[Cryptography] Minimal secure boot

sebastien riou matic at nimp.co.uk
Tue Jun 11 15:31:46 EDT 2019

> > Now I am wondering if I need:
> >    - e larger than 3 ? if yes what is the sensible minimum ? I am
> > inclined to set e=11 to get (digest power e) > n but I do not have really
> > clear argument for that.
>
> Yes. You want something bigger than 3. Three can work, but you have to
> take care. It's simpler to pick something bigger.
> Mathematically, 5 works just fine. Traditionally in RSA cryptography, 17
> and 65537 are traditional because they're (2^n)+1.
>
> >    - padding the digest before the mod_exp
>
> Knowing I don't know, why wouldn't you use OAEP or some equivalent?

Thanks for the advice. This is going into ROM code, this is not general
purpose nor updated carelessly by random guys, so I am willing "to take
care" if that saves a few bytes in my code and/or improves performance.
I like e=3 very much, with that I could hardcode the main loop to do 2
identical iterations, saving both code size and execution time.
On the padding I don't like OAEP because of the increased complexity which
will increase code size.
For now I settled for PKCS1_1v5 following
https://tools.ietf.org/html/rfc8017 (with padding hardcoded for SHA256). Of
course I will switch immediately to OAEP if there is a compelling reason to
do that, but my understanding is that PKCS1_1v5 is good enough for my

So my question can be reformulated as follows: what would I have to ensure
to be safe with e=3 and PKCS1_1v5?
- I can take care of not signing the same plaintext with two different keys.
- I can take care of not signing anything coming from a third party.
Is there something else to take care of?
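
Added example, not part of the original message and not the poster's ROM code: a Python sketch of RSASSA-PKCS1-v1_5 verification with e=3 and the padding hardcoded for SHA-256, using the encode-then-compare method of RFC 8017 section 8.2.2, so a block with shortened padding or bytes after the hash is rejected even when the RSA math checks out. The key is a constructed test key built from publicly known primes, and all function names are hypothetical.

```python
import hashlib
import hmac

# SHA-256 DigestInfo prefix from RFC 8017, section 9.2, note 1.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed TEST key only: both factors are well-known public primes
# (the Ed448 and NIST P-384 field primes), so it offers no security.
P = 2**448 - 2**224 - 1
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1
N, E = P * Q, 3
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, only used to make test data
K = (N.bit_length() + 7) // 8       # modulus length in bytes

def encode(msg: bytes, k: int = K) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(msg)."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_em(em: bytes) -> bytes:
    """Test helper: raw RSA private operation on an already encoded block."""
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")

def verify(msg: bytes, sig: bytes) -> bool:
    """Strict check: rebuild the whole expected block and compare every byte."""
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:                      # signature representative out of range
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(em, encode(msg))

def malformed_em(msg: bytes) -> bytes:
    """Constructed bad block: only 8 FF bytes, hash followed by filler bytes."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x5a" * (K - len(head))
```

A verifier that parses the recovered block field by field and stops at the hash would accept the block produced by `malformed_em`; comparing the full rebuilt block leaves nothing unparsed.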
