Does symmetric-key encryption scale?

Image of a key in a lock - Destination Certification

Last week, we talked about one of the major issues that symmetric-key encryption faced, the key distribution problem. This time, we’re going to talk about a separate problem: Trying to use symmetric-key encryption at scale.

Let’s say that an office wants to set up a secure communications system for its employees. If the system used just a single key to encrypt everyone’s communications, then the system would have a single point of failure. If just one person was compromised, the key could be used to access everyone’s communications, which would be a security nightmare.

Instead, the ideal way to go about it is to have separate keys for each pair of individuals that may communicate. Under this system, only the conversation between the pair would be exposed if their key was compromised, not the communications from the whole organization.

If there were only two people in the group, you would only need a single key to encrypt the conversation. But things quickly get out of hand as we scale. A three-person group requires three separate keys:

  • A key for person A and person B.
  • A key for person A and person C.
  • A key for person B and person C.

By adding just one more person to make it four, we double the number of keys we need:

  • A key for person A and person B.
  • A key for person A and person C.
  • A key for person A and person D.
  • A key for person B and person C.
  • A key for person B and person D.
  • A key for person C and person D.

The number of keys required goes up dramatically with each extra person. We can use the following formula, where n is the number of people communicating:

Number of symmetric keys - Destination Certification

Following this formula, for secure communication:

  • 50 people would require 1,225 keys.
  • 500 people would require 124,750 keys.
  • 5,000 people would require 12,497,500 keys.
  • 50,000 people would require 1,249,975,000 keys.

As you can see, the number of keys that we need to securely store and manage quickly gets out of hand. But don’t worry, there’s a solution: public-key encryption.

How does public-key encryption solve the scalability problem?

A public-key encryption algorithm like RSA allows each user to just use two keys: their public key and their matching private key. Together, these are known as a keypair, and the two matching keys share a quirky mathematical relationship. The public key is shared openly, while the private key must be kept secret.

If someone wants to communicate with you confidentially, they simply need to find your public key, use it to encrypt their message, and then send it to you. Due to the quirky mathematical relationship, once the message has been encrypted with your public key, the only way to decrypt it is through your matching private key. As long as your private key isn’t compromised, the data is confidential. If you want to correspond securely with the sender, you would simply have to find their public key and follow the same process.

Public-key encryption makes it much easier to manage keys when we scale up. Because each person only needs two keys, 50 people would only need 100 keys, while 50,000 would only need 100,000. This falls far short of the 1,249,975,000 keys that symmetric-key encryption would require. It also avoids the security issues that stem from having a single key to secure the whole group.

Image of the author

Cybersecurity and privacy writer.

Would you like to receive the DestCert Weekly via email?

Your information will remain 100% private. Unsubscribe with 1 click.

Page [tcb_pagination_current_page] of [tcb_pagination_total_pages]