According to wiki public key in ECDSA is multiplication of private key (random number) to some base point G on elliptic curve C. And also we have usage of C in both signing and verification.
May I use some G1 and C1 for public key generation and other curve C2 for signing and verification?
I know it sounds strange but my actual goal is to use GOST private keys in ECDSA (I already have them and have to use them). Hence, GOST public may be generated from special C1, G1 and Java's SHA256withECDSA probably uses other curve who knows.
- How detect curve used by
Signature ecdsaSign = Signature.getInstance("SHA256withECDSA", "BC");? If sign and verify returns true, does it mean that GOST keys which I gave to ECDSA are compatible with ECDSA?
Signature ecdsaSign = Signature.getInstance("SHA256withECDSA", "BC"); ecdsaSign.initSign(privateKeyGOST); ecdsaSign.update("aaaa".getBytes("UTF-8")); byte[] signature = ecdsaSign.sign(); Signature ecdsaVerify = Signature.getInstance("SHA256withECDSA", "BC"); ecdsaVerify.initVerify(publicKeyGOST); ecdsaVerify.update("aaaa".getBytes("UTF-8")); System.out.println(); System.out.println(ecdsaVerify.verify(signature)); //TRUE
Note, that curve for GOST key generation and internal curve of SHA256withECDSA may be not equal that's why I'm asking this question.
UPDATE
Answer to
May I use some G1 and C1 for public key generation and other curve C2 for signing and verification?
No, C1 must be equal to C2.
It's possible to detect BC curve - I looked in SignatureSpi sources of BC and saw that curve params taken from key. And discovered C2 equals to known C1. In other words, not SHA256withECDSA but prKey.getAlgorithm() decides.
BUT!! Compability of keys doesn't mean that it's safe to use it. GOST curve has special invariants which may impact at some ECDSA steps - this is interesting but very hard question - is there any weak points of GOST curves in ECDSA. So, answer is "compatible but check carefully math staff before using"
Note, that KBKDF will not save from GOST curve weakness in ECDSA (if it really exists behind the "math-crypto-scenes"
I'll answer in order:
You can't because the public & private keys should contain the parameters, not the algorithm. However, only certain curve parameters will be supported by the underlying library. In the case of Bouncy Castle those are those for the F(p) and F(2^m) curves. These include at least the NIST and Brainpool curves.
Yes, you can safely assume that. If that wasn't the case then there would be something seriously wrong with the verification. As you may now understand this is because C1 = C2.
Note that you should not use secret keys like this, especially if the secret keys are also used for the GOST algorithm itself. It is good practice to not mix values. You should rather use the (leftmost) bytes of SHA-256 over the secret key value instead (if you have to use it). It would be even better to use a Key Based Key Derivation Function (KBKDF).