
An Elliptic Curve Processor Suitable for RFID-Tags

An Elliptic Curve Processor Suitable for RFID-Tags. L. Batina (1), J. Guajardo (2), T. Kerins (2), N. Mentens (1), P. Tuyls (2) and I. Verbauwhede (1). (1) Katholieke Universiteit Leuven, ESAT-SCD/COSIC; (2) Philips Research, The Netherlands. WISSec 2006, Antwerpen, Belgium, November 8-9, 2006.


Presentation Transcript


  1. An Elliptic Curve Processor Suitable for RFID-Tags • L. Batina (1), J. Guajardo (2), T. Kerins (2), N. Mentens (1), P. Tuyls (2) and I. Verbauwhede (1) • (1) Katholieke Universiteit Leuven, ESAT-SCD/COSIC • (2) Philips Research, The Netherlands • WISSec 2006, Antwerpen, Belgium, November 8-9, 2006

  2. Outline • Introduction and Motivation • Related Work • Secure Identification Protocols • Elliptic Curve Cryptography (ECC) • Low-cost ECC processor • Results • Conclusions

  3. Motivation • Emerging new applications: wireless applications, sensor networks, RFIDs, car immobilizers, key chains... • resource limited: area, memory, power, bandwidth • low-cost, low-power, low-energy • Pure hardware solutions are energy and cost effective

  4. New challenging applications: RFID tags RFID applications: • Supply chain management • Access control • Payment systems • Product authentication • Vehicles tracking • Medical care • Key rings More recent applications: Anti-counterfeiting

  5. Related Work • Juels: use RFIDs for anti-counterfeiting • [TB06]: EC-based solution could be possible • RFID workshop: several papers considering ECC processors for RFID tags • [McLR07]: limit number of authen. • Other embedded security applications

  6. In short • PKC would be quite useful • We would like to know • Are existing protocols feasible on RFID tags? • How small/cheap is the most compact solution? • If known solutions are too expensive we should think about new, light-weight protocols

  7. Our contributions • Feasibility of ECC on RFID TAGS • Protocols of Schnorr and Okamoto evaluated • Performance vs. area trade-off • Our solution is based on identification schemes • ECDSA is not necessary

  8. Authentication options Question: Can we perform ECC on RFID Tags? Cost? • Options: • ECDSA Signature • one point multiplication + hash • Identification Protocols: Schnorr or Okamoto • one or two point multiplications

  9. Secure Identification Protocols • Protocol anatomy: Prover, Verifier; witness, challenge, response • Set-up: an elliptic curve E(GF(2^m)), a point P of order n, and a commitment Z = aP to the secret a

  10. Schnorr Identification Protocol • Reader (Z = aP), Tag (a) • 1. request • 2. Choose • 3. Compute X = rP • 4. X • 5. Choose challenge • 6. e • 7. Compute y = ae + r mod n • 7. y • 8. If yP – eZ = X = rP, i.e. (ae + r)P – e(aP) = X, accept; else reject

  11. ECC over binary fields • Arithmetic can be performed very efficiently (carry-free). • An elliptic curve E over GF(2^n) is defined by an equation of the form: where a, b ∈ GF(2^n). • Points are (x, y) which satisfy the equation, where x, y ∈ GF(2^n). • There exists a group operation, i.e. addition, such that the sum of any two points is a third point.

  12. ECC operations: Hierarchy

  13. Low-power design • Architectural decisions are important • Frequency as low as possible • Power consumption and energy efficiency are both crucial • ECC arithmetic should be revisited to optimize those parameters • The circuit size should be minimized • Flexibility can be sacrificed

  14. Parameter Choice (EC operations) • Use Montgomery representation • Use Lopez-Dahab projective coordinates • Minimize number of registers • Use only x-coordinate of point during protocol

  15. The Montgomery Ladder

  16. Point Operations

  17. EC Processor Architecture

  18. ALU Architecture

  19. Area-Time Product of Various Implementations

  20. Results

  21. Conclusions • ECC suitable for certain RFID applications • More research on low cost protocols and low cost implementations • See also paper in ePrint Archive
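The Schnorr exchange of slide 10, run end to end as an added example (not code from the presentation or its authors), with scalar multiplication done by a Montgomery ladder as slide 15 names. Assumptions: the toy field GF(2^7), the curve constants, the brute-force base point and the 1..n-1 ranges for r and e are chosen here for illustration, and the ladder works on plain affine points rather than the x-only Lopez-Dahab form of slide 14.

```python
import secrets

# Toy parameters (assumed, insecure): GF(2^7) mod x^7+x+1, curve y^2+xy = x^3+A*x^2+B
M, POLY, A, B, O = 7, 0x83, 1, 1, None     # O is the point at infinity

def gmul(u, v):                            # carry-free multiply in GF(2^M)
    r = 0
    while v:
        r ^= u * (v & 1)                   # "add" is XOR, no carries
        u, v = (u << 1) ^ (POLY * (u >> (M - 1))), v >> 1
    return r

def ginv(u):                               # u^(2^M - 2) = 1/u for u != 0
    r = 1
    for _ in range(M - 1):
        u = gmul(u, u)
        r = gmul(r, u)
    return r

def add(S, T):                             # affine group law on the binary curve
    if S is O or T is O:
        return S or T
    (x1, y1), (x2, y2) = S, T
    if x1 == x2 and (y1 != y2 or x1 == 0):
        return O                           # T = -S = (x1, x1 + y1)
    lam = gmul(y1 ^ y2, ginv(x1 ^ x2)) if x1 != x2 else x1 ^ gmul(y1, ginv(x1))
    x3 = gmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gmul(lam, x1 ^ x3) ^ x3 ^ y1)

def mul(k, S):                             # Montgomery ladder: one add, one double per bit
    R = [O, S]
    for bit in map(int, bin(k)[2:]):
        R[1 - bit] = add(R[0], R[1])
        R[bit] = add(R[bit], R[bit])
    return R[0]

def on_curve(x, y):
    return gmul(y, y) ^ gmul(x, y) == gmul(gmul(x, x), x ^ A) ^ B

# Base point P: first curve point with x != 0; N: its order, found by brute force
P = next((x, y) for x in range(1, 1 << M) for y in range(1 << M) if on_curve(x, y))
N = next(n for n in range(1, 1 << (M + 2)) if mul(n, P) is O)

def identify(a, Z):                        # one run; tag holds a, reader holds Z = aP
    r = secrets.randbelow(N - 1) + 1       # 2. tag chooses r (range 1..n-1 assumed)
    X = mul(r, P)                          # 3-4. tag sends X = rP
    e = secrets.randbelow(N - 1) + 1       # 5-6. reader sends challenge e
    y = (a * e + r) % N                    # 7. tag sends y = ae + r mod n
    eZ = mul(e, Z)
    minus_eZ = eZ and (eZ[0], eZ[0] ^ eZ[1])
    return add(mul(y, P), minus_eZ) == X   # 8. accept iff yP - eZ = X
```

A tag that holds the wrong secret a' fails every run here, because yP – eZ then equals X + e(a' – a)P, which differs from X for any nonzero challenge when a' – a is not a multiple of n.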
