[tor-talk] Choosing a name for a .onion

Asheesh Laroia asheesh at asheesh.org
Fri Mar 30 04:44:08 UTC 2012


Excerpts from Robert Ransom's message of Thu Mar 29 23:28:39 -0400 2012:
> On 2012-03-29, Seth David Schoen <schoen at eff.org> wrote:
> 
> > There's a nice description of the possibility of creating a public key
> > with a chosen set of bits at the beginning or end at
> >
> > http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
> >
> > although note that the Tor hidden service identifiers are 80 bits, while
> > PGP short key IDs are only 32 bits, so it's 2⁴⁸ times as hard to fake a
> > hidden service as it is to make a colliding PGP short key ID.  (Full PGP
> > fingerprints are 160 bits.)
> 
> In the old-style (PGP 2.x) key ID format, a portion of the public RSA
> modulus was directly used as the key ID.  The most
> difficult-to-implement algorithm that you could possibly want to use
> to attack that involves a lattice computation, and succeeds far faster
> than brute-force.
> 
> New-style (OpenPGP) key IDs are hashes of the public key; the only
> attack that can produce a desired key ID is brute-force search.
> (That's not hard though -- for RSA, generate a keypair in the usual
> manner, then change the public exponent (as Shallot does); for DSA or
> ElGamal, generate a keypair and then search for powers of the group
> generator and of the public key which lead to the desired hash.  Both
> attacks allow the brute-force search to be performed on computers
> which cannot be trusted to know the private key.)
> 
> So yes, short PGP key IDs are very bad news.  Avoid them if you can
> (but I doubt that you can).

Hi Robert,

As the author of that asheesh.org note, I suggest you read it carefully.
(-:

In particular, pay attention to how key timestamps are used in OpenPGP!
It's interesting and was surprising to me at first, too.

-- Asheesh.
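
The point about key timestamps, as an added example that is not part of the original message: in a version 4 OpenPGP key the creation time is hashed into the 160-bit fingerprint along with the key material (RFC 4880, section 12.2), and the 64-bit and 32-bit key IDs are the tail of that fingerprint. The modulus, timestamps and helper names below are constructed for illustration.

```python
import hashlib
import struct

# Constructed sample values: a toy modulus (product of two Mersenne primes,
# not a secure key) and the common RSA public exponent.
N = (2**127 - 1) * (2**89 - 1)
E = 65537

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Public-key packet body: version 4, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_ids(fpr: bytes) -> dict:
    """Full fingerprint plus the long (64-bit) and short (32-bit) key IDs."""
    return {
        "fingerprint": fpr.hex().upper(),
        "long_id": fpr[-8:].hex().upper(),
        "short_id": fpr[-4:].hex().upper(),
    }

def same_key(expected_fpr_hex: str, body: bytes) -> bool:
    """Accept a key only on a full 160-bit fingerprint match, never a short ID."""
    cleaned = expected_fpr_hex.replace(" ", "").upper()
    return len(cleaned) == 40 and cleaned == v4_fingerprint(body).hex().upper()

if __name__ == "__main__":
    # Same key material, creation times one second apart (constructed values).
    for created in (1333000000, 1333000001):
        ids = key_ids(v4_fingerprint(v4_rsa_key_body(created, N, E)))
        print(created, ids["fingerprint"], ids["short_id"])
```

The two printed fingerprints differ although the modulus and exponent are identical, which is why a key ID identifies a (key material, creation time) pair rather than the key material alone.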

