Public-Key Encryption

A cryptographic system using two mathematically linked keys: a public key for encrypting data and a private key for decrypting it. The public key can be shared openly without compromising security.

Also known as: asymmetric encryption, asymmetric cryptography, public-key cryptography, PKI

Public-key encryption (also called asymmetric encryption) uses a pair of keys instead of a single shared secret. Anyone can encrypt a message using the recipient's public key, but only the person holding the matching private key can decrypt it. This solves a fundamental problem with older symmetric encryption: how to share sensitive data with someone without first exchanging a secret key in person.

The mathematics behind it relies on one-way functions: operations that are easy to perform in one direction but computationally difficult to reverse. Common algorithms include RSA (Rivest-Shamir-Adleman) and elliptic-curve cryptography (ECC). The public key is typically hundreds of digits long and completely safe to publish; the private key must stay secret.

Why it matters: public-key encryption powers HTTPS (the padlock icon in your browser), email encryption, digital signatures, and password-protected key exchanges. It enables you to communicate securely with organisations you've never met before.

Common scenarios:

  • Website visitors encrypt data with a site's public key; only the website's private key can read it
  • You digitally sign documents with your private key; others verify the signature using your public key, proving you created it
  • Password managers and VPN services use it to protect keys in transit

Gotchas: public-key encryption is slower than symmetric encryption, so systems often use it only to exchange a symmetric key (hybrid encryption). Also, your public key isn't anonymous: anyone holding it can verify your signatures, although they cannot identify you without additional information. If you lose your private key, data encrypted with the matching public key becomes permanently inaccessible.
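
The hybrid scheme mentioned under Gotchas, as an added example that is not part of the original glossary entry: Node.js's built-in crypto module encrypts the message with a one-time AES-256-GCM key and uses RSA-OAEP only to wrap that key. The helper names (oaep, seal, open, demo) are hypothetical, and the key pair and message are constructed for the demo.

```javascript
const nodeCrypto = require('node:crypto');

// RSA-OAEP with SHA-256 is used only to wrap the 32-byte AES key.
const oaep = (key) => ({
  key,
  padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: 'sha256',
});

// Encrypt for a recipient: needs only their public key.
function seal(publicKey, message) {
  const aesKey = nodeCrypto.randomBytes(32); // fresh symmetric key, this message only
  const nonce = nodeCrypto.randomBytes(12); // 96-bit GCM nonce, not secret
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', aesKey, nonce);
  const ciphertext = Buffer.concat([cipher.update(message), cipher.final()]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt(oaep(publicKey), aesKey),
    nonce,
    ciphertext,
    tag: cipher.getAuthTag(), // lets the recipient detect any modification
  };
}

// Decrypt: needs the private key. Throws on a wrong key or altered data.
function open(privateKey, env) {
  const aesKey = nodeCrypto.privateDecrypt(oaep(privateKey), env.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', aesKey, env.nonce, {
    authTagLength: 16, // refuse truncated authentication tags
  });
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

// Constructed demo: a throwaway 2048-bit key pair and a sample message.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
  });
  const env = seal(publicKey, Buffer.from('constructed sample message'));
  return { env, privateKey, plaintext: open(privateKey, env).toString() };
}

console.log(demo().plaintext);
```

The wrapped key is always 256 bytes for a 2048-bit RSA key, however long the message is; only the AES ciphertext grows with the data.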