Score:3

Can I use Libsodium crypto_box_easy for signing with 32 byte keypair?

I have a chat system where multiple clients communicate securely using Libsodium authenticated encryption. Every client has their own 32 byte key pair. If two clients want to communicate, they first share their public keys out of band and then use e.g. crypto_box_easy for encryption.

I want to create a service that allows a client to vouch for another client's public key using signing.

However, public-key signatures using Libsodium require 64 byte signing keys, and for practical matters I would like to not introduce a second key pair.

So I was wondering whether it would be cryptographically sane to use crypto_box_easy to sign stuff by encrypting to a publicly known key pair? The following pseudocode exemplifies how this would work when Alice wants to vouch for Charlie and Bob reads the message.

On Alice's client:

```
message = "trust: \"pkCharlie\""
message_hash = secureHash(message)
ciphertext = crypto_box_easy(message_hash, nonce, skAlice, pkPublic)
```

Alice can now store the message, nonce and ciphertext somewhere public, and Bob can later read it and verify its authenticity and integrity:

```
message = "trust: \"pkCharlie\""
message_hash = secureHash(message)
// Bob opens the box with the sender's (Alice's) public key and the published secret key
decrypted_message_hash = crypto_box_open_easy(ciphertext, nonce, pkAlice, skPublic)
if ( message_hash == decrypted_message_hash ) return true;
```

Is this approach safe or am I missing something critical?

samuel-lucas6
crypto_box isn't for signing/won't provide equivalent properties to signing and doesn't provide sender authentication, as explained [here](https://crypto.stackexchange.com/a/103934/102678). You can [convert](https://doc.libsodium.org/advanced/ed25519-curve25519) Ed25519 keys to X25519 keys to reuse keys, but this isn't recommended and should be avoided unless you have serious bandwidth/storage restrictions.
Maarten Bodewes
@samuel-lucas6 That comment works perfectly fine as a short answer for me as well... crypto-box sits somewhere between an algorithm / scheme and a protocol. It's more of a good practice way of encrypting at the application layer. Could be made part of a protocol, but it isn't one.
tobalr
@samuel-lucas6 thank you for explaining how this does not work. I have read through the sources you have mentioned and in my head it boils down to: Don't be lazy. Add that second key pair for signing—it is the least complex path going forward.
samuel-lucas6
@MaartenBodewes Not good practice enough though as it lacks sender authentication and doesn't use a regular KDF. @tobalr Good man.
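
Why the scheme in the question cannot act as a signature, as an added example that is not part of the original thread: crypto_box keys its authenticator from X25519(sender secret, recipient public), and whoever holds the other secret key derives the same key. The sketch uses a standard-library RFC 7748 X25519, with SHA-256 and HMAC as stand-ins for libsodium's HSalsa20 and Poly1305; `box_key`, `box_tag`, `bob_verifies` and the sample keys are hypothetical and constructed.

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")  # X25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant time: illustration only."""
    n = int.from_bytes(k, "little") & (~7 & ((1 << 255) - 1)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def box_key(my_sk: bytes, their_pk: bytes) -> bytes:
    # crypto_box derives its symmetric key from this X25519 output;
    # SHA-256 stands in for HSalsa20 here (assumption of this sketch).
    return hashlib.sha256(x25519(my_sk, their_pk)).digest()

def box_tag(key: bytes, message: bytes) -> bytes:
    # Stand-in for the Poly1305 authenticator inside crypto_box_easy.
    return hmac.new(key, message, hashlib.sha256).digest()

def bob_verifies(message: bytes, tag: bytes, pk_alice: bytes, sk_public: bytes) -> bool:
    return hmac.compare_digest(tag, box_tag(box_key(sk_public, pk_alice), message))

def demo() -> dict:
    sk_alice, sk_public = os.urandom(32), os.urandom(32)  # constructed sample keys
    pk_alice, pk_public = x25519(sk_alice, BASE), x25519(sk_public, BASE)
    vouch, other = b'trust: "pkCharlie"', b'trust: "pkSomeoneElse"'
    alice_tag = box_tag(box_key(sk_alice, pk_public), vouch)
    # Made from public material only (pkAlice and the published skPublic):
    other_tag = box_tag(box_key(sk_public, pk_alice), other)
    return {"same_key": box_key(sk_alice, pk_public) == box_key(sk_public, pk_alice),
            "alice_ok": bob_verifies(vouch, alice_tag, pk_alice, sk_public),
            "non_alice_ok": bob_verifies(other, other_tag, pk_alice, sk_public)}

if __name__ == "__main__":
    print(demo())
```

All three values come out `True`: Bob cannot distinguish Alice's tag from one made without skAlice, which is why the thread settles on a separate Ed25519 key pair used with `crypto_sign`.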