Johannes Wolkerstorfer

Strong authentication for RFID systems using the AES algorithm

Radio frequency identification (RFID) is an emerging technology which brings enormous productivity benefits in applications where objects have to be identified automatically. This paper presents issues concerning security and privacy of RFID systems which are heavily discussed in public. In contrast to the RFID community, which claims that cryptographic components are too costly for RFID tags, we describe a solution using strong symmetric authentication which is suitable for today’s requirements regarding low power consumption and low die-size. We introduce an authentication protocol which serves as a proof of concept for authenticating an RFID tag to a reader device using the Advanced Encryption Standard (AES) as cryptographic primitive. The main part of this work is a novel approach of an AES hardware implementation which encrypts a 128-bit block of data within 1000 clock cycles and has a power consumption below 9 μA on a 0.35 μm CMOS process.

An ASIC Implementation of the AES SBoxes

This article presents a hardware implementation of the S-Boxes from the Advanced Encryption Standard (AES). The SBoxes substitute an 8-bit input for an 8-bit output and are based on arithmetic operations in the finite field GF(28). We show that a calculation of this function and its inverse can be done efficiently with combinational logic. This approach has advantages over a straight-forward implementation using read-only memories for table lookups. Most of the functionality is used for both encryption and decryption. The resulting circuit offers low transistor count, has low die-size, is convenient for pipelining, and can be realized easily within a semi-custom design methodology like a standard-cell design. Our standard cell implementation on a 0.6 ?m CMOS process requires an area of only 0.108 mm2 and has delay below 15 ns which equals a maximum clock frequency of 70 MHz. These results were achieved without applying any speed optimization techniques like pipelining.

ECC Is Ready for RFID --- A Proof in Silicon

This paper presents the silicon chip ECCon, an Elliptic Curve Cryptography processor for application in Radio-Frequency Identification. The circuit is fabricated on a 180 nm CMOS technology. ECCon features small silicon size (15K GE) and has low power consumption (8.57 μW). It computes 163-bit ECC point-multiplications in 296k cycles and has an ISO 18000-3 RFID interface. ECCons very low and nearly constant power consumption makes it the first ECC chip that can be powered passively. This major breakthrough is possible because of a radical change in hardware architecture. The ECCon datapath operates on 16-bit words, which is similar to ECC instruction-set extensions. A number of innovations on the algorithmic and on the architectural level substantially increased the efficiency of 163-bit ECC. ECCon is the first demonstration that the proof of origin via electronic signatures can be realized on RFID tags in 180 nm CMOS and below.

Strong Crypto for RFID Tags - A Comparison of Low-Power Hardware Implementations

The implementation of security protocols in RFID systems is challenging because of the fierce constraints concerning power consumption and low die size of RFID tags. The choice of the appropriate cryptographic primitive is difficult because there are many different algorithms available and the design options for each are manifold. In this paper, we analyze the standardized cryptographic algorithms SHA-256, SHA-1, MD5, AES-128, and ECC-192 in terms of implementation efficiency. The three parameters mean power consumption, chip area, and the number of clock cycles, are used to introduce a metric for a fair comparison of different hardware implementations. We describe the implementations of the five modules which were optimized for application in passive RFID tags and compare their results. We give conclusive evidence that the use of AES in RFID systems is most appropriate today

ECC Processor with Low Die Size for RFID Applications

This paper presents the design of a special purpose processor with elliptic curve digital signature algorithm (ECDSA) functionality. This digital signature generation device (SGD) was developed especially for RFID tags. The design parameters were low energy consumption, small chip area, robustness against cryptographic attacks, and flexibility. The SGD was designed to work as digital processor in an RFID tag requiring the tag to provide the secret key storage and a PRNG. The SHA-1 calculation needs to be included into the SGD to avoid a microcontroller on the tag. The asymmetric cryptosystem allows authentication of the tag to untrusted third parties without revealing the secret key. The ECDSA functionality was implemented using a prime field GF(p) and affine coordinates, an alternative way to reduce the die size and the costs of the tag. The standard-cell based implementation of the device is fully scalable for different prime fields sizes. The GF(p192) version will need 23k gate equivalents or 1.3 mm2 for a 0.35 mum process. 502k clock cycles are used for signature generation. The near-Spice level power simulation with Nanosim estimated the final energy consumption to 0.846 mWs for a generated signature.

