yet another tiny feature: deterministic ECDSA

Christian Grothoff christian at grothoff.org
Thu Apr 11 21:37:13 CEST 2013


Hi!

I don't know if I mentioned this one yet.   When I call 'gcry_pk_sign' for ECDSA signing,
libgcrypt generates (as per ECDSA requirements) a random 'k' value each time.  'k' must
be random as an adversary must not be able to determine 'k', and two signatures must not
share the same 'k' to avoid exposing the private key.

However, in our use, it happens that the same private key is used to sign the same
private data more than once.  Thus, it would be great if we could in that case generate
exactly the same signature over the same data by using the same 'k' value.

I can (safely) construct a pseudo-random seed/k-value that will be unique (and only
known to those that know the private key anyway), but the current gcry_pk_sign API
does not yet allow me to pass it.

My suggestion is that we expand the S-expression with the data to sign.  Right now,
I pass a "(data(flags raw)(value ...))" input there; allowing me to pass an additional
optional argument "(data(flags raw)(value ...)(k ...))" to achieve deterministic
signature generation would be perfect.

(This is not urgent, the ECDH/ECDSA issue is the important one for me right now).


Happy hacking!

Christian



More information about the Gcrypt-devel mailing list