Can't generate ECDSA key for Brainpool curves using X-CUBE-CRYPTOLIB

antfarmer
Associate III

I'm trying to create ECDSA keys on a STM32WL55 using the X-Cube/HAL Crypto library. I can generate NIST keys no problem, however when I try using the Brainpool curves, it mostly returns the following error: CMOX_ECC_ERR_WRONG_RANDOM ((cmox_ecc_retval_t)0x0006000B) /*!< Random not compliant with the API (Recall with other random material) */

I've tried the following curves: CMOX_ECC_CURVE_BPP256R1 and CMOX_ECC_CURVE_BPP384R1. Sometimes BPP256R1 works, but BPP384R1 seems to always fail. That's very strange so it almost seems the library is validating the randomness in some way? I'm using the RNG to create a buffer of randoms the same size as the public key in bytes.

Here is the gist of the code:

	// inputs: size_t pubLen, ecc_key_t* keypair
	
	uint16_t randSize = pubLen;
	uint8_t randBuff[randSize];
	// ... set randoms via HAL_RNG_GenerateRandomNumber
	
	if ((result = cmox_ecdsa_keyGen(&eccHandle, CMOX_ECC_CURVE_BPP256R1, randBuff, randSize,
			keypair->private, &keypair->privLen, keypair->public, &keypair->pubLen)) != CMOX_ECC_SUCCESS) {
		return result;
	}
	
	// ecc_key_t defined as...
	typedef struct {
		size_t privLen;
		size_t pubLen;
		uint8_t* private;
		uint8_t* public;
	} ecc_key_t;

Any ideas?

1 ACCEPTED SOLUTION

Frantz LEFRERE
ST Employee

Hello @antfarmer 

There is a related statement in https://wiki.st.com/stm32mcu/wiki/Security:Secure_usage_of_the_Cryptographic_Library

"Even if the random array has the correct length, a failure might occur with return value CMOX_ECC_ERR_WRONG_RANDOM. A security check is done inside the ECC functions, assuring not only that the byte length is correct, but also that the value is compatible with the chosen curve N parameter.

For NIST curves, that have the N parameter starting with 0xFFFFFFFF…, this scenario is highly improbable, while for other curves (for example brainpoolP384r1) the probability can almost reach 50%.

The solution to this is to generate a new random byte array and recall the cryptographic API."

Br,

Frantz 
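
The retry prescribed in the quoted wiki text is rejection sampling. The sketch below is an added example, not ST's code or either poster's, showing the range check and a bounded redraw loop on brainpoolP384r1. It assumes the library's check is 0 < k < N on a big-endian candidate of the order's byte length; `rng_fill_fn`, `scalar_in_range`, `draw_scalar` and `stub_rng` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Order N of brainpoolP384r1 (RFC 5639), big-endian. It starts 0x8C, so
   roughly 45% of uniformly random 48-byte strings are >= N. */
const uint8_t BP384_N[48] = {
    0x8C,0xB9,0x1E,0x82,0xA3,0x38,0x6D,0x28,0x0F,0x5D,0x6F,0x7E,
    0x50,0xE6,0x41,0xDF,0x15,0x2F,0x71,0x09,0xED,0x54,0x56,0xB3,
    0x1F,0x16,0x6E,0x6C,0xAC,0x04,0x25,0xA7,0xCF,0x3A,0xB6,0xAF,
    0x6B,0x7F,0xC3,0x10,0x3B,0x88,0x32,0x02,0xE9,0x04,0x65,0x65 };

/* Hypothetical RNG callback: fill buf with len fresh bytes, 0 on success. */
typedef int (*rng_fill_fn)(void *ctx, uint8_t *buf, size_t len);

/* Assumed acceptance rule: 0 < k < N (big-endian, equal length).
   Every byte is visited; there is no early exit on the first difference. */
int scalar_in_range(const uint8_t *k, const uint8_t *n, size_t len)
{
    unsigned lt = 0, decided = 0, nonzero = 0;
    for (size_t i = 0; i < len; i++) {
        lt |= (unsigned)(k[i] < n[i]) & (decided ^ 1u);
        decided |= (unsigned)(k[i] != n[i]);
        nonzero |= k[i];
    }
    return (int)(lt & (unsigned)(nonzero != 0));
}

/* Rejection sampling: redraw until the candidate is in range. Returns the
   number of draws used, or -1 on RNG failure or after max_tries rejections. */
int draw_scalar(rng_fill_fn rng, void *ctx, const uint8_t *n, size_t len,
                uint8_t *out, int max_tries)
{
    for (int t = 1; t <= max_tries; t++) {
        if (rng(ctx, out, len) != 0) break;
        if (scalar_in_range(out, n, len)) return t;
    }
    memset(out, 0, len);   /* never hand back a rejected candidate */
    return -1;
}

/* Constructed RNG for the demo: first draw is all 0xFF, later ones 0x11. */
int stub_rng(void *ctx, uint8_t *buf, size_t len)
{
    int *calls = ctx;
    memset(buf, (*calls)++ == 0 ? 0xFF : 0x11, len);
    return 0;
}
```

On the target the callback would wrap HAL_RNG_GenerateRandomNumber and the accepted buffer is what gets passed to cmox_ecdsa_keyGen. Because the library's exact check is assumed here, a CMOX_ECC_ERR_WRONG_RANDOM return should still be handled by drawing again.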

 


3 REPLIES

@Jocelyn RICARD 

antfarmer
Associate III

I missed this section. Wow, got it working. At first I tried running a HKDF routine on the random buffer with extra random salt, but only after multiple retries does it work. Interesting. Any point to running HKDF on the random to improve the "quality", or should I just do simple retries?