Comparison of RSA vs elliptical keys

Sylvain Besençon sylvain.besencon at
Tue May 12 17:04:10 CEST 2020

Le 12.05.20 à 11:24, Johan Wevers a écrit :
> On 12-05-2020 3:46, Pete Stephenson via Gnupg-users wrote:
>> For example, a 256 bit elliptic curve key has a similar strength to a symmetric key of 128 bits.
> Until, of course, a working quantum computer with more than a few qubits
> is constructed. Then ECC is much more vulnerable than RSA or ElGamal due
> to its smaler keysize (of course once a 256 bit quantum computer gets
> constructed I would also worry about 8192 bit RSA being vulnerable too
> in the very near future).


In the FAQ, it is written:
> Will GnuPG ever support RSA-3072 or RSA-4096 by default?
> Probably not. The future is elliptical-curve cryptography, which will bring a level of safety comparable to RSA-16384. Every minute we spend arguing about whether we should change the defaults to RSA-3072 or more is one minute the shift to ECC is delayed. Frankly, we think ECC is a really good idea and we’d like to see it deployed as soon as humanly possible. 

So, I guess the key size is not the only criteria to evaluate the 
strength of a cipher and ECC still provides better results despite 
shorter keys.

However, I would be interested to know which ECC cipher would you 
recommend to replace RSA. I am not a cryptographer and I don't find any 
information (or more honestly: information that I can understand) about 
Curve 25519, NIST P-256 (and greater), Brainpool, or secp256k1.

Thanks for the feedback,


More information about the Gnupg-users mailing list