Introduction
The Elliptic Curve Digital Signature Algorithm (ECDSA) is a cryptographic method used to ensure the authenticity and integrity of digital messages or documents. Various applications, including secure communications, blockchain technologies, and digital certificates use ECDSA. The process involves two main steps: signature generation and signature verification.
The cryptographic library is designed and compiled to run on Arm Cortex®-M based ST microcontrollers. The version V4.x.x supports most of required algorithms for encryption, hashing, message authentication and digital signing including ECDSA and RSA algorithms.
1. Checking ECDSA implementation
It is common to check any ECDSA implementation using the test vectors part of the Cryptographic Algorithm Validation Program (CAVP) provided by the National Institute of Standards and Technology (NIST).
SigGen file provided by NIST contains test vectors used to validate the correctness of digital signature generation algorithms, such as ECDSA (Elliptic Curve Digital Signature Algorithm).
Find below a vector test extracted from this file:
[P-256,SHA-256]
Msg = 5905238877c77421f73e43ee3da6f2d9e2ccad5fc942dcec0cbd25482935faaf416983fe165b1a045ee2bcd2e6dca3bdf46c4310a7461f9a37960ca672d3feb5473e253605fb1ddfd28065b53cb5858a8ad28175bf9bd386a5e471ea7a65c17cc934a9d791e91491eb3754d03799790fe2d308d16146d5c9b0d0debd97d79ce8
/* d is Private Key */
d = 519b423d715f8b581f4fa8ee59f4771a5b44c8130b4e3eacca54a56dda72b464
/* Qx and Qy are the public Key components */
Qx = 1ccbe91c075fc7f4f033bfa248db8fccd3565de94bbfb12f3c59ff46c271bf83
Qy = ce4014c68811f9a21a1fdb2c0e6113e06db7ca93b7404e78dc7ccd5ca89a4ca9
/* K is the Known random number for the given signature */
k = 94a1bbb14b906a61a280f245f9e93c7f3b4a6247824f5d33b9670787642a68de
/* R and S are the expected signature components */
R = f3ac8061b514795b8843e3d6629527ed2afd6b1f6a555a7acabb5e6f79c8c2ac
S = 8bf77819ca05a6b2786c76262bf7371cef97b218e96f175a3ccdda2acc058903
The above vector test is used to check the ECDSA implementation in STM32 MCUs. Implementation is either software using the STM32 cryptographic library or hardware using the hardware private key accelerator (PKA). In both implementations the random scalar K input is fed as follows:
- K: The STM32 private key accelerator (PKA) requires K as input to the ECDSA hardware accelerator.
- K-1: The STM32 cryptographic library, in contrary, requires to pass K-1 as random scalar instead of K.
2. Why K-1 for ECDSA in STM32CryptoLib?
In the ECDSA signature generation process:
- K is the scalar used for the scalar multiplication. It is important to use a fresh random K at each signature generation.
- K scalar is incremented by 1 internally in the STM32 cryptographic library. The reason is to avoid the condition of a 0-valued scalar input;
- K-1 is fed as input by the user to the ECDSA computation function.
- "1" is read internally by the library while performing ECDSA computation.
This explains why it is necessary to decrement the random scalar parameter K of the provided test vector by 1, before feeding inputs to the ECDSA signature computation.
In the following snippet, the input K-1 is computed as follows.
/* K is the Known random number for the given signature */
k = 94a1bbb14b906a61a280f245f9e93c7f3b4a6247824f5d33b9670787642a68de
/* K-1 is the input to the STM32 Cryptographic library as a Known Random */
k -1 = 94a1bbb14b906a61a280f245f9e93c7f3b4a6247824f5d33b9670787642a68dd
As mentioned above the last K and K-1 sequences are the same except the last bytes which are 0xde for K and 0xdd for K-1.
Conclusion
We recommend feeding the ECDSA by K-1 as the known random scalar when using NIST, or any other test vectors to compute the correct signature.
Related links
