A significant burden would be if implementations didnâ€™t allow selecting unusual key sizes. In my experience, enough common applications support uncommon key sizes, for example GnuPG, OpenSSL, OpenSSH, FireFox, and Chrome

There are rumors it might be harder to decrypt non standard key lengths because of a specific software customization and optimization can be needed. So I guess if the key length is floating, say changed semi automatically and randomly (say in a range of 4000+RND*96) daily or weekly it may be even harder.

Desktop OpenPGP GnuPG is known to work with non standard RSA key lengths, most likely OpenSSH can do it too.

But I guess OpenPGP JavaCard firmware shall support it in the first place to be usable.

Good point about needing a custom implementation, but again, that would not be a problem for a skilled cryptographic algorithms programmer. Even worse, using custom lengths might introduce unintended side-effects, like secret data leakage, while the common key sizes execution paths seem to be audited and proven. For ECC leaking even 1 bit is catastrophic for the key strength - see this article: LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage.

1024-bit RSA requires 2051 qubits (1024 Ă— 2 + 3) and 160-bit ECC requires far more than 320 (it requires 160 Ă— 6 = 960). RSA can be broken with 2n + 3 qubits, whereas ECC can be broken with 6n .

It would take about 8K qubits to break RSA 40xx keys and about 3K qubits to break a ecc521.

RSA looks more strong in terms of a break by a quantum computer and it may be not convenient to permanently change amount of involved qubits it RSA key size floats often? Sorry if I am wrong about â€śinvolved qubitsâ€ť, I hardly understand how it works and do not even have any imagination about how to reconfigure their breaking algorithms for different key sizes.

Please suggest, is following supported by HSM2 and PRO2?

The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
algorithms have the advantage of using the same key type as
â€śssh-rsaâ€ť but use the safe SHA-2 hash algorithms. These have been
supported since OpenSSH 7.2 and are already used by default if the
client and server support them.

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 hash algorithm for less than USD$50K. For this reason, we will
be disabling the â€śssh-rsaâ€ť public key signature algorithm that depends
on SHA-1 by default in a near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

I have tried a software 16K RSA key, it generated fine, authentication worked too, but log contains a record like: debug1: Server accepts key: pkalg ssh-rsa blen 2071

Not sure after that, does it use true 16K RSA key size or a cut key to 2071 bits:

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /download/rsa16k/test_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 2071

How can I verify actual key length is used?
Would for NK RSA 4096 key it work any different?