

A.5 ECC Processor for RFID systems

To satisfy the requirements of radio frequency identification (RFID) tags [63, 64], a single field ECC processor is proposed [14, 22]. According to [63], the response time of RFID is 250ms and the energy received by the tag is 100µW. In ISO/IEC 18000-3(13.65MHz) [64], the power must be less than 15µW. To achieve these targets, we propose a low-cost ECC processor. We choose the LM C method [14] to perform the ECSM operation because it requires fewer registers, as proven in [14]. The LM C algorithm requires the MA, MM, and modular squaring (MSQ) operations. We use the parallel method [14] to implement the MM operation, shown in figure A.4. The corresponding formula is:

$$X \cdot Y \pmod{p} = \sum_{i=0}^{n/d} X \cdot Y_{(i+1)\cdot d-1\,:\,i\cdot d} \pmod{p} \qquad \text{(A.2)}$$

Note that d represents the digit size. The MM operation takes (n/d) + 1 cycles to execute. In addition, we apply the fast squaring method [22] to perform the MSQ operation, so that the MSQ operation requires only 1 cycle. Combining the above architectures with MA gives the single field ECC processor shown in figure A.5.
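The digit-serial MM of (A.2) and a multiplier-free squaring, worked in GF(2^163) as an added example (not code from the thesis). Assumptions: the NIST reduction polynomial x^163 + x^7 + x^6 + x^3 + 1, digit i weighted by x^(i·d), n/d rounded up, squaring done by bit spreading (the exact form used in [22] is not given on the page), and all function names.

```python
# Added example: digit-serial multiply and linear squaring in GF(2^163).
N = 163
# Assumption: NIST reduction polynomial x^163 + x^7 + x^6 + x^3 + 1.
POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1

def reduce(v):
    """Reduce a binary polynomial (int bit-vector) modulo POLY."""
    while v.bit_length() > N:
        v ^= POLY << (v.bit_length() - 1 - N)
    return v

def clmul(a, b):
    """Carry-less product: polynomial multiplication over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def mm_digit_serial(x, y, d):
    """Multiply x*y, consuming y one d-bit digit per cycle (MSD first).

    Returns (product, cycles); cycles = ceil(n/d) + 1 as in the text.
    """
    digits = -(-N // d)
    acc = 0
    for i in reversed(range(digits)):
        y_i = (y >> (i * d)) & ((1 << d) - 1)     # Y[(i+1)d-1 : i*d]
        acc = reduce((acc << d) ^ clmul(x, y_i))  # Horner step
    return acc, digits + 1

def msq(a):
    """Square by moving bit i to bit 2i, then reducing (no multiplier)."""
    s = 0
    for i in range(N):
        if (a >> i) & 1:
            s |= 1 << (2 * i)
    return reduce(s)

# Constructed sample operands (not from the thesis).
X = pow(3, 100)
Y = pow(7, 57)

if __name__ == "__main__":
    for d in (1, 7, 14):  # digit sizes listed in Table A.5
        prod, cycles = mm_digit_serial(X, Y, d)
        print(d, cycles, prod == reduce(clmul(X, Y)))
    print(msq(X) == mm_digit_serial(X, X, 1)[0])
```

The cycle counts returned here are for one MM only; the cycle figures in Table A.5 cover a whole scalar multiplication.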

In table A.4, the implementation results show that our work outperforms the related works in the gates × cycles ratio. The power consumption is lower than 15µW when the digit size is bigger than 7, as shown in table A.5. These results show that our work satisfies the requirement of ISO/IEC 18000-3(13.65MHz).

Table A.4: Implementation results of ECC processors over GF(2^m).

Tech.   Digit Size   Gates(K)   Field   Cycles   Gates × Cycles

a: By our modification.

Table A.5: Implementation results of proposed ECC processor.

           Tech.   Digit Size   Gates(K)   Field       Cycles
Proposed   90nm    1            11.0       GF(2^163)   214,168   250@858.7   16.2
Proposed   90nm    7            19.4       GF(2^163)   33,885    250@135.5   14.2
Proposed   90nm    14           26.1       GF(2^163)   18,321    250@73.3    14.6

Figure A.4: The architecture of MM operation over GF(2^m).

Figure A.5: The architecture of the proposed ECC processor. Blocks labelled in the figure: MM, MSQ, MA, MALU, 2R1W register file, circular shift register, control unit.

Bibliography

[1] Standard Specifications for Public-Key Cryptography: Additional Techniques, IEEE Std. 1363A, 2000.

[2] D. Hankerson, A. Menezes, and S. Vanstone, Guide to Elliptic Curve Cryptography. Springer, 2004.

[3] I. F. Blake, G. Seroussi, and N. P. Smart, Elliptic Curves in Cryptography. Cambridge University Press, 1999.

[4] ——, Advances in Elliptic Curve Cryptography. Cambridge University Press, 2005.

[5] H. Cohen and G. Frey, Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman and Hall/CRC, 2006.

[6] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, 2nd ed. Pearson Education International, 2006.

[7] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Commun. ACM, vol. 21, no. 2, pp. 120–126, 1978.

[8] H. Yan and Z. J. Shi, “Studying software implementations of elliptic curve cryptography,” in 3rd International Conference on Information Technology: New Generations (ITNG), Las Vegas, Nevada, USA, 2006.

[9] G. Chen, G. Bai, and H. Chen, “A high-performance elliptic curve cryptographic processor for general curves over GF(p) based on a systolic arithmetic unit,” IEEE Trans. Circuits Syst. II, Exp. Briefs, vol. 54, no. 5, pp. 412–416, May 2007.

[10] C. J. McIvor, M. McLoone, and J. V. McCanny, “Hardware elliptic curve cryptographic processor over GF(p),” IEEE Trans. Circuits Syst. I, Regular, vol. 53, no. 9, pp. 1946–1957, Sept. 2006.

[11] P. Longa and A. Miri, “Fast and flexible elliptic curve point arithmetic over prime fields,” IEEE Transactions on Computers, vol. 57, no. 3, pp. 289–302, Mar. 2008.

[12] J. Goodman and A. P. Chandrakasan, “An energy-efficient reconfigurable public-key cryptography processor,” IEEE J. Solid-State Circuits, vol. 36, no. 11, pp. 1808–1820, Nov. 2001.

[13] J.-H. Chen, M.-D. Shieh, and W.-C. Lin, “A high-performance unified-field reconfigurable cryptographic processor,” IEEE Transactions on Computers, pp. 1–14, Nov. 2009.

[14] Y. K. Lee, K. Sakiyama, L. Batina, and I. Verbauwhede, “Elliptic-curve-based security processor for RFID,” IEEE Transactions on Computers, vol. 57, no. 11, pp. 1514–1527, Nov. 2008.

[15] K. Sakiyama, L. Batina, B. Preneel, and I. Verbauwhede, “Multicore curve-based cryptoprocessor with reconfigurable modular arithmetic logic units over GF(2^n),” IEEE Transactions on Computers, vol. 56, no. 9, pp. 1269–1282, Sept. 2007.

[16] K. Jarvinen and J. Skytta, “On parallelization of high-speed processors for elliptic curve cryptography,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 16, no. 9, pp. 1162–1175, Sept. 2008.

[17] B. Ansari and M. A. Hasan, “High-performance architecture of elliptic curve scalar multiplication,” IEEE Transactions on Computers, vol. 57, no. 11, pp. 1443–1453, Nov. 2008.

[18] S. Okada, N. Torii, K. Itoh, and M. Takenaka, “Implementation of elliptic curve cryptographic coprocessor over GF(2^m) on an FPGA,” in Proc. Cryptographic Hardware and Embedded Systems (CHES’00), Worcester, MA, USA, Aug. 2000.

[19] Y. Eslami, A. Sheikholeslami, P. G. Gulak, S. Masui, and K. Mukaida, “An area-efficient universal cryptography processor for smart cards,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 14, no. 1, pp. 43–56, Jan. 2006.

[20] M. Purnprajna, C. Puttmann, and M. Porrmann, “Power aware reconfigurable multiprocessor for elliptic curve cryptography,” in Design, Automation and Test in Europe Conference and Exhibition, ICM, Munich, Germany, Mar. 2008, pp. 1462–1467.

[21] S. Peter, P. Langendörfer, and K. Piotrowski, “Flexible hardware reduction for elliptic curve cryptography in GF(2^m),” in Design, Automation and Test in Europe Conference and Exhibition, Nice Acropolis, France, Apr. 2007, pp. 1–6.

[22] S. Kumar and C. Paar, “Are standards compliant elliptic curve cryptosystems feasible on RFID?” in Workshop Record of the ECRYPT Workshop RFID Security, 2006.

[23] A. Satoh and K. Takano, “A scalable dual-field elliptic curve cryptographic processor,” IEEE Trans. Comput., vol. 52, no. 4, pp. 449–460, 2003.

[24] J.-Y. Lai and C.-T. Huang, “Elixir: High-throughput cost-effective dual field processors and the design framework for elliptic curve cryptography,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 16, no. 11, pp. 1567–1580, Nov. 2008.

[25] ——, “A highly efficient cipher processor for dual-field elliptic curve cryptography,” IEEE Trans. Circuits Syst. II, Exp. Briefs, vol. 56, no. 5, pp. 394–398, May 2009.

[26] E. W. Weisstein, “Fermat’s little theorem,” in MathWorld–A Wolfram Web Resource, http://mathworld.wolfram.com/FermatsLittleTheorem.html.

[27] B. S. K. Jr., “The Montgomery inverse and its applications,” IEEE Transactions on Computers, vol. 44, no. 8, pp. 1064–1065, Aug. 1995.

[28] E. Savaş and Ç. K. Koç, “The Montgomery modular inverse - revisited,” IEEE Trans. Circuits Syst. II, Exp. Briefs, vol. 49, no. 7, pp. 763–766, July 2000.

[29] R. Deng and Y. Zhou, “Improvement to Montgomery modular inverse algorithm,” IEEE Trans. Circuits Syst. II, Exp. Briefs, vol. 55, no. 9, pp. 1207–1210, Sept. 2006.

[30] A. A.-A. Gutub, A. F. Tenca, and Ç. K. Koç, “Scalable and unified hardware to compute Montgomery inverse in GF(p) and GF(2^n),” in CHES’02, Redwood Shores, CA, USA, 2003.

[31] Y.-J. Liu, “An implementation of universal dual-field scalar multiplication on elliptic curve cryptosystems,” Master’s thesis, National Chiao Tung University, 2007.

[32] C.-Y. Tseng, “Design and implementation of an SPA-resistance dual-field elliptic curve arithmetic unit,” Master’s thesis, National Chiao Tung University, 2008.

[33] J.-W. Lee, Y.-L. Chen, C.-Y. Tseng, H.-C. Chang, and C.-Y. Lee, “A 521-bit dual-field elliptic curve cryptographic processor with power analysis resistance,” in European Solid-State Circuits Conference (ESSCIRC), Seville, Spain, Sept. 2010 (to appear).

[34] E. Savaş, “A carry-free architecture for Montgomery inversion,” IEEE Transactions on Computers, vol. 54, no. 12, pp. 1508–1519, Dec. 2005.

[35] M. E. Kaihara and N. Takagi, “A hardware algorithm for modular multiplication/division,” IEEE Transactions on Computers, vol. 54, no. 1, pp. 12–21, January 2005.

[36] G. Chen and H. Chen, “A new systolic architecture for modular division,” IEEE Transactions on Computers, vol. 56, no. 2, pp. 282–286, Feb. 2007.

[37] G. M. d. Dormale, P. Bulens, and J.-J. Quisquater, “Efficient modular division implementation,” in FPL 2004, LNCS 3203, Leuven, Belgium, 2004, pp. 231–240.

[38] N. Takagi, “A VLSI algorithm for modular division based on the binary GCD algorithm,” IEICE Trans. Fundamentals, vol. E81-A, no. 5, pp. 724–728, May 1998.

[39] S. Mangard, E. Oswald, and T. Popp, Power analysis Attacks-Revealing the Secrets of Smart Cards. Springer, 2006.

[40] A. Miyamoto, N. Homma, T. Aoki, and A. Satoh, “SPA against an FPGA-based RSA implementation with a high-radix Montgomery multiplier,” in IEEE Int. Symp. Circuits Syst. (ISCAS), New Orleans, USA, May 2007, pp. 1847–1850.

[41] ——, “Chosen-message SPA attacks against FPGA-based RSA hardware implementation,” in Int. Conf. on Field Programmable Logic and Applications (FPL), Heidelberg, Germany, Sept. 2008.

[42] P. C. Kocher, “Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems,” in Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology, 1996, pp. 104–113.

[43] P. C. Kocher, R. Lee, and G. McGraw, “Security as a new dimension in embedded system design,” in Proceedings of the 41th Annual Conference on Design Automation, 2004, pp. 753–760.

[44] P. C. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, 1999, pp. 388–397.

[45] R. Muresan and S. Gregori, “Protection circuit against differential power analysis attacks for smart cards,” IEEE Transactions on Computers, vol. 57, no. 11, pp. 1540–1549, Nov. 2008.

[46] E. Brier and M. Joye, “Weierstraß elliptic curves and side-channel attack,” in PKC’02, vol. 2274, Paris, France, 2002, pp. 335–345.

[47] J. López and R. Dahab, “Fast multiplication on elliptic curve over GF(2^n) without precomputation,” in CHES’99, vol. 1717, Worcester, MA, USA, 1999, pp. 316–327.

[48] P. Fouque and F. Valette, “The doubling attack-why upwards is better than downwards,” in CHES’03, vol. 2779, Cologne, Germany, 2003, pp. 269–280.

[49] K. Itoh, T. Izu, and M. Takenaka, “Address-bit differential power analysis of cryptographic schemes OK-ECDH and OK-ECDSA,” in CHES’02, Redwood Shores, CA, USA, 2003, pp. 399–412.

[50] L. Goubin, “A refined power-analysis attack on elliptic curve cryptosystems,” in PKC 2003, ser. Lecture Notes in Computer Science, vol. 2567, Miami, Florida, USA, 2003, pp. 199–210.

[51] T. Akishita and T. Takagi, “Zero-value point attacks on elliptic curve cryptosystem,” in ISC 2003, ser. Lecture Notes in Computer Science, vol. 2851, Bristol, UK, 2003, pp. 199–210.

[52] J. López and R. Dahab, “Improved algorithms for elliptic curve arithmetic in GF(2^m),” in Sel. Areas Cryptography: 5th Annu. Int. Workshop (SAC), vol. 1556, Santa Fe, New Mexico, Aug. 1998, pp. 201–212.

[53] H. Cohen, A. Miyaji, and T. Ono, “Efficient elliptic curve exponentiation using mixed coordinates,” in Proc. Adv. Cryptolog. (Asiacrypt’98).

[54] P. L. Montgomery, “Modular multiplication without trial division,” Mathematics of Computation, vol. 44, no. 170, pp. 519–521, April 1985.

[55] G. Chen, G. Bai, and H. Chen, “A dual-field elliptic curve cryptographic processor based on a systolic arithmetic unit,” in IEEE Int. Symp. Circuits Syst. (ISCAS), Seattle, Washington, USA, May 2008, pp. 3298–3301.

[56] A. F. Tenca and Ç. K. Koç, “A scalable architecture for modular multiplication based on Montgomery’s algorithm,” IEEE Transactions on Computers, vol. 52, no. 9, pp. 1215–1221, Sept. 2003.

[57] D. E. Knuth, The Art of Computer Programming, 3rd ed. Addison-Wesley, 1998, vol. 2, ch. Seminumerical Algorithms.

[58] G. V. S. Raju and R. Akbani, “Elliptic curve cryptosystem and its applications,” in IEEE International Conference on Systems, Man and Cybernetics, vol. 2, Crystal City Hyatt Regency Washington, D. C., USA, Nov. 2003, pp. 1540–1543.

[59] FIPS 186—Digital signature standard, National Institute of Standards and Technology (NIST) Std., June 2009.

[60] J.-S. Coron, “Resistance against differential power analysis for elliptic curve cryptography,” in CHES’99, ser. Lecture Notes in Computer Science, Ç. K. Koç and C. Paar, Eds., vol. 1717, Worcester, MA, USA, 1999, pp. 292–302.

[61] T. Addabbo, M. Alioto, A. Fort, S. Rocchi, and V. Vignoli, “Long period pseudo random bit generators derived from a discretized chaotic map,” in IEEE International Symposium on Circuits and Systems (ISCAS), vol. 2, Kobe, Japan, May 2005, pp. 892–895.

[62] A. Rukhin, J. Soto, J. Nechvatal, M. Smid, E. Barker, S. Leigh, M. Levenson, D. B. M. Vangel, A. Heckert, J. Dray, and S. Vo, A statistical test suite for random and pseudorandom number generators for cryptographic applications, NIST Special Publication 800-22 Std., Aug. 2008.

[63] F. Zhou, C. Chen, D. Jin, C. Huang, and H. Ming, “Evaluating and optimizing power consumption of anti-collision protocols for application in RFID systems,” in AUTO-ID Labs, white paper, 2008.

[64] Information Technology-Radio Frequency Identification for Item Management-Part 3: Parameters for Air Interface Communications at 13.56 MHz, ISO/IEC Std. 18000-3:2004, 2004.
