Crate rfc6979

source ·
Expand description

RustCrypto: RFC6979 Deterministic Signatures

crate Docs Build Status Apache2/MIT licensed MSRV Project Chat

Pure Rust implementation of RFC6979: Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA).

Algorithm described in RFC 6979 § 3.2:


Minimum Supported Rust Version

This crate requires Rust 1.57 at a minimum.

We may change the MSRV in the future, but it will be accompanied by a minor version bump.


All crates licensed under either of

at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.


See also: the documentation for the generate_k function.

use crypto_bigint::{ArrayEncoding, U256};
use sha2::{Digest, Sha256};

// NIST P-256 field modulus
const NIST_P256_MODULUS: U256 =

// Public key for RFC6979 NIST P256/SHA256 test case
const RFC6979_KEY: U256 =

// Test message for RFC6979 NIST P256/SHA256 test case
const RFC6979_MSG: &[u8; 6] = b"sample";

// Expected K for RFC6979 NIST P256/SHA256 test case
const RFC6979_EXPECTED_K: U256 =

let h = Sha256::digest(RFC6979_MSG);
let aad = b"";
let k = rfc6979::generate_k::<Sha256, U256>(&RFC6979_KEY, &NIST_P256_MODULUS, &h, aad);
assert_eq!(&k.to_be_byte_array(), &RFC6979_EXPECTED_K.to_be_byte_array());


  • Internal implementation of HMAC_DRBG as described in NIST SP800-90A.


  • Deterministically generate ephemeral scalar k.