To Be Or To Be (Deterministic). That Is The Question

OpenSSL now supports deterministic ECDSA signatures

Just imagine I had a wet signature, and every time I signed my name, it would give me a different version of it. This would be a non-deterministic signature, but someone could still tell it was me who had signed it. I suppose it’s a bit like using DocuSign, and where the output is not my signature, but DocuSign can tell that it was my email address and location that was used. Of course, my signature — if I could remember how I actually do my wet signature — should be deterministic and should always be a good match to my previous signatures.

But what about a digital signature? With this, Bob has a key pair: a private key and a public key. He then uses his private key to sign a hash of a message, and then Alice proves this signature with his public key:

So, should the signature (r,s) be ever-changing, or have the same output for the same private key and message? Well, with the ever-changing version, we use a random nonce value (k) to make sure it will always change the actual signature. But this brings in weaknesses, such as when we reuse the nonce value…