This article criticizes the use of the RSA encryption system:
Since many PGP implementations use RSA by default some comments are in order. Some of the problems highlighted by the writer are not applicable to the applications that PGP is usable for. Some specific comments:
The writer mostly talks about common implementation errors. PGP has been using RSA for a very long time now. There is no real chance that there are any of those errors in the PGP code.
There is no incentive to incorrectly optimize for performance in the PGP case because of the PGP encrypt_once scheme. The RSA operation is only performed once per encrypt and once per signature.
The writer has a section on padding oracle attacks. Such attacks are not applicable to PGP simply because the encryption is only done once and there is no reverse channel.
The writer ends with a discussion of alternatives to RSA. The writer says this:
… the math behind ECC is so complicated that very few people feel confident enough to actually implement it. In other words, it intimidates people into using libraries built by cryptographers who know what they’re doing. RSA on the other hand is so simple that it can be (poorly) implemented in an hour.
In other words; the ECC encryption method is superior because it is significantly more complex than RSA. That is at the end of an article that talks about how hard RSA is to get right. This is not a compelling argument.