What Is Public Key Cryptography?
Public key cryptography is an encryption method that uses two mathematically linked keys—a public key that anyone can share, and a private key that only the owner holds so data encrypted with one key can only be decrypted with the other. It lets two parties communicate securely and verify identity without ever having to exchange a shared secret first.
Older encryption methods (symmetric cryptography) use a single shared key for both encrypting and decrypting data. That works, but it creates a hard problem: how do two parties agree on that shared key in the first place without an eavesdropper intercepting it?
Public key cryptography, also called asymmetric cryptography, solves this by splitting the key in two. Each user generates a key pair: a public key, which they can hand out freely, and a private key, which never leaves their possession. The two keys are mathematically related, but deriving the private key from the public one is computationally infeasible with current technology.
This structure supports two distinct uses, and it's worth keeping them separate:
- Encryption for confidentiality. Anyone can encrypt a message using the recipient's public key, but only the recipient's private key can decrypt it. This is how you send someone data securely without ever needing to share a secret with them in advance.
- Digital signatures for authenticity. The sender encrypts (signs) data with their own private key. Anyone can verify it using the sender's public key, which confirms the data genuinely came from that private key holder and wasn't altered.
This is the underlying mechanism behind HTTPS/TLS (securing traffic between a browser and a website), SSH (securely accessing remote servers), PGP/GPG (encrypting and signing email), and blockchain wallets, where a private key controls funds and a public key (or an address derived from it) can be shared to receive them.
Use Cases
- Securing website traffic via HTTPS/TLS, so data between a browser and server can't be read in transit
- Verifying software or firmware updates haven't been tampered with, using a vendor's digital signature
- Authenticating SSH connections to remote servers without transmitting a password
- Authorizing blockchain transactions, where a private key signs a transfer and the network verifies it with the corresponding public key/address
- Encrypting and signing email through PGP/GPG, so only the intended recipient can read it and the sender's identity is verifiable
Best Practices
- Never transmit or store a private key in plaintext—use hardware security modules or encrypted key stores where possible
- Rotate and revoke keys promptly if a private key may have been exposed
- Use established, peer-reviewed algorithms (RSA, ECDSA, Ed25519) rather than custom cryptographic implementations
- Pair public key cryptography with a trusted certificate authority or key verification process, so a public key can be confirmed as belonging to who it claims to be
- Choose key sizes that reflect current recommended standards, since what's considered secure shifts as computing power increases
How It Works: Step-by-Step
A typical exchange looks like this:
- Recipient generates a key pair and shares only the public key
- Sender encrypts their message using that public key
- Encrypted message travels over any channel, even an insecure one
- Only the recipient's private key can decrypt it back to plaintext
For digital signatures, the direction reverses: the sender signs with their own private key, and anyone holding the sender's public key can verify the signature is authentic without that verifier ever needing access to the private key itself.
Common algorithms in production use today include RSA (widely supported, larger key sizes), ECDSA (smaller keys at equivalent security, used in Bitcoin and Ethereum), and Ed25519 (fast, modern, increasingly the default for SSH and new protocol design).
Conclusion
Public key cryptography solves a problem that older encryption methods couldn't: proving identity and exchanging data securely without ever needing to share a secret in advance. That's why it sits underneath so much of the secure internet—HTTPS, SSH, signed software, and blockchain transactions all depend on the same basic mechanism of a public key anyone can use and a private key only one party controls.
Frequently Asked Questions
Is public key cryptography secure?
Yes, when implemented with current recommended algorithms and key sizes. Security relies on certain mathematical problems (like factoring large numbers, for RSA) being computationally infeasible to reverse—"infeasible" here is a moving target, which is why key size recommendations get revised upward over time as computing power increases.
What's the difference between a public key and a private key?
A public key can be shared with anyone and is used to encrypt data meant for its owner, or to verify a signature that owner created. A private key is kept secret and is used to decrypt data sent to its owner, or to create a signature. Losing control of a private key breaks the security of everything tied to it.
What's an example of public key cryptography in everyday use?
Every time a browser connects to a site over HTTPS, public key cryptography is used to establish a secure connection before any data is exchanged. It's also what lets a cryptocurrency wallet prove a transaction was authorized by the actual owner of the funds.
Is public key cryptography the same as public key encryption?
Not exactly—public key cryptography is the broader system (the key pair and its mathematical properties), while public key encryption is one specific application of it, focused on confidentiality. Digital signatures are the other major application, focused on authenticity rather than secrecy.