RSA · Elliptic curves · Interactive

Locks without shared secrets

How two strangers agree on a secret while everyone is listening — the math behind the padlock in your browser, with knobs you can turn.

▼ scroll
01 · The problem

Whispering in a crowded room

Classic encryption is symmetric: the same key locks and unlocks. AES, the workhorse cipher that protects this very page in transit, works that way — and it's fast and essentially unbreakable with a good key.

But symmetric encryption has a bootstrap problem. Before you and a website can whisper, you both need the same key — and the only channel you share is the public internet, where anyone on the path can read every byte. Mailing keys on paper worked for embassies; it does not scale to your browser opening twenty TLS connections before breakfast.

Asymmetric (public-key) cryptography, invented in the 1970s, dissolves the problem with a strange idea: use two keys. One is public — shout it to the whole room. The other is private — it never leaves your machine. What one key locks, only the other unlocks. Nobody has to deliver a secret to anybody.

The whole trick rests on one-way functions: math that is easy to compute forward and practically impossible to reverse. This page builds that idea up from paint-mixing, through RSA, to the elliptic curves that secure most of today's internet.

02 · The intuition

Mixing paint in public

The cleanest intuition for public-key agreement is paint. Mixing two colors is easy; un-mixing a blend back into its ingredients is hopeless. That asymmetry is all you need.

Alice and Bob agree — out loud, in public — on a common starter color. Each secretly picks a private color and mixes it into the starter. They swap the resulting blends (also in public), then each stirs their own private color into the blend they received. Both end up holding starter + Alice's secret + Bob's secret — the same final color — yet the eavesdropper only ever saw the starter and the two half-blends.

▶ try it — pick the colors, watch the secret emerge

Alice

+=→ sends this publicly
+=final

Bob

+=→ sends this publicly
+=final
eavesdropper saw: — but Alice & Bob's finals match ✓

This is exactly the shape of Diffie–Hellman key exchange (1976) — the first public-key scheme ever published. Real cryptography just replaces paint with a mathematical mixing operation that is provably easy forward and believed intractable backward.

03 · One-way functions

One-way streets in math

The paint of real Diffie–Hellman is modular exponentiation — raising a number to a power on a "clock" with p positions, keeping only the remainder:

y  =  gx mod p

Computing y from x is fast even for 600-digit numbers. But going backward — given y, find the exponent x — is the discrete logarithm problem, and no efficient algorithm for it is known. On a clock, exponentiation doesn't grow smoothly; it teleports.

▶ try it — slide the exponent and watch 5x mod 23 jump around the clock
1

Notice there's no pattern to ride: going from x to x+1 flings the result anywhere on the clock. With a real 2048-bit p, the clock has more positions than there are atoms in the observable universe — and an attacker who sees y must effectively guess x.

Diffie–Hellman in one breath: Alice publishes ga mod p, Bob publishes gb mod p, each raises the other's number to their own secret, and both land on gab mod p — the same shared key. The paint demo above, with clocks instead of pigments.

04 · RSA

RSA: a lock anyone can click shut

Diffie–Hellman lets two parties agree on a key. RSA (Rivest–Shamir–Adleman, 1977) goes further: it gives you a public lock and a private key, so anyone can encrypt a message that only you can read — no conversation needed.

Its one-way street is factoring. Multiplying two primes is instant; recovering them from the product is brutally hard. A key pair is built like this:

1  pick two secret primes p, q  →  publish n = p·q
2  compute φ(n) = (p−1)(q−1)  (needs p and q — this is the trapdoor)
3  pick a public exponent e coprime to φ(n)
4  find the private exponent d with e·d ≡ 1 (mod φ(n))
encrypt: c = me mod n   ·   decrypt: m = cd mod n

Euler's theorem guarantees the round trip: raising to the e-th and then the d-th power is, modulo n, raising to a power that acts like 1. Encryption and decryption are the same operation with different exponents — one public, one private.

