Are standards compliant Elliptic Curve Cryptosystems feasible on RFID?
Sandeep Kumar* and Christof Paar
Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany
Outline
• The Past: Previous work
• The Problem: Design a tiny ECC processor
• The Solution: Algorithmic choice
• The Implementation: CMOS ASIC design
• The Future: ECC in RFID
Elliptic Curve Cryptography (ECC)
• ECC suggested in 1985 by Miller/Koblitz
• Elliptic Curve Discrete Logarithm Problem (ECDLP)
• Define an Additive Abelian Group (E,+) over an Elliptic Curve
• Set E: Points on curve
• Operation: $P + Q = (x_1, y_1) + (x_2, y_2) = R = (x_3, y_3)$
• $\lambda = (y_2 - y_1)/(x_2 - x_1)$
• $x_3 = \lambda^2 - x_2 - x_1$
• $y_3 = \lambda(x_1 - x_3) - y_1$
Elliptic Curve Cryptography (ECC)
• Define group over an Elliptic Curve
• Finite Field Types: Binary Fields, Prime Fields, Extension Fields (OEF)
• Finite Fields
  - Prime fields: $GF(p)$
  - Extension fields: $GF(p^m)$
    - char > 2: OEF, $GF((2^n - c)^m)$
    - char = 2: binary, $GF(2^n)$
ECC System Design
• Protocol
• Point Mult (k·P): kP
• Group Operation: Point Add/Double: x3=..., y3=...
• Field Operations: Addition/Subtraction, Multiplication, Reduction, Inverse: a+b, a-b, a·b, 1/b
Scalar Point Multiplication
• Easy: k·P (Point Mult.): P + P + ... + P = T
• Hard: Given P, T. Find k? Elliptic Curve Discrete Logarithm Problem (ECDLP)
The Problem: Tiny ECC design
• Reduce memory requirements: memory amounts to more than 50% of design
• Reduce arithmetic unit area: avoid units like invertor; design for specific size
• Keep it simple but efficient: reduce control logic area (multiplexers)
[Diagram: The Problem → The Solution, covering arithmetic unit, memory, simple but efficient]
The Solution: Tiny ECC design
• Reduce memory requirements: Affine co-ordinates, Montgomery scalar multiplication
• Reduce arithmetic unit area: An efficient invertor unit using an efficient squarer
• Keep it simple but efficient: Modify Montgomery scalar multiplication algo.
Tiny ECC processor
• Arithmetic Units: Multiplier (Most-Significant Bit Mult.), Squarer, Invertor
• Point Multiplier Control Unit
• Memory Unit
The Implementation: Multiplier
• Most-Significant Bit (MSB) Multiplier
• n clocks for n-bit multiplier
Tiny ECC processor
• Arithmetic Units: Multiplier (Most-Significant Bit Mult.), Squarer, Invertor (Fermat's Little Theorem)
• Point Multiplier Control Unit
• Memory Unit
The Implementation: Invertor
• Fermat's Little Theorem: $A^{-1} = A^{2^m-2} \bmod F(x)$ if $A \in GF(2^m)$
• For m=163: 161 Mult. + 162 Sqr.
• Itoh-Tsujii Method: for m=163: 9 Mult. + 162 Sqr.
• $A^{2^m-2} = A^{(2^{m-1}-1)\cdot 2} = A^{[111..1]_2 \cdot 2}$
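The operation counts on the invertor slide can be reproduced in software. The following Python model is an added example, not code from the presentation; it assumes F(x) is the NIST polynomial x^163 + x^7 + x^6 + x^3 + 1 (the slides do not state F(x)), and the function names and the sample element A are constructed for illustration.

```python
M = 163
# Assumption: NIST polynomial x^163 + x^7 + x^6 + x^3 + 1; the slides do not state F(x).
F = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1
A = 0x123456789ABCDEF0123456789ABCDEF012345678  # constructed sample element, not from the slides

def gf_mul(a, b, ops=None):
    """MSB-first multiply in GF(2^M): one loop pass per bit of b (n passes for n bits)."""
    if ops is not None:
        ops["mul"] += 1
    r = 0
    for i in range(M - 1, -1, -1):
        r <<= 1                 # r = r * x
        if r >> M:              # degree reached M: reduce by F(x)
            r ^= F
        if (b >> i) & 1:        # add a when the current bit of b is set
            r ^= a
    return r

def gf_sqr(a, ops):
    """Squaring, counted separately because the design has a dedicated squarer."""
    ops["sqr"] += 1
    return gf_mul(a, a)

def inv_fermat(a, ops):
    """A^(2^M - 2) by plain square-and-multiply; the exponent is [11..10]_2."""
    r = a
    for _ in range(M - 2):
        r = gf_mul(gf_sqr(r, ops), a, ops)
    return gf_sqr(r, ops)

def inv_itoh_tsujii(a, ops):
    """Build beta_k = A^(2^k - 1) along the bits of M-1, then square once."""
    beta, k = a, 1
    for bit in bin(M - 1)[3:]:                    # bits of M-1 after the leading 1
        t = beta
        for _ in range(k):                        # t = beta_k^(2^k)
            t = gf_sqr(t, ops)
        beta, k = gf_mul(t, beta, ops), 2 * k     # beta_(2k)
        if bit == "1":
            beta, k = gf_mul(gf_sqr(beta, ops), a, ops), k + 1   # beta_(2k+1)
    return gf_sqr(beta, ops)                      # A^(2*(2^(M-1) - 1)) = A^(2^M - 2)

def compare(a):
    """Return [(inverse, mults, squarings)] for Fermat, then Itoh-Tsujii."""
    results = []
    for fn in (inv_fermat, inv_itoh_tsujii):
        ops = {"mul": 0, "sqr": 0}
        results.append((fn(a, ops), ops["mul"], ops["sqr"]))
    return results
```

Calling compare(A) returns the same inverse from both methods; only the multiplication count differs, which is what matters when the multiplier takes n clocks and the squarer takes one.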
Tiny ECC processor
• Arithmetic Units: Multiplier (Most-Significant Bit Mult.), Squarer (Parallel Squaring), Invertor (Fermat's Little Theorem)
• Point Multiplier Control Unit
• Memory Unit
The Implementation: Squarer
• Single Cycle Squaring
• Low critical path
Tiny ECC processor
• Arithmetic Units: Multiplier (Most-Significant Bit Mult.), Squarer (Parallel Squaring), Invertor (Fermat's Little Theorem)
• Point Multiplier Control Unit (Modified Montgomery Algo)
• Memory Unit
The Implementation
• ECC processor implementation for $2^{113}$, $2^{131}$, $2^{163}$, $2^{193}$
Tiny ECC processor: Results
• Performance @ 13.56 MHz
• 22% smaller than previous results
The Future
• Are standards compliant Elliptic Curve Cryptosystems feasible on RFID?
• Yes and No!
• Depends on application, RFID device, power...
• Future?
• The next 60 mins!