Public-key cryptography relies on a mathematical trapdoor where creating a key is easy, but reversing it without the secret is computationally impossible.
This asymmetry powers every secure connection on the internet, from banking sites to private messaging apps. The problem cryptography solves is how two parties can agree on a secret without ever meeting. Before public-key systems, this required a physical exchange of keys. Now, a browser can verify a website’s identity using only a public key, while keeping the decryption key private. The mechanism depends on the fact that some math problems are easy in one direction and hard in the other.
The most common implementation uses the RSA algorithm, named for its creators Ron Rivest, Adi Shamir, and Leonard Adleman. RSA security rests on the difficulty of factoring large composite numbers. A second implementation uses Elliptic Curve Cryptography (ECC), which relies on the discrete logarithm problem over elliptic curves. Both are standards approved by the National Institute of Standards and Technology (NIST) in FIPS 186-4. The choice between them is not about security, but efficiency.
The math of the trapdoor
The core operation is simple multiplication. Take two prime numbers, 7 and 13. Multiply them to get 91. Anyone can do this. Now, give someone the number 91 and ask them to find the two primes. For 91, it is trivial. For a number with 600 digits, it is effectively impossible with current computing power.
This is the trapdoor. The public key is the large composite number (the product). The private key is the two prime factors. The security of the system relies on the time it takes to factor the public key back into its components.
NIST specifies minimum key sizes to ensure this time exceeds the lifespan of the data being protected. RSA-1024 was standard until 2013, when NIST deprecated it in SP 800-57. RSA-2048 is now the minimum. The NSA’s CNSA (Commercial National Security Algorithm) Suite, which replaced the retired Suite B in 2015, recommends RSA-3072 or ECC P-384 for classified workloads, because elliptic-curve math scales differently than factoring.
| Key Type | Bit Length | Equivalent Security (AES bits) | Approx. Factoring Time (2025) |
|---|---|---|---|
| RSA | 1024-bit | 80 | Days to Weeks |
| RSA | 2048-bit | 112 | Thousands of Years |
| RSA | 4096-bit | 150 | Billions of Years |
| ECC | 256-bit | 128 | Billions of Years |
The table shows the divergence in efficiency. A 256-bit ECC key provides roughly the same security as a 3072-bit RSA key. This means ECC keys are smaller, faster to compute, and use less bandwidth. The NSA moved to ECC in its Suite B recommendations for this specific reason: mobile devices and satellites have limited processing power, but need high security.
RSA-2048 is the baseline for web browsers. When a browser connects to a site via TLS, the server sends its RSA-2048 public certificate. The browser verifies the certificate chain against trusted root authorities, then uses the public key to encrypt a session key. The server uses its private key to decrypt that session key. Once the session key is established, the connection switches to symmetric encryption (like AES), which is faster. The public-key step is only for the handshake.
The vulnerability in this system is not the math itself, but the implementation. The random number generator used to create the keys must be truly random. If a device uses a predictable seed, two different devices might generate the same key pair. This happened in 2012 when researchers analyzed TLS certificates and found thousands of keys that shared a common factor. Those keys were immediately compromised.
The security margin depends on the key size. RSA-2048 offers 112 bits of security. This means an attacker would need to perform 2^112 operations to break it. With current silicon, this is infeasible. A quantum computer running Shor’s algorithm could break RSA-2048 in hours, but no such machine exists at that scale. The National Institute of Standards and Technology is currently running a Post-Quantum Cryptography standardization process to prepare for that day.
The tradeoff in key size
The choice between RSA and ECC is a tradeoff between compatibility and efficiency. RSA is older and supported on nearly every device manufactured in the last 20 years. ECC is newer and requires less computational power but has had implementation bugs in the past.
For most users, the default is RSA-2048. For mobile applications or blockchain systems, ECC is preferred. Bitcoin uses the secp256k1 curve, a specific elliptic curve defined by standards bodies. This allows transactions to be verified quickly on smartphones.
The bit-length matters for long-term security. Data encrypted with RSA-1024 today could be harvested and decrypted in 10 years when computing power increases. Data encrypted with RSA-2048 today will likely remain secure for 20 to 30 years. This is why financial institutions and governments require longer keys for sensitive data.
The cost of a larger key is processing time. A 4096-bit RSA key is significantly slower to generate and use than a 2048-bit key. Servers handle thousands of connections per second. Increasing the key size by 2000 bits can double the CPU load. This is why most websites stick to 2048-bit RSA or move to ECC.
The specific numbers that define trust
Security is not a binary state. It is a probability. The NIST defines security strength in bits. A 128-bit security strength means there are 2^128 possible keys. A brute-force attack would need to try half of them on average.
RSA-2048 provides approximately 112 bits of security strength. RSA-3072 provides 128 bits. ECC-256 provides 128 bits. The difference is that ECC-256 keys are 64 bytes, while RSA-3072 keys are 384 bytes. The storage and transmission savings are significant for high-volume systems.
The RSA algorithm itself is a public standard — the patent expired in 2000 — but practical key-lifetime guidance comes from the CA/Browser Forum, whose Baseline Requirements cap publicly-trusted TLS certificates at 398 days. Shorter lifetimes limit the damage if a key is compromised without the operator knowing. The rotation process is automated in modern certificate management systems like Let’s Encrypt, which issues 90-day certificates by default.
The math holds, but the keys must be kept secret. The private key never leaves the server’s secure memory. If the private key is stolen, the entire system fails. This is why hardware security modules (HSMs) are used by banks and certificate authorities. These physical devices store the private key and perform the decryption internally, never exposing the number to the operating system.
The visualization of the table above reveals the specific tradeoff. RSA-2048 is the baseline for security today, but ECC-256 offers the same protection with less overhead. The choice depends on the system’s constraints.
Doubling the RSA modulus does not double the security strength — it follows a roughly cubic curve. RSA-1024 gives ~80 bits of security, RSA-2048 gives ~112, RSA-4096 gives ~150, per NIST SP 800-57. So a 4096-bit key is secure for the foreseeable future but costs roughly 5× the CPU time of a 2048-bit key for a private-key operation. The sweet spot for most web traffic is RSA-2048 or ECC-256.
The math says RSA-2048 is secure for 30 years. The behavior of attackers says keys are stolen more often than they are broken. The compromise is to use a standard key size that balances CPU load with the NIST security strength guidelines. That specific calculation is why your browser trusts the site you are visiting right now.