Collision attack against long Key Ids

Andrew Gallagher andrewg at andrewg.com
Wed Mar 11 19:36:02 CET 2026 

On 11/03/2026 16:57, Nombre y Apellidos via Gnupg-users wrote:
> 
> I see a blog post about collisions in key Id's in this blog:
> https://soatok.blog/2026/01/07/practical-collision-attack-against-long-key-ids-in-pgp/

As usual, Soatok wraps technical correctness in hyperbole and 
self-promotion.

> According to the article itself, it can lead to cases of usurpation of
> signed data, such as software packages.
> 
> Is it really a weakness in PGP/GNUPG?

It's a weakness *if* people assume that key IDs are unique identifiers, 
rather than a convenience. In older user guides, key IDs were treated as 
unique identifiers but this has not been recommended for a long time. 
You will note that Soatok references a decade-old stackexchange answer, 
and even that text recommends the use of fingerprints instead.

In the openpgp protocol itself, the only place that key IDs are used is 
as a label to help a receiving implementation find the correct key for 
decryption (or in older messages, signature verification). The security 
of openpgp has never relied upon key IDs though.

To exploit a birthday attack against key IDs, an attacker would have to 
create two colliding keys, then use one for innocent purposes, get other 
people to trust it, then trick them into using the second one instead, 
and hope they only check the key ID and not the full fingerprint.

But remember that the attacker *already controls both keys*. Swapping 
one key under the attacker's control for a second key under the same 
attacker's control doesn't get the attacker any privileges they didn't 
already have after convincing people to trust the first key.

The best that Soatok can do is suggest that the colliding keys would 
give an attacker plausible deniablity after the fact, in the absence of 
other evidence. But given that a birthday attack is known to be feasible 
and a preimage attack is known to be technically infeasible (for now), 
nobody with any sense will believe them. Plausible deniability is as 
bulletproof as a piece of wet tissue paper.

tl;dr: don't panic.
A

More information about the Gnupg-users mailing list