This review of a book on elliptic curves summarizes what has happened with public-key cryptography. In a nutshell, methods like RSA were the first generation, and elliptic curve methods are the second generation.
Second-generation methods provide more security per bit. For example, an RSA key with 3072 bits is no more secure than an elliptic curve key with 256 bits.
Sadly, the proliferation of patents on computer-implemented mathematics means it will probably be 10 years or more before we see ECC widely adopted. (If pressed, I would give a 90% confidence range of 5 to 15 years of patent encumbrances outweighing the benefits.)
Well, I wouldn’t say that the claim is quite accurate: there is no reduction from breaking 256-bit ECC to breaking 3072-bit RSA; this is just an estimate based on our current best approaches for breaking both.
I wonder if RSA is like JPEG in that it’s here to stay even though there might be something theoretically better out there. Are industries going to switch without a pressing need? Claims about “power savings” seem a bit far-fetched to me, though I’m no expert. Aren’t RSA etc. used just to set up the communication, after which a faster non-public-key crypto technique is used?
It’s not clear that key length is really the right metric here. How often does it matter whether your key is 256 bits or 3072 bits? Aren’t 256-bit ECC and 3072-bit RSA quite similar in CPU time cost?
Sorry, that was a bit too compressed. For the avoidance of doubt, I’m not saying that CPU time is the only thing that matters. Though it might turn out that it is, if — as seems likely — the network bandwidth cost of asymmetric crypto keys is negligible.