In 1976, before RSA, Diffie and Hellman proposed a system for key
exchange only; it permits secure exchange of keys in an otherwise
conventional secret-key system. This system is in use today.

Cryptosystems based on mathematical operations on elliptic curves have also
been proposed, as have cryptosystems based on discrete exponentiation in
the finite field *GF*(2^{n}). The latter are very fast in hardware; however,
doubts have been raised about their security because the underlying problem
may be easier to solve than factoring. There are also some probabilistic
encryption methods, which have the attraction of being resistant to a
guessed ciphertext attack (see Question 3.2.5), but at a
cost of data expansion. In probabilistic encryption, the same plaintext
encrypted twice under the same key will give, with high probability, two
different ciphertexts.

For digital signatures, Rabin proposed a system which is provably
equivalent to factoring; this is an advantage over RSA, where one may
still have a lingering worry about an attack unrelated to factoring.
Rabin's method is susceptible to a chosen message attack, however, in
which the attacker tricks the user into signing messages of a special
form. Another signature scheme, by Fiat and Shamir, is based on
interactive zero-knowledge protocols, but can be adapted for
signatures. It is faster than RSA and is provably equivalent to
factoring, but the signatures are much larger than RSA signatures.
Other variations, however, lessen the necessary signature length; see
for references. A system is ``equivalent to factoring'' if recovering
the private key is provably as hard as factoring; forgery may be easier
than factoring in some of the systems.

Advantages of RSA over other public-key cryptosystems include the fact that it can be used for both encryption and authentication, and that it has been around for many years and has successfully withstood much scrutiny. RSA has received far more attention, study, and actual use than any other public-key cryptosystem, and thus RSA has more empirical evidence of its security than more recent and less scrutinized systems. In fact, a large number of public-key cryptosystems which at first appeared secure were later broken.