
Re: [openpgp] Followup on fingerprints

2015-08-04 08:08:35
Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> writes:

    Luckily my computations (which you unfortunately cut out) were based on 30
    million attempts per second, so my results (the attack taking over a year)
    is still correct!  Indeed, your numbers are still 3x slower than my
    computation estimates.

Your original assertion was broken. I don't think it very likely that someone
is going to spend more than a machine year to generate a vanity key unless they
can get someone else to pay for the time.

Phill, it was *your* proposal that I was talking to, Mallet creating
keys M1 and M2 to attack some open source project using PGP Signatures.
So thank you for acknowledging that your original assertion was broken!
My point was that particular notion isn't viable; nobody is going to
expend that much effort just to be able to spoof a broken source control
system.  And moreover, a non-broken system (that uses the full
fingerprint) is still out of reach even for stronger adversaries.

A hundred machine years for creating a key collision attack is completely
viable.

It's only a hundred machine years for a 100-bit collision.  A 160-bit
collision is much much further out!

Also when we are talking about PGP Key fingerprint, the fingerprint is over the
key binding and not just the key and so it is malleable.

I don't see how that helps (today) with SHA1 or SHA2.

I can well imagine someone making use of all that Bitcoin hardware for some
mischief. Hence a reason to go for SHA-2-512.

Again, this is only a security consideration that has to be noted.
 

-derek

-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
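
The scaling argument in the message above (a truncated fingerprint is within reach, the full 160-bit one is not), as an added example that is not part of the original post. It assumes the generic birthday bound of about 2^(n/2) attempts, one SHA-1 call per attempt over constructed byte strings rather than real OpenPGP key material, and the 30 million attempts per second quoted in the thread; the function names are hypothetical.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600
RATE = 30e6  # attempts per second, the figure quoted in the message above


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-1(data) as an integer."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def find_collision(bits: int):
    """Birthday search over distinct constructed inputs.

    Hashes inputs until two of them share the same truncated digest.
    Returns (input_a, input_b, attempts).
    """
    seen = {}
    attempts = 0
    while True:
        candidate = b"constructed-input-%d" % attempts
        attempts += 1
        tag = truncated_sha1(candidate, bits)
        if tag in seen:
            return seen[tag], candidate, attempts
        seen[tag] = candidate


def machine_years(bits: int, rate: float = RATE) -> float:
    """Time for about 2^(bits/2) attempts at `rate` attempts per second."""
    return 2 ** (bits / 2) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Small truncations: measured attempts track the 2^(bits/2) estimate.
    for bits in (16, 24, 32):
        a, b, n = find_collision(bits)
        print(f"{bits:3d}-bit collision after {n} attempts "
              f"(estimate {2 ** (bits // 2)}): {a!r} / {b!r}")
    # Larger sizes: extrapolate at the thread's rate instead of searching.
    for bits in (64, 100, 160):
        print(f"{bits:3d}-bit collision: about {machine_years(bits):.3g} "
              f"machine years at {RATE:.0f} attempts/s")
```

Every 2 extra bits of fingerprint double the collision work, so going from 100 to 160 bits multiplies it by 2^30. Real key generation costs more per attempt than one hash, so the extrapolated figures are lower bounds.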
