RFC6979 3.6: additional k' (optional).
A use case may be a protocol that requires a non-deterministic signature algorithm on a system that does not have access to a high-quality random source. It suffices that the additional data k' is non-repeating (e.g., a signature counter or a monotonic clock) to ensure "random-looking" signatures are indistinguishable, in a cryptographic way, from plain (EC)DSA signatures. In [SP800-90A] terminology, k' is the "additional input" that can be set as a parameter when generating pseudorandom bits. This variant can be thought of as a "strengthening" of the randomness of the source of the additional data k'.
https://datatracker.ietf.org/doc/html/rfc6979#section-3.6
According to the specification there is no requirements for
k'
length.Expected behaviour:
extraEntropy
checked to be a bytes.Actual behaviour: it checked to be a 32 bytes length.
https://github.com/paulmillr/noble-curves/blob/62e806cfaf961f58161382351f4def4c0345fbd9/src/abstract/weierstrass.ts#L964-L968