Dear Curves, Recently joined list -- seemed like the best place to ask this question. I call it 'key reuse on different curves', lacking a better name for it. I have not found a good explanation online of why this particular situation would be good/bad. Intuitively, it seems like a bad idea, but I want to know why. Please forgive the my terminology if it lacks the usual mathematical rigour of the field.
Situation: A random 256-bit integer k is plucked from a good CSPRNG. Assume number is less than the order of curves SECP256k1 and PRIME256V1 (SECP256R1) Admin takes curve SECP256K1 and calculates kG, generator of SECP256K1 kG = P, a public point (x,y) Admin saves (k, "SECP256K1") to a file - privkey1.pem Admin saves (P, "SECP256K1") to a file - pubkey1.pem Admin extracts the value k from the file privkey.pem and saves (k, "PRIME256V1") to a new file - privkey2.pem The admin generates the corresponding value P'=kG' with G' as Generator of PRIME256V1 and saves (P, "PRIME256V1") to file - pubkey2.pem Admin provides files pubkey1 and privkey1 to User 1 stored so there is no easy way to extract k manually, such as a smartcard. likewise for User 2. Question(s): Something like X509 tags pubkey in a certificate by an identifier - a hash of both the point P and curve. In some cryptosystems the curve is implicit, so a pubkey hash will identify such scalar reuse (which is just regular key reuse). Because the question is framed over different curves, we ignore cases using a single implicit curve like bitcoin. These are closer to a scalar privkey reuse like in RSA. I would say strictly, the key material in both cases is not 'identical' but the secret scalar value is the same, with different public key identifiers. * Is there a formal name for when this occurs with like but differing curve EC keys in a cryptosystem? If you were to compare the pubkeys on both smartcards, it would not be obvious they contained the same secret value. Contrast this with RSA, in which it is easy to discover hosts with duplicate key material. (ie: 2 hosts with identical RSA host pubkeys on SSH will share private key -- insecure as system has lost strong authentication guarantee) Assume User 1 and 2 never meet nor perform any kind of cryptographic operation with the others respective keys. They will interact with other (presumed secure) SECP256K1 and PRIME256V1 keys in the wild. * Is this System is secure (yes?) Assume User 1 and 2 can perform operations on each others keys, say a Client/Server context * Is this System secure (no?) - Why? (Specifically about EC ops that make this insecure rather than philosophically reusing keys) User 1 has found a weakness in design that lets them extract k from the smart card (say via nonce reuse in ECDSA). * Is there anything beyond calculating: kG' for every observed 'unlike' curve public key observed to determine a match? (Anything else leaks from operations performed on same secret keys)? * Is there anything fundamentally incorrect about reusing scalar secret values across different but similarly sized curves in disparate cryptosystems? Thank you, MiW _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves