ESP32-S2/S3/C3 digital signature peripheral: wrong output?
Posted: Fri Sep 27, 2024 4:28 pm
Hi,
I'm trying to use the Digital Signature (DS) peripheral found in some ESP32 chips, but there seems to be something going wrong. When I'm doing a sign-validate roundtrip using the regular RSA peripheral (with all keys coming from my firmware), I get the expected result and everything works fine, but the signature that's being output from the DS peripheral seems to be wrong.
For example, for a 1024-bit keypair (all large numbers listed at the bottom of this post), I would normally get a signature s=42^d mod N = <sig1> (yes, with a message of 42). Calculating s^e mod N gives me 42 back. The ESP32 RSA peripheral (direct exponentiation operation) also returns this result, and it can be verified using e.g. "signature=pow(42,d,N)" and "pow(signature,e,N)" in Python.
However, trying to sign a message of "42" using the DS peripheral results in a signature of <sig2> . This is most certainly not correct, and trying to verify it results in <loopback>, which is most certainly not equal to 42.
I have reproduced this across the ESP32-S2, S3 and C3, and regardless of whether I use esp_ds.h from esp_hw_support, the ROM (ets_ds_*) functions, or my own driver code using only ds_ll.h from the HAL. The (wrong) results are always consistent.
Hence, am I missing something as for why the DS peripheral is outputting these weird numbers?
Thanks.
I'm trying to use the Digital Signature (DS) peripheral found in some ESP32 chips, but there seems to be something going wrong. When I'm doing a sign-validate roundtrip using the regular RSA peripheral (with all keys coming from my firmware), I get the expected result and everything works fine, but the signature that's being output from the DS peripheral seems to be wrong.
For example, for a 1024-bit keypair (all large numbers listed at the bottom of this post), I would normally get a signature s=42^d mod N = <sig1> (yes, with a message of 42). Calculating s^e mod N gives me 42 back. The ESP32 RSA peripheral (direct exponentiation operation) also returns this result, and it can be verified using e.g. "signature=pow(42,d,N)" and "pow(signature,e,N)" in Python.
However, trying to sign a message of "42" using the DS peripheral results in a signature of <sig2> . This is most certainly not correct, and trying to verify it results in <loopback>, which is most certainly not equal to 42.
I have reproduced this across the ESP32-S2, S3 and C3, and regardless of whether I use esp_ds.h from esp_hw_support, the ROM (ets_ds_*) functions, or my own driver code using only ds_ll.h from the HAL. The (wrong) results are always consistent.
Hence, am I missing something as for why the DS peripheral is outputting these weird numbers?
Thanks.
- N (public modulus, aka M) = 0x4B19CB6E37739BA8151D18DFA6B2C0BF78D86B2CBAB5E58C34813D751F9445C4DF418892787480CE77FEE2C845885C46F0D0B33E62B9C4F0040AEBD94979D8A83EFCAD62DC0DBF5974BD71460D8D800CC18E62D628F1E040D2AAABE59FB5A7FBDFBAA8BF8CDBC7204F111DD60D83A4A80FC0FFD89A63627899285B137C594103
- d (private exponent, aka Y) = 0x35A9A7D8089D7E131B8B2013E77C81081024AC6858BDD2D95D47201009D19C0CF1EE54D53C671B06ED6D5EC4F6125AC5821BCE887C68FB94F97E884A4A1B5BB90E4103C32055DA945466D5D7FBEE4ECDA967506EA0923C366DED05AEE11F9895FF566377C3D206AC9125E0DCFA9D65FC035B89A4BAD330B4D64CCB32B930A7C1
- e (public exponent) = 65537
- sig1 = 0x318AB142FEA4B858A1261FC7D69EDA1B0560D89AE00F9CA7D3372CB4607849FBF8CF84A0A27C83F11F8E500968AA4486634006F731E294518F483A8AB7D075F7E17582F5973A9B0323D6674AB9223860C025F408D3E887E7A9A953A1D22C661FE4AB49330D45A1F34DFEBB9CCC7FB7AB1C666F1B4255C539C84AFAE904715541
- sig2 = 0x24B1BABC2B7EF080A834542D203402D67392AB14997667D0A801B5C0FA8F84C042906958FC54744520004155B8635AA4F9FC986F8CB291BBBA572DEF5B413961A0D0537F79CFD64380AA819F0CB75B5818DC40F9BC05672C4AD188659E0FA18F0628239E3A787D6F2778F1A83683852EE30CCC457E4ABCCF3C5E72DF9C7D37CC
- loopback = 0x1CF5110128F9EFBEDC3BB69DC258E1E5B0AB83B18402EA05B9D3E5A17C1576D8E3D1BA329D274DAD535CF00E38030EABB647D7F41592D72609C9656FFAE3E4DC04EEACE7ACC5FB93E4081225F046B5C119DEA2E5F9CBB199D0CEA12281AA2F6A36E2797EF933BABC14C18D119AA193DBEA2CAEE06112E8D47146B1F291941DDF