up:: Security Basics MOC
Encryption
Encryption is the process of transforming readable data, called plaintext, into a scrambled form, called ciphertext, using a cryptographic algorithm and a key, so that only a party holding the correct key can reverse it back to the original. It’s the primary tool cryptography uses to deliver confidentiality, the guarantee that information stays readable only to authorized parties. Encryption comes in two kinds that the quantum threat treats very differently: symmetric encryption, which uses one shared key and survives a quantum computer at larger key sizes, and public-key (asymmetric) encryption, which uses a public and private key pair and gets broken outright by a quantum computer running Shor’s algorithm. That single split is why the entire post-quantum migration is overwhelmingly a public-key story.
The short version:
- Encryption turns plaintext into ciphertext with a key, and only the matching key turns it back. It serves one security goal, confidentiality, and it does not by itself prove who sent the data or that nothing changed.
- Symmetric encryption uses one shared secret for both locking and unlocking. AES-256 is the workhorse, it’s fast, and it does the bulk work of encrypting real data.
- Public-key encryption uses a linked key pair, a public key anyone can hold and a private key kept secret. It solves the harder problem of how two strangers agree on a shared key over an open line, and RSA is the classic example.
- Real systems use both together: public-key encryption to establish a shared key, then fast symmetric encryption to protect the actual data.
- The quantum threat hits the two halves unevenly. AES-256 survives (Grover’s algorithm only halves its strength, so a bigger key restores the margin), while public-key encryption and key exchange break (Shor’s algorithm solves the math they rest on), which is exactly the step Harvest Now, Decrypt Later targets.
Picture a document run through a scrambler that can also be run in reverse, but only by someone with the exact key. With symmetric encryption, one key runs the scrambler both ways, so the sender and receiver each need a copy of that same key. With public-key encryption, the scrambler has a special one-way lock: anyone can seal a document using the owner’s public key, but only the owner’s private key can un-seal it. The quantum problem is that a large quantum computer can reconstruct that private key from the public one, so it picks the public-key lock while walking almost untouched past the shared-key scrambler.
What is encryption?
Encryption is a cryptographic transformation that takes plaintext and a key and produces ciphertext, an output that conceals the original data so it can’t be read or used without reversing the transformation. Reversing it is decryption, and it requires the correct key. NIST defines encryption in its key-management standard as the process of changing plaintext into ciphertext using a cryptographic algorithm and key, and decryption as the reverse.
Encryption serves exactly one of the core security goals: confidentiality. It keeps data secret from anyone without the key. It’s worth separating encryption (the tool) from confidentiality (the goal), because confidentiality is also protected by access control and data minimization, and encryption is the cryptographic layer that holds even when those other layers fail. Encryption does not, on its own, prove who produced a message or that nobody altered it. Those are the jobs of digital signatures and hashes, and conflating them is a common source of security bugs.
Source: NIST, “Recommendation for Key Management, Part 1 General,” SP 800-57 Part 1 Rev. 5, May 2020, SP 800-57 Part 1 Rev. 5.
How does encryption actually work?
Every encryption scheme runs the same three-part cycle, and the security rests entirely on the key staying secret rather than on the algorithm staying hidden. The algorithms are public and standardized by design, so that they can be studied and trusted; the secret is the key.
- Key generation. A key (or a linked key pair, for public-key encryption) is generated from a strong random source. The strength of the whole scheme depends on this key being unpredictable and kept secret.
- Encryption. The sender runs the plaintext and the key through the encryption algorithm, producing ciphertext. A well-designed cipher mixes the input so thoroughly that flipping one input bit changes roughly half the output, and the ciphertext reveals nothing usable about the plaintext without the key.
- Decryption. The receiver runs the ciphertext and the correct key back through the algorithm to recover the exact original plaintext. With the wrong key, the output is useless.
The reason encryption is trustworthy is that a correctly designed cipher leaves brute-forcing every possible key as the only attack, and the key space is made far too large to search. AES, the most widely deployed symmetric cipher, takes a 128-bit block of data and runs it through repeated rounds of byte substitution, row shifting, column mixing, and key addition, and NIST standardizes it in FIPS 197. Public-key encryption works differently, resting not on a searchable key space but on a hard math problem, and that difference is the whole reason the two kinds fare so differently against a quantum computer.
Source: NIST, “Advanced Encryption Standard (AES),” FIPS 197, updated May 2023, FIPS 197.
What’s the difference between symmetric and public-key encryption?
