Description
Client implementations SHOULD implement our deterministic length signature algorithm and why it works.
TLDR:
ECDSA signatures can be one of three lengths. The thing that changes the length is whether the Y value is negative, positive, or zero. It is relatively unlikely that the value will be zero. Because all curves are symmetric on the Y axis, the signature is still valid if we negate the Y value.
We have defined the expected length for each signature algorithm (P256: 71, P384: 103) as the length with one of the non-zero Y values (tbh I forget which).
We do not alter the signature algorithm at all. Instead, we calculate a signature using the pre-hashed value representing the message. If the length is not what we want, we unpack the signature, negate the Y value, and re-pack the signature. If the length is still not what we want, we just calculate a new signature and try again.
In practice, this usually only requires us to calculate the signature once.
ex: