Why ECC Is Outpacing RSA: History, Algorithms, and Performance Benchmarks

Historical Overview

According to historical records, the ancient Greeks invented substitution ciphers around 400 BC. The first telephone secrecy patent appeared in 1881. During World War II, Germany introduced the Enigma machine, highlighting the crucial role of cryptography in warfare.

With the rise of the information age, the importance of data security grew. In 1997, the U.S. National Institute of Standards and Technology (NIST) released the Data Encryption Standard (DES). Since then, civilian research has expanded to include algorithms such as DES, RSA, SHA, AES, and ECC.

Goals of Cryptography

Confidentiality: Prevent unauthorized reading of data.

Data Integrity: Prevent unauthorized modification of data.

Authentication: Ensure data originates from a specific party.

Encryption Algorithms

Modern cryptography is divided into two categories based on key type: symmetric encryption algorithms and asymmetric encryption algorithms.

Symmetric encryption uses the same secret key for both encryption and decryption, requiring both parties to share and protect that key.

Asymmetric encryption uses a public key for encryption and a private key for decryption.

Common asymmetric algorithms include:

RSA – a public‑key algorithm supporting variable‑length keys.

DSA (Digital Signature Algorithm) – a standard for digital signatures.

ECC (Elliptic Curve Cryptography) – based on the elliptic‑curve discrete logarithm problem.

ECC vs. RSA

In 1976, Diffie and Hellman introduced public‑key encryption, and Rivest, Shamir, and Adelman proposed the RSA algorithm, named after their initials. RSA’s security relies on the difficulty of factoring large integers. As computational power increased, RSA keys had to grow larger, which slowed encryption/decryption and made hardware implementation harder.

In 1985, Koblitz and Miller suggested using elliptic curves for cryptography. ECC’s security is based on the elliptic‑curve discrete logarithm problem (ECDLP), which is harder than integer factorisation, offering comparable security with much shorter keys.

Today, most SSL certificates still use RSA, but since around 2008 CAs began issuing ECC root certificates, and by 2015 ECC certificates were widely accepted. Compared with RSA, ECC provides:

Stronger resistance to attacks.

Lower CPU consumption.

Smaller ciphertext.

Reduced network overhead.

Faster encryption speed.

For equivalent security levels, ECC requires far shorter keys: a 128‑bit security level needs a 3072‑bit RSA key but only a 256‑bit ECC key; a 256‑bit security level needs a 15 360‑bit RSA key versus a 512‑bit ECC key.

Testing and Analysis

Performance tests were conducted on two cloud servers using three authentication algorithms: RSA‑2048, RSA‑3072, and ECC‑256. The tests measured server‑side CPU usage, response time, and throughput under various GET request loads (0 K, 200 K, 1200 K) with different session‑reuse percentages.

Key findings:

ECC‑256 consistently outperformed RSA‑2048 and RSA‑3072 in request handling capacity. With 0 % session reuse, ECC‑256 handled up to 2800 requests per second, while RSA‑3072 saturated around 500 rps and RSA‑2048 around 1300 rps.

When session reuse increased to 68 %, average response times dropped and throughput rose for all algorithms, but ECC‑256 still maintained a clear advantage.

In high‑load scenarios (1200 K GET, 0 % reuse), ECC‑256 and RSA‑2048 began to saturate network transmission on Apache, whereas RSA‑3072 reached CPU limits; on IIS, all three algorithms hit CPU limits.

ECC Will Be Everywhere

ECC’s advantages are expected to make it replace RSA as the universal public‑key algorithm. For example, the SET protocol designers have selected ECC as the default public‑key algorithm for the next‑generation SET protocol.

ECC certificate compatibility:

(End)