Professional Documents
Culture Documents
X, JANUARY 20XX 1
Over the last few years several approaches for passive RFID used in previous works [14], [15]. Furthermore, they should
sensing have been proposed, based both on chipless RFID not consume more than 10 µW , as low-cost tags are passive
sensors (see, e.g., [7]) and on more general wireless identifi- and, therefore, must harvest their power supply from the reader
cation and sensing platforms (WISP) [8]. One area where such signal. (See, for example, [16] for an elaborate motivation on
sensors have found application is in bioprocess engineering, the need for low-power designs.) When these constraints are
particularly in the manufacturing of biopharmaceutical com- compared with the approximate 8120 GE [17], [18] required
ponents. In these scenarios, apart from wireless identification by a standard hash function like SHA-1 (which is an essential
functionalities, a number of critical manufacturing parameters building block for most security protocols), it becomes clear
of the biomaterials should be constantly monitored, such as for the need for schemes that can provide some minimum security
example the temperature and conductivity of certain solutions. services while requiring as few resources as possible.
Recent works (e.g., [9], [10], [11]) have reported on the design
of passive RFID sensors that incorporate this functionality. For This challenge has stimulated significant research efforts in
instance, in [9] it is described how a passive RFID tag is aug- lightweight cryptographic functions and protocols over the
mented with a pressure-sensitive flexible membrane coupled last decade. However, a major problem that researchers often
to a transducer and a layer that modulates the electromagnetic face when developing lightweight components is knowing if
field. their proposals will meet the restrictions of tags such as those
covered by the EPC-C1G2 standard. In many cases, reasonable
In a related work, Reinisch et al. [?] present an EPC C1-G2 arguments are given for the suitability of the design, such
compatible tag that contains an on-chip temperature sensor and as for example using only simple operations and avoiding
an interface for external sensors or other devices. Furthermore, complex computations that are known to be highly demanding.
the prototype exhibits a power consumption up to the milliwatt Even though such arguments are generally sound, in the case
range, which demonstrates the feasibilty of passive RFID sen- of platforms as bounded as an EPC-C1G2 tag, conclusive
sors such as this one. The authors identify as target application evidence can only come from real implementations.
its use as battery-less sensor for tire pressure modules, as this
is another scenario where batteries cannot be replaced.
Despite the future opportunities that the IoT promises to bring, In this paper, we describe our experiences with the ASIC
there is also a general concern about the threats derived from implementation of two lightweight authentication protocols for
widespread adoption: as pointed out in [2] (referring to [1]), it EPC-C1G2 tags. We explore the design space by experiment-
is possible that everyday objects become information security ing with different architectures and provide a detailed analysis
risks. Things in the IoT should be trusted. This can be achieved of the area occupied by the synthesized circuits, their power
by equipping them with adequate means to guarantee essential consumption and the throughput in terms of protocol runs per
security properties, including the confidentiality and integrity second. To the best of our knowledge, this is the first paper that
of the information stored in the object, the availability of the reports on an implementation of EPC-compliant authentication
identification and sensing services, and adequate protection protocols at the ASIC level. The work most similar to ours is
against privacy issues, among others. In traditional computing that of Huang et al. [19], which very recently reported on
and networking scenarios, most of these security functions are the FPGA implementation of two lightweight authentication
provided by cryptographic protocols built upon cryptographic protocols. Our results greatly differ with those offered there:
primitives such as pseudorandom number generators, hash for example, while our designs occupy around 9000 µm2 on
functions, and encryption algorithms. average, similar schemes need up to 60000 on an FPGA.
