
What data can be derived from ECDSA signature and message?

ru flag

I generate a random message m sent to a device that calculates sig(m, privKey) with secp256k1. It then performs an HTTP GET call to share both pubKey and sig with the purpose of authentication.

(m remains private to me and is randomly generated for every new authentication request. EDIT: in crypto terms it might be called a "challenge"?)

I want to derive a constant secret from m and sig, m' and sig', m'' and sig'' and so on.

My first thought was to use ECDSA public key recovery, that would deterministically yield the same data (the public key) each time. This would work, but there are issues:

  • ECDSA public key recovery might return 0, 1 or 2 possible EC points (public keys), as far as I understand.
  • The device made an HTTP call with the public key in the URL (even over SSL it might be prone to attacks).

If public key recovery returned 2 public keys, the one not shared by the device would be perfect. But how often does one get 2 public keys?

Are there alternative methods, with any cryptographic tools, to reliably derive a secret for any given m and sig? Thank you!
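As an added illustration (not part of the original question or of lnurl-auth), the following pure-Python secp256k1 signer plus the SEC 1 public-key recovery procedure counts how many candidate keys a (challenge, signature) pair yields: on secp256k1 it is essentially always two, and both are computable by anyone who holds m and sig, which is why neither can serve as a secret. The curve arithmetic, `sign`, `recover` and `demo` are written here for illustration and are not constant-time.

```python
import hashlib, secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:      lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p):  # double-and-add scalar multiplication (illustrative, not constant-time)
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def h(m): return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def sign(priv, m):  # plain ECDSA with a random nonce k
    z = h(m)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, G)[0] % N
        s = (z + r * priv) * pow(k, -1, N) % N
        if r and s: return (r, s)

def recover(m, sig):
    """Every public key under which sig verifies for m (SEC 1, section 4.1.6)."""
    r, s = sig; z = h(m); cands = []
    for x in (r, r + N):                  # r is an x-coordinate reduced mod N
        if x >= P: continue
        y = pow((x**3 + 7) % P, (P + 1) // 4, P)
        if y * y % P != (x**3 + 7) % P: continue   # no curve point has this x
        for R in ((x, y), (x, P - y)):    # the two points sharing that x
            Q = mul(pow(r, -1, N), add(mul(s, R), mul(N - z, G)))  # Q = r^-1 (sR - zG)
            if Q is not None: cands.append(Q)
    return cands

def demo():
    """Sign a constructed random challenge, then recover every candidate key."""
    priv = secrets.randbelow(N - 1) + 1
    pub, m = mul(priv, G), secrets.token_bytes(32)
    cands = recover(m, sign(priv, m))
    return pub in cands, len(cands)
```

`demo()` returns `(True, 2)`: the device's real key is always among the candidates, and the second candidate is recoverable from the same public data, so it adds no secrecy.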

ru flag
Apologies in advance if I misused some terms, I'm a crypto n00b
Maarten Bodewes (in flag)
A public key should be considered public, and for it to be useful for authentication, it also needs to be trusted. Sharing both a public key and signature created with that key makes no sense whatsoever. A signature is also considered public, so if you can derive a public key from that you cannot use it as secret. Maybe it would be better if you would describe what you want to achieve.
ru flag
I want to use [lnurl-auth](https://github.com/fiatjaf/lnurl-rfc/blob/luds/04.md) which uses the bitcoin private key to derive and sign challenges that are used as proof when signing into websites. I want to use it but locally in order to automatically calculate my passwords. Essentially as a password manager. And if it works then share it with others.
ru flag
Since message (which is private) along with the signature (which is public) is required for finding the unused, unpublished public key I thought it made sense.
meshcollider (gb flag)
You cannot verify a signature if you don't know the message $m$. Verification requires the public key, message, and the signature itself.
ru flag
@meshcollider Let me clarify: The message `m` is private to me, I know it, I generated it randomly. The device reads it (via QR code) and outputs public key and signature. Then I have the three pieces to verify the signature, so now I know the device (user) is who he says he is. Would that help with my original question?
ru flag
Maybe my use of the word "message" is confusing? In the spec they use "challenge" so perhaps that makes it more clear.
poncho (my flag)
Might I suggest it might be cleaner to start by describing the problem, rather than your solution. What are you trying to achieve? What are your resources? What security goals do you have?