Closed aidantwoods closed 2 years ago
Signatures generated by this package are not deterministic, but entropy is mixed with the private key and the message, achieving the same level of security in case of randomness source failure.
That's sufficient. From step 4 in the Version 3 spec (emphasis added):
- Sign m2 using ECDSA over P-384 and SHA-384 with the private key sk. We'll call this sig. The output of sig MUST be in the format r || s (where || means concatenate), for a total length of 96 bytes.
- Signatures SHOULD use deterministic nonces (RFC 6979) if possible, to mitigate the risk of k-value reuse.
- If RFC 6979 is not available in your programming language, ECDSA MUST use a CSPRNG to generate the k-value.
- Hedged signatures (RFC 6979 + additional randomness to provide resilience to fault attacks) are allowed.
sig = crypto_sign_ecdsa_p384( message = m2, private_key = sk );
Really appreciate you taking a look. Thanks for confirming! 😃
No Go language support for RFC 6979 (as suggested by the PASETO spec). However, the Go crypto library does address CSPRNG failures:
https://pkg.go.dev/crypto/ecdsa#pkg-overview
This should be sufficient to meet the spec recommendations, but open to feedback on how to improve this. My preference is to defer to the Go crypto library where possible here, rather than writing a custom implementation of RFC 6979.
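As an added illustration (not code from this repository or the PASETO reference implementations), the following shows how the spec's r || s requirement is met on top of `crypto/ecdsa`, whose `Sign` mixes CSPRNG output with the key and message (the hedged nonce discussed above). The function names `signP384Raw`, `verifyP384Raw` and `newP384Key` are assumptions for this example; the message `m2` is constructed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"math/big"
)

// P-384 scalars are 48 bytes, so r || s is a fixed 96 bytes.
const scalarLen = 48

// signP384Raw hashes m2 with SHA-384 and signs with sk (hypothetical helper).
// crypto/ecdsa derives the nonce from CSPRNG output mixed with the private
// key and digest, so signatures differ per call but survive a weak RNG.
func signP384Raw(sk *ecdsa.PrivateKey, m2 []byte) ([]byte, error) {
	if sk.Curve != elliptic.P384() {
		return nil, errors.New("key is not on P-384")
	}
	digest := sha512.Sum384(m2)
	r, s, err := ecdsa.Sign(rand.Reader, sk, digest[:])
	if err != nil {
		return nil, err
	}
	// FillBytes left-pads each scalar to exactly 48 bytes: r || s.
	sig := make([]byte, 2*scalarLen)
	r.FillBytes(sig[:scalarLen])
	s.FillBytes(sig[scalarLen:])
	return sig, nil
}

// verifyP384Raw checks a 96-byte r || s signature over m2 (hypothetical helper).
func verifyP384Raw(pk *ecdsa.PublicKey, m2, sig []byte) bool {
	if pk.Curve != elliptic.P384() || len(sig) != 2*scalarLen {
		return false
	}
	digest := sha512.Sum384(m2)
	r := new(big.Int).SetBytes(sig[:scalarLen])
	s := new(big.Int).SetBytes(sig[scalarLen:])
	return ecdsa.Verify(pk, digest[:], r, s)
}

// newP384Key generates a fresh P-384 key from the system CSPRNG.
func newP384Key() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
}
```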