ECDSA-secp521 test fail

Hi !

I have disabled the LTC HW accelerator on the K82 MCU to be able to have P-521 cryptography.
All memory constraints are removed also. mbedTLS version 2.6.0.

But the ECDSA-secp521r1 test fails at the verification phase.
The other remaining curves pass both tests.

MBEDTLS_ECP_WINDOW_SIZE - 7
MBEDTLS_ECP_FIXED_POINT_OPTIM - 1
MBEDTLS_MPI_MAX_SIZE - 1024
MBEDTLS_MPI_WINDOW_SIZE - 7
MBEDTLS_SSL_MAX_CONTENT_LEN - 16384

ECDSA-secp521r1 : 0.15 sign/s 15168 heap bytes
ECDSA-brainpoolP512r1 : 0.17 sign/s 14664 heap bytes
ECDSA-secp192r1 : 0.50 sign/s 4816 heap bytes

ECDSA-secp521r1 : FAILED: -0x4e00
ECDSA-brainpoolP512r1 : 0.08 verify/s 14852 heap bytes
ECDSA-secp192r1 : 0.25 verify/s 5176 heap bytes

Can it be something that is known already?
Or should some extra configuration be done?

Regards,
Eugene

Hi Eugene,
The error you are receiving is MBEDTLS_ERR_ECP_VERIFY_FAILED.
I have tried reproducing this with your changes, but I don’t get the failure.
I believe it is some platform-related issue, most likely stack corruption with this larger curve.
Have you changed any other configuration from the default values?
Regards,
Mbed TLS Team member
Ron

Hi Ron !

I think this is a platform-specific error. In the case of the K82 it is not so clear how to disconnect the LTC HW accelerator for those operations that can’t be accelerated due to the natural LTC HW limitation of ECC up to 512 bits only.

Finally, I’m able to pass those tests by disabling the following definitions:

#if defined(MBEDTLS_FREESCALE_LTC_PKHA)
//#define MBEDTLS_MPI_ADD_ABS_ALT
//#define MBEDTLS_MPI_SUB_ABS_ALT
//#define MBEDTLS_MPI_MUL_MPI_ALT
//#define MBEDTLS_MPI_MOD_MPI_ALT

#define MBEDTLS_MPI_EXP_MOD_ALT
#define MBEDTLS_MPI_GCD_ALT
#define MBEDTLS_MPI_INV_MOD_ALT
#define MBEDTLS_MPI_IS_PRIME_ALT

//#define MBEDTLS_ECP_MUL_COMB_ALT
//#define MBEDTLS_ECP_ADD_ALT
#endif

So the consistency of P-521 after those modifications is not so clear for now.
Maybe I should find extra P-521 related tests to be sure that everything is OK.
Or maybe it is better to exclude LTC from the picture altogether and use a pure generic SW implementation?

Regards,
Eugene

Hi Eugene,
The definitions you showed me are not part of Mbed TLS configuration, and these are probably part of your own proprietary fork.
As much as I would like to assist you, it seems you are working on an unsupported fork (in addition, Mbed TLS 2.6.0 is not an LTS branch), as I don’t know what other changes your codebase has compared to Mbed TLS.

However, since you disabled your alternative implementation, it is reasonable that you would not encounter failures, as you described that your LTC HW accelerator can’t work on p521 curve, and that the sw implementation should work.
Regards,
Mbed TLS Team member
Ron
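
An added example, not code from this thread, Mbed TLS or the NXP SDK: a differential self-test that compares an alternative add primitive against the software reference at 192, 512 and 521 bits, plus a size guard that falls back to software above the 512-bit limit mentioned above. `hw_add_sim`, `add_dispatch`, `first_mismatch_bits` and the truncation behaviour are hypothetical stand-ins, not real LTC driver behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_LIMBS   17   /* 17 x 32 = 544 bits, room for a 521-bit operand */
#define HW_MAX_BITS 512  /* accelerator operand limit quoted in the thread */
typedef uint32_t (*add_fn)(uint32_t *r, const uint32_t *a, const uint32_t *b, size_t n);

/* Software reference: r = a + b over n limbs, returns the carry out. */
static uint32_t sw_add(uint32_t *r, const uint32_t *a, const uint32_t *b, size_t n) {
    uint64_t c = 0;
    for (size_t i = 0; i < n; i++) {
        c += (uint64_t)a[i] + b[i];
        r[i] = (uint32_t)c;
        c >>= 32;
    }
    return (uint32_t)c;
}

/* Constructed accelerator stand-in: drops limbs above HW_MAX_BITS (assumed failure mode). */
static uint32_t hw_add_sim(uint32_t *r, const uint32_t *a, const uint32_t *b, size_t n) {
    size_t hw_n = n * 32 > HW_MAX_BITS ? HW_MAX_BITS / 32 : n;
    memset(r, 0, n * sizeof *r);
    return sw_add(r, a, b, hw_n);
}

/* Guarded dispatch: use the accelerator only when the operand fits (limb granularity). */
static uint32_t add_dispatch(uint32_t *r, const uint32_t *a, const uint32_t *b, size_t n) {
    return n * 32 <= HW_MAX_BITS ? hw_add_sim(r, a, b, n) : sw_add(r, a, b, n);
}

/* Returns the first size (192, 512, 521 bits) where fn disagrees with sw_add, else 0. */
static int first_mismatch_bits(add_fn fn) {
    static const int sizes[] = { 192, 512, 521 };
    uint32_t a[MAX_LIMBS], b[MAX_LIMBS], want[MAX_LIMBS], got[MAX_LIMBS];
    for (size_t s = 0; s < sizeof sizes / sizeof sizes[0]; s++) {
        size_t n = ((size_t)sizes[s] + 31) / 32;
        for (size_t i = 0; i < n; i++) {           /* constructed, repeatable operands */
            a[i] = 0x9E3779B9u * (uint32_t)(i + 1);
            b[i] = 0x85EBCA6Bu * (uint32_t)(i + 3);
        }
        a[n - 1] = b[n - 1] = 1u << ((sizes[s] - 1) % 32);  /* full-width: only the top bit set */
        if (sw_add(want, a, b, n) != fn(got, a, b, n) || memcmp(want, got, n * sizeof *want) != 0)
            return sizes[s];
    }
    return 0;
}

int main(void) {  /* exit 0: guarded path is clean, unguarded path is caught at 521 bits */
    return !(first_mismatch_bits(add_dispatch) == 0 && first_mismatch_bits(hw_add_sim) == 521);
}
```

The same comparison pattern applies to each primitive that has an alternative implementation: run it and the software version on full-width operands for every enabled curve size and compare results before trusting the combined build.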

Hi Ron !

I have taken the mbedTLS variant that is part of the standard SDK for the NXP K82 MCU.
And I am just trying to configure it in a way where P-521 works with maximum performance.

I am just wondering if mbedTLS 2.7.5 is better than 2.6.0 in the case of P-521?

Regards,
Eugene

Hi Eugene,
There weren’t many changes in P521 from 2.6.0 to 2.7.5; however, 2.7.5 is from the Mbed TLS 2.7 LTS branch, which will receive bug fixes and security updates, so I recommend you update to the 2.7 branch.

Regards,
Mbed TLS Team member
Ron

Hi Ron !

I would also like to ask you to make mbedTLS more friendly for low-end MCUs with a simple MPU.
To run mbedTLS code with User privileges, all global/static variables should be removed.
If they are needed, they should be defined as part of the cryptosuite handlers, for example.

For example ecp_curves.c has definition:

/*
 * Set an MPI to static value 1
 */
static inline void ecp_mpi_set1( mbedtls_mpi *X )
{
    static mbedtls_mpi_uint one[] = { 1 }; // Static !!!
    X->s = 1;
    X->n = 1;
    X->p = one;
}

It is possible to add this variable to the end of the mbedtls group and populate it where it is needed.


mbedtls_mpi_uint one;
}
mbedtls_ecp_group;

Regards,
Eugene