lightweight cryptography and and rfid security
play

Lightweight Cryptography and and RFID Security Svetla Nikova - PowerPoint PPT Presentation

Nov 05, 2022 •195 likes •599 views

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and UTwente d UT t Overview Lightweight cryptography - state of the art Comparison Standard vs. Lightweight Comparison Standard vs. Lightweight

  1. Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and UTwente d UT t

  2. Overview • Lightweight cryptography - state of the art • Comparison Standard vs. Lightweight Comparison Standard vs. Lightweight • SCA countermeasures - TI approach • TI implementations • Area, Power or Throughput? • Conclusions

  3. Lightweight Crypto Stream ciphers (3): only the eStream finalists: 2005 Grain, Trivium, Mickey

  4. Lightweight Crypto Stream ciphers (3): only the eStream finalists: 2005 Grain, Trivium, Mickey Bl Block ciphers (25): k i h (25) 1977 DES, 1989 GOST 1997 XTEA 1998 AES 2005 mCrypton, STEA 2006 Hight, SEA 2007 Clefia Kasumi DESL DESXL Present 2007 Clefia, Kasumi, DESL, DESXL, Present 2008 Puffin 2009 Katan, Ktantan, Hummingbird, MIBS 2010 PRINT 2011 Klein, LED, Twine, EPCBC, Vitamin-B, Piccolo

  5. Lightweight Crypto Stream ciphers (3): only the eStream finalists: 2005 Grain, Trivium, Mickey Bl Block ciphers (25): k i h (25) 1977 DES, 1989 GOST 1997 XTEA 1998 AES 2005 mCrypton, STEA 2006 Hight, SEA 2007 Clefia Kasumi DESL DESXL Present 2007 Clefia, Kasumi, DESL, DESXL, Present 2008 Puffin 2009 Katan, Ktantan, Hummingbird, MIBS 2010 PRINT 2011 Klein, LED, Twine, EPCBC, Vitamin-B, Piccolo Hash functions (10): 2007 MAME 2008 Squash DM Present H Present Keccak 2008 Squash, DM-Present, H-Present, Keccak 2010 Quark, Armadilo 2011 Spongent, Vitamin-H, Photon

  6. Overview • Lightweight crypto - state of the art • Comparison Standard vs. Lightweight Comparison Standard vs. Lightweight • SCA countermeasures - TI approach • TI implementations • Area, Power or Throughput? • Conclusions

  7. Standard vs. Lightweight Modules AES ‐ T Present AES-T (TUG) 2005 0.35 µm CMOS Technology of Philips Memory 2040 887 100kHz @1.5V Encryption + Decryption 100kHz @1 5V Encryption + Decryption [GE] Present (RUB/DTU/ORANGE) 2007 Mix Column 306 0 UMC L180 0.18 μ m 1P6M 100 kHz @1.8V [GE] Encryption only S ‐ box 408 32 Difficult to compare: [GE] • Different technology – GE differs • Power depends even more on the FSM + Rest 646 192 [GE] [GE] technology used. • Here 0.35 µm vs. 0.18 μ m is a big technology difference! Total Area 3400 1111 • Cycles do not depend on technology C l d t d d t h l [GE] • But AES=128 while Present=64 bits Cycles 1000 547 • Some implementations - encryption only others include decryption too only others include decryption too. Power 3.0 1.34 • Including decryption in AES adds [ μ A] cost in MixColumn and FSM.

  8. Standard (hits back) vs. Lightweight Modules AES ‐ T AES ‐ B Present Memory 2040 1678 887 AES T AES-T [GE] 0.35 µm CMOS Mix Column 306 373 0 Technology of Philips [GE] 100kHz @1.5V S ‐ box 408 233 32 Encryption + Decryption [GE] Present and AES-B FSM + Rest 646 317 192 UMC L180 0 18 μ m 1P6M UMC L180 0.18 μ m 1P6M [GE] [GE] 100 kHz @1.8V Encryption only Total Area 3400 2601 1111 Fair comparison is now F i i i [GE] possible. Cycles 1000 226 547 Power 3.0 3.7 1.34 [ μ A]

  9. Standard (hits back) vs. Lightweight Standard designs hit back AES-B (RUB/NTU) 2011

  10. Standard (hits back) vs. Lightweight • Memory becomes smaller Modules AES ‐ T AES ‐ B Present in GE due to technology Memory 2040 1678 887 change change. [GE] • MixColumns become Mix Column 306 373 0 bigger but this is the [GE] trade-off in order to trade off in order to S ‐ box 408 233 32 gain more in the FSM. [GE] • Canright’s S-box is used FSM + Rest 646 317 192 which is smaller, but not [GE] [GE] as much as indicated (again because of the technology change). Total Area 3400 2601 1111 • It is difficult to compare I i diffi l [GE] the FSM since AES-T Cycles 1000 226 547 contains also the decryption still AES B decryption, still AES-B Power 3.0 3.7 1.34 state machine is smaller. [ μ A]

