2

Hy!

I want to use an EC key for ECDH and ECDSA too. Using the same key does compromise the security of the key in a cryptographic / mathematical sense? I read a lot in this theme, but I found nothing exact. I know that the usage of the same key for encryption and for signing is not recommended (because of encryption keys must be escrowed, and signing keys must not be escrowed), but is there any mathematical/cryptographic reason to use different keys? (Only in Elliptic curve cryptography of course). Is there an RFC or something formal paper about this? (A haven't found any)

I want to generate an EC key on a HSM, but I can't enable SIGN, and DERIVE at the same time. (I think that's because the HSM generates an ECDSA key in the precending case, and an ECDH key in the latter case, and don't know what to do if they are enabled in the same time). But I can generate an EC key with openssl without so much as to know if I want to use it for ECDH, or ECDSA purposes. Is there any workaround for that? Can I generate a general EC key on the HSM?

Zsolt Czikó
  • 21
  • 1
  • https://crypto.stackexchange.com/q/37896/18298 – kelalaka Sep 10 '20 at 12:25
  • It would help if the question stated if something precise if meant by "ECDH". That can go from straight Diffie-Hellman key exchange using an Elliptic Curve group, in which case there is no dual use of and no security compromise, but no authentication; to several variants of authenticated Diffie-Hellman key exchange using an Elliptic Curve group (with one in SEC1v2), where the issue raised by the question makes a lot of sense. – fgrieu Sep 10 '20 at 14:19
  • The keys used for ECDSA (as defined in X9.62 and FIPS 186-2+) and ECDH (as the specific scheme in X9.63 but not other kinds of EC-based DH like Bernstein's X) are mathematically the same. However, many HSMs and also many non-hardware crypto implementations restrict a given key to only one function or the other, and this restriction may be reflected in the certificate(s?) for the key. There are many thousands of HSM designs. all different, and what your particular HSM can do depends on exactly which HSM it is, which you didn't give any clue about. – dave_thompson_085 Sep 11 '20 at 00:03

0 Answers0