Why we need ECDSA when we have ECDH?

Question

ECDSA and ECDH give us the following methods:

// ECDSA
var signature = ECDSA.sign(privateKey, hash);
var isValid = ECDSA.verify(publicKey, hash, signature);

// ECDH
var sharedSecret1 = ECDH.compute(node1.publicKey, node2.privateKey);
var sharedSecret2 = ECDH.compute(node2.publicKey, node1.privateKey);
// sharedSecret1 == sharedSecret2;

ECDSA give as a very long signature (73 bytes).

I am wondering why we need ECDSA if we can do signing only with ECDH and get much smaller signature:

function sign(priavteKey, hash) {
  // generate public key from private key
  var publicKey = computePublicKey(hash);
  var sharedSecret = ECDH.compute(publicKey, privateKey);
  var signature = hash(sharedSecret);
  return signature;
}

function verify(publicKey, hash, signature) {
  var sharedSecret = ECDH.compute(publicKey, hash);
  return (hash(sharedSecret) == signature);
}

This method exposes one of the private keys of ECDH and uses it for generating the signature hash. Is there any way that this method can expose the real private key?

I've been reading these answers and it seems ok…

Answer 1

To simplify your definition:

$$ s = \operatorname{sign}(k, m) = h(G\ h(m)\ k)\\ \operatorname{verify}(Gk, m, s)\iff s \overset{?}{=} h(Gk\ h(m)) $$

This is obviously insecure because I can forge "signatures"!

$$s' = \operatorname{forge}(Gk, m') = h(Gk\ h(m'))$$

ECDH is not a signature scheme. Schnorr is amazing and is much more interesting than ECDSA! Including but not limited to: threshold k-of-n distributed identities, n-of-n multisig aggregation, batch verification, public key recovery, implicit certificates, and much more!

Answer 2

ECDH is not for signing. Your sign method using ecdh does not look like any valid signature scheme I have ever seen, and is therefore likely wildly insecure.

Note that the Q&A you link to is asking a very different question.