Key management: are there known collisions of a "long" (64 bit) OpenPGP key ID?

OpenPGP key IDs are portions of the SHA-1 fingerprint, as defined in the standard. A short key ID is the last 32 bits, and the long key ID is the last 64 bits. Finding a collision usually takes an average of $2^{n/2}$ operations, where $n$ is the size of the hash in bits. Generating collisions for short IDs and long IDs is trivial and requires an average of $2^{16}$ and $2^{32}$ operations, respectively. A collision in this case is defined as the creation of two different keys that have identical short and long IDs. In fact, it is even possible to collide the complete SHA-1 fingerprint, as Google has shown. Colliding a complete OpenPGP fingerprint requires nothing more than the collision of a single SHA-1 hash. This is difficult, but it is possible with sufficient computing power.

Creating a preimage is different. Unlike a collision, a preimage attack requires creating an input that matches a specific hash digest. The attacker cannot supply both inputs, only one, which makes it a much more difficult attack. Unlike a collision attack, a preimage attack requires a total of $2^{n}$ operations for a hash of size $n$. Because of this, creating a preimage for a short ID requires only $2^{32}$ operations, which is frankly trivial. Doing the same for a long ID requires $2^{64}$ operations, which is not easy, but it is far from impossible. Doing the same with the full 160-bit fingerprint is simply impossible with current technology.

In summary:

+-------------+-----------+------------+
|             | Collision | Preimage   |
+-------------+-----------+------------+
| Short ID    | Trivial   | Easy       |
+-------------+-----------+------------+
| Long ID     | Easy      | Hard       |
+-------------+-----------+------------+
| Fingerprint | Hard      | Impossible |
+-------------+-----------+------------+
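
The gap between the two columns can be measured directly. The following is an added example, not part of the original answer: it counts the hashes needed for a collision and for a preimage on a 16-bit tail of SHA-1, scaled down from the 32- and 64-bit key IDs so it finishes quickly. The function names and input strings are constructed for illustration and are not real OpenPGP key material.

```python
import hashlib
from itertools import count


def tail(data: bytes, bits: int) -> int:
    """Low `bits` bits of SHA-1(data), as a key ID is the tail of a fingerprint."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest & ((1 << bits) - 1)


def find_collision(bits: int):
    """Birthday search: any two distinct inputs sharing a tail (~2^(bits/2) hashes)."""
    seen = {}
    for i in count():
        msg = b"constructed-collide-%d" % i
        t = tail(msg, bits)
        if t in seen:
            return seen[t], msg, i + 1
        seen[t] = msg


def find_preimage(target: int, bits: int):
    """Targeted search: an input whose tail equals a value fixed in advance (~2^bits)."""
    for i in count():
        msg = b"constructed-preimage-%d" % i
        if tail(msg, bits) == target:
            return msg, i + 1


def key_ids(fingerprint_hex: str):
    """Long (64-bit) and short (32-bit) key IDs taken from the end of a fingerprint."""
    fp = fingerprint_hex.replace(" ", "").upper()
    return fp[-16:], fp[-8:]


if __name__ == "__main__":
    BITS = 16  # scaled down; real key IDs are 32 and 64 bits
    victim = b"constructed-victim-key"  # stand-in for a key packet, not a real key
    a, b, c_ops = find_collision(BITS)
    m, p_ops = find_preimage(tail(victim, BITS), BITS)
    print(f"collision: {c_ops} hashes (expected around 2^{BITS // 2})")
    print(f"preimage:  {p_ops} hashes (expected around 2^{BITS})")
    print("long/short ID of sample fingerprint:",
          key_ids(hashlib.sha1(victim).hexdigest()))
```

Each extra bit of identifier doubles the preimage cost but adds only half a bit to the collision cost, which is why comparing the full fingerprint is the only check in the table that holds up in both columns.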