault, encrypted databases |
| End-to-end encryption | Data from sender to recipient only | Signal Protocol, PGP, ProtonMail |
Post-Quantum Cryptography
Quantum computers, once sufficiently powerful, could break RSA and ECC by solving the factoring and discrete logarithm problems efficiently using Shor's algorithm. Symmetric ciphers and hashes are affected far less: Grover's algorithm at most halves the effective key length, which is why AES-256 is considered quantum-safe. The threat is already practical in one sense: encrypted traffic recorded today can be decrypted once such a machine exists ("harvest now, decrypt later"), so key exchange is being migrated first. This has prompted the development of post-quantum cryptographic algorithms based on mathematical problems believed to resist quantum attacks (lattice-based, hash-based, and others).
In August 2024, NIST published the first finalized post-quantum standards: FIPS 203 ML-KEM (derived from CRYSTALS-Kyber, key encapsulation), FIPS 204 ML-DSA (derived from CRYSTALS-Dilithium, digital signatures), and FIPS 205 SLH-DSA (derived from SPHINCS+, hash-based signatures). Deployment has begun with hybrid TLS key exchange that combines X25519 with ML-KEM, so a session stays secure if either component is later broken. Transitioning the rest of the internet's cryptographic infrastructure, certificates and signatures in particular, is a major ongoing effort in the field.