tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 6979

 
 
 

Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)

Part 3 of 3, p. 46 to 79
Prev RFC Part

 


prevText      Top      Up      ToC       Page 46 
A.2.10.  ECDSA, 283 Bits (Binary Field, Koblitz Curve)

   Key pair:

   curve: NIST K-283

   q = 1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061
       E163C61
   (qlen = 281 bits)

   private key:

   x = 06A0777356E87B89BA1ED3A3D845357BE332173C8F7A65BDC7DB4FAB3C4CC79A
       CC8194E

   public key: U = xG

   Ux = 25330D0A651D5A20DC6389BC02345117725640AEC3C126612CE444EDD19649BD
        ECC03D6

   Uy = 505BD60A4B67182474EC4D1C668A73140F70504A68F39EFCD972487E9530E050
        8A76193

   Signatures:

   With SHA-1, message = "sample":
   k = 0A96F788DECAF6C9DBE24DC75ABA6EAAE85E7AB003C8D4F83CB1540625B2993B
       F445692
   r = 1B66D1E33FBDB6E107A69B610995C93C744CEBAEAF623CB42737C27D60188BD1
       D045A68
   s = 02E45B62C9C258643532FD536594B46C63B063946494F95DAFF8759FD5525023
       24295C5

   With SHA-224, message = "sample":
   k = 1B4C4E3B2F6B08B5991BD2BDDE277A7016DA527AD0AAE5BC61B64C5A0EE63E8B
       502EF61
   r = 018CF2F371BE86BB62E02B27CDE56DDAC83CCFBB3141FC59AEE022B66AC1A60D
       BBD8B76
   s = 1854E02A381295EA7F184CEE71AB7222D6974522D3B99B309B1A8025EB84118A
       28BF20E

   With SHA-256, message = "sample":
   k = 1CEB9E8E0DFF53CE687DEB81339ACA3C98E7A657D5A9499EF779F887A934408E
       CBE5A38
   r = 19E90AA3DE5FB20AED22879F92C6FED278D9C9B9293CC5E94922CD952C9DBF20
       DF1753A
   s = 135AA7443B6A25D11BB64AC482E04D47902D017752882BD72527114F46CF8BB5
       6C5A8C3

Top      Up      ToC       Page 47 
   With SHA-384, message = "sample":
   k = 1460A5C41745A5763A9D548AE62F2C3630BBED71B6AA549D7F829C22442A728C
       5D965DA
   r = 0F8C1CA9C221AD9907A136F787D33BA56B0495A40E86E671C940FD767EDD75EB
       6001A49
   s = 1071A56915DEE89E22E511975AA09D00CDC4AA7F5054CBE83F5977EE6F8E1CC3
       1EC43FD

   With SHA-512, message = "sample":
   k = 00F3B59FCB5C1A01A1A2A0019E98C244DFF61502D6E6B9C4E957EDDCEB258EF4
       DBEF04A
   r = 1D0008CF4BA4A701BEF70771934C2A4A87386155A2354140E2ED52E18553C35B
       47D9E50
   s = 0D15F4FA1B7A4D41D9843578E22EF98773179103DC4FF0DD1F74A6B5642841B9
       1056F78

   With SHA-1, message = "test":
   k = 168B5F8C0881D4026C08AC5894A2239D219FA9F4DA0600ADAA56D5A1781AF81F
       08A726E
   r = 140932FA7307666A8CCB1E1A09656CC40F5932965841ABD5E8E43559D93CF231
       1B02767
   s = 16A2FD46DA497E5E739DED67F426308C45C2E16528BF2A17EB5D65964FD88B77
       0FBB9C6

   With SHA-224, message = "test":
   k = 045E13EA645CE01D9B25EA38C8A8A170E04C83BB7F231EE3152209FE10EC8B2E
       565536C
   r = 0E72AF7E39CD72EF21E61964D87C838F977485FA6A7E999000AFA97A381B2445
       FCEE541
   s = 1644FF7D848DA1A040F77515082C27C763B1B4BF332BCF5D08251C6B57D80631
       9778208

   With SHA-256, message = "test":
   k = 0B585A7A68F51089691D6EDE2B43FC4451F66C10E65F134B963D4CBD4EB844B0
       E1469A6
   r = 158FAEB2470B306C57764AFC8528174589008449E11DB8B36994B607A65956A5
       9715531
   s = 0521BC667CA1CA42B5649E78A3D76823C678B7BB3CD58D2E93CD791D53043A6F
       83F1FD1

   With SHA-384, message = "test":
   k = 1E88738E14482A09EE16A73D490A7FE8739DF500039538D5C4B6C8D6D7F208D6
       CA56760
   r = 1CC4DC5479E0F34C4339631A45AA690580060BF0EB518184C983E0E618C3B93A
       AB14BBE
   s = 0284D72FF8AFA83DE364502CBA0494BB06D40AE08F9D9746E747EA87240E589B
       A0683B7

Top      Up      ToC       Page 48 
   With SHA-512, message = "test":
   k = 00E5F24A223BD459653F682763C3BB322D4EE75DD89C63D4DC61518D543E7658
       5076BBA
   r = 1E7912517C6899732E09756B1660F6B96635D638283DF9A8A11D30E008895D7F
       5C9C7F3
   s = 0887E75CBD0B7DD9DE30ED79BDB3D78E4F1121C5EAFF5946918F594F88D36364
       4789DA7

Top      Up      ToC       Page 49 
A.2.11.  ECDSA, 409 Bits (Binary Field, Koblitz Curve)

   Key pair:

   curve: NIST K-409

   q = 7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F83B2D4EA20
       400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF
   (qlen = 407 bits)

   private key:

   x = 29C16768F01D1B8A89FDA85E2EFD73A09558B92A178A2931F359E4D70AD853E5
       69CDAF16DAA569758FB4E73089E4525D8BBFCF

   public key: U = xG

   Ux = 0CF923F523FE34A6E863D8BA45FB1FE6D784C8F219C414EEF4DB8362DBBD3CA7
        1AEB28F568668D5D7A0093E2B84F6FAD759DB42

   Uy = 13B1C374D5132978A1B1123EBBE9A5C54D1A9D56B09AFDB4ADE93CCD7C4D332E
        2916F7D4B9D18578EE3C2E2DE4D2ECE0DE63549

   Signatures:

   With SHA-1, message = "sample":
   k = 7866E5247F9A3556F983C86E81EDA696AC8489DB40A2862F278603982D304F08
       B2B6E1E7848534BEAF1330D37A1CF84C7994C1
   r = 7192EE99EC7AFE23E02CB1F9850D1ECE620475EDA6B65D04984029408EC1E5A6
       476BC940D81F218FC31D979814CAC6E78340FA
   s = 1DE75DE97CBE740FC79A6B5B22BC2B7832C687E6960F0B8173D5D8BE2A75AC6C
       A43438BAF69C669CE6D64E0FB93BC5854E0F81

   With SHA-224, message = "sample":
   k = 512340DB682C7B8EBE407BF1AA54194DFE85D49025FE0F632C9B8A06A996F2FC
       D0D73C752FB09D23DB8FBE50605DC25DF0745C
   r = 41C8EDF39D5E4E76A04D24E6BFD4B2EC35F99CD2483478FD8B0A03E99379576E
       DACC4167590B7D9C387857A5130B1220CB771F
   s = 659652EEAC9747BCAD58034B25362B6AA61836E1BA50E2F37630813050D43457
       E62EAB0F13AE197E6CFE0244F983107555E269

   With SHA-256, message = "sample":
   k = 782385F18BAF5A36A588637A76DFAB05739A14163BF723A4417B74BD1469D37A
       C9E8CCE6AEC8FF63F37B815AAF14A876EED962
   r = 49EC220D6D24980693E6D33B191532EAB4C5D924E97E305E2C1CCFE6F1EAEF96
       C17F6EC27D1E06191023615368628A7E0BD6A9
   s = 1A4AB1DD9BAAA21F77C503E1B39E770FFD44718349D54BA4CF08F688CE89D7D7
       C5F7213F225944BE5F7C9BA42B8BEE382F8AF9

