Bruce Schneier noted in the latest 'Crypto-Gram' a paper on key sizes written by Arjen Lenstra and Eric Verheul: http://www.cryptosavvy.com The paper explains the methods used to arrive at various estimates. One interesting note is the expected weakness of the US Digital Signature Standard (DSS) - it is recommended for commercial applications only until about 2002 (for the field size) and about 2013 for hashes. They also note that NIST is working on a replacement of the DSS with longer key sizes. The Crypto-Gram newsletter is at: http://www.counterpane.com/labs.html
