Professional Documents
Culture Documents
Article 1003
Article 1003
Anti-Counterfeiting
1.1 Introduction
3
A passive attack is an attack in which the attacker eavesdrops the communica-
tion between the reader and the tag. An active attack is an attack in which the
attacker actively participates in such a protocol e.g. by installing a fake reader.
A physical attack is an attack where an attacker attacks the tag itself using some
sophisticated physical tools (photo-flash lamps, focused ion beams, etc.).
1 Anti-Counterfeiting 3
1.2 Model
In order to protect a product against cloning (counterfeiting) a detection mark
is embedded into the product (ideally) or its packaging. This detection mark
consists of a physical and a digital part. The mark is put there by a legitimate
authority (which is trusted). When the product is in the field, the attacker
(counterfeiter) has access to all components of this detection mark; i.e. she can
read it, remove it from the product and investigate it, challenge/communicate
with it, etc. Based on the information that she obtains from investigating the
legal detection mark, she produces a fake detection mark. The goal of the
attacker is to produce a fake detection mark that can only be distinguished
from an authentic one with negligible probability.
First, we give some intuition for protocols that can be used to check the au-
thenticity of a product based on the two technological components previously
described. In order to determine the unique properties of the PUF and use
them to generate the reference information, there is first an enrollment phase,
which is performed by some trusted authority. During this phase the following
steps are performed:
1. Several fingerprints are derived from the PUF by challenging it with mul-
tiple challenges and recording the responses. These responses are then
turned into binary fingerprints (and some auxiliary data are derived for
use during the verification phase).
2. For use in off-line situations: These challenges, fingerprints and auxiliary
data are then signed with the secret key sk of the issuer of the product (the
issuer is assumed to be trustworthy). For the on-line case: the challenges,
fingerprints and auxiliary data are then stored in a verification database
(which we assume to be secure).
3. The signatures, the challenges (corresponding to the fingerprints) and
maybe some auxiliary data (needed to perform processing during the au-
thentication phase) are also printed on the product.
During the verification (or authentication) phase, the authenticity of the prod-
uct is checked by running the following protocol:
1. The verification device reads the challenges and auxiliary data of the de-
tection mark embedded in the product.
2. The verification device challenges the physical structure with one of the
challenges printed on the product. After having measured the responses,
it derives the fingerprint from the response based on the auxiliary data.
3. Then, using the fingerprint derived in Step 2, the verification device checks
the signature to verify that the fingerprint, challenges and auxiliary data
were printed on the product by a legitimate authority. If the signature is
not correct, the product is not authentic, otherwise it is.
We briefly analyze the security of this protocol. An attacker who wants to
counterfeit the product has to embed a fake physical structure on the product
that produces correct fingerprints to the challenges (with correct signatures).
Under the assumption that the physical structure is unclonable, she cannot
produce a clone of the originally embedded physical structure. More precisely,
we assume that given some challenges c1 , . . . , cn and corresponding finger-
prints s1 , . . . , sn she cannot produce a (fake) physical structure that produces
the same fingerprints s1 , . . . , sn given the original challenges c1 , . . . , cn . On the
other hand she can produce another structure and create challenges, auxiliary
6 Pim Tuyls, Jorge Guajardo, Lejla Batina, and Tim Kerins
data and fingerprints s01 , . . . , s0n according to the procedures used during en-
rollment. However, since she does not know the trusted authority’s secret key
sk and the responses of her fake structure will be different from the authentic
si ’s with very high probability, she will not be able to compute the correct sig-
natures on these data. The verification device will detect that the signatures
are not correct and reject this as a fake product. We note that in reality the
number of fingerprints that can be verified during a verification session is very
limited by time and space constraints. Clearly, the attacker can easily capture
the required fingerprints (by measuring the responses according to the chal-
lenges printed on the product). Therefore, in reality the production of a clone
requires the fabrication of a physical structure (PUF) producing the same
fingerprints for a limited number of challenges. Due to the above-mentioned
constraints, a practical implementation is not guaranteed to provide the same
security level as the one argued in theory. In the following sections, it will be
explained how the use of an unclonable RFID-Tag can minimize the disparity
between theoretical and practical security.
An additional threat might exist, even when the techniques explained above
have been applied. Let’s consider therefore the example where the detection
mark is embedded in the package (not on the product). Instead of trying to
copy the package, the attacker may try to get hold of “old” used packages and
“refill” those with his own fake surrogates. This can be prevented by using
a Fragile-PUF instead of a normal PUF. A Fragile-PUF is a PUF that is
destroyed when the user (or an attacker) opens the package. Furthermore, the
same procedure is applied as with usual PUFs (fingerprints and accompanying
signatures/helper data are printed on the package or stored in the database).
This has two advantages. A fake product can not enter the supply chain of a
company by putting it in old/used packages. This allows legitimate companies
to better protect their supply chain. For the end-user on the other hand, the
use of a Fragile-PUF has the advantage that he can verify whether he indeed
bought an unused and authentic product or not. This is done by checking the
Fragile-PUF-authenticity before it is destroyed.
