What is Cryptography?

Depending on the algorithm, cryptography can provide confidentiality, integrity, authenticity, and non-repudiation. The two most widespread cryptosystems are symmetric and asymmetric cryptography. Even if we do not notice it, cryptography is literally everywhere in the digital era. End-to-end cryptography is becoming the norm for certain types of communication such as instant messaging. Lastly, cryptography is not magic: it is possible to break it, in particular when it is not sufficiently well implemented.

Symmetric and asymmetric cryptography are the two main cryptosystems

There is a wide variety of cryptographic methods, also known as cryptosystems, with different strength and weaknesses. This diversity allows users to choose the most appropriate method for their needs, context, resources, and other constraints. Cryptographic methods involve techniques rooted in mathematics. The two most common families of cryptographic methods, symmetric and asymmetric cryptography. Other methods include homomorphic cryptography, as well as zero-knowledge proofs, secure-multi- party computation (SMPC), lattice-based cryptography, secret sharing, obfuscation, etc.

Both symmetric and asymmetric cryptography use a simple string of bits (zeros and ones) called a cryptographic key, as an input variable provided to a cryptographic algorithm to transform data in a unique manner. The size and security of the key are critical conditions for the security of the entire cryptographic process, although not the only ones.

Symmetric and asymmetric cryptography are complementary and generally serve different purposes in different contexts. Among their differences, asymmetric cryptography is more complex technically, organisationally, and operationally than symmetric cryptography. To provide confidentiality, the data is encrypted by the sender with the receiver’s public key and decrypted by the receiver with her private key. To provide authenticity and integrity of data such as a message or file, the sender (or owner if the data is at rest) generates a digital signature by encrypting with her private key a mathematically generated unique digital code based on the message and appending the results, called a hash value, to the message before sending it to the recipient(s). The recipient(s) can then decrypt the digital signature with the sender’s public key. If the public key decrypts the digital signature, they can trust the integrity and authenticity of the data. Otherwise, it is a proof that the authenticity and integrity are broken. 

The digital signature also ensures that the sending party cannot deny having “signed” the message (i.e. non-repudiation) because the encryption process to digitally sign the data provides a very high level of assurance that it was really performed by whomever holds the private key. The confidence stems from the mathematical properties of the key pair and encryption/decryption algorithms, which make it quasi-impossible to tamper with if there are no exploitable weaknesses in the implementation of the cryptosystem.

A systematic and comprehensive risk analysis of both the cryptographic technique and how it would be implemented in each case is essential to choose the most appropriate one, and the implementation of a systematic and comprehensive risk management cycle is also crucial when cryptography is deployed and operated in practice. Naturally, participants also need to consider other factors such as cost, usability, and technical feasibility.

Asymmetric cryptography is well-suited for encrypting small amounts of data because its performance drops in proportion to the amount of data. This is why symmetric and asymmetric cryptography are often used in combination, typically in the key establishment (or agreement) process whereby two parties use asymmetric cryptography to agree on a symmetric key that they will then use during their communication. This is typically the case with hybrid protocols such as Transport Layer Security (TLS).