How to choose the right algorithm
For encrypting files and messages
AES-256 is the gold standard. It is fast, secure, and used everywhere — TLS, disk encryption, VPNs, and more. Use AES-256-GCM for authenticated encryption. ChaCha20-Poly1305 is a strong alternative, especially on mobile devices without hardware AES acceleration.
For key exchange and digital signatures
ECC (P-256 or P-384) is the modern choice over RSA — it provides equivalent security with much smaller keys. RSA-2048 is still widely deployed but RSA key sizes need to be at least 3072 bits for long-term security.
For post-quantum readiness
Kyber (ML-KEM) is the NIST-standardized replacement for RSA and ECDH key exchange. Dilithium (ML-DSA) replaces ECDSA and RSA signatures. SPHINCS+ (SLH-DSA) is the most conservative option — based only on hash functions.
What to avoid
DES was broken in 1997 and must never be used. 3DES is deprecated since 2023 (NIST SP 800-131A). Blowfish has a 64-bit block size making it vulnerable to birthday attacks in large data scenarios — use AES instead.
Classical vs Post-Quantum security levels
| Classical algorithm | Classical security | Post-quantum security | Recommendation |
|---|---|---|---|
| AES-128 | 128-bit | 64-bit (Grover) | Use AES-256 for long-term |
| AES-256 | 256-bit | 128-bit (Grover) | Safe for long-term use |
| RSA-2048 | 112-bit | Broken (Shor) | Migrate to Kyber |
| ECC P-256 | 128-bit | Broken (Shor) | Migrate to Kyber/Dilithium |
| Kyber-768 | 192-bit | 192-bit | NIST recommended |
| Dilithium3 | 192-bit | 192-bit | NIST recommended |