Furthermore, even though the effort is certainly valuable, a
The security level offered by the EPC-C1G2 standard and platform such as an EPC-C1G2 tag necessarily requires an
other passive RFID sensors is extremely low –in fact, almost ASIC implementation. In this regard, Reinisch et al. [20] have
inexistent. This is mainly due to the lack of computational described the ASIC implementation of an EPC tag (with all
resources on the tags, which prevents them from using stan- its security vulnerabilities) that also incorporates a temperature
dard security primitives and protocols. For example, it is sensor.
commonly assumed (see, e.g., [12]) that no more than 4000
Gate Equivalents (GE) can be devoted to security functions. The rest of this paper is organized as follows. In Section
EPC-C1G2 tags support simultaneous read attempts up to II we describe the protocols and cryptographic components
1500 tags/sec under ideal conditions. However, this rate can (pseudorandom number generators) that we implemented and
be five or ten times smaller (500-150 tags/sec) in real-world evaluated. Details about the hardware designs and the chosen
environments [13]. Therefore the number of clock cycles architectures are provided in Section III. In Section IV we
consumed per reading is upper-bounded by 670 clock cycles, discuss the results obtained with up to 15 different designs
assuming that the RFID chip operates at a clock frequency of and analyze the various trade-offs found between area and
100 kHz. We take 500 clock cycles as reference value because throughput. Finally, Section V concludes the paper and sum-
this limit is less than the above mentioned value and has been marizes our findings and contributions.
IEEE SENSORS JOURNAL, VOL. X, NO. X, JANUARY 20XX 3
the third approach (AKARI-2C) goes one step further and • Timer Block: It controls the maximum waiting time for
uses m/4-bit adders with additional support logic. In detail each message exchange during a protocol run, indicating
Figure 4(b) we show the m/4 adder plus the logic control if the current execution must be aborted if the other party
(multiplexers and D flip-flops) that is needed to implement does not reply.
this approach. • FSM: The interaction between the different block ele-
ments during a protocol run is controled by a protocol-
specific FSM. It also implements other details of each
scheme. For example, in the Burmester-Munilla protocol
B. An Architecture for EPC-C1G2 Protocols
it checks the alarm signal and selects the different oper-
ation modes (optimistic case or worst case).
Most PRNG-based EPC-C1G2 protocols follow a similar
working scheme. We have designed an architecture for a As far as optimization is concerned, most efforts concentrated
generic EPC-C1G2 protocol (see Fig. 5) and then particu- on the PRNG block. The remaining modules are mainly
larized it for each implemented protocol. This architecture composed of basic blocks and there is not much room for
includes four main blocks: optimization. Despite this, in some cases we were able to
reduce area by reusing some logic components from the PRNG
• Register Block: This encompasses all the registers needed into the protocol FSM.
to store intermediate computations and long-term val-
ues. For example, in the Burmester-Munilla protocol it
contains the registers that store RN1 , RN2 , the state IV. C IRCUIT S YNTHESIS AND E XPERIMENTAL R ESULTS
(gtag (state)) plus the refresh key K (we can discard the
1-bit flag cnt as its cost is negligible). Likewise, in the In this section, we report and discuss the main experimental
Chien-Huang protocol the block stores the internal values findings obtained for the different architectures described
(SID, IDS and x) and the nonce R1 received from the above. Firstly, we implemented the 3+2 choices for the PRNG
reader. using 6 different bit lengths (8, 16, 32, 64, 128 and 256
• PRNG Block: It implements the chosen pseudorandom bits), resulting in 30 different designs. Each protocol was
number generator. then implemented with 15 of them (32, 64 and 128 bits), as
