Kenny Patterson talked about theory and practice of key reuse. Key reuse offers some interesting advantages such as reducing storage requirements for certificates and keys, reducing the costs of certification as well as reducing the cryptographic code footprint. A classical scenario where to use this approach would be in an encryption and signature setting. Given all the advantages that key reuse provides in common practice, what can we say about security? At Asiacrypt 2011, an efficient construction based on pairings has been presented for joint security of encryption and signature.
However, in practice, simpler constructions are employed. For instance, the EMV standard uses RSA keys to compute signatures for card authentication and transaction authorization, and to encrypt the PIN between the terminal and the card. No specific analysis has been conducted of whether this approach is detrimental to security. If you are a follower of this blog then you will know that there exists an attack (at least in theory), Nigel described it in some more detail in one of his earlier posts.
Furthermore, Stefan gave a brief overview of the most important developments in the area of physical security in the last 15 years. State-of-the-art attacks can process up to 1 billion measurements of side-channel information (i.e., run time, power consumption or electromagnetic radiation) that typically leaks during the execution of security-critical code. This gives an attacker a lot of information to extract secret key material. That is one of the reasons why there is currently no countermeasure that guarantees absolute side-channel resistance. However, one can make life considerably more difficult for an attacker by employing defence mechanisms that combine higher-order masking with some shuffling of the security-critical code sections or alternatively using a key refreshing solution.