ecdsa: implement RFC6979 ephemeral scalar generation#133
| /// Internal implementation of `HMAC_DRBG` as described in NIST SP800-90A: | ||
| /// <https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final> | ||
| /// | ||
| /// This is a HMAC-based deterministic random bit generator used internally | ||
| /// to compute a deterministic ECDSA ephemeral scalar `k`. | ||
| // TODO(tarcieri): generalize and extract this into the `hmac` crate? | ||
| struct HmacDrbg<D> |
@newpavlov it might be interesting to extract or reimplement this in the hmac crate (possibly as a CryptoRng?)
I think it will be better to implement it in a separate crate, and it would fit nicely into the currently empty CSRNGs repository. And it looks like @sorpaas has already published such a crate (although without implementing the rand_core traits).
@sorpaas Would you be interested in transferring the hmac-drbg crate to this organization?
Oh neat! Unfortunately its hmac dependency is a version behind; otherwise it looks like what I need.
Opened a PR to bump the hmac dependency here: sorpaas/rust-hmac-drbg#3
Codecov Report

                master     #133     +/-
  Coverage      43.37%   37.60%   -5.78%
  Files              6        7       +1
  Lines            219      250      +31
  Hits              95       94       -1
  Misses           124      156      +32

Continue to review full report at Codecov.
| // TODO(tarcieri): don't panic (i.e. unwrap)! add/use trait for reducing digests mod q | ||
| let h1: ElementBytes<C> = C::Scalar::from_bytes(&msg_digest.finalize()) | ||
| .unwrap() | ||
| .into(); |
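Review bot: the `.unwrap()` on `C::Scalar::from_bytes(&msg_digest.finalize())` turns any digest that is not a canonical scalar into a panic inside the signing path, which is a denial of service reachable from the message being signed; RFC 6979's bits2octets reduces the truncated digest mod q rather than rejecting it, so the "reduce digests mod q" trait the TODO describes should replace the unwrap (returning an error at minimum) before this lands rather than being left as a TODO.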
TODO: Need a Scalar::from_digest-style trait here.
Adds a deterministic signing mode based on RFC6979. Modifies the existing `RandomizedDigestSigner` and `RandomizedSigner` impls to also use an RFC6979-style derivation, but supplying added entropy derived from a provided RNG, per an RFC6979 variant described in Section 3.6.
Removed draft and WIP. This still doesn't have tests, but due to the nature of RFC6979 it's a bit tricky to test in isolation. It would require implementing the rudiments of a particular elliptic curve and writing tests against it. It will be easier to test in conjunction with particular elliptic curve implementations.
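The derivation the PR description refers to, as an added reference implementation that is not the `ecdsa` crate's code: it walks the HMAC_DRBG steps of RFC 6979 section 3.2 with Python's standard-library `hmac` and `hashlib`, takes the optional additional data of section 3.6 (the RNG-supplied bytes the randomized signers feed in) as an `extra` parameter, and checks the result against the RFC's own Appendix A.2.5 P-256/SHA-256 vector. That check needs only the group order q and the private key, both copied from the RFC; no curve arithmetic is involved, since the appendix lists k itself. `P256_Q`, `RFC6979_A25_PRIVATE_KEY` and the function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constants assumed for the example, copied from RFC 6979 Appendix A.2.5:
# the order q of the NIST P-256 group and the test private key x.
P256_Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_QLEN = 256
RFC6979_A25_PRIVATE_KEY = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: big-endian integer from the leftmost qlen bits of b."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v


def int2octets(x: int, qlen: int) -> bytes:
    """RFC 6979 2.3.3: big-endian encoding of x in ceil(qlen/8) bytes."""
    return x.to_bytes((qlen + 7) // 8, "big")


def bits2octets(b: bytes, q: int, qlen: int) -> bytes:
    """RFC 6979 2.3.4: bits2int, reduce mod q (never reject), then int2octets."""
    return int2octets(bits2int(b, qlen) % q, qlen)


def rfc6979_k(priv: int, msg_hash: bytes, q: int, qlen: int,
              hash_name: str = "sha256", extra: bytes = b"") -> int:
    """RFC 6979 3.2 steps b-h (HMAC_DRBG instantiate + generate).

    `extra` is the section 3.6 additional data k': it is appended to the seed
    material in steps d and f only, so k stays a function of the key and the
    message even if the extra bytes come from a weak RNG."""
    hlen = hashlib.new(hash_name).digest_size
    seed = int2octets(priv, qlen) + bits2octets(msg_hash, q, qlen) + extra
    v = b"\x01" * hlen                                        # step b
    k = b"\x00" * hlen                                        # step c
    k = hmac.new(k, v + b"\x00" + seed, hash_name).digest()   # step d
    v = hmac.new(k, v, hash_name).digest()                    # step e
    k = hmac.new(k, v + b"\x01" + seed, hash_name).digest()   # step f
    v = hmac.new(k, v, hash_name).digest()                    # step g
    while True:                                               # step h
        t = b""
        while len(t) * 8 < qlen:
            v = hmac.new(k, v, hash_name).digest()
            t += v
        cand = bits2int(t, qlen)
        if 1 <= cand < q:
            return cand
        # Candidate outside [1, q-1]: rekey and try again, as the RFC requires.
        k = hmac.new(k, v + b"\x00", hash_name).digest()
        v = hmac.new(k, v, hash_name).digest()


def deterministic_k_p256_sha256(priv: int, msg: bytes) -> int:
    """Plain RFC 6979 mode: the same (key, message) always yields the same k."""
    return rfc6979_k(priv, hashlib.sha256(msg).digest(), P256_Q, P256_QLEN)


def randomized_k_p256_sha256(priv: int, msg: bytes,
                             rng_bytes: Optional[bytes] = None) -> int:
    """Section 3.6 mode: RFC 6979 derivation plus RNG-supplied additional data."""
    extra = os.urandom(32) if rng_bytes is None else rng_bytes
    return rfc6979_k(priv, hashlib.sha256(msg).digest(), P256_Q, P256_QLEN,
                     extra=extra)


if __name__ == "__main__":
    k = deterministic_k_p256_sha256(RFC6979_A25_PRIVATE_KEY, b"sample")
    print(f"RFC 6979 A.2.5 k for 'sample': {k:064X}")
```

The important property of the 3.6 variant is visible in `rfc6979_k`: the extra bytes only add to the seed, so a broken RNG degrades the randomized mode to plain RFC 6979 rather than to a repeated or biased k, while a good RNG prevents the fault-attack style of forcing two signatures over the same message to share k.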
Adds support for RFC6979 deterministic ECDSA ephemeral scalars (`k`) using the generic implementation added to the `ecdsa` crate in RustCrypto/signatures#133.
Adds a deterministic signing mode based on RFC6979. Closes #124.
This could be further extended to bolster the security when using `RandomizedSigner` using the method described in Section 3.6.

Edit: went ahead and made `RandomizedDigestSigner` use an RFC6979-style derivation but supplying some additional data from the RNG as input. It was easy enough.