0

As far as I can see everybody uses curve25519 for public/private encryption (ECDH) and ed25519 for signing (ECDSA). This creates double size of keys or some special conversion tricks that may not be safe:

https://github.com/dchest/ed2curve-js

Is it not possible to use curve ed25519 for both ECDH and ECDSA and have half the key size?

Is it not possible to use curve ed25519 for only ECDH?

I admit that I have a very limited understanding of ECC so the reason above may be because of security considerations but it is not easy to find any hint about this on the web!

NB: I understand that curve25519 cannot be used for signing!

Benny

Beast
  • I'm not familiar with curve25519 and ed25519, but it is generally not ok to re-use a key for different purposes, because it might leak information which might compromise the whole system. That is at least the case for RSA encryption and signing [1](http://crypto.stackexchange.com/questions/15043/should-different-key-pairs-be-used-for-signing-and-encryption) [2](http://crypto.stackexchange.com/questions/12090/using-the-same-rsa-keypair-to-sign-and-encrypt). – Artjom B. Mar 01 '15 at 16:23

1 Answer

-1

I don't think you'll find anything better than the paper linked at "Using same keypair for Diffie-Hellman and signing".

I suspect that this key reuse is fine as long as you're comfortable with the assumption that SHA-512 (used in Ed25519 signing) and HSalsa (used as KDF with NaCl's Curve25519 based boxes) are independent hash functions (I do). But it'd probably be cleaner to use the same hash function with different prefixes.

I heard that Bernstein, Lange and Schwabe (authors of NaCl) are working on a paper about these issues, but who knows when it'll be published.

Community
CodesInChaos
  • Is it then fine to use curve Ed25519 for ECDH? – Beast Mar 02 '15 at 06:06
  • @Beast I believe that it doesn't cause a practical break, provided you properly hash the shared DH secret. But depending on the hash it might require some ugly assumptions in the security proof. And of course it widens the attack surface. For example the carry bug in one of the assembly implementations is mostly harmless with signatures but probably allows key recovery when used with a long term DH key. – CodesInChaos Mar 02 '15 at 11:34
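
The conversion trick mentioned in the question (the ed2curve approach) relies on the birational map u = (1 + y) / (1 - y) between the Edwards and Montgomery forms of the same curve. The Python below is an added example, not part of the original posts and not ed2curve's code: it converts an Ed25519 public key to its X25519 form using only the standard library. The function names and the decision to reject non-canonical, off-curve and identity inputs are assumptions of this example.

```python
# Added example: Ed25519 -> X25519 public-key conversion (Python 3.8+, stdlib only).
P = 2**255 - 19                           # field prime shared by both curve forms
D = (-121665 * pow(121666, -1, P)) % P    # Edwards constant d of Ed25519
BASE_Y = 4 * pow(5, -1, P) % P            # y coordinate of the Ed25519 base point


def encode_ed25519_y(y: int, x_sign: int = 0) -> bytes:
    """Ed25519 point encoding: little-endian y, top bit carries the sign of x."""
    return (y | (x_sign << 255)).to_bytes(32, "little")


def ed25519_pub_to_x25519(ed_pub: bytes) -> bytes:
    """Map a 32-byte Ed25519 public key to the matching X25519 public key."""
    if len(ed_pub) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    y = int.from_bytes(ed_pub, "little") & ((1 << 255) - 1)  # drop x sign bit
    if y >= P:
        raise ValueError("non-canonical y coordinate")
    # On-curve check: x^2 = (y^2 - 1) / (d*y^2 + 1) must be a square mod p.
    # The denominator is never zero because -1/d is a non-square.
    x2 = (y * y - 1) * pow((D * y * y + 1) % P, -1, P) % P
    if x2 != 0 and pow(x2, (P - 1) // 2, P) != 1:
        raise ValueError("y does not correspond to a point on the curve")
    if y == 1:
        raise ValueError("identity point has no image under the map")
    # Birational map to Montgomery form. The sign of x is discarded, so
    # +P and -P give the same X25519 key and the step is not invertible.
    u = (1 + y) * pow((1 - y) % P, -1, P) % P
    return u.to_bytes(32, "little")


if __name__ == "__main__":
    # The Ed25519 base point must land on the X25519 base point u = 9.
    print(ed25519_pub_to_x25519(encode_ed25519_y(BASE_Y)).hex())
```

This covers only the public half; it does not address the key-separation question discussed in the answer, which concerns how the shared secret and the signature hash are kept independent.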