  11. Standard vs. Lightweight (updated) Smaller key and block size Modules AES ‐ B Present • 128 bit - too much Memory 1678 887 • 80 bit key and 64 bit data – ok y [GE] • 32, 48 bit data might be acceptable? Mix Column 373 0 128 + 128 100 % [GE] 80 + 64 80 + 64 56 25 % 56.25 % S ‐ box 233 32 [GE] 80 + 48 50 % FSM + Rest 317 192 80 + 32 43.75 % [GE] [GE] • Memory • 65% for AES-B Total Area 2601 1111 • 80% for Present • 80% for Present [GE] Cycles 226 547 Power 3.7 1.34 [ μ A]

  12. Standard vs. Lightweight (updated) • P-layer costs 0 for Present. Modules AES ‐ B Present • Simple FSM can save a lot. Memory 1678 887 [GE] • 8x8 S-box costs ~300 GE or Mix Column 373 0 at least 200. [GE] • While an 4x4 S-box costs ~ 50 GE or at least 30. S ‐ box 233 32 [GE] • Saving of 6 to 7 times in the S-box. FSM + Rest 317 192 • Weaker S-box and P-layer W k S b d P l [GE] [GE] compensated by a larger number of rounds - 31 vs. 10. Total Area 2601 1111 [GE] Cycles 226 547 Power 3.7 1.34 [ μ A]

  13. Standard vs. Lightweight (updated) Still the lightweight cipher is more than twice smaller. And also the power consumption is ~ 3 times less. p p

  14. Overview • Lightweight crypto - state of the art • Comparison Standard vs. Lightweight Comparison Standard vs. Lightweight • SCA countermeasures - TI approach • TI implementations • Area, Power or Throughput? • Conclusions

  15. Side-Channel Attacks Device executing the cryptographic algorithm leaks information on internal state Instantaneous leakage depends on intermediate variables, which results in equations ti That have lower nonlinearity That may contain noise Power consumption depends on:  Instructions executed  Data processed Signal is noisy; multiple measurements needed d d

  16. SCA countermeasures at different levels Hardware logic style Hardware logic style Relieves cryptographers Places burden on hardware designers Algorithms and implementations Algorithms and implementations Probably lowest feasible level Ciphers and Protocols Ciphers and Protocols New standards, takes time

  17. Lightweight SCA protection Simple masking are vulnerable due to glitches. Private circuits [Ishai et al ] Private circuits [Ishai et.al.] – too expensive, not realistic model. too expensive not realistic model Multi-party computation (TI) made practical. 1. Correctness z = f (x) z = f (x) 2. Non-completeness z 1 = f 1 (x 1 ,x 2 ) f ( ) 3 3. I d Independent uniform d t if distribution of input z 2 = f 2 (x 1 ,x 3 ) z 3 = f 3 (x 2 ,x 3 ) 3 ( 2 3 ) 3 Power consumption of each f i is independent of x 1 , x 2 , x 3. Secure in the presence of glitches (transition count model) Secure in the presence of glitches (transition count model) against 1 st order SCA.

  18. Example: multiplier • = secure AND gate • 3 shares 3 shares • Secure in the presence of glitches

  19. Lightweight SCA protection Protecting Arbitrary Functions: Multiplication of Multiplication of n elements needs at least n+1 shares elements needs at least +1 shares Hardware size increases about quadratic with the number of shares Can we reduce the number of shares? Hence 3 shares we can apply only to the quadratic functions Hence 3 shares we can apply only to the quadratic functions. Pipelining: Registers are insensitive to glitches g g Split functions into parts with less non-linearity Use registers between combinatorial parts Problem: Property 3: the inputs of each step need to be independent uniformly distributed Pipelining: output of each step is input of next step W We need Property 3 for output as well. d P t 3 f t t ll

  20. Lightweight SCA protection Which functions can we protect? The number of shares depends on the degree of the function. Th b f h d d h d f h f i Hence 3 shares we can apply only to the quadratic functions. • The multiplications in GF(2) (AND gate) and GF(4). • The Boolean functions with 2 and 3 inputs • The Boolean functions with 2 and 3 inputs. • Noekeon (KUL) 2000, S-box. S(x) = NL(L(NL(x)) Pipelined implementation

