Re: [Cfrg] Outline -> was Re: normative references

Paul Lambert <> Thu, 16 January 2014 20:10 UTC

From: Paul Lambert <>
To: "Igoe, Kevin M." <>, Watson Ladd <>
Date: Thu, 16 Jan 2014 12:10:35 -0800
Cc: Yaron Sheffer <>, David McGrew <>, "" <>
Subject: Re: [Cfrg] Outline -> was Re: normative references

Hi Kevin,

>> A truly 'unified' public key system would support both signatures and
>> key establishment with the same key.
> Received wisdom is that using the same key for both key establishment
> and signatures is a bad idea.  I believe the concern is that one
> protocol might be used as an oracle to subvert the other.
Yes - greatly appreciate the transfer of wisdom.  General guidelines are well documented to this effect.

This makes complete sense in the general case where a curve may support generic key establishment or signature algorithms.

However, for specifically selected signature and key establishment methods I would assume that an examination could be made of this potential subversion.  The general guideline seems to be blocking the examination and evaluation of the sensitivity of such combined modes.

As a protocol designer, being able to use the same key for signatures and key establishment makes for a simpler design and trust model.  The session key security (e.g. from ECDH) would be implicitly bound to any signed information from the same key.

It is possible to just consider a combined public key that is the concatenation of two types ... but then you need another mechanism to validate the binding.  Right now if you have two public keys Pe and Ps (public to sign and public to encrypt), this would be P = Pe|Ps (concatenated).  Binding could be through Id = h(P) = h(Pe|Ps) or Ps signing Pe, etc.

Still ... it doubles the effective required key size and adds additional steps in an authenticated key exchange.
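The concatenated-key construction described in the message above (P = Pe|Ps, an identifier Id = h(Pe|Ps), and Ps signing Pe as the binding), worked through as an added Go example that is not part of this thread or of any CFRG document. It assumes X25519 for Pe, Ed25519 for Ps and SHA-256 for h, all from the Go standard library (crypto/ecdh needs Go 1.20 or later); the domain-separation label `combined-key-binding-v1` and the `CombinedKey` type are constructed for this illustration. The verification routine is the "extra mechanism" the message refers to: a receiver checks that Ps really vouches for Pe and that the advertised identifier matches h(Pe|Ps) before running ECDH against Pe, so a swapped-in Pe under someone else's Ps is rejected. The example also makes the key-size cost visible: P is 64 bytes where a single unified key would be 32.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// CombinedKey is the concatenated public key P = Pe | Ps from the message:
// Pe is an X25519 key-establishment public key, Ps an Ed25519 signing key,
// and Sig is Ps's signature over Pe (the "Ps signing Pe" binding).
type CombinedKey struct {
	Pe  []byte
	Ps  []byte
	Sig []byte
}

// Constructed domain-separation label (an assumption of this example), so the
// binding signature can never be mistaken for a signature over protocol data.
const bindingContext = "combined-key-binding-v1"

// bindingMessage returns the bytes that Ps signs to vouch for Pe.
func bindingMessage(pe []byte) []byte {
	return append([]byte(bindingContext), pe...)
}

// NewCombinedKey generates a fresh Pe and Ps and binds them by signing Pe with Ps.
// The private halves are returned so the owner can run ECDH and sign later.
func NewCombinedKey() (*CombinedKey, *ecdh.PrivateKey, ed25519.PrivateKey, error) {
	ePriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	sPub, sPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	pe := ePriv.PublicKey().Bytes()
	sig := ed25519.Sign(sPriv, bindingMessage(pe))
	return &CombinedKey{Pe: pe, Ps: []byte(sPub), Sig: sig}, ePriv, sPriv, nil
}

// Bytes returns P = Pe | Ps, the concatenated public key.
func (k *CombinedKey) Bytes() []byte {
	return append(append([]byte{}, k.Pe...), k.Ps...)
}

// Id returns Id = h(P) = h(Pe|Ps) with h = SHA-256.
func (k *CombinedKey) Id() []byte {
	sum := sha256.Sum256(k.Bytes())
	return sum[:]
}

// Verify is the receiver-side binding check: key lengths are sane, Ps really
// signed this Pe, and the identifier the peer advertised matches h(Pe|Ps).
func (k *CombinedKey) Verify(expectedId []byte) error {
	if len(k.Pe) != 32 || len(k.Ps) != ed25519.PublicKeySize {
		return errors.New("combined key: unexpected component length")
	}
	if !ed25519.Verify(ed25519.PublicKey(k.Ps), bindingMessage(k.Pe), k.Sig) {
		return errors.New("combined key: Ps does not vouch for Pe")
	}
	if !bytes.Equal(k.Id(), expectedId) {
		return errors.New("combined key: identifier does not match h(Pe|Ps)")
	}
	return nil
}

// SharedSecret runs X25519 between our private Pe and a peer's (already verified) Pe.
func SharedSecret(mine *ecdh.PrivateKey, peer *CombinedKey) ([]byte, error) {
	peerPub, err := ecdh.X25519().NewPublicKey(peer.Pe)
	if err != nil {
		return nil, err
	}
	return mine.ECDH(peerPub)
}

func main() {
	alice, aPriv, _, err := NewCombinedKey()
	if err != nil {
		panic(err)
	}
	bob, bPriv, _, err := NewCombinedKey()
	if err != nil {
		panic(err)
	}
	// Each side verifies the other's binding before doing any key establishment.
	if err := alice.Verify(alice.Id()); err != nil {
		panic(err)
	}
	if err := bob.Verify(bob.Id()); err != nil {
		panic(err)
	}
	s1, _ := SharedSecret(aPriv, bob)
	s2, _ := SharedSecret(bPriv, alice)
	fmt.Printf("len(P) = %d bytes, Id(bob) = %s\n", len(bob.Bytes()), hex.EncodeToString(bob.Id()))
	fmt.Printf("shared secrets agree: %v\n", bytes.Equal(s1, s2))
}
```

`Verify` is deliberately called with the identifier the peer advertised out of band (a directory entry, a certificate-like record) rather than one recomputed locally; recomputing it from the same bytes would check nothing. The test below also exercises the failure case: Bob's Ps and Sig with Alice's Pe substituted in must be rejected.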