I want to start using NaCl to sign messages that will go into a message queue, and I noticed that it generates different keys for each operation. Is there a reason for this? Can I not use the same PK for signing and encryption?
2 Answers
The encryption part of NaCl is older. I think NaCl itself still doesn't have official signature support.
NaCl's box uses Montgomery form public keys together with the Montgomery ladder. This ladder only returns the x-coordinate of the result and thus is not compatible with most signature algorithms.
Ed25519, on the other hand, uses (twisted) Edwards form, with keys in the same format.
But it is possible to convert the keys between these formats (the missing sign of the second coordinate can cause some complications when converting from Montgomery). There are several encryption products which use these conversions to share a key.
Using the same key for multiple purposes requires the algorithms to be jointly secure. Some people are not comfortable with that. Tanja Lange voiced some vague doubts at 30c3.
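The key-format conversion mentioned in the answer above, as an added example that is not part of the original answer or of NaCl's own code: the standard birational map u = (1+y)/(1-y) between an Edwards y-coordinate and a Montgomery u-coordinate, in plain Python. It maps public-key coordinates only and does no curve-membership check; the function names are hypothetical.

```python
# Added illustration: Ed25519 (Edwards) <-> X25519 (Montgomery) public-key maps.
P = 2**255 - 19           # field prime shared by both curve forms
MASK = (1 << 255) - 1     # low 255 bits of a 32-byte little-endian encoding


def inv(a: int) -> int:
    """Modular inverse in GF(P) via Fermat's little theorem."""
    return pow(a % P, P - 2, P)


def ed25519_pk_to_x25519(pk: bytes) -> bytes:
    """Edwards -> Montgomery: u = (1 + y) / (1 - y). The x sign bit is dropped."""
    if len(pk) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    n = int.from_bytes(pk, "little")
    y = n & MASK          # bit 255 carries the sign of x and is ignored here
    if y >= P:
        raise ValueError("non-canonical y-coordinate")
    if y == 1:
        raise ValueError("identity point has no Montgomery u-coordinate")
    return ((1 + y) * inv(1 - y) % P).to_bytes(32, "little")


def x25519_pk_to_ed25519_candidates(u_bytes: bytes) -> list:
    """Montgomery -> Edwards: y = (u - 1) / (u + 1).

    The Montgomery form carries no sign for x, so two Edwards encodings
    are possible; u alone cannot say which one the signer actually holds.
    """
    if len(u_bytes) != 32:
        raise ValueError("X25519 public keys are 32 bytes")
    u = (int.from_bytes(u_bytes, "little") & MASK) % P
    if (u + 1) % P == 0:
        raise ValueError("u = -1 has no Edwards image")
    y = (u - 1) * inv(u + 1) % P
    return [(y | (s << 255)).to_bytes(32, "little") for s in (0, 1)]


# Constructed sample input: the Ed25519 base point has y = 4/5 and an even x
# (sign bit 0); the X25519 base point is u = 9.
BASE_Y = 4 * inv(5) % P
ED_BASE = BASE_Y.to_bytes(32, "little")
ED_BASE_NEG = (BASE_Y | (1 << 255)).to_bytes(32, "little")

if __name__ == "__main__":
    print(ed25519_pk_to_x25519(ED_BASE).hex())
    print([c.hex() for c in x25519_pk_to_ed25519_candidates((9).to_bytes(32, "little"))])
```

Both `ED_BASE` and `ED_BASE_NEG` map to the same Montgomery key, which is the sign ambiguity the answer refers to when converting in the other direction.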
The answer to the question actually goes back to the basics of cryptography. Many people confuse the two fundamental uses of cryptology:
- Privacy
- Authentication
The first item, privacy, is accomplished by encryption. Encryption, however, does not guarantee that the secret message actually came from its supposed source. It does not even guarantee that the message wasn't tampered with. This is where authentication comes in. It guarantees that the message came from the intended source and that it hasn't been altered.
You could use the same key for both things, but depending on the implementation and the cipher mode you are using, you could seriously compromise either the security of the key or the reliability of the authentication. Therefore, it is always better to use separate keys for encryption and authentication. Many implementations make things user-friendly by requesting a single key or password, but behind the scenes they use that password to generate separate keys for encryption and authentication (or signing).