Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild



Samuel Thibault wrote:
> And actually, moving to 64bit fingerprints by default is possibly not a
> good idea: who knows when 64bit will not be secure any more? Estimating
> very roughly, if a 32bit collision can be found within a few seconds
> with one GPU now as evil32 seems to show, a supercomputer with 10000
> GPUs can find a 64bit collision within a month...

Worse than that.  Consider that, given a financial incentive, people
developed FPGAs and then dedicated ASICs to perform double-sha256
incredibly quickly, in order to perform proof-of-work calculations that
consisted of seeking a hash with a given number of bits specified.
Doing the same for key fingerprints seems similarly plausible.

If you could check for key fingerprint collisions as fast as the hash
rate of current ASIC miners (order of magnitude 14 terahash/s), it'd
take ~15 days to find a 64-bit collision with just one such ASIC, and
the problem trivially parallelizes across multiple.  An adversary with a
modest number of such ASICs could produce 64-bit collisions for the
entire strong set in days (producing an "evil64" set).

I'd suggest moving directly to full fingerprints; from elsewhere in this
thread, it sounds like the current version of gnupg has done so.
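
A defender-side check related to this thread, as an added example that is not part of the original message: it parses `gpg --list-keys --with-colons` output and reports primary keys that share a short (32-bit) or long (64-bit) key ID while having different full fingerprints. The sample listing, its fingerprints and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in `gpg --list-keys --with-colons` format; all values are made up.
SAMPLE = """\
pub:-:4096:1:1111222233334444:1400000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111222233334444:
uid:-::::1400000000::::Alice Example <alice@example.org>:
sub:-:4096:1:5555666633334444:1400000000::::::e:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD5555666633334444:
pub:-:4096:1:9999888833334444:1400000001:::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB9999888833334444:
uid:-::::1400000001::::Alice Example <alice@example.org>:
pub:-:2048:1:0123456789ABCDEF:1400000002:::-:::scESC:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC0123456789ABCDEF:
"""

def primary_fingerprints(colons_text):
    """Return the full fingerprints of primary keys (pub/sec), skipping subkeys."""
    fprs, last_key_record = [], None
    for line in colons_text.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sec", "sub", "ssb"):
            last_key_record = fields[0]
        elif fields[0] == "fpr" and last_key_record in ("pub", "sec") and len(fields) > 9:
            fprs.append(fields[9].upper())  # field 10 carries the fingerprint
            last_key_record = None
    return fprs

def colliding_ids(fprs, hex_digits):
    """Group fingerprints by their trailing hex digits (8 = short ID, 16 = long ID)
    and return only the IDs that map to more than one distinct fingerprint."""
    groups = defaultdict(set)
    for fpr in fprs:
        groups[fpr[-hex_digits:]].add(fpr)
    return {kid: sorted(group) for kid, group in groups.items() if len(group) > 1}

def days_to_search(bits, trials_per_second):
    """Days to run 2**bits trials at the given rate (the model behind the ~15 day figure)."""
    return 2 ** bits / trials_per_second / 86400

if __name__ == "__main__":
    keys = primary_fingerprints(SAMPLE)
    for label, digits in (("short", 8), ("long", 16)):
        for kid, group in colliding_ids(keys, digits).items():
            print(f"{label} key ID {kid} is shared by: {', '.join(group)}")
    print(f"2^64 trials at 14 TH/s: {days_to_search(64, 14e12):.1f} days")
```

In the constructed listing the two "Alice Example" keys share a short ID but not a long ID or fingerprint, which is the ambiguity that comparing full fingerprints removes.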

