X.509 vs ECDSA vs RSA
X.509
X.509 is a standard that defines the structure of public key certificates and the hierarchy of certificate authorities (CAs) that issue them. Trust flows from a CA down to the certificates it signs, in contrast to a web-of-trust model such as PGP, where anyone (not just designated CAs) may sign, and thus attest to the validity of, another party's key certificate.
A typical CA system is therefore not a web of trust but a chain of trust: a leaf certificate is trusted because its issuer's certificate is trusted, and so on up to a root certificate the client already holds.
Web Only Encryption vs Off Web Encryption
Since Netscape introduced SSL, web-site certificates have typically used a public/private key pair based on the RSA algorithm.
Web only (SSL encryption): X.509 itself is algorithm-agnostic and typically carries RSA keys, but does not have to. For web SSL/TLS certificates the RSA key is typically 2048 bits. TLS later added cipher suites for other algorithms, including ECDSA (RFC 4492), so web certificates can now carry elliptic-curve keys as well.
Off the web, ECDSA has become the de facto signature algorithm (it is a signature scheme, not an encryption algorithm). Bitcoin is a good example of a system that relies on ECDSA.
ECDSA vs RSA (ECDSA is computationally cheaper for the same level of security)
Certificates can also be created using the public key part of an ECDSA key pair (elliptic-curve keys, aka ECC keys). The DS in ECDSA stands for 'Digital Signature', and that is all ECDSA does: it produces and verifies signatures. To encrypt with elliptic-curve keys you use a different scheme on the same kind of key, typically ECDH key agreement to derive a symmetric key, or ECIES, which packages ECDH with a symmetric cipher.
This is how the Apple ecosystem protects message payloads: iMessage messages are signed with ECDSA, while the payload itself is encrypted to a separate encryption key pair. Apple's keychain syncing likewise uses P-256 ECDSA keys to sign, and an elliptic-curve encryption scheme (key agreement plus a symmetric cipher, not ECDSA itself) to protect keychain items in transit.
RSA, unlike ECDSA, can be used for both digital signing and encryption with the same key pair; with elliptic curves, signing (ECDSA) and encryption (ECDH/ECIES) are separate algorithms.
Breaking an ECDSA key requires solving the Elliptic Curve Discrete Logarithm Problem (ECDLP): recovering the private scalar d from the public point d·G. No sub-exponential algorithm is known for this on well-chosen curves, whereas breaking RSA requires factoring the modulus, for which sub-exponential algorithms (the number field sieve) exist, so RSA keys must grow much faster than EC keys to keep up.
This means that with ECDSA you get the same level of security as RSA with much smaller keys. A 256-bit ECDSA key gives roughly 128 bits of security, which NIST (SP 800-57) equates to a 3072-bit RSA key (the ECRYPT estimate is 3,248 bits); typical RSA keys in web-site certificates are 2048 bits, about 112 bits of security.
Bitcoin and ECDSA
Bitcoin relies on ECDSA, over the secp256k1 curve, for its security. A Bitcoin address is just a cryptographic hash of an ECDSA public key (for the original pay-to-public-key-hash addresses, RIPEMD-160 of SHA-256 of the key, Base58Check-encoded).
Ownership of the coins at an address is determined by who controls the corresponding ECDSA private key. In the Bitcoin network, a SEND transaction (i.e. sending someone bitcoin) is a message that transfers bitcoin to a recipient address. This SEND message is signed with your private key. Once signed, it is submitted to the underlying network, where, after a certain number of confirmations (blocks mined on top of it), it is 'ledgered' (locked into the permanent ledger, the blockchain).
QUIC Internet
Because ECDSA keys and signatures are much smaller, ECDSA signing is far cheaper than RSA signing (about 10 times or more for P-256 versus RSA-2048), and ECDSA certificates are smaller on the wire. The trade-off is that RSA verification, with its small public exponent, is faster than ECDSA verification, so the saving lands on the server that signs rather than on the client that verifies.
QUIC (Quick UDP Internet Connections) is an encrypted-by-default Internet transport protocol that provides a number of improvements designed to accelerate HTTP traffic as well as make it more secure, with the goal of eventually replacing TCP (and, in Google's original design, TLS) on the web; the standardised IETF QUIC instead carries the TLS 1.3 handshake inside the transport. This