Definitely. There are two main advantages of having one keypair for encryption and another keypair for signing.
The first reason is that you will want to keep backups of expired keys that have been used for encryption, which is not the case with signing keys. You normally store encrypted data encrypted and decrypt it to view it. If you lose an encryption private key you lose data. If you lose a signing private key you lose nothing (since the public key will be somewhere public, right?). Our favourite bear made a huge discussion about this point in a previous answer.
A second reason is that an encryption protocol may be broken. It is plausible that only the encryption part or only the signing part of the protocol is broken (e.g. by watermarking data inside a cyphertext). If RSA encryption is broken and you have 2 keys, you need to revoke all encryption keys (and substitute by another protocol) but does not need to do anything about the signing keys. The opposite (signing is broken) also holds.
Due to popular demand (in the comments), I'll defend the second point above by presenting two scenarios: one in which an asymmetric signature can be broken without breaking the encryption, and one in which the encryption can be broken without breaking the signing algorithm. Let's rock:
(I'm not a theoretician, therefore there may be something wrong if you look at it with enough pedantry, don't feel afraid of pointing it out.)
Breaking signing without breaking the encryption
Assuming that the signing is performed in the following fashion (it is a common fashion for asymmetric encryption):
encrypt(privkey, hash(plaintext))
The purpose of an attacker is to be able to sign a message of his own creation with my key. He can steal the key or attack the algorithm. If the attacker finds a way to efficiently find collisions in the hash()
function, he can take a message previously signed by me retrieve the hash (by decrypting the signature) and craft a message of his own that collides to the same hash value.
In other words, by breaking hash()
an having access to at least one of messages signed by me, the attacker defeats the signing algorithm without touching encrypt()
.
Breaking encryption without breaking the signing
One common way to break the encryption is being able to guess the key based on information in the cyphertext and the plaintext. This is often called watermarking (although that is more often used against symmetric encryption). The encryption will be performed by:
encrypt(pubkey, plaintext)
Now, let's assume that the attacker will send me several cyphertexts encrypted with my public key. And that he will convince me to reveal to him the content of the plaintext that I decrypted using my private key. This is not far fetched at all: imagine encrypted mails with password resets, I'll decrypt the mail and send the plaintext back to the attacker.
Now, if it is possible to guess (with high probability), based on certain bits in the cyphertext, that a certain bit in the plaintext will be 1 or 0 if another bit in the private key is 1 or 0, then we have a high probability chance that we discovered a single bit of the private key. This is akin of an attack against the S-BOX model of the algorithm had we been talking about symmetric encryption.
(The previous paragraph is considerably far fetched. Thinking of RSA as using bits is not very realistic. I'm using bits because it is how watermarking works against block ciphers, but you can think of it as any statistical attack on RSA)
Repeating the procedure above several times the attacker can recover my private key, and the encryption is broken since he can now decrypt all messages sent to me.
Why doesn't this work for signatures? Because of the same hash()
function as above. If the hash is cryptographic, it should be impossible to determine the location of bits in the plaintext based on the hash output. Therefore, if hash()
is sound but the encryption algorithm can be attacked with watermarking, we can break encryption without breaking the signing algorithm.
But wait, aren't cryptographic hashes used (on the plaintext) during the encryption? Ekhm... nope, the encryption need to preserve all data so it is possible to decrypt it. A hash will lose some data, therefore it cannot be used in the same form as in the signing algorithm in the encryption.
Of course, these two scenarios are not the only possible scenarios. But are plausible scenarios, woth enough attention to warrant using 2 keypairs (one for signing and one for encryption)