_MiW

2017-05-31 02:17:14 UTC

Dear Curves,

Recently joined list -- seemed like the best place to ask this question.

I call it 'key reuse on different curves', lacking a better name for it. I have not found a good explanation online of why this particular situation would be good/bad. Intuitively, it seems like a bad idea, but I want to know why. Please forgive my terminology if it lacks the usual mathematical rigour of the field.

Situation:

A random 256-bit integer k is plucked from a good CSPRNG. Assume the number is less than the order of curves SECP256K1 and PRIME256V1 (SECP256R1).

Admin takes curve SECP256K1 and calculates kG, with G the generator of SECP256K1. kG = P, a public point (x,y).
Admin saves (k, "SECP256K1") to a file - privkey1.pem
Admin saves (P, "SECP256K1") to a file - pubkey1.pem
Admin extracts the value k from the file privkey.pem and saves (k, "PRIME256V1") to a new file - privkey2.pem
The admin generates the corresponding value P'=kG' with G' as generator of PRIME256V1 and saves (P, "PRIME256V1") to file - pubkey2.pem
Admin provides files pubkey1 and privkey1 to User 1, stored so there is no easy way to extract k manually, such as a smartcard. Likewise for User 2.

Question(s):

Something like X509 tags a pubkey in a certificate by an identifier - a hash of both the point P and curve. In some cryptosystems the curve is implicit, so a pubkey hash will identify such scalar reuse (which is just regular key reuse). Because the question is framed over different curves, we ignore cases using a single implicit curve like bitcoin. These are closer to a scalar privkey reuse like in RSA. I would say strictly, the key material in both cases is not 'identical', but the secret scalar value is the same, with different public key identifiers.

* Is there a formal name for when this occurs with like but differing curve EC keys in a cryptosystem?

If you were to compare the pubkeys on both smartcards, it would not be obvious they contained the same secret value. Contrast this with RSA, in which it is easy to discover hosts with duplicate key material. (i.e. 2 hosts with identical RSA host pubkeys on SSH will share a private key -- insecure as the system has lost its strong authentication guarantee.)

Assume User 1 and 2 never meet nor perform any kind of cryptographic operation with the other's respective keys. They will interact with other (presumed secure) SECP256K1 and PRIME256V1 keys in the wild.

* Is this System secure (yes?)

Assume User 1 and 2 can perform operations on each other's keys, say a Client/Server context.

* Is this System secure (no?) - Why? (Specifically about EC ops that make this insecure rather than philosophically reusing keys)

User 1 has found a weakness in design that lets them extract k from the smart card (say via nonce reuse in ECDSA).

* Is there anything beyond calculating kG' for every observed 'unlike' curve public key to determine a match? (Does anything else leak from operations performed on the same secret keys?)

* Is there anything fundamentally incorrect about reusing scalar secret values across different but similarly sized curves in disparate cryptosystems?

Thank you,

MiW
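The admin's two derivations from the post (kG on SECP256K1, kG' on PRIME256V1) and the "compute kG' and compare" match check from the last questions, written out as an added example that is not part of the original post. The function names and the scalar SAMPLE_K are assumptions of this example; the curve constants are the published domain parameters of the two curves.

```python
# Added example (not from the original post): compute kG for one scalar k on
# secp256k1 and on prime256v1 with a minimal affine double-and-add, and check a
# published point against a private scalar to flag cross-curve reuse. Curve
# constants are the standard public parameters; SAMPLE_K is a constructed value.
SECP256K1 = dict(
    p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F, a=0, b=7,
    n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141,
    G=(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8))
PRIME256V1 = dict(  # a.k.a. secp256r1 / P-256
    p=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    a=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    n=0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    G=(0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
       0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5))

def on_curve(c, P):  # None is the point at infinity
    return P is None or (P[1] ** 2 - (P[0] ** 3 + c["a"] * P[0] + c["b"])) % c["p"] == 0

def add(c, P, Q):  # affine group law
    if P is None: return Q
    if Q is None: return P
    p = c["p"]
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return None  # P + (-P) = infinity
    if P == Q:
        lam = (3 * P[0] ** 2 + c["a"]) * pow(2 * P[1], -1, p) % p
    else:
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x = (lam ** 2 - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def mul(c, k, P):  # double-and-add; not constant-time, illustration only
    R = None
    while k:
        if k & 1: R = add(c, R, P)
        P, k = add(c, P, P), k >> 1
    return R

def pubkey(c, k):  # the admin's step: kG on curve c, with k in [1, n-1]
    if not 0 < k < c["n"]: raise ValueError("scalar out of range for this curve")
    return mul(c, k, c["G"])

def reuses_scalar(c, k, pub):  # audit check: does pub on curve c belong to scalar k?
    return on_curve(c, pub) and pubkey(c, k) == pub
SAMPLE_K = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed
if __name__ == "__main__":
    P1, P2 = pubkey(SECP256K1, SAMPLE_K), pubkey(PRIME256V1, SAMPLE_K)
    print(hex(P1[0]), hex(P2[0]), reuses_scalar(PRIME256V1, SAMPLE_K, P2))
```

Comparing P1 and P2 by value shows nothing in common, which is the post's point about identifiers; only someone holding k (or an auditor with the private key files) can link them by recomputing kG' as reuses_scalar does.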