IEEE SENSORS JOURNAL, VOL. X, NO. X, JANUARY 20XX 6
A. Experimental Setting
8 bits 16 bits 32 bits 64 bits 128 bits 256 bits Gate Equivalents (GE):
2
PRNG 32 bits 64 bits 128 bits
Area (µm :) AKARI-1A 2666 5184 11382
AKARI-2A 2582 5837 11740 23462 46955 93257
AKARI-1B 2557 4833 9227
AKARI-2B 2794 5173 10014 19656 38641 76910
AKARI-2C 2831 5081 9534 18421 36241 71579
AKARI-2A 4026 8010 18282
AKARI-2B 3427 6766 13037
Gate Equivalents (GE): AKARI-2C 3519 6659 12723
AKARI-2A 824 1.861 3.744 7.482 14.973 29.738
AKARI-2B 891 1.650 3.193 6.268 12.322 24.525 Power (nW):
AKARI-2C 903 1.620 3.040 5.874 11.557 22.825 PRNG 32 bits 64 bits 128 bits
AKARI-1A 311 614 1250
Power (nW):
AKARI-1B 288 530 1051
AKARI-2A 57.38 109.88 216.06 439.37 902.49 1790.00
AKARI-2B 76.95 135.81 255.28 522.04 1070.00 2300.00
AKARI-2A 338 643 1266
AKARI-2C 72.33 126.02 231.25 454.34 924.81 1810.00 AKARI-2B 326 622 1239
AKARI-2C 321 610 1162
Throughput (Kbps):
AKARI-2A 15.68 31.37 62.74 125.49 250.90 501.96 Authentications/second
AKARI-2B 2.75 5.50 11.03 22.06 44.13 88.27 PRNG Best case Worst case
AKARI-2C 1.50 3.01 6.03 12.07 24.15 48.30 AKARI-1A 245 147
AKARI-1B 37 22
AKARI-2A 314 188
AKARI-2B 57 34
AKARI-2C 31 18
TABLE V
C HIEN -H UANG EPC-C1G2 P ROTOCOL
Power (nW):
PRNG 32 bits 64 bits 128 bits
AKARI-1A 277 538 1347
AKARI-1B 280 528 1025
AKARI-2A 315 597 1442
AKARI-2B 323 616 1218
AKARI-2C 319 611 1192 Fig. 12. Block diagram of a passive sensing tag.
Authentications/second
PRNG
AKARI-1A 352
According to our implementations, Chieng-Huang protocol
AKARI-1B 54 is clearly faster than Burmester-Munilla, with a difference
AKARI-2A 446 of more than 100 authentications per second for the fastest
AKARI-2B 84
AKARI-2C 47
versions of both schemes. This is reasonable, as Chieng-
Huang involves the generation of just 1 random number, while
Burmester-Munilla requires 3 or 5.
than 8.5 % in comparison to the whole chip area of the above [7] S. Shrestha, M. Balachandran, M. Agarwal, V. Phoha, and
mentioned RFID sensor tag. This percentage could be even K. Varahramyan, “A chipless rfid sensor system for cyber centric
monitoring applications,” Microwave Theory and Techniques, IEEE
smaller since in our proposed EPC module the needed memory Transactions on, vol. 57, no. 5, pp. 1303–1309, May 2009.
is counted in the module area calculations and a sensor tag is
[8] A. Sample, D. Yeager, P. Powledge, A. Mamishev, and J. Smith, “Design
often armed with a external EEPROM and the EPC module of an rfid-based battery-free programmable sensing platform,” Instru-
could use this memory. mentation and Measurement, IEEE Transactions on, vol. 57, no. 11, pp.
2608–2615, Nov. 2008.
[9] C. Surman, R. Potyrailo, W. Morris, T. Wortley, M. Vincent, R. Diana,
V. C ONCLUSIONS V. Pizzi, J. Carter, and G. Gach, “Temperature-independent passive
rfid pressure sensors for single-use bioprocess components,” in RFID
(RFID), 2011 IEEE International Conference on, April, pp. 78–84.
One major challenge in the IoT is to design efficient protocols
to cater for a variety of devices, sensors and services. This [10] R. Potyrailo, D. Monk, W. Morris, S. Klensmeden, H. Ehring, T. Wortley,
V. Pizzi, J. Carter, and G. Gach, “Integration of passive multivariable rfid
applies to security functions too, and becomes particularly sensors into single-use biopharmaceutical manufacturing components,”
relevant for devices with scarce resources (computational, in RFID, 2010 IEEE International Conference on, April, pp. 1–7.
energy) for which traditional cryptographic primitives and
[11] R. Potyrailo, C. Surman, W. Morris, T. Wortley, M. Vincent, R. Diana,
protocols are simply too demanding. One evident example are V. Pizzi, J. Carter, and G. Gach, “Lab-scale long-term operation of
low-cost RFID technologies such as those covered by the EPC- passive multivariable rfid temperature sensors integrated into single-
C1G2 standard, where tags do not have a permanent battery use bioprocess components,” in RFID-Technologies and Applications
(RFID-TA), 2011 IEEE International Conference on, Sept., pp. 16–19.
