RSA has been the default asymmetric algorithm for 47 years. ECC (Elliptic Curve Cryptography) provides equivalent security with dramatically smaller keys and faster operations. Both are quantum-vulnerable (Shor’s algorithm breaks both). So which should you use today?
The short answer: ECC (P-256 or Ed25519) for new deployments. RSA-2048+ only when compatibility requires it. Here’s the detailed reasoning.
The Numbers That Matter
| Metric | RSA-2048 | RSA-3072 | RSA-4096 | ECC P-256 | ECC P-384 |
|---|---|---|---|---|---|
| Security level | 112-bit | 128-bit | ~140-bit | 128-bit | 192-bit |
| Public key size | 256 bytes | 384 bytes | 512 bytes | 64 bytes | 96 bytes |
| Signature size | 256 bytes | 384 bytes | 512 bytes | 64 bytes | 96 bytes |
| Key generation | ~100ms | ~500ms | ~2s | ~1ms | ~2ms |
| Sign operation | ~1ms | ~4ms | ~10ms | ~0.1ms | ~0.3ms |
| Verify operation | ~0.03ms | ~0.05ms | ~0.08ms | ~0.2ms | ~0.5ms |
| TLS handshake impact | Baseline | +50% | +100% | -80% | -60% |
Key insight: ECC P-256 provides the same security as RSA-3072 with:
- 6x smaller keys (64 bytes vs 384 bytes)
- 6x smaller signatures (64 bytes vs 384 bytes)
- 40x faster signing (0.1ms vs 4ms)
- Smaller TLS certificates (less bandwidth per handshake)
When to Use ECC
TLS Certificates (Default Choice)
ECC is strictly better for TLS server certificates:
- Smaller certificates = faster handshakes = lower latency
- Faster signing = less CPU on the server = more connections/second
- Same security level with less overhead
# Generate ECDSA P-256 key for TLS
openssl ecparam -genkey -name prime256v1 -out server-ec.key
openssl req -new -key server-ec.key -out server.csr -subj "/CN=example.com"
# Nginx configuration
ssl_certificate /etc/ssl/certs/example.com-ecc.pem;
ssl_certificate_key /etc/ssl/private/example.com-ecc.key;
ssl_ecdh_curve X25519:P-256;Performance at scale: A server handling 10,000 TLS handshakes/second saves significant CPU by using ECDSA vs RSA. At high traffic volumes, this translates to fewer servers needed.
SSH Keys
Ed25519 (an ECC variant) is the recommended algorithm for SSH:
# Generate Ed25519 SSH key (recommended)
ssh-keygen -t ed25519 -C "user@example.com"
# Key size: 32 bytes (vs 256+ bytes for RSA)
# Signing: constant-time (no timing side channels)
# Security: 128-bit equivalent
# RSA only if Ed25519 isn't supported (very old systems)
ssh-keygen -t rsa -b 4096 -C "user@example.com"IoT and Constrained Devices
ECC’s smaller keys and faster operations are critical for devices with limited:
- Memory: ECC P-256 key fits in 64 bytes vs 256+ bytes for RSA
- CPU: Signing is 10-40x faster with ECC
- Bandwidth: Smaller certificates = less data over constrained networks (LoRaWAN, NB-IoT)
- Battery: Less computation = less power consumption
Code Signing
ECDSA P-256 or P-384 for code signing certificates:
- Smaller signatures don’t bloat signed binaries
- Faster verification = faster application startup (signature checked at launch)
- CA/Browser Forum accepts ECDSA for code signing
When to Use RSA
Legacy System Compatibility
Some systems only support RSA:
- Windows Server 2008/2012 (limited ECC support)
- Older Java versions (< Java 8 for some ECC operations)
- Legacy hardware (HSMs, smart cards, embedded systems)
- Some government systems with RSA-only requirements
When You Need RSA Key Transport
RSA can encrypt data directly (up to key size minus padding). ECC cannot — it only does key agreement (ECDH) and signatures (ECDSA). If you specifically need to encrypt a small value with a public key (rare in modern protocols), RSA is the only option.
Note: TLS 1.3 removed RSA key transport entirely. This use case is disappearing.
Dual-Certificate Deployments
Some organizations deploy both RSA and ECC certificates on the same server:
# Serve ECC to modern clients, RSA to legacy clients
ssl_certificate /etc/ssl/certs/example.com-ecc.pem;
ssl_certificate_key /etc/ssl/private/example.com-ecc.key;
ssl_certificate /etc/ssl/certs/example.com-rsa.pem;
ssl_certificate_key /etc/ssl/private/example.com-rsa.key;
# Nginx automatically selects based on client capabilitiesThis provides ECC performance for modern clients while maintaining compatibility with legacy clients that don’t support ECDSA.
