Re: Elliptic curves, current status?
At 12:07 PM 11/25/95, James A. Donald wrote: ....
Can someone tell me the true story?
Not with any assurance. I don't trust my own knowledge yet. I think that the opinion is that the discrete log problem is harder with elliptic curves than for prime modulus arithmetic for numbers of a given size. That is why you can use fewer bits.

The inner loop in some elliptic curve systems is not multiply-add (as is the case with number fields) but other operations that are as efficient with gates but less efficient with normal machine instructions.

There are probably an order of magnitude more people that have studied and published about the problems of breaking prime modulus crypto than elliptic curves. Perhaps progress will be faster should elliptic curves be studied by more people. There are a lot of tricks to speed up discrete logs for prime modulus schemes that don't seem to work for elliptic curves.

There are many parameters to an elliptic curve crypto system. I haven't seen any taxonomy of which kinds are good and which have been shown to be weak. In contrast there seems to be a consensus about how to pick primes for RSA or Diffie-Hellman.

I am certainly no expert. Perhaps this will prompt comments from someone who can point to real information.
On Sun, 26 Nov 1995, Norman Hardy wrote:
There are many parameters to an elliptic curve crypto system. I haven't seen any taxonomy of which kinds are good and which have been shown to be weak. In contrast there seems to be a consensus about how to pick primes for RSA or Diffie-Hellman.
The IEEE p1363 group's working draft on elliptic curve standard may help you here. You can find it at ftp://ftp.rsa.com/pub/p1363/draft/ec.ps

One reason for confusion about the speed of elliptic curve cryptosystems is the small number of implementations. A paper in Crypto 95 claimed that for doing key exchange, an elliptic curve algorithm takes about the same time and has about the same level of security as DH with 512 bit modulus, and that elliptic curve has a speed advantage if greater security is desired.

Wei Dai