BCRYPT workshop on RFID Security, Feb 5, 2010
Hardware Implementations of (H)ECC and NTRU for RFID
Junfeng Fan ESAT/SCD-COSIC, K.U.Leuven and IBBT
BCRYPT workshop on RFID Security, Feb 5, 2010
Overview
• The challenge: Security, Budget
• Implementation of (H)ECC: Reducing the area of ALU, Reducing the area of Register File
• Comparison
• Conclusions
The challenge
Scalability
Replay Attack
Anti-cloning
Privacy
…
EC-RAC Protocol
Schnorr Protocol
Okamoto Protocol
DoS ?
Public key Crypto
The challenge
Side-channel attacks
Performance
Area
Power
HECC
ECC
NTRU
Public key Crypto
Elliptic curve cryptography
Elliptic curve E: $y^2 + a_1 x y + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$
[Figure: points P, Q and R = P + Q on the curve $y^2 = x^3 - 13x - 3$]
Point addition: $P(x_1, y_1)$, $Q(x_2, y_2)$, $R(x_3, y_3) = P + Q$
$$\lambda = \begin{cases} \dfrac{y_1 + y_2}{x_1 + x_2} & P \neq Q \\[1ex] \dfrac{y_1}{x_1} + x_1 & P = Q \end{cases}$$
$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a, \qquad y_3 = \lambda (x_1 + x_3) + x_3 + y_1$$
Point multiplication: $rP = \underbrace{P + P + \dots + P}_{r}$
Schnorr protocol
• System parameters: {E, P, n}
• Tag’s private key: x
• Tag’s public key: X = -xP
1. Prover (tag): picks r1 ∈ Z_n, computes R1 ← r1 P and sends R1
2. Verifier (server): picks r2 ∈ Z_n and sends r2
3. Prover (tag): computes v ← x r2 + r1 and sends v
4. Verifier (server): if vP + r2 X = R1, then accept
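The exchange above as a runnable sketch. This is an added example, not code from the slides: it assumes a toy prime-field curve (y^2 = x^3 + 2x + 2 over GF(17), P = (5, 1), n = 19) instead of the binary-field curves the talk targets, and the names `Tag`, `verify` and `run` are hypothetical.

```python
# Added example (not from the slides): Schnorr identification on a toy curve.
# Assumed parameters: y^2 = x^3 + 2x + 2 over GF(17), P = (5, 1), order n = 19.
import secrets

FIELD, A, P, N = 17, 2, (5, 1), 19
O = None                                    # point at infinity

def add(p1, p2):
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return O                            # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % FIELD, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def mul(k, pt):
    q = O
    for bit in bin(k % N)[2:]:              # plain double-and-add, toy use only
        q = add(q, q)
        if bit == "1":
            q = add(q, pt)
    return q

class Tag:
    def __init__(self, x):
        self.x = x
        xP = mul(x, P)
        self.X = (xP[0], -xP[1] % FIELD)    # public key X = -xP
    def commit(self):
        self.r1 = secrets.randbelow(N - 1) + 1   # fresh r1 for every run
        return mul(self.r1, P)              # R1 = r1 P
    def respond(self, r2):
        return (self.x * r2 + self.r1) % N  # v = x r2 + r1

def verify(X, R1, r2, v):
    return add(mul(v, P), mul(r2, X)) == R1  # accept iff vP + r2 X = R1

def run(tag, claimed_X):
    R1 = tag.commit()                       # tag -> verifier
    r2 = secrets.randbelow(N - 1) + 1       # verifier -> tag
    return verify(claimed_X, R1, r2, tag.respond(r2))
```

`run(Tag(7), Tag(7).X)` accepts, while a tag holding a different private key is rejected for every nonzero challenge r2.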
Point multiplication - ECC
• Point multiplication, e.g. 5P = 2(2P) + P
• Point addition, point doubling, e.g. Q1 = 2P, Q2 = Q1 + P
• Modular addition, modular inversion, modular multiplication, e.g. a + b mod f, a * b mod f, a^-1 mod f
Multiplier
Algorithm 1: Modular Multiplication in GF(2^n)
Input: A(x), B(x) and p(x)
Output: A(x)B(x) mod p(x)
    C(x) ← 0
    for i = n-1 to 0 do
        C(x) ← x(C(x) + c_n p(x) + b_i A(x))
    end for
    Return C(x)/x
[Figure: digit-serial multiplier (digit size d) composed of bit-serial multipliers; signals A(x), B(x), C(x)]
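Algorithm 1 in software, next to a digit-serial variant that consumes d bits of B(x) per clock cycle. This is an added example, not code from the slides; the reduction polynomial (the NIST B-163/K-163 pentanomial) and the function names are assumptions.

```python
# Added example (not from the slides): Algorithm 1 as a bit-serial multiplier,
# plus a digit-serial variant that handles d bits of B(x) per clock cycle.
# Polynomials are ints: bit i is the coefficient of x^i.
# Assumption: p(x) = x^163 + x^7 + x^6 + x^3 + 1 (the NIST B-163/K-163 field).
N = 163
P_X = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1

def mul_bit_serial(a, b, p=P_X, n=N):
    """Algorithm 1 literally; returns (A*B mod p, clock cycles)."""
    c = 0
    for i in range(n - 1, -1, -1):
        c_n = (c >> n) & 1                  # coefficient of x^n left by the shift
        b_i = (b >> i) & 1
        c = (c ^ (p if c_n else 0) ^ (a if b_i else 0)) << 1
    return c >> 1, n                        # "Return C(x)/x"

def mul_digit_serial(a, b, d, p=P_X, n=N):
    """Same product with d bit-serial steps unrolled into each clock cycle."""
    cycles = -(-n // d)                     # ceil(n / d)
    c = 0
    for j in range(cycles - 1, -1, -1):
        digit = (b >> (j * d)) & ((1 << d) - 1)
        for t in range(d - 1, -1, -1):      # combinational inside one cycle
            c <<= 1
            if (c >> n) & 1:
                c ^= p                      # reduce by the low-weight p(x)
            if (digit >> t) & 1:
                c ^= a
    return c, cycles

if __name__ == "__main__":
    a, b = 0x1234567890ABCDEF, (1 << 162) | 0xFEDCBA   # constructed operands
    for d in (1, 2, 3, 4):                  # digit sizes from the trade-off slide
        prod, cycles = mul_digit_serial(a, b, d)
        assert prod == mul_bit_serial(a, b)[0]
        print(f"d={d}: {cycles} cycles per multiplication")
```

The cycle count per field multiplication drops from 163 at d = 1 to 41 at d = 4, while each extra digit bit adds another row of XOR logic; that is the area versus delay trade the digit size controls.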
ECC processor
[Figure: block diagram with labels I/O (8b); Registers (N×163b); ECC coprocessor; RF; Main Control RAM; Controller; Digit-serial Mult. (for GF(2^163))]
Area, Energy, Security
Low footprint
• Curve parameters
  - ECC over binary fields, e.g. GF(2^163)
  - Low weight p(x)
• Coordinates
  - Affine: P(x, y)
  - Projective: P(X, Y, Z)
  - López-Dahab: P(x, z)
6 registers in total! [LBV’08]
Low energy
Energy = Power × Delay
• Reduce power
  - Reduce area
  - Reduce flip-flop toggling
  - Reduce clock frequency
• Reduce delay
  - Reduce cycle counts
  - Reduce memory accesses
[LBV’08]
Side-channel attacks
Unprotected method:
    for i = n-1 to 0
        Q ← 2Q
        if k_i = 1
            Q ← Q + P
    end for
Countermeasure
• Unified PA/PD
• Window method
• Montgomery ladder
Trade-offs
[Figure: chart over digit size (1, 2, 3, 4) of Area [kG], Power [uW], Cycles [10^4], Freq. [100 kHz] and Energy [uJ]; y-axis from 0 to 40] [LBV’08]
* To finish Schnorr protocol in 250 msec.
Hyperelliptic curve cryptography
Definition
A hyperelliptic curve C over a field K is defined by
$$y^2 + h(x) y = f(x)$$
where $h(x), f(x) \in K[x]$, $\deg(h(x)) < g$ and $\deg(f(x)) = 2g + 1$.
No point $(u, v)$ on C also satisfies $2v + h(u) = 0$ and $h'(u) v - f'(u) = 0$.
Divisor and Jacobian
A divisor D is a formal sum of points on C:
$$D = \sum m_P P, \qquad \deg D = \sum m_P$$
The Jacobian is defined as $J = \mathrm{Div}^0 / \mathrm{PrinD}$.
Point multiplication - ECC
• ECC-based protocols
• Scalar multiplication
• Group operations: point addition, point doubling
• Field operations: modular addition, modular inversion, modular multiplication
Point multiplication - HECC
• HECC-based protocols
• Scalar multiplication
• Group operations: divisor addition, divisor doubling
• Field operations: modular addition, modular inversion, modular multiplication
Architecture
Comparison
[Figure: chart comparing Area [kGates], Power [uW], Delay [10^-1 s] and Energy [uJ] for ECC @ 323 kHz [LBV’08], HECC @ 300 kHz [FBV’08], NTRU Enc @ 500 kHz [ABFV’08] and NTRU Enc-Dec @ 500 kHz [ABFV’08]; y-axis from 0 to 16]
Conclusion and Future work
Conclusion
• Public Key Cryptography is possible on RFID tags
• ECC outperforms HECC
• NTRU looks promising
Future work
• ECC: get smaller
• HECC: get faster
• NTRU: get more secure
Thank you!
Point multiplication
Algorithm 1: ECC Point Multiplication (Montgomery powering ladder)
Input: P, k = (k_{n-1}, …, k_0)_2 with k_{n-1} = 1
Output: Q = k•P
    Q[0] ← P, Q[1] ← 2P
    for i = n-2 to 0 do
        Q[1-k_i] ← Q[0] + Q[1]
        Q[k_i] ← 2Q[k_i]
    end for
    Return Q[0]
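The unprotected loop from the side-channel slide and the ladder above, run side by side with their operation sequences recorded. This is an added example, not code from the slides: it assumes the integers mod M under addition as a stand-in group for curve points, and the function names are hypothetical.

```python
# Added example (not from the slides): operation sequences of the unprotected
# double-and-add loop versus the Montgomery powering ladder.
# Assumption: the group is the integers mod M under addition, standing in for
# curve points, so 2Q is 2*Q mod M and Q + P is (Q + P) mod M.
M = 2**61 - 1

def double_and_add(k, p):
    q, trace = 0, []
    for bit in bin(k)[2:]:                    # i = n-1 down to 0
        q = 2 * q % M
        trace.append("D")
        if bit == "1":                        # key-dependent branch
            q = (q + p) % M
            trace.append("A")
    return q, "".join(trace)

def montgomery_ladder(k, p):
    bits = bin(k)[2:]                         # top bit k_{n-1} is 1
    q = [p % M, 2 * p % M]
    trace = []
    for bit in bits[1:]:                      # i = n-2 down to 0
        ki = int(bit)
        q[1 - ki] = (q[0] + q[1]) % M         # always one addition ...
        trace.append("A")
        q[ki] = 2 * q[ki] % M                 # ... and one doubling
        trace.append("D")
    return q[0], "".join(trace)

def traces(method, keys, p=5):
    """Set of distinct operation sequences the method produces for these keys."""
    return {method(k, p)[1] for k in keys}

if __name__ == "__main__":
    keys = [0b101101, 0b110011]               # constructed keys, same length and weight
    print(traces(double_and_add, keys))       # two sequences: pattern follows the key
    print(traces(montgomery_ladder, keys))    # one sequence for both keys
```

Both methods return the same multiple of P; only double-and-add produces a doubling/addition pattern that changes with the key bits.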