The types of asymmetric encryption fall into a handful of families, each built on a mathematical problem that is easy to compute in one direction but hard to reverse: integer factorization (RSA), the elliptic-curve discrete logarithm (ECC), the classic discrete logarithm (Diffie-Hellman), and lattice-based problems (the post-quantum schemes). All of them share the defining trait of public-key cryptography, which is that you hold a keypair rather than a single shared secret. One key encrypts or verifies, the other decrypts or signs, and knowing one does not let you derive the other in any feasible amount of time.
Understanding the families matters because they are not interchangeable. Picking the wrong one, or the right one with wrong parameters, is how key sizes end up too small or algorithms end up deprecated in a config file nobody revisits.
Why asymmetric encryption exists
Symmetric encryption, where both parties share one secret key, is fast and strong, but it has a chicken-and-egg problem: how do two strangers agree on that secret over an untrusted network? Asymmetric encryption solves the bootstrap. You publish your public key to the world; anyone can encrypt to you, but only your private key decrypts. In practice, the two are almost always combined. Asymmetric crypto negotiates or protects a symmetric session key, and the bulk data is then encrypted symmetrically because it is far faster. This hybrid is exactly what happens in every TLS handshake.
RSA: factoring large numbers
RSA is the family most people meet first. Its security rests on the difficulty of factoring the product of two large primes. You multiply two big primes to get a modulus; recovering those primes from the modulus alone is computationally infeasible at sufficient size.
RSA does both encryption and digital signatures. Its weakness is that security scales with key length, and secure key lengths have grown large. Current guidance puts the floor at 2048-bit keys, with 3072-bit recommended for data that must stay confidential well into the future. Those large keys make RSA slower and its ciphertexts bigger than the alternatives.
# Generate a 3072-bit RSA private key and extract its public key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out private.pem
openssl pkey -in private.pem -pubout -out public.pem
Elliptic curve cryptography (ECC)
ECC is built on the elliptic-curve discrete logarithm problem, and its headline advantage is efficiency. A 256-bit elliptic-curve key offers security comparable to a 3072-bit RSA key. Smaller keys mean faster operations, less bandwidth, and lower power draw, which is why ECC dominates on mobile devices, in TLS, and in modern protocols generally.
Two names you will see constantly:
- ECDSA and its modern sibling EdDSA (Ed25519) for signatures.
- ECDH for key agreement.
Curve choice matters. Widely trusted curves include Curve25519 (used by Ed25519 and X25519) and the NIST P-256 curve. The practical rule is to prefer well-vetted, widely deployed curves over exotic ones.
# Generate an Ed25519 keypair (modern elliptic-curve signatures)
openssl genpkey -algorithm ed25519 -out ed25519.pem
Diffie-Hellman key exchange
Diffie-Hellman is a key-agreement scheme rather than an encryption scheme. It lets two parties who have never met derive a shared secret over a public channel, without ever transmitting the secret itself. Classic finite-field Diffie-Hellman relies on the discrete logarithm problem in a large prime field; its elliptic-curve variant, ECDH, does the same over a curve and is what modern TLS uses.
The property you want here is forward secrecy. Using ephemeral Diffie-Hellman keys, a fresh keypair per session, means that even if a long-term private key is later stolen, past recorded sessions stay unreadable. This is why ephemeral variants (DHE and ECDHE) are the default in current TLS configurations.
Post-quantum families
A sufficiently large quantum computer running Shor's algorithm would break RSA, ECC, and Diffie-Hellman, because it can factor and solve discrete logarithms efficiently. That threat is not here yet, but data captured today could be decrypted later, so the migration has begun. The standardized post-quantum schemes rest on different hard problems, chiefly structured lattices.
The two you will hear about most are ML-KEM (the key-encapsulation mechanism standardized from CRYSTALS-Kyber) and ML-DSA (the signature scheme from CRYSTALS-Dilithium). Deployment today is typically hybrid: a classical key exchange like X25519 combined with a post-quantum KEM, so you keep classical security while adding quantum resistance. If you build software that stores long-lived secrets, this is the transition to start planning.
Choosing a family in practice
For new systems, prefer elliptic curve for both signatures and key agreement, since it gives you strong security with small, fast keys. Reserve RSA for interoperability with systems that require it, and when you do use it, do not go below 2048-bit. Use ephemeral Diffie-Hellman (ECDHE) for transport to get forward secrecy. And if your data must remain confidential for a decade or more, begin evaluating a hybrid post-quantum key exchange now.
Crypto choices tend to hide in dependencies and TLS libraries rather than your own code, which is why they drift out of date silently. Cataloguing what your build actually links against, through an SCA workflow, surfaces the outdated crypto library before an auditor does.
FAQ
What is the difference between symmetric and asymmetric encryption?
Symmetric encryption uses one shared secret key for both encrypting and decrypting, and it is fast. Asymmetric encryption uses a public/private keypair so strangers can communicate securely without pre-sharing a secret. Real systems combine them: asymmetric crypto protects a symmetric session key.
Is RSA or elliptic curve encryption better?
Elliptic curve is generally the better default for new systems because a 256-bit ECC key matches the strength of a roughly 3072-bit RSA key while being faster and smaller. Use RSA mainly where you need interoperability with systems that require it, and never below 2048 bits.
Will quantum computers break asymmetric encryption?
A large fault-tolerant quantum computer could break RSA, ECC, and Diffie-Hellman using Shor's algorithm. That hardware does not exist yet, but because captured data can be decrypted later, standardized post-quantum schemes such as ML-KEM and ML-DSA are being deployed in hybrid mode today.
What is forward secrecy and why does it matter?
Forward secrecy means each session uses an ephemeral keypair, so compromising a long-term private key later does not expose past sessions. Ephemeral Diffie-Hellman variants (ECDHE) provide it and are the modern default in TLS.