  21. Noekeon Implementation Results • Implementation using Austria Microsystems Standard Cell Library CMOS 0.35 μ m • S-Box:  54 GE (implementation of 2 quadratic mappings)  correlation • Protected S-Box:  188 GE (excluding 12 bit register)  no correlation between shares and unshared values unshared values • Less than 4x increase (actually 3.5x) in size N t Note nonlinear part only. li t l

  22. Noekeon Implementation Results • An 4x4 S-box costs ~ 50 GE or at-least 30 GE, but the s-box of Noekeon is 54 the s-box of Noekeon is 54 GE when decomposed in two quadratic mappings. • • Since the shared mappings Since the shared mappings are less efficient than the originals we get instead of theoretically expected 3x y p increase slightly more 3.5x.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K. Schramm Workshop on Fast Software Encryption 2007 Outline Introduction Why lightweight? Why choose DES? DESL: DES Lightweight Why change DES?

364 views • 12 slides
Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors

Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors

Lightweight Cryptography - Hardware Perspective - Miroslav Kne evi NXP Semiconductors Thanks to the teams of KATAN, SPONGENT, PRINCE, FIDES Design and Security of Cryptographic Functions, Algorithms, and Devices, PAGE: 1 of 33 Summer

590 views • 45 slides
RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium February 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium February 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium February 2011, Corua, Spain RFID Primer RFID Primer Definition Radio frequency identification'' (RFID) means the use of electromagnetic radiating waves

729 views • 47 slides
Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event Cryptography for 2020 Tenerife January 23 rd , 2013 Organization Lightweight Cryptography: Mission Accomplished? Introduction Technical perspective

478 views • 20 slides
Analyzing Side-Channel Leakage of RFID-Suitable Lightweight

Analyzing Side-Channel Leakage of RFID-Suitable Lightweight

Ins$tute for Applied Informa$on Processing and Communica$ons (IAIK) Analyzing Side-Channel Leakage of RFID-Suitable Lightweight ECC Hardware

244 views • 23 slides
RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011, Rennes, France Summary RFID Primer. Examples. Capabilities. Particularities. Authentication in RFID. Theory. Practical

934 views • 64 slides
On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1 AIST, Japan Kolkata, India (16 November 2018) 1 / 38 Table of contents 1 Introduction 2 Lightweight Crypto Stack for Circuit/RAM Size Requirement

670 views • 38 slides
A Case Against Currently Used Hash Functions in RFID Protocols Workshop on RFID Security 2006

A Case Against Currently Used Hash Functions in RFID Protocols Workshop on RFID Security 2006

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security A Case Against Currently Used Hash Functions in RFID Protocols Workshop on RFID Security 2006 RFIDSec06 July 13-14, 2006, Graz, Austria

232 views • 21 slides
Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world crypto and privacy Sibenik, Croatia - June 15 2018 Outline Symmetric lightweight primitives Most used cryptanalysis Impossible

1.31k views • 76 slides
Smartcards and RFID Security in Organisations Erik Poll Digital Security University of Nijmegen

Smartcards and RFID Security in Organisations Erik Poll Digital Security University of Nijmegen

Smartcards and RFID Security in Organisations Erik Poll Digital Security University of Nijmegen 1 Goals of today What are smartcards and RFID tags? what can they do? what security can they provide? and what are the limits here?

1.17k views • 80 slides
Maximalist Cryptography and Computation on the WISP UHF RFID Tag Hee-Jin Chae 1 , Daniel J. Yeager

Maximalist Cryptography and Computation on the WISP UHF RFID Tag Hee-Jin Chae 1 , Daniel J. Yeager

Maximalist Cryptography and Computation on the WISP UHF RFID Tag Hee-Jin Chae 1 , Daniel J. Yeager 2 , Joshua R. Smith 2 , and Kevin Fu 1 1 University of Massachusetts, Amherst, MA, USA, { chae, kevinfu } @cs.umass.edu 2 Intel Research Seattle,

381 views • 12 slides
The Future Security Challenges in RFID Gildas Avoine, UCL Belgium Workshop in Information

The Future Security Challenges in RFID Gildas Avoine, UCL Belgium Workshop in Information

The Future Security Challenges in RFID Gildas Avoine, UCL Belgium Workshop in Information Security Theory and Practices 1 4 September 2009, Brussels, Belgium Summary A brief reminder about RFID. Description of the threats, state of

880 views • 41 slides
Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID

Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID

Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID Tags and Presentation of First Results Walter Hinz, Klaus Finkenzeller, Martin Seysen Barcelona, February 19 th , 2013 Agenda Motivation for

416 views • 26 slides
The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work

The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work

The State of the Art in Symmetric Lightweight Cryptography Lo Perrin Based on a joint work with Alex Biryukov November 18, 2017 Cryptacus Workshop Taken from a document writen originally in English. The programming of billions of processors

