The nacl.cr.yp.to source code has separate methods for doing public-key encryption (https://nacl.cr.yp.to/box.html) and for creating and verifying signatures (https://nacl.cr.yp.to/sign.html).
I would expect that a private and public key generated by one would be usable by the other - this would be really nice, since I would only need to distribute one public and private key to devices. However, reading through the code, it looks like they use different methods to generate public and private keys.
Signatures use this method:

    int crypto_sign_keypair(
        unsigned char *pk,
        unsigned char *sk
    )
    {
        sc25519 scsk;
        ge25519 gepk;
        randombytes(sk, 32);
        crypto_hash_sha512(sk, sk, 32);   /* secret scalar is derived from a hash of the seed */
        sk[0] &= 248;                     /* clamp the scalar */
        sk[31] &= 127;
        sk[31] |= 64;
        sc25519_from32bytes(&scsk, sk);
        ge25519_scalarmult_base(&gepk, &scsk);   /* Edwards-form base point */
        ge25519_pack(pk, &gepk);
        return 0;
    }
Public keys use this method:

    int crypto_box_keypair(
        unsigned char *pk,
        unsigned char *sk
    )
    {
        randombytes(sk, 32);              /* the random bytes are used directly as the scalar */
        return crypto_scalarmult_curve25519_base(pk, sk);   /* Montgomery-form base point */
    }
Why can't they just use the same? Are they actually interchangeable?
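The following is an added worked example, not code from the question or from NaCl: a small pure-Python model of the two derivations quoted above. It reproduces the two public keys from the RFC 7748 and RFC 8032 test vectors, then shows why one random seed does not give one key pair: crypto_box_keypair clamps the 32 random bytes and uses them as the X25519 scalar, while crypto_sign_keypair first hashes the seed with SHA-512 and clamps the low 32 bytes of the digest, so the two scalars differ. The function names, the affine Edwards arithmetic and the birational map u = (1 + y) / (1 - y) from the Edwards to the Montgomery form are this example's own (the same map is what libsodium's crypto_sign_ed25519_pk_to_curve25519 applies); they are assumptions for illustration and not part of the NaCl API.

```python
"""Model of NaCl's two key derivations (added example, not NaCl's own code).

crypto_box_keypair:  pk = X25519(clamp(seed), 9)                 (Montgomery form)
crypto_sign_keypair: pk = Ed25519 encoding of clamp(SHA-512(seed)[:32]) * B  (Edwards form)
"""
import hashlib

P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P   # twisted Edwards constant d
BY = (4 * pow(5, P - 2, P)) % P              # Ed25519 base point B, y-coordinate
BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
MONTGOMERY_U = 9                             # X25519 base point, u-coordinate


def clamp(scalar_bytes: bytes) -> int:
    """The sk[0] &= 248; sk[31] &= 127; sk[31] |= 64 step both routines share."""
    s = bytearray(scalar_bytes[:32])
    s[0] &= 248
    s[31] &= 127
    s[31] |= 64
    return int.from_bytes(s, "little")


def _inv(x: int) -> int:
    return pow(x % P, P - 2, P)


def _ed_add(p1, p2):
    """Unified affine addition on -x^2 + y^2 = 1 + d x^2 y^2 (also handles doubling)."""
    x1, y1 = p1
    x2, y2 = p2
    k = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * _inv(1 + k) % P
    y3 = (y1 * y2 + x1 * x2) * _inv(1 - k) % P
    return x3, y3


def ed25519_scalarmult_base(scalar: int):
    """Plain double-and-add; fine for a demonstration, not constant time."""
    result, addend = (0, 1), (BX, BY)       # (0, 1) is the neutral element
    while scalar:
        if scalar & 1:
            result = _ed_add(result, addend)
        addend = _ed_add(addend, addend)
        scalar >>= 1
    return result


def ed25519_pack(point) -> bytes:
    """Like ge25519_pack: little-endian y with the parity of x in the top bit."""
    x, y = point
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def x25519(scalar: int, u: int) -> int:
    """RFC 7748 Montgomery ladder: u-coordinate of scalar * (u, v)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, dd = (x3 + z3) % P, (x3 - z3) % P
        da, cb = dd * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * _inv(z2) % P


def box_keypair(seed: bytes) -> bytes:
    """crypto_box_keypair: the seed itself is the scalar (scalarmult clamps it internally)."""
    return x25519(clamp(seed), MONTGOMERY_U).to_bytes(32, "little")


def sign_keypair(seed: bytes) -> bytes:
    """crypto_sign_keypair: SHA-512 the seed, clamp the low half, multiply the Edwards base."""
    digest = hashlib.sha512(seed).digest()
    return ed25519_pack(ed25519_scalarmult_base(clamp(digest[:32])))


def ed25519_pk_to_x25519(pk: bytes) -> bytes:
    """Edwards -> Montgomery map u = (1 + y) / (1 - y); assumed helper, not NaCl API."""
    y = int.from_bytes(pk, "little") & ((1 << 255) - 1)   # drop the x-parity bit
    return ((1 + y) * _inv(1 - y) % P).to_bytes(32, "little")


def sign_seed_to_box_pk(seed: bytes) -> bytes:
    """X25519 public key that matches the Ed25519 pair: reuse the hashed, clamped scalar."""
    return x25519(clamp(hashlib.sha512(seed).digest()[:32]), MONTGOMERY_U).to_bytes(32, "little")


def same_seed_gives_same_key(seed: bytes) -> bool:
    """Feeding one seed to both routines: do the resulting public keys agree?"""
    return box_keypair(seed) == ed25519_pk_to_x25519(sign_keypair(seed))
```

Run against the public test vectors, box_keypair reproduces Alice's key from RFC 7748 and sign_keypair reproduces TEST 1 from RFC 8032. same_seed_gives_same_key is false for those seeds, because the box path never hashes the seed; only if the Ed25519 scalar (the clamped SHA-512 output) is carried over to X25519, as sign_seed_to_box_pk does, do the two public keys correspond under the curve map. Keeping the derivation explicit like this, rather than reusing one key blob, is the safer way to get a single distributed secret for both purposes.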