[cryptography] Using same key for ECDSA and ECIES

Paterson, Kenny Kenny.Paterson at rhul.ac.uk
Fri Sep 20 15:26:49 EDT 2013


You can certainly do it safely in this instance, because we have a
security analysis that says it's OK, but in general it's a bad idea to use
the same key-pair for more than one purpose, and, as the RSA-based example
in the paper shows, it can sometimes get you into serious trouble. Indeed,
there's even a cryptographic principle - key separation - which says "use
different keys for different functions".



On 20/09/2013 19:35, "Dominik Schürmann" <dominik at dominikschuermann.de> wrote:

>On 20.09.2013 17:17, Paterson, Kenny wrote:
>> It is "technically secure". See:
>> http://eprint.iacr.org/2011/615
>Thank you so much for this paper, it's even mostly understandable
>with some basic knowledge of attack models :)
>> Even so, I would not recommend this approach unless you absolutely
>> have to use it.
>Could you elaborate more on this? Do you see problems besides Alan
>Braggins' remark?
>In my scenario I have a network with nodes sending messages
>hop-by-hop, where the ids of these nodes are the public keys themselves.
>The problem is that these networks are highly unreliable and have high
>delays (Delay tolerant networking). Thus, DH key exchange protocols
>are out of scope. The idea is to always sign messages with your
>private key which could be verified by anyone using the node id itself
>(your pub key), and encrypted using the destination's node id (which
>is the pub key of the destination).
>How you know if you are using the right node id (for verification or
>encryption) is not a problem which should be discussed here.
>Because ids should be as short as possible it would be nice to use the
>same pub key for verification and encryption.
>After reading related literature, I came to the conclusion to use
>ECDSA and ECIES (Both with Koblitz curves, as I am sceptical about the
>random curves ;),
>Bernstein's curve25519 would be too difficult to integrate, as I
>didn't find a library which is present in current Linux distros and
>handles both EC sign and encryption schemes.

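The scheme described in the quoted message (one key pair per node, node id = public key, ECDSA for signing and ECIES for encryption), as an added example that is not part of the original thread. It assumes the third-party Python "cryptography" package; all function names and the "demo-ecies-v1" label are hypothetical, and the encryption is a simplified ECIES-style hybrid (ephemeral ECDH, HKDF, AES-GCM), not a standards-conformant ECIES.

```python
# Added illustration: one secp256k1 key pair used for ECDSA and an ECIES-style hybrid.
# Needs the third-party "cryptography" package; every name below is hypothetical.
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

CURVE = ec.SECP256K1()  # a Koblitz curve, as in the quoted message
POINT = (serialization.Encoding.X962, serialization.PublicFormat.CompressedPoint)

def new_node_key():
    return ec.generate_private_key(CURVE)

def node_id(priv):
    """Node id = the 33-byte compressed public key."""
    return priv.public_key().public_bytes(*POINT)

def _aead_key(shared, eph_id, dest_id):
    # Bind the derived key to both public values and to this single purpose.
    return HKDF(hashes.SHA256(), 32, salt=None,
                info=b"demo-ecies-v1" + eph_id + dest_id).derive(shared)

def seal(sender_priv, dest_id, message):
    """Sign with the sender's key, then encrypt to the destination's node id."""
    # This example's choice: the signature also covers the destination id.
    sig = sender_priv.sign(dest_id + message, ec.ECDSA(hashes.SHA256()))
    body = node_id(sender_priv) + len(sig).to_bytes(1, "big") + sig + message
    eph = ec.generate_private_key(CURVE)  # fresh ephemeral key per message
    dest_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, dest_id)
    key = _aead_key(eph.exchange(ec.ECDH(), dest_pub), node_id(eph), dest_id)
    nonce = os.urandom(12)
    return node_id(eph) + nonce + AESGCM(key).encrypt(nonce, body, dest_id)

def open_sealed(dest_priv, blob):
    """Decrypt with the same key pair that signs; return (sender_id, message)."""
    eph_id, nonce, ct = blob[:33], blob[33:45], blob[45:]
    eph_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, eph_id)
    me = node_id(dest_priv)
    key = _aead_key(dest_priv.exchange(ec.ECDH(), eph_pub), eph_id, me)
    body = AESGCM(key).decrypt(nonce, ct, me)  # raises InvalidTag if modified
    sender_id, n = body[:33], body[33]
    sig, message = body[34:34 + n], body[34 + n:]
    sender_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, sender_id)
    sender_pub.verify(sig, me + message, ec.ECDSA(hashes.SHA256()))  # raises InvalidSignature
    return sender_id, message
```

With key separation, each node would instead hold two key pairs, one per function, at the cost of a longer id.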