Samuel Thibault wrote:
> And actually, moving to 64bit fingerprints by default is possibly not a
> good idea: who knows when 64bit will not be secure any more? Estimating
> very roughly, if a 32bit collision can be found within a few seconds
> with one GPU now as evil32 seems to show, a supercomputer with 10000
> GPUs can find a 64bit collision within a month...
Worse than that. Consider that, given a financial incentive, people developed FPGAs and then dedicated ASICs to perform double-sha256 incredibly quickly, in order to perform proof-of-work calculations that consisted of seeking a hash with a given number of bits specified. Doing the same for key fingerprints seems similarly plausible. If you could check for key fingerprint collisions as fast as the hash rate of current ASIC miners (order of magnitude 14 terahash/s), it'd take ~15 days to find a 64-bit collision with just one such ASIC, and the problem trivially parallelizes across multiple. An adversary with a modest number of such ASICs could produce 64-bit collisions for the entire strong set in days (producing an "evil64" set). I'd suggest moving directly to full fingerprints; from elsewhere in this thread, it sounds like the current version of gnupg has done so.
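As an added illustration (not code from the thread, from evil32 or from gnupg), here is a small Python model of the work factor being argued over. It builds a v4 OpenPGP RSA public-key packet and computes its fingerprint as RFC 4880 section 12.2 specifies (SHA-1 over 0x99, the two-octet body length and the body), then forges a key with the same truncated key ID by sweeping the creation timestamp, which the fingerprint covers; every trial therefore costs one SHA-1 and no fresh key material, which is exactly the kind of workload an ASIC is built for. The modulus, exponent, timestamps and the 16-bit demo width are constructed toy values; the 14 TH/s rate is the figure from the message above.

```python
"""Cost model for brute-forcing truncated OpenPGP key IDs.

Constructed example: TOY_N is a made-up odd number, not a real RSA modulus.
Packet and fingerprint layout follow RFC 4880 section 12.2 (v4 keys).
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte big-endian bit count, then magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version 4, creation time, algo 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 s12.2: SHA-1 over 0x99 || two-octet body length || body (20 bytes)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def truncated_key_id(fpr: bytes, bits: int) -> int:
    """Low-order `bits` of the fingerprint: 32 gives the short key ID, 64 the long one."""
    return int.from_bytes(fpr, "big") & ((1 << bits) - 1)


def forge_key_id(target_id: int, bits: int, n: int, e: int, start: int, limit: int):
    """Sweep the creation timestamp until the low `bits` of the fingerprint equal
    target_id.  The key material is fixed, so each trial is a single SHA-1.
    Returns (created, fingerprint, trials) or None if `limit` is exhausted."""
    for i in range(limit):
        created = (start + i) & 0xFFFFFFFF
        fpr = v4_fingerprint(v4_public_key_body(created, n, e))
        if truncated_key_id(fpr, bits) == target_id:
            return created, fpr, i + 1
    return None


def expected_trials(bits: int) -> int:
    """Targeted search for one specific `bits`-wide ID: 2**bits trials on average.
    (A collision between any two keys would need only about 2**(bits/2).)"""
    return 1 << bits


def expected_days(bits: int, hashes_per_second: float) -> float:
    """Days to hit one target ID at the given hash rate, single device."""
    return expected_trials(bits) / hashes_per_second / 86400


# Constructed toy key: not a real RSA key, just fixed numbers the packet can carry.
TOY_N = 0xC7A93D1B2E5F6A8D9B4C3E2F1A0B9C8D
TOY_E = 65537
VICTIM_CREATED = 1_700_000_000   # assumed creation time of the "victim" key

if __name__ == "__main__":
    victim = v4_fingerprint(v4_public_key_body(VICTIM_CREATED, TOY_N, TOY_E))
    target = truncated_key_id(victim, 16)   # 16-bit width keeps the demo to seconds
    created, fpr, trials = forge_key_id(target, 16, TOY_N, TOY_E, VICTIM_CREATED + 1, 1 << 22)
    print(f"victim {victim.hex()}")
    print(f"forged {fpr.hex()} (created={created}) after {trials} trials")
    for width in (32, 64):
        print(f"{width}-bit ID at 14 TH/s, one device: {expected_days(width, 14e12):.2g} days")
```

The 16-bit search finishes in well under a second in plain Python; widening it to 32 bits multiplies the work by 65536, and to 64 bits by a further 2^32, which at the quoted 14 TH/s comes out to roughly 15 days per target on one device. The full 160-bit v4 fingerprint is out of reach of this attack, which is the point of comparing on the full fingerprint.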