A.2.10. ECDSA, 283 Bits (Binary Field, Koblitz Curve)
Key pair: curve: NIST K-283 q = 1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061 E163C61 (qlen = 281 bits) private key: x = 06A0777356E87B89BA1ED3A3D845357BE332173C8F7A65BDC7DB4FAB3C4CC79A CC8194E public key: U = xG Ux = 25330D0A651D5A20DC6389BC02345117725640AEC3C126612CE444EDD19649BD ECC03D6 Uy = 505BD60A4B67182474EC4D1C668A73140F70504A68F39EFCD972487E9530E050 8A76193 Signatures: With SHA-1, message = "sample": k = 0A96F788DECAF6C9DBE24DC75ABA6EAAE85E7AB003C8D4F83CB1540625B2993B F445692 r = 1B66D1E33FBDB6E107A69B610995C93C744CEBAEAF623CB42737C27D60188BD1 D045A68 s = 02E45B62C9C258643532FD536594B46C63B063946494F95DAFF8759FD5525023 24295C5 With SHA-224, message = "sample": k = 1B4C4E3B2F6B08B5991BD2BDDE277A7016DA527AD0AAE5BC61B64C5A0EE63E8B 502EF61 r = 018CF2F371BE86BB62E02B27CDE56DDAC83CCFBB3141FC59AEE022B66AC1A60D BBD8B76 s = 1854E02A381295EA7F184CEE71AB7222D6974522D3B99B309B1A8025EB84118A 28BF20E With SHA-256, message = "sample": k = 1CEB9E8E0DFF53CE687DEB81339ACA3C98E7A657D5A9499EF779F887A934408E CBE5A38 r = 19E90AA3DE5FB20AED22879F92C6FED278D9C9B9293CC5E94922CD952C9DBF20 DF1753A s = 135AA7443B6A25D11BB64AC482E04D47902D017752882BD72527114F46CF8BB5 6C5A8C3
With SHA-384, message = "sample": k = 1460A5C41745A5763A9D548AE62F2C3630BBED71B6AA549D7F829C22442A728C 5D965DA r = 0F8C1CA9C221AD9907A136F787D33BA56B0495A40E86E671C940FD767EDD75EB 6001A49 s = 1071A56915DEE89E22E511975AA09D00CDC4AA7F5054CBE83F5977EE6F8E1CC3 1EC43FD With SHA-512, message = "sample": k = 00F3B59FCB5C1A01A1A2A0019E98C244DFF61502D6E6B9C4E957EDDCEB258EF4 DBEF04A r = 1D0008CF4BA4A701BEF70771934C2A4A87386155A2354140E2ED52E18553C35B 47D9E50 s = 0D15F4FA1B7A4D41D9843578E22EF98773179103DC4FF0DD1F74A6B5642841B9 1056F78 With SHA-1, message = "test": k = 168B5F8C0881D4026C08AC5894A2239D219FA9F4DA0600ADAA56D5A1781AF81F 08A726E r = 140932FA7307666A8CCB1E1A09656CC40F5932965841ABD5E8E43559D93CF231 1B02767 s = 16A2FD46DA497E5E739DED67F426308C45C2E16528BF2A17EB5D65964FD88B77 0FBB9C6 With SHA-224, message = "test": k = 045E13EA645CE01D9B25EA38C8A8A170E04C83BB7F231EE3152209FE10EC8B2E 565536C r = 0E72AF7E39CD72EF21E61964D87C838F977485FA6A7E999000AFA97A381B2445 FCEE541 s = 1644FF7D848DA1A040F77515082C27C763B1B4BF332BCF5D08251C6B57D80631 9778208 With SHA-256, message = "test": k = 0B585A7A68F51089691D6EDE2B43FC4451F66C10E65F134B963D4CBD4EB844B0 E1469A6 r = 158FAEB2470B306C57764AFC8528174589008449E11DB8B36994B607A65956A5 9715531 s = 0521BC667CA1CA42B5649E78A3D76823C678B7BB3CD58D2E93CD791D53043A6F 83F1FD1 With SHA-384, message = "test": k = 1E88738E14482A09EE16A73D490A7FE8739DF500039538D5C4B6C8D6D7F208D6 CA56760 r = 1CC4DC5479E0F34C4339631A45AA690580060BF0EB518184C983E0E618C3B93A AB14BBE s = 0284D72FF8AFA83DE364502CBA0494BB06D40AE08F9D9746E747EA87240E589B A0683B7
With SHA-512, message = "test": k = 00E5F24A223BD459653F682763C3BB322D4EE75DD89C63D4DC61518D543E7658 5076BBA r = 1E7912517C6899732E09756B1660F6B96635D638283DF9A8A11D30E008895D7F 5C9C7F3 s = 0887E75CBD0B7DD9DE30ED79BDB3D78E4F1121C5EAFF5946918F594F88D36364 4789DA7
A.2.11. ECDSA, 409 Bits (Binary Field, Koblitz Curve)
Key pair: curve: NIST K-409 q = 7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F83B2D4EA20 400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF (qlen = 407 bits) private key: x = 29C16768F01D1B8A89FDA85E2EFD73A09558B92A178A2931F359E4D70AD853E5 69CDAF16DAA569758FB4E73089E4525D8BBFCF public key: U = xG Ux = 0CF923F523FE34A6E863D8BA45FB1FE6D784C8F219C414EEF4DB8362DBBD3CA7 1AEB28F568668D5D7A0093E2B84F6FAD759DB42 Uy = 13B1C374D5132978A1B1123EBBE9A5C54D1A9D56B09AFDB4ADE93CCD7C4D332E 2916F7D4B9D18578EE3C2E2DE4D2ECE0DE63549 Signatures: With SHA-1, message = "sample": k = 7866E5247F9A3556F983C86E81EDA696AC8489DB40A2862F278603982D304F08 B2B6E1E7848534BEAF1330D37A1CF84C7994C1 r = 7192EE99EC7AFE23E02CB1F9850D1ECE620475EDA6B65D04984029408EC1E5A6 476BC940D81F218FC31D979814CAC6E78340FA s = 1DE75DE97CBE740FC79A6B5B22BC2B7832C687E6960F0B8173D5D8BE2A75AC6C A43438BAF69C669CE6D64E0FB93BC5854E0F81 With SHA-224, message = "sample": k = 512340DB682C7B8EBE407BF1AA54194DFE85D49025FE0F632C9B8A06A996F2FC D0D73C752FB09D23DB8FBE50605DC25DF0745C r = 41C8EDF39D5E4E76A04D24E6BFD4B2EC35F99CD2483478FD8B0A03E99379576E DACC4167590B7D9C387857A5130B1220CB771F s = 659652EEAC9747BCAD58034B25362B6AA61836E1BA50E2F37630813050D43457 E62EAB0F13AE197E6CFE0244F983107555E269 With SHA-256, message = "sample": k = 782385F18BAF5A36A588637A76DFAB05739A14163BF723A4417B74BD1469D37A C9E8CCE6AEC8FF63F37B815AAF14A876EED962 r = 49EC220D6D24980693E6D33B191532EAB4C5D924E97E305E2C1CCFE6F1EAEF96 C17F6EC27D1E06191023615368628A7E0BD6A9 s = 1A4AB1DD9BAAA21F77C503E1B39E770FFD44718349D54BA4CF08F688CE89D7D7 C5F7213F225944BE5F7C9BA42B8BEE382F8AF9
With SHA-384, message = "sample": k = 4DA637CB2E5C90E486744E45A73935DD698D4597E736DA332A06EDA8B26D5ABC 6153EC2ECE14981CF3E5E023F36FFA55EEA6D7 r = 562BB99EE027644EC04E493C5E81B41F261F6BD18FB2FAE3AFEAD91FAB8DD44A FA910B13B9C79C87555225219E44E72245BB7C s = 25BA5F28047DDDBDA7ED7E49DA31B62B20FD9C7E5B8988817BBF738B3F4DFDD2 DCD06EE6DF2A1B744C850DAF952C12B9A56774 With SHA-512, message = "sample": k = 57055B293ECFDFE983CEF716166091E573275C53906A39EADC25C89C5EC8D7A7 E5629FCFDFAD514E1348161C9A34EA1C42D58C r = 16C7E7FB33B5577F7CF6F77762F0F2D531C6E7A3528BD2CF582498C1A48F2007 89E9DF7B754029DA0D7E3CE96A2DC760932606 s = 2729617EFBF80DA5D2F201AC7910D3404A992C39921C2F65F8CF4601392DFE93 3E6457EAFDBD13DFE160D243100378B55C290A With SHA-1, message = "test": k = 545453D8DC05D220F9A12EF322D0B855E664C72835FABE8A41211453EB8A7CFF 950D80773839D0043A46852DDA5A536E02291F r = 565648A5BAD24E747A7D7531FA9DBDFCB184ECFEFDB00A319459242B68D0989E 52BED4107AED35C27D8ECA10E876ACA48006C9 s = 7420BA6FF72ECC5C92B7CA0309258B5879F26393DB22753B9EC5DF905500A042 28AC08880C485E2AC8834E13E8FA44FA57BF18 With SHA-224, message = "test": k = 3C5352929D4EBE3CCE87A2DCE380F0D2B33C901E61ABC530DAF3506544AB0930 AB9BFD553E51FCDA44F06CD2F49E17E07DB519 r = 251DFE54EAEC8A781ADF8A623F7F36B4ABFC7EE0AE78C8406E93B5C3932A8120 AB8DFC49D8E243C7C30CB5B1E021BADBDF9CA4 s = 77854C2E72EAA6924CC0B5F6751379D132569843B1C7885978DBBAA6678967F6 43A50DBB06E6EA6102FFAB7766A57C3887BD22 With SHA-256, message = "test": k = 251E32DEE10ED5EA4AD7370DF3EFF091E467D5531CA59DE3AA791763715E1169 AB5E18C2A11CD473B0044FB45308E8542F2EB0 r = 58075FF7E8D36844EED0FC3F78B7CFFDEEF6ADE5982D5636552A081923E24841 C9E37DF2C8C4BF2F2F7A174927F3B7E6A0BEB2 s = 0A737469D013A31B91E781CE201100FDE1FA488ABF2252C025C678462D715AD3 078C9D049E06555CABDF37878CFB909553FF51 With SHA-384, message = "test": k = 11C540EA46C5038FE28BB66E2E9E9A04C9FE9567ADF33D56745953D44C1DC8B5 B92922F53A174E431C0ED8267D919329F19014 r = 1C5C88642EA216682244E46E24B7CE9AAEF9B3F97E585577D158C3CBC3C59825 
0A53F6D46DFB1E2DD9DC302E7DA4F0CAAFF291 s = 1D3FD721C35872C74514359F88AD983E170E5DE5B31AFC0BE12E9F4AB2B2538C 7797686BA955C1D042FD1F8CDC482775579F11
With SHA-512, message = "test": k = 59527CE953BC09DF5E85155CAE7BB1D7F342265F41635545B06044F844ECB4FA 6476E7D47420ADC8041E75460EC0A4EC760E95 r = 1A32CD7764149DF79349DBF79451F4585BB490BD63A200700D7111B45DDA4140 00AE1B0A69AEACBA1364DD7719968AAD123F93 s = 582AB1076CAFAE23A76244B82341AEFC4C6D8D8060A62A352C33187720C8A37F 3DAC227E62758B11DF1562FD249941C1679F82
A.2.12. ECDSA, 571 Bits (Binary Field, Koblitz Curve)
Key pair: curve: NIST K-571 q = 2000000000000000000000000000000000000000000000000000000000000000 0000000131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45 CFE778F637C1001 (qlen = 570 bits) private key: x = 0C16F58550D824ED7B95569D4445375D3A490BC7E0194C41A39DEB732C29396C DF1D66DE02DD1460A816606F3BEC0F32202C7BD18A32D87506466AA92032F131 4ED7B19762B0D22 public key: U = xG Ux = 6CFB0DF7541CDD4C41EF319EA88E849EFC8605D97779148082EC991C463ED323 19596F9FDF4779C17CAF20EFD9BEB57E9F4ED55BFC52A2FA15CA23BC62B7BF01 9DB59793DD77318 Uy = 1CFC91102F7759A561BD8D5B51AAAEEC7F40E659D67870361990D6DE29F6B4F7 E18AE13BDE5EA5C1F77B23D676F44050C9DBFCCDD7B3756328DDA059779AAE84 46FC5158A75C227 Signatures: With SHA-1, message = "sample": k = 17F7E360B21BEAE4A757A19ACA77FB404D273F05719A86EAD9D7B3F4D5ED7B46 30584BB153CF7DCD5A87CCA101BD7EA9ECA0CE5EE27CA985833560000BB52B6B BE068740A45B267 r = 0767913F96C82E38B7146A505938B79EC07E9AA3214377651BE968B52C039D3E 4837B4A2DE26C481C4E1DE96F4D9DE63845D9B32E26D0D332725678E3CE57F66 8A5E3108FB6CEA5 s = 109F89F55FA39FF465E40EBCF869A9B1DB425AEA53AB4ECBCE3C310572F79315 F5D4891461372A0C36E63871BEDDBB3BA2042C6410B67311F1A185589FF4C987 DBA02F9D992B9DF
With SHA-224, message = "sample": k = 0B599D068A1A00498EE0B9AD6F388521F594BD3F234E47F7A1DB6490D7B57D60 B0101B36F39CC22885F78641C69411279706F0989E6991E5D5B53619E43EFB39 7E25E0814EF02BC r = 010774B9F14DE6C9525131AD61531FA30987170D43782E9FB84FF0D70F093946 DF75ECB69D400FE39B12D58C67C19DCE96335CEC1D9AADE004FE5B498AB8A940 D46C8444348686A s = 06DFE9AA5FEA6CF2CEDC06EE1F9FD9853D411F0B958F1C9C519C90A85F6D24C1 C3435B3CDF4E207B4A67467C87B7543F6C0948DD382D24D1E48B3763EC27D4D3 2A0151C240CC5E0 With SHA-256, message = "sample": k = 0F79D53E63D89FB87F4D9E6DC5949F5D9388BCFE9EBCB4C2F7CE497814CF40E8 45705F8F18DBF0F860DE0B1CC4A433EF74A5741F3202E958C082E0B76E16ECD5 866AA0F5F3DF300 r = 1604BE98D1A27CEC2D3FA4BD07B42799E07743071E4905D7DCE7F6992B21A27F 14F55D0FE5A7810DF65CF07F2F2554658817E5A88D952282EA1B8310514C0B40 FFF46F159965168 s = 18249377C654B8588475510F7B797081F68C2F8CCCE49F730353B2DA3364B1CD 3E984813E11BB791824038EA367BA74583AB97A69AF2D77FA691AA694E348E15 DA76F5A44EC1F40 With SHA-384, message = "sample": k = 0308253C022D25F8A9EBCD24459DD6596590BDEC7895618EEE8A2623A98D2A2B 2E7594EE6B7AD3A39D70D68CB4ED01CB28E2129F8E2CC0CC8DC7780657E28BCD 655F0BE9B7D35A2 r = 1E6D7FB237040EA1904CCBF0984B81B866DE10D8AA93B06364C4A46F6C9573FA 288C8BDDCC0C6B984E6AA75B42E7BF82FF34D51DFFBD7C87FDBFAD971656185B D12E4B8372F4BF1 s = 04F94550072ADA7E8C82B7E83577DD39959577799CDABCEA60E267F36F1BEB98 1ABF24E722A7F031582D2CC5D80DAA7C0DEEBBE1AC5E729A6DBB34A5D645B698 719FCA409FBA370 With SHA-512, message = "sample": k = 0C5EE7070AF55F84EBC43A0D481458CEDE1DCEBB57720A3C92F59B4941A044FE CFF4F703940F3121773595E880333772ACF822F2449E17C64DA286BCD65711DD 5DA44D7155BF004 r = 086C9E048EADD7D3D2908501086F3AF449A01AF6BEB2026DC381B39530BCDDBE 8E854251CBD5C31E6976553813C11213E4761CB8CA2E5352240AD9FB9C635D55 FAB13AE42E4EE4F s = 09FEE0A68F322B380217FCF6ABFF15D78C432BD8DD82E18B6BA877C01C860E24 410F5150A44F979920147826219766ECB4E2E11A151B6A15BB8E2E825AC95BCC A228D8A1C9D3568
With SHA-1, message = "test": k = 1D056563469E933E4BE064585D84602D430983BFBFD6885A94BA484DF9A7AB03 1AD6AC090A433D8EEDC0A7643EA2A9BC3B6299E8ABA933B4C1F2652BB49DAEE8 33155C8F1319908 r = 1D055F499A3F7E3FC73D6E7D517B470879BDCB14ABC938369F23643C7B96D024 2C1FF326FDAF1CCC8593612ACE982209658E73C24C9EC493B785608669DA74A5 B7C9A1D8EA843BC s = 1621376C53CFE3390A0520D2C657B1FF0EBB10E4B9C2510EDC39D04FEBAF12B8 502B098A8B8F842EA6E8EB9D55CFEF94B7FF6D145AC3FFCE71BD978FEA3EF819 4D4AB5293A8F3EA With SHA-224, message = "test": k = 1DA875065B9D94DBE75C61848D69578BCC267935792624F9887B53C9AF9E43CA BFC42E4C3F9A456BA89E717D24F1412F33CFD297A7A4D403B18B5438654C74D5 92D5022125E0C6B r = 18709BDE4E9B73D046CE0D48842C97063DA54DCCA28DCB087168FA37DA2BF5FD BE4720EE48D49EDE4DD5BD31AC0149DB8297BD410F9BC02A11EB79B60C8EE63A F51B65267D71881 s = 12D8B9E98FBF1D264D78669E236319D8FFD8426C56AFB10C76471EE88D7F0AB1 B158E685B6D93C850D47FB1D02E4B24527473DB60B8D1AEF26CEEBD3467B65A7 0FFDDC0DBB64D5F With SHA-256, message = "test": k = 04DDD0707E81BB56EA2D1D45D7FAFDBDD56912CAE224086802FEA1018DB306C4 FB8D93338DBF6841CE6C6AB1506E9A848D2C0463E0889268843DEE4ACB552CFF CB858784ED116B2 r = 1F5BF6B044048E0E310309FFDAC825290A69634A0D3592DBEE7BE71F69E45412 F766AC92E174CC99AABAA5C9C89FCB187DFDBCC7A26765DB6D9F1EEC8A6127BB DFA5801E44E3BEC s = 1B44CBFB233BFA2A98D5E8B2F0B2C27F9494BEAA77FEB59CDE3E7AE9CB2E385B E8DA7B80D7944AA71E0654E5067E9A70E88E68833054EED49F28283F02B22912 3995AF37A6089F0 With SHA-384, message = "test": k = 0141B53DC6E569D8C0C0718A58A5714204502FDA146E7E2133E56D19E905B794 13457437095DE13CF68B5CF5C54A1F2E198A55D974FC3E507AFC0ACF95ED391C 93CC79E3B3FE37C r = 11F61A6EFAB6D83053D9C52665B3542FF3F63BD5913E527BDBA07FBAF34BC766 C2EC83163C5273243AA834C75FDDD1BC8A2BEAD388CD06C4EBA1962D645EEB35 E92D44E8F2E081D s = 16BF6341876F051DF224770CC8BA0E4D48B3332568A2B014BC80827BAA89DE18 D1AEBC73E3BE8F85A8008C682AAC7D5F0E9FB5ECBEFBB637E30E4A0F226D2C2A A3E569BB54AB72B
With SHA-512, message = "test": k = 14842F97F263587A164B215DD0F912C588A88DC4AB6AF4C530ADC1226F16E086 D62C14435E6BFAB56F019886C88922D2321914EE41A8F746AAA2B964822E4AC6 F40EE2492B66824 r = 0F1E50353A39EA64CDF23081D6BB4B2A91DD73E99D3DD5A1AA1C49B4F6E34A66 5EAD24FD530B9103D522609A395AF3EF174C85206F67EF84835ED1632E0F6BAB 718EA90DF9E2DA0 s = 0B385004D7596625028E3FDE72282DE4EDC5B4CE33C1127F21CC37527C90B730 7AE7D09281B840AEBCECAA711B00718103DDB32B3E9F6A9FBC6AF23E224A73B9 435F619D9C62527
A.2.13. ECDSA, 163 Bits (Binary Field, Pseudorandom Curve)
Key pair: curve: NIST B-163 q = 40000000000000000000292FE77E70C12A4234C33 (qlen = 163 bits) private key: x = 35318FC447D48D7E6BC93B48617DDDEDF26AA658F public key: U = xG Ux = 126CF562D95A1D77D387BA75A3EA3A1407F23425A Uy = 7D7CB5273C94DA8CA93049AFDA18721C24672BD71 Signatures: With SHA-1, message = "sample": k = 0707A94C3D352E0A9FE49FB12F264992152A20004 r = 153FEBD179A69B6122DEBF5BC61EB947B24C93526 s = 37AC9C670F8CF18045049BAE7DD35553545C19E49 With SHA-224, message = "sample": k = 3B24C5E2C2D935314EABF57A6484289B291ADFE3F r = 0A379E69C44F9C16EA3215EA39EB1A9B5D58CC955 s = 04BAFF5308DA2A7FE2C1742769265AD3ED1D24E74 With SHA-256, message = "sample": k = 3D7086A59E6981064A9CDB684653F3A81B6EC0F0B r = 134E00F78FC1CB9501675D91C401DE20DDF228CDC s = 373273AEC6C36CB7BAFBB1903A5F5EA6A1D50B624 With SHA-384, message = "sample": k = 3B1E4443443486C7251A68EF184A936F05F8B17C7 r = 29430B935AF8E77519B0CA4F6903B0B82E6A21A66 s = 1EA1415306E9353FA5AA54BC7C2581DFBB888440D With SHA-512, message = "sample": k = 2EDF5CFCAC7553C17421FDF54AD1D2EF928A879D2 r = 0B2F177A99F9DF2D51CCAF55F015F326E4B65E7A0 s = 0DF1FB4487E9B120C5E970EFE48F55E406306C3A1
With SHA-1, message = "test": k = 10024F5B324CBC8954BA6ADB320CD3AB9296983B4 r = 256D4079C6C7169B8BC92529D701776A269D56308 s = 341D3FFEC9F1EB6A6ACBE88E3C86A1C8FDEB8B8E1 With SHA-224, message = "test": k = 34F46DE59606D56C75406BFB459537A7CC280AA62 r = 28ECC6F1272CE80EA59DCF32F7AC2D861BA803393 s = 0AD4AE2C06E60183C1567D2B82F19421FE3053CE2 With SHA-256, message = "test": k = 38145E3FFCA94E4DDACC20AD6E0997BD0E3B669D2 r = 227DF377B3FA50F90C1CB3CDCBBDBA552C1D35104 s = 1F7BEAD92583FE920D353F368C1960D0E88B46A56 With SHA-384, message = "test": k = 375813210ECE9C4D7AB42DDC3C55F89189CF6DFFD r = 11811DAFEEA441845B6118A0DFEE8A0061231337D s = 36258301865EE48C5C6F91D63F62695002AB55B57 With SHA-512, message = "test": k = 25AD8B393BC1E9363600FDA1A2AB6DF40079179A3 r = 3B6BB95CA823BE2ED8E3972FF516EB8972D765571 s = 13DC6F420628969DF900C3FCC48220B38BE24A541
A.2.14. ECDSA, 233 Bits (Binary Field, Pseudorandom Curve)
Key pair: curve: NIST B-233 q = 1000000000000000000000000000013E974E72F8A6922031D2603CFE0D7 (qlen = 233 bits) private key: x = 07ADC13DD5BF34D1DDEEB50B2CE23B5F5E6D18067306D60C5F6FF11E5D3 public key: U = xG Ux = 0FB348B3246B473AA7FBB2A01B78D61B62C4221D0F9AB55FC72DB3DF478 Uy = 1162FA1F6C6ACF7FD8D19FC7D74BDD9104076E833898BC4C042A6E6BEBF Signatures: With SHA-1, message = "sample": k = 0A4E0B67A3A081C1B35D7BECEB5FE72A918B422B907145DB5416ED751CE r = 015CC6FD78BB06E0878E71465515EA5A21A2C18E6FC77B4B158DBEB3944 s = 0822A4A6C2EB2DF213A5E90BF40377956365EE8C4B4A5A4E2EB9270CB6A With SHA-224, message = "sample": k = 0F2B1C1E80BEB58283AAA79857F7B83BDF724120D0913606FD07F7FFB2C r = 05D9920B53471148E10502AB49AB7A3F11084820A074FD89883CF51BC1A s = 04D3938900C0A9AAA7080D1DFEB56CFB0FADABE4214536C7ED5117ED13A With SHA-256, message = "sample": k = 034A53897B0BBDB484302E19BF3F9B34A2ABFED639D109A388DC52006B5 r = 0A797F3B8AEFCE7456202DF1E46CCC291EA5A49DA3D4BDDA9A4B62D5E0D s = 01F6F81DA55C22DA4152134C661588F4BD6F82FDBAF0C5877096B070DC2 With SHA-384, message = "sample": k = 04D4670B28990BC92EEB49840B482A1FA03FE028D09F3D21F89C67ECA85 r = 015E85A8D46225DD7E314A1C4289731FC14DECE949349FE535D11043B85 s = 03F189D37F50493EFD5111A129443A662AB3C6B289129AD8C0CAC85119C With SHA-512, message = "sample": k = 0DE108AAADA760A14F42C057EF81C0A31AF6B82E8FBCA8DC86E443AB549 r = 03B62A4BF783919098B1E42F496E65F7621F01D1D466C46940F0F132A95 s = 0F4BE031C6E5239E7DAA014CBBF1ED19425E49DAEB426EC9DF4C28A2E30
With SHA-1, message = "test": k = 0250C5C90A4E2A3F8849FEBA87F0D0AE630AB18CBABB84F4FFFB36CEAC0 r = 02F1FEDC57BE203E4C8C6B8C1CEB35E13C1FCD956AB41E3BD4C8A6EFB1F s = 05738EC8A8EDEA8E435EE7266AD3EDE1EEFC2CEBE2BE1D614008D5D2951 With SHA-224, message = "test": k = 07BDB6A7FD080D9EC2FC84BFF9E3E15750789DC04290C84FED00E109BBD r = 0CCE175124D3586BA7486F7146894C65C2A4A5A1904658E5C7F9DF5FA5D s = 08804B456D847ACE5CA86D97BF79FD6335E5B17F6C0D964B5D0036C867E With SHA-256, message = "test": k = 00376886E89013F7FF4B5214D56A30D49C99F53F211A3AFE01AA2BDE12D r = 035C3D6DFEEA1CFB29B93BE3FDB91A7B130951770C2690C16833A159677 s = 0600F7301D12AB376B56D4459774159ADB51F97E282FF384406AFD53A02 With SHA-384, message = "test": k = 03726870DE75613C5E529E453F4D92631C03D08A7F63813E497D4CB3877 r = 061602FC8068BFD5FB86027B97455D200EC603057446CCE4D76DB8EF42C s = 03396DD0D59C067BB999B422D9883736CF9311DFD6951F91033BD03CA8D With SHA-512, message = "test": k = 09CE5810F1AC68810B0DFFBB6BEEF2E0053BB937969AE7886F9D064A8C4 r = 07E12CB60FDD614958E8E34B3C12DDFF35D85A9C5800E31EA2CC2EF63B1 s = 0E8970FD99D836F3CC1C807A2C58760DE6EDAA23705A82B9CB1CE93FECC
A.2.15. ECDSA, 283 Bits (Binary Field, Pseudorandom Curve)
Key pair: curve: NIST B-283 q = 3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CE FADB307 (qlen = 282 bits) private key: x = 14510D4BC44F2D26F4553942C98073C1BD35545CEABB5CC138853C5158D2729E A408836 public key: U = xG Ux = 17E3409A13C399F0CA8A192F028D46E3446BCFFCDF51FF8A905ED2DED786E74F 9C3E8A9 Uy = 47EFCBCC31C01D86D1992F7BFAC0277DBD02A6D289274099A2C0F039C8F59F31 8371B0E Signatures: With SHA-1, message = "sample": k = 277F389559667E8AE4B65DC056F8CE2872E1917E7CC59D17D485B0B98343206F BCCD441 r = 201E18D48C6DB3D5D097C4DCE1E25587E1501FC3CF47BDB5B4289D79E273D6A9 ACB8285 s = 151AE05712B024CE617358260774C8CA8B0E7A7E72EF8229BF2ACE7609560CB3 0322C4F With SHA-224, message = "sample": k = 14CC8FCFEECD6B999B4DC6084EBB06FDED0B44D5C507802CC7A5E9ECF36E69DA 6AE23C6 r = 143E878DDFD4DF40D97B8CD638B3C4706501C2201CF7108F2FB91478C11D6947 3246925 s = 0CBF1B9717FEEA3AABB09D9654110144267098E0E1E8D0289A6211BE0EEDFDD8 6A3DB79 With SHA-256, message = "sample": k = 38C9D662188982943E080B794A4CFB0732DBA37C6F40D5B8CFADED6FF31C5452 BA3F877 r = 29FD82497FB3E5CEF65579272138DE59E2B666B8689466572B3B69A172CEE83B E145659 s = 05A89D9166B40795AF0FE5958201B9C0523E500013CA12B4840EA2BC53F25F9B 3CE87C0
With SHA-384, message = "sample": k = 21B7265DEBF90E6F988CFFDB62B121A02105226C652807CC324ED6FB119A287A 72680AB r = 2F00689C1BFCD2A8C7A41E0DE55AE182E6463A152828EF89FE3525139B660329 4E69353 s = 1744514FE0A37447250C8A329EAAADA81572226CABA16F39270EE5DD03F27B1F 665EB5D With SHA-512, message = "sample": k = 20583259DC179D9DA8E5387E89BFF2A3090788CF1496BCABFE7D45BB120B0C81 1EB8980 r = 0DA43A9ADFAA6AD767998A054C6A8F1CF77A562924628D73C62761847AD8286E 0D91B47 s = 1D118733AE2C88357827CAFC6F68ABC25C80C640532925E95CFE66D40F8792F3 AC44C42 With SHA-1, message = "test": k = 0185C57A743D5BA06193CE2AA47B07EF3D6067E5AE1A6469BCD3FC510128BA56 4409D82 r = 05A408133919F2CDCDBE5E4C14FBC706C1F71BADAFEF41F5DE4EC27272FC1CA9 366FBB2 s = 012966272872C097FEA7BCE64FAB1A81982A773E26F6E4EF7C99969846E67CA9 CBE1692 With SHA-224, message = "test": k = 2E5C1F00677A0E015EC3F799FA9E9A004309DBD784640EAAF5E1CE64D3045B9F E9C1FA1 r = 08F3824E40C16FF1DDA8DC992776D26F4A5981AB5092956C4FDBB4F1AE0A711E EAA10E5 s = 0A64B91EFADB213E11483FB61C73E3EF63D3B44EEFC56EA401B99DCC60CC28E9 9F0F1FA With SHA-256, message = "test": k = 018A7D44F2B4341FEFE68F6BD8894960F97E08124AAB92C1FFBBE90450FCC935 6C9AAA5 r = 3597B406F5329D11A79E887847E5EC60861CCBB19EC61F252DB7BD549C699951 C182796 s = 0A6A100B997BC622D91701D9F5C6F6D3815517E577622DA69D3A0E8917C1CBE6 3ACD345 With SHA-384, message = "test": k = 3C75397BA4CF1B931877076AF29F2E2F4231B117AB4B8E039F7F9704DE1BD352 2F150B6 r = 1BB490926E5A1FDC7C5AA86D0835F9B994EDA315CA408002AF54A298728D422E BF59E4C s = 36C682CFC9E2C89A782BFD3A191609D1F0C1910D5FD6981442070393159D65FB CC0A8BA
With SHA-512, message = "test": k = 14E66B18441FA54C21E3492D0611D2B48E19DE3108D915FD5CA08E786327A267 5F11074 r = 19944AA68F9778C2E3D6E240947613E6DA60EFCE9B9B2C063FF5466D72745B5A 0B25BA2 s = 03F1567B3C5B02DF15C874F0EE22850824693D5ADC4663BAA19E384E550B1DD4 1F31EE6
A.2.16. ECDSA, 409 Bits (Binary Field, Pseudorandom Curve)
Key pair: curve: NIST B-409 q = 10000000000000000000000000000000000000000000000000001E2AAD6A612F 33307BE5FA47C3C9E052F838164CD37D9A21173 (qlen = 409 bits) private key: x = 0494994CC325B08E7B4CE038BD9436F90B5E59A2C13C3140CD3AE07C04A01FC4 89F572CE0569A6DB7B8060393DE76330C624177 public key: U = xG Ux = 1A7055961CF1DA4B9A015B18B1524EF01FDD9B93FAEFC26FB1F2F828A7227B70 31925DA0AC1A8A075C3B33554B222EA859C17E7 Uy = 18105C042F290736088F30AEC7AE7732A45DE47BCE0940113AB8132516D1E059 B0F581FD581A9A3CB3A0AC42A1962738ADB86E6 Signatures: With SHA-1, message = "sample": k = 042D8A2B34402757EB2CCFDDC3E6E96A7ADD3FDA547FC10A0CB77CFC720B4F9E 16EEAAA2A8CC4E4A4B5DBF7D8AC4EA491859E60 r = 0D8783188E1A540E2022D389E1D35B32F56F8C2BB5636B8ABF7718806B27A713 EBAE37F63ECD4B61445CEF5801B62594EF3E982 s = 03A6B4A80E204DB0DE12E7415C13C9EC091C52935658316B4A0C591216A38791 54BEB1712560E346E7EF26517707435B55C3141 With SHA-224, message = "sample": k = 0C933F1DC4C70838C2AD16564715ACAF545BCDD8DC203D25AF3EC63949C65CB2 E68AC1F60CA7EACA2A823F4E240927AA82CEEC5 r = 0EE4F39ACC2E03CE96C3D9FCBAFA5C22C89053662F8D4117752A9B10F09ADFDA 59DB061E247FE5321D6B170EE758ACE1BE4D157 s = 00A2B83265B456A430A8BF27DCC8A9488B3F126C10F0D6D64BF7B8A218FAAF20 E51A295A3AE78F205E5A4A6AE224C3639F1BB34 With SHA-256, message = "sample": k = 08EC42D13A3909A20C41BEBD2DFED8CACCE56C7A7D1251DF43F3E9E289DAE00E 239F6960924AC451E125B784CB687C7F23283FD r = 02D8B1B31E33E74D7EB46C30FDE5AD2CA04EC8FE08FBA0E73BA5E568953AC5EA 307C072942238DFC07F4A4D7C7C6A9F86436D17 s = 079F7D471E6CB73234AF7F7C381D2CE15DE35BAF8BB68393B73235B3A26EC2DF 4842CE433FB492D6E074E604D4870024D42189A
With SHA-384, message = "sample": k = 0DA881BCE3BA851485879EF8AC585A63F1540B9198ECB8A1096D70CB25A104E2 F8A96B108AE76CB49CF34491ABC70E9D2AAD450 r = 07BC638B7E7CE6FEE5E9C64A0F966D722D01BB4BC3F3A35F30D4CDDA92DFC5F7 F0B4BBFE8065D9AD452FD77A1914BE3A2440C18 s = 06D904429850521B28A32CBF55C7C0FDF35DC4E0BDA2552C7BF68A171E970E67 88ACC0B9521EACB4796E057C70DD9B95FED5BFB With SHA-512, message = "sample": k = 0750926FFAD7FF5DE85DF7960B3A4F9E3D38CF5A049BFC89739C48D42B34FBEE 03D2C047025134CC3145B60AFD22A68DF0A7FB2 r = 05D178DECAFD2D02A3DA0D8BA1C4C1D95EE083C760DF782193A9F7B4A8BE6FC5 C21FD60613BCA65C063A61226E050A680B3ABD4 s = 013B7581E98F6A63FBBCB3E49BCDA60F816DB230B888506D105DC229600497C3 B46588C784BE3AA9343BEF82F7C9C80AEB63C3B With SHA-1, message = "test": k = 017E167EAB1850A3B38EE66BFE2270F2F6BFDAC5E2D227D47B20E75F0719161E 6C74E9F23088F0C58B1E63BC6F185AD2EF4EAE6 r = 049F54E7C10D2732B4638473053782C6919218BBEFCEC8B51640FC193E832291 F05FA12371E9B448417B3290193F08EE9319195 s = 0499E267DEC84E02F6F108B10E82172C414F15B1B7364BE8BFD66ADC0C5DE23F EE3DF0D811134C25AFE0E05A6672F98889F28F1 With SHA-224, message = "test": k = 01ADEB94C19951B460A146B8275D81638C07735B38A525D76023AAF26AA8A058 590E1D5B1E78AB3C91608BDA67CFFBE6FC8A6CC r = 0B1527FFAA7DD7C7E46B628587A5BEC0539A2D04D3CF27C54841C2544E1BBDB4 2FDBDAAF8671A4CA86DFD619B1E3732D7BB56F2 s = 0442C68C044868DF4832C807F1EDDEBF7F5052A64B826FD03451440794063F52 B022DF304F47403D4069234CA9EB4C964B37C02 With SHA-256, message = "test": k = 06EBA3D58D0E0DFC406D67FC72EF0C943624CF40019D1E48C3B54CCAB0594AFD 5DEE30AEBAA22E693DBCFECAD1A85D774313DAD r = 0BB27755B991D6D31757BCBF68CB01225A38E1CFA20F775E861055DD108ED7EA 455E4B96B2F6F7CD6C6EC2B3C70C3EDDEB9743B s = 0C5BE90980E7F444B5F7A12C9E9AC7A04CA81412822DD5AD1BE7C45D5032555E A070864245CF69266871FEB8CD1B7EDC30EF6D5 With SHA-384, message = "test": k = 0A45B787DB44C06DEAB846511EEDBF7BFCFD3BD2C11D965C92FC195F67328F36 A2DC83C0352885DAB96B55B02FCF49DCCB0E2DA r = 
04EFEB7098772187907C87B33E0FBBA4584226C50C11E98CA7AAC6986F8D3BE0 44E5B52D201A410B852536527724CA5F8CE6549 s = 09574102FEB3EF87E6D66B94119F5A6062950FF4F902EA1E6BD9E2037F33FF99 1E31F5956C23AFE48FCDC557FD6F088C7C9B2B3
With SHA-512, message = "test": k = 0B90F8A0E757E81D4EA6891766729C96A6D01F9AEDC0D334932D1F81CC4E1973 A4F01C33555FF08530A5098CADB6EDAE268ABB5 r = 07E0249C68536AE2AEC2EC30090340DA49E6DC9E9EEC8F85E5AABFB234B6DA7D 2E9524028CF821F21C6019770474CC40B01FAF6 s = 08125B5A03FB44AE81EA46D446130C2A415ECCA265910CA69D55F2453E16CD7B 2DFA4E28C50FA8137F9C0C6CEE4CD37ABCCF6D8
A.2.17. ECDSA, 571 Bits (Binary Field, Pseudorandom Curve)
Key pair: curve: NIST B-571 q = 3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFE661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8 382E9BB2FE84E47 (qlen = 570 bits) private key: x = 028A04857F24C1C082DF0D909C0E72F453F2E2340CCB071F0E389BCA2575DA19 124198C57174929AD26E348CF63F78D28021EF5A9BF2D5CBEAF6B7CCB6C4DA82 4DD5C82CFB24E11 public key: U = xG Ux = 4B4B3CE9377550140B62C1061763AA524814DDCEF37B00CD5CDE94F7792BB0E9 6758E55DA2E9FEA8FF2A8B6830AE1D57A9CA7A77FCB0836BF43EA5454CDD9FEA D5CCFE7375C6A83 Uy = 4453B18F261E7A0E7570CD72F235EA750438E43946FBEBD2518B696954767AA7 849C1719E18E1C51652C28CA853426F15C09AA4B579487338ABC7F33768FADD6 1B5A3A6443A8189 Signatures: With SHA-1, message = "sample": k = 2669FAFEF848AF67D437D4A151C3C5D3F9AA8BB66EDC35F090C9118F95BA0041 B0993BE2EF55DAAF36B5B3A737C40DB1F6E3D93D97B8419AD6E1BB8A5D4A0E9B 2E76832D4E7B862 r = 147D3EB0EDA9F2152DFD014363D6A9CE816D7A1467D326A625FC4AB0C786E1B7 4DDF7CD4D0E99541391B266C704BB6B6E8DCCD27B460802E0867143727AA4155 55454321EFE5CB6 s = 17319571CAF533D90D2E78A64060B9C53169AB7FC908947B3EDADC54C79CCF0A 7920B4C64A4EAB6282AFE9A459677CDA37FD6DD50BEF18709590FE18B923BDF7 4A66B189A850819
With SHA-224, message = "sample": k = 2EAFAD4AC8644DEB29095BBAA88D19F31316434F1766AD4423E0B54DD2FE0C05 E307758581B0DAED2902683BBC7C47B00E63E3E429BA54EA6BA3AEC33A94C9A2 4A6EF8E27B7677A r = 10F4B63E79B2E54E4F4F6A2DBC786D8F4A143ECA7B2AD97810F6472AC6AE2085 3222854553BE1D44A7974599DB7061AE8560DF57F2675BE5F9DD94ABAF3D47F1 582B318E459748B s = 3BBEA07C6B269C2B7FE9AE4DDB118338D0C2F0022920A7F9DCFCB7489594C03B 536A9900C4EA6A10410007222D3DAE1A96F291C4C9275D75D98EB290DC0EEF17 6037B2C7A7A39A3 With SHA-256, message = "sample": k = 15C2C6B7D1A070274484774E558B69FDFA193BDB7A23F27C2CD24298CE1B22A6 CC9B7FB8CABFD6CF7C6B1CF3251E5A1CDDD16FBFED28DE79935BB2C631B8B8EA 9CC4BCC937E669E r = 213EF9F3B0CFC4BF996B8AF3A7E1F6CACD2B87C8C63820000800AC787F17EC99 C04BCEDF29A8413CFF83142BB88A50EF8D9A086AF4EB03E97C567500C21D8657 14D832E03C6D054 s = 3D32322559B094E20D8935E250B6EC139AC4AAB77920812C119AF419FB62B332 C8D226C6C9362AE3C1E4AABE19359B8428EA74EC8FBE83C8618C2BCCB6B43FBA A0F2CCB7D303945 With SHA-384, message = "sample": k = 0FEF0B68CB49453A4C6ECBF1708DBEEFC885C57FDAFB88417AAEFA5B1C35017B 4B498507937ADCE2F1D9EFFA5FE8F5AEB116B804FD182A6CF1518FDB62D53F60 A0FF6EB707D856B r = 375D8F49C656A0BBD21D3F54CDA287D853C4BB1849983CD891EF6CD6BB56A62B 687807C16685C2C9BCA2663C33696ACCE344C45F3910B1DF806204FF731ECB28 9C100EF4D1805EC s = 1CDEC6F46DFEEE44BCE71D41C60550DC67CF98D6C91363625AC2553E4368D2DF B734A8E8C72E118A76ACDB0E58697940A0F3DF49E72894BD799450FC9E550CC0 4B9FF9B0380021C With SHA-512, message = "sample": k = 3FF373833A06C791D7AD586AFA3990F6EF76999C35246C4AD0D519BFF180CA18 80E11F2FB38B764854A0AE3BECDDB50F05AC4FCEE542F207C0A6229E2E19652F 0E647B9C4882193 r = 1C26F40D940A7EAA0EB1E62991028057D91FEDA0366B606F6C434C361F04E545 A6A51A435E26416F6838FFA260C617E798E946B57215284182BE55F29A355E60 24FE32A47289CF0 s = 3691DE4369D921FE94EDDA67CB71FBBEC9A436787478063EB1CC778B3DCDC1C4 162662752D28DEEDF6F32A269C82D1DB80C87CE4D3B662E03AC347806E3F19D1 8D6D4DE7358DF7E
With SHA-1, message = "test": k = 019B506FD472675A7140E429AA5510DCDDC21004206EEC1B39B28A688A8FD324 138F12503A4EFB64F934840DFBA2B4797CFC18B8BD0B31BBFF3CA66A4339E4EF 9D771B15279D1DC r = 133F5414F2A9BC41466D339B79376038A64D045E5B0F792A98E5A7AA87E0AD01 6419E5F8D176007D5C9C10B5FD9E2E0AB8331B195797C0358BA05ECBF24ACE59 C5F368A6C0997CC s = 3D16743AE9F00F0B1A500F738719C5582550FEB64689DA241665C4CE4F328BA0 E34A7EF527ED13BFA5889FD2D1D214C11EB17D6BC338E05A56F41CAFF1AF7B8D 574DB62EF0D0F21 With SHA-224, message = "test": k = 333C711F8C62F205F926593220233B06228285261D34026232F6F729620C6DE1 2220F282F4206D223226705608688B20B8BA86D8DFE54F07A37EC48F253283AC 33C3F5102C8CC3E r = 3048E76506C5C43D92B2E33F62B33E3111CEEB87F6C7DF7C7C01E3CDA28FA5E8 BE04B5B23AA03C0C70FEF8F723CBCEBFF0B7A52A3F5C8B84B741B4F6157E69A5 FB0524B48F31828 s = 2C99078CCFE5C82102B8D006E3703E020C46C87C75163A2CD839C885550BA5CB 501AC282D29A1C26D26773B60FBE05AAB62BFA0BA32127563D42F7669C97784C 8897C22CFB4B8FA With SHA-256, message = "test": k = 328E02CF07C7B5B6D3749D8302F1AE5BFAA8F239398459AF4A2C859C7727A812 3A7FE9BE8B228413FC8DC0E9DE16AF3F8F43005107F9989A5D97A5C4455DA895 E81336710A3FB2C r = 184BC808506E11A65D628B457FDA60952803C604CC7181B59BD25AEE1411A66D 12A777F3A0DC99E1190C58D0037807A95E5080FA1B2E5CCAA37B50D401CFFC34 17C005AEE963469 s = 27280D45F81B19334DBDB07B7E63FE8F39AC7E9AE14DE1D2A6884D2101850289 D70EE400F26ACA5E7D73F534A14568478E59D00594981ABE6A1BA18554C13EB5 E03921E4DC98333 With SHA-384, message = "test": k = 2A77E29EAD9E811A9FDA0284C14CDFA1D9F8FA712DA59D530A06CDE54187E250 AD1D4FB5788161938B8DE049616399C5A56B0737C9564C9D4D845A4C6A7CDFCB FF0F01A82BE672E r = 319EE57912E7B0FAA1FBB145B0505849A89C6DB1EC06EA20A6A7EDE072A6268A F6FD9C809C7E422A5F33C6C3326EAD7402467DF3272A1B2726C1C20975950F0F 50D8324578F13EC s = 2CF3EA27EADD0612DD2F96F46E89AB894B01A10DF985C5FC099CFFE0EA083EB4 4BE682B08BFE405DAD5F37D0A2C59015BA41027E24B99F8F75A70B6B7385BF39 BBEA02513EB880C
With SHA-512, message = "test": k = 21CE6EE4A2C72C9F93BDB3B552F4A633B8C20C200F894F008643240184BE57BB 282A1645E47FBBE131E899B4C61244EFC2486D88CDBD1DD4A65EBDD837019D02 628D0DCD6ED8FB5 r = 2AA1888EAB05F7B00B6A784C4F7081D2C833D50794D9FEAF6E22B8BE728A2A90 BFCABDC803162020AA629718295A1489EE7ED0ECB8AAA197B9BDFC49D18DDD78 FC85A48F9715544 s = 0AA5371FE5CA671D6ED9665849C37F394FED85D51FEF72DA2B5F28EDFB2C6479 CA63320C19596F5E1101988E2C619E302DD05112F47E8823040CE540CD3E90DC F41DBC461744EE9
A.3. Sample Code
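We include here a sample implementation of deterministic DSA. It is meant for illustration purposes; for instance, this code makes no attempt at avoiding side-channel leakage of the private key. It is written in the Java programming language. The actual generation of the "random" value k is done in the computek() method. The Java virtual machine (JVM) is assumed to provide the implementation of the hash function and of HMAC.

// ==================================================================

import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Deterministic DSA signature generation. This is a sample
 * implementation designed to illustrate how deterministic DSA
 * chooses the pseudorandom value k when signing a given message.
 * This implementation was NOT optimized or hardened against
 * side-channel leaks.
 *
 * An instance is created with a hash function name, which must be
 * supported by the underlying Java virtual machine ("SHA-1" and
 * "SHA-256" should work everywhere). The data to sign is input
 * through the {@code update()} methods. The private key is set with
 * {@link #setPrivateKey}. The signature is obtained by calling
 * {@link #sign}; alternatively, {@link #signHash} can be used to
 * sign some data that has been externally hashed. The private key
 * MUST be set before generating the signature itself, but message
 * data can be input before setting the key.
 *
 * Instances are NOT thread-safe. However, once a signature has
 * been generated, the same instance can be used again for another
 * signature; {@link #setPrivateKey} need not be called again if the
 * private key has not changed. {@link #reset} can also be called to
 * cancel previously input data. Generating a signature with {@link
 * #sign} (not {@link #signHash}) also implicitly causes a
 * reset.
 *
 * Review note: the private key stays in the fields {@code x} and
 * {@code bx} for the lifetime of the instance and is never cleared,
 * and the {@code BigInteger} operations used for signing
 * ({@code modPow}, {@code modInverse}) make no constant-time
 * guarantee. Both are in line with the "sample only" status stated
 * above; this class is not suitable as-is where those properties
 * matter.
 *
 * ------------------------------------------------------------------
 * Copyright (c) 2013 IETF Trust and the persons identified as
 * authors of the code. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, is permitted pursuant to, and subject to the license
 * terms contained in, the Simplified BSD License set forth in Section
 * 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents
 * (http://trustee.ietf.org/license-info).
 *
 * Technical remarks and questions can be addressed to:
 * pornin@bolet.org
 * ------------------------------------------------------------------
 */
public class DeterministicDSA {

    /* JVM algorithm name of the HMAC matching the hash function. */
    private String macName;
    /* Accumulates the message passed to the update() methods. */
    private MessageDigest dig;
    /* HMAC engine used by computek(). */
    private Mac hmac;
    /* Group parameters (p, q, g) and private key (x). */
    private BigInteger p, q, g, x;
    /*
     * qlen: bit length of q; rolen: qlen rounded up to whole octets;
     * rlen: rolen in bits; holen: HMAC output length in octets.
     */
    private int qlen, rlen, rolen, holen;
    /* The private key x encoded over exactly rolen octets. */
    private byte[] bx;

    /**
     * Create an instance, using the specified hash function.
     * The name is used to obtain from the JVM an implementation
     * of the hash function and an implementation of HMAC.
     *
     * @param hashName the hash function name
     * @throws IllegalArgumentException on unsupported name
     */
    public DeterministicDSA(String hashName) {
        try {
            dig = MessageDigest.getInstance(hashName);
        } catch (NoSuchAlgorithmException nsae) {
            throw new IllegalArgumentException(nsae);
        }
        /*
         * The HMAC name is "Hmac" followed by the hash name
         * with every '-' removed (e.g. "SHA-256" gives
         * "HmacSHA256").
         */
        macName = "Hmac" + hashName.replace("-", "");
        try {
            hmac = Mac.getInstance(macName);
        } catch (NoSuchAlgorithmException nsae) {
            throw new IllegalArgumentException(nsae);
        }
        holen = hmac.getMacLength();
    }

    /**
     * Set the private key.
     *
     * All checks are performed before any field is modified: if
     * the key is rejected, the instance keeps the key it had
     * before the call (or remains without a key).
     *
     * @param p key parameter: field modulus
     * @param q key parameter: subgroup order
     * @param g key parameter: generator
     * @param x private key
     * @throws IllegalArgumentException if the key fails the sanity
     *         checks, or if q is shorter than 8 bits
     */
    public void setPrivateKey(BigInteger p, BigInteger q,
        BigInteger g, BigInteger x)
    {
        /*
         * Perform some basic sanity checks. We do not
         * check primality of p or q because that would
         * be too expensive.
         *
         * We reject keys where q is longer than 999 bits,
         * because it would complicate signature encoding.
         * Normal DSA keys do not have a q longer than 256
         * bits anyway.
         */
        if (p == null || q == null || g == null || x == null
            || p.signum() <= 0 || q.signum() <= 0
            || g.signum() <= 0 || x.signum() <= 0
            || x.compareTo(q) >= 0 || q.compareTo(p) >= 0
            || q.bitLength() > 999
            || g.compareTo(p) >= 0 || g.bitLength() == 1
            || g.modPow(q, p).bitLength() != 1) {
            throw new IllegalArgumentException(
                "invalid DSA private key");
        }

        /*
         * The length check comes before the fields are written.
         * Writing them first would leave a rejected key
         * half-installed (p set, rolen and bx stale), and a later
         * signHash() call would then run on inconsistent state
         * instead of reporting that no key is set.
         */
        int newQlen = q.bitLength();
        if (newQlen < 8) {
            throw new IllegalArgumentException(
                "bad group order: " + q);
        }

        this.p = p;
        this.q = q;
        this.g = g;
        this.x = x;
        qlen = newQlen;
        rolen = (qlen + 7) >>> 3;
        rlen = rolen * 8;

        /*
         * Convert the private exponent (x) into a sequence
         * of octets.
         */
        bx = int2octets(x);
    }

    /**
     * bits2int transform: interpret the input as an unsigned
     * big-endian integer and, if the input has more than qlen bits,
     * keep only its leftmost qlen bits.
     *
     * @param in the input octets
     * @return the resulting non-negative integer (not reduced
     *         modulo q)
     */
    private BigInteger bits2int(byte[] in) {
        BigInteger v = new BigInteger(1, in);
        int vlen = in.length * 8;
        if (vlen > qlen) {
            v = v.shiftRight(vlen - qlen);
        }
        return v;
    }

    /**
     * int2octets transform: encode an integer as exactly rolen
     * octets, big-endian.
     *
     * @param v the integer to encode
     * @return an array of rolen octets
     */
    private byte[] int2octets(BigInteger v) {
        /*
         * toByteArray() returns a minimal two's-complement
         * encoding, which may be shorter than rolen or carry one
         * extra leading octet for the sign bit.
         */
        byte[] out = v.toByteArray();
        if (out.length < rolen) {
            /* Left-pad with zeros. */
            byte[] out2 = new byte[rolen];
            System.arraycopy(out, 0,
                out2, rolen - out.length,
                out.length);
            return out2;
        } else if (out.length > rolen) {
            /* Keep the rolen low-order octets. */
            byte[] out2 = new byte[rolen];
            System.arraycopy(out, out.length - rolen,
                out2, 0, rolen);
            return out2;
        } else {
            return out;
        }
    }

    /**
     * bits2octets transform: apply bits2int to the input, reduce
     * the result modulo q, and encode it with int2octets.
     *
     * @param in the input octets (a hash value)
     * @return an array of rolen octets
     */
    private byte[] bits2octets(byte[] in) {
        BigInteger z1 = bits2int(in);
        /*
         * z1 has at most qlen bits, so one conditional
         * subtraction of q is enough to reduce it modulo q.
         */
        BigInteger z2 = z1.subtract(q);
        return int2octets(z2.signum() < 0 ? z1 : z2);
    }

    /**
     * Set (or reset) the secret key used for HMAC.
     *
     * @param K the new secret key
     */
    private void setHmacKey(byte[] K) {
        try {
            hmac.init(new SecretKeySpec(K, macName));
        } catch (InvalidKeyException ike) {
            throw new IllegalArgumentException(ike);
        }
    }

    /**
     * Compute the pseudorandom k for signature generation,
     * using the process specified for deterministic DSA.
     *
     * @param h1 the hashed message
     * @return the pseudorandom k to use
     */
    private BigInteger computek(byte[] h1) {
        /*
         * Convert hash value into an appropriately truncated
         * and/or expanded sequence of octets. The private
         * key was already processed (into field bx[]).
         */
        byte[] bh = bits2octets(h1);

        /*
         * HMAC is always used with K as key.
         * Whenever K is updated, we reset the
         * current HMAC key.
         */

        /* step b. */
        byte[] V = new byte[holen];
        for (int i = 0; i < holen; i ++) {
            V[i] = 0x01;
        }

        /* step c. */
        byte[] K = new byte[holen];
        setHmacKey(K);

        /* step d. */
        hmac.update(V);
        hmac.update((byte)0x00);
        hmac.update(bx);
        hmac.update(bh);
        K = hmac.doFinal();
        setHmacKey(K);

        /* step e. */
        hmac.update(V);
        V = hmac.doFinal();

        /* step f. (same input as step d., with 0x01 as separator) */
        hmac.update(V);
        hmac.update((byte)0x01);
        hmac.update(bx);
        hmac.update(bh);
        K = hmac.doFinal();
        setHmacKey(K);

        /* step g. */
        hmac.update(V);
        V = hmac.doFinal();

        /* step h. */
        byte[] T = new byte[rolen];
        for (;;) {
            /*
             * We want qlen bits, but we support only
             * hash functions with an output length
             * multiple of 8; hence, we will gather
             * rlen bits, i.e., rolen octets.
             */
            int toff = 0;
            while (toff < rolen) {
                hmac.update(V);
                V = hmac.doFinal();
                int cc = Math.min(V.length,
                    T.length - toff);
                System.arraycopy(V, 0, T, toff, cc);
                toff += cc;
            }
            /*
             * The candidate is compared with q, not reduced
             * modulo q; out-of-range candidates are discarded.
             */
            BigInteger k = bits2int(T);
            if (k.signum() > 0 && k.compareTo(q) < 0) {
                return k;
            }

            /*
             * k is not in the proper range; update
             * K and V, and loop.
             */
            hmac.update(V);
            hmac.update((byte)0x00);
            K = hmac.doFinal();
            setHmacKey(K);
            hmac.update(V);
            V = hmac.doFinal();
        }
    }

    /**
     * Process one more byte of input data (message to sign).
     *
     * @param in the extra input byte
     */
    public void update(byte in) {
        dig.update(in);
    }

    /**
     * Process some extra bytes of input data (message to sign).
     *
     * @param in the extra input bytes
     */
    public void update(byte[] in) {
        dig.update(in, 0, in.length);
    }

    /**
     * Process some extra bytes of input data (message to sign).
     *
     * @param in the extra input buffer
     * @param off the extra input offset
     * @param len the extra input length (in bytes)
     */
    public void update(byte[] in, int off, int len) {
        dig.update(in, off, len);
    }

    /**
     * Produce the signature. {@link #setPrivateKey} MUST have
     * been called. The signature is computed over the data
     * that was input through the {@code update*()} methods.
     * This engine is then reset (made ready for a new
     * signature generation).
     *
     * @return the signature
     */
    public byte[] sign() {
        return signHash(dig.digest());
    }

    /**
     * Produce the signature. {@link #setPrivateKey} MUST
     * have been called. The signature is computed over the
     * provided hash value (data is assumed to have been hashed
     * externally). The data that was input through the
     * {@code update*()} methods is ignored, but kept.
     *
     * If the hash output is longer than the subgroup order
     * (the length of q, in bits, denoted 'qlen'), then the
     * provided value {@code h1} can be truncated, provided that
     * at least qlen leading bits are preserved. In other words,
     * bit values in {@code h1} beyond the first qlen bits are
     * ignored.
     *
     * @param h1 the hash value
     * @return the signature
     * @throws IllegalStateException if no private key was set
     * @throws IllegalArgumentException if the arithmetic fails
     *         (e.g. k has no inverse modulo q)
     */
    public byte[] signHash(byte[] h1) {
        if (p == null) {
            throw new IllegalStateException(
                "no private key set");
        }
        try {
            BigInteger k = computek(h1);
            BigInteger r = g.modPow(k, p).mod(q);
            BigInteger s = k.modInverse(q).multiply(
                bits2int(h1).add(x.multiply(r)))
                .mod(q);

            /*
             * NOTE(review): r and s are not checked for zero
             * here. DSA requires both to be nonzero; for
             * real-size groups a zero is vanishingly unlikely,
             * but production code should detect it rather than
             * emit the signature.
             */

            /*
             * Signature encoding: ASN.1 SEQUENCE of
             * two INTEGERs. The conditions on q
             * imply that the encoded version of r and
             * s is no longer than 127 bytes for each,
             * including DER tag and length.
             */
            byte[] br = r.toByteArray();
            byte[] bs = s.toByteArray();
            /* Content length: two (tag, length) pairs plus values. */
            int ulen = br.length + bs.length + 4;
            /* Outer header: 2 octets, or 3 with the long length form. */
            int slen = ulen + (ulen >= 128 ? 3 : 2);
            byte[] sig = new byte[slen];
            int i = 0;
            sig[i ++] = 0x30;
            if (ulen >= 128) {
                sig[i ++] = (byte)0x81;
                sig[i ++] = (byte)ulen;
            } else {
                sig[i ++] = (byte)ulen;
            }
            sig[i ++] = 0x02;
            sig[i ++] = (byte)br.length;
            System.arraycopy(br, 0, sig, i, br.length);
            i += br.length;
            sig[i ++] = 0x02;
            sig[i ++] = (byte)bs.length;
            System.arraycopy(bs, 0, sig, i, bs.length);
            return sig;
        } catch (ArithmeticException ae) {
            throw new IllegalArgumentException(
                "DSA error (bad key ?)", ae);
        }
    }

    /**
     * Reset this engine. Data input through the {@code
     * update*()} methods is discarded. The current private key,
     * if one was set, is kept unchanged.
     */
    public void reset() {
        dig.reset();
    }
}

// ==================================================================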
Author's Address
Thomas Pornin Quebec, QC Canada EMail: pornin@bolet.org