
crypto: support deterministic ECDSA/DSA signatures#62252

Draft
panva wants to merge 1 commit into nodejs:main from panva:dsa-deterministic

Conversation

@panva
Member

@panva panva commented Mar 14, 2026

Add dsaNonceType option to sign/verify node:crypto APIs. When set to 'deterministic', uses deterministic digital signature generation procedure per RFC 6979.

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Mar 14, 2026
@panva
Member Author

panva commented Mar 14, 2026

Leaving this at draft PR unless there's user interest.

@ChALkeR
Member

ChALkeR commented Mar 14, 2026

cc @paulmillr you might be interested / have an opinion on this

@paulmillr

  • Random nonces are absolute garbage. Break the CSPRNG and you're leaking private keys through signatures.
  • Deterministic nonces are better as default, but suboptimal in some (albeit rare) situations
  • Deterministic + random combination is ideal

See RFC 6979 section 3.6 and https://paulmillr.com/posts/deterministic-signatures/.

The suggestion is to switch to deterministic by default + add an ability to pass either specific randomness Buffer, or make node auto-generate random buffer:

  1. (default) sign() - always deterministic
  2. (option) sign(randomness: Buffer) - specific buffer of randomness; but still deterministic
  3. (option) sign(randomness: true) - auto-produce randomness; but still deterministic

@ChALkeR
Member

ChALkeR commented Mar 14, 2026

@panva

  1. Does random here imply csprng -> nonce or (csprng, input) -> deterministic RFC 6979 -> nonce?
  2. It should be noted that any bug or change in the deterministic algo would mean an immediate leak of private keys

@panva
Member Author

panva commented Mar 14, 2026

https://docs.openssl.org/master/man7/provider-signature/#signature-parameters > OSSL_SIGNATURE_PARAM_NONCE_TYPE

That's what this is, exposed as an opt-in option, not a new default.

IIUC there are no other options available to us.

@panva panva added crypto Issues and PRs related to the crypto subsystem. semver-minor PRs that contain new features and should be released in the next minor version. labels Mar 14, 2026
@ChALkeR
Member

ChALkeR commented Mar 14, 2026

The question is about how "random nonces" work, not about how the deterministic one works.
There is a fundamental difference between just using CSPRNG output as a nonce and using it as a mixin to the RFC 6979 algo to get a nonce.
Ok, I'll check OpenSSL.

Upd:
The OpenSSL doc states:

The default value for "nonce-type" is 0 and results in a random value being used for the nonce k as defined in FIPS 186-4 Section 6.3 "Secret Number Generation".

This is... bad.
Not the fault of this PR, the current state of things is bad.

@panva
Member Author

panva commented Mar 14, 2026

0 / random = current behaviour, csprng -> k, not changed by this PR
1 / deterministic = this PR opt-in, RFC 6979, possible future semver major default (problematic to roll out because of OpenSSL version not being a given)

noisy / hedged is not an option in OpenSSL, draft-irtf-cfrg-det-sigs-with-noise would need to be finished and published as RFC first for OpenSSL to consider it.
