Skip to content

There is no way to perform a ECDSA sign with a deterministic K value #426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rickmark opened this issue Mar 30, 2021 · 3 comments · May be fixed by #434
Open

There is no way to perform a ECDSA sign with a deterministic K value #426

rickmark opened this issue Mar 30, 2021 · 3 comments · May be fixed by #434

Comments

@rickmark
Copy link
Contributor

It is not possible to specify the value for k allowing the usage of https://tools.ietf.org/html/rfc6979

This limits the ability to use libcrypto ECC operations in a number of ways.

OpenSSL::PKey::EC#dsa_sign_asn1 should take an optional precomputed K value as those APIs exist in OpenSSL
@rickmark rickmark mentioned this issue Mar 30, 2021
Open
@rhenium
Copy link
Member

rhenium commented Mar 31, 2021

ECDSA_*() functions are deprecated and I'd like to avoid implementing a feature on top of the legacy API.

There is an open Pull Request openssl/openssl#9223 to add RFC 6979 support via the EVP API.

Once it is merged and I finish #382, OpenSSL::PKey::EC#sign_raw can take ecdsa_nonce_type: "deterministic" argument.

@rickmark
Copy link
Contributor Author

rickmark commented Apr 2, 2021

I'm liking #382 - but I'd like to keep this as well:

being able to call sign with the value of k specified
being able to call sign with the value of inverse_k and r specified

This can be handled in the options hash.

This unblocks a number of scenarios for usage in Bitcoin / ECC where "close to the metal" is needed. I've also started to prepare a test suite that verifies correctness with predetermined k values. (see lian/bitcoin-ruby@master...rickmark:master)

I know introducing k means that if misused clients can leak their private key... but I think good documentation that you shouldn't provide these values if you don't know what they are.

@rickmark rickmark linked a pull request Apr 2, 2021 that will close this issue
Open
@rhenium
Copy link
Member

rhenium commented Aug 31, 2023

At the end of last year, OpenSSL finally added RFC 6979 support through the EVP API: openssl/openssl#18809

It will likely be available in OpenSSL 3.2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Introduced optional values to ECDSA sign for deterministic k values rickmark/openssl
2 participants
@rickmark @rhenium