The best size for an RSA modulus depends on one's security needs. The
larger the modulus, the greater the security but also the slower the
RSA operations. One should choose a modulus length upon consideration,
first, of one's security needs, such as the value of the protected data
and how long it needs to be protected, and, second, of how powerful
one's potential enemy is. It is also possible that a larger key size
will allow a digitally signed document to be valid for a longer time;
see Question 3.3.17.
A good analysis of the security obtained by a given modulus length is given
by Rivest, in the context of discrete logarithms modulo a prime, but it
applies to RSA as well. Rivest's estimates imply that a 512-bit modulus can
be factored with an $8.2 million effort, and with less in the future. It may
therefore be advisable to use a longer modulus, perhaps 768 bits in length.
Those with extremely valuable data (or large potential damage from digital
forgery) may want to use a still longer modulus. A certifying authority
(see Question 3.3.5) might use a modulus of length 1000 bits or
more, because the validity of so many other key pairs depends on the
security of the one central key.
The key of an individual user will expire after a certain time, say, two
years (see Question 3.3.12). Upon expiration, the user will
generate a new key which should be at least a few digits longer than the
old key to reflect the speed increases of computers over the two years.
Recommended key length schedules will probably be published by some
authority or public body.
Users should keep in mind that the estimated times to break RSA are
averages only. A large factoring effort, attacking many thousands of
RSA moduli, may succeed in factoring at least one in a reasonable time.
Although the security of any individual key is still strong, with some
factoring methods there is always a small chance that the attacker may
get lucky and factor it quickly.
As for the slowdown caused by increasing the key size (see Question 3.2.3), doubling the modulus length would, on average, increase the time required for public-key operations (encryption and signature verification) by a factor of 4, and increase the time taken by private key operations (decryption and signing) by a factor of 8. The reason that public-key operations are affected less than private-key operations is that the public exponent can remain fixed when the modulus is increased, whereas the private exponent increases proportionally. Key generation time would increase by a factor of 16 upon doubling the modulus, but this is a relatively infrequent operation for most users.
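The factors of 4, 8 and 16 quoted above can be checked against a simple operation-count model. The following is an added example, not part of the original FAQ; it assumes square-and-multiply exponentiation with schoolbook (quadratic-cost) modular multiplication, a fixed public exponent of 65537, a secret exponent of full modulus length with average Hamming weight, and a prime search that tests a number of candidates proportional to the prime's bit length.

```python
# Added cost model (not from the FAQ): counts word operations for the RSA
# primitives under square-and-multiply with schoolbook modular multiply,
# then compares an n-bit modulus with a 2n-bit one.

PUBLIC_EXPONENT = 65537  # assumption: the usual fixed public exponent e

def modexp_cost(exponent: int, modulus_bits: int) -> int:
    """Word operations for b**exponent mod N by left-to-right
    square-and-multiply. Each modular multiplication (multiply plus
    reduction) is charged modulus_bits**2, the schoolbook cost."""
    squarings = exponent.bit_length() - 1
    multiplies = bin(exponent).count("1") - 1
    return (squarings + multiplies) * modulus_bits ** 2

def average_exponent(bits: int) -> int:
    """Constructed stand-in for a secret exponent d of the given length:
    alternating bits, so the Hamming weight is the average (half the bits).
    It is not a real key; only its bit pattern matters to the model."""
    return int("10" * (bits // 2), 2)

def keygen_cost(modulus_bits: int) -> int:
    """Cost of finding the two (modulus_bits/2)-bit primes p and q. By the
    prime number theorem the number of candidates to test grows linearly
    with the bit length; each primality test is one full-length modexp
    modulo the candidate (a Fermat or Miller-Rabin round)."""
    half = modulus_bits // 2
    candidates_per_prime = half  # constant factors cancel in the ratios
    test_cost = modexp_cost(average_exponent(half), half)
    return 2 * candidates_per_prime * test_cost

def doubling_factors(modulus_bits: int) -> dict:
    """Slowdown factors when the modulus grows from modulus_bits to 2x."""
    small, large = modulus_bits, 2 * modulus_bits
    return {
        # e stays 65537: only the per-multiplication cost grows (n^2)
        "public": modexp_cost(PUBLIC_EXPONENT, large)
                  / modexp_cost(PUBLIC_EXPONENT, small),
        # d grows with the modulus: more multiplications, each costlier (n^3)
        "private": modexp_cost(average_exponent(large), large)
                   / modexp_cost(average_exponent(small), small),
        # more candidates, each tested with a costlier modexp (n^4)
        "keygen": keygen_cost(large) / keygen_cost(small),
    }

if __name__ == "__main__":
    for name, factor in doubling_factors(1024).items():
        print(f"{name:8s} x{factor:.2f}")
```

The model reproduces the FAQ's factors (4, 8 and 16) for doubling from 1024 to 2048 bits; the small excess over 8 and 16 comes from the constant terms in the multiplication count, which vanish as the modulus grows.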