Title: An Elliptic Curve Processor Suitable for RFID-Tags
1An Elliptic Curve Processor Suitable for
RFID-Tags
- L. Batina1, J. Guajardo2, T. Kerins2,
- N. Mentens1, P. Tuyls2 and I. Verbauwhede
- 1 Katholieke Universiteit Leuven, ESAT-SCD/COSIC
- 2Philips Research, The Netherlands
WISSec 2006 Antwerpen, Belgium November 8-9, 2006
2Outline
- Introduction and Motivation
- Related Work
- Secure Identification Protocols
- Elliptic Curve Cryptography (ECC)
- Low-cost ECC processor
- Results
- Conclusions
3Motivation
- Emerging new applications wireless applications,
sensor networks, RFIDs, car immobilizers, key
chains... - resource limited area, memory, power, bandwidth
- low-cost, low-power, low-energy
- Pure hardware solutions are energy and cost
effective
4New challenging applications RFID tags
-
- RFID applications
- Supply chain management
- Access control
- Payment systems
- Product authentication
- Vehicles tracking
- Medical care
- Key rings
More recent applications Anti-counterfeiting
5(No Transcript)
6Related Work
- Juels use RFIDs for anti-counterfeiting
- TB06 EC-based solution could be possible
- RFID workshop several papers considering ECC
processors for RFID tags - McLR07 limit number of authen.
- Other embedded security applications
7In short
- PKC would be quite useful
- We would like to know
- Are existing protocols feasible on RFID tags?
- How small/cheap is the most compact solution?
- If known solutions are too expensive we should
think about new, light-weight protocols
8Our contributions
- Feasibility of ECC on RFID TAGS
- Protocols of Schnorr and Okamoto evaluated
- Performance vs. area trade-off
- Our solution is based on identification schemes
- ECDSA is not necessary
9Authentication options
- Question
- Can we perform ECC on RFID Tags? Cost?
- Options
- ECDSA Signature
- one point multiplication hash
- Identification Protocols Schnorr or Okamoto
- one or two point multiplications
10Secure Identification Protocols
Set-up an elliptic curve E(GF(2m)) a point P
of order n and a commitment Z aP to the
secret a
11Schnorr Identification Protocol
Reader (ZaP)
Tag (a)
1. request
2. Choose
3. Compute X rP
4. X
5. Choose challenge
6. e
7. Compute y ae r mod n
7. y
8. If yP eZ X rP (ae r) P
e(aP) X accept Else reject
12ECC over binary fields
- Arithmetic can be performed very efficiently
(carry-free). - An elliptic curve E over GF(2n) is defined by an
equation of the form -
- where a, b ? GF(2n), Points are (x, y)
which satisfy the equation, where x, y ? GF(2n). - Exists a group operation i.e. addition such
that for any 2 points, sum is a third point.
13ECC operations Hierarchy
14Low-power design
- Architectural decisions are important
- Frequency as low as possible
- Power consumption and energy efficiency are both
crucial - ECC arithmetic should be revisited to optimize
those parameters - The circuit size should be minimized
- Flexibility can be sacrificed
15Parameter Choice (EC operations)
- Use Montgomery representation
- Use Lopez-Dahab projective coordinates
- Minimize number of registers
- Use only x-coordinate of point during protocol
16The Montgomery Ladder
17Point Operations
18EC Processor Architecture
19ALU Architecture
20Area-Time Product of Various Implementations
21Results
Source Field size (bits) Area (gates) Technology (µm) Frequency Performance (msec)
Östurk et al. CHES 2004 166 (Fp) 30333 0.13 20 MHz 31.9
Gaubatz et al. PerSec 2005 100 (Fp) 18720 0.13 500 KHz 410.45
Wolkerstorfer CRASH 2005 191 (Fp and ) 23000 0.35 68.5 MHz 6.67
Ours 2006 (Schnorr) 131 ( ) 14105 0.25 175 KHz 480
Ours 2006 (Okamoto) 131 ( ) 21179 0.25 175 KHz 830
22Conclusions
- ECC suitable for certain RFID applications
- More research on low cost protocols and low cost
implementations - See also paper in ePrint Archive