2019 Guide to Cryptographic Key Sizes and Algorithm Recommendations

In libraries such as Defuse Security’s PHP encryption library, where each message’s AES key is derived with HKDF-HMAC-SHA256 with a random 256-bit salt, there isn’t an immediately obvious avenue for exfiltrating the master key since each message is encrypted under a different AES key. Since most AES keys are exchanged using asymmetric cryptography, opting for a 256-bit key probably won’t be enough to protect your message confidentiality against a quantum attacker. Use, in order of preference:

The security of a 256-bit elliptic curve cryptography key is about even with 3072-bit RSA.

Source: paragonie.com