Security Comparison
Against Classical Attacks
| Attack | RSA | ECC |
|---|---|---|
| Brute force | Factor n=p×q (GNFS) | Solve ECDLP (Pollard’s rho) |
| Best known attack | Sub-exponential (GNFS) | Fully exponential (Pollard’s rho) |
| Key size growth needed | Must double key size for +20 years security | Minimal growth needed |
| RSA-2048 break estimate | ~2030-2035 (classical, optimistic) | N/A |
| ECC P-256 break estimate | N/A | Not foreseeable (classical) |
ECC’s security scales better: doubling the key size (P-256 → P-521) provides exponentially more security. RSA’s security grows sub-exponentially — you need much larger key increases for the same security gain.
Against Quantum Attacks
Both RSA and ECC are equally vulnerable to quantum computers:
- RSA: Shor’s algorithm factors n in polynomial time → broken
- ECC: Shor’s algorithm solves ECDLP in polynomial time → broken
Neither is “more quantum-safe” than the other. Both will be replaced by post-quantum algorithms (ML-KEM, ML-DSA) when quantum computers become practical.
Timeline: Most estimates place cryptographically-relevant quantum computers at 2030-2040. Both RSA and ECC certificates issued today will likely expire before quantum computers can break them. But data encrypted today with RSA/ECC key exchange could be decrypted later (harvest-now-decrypt-later).
Algorithm Recommendations by Use Case (2026)
| Use Case | Recommended | Fallback | Avoid |
|---|---|---|---|
| TLS server certificates | ECDSA P-256 | RSA-2048 (legacy compat) | RSA-1024, DSA |
| TLS key exchange | X25519 | P-256 | RSA key transport, DH-1024 |
| SSH keys | Ed25519 | RSA-4096 | RSA-1024, DSA, ECDSA (nonce risk) |
| Code signing | ECDSA P-256 or P-384 | RSA-4096 | RSA-2048 (short margin) |
| CA signing keys | ECDSA P-384 | RSA-4096 | RSA-2048 (too short for CA lifetime) |
| IoT device identity | ECDSA P-256 | — | RSA (too large for constrained devices) |
| Email (S/MIME) | ECDSA P-256 | RSA-2048 | RSA-1024 |
| Document signing | ECDSA P-256 | RSA-3072 | RSA-2048 (long-lived signatures) |
Migration: RSA to ECC
If you’re currently using RSA and want to migrate:
For TLS Certificates
- Generate new ECC key:
openssl ecparam -genkey -name prime256v1 -out new.key - Create CSR with ECC key:
openssl req -new -key new.key -out new.csr - Request new certificate from your CA (same domain, ECC key)
- Deploy new ECC certificate alongside RSA (dual-cert if needed)
- Monitor for client compatibility issues (very rare in 2026)
- Remove RSA certificate after confirming no issues
For SSH
# Generate new Ed25519 key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
# Deploy new public key to servers (alongside existing RSA key)
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server
# Test new key works
ssh -i ~/.ssh/id_ed25519 user@server
# Remove old RSA key from servers after confirmingCompatibility Check
Before migrating, verify your clients support ECC:
- Browsers: All modern browsers support ECDSA (Chrome, Firefox, Safari, Edge) — since 2014+
- curl: Supports ECDSA since version 7.36 (2014)
- Java: Full ECDSA support since Java 7 (2011)
- Python:
sslmodule supports ECDSA since Python 2.6 - Go: Native ECDSA support since Go 1.0
- OpenSSL: ECDSA support since 1.0.0 (2010)
If your oldest supported client is from 2014 or later, ECC is safe.
FAQ
Q: Is ECC more secure than RSA? A: At equivalent security levels, they’re equally secure against classical attacks. ECC achieves that security with much smaller keys. Against quantum attacks, both are equally broken. ECC isn’t “more secure” — it’s “equally secure with better performance.”
Q: Why do some organizations still use RSA-4096? A: Inertia, compliance requirements that specify RSA, legacy system compatibility, or organizational policy that hasn’t been updated. There’s no technical reason to prefer RSA-4096 over ECDSA P-256 for new deployments (P-256 provides 128-bit security; RSA-4096 provides ~140-bit — both are more than sufficient).
Q: Should I use P-256 or P-384? A: P-256 for most use cases (128-bit security is sufficient for certificates with 1-2 year validity). P-384 for CA signing keys (longer-lived, higher security margin) or when compliance specifically requires 192-bit security.
Q: What about Ed25519 vs ECDSA P-256? A: Ed25519 is preferred for SSH and signatures (deterministic, no nonce vulnerability, faster, simpler). For TLS certificates, ECDSA P-256 has wider CA support (most CAs issue P-256 certificates; Ed25519 certificate support is still emerging). Use Ed25519 where supported, P-256 where Ed25519 isn’t available.
Q: If both are quantum-vulnerable, why bother migrating from RSA to ECC? A: Performance. ECC gives you the same security with less CPU, less bandwidth, and faster operations — today. When post-quantum algorithms arrive (ML-DSA, ML-KEM), you’ll migrate from ECC to PQC. But in the meantime (2026-2030+), ECC is the best classical algorithm available.