What is Elliptic-Curve Cryptography (ECC) and what is its main advantage over RSA?
ECC does Diffie-Hellman-style key exchange (and signatures) on the group of points of an elliptic curve, rather than in Z*_p. The hard problem is the discrete log on elliptic curves (ECDLP) — which appears much harder per bit than ordinary discrete log, giving equivalent security at far smaller key sizes.
An elliptic curve has the form y² = x³ + a·x + b (with non-singularity condition 4a³ + 27b² ≠ 0). The set of points on the curve, plus a "point at infinity," forms a mathematical group. You can define point "addition" by drawing lines and intersecting — but the group operation is rich enough that "scalar multiplication" (adding a point to itself k times) is easy but recovering k is hard.
Why smaller keys? The best-known attack on ECDLP scales as O(√n), which is much worse per bit than the GNFS on plain factoring (sub-exponential). So a 256-bit elliptic curve key has roughly the same security strength as a 3072-bit RSA key.
Key size comparison:
| Security level | RSA / DH key | ECC key | Symmetric key |
|---|---|---|---|
| 80 bits | 1024 | 160 | 80 |
| 128 bits | 3072 | 256 | 128 |
| 192 bits | 7680 | 384 | 192 |
| 256 bits | 15,360 | 512 | 256 |
Consequences:
- Smaller keys & certs → less bandwidth, less storage.
- Faster signature and key-exchange operations on the same hardware.
- Smaller signatures — important for low-bandwidth IoT.
- TLS 1.3 makes ECDHE the default and the only key-exchange option.
Popular curves: P-256 (NIST), Curve25519 (Bernstein, used in WireGuard/Signal), secp256k1 (used by Bitcoin).
Tip: When designing a new system in 2024, prefer ECC over RSA unless you have a specific reason (legacy interop, FIPS compliance). Use Curve25519/Ed25519 unless your environment requires the NIST curves.