Hi,
On 1/24/20 5:57 PM, Michael Richardson wrote:
> Damien Goutte-Gattat <dgouttegattat(_at_)incenp(_dot_)org> wrote:
> > What Marcus says the author *could* have done is to generate the two keys A
> > and B in such a way that they also have the same fingerprint. They have not
>
> I'm not convinced that there are enough under-determined bytes that can be
> mutated in the content that goes into making the fingerprint.
> AFAIK, it's just the key.
>
> I guess, maybe if the key is big enough (rsa 8K, bigger), that the bytes
> could be in the prime itself. Are you saying that? If so, I wonder what the
> smallest key for which this is true is.

The authors demonstrate a collision block within an RSA 6144 bit public
key. The collision happens at the first 6056 bits of the modulus, and
the remaining 88 bits are used to make a valid modulus for the public
exponent, which is fixed at 2^16+1.
Thanks,
Marcus
--
Dipl.-Math. Marcus Brinkmann
Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum
Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
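
Added example, not part of the original message and not the authors' code: the octets hashed into an OpenPGP v4 fingerprint (RFC 4880, section 12.2) and where a 6144-bit modulus with an 88-bit tail sits among them. It assumes a v4 RSA key packet; the function names, the sample modulus and the timestamp are constructed for illustration.

```python
import hashlib
import struct

RSA_ALGO = 1          # RFC 4880 public-key algorithm ID for RSA
SHA1_BLOCK = 64       # SHA-1 processes its input in 64-byte blocks

def mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-byte big-endian bit count, then the magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def fingerprint_input(n: int, e: int, created: int) -> bytes:
    """Octets hashed for a v4 fingerprint (RFC 4880, section 12.2)."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([RSA_ALGO]) + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body

def fingerprint(n: int, e: int, created: int) -> str:
    return hashlib.sha1(fingerprint_input(n, e, created)).hexdigest().upper()

def modulus_layout(n_bits: int, tail_bits: int) -> dict:
    """Byte offsets of the modulus inside the hashed input.
    tail_bits is the low-order part of the modulus; both sizes must be multiples of 8."""
    start = 1 + 2 + 1 + 4 + 1 + 2      # 0x99, length, version, time, algo, MPI bit count
    end = start + n_bits // 8
    tail_start = end - tail_bits // 8
    return {"start": start, "tail_start": tail_start, "end": end,
            "tail_on_block_boundary": tail_start % SHA1_BLOCK == 0}

# Constructed sample values: N is a 6144-bit odd integer, NOT a real RSA modulus.
E = 2**16 + 1
CREATED = 1579900000                    # arbitrary constructed timestamp
N = (1 << 6143) | (0xA5 << 3000) | 1
N_TAIL_CHANGED = N ^ (1 << 40)          # differs only inside the low 88 bits

if __name__ == "__main__":
    print(modulus_layout(6144, 88))
    print(fingerprint(N, E, CREATED))
    print(fingerprint(N_TAIL_CHANGED, E, CREATED))   # tail bits are hashed too
    print(fingerprint(N, E, CREATED + 1))            # so is the creation time
```

Under these assumptions the hashed input is more than the key material alone: it also covers the version, creation time and algorithm octets, and the 88-bit tail of the modulus starts at byte offset 768, a multiple of SHA-1's 64-byte block size.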