(they harvest energy from the signal sent by a reader) and only
a few thousands GE of the hardware can be devoted to security [12] D. Ranasinghe, D. Engels, and P. Cole, “Low-cost rfid systems: con-
fronting security and privacy,” in Proceedings of Auto-ID Labs Research
functions. Even though this clearly imposes severe restrictions Workshop, 2004.
on the sort of protocols that can be used, in many cases it is
[13] M. Brown, E. Zeisel, and R. Sabella, “Chapter 2 - rfid tags,” in RFID+
still difficult for designers to know whether a given scheme is Exam Cram. Que, 2006.
efficient enough or not.
[14] K. Mandal, X. Fan, and G. Gong, “Warbler: A lightweight pseudo-
In this paper, we have addressed this question by exploring random number generator for epc c1 gen2 tags,” in Radio Frequency
Identification System Security, ser. Cryptology and Information Security
the ASIC implementation of two lightweight authentication Series, 2012, vol. 8, pp. 73–84.
protocols for EPC-C1G2 tags. To do this, we have chosen a
[15] J. Melia-Segui, G.-A. J., and J. Herrera-Joancomarti, “Analysis and
low-demanding PRNG and proposed several implementation improvement of a pseudorandom number generator for epc gen2 tags.” in
architectures. Our experimentation suggests that there are clear Financial Cryptography and Data Security 2010 Workshops. Springer-
trade-offs between the circuit area and its throughput, so Verlag, 2010, pp. 34–46.
that optimization of one of them comes at the expense of [16] D. Brenk, J. Essel, J. Heidrich, R. Agethen, D. Kissinger, G. Hofer,
a low performance in the other. We also found out that the G. Holweg, G. Fischer, and R. Weigel, “Energy-efficient wireless sensing
PRNG area is a very significant fraction of the entire protocol using a generic adc sensor interface within a passive multi-standard rfid
transponder,” IEEE Sensors Journal, vol. 11, no. 11, pp. 2698–2710,
implementation, which reinforces the view that advances in nov. 2011.
this area will greatly benefit from lightweight cryptographic
[17] M. Feldhofer and C. Rechberger, “A case against currently used hash
components. More generally, our analysis of 15 different functions in rfid protocols,” in Proceedings of the 2006 international
hardware architectures shows that the two analyzed protocols conference on On the Move to Meaningful Internet Systems: AWeSOMe,
are adequate for low-cost RFID tags in terms of performance, CAMS, COMINF, IS, KSinBIT, MIOS-CIAO, MONET - Volume Part I,
ser. OTM’06. Berlin, Heidelberg: Springer-Verlag, 2006, pp. 372–381.
power consumption and impact on area. We believe these
results may be helpful to protocol designers for highly con- [18] M. O’Neill, “Low-cost sha-1 hash function architecture for rfid tags,”
in Workshop on RFID Security, 2008, pp. 41–51.
strained devices.
[19] Y.-J. Huang, W.-C. Lin, and H.-L. Li, “Efficient implementation of
rfid mutual authentication protocol,” IEEE Transactions on Industrial
Electronics, vol. 59, no. 12, pp. 4784–4791, dec. 2012.
R EFERENCES
[20] H. Reinisch, M. Wiessflecker, S. Gruber, H. Unterassinger, G. Hofer,
M. Klamminger, W. Pribyl, and G. Holweg, “A multifrequency passive
[1] N. I. Council, “Disruptive civil technologies: Six technologies with
sensing tag with on-chip temperature sensor and off-chip sensor interface
potential impacts on us interests out to 2025,” Conference Report CR
using epc hf and uhf rfid technology,” IEEE Journal of Solid-State
2008-07, April 2008.
Circuits, vol. 46, no. 12, pp. 3075–3088, dec. 2011.
