On 10/14/25 08:48, Philip Homburg wrote:
With 10 keys and no key tags, it is will take on average 5 public key operations to validate a good signature. With 10 signatures, an attacker can generate 9 bad signatures and one good one. On average finding the good one requires checking 5 signatures. The 4 bad ones requires 10 public key operations each and the good one requires 5 operations. So the attacker can make to cost of a single logical signature validation equal to 45 public key operations. In contrast, with key tags and no collisions, the number of required public key operations is only one. So the attacker gains a factor of 45.
Except that the attacker can trivially introduce collisions (KeyTrap, as you mentioned), so I'm not sure how far this argument gets us. The defense is to limit the number of public key operations. I believe Donald's point is that this bounding of work could happen whether you look at keytag or not. That said, I think it's up to validators whether to look at keytags, and I'm not sure what the goal of this discussion is. Keytags are what they are and we can't go back. Best, Peter _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
