0
An Elliptic Curve Processor
          Suitable for RFID-Tags
        L. Batina1, J. Guajardo2, T. Kerins2,
    N. Mentens1...
Outline

 Introduction  and Motivation
 Related Work
 Secure Identification Protocols
 Elliptic Curve Cryptography (EC...
Motivation

 Emerging  new applications: wireless
 applications, sensor networks, RFIDs, car
 immobilizers, key chains......
New challenging applications: RFID tags

    RFID applications:

 Supply chain
  management
 Access control
 Payment sy...
5
Related Work

 Juels:use RFIDs for anti-counterfeiting
 [TB06]: EC-based solution could be
  possible
 RFID workshop: s...
In short

 PKCwould be quite useful
 We would like to know
      Are existing protocols feasible on RFID tags?
      H...
Our contributions

 Feasibility   of ECC on RFID TAGS
     Protocols of Schnorr and Okamoto evaluated
     Performance ...
Authentication options
Question:
 Can we perform ECC on RFID Tags? Cost?

Options:
  • ECDSA Signature
                   ...
Secure Identification Protocols
Set-up:   an elliptic curve E(GF(2m))
          a point P of order n and a commitment Z = ...
Schnorr Identification Protocol
Tag                                               Reader
(a)                              ...
ECC over binary fields

Arithmetic can be performed very efficiently
(carry-free).
An elliptic curve E over GF(2n) is defi...
ECC operations: Hierarchy

                    ECC
                    prot.

                   Point
               mult...
Low-power design

 Architectural  decisions are important
 Frequency as low as possible
 Power consumption and energy e...
Parameter Choice (EC operations)

 Use   Montgomery representation

 Use   Lopez-Dahab projective coordinates

 Minimiz...
The Montgomery Ladder




                        16
Point Operations




                   17
EC Processor Architecture




                            18
ALU Architecture




                   19
Area-Time Product of Various
                                    Implementations

                  35000


              ...
Results
Source             Field            Area     Technology   Frequency Performance
                    size          ...
Conclusions


ECC    suitable for certain RFID applications

More research on low cost protocols and low cost
implementa...
Upcoming SlideShare
Loading in...5
×

slides

697

Published on

Published in: Business, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
697
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "slides"

  1. 1. An Elliptic Curve Processor Suitable for RFID-Tags L. Batina1, J. Guajardo2, T. Kerins2, N. Mentens1, P. Tuyls2 and I. Verbauwhede 1Katholieke Universiteit Leuven, ESAT-SCD/COSIC 2Philips Research, The Netherlands WISSec 2006 Antwerpen, Belgium November 8-9, 2006 1
  2. 2. Outline  Introduction and Motivation  Related Work  Secure Identification Protocols  Elliptic Curve Cryptography (ECC)  Low-cost ECC processor  Results  Conclusions 2
  3. 3. Motivation  Emerging new applications: wireless applications, sensor networks, RFIDs, car immobilizers, key chains...  resource limited: area, memory, power, bandwidth  low-cost, low-power, low-energy  Purehardware solutions are energy and cost effective 3
  4. 4. New challenging applications: RFID tags RFID applications:  Supply chain management  Access control  Payment systems  Product authentication  Vehicles tracking  Medical care  Key rings More recent applications: Anti-counterfeiting 4
  5. 5. 5
  6. 6. Related Work  Juels:use RFIDs for anti-counterfeiting  [TB06]: EC-based solution could be possible  RFID workshop: several papers considering ECC processors for RFID tags  [McLR07]: limit number of authen.  Other embedded security applications 6
  7. 7. In short  PKCwould be quite useful  We would like to know  Are existing protocols feasible on RFID tags?  How small/cheap is the most compact solution?  Ifknown solutions are too expensive we should think about new, light-weight protocols 7
  8. 8. Our contributions  Feasibility of ECC on RFID TAGS  Protocols of Schnorr and Okamoto evaluated  Performance vs. area trade-off  Our solution is based on identification schemes  ECDSA is not necessary 8
  9. 9. Authentication options Question: Can we perform ECC on RFID Tags? Cost? Options: • ECDSA Signature one point multiplication + hash • Identification Protocols: Schnorr or Okamoto one or two point multiplications 9
  10. 10. Secure Identification Protocols Set-up: an elliptic curve E(GF(2m)) a point P of order n and a commitment Z = aP to the secret a Protocol Anatomy Prover Verifier witness challenge response 10
  11. 11. Schnorr Identification Protocol Tag Reader (a) (Z=aP) 1. request 2. Choose r R [1, n 1] 3. Compute X = rP 4. X 5. Choose challenge 6. e 2 e 2t n 7. Compute y = ae + r mod n 7. y 8. If yP – eZ = X = rP (ae + r) P – e(aP) = X accept Else reject 11
  12. 12. ECC over binary fields Arithmetic can be performed very efficiently (carry-free). An elliptic curve E over GF(2n) is defined by an equation of the form: y2 xy x3 ax2 b, where a, b GF(2n), b 0. Points are (x, y) which satisfy the equation, where x, y GF(2n). Exists a group operation i.e. addition such that for any 2 points, sum is a third point. 12
  13. 13. ECC operations: Hierarchy ECC prot. Point multiplication: kP Group operation: point add/double Finite field arithmetic: multiplication, addition, subtraction, inversion, … 13
  14. 14. Low-power design  Architectural decisions are important  Frequency as low as possible  Power consumption and energy efficiency are both crucial  ECC arithmetic should be revisited to optimize those parameters  The circuit size should be minimized  Flexibility can be sacrificed 14
  15. 15. Parameter Choice (EC operations)  Use Montgomery representation  Use Lopez-Dahab projective coordinates  Minimize number of registers  Use only x-coordinate of point during protocol 15
  16. 16. The Montgomery Ladder 16
  17. 17. Point Operations 17
  18. 18. EC Processor Architecture 18
  19. 19. ALU Architecture 19
  20. 20. Area-Time Product of Various Implementations 35000 30000 25000 AT factor (k=6) 20000 15000 10000 5000 0 131, 139, 134, 142, 134, 131, 142, 134, 134, 131, 139, 142, 142, 134, 139, 142, 134, 131, 134, 142, 139, 134, D=2, D=2, D=4, D=4, D=3, D=2, D=3, D=4, D=2, D=1, D=2, D=2, D=4, D=3, D=1, D=3, D=2, D=1, D=1, D=2, D=1, D=1, w w w w w wo w wo w w wo w wo wo w wo wo wo w wo wo wo Implementation Type 20
  21. 21. Results Source Field Area Technology Frequency Performance size (gates) (µm) (msec) (bits) Östurk et al. 166 30333 0.13 20 MHz 31.9 CHES 2004 (Fp) Gaubatz et al. 100 18720 0.13 500 KHz 410.45 PerSec 2005 (Fp) Wolkerstorfer 191 23000 0.35 68.5 MHz 6.67 F2m CRASH 2005 (Fp and ) F2m Ours 2006 131 ( ) 14105 0.25 175 KHz 480 (Schnorr) Ours 2006 131 21179 0.25 175 KHz 830 (Okamoto) ( F2m ) 21
  22. 22. Conclusions ECC suitable for certain RFID applications More research on low cost protocols and low cost implementations  See also paper in ePrint Archive 22
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×