by dominicl 1726 days ago
From this response it's not quite clear to me: So this identity collision is against their Curve25519 implementation? Does this mean the attacker has effectively found a new brute force attack on that specific public/private key algorithm? That seems like it would be bigger news, affecting more than just zerotier. Or is there some proprietary crypto in place on which the collision has been generated? Maybe I'm missing an important link with the details?
3 comments

I believe in some areas there was a shortened, truncated form of the public key being used as an "address".

If a device went offline and was forgotten about (but still trusted), an impersonator spoofing the same (truncated) public key could gain access, as long as the server didn't reject this identity and say "that's not the public key you had before". I believe truncation was used to facilitate typing it into the UI.

So in short, it seems to me this aspect was based on truncation of a public key or hash, and the inevitable finding of collisions in this reduced address space.

It's a collision (demonstrated) or second preimage against the first 5 bytes of a hash, which isn't novel, just brute force.
They did not find a brute force attack against Curve25519.
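A constructed illustration of the two points made above (collisions in a truncated address space, and the "that's not the public key you had before" check), added here as example code that is not from the thread or from ZeroTier. The address derivation (first bytes of SHA-256 of the key) and the `IdentityRegistry` class are hypothetical simplifications, not ZeroTier's actual identity scheme; the demo uses a 2-byte address so the collision is cheap to reach.

```python
import hashlib
import math
from typing import Dict, Optional

def address_of(public_key: bytes, address_bytes: int) -> bytes:
    # Hypothetical derivation constructed for this example (not ZeroTier's
    # real identity format): the address is the first few bytes of a hash.
    return hashlib.sha256(public_key).digest()[:address_bytes]

def birthday_attempts(address_bytes: int) -> float:
    # Expected random keys before any two share an address: sqrt(pi/2 * 2^n).
    return math.sqrt(math.pi / 2 * 2 ** (8 * address_bytes))

def second_preimage_attempts(address_bytes: int) -> float:
    return float(2 ** (8 * address_bytes))  # 2^n: expected keys to hit one chosen address

class IdentityRegistry:
    """Pins the full public key behind an address on first sight; a later claim on that address with a different key is rejected."""
    def __init__(self, address_bytes: int) -> None:
        self.address_bytes = address_bytes
        self._pinned: Dict[bytes, bytes] = {}

    def admit(self, public_key: bytes) -> bool:
        addr = address_of(public_key, self.address_bytes)
        pinned = self._pinned.setdefault(addr, public_key)
        return pinned == public_key  # same key: ok; different key: "not the key you had before"

def find_colliding_key(target: bytes, address_bytes: int, tries: int) -> Optional[bytes]:
    # Counting search for a second key with the same truncated address; feasible only because the demo address is tiny.
    want = address_of(target, address_bytes)
    for i in range(tries):
        candidate = i.to_bytes(32, "big")
        if candidate != target and address_of(candidate, address_bytes) == want:
            return candidate
    return None

def demo(address_bytes: int = 2) -> dict:
    # Constructed run with 16-bit addresses: ~65k hashes on average to collide,
    # versus ~2^40 hashes for the 5-byte address discussed in the thread.
    original = bytes(range(32))  # constructed stand-in for a real public key
    impostor = find_colliding_key(original, address_bytes, tries=3_000_000)
    reg = IdentityRegistry(address_bytes)
    return {
        "original_admitted": reg.admit(original),
        "impostor_found": impostor is not None,
        # Address-only comparison (no pinning) would let the impostor through:
        "address_only_match": impostor is not None
        and address_of(impostor, address_bytes) == address_of(original, address_bytes),
        "impostor_admitted_with_pinning": reg.admit(impostor) if impostor else None,
    }
```

`birthday_attempts(5)` and `second_preimage_attempts(5)` give the work factors for the 5-byte case the thread describes (roughly 1.3 million versus about 10^12 hashes).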