an ecdsa processor for rfid authentication
play

An ECDSA Processor for RFID Authentication Michael Hutter, Martin - PowerPoint PPT Presentation

Apr 18, 2023 •931 likes •1.12k views

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security An ECDSA Processor for RFID Authentication Michael Hutter, Martin Feldhofer, and Thomas Plos Workshop on RFID Security 2010 07. - 09.06.2010,

  1. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security An ECDSA Processor for RFID Authentication Michael Hutter, Martin Feldhofer, and Thomas Plos Workshop on RFID Security 2010 07. - 09.06.2010, Istanbul, Turkey Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology TU Graz/Computer Science/IAIK/VLSI Michael Hutter 1

  2. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Outline  Motivation  Implementation Requirements  The ECDSA Processor  The System Architecture  Memory Unit and Datapath  Microcontroller  Instruction Set Extensions for ECDSA  Synthesis Results  Conclusion TU Graz/Computer Science/IAIK/VLSI Michael Hutter 2

  3. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Motivation  RFID is one key enabler for the “Internet of Things”  Intelligent “smart things/tags” extend the Internet  Tags are already integrated into many products  There are still open issues in realizing a “secure Internet of things” TU Graz/Computer Science/IAIK/VLSI Michael Hutter 3

  4. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Requirements  Digital-signature service  To provide a transferable proof of origin  Message authentication, non-repudiation, data integrity  Asymmetric cryptography  Large scale deployment  Integration in open-loop systems (Internet)  Standardized algorithms  ECDSA has been tested/proved over many years  Existing PKI (X.509 certificates using ECDSA)  Strong authentication  Challenge-response protocol (e.g. ISO/IEC 9798-3)  Low-resource HW design TU Graz/Computer Science/IAIK/VLSI Michael Hutter 4

  5. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security What we did?  Design of an ECDSA processor for RFID  Based on NIST recommended elliptic curve GF(p192) TU Graz/Computer Science/IAIK/VLSI Michael Hutter 5

  6. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Tag Authentication using ECDSA TU Graz/Computer Science/IAIK/VLSI Michael Hutter 6

  7. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Memory Unit  16-bit dual ported interface  Concurrently read/write from/to two ports  RAM macro (128x16 bit)  ROM  ECC constants (e.g. base point P) IN_A IN_B  EEPROM EEPROM  Stores the private key addr addr  Stores the certificate EEPROM ROM Port A Port B RAM RAM OUT_A OUT_B TU Graz/Computer Science/IAIK/VLSI Michael Hutter 7

  8. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security 16-bit Datapath Port A Port B  16x16-bit multiply 16 16 accumulate (MAC) unit  1 cycle 16-bit operations 1 0 FFFF  Two 40-bit adders bitop logic mul 40 16 16  One 40-bit accumulator 20 16 0 16 16 1 16x16  Feedback of ACCU signal acc mux multiplier  Logic operations for SHA1 20 40 adder1  XOR, AND, OR 40 32  Writing into memory using adder2 two 16-bit values ACC concurrently 40 Port A Port B TU Graz/Computer Science/IAIK/VLSI Michael Hutter 8

  9. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security 8-bit Microcontroller  32 instructions supported reg_in 4 ROM 8 8  Arithmetic operations (ADD, SUB,…) Program counter Register file  Logical operations (OR, AND,…) 16 x 8-bit I/O 12 Address  Control operations (GOTO, CALL,…) Data memory Prog. ROM  Register file and program ROM 600 x 16-bit ECDSA  Instruction decoder, ALU, PCH SHA-1 2 STATUS ACC Counter,… …... Instruction 16 Mux  Two-stage pipeline (fetch and reg_out1 ROM reg_out2 8 8 8 16 execute) Instruction Status  Call-stack support (3 recursive ALU decode unit subroutines possible) ALU out  Self-written Java compiler TU Graz/Computer Science/IAIK/VLSI Michael Hutter 9

  10. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Instruction Set Extensions  55 ISEs for ECDSA and SHA1  Can be executed by the microcontroller by a MICRO instruction  Implemented in 8 ROM tables  Area reduction through different table sizes  Modular arithmetic  Addition: 32 cycles  Subtraction: 38 cycles  Multiplication: 204 cycles  NIST reduction applied (p 192 ≡ 2 192 –2 64 –1)  Montgomery arithmetic  Inversion: 20823 cycles  Multiplication: 785 cycles  SHA1: 3455 cycles TU Graz/Computer Science/IAIK/VLSI Michael Hutter 10

  11. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Improving ECC Point Multiplication  Montgomery Ladder  Use of x-coordinate only formulas (Brier and Joye)  Combined double-and-add (Izu, Möller, and Takagi)  Common-Z coordinate representation (Meloni, Lee)  Total: 12M + 4S + 9add + 7sub  7x192-bit RAM used TU Graz/Computer Science/IAIK/VLSI Michael Hutter 11