[2] L. Atzori, A. Iera, and G. Morabito, “The internet of things: A survey,”
[21] H.-Y. Chien, “SASI: A new ultralightweight RFID authentication proto-
Computer Networks, vol. 54, no. 15, pp. 2787–2805, 2010.
col providing strong authentication and strong integrity,” IEEE Transac-
[3] EPCglobal Inc, “Class-1 Generation-2 UHF RFID protocol for commu- tions on Dependable and Secure Computing, vol. 4, no. 4, pp. 337–340,
nications at 860 MHz - 960 MHz (version 1.2.0).” oct.-dec. 2007.
[4] D. M. Dobkin, “Chapter 3 - radio basics for uhf rfid,” in The RF in [22] M. Burmester and J. Munilla, “Lightweight RFID authentication
RFID. Newnes, 2008, pp. 51 – 101. with forward and backward security,” ACM Trans. Inf. Syst. Secur.,
vol. 14, no. 1, pp. 11:1–11:26, Jun. 2011. [Online]. Available:
[5] B. Glover and H. Bhatt, RFID Essentials (Theory in Practice). O’Reilly http://doi.acm.org/10.1145/1952982.1952993
Media, Inc., 2006.
[23] H.-Y. Chien and C.-W. Huang, “A lightweight authentication protocol for
[6] NxP, “UCODE EPC Gen2,” http://www.nxp.com/, Consulted on March low-cost RFID,” Signal Processing Systems, vol. 59, no. 1, pp. 95–102,
2013. 2010.
IEEE SENSORS JOURNAL, VOL. X, NO. X, JANUARY 20XX 11
[24] Y.-Z. Li, Y.-B. Cho, N.-K. Um, and S.-H. Lee, “Security and privacy
on authentication protocol for low-cost RFID,” in Intl. Conf. on Com-
putational Intelligence and Security, vol. 2, nov. 2006, pp. 1101–1104.
[25] W. Che, H. Deng, X. Tan, and J. Wang, “A random number generator for
application in rfid tags,” in Networked RFID Systems and Lightweight
Cryptography. Springer-Verlag, 2008, pp. 279–287.
[26] A. Klimov and A. Shamir, “A new class of invertible mappings,” in
International Workshop on Cryptographic Hardware and Embedded
Systems, ser. LNCS, vol. 2523. Springer-Verlag, 2002, pp. 471–484.
[27] ——, “New applications of t-functions in block ciphers and hash
functions,” in Fast Software Encryption, ser. LNCS, vol. 3557. Springer
Berlin Heidelberg, 2005, pp. 18–31.
[28] H. Martin, E. San Millan, L. Entrena, P. Peris-Lopez, and J. Hernandez-
Castro, “Akari-x: A pseudorandom number generator for secure
lightweight systems,” in 2011 IEEE International On-Line Testing
Symposium (IOLTS), 2011, pp. 228–233.
[29] J. Hernandez-Castro, J. Estevez-Tapiador, A. Ribagorda-Garnacho, and
B. Ramos-Alvarez, “Wheedham: an automatically designed block cipher
by means of genetic programming,” in Proc. of IEEE Congress on
Evolutionary Computation, 2006, pp. 192–199.
[30] J. Walker, “Randomness battery,” 1998.
[31] G. Marsaglia, “The marsaglia random number cdrom including the
diehard battery of tests of randomness,” 1996.
[32] A. Rukhin, J. Soto, J. Nechvatal, M. Smid, E. Barker, S. Leigh,
M. Levenson, M. Vangel, D. Banks, A. Heckert, J. Dray, and S. Vo, “A
statistical test suite for random and pseudorandom number generators
for cryptographic applications,” Technical Report, 2001.
[33] I. Zalbide, J. Vicario, and I. Velez, “Power and energy optimization of
the digital core of a gen2 long range full passive rfid sensor tag,” in
IEEE International Conference on RFID, 2008, pp. 125–133.
[34] B. Baas, “A low-power, high-performance, 1024-point fft processor,”
IEEE Journal of Solid-State Circuits, vol. 34, no. 3, pp. 380–387, 1999.