1. An Elliptic Curve Processor
Suitable for RFID-Tags
L. Batina¹, J. Guajardo², T. Kerins²,
N. Mentens¹, P. Tuyls² and I. Verbauwhede
¹ Katholieke Universiteit Leuven, ESAT-SCD/COSIC
² Philips Research, The Netherlands
WISSec 2006
Antwerpen, Belgium
November 8-9, 2006
2. Outline
Introduction and Motivation
Related Work
Secure Identification Protocols
Elliptic Curve Cryptography (ECC)
Low-cost ECC processor
Results
Conclusions
3. Motivation
Emerging new applications: wireless
applications, sensor networks, RFIDs, car
immobilizers, key chains...
resource limited:
area, memory, power, bandwidth
low-cost, low-power, low-energy
Pure hardware solutions are energy and
cost effective
4. New challenging applications: RFID tags
RFID applications:
Supply chain
management
Access control
Payment systems
Product authentication
Vehicles tracking
Medical care
Key rings
More recent applications: Anti-counterfeiting
6. Related Work
Juels: use RFIDs for anti-counterfeiting
[TB06]: EC-based solution could be
possible
RFID workshop: several papers
considering ECC processors for RFID tags
[McLR07]: limit number of authen.
Other embedded security applications
7. In short
PKC would be quite useful
We would like to know
Are existing protocols feasible on RFID tags?
How small/cheap is the most compact
solution?
If known solutions are too expensive we
should think about new, light-weight
protocols
8. Our contributions
Feasibility of ECC on RFID TAGS
Protocols of Schnorr and Okamoto evaluated
Performance vs. area trade-off
Our solution is based on identification
schemes
ECDSA is not necessary
9. Authentication options
Question:
Can we perform ECC on RFID Tags? Cost?
Options:
• ECDSA Signature
one point multiplication + hash
• Identification Protocols: Schnorr or Okamoto
one or two point multiplications
10. Secure Identification Protocols
Set-up: an elliptic curve $E(\mathrm{GF}(2^m))$
a point P of order n and a commitment Z = aP to the
secret a
Protocol Anatomy
Prover → Verifier: witness
Verifier → Prover: challenge
Prover → Verifier: response
11. Schnorr Identification Protocol
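Tag (knows the secret a), Reader (knows Z = aP)
1. Reader → Tag: request
2. Tag: choose $r \in_R [1, n-1]$
3. Tag: compute X = rP
4. Tag → Reader: X
5. Reader: choose challenge
6. e 2 e 2t n
7. Tag: compute y = ae + r mod n
7. Tag → Reader: y
8. Reader: if yP – eZ = X = rP, i.e. (ae + r)P – e(aP) = X, accept; else reject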
12. ECC over binary fields
Arithmetic can be performed very efficiently
(carry-free).
An elliptic curve E over $\mathrm{GF}(2^n)$ is defined by an
equation of the form:
$y^2 + xy = x^3 + ax^2 + b$,
where $a, b \in \mathrm{GF}(2^n)$, $b \neq 0$. Points are (x, y)
which satisfy the equation, where $x, y \in \mathrm{GF}(2^n)$.
There exists a group operation, i.e. addition, such
that the sum of any two points is a third point.
13. ECC operations: Hierarchy
ECC protocol
Point multiplication: kP
Group operation: point add/double
Finite field arithmetic: multiplication, addition, subtraction, inversion, …
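Added example, not taken from the slides: the four layers of this hierarchy (field arithmetic, group operation, point multiplication, protocol) carrying one round of the Schnorr exchange from slide 11 on a curve of the slide-12 form. The toy field GF(2^8), the coefficients a = b = 1, the brute-force base-point search, the challenge range [1, 2^t] with t = 5 and all function names are assumptions, and plain affine double-and-add is used here instead of the Montgomery ladder with Lopez-Dahab coordinates that the deck proposes.

```python
import secrets
M, POLY = 8, 0x11B    # toy field GF(2^8) (assumed), far too small for real use
A, B, O = 1, 1, None  # y^2 + xy = x^3 + A*x^2 + B (assumed a = b = 1); O = infinity

def fmul(u, v):       # carry-free multiplication, reduced modulo POLY
    r = 0
    while v:
        if v & 1: r ^= u
        u, v = u << 1, v >> 1
        if u >> M: u ^= POLY
    return r

def finv(u):          # u^(2^M - 2) = u^-1 for u != 0
    r = 1
    for _ in range(M - 1):
        u = fmul(u, u); r = fmul(r, u)
    return r

def add(P, Q):        # group operation: affine point add / double
    if P is O or Q is O: return Q if P is O else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and y2 == x1 ^ y1: return O             # Q = -P
    lam = (x1 ^ fmul(y1, finv(x1)) if x1 == x2          # doubling
           else fmul(y1 ^ y2, finv(x1 ^ x2)))           # addition
    x3 = fmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1)

def mul(k, P):        # point multiplication kP by double-and-add
    R = O
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def base_point(min_order=64):  # brute-force search, workable only at toy size
    for x, y in ((x, y) for x in range(1, 2**M) for y in range(2**M)):
        if fmul(y, y) ^ fmul(x, y) == fmul(fmul(x, x), x ^ A) ^ B:
            n, Q = 1, (x, y)
            while Q is not O: Q, n = add(Q, (x, y)), n + 1
            if n >= min_order: return (x, y), n

P, N = base_point()   # P and its order n, so that nP = O

def schnorr_round(a, Z, tamper=0, t=5):   # t: challenge bits, 2^t < n (assumed)
    r = 1 + secrets.randbelow(N - 1)      # tag: r in [1, n-1]
    X = mul(r, P)                         # tag -> reader: witness X = rP
    e = 1 + secrets.randbelow(2**t)       # reader -> tag: challenge e
    y = (a * e + r + tamper) % N          # tag -> reader: y = ae + r mod n
    return add(mul(y, P), mul(N - e, Z)) == X   # reader: yP - eZ = X, as -eZ = (n-e)Z
```

With Z = mul(a, P), schnorr_round(a, Z) returns True for the honest tag; a response altered in transit (tamper=1) makes the reader's check fail.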
14. Low-power design
Architectural decisions are important
Frequency as low as possible
Power consumption and energy efficiency
are both crucial
ECC arithmetic should be revisited to
optimize those parameters
The circuit size should be minimized
Flexibility can be sacrificed
15. Parameter Choice (EC operations)
Use Montgomery representation
Use Lopez-Dahab projective coordinates
Minimize number of registers
Use only x-coordinate of point during
protocol
16. The Montgomery Ladder
17. Point Operations
18. EC Processor Architecture
19. ALU Architecture
20. Area-Time Product of Various Implementations
[Figure: AT factor (k=6), scale 0 to 35000, by implementation type (labelled 131, 134, 139, 142; D = 1 to 4; w / wo)]
22. Conclusions
ECC suitable for certain RFID applications
More research on low cost protocols and low cost
implementations
See also paper in ePrint Archive