Coupon Recalculation for the GPS Authentication Scheme

Transcription

1 Coupon Recalculation for the GPS Authentication Scheme Georg Hofferek and Johannes Wolkerstorfer Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, 8010 Graz, Austria This research was supported by the European Union through project BRIDGE (IST-FP ). 1

2 Outline Motivation Introduction Short Introduction to the GPS Authentication Scheme Background & Properties Protocol & Typical Values Classic Coupon Approach Reported Architectures and Implementations Idea of Coupon Recalculation Coupon Recalculation Full-Precision Architecture Digit-Serial Architecture Summary & Outlook 2

3 Motivation Introduction (Public-Key) Authentication for Resource-Restricted Devices (e.g. RFID-Tags) Tag Proves Identity to Reader Many Application Scenarios: Public Transportation Tickets Product Genuineness... From now on: Prover = Tag (or Other Limited Device) Verifier = Reader (or Other Computationally Powerful Device) 3

4 GPS Background Proposed by Marc Girault, Guillaume Poupard, and Jacques Stern [2,3,4] Standardized in ISO/IEC 9798 Part 5 (2004) [1] Zero-Knowledge Protocol Unilateral Authentication (Tag Authenticates to Reader) Based on the Discrete Logarithm Problem (in Groups of Unknown Order) e.g.: mod n = p * q (RSA-like Modulus) Further Specialties: ECC Variant Low-Hamming-Weight Variant Optional Hash Function, Weaker" Hash Functions Coupon-Approach 4

5 The GPS Authentication Scheme Typical Values p, q: 512 bits Modulus n: 1024 bits σ = 160 Secret Key s: 160 bits δ = 20 Challenge c: 20 bits ρ = σ + δ + 80 = 260 Random Value r: 260 bits (cf. [1]) 5

6 Coupon Approach Commitments do not depend on any input from the verifier! Calculate Commitments x = hash(g r mod n) in Advance (e.g. off-tag, at Production Time) Store Coupons (r i, x i ) in NVRAM At Authentication: Select Coupon (r i, x i ) Send x i to Verifier Use r i to Calculate y = r i + s*c (cf. [8]) 6

7 Coupon Approach No Complex (Number Theoretic) Operations on the Tag Implementations by McLoone and Robshaw [5,6]: Low-Hamming-Weight Variant 431 GE (excl. NVRAM for coupons) 136 cycles per Authentication FPGA Prototype by Girault et al. [7]: ECC Variant 2600 GE Including 10 Coupons (Plus 3400 for Supporting Module) 200 ms per Authentication BUT: Denial-of-Service Attack 7

8 Coupon Recalculation Approach Recompute Coupons on the Tag (During Idle Time) Find Slow, but Area- and Power-Efficient Implementations for Commitment Calculation x = g r mod n Reuse Hardware Resources for Response Calculation y = r + s*c Full-Precision Approach & Digit-Serial Approach 8

9 Full-Precision Architecture Needs at least 5 full-precision registers 2 Operands, 1 Result, 1 Modulus, 1 Intermediate (Square&Multiply) ~ GE (for 1024 bits modulus) ~ 5 Million Cycles per Commitment Calculation At least 1024 flip-flops clocked every cycle ( power consumption!) Total High-Level Estimate: ~ GE 9

10 Digit-Serial Approach Less Gates (Area) for Arithmetic Components Less Flip-Flops Clocked per Cycle (Power Consumption) Can Use Standardized RAM Hardmacro (less Area) More Clock Cycles Needed 10

11 Digit-Serial Architecture Synthesis Results Digit Size: 8 bits Needs RAM for 560 digits, ~66.6 million clock cycles per coupon ~800 GE Digit Size d parameterizeable! (~8-64 bits) 11

12 Power Simulation of Arithmetic Unit (d = 8 bits) AMS c35b4 CMOS technology Area after Place & Route: µm² Power Consumption: (simulated with Synopsys 2.5V, 100 khz: 2.5 µa V, 125 MHz: 3.2 ma mw (~ 2 coupons per second) 12

13 Smallest Architecture: Summary & Outlook ~800 GE, plus 560 Bytes RAM 66.6 Million Cycles per Commitment Calculation up to 290 MHz (~ 4 coupons per second) possible in UMC V, 100 khz (AMS c35b4 CMOS technology) Analyse Application Scenarios (Trade-Offs) Think about Storing "Checkpoints in NVRAM Use Elliptic Curve Cryptography On-Tag Public-Key Cryptography not completely out of the question any more. 13

14 References [1] ISO/IEC. International Standard ISO/IEC 9798 Part 5: Mechanisms using zeroknowledge techniques. December, 2004 [2] Marc Girault. An identiy-based identification scheme based on discrete logarithms modulo a composite number.in I. B. Daamgard, editor, Advances in Cryptology Eurocrypt 90, number 473 in Lecture Notes in Computer Science, pages Springer,1991. [3] Marc Girault. Self-certified public keys. In D. Davies, editor, Advances in Cryptology Eurocrypt 91, number 547 in Lecture Notes in Computer Science, pages Springer, April [4] Guillaume Poupard and Jacques Stern. Security analysis of a practical on the fly authentication and signature generation. In Advances in Cryptology EUROCRYPT 98, volume 1403 of Lecture Notes in Computer Science, page 422. Springer, ISBN [5] M. McLoone and M. J. B. Robshaw. New architectures for low-cost public key cryptography on RFID tags. In IEEE International Symposium on Circuits and Systems, ISCAS 2007, pages , May [6] M. McLoone and M. J. B. Robshaw. Public key cryptography and RFID tags. In Topics in Cryptology CT- RSA 2007, volume 4377 of Lecture Notes in Computer Science. Springer, ISBN [7] Marc Girault, L. Juniot, and M. J. B. Robshaw. The feasibility of on-the-tag public key cryptography. In Proceedings of the International Conference on RFID Security 2007, [8] Girault, M.: Low-size coupons for low-cost ic cards. In Smart Card Research and Advanced Applications. In: Proceedings of the Fourth Working Conference on Smart Card Research and Advanced Applications, CARDIS 2000, Bristol, UK, September 20-22, 2000, vol. 180, pp Kluwer, Dordrecht (2000) 14

15 Thank You for Your Attention! Georg Hofferek, Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, 8010 Graz, Austria Phone: