Asymmetric cryptography

seed

Key pair (public + private) where one undoes what the other did. The foundation of every digital signature, TLS key exchange, and X.509 certificate.

Families in use

Family Typical size Speed Signature size Notes
RSA 2048, 3072, 4096 bits Fast verify, slow sign 256384512 bytes Still dominant in public CAs. NIST recommends 3072+ from 2030 onward
ECDSA P-256 256 bits Fast 64-72 bytes De facto standard in modern TLS. NIST curve.
ECDSA P-384 384 bits Medium 96 bytes Suite B; common in government.
Ed25519 256 bits Faster than ECDSA 64 bytes RFC 8032 curve. Deterministic — no PRNG at sign time. No nonce reuse vulnerability.
Ed448 448 bits Fast 114 bytes Goldilocks curve; more paranoid than Ed25519.
ML-KEM / ML-DSA (post-quantum) KEM/DSA Mature large (kB) FIPS 203/204, ratified 2024. Migration still in PoC at CAs.

RSA — practical view

  • Operations: sign(msg, sk) = msg^d mod n, verify(msg, sig, pk) = sig^e mod n == hash(msg) (simplified scheme; use RSA-PSS in practice, not PKCS#1 v1.5).
  • Key generation: 2 large primes p,q; npq; phi(p-1)(q-1); e=65537; d = e⁻¹ mod phi.
  • Pitfalls:
    • PKCS#1 v1.5 padding has padding oracles (Bleichenbacher); use RSA-PSS in new code.
    • Keys < 2048 bits are considered broken today.
    • Prime generation needs strong entropy; real-world failures (Debian OpenSSL 2008).

ECDSA — practical view

  • Operations over an elliptic curve (point multiplication). Key space 2× the bit-size for security comparable to RSA (256-bit ECC ≈ 3072-bit RSA).
  • Catastrophic pitfalls:
    • Nonce k reuse leaks the private key with 2 signatures. Sony's PS3 was broken this way in 2010. Mitigate with deterministic nonce RFC 6979.
    • NIST curves have unexplained constants (weak "nothing-up-my-sleeve"). Hence the appeal of Ed25519 (curve 25519, constants derived explicitly).

Ed25519 — why it is becoming the default

  • Deterministic by design — no PRNG at sign time, no nonce reuse possible.
  • 32-byte public key, 64-byte signature, ~50× faster than RSA-2048 at signing.
  • Supported in SSH (OpenSSH ≥ 6.5), TLS 1.3, JWT (EdDSA), CMS, X.509 certificates (RFC 8410).
  • Caveat: some root programs historically required RSA/ECDSA for compatibility.

Key exchange

Different from signing. Establishes a shared secret between 2 parties without revealing anything over a public channel.

  • (EC)DHE (Ephemeral Diffie-Hellman) — used in every modern TLS handshake; generates a disposable session secret → perfect forward secrecy.
  • X25519 — Curve25519 variant for DH. Default in TLS 1.3 (RFC 7748).
  • X-Wing / hybrid PQ — ML-KEM + X25519 combinations already deployed in Chrome and Cloudflare.

Operational summary for the Stack

  • Server keys (TLS, internal gateway): ECDSA P-256 or Ed25519 when the whole stack supports it.
  • Code / Koder artifact signing keys: Ed25519.
  • Internal CA keys (step-ca for the Koder network): ECDSA P-384 or Ed25519 root, ECDSA P-256 intermediate.
  • PQ migration: monitor services/foundation/id and services/foundation/certs when the browser ecosystem signals hybrid certs.

Canonical references