Do we need to use the CSPRNG for SM2 DSA like ECDSA?

[emmansun]

// SignASN1 signs a hash (which should be the result of hashing a larger message)
// using the private key, priv. If the hash is longer than the bit-length of the
// private key's curve order, the hash will be truncated to that length. It
// returns the ASN.1 encoded signature.
//
// The signature is randomized. Most applications should use [crypto/rand.Reader]
// as rand. Note that the returned signature does not depend deterministically on
// the bytes read from rand, and may change between calls and/or between versions.
//
// If the opts argument is instance of [*SM2SignerOption], and its ForceGMSign is true,
// then the hash will be treated as raw message.
func SignASN1(rand io.Reader, priv *PrivateKey, hash []byte, opts crypto.SignerOpts) ([]byte, error) {
	if sm2Opts, ok := opts.(*SM2SignerOption); ok && sm2Opts.forceGMSign {
		newHash, err := calculateSM2Hash(&priv.PublicKey, hash, sm2Opts.uid)
		if err != nil {
			return nil, err
		}
		hash = newHash
	}

	randutil.MaybeReadByte(rand)

	//TODO: Do we need to use this CSPRNG for SM2 DSA?
	//There are no standard and dependencies with sha512 and AES-CTR
	csprng, err := mixedCSPRNG(rand, &priv.PrivateKey, hash)
	if err != nil {
		return nil, err
	}

	switch priv.Curve.Params() {
	case P256().Params():
		return signSM2EC(p256(), priv, csprng, hash)
	default:
		return signLegacy(priv, csprng, hash)
	}
}

由于：

1. 当前的CSPRNG源于Golang SDK，其实现依赖于SHA512和AES-CTR；
2. SM2 DSA中，随机数r (nonce)，已经和待签名消息hash做过加法：r=f(Rx, e)，这里Rx是熵源产生的随机数对应的点的x坐标，所以两个不同的消息做签名时，不会产生相同的随机数r；
3. SM2 DSA中，签名s和随机数r(nonce)，签名私钥以及熵源产生的随机数都有关系：s=f(d, r, k)，这里k是熵源产生的随机数，所以两个不同的消息做签名时，也不会产生相同的签名s（因为r不同）；

基于上述结论，准备在下个release（应该是v0.18.1）取消目前的CSPRNG。