
VLSI

Institute for Applied Information Processing and Communications (IAIK) VLSI & Security

A Case Against Currently Used Hash Functions in RFID Protocols


Workshop on RFID Security 2006 RFIDSec06 July 13-14, 2006, Graz, Austria
Martin Feldhofer and Christian Rechberger
IAIK Graz University of Technology Martin.Feldhofer@iaik.tugraz.at www.iaik.tugraz.at

TU Graz/Computer Science/IAIK/VLSI/Feldhofer

Presentation outline
Cryptographic primitives in RFID systems
Hardware implementation of low-power SHA-256
Synthesis and power simulation results
Conclusions


Motivation
High-end security in RFID systems
  standardized algorithms
Hash functions are conceptually easy
  mainly used by RFID protocol designers

Implementation costs?
Comparison of popular hash functions with AES block cipher in context of RFID tags


Building blocks for RFID security


Authentication and/or anonymity is required
Commonly used cryptographic primitives
  Hash functions
  Block ciphers
  Universal hash functions
  PRNGs
  Public key algorithms
  Some lightweight solutions (HB, )

We focus on standardized cryptographic primitives
  MD4-family (SHA-256, SHA-1, MD5, MD4)
  AES-128


Survey on existing RFID security protocols


Proposal    Primitive     Authentication  Privacy
Molnar      PRF           No              Yes
Avoine      Hash          No              Yes
Choi        Hash          Yes             Yes
Henrici     Hash          Yes             Yes
Ohkubo      Hash          No              Yes
Dimitriou   Hash + PRNG   Yes             Yes
Lee         Hash + PRNG   Yes             Yes
Rhee        Hash + PRNG   Yes             Yes
Weis        Hash + PRNG   Yes             Yes
Feldhofer   AES + PRNG    Yes             Yes


Design issues for RFID hardware


Not relevant for RFID tags
  Energy consumption per operation
  Power consumption per operation

Relevant for RFID tags
  Power consumption per cycle
  Mean current consumption must not exceed available energy in capacitor

[Figure labels: RF field, ISupply, Vdd, VddMIN, IIC]


Implementation targets
Target
Class of tags                       Passive class 2 (HF 13.56 MHz)
Mean power consumption              < 15 µA @ 1.5V
Hardware resources                  < 1,000 - 10,000 GEs
Data rate of protocol               26 kbps
Clock frequency of crypto module    ~100 kHz
Number of clock cycles (latency)    ~50 for immediate answer (0.5ms); use interleaved protocol instead
Available modules                   No microcontroller or external memory available
Technology                          Standard cells (no dedicated RAM)
Costs                               ~5-50 Cent per tag


Outline of SHA-256
[Block diagram: Message m (16 words), message expansion, expanded message w (64 words); IVs, state update (64 steps), output o (8 words)]


Outline of SHA-256 Message expansion

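$$W_t = \begin{cases} M_t & \text{for } 0 \le t \le 15 \\ \sigma_1(W_{t-2}) + W_{t-7} + \sigma_0(W_{t-15}) + W_{t-16} & \text{for } 16 \le t \le 63 \end{cases}$$

$$\sigma_0(x) = \mathrm{ROTR}^{7}(x) \oplus \mathrm{ROTR}^{18}(x) \oplus \mathrm{SHR}^{3}(x)$$

$$\sigma_1(x) = \mathrm{ROTR}^{17}(x) \oplus \mathrm{ROTR}^{19}(x) \oplus \mathrm{SHR}^{10}(x)$$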
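
The recurrence above never reaches back further than W_{t-16}, so the expanded message can be produced from a 16-word window instead of storing all 64 words. The C code below is an added example, not part of the presentation: the function names, the constructed "abc" test block, and the 8 + 8 + 16 word accounting used to arrive at the deck's 1024-bit register figure are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rotr(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }
static uint32_t sigma0(uint32_t x) { return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3); }
static uint32_t sigma1(uint32_t x) { return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10); }

/* Constructed sample input: the single padded block for the message "abc". */
static const uint32_t ABC_BLOCK[16] = { 0x61626380u, 0, 0, 0, 0, 0, 0, 0,
                                        0, 0, 0, 0, 0, 0, 0, 0x00000018u };

/* Textbook schedule: all 64 words stored at once (64 * 32 = 2048 bits). */
void expand_full(const uint32_t m[16], uint32_t w[64]) {
    for (int t = 0; t < 16; t++) w[t] = m[t];
    for (int t = 16; t < 64; t++)
        w[t] = sigma1(w[t - 2]) + w[t - 7] + sigma0(w[t - 15]) + w[t - 16];
}

/* Rolling schedule: W_t overwrites W_{t-16} in a 16-word window (512 bits).
 * Must be called with t = 0, 1, 2, ... in order. */
uint32_t next_word(uint32_t win[16], int t) {
    if (t >= 16)
        win[t & 15] += sigma1(win[(t - 2) & 15]) + win[(t - 7) & 15]
                     + sigma0(win[(t - 15) & 15]);
    return win[t & 15];
}

/* Number of steps (0..63) where the rolling window disagrees with the full array. */
int schedule_mismatches(const uint32_t m[16]) {
    uint32_t w[64], win[16];
    int bad = 0;
    expand_full(m, w);
    memcpy(win, m, sizeof win);
    for (int t = 0; t < 64; t++)
        if (next_word(win, t) != w[t]) bad++;
    return bad;
}

/* Assumed accounting: 8 state + 8 chaining + msg_words message words, 32 bits each. */
int storage_bits(int msg_words) { return 32 * (8 + 8 + msg_words); }

int main(void) {
    printf("mismatches: %d\n", schedule_mismatches(ABC_BLOCK));
    printf("storage: %d bits rolling, %d bits full\n", storage_bits(16), storage_bits(64));
    return 0;
}
```
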


Outline of SHA-256 State update


[Block diagram: H(i) or IV (64 bits) gives A0 B0 C0 D0 E0 F0 G0 H0; step transformation gives A1 ... H1; step transformation, (61 identical steps), gives A62 ... H62; step transformation gives A63 ... H63; result H(i+1) (64 bits). Input to the steps: Message m (16x32-bit)]


Outline of SHA-256 Step transformation


Secure RFID tag architecture


Architecture of low-power SHA-256

Controller


Chip area [in gate equivalents]


Total chip area: 10,868 GEs

Component        GEs    Share
RAM              8292   76%
Sigma            643    6%
Constants        612    6%
others           407    4%
Register T1/T2   394    4%
Controller       364    3%
Adder            156    1%

1024 bits memory: 8292 GEs !!!


Power consumption [in µA @ 100 kHz; 3.3V]

Mean current consumption: 15.87 µA

Component        µA     Share
RAM              7.73   49%
Adder            2.74   17%
Register T1/T2   1.6    10%
others           1.54   10%
Controller       1.1    7%
Sigma            0.98   6%
Constants        0.18   1%


Comparison of chip area and power consumption


[Two pie charts side by side: area distribution and power consumption distribution, with the same values as on the two preceding slides]


Comparison of SHA-256, SHA-1, MD5, MD4 and AES
Chip area

[Bar chart: chip area in gate equivalents (GEs) of SHA-256, SHA-1, MD5, MD4 and AES; bar values not recoverable]


Comparison of SHA-256, SHA-1, MD4, MD5 and AES
Mean current consumption

[Bar chart: mean current consumption in µA @ 100 kHz of SHA-256, SHA-1, MD5, MD4 and AES; bar values not recoverable]

3.3V !!!


Implications of this work


Two dominating factors decide on the suitability of a symmetric primitive for RFID tags
  The required number of registers (state variables, chaining variables and message words)
    SHA-256 (1024 bits) vs. AES (256 bits)
  The underlying word size of the used primitive
    How many flip flops have to be clocked at the same time
    SHA-256 (32 bits) vs. AES (8 bits)

Input for future design of cryptographic primitives


Comparison with parallel work


Kaps et al. state that SHA-1 is more energy-efficient than AES
  Stated chip area: 4276 GEs
  This seems to contradict our conclusions

But:
  1. Low energy consumption is not a main concern in RFID tag design
  2. Necessary external memory for message expansion is not available on RFID tags (requires additional 3722 GEs)


Conclusions
We analyzed implementations of commonly used cryptographic primitives for RFID tags
Comparison of SHA-256 with AES-128 because of same level of security
  AES-128 requires less chip area
  AES-128 has less mean power consumption

Even older MD4-family hash functions (SHA-1, MD5, MD4) do not change conclusion