LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the practical advantages of ECC over RSA, and what key sizes does BSI recommend?

ECC offers equivalent security with 10-15x shorter keys, faster key generation, and better performance on constrained devices. BSI recommends minimum 256-bit ECC (equivalent to 3072-bit RSA).

Bar chart of key sizes for equal security: RSA/DH needs 1024, 3072, 7680, 15360 bits while ECC needs only 160, 256, 384, 512 bits

* For the same security level ECC keys stay around twice the symmetric bits while RSA/DH balloon super-linearly — the headline reason to prefer ECC. *

Key size comparison (BSI 2023):

Algorithm Minimum key size Equivalent symmetric security
RSA 3072 bits ~128 bits
DH 3072 bits ~128 bits
ECC 256 bits ~128 bits
ECC (recommended) 512 bits ~256 bits

Practical advantages:

  • Shorter keys → smaller certificates, less bandwidth
  • Faster key generation → important for ephemeral keys in TLS
  • Better for constrained devices → smart cards, IoT, mobile
  • Probabilistic by nature → no OAEP-like padding needed for encryption (ElGamal on curves)

Disadvantages:

  • More complex mathematics (harder to understand and implement correctly)
  • Implementation errors can be catastrophic (e.g., Sony PS3 ECDSA bug — reused $k$)
  • Curve selection matters — some curves have backdoor concerns (Dual_EC_DRBG scandal)

Modern curves: Curve25519 (X25519 for DH, Ed25519 for signatures) by Daniel Bernstein — designed for security and implementation simplicity. Used in Signal, WireGuard, SSH.

Go deeper:

From Quiz: KRYPTOG / Elliptic Curve Cryptography | Updated: Jul 14, 2026