an ecdsa processor for rfid authentication
play

An ECDSA Processor for RFID Authentication Michael Hutter, Martin - PowerPoint PPT Presentation

Apr 18, 2023 •931 likes •1.12k views

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security An ECDSA Processor for RFID Authentication Michael Hutter, Martin Feldhofer, and Thomas Plos Workshop on RFID Security 2010 07. - 09.06.2010,

  1. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security An ECDSA Processor for RFID Authentication Michael Hutter, Martin Feldhofer, and Thomas Plos Workshop on RFID Security 2010 07. - 09.06.2010, Istanbul, Turkey Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology TU Graz/Computer Science/IAIK/VLSI Michael Hutter 1

  2. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Outline  Motivation  Implementation Requirements  The ECDSA Processor  The System Architecture  Memory Unit and Datapath  Microcontroller  Instruction Set Extensions for ECDSA  Synthesis Results  Conclusion TU Graz/Computer Science/IAIK/VLSI Michael Hutter 2

  3. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Motivation  RFID is one key enabler for the “Internet of Things”  Intelligent “smart things/tags” extend the Internet  Tags are already integrated into many products  There are still open issues in realizing a “secure Internet of things” TU Graz/Computer Science/IAIK/VLSI Michael Hutter 3

  4. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Requirements  Digital-signature service  To provide a transferable proof of origin  Message authentication, non-repudiation, data integrity  Asymmetric cryptography  Large scale deployment  Integration in open-loop systems (Internet)  Standardized algorithms  ECDSA has been tested/proved over many years  Existing PKI (X.509 certificates using ECDSA)  Strong authentication  Challenge-response protocol (e.g. ISO/IEC 9798-3)  Low-resource HW design TU Graz/Computer Science/IAIK/VLSI Michael Hutter 4

  5. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security What we did?  Design of an ECDSA processor for RFID  Based on NIST recommended elliptic curve GF(p192) TU Graz/Computer Science/IAIK/VLSI Michael Hutter 5

  6. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Tag Authentication using ECDSA TU Graz/Computer Science/IAIK/VLSI Michael Hutter 6

  7. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Memory Unit  16-bit dual ported interface  Concurrently read/write from/to two ports  RAM macro (128x16 bit)  ROM  ECC constants (e.g. base point P) IN_A IN_B  EEPROM EEPROM  Stores the private key addr addr  Stores the certificate EEPROM ROM Port A Port B RAM RAM OUT_A OUT_B TU Graz/Computer Science/IAIK/VLSI Michael Hutter 7

  8. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security 16-bit Datapath Port A Port B  16x16-bit multiply 16 16 accumulate (MAC) unit  1 cycle 16-bit operations 1 0 FFFF  Two 40-bit adders bitop logic mul 40 16 16  One 40-bit accumulator 20 16 0 16 16 1 16x16  Feedback of ACCU signal acc mux multiplier  Logic operations for SHA1 20 40 adder1  XOR, AND, OR 40 32  Writing into memory using adder2 two 16-bit values ACC concurrently 40 Port A Port B TU Graz/Computer Science/IAIK/VLSI Michael Hutter 8

  9. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security 8-bit Microcontroller  32 instructions supported reg_in 4 ROM 8 8  Arithmetic operations (ADD, SUB,…) Program counter Register file  Logical operations (OR, AND,…) 16 x 8-bit I/O 12 Address  Control operations (GOTO, CALL,…) Data memory Prog. ROM  Register file and program ROM 600 x 16-bit ECDSA  Instruction decoder, ALU, PCH SHA-1 2 STATUS ACC Counter,… …... Instruction 16 Mux  Two-stage pipeline (fetch and reg_out1 ROM reg_out2 8 8 8 16 execute) Instruction Status  Call-stack support (3 recursive ALU decode unit subroutines possible) ALU out  Self-written Java compiler TU Graz/Computer Science/IAIK/VLSI Michael Hutter 9

