Quiz Entry - updated: 2026.07.14
What are the practical advantages of ECC over RSA, and what key sizes does BSI recommend?
ECC offers equivalent security with 10-15x shorter keys, faster key generation, and better performance on constrained devices. BSI recommends minimum 256-bit ECC (equivalent to 3072-bit RSA).
* For the same security level ECC keys stay around twice the symmetric bits while RSA/DH balloon super-linearly — the headline reason to prefer ECC. *
Key size comparison (BSI 2023):
| Algorithm | Minimum key size | Equivalent symmetric security |
|---|---|---|
| RSA | 3072 bits | ~128 bits |
| DH | 3072 bits | ~128 bits |
| ECC | 256 bits | ~128 bits |
| ECC (recommended) | 512 bits | ~256 bits |
Practical advantages:
- Shorter keys → smaller certificates, less bandwidth
- Faster key generation → important for ephemeral keys in TLS
- Better for constrained devices → smart cards, IoT, mobile
- Probabilistic by nature → no OAEP-like padding needed for encryption (ElGamal on curves)
Disadvantages:
- More complex mathematics (harder to understand and implement correctly)
- Implementation errors can be catastrophic (e.g., Sony PS3 ECDSA bug — reused $k$)
- Curve selection matters — some curves have backdoor concerns (Dual_EC_DRBG scandal)
Modern curves: Curve25519 (X25519 for DH, Ed25519 for signatures) by Daniel Bernstein — designed for security and implementation simplicity. Used in Signal, WireGuard, SSH.
Go deeper:
BSI TR-02102-1 — Cryptographic mechanisms: key lengths (2026) — the authoritative recommended key sizes.
Keylength.com — key-length comparator — compare NIST / BSI / ECRYPT recommendations side by side.
Curve25519 — Wikipedia — the modern 128-bit-security curve behind Signal and WireGuard.