Elliptic-curve cryptography (ECC)

Elliptic-curve cryptography (ECC) is public-key cryptography built on the arithmetic of points on an elliptic curve over a finite field. Its security rests on the elliptic-curve discrete logarithm problem: given points P and Q equal to k times P, recovering the scalar k is computationally hard by classical means. Because that problem resists the best classical attacks more strongly per bit than integer factoring, ECC reaches the same classical security as RSA with far smaller keys, a 256-bit curve roughly matching 3072-bit RSA (SP 800-186).

Quantum vulnerability

Shor's algorithm solves the discrete logarithm problem in polynomial time, so a large quantum computer recovers an ECC private key from its public key just as it breaks RSA (Shor 1995). The smaller key sizes offer no additional protection. Widely used instances include the NIST P-256 curve, the secp256k1 curve behind Bitcoin signatures, and X25519 for key exchange, all of which a quantum computer would break. Post-quantum replacements come from lattice-based and hash-based families instead.

Sources

  1. SP 800-186, Recommendations for Discrete Logarithm-Based Cryptography: Elliptic Curve Domain Parameters (NIST, 2023)
  2. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer (arXiv, 1995)
Cite this entry
"Elliptic-curve cryptography (ECC)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/elliptic-curve-cryptography@misc{pqwiki-elliptic-curve-cryptography, title = {Elliptic-curve cryptography (ECC)}, howpublished = {\url{https://postquantum.wiki/elliptic-curve-cryptography}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }