bcrypt workshop on rfid security, feb 5, 2010
Post on 14-Jan-2016
26 Views
Preview:
DESCRIPTION
TRANSCRIPT
Hardware Implementations of (H)ECC and NTRU for RFID
Junfeng Fan ESAT/SCD-COSIC, K.U.Leuven and IBBT
BCRYPT workshop on RFID Security, Feb 5, 2010
Overview
The challenge Security Budget
Implementation of (H)ECC Reducing the area of ALU Reducing the area of Register File
Comparison Conclusions
2
The challenge
Scalability
3
Replay Attack
Anti-cloning
Privacy
…
EC-RACProtocol
SchnorrProtocol
OkamotoProtocol
DoS ?
Public key Crypto
The challenge
Side-channel attacks
4
Performance
Area
Power
HECC
ECC
NTRU
Public key Crypto
Elliptic curve cryptography5
Elliptic curve : E: y2 + a1xy + a3 y = x3 + a2 x2 + a4x + a6
PQ
R=P+Q
y2=x3-13x-3
Point addition:
P (x1,y1), Q (x2,y2)R (x3,y3)= P+Q
λ=
x3= λ2 + λ + x1 + x2 + a y3= λ(x1 + x3) + x3 + y1
y1 + y2
x1 + x2
P ≠ Q
y1
x1
P = Q+ x1
Point multiplication: r P = P + P … + P
r
Schnorr protocol
• System parameters: {E,P,n}
• Tag’s private key: x
• Tag’s public key: X= -xP
Verifier (server)
r2 ∈Zn
If vP + r2X = R1,
then accept
Prover (tag)
r1 ∈Zn
R1 ← r1 P
v ← xr2 + r1
R1
r2
v
6
Point multiplication - ECC7
PointMultiplication
PointAddition
PointDoubling
ModularAddition
ModularInversion
ModularMultiplication
e.g. 5 P = 2 (2 P) + P
e.g. Q1= 2 P, Q2 = Q1 + P
e.g. a + b mod f, a * b mod f, a-1 mod f
Multiplier
Algorithm 1: Modular Multiplication in GF(2n)
Input: A(x), B(x) and p(x) Output: A(x)B(x) mod p(x)1: C(x) ← 02: for i=n-1 to 0 do3: C(x) ← x(C(x) + cnp(x)+biA(x))4: end forReturn C(x)/x
A(x) B(x) C(x)
Bit-serial Mult.
Bit-serial Mult.
Bit-serial Mult.
Bit-serial Mult.
d
Digit-serial Mult.
8
ECC processor9
I/O (8b)
Registers(N×163b)
ECC coprocessor
RF
Main Control RAM
Controller
Digit-serial Mult.(for GF(2163))
Area Energy Security
Low footprint10
Curve parameters ECC over binary fields, e.g. GF(2163) Low weight p(x)
Coordinates Affine : P(x,y) Projective : P(X,Y,Z) López-Dahab : P(x, z)
6 registers in total!
[LBV’08]
Low energy11
Energy = Power × Delay
Reduce power Reduce area Reduce flip-flop toggling Reduce clock frequency
Reduce delay Reduce cycle counts Reduce memory accesses [LBV’08]
for i=n-1 to 0 Q← 2Q if ki=1 Q ← Q+Pend for
Side-channel attacks12
Unprotected method
Countermeasure Unified PA/PD Window method Montgomery ladder
Trade-offs
0
5
10
15
20
25
30
35
40
1 2 3 4
Area[kG]
Power[uW]
cycl es[10̂ 4]
Freq.[100KHz]
Energy[uJ ]
* To finish Schnorr protocol in 250 msec.
(Digit size)[LBV’08]
Hyperelliptic curver Cryptography14
DefinitionHyperelliptic curve C over field K is defined by
y2 + h(x)y = f (x) where h(x),f (x) ∈K[x] deg(h(x))<g and deg(f(x)) = 2g + 1 No points also satisfy 2v + h(u) = 0, h (u)v − f (u) = 0′ ′
Divisor and JacobianA divisor D is a formal sum of points on C.
D = ∑mPP degD = ∑mP
Jacobian is defined as J = Div0 / PrinD
Point multiplication - ECC15
ScalarMultiplication
PointAddition
PointDoubling
ModularAddition
ModularInversion
ModularMultiplication
Group operations
Field operations
ECC-based Protocols
Point multiplication - HECC16
ScalarMultiplication
DivisorAddition
DivisorDoubling
ModularAddition
ModularInversion
ModularMultiplication
Group operations
Field operations
HECC-based Protocols
Architecture17
Comparison18
0
2
4
6
8
10
12
14
16
Area Power Del ay Energy
ECC @323 kHz
HECC@300kHz
NTRU Enc@500kHz
NTRUEnc-Dec@500kHz
[kGates] [uW] [10-1s] [uJ]
[LBV’08]
[FBV’08]
[ABFV’08]
[ABFV’08]
Conclusion and Future work
Conclusion Public Key Cryptography is possible on RFID tags ECC outperforms HECC NTRU looks promising
Future work ECC: get smaller HECC: get faster NTRU: get more secure
19
Thank you!
20
Thank you!
21
Point multiplication22
Algorithm 1: ECC Point Multiplication (Montgomery powering ladder)
Input: P, k={kn-1,…, k0}2
Output: Q=k•P1: Q[0] ← O, Q[1] ← 2P2: for i=n-2 to 0 do3: Q[1-ki] ← Q[0] + Q[1]5: Q[ki] ← 2Q[ki]6: end forReturn Q
top related