cancel
Showing results for 
Search instead for 
Did you mean: 

Public Key decompression, get Y from X: HAL_PKA_ModExp wrong output

moe_fdi
Associate II

Hello,

I have implemented most of the functions required for decompressing the public key using the PKA arithmetic functions. But, I'm encountering a timeout error with HAL_PKA_ModExp, even when setting a high delay with HAL_MAX_DELAY. Additionally, the output data is incorrect. Here is a simplified version of my code:
uint8_t data[96] = {
0x9c, 0x29, 0xec, 0x4b, 0xd7, 0x69, 0xf4, 0xe9, 0x30, 0xc7, 0xb0, 0x14, 0x2e, 0x51, 0x81, 0xff,
0x98, 0x8c, 0xb1, 0xa0, 0x3e, 0x66, 0xf8, 0xcc, 0x62, 0x13, 0xb5, 0xed, 0xf6, 0x89, 0xfc, 0x9d,
0x37, 0x0e, 0xa0, 0x94, 0xfe, 0x9e, 0x8d, 0xd5, 0x64, 0xf9, 0x05, 0x28, 0x22, 0x42, 0xfd, 0x87,
0xec, 0xb2, 0x99, 0x5c, 0xaf, 0x3c, 0x0d, 0x9d, 0xd7, 0xcf, 0x2f, 0x35, 0xda, 0xf0, 0xcb, 0xc7,
0xb8, 0xcd, 0x7c, 0xc1, 0xe0, 0xed, 0xa6, 0x13, 0xe5, 0xbd, 0x07, 0xfb, 0x81, 0x80, 0xb6, 0x4a,
0x1a, 0x27, 0x80, 0xd9, 0xd8, 0xc5, 0x28, 0xa0, 0xae, 0xe2, 0xb2, 0xef, 0x93, 0x37, 0x91, 0xa3
};

uint8_t exponent[32] = {
0x3f, 0xff, 0xff, 0xff, 0xc0, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

uint8_t mod[96] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};

PKA_ModExpInTypeDef sModExpConfig;
sModExpConfig.expSize = 32;
sModExpConfig.OpSize = 96;
sModExpConfig.pExp = exponent;
sModExpConfig.pOp1 = data;
sModExpConfig.pMod = mod;

uint8_t resultModExp[100];
memset(resultModExp, 0, 100);

if (HAL_PKA_ModExp(&hpka, &sModExpConfig, 10000) != HAL_OK) {
printf("Modular exponentiation timed out.\n");
}

HAL_PKA_ModExp_GetResult(&hpka, resultModExp);

The expected result is (calculated using python):
plaintext = 0x9c29ec4bd769f4e930c7b0142e5181ff988cb1a03e66f8cc6213b5edf689fc9d370ea094fe9e8dd564f905282242fd87ecb2995caf3c0d9dd7cf2f35daf0cbc7b8cd7cc1e0eda613e5bd07fb8180b64a1a2780d9d8c528a0aee2b2ef933791a3
publicExponent = 0x3fffffffc0000000400000000000000000000000400000000000000000000000
modulus = 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000001000000000000000000000000ffffffffffffffffffffffff

result = pow(plaintext, publicExponent, modulus)
print("Mod Exp: ")
print(hex(result))

--> 0x80d6d17eb470e9b87827860307fbd48b4adef1ad9346527a32cd6e34e64e7ec2


But, Strangely, HAL_PKA_ModExp works as expected with a different modulus and exponent setup:

uint8_t modulus[96] = {
0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25,
0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25,
0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25,
0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25,
0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25,
0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25, 0x23, 0x22, 0x22, 0x25};

uint8_t publicExponent[32] = {
0x00, 0x00, 0x05, 0x01, 0x00, 0x00, 0x05, 0x01, 0x00, 0x00, 0x05, 0x01, 0x00, 0x00, 0x05, 0x01,
0x00, 0x00, 0x05, 0x01, 0x00, 0x00, 0x05, 0x01, 0x00, 0x00, 0x05, 0x01, 0x00, 0x00, 0x05, 0x01};
};

uint8_t plaintext[96] = {
0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43,
0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43,
0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43,
0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43,
0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43,
0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x43, 0x44, 0x44, 0x44, 0x44};
};

expected result:
plaintext = 0x444444434444444344444443444444434444444344444443444444434444444344444443444444434444444344444443444444434444444344444443444444434444444344444443444444434444444344444443444444434444444344444444
publicExponent = 0x0000050100000501000005010000050100000501000005010000050100000501
modulus = 0x232222252322222523222225232222252322222523222225232222252322222523222225232222252322222523222225232222252322222523222225232222252322222523222225232222252322222523222225232222252322222523222225
result = pow(plaintext, publicExponent, modulus)
print("Mod Exp: ")
print(hex(result))
--> 0xeac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac92680eac9269

 

Could you please help me to find out the problem ?Has anyone encountered a similar issue with HAL_PKA_ModExp? Are there specific constraints on modulus or exponent values that could cause this behavior? Any advice on potential fixes or workarounds would be greatly appreciated!

0 REPLIES 0