3

According to wiki public key in ECDSA is multiplication of private key (random number) to some base point G on elliptic curve C. And also we have usage of C in both signing and verification.

May I use some G1 and C1 for public key generation and other curve C2 for signing and verification?

I know it sounds strange but my actual goal is to use GOST private keys in ECDSA (I already have them and have to use them). Hence, GOST public may be generated from special C1, G1 and Java's SHA256withECDSA probably uses other curve who knows.

  1. How detect curve used by Signature ecdsaSign = Signature.getInstance("SHA256withECDSA", "BC");?

  2. If sign and verify returns true, does it mean that GOST keys which I gave to ECDSA are compatible with ECDSA? 

      Signature ecdsaSign = Signature.getInstance("SHA256withECDSA", "BC");
  ecdsaSign.initSign(privateKeyGOST);
  ecdsaSign.update("aaaa".getBytes("UTF-8"));
  byte[] signature = ecdsaSign.sign();

  Signature ecdsaVerify = Signature.getInstance("SHA256withECDSA", "BC");
  ecdsaVerify.initVerify(publicKeyGOST);
  ecdsaVerify.update("aaaa".getBytes("UTF-8"));
  System.out.println();
  System.out.println(ecdsaVerify.verify(signature));  //TRUE

Note, that curve for GOST key generation and internal curve of SHA256withECDSA may be not equal that's why I'm asking this question.

UPDATE

Answer to

May I use some G1 and C1 for public key generation and other curve C2 for signing and verification?

No, C1 must be equal to C2.

It's possible to detect BC curve - I looked in SignatureSpi sources of BC and saw that curve params taken from key. And discovered C2 equals to known C1. In other words, not SHA256withECDSA but prKey.getAlgorithm() decides.

BUT!! Compability of keys doesn't mean that it's safe to use it. GOST curve has special invariants which may impact at some ECDSA steps - this is interesting but very hard question - is there any weak points of GOST curves in ECDSA. So, answer is "compatible but check carefully math staff before using"

Note, that KBKDF will not save from GOST curve weakness in ECDSA (if it really exists behind the "math-crypto-scenes"

1 Answers1

2

I'll answer in order:

  1. How detect curve used by Signature ecdsaSign = Signature.getInstance("SHA256withECDSA", "BC");

You can't because the public & private keys should contain the parameters, not the algorithm. However, only certain curve parameters will be supported by the underlying library. In the case of Bouncy Castle those are those for the F(p) and F(2^m) curves. These include at least the NIST and Brainpool curves.

  1. If sign and verify returns true, does it mean that GOST keys which I gave to ECDSA are compatible with ECDSA?

Yes, you can safely assume that. If that wasn't the case then there would be something seriously wrong with the verification. As you may now understand this is because C1 = C2.

Note that you should not use secret keys like this, especially if the secret keys are also used for the GOST algorithm itself. It is good practice to not mix values. You should rather use the (leftmost) bytes of SHA-256 over the secret key value instead (if you have to use it). It would be even better to use a Key Based Key Derivation Function (KBKDF).

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
  • It's possible to get used curve. In general, I agree with you. However, there exist possibility of GOST curve weakness in ECDSA usage and KBKDF will not save from it because problem not in key but in GOST curve. See update. –  Jun 26 '15 at 02:45
  • Would this be considered a "quantum safe" encryption method? – Colby Jun 26 '15 at 03:02