Cryptology ePrint Archive: Report 2021/509

On using the same key pair for Ed25519 and an X25519 based KEM

Erik Thormarker

Abstract: Haber and Pinkas discussed the principle of when it is secure to reuse key material between public-key cryptosystems. They showed that this can be secure for multiple combinations of systems, including Schnorr signatures. Degabriele, Lehmann, Paterson, Smart and Strefler proved the security of sharing a key pair between a generic elliptic curve Schnorr signature scheme and an elliptic curve Diffie-Hellman based KEM in the random oracle model (ROM). They essentially ran the original security proofs in parallel by leveraging domain separation for the random oracle (RO) usage between the signature scheme and the specific KDF of the KEM. We make two contributions. First, we extend the result in Degabriele et al. by proving the joint security in the ROM of an X25519 based KEM with an HKDF-Extract-like KDF construction and Ed25519. Second, we make no assumptions about domain separation of RO usage between the two systems while making minimal assumptions about the format of the RO usage in Ed25519. Our result is applicable to Ed448 and a corresponding KEM based on X448 as well.

Category / Keywords: public-key cryptography / elliptic curve cryptosystem, digital signatures, Ed25519, Ed448, X25519, X448

Date: received 19 Apr 2021

Contact author: erik thormarker at ericsson com

Available format(s): PDF | BibTeX Citation

Version: 20210423:115856 (All versions of this report)

Short URL: ia.cr/2021/509


[ Cryptology ePrint archive ]