If 256-bit private key is secure enough for Bitcoin and Ethereum then why people are moving from 1024 to 2048-bit RSA for day-to-day cryptographic operations (such as ssh) and even this can be not enough in a several decades?
Is checking that an ECDSA private key corresponds to a public address getting that(!) more time than checking that a RSA private key corresponds to a public key? It should be at least 2^768 times slower.
Or ECDSA gives that much less collisions?
Or there are some other reasons?
