3
$\begingroup$

ECDSA and ECDH give us the following methods:

// ECDSA var signature = ECDSA.sign(privateKey, hash); var isValid = ECDSA.verify(publicKey, hash, signature); // ECDH var sharedSecret1 = ECDH.compute(node1.publicKey, node2.privateKey); var sharedSecret2 = ECDH.compute(node2.publicKey, node1.privateKey); // sharedSecret1 == sharedSecret2;

ECDSA give as a very long signature (73 bytes).

I am wondering why we need ECDSA if we can do signing only with ECDH and get much smaller signature:

function sign(priavteKey, hash) { // generate public key from private key var publicKey = computePublicKey(hash); var sharedSecret = ECDH.compute(publicKey, privateKey); var signature = hash(sharedSecret); return signature; } function verify(publicKey, hash, signature) { var sharedSecret = ECDH.compute(publicKey, hash); return (hash(sharedSecret) == signature); }

This method exposes one of the private keys of ECDH and uses it for generating the signature hash. Is there any way that this method can expose the real private key?

I've been reading these answers and it seems ok…

Improve this question
$\endgroup$
3
  • 7
    $\begingroup$ You recompute the signature in your verification algorithm from public information. Therefore your signature scheme is trivially forgeable. $\endgroup$ Commented Jul 9, 2015 at 23:56
  • $\begingroup$ I don't understand what you sign function is supposed to be doing. You treat hash as some value at first and then as a function. $\endgroup$ Commented Jul 10, 2015 at 7:04
  • 1
    $\begingroup$ You might be interested in BLS signatures, they're essentially Diffie-Hellman between the message hash interpreted as group element and the signers key. But they require a group in which the decisional Diffie-Hellman problem is easy to verify the signature. $\endgroup$ Commented Jul 10, 2015 at 8:10

2 Answers 2

Reset to default
6
$\begingroup$

To simplify your definition:

$$ s = \operatorname{sign}(k, m) = h(G\ h(m)\ k)\\ \operatorname{verify}(Gk, m, s)\iff s \overset{?}{=} h(Gk\ h(m)) $$

This is obviously insecure because I can forge "signatures"!

$$s' = \operatorname{forge}(Gk, m') = h(Gk\ h(m'))$$

ECDH is not a signature scheme. Schnorr is amazing and is much more interesting than ECDSA! Including but not limited to: threshold k-of-n distributed identities, n-of-n multisig aggregation, batch verification, public key recovery, implicit certificates, and much more!

Improve this answer
$\endgroup$
2
$\begingroup$

ECDH is not for signing. Your sign method using does not look like any valid signature scheme I have ever seen, and is therefore likely wildly insecure.

Note that the Q&A you link to is asking a very different question.

Improve this answer
$\endgroup$
1
  • 2
    $\begingroup$ I also think that way. I wondering why this method may be insecure.. $\endgroup$ Commented Jul 9, 2015 at 23:33

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.