Paper 2021/509

On using the same key pair for Ed25519 and an X25519 based KEM

Erik Thormarker

Abstract

Haber and Pinkas discussed the principle of when it is secure to reuse key material between public-key cryptosystems. They showed that this can be secure for multiple combinations of systems, including Schnorr signatures. Degabriele, Lehmann, Paterson, Smart and Strefler proved the security of sharing a key pair between a generic elliptic curve Schnorr signature scheme and an elliptic curve Diffie-Hellman based KEM in the random oracle model (ROM). They essentially ran the original security proofs in parallel by leveraging domain separation for the random oracle (RO) usage between the signature scheme and the specific KDF of the KEM. We make two contributions. First, we extend the result in Degabriele et al. by proving the joint security in the ROM of an X25519 based KEM with an HKDF-Extract-like KDF construction and Ed25519. Second, we make no assumptions about domain separation of RO usage between the two systems while making minimal assumptions about the format of the RO usage in Ed25519. Our result is applicable to Ed448 and a corresponding KEM based on X448 as well.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
elliptic curve cryptosystemdigital signaturesEd25519Ed448X25519X448
Contact author(s)
erik thormarker @ ericsson com
History
2021-04-23: received
Short URL
https://ia.cr/2021/509
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2021/509,
      author = {Erik Thormarker},
      title = {On using the same key pair for Ed25519 and an X25519 based {KEM}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/509},
      year = {2021},
      url = {https://eprint.iacr.org/2021/509}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.