Does ICP support RFC6979 Sign?

I deployed a ecdsa signer canister on ICP, which call managment_cansiter’s sign_with_ecdsa

I found same input will result different signature, it looks like ICP does not support RFC6979?
If ICP does not support RFC6979, does ICP guarantee same random k must not be used with different input?

it looks like ICP does not support RFC6979

Indeed it does not support RFC6979. This essentially generates the presignature k by computing hmac of the secret signing key. Since the ICP operates in the threshold settings, the secret key is shared between the nodes of a subnet and it is never fully reconstructed, which makes it more complicated to compute this value in a secure way. Of course, one could do it using generic MPC protocols to compute HMAC on a secret-shared input, however this would be computationally very expensive and the resulting threshold signature scheme will be very inefficient.

does ICP guarantee same random k must not be used with different input?

Yes, the presignature k is generated using a distributed key generation protocol. If at least one protocol participant is honest, then the resulting k is distributed uniformly at random. Note that the presignature is typically computed ahead of time, before the signature is requested and thus before the message is known. Once the ICP receives a signature request, and thus the message is known the presignature is then re-randomized using a threshold Verifiable Random Function (based on BLS threshold signatures and hash functions). Thus under the usual security assumptions used by the ICP protocol, we have the guarantee that presignatures are uniformly random, so the probability of reusing them is negligible.

Here’s a couple of references if you want to know more about the protocol and its security:

2 Likes