0

I recently started reading RFC 6979. I'm curious why it needs so many loops.

This post asks a similar question: "RFC 6979 - Why not simply hash the message & the private key for deterministic ECDSA?", but my doubts are still unanswered.

Why can't the $k$ used in ECDSA be just like $k = SHA256(sk + HASH(m))$ ?

Is it just because HMAC_DRBG has a better security proof?

Patriot
Steven Wu

1 Answer

2

The existing security proofs for DSA and ECDSA require k to be chosen uniformly at random. HMAC_DRBG is already an approved CSPRNG for use in either signature scheme. So this just changes the instantiation and entropy source, making it a minimal change for existing implementations to add. See section 3.5, "Rationale".

SAI Peregrinus
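As an added illustration (not code from the question, the answer, or the RFC itself), here is the RFC 6979 section 3.2 nonce derivation written out for P-256 with SHA-256, so the HMAC_DRBG instantiation and the retry loop are visible; the group order is the P-256 value from RFC 6979 appendix A.2.5.

```python
import hashlib
import hmac

# Order of the NIST P-256 group, as listed in RFC 6979 appendix A.2.5.
P256_Q = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)


def bits2int(b: bytes, qlen: int) -> int:
    """Big-endian integer from b, keeping only its leftmost qlen bits (RFC 6979 2.3.2)."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v


def int2octets(x: int, qlen: int) -> bytes:
    """Fixed-width big-endian encoding in ceil(qlen/8) bytes (RFC 6979 2.3.3)."""
    return x.to_bytes((qlen + 7) // 8, "big")


def bits2octets(b: bytes, q: int, qlen: int) -> bytes:
    """bits2int, reduce mod q, then int2octets (RFC 6979 2.3.4)."""
    return int2octets(bits2int(b, qlen) % q, qlen)


def rfc6979_nonce(x: int, msg: bytes, q: int = P256_Q, hashfn=hashlib.sha256):
    """Return (k, rounds): the deterministic nonce and the number of generate rounds used."""
    qlen = q.bit_length()
    hlen = hashfn().digest_size
    h1 = hashfn(msg).digest()                       # step a
    seed = int2octets(x, qlen) + bits2octets(h1, q, qlen)

    def prf(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfn).digest()

    V = b"\x01" * hlen                              # step b
    K = b"\x00" * hlen                              # step c
    K = prf(K, V + b"\x00" + seed)                  # step d: HMAC_DRBG instantiate
    V = prf(K, V)                                   # step e
    K = prf(K, V + b"\x01" + seed)                  # step f
    V = prf(K, V)                                   # step g

    rounds = 0
    while True:                                     # step h: generate until k is in [1, q-1]
        rounds += 1
        T = b""
        while len(T) * 8 < qlen:
            V = prf(K, V)
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            return k, rounds
        K = prf(K, V + b"\x00")                     # out of range: update and retry
        V = prf(K, V)
```

The outer loop almost never runs more than once for P-256, since the order is close to 2^256, but it is what keeps k uniform over [1, q-1] rather than merely a hash truncated into that range.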