A Case Against Currently Used Hash Functions in RFID Protocols

Institute for Applied Information Processing and Communications (IAIK), VLSI & Security. A Case Against Currently Used Hash Functions in RFID Protocols. Workshop on RFID Security 2006 (RFIDSec06), July 13-14, 2006, Graz, Austria.


SLIDE 1

Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security 1

TU Graz/Computer Science/IAIK/VLSI/Feldhofer

Martin Feldhofer and Christian Rechberger

IAIK – Graz University of Technology Martin.Feldhofer@iaik.tugraz.at www.iaik.tugraz.at

VLSI

A Case Against Currently Used Hash Functions in RFID Protocols

Workshop on RFID Security 2006 – RFIDSec06 July 13-14, 2006, Graz, Austria

SLIDE 2

Presentation outline

  • Cryptographic primitives in RFID systems
  • Hardware implementation of low-power SHA-256
  • Synthesis and power simulation results
  • Conclusions

SLIDE 3

Motivation

  • High-end security in RFID systems: standardized algorithms
  • Hash functions are conceptually easy: mainly used by RFID protocol designers
  • Implementation costs?
  • Comparison of popular hash functions with AES block cipher in context of RFID tags

SLIDE 4

Building blocks for RFID security

  • Authentication and/or anonymity is required
  • Commonly used cryptographic primitives
      • Hash functions
      • Block ciphers
      • Universal hash functions
      • PRNGs
      • Public key algorithms
      • Some "lightweight" solutions (HB, …)
  • We focus on standardized cryptographic primitives
      • MD4-family (SHA-256, SHA-1, MD5, MD4)
      • AES-128

SLIDE 5

Survey on existing RFID security protocols

| Proposal | Primitive | Authentication | Privacy |
|---|---|---|---|
| Molnar | PRF | No | Yes |
| Avoine | Hash | No | Yes |
| Choi | Hash | Yes | Yes |
| Henrici | Hash | Yes | Yes |
| Ohkubo | Hash | No | Yes |
| Dimitriou | Hash + PRNG | Yes | Yes |
| Lee | Hash + PRNG | Yes | Yes |
| Rhee | Hash + PRNG | Yes | Yes |
| Weis | Hash + PRNG | Yes | Yes |
| Feldhofer | AES + PRNG | Yes | Yes |

SLIDE 6

Design issues for RFID hardware

Not relevant for RFID tags

  • Energy consumption per operation
  • Power consumption per operation

Relevant for RFID tags

  • Power consumption per cycle
  • Mean current consumption must not exceed available energy in capacitor

[Figure labels: RF field, Vdd, IIC, ISupply, VddMIN]

SLIDE 7

Implementation targets

| Target | Value |
|---|---|
| Class of tags | Passive class 2 (HF 13.56 MHz) |
| Clock frequency of crypto module | ~100 kHz |
| Number of clock cycles (latency) | ~50 for immediate answer (0.5ms); use interleaved protocol instead |
| Technology | Standard cells (no dedicated RAM) |
| Available modules | No microcontroller or external memory available |
| Costs | ~5-50 Cent per tag |
| Mean power consumption | < 15 µA @ 1.5V |
| Hardware resources | < 1,000 - 10,000 GEs |
| Data rate of protocol | 26 kbps |

SLIDE 8

Outline of SHA-256

[Figure: block diagram. Labels: message m (16 words), message expansion, expanded message w (64 words), IVs, state update (64 steps), output o (8 words)]

SLIDE 9

Outline of SHA-256 – Message expansion

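$$
W_t = \begin{cases}
M_t & \text{for } 0 \le t \le 15 \\
\sigma_1(W_{t-2}) + W_{t-7} + \sigma_0(W_{t-15}) + W_{t-16} & \text{for } 16 \le t \le 63
\end{cases}
$$

$$\sigma_0(x) = \mathrm{ROTR}^{7}(x) \oplus \mathrm{ROTR}^{18}(x) \oplus \mathrm{SHR}^{3}(x)$$

$$\sigma_1(x) = \mathrm{ROTR}^{17}(x) \oplus \mathrm{ROTR}^{19}(x) \oplus \mathrm{SHR}^{10}(x)$$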

SLIDE 10

Outline of SHA-256 – State update

[Figure: state update. Labels: H(i) or IV (64 bits); registers A0 … H0; step transformation; A1 … H1; (61 identical steps); A62 … H62; step transformation; A63 … H63; H(i+1) (64 bits); message m (16x32-bit)]

SLIDE 11

Outline of SHA-256 – Step transformation

SLIDE 12

Secure RFID tag architecture

[Figure: block diagram; label: Controller]

SLIDE 13

Architecture of low-power SHA-256

[Figure: block diagram; label: Controller]

SLIDE 14

Chip area [in gate equivalents]

| Component | Area [GEs] | Share |
|---|---|---|
| RAM | 8292 | 76% |
| Register T1/T2 | 394 | 4% |
| Constants | 612 | 6% |
| Controller | 364 | 3% |
| Adder | 156 | 1% |
| Sigma | 643 | 6% |
| Others | 407 | 4% |

Total chip area: 10,868 GEs

1024 bits memory: 8292 GEs !!!

SLIDE 15

Power consumption [in µA @ 100 kHz; 3.3V]

| Component | Current [µA] | Share |
|---|---|---|
| RAM | 7.73 | 49% |
| Others | 1.54 | 10% |
| Register T1/T2 | 1.6 | 10% |
| Constants | 0.18 | 1% |
| Controller | 1.1 | 7% |
| Adder | 2.74 | 17% |
| Sigma | 0.98 | 6% |

Mean current consumption: 15.87 µA

SLIDE 16

Comparison of chip area and power consumption

| Component | Area distribution [GEs] | Area share | Power consumption distribution [µA] | Power share |
|---|---|---|---|---|
| RAM | 8292 | 76% | 7.73 | 49% |
| Register T1/T2 | 394 | 4% | 1.6 | 10% |
| Constants | 612 | 6% | 0.18 | 1% |
| Controller | 364 | 3% | 1.1 | 7% |
| Adder | 156 | 1% | 2.74 | 17% |
| Sigma | 643 | 6% | 0.98 | 6% |
| Others | 407 | 4% | 1.54 | 10% |

SLIDE 17

Comparison of SHA-256, SHA1, MD5, MD4 and AES – Chip area

[Figure: bar chart. Chip area in gate equivalents [GEs] for SHA-256, SHA-1, MD5, MD4 and AES]

SLIDE 18

Comparison of SHA-256, SHA1, MD4, MD5 and AES – Mean current consumption

[Figure: bar chart. Current consumption [µA @ 100 kHz] for SHA-256, SHA-1, MD5, MD4 and AES]

3.3V !!!

SLIDE 19

Implications of this work

Two dominating factors decide on the suitability of a symmetric primitive for RFID tags

  • The required number of registers (state variables, chaining variables and message words)
      • SHA-256 (1024 bits) vs. AES (256 bits)
  • The underlying word size of the used primitive
      • How many flip flops have to be clocked at the same time
      • SHA-256 (32 bits) vs. AES (8 bits)

Input for future design of cryptographic primitives
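Added example (not from the slides): SHA-256 with the message expansion from slide 9 computed on the fly in a 16-word window, which makes the register count above concrete. The function names and the 512 + 256 + 256 bit split in `register_bits` are this example's assumptions; the slides state only the 1024-bit total.

```python
import hashlib
from math import isqrt

MASK = 0xFFFFFFFF
PRIMES = [p for p in range(2, 312) if all(p % q for q in range(2, p))]  # first 64 primes

def icbrt(n):  # exact integer cube root by bisection
    lo, hi = 0, 1 << 36
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

# FIPS 180-4 constants: first 32 fractional bits of the cube/square roots of the primes.
K = [icbrt(p << 96) & MASK for p in PRIMES]
IV = [isqrt(p << 64) & MASK for p in PRIMES[:8]]

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sigma0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)
def sigma1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)

def compress(H, block):
    W = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)]  # 16 words only
    a, b, c, d, e, f, g, h = H
    for t in range(64):
        if t >= 16:  # expansion on the fly: W_t overwrites W_{t-16} in the same slot
            W[t % 16] = (sigma1(W[(t - 2) % 16]) + W[(t - 7) % 16]
                         + sigma0(W[(t - 15) % 16]) + W[t % 16]) & MASK
        t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g))
              + K[t] + W[t % 16]) & MASK
        t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(H, (a, b, c, d, e, f, g, h))]

def sha256_16word(msg):
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + (8 * len(msg)).to_bytes(8, "big")
    H = IV
    for i in range(0, len(padded), 64):
        H = compress(H, padded[i:i + 64])
    return b"".join(x.to_bytes(4, "big") for x in H)

def register_bits():
    # Assumed accounting: 16 message words, 8 state words, 8 chaining words of 32 bits.
    return {"message words": 16 * 32, "state variables": 8 * 32, "chaining variables": 8 * 32}

if __name__ == "__main__":
    print(sha256_16word(b"abc") == hashlib.sha256(b"abc").digest(), sum(register_bits().values()))
```

The 16-word window is the smallest storage the expansion allows, because each new word depends on the word 16 positions back.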

SLIDE 20

Comparison with parallel work

Kaps et al. state that SHA-1 is more energy-efficient than AES

  • Stated chip area: 4276 GEs
  • This seems to contradict our conclusions

But:

  • 1. Low energy consumption is not a main concern in RFID tag design
  • 2. Necessary external memory for message expansion is not available on RFID tags (requires additional 3722 GEs)

SLIDE 21

Conclusions

  • We analyzed implementations of commonly used cryptographic primitives for RFID tags
  • Comparison of SHA-256 with AES-128 because of same level of security
  • AES-128 requires less chip area
  • AES-128 has less mean power consumption
  • Even older MD4-family hash functions (SHA-1, MD5, MD4) do not change conclusion