Collision attack against long Key Ids
Robert J. Hansen
rjh at sixdemonbag.org
Sat Mar 14 19:33:06 CET 2026
> If it's an OK, albeit simplistic, question to ask - is there a reason
> for this?
There are many reasons.
My personal bête noire is there are a lot of people who derive their
social status from the unholy union of (a) being a geek and (b) making
people afraid. When you can make people afraid you can lead them into
looking to you to tell them what to do. Making people afraid is usually
a power play of some kind and it reminds me of high school. What pushes
me over the edge into being a genuinely unpleasant person is when (c)
they make people afraid about something the person is unable to find out
for themselves. When Chicken Little told everyone the sky was falling,
at least Chicken Little had the common decency to lie about something
people could disprove just by looking up.
There are a lot of (a) nerdy people (b) making people scared about (c)
near-future events they have to take on faith.
I don't see much difference between Sam Altman telling people "in
eighteen months half of your jobs will be gone!" and somebody hiding
behind a pseudonym saying "ackshually the new NSA listening center in
Utah is going to be able to crack PGP because...". Either way it's the
same spiel. These people make me very angry.
=====
Then there are the people who deal in half-truth criticisms. For
instance, a lot of people say that Open/LibrePGP don't offer forward
secrecy, and "all modern designs offer perfect forward secrecy."
Rubbish. PGP offered perfect forward secrecy in 1991. It was one of the
first systems with perfect forward secrecy. It's so old it predates the
term perfect forward secrecy.
What perfect forward secrecy means is "the compromise of a key does not
allow an attacker to read messages sent after the compromise." Well,
Open/LibrePGP uses random per-session cryptographic keys. Compromising
the key used for a specific message doesn't help you compromise any
other message, in the past or in the future. Open/LibrePGP is, in that
sense, providing perfect forward secrecy.
At the same time, it's also plainly obvious that Open/LibrePGP uses
long-term keys as well (your asymmetric keypair). And there, sure, there
are criticisms that can be made from a PFS standpoint. Those are valid
and worth listening to.
But for every person who gives a nuanced and complete understanding of
PFS in Libre/OpenPGP, there are a dozen who are just repeating "no
perfect forward secrecy guarantees!" without ever talking about the
subject in a realistic way.
=====
Then there are academics who make highly academic criticisms that,
although offered in good faith, often show a lack of consideration of
real-world constraints on what we can do, or a lack of understanding of
what the real problems are.
For instance, from RFC2440 to the final draft of RFC4880, OpenPGP
specified 3DES as a permissible algorithm. 3DES was designed in the
1970s and is by modern standards unbearably ugly. It has all the
aesthetic qualities of Soviet New Realism art, all the elegance of a
North Korean workers' housing block. When the movie _Tropic Thunder_
played in theaters, when Robert Downey Jr.'s character exclaimed
"Behold, God's mistake!", every cryptographer in the audience perked up
thinking 3DES was about to make its Hollywood appearance.
But you'll notice I never said 3DES was weak. After fifty years (!!) of
cryptanalytical research nobody knows of any practical attacks on 3DES
when used in the standard OpenPGP use case. It's kind of impressive that
way. (If you're using it for more than a few hundred megs of data in a
single message you're doing it wrong, but how many of us actually do that?)
Given all this, for many years we were slow to remove 3DES from the
Open/LibrePGP cipher suites. It was on the TODO. It wasn't terribly high
priority. And our attitude on this caused a lot of academics to say
"they still require every client support 3DES; my God, what backwards
heathens."
=====
Some very serious people have made very serious criticisms of OpenPGP
over the years. Matthew Green at Johns Hopkins, for starters, was really
not a fan. See, for instance, this essay:
https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/
His criticisms in 2014 were pretty sharp and for the most part fair.
Libre/OpenPGP took notice and have since taken steps to mitigate a lot
of those concerns. (He's probably still not a fan, however.)
But for every solid, well-thought-out, and occasionally devastating
critique on Open/LibrePGP there are easily a dozen ones that vary from
disingenuous to confused to genuinely dishonest and manipulative.
Anyway. Hope this helps. :)
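The per-session-key point made above can be seen concretely in a small hybrid-encryption demo. This is an added example and not code from the post, from GnuPG or from the OpenPGP/LibrePGP specifications: it stands in AES-256-GCM for the session cipher and RSA-OAEP for the public-key wrap, and the Message struct is a constructed stand-in for the real packet format. It encrypts two messages to one long-term key and then checks both halves of the argument: a leaked session key opens only the message it belonged to, while a leaked long-term private key opens everything ever encrypted to it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Message is a constructed stand-in for an OpenPGP encrypted message (not
// the real packet format): the session key wrapped to the recipient's
// long-term public key, plus the nonce and ciphertext of the body.
type Message struct {
	WrappedKey []byte
	Ciphertext []byte
	Nonce      []byte
}

// Encrypt draws a fresh random 256-bit session key for this message only,
// encrypts the body under it with AES-256-GCM and wraps the session key to
// the recipient's long-term RSA key with OAEP. The session key is returned
// only so the demo can model its compromise; a real client discards it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (Message, []byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return Message{}, nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return Message{}, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Message{}, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Message{}, nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return Message{}, nil, err
	}
	return Message{WrappedKey: wrapped, Ciphertext: ct, Nonce: nonce}, sessionKey, nil
}

// OpenWithSessionKey models someone holding one message's session key but
// not the long-term private key. GCM authentication fails for a wrong key.
func OpenWithSessionKey(sessionKey []byte, m Message) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

// OpenWithPrivateKey models the recipient, or anyone who has obtained the
// recipient's long-term private key: unwrap the session key, then decrypt.
func OpenWithPrivateKey(priv *rsa.PrivateKey, m Message) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return OpenWithSessionKey(sessionKey, m)
}

// Outcome records what each kind of key compromise exposes.
type Outcome struct {
	SessionKeyOpensOwnMessage   bool
	SessionKeyOpensOtherMessage bool
	PrivateKeyOpensAllMessages  bool
}

// Demo encrypts two messages to one long-term key and compares the reach
// of a leaked session key with the reach of a leaked long-term private key.
func Demo() (Outcome, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	first, second := []byte("first message"), []byte("second message")
	m1, sk1, err := Encrypt(&priv.PublicKey, first)
	if err != nil {
		return Outcome{}, err
	}
	m2, _, err := Encrypt(&priv.PublicKey, second)
	if err != nil {
		return Outcome{}, err
	}
	var o Outcome
	p, err := OpenWithSessionKey(sk1, m1)
	o.SessionKeyOpensOwnMessage = err == nil && bytes.Equal(p, first)
	_, err = OpenWithSessionKey(sk1, m2) // independent key: must fail
	o.SessionKeyOpensOtherMessage = err == nil
	p1, err1 := OpenWithPrivateKey(priv, m1)
	p2, err2 := OpenWithPrivateKey(priv, m2)
	o.PrivateKeyOpensAllMessages = err1 == nil && err2 == nil &&
		bytes.Equal(p1, first) && bytes.Equal(p2, second)
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it prints an Outcome with SessionKeyOpensOwnMessage and PrivateKeyOpensAllMessages true and SessionKeyOpensOtherMessage false, which is exactly the distinction drawn above: per-message session keys contain a session-key compromise, and the remaining forward-secrecy exposure is the long-term keypair.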