Top      Up      ToC       Page 50 
   With SHA-384, message = "sample":
   k = 4DA637CB2E5C90E486744E45A73935DD698D4597E736DA332A06EDA8B26D5ABC
       6153EC2ECE14981CF3E5E023F36FFA55EEA6D7
   r = 562BB99EE027644EC04E493C5E81B41F261F6BD18FB2FAE3AFEAD91FAB8DD44A
       FA910B13B9C79C87555225219E44E72245BB7C
   s = 25BA5F28047DDDBDA7ED7E49DA31B62B20FD9C7E5B8988817BBF738B3F4DFDD2
       DCD06EE6DF2A1B744C850DAF952C12B9A56774

   With SHA-512, message = "sample":
   k = 57055B293ECFDFE983CEF716166091E573275C53906A39EADC25C89C5EC8D7A7
       E5629FCFDFAD514E1348161C9A34EA1C42D58C
   r = 16C7E7FB33B5577F7CF6F77762F0F2D531C6E7A3528BD2CF582498C1A48F2007
       89E9DF7B754029DA0D7E3CE96A2DC760932606
   s = 2729617EFBF80DA5D2F201AC7910D3404A992C39921C2F65F8CF4601392DFE93
       3E6457EAFDBD13DFE160D243100378B55C290A

   With SHA-1, message = "test":
   k = 545453D8DC05D220F9A12EF322D0B855E664C72835FABE8A41211453EB8A7CFF
       950D80773839D0043A46852DDA5A536E02291F
   r = 565648A5BAD24E747A7D7531FA9DBDFCB184ECFEFDB00A319459242B68D0989E
       52BED4107AED35C27D8ECA10E876ACA48006C9
   s = 7420BA6FF72ECC5C92B7CA0309258B5879F26393DB22753B9EC5DF905500A042
       28AC08880C485E2AC8834E13E8FA44FA57BF18

   With SHA-224, message = "test":
   k = 3C5352929D4EBE3CCE87A2DCE380F0D2B33C901E61ABC530DAF3506544AB0930
       AB9BFD553E51FCDA44F06CD2F49E17E07DB519
   r = 251DFE54EAEC8A781ADF8A623F7F36B4ABFC7EE0AE78C8406E93B5C3932A8120
       AB8DFC49D8E243C7C30CB5B1E021BADBDF9CA4
   s = 77854C2E72EAA6924CC0B5F6751379D132569843B1C7885978DBBAA6678967F6
       43A50DBB06E6EA6102FFAB7766A57C3887BD22

   With SHA-256, message = "test":
   k = 251E32DEE10ED5EA4AD7370DF3EFF091E467D5531CA59DE3AA791763715E1169
       AB5E18C2A11CD473B0044FB45308E8542F2EB0
   r = 58075FF7E8D36844EED0FC3F78B7CFFDEEF6ADE5982D5636552A081923E24841
       C9E37DF2C8C4BF2F2F7A174927F3B7E6A0BEB2
   s = 0A737469D013A31B91E781CE201100FDE1FA488ABF2252C025C678462D715AD3
       078C9D049E06555CABDF37878CFB909553FF51

   With SHA-384, message = "test":
   k = 11C540EA46C5038FE28BB66E2E9E9A04C9FE9567ADF33D56745953D44C1DC8B5
       B92922F53A174E431C0ED8267D919329F19014
   r = 1C5C88642EA216682244E46E24B7CE9AAEF9B3F97E585577D158C3CBC3C59825
       0A53F6D46DFB1E2DD9DC302E7DA4F0CAAFF291
   s = 1D3FD721C35872C74514359F88AD983E170E5DE5B31AFC0BE12E9F4AB2B2538C
       7797686BA955C1D042FD1F8CDC482775579F11

Top      Up      ToC       Page 51 
   With SHA-512, message = "test":
   k = 59527CE953BC09DF5E85155CAE7BB1D7F342265F41635545B06044F844ECB4FA
       6476E7D47420ADC8041E75460EC0A4EC760E95
   r = 1A32CD7764149DF79349DBF79451F4585BB490BD63A200700D7111B45DDA4140
       00AE1B0A69AEACBA1364DD7719968AAD123F93
   s = 582AB1076CAFAE23A76244B82341AEFC4C6D8D8060A62A352C33187720C8A37F
       3DAC227E62758B11DF1562FD249941C1679F82

Top      Up      ToC       Page 52 
A.2.12.  ECDSA, 571 Bits (Binary Field, Koblitz Curve)

   Key pair:

   curve: NIST K-571

   q = 2000000000000000000000000000000000000000000000000000000000000000
       0000000131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45
       CFE778F637C1001
   (qlen = 570 bits)

   private key:

   x = 0C16F58550D824ED7B95569D4445375D3A490BC7E0194C41A39DEB732C29396C
       DF1D66DE02DD1460A816606F3BEC0F32202C7BD18A32D87506466AA92032F131
       4ED7B19762B0D22

   public key: U = xG

   Ux = 6CFB0DF7541CDD4C41EF319EA88E849EFC8605D97779148082EC991C463ED323
        19596F9FDF4779C17CAF20EFD9BEB57E9F4ED55BFC52A2FA15CA23BC62B7BF01
        9DB59793DD77318

   Uy = 1CFC91102F7759A561BD8D5B51AAAEEC7F40E659D67870361990D6DE29F6B4F7
        E18AE13BDE5EA5C1F77B23D676F44050C9DBFCCDD7B3756328DDA059779AAE84
        46FC5158A75C227

   Signatures:

   With SHA-1, message = "sample":
   k = 17F7E360B21BEAE4A757A19ACA77FB404D273F05719A86EAD9D7B3F4D5ED7B46
       30584BB153CF7DCD5A87CCA101BD7EA9ECA0CE5EE27CA985833560000BB52B6B
       BE068740A45B267
   r = 0767913F96C82E38B7146A505938B79EC07E9AA3214377651BE968B52C039D3E
       4837B4A2DE26C481C4E1DE96F4D9DE63845D9B32E26D0D332725678E3CE57F66
       8A5E3108FB6CEA5
   s = 109F89F55FA39FF465E40EBCF869A9B1DB425AEA53AB4ECBCE3C310572F79315
       F5D4891461372A0C36E63871BEDDBB3BA2042C6410B67311F1A185589FF4C987
       DBA02F9D992B9DF

Top      Up      ToC       Page 53 
   With SHA-224, message = "sample":
   k = 0B599D068A1A00498EE0B9AD6F388521F594BD3F234E47F7A1DB6490D7B57D60
       B0101B36F39CC22885F78641C69411279706F0989E6991E5D5B53619E43EFB39
       7E25E0814EF02BC
   r = 010774B9F14DE6C9525131AD61531FA30987170D43782E9FB84FF0D70F093946
       DF75ECB69D400FE39B12D58C67C19DCE96335CEC1D9AADE004FE5B498AB8A940
       D46C8444348686A
   s = 06DFE9AA5FEA6CF2CEDC06EE1F9FD9853D411F0B958F1C9C519C90A85F6D24C1
       C3435B3CDF4E207B4A67467C87B7543F6C0948DD382D24D1E48B3763EC27D4D3
       2A0151C240CC5E0

   With SHA-256, message = "sample":
   k = 0F79D53E63D89FB87F4D9E6DC5949F5D9388BCFE9EBCB4C2F7CE497814CF40E8
       45705F8F18DBF0F860DE0B1CC4A433EF74A5741F3202E958C082E0B76E16ECD5
       866AA0F5F3DF300
   r = 1604BE98D1A27CEC2D3FA4BD07B42799E07743071E4905D7DCE7F6992B21A27F
       14F55D0FE5A7810DF65CF07F2F2554658817E5A88D952282EA1B8310514C0B40
       FFF46F159965168
   s = 18249377C654B8588475510F7B797081F68C2F8CCCE49F730353B2DA3364B1CD
       3E984813E11BB791824038EA367BA74583AB97A69AF2D77FA691AA694E348E15
       DA76F5A44EC1F40