Symmetric encryption uses one shared secret key for both encryption and decryption, and public-key encryption uses a linked pair of keys where one is public and one is private. That one structural difference decides everything downstream, including speed, what job each one does, and how each survives a quantum computer.
| Property | Symmetric encryption | Public-key (asymmetric) encryption |
|---|---|---|
| Keys | One shared secret, held by both parties | A public key anyone can hold plus a matching private key |
| Speed | Fast, built for bulk data | Slow, used only for small setup steps |
| Core job | Encrypt the actual data | Establish or transport the shared key, over an open line |
| Rests on | A large key space with no exploitable structure | A hard math problem (factoring or the discrete logarithm) |
| Examples | AES-256, AES-128 | RSA, Diffie-Hellman, ECDH |
| Quantum attack | Grover’s (quadratic speedup) | Shor’s (solves the exact math) |
| Quantum verdict | Survives at larger key size | Broken, must be replaced |
The one problem symmetric encryption can’t solve by itself is the first one: how do two people who’ve never met agree on that shared key over a line a stranger is listening to? Public-key encryption exists precisely to answer that. Its public key can lock a message that only the matching private key can open, which lets a stranger send you something only you can read without either of you ever having exchanged a secret in advance. The full algorithm-by-algorithm breakdown of which classical ciphers survive lives in Classical Cryptography; this note stays at the level of the two families and the split between them.
Source: NIST, “Recommendation for Key Management, Part 1 General,” SP 800-57 Part 1 Rev. 5, May 2020, SP 800-57 Part 1 Rev. 5.
Why do real systems use both symmetric and public-key encryption together?
Almost every secure connection uses both kinds in sequence, because each one covers the other’s weakness. Public-key encryption is slow and works on small inputs, so it’s a poor fit for encrypting a whole video stream or database. Symmetric encryption is fast and handles unlimited data, but it needs both parties to already share a key. Combining them gives you the best of each, and that combined pattern is called hybrid encryption.
A TLS session, the protocol behind the browser padlock, is the canonical example, and it runs in two stages:
- Setup, using public-key. The browser and server use a key exchange or key transport (ECDH, or historically RSA key transport) to agree on a fresh shared secret over the open internet. This step is small and happens once per connection.
- Bulk work, using symmetric. Once both sides hold the shared secret, they switch to a symmetric cipher, commonly AES-256 in GCM mode, to encrypt every byte of the actual page, form, and API call.
Seeing this two-stage shape is what makes the quantum exposure concrete. A quantum computer attacks the setup step, not the bulk step. If it breaks the recorded public-key key exchange, it recovers the shared secret and reads the AES-encrypted data without ever attacking AES itself. The symmetric layer was never the weak link; the public-key channel that delivered its key is.
Source: E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.3,” RFC 8446, August 2018, RFC 8446.
Which kind of encryption does the quantum threat break?
The quantum threat breaks public-key encryption and leaves symmetric encryption standing, and this is the single most important thing to understand about encryption and quantum computing. The two halves rest on different foundations, so a quantum computer does very different damage to each.
- Symmetric encryption survives. The only relevant quantum attack on AES is Grover’s algorithm, which speeds up brute-force key search only quadratically. Searching a space of
Nkeys drops from aboutNsteps to about√Nsteps, which halves the effective key strength. AES-256 halved still leaves about 128 bits of security, far beyond any foreseeable machine, so it stays safe. AES-128 drops to about 64 bits, below the comfort line, so the response is to standardize on AES-256. NIST states the general case plainly: quantum search “can have the effect of requiring larger key sizes,” and doubling the key size compensates. There’s no new symmetric family to migrate to, just a size bump. - Public-key encryption breaks. RSA, Diffie-Hellman, and ECDH all rest on factoring or the discrete logarithm, and Shor’s algorithm solves both efficiently on a large enough quantum computer. A capable machine recovers the private key directly from the public key, which is a structural collapse rather than a shrinking margin. Bigger keys don’t rescue it, because Shor’s cost grows only polynomially with key size. The vulnerable public-key algorithms have to be replaced with post-quantum standards, chiefly ML-KEM for key establishment.
Because the break lands on the public-key step, and that step is the one that establishes the shared key, this is exactly what Harvest Now, Decrypt Later exploits. An adversary records an encrypted session today, including the public-key key exchange, and waits. Once a capable quantum computer exists, it breaks the recorded key exchange, recovers the symmetric key, and decrypts the whole session, even though the data was protected with unbreakable AES-256. The confidentiality of anything that must stay secret for years is already exposed. That’s the reason the migration is urgent now rather than when the machine arrives.
Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, NISTIR 8105.
P. W. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” SIAM Journal on Computing, 1997, quant-ph/9508027.
Where did everyday encryption come from?