  12. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Implementation Attack Countermeasures  SPA  Montgomery Ladder  DPA  Randomized Projective Coordinates (S. Coron)  First-order blinding of the private-key multiplication instead of  Fault Injections  Check of curve equation after point multiplication (Ebeid and Lambert)  Y recovery necessary TU Graz/Computer Science/IAIK/VLSI Michael Hutter 12

  13. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Synthesis Results  Cadence RTL Compiler (0.35 µm CMOS)  Synopsys NanoSim for power simulation  387 µA mean current at 3.3 volt and 847 kHz Chip Area Power Consumption 43,17% RAM MCU 3,08% 23,78% R O M Prog. ROM Datapath 3,52% ISE 15,63% 7,04% 3,74% Clock TU Graz/Computer Science/IAIK/VLSI Michael Hutter 13

  14. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Comparison with Related Work TU Graz/Computer Science/IAIK/VLSI Michael Hutter 14

  15. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Conclusions  Improved the state-of-the-art in designing a low- resource ECC hardware processor  First ECDSA hardware implementation results  Fully capable digital signature generating device  Allows proof of origin to prevent product counterfeiting  Sample implementation  Processor will be integrated in an NFC-compliant HF tag  Fabricated in summer 2010 TU Graz/Computer Science/IAIK/VLSI Michael Hutter 15

  16. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Thanks for your attention! http://www.iaik.tugraz.at/content/research/implementation_attacks/ Michael Hutter IAIK – Graz University of Technology michael.hutter@iaik.tugraz.at www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI Michael Hutter 16

  17. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Montgomery Ladder TU Graz/Computer Science/IAIK/VLSI Michael Hutter 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Designing Low-Cost Untraceable Authentication Protocols for RFID Dave Singele IFIP WG 11.2

Designing Low-Cost Untraceable Authentication Protocols for RFID Dave Singele IFIP WG 11.2

Designing Low-Cost Untraceable Authentication Protocols for RFID Dave Singele IFIP WG 11.2 Seminar Istanbul June 07, 2010 Outline of the talk n Introduction n RFID authentication protocols n Security requirements n Privacy requirements n

344 views • 31 slides
Butterfly: Environment-Independent Physical- Layer Authentication for Passive RFID

Butterfly: Environment-Independent Physical- Layer Authentication for Passive RFID

Butterfly: Environment-Independent Physical- Layer Authentication for Passive RFID Jinsong Han* , Chen Qian^, Yuqin Yang , Ge Wang ^, Han Ding , Xin Li^, Kui Ren* # # * Institute of Cyberspace Research, College of Computer

265 views • 25 slides
Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and

Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and

Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and Iwen COISEL Orange Labs R&D - Caen - France RFIDSec 08 - 10 th July 2008 Outline 1 General Context 2 A synchronization problem 3 A

714 views • 33 slides
RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011, Rennes, France Summary RFID Primer. Examples. Capabilities. Particularities. Authentication in RFID. Theory. Practical

934 views • 64 slides
An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement Gildas Avoine 1 and Aslan Tchamkerten 2 1 Universit e catholique de Louvain, Louvain-la-Neuve, Belgium 2 Telecom ParisTech,

335 views • 31 slides
A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen

A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen

A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim Information and Communications University (ICU), International Research Center for Information Security (IRIS), Auto-ID Lab Korea

273 views • 12 slides
Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

March 2, 2014 Monte Jade's RFID Seminar Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight RFID 4. Current Airport RFID Deployments 5. Atlanta International Airport Activity with IATA RFID

912 views • 35 slides
Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa Lee , and abhi shelat j@ckdoerner.net ykondi@ccs.neu.edu eysa@ccs.neu.edu abhi@neu.edu Northeastern University Traditional Signature

868 views • 57 slides
IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing Tag Oslo, 28 November 2007 IntelliSense RFID Workshop IntelliSense RFID RESEARCH PROJECT FOR TECHNOLOGY DEVELOPMENT WITHIN THE FIELDS OF RFID

788 views • 13 slides
The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio Frequency Identification Modern RFID Applications VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips

628 views • 29 slides
Time Measurement Threatens Privacy-Friendly RFID Authentication Protocols Gildas Avoine 1 , Iwen

Time Measurement Threatens Privacy-Friendly RFID Authentication Protocols Gildas Avoine 1 , Iwen

Time Measurement Threatens Privacy-Friendly RFID Authentication Protocols Gildas Avoine 1 , Iwen Coisel 2 and Tania Martin 1 1: Information Security Group - Universit e Catholique de Louvain 2: Crypto Group - Universit e Catholique de

