Implement ECDSA nonce hardening to protect against bad PRNG.

[briansmith]

No description provided.

[briansmith]

This is a work in progress. It would be great to get some feedback on this. I actually don't like this nonce derivation scheme much, but we have a bit of analysis paralysis in coming up with a better one, so I'm going with this as an approximation of "Make it work like we'd more-or-less transliterated the BoringSSL code to Rust two years ago."

@ctz Could you check this out and see if it makes sense to you?

[ctz]

I'll write out what I see to check understanding. With:

• H: hash function associated with signature, with image size |h| and MD block size |H| in bits
• q: group size
• d: private scalar, |q|-length encoding in the usual way
• H(m): hash of message being signed
• $ⁿ: n random bits

Precompute:

• d_nrk = H($^|q| || d)

Per-signature:

• k = H(d_nrk || $^{|H| - |h|} || H(m))

If that's accurate it looks good to me.