▶ try it — build a (toy) key pair and encrypt a message

🔓 public key — shout it

🔒 private key — never leaves you

Toy alert: real RSA uses 2048-bit primes and encrypts each block with random padding, never letter-by-letter — repeating chips for repeating letters, like you can see above, is exactly the leak padding prevents. The arithmetic, though, is identical to what your browser does.
05 · Why it holds

The wall: factoring

Everything public in RSA — n and e — is safe to reveal only because nobody can split n back into p and q. If they could, they'd compute φ(n), derive d, and read everything. So how hard is factoring, really? Feel it:

▶ try it — your machine vs. a semiprime (trial division)
8
press the button — this actually runs in your browser

Each extra pair of digits multiplies the work by ~10. Real algorithms (the general number field sieve) are far cleverer than trial division, but the curve still explodes: factoring a 2048-bit RSA modulus — 617 digits — is estimated to need more energy than boiling the oceans. The current public factoring record is 250 digits, and it took ~2,700 core-years.

Security here isn't a proof — it's a 50-year-old open challenge that the world's mathematicians keep failing at, with billions of dollars riding on their continued failure.

06 · Elliptic curves

A stranger, better one-way street

RSA needs enormous keys because factoring, while hard, is not maximally hard — clever algorithms chip away at it. In the 1980s cryptographers found a tougher playground: elliptic curves, the set of points satisfying

y² = x³ + ax + b

The magic is that curve points form a group: there's a geometric way to "add" two points and land on a third. Draw a line through P and Q — it hits the curve at exactly one more spot; reflect that spot across the x-axis and you've got P + Q. (Adding a point to itself uses the tangent line.)

▶ try it — drag P and Q along the curve; reshape it with a and b
-3
4

This addition looks arbitrary, but it behaves impeccably — it's associative, has an identity (a "point at infinity" straight up), and every point has an inverse (its mirror image). A full arithmetic, conjured out of geometry.

07 · Over a finite field

Now snap it to a grid

Smooth curves are lousy for computers — floating point rounds, and secrets can't survive rounding. So cryptography plays the same game modulo a prime: coordinates wrap around like clock arithmetic, and the elegant curve shatters into a cloud of scattered points. The addition law survives verbatim — same formulas, just with mod-p division.

Now pick a base point G and add it to itself k times: 2G, 3G, 4G… The hops look like random teleports around the cloud. Computing kG from k is fast (double-and-add needs only ~log k steps). Recovering k from kG is the elliptic curve discrete logarithm problem — the hardest standard problem per bit that cryptographers know.

▶ try it — y² = x³ + 2x + 3 over 𝔽₉₇ · slide k to walk k·G
1

Stare at that walk: consecutive multiples of G share no visible relationship. A real curve like Curve25519 does exactly this with p ≈ 2255 — a "grid" with more points than atoms in the universe, where your secret is just how many times G was added.

08 · Putting it together

ECDH: the paint trick, on a curve

Replace paint-mixing with point-multiplication and you have elliptic-curve Diffie–Hellman — the key exchange your browser almost certainly performed to fetch this page:

1  Alice picks secret α, publishes A = αG  ·  Bob picks secret β, publishes B = βG
2  Alice computes αB = αβG  ·  Bob computes βA = αβG
3  same point → same shared secret. Eavesdropper holds G, A, B — and the ECDLP wall.
▶ try it — pick two secrets, watch both sides land on the same point
7
23

The shared point's x-coordinate gets hashed into an AES key, and from there the fast symmetric machinery takes over. Asymmetric crypto opens the door; symmetric crypto carries the furniture.

09 · The scoreboard

RSA vs. elliptic curves today

Both systems are alive and well, but the economics differ wildly. Because the best attacks on elliptic curves are so much weaker than the best attacks on factoring, ECC buys the same security with drastically smaller keys — smaller certificates, faster handshakes, less battery:

key size needed for equivalent security (NIST SP 800-57)
ECC key bits RSA key bits
bar length ∝ key size in bits · hover a bar for the security-level details

Which is why the modern internet splits the work:

The quantum footnote: Shor's algorithm on a large quantum computer would break both factoring and discrete logs — RSA and ECC alike. That's why TLS is already deploying hybrid key exchange (X25519 mixed with the lattice-based ML-KEM), so traffic recorded today can't be decrypted by tomorrow's hardware. Different one-way street, same beautiful idea.

That's the whole machine: a problem easy in one direction, hopeless in the other, and fifty years of increasingly elegant ways to hide a trapdoor in it. Every padlock icon in your browser is one of these demos, scaled up until the sun burns out first.