That's not the consensus. Check out this cool site that lets you explore recommendations: http://keylength.com .

Here is what it says if you ask it what is equivalent to 256-bit ECC keys:

http://tahoe-lafs.org/~zooko/Keylength%20-%20Compare%20all%20Methods.html

Only the German standards body, BSI, thinks that a 256-bit ECC key is equivalently strong to a 2048-bit DSA key. The other researchers range from 3072- up to 4440-bit DSA keys as being as strong as 256-bit ECDSA keys!

]]>http://www.crypto.rub.de/imperia/md/content/texte/theses/kumar_diss.pdf

It mentions in detail the Elliptic Curve Diffie-Hellman (ECDH) protocol (which OpenSSH 5.7 and later supports as well) which is possible on these devices without a cryptographic processor.

Anyway, FYI.

]]>Nope, it's not a typo. I do in fact mean 521 bits. Here's the RFC: http://www.faqs.org/rfc/rfc4754.txt

When I'm talking about the algorithm, I'm referring to the encryption/decryption algorithm. ECC doesn't depend on S-boxes, so it can achieve higher cycles per byte than most other algorithms.

Also, because it's based on the algebraic properties of elliptic curves, rather than factoring large primes, the math is an order of magnitude lighter to compute, thus it's great for embedded systems, lower-end CPUs, etc. Even the LOC to implement ECC in any specific language is less than traditional AES, 3DES, RSA, DSA and other algorithms.

]]>Perhaps you mean 512? 521 is an.. odd number.

When you say "the algorithm is faster and lighter", do you mean the key generation only, or the encrypt/decrypt cycle?

]]>