Asymmetric cryptography
Key pair (public + private) where one undoes what the other did. The foundation of every digital signature, TLS key exchange, and X.509 certificate.
Families in use
| Family | Typical size | Speed | Signature size | Notes |
|---|---|---|---|---|
| RSA | 2048, 3072, 4096 bits | Fast verify, slow sign | 256384512 bytes | Still dominant in public CAs. NIST recommends 3072+ from 2030 onward |
| ECDSA P-256 | 256 bits | Fast | 64-72 bytes | De facto standard in modern TLS. NIST curve. |
| ECDSA P-384 | 384 bits | Medium | 96 bytes | Suite B; common in government. |
| Ed25519 | 256 bits | Faster than ECDSA | 64 bytes | RFC 8032 curve. Deterministic — no PRNG at sign time. No nonce reuse vulnerability. |
| Ed448 | 448 bits | Fast | 114 bytes | Goldilocks curve; more paranoid than Ed25519. |
| ML-KEM / ML-DSA (post-quantum) | KEM/DSA | Mature | large (kB) | FIPS 203/204, ratified 2024. Migration still in PoC at CAs. |
RSA — practical view
- Operations:
sign(msg, sk) = msg^d mod n,verify(msg, sig, pk) = sig^e mod n == hash(msg)(simplified scheme; use RSA-PSS in practice, not PKCS#1 v1.5). - Key generation: 2 large primes p,q; npq; phi(p-1)(q-1); e=65537; d = e⁻¹ mod phi.
- Pitfalls:
- PKCS#1 v1.5 padding has padding oracles (Bleichenbacher); use RSA-PSS in new code.
- Keys < 2048 bits are considered broken today.
- Prime generation needs strong entropy; real-world failures (Debian OpenSSL 2008).
ECDSA — practical view
- Operations over an elliptic curve (point multiplication). Key space 2× the bit-size for security comparable to RSA (256-bit ECC ≈ 3072-bit RSA).
- Catastrophic pitfalls:
- Nonce k reuse leaks the private key with 2 signatures. Sony's PS3 was broken this way in 2010. Mitigate with deterministic nonce RFC 6979.
- NIST curves have unexplained constants (weak "nothing-up-my-sleeve"). Hence the appeal of Ed25519 (curve 25519, constants derived explicitly).
Ed25519 — why it is becoming the default
- Deterministic by design — no PRNG at sign time, no nonce reuse possible.
- 32-byte public key, 64-byte signature, ~50× faster than RSA-2048 at signing.
- Supported in SSH (OpenSSH ≥ 6.5), TLS 1.3, JWT (
EdDSA), CMS, X.509 certificates (RFC 8410). - Caveat: some root programs historically required RSA/ECDSA for compatibility.
Key exchange
Different from signing. Establishes a shared secret between 2 parties without revealing anything over a public channel.
- (EC)DHE (Ephemeral Diffie-Hellman) — used in every modern TLS handshake; generates a disposable session secret → perfect forward secrecy.
- X25519 — Curve25519 variant for DH. Default in TLS 1.3 (RFC 7748).
- X-Wing / hybrid PQ — ML-KEM + X25519 combinations already deployed in Chrome and Cloudflare.
Operational summary for the Stack
- Server keys (TLS, internal gateway): ECDSA P-256 or Ed25519 when the whole stack supports it.
- Code / Koder artifact signing keys: Ed25519.
- Internal CA keys (step-ca for the Koder network): ECDSA P-384 or Ed25519 root, ECDSA P-256 intermediate.
- PQ migration: monitor
services/foundation/idandservices/foundation/certswhen the browser ecosystem signals hybrid certs.