Asymmetric (public-key) algorithm reference
Asymmetric algorithms use a key pair: a public key anyone can hold and a private key kept secret. They power TLS handshakes, SSH, code signing, certificates and end-to-end encryption. This reference compares RSA, ECDSA, Ed25519, X25519, ECDH and ElGamal by equivalent security level, key size, performance and intended purpose (signing, key exchange or encryption).
How it works
Security rests on hard math problems: RSA on integer factorisation, elliptic-curve schemes on the elliptic-curve discrete log problem. Because EC attacks scale better for defenders, EC keys are much smaller than RSA keys at the same security level:
| Security level | RSA key size | EC curve | EC key size |
|---|---|---|---|
| ~112-bit | 2048-bit | P-224 | 224-bit |
| ~128-bit | 3072-bit | P-256, Curve25519 | 256-bit |
| ~192-bit | 7680-bit | P-384 | 384-bit |
| ~256-bit | 15360-bit | P-521 | 521-bit |
The dramatic key-size difference — 3072 bits of RSA versus 256 bits of ECC for the same protection — translates into faster operations and smaller certificates, which is why modern systems are moving to elliptic-curve algorithms wherever possible.
Signing versus key exchange: two different problems
Public-key cryptography serves two fundamentally different purposes, and different algorithms are optimised for each:
Digital signatures prove that a message was created by the holder of a particular private key and has not been altered. A signature uses the private key to sign and the public key to verify. Algorithms: RSA-PSS, ECDSA, Ed25519.
Key exchange allows two parties to agree on a shared secret over an insecure channel, which is then used as a symmetric encryption key. Algorithms: ECDH (Elliptic-curve Diffie-Hellman), X25519. No message is signed — the exchange establishes a secret, then a cipher like AES-GCM encrypts data.
A critical rule: never use the same key pair for both signing and key exchange. The mathematical operations are different enough that a key designed for one purpose can leak information if used for the other. Ed25519 keys are for signing; X25519 keys are for key exchange — they use the same underlying curve (Curve25519) but different operations.
Algorithm quick reference
RSA: The oldest widely deployed asymmetric algorithm. Use RSA-2048 as the absolute minimum; RSA-3072 or higher for keys that must remain secure for many years. RSA can do both signing and encryption (OAEP for encryption, PSS for signing), but EC alternatives are preferred in new designs.
ECDSA: Elliptic-curve digital signature algorithm over NIST curves (P-256, P-384). More compact than RSA signatures at equivalent security. The main risk is a poor random-number generator — a biased nonce leaks the private key, as has happened in real exploits.
Ed25519: EdDSA over Curve25519. Deterministic — no random nonce needed, eliminating the nonce-reuse risk that affects ECDSA. Fast, small signatures, simple to implement correctly. The preferred choice for new signature systems.
X25519: Diffie-Hellman over Curve25519, used for key exchange. Deployed in TLS 1.3, Signal, and most modern encrypted messaging. Pairs with Ed25519 for a complete “Curve25519 toolkit.”
ECDH / X448: Curve448 variants offering ~224-bit security for applications requiring higher assurance than 128-bit.
Post-quantum considerations
RSA and all elliptic-curve algorithms are broken by a sufficiently large quantum computer running Shor’s algorithm. While no such computer exists today, long-lived keys (certificate authorities, signing keys for software) should plan for migration now. NIST has standardised ML-KEM (Kyber) for key encapsulation and ML-DSA (Dilithium) for digital signatures as the first post-quantum replacements. TLS 1.3 already supports hybrid key exchange combining X25519 with ML-KEM so that traffic encrypted today is safe even if a large quantum computer arrives in the future.
For new code: prefer Ed25519 for signing, X25519 for key exchange. Plan for post-quantum hybrid schemes in high-assurance applications. RSA-2048 is the practical minimum for any RSA use; retire 1024-bit RSA immediately.