Does Google Cloud Platform KMS support RFC6979 signature generation using secp256k1


We want to use GCP KMS to manage our Ethereum server keys. To do this, we need to be able to support the ability to sign messages the same way ethers.js (v5) wallet.signMessage(...) does. It is my understanding that it uses RFC6979 to produce the same signature for the same input message. (i.e. k is computed from the message and the private key.)

Does anyone know if GCP KMS secp256k1 keys support this? And if so, how do we use this feature?

Searching the GCP docs and google turned up nothing.


Answer by bdhess (accepted, score 2):

Presently, Cloud KMS doesn't support deterministic signatures (RFC 6979).

However, AFAIK, the Ethereum network doesn't require deterministic signatures, and the non-deterministic signatures produced by Cloud KMS ought to be fine.

It would be interesting to know if you tried to use a Cloud KMS signature with the Ethereum network and got stuck somewhere.

Answer by xinbenlv (score 1):

We encountered this issue when trying to use Google Cloud KMS and realized the KMS-generated signature is not deterministic, and ethers-v5.7.2 is using noble-secp256k1, which uses RFC 6979 to make it deterministic.

Even though the RFC-6979 is not required in Ethereum for a signature to be considered valid, if the padding parameter K is generated in a way that's insecure or could be leaked, it's going to be able to leak the private key of the signer. That means any wallet / key signing mechanism not implementing something like RFC 6979 is exposing additional attack surface.

FYI https://github.com/paulmillr/noble-secp256k1/blob/b032053763c0d4ba107c18fee28344f64242b075/index.ts#L318

Answer by JonathanOkz (score 0):

This repository could provide a good solution: https://github.com/JonathanOkz/web3-kms-signer

import { Signer } from "@web3-kms-signer/core";
import { KMSWallets } from "@web3-kms-signer/kms-wallets";
import { KMSProviderGCP } from "@web3-kms-signer/kms-provider-gcp";

// Service-account credentials for the GCP client
const gcpConfig = {
    keyFilename: 'path/to/your/gcp/keyfile.json'
};
const provider = new KMSProviderGCP(gcpConfig);
// Project, location and key ring that hold the secp256k1 signing keys
provider.setPath({
    projectId: 'your-gcp-project-id',
    locationId: 'your-gcp-location-id',
    keyRingId: 'key-ring-id'
});

const signer = new Signer(new KMSWallets(provider));
// Top-level await: run in an ES module or wrap in an async function
const signedMessage = await signer.signMessage({ keyId: 'keyId' }, "my message");