[cryptography] Using same key for ECDSA and ECIES

2013-09-20 Thread Dominik Schürmann

I am wondering if it is okay to use the same asymmetric ECC key for
ECDSA and ECIES. Given that the signing and encryption algorithms are
not related like in RSA, I assume it is okay to use the same key for
both operations.

Are there any things I need to pay attention to when combining both
schemes using same keys? Can Bob decrypt messages by forcing Alice to
sign messages? (as in naive RSA implementations).

Regards
Dominik
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Using same key for ECDSA and ECIES

2013-09-20 Thread Paterson, Kenny
Hi 

On 20/09/2013 16:07, Alan Braggins alan.bragg...@gmail.com wrote:

> On 20/09/13 13:22, Dominik Schürmann wrote:
> > I am wondering if it is okay to use the same asymmetric ECC key for
> > ECDSA and ECIES. Given that the signing and encryption algorithms are
> > not related like in RSA, I assume it is okay to use the same key for
> > both operations.
> >
> > Are there any things I need to pay attention to when combining both
> > schemes using same keys? Can Bob decrypt messages by forcing Alice to
> > sign messages? (as in naive RSA implementations).
>
> Even if it's technically secure (and I suspect it isn't), in some
> legislations you can be compelled to hand over a decryption key,
> or a dual use key, but not a signature _only_ key.
> http://www.legislation.gov.uk/ukpga/2000/23/section/49/enacted (9)
>
> So at least in some use cases, it's better to keep the signature key
> as a signature only key.


It is technically secure. See:

http://eprint.iacr.org/2011/615


especially Section 4.

Even so, I would not recommend this approach unless you absolutely have to
use it.

Cheers

Kenny




Re: [cryptography] Using same key for ECDSA and ECIES

2013-09-20 Thread Alan Braggins

On 20/09/13 16:17, Paterson, Kenny wrote:

> It is technically secure. See:
> http://eprint.iacr.org/2011/615
> especially Section 4.


Thanks. I wish I'd known that back in 2008
https://bugzilla.mozilla.org/show_bug.cgi?id=344179#c6
With a pointer to a security proof, I might have got the
firmware changed.

(But I no longer work for nCipher, so not my problem any more.)



Re: [cryptography] Using same key for ECDSA and ECIES

2013-09-20 Thread Dominik Schürmann


On 20.09.2013 17:17, Paterson, Kenny wrote:
> It is technically secure. See:
>
> http://eprint.iacr.org/2011/615

Thank you so much for this paper, it's even mostly understandable
with some basic knowledge of attack models :)

> Even so, I would not recommend this approach unless you absolutely
> have to use it.

Could you elaborate more on this? Do you see problems besides Alan
Braggins' remark?


In my scenario I have a network with nodes sending messages
hop-by-hop, where the ids of these nodes are the public keys themselves.
The problem is that these networks are highly unreliable and have high
delays (Delay tolerant networking). Thus, DH key exchange protocols
are out of scope. The idea is to always sign messages with your
private key which could be verified by anyone using the node id itself
(your pub key), and encrypted using the destination's node id (which
is the pub key of the destination).
How you know if you are using the right node id (for verification or
encryption) is not a problem which should be discussed here.

Because ids should be as short as possible it would be nice to use the
same pub key for verification and encryption.

After reading related literature, I came to the conclusion to use
ECDSA and ECIES (Both with Koblitz curves, as I am sceptical about the
random curves ;),
Bernstein's curve25519 would be too difficult to integrate, as I
didn't find a library, which is present in current linux distros and
handles both EC sign and encryption schemes.

Regards
Dominik

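The scenario in the message above (node id = public key, sign with your own key, encrypt to the destination's id), as an added example that is not part of the original thread. It assumes the Python `cryptography` package and secp256k1, and uses an ECIES-style hybrid (ephemeral ECDH, HKDF, AES-GCM) as a stand-in for a standardized ECIES; the function names and packet layout are illustrative.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

CURVE = ec.SECP256K1()  # assumption: a Koblitz curve; the thread names none
ID_LEN = 33             # compressed point on a 256-bit curve

def node_id(priv):
    """Node id = compressed public key, used for verification and encryption."""
    return priv.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.CompressedPoint)

def _load(pub_id):
    return ec.EllipticCurvePublicKey.from_encoded_point(CURVE, pub_id)

def _aes_key(shared, eph_id, dest_id):
    # Bind the derived key to the ephemeral key and the destination id.
    return HKDF(hashes.SHA256(), 32, salt=None,
                info=b"dtn-demo" + eph_id + dest_id).derive(shared)

def seal(sender_priv, dest_id, msg):
    """Sign with the sender's key, then encrypt to the destination's node id."""
    # The signature covers the destination id, so a signed message cannot be
    # re-encrypted to a different node and still verify there.
    sig = sender_priv.sign(dest_id + msg, ec.ECDSA(hashes.SHA256()))
    eph = ec.generate_private_key(CURVE)  # fresh ephemeral key per message
    eph_id = node_id(eph)
    key = _aes_key(eph.exchange(ec.ECDH(), _load(dest_id)), eph_id, dest_id)
    nonce = os.urandom(12)
    body = node_id(sender_priv) + len(sig).to_bytes(1, "big") + sig + msg
    return eph_id + nonce + AESGCM(key).encrypt(nonce, body, None)

def open_sealed(dest_priv, packet):
    """Decrypt with the key pair the node also signs with; return (sender_id, msg)."""
    eph_id = packet[:ID_LEN]
    nonce, ct = packet[ID_LEN:ID_LEN + 12], packet[ID_LEN + 12:]
    dest_id = node_id(dest_priv)
    key = _aes_key(dest_priv.exchange(ec.ECDH(), _load(eph_id)), eph_id, dest_id)
    body = AESGCM(key).decrypt(nonce, ct, None)  # InvalidTag if tampered
    sender_id, sig_len = body[:ID_LEN], body[ID_LEN]
    sig = body[ID_LEN + 1:ID_LEN + 1 + sig_len]
    msg = body[ID_LEN + 1 + sig_len:]
    # InvalidSignature if the claimed sender did not sign (dest_id || msg).
    _load(sender_id).verify(sig, dest_id + msg, ec.ECDSA(hashes.SHA256()))
    return sender_id, msg
```

Each node holds one key pair here, and the only use of its private key besides signing is the ECDH step inside `open_sealed`.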

Re: [cryptography] Using same key for ECDSA and ECIES

2013-09-20 Thread Paterson, Kenny
Dominik,

You can certainly do it safely in this instance, because we have a
security analysis that says it's OK, but in general it's a bad idea to use
the same key-pair for more than one purpose, and, as the RSA-based example
in the paper shows, it can sometimes get you into serious trouble. Indeed,
there's even a cryptographic principle - key separation - which says use
different keys for different functions.

Regards

Kenny



Re: [cryptography] Using same key for ECDSA and ECIES

2013-09-20 Thread Dominik Schürmann

On 20.09.2013 22:09, Jeffrey Walton wrote:
> Crypto++ has the schemes and Dr. Bernstein's curve. The library is
> available on all major Linux and BSD platforms.

I am using Crypto++ already, but I can't find ed25519 anywhere in the
library. FYI: The maintainers of pycryptopp are including ed25519 as a
separate dependency besides Crypto++.

Regards
Dominik


Re: [cryptography] Using same key for ECDSA and ECIES

2013-09-20 Thread Jeffrey Walton
On Fri, Sep 20, 2013 at 2:35 PM, Dominik Schürmann
domi...@dominikschuermann.de wrote:
> ...
> After reading related literature, I came to the conclusion to use
> ECDSA and ECIES (Both with Koblitz curves, as I am sceptical about the
> random curves ;),
> Bernstein's curve25519 would be too difficult to integrate, as I
> didn't find a library, which is present in current linux distros and
> handles both EC sign and encryption schemes.

Crypto++ has the schemes and Dr. Bernstein's curve. The library is
available on all major Linux and BSD platforms.

Jeff