[curves] Key reuse on different curves

_MiW miwmailing at gmail.com
Tue May 30 19:17:14 PDT 2017


Dear Curves,

Recently joined list -- seemed like the best place to ask this question.
I call it 'key reuse on different curves', lacking a better name for it.
I have not found a good explanation online of why this particular
situation would be good/bad.
Intuitively, it seems like a bad idea, but I want to know why.
Please forgive the my terminology if it lacks the usual mathematical
rigour of the field.

Situation:

A random 256-bit integer k is plucked from a good CSPRNG.
Assume number is less than the order of curves SECP256k1 and PRIME256V1
(SECP256R1)

Admin takes curve SECP256K1 and calculates kG, generator of SECP256K1
kG = P, a public point (x,y)
Admin saves (k, "SECP256K1") to a file - privkey1.pem
Admin saves (P, "SECP256K1") to a file - pubkey1.pem

Admin extracts the value k from the file privkey.pem and saves (k,
"PRIME256V1")
to a new file  - privkey2.pem
The admin generates the corresponding value P'=kG' with G' as Generator
of PRIME256V1
and saves (P, "PRIME256V1") to file - pubkey2.pem

Admin provides files pubkey1 and privkey1 to User 1 stored so there is
no easy way to extract k manually, such as a smartcard.
likewise for User 2.

Question(s):

Something like X509 tags pubkey in a certificate by an identifier - a
hash of both the point P and curve.
In some cryptosystems the curve is implicit, so a pubkey hash will
identify such scalar reuse (which is just regular key reuse).
Because the question is framed over different curves, we ignore cases
using a single implicit curve like bitcoin.
These are closer to a scalar privkey reuse like in RSA.
I would say strictly, the key material in both cases is not 'identical'
but the secret scalar value is the same, with different public key
identifiers.

* Is there a formal name for when this occurs with like but differing
curve EC keys in a cryptosystem?

If you were to compare the pubkeys on both smartcards, it would not be
obvious they contained the same secret value.
Contrast this with RSA, in which it is easy to discover hosts with
duplicate key material.
(ie: 2 hosts with identical RSA host pubkeys on SSH will share private
key -- insecure as system has lost strong authentication guarantee)

Assume User 1 and 2 never meet nor perform any kind of cryptographic
operation with the others respective keys.
They will interact with other (presumed secure) SECP256K1 and PRIME256V1
keys in the wild.
* Is this System is secure (yes?)

Assume User 1 and 2 can perform operations on each others keys, say a
Client/Server context
* Is this System secure (no?) - Why? (Specifically about EC ops that
make this insecure rather than philosophically reusing keys)

User 1 has found a weakness in design that lets them extract k from the
smart card (say via nonce reuse in ECDSA).
* Is there anything beyond calculating: kG' for every observed 'unlike'
curve public key observed to determine a match?
(Anything else leaks from operations performed on same secret keys)?

* Is there anything fundamentally incorrect about reusing scalar secret
values across different but similarly sized curves in disparate
cryptosystems?

Thank you,
MiW




More information about the Curves mailing list