Any plan for deterministic signatures?

Is there any plan for deterministic signatures in Ergo similar to RFC6979 for DSA? If I’m not mistaken, this can mitigate vulnerabilities in flawed implementations that reuse secrets.


If it isn’t already being used to generate nonces then it probably should be.

However this is something generally done at the cryptographic protocol level, meaning this would need to be an update to sigmastate interpreter.

For reference Bitcoin core has had this since version 0.10.0 and their cryptographic library lib-secp256k1 implements this as a standard for nonces.

The RFC describes the hash of the private-key and the message as a valid nonce.



I think this is interesting feature to be considered. Implementation would touch DLogInteractiveProver,firstMessage() and DiffieHellmanTupleInteractiveProver.firstMessage(), and also require for some refactoring to pass message to the methods.