Dual-Field Arithmetic Unit for GF(p) and GF(2m)

In this article we present a hardware solution for finite field arithmetic with application in asymmetric cryptography. It supports calculation in GF(p) as well as in GF(2m). Addition and multiplication with interleaved modular reduction are the main functionality of the unit. Additional functions--like shift operations and integer incrementation--allow the calculation of the multiplicative inverse and covering all operations required to implement Elliptic Curve Cryptography. Redundant number representation and efficient modular reduction make it ready for future cryptographic bitlengths and allow operation at high clock frequency on moderate hardware resources.

Efficient AES implementations on ASICs and FPGAs

In this article, we present two AES hardware architectures: one for ASICs and one for FPGAs. Both architectures utilize the similarities of encryption and decryption to provide a high throughput using only a relatively small area. The presented architectures can be used in a wide range of applications. The architecture for ASIC implementations is suited for full-custom as well as for semi-custom design flows. The architecture for the FPGA implementation does not require on-chip block RAMs and can therefore even be used for low-cost FPGAs.

Hardware/software co-design of elliptic curve cryptography on an 8051 microcontroller

8-bit microcontrollers like the 8051 still hold a considerable share of the embedded systems market and dominate in the smart card industry. The performance of 8-bit microcontrollers is often too poor for the implementation of public-key cryptography in software. In this paper we present a minimalist hardware accelerator for enabling elliptic curve cryptography (ECC) on an 8051 microcontroller. We demonstrate the importance of removing system-level performance bottlenecks caused by the transfer of operands between hardware accelerator and external RAM. The integration of a small direct memory access (DMA) unit proves vital to exploit the full potential of the hardware accelerator. Our design allows to perform a scalar multiplication over the binary extension field GF(2191) in 118 msec at a clock frequency of 12 MHz. Considering performance and hardware cost, our system compares favorably with previous work on similar 8-bit platforms.

Multi-gigabit GCM-AES Architecture Optimized for FPGAs

This paper presents a design-space exploration of the Galois/Counter Mode (GCM) algorithm with Advanced Encryption Standard (AES) as underlying block cipher for high throughput applications to combine data encryption and message authentication on FPGAs. Four different degrees of parallelism were implemented, namely a 128-, 64-, 32- and 16-bit wide data path calculating an output block in 1, 2, 4 and 8 clock cycles, respectively. Regarding the AES algorithm different SubBytes()and round architectures were evaluated against each other. For the multiplier required for GCM, two bit-parallel, a digit-serial and a hybrid architecture were evaluated. The different architectures were designed, implemented and tested on a Xilinx Virtex4-FX100 FPGA. All architectures support key lengths of 128, 192 and 256 bits and are equipped with a ready-to-use interface for real-world applications. A throughput of 15.3 Gb/s was reached. It pointed out that throughput rates for state-of-the-art communication channels can be achieved using reasonable hardware resources. The results comparing slice counts, RAM usage and speed are presented.

A Universal and Efficient AES Co-processor for Field Programmable Logic Arrays

In this article we present a compact and efficient co-processor that calculates the Advanced Encryption Standard (AES). It implements the whole functionality of the AES algorithm: all key lengths (128-bit, 192-bit, and 256-bit) are supported for both, encryption and decryption. Furthermore, it supports the Cipher Block Chaining mode. Due to an innovative AES State representation the complete AES co-processor is well suited for low-end FPGAs. The integrated AMBA interface facilitates the integration of the co-processor in System-on-Chip designs too. An implementation on a Xilinx Virtex-E FPGA device uses only 1,125 CLB slices and no block RAMs. Our FPGA implementation reaches a throughput of 215 Mbps at a clock frequency of 161.0 MHz.