[Cryptech Tech] why not deterministic ecdsa?

Simon Josefsson simon at josefsson.org
Mon Sep 7 07:25:14 UTC 2015


Randy Bush <randy at psg.com> writes:

>> Am I reading this right that your ECDSA code generated a fresh k from
>> your TRNG?
>> 
>> You want to read and consider RFC 6979.
>
> hi simon.  considering the rate js is getting out of the trng, what
> other motivation is there to do 6979?

Normally you would ask the reverse question (why use something if it
isn't needed), but answers include:

1) Be able to self test the functions against expected input/output
vectors.

2) Avoid catastrophic failures if the rng stops working or produces poor
quality.

3) Generality and separation of components (someone who uses your ecdsa
might not necessarily trust your rng).

/Simon