Why should one not use the same asymmetric key for encryption as they do for signing?

It is mostly that the management approaches and timeframes differ for the use of signing and encryption keys.

For non-repudiation, you never want someone else to get control of your signing key since they could impersonate you. But your workplace may want to escrow your encryption key so that others who need to can get to the information you've encrypted.

You also may want a signing key to be valid for a long time so people around the world can check signatures from the past, but with an encryption key, you often want to roll it over sooner, and be able to revoke old ones without as many hassles.


It is potentially insecure to use the same keypair for both signing and encryption. Doing so may enable attacks, depending on the particular public-key scheme you use. This kind of use is not what the system was designed for, so using the system in a way it was not designed for "voids the warranty".

Don't do it. It's asking for trouble.


There are some reasons that we should not use the same key for encryption and signing.

  1. We need to back up our secret key for encrypted data. Later we want to decrypt some old encrypted messages, but we don't need to back up our secret key for signing. If an attacker finds the key, we can tell our CA to revoke it and get a new secret key for signing without the need for a backup.

  2. More importantly: If we use the same key for encryption and signing, the attacker can use this to decrypt our encrypted message. This is what he/she would do:

    The attacker must choose a random number r, where

          r must have GCD(N, r) = 1,
          and N is the number used for creating the private and public keys (N = pq)

    Then the attacker chooses a new message (m′) and sends this for signing to the sender:

          m′ = m^e · r^e (here (e, N) is the public key)

    When the sender signs m′ we get

          m′^d ≡ (m^e · r^e)^d ≡ m · r (mod N)

    Now the attacker only needs to "divide" it by r to get m (the secret message).
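
The algebra in the answer above, carried through on unpadded ("textbook") RSA, with the same request answered by a separate signing key for comparison. This is an added example, not part of the original answer; the function names, the Mersenne-prime toy keys, the message and the value of r are all constructed for illustration.

```python
import math

def keygen(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy parameters, no padding)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (e, n), (d, n)

def encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)

def raw_sign(priv, x):
    # Unpadded signing is x^d mod N, the same operation as decryption.
    d, n = priv
    return pow(x, d, n)

def recover_via_signature(pub, c, r, sign):
    """Blind ciphertext c with r^e, obtain a signature on it, divide by r."""
    e, n = pub
    if math.gcd(r, n) != 1:
        raise ValueError("r must be coprime to N")
    m_prime = (c * pow(r, e, n)) % n     # m' = m^e * r^e mod N
    s = sign(m_prime)                    # shared key: (m^e r^e)^d = m*r mod N
    return (s * pow(r, -1, n)) % n       # "divide" by r

# Constructed sample values (Mersenne primes, chosen only because they are
# easy to verify; real keys use random primes and padded schemes).
ENC_PUB, ENC_PRIV = keygen(2**31 - 1, 2**61 - 1)
SIG_PUB, SIG_PRIV = keygen(2**89 - 1, 2**107 - 1)
SECRET = 424242
R = 123457

def demo():
    c = encrypt(ENC_PUB, SECRET)
    # Same key used for encryption and signing: the signature leaks m*r.
    shared = recover_via_signature(ENC_PUB, c, R,
                                   lambda x: raw_sign(ENC_PRIV, x))
    # Separate signing key: the signature is unrelated to the ciphertext.
    separate = recover_via_signature(ENC_PUB, c, R,
                                     lambda x: raw_sign(SIG_PRIV, x))
    return shared, separate

if __name__ == "__main__":
    shared, separate = demo()
    print("shared key recovers secret:  ", shared == SECRET)
    print("separate key recovers secret:", separate == SECRET)
```

With the shared key the signing operation acts as a decryption oracle; with a distinct signing key the returned value has no algebraic relation to the encrypted message.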