Paper 2021/509

On using the same key pair for Ed25519 and an X25519 based KEM

Erik Thormarker


Haber and Pinkas discussed the principle of when it is secure to reuse key material between public-key cryptosystems. They showed that this can be secure for multiple combinations of systems, including Schnorr signatures. Degabriele, Lehmann, Paterson, Smart and Strefler proved the security of sharing a key pair between a generic elliptic curve Schnorr signature scheme and an elliptic curve Diffie-Hellman based KEM in the random oracle model (ROM). They essentially ran the original security proofs in parallel by leveraging domain separation for the random oracle (RO) usage between the signature scheme and the specific KDF of the KEM. We make two contributions. First, we extend the result in Degabriele et al. by proving the joint security in the ROM of an X25519 based KEM with an HKDF-Extract-like KDF construction and Ed25519. Second, we make no assumptions about domain separation of RO usage between the two systems while making minimal assumptions about the format of the RO usage in Ed25519. Our result is applicable to Ed448 and a corresponding KEM based on X448 as well.

Public-key cryptography
Publication info
Preprint. MINOR revision.
elliptic curve cryptosystem, digital signatures, Ed25519, Ed448, X25519, X448
Contact author(s)
erik thormarker @ ericsson com
2021-04-23: received
Creative Commons Attribution

