Why not simply using RFC 6979?
RFC 6979 is not used by anyone and is unnecessary complex.
It's preferrable to reuse existing hash functions like double-SHA256 or HMAC-SHA512 since they are heavily used in Bitcoin infrastructure already.
This BIP also specifies canonical ECDSA signature and CompactSignature algorithm. Those are out of scope of RFC 6979.
I don't feel these are particularly good reasons to not use an existing standard.
RFC6979 is already incorporated into multiple libraries (bitcoinj, NBitcoin, bitcoinjs-lib, python-ecdsa, etc). In the case of bitcoinjs-lib they claim it is used by blockchain.info so potentially the largest web wallet in the world has the ability to use deterministic signatures right now (if they aren't already). I haven't verified this claim maybe someone from blockchain.info can verify if they are using bitcoinjs.
As gmaxwell pointed out RFC6979 can be used with HMAC-SHA512. All existing implementations use HMAC-SHA256 but that isn't a requirement rather a choice.
The "full" RFC6979 is rather complex as it is a universal solution which handles lots of edge cases which don't apply to Bitcoin signatures. From bitcoinjs the "route" taken by Bitcoin signatures makes implementing a Bitcoin only subset pretty straight forward.
//
https://tools.ietf.org/html/rfc6979#section-3.2function deterministicGenerateK(curve, hash, d) {
var x = d.toBuffer(32)
var k = new Buffer(32)
var v = new Buffer(32)
v.fill(1)
k.fill(0)
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k)
v = crypto.HmacSHA256(v, k)
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k)
v = crypto.HmacSHA256(v, k)
v = crypto.HmacSHA256(v, k)
var T = BigInteger.fromBuffer(v)
//will only occur less than 1 in
while ((T.signum() <= 0) || (T.compareTo(curve.n) >= 0)) {
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0])]), k)
v = crypto.HmacSHA256(v, k)
T = BigInteger.fromBuffer(v)
}
return T
}
https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/ecdsa.js