1

As I understands, RFC6979 uses deterministic K which is generated by HMAC-SHA256(private_key, message). In this way, I guess if same key with same message, ecdsa signature generated would be always same and so repeatable.

However, I just found some cases where signature diverges across different software(which claims they follow RFC6979), even with same key and message. I think it would be probably because the implementation of some of software I used is wrong(i.e. generation of K in wrong way), but gets just wondering if there's any other possibility that even strictly meeting RFC6979 results in diverging signature when message and key are same.

Appreciate in advance!

Hyunhum Cho
  • 135
  • 5

1 Answers1

2

The signature produced per RFC6979 is supposed to depend only on:

  • elliptic curve group and conventional generator thereof
  • hash function
  • message, including the convention for it's encoding
  • private key, irrespective of the convention for it's encoding
  • convention for the encoding of the signature.

Notice that the hash function defines two associated parameters $B$ and $L$ for the block input size and hash output size, in bytes. Parameter $B$ is not mentioned in the RFC, but matters when it comes to HMAC. The RFC's hlen is $8\cdot L$. For example, $(B,L)$ is $(64,32)$ for SHA-256, $(128,64)$ for SHA-512, $(136,32)$ for SHA3-256, $(72,64)$ for SHA3-512.

Any other variation is an implementation deviation, or a misuse of the implementation. There are test vectors for some standard curves and hashes in FIPSĀ 180-4.

If the signature produced by two implementations are interoperable when it comes to verifying their signatures, but differ in the signatures they produce (other than by encoding) for identical private key and encoded message, then one at least of the implementations deviates from the RFC (e.g. in how it implements the generation of $k$, or ECDSA itself).

fgrieu
  • 149,326
  • 13
  • 324
  • 622