7.3. Selecting Public Key Sizes
You’ve decided to use public key cryptography, and you need to know what size numbers you should use in your system. For example, if you want to use RSA, should you use 512-bit RSA or 4,096-bit RSA?
There’s some debate on this issue. When using RSA, we recommend a 2,048-bit instantiation for general-purpose use. Certainly don’t use fewer than 1,024 bits, and use that few only if you’re not worried about long-term security from attackers with big budgets. For Diffie-Hellman and DSA, 1,024 bits should be sufficient. Elliptic curve systems can use far fewer bits.
The commonly discussed " bit size” of an algorithm should be an indication of the algorithm’s strength, but it measures different things for different algorithms. For example, with RSA, the bit size really refers to the bit length of a public value that is a part of the public key. It just so happens that the combined bit length of the two secret primes tends to be about the same size. With Diffie-Hellman, the bit length refers to a public value, as it does with DSA. In elliptic curve cryptosystems, bit length does roughly map to key size, but there’s a lot you need to understand to give an accurate depiction of exactly what is being measured (and it’s not worth understanding for the sake of this discussion—“key size” will do!).
Obviously, we can’t always compare numbers directly, even across public key algorithms, never mind trying to make a direct comparison to ...