If RSA 3072 is equal to 128 bit symmetric and 2048 is equal to 112 bit symmetric then 128-112= 16 and 2^16= 65,536. In that case wouldn't this make 3072 more future proof against quantum computers or does Shor's algorithm mean they will both be equally useless?
Also, how many bits of symmetric is RSA 4096 equal to?
If RSA 3072 is equal to 128 bit symmetric and 2048 is equal to 112 bit symmetric...
To be precise, a 2048 bit composite is estimated to take approximately $2^{112}$ operations using the Number Field Sieve algorithm; 3072 bit composites are estimated to take approximately $2^{128}$ operations using that same operation.
Since the Number Field Sieve (NFS) algorithm is the fastest factoring algorithm known on a classical computer for large general composites, this is taken as the work estimate
In that case wouldn't this make 3072 more future proof against quantum computers or does Shor's algorithm mean they will both be equally useless?
Once we bring Quantum Computers and Shor's algorithm into the mix, that opens up another algorithm that is potentially more efficient than NFS. And, for Shor's, 3072 bit integers isn't that much more difficult that 2048 bit ones.
Q: RSA 3072 is 65,536 more difficult to factor than 2048? If RSA 3072 is equal to 128 bit symmetric and 2048 is equal to 112 bit symmetric then 128-112= 16 and 2^16= 65,536.
Basically yes.
Q: In that case wouldn't this make 3072 more future proof against quantum computers or does Shor's algorithm mean they will both be equally useless?
The point of quantum computing is that the above calculation doesn't work anymore. It solves the problem in polynomial time. From Wikipedia:
On a quantum computer, to factor an integer $N$, Shor's algorithm runs in polynomial time (the time taken is polynomial in log $N$, which is the size of the input). Specifically it takes quantum gates of order $O((\log N)^2(\log \log N)(\log \log \log N))$ using fast multiplication ...
As you can see, larger $N$ will still slow down the attack, but not as much as classical attacks. Furthermore, higher values of $N$ also require additional Qbits. Currently the number of Qbits and noise are the main culprits of building larger quantum computers.
In short, you'd need more time and especially a more complex quantum computer to attack larger key sizes. The current quantum computers we know about only handle toy key sizes.
That said, the quantum computer would not have to grow exponentially, and if they are able to factor large keys then the big problems facing QC have probably been overcome. So choosing a larger key size will have limited value; hence the quest for practical quantum resistant algorithms by e.g. NIST.
Q: Also, how many bits of symmetric is RSA 4096 equal to?
Well, the actual algorithm is rather complex, but here's the result from WolframAlpha using the input of this Q/A: about 156 bits (which is somewhat in-betweenish, so you won't find it in the pre-calculated tables).
Obviously, that's without taking QC into account. Note that symmetric primitives are much more resistant against GC attacks, so the above calculation will fail. I'll leave it as an exercise to calculate the equivalent symmetric key size using Shor's algorithm ;)
