ESP32-S2/S3/C3 digital signature peripheral: wrong output?

yoxixaw
Posts: 1
Joined: Fri Sep 27, 2024 4:06 pm

ESP32-S2/S3/C3 digital signature peripheral: wrong output?

Postby yoxixaw » Fri Sep 27, 2024 4:28 pm

Hi,

I'm trying to use the Digital Signature (DS) peripheral found in some ESP32 chips, but there seems to be something going wrong. When I'm doing a sign-validate roundtrip using the regular RSA peripheral (with all keys coming from my firmware), I get the expected result and everything works fine, but the signature that's being output from the DS peripheral seems to be wrong.

For example, for a 1024-bit keypair (all large numbers listed at the bottom of this post), I would normally get a signature s=42^d mod N = <sig1> (yes, with a message of 42). Calculating s^e mod N gives me 42 back. The ESP32 RSA peripheral (direct exponentiation operation) also returns this result, and it can be verified using e.g. "signature=pow(42,d,N)" and "pow(signature,e,N)" in Python.

However, trying to sign a message of "42" using the DS peripheral results in a signature of <sig2> . This is most certainly not correct, and trying to verify it results in <loopback>, which is most certainly not equal to 42.

I have reproduced this across the ESP32-S2, S3 and C3, and regardless of whether I use esp_ds.h from esp_hw_support, the ROM (ets_ds_*) functions, or my own driver code using only ds_ll.h from the HAL. The (wrong) results are always consistent.

Hence, am I missing something as for why the DS peripheral is outputting these weird numbers?
Thanks.
  • N (public modulus, aka M) = 0x4B19CB6E37739BA8151D18DFA6B2C0BF78D86B2CBAB5E58C34813D751F9445C4DF418892787480CE77FEE2C845885C46F0D0B33E62B9C4F0040AEBD94979D8A83EFCAD62DC0DBF5974BD71460D8D800CC18E62D628F1E040D2AAABE59FB5A7FBDFBAA8BF8CDBC7204F111DD60D83A4A80FC0FFD89A63627899285B137C594103
  • d (private exponent, aka Y) = 0x35A9A7D8089D7E131B8B2013E77C81081024AC6858BDD2D95D47201009D19C0CF1EE54D53C671B06ED6D5EC4F6125AC5821BCE887C68FB94F97E884A4A1B5BB90E4103C32055DA945466D5D7FBEE4ECDA967506EA0923C366DED05AEE11F9895FF566377C3D206AC9125E0DCFA9D65FC035B89A4BAD330B4D64CCB32B930A7C1
  • e (public exponent) = 65537
  • sig1 = 0x318AB142FEA4B858A1261FC7D69EDA1B0560D89AE00F9CA7D3372CB4607849FBF8CF84A0A27C83F11F8E500968AA4486634006F731E294518F483A8AB7D075F7E17582F5973A9B0323D6674AB9223860C025F408D3E887E7A9A953A1D22C661FE4AB49330D45A1F34DFEBB9CCC7FB7AB1C666F1B4255C539C84AFAE904715541
  • sig2 = 0x24B1BABC2B7EF080A834542D203402D67392AB14997667D0A801B5C0FA8F84C042906958FC54744520004155B8635AA4F9FC986F8CB291BBBA572DEF5B413961A0D0537F79CFD64380AA819F0CB75B5818DC40F9BC05672C4AD188659E0FA18F0628239E3A787D6F2778F1A83683852EE30CCC457E4ABCCF3C5E72DF9C7D37CC
  • loopback = 0x1CF5110128F9EFBEDC3BB69DC258E1E5B0AB83B18402EA05B9D3E5A17C1576D8E3D1BA329D274DAD535CF00E38030EABB647D7F41592D72609C9656FFAE3E4DC04EEACE7ACC5FB93E4081225F046B5C119DEA2E5F9CBB199D0CEA12281AA2F6A36E2797EF933BABC14C18D119AA193DBEA2CAEE06112E8D47146B1F291941DDF

Who is online

Users browsing this forum: No registered users and 123 guests