Re: Random values in DSA signature computation

Gigi Ankeny (Gigi.Ankeny@Eng)
Fri, 31 Oct 1997 16:11:23 -0800 (PST)

Date: Fri, 31 Oct 1997 16:11:23 -0800 (PST)
From: Gigi Ankeny <Gigi.Ankeny@Eng>
Subject: Re: Random values in DSA signature computation
To: java-security@web2.javasoft.com, burnettS@RSA.COM

Steve,

If you don't pass in a random generator, yes, our sun implementation uses
the SecureRandom class for k generation.

The seeding is done by the SecureRandom automatically and produces different
k for each signing operation. The two continuous operation is guaranteed to
use different k.

The randomness of SecureRandom seeding can be found in the following javadoc
for SecureRandom class:

/* Note that if a seed is not provided, we attempt to provide sufficient
* seed bytes to completely randomize the internal state of the generator
* (20 bytes). However, our seed generation algorithm has not been thoroughly
* studied or widely deployed. It relies on counting the number of times that
* the calling thread can yield while waiting for another thread to sleep for
* a specified interval.
*/
Hope this helps,

Gigi

>
> I'm sorry if this question has been answered, but I have not seen it,
> so ...
>
> It used to be that java.security.Signature did not compute a separate
> random value for each DSA signature (the value "k"). A couple people
> from JavaSoft have told me this has been fixed.
>
> I would like to know how the k value is computed. When I create a
> Signature object, I never pass in a random number generator, so does the
> Signature class (the SUN Provider version thereof) build a random number
> generator? If so, what is its seed? Time of Day? Is it supposed to
> produce a separate k for each signature? Or will it produce a separate k
> only for different messages?
>
> Thanks,
>
> Steve Burnett
> burnetts@rsa.com