Questions tagged [rfc6979]

RFC6979 "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)"

RFC6979 specifies an algorithm for generating deterministic (EC)DSA signatures.

10 questions
8 votes, 1 answer

RFC6979: error in reference implementation?

If I understand RFC 6979 correctly, there is an error in the reference implementation in section 3.2. In step H2, the RFC specification says: 2. While tlen < qlen, do the following: V = HMAC_K(V); T = T || V, but in Java…
2 votes, 1 answer

Question about IETF RFC6979 deterministic (EC)DSA document section 3.6 additional data k'

In RFC6979, on page 14, Section 3.6 "Variants": o. Additional data may be added to the input of HMAC, concatenated after bits2octets(H(m)): K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k') However, in the terminology of…
anmin • 41 • 3
2 votes, 1 answer

What degree of k bias is acceptable in ECDSA?

So there's LadderLeak. RFC6979 produces a uniformly random nonce $k$. There are other techniques, such as the hash-to-curve standard (draft-irtf-cfrg-hash-to-curve-16 section 5), which allow producing uniformly random scalars. They mention it's OK to…
Paul Miller • 340 • 1 • 12
1 vote, 1 answer

Reusing additional data k' nonce from RFC6979 ECDSA

It is known that you must not reuse k in ECDSA; doing so will leak your private key. That's one of the reasons RFC6979 deterministic signatures were invented. Now, RFC6979 sec 3.6 specifies a possibility of using additional data k' which would feed…
Paul Miller • 340 • 1 • 12
1 vote, 0 answers

Security proof about RFC 6979

In the paper "The Random Oracle Model: a Twenty-Year Retrospective", section 7.3, by Koblitz & Menezes, the authors tried to prove the security of ECDSA+. But after looking at the entire proof, I didn't find that they considered the probability that…
Steven Wu • 15 • 2
1 vote, 1 answer

Why does deterministic ECDSA (per RFC 6979) include the private key in the generation of k?

It's clear that using the private ECDSA key $x$ as an additional input into the hash algorithm, as specified in RFC 6979, doesn't harm security (assuming HMAC_DRBG is a PRF). But is it necessary? Would there be any problem with allowing the…
lxgr • 1,798 • 1 • 13 • 22
1 vote, 1 answer

RFC6979: Can a deterministic ECDSA signature diverge with the same key and message?

As I understand it, RFC6979 uses a deterministic K which is generated by HMAC-SHA256(private_key, message). In this way, I guess that with the same key and the same message, the ECDSA signature generated would always be the same and so repeatable. However, I just found some…
Hyunhum Cho • 135 • 5
0 votes, 1 answer

Why does RFC 6979 need so many loops?

I recently started reading RFC 6979. I'm curious why it needs so many loops. This post asks a similar question: "RFC 6979 - Why not simply hash the message & the private key for deterministic ECDSA?", but my doubts are still unanswered. Why can't…
Steven Wu • 15 • 2
0 votes, 0 answers

Apple secure enclave with RFC6979

Does the Apple Secure Enclave support RFC6979 with the P256 curve? This RFC defines a deterministic ECDSA with a deterministic k value. That's the link to the RFC: https://www.rfc-editor.org/rfc/rfc6979 I looked everywhere in their documentation but couldn't find…
0 votes, 1 answer

Is it possible to define a new custom signed attribute for CAdES?

Is it possible to introduce a new signed attribute in the CMS Advanced Signature format (RFC 5126) for a custom data type? I want to include location data from GPS or Galileo and extend CAdES for my thesis. I would appreciate it if you can provide…
zima blue • 3 • 2