  10. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Instruction Set Extensions  55 ISEs for ECDSA and SHA1  Can be executed by the microcontroller by a MICRO instruction  Implemented in 8 ROM tables  Area reduction through different table sizes  Modular arithmetic  Addition: 32 cycles  Subtraction: 38 cycles  Multiplication: 204 cycles  NIST reduction applied (p 192 ≡ 2 192 –2 64 –1)  Montgomery arithmetic  Inversion: 20823 cycles  Multiplication: 785 cycles  SHA1: 3455 cycles TU Graz/Computer Science/IAIK/VLSI Michael Hutter 10

  11. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Improving ECC Point Multiplication  Montgomery Ladder  Use of x-coordinate only formulas (Brier and Joye)  Combined double-and-add (Izu, Möller, and Takagi)  Common-Z coordinate representation (Meloni, Lee)  Total: 12M + 4S + 9add + 7sub  7x192-bit RAM used TU Graz/Computer Science/IAIK/VLSI Michael Hutter 11

  12. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Implementation Attack Countermeasures  SPA  Montgomery Ladder  DPA  Randomized Projective Coordinates (S. Coron)  First-order blinding of the private-key multiplication instead of  Fault Injections  Check of curve equation after point multiplication (Ebeid and Lambert)  Y recovery necessary TU Graz/Computer Science/IAIK/VLSI Michael Hutter 12

  13. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Synthesis Results  Cadence RTL Compiler (0.35 µm CMOS)  Synopsys NanoSim for power simulation  387 µA mean current at 3.3 volt and 847 kHz Chip Area Power Consumption 43,17% RAM MCU 3,08% 23,78% R O M Prog. ROM Datapath 3,52% ISE 15,63% 7,04% 3,74% Clock TU Graz/Computer Science/IAIK/VLSI Michael Hutter 13

  14. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Comparison with Related Work TU Graz/Computer Science/IAIK/VLSI Michael Hutter 14

  15. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Conclusions  Improved the state-of-the-art in designing a low- resource ECC hardware processor  First ECDSA hardware implementation results  Fully capable digital signature generating device  Allows proof of origin to prevent product counterfeiting  Sample implementation  Processor will be integrated in an NFC-compliant HF tag  Fabricated in summer 2010 TU Graz/Computer Science/IAIK/VLSI Michael Hutter 15

  16. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Thanks for your attention! http://www.iaik.tugraz.at/content/research/implementation_attacks/ Michael Hutter IAIK – Graz University of Technology michael.hutter@iaik.tugraz.at www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI Michael Hutter 16

  17. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Montgomery Ladder TU Graz/Computer Science/IAIK/VLSI Michael Hutter 17

Recommend

Designing Low-Cost Untraceable Authentication Protocols for RFID Dave Singele IFIP WG 11.2

Designing Low-Cost Untraceable Authentication Protocols for RFID Dave Singele IFIP WG 11.2

Designing Low-Cost Untraceable Authentication Protocols for RFID Dave Singele IFIP WG 11.2 Seminar Istanbul June 07, 2010 Outline of the talk n Introduction n RFID authentication protocols n Security requirements n Privacy requirements n

344 views • 31 slides
Butterfly: Environment-Independent Physical- Layer Authentication for Passive RFID

Butterfly: Environment-Independent Physical- Layer Authentication for Passive RFID

Butterfly: Environment-Independent Physical- Layer Authentication for Passive RFID Jinsong Han* , Chen Qian^, Yuqin Yang , Ge Wang ^, Han Ding , Xin Li^, Kui Ren* # # * Institute of Cyberspace Research, College of Computer

265 views • 25 slides
Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and

Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and

Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and Iwen COISEL Orange Labs R&D - Caen - France RFIDSec 08 - 10 th July 2008 Outline 1 General Context 2 A synchronization problem 3 A

714 views • 33 slides
RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011, Rennes, France Summary RFID Primer. Examples. Capabilities. Particularities. Authentication in RFID. Theory. Practical

934 views • 64 slides
An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement Gildas Avoine 1 and Aslan Tchamkerten 2 1 Universit e catholique de Louvain, Louvain-la-Neuve, Belgium 2 Telecom ParisTech,

335 views • 31 slides
A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen

A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen

A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim Information and Communications University (ICU), International Research Center for Information Security (IRIS), Auto-ID Lab Korea

273 views • 12 slides
Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

March 2, 2014 Monte Jade's RFID Seminar Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight RFID 4. Current Airport RFID Deployments 5. Atlanta International Airport Activity with IATA RFID

