Re: [Cfrg] Ed25519 - X25519 keypair equivalences

"Riad S. Wahby" <rsw@cs.stanford.edu> Fri, 05 June 2020 23:48 UTC

Return-Path: <rswatjfet.org@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C495E3A0F5C for <cfrg@ietfa.amsl.com>; Fri, 5 Jun 2020 16:48:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7oOslQbI6TEv for <cfrg@ietfa.amsl.com>; Fri, 5 Jun 2020 16:48:25 -0700 (PDT)
Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 940A53A0ED1 for <cfrg@ietf.org>; Fri, 5 Jun 2020 16:48:25 -0700 (PDT)
Received: by mail-pf1-f169.google.com with SMTP id d66so5677890pfd.6 for <cfrg@ietf.org>; Fri, 05 Jun 2020 16:48:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=xSNg4AZ2iKxHDiga4A/z3ts0/iCI6uOizoPKJgST/kA=; b=a87iRxQUE+jbPgbWyijM2O+cs+9+u3sOTV/ZkETP90EPElPQORijU1pepkEUprV0Hk WE+4WZwJkkFtP5vJRGIJFz1Oxj56TV2o11DmvaCWj/14bCFl2Ua3wFC6yU03faBsVSvs 4Vo3+0GeoVi2iz9rgyGzc3QI/FHLnyteT4V80mC8LRs4nfuW8lODcKacB7d8Q6IwsdKl 919pyEhTDYYln5PtVLqDj5dKydmq7sZUdmWUzEaI59pyW5tB/7FjSJItRVOiBUdYc6YQ QCgihjs4Zy/snL8X+v1tauiT+PflznTp11qnLplxU2lOyxlE05OhOmpFjxcHza01veWP w34A==
X-Gm-Message-State: AOAM530ea0kSkuV7CySRKNeMsuEVZ3kDRD+b01FRcwkd056jQVD/P1ie wR2OgyAiipNNN9UQinJnlwM=
X-Google-Smtp-Source: ABdhPJyQiSeGLLtYBgKtZ+ey6XlT7MFym7pGqpUhQvuiZAUFhLtnhs+G5FoGZI6cxjWRjPcoUIRcZA==
X-Received: by 2002:a63:7788:: with SMTP id s130mr11254752pgc.182.1591400905019; Fri, 05 Jun 2020 16:48:25 -0700 (PDT)
Received: from localhost (graviton.stanford.edu. [171.67.76.22]) by smtp.gmail.com with ESMTPSA id n2sm639322pfd.125.2020.06.05.16.48.22 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Fri, 05 Jun 2020 16:48:24 -0700 (PDT)
Date: Fri, 5 Jun 2020 16:48:19 -0700
From: "Riad S. Wahby" <rsw@cs.stanford.edu>
To: chris - <chrispatton@gmail.com>
Cc: Robert Moskowitz <rgm-sec@htt-consult.com>, cfrg@ietf.org
Message-ID: <20200605234819.dzou3b5jnytdf6b4@muon>
References: <6cb870b8-71f3-7add-1d24-09797fb74f37@htt-consult.com> <CACLV2m5KuZzNo7EHr8kzKq2=Zr3VvUHDYdEN4Rw=nh+F9JR5oQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACLV2m5KuZzNo7EHr8kzKq2=Zr3VvUHDYdEN4Rw=nh+F9JR5oQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Y4Di7iNIwuibHn4X2KhcUJqfLLw>
Subject: Re: [Cfrg] Ed25519 - X25519 keypair equivalences
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2020 23:48:27 -0000

chris - <chrispatton@gmail.com> wrote:
> Using the same secret for two different applications is not generally
> secure. Whether it's secure depends intrinsically on what the applications
> are.

As luck would have it, Degabriele, Lehmann, Paterson, Smart, and
Strefler (CT-RSA '12, https://eprint.iacr.org/2011/615) show that
ECIES and EC-Schnorr signatures are secure when instantiated with
the same secret key, in the random oracle model and assuming that
gap-DH and gap-DLP are hard (see Theorem 2).

It seems like this proof could be extended to EdDSA and HPKE with
DHKEM---but I haven't done more than glance! so this should be
regarded as a pointer, not a recommendation.

Cheers,

-=rsw