On Sun, Nov 4, 2012 at 7:15 PM, <jb-open...@wisemo.com> wrote: > On 02-11-2012 21:46, Jeffrey Walton wrote: >> >> On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm <jb-open...@wisemo.com> wrote: >>> >>> (continuing TOFU posting to keep the thread somewhat consistent) >>> >>> Given some of the mathematical restrictions on parameters needed to >>> keep DSA and ECDSA safe from attackers, I don't think using the same >>> private key for ECDSA and ECDH is a good/safe idea. >>> >>> However I am not a genius cryptanalyst, so I cannot guarantee that >>> this is really dangerous, it is just a somewhat educated guess. >> >> Not at all - its good advice. Its called Key Separation, and its >> covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I >> usually see folks trying to use the same key for signing and >> encryption. This is a slight twist in that they want to do signing and >> agreement. >> >> The HAC is available for free online at http://cacr.uwaterloo.ca/hac/. >> > I am aware of the general principle, but that is not my point at all. > > My point is that the very specific math of DSA signatures may enable > specific attacks if the same key pair is used as a static DH key. > > Information on this possibility (or its absence) is obscured by replies > like yours (and by similar general statements in official Government > materials from NIST etc.). My apologies. I was not aware I was obscuring results. It was not my intention.
The OpenSSL list is a good list, but its OpenSSL implementation oriented. As such, its not the best place to ask number theoretic questions. To get your question answered, I would encourage you to ask on an appropriate list; or visit a university and talk to someone in the math department or teaching cryptography. (I still keep in touch with my former crypto instructor, so I would simply send an email). As far as I know, there are three such lists. First you can ask on Usenet's sci.crypt. Second, you can ask on Usenet's sci.math. I see David Wagner patrolling sic.crypt on occasion. Both of these lists will require you to wade though copious amounts of spam. Third, you can try Jack Llyod's Cryptography mailing list at http://lists.randombit.net/mailman/listinfo. Jack is the author of Botan, and a lot of first class crypto folks are active on his list, such as Jon Callas and Peter Guttman. I have omitted a number of influential and helpful folks, so please don't take offense if I did not name your favorite cryptographer. For what its worth, I don't think this is a conspiracy or a concerted effort to suppress your knowledge. Jeff ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org