Re: [openpgp] Fingerprint requirements for OpenPGP

[Vincent Breitmoser <look@my.amazin.horse>]

>   usually considered “broken” by cryptographers

This is not the general case cryptographers talk about, but a specific
use case with a very specific set of requirements.

>   so it seems OK to be somewhat cautious here and require collisions
>   to be hard.

If we could get it for free, maybe. But collision resistance is a factor
two in bitsize, which is not only not free, but pretty darn costly.

Just to get a feeling for the numbers, let's do some good old
pessimistic math:

We take a 128 bit fingerprint. We say the attacker wants to attack a
pool of 65000 keys, so 2^16. That leaves 112 bits of fingerprint to
attack. We also assume that an attacker can test as fast as they can
generate sha-256 hashes, and give no penalties for key generation,
multi-target attack, collisions or stuff like that.

Top of the line hashing ASICs are at about 5 terahashes per second. But
let's just say our attacker has 10 terahashes/s (2^43) per device for
ease of math. Then let's say our attacker has one *billion* of those
devices (2^30), which is a ridunculous number to have.

In this scenario, our attacker needs 2^(128-16-43-30) = 2^39 seconds to
find a single preimage, which is 17432 years.

From a different angle, for one Joule of energy (= 1 watt-second) you
can very optimistically get about 5T (2^42) sha256 hashes for one Joule
of energy. For 2^112 hashes, that's 2^(112-42) = 2^70 Joule of energy,
or 2^19 terawatt-hours of energy. For comparison, the total world energy
consumption is around 2^17TWh per year, so that's something like four
years of energy (not even only power) used by people in the world.

 - V