End-to-end encryption explained as if you were five by Paolo Insogna
End-to-end encryption (E2EE) fortifies data by transforming it into an unreadable format using encryption keys, ensuring only authorized endpoints can decode it. This security measure shields sensitive information — like business documents, financial records, medical data, or personal conversations — during transmission.
Its importance lies in preventing cyber threats that cost businesses millions in breaches, encompassing response expenses, revenue loss, and reputational harm. E2EE doesn’t just encrypt messages. It enables strict control over data access through a centralized policy management system.
Combined with a key management protocol, it protects information at every stage, preventing breaches and preserving customer trust while adhering to regulatory compliance. Nevertheless, skepticism persists regarding the security of this system, particularly among individuals who lack technical expertise and familiarity with technology.
During his lecture “Maths or magic? End-to-end encryption explained like I’m five” at the Full Stack Europe conference we attended in October, Paolo Insogna (Core member at Node.js) clarified misunderstandings about end-to-end encryption, highlighting that decrypting the system would take roughly 100 years, making the accessed data irrelevant.
What is end-to-end encryption?
At the beginning of our conversation, Paolo made it clear: there are only two possible forms of encryption. One is the regular one, and the other is end-to-end. He explained that the biggest difference shows up when we have to transfer some data from point A to point B through somebody in the middle. With regular encryption, what usually happens is that we send the encrypted data to that somebody in the middle, who decrypts it and sends it on to the other party.
He continued that end-to-end encryption is way more secure because the data is never decrypted along the way and is never readable by anybody who is not supposed to be the final recipient of the message. This means that even if the data packets are hijacked or stopped in any way, there’s nothing anyone can do with that data:
For instance, the authorities can’t read that data because not even the company physically holding it can access it. Companies don’t possess the key to decrypted data.
To make his point even better, Paolo gave an example that is close to all of us. If we lose the password for online accounts at, say, Google or Apple and don’t have any recovery options, those companies wouldn’t be able to decrypt our accounts:
They are not capable of decrypting the data. The data is gone forever. They do not like it, but it’s just how it works.
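The difference described above, between a middle party that decrypts and one that only forwards, shown as an added Node.js example (not code from the talk). The function names, the sample message and the `e2ee-demo` label are made up for illustration, and the example assumes Alice and Bob already hold each other's authentic public keys.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers; a fresh random 12-byte nonce is used per message.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  // final() throws if the ciphertext or tag was modified in transit.
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Endpoint key: X25519 key agreement, then HKDF to get a 32-byte AES key.
function sharedKey(myPrivate, peerPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2ee-demo', 32));
}

// Regular model: one key per hop, so the relay decrypts and re-encrypts.
function relayRegular(msg, keyAliceRelay, keyRelayBob) {
  const seen = open(keyAliceRelay, msg); // the relay reads the plaintext here
  return { seen, forwarded: seal(keyRelayBob, seen) };
}

// End-to-end model: the relay holds no key and can only pass bytes along.
function relayE2E(msg) {
  return { seen: msg.ct.toString('hex'), forwarded: msg };
}

function demo() {
  const text = 'blood test results: all fine'; // constructed sample message
  const kAR = crypto.randomBytes(32);          // Alice <-> relay hop key
  const kRB = crypto.randomBytes(32);          // relay <-> Bob hop key
  const regular = relayRegular(seal(kAR, text), kAR, kRB);

  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const e2e = relayE2E(seal(sharedKey(alice.privateKey, bob.publicKey), text));
  return {
    regularRelaySaw: regular.seen,
    bobRegular: open(kRB, regular.forwarded),
    e2eRelaySaw: e2e.seen,
    bobE2E: open(sharedKey(bob.privateKey, alice.publicKey), e2e.forwarded),
  };
}
```

In both models Bob ends up with the same message; only in the regular model does the relay's `seen` value contain the readable text.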
Why is it important?
Then, we asked Paolo if all messaging apps needed to use E2EE, and he was emphatic: they should. He explained why: given the power of the devices, there is no harm in applying encryption because it is very fast. Encrypting a very small text message takes a few milliseconds, and decrypting it takes a few milliseconds too:
There is no good technology excuse not to use this technique. On the other hand, I am aware of the state of consciousness of contemporary society. First, we have high-level security problems like national security problems caused by governments and state institutions not encrypting their data.
Paolo points out that this is a wrong point of view because problems arise when E2EE is not used, not because the technology is bad and permeable. The mathematics behind it is so secure that not even all the computing power of Facebook can decrypt your message. That’s why companies should trust technology:
Let me put it this way: nobody doubts that if an engineer builds a bridge, the bridge will stay up. They should trust developers as well.
Is it really secure?
Asked to explain how secure end-to-end encryption is, Paolo pointed out that the point of encryption is not that data could never be decrypted. That’s because, in the long run, if someone tried all possible combinations, they would discover the right one at some point.
The core idea is to make guessing the right combination so hard that decrypting it would take so long that the data eventually encrypted would become useless:
If you try to decrypt my health data by brute forcing, so you try every possible combination, it will take you 100 years. In 100 years, I’m long dead.
Will faster computers be able to decrypt it?
The only thing potentially threatening end-to-end encryption is quantum computing, as those computers are way faster than the ones we currently use:
Quantum computers are way faster, and I’m talking a million times faster than today’s computers. So it becomes possible to decrypt the data much more rapidly.
However, this scenario is only possible if we keep the data encrypted today with slower computers and use faster computers to decrypt. Paolo points out that if we have faster computers to decrypt, we will have equally fast computers to encrypt. So, he believes there will be an equalization of forces in the future.
Finally, when we asked Paolo what steps engineers should take to keep data securely encrypted in the future, he replied that as soon as they see these computers arriving, they should take all the data they still care about, decrypt it, and re-encrypt it with more robust encryption.