Score:2

Using same private key for both X25519 and ECDSA (using curve25519)

ru flag
jjd

I'm writing an application where both encryption/decryption and signing/verification are needed, and I choose X25519 as a key agreement algorithm which will produce a key for encryption, and ECDSA to sign messages.

Key generation: I generate a curve25519 private key from a mnemonic (so I have kind of a random 32 bytes private key).

Now I have a 32-byte array, and I want to use this byte array for both encryption and signing. The problem that I have is that for X25519 I need to apply key clamping for this private key to be valid, which looks like this:

```
privateKey[0] &= 248;    // unset the 3 least significant bits
privateKey[31] &= 127;   // unset the most significant bit
privateKey[31] |= 64;    // set the second most significant bit
```

But for ECDSA, the key needs to be in the range $[1, N]$, where $N$ (for curve25519) is equal to $2^{252}$ + a small factor, and so I need to convert my 32-byte array to a number that fits in this range.

I have a few questions:

  • Why doesn't the X25519 private key need to fit in the range $[1, N]$?
  • Also why is it not important to apply the key clamping function used in X25519 to the key used for ECDSA?
knaccc avatar
es flag
Don't use the same private key directly for signing and encryption. Use HKDF-Expand on your uniformly random 32-byte master key to generate separate signing and encryption keys. Then let your libraries clamp or reduce them mod N in whatever ways they deem necessary.
Maarten Bodewes avatar
in flag
Hi jjd & welcome. I've removed the Bouncy Castle / implementation part; that's for [so] or maybe [codereview.se]; it's off topic here. Please reread and clean up your question before posting, users should not have to perform e.g. capitalization for you.
jjd avatar
ru flag
jjd
Thanks knaccc, your answer was helpful!
jjd avatar
ru flag
jjd
I'll make sure to follow the rules next time, my bad.
kelalaka avatar
in flag
Does this answer your question? 1) [Public Key generation for Ed25519 vs X25519](https://crypto.stackexchange.com/questions/76156/public-key-generation-for-ed25519-vs-x25519) 2) [Using a single Ed25519 key for encryption and signature](https://crypto.stackexchange.com/q/37896/18298) 3) [Using same private key for both X25519 and ECDSA (using curve25519)](https://crypto.stackexchange.com/q/63732/18298)
jjd avatar
ru flag
jjd
It does, thanks!
Score:3
gb flag

> Why doesn't the X25519 private key need to fit in the range $[1,N]$?

By unsetting the most significant bit and the three least significant bits, you limit the key to effectively only 252 bits. When you say $N$ is $2^{252}$ + a small factor, you are talking about the order of the subgroup used by x25519, not the full order of the curve group. This subgroup has index (or cofactor) 8. Unsetting the three lower bits forces the secret to be a multiple of 8, meaning it will lie in this large prime-order subgroup.

> Also why is it not important to apply the key clamping function used in X25519 to the key used for ECDSA?

To the best of my knowledge, Curve25519 is not used for ECDSA. Did you mean EdDSA (specifically, ed25519)?

jjd avatar
ru flag
jjd
Thanks for your answer! You're correct, I think curve25519 for ECDSA is a bad choice from my side. I'm thinking about using EdDSA now. I know that EdDSA and X25519 use different curves, but they're using the same key clamping function, right? Is it safe to use the same private key (but different public keys) for both EdDSA and X25519, or is it safer if I derive two different keys using my random 32 bytes?
meshcollider avatar
gb flag
You should definitely derive two separate keys. Reusing keys almost always has unforeseen security complications. Btw, please remember to accept and upvote the answer if it helped!
jjd avatar
ru flag
jjd
Just did, I need at least 15 reputation to upvote tho, thx for the answer!
dave_thompson_085 avatar
cn flag
@jjd: actually Ed25519 (a popular instance of EdDSA) and X25519 use the same _curve_ mathematically, but different representations -- X25519 uses Montgomery form and Ed25519 uses Edwards form, and these forms have different coefficients and calculations, but they are what mathematicians call birationally equivalent. See https://datatracker.ietf.org/doc/html/rfc7748 .
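Added example, not part of the original thread: the key separation that knaccc's and meshcollider's comments recommend, written as HKDF-Expand (RFC 5869, HMAC-SHA-256) with a distinct `info` label per purpose, followed by the X25519 clamping from the question. The label strings, the `derive_keys` helper and the sample master key are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3) with HMAC-SHA-256."""
    if len(prk) < HASH_LEN:
        raise ValueError("PRK must be at least one hash output long")
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("requested length out of range")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(i) = HMAC(PRK, T(i-1) | info | i)
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def clamp_x25519(scalar: bytes) -> bytes:
    """The clamping shown in the question, applied to a copy of the scalar."""
    k = bytearray(scalar)
    k[0] &= 248   # clear the 3 least significant bits
    k[31] &= 127  # clear the most significant bit
    k[31] |= 64   # set the second most significant bit
    return bytes(k)


def derive_keys(master: bytes) -> dict:
    """Derive independent 32-byte secrets from one uniformly random master key.

    The info labels are hypothetical; what matters is that they differ per
    purpose, so neither derived key is the other or the master key itself.
    """
    if len(master) != 32:
        raise ValueError("expected a 32-byte master key")
    return {
        "x25519_private": hkdf_expand(master, b"example/x25519-key-agreement", 32),
        "ed25519_seed": hkdf_expand(master, b"example/ed25519-signing", 32),
    }


# Constructed sample master key; in the question it comes from the mnemonic.
MASTER = bytes(range(32))
KEYS = derive_keys(MASTER)
CLAMPED = clamp_x25519(KEYS["x25519_private"])
```

Libraries normally clamp the X25519 scalar themselves, and Ed25519 implementations hash the 32-byte seed with SHA-512 and clamp the result internally (RFC 8032), so the derived values can be handed to the library unmodified.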