What's 'end-to-end encryption'?

A system where only the sender and the receiver can read the message. The service relaying the message (WhatsApp, Signal, etc.) processes only encrypted ciphertext — they couldn't read the contents even if compelled to. Compare to standard 'transport encryption' (HTTPS), where the data is encrypted between you and the service, but the service itself reads it on its servers.

Can encryption be broken?

In theory, given enough time, brute-force search of all possible keys would break any encryption. For modern AES-256 or RSA-2048, that 'enough time' is far longer than the age of the universe with all known computers combined. Realistic breaks come from flaws in implementation, key management, social engineering — never the math itself. Quantum computers, if they ever scale, could break RSA but not AES; post-quantum cryptography is actively being deployed.

Why is encryption so politically contested?

Because strong encryption makes lawful surveillance technically impossible. Governments periodically propose 'lawful access' backdoors. Cryptographers consistently argue that any backdoor weakens encryption for everyone — there's no mathematical way to create a backdoor only the 'good guys' can use. The tension between privacy and law-enforcement access has been live since the 1990s and hasn't been resolved.

How Encryption Actually Works — Padlocks Made of Math

The problem encryption solves

Suppose Alice wants to send Bob a secret message, but the only way to send it is through a channel Eve might be reading. Alice doesn't want Eve to understand the message. How?

Encryption. Alice scrambles the message using a mathematical procedure with a key. The scrambled text (called ciphertext) is unintelligible to anyone without the right key. Bob has the key; he uses it to unscramble (decrypt) and read the message. Eve sees only the ciphertext and can't make sense of it.

The math behind modern encryption is sophisticated, but the goal is simple: make the message unreadable to anyone except the intended recipient.

Two flavours of encryption

There are two fundamental approaches:

Symmetric encryption. The same key is used to encrypt and decrypt. Imagine a regular key and lock: the same key opens and closes the box. Algorithms like AES (Advanced Encryption Standard) use symmetric keys.

Asymmetric encryption (public-key cryptography). Two related keys. The public key can encrypt but not decrypt. The private key decrypts what the public key encrypted (and vice versa for signatures). Alice can publish her public key anywhere; only she has her private key. Anyone can use the public key to encrypt a message to her, but only she can read it.

Asymmetric encryption seems magical the first time you hear about it. It is, in a sense — there are mathematical operations that are easy to do in one direction and very hard to reverse without secret information. RSA is the most famous example, based on the fact that multiplying two large primes is easy, but factoring the result is computationally infeasible.

Real systems use both. Asymmetric encryption is much slower than symmetric, so:

Alice and Bob use asymmetric encryption to agree on a one-time symmetric key.
They use that symmetric key for the actual message.

This hybrid approach is how HTTPS, WhatsApp, Signal, and almost all real encryption systems work.

A worked example: HTTPS

When your browser connects to a website over HTTPS, here's roughly what happens:

TCP connection. Your browser opens a connection to the server.
Hello. Browser sends a "hello" listing the encryption methods it supports.
Certificate. Server responds with its certificate, which contains the server's public key, signed by a trusted Certificate Authority (CA).
Verify. Browser checks the certificate against its list of trusted CAs. If anything is wrong, browser shows a security warning.
Key exchange. Browser generates a random symmetric session key. Encrypts it with the server's public key. Sends it to the server. (Modern protocols often use Diffie-Hellman key exchange instead, which produces a shared key without anyone actually transmitting it.)
Decrypt. Server uses its private key to recover the session key.
Symmetric encryption. Both browser and server now have the same symmetric session key, which they use for the rest of the conversation.

The entire dance happens in milliseconds. The handshake is the asymmetric part; the actual data transfer is the symmetric (and faster) part.

How AES (symmetric) works

AES — Advanced Encryption Standard, the most widely-used symmetric cipher — works by repeatedly scrambling a block of data using a key. The standard version operates on 128-bit blocks (16 bytes at a time), repeating 10-14 rounds depending on key size.