   With SHA-384, message = "sample":
   k = 0308253C022D25F8A9EBCD24459DD6596590BDEC7895618EEE8A2623A98D2A2B
       2E7594EE6B7AD3A39D70D68CB4ED01CB28E2129F8E2CC0CC8DC7780657E28BCD
       655F0BE9B7D35A2
   r = 1E6D7FB237040EA1904CCBF0984B81B866DE10D8AA93B06364C4A46F6C9573FA
       288C8BDDCC0C6B984E6AA75B42E7BF82FF34D51DFFBD7C87FDBFAD971656185B
       D12E4B8372F4BF1
   s = 04F94550072ADA7E8C82B7E83577DD39959577799CDABCEA60E267F36F1BEB98
       1ABF24E722A7F031582D2CC5D80DAA7C0DEEBBE1AC5E729A6DBB34A5D645B698
       719FCA409FBA370

   With SHA-512, message = "sample":
   k = 0C5EE7070AF55F84EBC43A0D481458CEDE1DCEBB57720A3C92F59B4941A044FE
       CFF4F703940F3121773595E880333772ACF822F2449E17C64DA286BCD65711DD
       5DA44D7155BF004
   r = 086C9E048EADD7D3D2908501086F3AF449A01AF6BEB2026DC381B39530BCDDBE
       8E854251CBD5C31E6976553813C11213E4761CB8CA2E5352240AD9FB9C635D55
       FAB13AE42E4EE4F
   s = 09FEE0A68F322B380217FCF6ABFF15D78C432BD8DD82E18B6BA877C01C860E24
       410F5150A44F979920147826219766ECB4E2E11A151B6A15BB8E2E825AC95BCC
       A228D8A1C9D3568

Top      Up      ToC       Page 54 
   With SHA-1, message = "test":
   k = 1D056563469E933E4BE064585D84602D430983BFBFD6885A94BA484DF9A7AB03
       1AD6AC090A433D8EEDC0A7643EA2A9BC3B6299E8ABA933B4C1F2652BB49DAEE8
       33155C8F1319908
   r = 1D055F499A3F7E3FC73D6E7D517B470879BDCB14ABC938369F23643C7B96D024
       2C1FF326FDAF1CCC8593612ACE982209658E73C24C9EC493B785608669DA74A5
       B7C9A1D8EA843BC
   s = 1621376C53CFE3390A0520D2C657B1FF0EBB10E4B9C2510EDC39D04FEBAF12B8
       502B098A8B8F842EA6E8EB9D55CFEF94B7FF6D145AC3FFCE71BD978FEA3EF819
       4D4AB5293A8F3EA

   With SHA-224, message = "test":
   k = 1DA875065B9D94DBE75C61848D69578BCC267935792624F9887B53C9AF9E43CA
       BFC42E4C3F9A456BA89E717D24F1412F33CFD297A7A4D403B18B5438654C74D5
       92D5022125E0C6B
   r = 18709BDE4E9B73D046CE0D48842C97063DA54DCCA28DCB087168FA37DA2BF5FD
       BE4720EE48D49EDE4DD5BD31AC0149DB8297BD410F9BC02A11EB79B60C8EE63A
       F51B65267D71881
   s = 12D8B9E98FBF1D264D78669E236319D8FFD8426C56AFB10C76471EE88D7F0AB1
       B158E685B6D93C850D47FB1D02E4B24527473DB60B8D1AEF26CEEBD3467B65A7
       0FFDDC0DBB64D5F

   With SHA-256, message = "test":
   k = 04DDD0707E81BB56EA2D1D45D7FAFDBDD56912CAE224086802FEA1018DB306C4
       FB8D93338DBF6841CE6C6AB1506E9A848D2C0463E0889268843DEE4ACB552CFF
       CB858784ED116B2
   r = 1F5BF6B044048E0E310309FFDAC825290A69634A0D3592DBEE7BE71F69E45412
       F766AC92E174CC99AABAA5C9C89FCB187DFDBCC7A26765DB6D9F1EEC8A6127BB
       DFA5801E44E3BEC
   s = 1B44CBFB233BFA2A98D5E8B2F0B2C27F9494BEAA77FEB59CDE3E7AE9CB2E385B
       E8DA7B80D7944AA71E0654E5067E9A70E88E68833054EED49F28283F02B22912
       3995AF37A6089F0

   With SHA-384, message = "test":
   k = 0141B53DC6E569D8C0C0718A58A5714204502FDA146E7E2133E56D19E905B794
       13457437095DE13CF68B5CF5C54A1F2E198A55D974FC3E507AFC0ACF95ED391C
       93CC79E3B3FE37C
   r = 11F61A6EFAB6D83053D9C52665B3542FF3F63BD5913E527BDBA07FBAF34BC766
       C2EC83163C5273243AA834C75FDDD1BC8A2BEAD388CD06C4EBA1962D645EEB35
       E92D44E8F2E081D
   s = 16BF6341876F051DF224770CC8BA0E4D48B3332568A2B014BC80827BAA89DE18
       D1AEBC73E3BE8F85A8008C682AAC7D5F0E9FB5ECBEFBB637E30E4A0F226D2C2A
       A3E569BB54AB72B

Top      Up      ToC       Page 55 
   With SHA-512, message = "test":
   k = 14842F97F263587A164B215DD0F912C588A88DC4AB6AF4C530ADC1226F16E086
       D62C14435E6BFAB56F019886C88922D2321914EE41A8F746AAA2B964822E4AC6
       F40EE2492B66824
   r = 0F1E50353A39EA64CDF23081D6BB4B2A91DD73E99D3DD5A1AA1C49B4F6E34A66
       5EAD24FD530B9103D522609A395AF3EF174C85206F67EF84835ED1632E0F6BAB
       718EA90DF9E2DA0
   s = 0B385004D7596625028E3FDE72282DE4EDC5B4CE33C1127F21CC37527C90B730
       7AE7D09281B840AEBCECAA711B00718103DDB32B3E9F6A9FBC6AF23E224A73B9
       435F619D9C62527

Top      Up      ToC       Page 56 
A.2.13.  ECDSA, 163 Bits (Binary Field, Pseudorandom Curve)

   Key pair:

   curve: NIST B-163

   q = 40000000000000000000292FE77E70C12A4234C33
   (qlen = 163 bits)

   private key:

   x = 35318FC447D48D7E6BC93B48617DDDEDF26AA658F

   public key: U = xG

   Ux = 126CF562D95A1D77D387BA75A3EA3A1407F23425A

   Uy = 7D7CB5273C94DA8CA93049AFDA18721C24672BD71

   Signatures:

   With SHA-1, message = "sample":
   k = 0707A94C3D352E0A9FE49FB12F264992152A20004
   r = 153FEBD179A69B6122DEBF5BC61EB947B24C93526
   s = 37AC9C670F8CF18045049BAE7DD35553545C19E49

   With SHA-224, message = "sample":
   k = 3B24C5E2C2D935314EABF57A6484289B291ADFE3F
   r = 0A379E69C44F9C16EA3215EA39EB1A9B5D58CC955
   s = 04BAFF5308DA2A7FE2C1742769265AD3ED1D24E74

   With SHA-256, message = "sample":
   k = 3D7086A59E6981064A9CDB684653F3A81B6EC0F0B
   r = 134E00F78FC1CB9501675D91C401DE20DDF228CDC
   s = 373273AEC6C36CB7BAFBB1903A5F5EA6A1D50B624

   With SHA-384, message = "sample":
   k = 3B1E4443443486C7251A68EF184A936F05F8B17C7
   r = 29430B935AF8E77519B0CA4F6903B0B82E6A21A66
   s = 1EA1415306E9353FA5AA54BC7C2581DFBB888440D

   With SHA-512, message = "sample":
   k = 2EDF5CFCAC7553C17421FDF54AD1D2EF928A879D2
   r = 0B2F177A99F9DF2D51CCAF55F015F326E4B65E7A0
   s = 0DF1FB4487E9B120C5E970EFE48F55E406306C3A1

Top      Up      ToC       Page 57 
   With SHA-1, message = "test":
   k = 10024F5B324CBC8954BA6ADB320CD3AB9296983B4
   r = 256D4079C6C7169B8BC92529D701776A269D56308
   s = 341D3FFEC9F1EB6A6ACBE88E3C86A1C8FDEB8B8E1

