What Is Asymmetric Encryption?

There are a lot of different parts of cryptography. If you want to encrypt some data, though, there are two types of algorithms you can use: symmetric encryption algorithms and asymmetric encryption algorithms. The concept is the same: they can encrypt data but work on different principles and have other use cases.


The titular difference, however, describes the encryption keys. A symmetric encryption algorithm uses a single shared key to encrypt and decrypt data. An asymmetric encryption algorithm uses two linked keys, one to decrypt and one to decrypt.


Asymmetric encryption algorithms rely on the use of two distinct keys. One key can be used to encrypt data and the other to decrypt. The two encryption keys aren’t just any old two values. They are intrinsically related and need to be generated by a key generation algorithm.

An alternative name for asymmetric encryption is public key encryption. This is because it is intended that one of the two keys is public. The traditional concept is that the encryption key is publicly shared, and the decryption key is kept strictly private. For this reason, the encryption key is referred to as the public key, and the decryption key is the private key.

This configuration allows anyone to encrypt a message so only the private key owner can decrypt it. This is useful because anyone can securely communicate with the intended recipient with a single published encryption key. To securely communicate back, the recipient would need to use the public key of the original sender.

Theoretically, there’s no reason you couldn’t swap the keys around and share the decryption key while keeping the encryption key private. This could be used to verify the authenticity of the source, if not provide any meaningful security. However, this is not done in practice, as other mechanisms exist to achieve the same outcome.

Properties of Symmetric Encryption Algorithms

Asymmetrical encryption algorithms require the use of much larger keys than symmetric encryption algorithms when providing the same level of security. Generally, a symmetric encryption algorithm with a 128-bit encryption key is considered secure, though 256-bit keys are preferred. In an asymmetric encryption algorithm, 2048-bit keys are considered safe.

The 2048-bit key example applies to RSA, which has long been the standard for asymmetric encryption. Elliptic curve cryptography, however, is a newer concept that is also asymmetric but uses significantly smaller keys. A 2048-bit RSA key offers equivalent security to a 224-bit elliptic curve key.

Tip: The above values are considered secure for commercial use, but the NSA requires stronger keys for top-secret encryption. RSA keys of at least 3072-bits are needed, while 384-bit elliptic curve keys are necessary. It’s worth noting that a 3072-bit RSA key is weaker than a 384-bit elliptic curve key.

Asymmetric encryption algorithms tend to be relatively slow compared to symmetric encryption algorithms. Secure communication can be performed over an insecure channel if both parties generate an asymmetric key pair and then swap public keys. In this manner, both parties can send messages that only the other can decrypt.

In practice, at least one of the parties must verify the integrity of its public key. This is done through PKI or Public Key Infrastructure. This takes the form of Certificate Authorities that sign the keys of others to show that their identity has been verified. In this system, all certificate authorities must be trusted; without that, the system will fall apart.

Use in Practice

Asymmetric encryption algorithms are typically not used for bulk encryption, especially when time or performance is an issue. They may be used to encrypt one-time messages such as the contents of an email. However, their ability to secure an insecure channel makes them an excellent choice for a key-exchange protocol that transmits symmetric keys that can then be used for more efficient bulk encryption.

This is the use case in TLS, which provides security in HTTPS. A user connects to a web server; they then exchange public keys to encrypt small messages to each other. The server then generates a symmetric key, encrypts it with the user’s public key, and sends it to them. The user decrypts the key and can then use the symmetric key to encrypt future communications to the server efficiently.

A certificate authority in the above process verifies the server’s public key. This allows the user to be confident that they’re communicating with whom they are trying to communicate. In most cases, the user generates a one-use key, as the server doesn’t need to verify which user it is communicating with.


Asymmetric encryption algorithms utilize two distinct keys. One key is used for encryption, and the other for decryption. The keys are mathematically linked and must be generated by a key generation algorithm; random values do not work. Typically, the encryption key is shared publicly, allowing anyone to encrypt a message intended for the key pair’s owner.

As long as the decryption key remains private, only the key owner can decrypt messages encrypted with the public key. As such, asymmetric encryption is often also referred to as public key cryptography.