[Cryptography] Minimal secure boot

sebastien riou matic at nimp.co.uk
Sun Jun 9 16:57:25 EDT 2019

I am looking for a minimal secure boot scheme, with 128-bit security level.
The target device has a 16-bit CPU, RAM in the KBytes range and the code
size is critical (this is supposed to go in ROM and it's already full...).
What I am considering so far:
- Generate an RSA2048 key pair
   - d: private exponent
   - n: modulus
   - e: public exponent
- store n and e in the ROM
- at build time:
   - digest = sha256 over the code
   - sig = mod_exp(digest,d,n)
   - append sig to code
- at boot:
   - get code and sig
   - digest = sha256 over code
   - expected = mod_exp(sig,e,n)
   - launch code only if digest == expected

Any issue with that?

Now I am wondering if I need:
   - e larger than 3? If yes, what is the sensible minimum? I am inclined
to set e=11 to get (digest power e) > n but I do not really have a clear
argument for that.
   - padding the digest before the mod_exp

I will be the only one knowing the private key and I won't sign any third
party code, so chosen plaintext attacks are not a worry.
I am not concerned by attacks where the same thing is signed by multiple
keys either.
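
Added example, not part of the original post: the build-time and boot-time steps listed above, run once with the bare digest and once with the digest wrapped in EMSA-PKCS1-v1_5 padding (RFC 8017), to show what the padding check adds when signatures are multiplied together. The toy key (two Mersenne primes, trivially factorable), e = 11, the function names and the sample images are assumptions made for the demonstration.

```python
import hashlib

# Constructed toy key (two Mersenne primes): trivially factorable, demo only.
P, Q = 2**607 - 1, 2**1279 - 1
N, E = P * Q, 11                       # e = 11, the value floated in the post
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, build machine only
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# Fixed header 00 01 FF..FF 00 || PREFIX; the 32-byte digest follows it.
HEAD = b"\x00\x01" + b"\xff" * (K - len(PREFIX) - 32 - 3) + b"\x00" + PREFIX

def raw_encode(code: bytes) -> int:
    """Scheme as posted: the bare SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big")

def padded_encode(code: bytes) -> int:
    """EMSA-PKCS1-v1_5 block, exactly K bytes long."""
    return int.from_bytes(HEAD + hashlib.sha256(code).digest(), "big")

def sign(code: bytes, encode) -> int:                  # build time
    return pow(encode(code), D, N)

def verify(code: bytes, sig: int, encode) -> bool:     # boot time
    # Rebuild the expected block and compare it whole; nothing is parsed.
    return 0 < sig < N and pow(sig, E, N) == encode(code)

def is_structured(value: int) -> bool:
    """True if value carries the fixed padding header."""
    return value.to_bytes(K, "big").startswith(HEAD)

def product_of_signatures(a: bytes, b: bytes, encode) -> int:
    """Value that the product of two legitimate signatures verifies to."""
    return pow(sign(a, encode) * sign(b, encode) % N, E, N)

if __name__ == "__main__":
    a, b = b"firmware v1 (constructed)", b"firmware v2 (constructed)"
    for name, enc in (("raw", raw_encode), ("padded", padded_encode)):
        s = sign(a, enc)
        print(name, "accepts signed image:", verify(a, s, enc))
        print(name, "accepts other image: ", verify(b, s, enc))
        m = product_of_signatures(a, b, enc)
        print(name, "product == encode(a)*encode(b) mod n:",
              m == enc(a) * enc(b) % N)
    m = product_of_signatures(a, b, padded_encode)
    print("padded product keeps header:", is_structured(m))
```

With the bare digest every integer below n is a well-formed input to the comparison, so the check rests entirely on the 32 digest bytes; with padding the verifier also pins the remaining K - 32 bytes, and a product of valid signatures no longer decodes to a well-formed block.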
