ecc is ready for rfid a proof in silicon
play

ECC is Ready for RFID A Proof in Silicon RFIDsec 08 Presentation - PowerPoint PPT Presentation

Institut f r Integrierte Systeme Integrated Systems Laboratory ECC is Ready for RFID A Proof in Silicon RFIDsec 08 Presentation Daniel Hein, daniel.hein@gmx.at Johannes Wolkerstorfer, Johannes.Wolkerstorfer@iaik.tugraz.at Norbert


  1. Institut f ü r Integrierte Systeme Integrated Systems Laboratory ECC is Ready for RFID – A Proof in Silicon RFIDsec 08 Presentation Daniel Hein, daniel.hein@gmx.at Johannes Wolkerstorfer, Johannes.Wolkerstorfer@iaik.tugraz.at Norbert Felber, felber@iis.ee.ethz.ch Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 1

  2. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Outline I Radio Frequency Identification (RFID) – Product piracy – Authentication Elliptic Curve Cryptography (ECC) – Montgomery point multiplication – Binary extension field arithmetic ECCon processor architecture – RFID front-end – ECC processor • Small datapath Approach • Specialized ALU Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 2

  3. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Outline II Digit level algorithms – Multiplication – Reduction – Multiplication with interleaved reduction Results – Timing, Area, Power – Comparison with related work Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 3

  4. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Radio Frequency Identification Rapid automated item identification Barcode replacement Computer X-ray vision – No line of sight – No optical scanning RFID Tag – Antennae + IC – Powered by EM field Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 4

  5. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Product Piracy Causes considerable economic damage Counterfeits inserted in legitimate supply chain RFID tags – Alleviate problem – Easy to clone Cryptography – Authentication Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 5

  6. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Elliptic Curve Cryptography I Public-key cryptography – Short key => Small hardware footprint Authentication with digital signature – ECDSA Security depends on point multiplication Point multiplication – scalar • point on elliptic curve – Non-invertible Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 6

  7. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Elliptic Curve Cryptography II Point multiplication – Point addition – Point doubling – Montgomery point ladder algorithm Side channel attack resistance – Timing based attacks: MPLA – Simple power analyses attacks: MPLA – Differential power analyses attacks: ECDSA Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 7

  8. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Binary Extension Field Arithmetic Elliptic Curve defined on finite field Finite Fields – Fixed size elements Binary extension field – Elements = binary polynomials – Addition = XOR Required Operations – Addition – Multiplication – Reduction Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 8

  9. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Prerequisites of an RFID application Small die area – 15000 gate equivalents Minuscule power consumption – 15μA available mean current Constant power consumption – “Accidental” load modulation Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 9

  10. Institut f ü r Integrierte Systeme Integrated Systems Laboratory ECCon Top Level Architecture RFID front end – ISO-18000-3-1 compliant – Air Interface • Power supply • Clock generation • Signal modulation – RART • Receive: bit stream to byte • Send: byte to bit stream – RFID Control Unit (RCU) • Communication protocol • Manages ECC processor Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 10

  11. Institut f ü r Integrierte Systeme Integrated Systems Laboratory ECC Processor Architecture I Implements point multiplication – Fixed 163 bit NIST curve Supports two modes – RFID – Stand alone Interface – two-phase full handshake – 8 bit wide Control unit – hardwired FSM hierarchy Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 11

  12. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Low Power, Small Area ALU Architectures Bit-serial multiplier 163x6 RAM C – current state of the art o n I t – 2x163 = 326 bits ALU storage O r o • Lion's share of power used for l 163x1 Multiplier clocking the storage 16-bit datapath 64x16 – Used for ISE [GK03a] C RAM o – Conceptually 48-bit ALU storage n I t O • More power for computation r o 16x16 – Total power consumption smaller l Mult. – Requires digit based algorithms Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 12

  13. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Arithmetic Logic Unit 16x16 GF(2) multiplier 2 Register input selection units 2 16-bit adders (XOR) Registers – 32-bit accumulator – interleaved reduction • 15-bit MC • 13-bit RC – clock gated Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 13

