ECC vs RSA: Comparing SSL/TLS Algorithms


Here’s a comparative analysis of ECC & RSA cryptosystems and how they’re similar or different

Both ECC and RSA are algorithms used for encryption in SSL/TLS certificates. Choosing between an RSA and an ECC certificate before buying SSL/TLS can be a daunting task for a layman, so let’s look at both algorithms in detail.

ECC vs RSA: how do you choose between these two types of algorithms when choosing an SSL/TLS certificate? Moreover, what does each of these options even mean in terms of encryption?

When purchasing an SSL certificate, users come across many technical specifications that they have no idea about. However, going ahead without understanding these terms isn’t an option for many. They want to get to the roots of these terms so that they can make an educated choice about purchasing the right SSL/TLS certificate to protect their website.

Considering that you’re reading this sentence right now, either you’re one of them, or you’re just a curious person who wants or needs to know this. In either case, this post will help you learn what you need to know about RSA and ECC. So, let’s get to learning!

RSA Algorithm

RSA (Rivest–Shamir–Adleman) is the most widely adopted asymmetric cryptographic algorithm today. It’s extensively used in encrypting website data, emails, software, etc.

RSA was invented by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. These three cryptographers used the prime factorization method to achieve the one-way encryption of a message. The prime factorization method involves taking two large random prime numbers (even “trillions” is too small of a number to accurately represent them) and multiplying them to create a public key. However, you cannot decrypt the message without knowing these two prime numbers. Getting these two prime numbers is a mightily difficult task. How difficult? Well, a group of researchers estimated that it would take more than 1,500 years of computing time to sieve a 768-bit, 232-digit RSA modulus using a “single core 2.2 GHz AMD Opteron processor with 2 GB RAM.”

A significant thing making RSA tick is its simplicity. It’s based on simple mathematical principles and can run faster compared to ECC (we’ll speak more about what ECC is in just a moment). Therefore, RSA is ideal for internal organization security.

However, the thing about RSA is that it’s been found to be vulnerable. We won’t get into mathematical details here, but researchers could break the encryption of 12,934 keys out of 6.2 million actual public keys they had scanned and collected. This means RSA encryption provides less than 99.8% security. While this number might sound promising on paper, with the ever-increasing computational power that computers now provide, it means that the RSA algorithm will likely be cracked in the foreseeable future.
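A known cause of breakable RSA keys in large scans of public keys is two moduli sharing a prime because of weak randomness at key generation, which a greatest-common-divisor check over the moduli reveals. The following is an added example, not code from the original article: it audits a key inventory for shared primes and reused moduli, using constructed toy moduli and hypothetical host names.

```python
from itertools import combinations
from math import gcd

# Constructed toy moduli built from small primes for readability
# (real RSA moduli are 2048 bits or more). Host names are hypothetical.
SAMPLE_MODULI = {
    "web-01": 1009 * 1013,
    "mail-01": 1019 * 1021,
    "vpn-gw": 1009 * 1031,   # shares the prime 1009 with web-01
    "api-01": 1033 * 1039,
    "api-02": 1033 * 1039,   # same modulus reused on a second host
}


def shared_factor_audit(moduli):
    """Return (name_a, name_b, kind) for every pair of moduli with a common factor.

    Pairwise gcd is quadratic in the number of keys, which is fine for an
    inventory of a few thousand; larger sets call for a batch-GCD product tree.
    """
    findings = []
    for (name_a, n_a), (name_b, n_b) in combinations(sorted(moduli.items()), 2):
        if gcd(n_a, n_b) == 1:
            continue  # no common factor: this pair is fine
        kind = "duplicate-modulus" if n_a == n_b else "shared-prime"
        findings.append((name_a, name_b, kind))
    return findings


def affected_keys(moduli):
    """Names of all keys that need to be regenerated and re-issued."""
    pairs = shared_factor_audit(moduli)
    return sorted({name for a, b, _ in pairs for name in (a, b)})


if __name__ == "__main__":
    for a, b, kind in shared_factor_audit(SAMPLE_MODULI):
        print(f"{kind}: {a} <-> {b}")
    print("rotate:", ", ".join(affected_keys(SAMPLE_MODULI)))
```

A finding here points at the random number source used during key generation, so the affected keys should be regenerated on a host with a properly seeded generator.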

Now, let’s dive into ECC and what all of that entails.

Elliptical Curve Cryptography

The history of elliptical curve cryptography, or ECC, goes back to 1985, when two mathematicians named Neal Koblitz and Victor S. Miller suggested the use of elliptical curves in cryptography. However, it wasn’t until 2004 or 2005 that ECC algorithms entered the public domain.

As the name suggests, ECC is an asymmetric cryptography algorithm based on the algebraic structure of elliptic curves over finite fields. The ECC algorithm works on the elliptic curve discrete logarithm problem (ECDLP). This cryptography method is harder to crack since there is no known solution to the mathematical problem given by the equation producing the elliptical curve in a graph. Therefore, only one way remains for hackers: a brute-force attack, or a trial-and-error approach in other words. This complexity makes ECC more secure compared to RSA.

ECC is, by structure, more secure compared to RSA because it offers optimal security with shorter key lengths. As a result, it requires a lesser load for network and computing power, which translates into a better user experience. To give you some numbers, RSA can respond to 450 requests per second with a 150-millisecond average response time, whereas ECC takes only 75 milliseconds to respond to the same number of requests per second.

RSA vs ECC: Key Length Comparison

| Security (In Bits) | RSA Key Length Required | ECC Key Length Required |
| --- | --- | --- |
| 80 | 1024 | 160-223 |
| 112 | 2048 | 224-255 |
| 128 | 3072 | 256-383 |
| 192 | 7680 | 384-511 |
| 256 | 15360 | 512+ |

As you can see, RSA requires much larger key lengths compared to ECC. Therefore, to implement 256-bit encryption, we’ll have to use an RSA key length of 15360 bits. This, of course, is not practical since it’ll take much more computational power.
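The key length table above turned into a certificate check, as an added example that is not from the original article: it reads the key algorithm and size from `openssl x509 -noout -text` output and maps them to the security level in the table. The certificate excerpts and their names are constructed, `exampleAlg` is a placeholder for an unrecognised algorithm, and the 112-bit minimum is an assumed policy value.

```python
import re

# Smallest key size (bits) for each security level (bits), per the table above.
LEVELS = {
    "rsaEncryption": [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)],
    "id-ecPublicKey": [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)],
}
ALG_RE = re.compile(r"Public Key Algorithm:\s*(\S+)")
BITS_RE = re.compile(r"Public-Key:\s*\((\d+) bit\)")

# Constructed excerpts in the layout printed by `openssl x509 -noout -text`.
SAMPLE_CERTS = {
    "legacy-intranet": "Public Key Algorithm: rsaEncryption\n    Public-Key: (1024 bit)",
    "www": "Public Key Algorithm: rsaEncryption\n    Public-Key: (2048 bit)",
    "api": "Public Key Algorithm: id-ecPublicKey\n    Public-Key: (256 bit)",
    "signing": "Public Key Algorithm: id-ecPublicKey\n    Public-Key: (521 bit)",
    "unknown": "Public Key Algorithm: exampleAlg\n    Public-Key: (4096 bit)",
}


def key_strength(cert_text):
    """Return (algorithm, key_bits, security_bits), or None if not recognised."""
    alg = ALG_RE.search(cert_text)
    bits = BITS_RE.search(cert_text)
    if not alg or not bits or alg.group(1) not in LEVELS:
        return None
    size, level = int(bits.group(1)), 0
    for min_size, security in LEVELS[alg.group(1)]:
        if size >= min_size:
            level = security  # keep the highest level this key size reaches
    return alg.group(1), size, level


def below_minimum(certs, minimum=112):
    """Names of certificates under the minimum; unrecognised keys fail closed."""
    weak = []
    for name, text in sorted(certs.items()):
        parsed = key_strength(text)
        if parsed is None or parsed[2] < minimum:
            weak.append(name)
    return weak


if __name__ == "__main__":
    for name, text in sorted(SAMPLE_CERTS.items()):
        print(name, key_strength(text))
    print("below 112 bits:", below_minimum(SAMPLE_CERTS))
```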

RSA vs ECC: Side by Side Comparison

| RSA | ECC |
| --- | --- |
| A well-established method of public-key cryptography. | A newer public-key cryptography method compared to RSA. |
| Works on the principle of the prime factorization method. | Works on the mathematical representation of elliptic curves. |
| RSA can run faster than ECC thanks to its simplicity. | ECC requires a bit more time as it’s complex in nature. |
| RSA has been found vulnerable and is heading towards the end of its tenure. | ECC is more secure than RSA and is in its adaptive phase. Its usage is expected to scale up in the near future. |
| RSA requires much bigger key lengths to implement encryption. | ECC requires much shorter key lengths compared to RSA. |

RSA vs ECC: Conclusion

The primary difference between RSA and ECC certificates is in the encryption strength. Elliptic Curve Cryptography (ECC) provides an equivalent level of encryption strength to the RSA (Rivest-Shamir-Adleman) algorithm with a shorter key length. As a result, the speed and security offered by an ECC certificate are higher than those of an RSA certificate for Public Key Infrastructure (PKI).

Both methods are prevalent and offer security against man-in-the-middle (MitM) attacks. However, RSA has been found vulnerable against some attacks, and it’s a matter of “when” not “if” RSA will eventually fail. Many experts believe that RSA will no longer be in use by the time 2030 comes around. ECC, on the other hand, is in its maturity phase, and many users have started using it. If you’re thinking of purchasing an SSL certificate, we’d suggest you go with a certificate with the ECC option as it’s always better to stay a step ahead of the criminals.
