Abstract
It is a maxim of sound computer-security practice that a cryptographic key should have only a single use. For example, an RSA key pair should be used only for public-key encryption or only for digital signatures, and not for both. In this paper we show that in many cases, the simultaneous use of related keys for two cryptosystems, e.g. for a public-key encryption system and for a public-key signature system, does not compromise their security. We demonstrate this for a variety of public-key encryption schemes that are secure against chosen-ciphertext attacks, and for a variety of digital signature schemes that are secure against forgery under chosen-message attacks. The precise form of the statement of security that we are able to prove depends on the particular cryptographic schemes in question and on the cryptographic assumptions needed for their proofs of security; but in every case, our proof of security does not require any additional cryptographic assumptions. Among the cryptosystems that we analyze in this manner are the public-key encryption schemes of Cramer and Shoup, Naor and Yung, and Dolev, Dwork, and Naor, which are all defined in the standard model, while in the random-oracle model we analyze plaintext-aware encryption schemes (as defined by Bellare and Rogaway) and in particular the OAEP+ cryptosystem. Among public-key signature schemes, we analyze those of Cramer and Shoup and of Gennaro, Halevi, and Rabin in the standard model, while in the random-oracle model we analyze the RSA-PSS scheme as well as variants of the El Gamal and Schnorr schemes. (See references within.)
Original language | English |
---|---|
Pages (from-to) | 215-224 |
Number of pages | 10 |
Journal | Proceedings of the ACM Conference on Computer and Communications Security |
DOIs | |
State | Published - 2001 |
Externally published | Yes |
Event | Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS-8) - Philadelphia, PA, United States |
Duration | 5 Nov 2001 → 8 Nov 2001 |