Skip to main content
antfarmer
antfarmer
Associate III
May 20, 2024
Solved

Can't generate ECDSA key for Brainpool curves using X-CUBE-CRYPTOLIB

  • May 20, 2024
  • 3 replies
  • 1575 views

I'm trying to create ECDSA keys on a STM32WL55 using the X-Cube/HAL Crypto library. I can generate NIST keys no problem, however when I try using the Brainpool curves, it mostly returns the following error: CMOX_ECC_ERR_WRONG_RANDOM ((cmox_ecc_retval_t)0x0006000B) /*!< Random not compliant with the API (Recall with other random material) */

I've tried the following curves: CMOX_ECC_CURVE_BPP256R1 and CMOX_ECC_CURVE_BPP384R1. Sometimes BPP256R1 works, but BPP384R1 seems to always fail. That's very strange so it almost seems the library is validating the randomness in some way? I'm using the RNG to create a buffer of randoms the same size as the public key in bytes.

Here is the jist of the code:

	// inputs: size_t pubLen, ecc_key_t* keypair
	
	uint16_t randSize = pubLen;
	uint8_t randBuff[randSize];
	// ... set randoms via HAL_RNG_GenerateRandomNumber
	
	if ((result = cmox_ecdsa_keyGen(&eccHandle, CMOX_ECC_CURVE_BPP256R1, randBuff, randSize,
			keypair->private, &keypair->privLen, keypair->public, &keypair->pubLen)) != CMOX_ECC_SUCCESS) {
		return result;
	}
	
	// ecc_key_t defined as...
	typedef struct {
		size_t privLen;
		size_t pubLen;
		uint8_t* private;
		uint8_t* public;
	} ecc_key_t;

Any ideas?

Best answer by Frantz LEFRERE

Hello @antfarmer 

there is a related statement in  in the https://wiki.st.com/stm32mcu/wiki/Security:Secure_usage_of_the_Cryptographic_Library

"Even if the random array has the correct length, a failure might occur with return value CMOX_ECC_ERR_WRONG_RANDOM. A security check is done inside the ECC functions, assuring not only that the byte length is correct, but also that the value is compatible with the chosen curve N parameter.

For NIST curves, that have the N parameter starting with 0xFFFFFFFF…, this scenario is highly improbable, while for other curves (for example brainpoolP384r1) the probability can almost reach 50%.

The solution to this is to generate a new random byte array and recall the cryptographic API."

Br,

Frantz 

 

3 replies

Tesla DeLorean
Tesla DeLorean
Guru
May 20, 2024

@Jocelyn RICARD 

Tips, Buy me a coffee, or three.. PayPal VenmoUp vote any posts that you find helpful, it shows what's working..
Frantz LEFRERE
Frantz LEFREREBest answer
ST Employee
May 21, 2024

Hello @antfarmer 

there is a related statement in  in the https://wiki.st.com/stm32mcu/wiki/Security:Secure_usage_of_the_Cryptographic_Library

"Even if the random array has the correct length, a failure might occur with return value CMOX_ECC_ERR_WRONG_RANDOM. A security check is done inside the ECC functions, assuring not only that the byte length is correct, but also that the value is compatible with the chosen curve N parameter.

For NIST curves, that have the N parameter starting with 0xFFFFFFFF…, this scenario is highly improbable, while for other curves (for example brainpoolP384r1) the probability can almost reach 50%.

The solution to this is to generate a new random byte array and recall the cryptographic API."

Br,

Frantz 

 

    antfarmer
    antfarmerAuthor
    Associate III
    May 21, 2024

    I missed this section. Wow, got it working. At first I tried running a HKDF routine on the random buffer with extra random salt, but only after multiple retries does it work. Interesting. Any point to running HKDF on the random to improve the "quality", or should I just do simple retries?

    Terms & ConditionsAccessibility statement