Each round does four operations:

SubBytes. Replace each byte with another byte according to a fixed table.
ShiftRows. Shift the bytes in each row of the block by different amounts.
MixColumns. Combine bytes within each column using mathematical multiplication.
AddRoundKey. XOR the block with a "round key" derived from the main key.

These operations are individually simple but, composed for many rounds with a secret key, produce output that's statistically indistinguishable from random — and that can be cleanly reversed only by someone knowing the key.

AES has been heavily studied and remains unbroken. The best attacks on AES-256 still require effectively all possible keys to be tried — about 2²⁵⁶ operations, which is more than the number of atoms in the observable universe. Any actual breaches of AES-encrypted data have come from problems in key management, side-channel attacks (timing, power consumption), or implementation bugs, not from the math being weak.

How RSA (asymmetric) works

RSA, the prototypical public-key system, is based on a mathematical asymmetry: multiplying two large primes is easy; factoring the product is hard.

Setup:

Choose two large prime numbers, p and q (typically ~1024 bits each).
Compute n = p × q.
Choose an exponent e (often 65,537).
Compute a related exponent d using modular arithmetic.
Public key is (n, e). Private key is (n, d). Throw away p and q.

To encrypt a message m: compute c = m^e mod n. This is easy.

To decrypt c: compute m = c^d mod n. This is easy if you know d.

To break RSA: figure out d from the public key (n, e). This requires factoring n into p × q, which is currently believed to be hard — there's no known fast algorithm for factoring large numbers on classical computers. The best-known algorithms still take exponential time as the key grows.

RSA-2048 (where n is 2048 bits) is currently considered secure. RSA-4096 is the recommendation for very-long-term security. RSA-1024 is considered weak.

Quantum computers, if they scale up, would change this dramatically — Shor's algorithm can factor large numbers efficiently on a sufficiently large quantum computer. This is why post-quantum cryptography is now an active area, replacing RSA with algorithms based on math problems (lattice problems, code-based crypto) that quantum computers don't crack easily.

End-to-end vs transport encryption

A common distinction:

Transport encryption (e.g., HTTPS). Your data is encrypted while travelling between you and the server. But the server itself reads the data — it has to, to process your request. So the service provider can see what you're doing on their service.

End-to-end encryption (e.g., Signal, WhatsApp messages). The data is encrypted on your device and only decrypted on the recipient's device. The relay service in between processes only ciphertext. They cannot read the messages even if compelled to.

End-to-end is much stronger from a privacy perspective. It's also more controversial — governments often argue that strong end-to-end encryption hinders law enforcement, and propose various "backdoor" schemes. Cryptographers consistently argue that any backdoor for one party weakens encryption for everyone, since the backdoor mechanism becomes a target for attackers.

What encryption can't do

Encryption protects the contents of communication. It doesn't protect:

Metadata. Who's talking to whom, when, how often, for how long. Signal protects message content, but Signal-the-service can see that you sent some messages to a specific recipient at a specific time.
The endpoints. If your phone is compromised, your messages are visible to whatever has compromised your phone regardless of encryption. End-to-end is end-to-end; if your end is owned, it doesn't help.
Mistakes. Sending the wrong file. Sharing your password. Most security breaches don't break encryption; they exploit something else.

Encryption is necessary but not sufficient. A complete security posture includes encryption plus secure devices plus careful operations plus good auditing.

If you'd like a guided 5-minute course on encryption — how the math works and how to evaluate it — NerdSip can generate one.

The takeaway

Encryption scrambles a message so only the intended recipient can read it. Symmetric algorithms (AES) use the same key for both directions. Asymmetric algorithms (RSA, ECC) use related public and private keys that can encrypt to / decrypt from each other but can't reverse each other. Real systems hybrid them — asymmetric to exchange keys, symmetric for the actual data. The math is well-understood; breaches almost always come from key management or implementation issues, not the algorithms themselves. Encryption is foundational to the modern internet and is increasingly contested politically.

How Encryption Actually Works — Padlocks Made of Math

Article summary