by hujun 1075 days ago
`That is, if it costs very little to have larger keys, why not have larger keys?` It is often very expensive/difficult to change the length of an RSA key that is part of an existing platform/infrastructure, like a key in TPM/HSM/CA infrastructure, regardless of how fast computer CPUs are.
1 comment

But RSA has been on its way out for a long time, and short-keyed RSA doubly so. I would estimate that since maybe 2015ish, deploying stuff that is coupled to 2048-bit RSA would have been a mistake. That gives a generous 15ish year transition period. Anyone who cares even the slightest should succeed in transitioning in that sort of timeframe.
Why would deploying 2048-bit RSA be a mistake? If you believe 2048 is threatened in a meaningful time frame, when 1024 hasn't even been broken (thus sort of implying that the collapse of 2048 will occur in a much shorter time frame than the one separating 512 and 1024), is there any realistic RSA key size that should make you comfortable?
3 reasons:

1. It's reasonable to assume the NSA is a decade ahead and has more computers than academia.

2. You want your secrets to last a decade (or longer).

3. The total amount of data you're encrypting per client is only 256 bits anyway (the size of a symmetric key), so the absolute performance impact is relatively minimal.