Because there is no known way for computing the prime factors of such huge integers, only the person who created the public key can also develop the private key needed for decryption. RSA is both more computationally costly and substantially slower than AES. It is often used to encrypt **tiny quantities** of data. AES is generally used to protect large files or databases.

In such a cryptosystem, the encryption key is made public, as opposed to **the decryption key**, which is kept hidden (private). This imbalance is predicated in RSA on the practical difficulty of factorizing the product of two big prime integers, known as the "factoring issue." It is relatively easy to determine whether these numbers are divisible by **some third number**; but if they are not then no solution can be found for factorization. The factoring issue does not apply to other asymmetric algorithms, such as ElGamal and ECC.

Because the encryption key is public, anyone who knows it can encrypt data for you to read later. But only you know **your decryption key**, so only you can decrypt the data.

The reason this approach is useful is that it allows people who do not want their data to be encrypted or decrypted with their keys to use the system. For example, let's say I post my encryption key on Twitter and Facebook; someone could take my word for it that I am not the one who should not have access to this data, so they begin sending me encrypted messages. I could follow suit and send them back an unencrypted message, which they would need to trust me not to forward to others.

The fact that AES is a symmetric algorithm necessitates the employment of the same key by both the encryptor and the decryptor. This means that either the encrypted data must be transmitted directly or stored in a secure manner until decrypted. AES is generally considered more secure than RSA because it uses much **larger keys** (e.g., 128 bits vs. 32 bits for RSA). However, RSA can use larger keys too; there are implementations that use 2048-bit keys. Overall, AES is preferred over RSA.

The computational complexity of factoring **big numbers** underpins RSA security. The capacity to factor larger and larger numbers grows as computing power grows and more efficient factoring methods are developed. But the fact that it is not feasible to factor large numbers in a reasonable time implies that there will never be an attack against RSA.

For the same security level, RSA encryption is often slower than **elliptic curve encryption** (which requires smaller keys with ECC). ECC is younger than RSA and is gradually gaining traction. A side note: RSA decryption is slower than **standard encryption**. However, it's faster than ECC decryption.

The main reason for this is that RSA encrypts data in blocks, while EC encrypts individual elements of a vector. This is not an issue with **standard security levels** of encryption, but if you need to process large amounts of data then it will be an issue. Also, keep in mind that modern computers can perform thousands of operations per second, so even high-speed algorithms such as RSA could delay your system significantly if you are processing large volumes of data.

There are two ways to improve performance with RSA encryption: use larger moduli or switch to elliptic curve encryption.

Larger moduli allow you to use higher numbers, which reduces block size and thus improves performance. For example, a 2048-bit key uses 8 bytes (64 bits) instead of 4 bytes (32 bits) for a 256-bit key. However, keeping modulus sizes small reduces security because there are less possible values that can be used for each key.