How Encryption Protects Data: AES, RSA, and the Math Behind Privacy

Encryption transforms readable data into unreadable ciphertext using mathematical algorithms. Learn how AES and RSA work, the difference between symmetric and asymmetric encryption, and how TLS protects web traffic.

The InfoNexus Editorial Team | May 17, 2026 | 9 min read

Mathematics as the Guardian of Secrets

Every time you see a padlock icon in your browser's address bar, check your bank balance on a mobile app, or send a message on WhatsApp, encryption is working invisibly to protect your data. Encryption transforms readable information (plaintext) into an unintelligible form (ciphertext) using mathematical algorithms and cryptographic keys. Without the correct key, the ciphertext reveals nothing. With it, the original plaintext is recoverable in milliseconds. Encryption does not hide the existence of communication — it hides its content — and it is the foundational technology underpinning every secure digital interaction.

Modern encryption emerged from wartime cryptography research, but its theoretical foundations shifted dramatically in the 1970s. Two developments changed everything: the publication of the Data Encryption Standard (DES) by NIST in 1977, establishing the first widely adopted civilian encryption standard; and Whitfield Diffie and Martin Hellman's 1976 paper "New Directions in Cryptography," which introduced the concept of public-key cryptography — a theoretical breakthrough that made secure communication between strangers mathematically possible for the first time.

Symmetric Encryption: One Key for Both

Symmetric encryption uses the same key to encrypt and decrypt data. The key must be kept secret and shared only between authorized parties. The central challenge of symmetric encryption is key distribution — how do two parties securely share a key without an already-established secure channel?

AES (Advanced Encryption Standard) is the dominant symmetric cipher today, adopted by NIST in 2001 after a public competition that selected the Rijndael algorithm submitted by Belgian cryptographers Joan Daemen and Vincent Rijmen. AES operates on 128-bit blocks of data using substitution-permutation network operations (SubBytes, ShiftRows, MixColumns, AddRoundKey) applied across 10, 12, or 14 rounds depending on key size.

AES Key Size | Rounds | Security Level                                    | Common Use
AES-128      | 10     | 128-bit — secure against all known attacks        | General-purpose encryption, TLS
AES-192      | 12     | 192-bit — exceeds practical security requirements | Government and classified use
AES-256      | 14     | 256-bit — quantum-resistant; gold standard        | High-security applications, disk encryption

AES-256 with a random key is practically unbreakable by brute force. A supercomputer checking one trillion (10^12) keys per second would require 3.31 × 10^56 years to exhaust all possible 256-bit keys — vastly longer than the age of the universe (13.8 × 10^9 years). No algorithmic attack has reduced the effective key space of AES below its theoretical maximum.
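The following is an added example, not code from the article, showing what using AES-256 looks like in practice with Go's standard library. It uses AES in GCM mode, which both encrypts and authenticates, so a ciphertext that has been altered in transit (or opened with the wrong key) is rejected outright instead of decrypting to garbage. The 32-byte key selects AES-256; the sample plaintext and the "record header" associated data are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewAESKey returns a fresh 32-byte (256-bit) key from the OS CSPRNG.
// The brute-force figures quoted for AES-256 only hold when every one of
// the 256 bits is unpredictable, so the key must come from a real CSPRNG.
func NewAESKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealAESGCM encrypts plaintext under key with AES-256-GCM. A random 12-byte
// nonce is prepended to the output, and GCM appends a 16-byte authentication
// tag that covers both the ciphertext and the optional associated data (aad).
func SealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256 (14 rounds)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; drawing a fresh random
	// nonce per message is the usual way to guarantee that.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenAESGCM reverses SealAESGCM. It returns an error, and no plaintext at
// all, if the key, nonce, aad or any ciphertext byte has changed: GCM checks
// the tag before releasing data, so a flipped bit is caught, not decoded.
func OpenAESGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, _ := NewAESKey()
	aad := []byte("record header v1") // constructed: authenticated but not encrypted
	sealed, _ := SealAESGCM(key, []byte("account balance: 1234.56"), aad)
	fmt.Printf("sealed %d bytes (12 nonce + 24 ciphertext + 16 tag)\n", len(sealed))

	if pt, err := OpenAESGCM(key, sealed, aad); err == nil {
		fmt.Printf("decrypted: %q\n", pt)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	if _, err := OpenAESGCM(key, tampered, aad); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}
}
```

The associated data is the place for anything that must be bound to the ciphertext without being hidden, such as a record type or version field; changing it after the fact fails authentication just like changing the ciphertext does.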

Asymmetric Encryption: The Public-Private Key Pair

Asymmetric (public-key) cryptography solves the key distribution problem by using mathematically linked key pairs: a public key that can be freely shared and a private key that must be kept secret. Data encrypted with the public key can only be decrypted with the corresponding private key. Digital signatures work in reverse: data signed with a private key can be verified by anyone with the public key.

RSA (Rivest-Shamir-Adleman), developed at MIT in 1977, is the most widely used asymmetric algorithm. Its security rests on the computational difficulty of factoring the product of two large prime numbers. Multiplying two primes together (e.g., 17 × 23 = 391) is trivial. Finding which primes produced a product (factoring 391 back to 17 and 23) becomes computationally infeasible when the numbers involved have thousands of digits. RSA key sizes are measured in bits corresponding to the size of the modulus:

  • RSA-1024: Considered broken — factored in specialized attacks; deprecated since 2015
  • RSA-2048: Current minimum recommended size; provides approximately 112 bits of effective security
  • RSA-4096: Higher margin of safety; commonly used for certificate authorities and code signing
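To make the arithmetic behind RSA concrete, here is an added example (not the article's code) that builds a textbook RSA key from the article's own primes 17 and 23, encrypts and decrypts a small number, and then shows why the modulus has to be enormous: for a three-digit n, trial division recovers p and q, and therefore the private exponent, instantly. Everything uses Go's math/big; the public exponent 3 and the message 42 are choices made for the demonstration. Real RSA uses random primes of 1024 or more bits each and padding such as OAEP, neither of which is shown here.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// RSAKey holds textbook RSA parameters: n and e are public, d is private.
type RSAKey struct {
	N, E, D *big.Int
}

// GenerateTextbookRSA derives a key from two primes p, q and a public
// exponent e. d is the inverse of e modulo phi(n) = (p-1)(q-1), which is
// exactly the quantity an attacker cannot compute without factoring n.
func GenerateTextbookRSA(p, q, e int64) (RSAKey, error) {
	P, Q, E := big.NewInt(p), big.NewInt(q), big.NewInt(e)
	if !P.ProbablyPrime(20) || !Q.ProbablyPrime(20) {
		return RSAKey{}, errors.New("p and q must both be prime")
	}
	n := new(big.Int).Mul(P, Q)
	pm1 := new(big.Int).Sub(P, big.NewInt(1))
	qm1 := new(big.Int).Sub(Q, big.NewInt(1))
	phi := new(big.Int).Mul(pm1, qm1)
	d := new(big.Int).ModInverse(E, phi) // nil when gcd(e, phi) != 1
	if d == nil {
		return RSAKey{}, errors.New("e has no inverse modulo phi(n)")
	}
	return RSAKey{N: n, E: E, D: d}, nil
}

// Encrypt computes c = m^e mod n. The message must be smaller than n.
func (k RSAKey) Encrypt(m int64) (int64, error) {
	M := big.NewInt(m)
	if M.Sign() < 0 || M.Cmp(k.N) >= 0 {
		return 0, errors.New("message must satisfy 0 <= m < n")
	}
	return new(big.Int).Exp(M, k.E, k.N).Int64(), nil
}

// Decrypt computes m = c^d mod n using the private exponent.
func (k RSAKey) Decrypt(c int64) int64 {
	return new(big.Int).Exp(big.NewInt(c), k.D, k.N).Int64()
}

// RecoverPrivateExponent illustrates the article's point about key size:
// with a tiny modulus, trial division finds a factor immediately and the
// private exponent follows. With a 2048-bit n this loop would never finish.
func RecoverPrivateExponent(n, e int64) (int64, error) {
	for p := int64(2); p*p <= n; p++ {
		if n%p == 0 {
			k, err := GenerateTextbookRSA(p, n/p, e)
			if err != nil {
				return 0, err
			}
			return k.D.Int64(), nil
		}
	}
	return 0, errors.New("no factor found")
}

func main() {
	k, err := GenerateTextbookRSA(17, 23, 3) // n = 391, phi = 352
	if err != nil {
		panic(err)
	}
	fmt.Printf("public (n=%v, e=%v), private d=%v\n", k.N, k.E, k.D)
	c, _ := k.Encrypt(42)
	fmt.Printf("42 encrypts to %d, decrypts to %d\n", c, k.Decrypt(c))
	d, _ := RecoverPrivateExponent(391, 3)
	fmt.Printf("factoring n=391 recovers d=%d\n", d)
}
```

With these numbers d works out to 235 (3 × 235 = 705 = 2 × 352 + 1) and 42 encrypts to 189. The same code path is what makes a 2048-bit modulus safe in practice: nothing about the algorithm changes, only the cost of the factoring step.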

Elliptic Curve Cryptography (ECC) provides equivalent security to RSA at dramatically smaller key sizes. A 256-bit ECC key provides approximately the same security as a 3072-bit RSA key. ECC is now preferred for most new applications because of its performance advantages — smaller keys, faster computation, lower power consumption — making it the standard for TLS and mobile cryptography.

How TLS Combines Both Systems

TLS (Transport Layer Security) — the protocol behind HTTPS — demonstrates how symmetric and asymmetric encryption work together in practice. The TLS handshake uses asymmetric cryptography to establish a shared secret, then uses fast symmetric encryption (AES) for all subsequent data transfer.

TLS 1.3 Handshake Step      | What Happens                                                                                        | Cryptography Used
1. Client Hello             | Client sends supported cipher suites and a random value                                             | None — plaintext
2. Server Hello             | Server selects cipher suite; sends its certificate and public key                                   | None yet — plaintext
3. Key Exchange             | Client and server use Diffie-Hellman (or ECDH) to derive a shared secret without transmitting it    | Asymmetric (ECDH)
4. Certificate Verification | Client verifies server certificate signature against trusted Certificate Authorities               | RSA or ECDSA signature
5. Finished                 | Both sides derive session keys from the shared secret; confirm the handshake was not tampered with  | HMAC
6. Application data         | All subsequent communication encrypted with symmetric session keys                                  | AES-GCM (symmetric)
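Steps 3 and 5 of that table, the ECDH key exchange and the Finished check, can be run end to end in a few dozen lines. The example below is added here and is not the article's code or a TLS implementation: it uses Go's crypto/ecdh X25519 for the key shares, a single-block HKDF-SHA256 (assumed here as a simplified stand-in for the real TLS 1.3 key schedule, whose labels and layering are omitted) to turn the shared secret into session keys, and an HMAC over the transcript hash as the Finished message. The transcript is simplified to just the two key shares. Certificate verification (step 4) is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Endpoint is one side of the handshake holding its ephemeral X25519 key pair.
// A fresh pair per connection is what gives TLS 1.3 forward secrecy.
type Endpoint struct{ priv *ecdh.PrivateKey }

func NewEndpoint() (*Endpoint, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Endpoint{priv: priv}, nil
}

// KeyShare is the 32-byte public value carried in the hello message.
func (e *Endpoint) KeyShare() []byte { return e.priv.PublicKey().Bytes() }

// SharedSecret combines our private key with the peer's key share. The secret
// itself never crosses the wire; an observer sees only the two public shares.
func (e *Endpoint) SharedSecret(peerShare []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerShare)
	if err != nil {
		return nil, err
	}
	return e.priv.ECDH(pub)
}

// hkdf1 is a single-block HKDF-SHA256 (RFC 5869 extract, then expand).
// Assumed simplification: real TLS 1.3 chains several of these with fixed labels.
func hkdf1(secret, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{1}) // block counter for the first output block
	return expand.Sum(nil)
}

// SessionKeys are what each side derives independently from the shared secret.
type SessionKeys struct {
	Traffic  []byte // key for the symmetric (AES-GCM) application-data phase
	Finished []byte // key for the Finished HMAC
}

// DeriveKeys salts the derivation with the transcript hash, so anyone who
// altered the hellos in transit leaves the two sides with different keys.
func DeriveKeys(shared, transcript []byte) SessionKeys {
	th := sha256.Sum256(transcript)
	return SessionKeys{
		Traffic:  hkdf1(shared, th[:], []byte("example traffic key")),
		Finished: hkdf1(shared, th[:], []byte("example finished key")),
	}
}

// FinishedMAC is the handshake-integrity check: an HMAC over the transcript
// hash under a key only a party holding the shared secret can derive.
func FinishedMAC(finishedKey, transcript []byte) []byte {
	th := sha256.Sum256(transcript)
	m := hmac.New(sha256.New, finishedKey)
	m.Write(th[:])
	return m.Sum(nil)
}

// Handshake runs client and server in one process and returns each side's
// keys plus the transcript they both observed.
func Handshake() (SessionKeys, SessionKeys, []byte, error) {
	client, err := NewEndpoint()
	if err != nil {
		return SessionKeys{}, SessionKeys{}, nil, err
	}
	server, err := NewEndpoint()
	if err != nil {
		return SessionKeys{}, SessionKeys{}, nil, err
	}
	// Simplified transcript: ClientHello share followed by ServerHello share.
	transcript := append(append([]byte{}, client.KeyShare()...), server.KeyShare()...)
	cs, err := client.SharedSecret(server.KeyShare())
	if err != nil {
		return SessionKeys{}, SessionKeys{}, nil, err
	}
	ss, err := server.SharedSecret(client.KeyShare())
	if err != nil {
		return SessionKeys{}, SessionKeys{}, nil, err
	}
	if !bytes.Equal(cs, ss) {
		return SessionKeys{}, SessionKeys{}, nil, fmt.Errorf("shared secrets differ")
	}
	return DeriveKeys(cs, transcript), DeriveKeys(ss, transcript), transcript, nil
}

func main() {
	c, s, transcript, err := Handshake()
	if err != nil {
		panic(err)
	}
	fmt.Println("traffic keys match:", bytes.Equal(c.Traffic, s.Traffic))
	fmt.Println("finished verifies:", hmac.Equal(FinishedMAC(c.Finished, transcript), FinishedMAC(s.Finished, transcript)))
}
```

Note the use of hmac.Equal rather than bytes.Equal when checking the Finished value: a MAC comparison must be constant-time so that timing does not leak how many leading bytes matched.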

Hash Functions: Integrity Verification

Cryptographic hash functions are a third pillar of modern security, distinct from encryption. A hash function takes arbitrary-length input and produces a fixed-length output (the hash or digest) with two critical properties: determinism (the same input always produces the same hash) and one-wayness (the output reveals nothing about the input, and it is computationally infeasible to reverse-engineer input from output). Small changes in input produce completely different outputs — a property called the avalanche effect.

  • SHA-256 (part of the SHA-2 family): Produces a 256-bit hash; used in TLS, Bitcoin, code signing, and password storage. No practical collision attacks known.
  • SHA-3 (Keccak): NIST's alternative to SHA-2; based on a different underlying construction; useful as a hedge against future SHA-2 vulnerabilities
  • MD5 and SHA-1: Both deprecated; practical collision attacks exist; should not be used for security-sensitive applications
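An added example, not the article's code, that demonstrates the three properties just described with SHA-256 from Go's standard library: determinism (the same input gives the well-known digest), the avalanche effect (flipping one input bit changes roughly half of the 256 output bits), and integrity verification, done with a constant-time comparison so the check itself does not leak information. The sample message is constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Digest returns the SHA-256 of data as lowercase hex, the form usually
// published alongside a download or a signed release.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// DifferingBits counts the bit positions at which two equal-length byte
// strings differ (their Hamming distance).
func DifferingBits(a, b []byte) int {
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

// Avalanche flips a single input bit and reports how many of SHA-256's 256
// output bits change. For a sound hash the count hovers around 128: the
// digest of the altered input is unrelated to the original, not "nearby".
func Avalanche(msg []byte, bitIndex int) int {
	flipped := append([]byte(nil), msg...)
	flipped[bitIndex/8] ^= 1 << (bitIndex % 8)
	a, b := sha256.Sum256(msg), sha256.Sum256(flipped)
	return DifferingBits(a[:], b[:])
}

// VerifyDigest checks data against an expected hex digest. The comparison is
// constant-time, so measuring how long a failed check takes reveals nothing
// about how many leading bytes matched.
func VerifyDigest(data []byte, expectedHex string) bool {
	want, err := hex.DecodeString(expectedHex)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	got := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(got[:], want) == 1
}

func main() {
	msg := []byte("transfer 100 to account 42") // constructed sample input
	fmt.Println("sha256:", Digest(msg))
	fmt.Printf("flipping input bit 0 changes %d of 256 output bits\n", Avalanche(msg, 0))
	fmt.Println("verifies against its own digest:", VerifyDigest(msg, Digest(msg)))
	fmt.Println("verifies after edit:", VerifyDigest([]byte("transfer 900 to account 42"), Digest(msg)))
}
```

The avalanche count is what makes a digest useful for integrity: an edit as small as one character in the message yields a digest that shares nothing recognisable with the original, so any tampering is caught by a straightforward comparison.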

Encryption Against Quantum Computing

Quantum computers threaten RSA and ECC because Shor's algorithm — running on a sufficiently powerful quantum computer — can efficiently factor large numbers and solve the elliptic curve discrete logarithm problem, the mathematical foundations of both algorithms. AES-256 is considered quantum-resistant because Grover's algorithm (the relevant quantum attack on symmetric ciphers) only reduces effective key strength by half — from 256 bits to 128 bits, which remains computationally infeasible.

NIST completed its Post-Quantum Cryptography (PQC) standardization process in 2024, publishing four quantum-resistant algorithms: CRYSTALS-Kyber (for key encapsulation), CRYSTALS-Dilithium, FALCON, and SPHINCS+ (for digital signatures). These algorithms are based on mathematical problems believed to be hard for both classical and quantum computers. Migration to post-quantum cryptography is underway across government, financial, and technology sectors in anticipation of cryptographically relevant quantum computers within the coming decade.
