Setting quantum computers aside, what are the main directions classical cryptography is heading, and why is ECC displacing RSA?
ECC is replacing RSA because it reaches the same security with roughly a tenth of the key — and therefore a tenth of the signature size — which is decisive for smartcards and certificates. Alongside that, authenticated-encryption modes are evolving past GCM, and very long-lived signatures still need very large RSA keys.
ECC over RSA. At a 128-bit security level RSA needs 3072 bits but ECC only 256 — about a 10:1 ratio that widens as security rises (at 256-bit security it is 15360 vs 512, roughly 30:1). Smaller keys mean smaller signatures, which is a huge win where space and bandwidth are tight (chip cards, certificates, IoT). It also helps performance: an asymmetric operation's cost grows cubically, so doubling an RSA key multiplies work by 6–8×, whereas ECC's much smaller sizes keep that growth cheap.
Long-term archival is the exception. To keep a signature verifiable for decades, you must over-provision today: estimates call for RSA keys of 7–15 kbit (or ECC-512) paired with a strong hash such as SHA3-512, because you cannot re-sign an archived document later.
Authenticated encryption keeps evolving. GCM is the current workhorse but has known weaknesses, so the CAESAR competition selected successors (ACORN, AEGIS) that will spread over time.
Tip: The other headline direction — quantum-resistant (post-quantum) algorithms — is covered on its own card; here the theme is that even without quantum computers, the field keeps shifting toward smaller, faster, and longer-lived primitives.
Go deeper:
Elliptic-curve cryptography (Wikipedia) — why ECC matches RSA security at a fraction of the key size.