  14. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Word Size Selection 12 A*C*P A*C*P 2 10 A*C 2 *P A*C 2 *P 2 8 6 4 2 0 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Bit-width Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 14

  15. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Comba Multiplication Two possible digit ✳ B[2] B[1] B[0] A[2] A[1] A[0] multiplication algorithms – Operand scanning form B[0]A[0] – Product scanning form B[0]A[1] B[1]A[0] Product Scanning Form B[1]A[1] – A.k.a Comba Multiplication B[0]A[2] – Computes result one result B[2]A[0] digit at the time B[2]A[1] – Optimal operand order B[1]A[2] minimizes memory access B[2]A[2] P[5] P[4] P[3] P[2] P[1] P[0] Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 15

  16. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Modular Reduction in GF(2 163 ) Multiplication of 2 163-bit elements produces a 325-bit result: a(z)*b(z)=c(z); deg(c(z))=325 Common residue: c(z) ≡ c(z) (mod f(z)) – f(z) = z 163 +z 7 +z 6 +z 3 +1... irreducible polynomial The common residue is limited in size to 163 bits The common residue is the remainder of a long division by f(z) Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 16

  17. Institut f ü r Integrierte Systeme Integrated Systems Laboratory An Alternate Reduction Method c H0 c L0 324 163 162 0 ⊕ c H1 c L1 c 1 =c H0 *r 168 163 162 0 ⊕ c L2 c 2 =c H1 *r 12 0 c =c L0 +c L1 +c L2 c 162 0 c(z)=c 2m-2 z 2m-2 +...+c m z m +c m-1 z m-1 +...+c 1 z+c 0 ≡ (c 2m-2 z m-2 +...+c m )r(z)+c m-1 z m-1 +...+c 1 z+c 0 (mod f(z)), where the reduction polynomial r(z)=f(z)-z 163 =z 7 +z 6 +z 3 +1 Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 17

  18. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Interleaved Reduction Step I C[10] ACC H ACC L C L0 [10] C[10] Carry C H0 [0] L 175 163 162 160 MC RC empty empty Computation of the first 10 digits of the product 11 th digit (C[10]) exceeds 163 bit limit – Stored in ACC L – ACC H contains multiplication carry for 12 th digit C[11] C[10] contains the first 13 bits of C H0 – Saved to Reduction Carry register RC Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 18

  19. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Interleaved Reduction Step II C[11] ACC H ACC L C[11] Carry C H0 [1] L C H0 [0] H 191 179 178 176 C H0 [0] L MC empty RC ACC H ACC L C[11] Carry C H0 [0] 178 163 C[11] Carry C H0 [1] L MC RC Upon computation of 12 th digit (C[11]) – Last 3 bits of C H0 [0] become available – C H0 [0] is restored in ACC L , lower 13 bit of C H0 [0] saved to RC – Multiplication carry is saved to Multiplication Carry register MC Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 19

  20. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Interleaved Reduction Step III ACC H ACC L (C H0 [0] *r(z)) H (C H0 [0] *r(z)) L 15 0 C[11] Carry C H0 [1] L MC RC Multiplication of 1 st digit of C H0 (C H0 [0]) with r(z) produces 1 st digit of C 1 (C L1 [0]) Addition of C L1 [0] to C L0 [0], Sum stored to result memory Exchange of reduction multiplication carry and nominal multiplication carry Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 20

  21. Institut f ü r Integrierte Systeme Integrated Systems Laboratory Interleaved Reduction Step IV C[12] ACC H ACC L C[12] Carry C H0 [2] L C H0 [1] H 207 195 194 192 (C H0 [0] *r(z)) H C H0 [1] L MC RC The next digit of the product (C[12]) is computed – Requires several MAC operations Interleaved reduction steps I to IV repeat until all digits of C 1 are processed Process is repeated for C 2 – Single multiplication and addition Daniel Hein Budapest, 10.07.2008 ECC is Ready for RFID – A Proof in Silicon 21

Recommend


More recommend