The case for using 2048 bits instead of 4096 bits
- Some hardware (many smart cards, some card readers, and some other devices such as Polycom phones) don’t support anything bigger than 2048 bits.
- Uses less CPU than a longer key during encryption and authentication
- Using less CPU means using less battery drain (important for mobile devices)
- Uses less storage space: while not an issue on disk, this can be an issue in small devices like smart cards that measure their RAM in kilobytes rather than gigabytes
So in certain situations, there are some clear benefits of using 2048 bit keys and not just jumping on the 4096 bit key bandwagon
The case for using 4096 bits
- If an attack is found that allows a 2048 bit key to be hacked in 100 hours, that does not imply that a 4096 bit key can be hacked in 200 hours. The hack that breaks a 2048 bit key in 100 hours may still need many years to crack a single 4096 bit key. It is also worth noting that simply adding 1 bit (going from 1024 bits to 1025 bits) does not double the effort to crack the key, each extra bit adds some security but a little bit less than what was gained with the previous bit. There is a law of diminishing returns with RSA key length.
- Some types of key (e.g. an OpenPGP primary key which is signed by many other people) are desirable to keep for an extended period of time, perhaps 10 years or more. In this context, the hassle of replacing all those signatures may be quite high and it is more desirable to have a long-term future-proof key length.