paulmillr / noble-curves

Audited & minimal JS implementation of elliptic curve cryptography.
https://paulmillr.com/noble
MIT License

The specification does not require additional entropy length #55

Closed mahnunchik closed 12 months ago

mahnunchik commented 1 year ago

RFC6979 3.6: additional k' (optional). A use case may be a protocol that requires a non-deterministic signature algorithm on a system that does not have access to a high-quality random source. It suffices that the additional data k' is non-repeating (e.g., a signature counter or a monotonic clock) to ensure "random-looking" signatures are indistinguishable, in a cryptographic way, from plain (EC)DSA signatures. In [SP800-90A] terminology, k' is the "additional input" that can be set as a parameter when generating pseudorandom bits. This variant can be thought of as a "strengthening" of the randomness of the source of the additional data k'.

https://datatracker.ietf.org/doc/html/rfc6979#section-3.6

According to the specification there are no requirements for k' length.

Expected behaviour: extraEntropy is checked to be bytes.

Actual behaviour: it is checked to be 32 bytes long.

https://github.com/paulmillr/noble-curves/blob/62e806cfaf961f58161382351f4def4c0345fbd9/src/abstract/weierstrass.ts#L964-L968