
ed25519 ECDH encryption possible and safe?

As far as I can see everybody uses curve25519 for public/private encryption (ECDH) and ed25519 for signing (ECDSA). This creates double the size of keys or requires some special conversion tricks that may not be safe:

https://github.com/dchest/ed2curve-js

Is it not possible to use curve ed25519 for both ECDH and ECDSA and have half the key size?

Is it not possible to use curve ed25519 for only ECDH?

I admit that I have a very limited understanding of ECC so the reason above may be because of security considerations but it is not easy to find any hint about this on the web!

NB: I understand that curve25519 cannot be used for signing!

Benny

I don't think you'll find anything better than the paper linked at "Using same keypair for Diffie-Hellman and signing".

I suspect that this key reuse is fine as long as you're comfortable with the assumption that SHA-512 (used in Ed25519 signing) and HSalsa (used as KDF with NaCl's Curve25519 based boxes) are independent hash functions (I do). But it'd probably be cleaner to use the same hash function with different prefixes.

I heard that Bernstein, Lange and Schwabe (authors of NaCl) are working on a paper about these issues, but who knows when it'll be published.
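
The kind of Ed25519-to-Curve25519 key conversion the question refers to, as an added example that is not part of the original question or answer: it maps an Ed25519 key pair onto X25519 and runs ECDH against a peer that only has an X25519 key. Function names are illustrative, the key pair is RFC 8032 test vector 1, and the peer key is constructed for the demo.

```python
import hashlib

P = 2**255 - 19                      # field prime shared by both curves
BASE_U = (9).to_bytes(32, "little")  # X25519 base point (RFC 7748)

def clamp(k: bytes) -> bytes:
    b = bytearray(k)
    b[0] &= 248; b[31] &= 127; b[31] |= 64
    return bytes(b)

def ed_secret_to_curve(seed: bytes) -> bytes:
    # Ed25519's signing scalar is the clamped first half of SHA-512(seed).
    return clamp(hashlib.sha512(seed).digest()[:32])

def ed_public_to_curve(ed_pk: bytes) -> bytes:
    # Birational map: Edwards y -> Montgomery u = (1 + y) / (1 - y) mod P.
    # This sketch does not check that y belongs to a point on the curve.
    y = int.from_bytes(ed_pk, "little") & ((1 << 255) - 1)  # drop x sign bit
    if y >= P or y == 1:
        raise ValueError("non-canonical y or point with no Montgomery image")
    return ((1 + y) * pow((1 - y) % P, P - 2, P) % P).to_bytes(32, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    # RFC 7748 Montgomery ladder. Not constant-time: illustration only.
    k = int.from_bytes(clamp(scalar), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# RFC 8032 section 7.1, test 1 key pair (seed and Ed25519 public key).
SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
ED_PK = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")

def demo() -> bool:
    peer_sk = bytes(range(32))            # constructed X25519-only peer key
    peer_pk = x25519(peer_sk, BASE_U)
    ours = x25519(ed_secret_to_curve(SEED), peer_pk)
    theirs = x25519(peer_sk, ed_public_to_curve(ED_PK))
    return ours == theirs
```

The raw shared secret would still go through a KDF before use, which is where the answer's point about keeping the signing hash and the KDF independent applies.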
