This is a real world question (and as I'm not an expert in cryptography I have only some basic knowledge in terms of just using it, not a deep understanding how ist works under the hood.): A system for data collection from many embedded end-devices employs AES128 GCM/GMAC to protect messages in terms of confidentiality and authenticity: each message $M$ is encrypted $C = E(K, M)$ and protected with a tag $T=T(K, M)$ using symmetric keys: $(C, T)$ is sent over to the receiver.
In an advanced version of the system, additionally to this protection, a digital signature $S=S(M)$ based on ECDSA (using ECC NIST key material) is employed: first sign $M$, then encrypt:
The result of signing is the tuple $(S, M)$
then ${ E(K,(S,M)), T(K, (S,M))}$ is sent to the receiver which has the public ECC key.
Q1: What is the additional benefit we gain from using this additional signing?
If GCM/GMAC is used in the right way (e.g. using initialization vectors only once) and the symmetric key is not compromised, then GCM/GMAC is a good protection. What are the scenarios where the additional use of the signature helps to make an improvement in terms of security?
Q2: In addition to signing messages, ECDH is used to agree on new symmetric keys from time to time. In the "old" version this was done via (standardized) key wrap algorithm, which depends on a symmetric KEK. Again I ask: What is the real benefit of using ECDH instead of Key Wrap?
I know of course the principles of public key cryptography but cannot really estimate the additional value we gain as compared to using just the symmetric variant which justifies the effort to implement the advanced version.
