| > For instance, most CPUs nowadays support 256-bit AES without resorting to bitslicing. If you have the advantage of only working with newer hardware, this is true. But it's not immediately obvious whether or not your CPU supports 256-bit AES-NI without e.g. benchmarking OpenSSL. The point isn't "AES-256 almost never supports AES-NI" (although that used to be true). It's that naively saying "biggest rock is best rock" doesn't always hold true. > If you have to use RSA for some reason is there any scenario where you wouldn't also want 4096-bit keys? You're sacrificing performance for a hypothetical security gain that probably won't matter. If 2048-bit RSA gets implicated by some new attack, it's more likely that 256-bit ECC will save you than 4096-bit RSA. > https://latacora.micro.blog/2018/04/03/cryptographic-right-a... is an alternate, arguably better, source of information. When people are asking for a guide on Cryptographic Right Answers, I always point people to that page. The questions I wanted to address are about key size. And the point I wanted to stress was, "There are usually other factors that are far more important to consider than just the size of the key." If I see a system that uses RSA to encrypt, I care more about it not using textbook RSA or poorly-implemented PKCS#1v1.5 padding than I do about 2048-bit vs 4096-bit keys. |