It is known that you must not reuse k in ECDSA; doing so will leak your private key. That's one of the reasons RFC6979 deterministic signatures were invented.

Now, RFC6979 sec 3.6 specifies a possibility of using additional data k' which would feed entropy to the deterministic scheme.

It suffices that the additional data k' is non-repeating (e.g., a signature counter or a monotonic clock) to ensure "random-looking" signatures are indistinguishable, in a cryptographic way, from plain (EC)DSA signatures.

Is reusing k' as bad as reusing k? E.g. could it lead to private key leak?

Paul Miller

1 Answer

Is reusing k' as bad as reusing k? E.g. could it lead to private key leak?

No; reusing the same k' would cause the signature to be deterministic (that is, signing the same message twice would result in the same signature), but would have no other effect.

If so, why does the RFC state that k' should be nonrepeating?

Well, that section is all about "variants that are NOT deterministic"; repeating k' would leak the data, but would also fail to achieve the nondeterministic property (which you would presumably be interested in if you're looking at the 3.6 method).

poncho
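
The behaviour discussed in this thread can be checked with the following added example, which is not part of the original posts and is not the RFC's reference code: it derives k as in RFC 6979 sec 3.2 with the sec 3.6 additional data k' appended to the HMAC input, and compares the nonces obtained when k' is reused. It is narrowed to P-256 with SHA-256; the function names, the private key, the messages and the k' value are constructed for illustration.

```python
import hashlib
import hmac

# Order of the NIST P-256 group. qlen = 256 = SHA-256 output length, so
# bits2int needs no truncation in this narrowed example.
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def rfc6979_k(x: int, msg: bytes, k_prime: bytes = b"") -> int:
    """Nonce k per RFC 6979 sec 3.2; k_prime is the sec 3.6 additional data."""
    h1 = int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q  # bits2octets
    # int2octets(x) || bits2octets(h1) || k'
    seed = x.to_bytes(32, "big") + h1.to_bytes(32, "big") + k_prime
    v, key = b"\x01" * 32, b"\x00" * 32
    key = mac(key, v + b"\x00" + seed)
    v = mac(key, v)
    key = mac(key, v + b"\x01" + seed)
    v = mac(key, v)
    while True:
        v = mac(key, v)
        k = int.from_bytes(v, "big")
        if 1 <= k < Q:
            return k
        # Candidate out of range: update the HMAC state and try again.
        key = mac(key, v + b"\x00")
        v = mac(key, v)


def reuse_report(x: int, k_prime: bytes) -> dict:
    """Compare nonces when the same k' is reused across signing calls."""
    a = rfc6979_k(x, b"message one", k_prime)
    return {
        "same_msg_same_k": a == rfc6979_k(x, b"message one", k_prime),
        "other_msg_same_k": a == rfc6979_k(x, b"message two", k_prime),
        "fresh_k_prime_same_k": a == rfc6979_k(x, b"message one", k_prime + b"\x01"),
    }


if __name__ == "__main__":
    # Constructed private key, for illustration only.
    X = 0x1F2E3D4C5B6A79881F2E3D4C5B6A79881F2E3D4C5B6A79881F2E3D4C5B6A7988
    print(reuse_report(X, b"constructed-k-prime"))
```

Only the first comparison comes out true: with a repeated k', the same message yields the same k (a deterministic signature), while a different message still yields a different k.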