An Elliptic Curve Processor Suitable for RFID-Tags
L. Batina (1), J. Guajardo (2), T. Kerins (2), N. Mentens (1), P. Tuyls (2) and I. Verbauwhede
(1) Katholieke Universiteit Leuven, ESAT-SCD/COSIC
(2) Philips Research, The Netherlands
WISSec 2006, Antwerpen, Belgium, November 8-9, 2006

Outline
• Introduction and Motivation
• Related Work
• Secure Identification Protocols
• Elliptic Curve Cryptography (ECC)
• Low-cost ECC processor
• Results
• Conclusions

Motivation
• Emerging new applications: wireless applications, sensor networks, RFIDs, car immobilizers, key chains...
  • resource limited: area, memory, power, bandwidth
  • low-cost, low-power, low-energy
• Pure hardware solutions are energy and cost effective

New challenging applications: RFID tags
RFID applications:
• Supply chain management
• Access control
• Payment systems
• Product authentication
• Vehicle tracking
• Medical care
• Key rings
More recent applications: Anti-counterfeiting

Related Work
• Juels: use RFIDs for anti-counterfeiting
• [TB06]: EC-based solution could be possible
• RFID workshop: several papers considering ECC processors for RFID tags
• [McLR07]: limit the number of authentications
• Other embedded security applications

In short
• PKC would be quite useful
• We would like to know:
  • Are existing protocols feasible on RFID tags?
  • How small/cheap is the most compact solution?
• If known solutions are too expensive we should think about new, light-weight protocols

Our contributions
• Feasibility of ECC on RFID tags
• Protocols of Schnorr and Okamoto evaluated
• Performance vs. area trade-off
• Our solution is based on identification schemes
• ECDSA is not necessary

Authentication options
Question: Can we perform ECC on RFID Tags? Cost?
Options:
• ECDSA Signature: one point multiplication + hash
• Identification Protocols (Schnorr or Okamoto): one or two point multiplications

Secure Identification Protocols
Set-up: an elliptic curve $E(GF(2^m))$, a point P of order n and a commitment Z = aP to the secret a
Protocol Anatomy
• Prover → Verifier: witness
• Verifier → Prover: challenge
• Prover → Verifier: response

Schnorr Identification Protocol
Parties: Tag (a), Reader (Z = aP)
1. Reader → Tag: request
2. Tag: choose $r \in_R [1, n-1]$
3. Tag: compute X = rP
4. Tag → Reader: X
5. Reader: choose challenge $e$ (range given in terms of $2^t$ and $n$)
6. Reader → Tag: e
7. Tag: compute y = ae + r mod n
7. Tag → Reader: y
8. Reader: if yP – eZ = X, i.e. (ae + r)P – e(aP) = rP = X, accept; else reject

ECC over binary fields
Arithmetic can be performed very efficiently (carry-free).
An elliptic curve E over $GF(2^n)$ is defined by an equation of the form:
$y^2 + xy = x^3 + ax^2 + b$, where $a, b \in GF(2^n)$, $b \neq 0$.
• Points are (x, y) which satisfy the equation, where $x, y \in GF(2^n)$.
• There exists a group operation, i.e. addition, such that the sum of any two points is a third point.
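
The Schnorr exchange from the identification slide, run end to end on a toy curve of the binary-field form given above. This is an added example, not code from the slides or the paper: the GF(2^7) field, the coefficients, the brute-forced base point P and the challenge range 1 <= e <= 2^t < n are assumptions chosen so it runs offline, and the sizes give no security.

```python
# Toy Schnorr identification on y^2 + xy = x^3 + A*x^2 + B over GF(2^7).
# Constructed, insecure parameters (not from the slides); P found by search.
import secrets

M, POLY, A, B, O = 7, 0b10000011, 1, 5, None   # x^7 + x + 1; O = infinity

def gmul(u, v):                  # carry-free multiply with reduction
    r = 0
    while v:
        if v & 1: r ^= u
        u, v = u << 1, v >> 1
        if u >> M: u ^= POLY
    return r
def ginv(u):                     # u^(2^M - 2), the field inverse of u != 0
    r = u
    for _ in range(M - 2): r = gmul(gmul(r, r), u)
    return gmul(r, r)

def add(p, q):                   # affine group law, doubling included
    if p is O or q is O: return q if p is O else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 != y2 or x1 == 0): return O     # q = -p
    lam = (x1 ^ gmul(y1, ginv(x1)) if x1 == x2
           else gmul(y1 ^ y2, ginv(x1 ^ x2)))
    x3 = gmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gmul(lam, x1 ^ x3) ^ x3 ^ y1)
def mul(k, p):                   # double-and-add scalar multiplication
    r = O
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r
def order(p):                    # brute force, viable only on a toy curve
    k, q = 1, p
    while q is not O: k, q = k + 1, add(q, p)
    return k

P = max(((x, y) for x in range(1 << M) for y in range(1 << M)
         if gmul(y, y) ^ gmul(x, y) == gmul(gmul(x, x), x ^ A) ^ B), key=order)
N = order(P)                     # n on the slide
T = (N - 1).bit_length() - 1     # assumed challenge range 1 <= e <= 2^T < n

def respond(a, r, e):            # tag, step 7: y = ae + r mod n
    return (a * e + r) % N
def verify(Z, X, e, y):          # reader, step 8: yP - eZ = X, as yP = X + eZ
    return mul(y, P) == add(X, mul(e, Z))
def identify(a):                 # one honest run with fresh r and e
    r = 1 + secrets.randbelow(N - 1)
    e = 1 + secrets.randbelow(1 << T)
    return verify(mul(a, P), mul(r, P), e, respond(a, r, e))
```

A response computed from a different secret fails `verify`, because yP – eZ then differs from X by a nonzero multiple of P.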

ECC operations: Hierarchy
1. ECC protocol
2. Point multiplication: kP
3. Group operation: point add/double
4. Finite field arithmetic: multiplication, addition, subtraction, inversion, …

Low-power design
• Architectural decisions are important
• Frequency as low as possible
• Power consumption and energy efficiency are both crucial
• ECC arithmetic should be revisited to optimize those parameters
• The circuit size should be minimized
• Flexibility can be sacrificed

Parameter Choice (EC operations)
• Use Montgomery representation
• Use Lopez-Dahab projective coordinates
• Minimize number of registers
• Use only x-coordinate of point during protocol

The Montgomery Ladder

Point Operations

EC Processor Architecture

ALU Architecture

Area-Time Product of Various Implementations
[Figure: bar chart of AT factor (k=6) by implementation type; each implementation label combines a field size (131, 134, 139 or 142), D = 1 to 4, and w/wo; vertical axis from 0 to 35000.]

Results

| Source | Field size (bits) | Area (gates) | Technology (µm) | Frequency | Performance (msec) |
|---|---|---|---|---|---|
| Öztürk et al. CHES 2004 | 166 ($F_p$) | 30333 | 0.13 | 20 MHz | 31.9 |
| Gaubatz et al. PerSec 2005 | 100 ($F_p$) | 18720 | 0.13 | 500 KHz | 410.45 |
| Wolkerstorfer CRASH 2005 | 191 ($F_p$ and $F_{2^m}$) | 23000 | 0.35 | 68.5 MHz | 6.67 |
| Ours 2006 (Schnorr) | 131 ($F_{2^m}$) | 14105 | 0.25 | 175 KHz | 480 |
| Ours 2006 (Okamoto) | 131 ($F_{2^m}$) | 21179 | 0.25 | 175 KHz | 830 |

Conclusions
• ECC suitable for certain RFID applications
• More research on low cost protocols and low cost implementations
• See also paper in ePrint Archive