[mcstafford]

The section entitled "So what should you use instead?" doesn't make a suggestion of what to use instead...

[mundo]

> Trail of Bits recommends using Curve25519 for key exchange and digital signatures... it is implemented in libsodium, which has easy-to-read documentation and is available for most languages.

[tptacek]

You use ECDH to establish keys for sessions or files. You use ECDSA and ECC-Schnorr stuff like Ed25519 to sign things. That covers 99.9% of what RSA is used for. HTH.

[timothy-quinn]

This is how most critical articles of crypto end. They criticise the algorithm or system, and then don't offer much in the way of solutions.

They _do_ suggest using ECC, but in practice ECC support is super sporadic, and a lot of products charge extra for it.

[TwoBit]

Doesn't it say so in the last paragraph of that section?