RSA vs ECDSA?


Post by WinstonChurchill » Mon Jul 23, 2012 4:58 am UTC

SSH began defaulting to ECDSA keys in v5.7. Not being incredibly mathematically inclined myself, I was curious what anyone who had studied ECDSA and its friends in some detail might have to say about their security relative to RSA.

Nobody seems to like RSA anymore, but the fact is it's been around for a long time and nobody's managed to break it. ECDSA is faster (substantially so, in some cases) and results in much smaller keys, but doesn't it seem a little more prudent to stick with the tried-and-true solution that almost every programmer or mathematician on Earth has vetted? Am I being too cryptographically conservative? Or am I underestimating ECDSA's exposure?

Re: RSA vs ECDSA?

Post by Thesh » Mon Jul 23, 2012 5:39 am UTC

It all comes down to key size. A 384-bit elliptic curve key is equivalent to a 7680-bit RSA key in terms of security, and at some point (I don't know exactly where), ECC starts outperforming RSA for the same level of security.

The advantage to RSA is simplicity. RSA can encrypt arbitrary data, so it can be used directly for both signing and key exchange, and can even encrypt data directly.
ECC cannot be used to encrypt data directly, and requires separate algorithms to derive keys and generate/verify signatures.

The biggest problem with ECC is it's tangled in a web of patents, which makes implementing it risky unless you really want to spend a lot of time reading patents.
Eppur si mouve.
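
An added example, not part of the original thread: the key-size comparison in the reply above can be estimated from the best known generic attacks, the general number field sieve (GNFS) for factoring an RSA modulus and Pollard's rho for elliptic-curve discrete logs. The function names are hypothetical, and the GNFS cost drops its o(1) term, so the figures are rough estimates rather than published equivalences.

```python
import math


def gnfs_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost to factor a modulus of this size.

    Uses L_N[1/3, (64/9)^(1/3)] with the o(1) term dropped (an assumption
    of this example), so the result is an estimate only.
    """
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)


def rho_bits(curve_bits: int) -> float:
    """log2 of the generic Pollard rho cost for a group of this bit size."""
    return curve_bits / 2


def rsa_bits_matching(curve_bits: int, step: int = 256) -> int:
    """Smallest modulus size (a multiple of `step`) whose GNFS estimate
    reaches the rho estimate for the given curve size."""
    target = rho_bits(curve_bits)
    size = step
    while gnfs_bits(size) < target:
        size += step
    return size


def comparison(curve_sizes=(256, 384, 521)):
    """Rows of (curve bits, estimated strength, matching RSA modulus bits)."""
    return [(c, rho_bits(c), rsa_bits_matching(c)) for c in curve_sizes]


if __name__ == "__main__":
    print(f"RSA-7680 GNFS estimate: about 2^{gnfs_bits(7680):.0f} operations")
    print(f"P-384 rho estimate:     about 2^{rho_bits(384):.0f} operations")
    for curve, strength, rsa in comparison():
        print(f"{curve}-bit curve (~2^{strength:.0f}) ~ RSA-{rsa} by this estimate")
```

The modulus size grows much faster than the curve size because GNFS is sub-exponential in the modulus length while rho is fully exponential in the curve length.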

