Why ECC Replaced RSA For New Systems
A 256-bit elliptic-curve key offers roughly the same security as a 3072-bit RSA key. Smaller keys mean shorter signatures, faster math, less power on mobile devices, and smaller certificates. For a phone making a hundred TLS connections an hour, the savings add up.
| Security level | RSA key size | ECC key size | Signature size |
|---|---|---|---|
| ~80-bit | 1024 bits | 160 bits | RSA 128 bytes / ECDSA 40 bytes |
| ~128-bit | 3072 bits | 256 bits | RSA 384 bytes / ECDSA 64 bytes |
| ~192-bit | 7680 bits | 384 bits | RSA 960 bytes / ECDSA 96 bytes |
| ~256-bit | 15360 bits | 512 bits | RSA 1920 bytes / ECDSA 132 bytes |
The 15360-bit RSA row exists only on paper. Nobody runs that in production. ECC scales gracefully into the high-security range; RSA does not.
The Curve Itself
An elliptic curve over the real numbers is the set of (x, y) points that satisfy the equation:
y² = x³ + ax + b
For different choices of a and b, you get different curves. The standard restriction is that the curve has no cusps or self-intersections, which means 4a³ + 27b² ≠ 0.
Crypto does not use the real-number version. Crypto uses the curve over a finite field: instead of all real x and y, you only consider integers mod p, so the curve becomes a scatter of discrete points instead of a continuous line. The geometric pictures on this page are the continuous-real version because they are easier to draw. The math works the same way on the finite field, just without the smooth picture.
Point Addition, Geometrically
The crypto-relevant operation is adding two points on the curve to get a third point. The addition rule is geometric:
- To compute P + Q, draw a straight line through P and Q.
- That line will cross the curve in exactly one other place. Call that point R'.
- Reflect R' across the x-axis. The reflection is the result: P + Q = R.
It looks like a bizarre rule, but it is mathematically natural: it makes the set of points on the curve into a group, which means you can do algebra with them. The special case P + P uses the tangent line at P instead of a chord.
Scalar Multiplication
If you can add P to itself, you can do 2P = P + P, then 3P = 2P + P, and so on. In general, kP means adding P to itself k times. This is called scalar multiplication and it is the workhorse operation of ECC.
Naive repeated addition would be slow for big k. The standard algorithm is double-and-add: read the bits of k from most to least significant, double the running point each step, and add P whenever you see a 1 bit. This computes kP in O(log k) steps instead of O(k).
The Elliptic Curve Discrete Logarithm Problem
Computing kP when you know P and k is easy (double-and-add). Recovering k when you know P and kP is the elliptic curve discrete logarithm problem (ECDLP). It is the trapdoor function of ECC.
ECDLP is harder than the regular DLP in finite fields. The Number Field Sieve, which is the best general-purpose attack against RSA and traditional DH, does not apply to elliptic curves. The best generic attack on ECDLP is Pollard's rho, which runs in roughly O(√n) time. That square-root cost is why ECC keys can be so much shorter than RSA keys: doubling the bit length squares the attack cost.
- To attack a 256-bit elliptic curve, you need about 2¹²⁸ point additions.
- To attack a 256-bit RSA key, you need... a few seconds.
- To attack a 256-bit AES key, you need about 2¹²⁸ trial encryptions.
ECC and AES scale the same way: bit length roughly equals security level. RSA does not.
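The asymmetry described in the Scalar Multiplication and ECDLP sections, as an added example (not code from the original page): finite-field point addition and MSB-first double-and-add in one direction, and baby-step giant-step in the other, a deterministic generic algorithm with the same square-root cost as Pollard's rho. The curve (p = 1009, a = 2, G = (3, 5)) and all function names are constructed for illustration and are far too small for real use.

```python
from math import isqrt
# Toy curve y^2 = x^3 + A*x + B over F_P (constructed; B derived so G is on it).
P, A, G = 1009, 2, (3, 5)
B = (G[1] ** 2 - G[0] ** 3 - A * G[0]) % P
assert (4 * A ** 3 + 27 * B ** 2) % P != 0  # no cusps or self-intersections
INF = None  # point at infinity: the group identity

def add(p1, p2):
    """Chord-and-tangent addition, all arithmetic mod P."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # vertical line: p2 is -p1
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P  # chord slope
    x3 = (s * s - x1 - x2) % P
    return x3, (s * (x1 - x3) - y1) % P  # third intersection, reflected

def scalar_mult(k, pt):
    """Double-and-add, most significant bit first: (k*pt, group ops used)."""
    acc, ops = INF, 0
    for bit in bin(k)[2:]:
        acc, ops = add(acc, acc), ops + 1
        if bit == "1":
            acc, ops = add(acc, pt), ops + 1
    return acc, ops

def order(pt):
    """Order of pt by repeated addition (feasible only on a toy curve)."""
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n

def bsgs(q, pt, n):
    """Baby-step giant-step: k with k*pt == q in about 2*sqrt(n) group ops.
    Returns None if q is not a multiple of pt."""
    m = isqrt(n - 1) + 1  # ceil(sqrt(n))
    baby, acc = {}, INF
    for j in range(m):  # table of j*pt for 0 <= j < m
        baby[acc] = j
        acc = add(acc, pt)
    step = scalar_mult(n - m, pt)[0]  # -m*pt, because n*pt is INF
    for i in range(m):  # is q - i*m*pt in the table?
        if q in baby:
            return (i * m + baby[q]) % n
        q = add(q, step)
```

scalar_mult never spends more than two group operations per bit of k, while bsgs needs on the order of √n of them; on a real 256-bit curve that gap is what keeps the private scalar out of reach.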
Curves You Actually Encounter
You will see a few specific curve names recur across protocols:
| Curve | Where it shows up | Notes |
|---|---|---|
| P-256 (secp256r1) | TLS, most browsers, smart cards | NIST curve from 1999. Constants chosen by NSA, which has prompted ongoing suspicion. |
| P-384, P-521 | High-assurance government use | NIST curves at higher security levels. |
| Curve25519 | SSH, Signal, WireGuard, TLS 1.3 | Designed by Daniel Bernstein in 2005. Fast, side-channel-resistant, designed with reproducible constants. |
| Ed25519 | SSH host keys, signing in OpenSSL, JWT | Edwards-curve form of Curve25519. Used for signatures rather than key exchange. |
| secp256k1 | Bitcoin, Ethereum, most cryptocurrencies | Koblitz curve. Chosen for slight performance benefits in scalar multiplication. |
The constants for P-256 came from a process described in NIST FIPS 186-2 that involved a "verifiably random" seed. The seed itself, however, was supplied by NSA with no explanation. In 2013, leaked documents revealed that NSA had successfully inserted a backdoor into a different NIST cryptography standard (Dual_EC_DRBG). After that, the cryptographic community lost confidence that NIST curves were free of similar manipulation. Curve25519 was designed with constants that anyone can re-derive from a simple equation, removing the trust requirement. Most new systems use Curve25519 by default.
Where ECC Lives
- TLS 1.3: X25519 is the default key-exchange curve. Most server certificates still use RSA or ECDSA-P256.
- SSH: ed25519 is the default host key type and the default user-key recommendation since 2014.
- Apple Secure Enclave / Android Keystore: Device-bound private keys for biometric auth use P-256 ECDSA.
- Bitcoin and Ethereum: Every wallet is an ECDSA key pair on secp256k1. Every transaction is an ECDSA signature.
- JWT and OIDC: ES256 (ECDSA on P-256) is one of the most common signing algorithms for identity tokens.
If you wrote new cryptographic software in the last decade, you almost certainly reached for an elliptic curve and not an RSA modulus.