
Here is a nice discussion of what happens when you don't validate your elliptic curve parameters properly:

* https://research.nccgroup.com/2021/11/18/an-illustrated-guid...

The highlight here is that in some cases, failure to properly validate gets an attacker the secret key material.

Note all the conditional bits. Different curves have different properties and different issues. There are a bunch of different curves in common use while RSA pretty much always uses the same value for the parameter these days (RSA literally has just one parameter. The exponent.).
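An added example, not part of the thread or the linked article: one form of the validation the comment above refers to, checking that a peer's public point really lies on the curve before it is used in ECDH. NIST P-256 and the SEC1 uncompressed encoding are assumptions chosen for illustration, and the function names are hypothetical.

```python
# Added example: reject a peer's public key unless it is a point on NIST P-256.
# Curve choice, encoding (SEC1 uncompressed) and all names are assumptions.

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


class InvalidPublicKey(ValueError):
    """Raised when an encoded point fails validation."""


def encode_point(x: int, y: int) -> bytes:
    """SEC1 uncompressed form: 0x04 || X || Y, 32 bytes per coordinate."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def parse_and_validate(encoded: bytes) -> tuple:
    # The point at infinity is encoded as the single byte 0x00, so the
    # length/prefix check also rejects it.
    if len(encoded) != 65 or encoded[0] != 0x04:
        raise InvalidPublicKey("expected a 65-byte uncompressed point")
    x = int.from_bytes(encoded[1:33], "big")
    y = int.from_bytes(encoded[33:], "big")
    if x >= P or y >= P:
        raise InvalidPublicKey("coordinate is not reduced modulo p")
    # Standard addition formulas never use B, so without this check an
    # off-curve point is processed as a point on some other curve.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise InvalidPublicKey("point is not on the curve")
    # P-256 has cofactor 1: every on-curve point is in the prime-order group.
    return x, y


def is_valid(encoded: bytes) -> bool:
    try:
        parse_and_validate(encoded)
        return True
    except InvalidPublicKey:
        return False


if __name__ == "__main__":
    print(is_valid(encode_point(GX, GY)))      # the P-256 generator
    print(is_valid(encode_point(GX, GY + 1)))  # constructed off-curve point
```

Curves with a cofactor greater than 1 need an additional subgroup check, which is one of the per-curve differences the comment points to.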




The article discusses this; the difference is that ECC parameters can be chosen before library-development time by expert cryptographers, and all the developers have to do when actually developing the library is to generate random bits. The obviously complex mathematics of EC intimidate the non-experts away from trying to roll their own implementation and push them towards the most trusted expert implementation, while the false superficial simplicity of RSA seduces non-experts into greenspunning their own implementations or using a greenspunned implementation without too much thought.

>RSA literally has just one parameter. The exponent.

How so? The 2 most important parameters are p and q, which have so many caveats and constraints on them that you lose track of them by the midpoint of the article, and you have to generate them privately so you can't offload this to non-affiliated cryptographers.


p and q are not parameters, they're the secret key. A "parameter" in this sense is a constant that defines the behavior of the algorithm that all users of the algorithm must agree on, otherwise they can't communicate.


In every RSA primer and cryptography reference that I'm aware of, p and q are considered parameters. Their nature as secret keys is merely a qualifier ("secret parameters").


>The obviously complex mathematics of EC intimidate the non-experts away from trying to roll their own implementation and push them towards the most trusted expert implementation...

My experience is that programmers are not so easily intimidated. If anything, complexity is an attractant...


Why would someone create their own parameters for deployment and not strictly research? There are plenty of curves studied by academic experts out there that aren't even NIST.



