Given a private signature key sk and a public signature key SK, does revealing s

Question

Given a private signature key sk and a public signature key SK, does revealing sk(H(SK)) (in addition to SK) make it more easy for an attacker to determine sk or to fake a signature that would appear to have been produced by sk? Is this scheme a bad idea - in other words, does it compromise the secuity of the signing algorithm? (It seems like this is analogous to key-dependent encryption, but for signatures, and with the interposition of a hash function in between).

If that matters, I'm using ECDSA signatures. Any pointers are appreciated.

Explanation / Answer

No, signing the hash of the public key cannot introduce a weakness on a secure signature scheme.

When we have a signature scheme, we assume that it is secure in an chosen text model, where the attacker has access to the public key, and can ask any text of his choosing to be signed. We can see that any such scheme (such as ECCDSA, or so we believe) cannot be specifically weak this way.

This is easy to see; suppose we had a weakness that was caused by this (whether it revealed the private key, or made it easier the create a forgery). What the attacker could do is hash the public key, and then ask that hash to be signed. If the public key system had a weakness, this signature would reveal it, hence showing that the signature scheme didn't meet the requirements of security in the first place.

Related Questions

Navigate

• Browse (All)
• Browse G
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.