Isn't RSA the best assymmetric crypto system for when you do need that? I mean, I get it for signatures, key exchange and data encryption it should be avoided but what else is there for symmetric key encryption such as how S/MIME uses it for example. I always thought RSA+OAEP with >= 4096 bits was an acceptable way to encrypt symmetric key material for transport.
I only know of PGP as the alternative which isn't well supported in many environments (especially commercial).
> Encryption needs to be done using a protocol called ECIES which combines an elliptic curve key exchange with a symmetric encryption algorithm.
kex+symmetric encryption is not the same as actually encrypting the symmetric key for transport. In situations where you need the recipient to decrypt it with only their private key and the symmetric key must be anything other than (EC)DH derived key, this does not work
I only know of PGP as the alternative which isn't well supported in many environments (especially commercial).