Lightweight Cryptography Mission Accomplished? Peter Rombouts - - PowerPoint PPT Presentation

Lightweight Cryptography

Mission Accomplished?

Peter Rombouts ECRYPT II Closing Event Cryptography for 2020 Tenerife January 23rd, 2013

PUBLIC

Organization

Lightweight Cryptography: Mission Accomplished? Introduction Technical perspective Business perspective Examples Evaluation Next?

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• 2

PUBLIC

Introduction

Why Lightweight Cryptography? RFID tags

– Small transponders, command-reply interrogation by a reader – Passively powered by reader field (not always)

What if…

… cryptography was possible on these devices ? – Applications ? – Technical constraints ?

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• 3

PUBLIC

Introduction

Applications

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• Luxury Goods

Anti-counterfeiting Storage Warranty Certificates Privacy Untraceability Perishable Goods Quality monitoring

4

PUBLIC

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• Introduction

Technical constraints Cost of RFID tag

– RFID market is cost driven – Cost determined by

• Area of tag (GE)
• Silicon process technology
• Assembly

Read range

– Application specific requirement – Read range determined by

• Power consumption
• Operating Frequency

Transaction time

– Application specific requirement – Transaction time determined by

• Clock speed & Memory access

Robustness against attacks

5

PUBLIC

Progress

Algorithms & Implementations

1000 2000 3000 4000 5000 6000 7000 8000 9000 2000 2004 2008 2012 Gate Count AES (128/128) PRESENT (80/64) mCrypton (64/64) KATAN (80/32-64) HIGHT (64/64) PUFFIN (128/64) TWINE (80/64) LED (64/64) KLEIN (80/64) PICCOLO (80/64)

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• 6

PUBLIC

Progress

Algorithms & Implementations

200 400 600 800 1000 1200 1400 2000 2004 2008 2012 Latency (cycles/block) AES (128/128) PRESENT (80/64) mCrypton (64/64) KATAN (80/32-64) HIGHT (64/64) PUFFIN (128/64) TWINE (80/64) LED (64/64) KLEIN (80/64) PICCOLO (80/64)

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• 7

PUBLIC

Progress

Algorithms & Implementations

1000 2000 3000 4000 5000 6000 7000 8000 9000 250 500 750 1000 1250 Gate Count AES (128/128) PRESENT (80/64) mCrypton (64/64) KATAN (80/32-64) HIGHT (64/64) PUFFIN (128/64) TWINE (80/64) LED (64/64) KLEIN (80/64) PICCOLO (80/64)

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• Latency (cycles/block)

8

PUBLIC

Progress

Standardization: ISO/IEC 29192 ISO/IEC 29192: Information technology – Security techniques – Lightweight cryptography

– Part 1: General

• Security requirements,
• Classification requirements
• Implementation requirements

– Part 2: Block ciphers

• PRESENT:

block size of 64 bits and a key size of 80 or 128 bits;

• CLEFIA:

block size of 128 bits and a key size of 128, 192 or 256 bits.

– Part 3: Stream ciphers

• Enocoro:

key size of 80 or 128 bits;

• Trivium:

key size of 80 bits.

– Part 4: Mechanisms using asymmetric techniques

• Under Development

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• PUBLISHED

PUBLISHED PUBLISHED

9

PUBLIC

EPC Gen-2 UHF RFID Protocol

– For Communications at 860 MHz – 960 MHz – Version 2.0.0

New Commands – Security Commands – File Management Mirrored in ISO/IEC 18000-63

Progress

Standardization: EPC Global

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• – Challenge

– Authenticate – AuthComm – SecureComm – KeyUpdate – TagPrivilege – ReadBuffer – Untraceable – FileOpen – FileList – FilePrivilege – FileSetup REVIEW

10

PUBLIC

Progress

Standardization: EPC Global

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• Interrogator

(Standard) Tag (Standard) Tag (Cryptographic Suite) Interrogator (Cryptographic Suite)

Tag processing:

• Message processing
• Response construction

Interrogator processing: Response processing 2 step interro- gator authen- tication Message Response Message Response IPReply (Done) Response Authenticate Message

EPC Air Interface Authentication Protocol / SecureComm

IPReply (Busy) Interrogator processing: Message construction Tag processing:

• Message processing
• Response construction

Interrogator processing:

• Response processing
• Message construction

Message Response Message Response IPReply (Done) Response Authenticate Message

Air interface & Commands

– Defined by EPC

Global Cryptographic functionality

– Defined by

ISO/IEC 29167 State machine

– Each standard

11

PUBLIC

Progress

Standardization: ISO/IEC 29167 ISO/IEC 29167 : Information technology – Automatic identification and data capture techniques

– Part 1: General – Part 10: AES-128 (CD) – Part 11: Present 80 (CD) – Part 12: ECC-DH (CD) – Part 13: Grain-128A (WD) – Part 14: AES-OFB (WD) – Part 15: XOR (WD) – Part 16: ECDSA ECDH (CD) – Part 17: Crypto GPS (CD) – Part 1x: HB2 (NWIP) – Part 1x: RAMON (NWIP)

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• PUBLISHED

12

PUBLIC

Lightweight Cryptography

Did it deliver on its promise?

NXP UCODE Crypto

PRESENT-80 crypto core

– ISO 29192-2 compliant – Only Tag Authentication

Silicon available Chip size 0.7 mm2 I2C interface 4kb memory Also an ECC version

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• YES

13

PUBLIC

Lightweight Cryptography

Did it deliver on its promise?

PASTEUR Sensor Platform

NXP UCODE I2C Sensor: MIST 1431 (RH, T, light)  SEN 300 LPC 1114 Batteries (only for sensor) Single chip solution

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• YES

14

PUBLIC

Lightweight Cryptography

Unsolved issues Protocol: Randomness Device: Secure Storage Robustness: Countermeasures

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• MAYBE

Applications require more than just the crypto core !

15

PUBLIC

Lightweight Cryptography

New directions

Countermeasures

– Currently: add-on – Future: Algorithms designed to be protected

Other primitives

– Hash, Public Key

Low-latency

– Lightweight primitives useful for other applications? – Ultra-high speed applications – Some algorithms better than others

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• 16

PUBLIC

Low-Latency Cryptography

Applications When response time is critical

– Solid state disk – Network – Real time

When clock frequency is limited

– FPGA

Energy efficiency

– Wireless sensors – Batteries

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• 17

PUBLIC

Low-Latency Cryptography

Evaluation results

50 100 150 200 250 300 350 400 10 20 30 40 50 Gate Count (kGE)

AES (128/128) PRESENT (80-128/64) mCrypton (64-96-128/64) MINI-AES (64/64) NOEKEON (128/128) LED (64-128/64) KLEIN (80-96-128/64) PRINCE (128/64)

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• Latency (ns)

18

PUBLIC

Conclusions

Lightweight Cryptography A lot of progress has been made

– Algorithms & Implementations – Eco-system: Standards

It has been integrated into products

– Focus on Tag Authentication – Inclusion of sensors

Some unsolved issues New applications emerging

– Low-latency Cryptography

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• There is still a lot to be explored !

19

PUBLIC

January 10, 2013 Lightweight Cryptography / ECRYPT II Closing Event / Peter Rombouts

• 20