Score:2

What happens if the curve used in a key agreement protocol is also used for the signature inside the protocol?


In key agreement (or key exchange) protocols, a signature is used for authentication. Suppose that the key exchange protocol executes on an elliptic curve. The initiator of the protocol must send a signature of his message along with the main message. What happens if the curve used in the key agreement protocol is also used for the signature inside the protocol?

For example, in Diffie-Hellman key exchange over a curve, Alice sends $aP$ and $sig_{k_a}(aP)$ to Bob, where $P$ is the generator of curve $E$. The signature is ECDSA (or EdDSA) on curve $E'$. Is $E=E'$? Are $E$ and $E'$ different? Which of these situations is best? What are the advantages?

Score:1

In signature as practiced with ECC, the first step in $\operatorname{sig}_{k_a}(aP)$ is hashing $aP$. That seems to prevent any attack that would use the fact that $aP$ is computed on the curve used for signature, except if that reused the same hash on a secret curve point, which is not the case in ECDH as practiced (specific KDFs are used; and it would be possible to reuse the same hash with a different message formatting, e.g. a prefix).

Thus I see no more problem with using the same curve for key agreement and signature than there is with using the same curve for multiple public keys in signature. The latter is common and has little drawback. It does allow pooling some pre-computation effort, e.g. when attacking public keys with baby-step/giant-step, but this has negligible practical importance.

mehdi mahdavi oliaiy
Thanks for your answer. What do you mean by 'latter is common'? Do you mean the case that uses the same curve or a different one? Furthermore, I know the first step is hashing. My question is about the rest of the signing process. That is, can we use the same generator point $P$ and the same curve $E$ for the signature of $H(aP)$ as the message?
fgrieu
@mehdi mahdavi oliaiy: My _"the latter is common"_ means that _"using the same curve for multiple public keys in signature" "is common"_. It's fine. In my opinion, _"using the same curve for key agreement and signature"_ is just as fine (subject to the common condition explained).
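
The setup discussed in this answer, as an added example that is not part of the original post: Alice's ECDSA identity key and the ECDH ephemeral keys all live on P-256 (so $E = E'$), and the signature hash and the key-derivation hash are kept apart by a prefix. The labels, the function names and the prefixed SHA-256 standing in for a real KDF are assumptions of this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed labels: distinct prefixes separate the signature hash from the KDF hash.
const sigLabel, kdfLabel = "demo-kex sig:", "demo-kex key:"

func digest(label string, data []byte) []byte { // SHA-256(label || data)
	h := sha256.Sum256(append([]byte(label), data...))
	return h[:]
}

// SignedShare returns the encoded point aP and sig_{k_a}(aP), an ECDSA signature.
func SignedShare(id *ecdsa.PrivateKey, eph *ecdh.PrivateKey) (share, sig []byte, err error) {
	share = eph.PublicKey().Bytes()
	sig, err = ecdsa.SignASN1(rand.Reader, id, digest(sigLabel, share))
	return
}

// Accept checks the peer's signature on its share, then derives the session key.
func Accept(eph *ecdh.PrivateKey, peerID *ecdsa.PublicKey, share, sig []byte) ([]byte, error) {
	if !ecdsa.VerifyASN1(peerID, digest(sigLabel, share), sig) {
		return nil, fmt.Errorf("bad signature on key share")
	}
	peer, err := ecdh.P256().NewPublicKey(share) // rejects points not on the curve
	if err != nil {
		return nil, err
	}
	z, err := eph.ECDH(peer) // shared secret: x-coordinate of abP
	if err != nil {
		return nil, err
	}
	return digest(kdfLabel, z), nil // hashed under a different prefix than the signature
}

func main() {
	idA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // Alice's signing key k_a
	ephA, _ := ecdh.P256().GenerateKey(rand.Reader)           // Alice's a, same curve
	ephB, _ := ecdh.P256().GenerateKey(rand.Reader)           // Bob's b
	share, sig, _ := SignedShare(idA, ephA)                   // demo: errors ignored
	kB, err := Accept(ephB, &idA.PublicKey, share, sig)
	fmt.Printf("Bob's session key: %x (err: %v)\n", kB, err)
}
```

The identity key and the ephemeral key are still independent secrets; only the curve parameters are shared between the two uses.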