In key agreement (or key exchange) protocols, a signature is used for authentication. Suppose that the key exchange protocol executes on an elliptic curve. The initiator of the protocol must send the signature of his message along with the main message. What happens if the curve used in the key agreement protocol is also used in the signature inside the protocol?

For example, in Diffie-Hellman key exchange over a curve, Alice sends $aP$ and $sig_{k_a}(aP)$ to Bob, where $P$ is the generator of curve $E$. The signature is ECDSA (or EdDSA) on curve $E'$. Is $E=E'$? Are $E$ and $E'$ different? Which of these situations is the best? What are the advantages?

Mahdi Mahdavi

1 Answer

In signature as practiced with ECC, the first step in $\operatorname{sig}_{k_a}(aP)$ is hashing $aP$. That seems to prevent any attack that would use the fact that $aP$ is computed on the curve used for signature, except if that reused the same hash on a secret curve point, which is not the case in ECDH as practiced (specific KDFs are used; and it would be possible to reuse the same hash with a different message formatting, e.g. a prefix).

Thus I see no more problem with using the same curve for key agreement and signature than there is with using the same curve for multiple public keys in signature. The latter is common and has little drawback. It does allow putting in common some pre-computation effort, e.g. when attacking public keys with baby-step/giant-step, but this has negligible practical importance.

fgrieu
  • Thanks for your answer. What do you mean by 'latter is common'? Do you mean the case that uses the same curve or a different one? Furthermore, I know the first step is hashing. My question is about the rest of the signing process. That is, can we use the same generator point $P$ and the same curve $E$ for the signature of $H(aP)$ as message? – Mahdi Mahdavi Jun 15 '21 at 11:22
  • @mehdi mahdavi oliaiy : My "the latter is common" means that "using the same curve for multiple public keys in signature" "is common". It's fine. In my opinion, "using the same curve for key agreement and signature" is just as fine (subject to the common condition explained). – fgrieu Jun 15 '21 at 12:21
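
The case $E=E'$ discussed in the answer, as an added example that is not part of the original thread: signed ECDH where the ECDSA signature over $aP$ and the key agreement share one curve and one generator, kept apart by a hash prefix for signing and a separate KDF prefix. The choice of P-256 and SHA-256, the labels `sig|` and `kdf|`, and all function names are assumptions made for illustration.

```python
import hashlib, secrets

# NIST P-256: one curve E = E' for both ECDH and ECDSA (a = -3; b is not needed here).
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(P, Q):  # affine addition; None is the point at infinity
    if P is None or Q is None: return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if P == Q: m = (3 * x1 * x1 - 3) * pow(2 * y1, -1, p) % p
    else: m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)

def mul(k, P):  # double-and-add; not constant time, illustration only
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def enc(P):  # fixed-length encoding of a point
    return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")

def H(prefix, data):  # SHA-256 with a domain-separation prefix, as an integer
    return int.from_bytes(hashlib.sha256(prefix + data).digest(), "big")

def sign(d, msg):  # textbook ECDSA; the prefix b"sig|" is an assumed label
    while True:
        k = secrets.randbelow(n - 1) + 1
        r = mul(k, G)[0] % n
        s = pow(k, -1, n) * (H(b"sig|", msg) + r * d) % n
        if r and s: return (r, s)

def verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < n and 0 < s < n): return False
    w = pow(s, -1, n)
    R = add(mul(H(b"sig|", msg) * w % n, G), mul(r * w % n, Q))
    return R is not None and R[0] % n == r

def session_key(priv, peer_pub):  # ECDH x-coordinate through a KDF with its own prefix
    return hashlib.sha256(b"kdf|" + mul(priv, peer_pub)[0].to_bytes(32, "big")).digest()

def alice_message(k_a, a):  # what Alice sends: aP and sig_{k_a}(aP)
    aP = mul(a, G)
    return aP, sign(k_a, enc(aP))
```

Bob checks `verify(Q_a, enc(aP), sig)` against Alice's long-term public key `Q_a = mul(k_a, G)` before calling `session_key(b, aP)`; validation that a received point lies on the curve is left out of this sketch.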