   With SHA-224, message = "test":
   k = 34F46DE59606D56C75406BFB459537A7CC280AA62
   r = 28ECC6F1272CE80EA59DCF32F7AC2D861BA803393
   s = 0AD4AE2C06E60183C1567D2B82F19421FE3053CE2

   With SHA-256, message = "test":
   k = 38145E3FFCA94E4DDACC20AD6E0997BD0E3B669D2
   r = 227DF377B3FA50F90C1CB3CDCBBDBA552C1D35104
   s = 1F7BEAD92583FE920D353F368C1960D0E88B46A56

   With SHA-384, message = "test":
   k = 375813210ECE9C4D7AB42DDC3C55F89189CF6DFFD
   r = 11811DAFEEA441845B6118A0DFEE8A0061231337D
   s = 36258301865EE48C5C6F91D63F62695002AB55B57

   With SHA-512, message = "test":
   k = 25AD8B393BC1E9363600FDA1A2AB6DF40079179A3
   r = 3B6BB95CA823BE2ED8E3972FF516EB8972D765571
   s = 13DC6F420628969DF900C3FCC48220B38BE24A541

Top      Up      ToC       Page 58 
A.2.14.  ECDSA, 233 Bits (Binary Field, Pseudorandom Curve)

   Key pair:

   curve: NIST B-233

   q = 1000000000000000000000000000013E974E72F8A6922031D2603CFE0D7
   (qlen = 233 bits)

   private key:

   x = 07ADC13DD5BF34D1DDEEB50B2CE23B5F5E6D18067306D60C5F6FF11E5D3

   public key: U = xG

   Ux = 0FB348B3246B473AA7FBB2A01B78D61B62C4221D0F9AB55FC72DB3DF478

   Uy = 1162FA1F6C6ACF7FD8D19FC7D74BDD9104076E833898BC4C042A6E6BEBF

   Signatures:

   With SHA-1, message = "sample":
   k = 0A4E0B67A3A081C1B35D7BECEB5FE72A918B422B907145DB5416ED751CE
   r = 015CC6FD78BB06E0878E71465515EA5A21A2C18E6FC77B4B158DBEB3944
   s = 0822A4A6C2EB2DF213A5E90BF40377956365EE8C4B4A5A4E2EB9270CB6A

   With SHA-224, message = "sample":
   k = 0F2B1C1E80BEB58283AAA79857F7B83BDF724120D0913606FD07F7FFB2C
   r = 05D9920B53471148E10502AB49AB7A3F11084820A074FD89883CF51BC1A
   s = 04D3938900C0A9AAA7080D1DFEB56CFB0FADABE4214536C7ED5117ED13A

   With SHA-256, message = "sample":
   k = 034A53897B0BBDB484302E19BF3F9B34A2ABFED639D109A388DC52006B5
   r = 0A797F3B8AEFCE7456202DF1E46CCC291EA5A49DA3D4BDDA9A4B62D5E0D
   s = 01F6F81DA55C22DA4152134C661588F4BD6F82FDBAF0C5877096B070DC2

   With SHA-384, message = "sample":
   k = 04D4670B28990BC92EEB49840B482A1FA03FE028D09F3D21F89C67ECA85
   r = 015E85A8D46225DD7E314A1C4289731FC14DECE949349FE535D11043B85
   s = 03F189D37F50493EFD5111A129443A662AB3C6B289129AD8C0CAC85119C

   With SHA-512, message = "sample":
   k = 0DE108AAADA760A14F42C057EF81C0A31AF6B82E8FBCA8DC86E443AB549
   r = 03B62A4BF783919098B1E42F496E65F7621F01D1D466C46940F0F132A95
   s = 0F4BE031C6E5239E7DAA014CBBF1ED19425E49DAEB426EC9DF4C28A2E30

Top      Up      ToC       Page 59 
   With SHA-1, message = "test":
   k = 0250C5C90A4E2A3F8849FEBA87F0D0AE630AB18CBABB84F4FFFB36CEAC0
   r = 02F1FEDC57BE203E4C8C6B8C1CEB35E13C1FCD956AB41E3BD4C8A6EFB1F
   s = 05738EC8A8EDEA8E435EE7266AD3EDE1EEFC2CEBE2BE1D614008D5D2951

   With SHA-224, message = "test":
   k = 07BDB6A7FD080D9EC2FC84BFF9E3E15750789DC04290C84FED00E109BBD
   r = 0CCE175124D3586BA7486F7146894C65C2A4A5A1904658E5C7F9DF5FA5D
   s = 08804B456D847ACE5CA86D97BF79FD6335E5B17F6C0D964B5D0036C867E

   With SHA-256, message = "test":
   k = 00376886E89013F7FF4B5214D56A30D49C99F53F211A3AFE01AA2BDE12D
   r = 035C3D6DFEEA1CFB29B93BE3FDB91A7B130951770C2690C16833A159677
   s = 0600F7301D12AB376B56D4459774159ADB51F97E282FF384406AFD53A02

   With SHA-384, message = "test":
   k = 03726870DE75613C5E529E453F4D92631C03D08A7F63813E497D4CB3877
   r = 061602FC8068BFD5FB86027B97455D200EC603057446CCE4D76DB8EF42C
   s = 03396DD0D59C067BB999B422D9883736CF9311DFD6951F91033BD03CA8D

   With SHA-512, message = "test":
   k = 09CE5810F1AC68810B0DFFBB6BEEF2E0053BB937969AE7886F9D064A8C4
   r = 07E12CB60FDD614958E8E34B3C12DDFF35D85A9C5800E31EA2CC2EF63B1
   s = 0E8970FD99D836F3CC1C807A2C58760DE6EDAA23705A82B9CB1CE93FECC

Top      Up      ToC       Page 60 
A.2.15.  ECDSA, 283 Bits (Binary Field, Pseudorandom Curve)

   Key pair:

   curve: NIST B-283

   q = 3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CE
       FADB307
   (qlen = 282 bits)

   private key:

   x = 14510D4BC44F2D26F4553942C98073C1BD35545CEABB5CC138853C5158D2729E
       A408836

   public key: U = xG

   Ux = 17E3409A13C399F0CA8A192F028D46E3446BCFFCDF51FF8A905ED2DED786E74F
        9C3E8A9

   Uy = 47EFCBCC31C01D86D1992F7BFAC0277DBD02A6D289274099A2C0F039C8F59F31
        8371B0E

   Signatures:

   With SHA-1, message = "sample":
   k = 277F389559667E8AE4B65DC056F8CE2872E1917E7CC59D17D485B0B98343206F
       BCCD441
   r = 201E18D48C6DB3D5D097C4DCE1E25587E1501FC3CF47BDB5B4289D79E273D6A9
       ACB8285
   s = 151AE05712B024CE617358260774C8CA8B0E7A7E72EF8229BF2ACE7609560CB3
       0322C4F

   With SHA-224, message = "sample":
   k = 14CC8FCFEECD6B999B4DC6084EBB06FDED0B44D5C507802CC7A5E9ECF36E69DA
       6AE23C6
   r = 143E878DDFD4DF40D97B8CD638B3C4706501C2201CF7108F2FB91478C11D6947
       3246925
   s = 0CBF1B9717FEEA3AABB09D9654110144267098E0E1E8D0289A6211BE0EEDFDD8
       6A3DB79

   With SHA-256, message = "sample":
   k = 38C9D662188982943E080B794A4CFB0732DBA37C6F40D5B8CFADED6FF31C5452
       BA3F877
   r = 29FD82497FB3E5CEF65579272138DE59E2B666B8689466572B3B69A172CEE83B
       E145659
   s = 05A89D9166B40795AF0FE5958201B9C0523E500013CA12B4840EA2BC53F25F9B
       3CE87C0

Top      Up      ToC       Page 61 
   With SHA-384, message = "sample":
   k = 21B7265DEBF90E6F988CFFDB62B121A02105226C652807CC324ED6FB119A287A
       72680AB
   r = 2F00689C1BFCD2A8C7A41E0DE55AE182E6463A152828EF89FE3525139B660329
       4E69353
   s = 1744514FE0A37447250C8A329EAAADA81572226CABA16F39270EE5DD03F27B1F
       665EB5D

