KATHOLIEKE UNIVERSITEIT LEUVEN | COSIC. Compact Implementations for RFID and Sensor Nodes. L. Batina, K. Sakiyama and I. Verbauwhede, Katholieke Universiteit Leuven, ESAT-SCD/COSIC. DATE 2007 Workshop on Secure Embedded Implementations, Nice, France, April 20, 2007.
Outline: Introduction and Motivation; Curve-based Cryptography (ECC/HECC); Low-cost ECC/HECC processor; Results: area, power, performance; Conclusions; Future work.
Introduction: RFID system and sensors. [Figure: Tags, Readers, Server]
Motivation. Emerging new applications: wireless applications, sensor networks, RFIDs, car immobilizers, key chains etc. Resource limited: area (< 1 mm² *), memory, bandwidth. Low-cost, low-power (< 500 μW or 1.5 V *), low-energy. Pure hardware solutions are energy and cost effective. Side-channel security. Privacy enhancement. * Source: Wolkerstorfer, RFID workshop 2005.
Motivation: Why Public-Key Cryptography? PKC reduces protocol overhead => fewer packet transmissions. Example: Schnorr identification protocol (3 rounds). PKC provides more security: key protection, authentication, key distribution. PKC allows for strong authentication.
ECC/HECC over binary fields. A hyperelliptic curve of genus g over a finite field K: f and h are polynomials, deg(h) ≤ g, deg(f) = 2g+1 and f is monic; some more conditions should be satisfied. An elliptic curve E over GF(2^n) is defined by an equation of the form: where a, b ∈ GF(2^n). Points are (x, y) which satisfy the equation, where x, y ∈ GF(2^n). A hyperelliptic curve of genus g = 1 is called an elliptic curve.
ECC operations: Hierarchy. (H)ECC computes point multiplication, kP. [Figure: (a) conventional hierarchy: Point Multiplication; Point Addition, Point Doubling; Finite Field Addition, Finite Field Multiplication, Finite Field Inversion. (b) compact datapath architecture: Point Multiplication; Point Addition, Point Doubling; Finite Field Operation (e.g. AB or (B+C) mod P), Finite Field Inversion; Controller, Datapath.]
Low-power design: Architectural decisions are important. Frequency as low as possible. Power consumption and energy efficiency are both crucial. ECC arithmetic should be revisited to optimize those parameters. The circuit size should be minimized. Flexibility can be sacrificed.
(H)ECC processor. [Figure: HECC (83 bits); ECC-comp. (83 bits)]
New compact MALU (Modular ALU): Implements bit/digit serial modular multiplication and addition in a binary field. Fixed irreducible polynomial. Suitable for ECC over GF(2^p), ECC over composite fields and HECC. Resource sharing of both modular operations required. No separate squaring unit or inverter => simple side-channel resistance.
AB mod N (cmd = 1) & B + C mod N (cmd = 0). [Figure: Schematics of the MALU; d: digit size, n: field size]
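The two MALU commands above, as an added software model (not the authors' hardware description) of most-significant-digit-first multiplication with d bits of A consumed per clock cycle. The reduction polynomial, the one-cycle addition, the function names and the operands are assumptions made for this example; the slides only state that the polynomial is fixed.

```python
# Added software model of a digit-serial MALU; not the authors' hardware.
N_BITS = 163  # field size n (one of the sizes the slides report)
# Assumed reduction polynomial x^163 + x^7 + x^6 + x^3 + 1 (NIST binary-field
# choice); the slides only say the polynomial is fixed.
POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1


def shift_reduce(t):
    """Multiply t by x and reduce modulo POLY (one row of MALU cells)."""
    t <<= 1
    return t ^ POLY if t >> N_BITS else t


def malu(cmd, a, b, c=0, d=1):
    """cmd=1: A*B mod N; cmd=0: B+C mod N. Returns (result, clock cycles)."""
    if cmd == 0:
        return b ^ c, 1  # GF(2^n) addition is XOR; 1 cycle is an assumption
    cycles = -(-N_BITS // d)  # ceil(n/d): one d-bit digit of A per cycle
    acc = 0
    for i in reversed(range(cycles)):  # most-significant digit first
        digit = (a >> (i * d)) & ((1 << d) - 1)
        for j in reversed(range(d)):  # d cell rows evaluated in one cycle
            acc = shift_reduce(acc)
            if (digit >> j) & 1:
                acc ^= b
    return acc, cycles


def reference_mul(a, b):
    """Schoolbook carry-less product, then reduction; used only as a check."""
    prod = 0
    for i in range(N_BITS):
        if (a >> i) & 1:
            prod ^= b << i
    for i in range(2 * N_BITS - 2, N_BITS - 1, -1):
        if (prod >> i) & 1:
            prod ^= POLY << (i - N_BITS)
    return prod


# Constructed operands (arbitrary field elements below 2^163).
A = 0x5A17C0FFEE0123456789ABCDEF00112233445566
B = 0x2DEADBEEF00D1CEB00C0DE55AA33CC0F0F1E2D3C

if __name__ == "__main__":
    for d in (1, 2, 3, 4):
        result, cycles = malu(1, A, B, d=d)
        print(d, cycles, result == reference_mul(A, B))
```

Squaring goes through the same path as `malu(1, a, a)`, so every field multiplication takes the same number of cycles for a given d regardless of operand values.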
Area of MALU for ECC/HECC. ECC: d = 1,…, 4; k = 131,…, 163. ECC comp. & HECC: d = 1,…, 8, k = 67,…, 83. [Plots: ECC; ECC-comp. / HECC]
ECC results for area: MALU + controller. [Table of area by digit size (d = 1, 2, 3, 4) and field size k.] Control is around 30% of the total # of gates.
ECC-comp. and HECC results for area: MALU + controller. [Table of area by digit size (d = 1, 2, 4, 6, 8) for k = 67 and k = 83, ECC-comp. and HECC.]
Results: Power consumption by MALU. ECC: d = 1,…, 4; k = 163. ECC comp.: d = 1,…, 8; k = 83. [Plots: ECC (163 bits); ECC-comp (83 bits)]
Results for ECC: performance. Estimated performance for ECC over GF(2^p), 1 point 500 kHz (digit size d = 4): t = 190 ms in GF(2^163); t = 115 ms in GF(2^131).
Complete results. Table columns: PKC – bits of sec.; d; # gates w/o RAM; f [kHz]; t [ms]; P [μW]. Rows: ECC < 12; ECC < 15; ECC-comp < 13; HECC < 17.
Conclusions: The presented MALU is the smallest possible solution for curve-based cryptography. Our result is also the most compact ECC/HECC solution so far. Area and power are scalable in the digit size, d.
Future work: Better power estimates regarding RAM and synthesis in 0.13 (0.18) μm CMOS library are required. Compact RNG for tag authentication protocol. Light-weight protocols: trade-off between security and efficiency. Low-cost countermeasures for side-channel attacks.