Clarification on warning against using same key material for both Ed25519 and X25519

[timmc]

I have a use-case for users needing both a signing key and an encryption key, both of which will be on Curve 25519. (They're for distinct operations. I don't want signcryption and I'm happy with the authenticated encryption, but I also need to actually-sign one thing.) I've read the FAQ entry "How can I sign and encrypt using the same key pair?" and understood all of it—except for this one part that's left vague (emphasis mine):

Alternatively, signing key pairs can be converted to X25519 key exchange key pairs. This can be used to encrypt and sign independently. However, this is not recommended and usually not necessary. Prefer using distinct key pairs instead.

This then links to a page about how to do it, which again notes:

If you can afford it, using distinct keys for signing and for encryption is still highly recommended.

and then links to a paper containing what appears to be a proof that it is in fact safe to do so. [EDIT: Apparently it just has a proof for one specific use of these keys, not the general case. Or at least, that's what someone on IRC seemed to be saying?]

As best I can figure, the reasoning here is that there's always some risk in using the same key material in two different cryptographic constructions or for two different purposes, but that's just based on some background information the paper lays out.

So, questions:

• Why is the documentation so hesitant in recommending this operation? Just to guide people towards more appropriate operations if they're in an "RSA mindset"? Or is there a security concern?
• Does this paper in fact prove to people's satisfaction that it's safe to do this operation? Or is it only providing a weaker proof, maybe a step towards that? (I'm not a cryptographer and am not qualified to interpret it...)

[samuel-lucas6]

As best I can figure, the reasoning here is that there's always some risk in using the same key material in two different cryptographic constructions or for two different purposes, but that's just based on some background information the paper lays out.

Indeed, it's just generally recommended to not reuse key material in different contexts. There's also the fact that signing keys and encryption keys typically have different lifecycles, with encryption keys often being frequently replaced. Then there can sometimes be cross-protocol attacks, as briefly mentioned here.

There hasn't been much direct research into it as far as I'm aware, but the consensus seems to be that it's probably secure, just not a sensible default choice for the reasons above. The safest approach will always be to use two different types of keys.

It sounds like that paper found it to be secure, but I'm not good at reading cryptography papers as I'm still unfamiliar with the notation and don't like maths.

[timmc]

Update -- the paper is apparently just for one use of these keys, not for general signing and encryption. Or at least, that's what I'm told. Too many acronyms for me to understand it myself. 😵

[samuel-lucas6]

I've only glanced at the paper, but that sounds right as it's talking about a key encapulation mechanism specifically, which is not necessarily what you're doing. Again, I would suggest following the norm if possible, meaning use two key pairs. I don't think anyone would encourage reusing the same key pair. It should only be done if there's no alternative (e.g. you're resource constrained).