path: root/src/content/docs/extra/algorithms-comparison.md
Diffstat (limited to 'src/content/docs/extra/algorithms-comparison.md')
-rw-r--r-- src/content/docs/extra/algorithms-comparison.md | 199
1 files changed, 135 insertions, 64 deletions
diff --git a/src/content/docs/extra/algorithms-comparison.md b/src/content/docs/extra/algorithms-comparison.md
index 9c8a478..9a52ccb 100644
--- a/src/content/docs/extra/algorithms-comparison.md
+++ b/src/content/docs/extra/algorithms-comparison.md
@@ -6,7 +6,8 @@ sidebar:
When choosing cryptographic algorithms for key management and data security,
it's important to understand the differences and use cases for RSA, DSA, ECDSA,
-and ECDH. Here’s a detailed comparison to help you make an informed decision:
+EdDSA, and ECDH. Here’s a detailed comparison to help you make an informed
+decision.
## RSA (Rivest-Shamir-Adleman)
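Review bot: the rewritten intro still lists DSA among the algorithms the page compares, while the next hunk deletes the entire DSA section, and ElGamal (whose `## ElGamal Encryption (ELG-E)` section remains) is not listed at all. Suggest matching the list to the sections that actually remain, e.g. `it's important to understand the differences and use cases for RSA, ElGamal, ECDSA, EdDSA, and ECDH.`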
@@ -23,20 +24,6 @@ and ECDH. Here’s a detailed comparison to help you make an informed decision:
- **Security**: Provides strong security, but larger key sizes are required as
computational power increases.
-## DSA (Digital Signature Algorithm)
-
-- **Key Characteristics**: DSA, introduced by NIST in 1991, is primarily used
- for digital signatures and is not suitable for encryption.
-- **Key Sizes**: Typically uses 1024 to 3072-bit keys, with a recommended
- minimum of 2048 bits for new deployments.
-- **Use Cases**: Mainly used for digital signatures in various security
- protocols. It is less common than RSA and ECDSA.
-- **Performance**: Faster at generating keys compared to RSA but slower in
- verification. Requires a secure random number for each signature, which if
- compromised, can lead to vulnerabilities.
-- **Security**: Suitable for digital signatures, but less versatile and not as
- widely supported as RSA and ECDSA.
-
## ElGamal Encryption (ELG-E)
- **Key Characteristics**: ElGamal encryption (ELG-E) is an asymmetric key
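Review bot: removing the DSA section outright leaves the later references to DSA (the intro list, and the EdDSA section's "Unlike ECDSA and DSA" and "older algorithms like DSA or ECDSA") with nothing to point to, and a reader who already holds a DSA key gets no guidance. If the intent is to steer users away from DSA, a one-line note saying that DSA is no longer covered, and why, would be clearer than silent deletion; otherwise keep a trimmed version of the `**Key Sizes**` and `**Security**` bullets being removed here.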
@@ -84,52 +71,136 @@ used in two main algorithms: ECDH and ECDSA.
### Common ECC Algorithms and Their Use Cases
-- **NIST Curves (P-256, P-384, P-521)**: These curves, standardized by the
- National Institute of Standards and Technology (NIST), are widely used in
- secure communication protocols. For example, **ECDH NIST P-256** provides
- approximately 128-bit security, making it suitable for most encryption needs,
- while **ECDSA NIST P-256** is often used for digital signatures. As the key
- size increases (e.g., P-384, P-521), so does the security level, with P-521
- offering approximately 256-bit security, ideal for applications requiring the
- highest level of protection.
-
-- **ED25519 and ED448**: **ED25519** is favored for its speed and security,
- providing 128-bit security and commonly used in modern applications like
- secure messaging (e.g., Signal) and blockchain technologies. **ECDSA ED25519**
- is excellent for generating fast and secure digital signatures. **ED448**, on
- the other hand, offers higher security (224-bit) and is suitable for
- environments that require even stronger protection, although at a slight
- performance cost.
-
-- **BrainPool Curves (P-256, P-384, P-512)**: These curves are alternatives to
- the NIST standards, offering similar security levels but with different
- parameters. **ECDH BrainPool P-256** and **ECDSA BrainPool P-256** are used
- when there is a preference for non-NIST curves, especially in regions or
- industries where alternative cryptographic standards are required. The
- BrainPool curves maintain the balance between security and performance across
- different key sizes.
-
-- **CV25519 and X448**: **ECDH CV25519** is a counterpart to ED25519 but is used
- specifically for key exchange. It provides approximately 128-bit security and
- is widely used for its efficiency in secure communications. **ECDH X448** is
- the higher-security variant (224-bit security) and is appropriate for
- scenarios demanding more robust encryption, albeit with higher computational
- costs.
-
-## Algorithm Flexibility in Primary Keys and Subkeys
-
-Primary keys are typically limited to RSA, DSA, and ECDSA due to their critical
-role in establishing trust and signing other keys. These algorithms are
-well-established and extensively audited, providing robust security for identity
-verification.
-
-Subkeys, however, are often used for specific operational tasks such as
-encryption and authentication. This allows them to utilize a broader range of
-algorithms like ECDH, which is optimized for key exchange. The flexibility in
-choosing algorithms for subkeys enhances their efficiency and allows
-cryptographic operations to be tailored to specific use cases, providing both
-performance and security benefits.
-
-By understanding the strengths and appropriate use cases for each algorithm, you
-can choose the best cryptographic solution for your needs, ensuring both
-security and efficiency in your operations.
+Elliptic Curve Cryptography (ECC) offers a range of algorithms and curves
+tailored to different cryptographic needs. Below is an overview of commonly used
+ECC algorithms and their specific applications.
+
+- **NIST Curves (P-256, P-384, P-521)**: Standardized by the National Institute
+ of Standards and Technology (NIST), these curves are widely utilized in secure
+ communication protocols. For example:
+
+ - **ECDH NIST P-256**: Provides approximately 128-bit security, making it
+ suitable for most encryption scenarios.
+ - **ECDSA NIST P-256**: Commonly employed for digital signatures, offering
+ robust security for authentication purposes.
+ - **Higher Key Sizes**: P-384 and P-521 increase security levels
+ proportionally, with P-521 offering around 256-bit security, making it ideal
+ for high-security environments.
+
+- **BrainPool Curves (P-256, P-384, P-512)**: BrainPool curves serve as
+ alternatives to NIST standards, providing similar security levels but with
+ independently developed parameters.
+
+ - **Use Cases**: Often used in regions or industries that prefer non-NIST
+ curves for compliance or operational reasons.
+ - **Examples**: **ECDH BrainPool P-256** and **ECDSA BrainPool P-256** offer a
+ balance between security and performance, catering to scenarios where NIST
+ standards are not desired.
+
+- **CV25519 and X448**: These curves are optimized for performance and are
+ widely used in modern cryptographic applications.
+
+ - **ECDH CV25519**: A counterpart to ED25519, this curve is designed for key
+ exchange and offers approximately 128-bit security. It is highly efficient
+ in secure communications.
+ - **ECDH X448**: A higher-security variant providing 224-bit security,
+ suitable for applications requiring more robust encryption. However, it
+ comes with a slight trade-off in computational efficiency.
+
+- **SECP256K1**: Defined by the Standards for Efficient Cryptography Group
+ (SECG), SECP256K1 is distinct from NIST curves and has gained significant
+ traction due to its adoption in blockchain technologies.
+ - **Key Use Case**: Widely used for cryptographic operations in Bitcoin and
+ other blockchain systems, where efficient signature verification is crucial.
+ - **Performance**: Optimized for computational efficiency, making it an
+ excellent choice for environments requiring rapid cryptographic operations.
+
+## EdDSA (Edwards-Curve Digital Signature Algorithm)
+
+### **Overview**
+
+EdDSA is a modern digital signature algorithm based on elliptic curve
+cryptography. It is specifically designed to be more efficient, secure, and
+resistant to common implementation errors compared to older algorithms like DSA
+or ECDSA.
+
+### **Key Characteristics**
+
+- **Deterministic Signature Generation**: Unlike ECDSA and DSA, which require
+ secure random numbers for each signature, EdDSA uses deterministic methods,
+ reducing the risk of vulnerabilities caused by poor randomness.
+- **Elliptic Curves Used**: EdDSA supports two primary curves:
+ - **Ed25519**: Provides 128-bit security and is optimized for speed and
+ compact key sizes.
+ - **Ed448**: Provides higher 224-bit security for environments requiring
+ greater protection but at the cost of performance.
+
+### **Use Cases**
+
+- **Ed25519**: Ideal for secure messaging (e.g., Signal), blockchain, and other
+ modern cryptographic protocols where performance and efficiency are critical.
+- **Ed448**: Used in environments requiring stronger security, such as highly
+ sensitive communications or systems with long-term security needs.
+
+### **Performance**
+
+EdDSA is faster than RSA and ECDSA for both signing and verification. Its
+compact key sizes make it ideal for resource-constrained devices or systems.
+
+### **Compatibility**
+
+While Ed25519 has gained significant adoption in modern cryptographic libraries,
+it is not yet universally supported in older systems or clients. Ed448 has even
+more limited support.
+
+## Why ECDH Cannot Be Used as a Primary Key Algorithm
+
+### Key Difference Between ECDH and ECDSA/EdDSA
+
+- **ECDH (Elliptic Curve Diffie-Hellman)** is a key exchange algorithm used to
+ establish shared secrets between two parties. It is not designed for signing
+ or verification, which are essential for primary key functionalities.
+- **ECDSA (Elliptic Curve Digital Signature Algorithm)** and **EdDSA** are
+ signature algorithms, specifically designed for identity verification and
+ creating/verifying digital signatures, making them suitable for primary keys.
+
+### Primary Key Requirements
+
+Primary keys are used to:
+
+1. **Sign Other Keys**: Establish trust relationships by signing subordinate
+ keys.
+2. **Verify Identities**: Sign and verify data, proving ownership of the key.
+
+Since ECDH does not provide signature functionality, it cannot be used for these
+purposes. Instead, it is commonly used for subkeys dedicated to encryption or
+key exchange tasks.
+
+## Recommended Algorithms for Compatibility and Security
+
+### **1. RSA (2048-bit or 3072-bit)**
+
+- **Why**: RSA offers the broadest compatibility across legacy systems,
+ libraries, and cryptographic protocols.
+- **When to Use**: Choose RSA when you need to ensure interoperability with
+ older clients or systems that may not support newer elliptic curve algorithms.
+
+### **2. Curve25519**
+
+- **Why**: Curve25519 is highly efficient, secure, and compact, making it a great
+ choice for modern cryptographic applications.
+- **When to Use**: Use Curve25519 in environments where compatibility with
+ modern systems is sufficient, and you want to benefit from its speed and
+ smaller key sizes.
+
+### Combining RSA and Curve25519
+
+For the best balance between compatibility and performance, consider using RSA
+for the **primary key** (for identity verification and signing other keys) and
+Curve25519 for **subkeys** (used for signing, encryption, or authentication).
+This approach ensures:
+
+- **Maximum Compatibility**: RSA as the primary key ensures interoperability
+ with older systems.
+- **Modern Efficiency**: Curve25519 as subkeys provides better performance for
+ modern operations.
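Review bot: the recommendation under `### Combining RSA and Curve25519` tells readers to use "Curve25519 for **subkeys** (used for signing, encryption, or authentication)", but the sections above name the concrete choices as ECDH CV25519 (key exchange/encryption) and Ed25519 (signing) and never say that both are Curve25519; spell that mapping out where the recommendation is made so a reader picking a subkey algorithm chooses the right one for each capability. Two smaller points: the new `### **Overview**`, `### **Key Characteristics**` and `### **1. RSA (2048-bit or 3072-bit)**` headings wrap their text in bold, unlike every other heading in this file, so drop the inner `**`; and "EdDSA is faster than RSA and ECDSA for both signing and verification" overstates the case for RSA, whose verification with a small public exponent is cheap, so consider limiting that comparison to signing and key generation.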