The ECC is probably better for most purposes, but not for everything. In this post, I'm trying to identify the advantages and disadvantages of ECC.
The ECC's main advantage is that you can have the smaller key size for the same level of security, in particular at high levels of security AES-256 ~ ECC-512 ~ RSA-15424 (algorithms for factoring, like the Number Field Sieve).
Advantages of ECC
- Very fast key generation.
- Smaller keys, cipher-texts, and signatures.
- Fast signatures.
- Signatures can be computed in two stages, allowing latency much lower.
- Moderately fast encryption and decryption.
- Than inverse throughput.
- Right protocols for authenticated key exchange (FH-ECMQV et al.).
- Better US government support.
- Binary curves are fast in hardware.
- Unique curves with bilinear pairings allow new-fangled crypto
- Signature generation is faster with RSA.
Disadvantages of ECC
- Complicated and tricky to implement securely, mainly the standard curves.
- Standards aren't state-of-the-art, particularly ECDSA, which is a hack compared to Schnorr signatures.
- Newer algorithms could theoretically have unknown weaknesses. Binary curves are slightly scary.
- Signing with a broken or compromised random number generator compromises the key.
- Itstill has some patent problems, especially for binary curves. Itmight be costly...
- Public key operations (e.g., signature verification, as opposed to signature generation) are slow with ECC.
Don't use DUAL_EC_DRBG, since it has a back door.
If you are still considering transition to Suite B algorithms, I agree with NealKoblitz AlfredJ.Menezes recommendation not to make a significant expenditure. For many years, it has been known that both the integer factorization problem, upon which RSA is based, and the Elliptic Curve Discrete Logarithm problem, upon which ECC is based, can be solved in polynomial time by a quantum computer instead to prepare for the upcoming quantum resistant algorithm transition.... Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy”.
The question is whether discrete algorithms over an elliptical curve have the same "smoothness" property as you use in the sieve-based algorithms forfactoringthe product of large primes.
If elliptical curves aren't "smooth" (and quite a few mathematicians seem convinced they're not), then the sieve-style factoring algorithms can't be adapted to taking discrete logarithms over elliptical curves. If they are smooth (and a fair number of other mathematicians seem convinced this is likely to be true), the sieve-style algorithms could be adapted. This would be a significant "break" against ECC—you'd need to increase key sizes substantially to maintain security (probably not to quite as large as RSA for equal protection, but relatively close).
Advantages of RSA
- More comfortable to implement than ECC.
- Easier to understand.
- Signing and decryption are similar; encryption and verification are similar.
- Widely deployed, better industry support.
Disadvantages of RSA
- Very slow key generation.
- Slow signing and decryption, which are slightly tricky to implement securely.
- The two-part key is vulnerable to GCD attack if poorly implemented.
- Public key operations (e.g., signature verification, as opposed to signature generation) are faster with RSA (8000 ECDSA verifications per second, vs. 20000 RSA verifications per second).
If you considering transition to Suite B algorithms, I recommend not to make a significant expenditure. For many years, it has been known that both the integer factorization problem, upon which RSA is based, and the Elliptic Curve Discrete Logarithm problem, upon which ECC is based, can be solved in polynomial time by a quantum computer instead to prepare for the upcoming quantum resistant algorithm transition.... Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy”
The question is whether discrete logarithms over an elliptical curve have the same "smoothness" property as you use in the sieve-based algorithms for factoring the product of large primes.
If elliptical curves aren'tsmooth (and some mathematicians seem convinced they're not), then the sieve-style factoring algorithms cannot be adapted to taking discrete logarithms over ECC. If they are smooth and a objective number of mathematicians seem convinced this is likely to be true and the sieve-style algorithms could be adapted. This would be a significant "break" against ECC—you'd need to increase ECC key sizes substantially to maintain algorithm security (probably not to quite as large as RSA for equal protection, but relatively close).
Advantages of RSA
- More comfortable to implement than ECC.
- Easier to understand.
- Signing and decryption are similar; encryption and verification are similar.
- Widely deployed, better industry support.
Disadvantages of RSA
- Very slow key generation.
- Slow signing and decryption, which are slightly tricky to implement securely.
- The two-part key is vulnerable to GCD attack if poorly implemented.
- Public key operations (e.g., signature verification, as opposed to signature generation) are faster with RSA (8000 ECDSA verifications per second, vs. 20000 RSA verifications per second).
References
•Menezes, Alfred J. et al. (1996), Handbook of Applied Cryptography, CRC Press.
•C.P. Schnorr (1990), "Efficient identification and signatures for smart cards," in G. Brassard, ed. Advances in Cryptology—Crypto '89, 239-252, Springer-Verlag. Lecture Notes in Computer Science, nr 435
•Claus-Peter Schnorr (1991), "Efficient Signature Generation by Smart Cards," Journal of Cryptology 4(3), 161–174 (PS).
Elliptic curve cryptography or RSA algorithm and why ....
A RIDDLE WRAPPED IN AN ENIGMA - Cryptology ePrint Archive.
