5

I am having trouble coming up with a use case for RSA or DSA. It appears that ECC is better in every way.

Is this true?

I am looking for cases where RSA/DSA is superior to ECC, not where it is used for historical reasons.

Demi

2 Answers

15

There are three use cases where RSA beats common ECC algorithms, such as ECDSA:

  1. Signature with verification frequent or/and by low-power devices or/and where the verification code needs to be small. The verification cost of $n$-bit RSA with usual public exponents is $O(n^2)$, but the verification cost of ECC-based signatures is $O(n^3)$ (using usual algorithms). Together with simpler math, that's why RSA can be way over 10 times faster for signature verification at usual security levels, even though it must use a larger $n$ for equivalent security level. RSA verification also requires significantly less code than ECC computations, which makes it attractive, for example, in ROM code where space is expensive and a bug can't be patched.

  2. Similarly, encryption by low-power devices or/and with decryption comparatively rare.

  3. Need to minimize the size overhead of adding a signature; using signature with message recovery, that can be 34 bytes for RSA (using SHA-256 hash, ISO 9796-2 mode 3 or the deprecated mode 1, for messages at least 222 bytes before signature at the 2048-bit security level), versus 64 bytes for ECDSA for comparable security.

RSA is thus a good choice (and indeed still the dominant one, I believe) for signing public-key certificates; besides inertia, in the internet domain that's mostly for reason 1 (certificates are verified often), but in the Smart Card and payment industry reason 3 adds up.

Additional arguments for RSA (vs ECC) are

  • RSA was first there / is the most time-proven, and became an industry standard.
  • Simplicity. RSA signature verification is much easier to code, and get right, than ECDSA signature verification.
  • RSA has long been clearly patent-free. But that now applies to ECDSA as well, and arguably applied all along and indisputably since August 2014, at least for curves in a prime field; e.g. ECDSA on secp256r1 and EdDSA on Curve25519 are patent unencumbered.
  • Perhaps (but see these comments) slightly more quantum resilience; that is, at comparable level of resistance versus non-quantum attacks, RSA arguably would fall after ECC if quantum computers usable for cryptanalysis ever emerged; see this other answer and section 5.4 of its source; note that Koblitz and Menezes are not making any strong statement, rather, their intro is (emphasis mine):

We next examine some conjectures about the NSA’s motives in its PQC announcement (..)
The NSA believes that RSA-3072 is much more quantum-resistant than ECC-256 and even ECC-384. (..)

Note: this answer does not touch use cases where ECC is preferable, or its virtues.

fgrieu
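The cost argument in point 1 of the answer above, as an added example that is not part of the original answer: it counts the modular multiplications in RSA signing and verification with the usual public exponent 65537, and the point operations one 256-bit double-and-add scalar multiplication needs. The key (built from two Mersenne primes), the unpadded textbook signature, the sample messages and all function names are assumptions made for this illustration.

```python
import hashlib

# Constructed demo key (assumption of this example): two known Mersenne primes.
# Far too structured for real use; it only makes the operation counts concrete.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                 # E = 2^16 + 1, the usual public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, about as long as N

def modexp_counted(base, exp, mod):
    """Left-to-right square-and-multiply: (base**exp % mod, modular mults used)."""
    result, mults = base % mod, 0
    for bit in bin(exp)[3:]:        # bits after the leading 1
        result = result * result % mod
        mults += 1
        if bit == "1":
            result = result * base % mod
            mults += 1
    return result, mults

def digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(msg):
    """Textbook RSA on the bare hash (no padding); returns (signature, mults)."""
    return modexp_counted(digest_int(msg), D, N)

def verify(msg, sig):
    """Returns (valid, mults): 17 modular mults for E = 65537, whatever N's size."""
    recovered, mults = modexp_counted(sig, E, N)
    return recovered == digest_int(msg), mults

def double_and_add_ops(k):
    """Point operations binary double-and-add needs for k*P: (doublings, additions)."""
    bits = bin(k)[3:]
    return len(bits), bits.count("1")

if __name__ == "__main__":
    msg = b"constructed sample message"
    sig, sign_mults = sign(msg)
    ok, verify_mults = verify(msg, sig)
    print(f"{N.bit_length()}-bit RSA: sign {sign_mults} mults, "
          f"verify {verify_mults} mults, valid={ok}")
    k = digest_int(b"constructed scalar") | (1 << 255)   # force a 256-bit scalar
    print("256-bit scalar mult (doublings, additions):", double_and_add_ops(k))
```

Each elliptic-curve point operation is itself several field multiplications, and ECDSA verification needs two scalar multiplications, so the number of multiplications grows with the key size there while RSA verification stays at 17.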
2

If practical quantum computers become a reality, the larger bitlengths of RSA keys would make them more quantum-resistant than their ECC counterparts. See section 5.4 of this Koblitz & Menezes paper.

Thomas Byrd