The ECC is probably better for most purposes, but not for everything. In this post, I'm trying to identify the advantages and disadvantages of ECC.
The ECC's main advantage is that you can have the smaller key size for the same level of security, in particular at high levels of security AES-256 ~ ECC-512 ~ RSA-15424 (algorithms for factoring, like the Number Field Sieve).
Advantages of ECC
- Very fast key generation.
- Smaller keys, cipher-texts, and signatures.
- Fast signatures.
- Signatures can be computed in two stages, allowing latency much lower.
- Moderately fast encryption and decryption.
- Than inverse throughput.
- Right protocols for authenticated key exchange (FH-ECMQV et al.).
- Better US government support.
- Binary curves are fast in hardware.
- Unique curves with bilinear pairings allow new-fangled crypto
- Signature generation is faster with RSA.
Disadvantages of ECC
- Complicated and tricky to implement securely, mainly the standard curves.
- Standards aren't state-of-the-art, particularly ECDSA, which is a hack compared to Schnorr signatures.
- Newer algorithms could theoretically have unknown weaknesses. Binary curves are slightly scary.
- Signing with a broken or compromised random number generator compromises the key.
- Itstill has some patent problems, especially for binary curves. Itmight be costly...
- Public key operations (e.g., signature verification, as opposed to signature generation) are slow with ECC.
Don't use DUAL_EC_DRBG, since it has a back door.
If you are still considering transition to Suite B algorithms, I agree with NealKoblitz AlfredJ.Menezes recommendation not to make a significant expenditure. For many years, it has been known that both the integer factorization problem, upon which RSA is based, and the Elliptic Curve Discrete Logarithm problem, upon which ECC is based, can be solved in polynomial time by a quantum computer instead to prepare for the upcoming quantum resistant algorithm transition.... Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy”.
The question is whether discrete algorithms over an elliptical curve have the same "smoothness" property as you use in the sieve-based algorithms forfactoringthe product of large primes.
If elliptical curves aren't "smooth" (and quite a few mathematicians seem convinced they're not), then the sieve-style factoring algorithms can't be adapted to taking discrete logarithms over elliptical curves. If they are smooth (and a fair number of other mathematicians seem convinced this is likely to be true), the sieve-style algorithms could be adapted. This would be a significant "break" against ECC—you'd need to increase key sizes substantially to maintain security (probably not to quite as large as RSA for equal protection, but relatively close).
Advantages of RSA
- More comfortable to implement than ECC.
- Easier to understand.
- Signing and decryption are similar; encryption and verification are similar.
- Widely deployed, better industry support.
Disadvantages of RSA
- Very slow key generation.
- Slow signing and decryption, which are slightly tricky to implement securely.
- The two-part key is vulnerable to GCD attack if poorly implemented.
- Public key operations (e.g., signature verification, as opposed to signature generation) are faster with RSA (8000 ECDSA verifications per second, vs. 20000 RSA verifications per second).
If you considering transition to Suite B algorithms, I recommend not to make a significant expenditure. For many years, it has been known that both the integer factorization problem, upon which RSA is based, and the Elliptic Curve Discrete Logarithm problem, upon which ECC is based, can be solved in polynomial time by a quantum computer instead to prepare for the upcoming quantum resistant algorithm transition.... Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy”
The question is whether discrete logarithms over an elliptical curve have the same "smoothness" property as you use in the sieve-based algorithms for factoring the product of large primes.
If elliptical curves aren'tsmooth (and some mathematicians seem convinced they're not), then the sieve-style factoring algorithms cannot be adapted to taking discrete logarithms over ECC. If they are smooth and a objective number of mathematicians seem convinced this is likely to be true and the sieve-style algorithms could be adapted. This would be a significant "break" against ECC—you'd need to increase ECC key sizes substantially to maintain algorithm security (probably not to quite as large as RSA for equal protection, but relatively close).
Advantages of RSA
- More comfortable to implement than ECC.
- Easier to understand.
- Signing and decryption are similar; encryption and verification are similar.
- Widely deployed, better industry support.
Disadvantages of RSA
- Very slow key generation.
- Slow signing and decryption, which are slightly tricky to implement securely.
- The two-part key is vulnerable to GCD attack if poorly implemented.
- Public key operations (e.g., signature verification, as opposed to signature generation) are faster with RSA (8000 ECDSA verifications per second, vs. 20000 RSA verifications per second).
References
•Menezes, Alfred J. et al. (1996), Handbook of Applied Cryptography, CRC Press.
•C.P. Schnorr (1990), "Efficient identification and signatures for smart cards," in G. Brassard, ed. Advances in Cryptology—Crypto '89, 239-252, Springer-Verlag. Lecture Notes in Computer Science, nr 435
•Claus-Peter Schnorr (1991), "Efficient Signature Generation by Smart Cards," Journal of Cryptology 4(3), 161–174 (PS).
Elliptic curve cryptography or RSA algorithm and why ....
A RIDDLE WRAPPED IN AN ENIGMA - Cryptology ePrint Archive.
I am a cryptography expert with a deep understanding of various cryptographic algorithms and their applications. My expertise is grounded in both theoretical knowledge and practical implementation, allowing me to provide insights into the advantages and disadvantages of different cryptographic schemes. I have a comprehensive understanding of elliptic curve cryptography (ECC), RSA algorithm, and their implications in the face of emerging technologies such as quantum computing.
Now, let's delve into the concepts discussed in the article:
1. Elliptic Curve Cryptography (ECC):
Advantages of ECC:
- Smaller key size for the same level of security compared to RSA.
- Very fast key generation.
- Smaller keys, cipher-texts, and signatures.
- Fast signatures with lower latency.
- Moderately fast encryption and decryption.
- Suitable for authenticated key exchange protocols (e.g., FH-ECMQV).
- Better support from the U.S. government.
- Binary curves are fast in hardware.
Disadvantages of ECC:
- Complicated and tricky to implement securely, especially standard curves.
- Standards, particularly ECDSA, may not be state-of-the-art.
- Potential unknown weaknesses in newer algorithms.
- Concerns about binary curves.
- Vulnerability if using a compromised random number generator.
- Patent issues, especially for binary curves.
- Public key operations (e.g., signature verification) are slow.
2. RSA Algorithm:
Advantages of RSA:
- Easier to implement than ECC.
- Straightforward to understand.
- Similar processes for signing and decryption, as well as encryption and verification.
- Widely deployed with strong industry support.
Disadvantages of RSA:
- Very slow key generation.
- Slow signing and decryption, which can be tricky to implement securely.
- Vulnerable to GCD attacks if poorly implemented.
- Public key operations (e.g., signature verification) are faster compared to ECC.
Quantum Computing Considerations:
- Both RSA and ECC face the threat of being solved in polynomial time by a quantum computer.
- The growth of elliptic curve use necessitates a re-evaluation of cryptographic strategies in the face of quantum computing progress.
- The "smoothness" property of elliptic curves in the context of factoring algorithms is a crucial consideration for the security of ECC against quantum attacks.
References:
- Menezes, Alfred J. et al. (1996), "Handbook of Applied Cryptography," CRC Press.
- C.P. Schnorr (1990), "Efficient identification and signatures for smart cards," Advances in Cryptology—Crypto '89.
- Claus-Peter Schnorr (1991), "Efficient Signature Generation by Smart Cards," Journal of Cryptology 4(3), 161–174.
In conclusion, the choice between ECC and RSA involves trade-offs in terms of key size, performance, implementation complexity, and vulnerability to emerging technologies like quantum computing. Each has its merits and drawbacks, and the decision should be made based on the specific requirements and threat models of the cryptographic application.
