Hardware Implementations of (H)ECC and NTRU for RFID Junfeng Fan ESAT/SCD-COSIC, K.U.Leuven and IBBT. BCRYPT workshop on RFID Security, Feb 5, 2010. Overview. The challenge Security Budget Implementation of (H)ECC Reducing the area of ALU Reducing the area of Register File Comparison
Overview • The challenge • Security • Budget • Implementation of (H)ECC • Reducing the area of ALU • Reducing the area of Register File • Comparison • Conclusions
The challenge [diagram labels: Scalability; Anti-cloning; Privacy; Replay Attack; …; DoS ?; Public key Crypto; Schnorr Protocol; Okamoto Protocol; EC-RAC Protocol]
The challenge [diagram labels: Side-channel attacks; Area; Power; Performance; Public key Crypto; ECC; HECC; NTRU]
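Elliptic curve cryptography
Elliptic curve: $E: y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$
Point addition: for $P = (x_1, y_1)$ and $Q = (x_2, y_2)$, $R = (x_3, y_3) = P + Q$ with
$$\lambda = \begin{cases} \dfrac{y_1 + y_2}{x_1 + x_2} & P \neq Q \\[2mm] \dfrac{y_1}{x_1} + x_1 & P = Q \end{cases}$$
$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a, \qquad y_3 = \lambda(x_1 + x_3) + x_3 + y_1$$
[Figure: curve $y^2 = x^3 - 13x - 3$ with points P, Q and R = P + Q]
Point multiplication: $rP = \underbrace{P + P + \dots + P}_{r}$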
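Schnorr protocol
• System parameters: $\{E, P, n\}$
• Tag's private key: $x$
• Tag's public key: $X = -xP$
Message flow between the prover (tag) and the verifier (server):
1. Tag: $r_1 \in \mathbb{Z}_n$, $R_1 \leftarrow r_1 P$; sends $R_1$.
2. Verifier: $r_2 \in \mathbb{Z}_n$; sends $r_2$.
3. Tag: $v \leftarrow x r_2 + r_1$; sends $v$.
4. Verifier: if $vP + r_2 X = R_1$, then accept.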
Point multiplication - ECC
• Point Multiplication, e.g. 5P = 2(2P) + P
  • Point Addition, Point Doubling, e.g. Q1 = 2P, Q2 = Q1 + P
    • Modular Addition, Modular Multiplication, Modular Inversion, e.g. a + b mod f, a * b mod f, a^-1 mod f
Multiplier
Algorithm 1: Modular Multiplication in GF(2^n)
Input: A(x), B(x) and p(x)
Output: A(x)B(x) mod p(x)
    C(x) ← 0
    for i = n-1 down to 0 do
        C(x) ← x(C(x) + c_n p(x) + b_i A(x))
    end for
    return C(x)/x
[Figure labels: A(x), B(x), C(x); Bit-serial Mult. (×d); Digit-serial Mult.]
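A software model of Algorithm 1 and of a digit-serial variant with digit size d, added here as an illustration; it is not the authors' hardware design. It assumes the NIST pentanomial x^163 + x^7 + x^6 + x^3 + 1 as p(x) (the slides only ask for a low-weight p(x)) and inputs of degree below n; all function names are hypothetical.

```python
N = 163
# Assumption: NIST reduction polynomial for GF(2^163); not stated on the slides.
P = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1

def bit_serial_mul(a, b, p=P, n=N):
    """Algorithm 1 as written: C <- x*(C + c_n*p + b_i*A), then return C/x."""
    c = 0
    for i in range(n - 1, -1, -1):
        if (c >> n) & 1:          # c_n set: add p(x) to clear the x^n term
            c ^= p
        if (b >> i) & 1:          # b_i set: accumulate A(x)
            c ^= a
        c <<= 1                   # multiply by x
    return c >> 1                 # final division by x

def digit_serial_mul(a, b, d, p=P, n=N):
    """Consume d bits of B per clock cycle. Returns (product, cycles)."""
    cycles = -(-n // d)           # ceil(n / d), independent of operand values
    c = 0
    for k in range(cycles - 1, -1, -1):
        digit = (b >> (k * d)) & ((1 << d) - 1)
        for j in range(d - 1, -1, -1):   # d cascaded shift/reduce/add stages
            c <<= 1
            if (c >> n) & 1:
                c ^= p
            if (digit >> j) & 1:
                c ^= a
    return c, cycles

def reference_mul(a, b, p=P, n=N):
    """Cross-check: carry-less schoolbook product, then long division by p(x)."""
    prod = 0
    for i in range(b.bit_length()):
        if (b >> i) & 1:
            prod ^= a << i
    for i in range(prod.bit_length() - 1, n - 1, -1):
        if (prod >> i) & 1:
            prod ^= p << (i - n)
    return prod

if __name__ == "__main__":
    a, b = 0x1234567890ABCDEF, 0x0FEDCBA987654321   # constructed sample operands
    for d in (1, 2, 4):
        prod, cycles = digit_serial_mul(a, b, d)
        print(d, cycles, prod == bit_serial_mul(a, b) == reference_mul(a, b))
```

The cycle count depends only on n and d, so a larger digit size buys latency with extra combinational stages rather than with data-dependent timing.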
ECC processor
[Block diagram labels: RF; Main Control; RAM; I/O (8b); Controller; Registers (N×163b); Digit-serial Mult. (for GF(2^163)); ECC coprocessor]
• Area
• Energy
• Security
Low footprint [LBV’08]
• Curve parameters
  • ECC over binary fields, e.g. GF(2^163)
  • Low weight p(x)
• Coordinates
  • Affine: P(x, y)
  • Projective: P(X, Y, Z)
  • López-Dahab: P(x, z)
• 6 registers in total!
Low energy [LBV’08]
• Energy = Power × Delay
• Reduce power
  • Reduce area
  • Reduce flip-flop toggling
  • Reduce clock frequency
• Reduce delay
  • Reduce cycle counts
  • Reduce memory accesses
Side-channel attacks
• Unprotected method
    for i = n-1 down to 0
        Q ← 2Q
        if k_i = 1 then Q ← Q + P
    end for
• Countermeasure
  • Unified PA/PD
  • Window method
  • Montgomery ladder
Trade-offs [LBV’08] (Digit size) * To finish Schnorr protocol in 250 msec.
Hyperelliptic curve cryptography
• Definition: a hyperelliptic curve $C$ over a field $K$ is defined by $y^2 + h(x)y = f(x)$, where $h(x), f(x) \in K[x]$
  • $\deg(h(x)) < g$ and $\deg(f(x)) = 2g + 1$
  • No points $(u, v)$ on the curve also satisfy $2v + h(u) = 0$, $h'(u)v - f'(u) = 0$
• Divisor and Jacobian
  • A divisor $D$ is a formal sum of points on $C$: $D = \sum m_P P$
  • $\deg D = \sum m_P$
  • The Jacobian is defined as $J = \mathrm{Div}^0 / \mathrm{PrinD}$
Point multiplication - ECC [layer diagram, top to bottom]
• ECC-based Protocols
• Scalar Multiplication
• Group operations: Point Addition, Point Doubling
• Field operations: Modular Addition, Modular Multiplication, Modular Inversion
Point multiplication - HECC [layer diagram, top to bottom]
• HECC-based Protocols
• Scalar Multiplication
• Group operations: Divisor Addition, Divisor Doubling
• Field operations: Modular Addition, Modular Multiplication, Modular Inversion
Comparison [table; labels: [LBV’08], [FBV’08], [ABFV’08], [ABFV’08]; units: [kGates], [uW], [10^-1 s], [uJ]]
Conclusion and Future work
• Conclusion
  • Public Key Cryptography is possible on RFID tags
  • ECC outperforms HECC
  • NTRU looks promising
• Future work
  • ECC: get smaller
  • HECC: get faster
  • NTRU: get more secure
Thank you!
Point multiplication
Algorithm 1: ECC Point Multiplication (Montgomery powering ladder)
Input: P, k = {k_{n-1}, …, k_0}_2 (with k_{n-1} = 1, since the loop starts at bit n-2)
Output: Q = k•P
    Q[0] ← P, Q[1] ← 2P
    for i = n-2 down to 0 do
        Q[1-k_i] ← Q[0] + Q[1]
        Q[k_i] ← 2Q[k_i]
    end for
    return Q[0]