Hardware Implementations of (H)ECC and NTRU for RFID

Junfeng Fan ESAT/SCD-COSIC, K.U.Leuven and IBBT

BCRYPT workshop on RFID Security, Feb 5, 2010

Overview

The challenge Security Budget

Implementation of (H)ECC Reducing the area of ALU Reducing the area of Register File

Comparison Conclusions

2

The challenge

Scalability

3

Replay Attack

Anti-cloning

Privacy

…

EC-RACProtocol

SchnorrProtocol

OkamotoProtocol

DoS ?

Public key Crypto

The challenge

Side-channel attacks

4

Performance

Area

Power

HECC

ECC

NTRU

Public key Crypto

Elliptic curve cryptography5

Elliptic curve : E: y2 + a1xy + a3 y = x3 + a2 x2 + a4x + a6

PQ

R=P+Q

y2=x3-13x-3

Point addition:

P (x1,y1), Q (x2,y2)R (x3,y3)= P+Q

λ=

x3= λ2 + λ + x1 + x2 + a y3= λ(x1 + x3) + x3 + y1

y1 + y2

x1 + x2

P ≠ Q

y1

x1

P = Q+ x1

Point multiplication: r P = P + P … + P

r

Schnorr protocol

• System parameters: {E,P,n}

• Tag’s private key: x

• Tag’s public key: X= -xP

Verifier (server)

r2 ∈Zn

If vP + r2X = R1,

then accept

Prover (tag)

r1 ∈Zn

R1 ← r1 P

v ← xr2 + r1

R1

r2

v

6

Point multiplication - ECC7

PointMultiplication

PointAddition

PointDoubling

ModularAddition

ModularInversion

ModularMultiplication

e.g. 5 P = 2 (2 P) + P

e.g. Q1= 2 P, Q2 = Q1 + P

e.g. a + b mod f, a * b mod f, a-1 mod f

Multiplier

Algorithm 1: Modular Multiplication in GF(2n)

Input: A(x), B(x) and p(x) Output: A(x)B(x) mod p(x)1: C(x) ← 02: for i=n-1 to 0 do3: C(x) ← x(C(x) + cnp(x)+biA(x))4: end forReturn C(x)/x

A(x) B(x) C(x)

Bit-serial Mult.

Bit-serial Mult.

Bit-serial Mult.

Bit-serial Mult.

d

Digit-serial Mult.

8

ECC processor9

I/O (8b)

Registers(N×163b)

ECC coprocessor

RF

Main Control RAM

Controller

Digit-serial Mult.(for GF(2163))

Area Energy Security

Low footprint10

Curve parameters ECC over binary fields, e.g. GF(2163) Low weight p(x)

Coordinates Affine : P(x,y) Projective : P(X,Y,Z) López-Dahab : P(x, z)

6 registers in total!

[LBV’08]

Low energy11

Energy = Power × Delay

Reduce power Reduce area Reduce flip-flop toggling Reduce clock frequency

Reduce delay Reduce cycle counts Reduce memory accesses [LBV’08]

for i=n-1 to 0 Q← 2Q if ki=1 Q ← Q+Pend for

Side-channel attacks12

Unprotected method

Countermeasure Unified PA/PD Window method Montgomery ladder

Trade-offs

0

5

10

15

20

25

30

35

40

1 2 3 4

Area[kG]

Power[uW]

cycl es[10̂ 4]

Freq.[100KHz]

Energy[uJ ]

* To finish Schnorr protocol in 250 msec.

(Digit size)[LBV’08]

Hyperelliptic curver Cryptography14

DefinitionHyperelliptic curve C over field K is defined by

y2 + h(x)y = f (x) where h(x),f (x) ∈K[x] deg(h(x))<g and deg(f(x)) = 2g + 1 No points also satisfy 2v + h(u) = 0, h (u)v − f (u) = 0′ ′

Divisor and JacobianA divisor D is a formal sum of points on C.

D = ∑mPP degD = ∑mP

Jacobian is defined as J = Div0 / PrinD

Point multiplication - ECC15

ScalarMultiplication

PointAddition

PointDoubling

ModularAddition

ModularInversion

ModularMultiplication

Group operations

Field operations

ECC-based Protocols

Point multiplication - HECC16

ScalarMultiplication

DivisorAddition

DivisorDoubling

ModularAddition

ModularInversion

ModularMultiplication

Group operations

Field operations

HECC-based Protocols

Architecture17

Comparison18

0

2

4

6

8

10

12

14

16

Area Power Del ay Energy

ECC @323 kHz

HECC@300kHz

NTRU Enc@500kHz

NTRUEnc-Dec@500kHz

[kGates] [uW] [10-1s] [uJ]

[LBV’08]

[FBV’08]

[ABFV’08]

[ABFV’08]

Conclusion and Future work

Conclusion Public Key Cryptography is possible on RFID tags ECC outperforms HECC NTRU looks promising

Future work ECC: get smaller HECC: get faster NTRU: get more secure

19

Thank you!

20

Thank you!

21

Point multiplication22

Algorithm 1: ECC Point Multiplication (Montgomery powering ladder)

Input: P, k={kn-1,…, k0}2

Output: Q=k•P1: Q[0] ← O, Q[1] ← 2P2: for i=n-2 to 0 do3: Q[1-ki] ← Q[0] + Q[1]5: Q[ki] ← 2Q[ki]6: end forReturn Q