What happen if the curve used in key agreement protocol also used in signature inside of protocol?

mehdi mahdavi oliaiy

10/15/22, 5:28 AM

In key agreement (or key exchange) protocols, is used signature for authentication. Suppose that key exchange protocols execute on elliptic curve. The initiator of protocol must sends signature of his message with main message. What happen if the curve used in key agreement protocol also used in signature inside of protocol?

For example in Diffie-Hellman key exchange over curve, Alice sends $aP$ and $sig_{k_a}(aP)$ to Bob that $P$ is the generator of curve $E$. The signature is the ECDSA (or EdDSA) on curve $E'$. Is $E=E'$? Is $E$ and $E'$ different? What kind of these situation are the best? what is the advantages?

110

1 + 0

protocol-design

Score:1

Crypto

fgrieu

10/15/22, 6:25 AM

In signature as practiced with ECC, the first step in $\operatorname{sig}_{k_a}(aP)$ is hashing $aP$. That seems to prevent any attack that would use $aP$ is computed on the curve used for signature, except if that reused the same hash on a secret curve point, which is not the case in ECDH as practiced (specific KDFs are used; and it would be possible to reuse the same hash with a different message formatting, e.g. a prefix).

Thus I see no more problem with using the same curve for key agreement and signature, than there is using the same curve for multiple public keys in signature. The later is common and has little drawback. It does allow to put in common some pre-computation effort, e.g. when attacking public keys with baby-step/giant-step, but this has negligible practical importance.

0 + 2

mehdi mahdavi oliaiy

10/15/22, 11:22 AM

Thanks for your answer. What is your means from the 'later is common'? Is your means the case that use the same curve or different? Furthermore, I know the first step is hashing. My question is about the rest of the signing process. It means that, can we use the same generator point $P$ and the same curve $E$ for signature of $H(aP)$ as message??

fgrieu

10/15/22, 12:21 PM

@mehdi mahdavi oliaiy : My _"the later is common"_ means that _"using the same curve for multiple public keys in signature" "is common"_. It's fine. In my opinion, _"using the same curve for key agreement and signature"_ is just as fine (subject to the common condition explained).

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: What happen if the curve used in key agreement protocol also used in signature inside of protocol?

TH: จะเกิดอะไรขึ้นหากเส้นโค้งที่ใช้ในโปรโตคอลข้อตกลงหลักยังใช้ในลายเซ็นภายในโปรโตคอลด้วย

RO: Ce se întâmplă dacă curba folosită în protocolul acordului cheie este folosită și în semnătură în interiorul protocolului?

RU: Что произойдет, если кривая, используемая в протоколе согласования ключей, также будет использоваться в подписи внутри протокола?

VI: Điều gì xảy ra nếu đường cong được sử dụng trong giao thức thỏa thuận khóa cũng được sử dụng trong chữ ký bên trong giao thức?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.