What Is Encryption? How Your Data Stays Secret in a Public Internet
Encryption transforms readable data into ciphertext that only authorized parties can decode. Learn how symmetric and asymmetric encryption work, what HTTPS does, and why end-to-end encryption matters for your privacy.
Explain It Simply Editorial Team
Published May 6, 2026
The Basic Idea: Scrambling and Unscrambling
Encryption is the process of converting readable information (plaintext) into an unreadable format (ciphertext) using a mathematical algorithm and a key. Decryption reverses the process, converting ciphertext back to plaintext using the appropriate key.
The concept is ancient. Julius Caesar used a simple substitution cipher — shifting each letter three positions forward in the alphabet (A becomes D, B becomes E, etc.). The message 'ATTACK AT DAWN' becomes 'DWWDFN DW GDZQ.' Anyone who knows the shift is 3 can reverse it. This is a symmetric cipher — the same key (the number 3) is used for both encryption and decryption.
Caesar's cipher is trivially breakable — there are only 25 possible shifts to try. Modern encryption algorithms are designed so that brute-forcing the key is computationally infeasible. AES-256 (Advanced Encryption Standard with a 256-bit key) — used by governments, banks, and your iPhone — has 2²⁵⁶ possible keys. That's approximately 1.16 × 10⁷⁷ — more than the estimated number of atoms in the observable universe. Even if every computer on Earth worked together, trying every possible key would take longer than the age of the universe by incomprehensible margins.
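The 25-shift search described above, as an added example that is not part of the original article. The word list and function names are constructed for illustration.

```python
import string

ALPHABET = string.ascii_uppercase
# Small crib of common English words (constructed for this demo).
COMMON_WORDS = {"THE", "AND", "AT", "TO", "OF", "IN", "IS", "ATTACK", "DAWN", "MEET"}


def caesar(text: str, shift: int) -> str:
    """Shift each letter by `shift` positions; leave other characters alone."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext: str):
    """Try all 25 non-zero shifts and rank candidates by recognised words."""
    candidates = []
    for key in range(1, 26):
        plain = caesar(ciphertext, -key)
        score = sum(word in COMMON_WORDS for word in plain.split())
        candidates.append((score, key, plain))
    return sorted(candidates, reverse=True)


def recover(ciphertext: str):
    """Return (key, plaintext) for the best-scoring shift."""
    _score, key, plain = brute_force(ciphertext)[0]
    return key, plain


if __name__ == "__main__":
    secret = caesar("ATTACK AT DAWN", 3)
    print(secret)
    print(recover(secret))
```

The whole key space is exhausted in 25 iterations, which is why the size of the key space, not the secrecy of the method, is what modern ciphers rely on.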
The strength of encryption lies entirely in the key, not in the secrecy of the algorithm. AES's algorithm is publicly known — anyone can read exactly how it works. But without the correct key, the encrypted data is indistinguishable from random noise. This principle, known as Kerckhoffs's principle, is fundamental to modern cryptography: the system must be secure even if everything about it is public knowledge except the key.
Symmetric vs Asymmetric Encryption
Symmetric encryption uses the same key for both encryption and decryption. It's fast and efficient — AES can encrypt data at gigabytes per second on modern hardware. But it has a critical problem: how do you securely share the key with the other party? If you send it over the internet, anyone intercepting it can decrypt all your future messages.
Asymmetric encryption (public-key cryptography) solves this problem elegantly. Each person has two mathematically linked keys: a public key (shared openly with everyone) and a private key (kept secret). Data encrypted with someone's public key can ONLY be decrypted with their private key. You can publish your public key on a billboard — anyone can use it to encrypt messages to you, but only you (with your private key) can decrypt them.
The most widely used asymmetric algorithm is RSA (named after its inventors Rivest, Shamir, and Adleman, 1977). RSA's security relies on the difficulty of factoring large numbers. Multiplying two 300-digit prime numbers together takes milliseconds; factoring the result back into those primes is believed to require more computation than is practically available.
In practice, HTTPS (the protocol securing all modern web traffic) uses both types together. When you connect to a website, asymmetric encryption (slow but solves the key-sharing problem) is used to securely exchange a temporary symmetric key. Then symmetric encryption (fast) is used for the actual data transfer. This hybrid approach gives you the best of both worlds: security and speed.
Symmetric encryption uses one shared key (fast but hard to distribute). Asymmetric uses a public/private key pair (slower but solves the distribution problem).
HTTPS and End-to-End Encryption
HTTPS (Hypertext Transfer Protocol Secure) is the encrypted version of HTTP — the protocol your browser uses to communicate with websites. When you see the padlock icon in your address bar, it means your connection is encrypted using TLS (Transport Layer Security).
Here's what happens in the roughly 0.1 seconds when you connect to a secure website: Your browser and the server perform a TLS handshake. The server presents a digital certificate (verified by a trusted Certificate Authority) proving it's genuinely the website it claims to be. They negotiate which encryption algorithms to use. Using asymmetric encryption, they exchange a temporary symmetric session key. All subsequent data flows encrypted with that symmetric key. If anyone intercepts the traffic, they see only random-looking data.
End-to-end encryption (E2EE) goes further. In regular HTTPS, the service provider (like Google or Facebook) can read your data on their servers — it's only encrypted in transit. With E2EE (used by Signal, WhatsApp, and iMessage), messages are encrypted on your device and can only be decrypted on the recipient's device. Even the service provider cannot read them.
E2EE creates tension between privacy and law enforcement. Governments argue they need access to encrypted communications to investigate terrorism and child exploitation. Privacy advocates counter that any 'backdoor' for law enforcement would inevitably be exploited by hackers and authoritarian governments. This debate remains unresolved, but the mathematical reality is clear: you can't create a backdoor that only 'good guys' can use.
The Quantum Threat and the Future of Encryption
Current encryption faces a potential future threat: quantum computers. Classical computers process information in bits (0 or 1). Quantum computers use qubits that can be in superposition — effectively 0 and 1 simultaneously — enabling them to perform certain calculations exponentially faster.
In 1994, mathematician Peter Shor developed an algorithm that, running on a sufficiently powerful quantum computer, could factor large numbers efficiently — breaking RSA and similar asymmetric encryption. A quantum computer with about 4,000 stable qubits could break RSA-2048 in hours. Current quantum computers have only a few hundred noisy qubits, and stable error-corrected quantum computers at the necessary scale are estimated to be 10-20 years away. But the threat is taken seriously because encrypted data intercepted TODAY could be stored and decrypted LATER when quantum computers arrive — a strategy called 'harvest now, decrypt later.'
In response, NIST (the US National Institute of Standards and Technology) has been running a competition since 2016 to develop post-quantum cryptographic standards — encryption algorithms that are resistant to both classical and quantum attacks. In 2024, NIST finalized its first post-quantum encryption standards, including CRYSTALS-Kyber for key exchange and CRYSTALS-Dilithium for digital signatures. These are based on mathematical problems (like lattice problems) that are believed to be hard for quantum computers to solve.
Symmetric encryption (like AES) is less threatened — Grover's algorithm could halve the effective key length, but AES-256 would still have 128-bit security against quantum attacks, which remains practically unbreakable.
Sources: NIST Post-Quantum Cryptography Project, Shor (1994), Diffie & Hellman (1976), Rivest, Shamir, Adleman (1977), Let's Encrypt statistics, Signal Protocol documentation.
💡 AHA Moment
Here's the beautiful paradox at the heart of modern encryption: you can lock a message so that only one specific person can read it — even if you've never met them, never exchanged a secret, and every single message you've ever sent has been intercepted.
This seems impossible. If an eavesdropper sees everything, how can you establish a secret? The answer is public-key cryptography, invented in the 1970s. It's based on mathematical operations that are easy to perform in one direction but practically impossible to reverse. Multiplying two enormous prime numbers together takes milliseconds. Factoring the result back into those primes would take every computer on Earth longer than the age of the universe.
Every time you see the padlock icon in your browser, this mathematical miracle is happening. Your computer and a server you've never communicated with before are establishing a shared secret — in plain sight of anyone watching — that no eavesdropper can crack. It's the closest thing to real magic in computer science.