• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
slides
 

slides

on

  • 789 views

 

Statistics

Views

Total Views
789
Views on SlideShare
789
Embed Views
0

Actions

Likes
0
Downloads
7
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    slides slides Presentation Transcript

    • An Elliptic Curve Processor Suitable for RFID-Tags L. Batina1, J. Guajardo2, T. Kerins2, N. Mentens1, P. Tuyls2 and I. Verbauwhede 1Katholieke Universiteit Leuven, ESAT-SCD/COSIC 2Philips Research, The Netherlands WISSec 2006 Antwerpen, Belgium November 8-9, 2006 1
    • Outline  Introduction and Motivation  Related Work  Secure Identification Protocols  Elliptic Curve Cryptography (ECC)  Low-cost ECC processor  Results  Conclusions 2
    • Motivation  Emerging new applications: wireless applications, sensor networks, RFIDs, car immobilizers, key chains...  resource limited: area, memory, power, bandwidth  low-cost, low-power, low-energy  Purehardware solutions are energy and cost effective 3
    • New challenging applications: RFID tags RFID applications:  Supply chain management  Access control  Payment systems  Product authentication  Vehicles tracking  Medical care  Key rings More recent applications: Anti-counterfeiting 4
    • 5
    • Related Work  Juels:use RFIDs for anti-counterfeiting  [TB06]: EC-based solution could be possible  RFID workshop: several papers considering ECC processors for RFID tags  [McLR07]: limit number of authen.  Other embedded security applications 6
    • In short  PKCwould be quite useful  We would like to know  Are existing protocols feasible on RFID tags?  How small/cheap is the most compact solution?  Ifknown solutions are too expensive we should think about new, light-weight protocols 7
    • Our contributions  Feasibility of ECC on RFID TAGS  Protocols of Schnorr and Okamoto evaluated  Performance vs. area trade-off  Our solution is based on identification schemes  ECDSA is not necessary 8
    • Authentication options Question: Can we perform ECC on RFID Tags? Cost? Options: • ECDSA Signature one point multiplication + hash • Identification Protocols: Schnorr or Okamoto one or two point multiplications 9
    • Secure Identification Protocols Set-up: an elliptic curve E(GF(2m)) a point P of order n and a commitment Z = aP to the secret a Protocol Anatomy Prover Verifier witness challenge response 10
    • Schnorr Identification Protocol Tag Reader (a) (Z=aP) 1. request 2. Choose r R [1, n 1] 3. Compute X = rP 4. X 5. Choose challenge 6. e 2 e 2t n 7. Compute y = ae + r mod n 7. y 8. If yP – eZ = X = rP (ae + r) P – e(aP) = X accept Else reject 11
    • ECC over binary fields Arithmetic can be performed very efficiently (carry-free). An elliptic curve E over GF(2n) is defined by an equation of the form: y2 xy x3 ax2 b, where a, b GF(2n), b 0. Points are (x, y) which satisfy the equation, where x, y GF(2n). Exists a group operation i.e. addition such that for any 2 points, sum is a third point. 12
    • ECC operations: Hierarchy ECC prot. Point multiplication: kP Group operation: point add/double Finite field arithmetic: multiplication, addition, subtraction, inversion, … 13
    • Low-power design  Architectural decisions are important  Frequency as low as possible  Power consumption and energy efficiency are both crucial  ECC arithmetic should be revisited to optimize those parameters  The circuit size should be minimized  Flexibility can be sacrificed 14
    • Parameter Choice (EC operations)  Use Montgomery representation  Use Lopez-Dahab projective coordinates  Minimize number of registers  Use only x-coordinate of point during protocol 15
    • The Montgomery Ladder 16
    • Point Operations 17
    • EC Processor Architecture 18
    • ALU Architecture 19
    • Area-Time Product of Various Implementations 35000 30000 25000 AT factor (k=6) 20000 15000 10000 5000 0 131, 139, 134, 142, 134, 131, 142, 134, 134, 131, 139, 142, 142, 134, 139, 142, 134, 131, 134, 142, 139, 134, D=2, D=2, D=4, D=4, D=3, D=2, D=3, D=4, D=2, D=1, D=2, D=2, D=4, D=3, D=1, D=3, D=2, D=1, D=1, D=2, D=1, D=1, w w w w w wo w wo w w wo w wo wo w wo wo wo w wo wo wo Implementation Type 20
    • Results Source Field Area Technology Frequency Performance size (gates) (µm) (msec) (bits) Östurk et al. 166 30333 0.13 20 MHz 31.9 CHES 2004 (Fp) Gaubatz et al. 100 18720 0.13 500 KHz 410.45 PerSec 2005 (Fp) Wolkerstorfer 191 23000 0.35 68.5 MHz 6.67 F2m CRASH 2005 (Fp and ) F2m Ours 2006 131 ( ) 14105 0.25 175 KHz 480 (Schnorr) Ours 2006 131 21179 0.25 175 KHz 830 (Okamoto) ( F2m ) 21
    • Conclusions ECC suitable for certain RFID applications More research on low cost protocols and low cost implementations  See also paper in ePrint Archive 22