903 views • 75 slides
Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert

Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert

Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert Staples STVM/CSD/NIST A perspective: cryptography evolves very fast to provide security in cyberspace Emerging crypto technologies - lightweight crypto

199 views • 17 slides
RFID Security Gildas Avoine UCL, Louvain-la-Neuve, Belgium Department of Computing Science and

RFID Security Gildas Avoine UCL, Louvain-la-Neuve, Belgium Department of Computing Science and

Ecole Internationale de Printemps Syst` emes R epartis : METIS2008 RFID Security Gildas Avoine UCL, Louvain-la-Neuve, Belgium Department of Computing Science and Engineering RFID Security gildas.avoine@uclouvain.be Introduction Outline

1.28k views • 95 slides
Long Range and Low Powered RFID Tags with Tunnel Diode F. Amato, C. W. Peterson, M. B. Akbar, G.

Long Range and Low Powered RFID Tags with Tunnel Diode F. Amato, C. W. Peterson, M. B. Akbar, G.

Long Range and Low Powered RFID Tags with Tunnel Diode F. Amato, C. W. Peterson, M. B. Akbar, G. D. Durgin School of Electrical and Computer Engineering Georgia Institute of Technology This work was supported, in part, by NSF Grant ECCS

526 views • 33 slides
FlowCube Constructing RFID FlowCubes for Multi-dimensional Analysis of Commodity Flows Hector

FlowCube Constructing RFID FlowCubes for Multi-dimensional Analysis of Commodity Flows Hector

Motivation FlowGraphs FlowCubes FlowCube Constructing RFID FlowCubes for Multi-dimensional Analysis of Commodity Flows Hector Gonzalez, Jiawei Han, Xiaolei Li University of Illinois at Urbana-Champaign Department of Computer Science The

630 views • 30 slides
Distribution for RFID-Enabled Supply Chains Tieyan Li, Yingjiu Li, Guilin Wang SecureComm 2011,

Distribution for RFID-Enabled Supply Chains Tieyan Li, Yingjiu Li, Guilin Wang SecureComm 2011,

Secure and Practical Key Distribution for RFID-Enabled Supply Chains Tieyan Li, Yingjiu Li, Guilin Wang SecureComm 2011, London Outline Motivations Related Works Contributions Scenario Desired Security Properties

303 views • 15 slides
Konark: A RFID based system for enhancing in-store shopping experience Swadhin Pradhan 1 , Eugene

Konark: A RFID based system for enhancing in-store shopping experience Swadhin Pradhan 1 , Eugene

Konark: A RFID based system for enhancing in-store shopping experience Swadhin Pradhan 1 , Eugene Chai 2 , Karthik Sundaresan 2 , Sampath Rangarajan 2 , and Lili Qiu 1 . 1 UT Austin 2 NEC Labs America WP WPA 2017, Mo MobiSys 1 17 Ju

715 views • 15 slides
ECC on small devices Junfeng Fan Katholieke Universiteit Leuven, Belgium

ECC on small devices Junfeng Fan Katholieke Universiteit Leuven, Belgium

ECC on small devices Junfeng Fan Katholieke Universiteit Leuven, Belgium junfeng.fan@esat.kuleuven.be What is a small device? 2 What is a small device? 3 What is a small device? 4 What is a small device? Trusted Platform

1.34k views • 111 slides
PublicKeyCryptographyforRFID Tags

PublicKeyCryptographyforRFID Tags

PublicKeyCryptographyforRFID Tags !" #$ %&! '()* +( "

760 views • 49 slides
A Privacy-Restoring Mechanism for Offline RFID Systems Gildas Avoine Iwen Coisel Tania Martin

A Privacy-Restoring Mechanism for Offline RFID Systems Gildas Avoine Iwen Coisel Tania Martin

A Privacy-Restoring Mechanism for Offline RFID Systems Gildas Avoine Iwen Coisel Tania Martin Universit e catholique de Louvain Belgium April 16, 2012 [WiSec12, Tucson, AZ, USA] Goal of our Paper Authentication protocol that

1.08k views • 43 slides
SYSTEM CALL IN MINIX Zhen Mo What is the MINIX System? Mini Unix (Minix) basically, a UNIX

SYSTEM CALL IN MINIX Zhen Mo What is the MINIX System? Mini Unix (Minix) basically, a UNIX

SYSTEM CALL IN MINIX Zhen Mo What is the MINIX System? Mini Unix (Minix) basically, a UNIX compatible operating system. Open source : intend to be studied in universities Very small (kernel is under 4000 lines) Simple Design

299 views • 17 slides

More recommend