Is it possible to generate ECDSA signature without nonce?

guest

5/23/23, 10:12 AM

I am newbie to cryptography and my college has given me this ECDSA. I know that you have to divide result of: h(m)+r.priv in order to generate signature. But is it possible to generate signature without Nonce or 'K' when I have private key(priv) and a selected r and an hash of message?

116

0 + 0

elliptic-curves

signature

dsa

nonce

kelalaka

5/23/23, 10:17 AM

There is [deterministic ECDSA rfc6979](https://datatracker.ietf.org/doc/html/rfc6979) other than this it is not safe.

meshcollider

5/23/23, 10:18 AM

r and H(m) are both public knowledge, so based on your understanding, would this be secure?

guest

5/23/23, 10:25 AM

@meshcollider no, but I am just askin' if it is possible?

kelalaka

5/23/23, 10:39 AM

What is the origin of this question?

Score:2

Crypto

fgrieu

5/23/23, 11:36 AM

Yes, it's normal practice to generate an ECDSA signature from message $M$ (or it's hash $H(M)$ ), private key $d_U$ and curve parameters, without being given a nonce as input. The nonce $k$ is built as part of the signing process, in one of two ways:

It's generated a secret integer $k$ uniformly in $[1,n)$ using a true random number generator with secret output. That's the standard definition of ECDSA.
It's generated a secret integer $k$ in $[1,n)$ using a Pseudo Random Function with key $d_U$, applied to $H(M)$ and optionally other data that needs not be secret (such as a timestamp, or/and a random number). That's what RFC6979 does, prescribing a PRF based on HMAC.

Both methods are as secure: in essence, $k$ is a secret in $[1,n)$ that, to attackers who do not know the private key $d_U$, is unknown and, if it was known, would appear to be random (except for the second option if the same $M$ is re-signed and the optional other data repeats or is absent).

The second method has the advantage of not requiring a true random number generator of cryptographic quality. However it uses private key $d_U$ (and worse mixes it with variable data potentially known to the adversary), therefore the PRF must be protected against side-channel attacks.

Only the second method can insure that signing the same message twice with the same private key generates the same signature, which depending on circumstances is desirable, or not.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is it possible to generate ECDSA signature without nonce?

TH: เป็นไปได้ไหมที่จะสร้างลายเซ็น ECDSA โดยไม่ใช้ nonce

RO: Este posibil să generați semnătura ECDSA fără nonce?

RU: Можно ли сгенерировать подпись ECDSA без одноразового номера?

VI: Có thể tạo chữ ký ECDSA mà không cần nonce không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.