
Secure Implementation of RFID Mutual Authentication Protocol

Submitted in partial fulfillment of the requirements for the degree of


Master of Technology
in
VLSI Design

by
Aishwarya A Nair
17MVD0089

Under the guidance of


Prof. Sivasankaran K
Associate Professor (Senior)
Department of Micro and Nanoelectronics
School of Electronics Engineering,
VIT University, Vellore.

March 2019
Certificate

This is to certify that the thesis work entitled “Secure Implementation of Mutual Authentication Protocol” submitted by Aishwarya A Nair, School of Electronics Engineering, Vellore Institute of Technology, for the award of the degree of Master of Technology in VLSI Design, is a record of bonafide work carried out by him/her under my supervision, as per the VIT code of academic and research ethics.

The contents of this thesis have not been submitted and will not be submitted either in part or in full, for the award of any other degree or diploma in this institute or any other institute or university. The thesis fulfills the requirements and regulations of the institute and in my opinion meets the necessary standards for submission.

Signature of the External Guide Signature of the Internal Guide

Place : Vellore
Date : March 29, 2019

The thesis is satisfactory / unsatisfactory

Internal Examiner External Examiner

Approved by

Head of the Department


Department of Micro and Nano Electronics
School of Electronics Engineering
Declaration

I hereby declare that the thesis work entitled “Secure Implementation of Mutual Authentication RFID” submitted by me, for the award of the degree of Master of Technology in VLSI Design to Vellore Institute of Technology is a record of bonafide work carried out by me under the supervision of Dr K. Sivasankaran.

I further declare that the work reported in this thesis has not been submitted and
will not be submitted, either in part or in full, for the award of any other degree or
diploma in this institute or any other institute or university.

Place : Vellore Signature of the Candidate


Date : March 29, 2019
Acknowledgment

It is with great enthusiasm and a learning spirit that I bring out this project report. I also feel that it is the right opportunity to acknowledge the support and guidance that came in from various quarters during the course of the completion of my project. I am extremely grateful to Dr Arunachalam, HOD, SENSE Department, Vellore Institute of Technology, Vellore, for providing the necessary facilities. I express my gratitude to Dr K Sivashankaran, Associate Professor, Department of Microelectronics, Vellore Institute of Technology, for the valuable suggestions, advice, and encouragement throughout the project. I would like to express my sincere thanks to Mrs Priya Mam, Research Scholar, Department of Microelectronics, who helped me to successfully complete this project. I am indebted to all other lecturers for their wholehearted cooperation. I extend my special thanks to all my friends for their help and encouragement. Last but not least, I would like to thank God Almighty for giving me the confidence to do the project.

Place: Vellore Your Name (Reg No)


Abstract

The modern era needs secure communications and transactions. People also want technology that, instead of requiring data to be entered manually, automates the whole process and thus reduces both time and error. One of the most flexible automatic identification technologies is RFID (Radio Frequency Identification). Researchers have worked on its security and come up with Mutual Identification Protocols for UHF passive RFID tags. Here a lightweight mutual authentication protocol is implemented in ASIC based on the EPC Class 1 Generation 2 framework released by EPCglobal, which is the widely used industrial standard for passive UHF RFID communication. Here I incorporate a variable Fibonacci LFSR rather than a normal LFSR, which will provide more secure communication compared to the current design methodology, and the results are optimized in Synopsys DC Compiler.
Contents

Acknowledgment
Abstract
Contents
List of Figures
List of Tables
List of Abbreviations

1 Introduction
1.1 RFID System
1.2 EPC Class-1 Generation-2 RFID Standard
1.3 Thesis Outline

2 Literature Survey

3 Designing of RFID Tag
3.1 Gen2 Basics

4 Mutual Authentication Protocol

5 ARCHITECTURE AND DESIGN
5.1 PIE Decoder
5.2 Variable LFSR
5.3 ROM
5.4 CRC5 and CRC16
5.5 FM ENCODER
5.6 Modified Design
5.7 Frontend Simulation
5.8 PreLayout Static Timing Analysis
5.9 Backend Simulation
5.10 Proposed Implementation Results

Bibliography
Appendix
Publications
List of Figures

1.1 Basic RFID System
3.1 Basic RFID communication. A host server sends commands to tags through the reader. The tags then respond with the information stored in them
4.1 Reader to Tag
4.2 Reader to Tag
5.1 Architecture of Passive RFID Tag
5.2 Architecture of digital Baseband
5.3 State Diagram of PieDecoder
5.4 Schematic description of Powering the passive Tag
5.5 RTcal symbol. The symbol is transmitted at the beginning of each reader command and is used to calibrate the R->T data link
5.6 Architecture of LFSR
5.7 Block Diagram of crc5
5.8 Modified Circuit with Variable LFSR
5.9 Reader to Tag
5.10 Tag to Reader
5.11 Basic Rfid protocol Output
5.12 Basic Rfid protocol Output
5.13 Variable LFSR
5.14 Clock Management module
5.15 CRC 5 Output
5.16 FM Encoder Output
5.17 Gate Level Simulation
5.18 Histographical Representation of Timing Paths in Design
5.19 Violation Report
5.20 Floorplanning
5.21 Cell density in Placement
5.22 Clock Tree Synthesis
5.23 Routing
5.24 Modified Output
List of Tables

List of Abbreviations

RFID Radio Frequency Identification Technology
LFSR Linear feedback shift register
EPC Electronic Product Code
PIE Pulse Interval Encoding
C1G2 Class-1 Generation-2
CRC Cyclic redundancy check

Chapter 1

Introduction

In the modern era, companies want to get data into computers without entering it manually, so as to save time, reduce errors, increase efficiency and free up employees for other useful jobs. This idea led to the emergence of a broad new term, automatic identification, which helps machines identify objects, capture information and enter the data into the computer simultaneously. There are different types of automatic identification technologies such as barcodes, RFID, smart cards and biometric scans. Of these, radio frequency identification is the most widely used technology because of its capability to identify objects wirelessly without line of sight, to read information simultaneously from multiple objects at a fast rate, to allow tags to change their data and IDs dynamically, its versatility, the ability to hide tags physically inside objects to improve security, the ability to detect the distance of objects and, most importantly, its role in enabling the Internet of Things.

1.1 RFID System

An RFID system uses radio waves for automatic communication. It consists of two main blocks, the tag and the reader: the tag is embedded with a microchip and an antenna, while the reader is embedded with an antenna. The antenna receives and transmits the information while the microchip stores and processes the data. The basic RFID system is shown in Fig. 1.1.

Figure 1.1: Basic RFID System

The information encoded on the tag is read by sending a signal from the reader to the tag; the tag then responds by sending a signal back to the reader. The antennas embedded on the tag and the reader handle the communication between them. This response is afterwards sent from the reader to the computer or backend server for further processing. RFID (radio frequency identification) is an automatic recognition technology that uses wireless communication. Generally, a system or part that uses an IC tag to identify or control various items via wireless communication is called RFID. There are two types of RFID tags: active and passive. Active tags have an internal power source, but passive tags do not; they get their energy from the electromagnetic waves sent from the reader. Passive tags are primarily intended to function as a form of wireless barcode used for tracking, inventorying and even preventing the theft of costume. RFID operates in three frequency regions: Low Frequency (LF), High Frequency (HF) and Near Field Communication (NFC), and Ultra High Frequency (UHF). The UHF range is normally used for RFID security purposes. Here the protocol is fully implemented in the UHF range.

1.2 EPC Class-1 Generation-2 RFID Standard

EPCglobal is a GS1 initiative to innovate and develop industry-driven standards for the Electronic Product Code, to support the use of Radio Frequency Identification and to allow global visibility in today's fast-moving, information-rich trading networks. The EPCglobal Class-1 Generation-2 Radio Frequency Identity Protocol for Communications at 860 MHz-960 MHz defines the physical and logical requirements for a passive-backscatter, Interrogator-talks-first (ITF) radio frequency identification (RFID) system. This standard has been widely accepted as the primary standard for passively powered RFID tags since its inception by EPCglobal in 2004.

1.3 Thesis Outline

This thesis gives an overview of EPCglobal C1G2, the widely used standard for RFID communication, a block-by-block description of each block used in the digital end, and the main security issues of RFID communication. It also discusses a security enhancement. The following chapters give the Verilog code for each block.
Chapter 2

Literature Survey

To compensate for the security problems of the EPC C1G2 specification, researchers have proposed security methods such as the pad generation function, which is used to protect the tag's various passwords or crucial data during transfer. Yu-Jung Huang, Wei-Cheng Lin, and Hung-Lin Li published a journal paper on a similar pad generation concept, implemented on an FPGA board. They produce a cover-coding pad to mask the tag's access password before the data is transmitted. The information from tag to reader or reader to tag can then be accessed by a simple XOR operation. To cover-code the data, the reader requests a random number from the tag, performs a bitwise XOR of the data or password with this random number sent by the reader, and this is transmitted to the reader in cover-coded form. It is uncovered by the reader by a bitwise XOR with the received information. However, the problem with it is the increase in power dissipation due to the increase in hardware.

Lili Wei, Zhaotong Luo, Qiang Qu, Qing He and Jingwei published a fully fledged authentication protocol which makes wide use of public key cryptography and the crypto GPS method, but the problem is the lack of a security proof, and it also has limitations on the number of tags.

In 2010, a novel anonymous RFID authentication protocol was published by Jian Shen, Dongmin Choi, Sangman Moh and Ilyong Chung. They denote their protocol ARAP; it provides strong privacy and security by using the pseudonym concept to protect against synchronization, disclosure and attack. The protocol works without disclosing the real IDs of the participating tags. The RFID tags substitute pseudonyms for all real IDs, and the RFID tag pre-shares the pseudonym, the secret and other information with the backend. In 2015 Mahsa Fathi and Elham Tavakol claimed and proved that the ARAP protocol is badly vulnerable in its security and to desynchronization, and modified it into a new authentication protocol which uses a hash function and a PRNG (pseudo-random number generator), safeguarding against replay, desynchronization, impersonation and traceability issues.

Researchers have also come up with many lightweight authentication protocols, but their hardware was long neglected until Honorio Martin, Enrique San Millan, Pedro Peris-Lopez, and Juan E. Tapiador implemented two lightweight authentication protocols based upon a PRNG and came up with many ideas for the same. However, the idea of using a PRNG is very innovative and deterministic; therefore in 2015 Yu-Jung Huang, Wei-Cheng Lin, and Hung-Lin Li proposed a new lightweight authentication protocol based on a TRNG, which provides more security compared to previous works but with slightly higher power dissipation. In this thesis, I modify the design to provide more secure communication from tag to reader by incorporating a Fibonacci LFSR in the design.
Chapter 3

Designing of RFID Tag

Every block design is implemented in Verilog Hardware Description Language (HDL), with compilation and simulation done in ModelSim as well as the Synopsys EDA tools. As said, the main concern about RFID is the security of the communication. So the focus of our project is to write code that increases the security and decreases the power as well as the area of RFID communication. To achieve this target, our RTL coding must be proper, so here are some guidelines that a designer should implement:

1. Make your own design highly modularized, rather than integrated.

2. The way in which we write the code must be proper, such as reset, enable etc.

It is our practice to use the various coding guidelines, so that our code is proper and does not create problems during synthesis and backend. Another aspect is the timing analysis of our design. The design must be such that it does not create timing or other violations at the backend. Detailed PrimeTime analysis must be done after logic synthesis as well as after backend.

3.1 Gen2 Basics

As said, RFID has three parts:

• Reader

• Tag

• Backend

In this protocol, the reader modulates a signal in the UHF frequency range (860-960 MHz) in order to communicate and transfer data to the receiver. The tag uses this signal not only to receive data, but also to power itself. The reader also receives a continuous wave, and the tag modulates the reflection coefficient of its antenna in a process called backscatter.

Figure 3.1: Basic RFID communication. A host server sends commands to tags through the reader. The tags then respond with the information stored in them.

As said, the reader, which emits the EM signal, is also responsible for controlling the uplink (R-T) and the downlink (T-R) with the possible data rates. Uplink transmission occurs at a data rate between 50-215 kbps and downlink transmission at a data rate between 640 kbps. Tags also have some form of non-volatile memory such as flash, which holds the Electronic Product Code, denoted as EPCID throughout this work, which can be thought of as the ID of the tag, as well as other information.
Chapter 4

Mutual Authentication Protocol

Before going into the detailed description of the protocol, it is important to analyze the tag states and their working. The RFID tag implements 7 states, as shown in the figure.

Figure 4.1: Reader to Tag

The authentication phase is done in the secured state or otherwise in the open state. In this protocol, the values are always updating the secret value, so it is advised to implement this protocol in the secured state. The flow diagram of the implemented protocol is shown in the figure.

Figure 4.2: Reader to Tag

According to the protocol, every tag has a unique code. So before starting communication, the reader should acquire the unique ID from the tag with the authenticate command. In this protocol, communication between reader and tag is insecure, whereas we assume that between reader and tag it is secure. The following notation is used in the following sections:

• VLFSR Variable LFSR function

• UID Unique ID of RFID tag

• SIDj Secure ID in jth session

• Rr Random number generated by reader

• Rt1 Random number generated by tag

• Rt2 Random number generated by tag

• ‖ Bit series connection

• ⊕ XOR operation

• mj Secret value

Brief Description

• Phase 1: The reader generates a random number Rr, which is sent to the tag with an authentication command.

• Phase 2: After receiving the authenticate command, the tag generates two random numbers Rt1 and Rt2. The tag then uses the secret value mj and Rt1 to obtain βt, which is generated from the VLFSR:

βt = VLFSR(Rt1‖Rr, mj) (1)

• Phase 3: The tag then transmits βt, (Rt1‖Rt2)⊕SID to the reader.

• Phase 4: After receiving these, the reader transmits β, Rr, (Rt1‖Rt2), UID to the back-end server.

• Phase 5: This is the back-end server authentication phase. In this phase, the back-end server authenticates the tag and reader, and updates the secret value.

I. The back-end server performs the following steps, based on the received information of each tag.

1. Uses the UID that comes from the tag to find the matching SIDj in the database.

2. Extracts Rt1 and Rt2 from (Rt2‖Rt1)⊕SIDj, with SIDj.

3. Finds the secret value mj from the Mj table based on SIDj.

4. Generates βb using the extracted Rt1, Rr and mj: βb = VLFSR(Rt1‖Rr, mj).

II. If βb = βt, the secret value will be updated. At the same time, in order to prevent a de-synchronization attack, the back-end server performs the following steps:

1. Updates the secret values mj and SIDj. The new secret value mj+1 is generated by the XOR operation with random numbers: mj+1 = (Rt2‖Rt1) ⊕ mj, SIDj+1 = VLFSR(Rt1‖Rt2, mj).

2. Generates the value VLFSR(Rt2‖Rr, SIDj); the tag will authenticate the reader with this value.

III. If βb ≠ βt, the back-end server finds the secret value mj−1 and SIDj−1 from the Mj−1 table instead of mj and SIDj, and calculates βb = VLFSR(Rt1‖Rr, mj−1) according to step I. This is to prevent a synchronization problem that has occurred in the previous authentication.

• Phase 6: The back-end server transmits the value of VLFSR(Rt2‖Rr, SIDj) to the reader.

• Phase 7: The reader transmits the value of VLFSR(Rt2‖Rr, SIDj) to the tag.

• Phase 8: The tag authenticates the reader and back-end server via VLFSR(Rt2‖Rr, SIDj). The tag updates the new secret value mj+1 = (Rt2‖Rt1) ⊕ mj and SIDj+1 = VLFSR(Rt1‖Rt2, mj) after back-end server authentication. The protocol is finished after updating the secret value.
Chapter 5

ARCHITECTURE AND DESIGN

The RFID module of the tag consists of both an analog frontend and a digital backend. The frontend regulates the incoming RF signal to generate VDD for the digital control, generates the clock signal, and demodulates the incoming data. The frontend also contains the backscatter antenna, which modulates for communication between tag and reader. The block diagram of the passive tag is shown in the figure, which has an analog frontend and a digital backend. The frontend is also responsible for transmitting data back and forth to the reader, and provides control data such as reset, and also the true random number generator, to the digital block. We concentrate on the digital backend, where the protocol is implemented.

Figure 5.1: Architecture of Passive RFID Tag

It has a ROM interfaced to store the secret values, Secure IDs and other secret data. The implementation of the digital baseband is fully based upon the EPC C1G2 standard. In the following sections we present the operation of each block used in the architecture.

Figure 5.2: Architecture of digital Baseband

5.1 PIE Decoder

Pulse interval encoding (PIE) is a special encoding scheme used for reader-to-tag transmissions. To simplify the decoder, amplitude modulation (AM) is used.

Figure 5.3: State Diagram of PieDecoder

Since the tag also harvests power from this signal, whenever the amplitude of the incoming RF signal is low, the tag does not receive power. Therefore, an encoding method is used in which the incoming RF signal is high for the majority of the time. In this figure, we can see the low pulse in both the 0 and 1 symbols.

Figure 5.4: Schematic description of Powering the passive Tag.

Decoding of data starts when the incoming data is high. The figure shows the R->T calibration symbol (RTcal), which is sent at the start of every reader command. We sample RTcal and divide this number by two; the result is the pivot. For the duration of the current command we interpret any symbol shorter (fewer samples) than the pivot as a zero and any symbol longer as a one. A detailed description of the PIE decoder state machine is given in the figure.

Figure 5.5: RTcal symbol. The symbol is transmitted at the beginning of each reader command and is used to calibrate the R->T data link.

A brief description of the different states in the PIE decoder follows:

Ready

• Reset all counters

• Reset TRCAL and RTCAL

• Reset all flags

• Reset OPCODE and data

Delimiter

• If Data_in = 0, the counter is incremented

• Delimiter has to be 12us 5

Initial data 0

• Delimiter is always followed by data0

• Counter is reset

Initial PW

• Delimiter is always followed by data0

• Counter is reset

Sample RTCAL

• If Data_in = 1, the counter is incremented

• If Data_in = 0, RTCAL is stored and the pivot is calculated

Initial PW2

• OPCODE counter is reset

• We begin to sample TRCAL

Decide TRCAL

• We get the TRCAL and compare it with the pivot to know which symbol has been received

• OPCODE counter is incremented

OPCODE PW

• The opcode counter and opcode are compared, and if there is a match the opcode ready flag is raised and we prepare to receive the message (R1).

Decide Opcode

• If Data_in = 1, the counter is incremented.

• If Data_in = 0, we compare the counter with the pivot to decode the symbol received.

Data Decode

• If Data_in = 1, the counter is incremented.

• If Data_in = 0, we compare the counter with the pivot to decode the symbol received.

Data PW

• The data ready flag is raised after we receive all the symbols and also if the opcode ready flag is raised.

Wait

• The state holds the values for a long time while simultaneously implementing the protocol operations.
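
The pivot rule and the state sequence above, as an added Python model that is not the thesis's Verilog decoder. The sample counts (TARI, PW, DELIM, a TRcal of 100 samples) and the payload are constructed; as in the state list, only the high part of each symbol is counted and the decision is taken on the falling edge.

```python
from itertools import groupby

# Constructed timing in tag-clock samples (not taken from the thesis).
TARI, PW, DELIM = 12, 6, 12


def _symbol(total, jitter=0):
    """One PIE symbol: a high interval, then a low pulse of PW samples."""
    return [1] * (total - PW + jitter) + [0] * PW


def pie_frame(bits, rtcal=3 * TARI, trcal=100, delim=DELIM, jitter=0):
    """Constructed reader waveform: idle, delimiter, data-0, RTcal, TRcal,
    then the payload bits (a data-1 is 2*TARI samples long)."""
    wave = [1] * 20 + [0] * delim
    wave += _symbol(TARI) + _symbol(rtcal) + _symbol(trcal)
    for b in bits:
        wave += _symbol(2 * TARI if b else TARI, jitter)
    return wave + [1] * 20


def pie_decode(wave, delim_tol=2):
    """Decode a sampled Data_in stream with pivot = RTcal / 2."""
    runs = [(level, len(list(g))) for level, g in groupby(wave)]
    # Delimiter state: the first low run must have the delimiter length.
    first_low = next((i for i, (lvl, _) in enumerate(runs) if lvl == 0), None)
    if first_low is None:
        raise ValueError("no delimiter found")
    if abs(runs[first_low][1] - DELIM) > delim_tol:
        raise ValueError("delimiter length out of tolerance")
    # A symbol is decided on its falling edge, so only high runs followed
    # by a low run count; the trailing idle level is ignored.
    highs = [n for lvl, n in runs[first_low + 1:-1] if lvl == 1]
    if len(highs) < 3:
        raise ValueError("frame ends inside the preamble")
    data0, rtcal, trcal = highs[:3]
    pivot = rtcal / 2
    if data0 >= pivot:
        raise ValueError("initial data-0 is not shorter than the pivot")
    bits = [1 if n > pivot else 0 for n in highs[3:]]
    return {"rtcal": rtcal, "trcal": trcal, "pivot": pivot, "bits": bits}


def to_bits(value, width):
    """MSB-first bit list of an integer."""
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def bad_delimiter_rejected():
    """A delimiter far from the expected length must not start a frame."""
    try:
        pie_decode(pie_frame([1, 0], delim=30))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload: opcode d5 followed by the 16-bit Rr = 17B6h.
    payload = to_bits(0xD5, 8) + to_bits(0x17B6, 16)
    print(pie_decode(pie_frame(payload)))
```

With these constructed timings a data-0 has 6 high samples and a data-1 has 18 against a pivot of 15, so a few samples of jitter are tolerated while a stretch of 10 samples turns every symbol into a one.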

5.2 Variable LFSR

The LFSR (linear feedback shift register) is the base element of the protocol. A simple LFSR is a shift register whose input is driven by an XOR operation, i.e. it is a linear function of its previous state, which makes it deterministic.

Figure 5.6: Architecture of LFSR

The implemented LFSR structure has two sets of registers: one is a normal shift register and the other is a coefficient register. They are initialized with Rt1‖Rt2 and Sa respectively after the decoder reads all the data inputs. The coefficient register determines the input values according to the value of mb stored in ROM; the shift register then shifts the values for up to mb cycles so that we get βt, and this βt is sent back to the reader.

5.3 ROM

A simple ROM is implemented to store the secret value mj = Sa‖mb, the Secure ID (SID) and the tag random numbers (Rt1, Rt2). Sa is used to initialize the coefficient register in the LFSR, while mb is used to rotate this value. Rr, Rt1 and SID are encoded back after an XOR operation. Rr is also used to initialize the Sr.
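
The phases of Chapter 4 together with the register structure of Sections 5.2 and 5.3, as an added behavioural model in Python; it is not the thesis's Verilog and does not claim to reproduce the β value reported in its simulation. Assumptions: the VLFSR is modelled as a 32-bit left-shifting register whose feedback is the XOR of the bits selected by the coefficient register, the update XOR is applied to the Sa half of mj, the reader proof uses SIDj as coefficients with mb cycles, and the UID and the nonces after the first session are constructed.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def cat16(hi, lo):
    """Bit-series connection hi‖lo of two 16-bit words."""
    return ((hi & 0xFFFF) << 16) | (lo & 0xFFFF)


def vlfsr(seed, coeff, cycles):
    """ASSUMED VLFSR model: shift register loaded with `seed`, coefficient
    register `coeff` selects the feedback taps, clocked `cycles` (mb) times."""
    state = seed & MASK32
    for _ in range(cycles):
        feedback = bin(state & coeff).count("1") & 1   # XOR of tapped bits
        state = ((state << 1) | feedback) & MASK32
    return state


@dataclass(frozen=True)
class Key:
    sid: int   # SIDj
    sa: int    # coefficient half of mj = Sa‖mb
    mb: int    # shift-count half of mj


def next_key(k, rt1, rt2):
    """mj+1 = (Rt2‖Rt1) ⊕ mj and SIDj+1 = VLFSR(Rt1‖Rt2, mj).
    ASSUMPTION: the XOR is applied to Sa and mb is left unchanged."""
    return Key(sid=vlfsr(cat16(rt1, rt2), k.sa, k.mb),
               sa=k.sa ^ cat16(rt2, rt1), mb=k.mb)


class Tag:
    def __init__(self, uid, key):
        self.uid, self.key, self._session = uid, key, None

    def respond(self, rr, rt1, rt2):
        """Phases 2-3: return (βt, (Rt1‖Rt2) ⊕ SIDj)."""
        self._session = (rr, rt1, rt2)
        beta_t = vlfsr(cat16(rt1, rr), self.key.sa, self.key.mb)
        return beta_t, cat16(rt1, rt2) ^ self.key.sid

    def confirm(self, proof):
        """Phase 8: check VLFSR(Rt2‖Rr, SIDj), then update mj and SIDj."""
        rr, rt1, rt2 = self._session
        if proof != vlfsr(cat16(rt2, rr), self.key.sid, self.key.mb):
            return False
        self.key = next_key(self.key, rt1, rt2)
        return True


class Backend:
    def __init__(self):
        self.db = {}   # uid -> (previous Key or None, current Key)

    def enroll(self, uid, key):
        self.db[uid] = (None, key)

    def authenticate(self, uid, rr, beta_t, masked):
        """Phase 5: try the current secrets (step I), then the previous
        ones (step III). Returns the reader proof, or None on failure."""
        previous, current = self.db[uid]
        for k in (current, previous):
            if k is None:
                continue
            r = masked ^ k.sid                 # recover Rt1‖Rt2 with SID
            rt1, rt2 = r >> 16, r & 0xFFFF
            if vlfsr(cat16(rt1, rr), k.sa, k.mb) == beta_t:
                self.db[uid] = (k, next_key(k, rt1, rt2))
                return vlfsr(cat16(rt2, rr), k.sid, k.mb)
        return None


def run_session(tag, backend, rr, rt1, rt2, deliver_proof=True):
    """Phases 1-8; deliver_proof=False models a lost phase 7 message."""
    beta_t, masked = tag.respond(rr, rt1, rt2)
    proof = backend.authenticate(tag.uid, rr, beta_t, masked)
    if proof is None or not deliver_proof:
        return False
    return tag.confirm(proof)


def demo():
    # First-session values are those listed in the thesis's simulation.
    k0 = Key(sid=0xFC2C6700, sa=0xABCD5432, mb=0x14)
    tag, backend = Tag(0x0001, k0), Backend()
    backend.enroll(0x0001, k0)
    ok1 = run_session(tag, backend, 0x17B6, 0xAA10, 0xFF35)
    lost = run_session(tag, backend, 0x0A51, 0x1D2C, 0x93E7, deliver_proof=False)
    out_of_sync = tag.key != backend.db[0x0001][1]
    ok3 = run_session(tag, backend, 0x4C09, 0x7700, 0x02FE)   # step III path
    return ok1, lost, out_of_sync, ok3, tag.key == backend.db[0x0001][1]


if __name__ == "__main__":
    print(demo())
```

The second session leaves the tag one update behind the back-end, and the third succeeds only because the back-end retries with the previous secret and SID, which is the purpose of step III.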

5.4 CRC5 and CRC16

Valid communication between the reader and tag is ensured by CRC16 and CRC5. This is done as per the EPC Gen2 standard as a safeguard against bit errors. The CRC5 and CRC16 circuits are a form of LFSR consisting of 5 and 16 registers respectively. The modules start by preloading the registers with 01001 (CRC5) or FFFFh (CRC16). Then the data bits are encoded back. The register now holds the crc5 output. Here CRC5 is used to validate the AUTHENTICATE command, while CRC16 is used to compute the crc16 value which has to be sent to the reader. The structures of CRC5 and CRC16 are shown in the figures. CRC5 can be used both for generating a 5-bit value and for checking bit errors.

Figure 5.7: Block Diagram of crc5

The CRC5 value is generated by the following steps.

• Initialize the 5 registers with the value 01001.

• The data inputs (Data_in) are clocked in starting from the MSB.

• The CRC value is generated after that.

For checking bit errors the following steps are performed.

• Initialize the 5 registers with the value 01001.

• The data followed by the transmitted CRC5 value is clocked into the input (Data_in) starting from the MSB.

• If we get 00000 as the CRC5 value, then there is no bit error.
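
The CRC5 generate and check steps above as a bit-serial register model, added here as an example and not taken from the thesis's Verilog. The generator polynomial x^5 + x^3 + 1 is the EPC Gen2 CRC-5 polynomial and is an addition, since the text gives only the preset and the residue; the 17-bit message is constructed.

```python
CRC5_POLY = 0b01001      # x^5 + x^3 + 1 with the x^5 term implicit (Gen2 CRC-5)
CRC5_PRESET = 0b01001    # preload value given in the text


def crc5_clock(reg, bit):
    """One clock of the 5-register LFSR with Data_in = bit."""
    feedback = ((reg >> 4) & 1) ^ bit
    reg = (reg << 1) & 0x1F
    return reg ^ CRC5_POLY if feedback else reg


def crc5(bits):
    """Preload 01001, then clock the bits in MSB first."""
    reg = CRC5_PRESET
    for bit in bits:
        reg = crc5_clock(reg, bit)
    return reg


def append_crc5(bits):
    """Generation: data followed by its five CRC bits, MSB first."""
    c = crc5(bits)
    return list(bits) + [(c >> i) & 1 for i in range(4, -1, -1)]


def crc5_ok(frame):
    """Checking: data plus CRC5 clocked through must leave 00000."""
    return crc5(frame) == 0b00000


def undetected_bursts(frame, max_len=5):
    """Count error bursts of up to max_len bits that still pass the check."""
    missed = 0
    for length in range(1, max_len + 1):
        for start in range(len(frame) - length + 1):
            for pattern in range(1 << length):
                # A burst of this length flips its first and last bit.
                if not (pattern & 1 and (pattern >> (length - 1)) & 1):
                    continue
                corrupted = list(frame)
                for i in range(length):
                    corrupted[start + i] ^= (pattern >> i) & 1
                missed += crc5_ok(corrupted)
    return missed


def xor_generator(frame, offset):
    """Flip the six bits 101001 (the generator itself) starting at offset."""
    out = list(frame)
    for i, g in enumerate([1, 0, 1, 0, 0, 1]):
        out[offset + i] ^= g
    return out


# Constructed 17-bit message used for the demonstration.
SAMPLE = [1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0]

if __name__ == "__main__":
    frame = append_crc5(SAMPLE)
    print(crc5_ok(frame), undetected_bursts(frame),
          crc5_ok(xor_generator(frame, 3)))
```

Every burst of up to five bits is caught, but a change that is a multiple of the generator still leaves 00000, so the CRC is only the safeguard against bit errors that the text describes; authenticity of a message has to come from the β value of the protocol.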

Similarly, the CRC16 structure shown in the figure can be used both for generating a 16-bit value and for checking bit errors. The CRC16 value is generated by the following steps.

• The registers are initialized with the value FFFF.

• The data is clocked through the input (Data_in) starting from the MSB.

• After clocking all the data we get the CRC16 value.

For checking bit errors the following steps are performed.

• First initialize the 16 registers with the value FFFF.

• The data along with the 16-bit CRC16 value is clocked into the input (Data_in) starting from the MSB.

• After clocking all the values, if we get FFFF as the CRC16 value then there is no bit error.

5.5 FM ENCODER

The FM0 encoder is specified by the EPC Gen2 standard to backscatter the data back to the reader at a frequency that is decided by the TRCAL value sent from the reader. The TRCAL value is set by the clock management module, which sets the required backscatter frequency and provides it as the input clock to the FM0 encoder. The backscatter link frequency ranges between 40-640 kHz, and the output clock to the encoder is determined by the formula clk encoder = TRCALDR where DR is the data rate, which can have the value 64/3 or 8. In this thesis we encode the data at 640 kHz.

5.6 Modified Design

As said, the most important aspect of RFID is the need for secure communication between reader and tag. So here, instead of the normal variable LFSR, I incorporated Fibonacci logic in the LFSR, and named it the Variable Fibonacci LFSR. The newly proposed diagram is shown below:

Figure 5.8: Modified Circuit with Variable LFSR

Here we can see that I used variable Fibonacci logic in the LFSR. The LFSR is needed to generate the random number which is used to generate βt = VLFSR(Rt1‖Rr, mj). As said, Rt1 and Rr are extracted at the server to check whether the received values are correct. In the current design, the shift register simply shifts the data arriving serially at the shift register input, so retrieving this number is an easy task. In the modified design, we use a Fibonacci LFSR, so that every data shift depends on the previous two values. So we can surely claim that the data will be more difficult for any attacker to retrieve from the communication between tag and reader.
SIMULATION RESULTS

The entire protocol is implemented in the secured state. The messages from reader to tag as well as from tag to reader follow a frame: the Authenticate command is sent from reader to tag, and the reply is sent the other way. The structure of the two frames is shown. The Authenticate frame is 80 bits long, which includes the PIE frame, the 8-bit authenticate command followed by crc16, handle etc. As we can see, the Authenticate command begins with a PIE frame. The PIE frame is used to know when to start the transmission, and it is followed by the opcode for the Authenticate command, d5. We also give the length of the message, which is 16, as we send the random number R1 as the message. We also send a handle and crc16 as an error safeguard.

Figure 5.9: Reader to Tag

Figure 5.10: Tag to Reader

The reply command from tag to reader is 107 bits long, and starts with the FM0 preamble, header, values from the LFSR etc. As said, the reply command to be encoded starts with the FM0 preamble so as to determine the start of the message, followed by a 7-bit Barker code, a 1-bit done indicator, which states that the encoding is finished, and a header to state that the process is a success, followed by the message signal Rr and Rt1‖Rt2⊕SID. The reply command ends with the 16-bit handle and 16-bit crc16. Moreover, as per the EPC Gen2 standard we need to use either the FM0 encoder or the Miller encoder, so we chose to have one encoder (FM0), and the encoding scheme used was gray encoding, which reduced the power. The clock managing module in the previous work led to an increase in area. Therefore we optimized this block to provide a separate clock only to the encoder, and thus get a reduced area. Table II shows a comparison of our work and the previous work.

5.7 Frontend Simulation

The protocol was simulated and synthesized with the SCL PDK 180nm in Synopsys DC Compiler, and its physical synthesis was done in Synopsys IC Compiler. The simulation result is shown in the figure.

Figure 5.11: Basic Rfid protocol Output

Similarly, we can verify these outputs in the monitor window. Here is the monitor window output for the main program as well as the various other blocks used in the design. The first figure gives the outputs of the main module, followed by every block in the design.

• Main Module

Figure 5.12: Basic Rfid protocol Output


• Variable LFSR Here is the monitor output of VLFSR.By carefully examining
that,we are able to see that,values will be obtained when count and value of Sb
equals.

Figure 5.13: Variable LFSR

• Clock Management Module As said clock management module is responsi-

Figure 5.14: Clock Management module

ble for the setting up of required backscatter frequency.This frequency is set by


TRCal from tag.
24

• CRC5

Figure 5.15: CRC 5 Output

• FM ENCODER The entire simulation is done in TSMC 180 nm, and the values
obtained from the GUI window are shown below:

– Rr = 17B6h

– Rt1 = AA10h

– Rt2 = FF35h

– Sa = ABCD5432h

– Sb = 14h

– Sid = FC2C6700h

– TRCal = 64h

Figure 5.16: FM Encoder Output

For the LFSR function we use R1‖R2 = 17B6AA10h to initialize the shift register and Sa
(ABCD5432) to initialize the coefficient register, and it shifts Sb (14) cycles to get
βb as 7EEDEF62. As in the protocol, we transmit βb, R2‖R3 ⊕ SID to the
reader through the reply command. As mentioned in the thesis, we use the frequency
that is set by the TRCal value, so here we are using 640 kHz for
backscattering. The reply command obtained is shown in the graph with a red mark.
We then carried out the logical and physical synthesis using TSMC 180nm
Synopsys DC Compiler and IC Compiler to come up with the results shown in the
table given below. Area and performance are better compared to previous works
done in this area. This is because we have used the decoder and control as a single
block instead of 2 separate blocks as in the previous work. Moreover, as per
EPC Gen2 standards we need to use either an FM0 encoder or a Miller encoder, so we
chose to have 1 encoder (FM0). The clock managing module in the previous work
led to an increase in area. Therefore we optimized this block to provide a separate
clock only to the encoder, and thus we get a reduced area. The table given below shows
the results obtained:

Logical Synthesis Result of Basic RFID

Parameter              Without Optimization    With Optimization
Operating Voltage      1.8V                    1.8V
Total Dynamic Power    90.577 u                1.05 uW
Total Power            607.1599 uW             206.1599
Total Area             28455.820737            18543.567
Slack                  5.4ns                   5.4ns

• Gate Level Simulation Logical simulation is part of every design, so as to
verify our design in various aspects. Logical simulation can be done at various
abstraction levels such as transistor level, RTL level or gate level. Out of these, gate
level simulation can be done after the basic synthesis to verify our generated
netlist and design. Gate level simulation is done to verify that our generated
netlist and our design match properly, so that it will give the proper output
for our design. Some of the reasons for doing gate level simulation are listed here:

– It helps to verify the power-up and reset operation of our design.

– It helps to catch any multicycle paths in our design.

– It helps to catch any glitches that are caused by any combinational path in the
design.

– To collect all switching activity for power calculation.

– To validate the constraints used in STA.

Here is the output for gate level simulation. It will not check the functionality. It
will check for equivalence only.

Figure 5.17: Gate Level Simulation

5.8 PreLayout Static Timing Analysis

PrimeTime (PT) is a sign-off quality static timing analysis tool from Synopsys. Static
timing analysis or STA is without a doubt the most important step in the design flow.
It determines whether the design works at the required speed. PT analyzes the timing
delays in the design and flags violations that must be corrected. In the pre-layout
phase, the clock tree information is absent from the netlist. Therefore, it is necessary
to estimate the post-route clock-tree delays upfront, during the pre-layout phase, in
order to perform adequate STA. The various timing paths are shown in the table below,
which is obtained from the Synopsys PrimeTime tool. Here we can see that there is no
setup or hold violation.

Figure 5.18: Histographical Representation of Timing Paths in Design

Figure 5.19: Violation Report

5.9 Backend Simulation

As we can see in the frontend, we get an optimized netlist; the next step is physical
implementation. The physical design stage of an ASIC is usually called the place and route
stage. This is based upon the idea of physically placing the circuits, which form logic
gates and represent a particular design, in such a way that the circuits can be
fabricated. The physical design implementation of an ASIC consists of:

1. Floorplanning

2. Placement

3. Clock Tree Synthesis

4. Routing

A detailed description of every stage is given below:

• FloorPlanning At the floorplanning stage, we have the netlist, then the constraints,
library files and the various interconnects between them. We can say that floorplanning is
the physical description of the ASIC. So by doing floorplanning, we can map the
logical description into a physical description. During floorplanning, we are mainly
doing:

– The size of the chip is estimated.

– Blocks are arranged perfectly on a chip.

– Pin assignments are done.

– I/O and power, ground planning are done.

– Clock tree needed.

Here is the obtained floorplan diagram for the design.

• PLACEMENT Placement is the physical implementation process where the standard cells
are placed at the locations defined for them, at a particular position in the row. After
placement, we can see accurate estimates of the capacitive loads that each standard
cell must drive. The tool places these cells based on the algorithms which it
uses internally. It is a process of placing the design cells in the floorplan in the
most optimal way.

Figure 5.20: Floorplanning

• Clock Tree Synthesis Clock tree synthesis is done to keep the clock skew as low as
possible in order to remove all types of violation. Clock skew is defined as the difference
in the arrival of the clock in different domains. So clock routing must be done so as
to minimize the clock skew, which makes the system faster.

• Routing Routing is nothing but connecting the various blocks in the chip with
one another. Until now, the blocks were only just placed on the chip. Routing
is also split into two steps:

– Global Routing: It basically plans the overall connections between all the
blocks and the nets. Its main aim is to minimize the total interconnect
length and to minimize the critical path delay. It determines the track
assignments for each interconnect.

– Detailed Routing: In this step, the actual connection between all the nets
takes place. It creates the actual via and metal connections. The main
objective of detailed routing is to minimize the total area, wire length and
delay in the critical paths.

Figure 5.21: Cell density in Placement

5.10 Proposed Implementation Results

As said, we are aiming to have more secure communication between reader and tag, so
that no middleman can retrieve the information between tag and reader. For that, we
are replacing our normal variable LFSR with a variable Fibonacci LFSR, which requires
two extra steps to extract the values of Rr, Rt1, Rt2 in the server. The output is shown
below. Here only the value of βb changes, with no other changes.
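The variable LFSR of Sections 5.7 and 5.10, as a behavioural Python model in both Galois and Fibonacci form, together with the inverse step a party holding Sa and Sb can use to recover the seed. This is an added example, not the thesis's RTL or its simulation output: the shift direction, bit ordering and the use of Sa directly as the tap mask are assumptions, so its result is not expected to match the βb value quoted in Section 5.7.

```python
# Behavioural model of a 32-bit variable LFSR (added example, not the thesis RTL).
# Assumed: Sa is used directly as the tap mask; shift directions as commented.
MASK = 0xFFFFFFFF
MSB = 0x80000000

def parity(x):
    return bin(x).count("1") & 1

def galois_step(state, taps):
    # Right shift; the bit that falls out is XORed into every tapped stage.
    out = state & 1
    state >>= 1
    return state ^ taps if out else state

def galois_unstep(state, taps):
    # With taps bit 31 set, a set MSB means the XOR happened (out bit was 1).
    if state & MSB:
        return (((state ^ taps) << 1) | 1) & MASK
    return (state << 1) & MASK

def fibonacci_step(state, taps):
    # Left shift; the new low bit is the XOR of all tapped stages.
    return ((state << 1) | parity(state & taps)) & MASK

def fibonacci_unstep(state, taps):
    # Bits 0..30 of the previous state are known; bit 31 follows from the
    # feedback bit because taps bit 31 is set.
    low = state >> 1
    top = (state & 1) ^ parity(low & taps)
    return low | (top << 31)

def run(step, state, taps, cycles):
    if not taps & MSB:
        raise ValueError("taps bit 31 must be set for the map to be invertible")
    for _ in range(cycles):
        state = step(state, taps)
    return state

SEED = 0x17B6AA10   # R1||R2, value from Section 5.7
SA = 0xABCD5432     # coefficient register contents (Sa)
SB = 0x14           # number of shift cycles (Sb)

if __name__ == "__main__":
    for name, fwd, back in (("galois", galois_step, galois_unstep),
                            ("fibonacci", fibonacci_step, fibonacci_unstep)):
        beta = run(fwd, SEED, SA, SB)
        print(name, f"{beta:08X}", f"{run(back, beta, SA, SB):08X}")
```

Both forms are linear and invertible for a fixed Sa and Sb, so the confidentiality of the seed rests entirely on keeping Sa and Sb secret.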

Here is the comparison of the current design and the modified design. The implementation
of the Fibonacci logic will consume a little bit of power compared to previous works, so we
can optimize the obtained results with the various optimization techniques available in the
EDA tool. Here is the comparison table, which compares the current design and the modified
design. The table shows that the power and area are decreased compared to the current design,
and we can claim that our security is increased by using the Fibonacci LFSR.

Figure 5.22: Clock Tree Synthesis

Comparison of Current Design and Proposed Design

Parameter               Current Design    Proposed Design
Operating Voltage       1.8V              1.8 V
Cell Internal Power     404.1022 uW       4.1740 uW
Total Dynamic Power     1.0577 uW         97.1576 nW
Total Power             405.1599 uW       4.2712 uW
Combinational Area      14435.020844      113.35680
Non Combinational Area  12294.143855      146.534399
Total Area              28455.820737      267.99116
Slack                   5.4ns             4.2ns

Figure 5.23: Routing

Figure 5.24: Modified Output:


Bibliography

Conclusion

Detailed literature survey: With the growth of the wireless communication market,
the design of the low noise amplifier becomes an important part which characterizes
the whole receiver performance, especially the noise figure. Thus the low noise amplifier
has been improved and analyzed widely. In order to improve the noise characteristic,
several kinds of feedback topologies are reported. At first, shunt resistive feedback can
relieve the noise contribution to the whole noise figure. But the resistor used is originally
the major thermal noise source. Because of this, this topology cannot be an attractive
solution to achieve very low noise performance. Usually, the shunt resistive
feedback low noise amplifier has been used as a wideband low noise amplifier. On the
other hand, the second feedback topology, using a source degenerated inductor for series
inductive feedback, has been considered the best solution to acquire a good noise figure
and high power gain. A fully differential series inductive feedback structure low
Publications

Students need to write their publication list here. It is to be written in the format of
bibliography. Following is for your guidance.
Sonal, Mohanthy. (2016), “FPGA implementation of bitonic merge signal network”,
IEEE Transactions on Signal Processing, 41(6), 566-576.
