Key strengths, and their equivalences, become meaningless when they reach the zone of "cannot be broken with existing and foreseeable technology", because there is no such thing as more secure than that. It is a common reflex to try to think of key sizes as providing some sort of security margin, but this kind of reasoning fails beyond some point.

Basically, the best known algorithms for breaking RSA, and for breaking elliptic curves, were already known 25 years ago. Since then, breaking efficiency has improved because of faster computers, at a rate which was correctly predicted. It is a tribute to researchers that they could, through a lot of fine tuning, keep up with that rate, as shown on this graph:

(extracted from this answer).

The bottom-line is that while a larger key offers longer predictable resistance, this kind of prediction works only as long as technology improvements can be, indeed, predicted, and anybody who claims that he knows what computers will be able to do more than 50 years from now is either a prophet, a madman, a liar, or all of these together.

50 years from now, the optimistic formula given in the answer quoted above ((year - 2000) * 32 + 512) means that, at best, RSA records could contemplate approaching 2592 bits.

The conclusion is that there is no meaningful way in which 3000-bit and 4000-bit RSA keys could be compared with each other, from a security point of view. They both are "unbreakable in the foreseeable future". A key cannot be less broken than not broken.

An additional and important point is that "permanent" keys in SSH (the keys that you generate and store in files) are used only for signatures. Breaking such a key would allow an attacker to impersonate the server or the client, but not to decrypt a past recorded session (the actual encryption key is derived from an ephemeral Diffie-Hellman key exchange, or an elliptic curve variant thereof). Thus, whether your key could be broken, or not, in the next century has no importance whatsoever. To achieve "ultimate" security (at least, within the context of the computer world), all you need for your SSH key is a key that cannot be broken now, with science and technology as they are known now.

Another point of view on the same thing is that your connections can only be as secure as the two endpoints. Nothing constraints your enemies, be they wicked criminals, spies or anything else, to try to defeat you by playing "fair" and trying to break your crypto upfront. Hiring thousands upon thousands of informants to spy on everybody (and on each other) is very expensive, but it has been done, which is a lot more than can be said about breaking a single RSA key of 2048 bits.

I recommend the Secure Secure Shell article, which suggests:

ssh-keygen -t ed25519 -a 100

Ed25519 is an EdDSA scheme with very small (fixed size) keys, introduced in OpenSSH 6.5 (2014-01-30) and made default ("first-preference") in OpenSSH 8.5 (2021-03-03). These have complexity akin to RSA at 4096 bits thanks to elliptic curve cryptography (ECC). The -a 100 option specifies 100 rounds of key derivations, making your key's password harder to brute-force.

However, Ed25519 is a rather new key algorithm (Curve25519's popularity spiked only when it was surmised that other standards had been diluted) and its adoption is not yet universal. Large steps were made in 2018, so we're nearly there, but on older systems or for older servers (like CentOS/RHEL < 7 or Ubuntu < 15.04), you can generate a similarly-complex RSA key with 4096 bits:

ssh-keygen -t rsa -b 4096 -o -a 100

(You may need to omit the -o option since it requires OpenSSH 6.5+ and is the default starting in v7.8, at which point it was removed from the ssh-keygen man page. This dictates usage of a new OpenSSH format to store the key rather than the previous default, PEM. Ed25519 requires this new format, so we do not need to explicitly state it given -t ed25519. A previous man page stated that “the new format has increased resistance to brute-force password cracking.” See this answer for more detail.)

Do not consider the other new ECC algorithm called ECDSA. It is considered suspect (it has known weaknesses and since the US government has been involved in its development, it may be compromised beyond that). Ed25519 was developed without any known government involvement.

Stay well away from DSA (“ssh-dss”) keys: they're not just suspect, DSA is insecure.

Right, welcome to a crypto-nerd battle. Let's try and break this down.

Key length: ed25519 is from a branch of cryptography called "elliptic curve cryptography (ECC)". RSA is based on fairly simple mathematics (multiplication of integers), while ECC is from a much more complicated branch of maths called "group theory". In short: ECC keys can be much shorter and give you the same security level because the mathematical problem they are based on is much more complex. This is far deeper than formatting differences. That's a bit like saying that index cards at the library vs google is a formatting difference.

Security: people tend to like ECC over RSA because the keys are smaller and the computations are faster for the same security level. Below is a table showing the security level comparison of RSA (labeled as Integer Factorization, or IF) vs ECC [source]. You can see that ECC keys really do get the same job done with a smaller key.

So you want to compare RSA-4096 (not in the above table) against ed25519 which has ~ 140 bits of security and is comparable to ~ 3000 bit RSA according to its inventor. Remember that bits is a log scale: 129 bits is twice as secure as 128 bits; 140 bits is 2¹² = ~4000x as secure as 128, so RSA-4096 might win, but really, anything above 128 bits of security is overkill unless you happen to be a military organisation or a bank.

For putting thumbtacks into your wall, should you use a sledgehammer or a wrecking ball? The correct answer is: whatever.

Yes, Ed25519 provides the existential unforgeability property. There is a nice work that studies the different variants of Ed25519 signatures

https://eprint.iacr.org/2020/823.pdf

As specified in that document, the different variants of ed25519 provide different security properties, but all are existentially unforgeable under chosen message attacks.

Indeed, as you point out, if an adversary could forge valid signatures to messages not signed by the key owner, the security of the blockchain could be compromised.

Yes.

ED25519 key fingerprint is...

This is not related to your id_rsa/id_rsa.pub key pair.

It is related to the remote host (github.com) has its own key, whose fingerprint you must accept, updating your ~/.ssh/known_hosts.

The reason you're seeing an ECDSA key being offered is that OpenSSH prefers ECDSA over Ed25519 keys.

This is less a comment on the security, as most folks agree that Ed25519 keys are just as secure (or more) as 256-bit ECDSA keys, and more for backwards compatibility.

When OpenSSH added Ed25519 keys, if they had been prioritized over ECDSA keys, then a changed host key error would show up when logging in the next time.

You can see those fingerprints in "GitHub’s SSH host keys are now published in the API"

Simply answer 'yes' to the 'authenticity' question, and then your key will be used to establish a connection.