A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography – CloudFlare
This provides a really good explanation of Elliptic Curve Cryptography (ECC) and includes a fantastic real world analogy:
“By this measure, breaking a 228-bit RSA key requires less energy to than it takes to boil a teaspoon of water. Comparatively, breaking a 228-bit elliptic curve key requires enough energy to boil all the water on earth. For this level of security with RSA, you’d need a key with 2,380-bits.”
CloudFlare have also just blogged about their use of ECC when signing DNSSEC responses. The result is a very strong key with a significantly smaller response size (1181 bytes vs. 313 bytes).
Their engineer (Vlad Krasnov) even implemented the ECDSA signature algorithm in assembler speeding up signing by 21x!
CloudFlare’s reason for doing this is to limit the vector of DDoS based attacks using DNS reflection.
“By keeping our packet size small enough to fit in a 512 byte UDP packet, we keep the domains on us safe from being the amplification factor of a DDoS attack.”