On Sun, Apr 23, 2017 at 7:31 PM, Martin Thomson
<martin(_dot_)thomson(_at_)gmail(_dot_)com>
wrote:
On 22 April 2017 at 00:31, John Levine <johnl(_at_)taugh(_dot_)com> wrote:
If a recipient is cooperative, and sends you back a message signed
with the same key to which you encrypted the message, that tells you
he got it, but that's not a very interesting case.
It's also abuse of the cryptographic primitives, I hope that this
isn't really how it works and you are eliding certain key details.
It doesn't use the same session key, it uses the same public key. It's
not obvious to me why that would be wrong.
https://tools.ietf.org/html/rfc8017#section-6
If you are using ECDSA/ECDH, then you can also commit the same abuses.
Historically, keys were saved with an "EC" type, and can be used for
either interchangeably (the library I work on commits this sin). In
the case of EC, there isn't a known path from use of ECDSA to abuse of
ECDH and vice versa, but it isn't known to be safe either.
This is much harder, if not possible with the X25519/Ed25519 pair,
because no library will support you in this.
That isn't actually true. My library supports encryption on the Ed25519
curve and it does it for a very specific reason.
The Montgomery curves are only designed to support scalar multiplication,
they don't expose a primitive for point addition because you don't need
that for operations using EC keys. You do need EC addition for operations
on keys however and that is what a lot of my code does.