   With SHA-512, message = "sample":
   k = 20583259DC179D9DA8E5387E89BFF2A3090788CF1496BCABFE7D45BB120B0C81
       1EB8980
   r = 0DA43A9ADFAA6AD767998A054C6A8F1CF77A562924628D73C62761847AD8286E
       0D91B47
   s = 1D118733AE2C88357827CAFC6F68ABC25C80C640532925E95CFE66D40F8792F3
       AC44C42

   With SHA-1, message = "test":
   k = 0185C57A743D5BA06193CE2AA47B07EF3D6067E5AE1A6469BCD3FC510128BA56
       4409D82
   r = 05A408133919F2CDCDBE5E4C14FBC706C1F71BADAFEF41F5DE4EC27272FC1CA9
       366FBB2
   s = 012966272872C097FEA7BCE64FAB1A81982A773E26F6E4EF7C99969846E67CA9
       CBE1692

   With SHA-224, message = "test":
   k = 2E5C1F00677A0E015EC3F799FA9E9A004309DBD784640EAAF5E1CE64D3045B9F
       E9C1FA1
   r = 08F3824E40C16FF1DDA8DC992776D26F4A5981AB5092956C4FDBB4F1AE0A711E
       EAA10E5
   s = 0A64B91EFADB213E11483FB61C73E3EF63D3B44EEFC56EA401B99DCC60CC28E9
       9F0F1FA

   With SHA-256, message = "test":
   k = 018A7D44F2B4341FEFE68F6BD8894960F97E08124AAB92C1FFBBE90450FCC935
       6C9AAA5
   r = 3597B406F5329D11A79E887847E5EC60861CCBB19EC61F252DB7BD549C699951
       C182796
   s = 0A6A100B997BC622D91701D9F5C6F6D3815517E577622DA69D3A0E8917C1CBE6
       3ACD345

   With SHA-384, message = "test":
   k = 3C75397BA4CF1B931877076AF29F2E2F4231B117AB4B8E039F7F9704DE1BD352
       2F150B6
   r = 1BB490926E5A1FDC7C5AA86D0835F9B994EDA315CA408002AF54A298728D422E
       BF59E4C
   s = 36C682CFC9E2C89A782BFD3A191609D1F0C1910D5FD6981442070393159D65FB
       CC0A8BA

Top      Up      ToC       Page 62 
   With SHA-512, message = "test":
   k = 14E66B18441FA54C21E3492D0611D2B48E19DE3108D915FD5CA08E786327A267
       5F11074
   r = 19944AA68F9778C2E3D6E240947613E6DA60EFCE9B9B2C063FF5466D72745B5A
       0B25BA2
   s = 03F1567B3C5B02DF15C874F0EE22850824693D5ADC4663BAA19E384E550B1DD4
       1F31EE6

Top      Up      ToC       Page 63 
A.2.16.  ECDSA, 409 Bits (Binary Field, Pseudorandom Curve)

   Key pair:

   curve: NIST B-409

   q = 10000000000000000000000000000000000000000000000000001E2AAD6A612F
       33307BE5FA47C3C9E052F838164CD37D9A21173
   (qlen = 409 bits)

   private key:

   x = 0494994CC325B08E7B4CE038BD9436F90B5E59A2C13C3140CD3AE07C04A01FC4
       89F572CE0569A6DB7B8060393DE76330C624177

   public key: U = xG

   Ux = 1A7055961CF1DA4B9A015B18B1524EF01FDD9B93FAEFC26FB1F2F828A7227B70
        31925DA0AC1A8A075C3B33554B222EA859C17E7

   Uy = 18105C042F290736088F30AEC7AE7732A45DE47BCE0940113AB8132516D1E059
        B0F581FD581A9A3CB3A0AC42A1962738ADB86E6

   Signatures:

   With SHA-1, message = "sample":
   k = 042D8A2B34402757EB2CCFDDC3E6E96A7ADD3FDA547FC10A0CB77CFC720B4F9E
       16EEAAA2A8CC4E4A4B5DBF7D8AC4EA491859E60
   r = 0D8783188E1A540E2022D389E1D35B32F56F8C2BB5636B8ABF7718806B27A713
       EBAE37F63ECD4B61445CEF5801B62594EF3E982
   s = 03A6B4A80E204DB0DE12E7415C13C9EC091C52935658316B4A0C591216A38791
       54BEB1712560E346E7EF26517707435B55C3141

   With SHA-224, message = "sample":
   k = 0C933F1DC4C70838C2AD16564715ACAF545BCDD8DC203D25AF3EC63949C65CB2
       E68AC1F60CA7EACA2A823F4E240927AA82CEEC5
   r = 0EE4F39ACC2E03CE96C3D9FCBAFA5C22C89053662F8D4117752A9B10F09ADFDA
       59DB061E247FE5321D6B170EE758ACE1BE4D157
   s = 00A2B83265B456A430A8BF27DCC8A9488B3F126C10F0D6D64BF7B8A218FAAF20
       E51A295A3AE78F205E5A4A6AE224C3639F1BB34

   With SHA-256, message = "sample":
   k = 08EC42D13A3909A20C41BEBD2DFED8CACCE56C7A7D1251DF43F3E9E289DAE00E
       239F6960924AC451E125B784CB687C7F23283FD
   r = 02D8B1B31E33E74D7EB46C30FDE5AD2CA04EC8FE08FBA0E73BA5E568953AC5EA
       307C072942238DFC07F4A4D7C7C6A9F86436D17
   s = 079F7D471E6CB73234AF7F7C381D2CE15DE35BAF8BB68393B73235B3A26EC2DF
       4842CE433FB492D6E074E604D4870024D42189A

Top      Up      ToC       Page 64 
   With SHA-384, message = "sample":
   k = 0DA881BCE3BA851485879EF8AC585A63F1540B9198ECB8A1096D70CB25A104E2
       F8A96B108AE76CB49CF34491ABC70E9D2AAD450
   r = 07BC638B7E7CE6FEE5E9C64A0F966D722D01BB4BC3F3A35F30D4CDDA92DFC5F7
       F0B4BBFE8065D9AD452FD77A1914BE3A2440C18
   s = 06D904429850521B28A32CBF55C7C0FDF35DC4E0BDA2552C7BF68A171E970E67
       88ACC0B9521EACB4796E057C70DD9B95FED5BFB

   With SHA-512, message = "sample":
   k = 0750926FFAD7FF5DE85DF7960B3A4F9E3D38CF5A049BFC89739C48D42B34FBEE
       03D2C047025134CC3145B60AFD22A68DF0A7FB2
   r = 05D178DECAFD2D02A3DA0D8BA1C4C1D95EE083C760DF782193A9F7B4A8BE6FC5
       C21FD60613BCA65C063A61226E050A680B3ABD4
   s = 013B7581E98F6A63FBBCB3E49BCDA60F816DB230B888506D105DC229600497C3
       B46588C784BE3AA9343BEF82F7C9C80AEB63C3B

   With SHA-1, message = "test":
   k = 017E167EAB1850A3B38EE66BFE2270F2F6BFDAC5E2D227D47B20E75F0719161E
       6C74E9F23088F0C58B1E63BC6F185AD2EF4EAE6
   r = 049F54E7C10D2732B4638473053782C6919218BBEFCEC8B51640FC193E832291
       F05FA12371E9B448417B3290193F08EE9319195
   s = 0499E267DEC84E02F6F108B10E82172C414F15B1B7364BE8BFD66ADC0C5DE23F
       EE3DF0D811134C25AFE0E05A6672F98889F28F1

   With SHA-224, message = "test":
   k = 01ADEB94C19951B460A146B8275D81638C07735B38A525D76023AAF26AA8A058
       590E1D5B1E78AB3C91608BDA67CFFBE6FC8A6CC
   r = 0B1527FFAA7DD7C7E46B628587A5BEC0539A2D04D3CF27C54841C2544E1BBDB4
       2FDBDAAF8671A4CA86DFD619B1E3732D7BB56F2
   s = 0442C68C044868DF4832C807F1EDDEBF7F5052A64B826FD03451440794063F52
       B022DF304F47403D4069234CA9EB4C964B37C02

