Cryptography
The Secret Hidden in Plain Sight: How Modern Encryption Uses Math You Can't Undo
Every time you buy something online, your financial details are protected by a lock that anyone in the world can see — and almost no one can open.
The Idea
Most people assume secrecy requires hiding the mechanism — a cipher only the sender and receiver know. For millennia, that was true. But in 1976, Whitfield Diffie and Martin Hellman published a paper that broke this assumption completely, introducing what we now call public-key cryptography. The insight is almost philosophically strange: you can have a lock that the whole world knows how to close, but only one person knows how to open. Here's the underlying trick. Certain mathematical operations are trivially easy to perform in one direction and essentially impossible to reverse. Multiplying two large prime numbers together takes milliseconds. Factoring the resulting number back into its components — with no other information — would take a classical computer longer than the age of the universe if the primes are large enough. This asymmetry is the engine. Your browser generates a pair of mathematically linked keys: a public key (broadcast freely) and a private key (never shared). Anyone can encrypt a message using the public key. Only the private key can decrypt it. The two keys are related, but deriving one from the other requires solving a problem that is, in practice, computationally hopeless. What makes this remarkable is that secrecy no longer requires a prior secret. Two strangers who have never met, never exchanged a password, and are being actively monitored can still establish a private channel. That was previously considered impossible — and it quietly underpins almost everything you do online.
In the World
In 1977, Ron Rivest, Adi Shamir, and Leonard Adleman at MIT formalised the first practical public-key system, RSA, named after their initials. To demonstrate confidence in their method, they published an encoded message and the public key used to encrypt it, then offered a prize to anyone who could crack it. The challenge was to factor a 129-digit number — RSA-129 — into its two prime components. Rivest estimated it would take 40 quadrillion years. He was off, but not embarrassingly so. In 1994, a team coordinated by mathematician Arjen Lenstra recruited around 600 volunteers across the internet — this was early internet, a remarkable feat in itself — to divide the computational work. After eight months of combined effort spanning 20 countries and roughly 1,600 machines, they factored RSA-129. The decoded message read: "The magic words are squeamish ossifrage." It was a triumph, but also a validation: breaking RSA-129 required a global volunteer effort running for most of a year, and 129 digits is tiny by modern standards. Today's RSA keys use 2,048 or 4,096 digits. The gap between what's theoretically breakable and what's practically breakable has only widened — for now. The quiet footnote to this story is that a British intelligence agency, GCHQ, had secretly developed equivalent ideas years earlier, in work by James Ellis and Clifford Cocks that remained classified until 1997. The public and private histories of cryptography often turn out to be running in parallel, separated only by clearance levels.
Why It Matters
There is a version of the modern world without public-key cryptography, and it is not a world with slightly less privacy — it is a world without online commerce, without secure communications, without the basic architecture of digital trust. That this all rests on the difficulty of factoring large numbers is, when you sit with it, genuinely vertiginous. But there's a real tension worth holding. Quantum computers, which exploit quantum superposition to explore many computational paths simultaneously, are advancing fast enough that cryptographers are not waiting to see what happens. The problem is not that quantum computers will break today's encryption tomorrow — they won't, not yet — but that adversaries can harvest encrypted data now and decrypt it later, once the hardware matures. This is called a "harvest now, decrypt later" attack, and it's already happening. The field has responded: post-quantum cryptography is a live and urgent discipline, and new standards are being finalised right now. The lesson is that cryptographic security is never a solved problem — it is an ongoing negotiation between mathematical ingenuity and computational power, and the terms of that negotiation are quietly changing.
A Question to Ponder
If the security of nearly all digital privacy rests on a single mathematical assumption — that factoring large numbers is hard — what does it mean that this assumption has never been proven, only tested?
Get a new one of these every morning.
Start learning with Thinkable