912 views • 35 slides
Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa Lee , and abhi shelat j@ckdoerner.net ykondi@ccs.neu.edu eysa@ccs.neu.edu abhi@neu.edu Northeastern University Traditional Signature

868 views • 57 slides
IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing Tag Oslo, 28 November 2007 IntelliSense RFID Workshop IntelliSense RFID RESEARCH PROJECT FOR TECHNOLOGY DEVELOPMENT WITHIN THE FIELDS OF RFID

788 views • 13 slides
The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio Frequency Identification Modern RFID Applications VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips

628 views • 29 slides
Time Measurement Threatens Privacy-Friendly RFID Authentication Protocols Gildas Avoine 1 , Iwen

Time Measurement Threatens Privacy-Friendly RFID Authentication Protocols Gildas Avoine 1 , Iwen

Time Measurement Threatens Privacy-Friendly RFID Authentication Protocols Gildas Avoine 1 , Iwen Coisel 2 and Tania Martin 1 1: Information Security Group - Universit e Catholique de Louvain 2: Crypto Group - Universit e Catholique de

605 views • 24 slides
Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General model Foundations of security RSA, DSA, ECDSA signatures Zero knowledge (Guillo-Quisquater) One-time signature Special

675 views • 46 slides
RFID Authentication Protocols based on Elliptic Curves A Top-Down Evaluation Survey Michael

RFID Authentication Protocols based on Elliptic Curves A Top-Down Evaluation Survey Michael

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security RFID Authentication Protocols based on Elliptic Curves A Top-Down Evaluation Survey Michael Hutter Institute for Applied Information Processing

426 views • 16 slides
A New Framework for RFID Privacy Robert H. Deng, Yingjiu Li, Moti Yung, Yunlei Zhao ESORICS 2010

A New Framework for RFID Privacy Robert H. Deng, Yingjiu Li, Moti Yung, Yunlei Zhao ESORICS 2010

A New Framework for RFID Privacy Robert H. Deng, Yingjiu Li, Moti Yung, Yunlei Zhao ESORICS 2010 Outline Introduction. Model of RFID Systems. Adaptive Completeness and Mutual Authentication. zk-Privacy: Formulation, Clarifications

456 views • 35 slides
Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA Keegan Ryan NCC Group What is ROHNP? Key extraction attack on DSA and ECDSA Uses an old technique to target a new part of the algorithm

243 views • 23 slides
Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM: Advanced RISC Machine First developed in 1983 by Acorn Computers ARM Ltd was formed in 1988 to continue development Advantages of the ARM

391 views • 14 slides
TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown & Blaine McDonnell Using RFID for Model Railroad Operations What is RFID? How does RFID Work? RFID Frequencies and Type of Tags

853 views • 25 slides
A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work with R emi Piau and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Africacrypt 2020 Cairo, Egypt 1/32 How to attack ECDSA

646 views • 32 slides
DEVELOPMENT OF AN RFID SYSTEM FOR SPS-ALPHA 1 OBJECTIVES RFID Implementation: SPS-ALPHA

DEVELOPMENT OF AN RFID SYSTEM FOR SPS-ALPHA 1 OBJECTIVES RFID Implementation: SPS-ALPHA

DEVELOPMENT OF AN RFID SYSTEM FOR SPS-ALPHA 1 OBJECTIVES RFID Implementation: SPS-ALPHA Structure RFID Technology Applications in SPS-ALPHA architecture Part Identification Location Referencing 2 Why Space Solar No

241 views • 22 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016 ECDSA Elliptic Curve Cryptography allows for the construction of strong public/private key pairs with key lengths that are far shorter than

416 views • 27 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
RFID from Farm to Fork Piero Filippin p.filippin@wlv.ac.uk RFID from Farm to Fork Funded by

RFID from Farm to Fork Piero Filippin p.filippin@wlv.ac.uk RFID from Farm to Fork Funded by

RFID - From Farm to Fork Strengthening SME competitive advantage through RFID implementation RFID from Farm to Fork Piero Filippin p.filippin@wlv.ac.uk RFID from Farm to Fork Funded by the EU as part of the Competitiveness and Innovation

356 views • 9 slides

More recommend