ECC: Elliptic Curve Cryptography in the EUDI Wallet

Last updated: 2/9/2026 | Reading time: 4 min

Tags: ECC, cryptography

Full Name: Elliptic Curve Cryptography

Definition

Elliptic Curve Cryptography (ECC) is a public key cryptography approach using the algebraic structure of elliptic curves over finite fields. ECC provides equivalent security to RSA with much smaller key sizes, making it the preferred cryptographic foundation for EUDI Wallet credential signing, device binding, and secure communication.

How Elliptic Curve Cryptography Works

ECC is based on the mathematical properties of elliptic curves -- smooth curves defined by equations of the form y² = x³ + ax + b over a finite field. The security of ECC relies on the Elliptic Curve Discrete Logarithm Problem (ECDLP): given two points P and Q on the curve where Q = kP (P added to itself k times, known as scalar multiplication), it is computationally infeasible to determine the integer k even though P and Q are both known. This one-way property is what makes public key cryptography possible.

In the EUDI Wallet, ECC key pairs work as follows: the private key is a randomly chosen large integer k, and the public key is the point Q = kP on the chosen curve (where P is a standardized generator point). The private key is stored in the device secure element and never leaves the hardware. The public key is shared with credential issuers during the OpenID4VCI issuance flow and embedded in the credential for device binding.

The efficiency advantage of ECC comes from the mathematical structure of elliptic curves. The best known attacks on the ECDLP run in fully exponential time, whereas the integer factoring problem that RSA relies on has sub-exponential algorithms, so ECC achieves equivalent security with much shorter keys. A 256-bit ECC key provides security equivalent to a 3,072-bit RSA key and a 128-bit symmetric key.

ECC in EUDI Wallet Credential Formats

Both credential formats used in the EUDI Wallet use ECC extensively:

  • SD-JWT credentials: The issuer signs the JWT payload using ECDSA with the ES256 algorithm (ECDSA on the P-256 curve with SHA-256). The device binding key (cnf claim) is an ECC public key. During presentation, the wallet creates a Key Binding JWT signed with the device ECC private key stored in the secure element.
  • ISO mdoc credentials: The issuer signs the Mobile Security Object (MSO) using ECDSA with P-256 or P-384. The device key in the MSO is an ECC public key. During presentation, the mdoc device authentication uses ECDSA to sign session data, proving the presenter controls the device key.
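The key pair construction (Q = kG) and the ES256 signing used for SD-JWT and the Key Binding JWT, shown as an added example that is not code from this page or from any EUDI Wallet project: a textbook P-256 implementation in pure Python with ECDSA producing the raw r||s signature JWS expects, a `jwk()` helper in the shape of the `cnf` claim, and `kb_jwt()` as an assumed minimal compact-JWS builder with the `kb+jwt` header type. It is educational only and not constant-time; a real wallet keeps k inside the secure element.

```python
# Added example (not from the page or any EUDI project): textbook P-256 + ECDSA (ES256).
import base64, hashlib, json, secrets
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # NIST P-256 field
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order of G
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
def add(p1, p2):                       # group law; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def mul(k, pt):                        # double-and-add scalar multiplication kP
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc
def on_curve(q):                       # public-key validation before any use
    return (q[1] ** 2 - q[0] ** 3 - A * q[0] - B) % P == 0
def keygen():                          # private k, public Q = kG
    k = secrets.randbelow(N - 1) + 1
    return k, mul(k, G)
def sign(k, msg):                      # ES256 signature: ECDSA/SHA-256, r||s (64 bytes)
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        t = secrets.randbelow(N - 1) + 1          # per-signature nonce, never reused
        r = mul(t, G)[0] % N
        s = pow(t, -1, N) * (e + r * k) % N
        if r and s: return r.to_bytes(32, "big") + s.to_bytes(32, "big")
def verify(q, msg, sig):               # verifier side: reject malformed r, s or key
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or not (0 < r < N and 0 < s < N and on_curve(q)): return False
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = add(mul(e * w % N, G), mul(r * w % N, q))
    return pt is not None and pt[0] % N == r
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def jwk(q):                            # public key as carried in the cnf.jwk claim
    return {"kty": "EC", "crv": "P-256", "x": b64u(q[0].to_bytes(32, "big")),
            "y": b64u(q[1].to_bytes(32, "big"))}
def kb_jwt(k, payload):                # assumed minimal compact JWS in Key Binding JWT shape
    h = b64u(json.dumps({"alg": "ES256", "typ": "kb+jwt"}).encode())
    p = b64u(json.dumps(payload).encode())
    return f"{h}.{p}." + b64u(sign(k, f"{h}.{p}".encode()))
```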

ECC is also used in the transport layer: TLS 1.3 connections between wallets and backend services use ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) for key exchange, providing perfect forward secrecy. This means even if a server's long-term key is later compromised, past communication sessions remain protected because each session used a unique ephemeral ECC key pair.

Key Size Comparison and Security Levels

The following comparison illustrates why ECC is preferred for resource-constrained environments like mobile wallets:

  • 80-bit security: ECC requires 160-bit keys vs RSA 1,024-bit keys (no longer considered secure).
  • 128-bit security: ECC requires 256-bit keys (P-256) vs RSA 3,072-bit keys. This is the standard EUDI Wallet security level.
  • 192-bit security: ECC requires 384-bit keys (P-384) vs RSA 7,680-bit keys. Used for higher assurance EUDI certificates.
  • 256-bit security: ECC requires 512-bit keys (P-521) vs RSA 15,360-bit keys. The maximum practical RSA size.

Sources

Information verified against official sources (2/16/2026)


⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.
