Are you sure you're talking about k, which RFC6979 computes, or are you talking about z, i.e. the message digest? k is ensured mod reduced by the RFC6979 algorithm using rejection sampling, not reduction (which would introduce a bias that could potentially leak the private key). See RFC6979 § 3.2 step h.3. That much should be correct in all releases as far as I'm aware.
There are issues with the current stable releases of the ecdsa and rfc6979 crates which have been fixed in the latest prereleases. Notably z wasn't previously modulo-reduced, which was corrected here: RustCrypto/signatures#777
I would suggest trying the latest prerelease of k256: v0.14.0-pre.2, and seeing if the issue persists.
Currently k256 produces different signatures WHEN msg and privkey are bigger than curve order. This is not a big deal, but it's better to follow the RFC.
See this for more info: bitcoin-core/secp256k1#1064, https://github.com/paulmillr/noble-curves/blob/e0ad0530f64d7cc01514b65d819b7f76db5f0da4/src/abstract/weierstrass.ts#L1047-L1052
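To make the two points in this thread concrete (rejection sampling of k in RFC 6979 § 3.2 step h.3, and the reduction of the message digest z modulo the curve order in bits2octets), here is a small reference implementation of the RFC 6979 nonce derivation in Python. It is an added example and not code from the k256, ecdsa or rfc6979 crates; the curve orders are the standard P-256 and secp256k1 values, and the all-0xFF digest used to show the z-reduction difference is a constructed input.

```python
import hashlib
import hmac

# Curve orders (group order n / "q" in RFC 6979). P-256 is included only so the
# derivation can be checked against the RFC 6979 A.2.5 test vector.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def bits2int(b: bytes, q: int) -> int:
    """RFC 6979 § 2.3.2: keep the leftmost qlen bits of the input."""
    qlen = q.bit_length()
    blen = len(b) * 8
    v = int.from_bytes(b, "big")
    if blen > qlen:
        v >>= blen - qlen
    return v


def int2octets(x: int, q: int) -> bytes:
    """RFC 6979 § 2.3.3: fixed-width big-endian encoding (rolen = ceil(qlen/8))."""
    rolen = (q.bit_length() + 7) // 8
    return x.to_bytes(rolen, "big")


def bits2octets(b: bytes, q: int) -> bytes:
    """RFC 6979 § 2.3.4: bits2int, then reduce mod q, then int2octets.

    This is the step the ecdsa/rfc6979 prereleases fixed: the digest z must be
    reduced mod q before it is fed into the HMAC-DRBG seed."""
    return int2octets(bits2int(b, q) % q, q)


def rfc6979_k(priv: int, h1: bytes, q: int, hashfunc=hashlib.sha256, reduce_z: bool = True) -> int:
    """Derive the deterministic nonce k per RFC 6979 § 3.2.

    reduce_z=False reproduces the older (non-conforming) behaviour of feeding the
    unreduced digest into the seed; it exists only to show the difference."""
    hlen = hashfunc().digest_size
    V = b"\x01" * hlen                      # step b
    K = b"\x00" * hlen                      # step c
    x_octets = int2octets(priv, q)
    z_octets = bits2octets(h1, q) if reduce_z else int2octets(bits2int(h1, q), q)
    K = hmac.new(K, V + b"\x00" + x_octets + z_octets, hashfunc).digest()  # step d
    V = hmac.new(K, V, hashfunc).digest()                                   # step e
    K = hmac.new(K, V + b"\x01" + x_octets + z_octets, hashfunc).digest()  # step f
    V = hmac.new(K, V, hashfunc).digest()                                   # step g
    qlen_bits = q.bit_length()
    while True:                              # step h
        T = b""
        while len(T) * 8 < qlen_bits:        # h.2: collect at least qlen bits
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = bits2int(T, q)                   # h.3: candidate nonce
        if 1 <= k < q:
            return k                         # accepted: no modular reduction of k
        # rejected candidate: re-key and try again (rejection sampling, not k mod q)
        K = hmac.new(K, V + b"\x00", hashfunc).digest()
        V = hmac.new(K, V, hashfunc).digest()


def rfc6979_test_vector_k() -> int:
    """RFC 6979 A.2.5 (P-256, SHA-256, message "sample"): returns the derived k."""
    x = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
    return rfc6979_k(x, hashlib.sha256(b"sample").digest(), P256_N)


def z_reduction_difference(priv: int = 1) -> tuple[int, int]:
    """Constructed case: a 256-bit digest numerically larger than secp256k1's n.

    Returns (k with z reduced mod n, k with z unreduced). They differ, which is
    exactly the signature mismatch reported for digests above the curve order."""
    big_digest = b"\xff" * 32              # constructed input, > SECP256K1_N
    return (
        rfc6979_k(priv, big_digest, SECP256K1_N, reduce_z=True),
        rfc6979_k(priv, big_digest, SECP256K1_N, reduce_z=False),
    )


if __name__ == "__main__":
    print(f"RFC 6979 A.2.5 k = {rfc6979_test_vector_k():064X}")
    k_reduced, k_unreduced = z_reduction_difference()
    print(f"secp256k1, z reduced:   {k_reduced:064X}")
    print(f"secp256k1, z unreduced: {k_unreduced:064X}")
```

Note that k itself is never reduced mod q: a candidate outside [1, q-1] is discarded and the generator is re-keyed (the "rejection sampling" the first comment refers to), while z is reduced once, inside bits2octets, before the seed is built. Only the second of these affects signatures for digests above the curve order, so an implementation that gets k right but feeds an unreduced z will still disagree with other conforming signers on such inputs.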