3

I'm using secp256k1; in the normal scenario, alice.privateKey and bob.publicKey (or vice versa) are used to derive the same secret.

Is it safe to use alice.privateKey and alice.publicKey to derive a secret as a key for encrypting alice's personal information, where alice.publicKey and the encrypted blob are publicly available?

Mirek Rusin

1 Answer

3

Yes, recovering the computed secret is as hard as doing it for conventional Diffie-Hellman and thus infeasible for any secure group.

This is known as the Square Diffie-Hellman problem; the reduction to the computational Diffie-Hellman problem (CDH) can be found in this Q&A.

SEJPM
  • It does however seem unwise. In addition to whatever cipher you use you now also introduce the additional attack surface of ECC. –  Dec 01 '17 at 21:07
  • 1
    @dingrite Actually I can see the point of doing this. For example, consider a smartcard / HSM with an ECDH engine (which would provide you with e.g. a CDH oracle) but without a symmetric keystore. You can then use this HW device to hardware-enforce your "symmetric" key(s). – SEJPM Dec 01 '17 at 21:31
  • Is it required to input a salt or something similar as used in static-static DH key agreement? It seems to me that you would otherwise always derive the same secret. – Maarten Bodewes Dec 02 '17 at 00:41
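The construction discussed in this thread, as an added example that is not part of the original posts: ECDH of a secp256k1 key with its own public key yields the x-coordinate of d²·G, and running that through HKDF with a per-blob salt gives a different encryption key per blob from the same static secret. The function names, the `info` label and the salt handling are assumptions made for illustration, and the pure-Python curve arithmetic is not constant time.

```python
import hashlib, hmac

# secp256k1 domain parameters (public constants of the curve y^2 = x^3 + 7)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None represents the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a == -b
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P      # tangent slope
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P     # chord slope
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustration only, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def ecdh(priv, pub):
    """Raw ECDH output: x-coordinate of priv * pub as 32 big-endian bytes."""
    return mul(priv, pub)[0].to_bytes(32, "big")

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand; one block covers length <= 32."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def self_key(priv, salt, info=b"personal-data-encryption"):
    """Key for the owner's own data: HKDF over ECDH(priv, priv*G) = x(priv^2 * G)."""
    return hkdf_sha256(ecdh(priv, mul(priv, G)), salt, info)
```

The salt does not need to be secret and can be stored next to the encrypted blob; without it, `ecdh(d, d*G)` is the same value on every call.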