
Below is the CECKey::Sign() code (v0.9.3).

// Member function of CECKey (Bitcoin Core v0.9.3); pkey is the EC_KEY* held by the object.
bool Sign(const uint256 &hash, std::vector<unsigned char>& vchSig) {
    vchSig.clear();
    // OpenSSL chooses the nonce k inside ECDSA_do_sign(); the caller gets no handle on it.
    ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey);
    if (sig == NULL)
        return false;
    BN_CTX *ctx = BN_CTX_new();
    BN_CTX_start(ctx);
    const EC_GROUP *group = EC_KEY_get0_group(pkey);
    BIGNUM *order = BN_CTX_get(ctx);
    BIGNUM *halforder = BN_CTX_get(ctx);
    EC_GROUP_get_order(group, order, ctx);
    BN_rshift1(halforder, order);
    if (BN_cmp(sig->s, halforder) > 0) {
        // enforce low S values, by negating the value (modulo the order) if above order/2.
        BN_sub(sig->s, order, sig->s);
    }
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    unsigned int nSize = ECDSA_size(pkey);
    vchSig.resize(nSize); // Make sure it is big enough
    unsigned char *pos = &vchSig[0];
    nSize = i2d_ECDSA_SIG(sig, &pos);
    ECDSA_SIG_free(sig);
    vchSig.resize(nSize); // Shrink to fit actual size
    return true;
}

How could I specify which nonce is used in the ECDSA_do_sign()? By nonce, I am referring to the k value described here: http://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm.

morsecoder
  • At a guess, just looking at the code you pasted, the magic is in ECDSA_do_sign(). I believe that 0.9.3 does its signing through OpenSSL, so you may have to do a bunch of digging. You may also want to look at the code in the master branch---I think it currently does deterministic nonce generation using Pieter Wuille's libsecp256k1. – David A. Harding Dec 08 '14 at 15:54
  • If you're going to use your own k, I urge you and others to use RFC6979. – Chuck Batson Dec 11 '14 at 23:46

1 Answer


ECDSA_do_sign() does not allow specifying the nonce. You can use ECDSA_do_sign_ex(), which needs extra arguments for (k*G).x and 1/k instead.

Bitcoin master recently switched to the libsecp256k1 library for signing, which always needs the nonce passed explicitly, and does not require precomputation of the x coordinate and inverse. See the code in Bitcoin Core for signing: https://github.com/bitcoin/bitcoin/blob/0a1d03ca5265293e6419b0ffb68d277da6b1d9a0/src/key.cpp#L75-L92

Disclaimer: I'm the author of libsecp256k1.

Edit: this answer is now outdated. libsecp256k1 now computes the nonce automatically using a nonce function. The default nonce function is RFC6979-based. It is no longer possible to specify the nonce directly, as this is dangerous practice.

Pieter Wuille
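Both the last comment and the answer's edit point to RFC 6979 as the safe way to obtain k: derive it deterministically from the private key and the message hash with HMAC-DRBG, so no RNG is involved and the same key never repeats a nonce across different messages. The Python below is an added illustration of that derivation, not code from the question, the answer, OpenSSL or libsecp256k1; `P256_ORDER` and the function names are my own, and P-256 is used because RFC 6979 publishes test vectors for it and not for secp256k1.

```python
import hashlib
import hmac

# NIST P-256 group order (assumed here only for the self-check; Bitcoin uses secp256k1).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _bits2int(data: bytes, qlen: int) -> int:
    """Leftmost qlen bits of data as an integer (RFC 6979, section 2.3.2)."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    return value >> (blen - qlen) if blen > qlen else value


def _bits2octets(data: bytes, q: int, qlen: int, rolen: int) -> bytes:
    """bits2int, reduced once modulo q, written on rolen bytes (RFC 6979, 2.3.4)."""
    z1 = _bits2int(data, qlen)
    return (z1 - q if z1 >= q else z1).to_bytes(rolen, "big")


def rfc6979_nonce(q: int, x: int, h1: bytes, hashfunc=hashlib.sha256) -> int:
    """Deterministic k for group order q, private key x, message hash h1 (RFC 6979, 3.2)."""
    qlen = q.bit_length()
    rolen = (qlen + 7) // 8
    hlen = hashfunc().digest_size
    # The private key and the message hash are the only entropy fed to the DRBG.
    seed = x.to_bytes(rolen, "big") + _bits2octets(h1, q, qlen, rolen)
    v = b"\x01" * hlen
    k = b"\x00" * hlen
    k = hmac.new(k, v + b"\x00" + seed, hashfunc).digest()
    v = hmac.new(k, v, hashfunc).digest()
    k = hmac.new(k, v + b"\x01" + seed, hashfunc).digest()
    v = hmac.new(k, v, hashfunc).digest()
    while True:
        t = b""
        while len(t) * 8 < qlen:  # generate at least qlen bits of output
            v = hmac.new(k, v, hashfunc).digest()
            t += v
        candidate = _bits2int(t, qlen)
        if 1 <= candidate < q:
            return candidate
        # Candidate out of [1, q-1]: advance the DRBG state and try again.
        k = hmac.new(k, v + b"\x00", hashfunc).digest()
        v = hmac.new(k, v, hashfunc).digest()


def nonce_for_message(q: int, x: int, message: bytes, hashfunc=hashlib.sha256) -> int:
    """Hash the message with hashfunc, then derive k from private key x and that hash."""
    return rfc6979_nonce(q, x, hashfunc(message).digest(), hashfunc)
```

The result can be checked against RFC 6979 appendix A.2.5 (P-256, SHA-256, message "sample").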