On 04/01/2013 12:24 PM, adrelanos wrote:
> How difficult, i.e. how much computing power and time is required to
> create a key, which matches the very same fingerprint?
>
> Isn't 40 chars a bit weak?

(Nothing I am writing here is sarcastic or non-factual.)

At present, the only way to do a preimage attack on SHA-1 (as opposed to a random collision) is brute-force, so about 2**159 operations.

If you've got a PC that operates at the thermodynamic limits of the universe and can compute a SHA-1 hash in only 1000 bitflips, and you want to achieve this collision within the space of a year, then you're looking at needing to use about 100 exatons or more of energy.

This is considerably more than the gravitational binding energy of the earth: as in, 100 exatons is enough to send every single rock in the Earth flying away from all the other rocks faster than the Earth's escape velocity. 100 exatons is enough energy to notably warp the local spacetime continuum and would slightly perturb orbits of other planets.

No one will ever brute-force a SHA-1 fingerprint. Maybe in five or ten or twenty or a hundred years someone will figure out a way to do it that doesn't involve brute-force, but for right now preimage attacks on SHA-1 are well in the realm of science fiction.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users