[cryptography] Using same key for ECDSA and ECIES

Paterson, Kenny Kenny.Paterson at rhul.ac.uk
Fri Sep 20 15:26:49 EDT 2013


Dominik,

You can certainly do it safely in this instance, because we have a
security analysis that says it's OK, but in general it's a bad idea to use
the same key-pair for more than one purpose, and, as the RSA-based example
in the paper shows, it can sometimes get you into serious trouble. Indeed,
there's even a cryptographic principle - key separation - which says "use
different keys for different functions".

Regards

Kenny

On 20/09/2013 19:35, "Dominik Schürmann" <dominik at dominikschuermann.de>
wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>On 20.09.2013 17:17, Paterson, Kenny wrote:
>> It is "technically secure". See:
>> 
>> http://eprint.iacr.org/2011/615
>
>Thanks you so much for this paper, it's even mostly understandable
>with some basic knowledge of attack models :)
>
>> Even so, I would not recommend this approach unless you absolutely
>> have to use it.
>
>Could you elaborate more on this? Do you see problems besides Alan
>Braggins remark?
>
>
>In my scenario I have a network with nodes sending messages
>hop-by-hop, where the ids of these nodes are the public keys itself.
>The problem is that these networks are highly unreliable and have high
>delays (Delay tolerant networking). Thus, DH key exchange protocols
>are out of scope. The idea is to always sign messages with your
>private key which could be verified by anyone using the node id itself
>(your pub key), and encrypted using the destination's node id (which
>is the pub key of the destination).
>How you know if you are using the right node id (for verification or
>encryption) is not a problem which should be discussed here.
>
>Because ids should be as short as possible it would be nice to use the
>same pub key for verification and encryption.
>
>After reading related literature, I came to the conclusion to use
>ECDSA and ECIES (Both with Koblitz curves, as I am sceptical about the
>random curves ;),
>Bernstein's curve25519 would be too difficult to integrate, as I
>didn't found a library, which is present in current linux distros and
>handles both EC sign and encryption schemes.
>
>Regards
>Dominikh
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.14 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
>iQEcBAEBAgAGBQJSPJVmAAoJEHGMBwEAASKC6rMH/1Q4edycmw1CIwTVBsz0RG0E
>wlstAuBkHm4Msd7nnVzK601imXfkqRaXI8uuzhm4XlCFhykh6DrPQ7W9idWqJSyG
>ioefr7od5up0aGZna5PZQCinm0X7b1e8HbcMLXFhgYcXVvQWMbcLfdikUpHgotbW
>XgiH4JwR9xC178bPzacduBZI0Gy7IZPNUO0geTCYEvvcS144V+w5WlGidzsP6F1p
>sDYEjI6oxfYxQ8ThzKnzxYQSNfzpPGaLIUdSb6WkLSJOGGtoPGCigxlAXUC3L6fE
>n3V6n2mALHDgjmnReMg/4cNK+8TFjJcohCL2k0ZO+8WiHNAl5PT//D+6Q8FSbPc=
>=Z59x
>-----END PGP SIGNATURE-----
>_______________________________________________
>cryptography mailing list
>cryptography at randombit.net
>http://lists.randombit.net/mailman/listinfo/cryptography
>




More information about the cryptography mailing list