   With SHA-256, message = "test":
   k = 06EBA3D58D0E0DFC406D67FC72EF0C943624CF40019D1E48C3B54CCAB0594AFD
       5DEE30AEBAA22E693DBCFECAD1A85D774313DAD
   r = 0BB27755B991D6D31757BCBF68CB01225A38E1CFA20F775E861055DD108ED7EA
       455E4B96B2F6F7CD6C6EC2B3C70C3EDDEB9743B
   s = 0C5BE90980E7F444B5F7A12C9E9AC7A04CA81412822DD5AD1BE7C45D5032555E
       A070864245CF69266871FEB8CD1B7EDC30EF6D5

   With SHA-384, message = "test":
   k = 0A45B787DB44C06DEAB846511EEDBF7BFCFD3BD2C11D965C92FC195F67328F36
       A2DC83C0352885DAB96B55B02FCF49DCCB0E2DA
   r = 04EFEB7098772187907C87B33E0FBBA4584226C50C11E98CA7AAC6986F8D3BE0
       44E5B52D201A410B852536527724CA5F8CE6549
   s = 09574102FEB3EF87E6D66B94119F5A6062950FF4F902EA1E6BD9E2037F33FF99
       1E31F5956C23AFE48FCDC557FD6F088C7C9B2B3

Top      Up      ToC       Page 65 
   With SHA-512, message = "test":
   k = 0B90F8A0E757E81D4EA6891766729C96A6D01F9AEDC0D334932D1F81CC4E1973
       A4F01C33555FF08530A5098CADB6EDAE268ABB5
   r = 07E0249C68536AE2AEC2EC30090340DA49E6DC9E9EEC8F85E5AABFB234B6DA7D
       2E9524028CF821F21C6019770474CC40B01FAF6
   s = 08125B5A03FB44AE81EA46D446130C2A415ECCA265910CA69D55F2453E16CD7B
       2DFA4E28C50FA8137F9C0C6CEE4CD37ABCCF6D8

Top      Up      ToC       Page 66 
A.2.17.  ECDSA, 571 Bits (Binary Field, Pseudorandom Curve)

   Key pair:

   curve: NIST B-571

   q = 3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
       FFFFFFFE661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8
       382E9BB2FE84E47
   (qlen = 570 bits)

   private key:

   x = 028A04857F24C1C082DF0D909C0E72F453F2E2340CCB071F0E389BCA2575DA19
       124198C57174929AD26E348CF63F78D28021EF5A9BF2D5CBEAF6B7CCB6C4DA82
       4DD5C82CFB24E11

   public key: U = xG

   Ux = 4B4B3CE9377550140B62C1061763AA524814DDCEF37B00CD5CDE94F7792BB0E9
        6758E55DA2E9FEA8FF2A8B6830AE1D57A9CA7A77FCB0836BF43EA5454CDD9FEA
        D5CCFE7375C6A83

   Uy = 4453B18F261E7A0E7570CD72F235EA750438E43946FBEBD2518B696954767AA7
        849C1719E18E1C51652C28CA853426F15C09AA4B579487338ABC7F33768FADD6
        1B5A3A6443A8189

   Signatures:

   With SHA-1, message = "sample":
   k = 2669FAFEF848AF67D437D4A151C3C5D3F9AA8BB66EDC35F090C9118F95BA0041
       B0993BE2EF55DAAF36B5B3A737C40DB1F6E3D93D97B8419AD6E1BB8A5D4A0E9B
       2E76832D4E7B862
   r = 147D3EB0EDA9F2152DFD014363D6A9CE816D7A1467D326A625FC4AB0C786E1B7
       4DDF7CD4D0E99541391B266C704BB6B6E8DCCD27B460802E0867143727AA4155
       55454321EFE5CB6
   s = 17319571CAF533D90D2E78A64060B9C53169AB7FC908947B3EDADC54C79CCF0A
       7920B4C64A4EAB6282AFE9A459677CDA37FD6DD50BEF18709590FE18B923BDF7
       4A66B189A850819

Top      Up      ToC       Page 67 
   With SHA-224, message = "sample":
   k = 2EAFAD4AC8644DEB29095BBAA88D19F31316434F1766AD4423E0B54DD2FE0C05
       E307758581B0DAED2902683BBC7C47B00E63E3E429BA54EA6BA3AEC33A94C9A2
       4A6EF8E27B7677A
   r = 10F4B63E79B2E54E4F4F6A2DBC786D8F4A143ECA7B2AD97810F6472AC6AE2085
       3222854553BE1D44A7974599DB7061AE8560DF57F2675BE5F9DD94ABAF3D47F1
       582B318E459748B
   s = 3BBEA07C6B269C2B7FE9AE4DDB118338D0C2F0022920A7F9DCFCB7489594C03B
       536A9900C4EA6A10410007222D3DAE1A96F291C4C9275D75D98EB290DC0EEF17
       6037B2C7A7A39A3

   With SHA-256, message = "sample":
   k = 15C2C6B7D1A070274484774E558B69FDFA193BDB7A23F27C2CD24298CE1B22A6
       CC9B7FB8CABFD6CF7C6B1CF3251E5A1CDDD16FBFED28DE79935BB2C631B8B8EA
       9CC4BCC937E669E
   r = 213EF9F3B0CFC4BF996B8AF3A7E1F6CACD2B87C8C63820000800AC787F17EC99
       C04BCEDF29A8413CFF83142BB88A50EF8D9A086AF4EB03E97C567500C21D8657
       14D832E03C6D054
   s = 3D32322559B094E20D8935E250B6EC139AC4AAB77920812C119AF419FB62B332
       C8D226C6C9362AE3C1E4AABE19359B8428EA74EC8FBE83C8618C2BCCB6B43FBA
       A0F2CCB7D303945

   With SHA-384, message = "sample":
   k = 0FEF0B68CB49453A4C6ECBF1708DBEEFC885C57FDAFB88417AAEFA5B1C35017B
       4B498507937ADCE2F1D9EFFA5FE8F5AEB116B804FD182A6CF1518FDB62D53F60
       A0FF6EB707D856B
   r = 375D8F49C656A0BBD21D3F54CDA287D853C4BB1849983CD891EF6CD6BB56A62B
       687807C16685C2C9BCA2663C33696ACCE344C45F3910B1DF806204FF731ECB28
       9C100EF4D1805EC
   s = 1CDEC6F46DFEEE44BCE71D41C60550DC67CF98D6C91363625AC2553E4368D2DF
       B734A8E8C72E118A76ACDB0E58697940A0F3DF49E72894BD799450FC9E550CC0
       4B9FF9B0380021C

   With SHA-512, message = "sample":
   k = 3FF373833A06C791D7AD586AFA3990F6EF76999C35246C4AD0D519BFF180CA18
       80E11F2FB38B764854A0AE3BECDDB50F05AC4FCEE542F207C0A6229E2E19652F
       0E647B9C4882193
   r = 1C26F40D940A7EAA0EB1E62991028057D91FEDA0366B606F6C434C361F04E545
       A6A51A435E26416F6838FFA260C617E798E946B57215284182BE55F29A355E60
       24FE32A47289CF0
   s = 3691DE4369D921FE94EDDA67CB71FBBEC9A436787478063EB1CC778B3DCDC1C4
       162662752D28DEEDF6F32A269C82D1DB80C87CE4D3B662E03AC347806E3F19D1
       8D6D4DE7358DF7E

Top      Up      ToC       Page 68 
   With SHA-1, message = "test":
   k = 019B506FD472675A7140E429AA5510DCDDC21004206EEC1B39B28A688A8FD324
       138F12503A4EFB64F934840DFBA2B4797CFC18B8BD0B31BBFF3CA66A4339E4EF
       9D771B15279D1DC
   r = 133F5414F2A9BC41466D339B79376038A64D045E5B0F792A98E5A7AA87E0AD01
       6419E5F8D176007D5C9C10B5FD9E2E0AB8331B195797C0358BA05ECBF24ACE59
       C5F368A6C0997CC
   s = 3D16743AE9F00F0B1A500F738719C5582550FEB64689DA241665C4CE4F328BA0
       E34A7EF527ED13BFA5889FD2D1D214C11EB17D6BC338E05A56F41CAFF1AF7B8D
       574DB62EF0D0F21