605 views • 24 slides
Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General model Foundations of security RSA, DSA, ECDSA signatures Zero knowledge (Guillo-Quisquater) One-time signature Special

675 views • 46 slides
RFID Authentication Protocols based on Elliptic Curves A Top-Down Evaluation Survey Michael

RFID Authentication Protocols based on Elliptic Curves A Top-Down Evaluation Survey Michael

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security RFID Authentication Protocols based on Elliptic Curves A Top-Down Evaluation Survey Michael Hutter Institute for Applied Information Processing

426 views • 16 slides
A New Framework for RFID Privacy Robert H. Deng, Yingjiu Li, Moti Yung, Yunlei Zhao ESORICS 2010

A New Framework for RFID Privacy Robert H. Deng, Yingjiu Li, Moti Yung, Yunlei Zhao ESORICS 2010

A New Framework for RFID Privacy Robert H. Deng, Yingjiu Li, Moti Yung, Yunlei Zhao ESORICS 2010 Outline Introduction. Model of RFID Systems. Adaptive Completeness and Mutual Authentication. zk-Privacy: Formulation, Clarifications

456 views • 35 slides
Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA Keegan Ryan NCC Group What is ROHNP? Key extraction attack on DSA and ECDSA Uses an old technique to target a new part of the algorithm

243 views • 23 slides
Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM: Advanced RISC Machine First developed in 1983 by Acorn Computers ARM Ltd was formed in 1988 to continue development Advantages of the ARM

391 views • 14 slides
we have been assuming that the data collections we

we have been assuming that the data collections we

we have been assuming that the data collections we have been manipulating were entirely stored in memory. In practice, this is

1.24k views • 92 slides
FFTs Overview EECS 360 Notes Methods descriptions Hardware Implementations

FFTs Overview EECS 360 Notes Methods descriptions Hardware Implementations

FFTs Overview EECS 360 Notes Methods descriptions Hardware Implementations Direct Implementation Goertzel Re-indexing Chirp-z Rader Fourier Methods Time Domain Frequency Domain Frequency Time Domain Transfer

536 views • 32 slides
Market-leading Hardw are/Softw are Co-Verification Seamless for Field Programmable SoC n FPSoC

Market-leading Hardw are/Softw are Co-Verification Seamless for Field Programmable SoC n FPSoC

Market-leading Hardw are/Softw are Co-Verification Seamless for Field Programmable SoC n FPSoC devices share many of the same challenges of the SoC and Board methodologies they will replace: Hardware & Software - must be developed and

374 views • 19 slides
edet: Depfet Movie Chip (DMC) Status 20th International Workshop on DEPFET Detectors and

edet: Depfet Movie Chip (DMC) Status 20th International Workshop on DEPFET Detectors and

edet: Depfet Movie Chip (DMC) Status 20th International Workshop on DEPFET Detectors and Applications 11.-14.05.2014 Kloster Seeon Andreas Wassatsch, MPG HLL DMC keypoints Capturing up to 100 full pictures ( 512x64x100x8bit = 26Mbit)

140 views • 10 slides
THREAD LEVEL PARALLELISM Mahdi Nazm Bojnordi Assistant Professor School of Computing University

THREAD LEVEL PARALLELISM Mahdi Nazm Bojnordi Assistant Professor School of Computing University

THREAD LEVEL PARALLELISM Mahdi Nazm Bojnordi Assistant Professor School of Computing University of Utah CS/ECE 6810: Computer Architecture Overview Announcement Homework 6 is due on Apr. 18 th This lecture Thread level parallelism

432 views • 18 slides
CHEP 2010 How to harness the performance potential How to harness the performance potential of

CHEP 2010 How to harness the performance potential How to harness the performance potential of

CHEP 2010 How to harness the performance potential How to harness the performance potential of current Multi-Core CPUs and GPUs Sverre Jarp CERN openlab IT Dept. CERN CERN Taipei, Monday 18 October 2010 CHEP 2010, Taipei Contents

551 views • 42 slides
Page Fault Liberation Army Its turtles Turing machines all the way down! Julian Bangert,

Page Fault Liberation Army Its turtles Turing machines all the way down! Julian Bangert,

Page Fault Liberation Army Its turtles Turing machines all the way down! Julian Bangert, Sergey Bratus, Rebecca .bx Shapiro Trust Lab Dartmouth College Sunday, February 17, 13 Page Fault Liberation l The x86 MMU is not just

760 views • 75 slides
ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen

ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen

ss 6 Cl Class CSC 472/583 Software Security Return-oriented programming (ROP) Dr. Si Chen (schen@wcupa.edu) Compile the code gcc -m32 fno-stack-protector z execstack o ./overflow2 ./overflow2.c Page 2 No eXecute (NX) -z

636 views • 37 slides

More recommend