Introducing the 2024 PKI & Digital Trust Report     | Download the Report

Elliptic Curve Cryptography: What is it? How does it work?

SSL/TLS Certificates

Elliptic curve cryptography (ECC) is a public key cryptographic algorithm used to perform critical security functions, including encryption, authentication, and digital signatures. ECC is based on the elliptic curve theory, which generates keys through the properties of the elliptic curve equation, compared to the traditional method of factoring very large prime numbers.

ECC vs RSA: Key differences

Rivest-Shamir-Adleman (RSA) cryptographic method is still the most widely adopted public-key algorithm today. It’s used extensively to encrypt and authenticate websites, emails, software, etc.

Originally invented by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977, RSA uses the prime factorization method, which involves taking two large random prime numbers and multiplying them to create a public key. 

RSA algorithm has served the security world well for decades. However, the mathematics and computational power required to factor large numbers and ‘break’ RSA keys have become increasingly more available and practical for attackers to use. To counter the threats posed by advanced computing and mathematics, RSA key sizes need to grow, which becomes unsustainable in the long-term.

Several researchers have found vulnerabilities in RSA public keys in recent years. For example, in 2020, Keyfactor researchers analyzed more than 75 million active RSA keys across the internet, discovering that 1 in every 172 certificates using RSA keys are vulnerable to a practical attack known as ‘factoring.’

ECC is considered more secure than RSA, because RSA is based on factoring large numbers, a problem that computers have solved. In contrast, elliptic curve cryptography is based on the discrete logarithm problem, which is much harder to solve. It’s been proven that even with today’s technology, it would take longer than the universe’s age to reverse engineer a key that’s been generated using ECC.

ECC keys are also much shorter than RSA keys—the most common type of key used in public-key cryptography—making them much easier to manage and store. Shorter keys also mean less processing power is required to encrypt and decrypt data, making ECC more efficient than other algorithms.

What are the benefits of ECC?

Several benefits make elliptic curve cryptography an attractive option for certain applications. First, as mentioned above, ECC requires smaller keys than other methods to achieve the same level of security. This can be important in constrained environments where limited storage is available.

Because ECC offers equivalent security with lower computing power and battery resource usage, it is becoming more widely used in cryptocurrency platforms, including Bitcoin and Ethereum, mobile applications, and low-power devices that have limited computational power.

Finally, ECC can be used for digital signatures, key exchange, and other purposes; this makes it a versatile tool for many different applications.

How does ECC work?

An elliptic curve is a plane curve defined by an equation of the form y^2 = x^3 + ax + b. A and b are constants, and x and y are variables. Elliptic curves have many interesting mathematical properties that make them well-suited for cryptography. For example, given two points P and Q on an elliptic curve, there is a third point R such that P + Q = R. This property is called “point addition” and is illustrated below.

Another valuable property of cryptography is “point doubling.” This is when we take a point P on an elliptic curve and find another point 2P such that P + P = 2P. This is illustrated below.

We can keep doubling points until we get to the point that we call “the infinity point,” which we denote as O. You can think of this as the limit case where the distance between P and 2P gets arbitrarily close to zero.

Thus, we can add and double points on an elliptic curve to our heart’s content and never get the exact moment twice (except for O). 

Given any point P on an elliptic curve, an infinite number of points can be obtained by adding and doubling P (including O). Consequently, an endless number of possible keys can be generated using elliptic curves.

How is Elliptic Curve Cryptography used?

Now that we’ve seen elliptic curves and their work, let’s look at how they’re used in cryptography. Elliptic curve cryptography typically relies on the Elliptic Curve Discrete Logarithm Problem (ECDLP), which states that it is hard to solve for x if we know y = g^x mod p where g is some known integer and p is prime. 

This problem is complex because there is no known way to efficiently find x given y (that is, without trying every possible value of x until we find one that works).

Since the DDL problem is hard to solve, it follows that it would also be hard to solve for y if we know x = g^y mod p. That is, it would be difficult for someone who doesn’t know the secret exponent y to compute y given x (again, without trying every possible value until they find one that works). 

Therefore, if we choose our parameters g and p carefully, it should be difficult for someone who doesn’t know the secret exponent x to compute x given y (or vice versa).

As long as it’s hard to compute the secret exponent x given y (or vice versa), we can use elliptic curve cryptographic algorithms for things like digital signatures and key agreement protocols.

Real-world applications of Elliptic Curve Cryptography

Elliptic curve cryptography has several practical applications in the real world. One example is online banking and payments. When you make an online purchase with your debit or credit card, your information is often encrypted using ECC before it’s sent over the internet. This ensures that your information remains confidential and secure throughout the transaction process.

Another application of ECC is in email encryption. Pretty Good Privacy (PGP) is a popular email encryption software that can leverage ECC to protect your emails from being read by anyone other than the intended recipient. 

PGP works by generating a public/private key pair for each user. The public key can be shared with anyone, but the private key must be kept confidential at all times. To encrypt an email, you simply need the recipient’s public key; conversely, you’ll need your private key to decrypt an email you’ve received.


ECC is a powerful tool that can protect data, authenticate connections, and verify integrity in various applications. As more and more of our lives move online, cryptography is essential to keep our data safe and secure. 

Elliptic curve cryptography is just one type of cryptographic algorithm that can be used for this purpose. As we move toward a post-quantum world, new algorithms have emerged, each with their own unique benefits. IT and security leaders must understand how applications within their organization use cryptography, and what it will take to adapt as the security and technology landscape evolves.