1 / 22

BCRYPT workshop on RFID Security, Feb 5, 2010

Hardware Implementations of (H)ECC and NTRU for RFID Junfeng Fan ESAT/SCD-COSIC, K.U.Leuven and IBBT. BCRYPT workshop on RFID Security, Feb 5, 2010. Overview. The challenge Security Budget Implementation of (H)ECC Reducing the area of ALU Reducing the area of Register File Comparison

leyna
Télécharger la présentation

BCRYPT workshop on RFID Security, Feb 5, 2010

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Hardware Implementations of (H)ECC and NTRU for RFIDJunfeng Fan ESAT/SCD-COSIC, K.U.Leuven and IBBT BCRYPT workshop on RFID Security, Feb 5, 2010

  2. Overview • The challenge • Security • Budget • Implementation of (H)ECC • Reducing the area of ALU • Reducing the area of Register File • Comparison • Conclusions

  3. The challenge Scalability Anti-cloning Schnorr Protocol Privacy Okamoto Protocol Public key Crypto EC-RAC Protocol Replay Attack … DoS ?

  4. The challenge Side-channel attacks Area ECC Power Public key Crypto HECC Performance NTRU

  5. Elliptic curve cryptography Elliptic curve : E: y2 +a1xy+a3 y=x3+ a2x2+a4x +a6 Point addition: P (x1,y1), Q (x2,y2) R (x3,y3)= P+Q λ= x3= λ2+ λ +x1+x2+a y3= λ(x1+ x3) + x3+y1 y1 +y2 Q P ≠ Q P x1 +x2 y1 P = Q + x1 x1 R=P+Q y2=x3-13x-3 Point multiplication: r P = P + P … + P r

  6. Schnorr protocol 6 • System parameters: {E,P,n} • Tag’s private key: x • Tag’s public key: X= -xP Verifier (server) r2∈Zn If vP + r2X = R1, then accept Prover (tag) r1∈Zn R1 ← r1 P v← xr2 + r1 R1 r2 v

  7. Point multiplication - ECC 7 Point Multiplication e.g. 5 P = 2 (2 P) + P Point Addition Point Doubling e.g. Q1= 2 P, Q2 = Q1 + P e.g.a + bmodf, a * bmodf, a-1 modf Modular Addition Modular Multiplication Modular Inversion

  8. Multiplier 8 A(x) B(x) C(x) Algorithm 1: Modular Multiplication in GF(2n) Bit-serial Mult. Input: A(x), B(x) and p(x) Output: A(x)B(x) mod p(x) 1: C(x) ←0 2: for i=n-1 to 0 do 3: C(x) ←x(C(x) + cnp(x)+biA(x)) 4: end for ReturnC(x)/x Bit-serial Mult. d Bit-serial Mult. Bit-serial Mult. Digit-serial Mult.

  9. ECC processor 9 RF Main Control RAM • Area • Energy • Security I/O (8b) Controller Registers (N×163b) Digit-serial Mult. (for GF(2163)) ECC coprocessor

  10. Low footprint • Curve parameters • ECC over binary fields, e.g. GF(2163) • Low weight p(x) • Coordinates • Affine : P(x,y) • Projective : P(X,Y,Z) • López-Dahab : P(x, z) • 6 registers in total! [LBV’08]

  11. Low energy 11 • Energy = Power × Delay • Reduce power • Reduce area • Reduce flip-flop toggling • Reduce clock frequency • Reduce delay • Reduce cycle counts • Reduce memory accesses [LBV’08]

  12. Side-channel attacks 12 • Unprotected method • Countermeasure • Unified PA/PD • Window method • Montgomery ladder fori=n-1to 0 Q← 2Q ifki=1 Q ← Q+P end for

  13. Trade-offs [LBV’08] (Digit size) * To finish Schnorr protocol in 250 msec.

  14. Hyperelliptic curver Cryptography • Definition Hyperelliptic curve CoverfieldKis defined by y2 + h(x)y = f (x) whereh(x),f (x) ∈K[x] • deg(h(x))<g and deg(f(x)) = 2g + 1 • No points also satisfy 2v + h(u) = 0, h′(u)v − f′(u) = 0 • Divisor and Jacobian A divisor D is a formal sum of points on C. D = ∑mPP • degD = ∑mP • Jacobian is defined as J = Div0 / PrinD

  15. Point multiplication - ECC Scalar Multiplication ECC-based Protocols Point Addition Point Doubling Group operations Field operations Modular Addition Modular Multiplication Modular Inversion

  16. Point multiplication - HECC Scalar Multiplication HECC-based Protocols Divisor Addition Divisor Doubling Group operations Field operations Modular Addition Modular Multiplication Modular Inversion

  17. Architecture

  18. Comparison [LBV’08] [FBV’08] [ABFV’08] [ABFV’08] [kGates] [uW] [10-1s] [uJ]

  19. Conclusion and Future work • Conclusion • Public Key Cryptography is possible on RFID tags • ECC outperforms HECC • NTRU looks promising • Future work • ECC: get smaller • HECC: get faster • NTRU: get more secure

  20. Thank you!

  21. Thank you! 21

  22. Point multiplication 22 Algorithm 1: ECC Point Multiplication (Montgomery powering ladder) Input: P, k={kn-1,…, k0}2 Output: Q=k•P 1: Q[0] ← O, Q[1] ← 2P 2: for i=n-2 to 0 do 3: Q[1-ki] ← Q[0] + Q[1] 5: Q[ki] ← 2Q[ki] 6: end for ReturnQ

More Related