Score:1

Reusing additional data k' nonce from RFC6979 ECDSA

ru flag

It is known that you must not reuse k in ECDSA; doing so will leak your private key. That's one of the reasons RFC6979 deterministic signatures were invented.

Now, RFC6979 sec 3.6 specifies a possibility of using additional data k' which would feed entropy to the deterministic scheme.

It suffices that the additional data k' is non-repeating (e.g., a signature counter or a monotonic clock) to ensure "random-looking" signatures are indistinguishable, in a cryptographic way, from plain (EC)DSA signatures.

Is reusing k' as bad as reusing k? E.g. could it lead to private key leak?

Score:2
my flag

Is reusing k' as bad as reusing k? E.g. could it lead to private key leak?

No; reusing the same k' would cause the signature to be deterministic (that is, signing the same message twice would result in the same signature), but would have no other effect.

If so, why does the RFC state that k' should be nonrepeating?

Well, that section is all about 'variants that are NOT deterministic"; repeating k' would leak the data, but would also fail to achieve the nondeterministic property (which you would presumably interested in if you're looking at the 3.6 method).

ru flag
What about reusing `k'` for different messages?
poncho avatar
my flag
There's no issue with that. You could use a fixed `k'` for all messages if you didn't care about determinism (however, that would appear to have no advantage over not using `k'` at all)
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.