2

The first part of the question: if I give the same inputs (content and signing address) to the web3.eth/personal.sign, am I correct to expect the signature generated to be the same no matter how many times I call it?

The second part of the question is, is it secure that I use the generated signature as a secret source for seed and derive things like private key from it?

Miao ZhiCheng
  • 232
  • 1
  • 13
  • 1
    Whether they're deterministic in practice is easy enough to just try, but I wouldn't rely on that behavior never changing. (There's no particular reason the signatures have to be deterministic, so whatever behavior you see now may change.) As for your second question, I'm not sure I follow what you're doing with the signatures. I've never seen a proof that the signature output meets any randomness criteria, nor is it designed to. – user19510 Jan 21 '19 at 23:24

1 Answers1

5

To the first part:

Ethereum uses the deterministic (and elliptic-curve) variant of DSA. So, unless you don't switch manually to the probabilistic variant, you'll get always the same signature.

To the second part:

This is a bad idea because:

  • if you use the probabilistic variant of (EC)DSA you'll need to feed it with some randomness that should be better used directly instead of extracting the randomness from the signature and reusing it afterwards to derive the keys.
  • reusing the randomness of a signature makes the signature itself useless because the keys that you've derived by using the signature's randomness will become easily derivable just when you publish that signature to someone else.

Update: There is a deterministic variant of DSA and ECDSA that is described under RFC6979. This means that DSA (and ECDSA) can implemented in both ways, deterministic and probabilistic. It was shown by Koblitz and Menezes that deterministic DSA has similar security guarantees as its probabilistic counterparts. The big advantage of that deterministic construction is that it gets along without the requirement of a good random number generator (RNG) and achieves therefore a higher "real-world security".

Community
  • 1
Robert Kiel
  • 106
  • 3
  • Thanks for the modified answer! Regarding the second part, I should stress that the use case requires the signature to be secret and never to be published. It can be seen as a workaround that web3 does not provide standard API for deterministic key generation scheme. – Miao ZhiCheng Jan 29 '19 at 14:28