Well, RSA can be broken by integer factoring, and for factoring there is a subexponential time algorithm, namely the number field sieve, which will factor N-bit-long integers in time of order about 2^O(cuberoot(N)). Consequently to get security with RSA you need very large numbers, say 1024 bits long, which makes it slow. Meanwhile for elliptic curve cryptosystems, only ways I know to break them take exponential time, 2^O(N) using N-bit long integers. You can get security using integers only say 128 bits long. (Note: I am not being careful here about my security estimates, but other people have tried to carefully estimate security and how many bits you need.) More security in less time with less memory. And the underlying reason is: that integers mod primes form a field, and integers a ring, whereas for elliptic curves, we only have a mere group. Point of that is, there is more mathematical structure usable for attacking the RSA cryptosystem than elliptic curve systems. Which is why they were able to develop subexponential attacks. It is more of a pain to use elliptic curve systems since you need to find a good curve, etc, which is not trivial. In contrast for RSA, finding suitable primes is pretty easy. However, that only needs to be done once, then the whole world can use just that one curve forever after. Standardize a good one. Both methods are breakable with a quantum computer. There are public key cryptosystems hopefully immune to quantum computers but the last time I looked they were not attractive to me in the sense they need a lot of time and memory -- Warren D. Smith http://RangeVoting.org <-- add your endorsement (by clicking "endorse" as 1st step)