Encryption used to belong to governments and militaries, and the moment it reached ordinary people it arrived in exactly the hybrid, two-key shape used today. In 1991 Phil Zimmermann released Pretty Good Privacy (PGP), free email-encryption software that put strong cryptography in the hands of anyone with a computer. PGP is a clean illustration of the whole point of this note: it encrypts the actual message with a fast symmetric cipher, then encrypts that one-time symmetric key with the recipient’s public key, so the message rides on symmetric speed while the key-sharing problem is solved by public-key math. That’s the same hybrid design running under TLS every time you load a web page.
Zimmermann’s release triggered a US criminal investigation, because strong encryption was then classified as a munition for export purposes, and the case was dropped in 1996 without charges. The episode, one of the defining moments of the “crypto wars,” is documented in Simon Singh’s The Code Book. The through-line to now is direct: the public-key half that made PGP possible is exactly the half a quantum computer breaks, which is why the post-quantum migration is a public-key migration.
Source: Simon Singh, The Code Book, 1999, chapter “Pretty Good Privacy.”
Common misconceptions
- “Encryption proves who sent the data.” It doesn’t. Encryption protects confidentiality, keeping data secret. Proving origin and detecting tampering are separate jobs handled by digital signatures and hashes. A message can be perfectly encrypted and still be from an impostor.
- “Quantum computers break all encryption.” They break the public-key half. Symmetric encryption like AES-256 survives with a larger key, because the best quantum attack on it, Grover’s algorithm, gives only a quadratic speedup.
- “If my data is encrypted with AES-256, harvest-now-decrypt-later doesn’t apply.” It still applies. The attacker targets the public-key key exchange that delivered the AES key, not the AES cipher itself, so recorded traffic is exposed once that key exchange can be broken.
- “A bigger RSA key will keep my encryption quantum-safe.” Enlarging a public key defends against classical attackers, not against Shor’s algorithm, whose cost barely grows with key size. The fix for public-key encryption is a new algorithm, not a bigger key.
- “Symmetric and public-key encryption are competitors, and you pick one.” They do different jobs and almost always run together. Public-key establishes the shared key, then symmetric encrypts the data.
- “Encryption alone makes a system secure.” Encryption serves one goal. Integrity, availability, authentication, and non-repudiation need other tools, so a fully encrypted system can still fail on any of those. See the full set of security goals.
Questions people ask
What’s the difference between encryption and hashing? Encryption is reversible with the correct key, so ciphertext can be turned back into the original plaintext. A hash is a one-way fingerprint that can’t be reversed to recover the input. Encryption protects secrecy; hashing proves integrity.
Is encryption the same as a digital signature? No. They use the key pair in opposite directions and serve opposite goals. Encryption hides data using the recipient’s key, while a digital signature proves origin using the signer’s private key and hides nothing.
Does encryption prove my data wasn’t tampered with? Not by itself. Classic encryption protects confidentiality, not integrity. Modern authenticated-encryption modes like AES-GCM add an integrity check on top, but plain encryption only keeps data secret; detecting changes is the job of a hash or a MAC.
Which encryption is quantum-safe today? AES-256 is considered safe with its current key size, because Grover’s algorithm only halves its strength. The public-key algorithms that set up encryption keys, RSA, Diffie-Hellman, and ECDH, are the ones that break and need replacing.
Do I need to stop using AES? No, if you use AES-256. Move AES-128 up to AES-256 for anything long-lived, but there’s no post-quantum symmetric algorithm to adopt. It’s a key-size change, not a new family.
What replaces the broken public-key encryption? ML-KEM, NIST’s post-quantum key-encapsulation standard finalized in August 2024, takes over the key-establishment job that RSA and ECDH did. It’s usually deployed first as part of a hybrid step alongside the classical algorithm.
Why is public-key encryption the urgent part if the quantum computer doesn’t exist yet? Because of Harvest Now, Decrypt Later. An adversary can record encrypted traffic now and decrypt it years later once a quantum computer can break the recorded key exchange, so any data that must stay secret past the machine’s arrival is already at risk today.
Is my encrypted messaging app affected? Any protocol that relies on public-key key exchange to set up its encryption is affected, which is nearly all of them. The messaging vendors are the ones migrating the key-establishment step to post-quantum algorithms; the symmetric encryption doing the actual message protection stays fine.
Everything here is the map, given freely. When your team needs its own encryption found, sorted into what survives the quantum transition and what has to move, and sequenced onto a post-quantum path, that’s the work I do. Request an alignment briefing.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.