What about RSA (as a simple cryptosystem)?
--Too slow or insecure. Say you are encrypting N-bit message using N-bit key. Then the following time and security formulas hold approximately for N large (ignoring constant factors and sometimes log factors). "Fast" denotes fast FFT-based arithmetic. "Security" is kind of a guess, not proven at least until we know P unequal NP. SYSTEM....TIME.....SECURITY slowRSA........N^3............N^(1/3) fastRSA........N^2*logN.....N^(1/3) slowECC.......N^3.............N^(1/2) fastECC........N^2*logN.....N^(1/2) Feistel...........N^2*logN......N I said for my question I did not care about speed so much... but you've got to be in the right ballpark on speed. I'll forgive a factor 10 or even 100 speed loss -- but squaring or cubing the runtime to reach same security level, that seems too much.