Let me get this straight. In
rng.js , our pool
rng_pool is seeded first with the time the browser starts in the line 37 like
t = Math.floor(65536 * Math.random());
with 48 bits of entropy
and then it is seeded in with the time in milliseconds whenever the
rng_seed_time() is called
rng_seed_int(new Date().getTime());
(does it bring any new bits of entropy?)
The
rng_pool is an array that is used to initialize our state
rng_state in the line 52
rng_state.init(rng_pool);
and
rng_pool is the input for that initialization. It is being inputted into
Arcfour() from
prng4.js which in line 32 returns
return this.S[(t + this.S[this.i]) & 255];
and this is what is being assigned to
rng_state at the end of it
Then in
ecdsa.js it becomes just
rng in the line 128 like:
var rng = new SecureRandom();
and in the line 180 we construct an integer value from that array with
BigInteger(...). After this, the integer is passed to
eckey.js for generating the private key? (i.e. after
BigInteger(...) we already got our private key. Its output is essentially our private key)
On the development side, on cryptography in JavaScript, yeah. Your point is understandable. Even
Mozilla developer doc recommends instead to use Web crypto API