BCRYPT workshop on RFID Security, Feb 5, 2010

Hardware Implementations of (H)ECC and NTRU for RFID. Junfeng Fan, ESAT/SCD-COSIC, K.U.Leuven and IBBT. BCRYPT workshop on RFID Security, Feb 5, 2010.


TRANSCRIPT

Page 1: BCRYPT workshop on RFID Security, Feb 5, 2010

Hardware Implementations of (H)ECC and NTRU for RFID

Junfeng Fan ESAT/SCD-COSIC, K.U.Leuven and IBBT

BCRYPT workshop on RFID Security, Feb 5, 2010

Page 2: BCRYPT workshop on RFID Security, Feb 5, 2010

Overview

• The challenge
• Security Budget
• Implementation of (H)ECC
• Reducing the area of ALU
• Reducing the area of Register File
• Comparison
• Conclusions

Page 3: BCRYPT workshop on RFID Security, Feb 5, 2010

The challenge

Scalability, Replay Attack, Anti-cloning, Privacy, DoS ?

EC-RAC Protocol, Schnorr Protocol, Okamoto Protocol

Public key Crypto

Page 4: BCRYPT workshop on RFID Security, Feb 5, 2010

The challenge

Side-channel attacks, Performance, Area, Power

HECC, ECC, NTRU

Public key Crypto

Page 5: BCRYPT workshop on RFID Security, Feb 5, 2010

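Elliptic curve cryptography

Elliptic curve E: $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$

[Figure: points P, Q and R = P + Q on the curve $y^2 = x^3 - 13x - 3$]

Point addition: $P(x_1, y_1)$, $Q(x_2, y_2)$, $R(x_3, y_3) = P + Q$

$$\lambda = \begin{cases} \dfrac{y_1 + y_2}{x_1 + x_2} & P \neq Q \\[2ex] \dfrac{y_1}{x_1} + x_1 & P = Q \end{cases}$$

$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a, \qquad y_3 = \lambda(x_1 + x_3) + x_3 + y_1$$

Point multiplication: $rP = \underbrace{P + P + \dots + P}_{r}$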

Page 6: BCRYPT workshop on RFID Security, Feb 5, 2010

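Schnorr protocol

• System parameters: {E, P, n}

• Tag’s private key: x

• Tag’s public key: X = -xP

1. Prover (tag): r1 ∈ Zn, R1 ← r1 P. Sends R1 to the verifier.

2. Verifier (server): r2 ∈ Zn. Sends r2 to the prover.

3. Prover (tag): v ← x r2 + r1. Sends v to the verifier.

4. Verifier (server): If vP + r2 X = R1, then accept.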
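The exchange above as an added example (not code from the slides): one Schnorr identification run on a toy curve y^2 = x^3 + 2x + 2 over F_17 with base point P = (5, 1) of prime order n = 19. The curve, its size and every function name are assumptions chosen so the arithmetic can be followed by hand; the slides target binary-field curves such as GF(2^163).

```python
import secrets

# Toy parameters (assumption, not from the slides): y^2 = x^3 + 2x + 2 over F_17,
# base point P = (5, 1) of prime order n = 19. Far too small for real use.
p, a = 17, 2
P, n = (5, 1), 19
O = None                                    # point at infinity

def add(A, B):
    # Affine point addition and doubling on the toy curve.
    if A is O: return B
    if B is O: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                            # A + (-A)
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    # k*A by double-and-add (not hardened against side channels).
    Q = O
    for bit in bin(k % n)[2:]:
        Q = add(Q, Q)
        if bit == "1":
            Q = add(Q, A)
    return Q

def keygen(x):
    return mul(n - x, P)                    # tag's public key X = -xP

def commit(r1):
    return mul(r1, P)                       # R1 <- r1 P

def respond(x, r1, r2):
    return (x * r2 + r1) % n                # v <- x r2 + r1

def verify(X, R1, r2, v):
    return add(mul(v, P), mul(r2, X)) == R1 # accept iff vP + r2 X = R1

def run(x, claimed_x=None):
    # One protocol run; claimed_x models a tag that does not hold the real key.
    X = keygen(x)
    r1 = secrets.randbelow(n)               # must be fresh and secret in every run
    r2 = 1 + secrets.randbelow(n - 1)       # nonzero challenge
    v = respond(x if claimed_x is None else claimed_x, r1, r2)
    return verify(X, commit(r1), r2, v)
```

The check succeeds because vP + r2 X = (x r2 + r1)P - r2 xP = r1 P; a response computed with any other key leaves the term r2(x' - x)P, which is nonzero for a nonzero challenge.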

Page 7: BCRYPT workshop on RFID Security, Feb 5, 2010

Point multiplication - ECC

• Point Multiplication, e.g. 5P = 2(2P) + P

• Point Addition, Point Doubling, e.g. Q1 = 2P, Q2 = Q1 + P

• Modular Addition, Modular Inversion, Modular Multiplication, e.g. a + b mod f, a * b mod f, a^-1 mod f

Page 8: BCRYPT workshop on RFID Security, Feb 5, 2010

Multiplier

Algorithm 1: Modular Multiplication in GF(2^n)

Input: A(x), B(x) and p(x)
Output: A(x)B(x) mod p(x)
C(x) ← 0
for i = n-1 to 0 do
    C(x) ← x(C(x) + c_n p(x) + b_i A(x))
end for
Return C(x)/x

[Figure: A(x), B(x), C(x); four bit-serial multipliers forming a digit-serial multiplier with digit size d]
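Algorithm 1 in runnable form, next to a digit-serial variant that consumes d bits of B(x) per clock cycle, as an added example (not code from the slides). The reduction polynomial x^163 + x^7 + x^6 + x^3 + 1, the most-significant-digit-first formulation of the digit-serial loop and the function names are assumptions; the slides give only the bit-serial algorithm and a block diagram.

```python
# Polynomials over GF(2) are held as Python ints: bit i is the coefficient of x^i.
N = 163
# Assumption: NIST reduction polynomial for GF(2^163); the slides only ask for a
# low-weight p(x).
P163 = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1

def bitserial_mul(a, b, p=P163, n=N):
    """Algorithm 1: one bit of B(x) per clock cycle, most significant bit first."""
    c = 0
    for i in range(n - 1, -1, -1):
        if (c >> n) & 1:              # c_n * p(x): cancel the x^n term
            c ^= p
        if (b >> i) & 1:              # b_i * A(x)
            c ^= a
        c <<= 1                       # multiply by x
    return c >> 1                     # C(x) / x

def digitserial_mul(a, b, d, p=P163, n=N):
    """d bits of B(x) per cycle; returns (product, cycle count)."""
    cycles = -(-n // d)               # ceil(n / d)
    c = 0
    for j in range(cycles - 1, -1, -1):
        digit = (b >> (j * d)) & ((1 << d) - 1)
        c <<= d                       # C(x) * x^d
        for t in range(d):            # d partial products, parallel in hardware
            if (digit >> t) & 1:
                c ^= a << t
        for deg in range(n + d - 1, n - 1, -1):   # reduce back below degree n
            if (c >> deg) & 1:
                c ^= p << (deg - n)
    return c, cycles
```

For d = 1 to 4 the cycle count per multiplication is 163, 82, 55 and 41, while each cycle needs d partial products and a wider reduction step.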

Page 9: BCRYPT workshop on RFID Security, Feb 5, 2010

ECC processor

[Block diagram labels: I/O (8b), Registers (N×163b), ECC coprocessor, RF, Main Control, RAM, Controller, Digit-serial Mult. (for GF(2^163))]

Area, Energy, Security

Page 10: BCRYPT workshop on RFID Security, Feb 5, 2010

Low footprint

Curve parameters
• ECC over binary fields, e.g. GF(2^163)
• Low weight p(x)

Coordinates
• Affine: P(x, y)
• Projective: P(X, Y, Z)
• López-Dahab: P(x, z)

6 registers in total!

[LBV’08]

Page 11: BCRYPT workshop on RFID Security, Feb 5, 2010

Low energy

Energy = Power × Delay

Reduce power
• Reduce area
• Reduce flip-flop toggling
• Reduce clock frequency

Reduce delay
• Reduce cycle counts
• Reduce memory accesses

[LBV’08]

Page 12: BCRYPT workshop on RFID Security, Feb 5, 2010

Side-channel attacks

Unprotected method:

for i = n-1 to 0
    Q ← 2Q
    if k_i = 1
        Q ← Q + P
end for

Countermeasure:
• Unified PA/PD
• Window method
• Montgomery ladder

Page 13: BCRYPT workshop on RFID Security, Feb 5, 2010

Trade-offs

[Figure: Area [kG], Power [uW], cycles [10^4], Freq. [100KHz] and Energy [uJ] plotted against digit size (1 to 4); vertical axis 0 to 40] [LBV’08]

* To finish Schnorr protocol in 250 msec.

Page 14: BCRYPT workshop on RFID Security, Feb 5, 2010

Hyperelliptic curve cryptography

Definition: A hyperelliptic curve C over a field K is defined by

$y^2 + h(x)y = f(x)$, where $h(x), f(x) \in K[x]$, $\deg(h(x)) < g$ and $\deg(f(x)) = 2g + 1$. No points also satisfy $2v + h(u) = 0$, $h'(u)v - f'(u) = 0$.

Divisor and Jacobian: A divisor D is a formal sum of points on C.

$D = \sum m_P P$, $\deg D = \sum m_P$

The Jacobian is defined as $J = \mathrm{Div}^0 / \mathrm{PrinD}$

Page 15: BCRYPT workshop on RFID Security, Feb 5, 2010

Point multiplication - ECC

ECC-based Protocols

Group operations: Scalar Multiplication; Point Addition, Point Doubling

Field operations: Modular Addition, Modular Inversion, Modular Multiplication

Page 16: BCRYPT workshop on RFID Security, Feb 5, 2010

Point multiplication - HECC

HECC-based Protocols

Group operations: Scalar Multiplication; Divisor Addition, Divisor Doubling

Field operations: Modular Addition, Modular Inversion, Modular Multiplication

Page 17: BCRYPT workshop on RFID Security, Feb 5, 2010

Architecture

Page 18: BCRYPT workshop on RFID Security, Feb 5, 2010

Comparison

[Figure: bar chart of Area [kGates], Power [uW], Delay [10^-1 s] and Energy [uJ] for ECC @323 kHz [LBV’08], HECC @300 kHz [FBV’08], NTRU Enc @500 kHz [ABFV’08] and NTRU Enc-Dec @500 kHz [ABFV’08]; vertical axis 0 to 16]

Page 19: BCRYPT workshop on RFID Security, Feb 5, 2010

Conclusion and Future work

Conclusion
• Public Key Cryptography is possible on RFID tags
• ECC outperforms HECC
• NTRU looks promising

Future work
• ECC: get smaller
• HECC: get faster
• NTRU: get more secure

Page 20: BCRYPT workshop on RFID Security, Feb 5, 2010

Thank you!


Page 22: BCRYPT workshop on RFID Security, Feb 5, 2010

Point multiplication

Algorithm 1: ECC Point Multiplication (Montgomery powering ladder)

Input: P, k = (k_{n-1}, …, k_0)_2 with k_{n-1} = 1
Output: Q = k•P
Q[0] ← P, Q[1] ← 2P
for i = n-2 to 0 do
    Q[1-k_i] ← Q[0] + Q[1]
    Q[k_i] ← 2Q[k_i]
end for
Return Q[0]
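The unprotected loop from the side-channel slide and the Montgomery powering ladder above, compared by the sequence of group operations each one performs, as an added example (not code from the slides). The group is the integers modulo a constant M under addition, a stand-in assumption that keeps the block self-contained; the ladder is written for a scalar whose top bit is 1 and starts from Q[0] = P, Q[1] = 2P. All names are hypothetical.

```python
M = 2**61 - 1      # stand-in group: integers mod M under addition (assumption)

class Tracer:
    """Performs group operations and records which kind ran, in order."""
    def __init__(self):
        self.trace = []

    def add(self, a, b):
        self.trace.append("A")
        return (a + b) % M

    def dbl(self, a):
        self.trace.append("D")
        return (2 * a) % M

def double_and_add(k, P, g):
    """Unprotected method: the addition runs only when the key bit is 1."""
    Q = 0                                  # identity element of the group
    for bit in bin(k)[2:]:
        Q = g.dbl(Q)
        if bit == "1":
            Q = g.add(Q, P)
    return Q

def montgomery_ladder(k, P, g):
    """Ladder: one addition and one doubling per key bit, whatever its value."""
    Q = [P, g.dbl(P)]                      # valid because the top bit of k is 1
    for bit in bin(k)[3:]:                 # bits n-2 .. 0
        ki = int(bit)
        Q[1 - ki] = g.add(Q[0], Q[1])
        Q[ki] = g.dbl(Q[ki])
    return Q[0]

def op_trace(method, k, P=123456789):
    """Run one scalar multiplication; return (result, operation sequence)."""
    g = Tracer()
    result = method(k, P, g)
    return result, "".join(g.trace)
```

Two scalars of equal length give different double-and-add sequences but the same ladder sequence. The trace models only the type of group operation, not register addressing or the timing of the underlying field operations, which an implementation still has to keep key-independent.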