Can sign something with a canister's key?

It is possible to verify, whether a user holds a principal, by him signing a random string by his private key.

Is there a similar way to check that a principal is controlled by a canister?

The only way of this, that I know, is to run an update method of the canister (which would for example return true to signify that the canister is consent to an act).

Running an update methods is slow. Can agreement of a canister to do something be obtained without running an update method?

Also, securely checking whether a user agrees to an action (to be done in the outside-of-IC backend) checking whether a canister agrees to an action is, as I described above, done by two different methods (key signing and update method, correspondingly), what is probably not mathematically elegant.

tECDSA is not an option, because it’s costly.

Sounds like you’re looking for canister signatures.

See the IC spec: The Internet Computer Interface Specification | Internet Computer

And related Rust library: GitHub - dfinity/ic-canister-sig-creation: Utils for creating canister signatures and handling canister signatures public keys.

Canister signatures are what’s behind the delegation chains created in II and certification of the http responses in the assets canister.