   With SHA-224, message = "test":
   k = 333C711F8C62F205F926593220233B06228285261D34026232F6F729620C6DE1
       2220F282F4206D223226705608688B20B8BA86D8DFE54F07A37EC48F253283AC
       33C3F5102C8CC3E
   r = 3048E76506C5C43D92B2E33F62B33E3111CEEB87F6C7DF7C7C01E3CDA28FA5E8
       BE04B5B23AA03C0C70FEF8F723CBCEBFF0B7A52A3F5C8B84B741B4F6157E69A5
       FB0524B48F31828
   s = 2C99078CCFE5C82102B8D006E3703E020C46C87C75163A2CD839C885550BA5CB
       501AC282D29A1C26D26773B60FBE05AAB62BFA0BA32127563D42F7669C97784C
       8897C22CFB4B8FA

   With SHA-256, message = "test":
   k = 328E02CF07C7B5B6D3749D8302F1AE5BFAA8F239398459AF4A2C859C7727A812
       3A7FE9BE8B228413FC8DC0E9DE16AF3F8F43005107F9989A5D97A5C4455DA895
       E81336710A3FB2C
   r = 184BC808506E11A65D628B457FDA60952803C604CC7181B59BD25AEE1411A66D
       12A777F3A0DC99E1190C58D0037807A95E5080FA1B2E5CCAA37B50D401CFFC34
       17C005AEE963469
   s = 27280D45F81B19334DBDB07B7E63FE8F39AC7E9AE14DE1D2A6884D2101850289
       D70EE400F26ACA5E7D73F534A14568478E59D00594981ABE6A1BA18554C13EB5
       E03921E4DC98333

   With SHA-384, message = "test":
   k = 2A77E29EAD9E811A9FDA0284C14CDFA1D9F8FA712DA59D530A06CDE54187E250
       AD1D4FB5788161938B8DE049616399C5A56B0737C9564C9D4D845A4C6A7CDFCB
       FF0F01A82BE672E
   r = 319EE57912E7B0FAA1FBB145B0505849A89C6DB1EC06EA20A6A7EDE072A6268A
       F6FD9C809C7E422A5F33C6C3326EAD7402467DF3272A1B2726C1C20975950F0F
       50D8324578F13EC
   s = 2CF3EA27EADD0612DD2F96F46E89AB894B01A10DF985C5FC099CFFE0EA083EB4
       4BE682B08BFE405DAD5F37D0A2C59015BA41027E24B99F8F75A70B6B7385BF39
       BBEA02513EB880C

Top      Up      ToC       Page 69 
   With SHA-512, message = "test":
   k = 21CE6EE4A2C72C9F93BDB3B552F4A633B8C20C200F894F008643240184BE57BB
       282A1645E47FBBE131E899B4C61244EFC2486D88CDBD1DD4A65EBDD837019D02
       628D0DCD6ED8FB5
   r = 2AA1888EAB05F7B00B6A784C4F7081D2C833D50794D9FEAF6E22B8BE728A2A90
       BFCABDC803162020AA629718295A1489EE7ED0ECB8AAA197B9BDFC49D18DDD78
       FC85A48F9715544
   s = 0AA5371FE5CA671D6ED9665849C37F394FED85D51FEF72DA2B5F28EDFB2C6479
       CA63320C19596F5E1101988E2C619E302DD05112F47E8823040CE540CD3E90DC
       F41DBC461744EE9

Top      Up      ToC       Page 70 
A.3.  Sample Code

   We include here a sample implementation of deterministic DSA.  It is
   meant for illustration purposes; for instance, this code makes no
   attempt at avoiding side-channel leakage of the private key.  It is
   written in the Java programming language.  The actual generation of
   the "random" value k is done in the computek() method.  The Java
   virtual machine (JVM) is assumed to provide the implementation of the
   hash function and of HMAC.

  // ==================================================================

  import java.math.BigInteger;
  import java.security.InvalidKeyException;
  import java.security.MessageDigest;
  import java.security.NoSuchAlgorithmException;
  import javax.crypto.Mac;
  import javax.crypto.spec.SecretKeySpec;

  /**
   * Deterministic DSA signature generation.  This is a sample
   * implementation designed to illustrate how deterministic DSA
   * chooses the pseudorandom value k when signing a given message.
   * This implementation was NOT optimized or hardened against
   * side-channel leaks.
   *
   * An instance is created with a hash function name, which must be
   * supported by the underlying Java virtual machine ("SHA-1" and
   * "SHA-256" should work everywhere).  The data to sign is input
   * through the {@code update()} methods.  The private key is set with
   * {@link #setPrivateKey}.  The signature is obtained by calling
   * {@link #sign}; alternatively, {@link #signHash} can be used to
   * sign some data that has been externally hashed.  The private key
   * MUST be set before generating the signature itself, but message
   * data can be input before setting the key.
   *
   * Instances are NOT thread-safe.  However, once a signature has
   * been generated, the same instance can be used again for another
   * signature; {@link #setPrivateKey} need not be called again if the
   * private key has not changed.  {@link #reset} can also be called to
   * cancel previously input data.  Generating a signature with {@link
   * #sign} (not {@link #signHash}) also implicitly causes a
   * reset.
   *
   * ------------------------------------------------------------------
   * Copyright (c) 2013 IETF Trust and the persons identified as
   * authors of the code.  All rights reserved.
   *

Top      Up      ToC       Page 71 
   * Redistribution and use in source and binary forms, with or without
   * modification, is permitted pursuant to, and subject to the license
   * terms contained in, the Simplified BSD License set forth in Section
   * 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents
   * (http://trustee.ietf.org/license-info).
   *
   * Technical remarks and questions can be addressed to:
   * pornin@bolet.org
   * ------------------------------------------------------------------
   */

  public class DeterministicDSA {

          private String macName;
          private MessageDigest dig;
          private Mac hmac;
          private BigInteger p, q, g, x;
          private int qlen, rlen, rolen, holen;
          private byte[] bx;

          /**
           * Create an instance, using the specified hash function.
           * The name is used to obtain from the JVM an implementation
           * of the hash function and an implementation of HMAC.
           *
           * @param hashName   the hash function name
           * @throws IllegalArgumentException  on unsupported name
           */
          public DeterministicDSA(String hashName)
          {
                  try {
                          dig = MessageDigest.getInstance(hashName);
                  } catch (NoSuchAlgorithmException nsae) {
                          throw new IllegalArgumentException(nsae);
                  }
                  if (hashName.indexOf('-') < 0) {
                          macName = "Hmac" + hashName;
                  } else {
                          StringBuilder sb = new StringBuilder();
                          sb.append("Hmac");
                          int n = hashName.length();
                          for (int i = 0; i < n; i ++) {
                                  char c = hashName.charAt(i);
                                  if (c != '-') {
                                          sb.append(c);
                                  }
                          }
                          macName = sb.toString();

Top      Up      ToC       Page 72 
                  }
                  try {
                          hmac = Mac.getInstance(macName);
                  } catch (NoSuchAlgorithmException nsae) {
                          throw new IllegalArgumentException(nsae);
                  }
                  holen = hmac.getMacLength();
          }

          /**
           * Set the private key.
           *
           * @param p   key parameter: field modulus
           * @param q   key parameter: subgroup order
           * @param g   key parameter: generator
           * @param x   private key
           */
          public void setPrivateKey(BigInteger p, BigInteger q,
                  BigInteger g, BigInteger x)
          {
                  /*
                   * Perform some basic sanity checks.  We do not
                   * check primality of p or q because that would
                   * be too expensive.
                   *
                   * We reject keys where q is longer than 999 bits,
                   * because it would complicate signature encoding.
                   * Normal DSA keys do not have a q longer than 256
                   * bits anyway.
                   */
                  if (p == null || q == null || g == null || x == null
                          || p.signum() <= 0 || q.signum() <= 0
                          || g.signum() <= 0 || x.signum() <= 0
                          || x.compareTo(q) >= 0 || q.compareTo(p) >= 0
                          || q.bitLength() > 999
                          || g.compareTo(p) >= 0 || g.bitLength() == 1
                          || g.modPow(q, p).bitLength() != 1) {
                          throw new IllegalArgumentException(
                                  "invalid DSA private key");
                  }
                  this.p = p;
                  this.q = q;
                  this.g = g;
                  this.x = x;
                  qlen = q.bitLength();
                  if (q.signum() <= 0 || qlen < 8) {
                          throw new IllegalArgumentException(
                                  "bad group order: " + q);

