5

If I have a cryptosystem based on C25519 ECC crypto, is it possible to use the same public/private key pairs for key agreement in a FIPS compliant way by deterministically converting C25519 public and private keys into keys under some other ECC curve?

In other words let's say Alice and Bob have C25519 key pairs. Alice has her public and private key and Bob's public key, and Bob has Alice's public key and his public and private. Alice and Bob want to convert their keys into NIST P-256 keys (or some other NIST curve) and then execute ECC key agreement using a FIPS compliant cryptographic module in order to run in a FIPS compliant mode of operation.

Is this possible? Is it secure?

Adam Ierymenko

2 Answers

9

No, conversion of an EC key pair from a curve to another of unrelated order is not possible.

One of the closest things that could be done would be that parties generate a new P256 key pair, then

  • certify their new P256 public key using their C25519 private key, check the other party's certificate using the other party's trusted C25519 public key, and now trust the other party's P256 public key.
  • or negotiate trusted symmetric session key(s) per their C25519 key pairs, and transmit their new P256 public key over a channel secured by symmetric crypto.

fgrieu

2

You could use the private Curve25519 key as the seed to a Key derivation function that allows arbitrary output lengths, such as HKDF. Use this HKDF output as the CSPRNG you would normally use to generate a NIST keypair. This should be deterministic so long as your library does not access the system RNG on its own when generating keys.

You should probably use a customization string such as 'FIPS P256 Key derivation for my_app_name' as an additional input or salt to the key derivation function to prevent any collisions if someone else has the same idea.

rmalayter