![Page 1: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/1.jpg)
Hardware Implementations of (H)ECC and NTRU for RFID
Junfeng Fan ESAT/SCD-COSIC, K.U.Leuven and IBBT
BCRYPT workshop on RFID Security, Feb 5, 2010
![Page 2: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/2.jpg)
Overview
The challenge Security Budget
Implementation of (H)ECC Reducing the area of ALU Reducing the area of Register File
Comparison Conclusions
2
![Page 3: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/3.jpg)
The challenge
Scalability
3
Replay Attack
Anti-cloning
Privacy
…
EC-RACProtocol
SchnorrProtocol
OkamotoProtocol
DoS ?
Public key Crypto
![Page 4: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/4.jpg)
The challenge
Side-channel attacks
4
Performance
Area
Power
HECC
ECC
NTRU
Public key Crypto
![Page 5: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/5.jpg)
Elliptic curve cryptography5
Elliptic curve : E: y2 + a1xy + a3 y = x3 + a2 x2 + a4x + a6
PQ
R=P+Q
y2=x3-13x-3
Point addition:
P (x1,y1), Q (x2,y2)R (x3,y3)= P+Q
λ=
x3= λ2 + λ + x1 + x2 + a y3= λ(x1 + x3) + x3 + y1
y1 + y2
x1 + x2
P ≠ Q
y1
x1
P = Q+ x1
Point multiplication: r P = P + P … + P
r
![Page 6: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/6.jpg)
Schnorr protocol
• System parameters: {E,P,n}
• Tag’s private key: x
• Tag’s public key: X= -xP
Verifier (server)
r2 ∈Zn
If vP + r2X = R1,
then accept
Prover (tag)
r1 ∈Zn
R1 ← r1 P
v ← xr2 + r1
R1
r2
v
6
![Page 7: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/7.jpg)
Point multiplication - ECC7
PointMultiplication
PointAddition
PointDoubling
ModularAddition
ModularInversion
ModularMultiplication
e.g. 5 P = 2 (2 P) + P
e.g. Q1= 2 P, Q2 = Q1 + P
e.g. a + b mod f, a * b mod f, a-1 mod f
![Page 8: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/8.jpg)
Multiplier
Algorithm 1: Modular Multiplication in GF(2n)
Input: A(x), B(x) and p(x) Output: A(x)B(x) mod p(x)1: C(x) ← 02: for i=n-1 to 0 do3: C(x) ← x(C(x) + cnp(x)+biA(x))4: end forReturn C(x)/x
A(x) B(x) C(x)
Bit-serial Mult.
Bit-serial Mult.
Bit-serial Mult.
Bit-serial Mult.
d
Digit-serial Mult.
8
![Page 9: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/9.jpg)
ECC processor9
I/O (8b)
Registers(N×163b)
ECC coprocessor
RF
Main Control RAM
Controller
Digit-serial Mult.(for GF(2163))
Area Energy Security
![Page 10: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/10.jpg)
Low footprint10
Curve parameters ECC over binary fields, e.g. GF(2163) Low weight p(x)
Coordinates Affine : P(x,y) Projective : P(X,Y,Z) López-Dahab : P(x, z)
6 registers in total!
[LBV’08]
![Page 11: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/11.jpg)
Low energy11
Energy = Power × Delay
Reduce power Reduce area Reduce flip-flop toggling Reduce clock frequency
Reduce delay Reduce cycle counts Reduce memory accesses [LBV’08]
![Page 12: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/12.jpg)
for i=n-1 to 0 Q← 2Q if ki=1 Q ← Q+Pend for
Side-channel attacks12
Unprotected method
Countermeasure Unified PA/PD Window method Montgomery ladder
![Page 13: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/13.jpg)
Trade-offs
0
5
10
15
20
25
30
35
40
1 2 3 4
Area[kG]
Power[uW]
cycl es[10̂ 4]
Freq.[100KHz]
Energy[uJ ]
* To finish Schnorr protocol in 250 msec.
(Digit size)[LBV’08]
![Page 14: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/14.jpg)
Hyperelliptic curver Cryptography14
DefinitionHyperelliptic curve C over field K is defined by
y2 + h(x)y = f (x) where h(x),f (x) ∈K[x] deg(h(x))<g and deg(f(x)) = 2g + 1 No points also satisfy 2v + h(u) = 0, h (u)v − f (u) = 0′ ′
Divisor and JacobianA divisor D is a formal sum of points on C.
D = ∑mPP degD = ∑mP
Jacobian is defined as J = Div0 / PrinD
![Page 15: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/15.jpg)
Point multiplication - ECC15
ScalarMultiplication
PointAddition
PointDoubling
ModularAddition
ModularInversion
ModularMultiplication
Group operations
Field operations
ECC-based Protocols
![Page 16: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/16.jpg)
Point multiplication - HECC16
ScalarMultiplication
DivisorAddition
DivisorDoubling
ModularAddition
ModularInversion
ModularMultiplication
Group operations
Field operations
HECC-based Protocols
![Page 17: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/17.jpg)
Architecture17
![Page 18: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/18.jpg)
Comparison18
0
2
4
6
8
10
12
14
16
Area Power Del ay Energy
ECC @323 kHz
HECC@300kHz
NTRU Enc@500kHz
NTRUEnc-Dec@500kHz
[kGates] [uW] [10-1s] [uJ]
[LBV’08]
[FBV’08]
[ABFV’08]
[ABFV’08]
![Page 19: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/19.jpg)
Conclusion and Future work
Conclusion Public Key Cryptography is possible on RFID tags ECC outperforms HECC NTRU looks promising
Future work ECC: get smaller HECC: get faster NTRU: get more secure
19
![Page 20: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/20.jpg)
Thank you!
20
![Page 21: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/21.jpg)
Thank you!
21
![Page 22: BCRYPT workshop on RFID Security, Feb 5, 2010](https://reader034.vdocuments.us/reader034/viewer/2022051215/568148ba550346895db5d4de/html5/thumbnails/22.jpg)
Point multiplication22
Algorithm 1: ECC Point Multiplication (Montgomery powering ladder)
Input: P, k={kn-1,…, k0}2
Output: Q=k•P1: Q[0] ← O, Q[1] ← 2P2: for i=n-2 to 0 do3: Q[1-ki] ← Q[0] + Q[1]5: Q[ki] ← 2Q[ki]6: end forReturn Q