[dns-operations] [Ext] real world keytag collision example

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Jan 19 19:50:46 UTC 2019

On Fri, Jan 18, 2019 at 09:30:16AM -0500, Warren Kumari wrote:

> Actually, I **think** it is even smaller than that -- both primes will
> always have their top bits set (this might be a property of what you said
> above, but my eyes glazed over while trying to work it out :-))

The top bits of the modulus don't noticeably bias the final sum,
which is computed left to right, and the essentially random following
key bytes whiten any such signal from the biased initial byte; all
that remains is the co-primality to F_0, F_1, F_2, and F_3, which
are all divisors of 65535, which does noticeably reduce the key tag
entropy.  With OpenSSL the CRT factors are also never 1 mod F_0..F_3,
which gives a bit more entropy reduction, but the top bits don't come
into play here.
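A worked example, added here and not code from the post above or from any DNS implementation: it implements the DNSKEY key tag of RFC 4034 Appendix B, builds DNSKEY RDATA with an RFC 3110 RSA public key, and shows why co-primality to F_0..F_3 = 3, 5, 17, 257 (whose product is 65535) shrinks the key tag space. The key tag is a one's-complement style word sum, and since 65536 is 1 mod 65535 it is, up to a rare carry off-by-one, just the RDATA read as an integer mod 65535; with an even-length prefix and modulus that is prefix + n mod 65535, and n is a unit mod every Fermat prime. The "moduli" sampled below are constructed random odd integers with the top bit set (RSA-like in size, coprime to 65535 when asked), not real RSA keys, and the KSK flags, algorithm 8 and exponent 65537 are chosen for illustration; the OpenSSL CRT-factor observation from the post is not modelled.

```python
# Added example: not code from the original post or from any DNS software.
# It implements the DNSKEY key tag of RFC 4034 Appendix B and shows why an
# RSA modulus coprime to 3, 5, 17 and 257 (the Fermat primes F_0..F_3, whose
# product is 65535) makes about half of the 2^16 key-tag values unreachable.
import math
import random

FERMAT_PRIMES = (3, 5, 17, 257)  # 3 * 5 * 17 * 257 == 65535


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: add the RDATA as big-endian 16-bit words, fold the
    carry back in once, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_prefix(flags: int, exponent: int, protocol: int = 3, algorithm: int = 8) -> bytes:
    """Flags, protocol, algorithm (RFC 4034 section 2.1) followed by the RFC 3110
    exponent-length byte and exponent; rsa_dnskey_rdata() appends the modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if not 1 <= len(e) <= 255:
        raise ValueError("only the one-byte exponent-length form is handled here")
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm, len(e)]) + e


def rsa_dnskey_rdata(flags: int, exponent: int, modulus: int) -> bytes:
    """Full DNSKEY RDATA for an RSA key: prefix followed by the big-endian modulus."""
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return dnskey_prefix(flags, exponent) + n


def words_mod_65535(data: bytes) -> int:
    """Word sum of `data` reduced mod 65535.  Because 65536 == 1 (mod 65535) this is
    the whole byte string read as one big-endian integer, mod 65535.  For DNSKEY-sized
    input the key tag equals it except for a rare off-by-one when the 16-bit partial
    sum wraps."""
    if len(data) & 1:
        data += b"\x00"  # an odd trailing byte is the high half of its word
    return int.from_bytes(data, "big") % 65535


def admissible_tags(prefix: bytes, modulus_bytes: int) -> set:
    """Key tags reachable with this prefix when the modulus n is a unit mod 65535
    (any RSA modulus is: its prime factors are far larger than 257).  With an
    even-length prefix and modulus, RDATA = prefix * 65536**k + n == prefix + n
    (mod 65535), so tag - prefix is never 0 mod 3, 5, 17 or 257."""
    if len(prefix) & 1 or modulus_bytes & 1:
        raise ValueError("this example assumes an even-length prefix and modulus")
    p = words_mod_65535(prefix)
    return {t for t in range(65536) if all((t - p) % q for q in FERMAT_PRIMES)}


def sample_tags(n_keys: int, coprime: bool = True, seed: int = 1, bits: int = 2048) -> list:
    """Constructed stand-in moduli: random odd integers with the top bit set (not
    real RSA keys).  coprime=True rejects multiples of the Fermat primes, as a real
    RSA modulus never is one; coprime=False keeps them as an unconstrained baseline."""
    rng = random.Random(seed)
    tags = []
    while len(tags) < n_keys:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if coprime and math.gcd(n, 65535) != 1:
            continue
        tags.append(key_tag(rsa_dnskey_rdata(257, 65537, n)))
    return tags


def admissible_fraction(n_keys: int = 1500, coprime: bool = True, seed: int = 1) -> float:
    """Share of sampled key tags that fall inside admissible_tags() for a KSK
    (flags 257, e = 65537, 2048-bit modulus)."""
    allowed = admissible_tags(dnskey_prefix(257, 65537), 256)
    tags = sample_tags(n_keys, coprime=coprime, seed=seed)
    return sum(t in allowed for t in tags) / n_keys


if __name__ == "__main__":
    allowed = admissible_tags(dnskey_prefix(257, 65537), 256)
    print(f"reachable key tags for an RSA KSK with e=65537: {len(allowed)} of 65536 "
          f"({math.log2(len(allowed)):.2f} bits)")
    print(f"coprime moduli inside that set: {admissible_fraction():.3f}")
    print(f"unconstrained baseline:          {admissible_fraction(coprime=False):.3f}")
```

Run as a script this reports 32768 reachable tags for the KSK prefix, i.e. 15 rather than 16 bits of key tag, with essentially all coprime moduli landing inside that set and the unconstrained baseline landing there only about half the time. Swapping in another flags value or exponent changes which half is reachable but not its size, which is the co-primality effect the post describes; the modulus length just has to stay an even number of bytes for the mod-65535 identity to hold as written.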

