- elliptic-curves signature diffie-hellman dsa x25519
- Updated Wed, 11 May 2022 02:17:47 GMT

I'm writing an application where both encryption/decryption and signing/verification are needed, and I choose X25519 as a key agreement algorithm which will produce a key for encryption, and ECDSA to sign messages.

Key generation: I generate a curve25519 private key from a mnemonic (so I have kind of a random 32 bytes private key).

Now I have 32 bytes array, I want to use this array byte array for both encryption and signing, the problem that I have is, for X25519 i need to apply key clamping for this private key to be valid which looks like this:

```
privateKey[0] &= 248; // unset the 3 least significant bits
privateKey[31] &= 127 // unset the most significant bit
privateKey[31] |= 64 // set the second most significant bit
```

But for ECDSA, the key needs to be in the range $[1, N]$, where N (for curve25519) is equal to $2^{252}$ + a small factor, and so I need to convert my 32 bytes array to a number that fits in this range.

I have a few questions:

- Why doesn't the X25519 private key need to fit in the range $[1, N]$?
- Also why is it not important to apply the key clamping function used in X25519 to the key used for ECDSA?

Why doesn't the X25519 private key need to fit in the range $[1,N]$?

By unsetting the most significant bit and the three least significant bits, you limit the key to effectively only 252 bits. When you say $N$ is $2^{252}$ + a small factor, you are talking about the order of the *subgroup* used by x25519, not the full order of the curve group. This subgroup has index (or cofactor) 8. Unsetting the three lower bits forces the secret to be a multiple of 8, meaning it will lie in this large prime-order subgroup.

Also why is it not important to apply the key clamping function used in X25519 to the key used for ECDSA?

To the best of my knowledge, Curve25519 is not used for ECDSA. Did you mean EdDSA (specifically, ed25519)?

- +0 – Thanks for your answer! you're correct, i think curve25519 for ECDSA is a bad choice from my side, i'm thinking about using EdDSA now, i know that EdDSA and X25519 use different curves, but they're using the same key clamping function right, is it safe to use the same private key(but different public keys) for both EdDSA and X25519, or is it safer if I derive two different keys using my random 32 bytes? — Feb 04, 2022 at 11:23
- +2 – You should definitely derive two separate keys. Reusing keys almost always has unforseen security complications. Btw, please remember to accept and upvote the answer if it helped! — Feb 04, 2022 at 11:35
- +1 – just did, i need at least 15 reputation to upvote tho, thx for the answer! — Feb 04, 2022 at 11:39
- +2 – @jjd: actually Ed25519 (a popular instance of EdDSA) and X25519 use the same
*curve*mathematically, but different representations -- X25519 uses Montgomery form and and Ed25519 uses Edwards form, and these forms have different coefficients and calculations, but they are what mathemeticians call birationally equivalent. See datatracker.ietf.org/doc/html/rfc7748 . — Feb 05, 2022 at 03:40