Top      Up      ToC       Page 73 
                  }
                  rolen = (qlen + 7) >>> 3;
                  rlen = rolen * 8;

                  /*
                   * Convert the private exponent (x) into a sequence
                   * of octets.
                   */
                  bx = int2octets(x);
          }

          private BigInteger bits2int(byte[] in)
          {
                  BigInteger v = new BigInteger(1, in);
                  int vlen = in.length * 8;
                  if (vlen > qlen) {
                          v = v.shiftRight(vlen - qlen);
                  }
                  return v;
          }

          private byte[] int2octets(BigInteger v)
          {
                  byte[] out = v.toByteArray();
                  if (out.length < rolen) {
                          byte[] out2 = new byte[rolen];
                          System.arraycopy(out, 0,
                                  out2, rolen - out.length,
                                  out.length);
                          return out2;
                  } else if (out.length > rolen) {
                          byte[] out2 = new byte[rolen];
                          System.arraycopy(out, out.length - rolen,
                                  out2, 0, rolen);
                          return out2;
                  } else {
                          return out;
                  }
          }

          private byte[] bits2octets(byte[] in)
          {
                  BigInteger z1 = bits2int(in);
                  BigInteger z2 = z1.subtract(q);
                  return int2octets(z2.signum() < 0 ? z1 : z2);
          }

          /**

Top      Up      ToC       Page 74 
           * Set (or reset) the secret key used for HMAC.
           *
           * @param K   the new secret key
           */
          private void setHmacKey(byte[] K)
          {
                  try {
                          hmac.init(new SecretKeySpec(K, macName));
                  } catch (InvalidKeyException ike) {
                          throw new IllegalArgumentException(ike);
                  }
          }

          /**
           * Compute the pseudorandom k for signature generation,
           * using the process specified for deterministic DSA.
           *
           * @param h1   the hashed message
           * @return  the pseudorandom k to use
           */
          private BigInteger computek(byte[] h1)
          {
                  /*
                   * Convert hash value into an appropriately truncated
                   * and/or expanded sequence of octets.  The private
                   * key was already processed (into field bx[]).
                   */
                  byte[] bh = bits2octets(h1);

                  /*
                   * HMAC is always used with K as key.
                   * Whenever K is updated, we reset the
                   * current HMAC key.
                   */

                  /* step b. */
                  byte[] V = new byte[holen];
                  for (int i = 0; i < holen; i ++) {
                          V[i] = 0x01;
                  }

                  /* step c. */
                  byte[] K = new byte[holen];
                  setHmacKey(K);

                  /* step d. */
                  hmac.update(V);
                  hmac.update((byte)0x00);

Top      Up      ToC       Page 75 
                  hmac.update(bx);
                  hmac.update(bh);
                  K = hmac.doFinal();
                  setHmacKey(K);

                  /* step e. */
                  hmac.update(V);
                  V = hmac.doFinal();

                  /* step f. */
                  hmac.update(V);
                  hmac.update((byte)0x01);
                  hmac.update(bx);
                  hmac.update(bh);
                  K = hmac.doFinal();
                  setHmacKey(K);

                  /* step g. */
                  hmac.update(V);
                  V = hmac.doFinal();

                  /* step h. */
                  byte[] T = new byte[rolen];
                  for (;;) {
                          /*
                           * We want qlen bits, but we support only
                           * hash functions with an output length
                           * multiple of 8;acd hence, we will gather
                           * rlen bits, i.e., rolen octets.
                           */
                          int toff = 0;
                          while (toff < rolen) {
                                  hmac.update(V);
                                  V = hmac.doFinal();
                                  int cc = Math.min(V.length,
                                          T.length - toff);
                                  System.arraycopy(V, 0, T, toff, cc);
                                  toff += cc;
                          }
                          BigInteger k = bits2int(T);
                          if (k.signum() > 0 && k.compareTo(q) < 0) {
                                  return k;
                          }

                          /*
                           * k is not in the proper range; update
                           * K and V, and loop.
                           */

Top      Up      ToC       Page 76 
                          hmac.update(V);
                          hmac.update((byte)0x00);
                          K = hmac.doFinal();
                          setHmacKey(K);
                          hmac.update(V);
                          V = hmac.doFinal();
                  }
          }

          /**
           * Process one more byte of input data (message to sign).
           *
           * @param in   the extra input byte
           */
          public void update(byte in)
          {
                  dig.update(in);
          }

          /**
           * Process some extra bytes of input data (message to sign).
           *
           * @param in   the extra input bytes
           */
          public void update(byte[] in)
          {
                  dig.update(in, 0, in.length);
          }

          /**
           * Process some extra bytes of input data (message to sign).
           *
           * @param in    the extra input buffer
           * @param off   the extra input offset
           * @param len   the extra input length (in bytes)
           */
          public void update(byte[] in, int off, int len)
          {
                  dig.update(in, off, len);
          }

          /**
           * Produce the signature.  {@link #setPrivateKey} MUST have
           * been called.  The signature is computed over the data
           * that was input through the {@code update*()} methods.
           * This engine is then reset (made ready for a new
           * signature generation).
           *

Top      Up      ToC       Page 77 
           * @return  the signature
           */
          public byte[] sign()
          {
                  return signHash(dig.digest());
          }

          /**
           * Produce the signature.  {@link #setPrivateKey} MUST
           * have been called.  The signature is computed over the
           * provided hash value (data is assumed to have been hashed
           * externally).  The data that was input through the
           * {@code update*()} methods is ignored, but kept.
           *
           * If the hash output is longer than the subgroup order
           * (the length of q, in bits, denoted 'qlen'), then the
           * provided value {@code h1} can be truncated, provided that
           * at least qlen leading bits are preserved.  In other words,
           * bit values in {@code h1} beyond the first qlen bits are
           * ignored.
           *
           * @param h1   the hash value
           * @return  the signature
           */
          public byte[] signHash(byte[] h1)
          {
                  if (p == null) {
                          throw new IllegalStateException(
                                  "no private key set");
                  }
                  try {
                          BigInteger k = computek(h1);
                          BigInteger r = g.modPow(k, p).mod(q);
                          BigInteger s = k.modInverse(q).multiply(
                                  bits2int(h1).add(x.multiply(r)))
                                  .mod(q);

                          /*
                           * Signature encoding: ASN.1 SEQUENCE of
                           * two INTEGERs.  The conditions on q
                           * imply that the encoded version of r and
                           * s is no longer than 127 bytes for each,
                           * including DER tag and length.
                           */
                          byte[] br = r.toByteArray();
                          byte[] bs = s.toByteArray();
                          int ulen = br.length + bs.length + 4;
                          int slen = ulen + (ulen >= 128 ? 3 : 2);

Top      Up      ToC       Page 78 
                          byte[] sig = new byte[slen];
                          int i = 0;
                          sig[i ++] = 0x30;
                          if (ulen >= 128) {
                                  sig[i ++] = (byte)0x81;
                                  sig[i ++] = (byte)ulen;
                          } else {
                                  sig[i ++] = (byte)ulen;
                          }
                          sig[i ++] = 0x02;
                          sig[i ++] = (byte)br.length;
                          System.arraycopy(br, 0, sig, i, br.length);
                          i += br.length;
                          sig[i ++] = 0x02;
                          sig[i ++] = (byte)bs.length;
                          System.arraycopy(bs, 0, sig, i, bs.length);
                          return sig;

                  } catch (ArithmeticException ae) {
                          throw new IllegalArgumentException(
                                  "DSA error (bad key ?)", ae);
                  }
          }

          /**
           * Reset this engine.  Data input through the {@code
           * update*()} methods is discarded.  The current private key,
           * if one was set, is kept unchanged.
           */
          public void reset()
          {
                  dig.reset();
          }
  }

  // ==================================================================

Top      Up      ToC       Page 79 
Author's Address

   Thomas Pornin
   Quebec, QC
   Canada

   EMail: pornin@bolet.org