Currently the `ecdsa` crate's `ecdsa::Signer` type only impls `RandomizedSigner` and `RandomizedDigestSigner`, and uses a `k` value derived verbatim from the RNG. This approach is historically fraught with problems and there are better solutions.
RFC 6979
Due to an ongoing litany of ECDSA secret key recovery vulnerabilities owing to accidental repetitions of the ECDSA `k` (nonce) value for signing multiple messages under the same secret key, deterministic methods of generating `k` like RFC 6979 have grown popular. Additionally, a deterministic method would allow us to sign without an RNG, i.e. impl the `Signer` and `DigestSigner` traits.
draft-mattsson-cfrg-det-sigs-with-noise
Unfortunately, deterministic `k` generation makes it easy for an attacker with physical access who can inject faults to potentially induce repeated signatures under the same `k` value. An attacker who can inject a fault in the calculation of the ECDSA `z` scalar from the message digest some time after `k` has been computed (or otherwise inject faults in the subsequent arithmetic on `z`) can leverage this to recover the private key.
draft-mattsson-cfrg-det-sigs-with-noise provides a hybrid approach that bolsters an RFC 6979-like construction with additional randomness to ensure `k` is still uniformly random per-message in the event of an RNG failure, but also uniquely random every time in the event the RNG is working. Ideally we can change the `RandomizedSigner` and `RandomizedDigestSigner` traits to use this sort of approach.
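To make the two constructions concrete, here is an added example (not code from the `ecdsa` crate or the draft) of RFC 6979 section 3.2 nonce derivation, written in Python so that the standard-library `hmac` and `hashlib` modules can stand in for an HMAC implementation. `generate_k` follows the RFC's steps directly; `hybrid_k` feeds 32 bytes of RNG output in as the "additional data" `k'` of RFC 6979 section 3.6, which is how I read the draft's proposal of mixing noise into an RFC 6979-style derivation (that reading, the 32-byte noise length, and the `dead_rng` stand-in for a failed RNG are assumptions of this example). The P-256 order and the private key are the ones from the RFC 6979 Appendix A.2.5 test vectors, so the plain deterministic output can be checked against the published `k` for the message `"sample"`.

```python
import hashlib
import hmac
import os

# Constants for this example: the NIST P-256 group order and the private key
# from the RFC 6979 Appendix A.2.5 test vectors.
P256_ORDER = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)
RFC6979_TEST_KEY = int("C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721", 16)


def bits2int(data: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: interpret the leftmost qlen bits as a big-endian integer."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    return value >> (blen - qlen) if blen > qlen else value


def int2octets(x: int, qlen: int) -> bytes:
    """RFC 6979 2.3.3: big-endian encoding padded to ceil(qlen/8) bytes."""
    return x.to_bytes((qlen + 7) // 8, "big")


def bits2octets(data: bytes, q: int, qlen: int) -> bytes:
    """RFC 6979 2.3.4: bits2int, reduce mod q, then int2octets."""
    return int2octets(bits2int(data, qlen) % q, qlen)


def generate_k(x: int, h1: bytes, q: int, extra: bytes = b"", hashfunc=hashlib.sha256) -> int:
    """RFC 6979 3.2 nonce derivation (HMAC_DRBG-style chaining).

    x is the private scalar, h1 the message hash, q the group order. `extra`
    is the optional additional data k' of RFC 6979 3.6; leaving it empty gives
    the plain deterministic construction.
    """
    qlen = q.bit_length()
    hlen = hashfunc().digest_size
    seed = int2octets(x, qlen) + bits2octets(h1, q, qlen) + extra
    V = b"\x01" * hlen  # step b
    K = b"\x00" * hlen  # step c
    K = hmac.new(K, V + b"\x00" + seed, hashfunc).digest()  # step d
    V = hmac.new(K, V, hashfunc).digest()  # step e
    K = hmac.new(K, V + b"\x01" + seed, hashfunc).digest()  # step f
    V = hmac.new(K, V, hashfunc).digest()  # step g
    while True:  # step h: generate candidates until one lands in [1, q-1]
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: re-key and draw again.
        K = hmac.new(K, V + b"\x00", hashfunc).digest()
        V = hmac.new(K, V, hashfunc).digest()


def deterministic_k(x: int, msg: bytes, q: int = P256_ORDER) -> int:
    """Plain RFC 6979: the same key and message always yield the same k."""
    return generate_k(x, hashlib.sha256(msg).digest(), q)


def hybrid_k(x: int, msg: bytes, q: int = P256_ORDER, rng=os.urandom) -> int:
    """RFC 6979 with 32 bytes of RNG output mixed in as additional data.

    With a healthy RNG, k differs on every call even for a repeated message;
    with a stuck RNG, k still differs per (key, message) exactly as in plain
    RFC 6979, so a signer never falls back to a raw, possibly repeated RNG value.
    """
    return generate_k(x, hashlib.sha256(msg).digest(), q, extra=rng(32))


def dead_rng(n: int) -> bytes:
    """Simulated failed RNG for this example: always returns zero bytes."""
    return b"\x00" * n


if __name__ == "__main__":
    x, q = RFC6979_TEST_KEY, P256_ORDER
    print("RFC 6979 k for 'sample':", hex(deterministic_k(x, b"sample", q)))
    print("hybrid, healthy RNG, same msg twice differs:",
          hybrid_k(x, b"sample", q) != hybrid_k(x, b"sample", q))
    print("hybrid, dead RNG, two msgs still distinct:",
          hybrid_k(x, b"sample", q, dead_rng) != hybrid_k(x, b"test", q, dead_rng))
```

The point the example makes is the one the draft argues: the extra input only ever adds entropy to the HMAC chain, so the worst case of a broken RNG degrades to plain RFC 6979 rather than to a repeated `k`, while a working RNG removes the signature determinism that makes fault injection attractive.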