Although we consider below the situation where the detection mark is imple-
mented by an RFID-Tag containing a PUF, many protocols also hold (in a
slightly changed form) for the case where the detection mark just consists of
a PUF not embedded on a tag. In this case, we assume that every reader is
connected with a reference database through an authenticated channel. The
reference database contains for each tag ID a list of challenge-response pairs
(CRPs) (c1 , x1 ), . . . , (cn , xn ) of its corresponding PUF. We distinguish be-
tween two different situations, i) we assume that there is a large number of
challenge response pairs available for the PUF; i.e. n is a large number. We
refer to this case as strong PUFs. If the number of different CRPs n is rather
small, we refer to it as a weak PUF. More precisely, a strong PUF is a PUF that
has so many challenge-response pairs such that an attack (performed during a
limited amount of time) based on exhaustively measuring challenge-response
pairs only has a negligible probability of success O(2−n ) [33].
Strong PUFs
109 [33]). Since the various CRP pairs are independent, a passive attacker has
a probability of guessing a response zi with dH (zi , ri ) ≤ δ to a challenge ci
Pδ
equal to i=0 ki /2k ≈ 2(h(α)−1)k when δ = αk and h denotes the binary
entropy function 5 .
Note that an active attacker will probe the PUF of the tag with a fake
reader that sends arbitrarily chosen challenges c01 , . . . , c0m to the tag. When
the responses y1 , . . . , ym are returned, he records them and uses them to make
a model of the PUF and to guess the responses to other remaining challenge-
response pairs. It was shown in [33] that the number of responses that can be
obtained in a limited amount of time is small compared to the total number of
challenges, i.e. m n (Typically m = 100 and n = 109 ). Hence, the probabil-
ity that cj ∈ {c01 , c02 , . . . , c0m } for some j ∈R {1, . . . , n} is O( m
n ). This implies
that the verifier has to keep its database with CRPs secret. Finally, we note
that after some time the database might run out of CRPs. In [8] protocols
have been developed to update a CRP database with new CRPs. Since this
can only be done over a secure authenticated channel, it requires that first a
secure channel is established between the RFID-tag and the reader over which
the update protocol is run.
Weak PUFs
First Protocol. During the enrollment phase the PUF is challenged by a Cer-
tification Authority (CA) with n challenges, say c1 , . . . , cn and the corre-
sponding responses x1 , . . . , xn are measured. Then, a secret si ∈R {0, 1}k for
i = 1, . . . , n is randomly chosen for each response xi . The corresponding helper
data w1 , . . . , wn are computed by means of the key extraction algorithm ex-
plained in Sect. XX. In the (ROM) memory of the RFID-tag the challenges Missing section
c1 , . . . , cn are stored. In the database of the verifier, the triples (ci , wi , si ) for number
i = 1, . . . , n are stored. Let MACk (.) denote a MAC-ing algorithm using key
k. Then the authentication protocol performs the following steps [30]:
1. The reader contacts the tag which sends its ID.
2. The reader contacts the database and gets a random challenge response
pair for this ID, say (ci , si ), together with the helper data wi . It sends the
5
The binary entropy function h(p) is defined as h(p) = −p log 2 p−(1−p) log2 (1−p).
10 Pim Tuyls, Jorge Guajardo, Lejla Batina, and Tim Kerins
data (ci , wi ) together with MACsi (wi ) to the tag. Additionally, the reader
chooses a random nonce m ∈ {0, 1}t and sends it to the tag too.
3. The tag challenges its PUF according to the challenge ci , and measures
the response yi . Then, it uses the helper data wi to derive s0i = G(yi , wi ).
Using s0i and wi the tag checks MACsi (wi ) using s0i . If the MAC is not OK,
the tag stops. Otherwise it proceeds. Note that in this step we have in fact
transformed the key-extraction function G into a robust key-extraction
function G∗ in a similar way to the one presented in [4].
4. Finally, the tag MACs the message m and sends M ACs0i (m) to the reader.
5. The reader checks MACs0i (m). If the MAC is OK, it considers the tag as
authentic and otherwise not.
The authentication technique in Step 2 prevents an active attack by a fake
reader. If the challenge-response protocol carried out in Steps 3 and 4 uses
a secure MAC-ing algorithm, it reveals no information on the used key s i .
Finally, notice that this protocol requires only symmetric crypto primitives
which require a few thousand gates.
In order to minimize the size of the ROM memory of the tag, we propose to
use Elliptic Curve (EC) based secure identification schemes. For the signature
algorithm SS we choose then ECDSA. This makes the size of the signatures no
larger than 326 bits (when using the field F2163 ). The identification protocol
investigated in detail is Schnorr’s identification protocol. The total storage
requirement for the public information (sP, Cert) is in total about 500 bits.
6
uf-cma: existential unforgeability under chosen message attack.
1 Anti-Counterfeiting 13
1. Common Input: The set of system parameters in this case consists of: (q, a, b, P, n, h). Here, q
specifies the finite field, a, b, define an elliptic curve, P is a point on the curve of order n and h is the
cofactor. In the case of tag authentication, most of these parameters are assumed to be fixed.
2. Prover-Tag Input: The prover’s secret a such that Z = −a · P .
3. Protocol: The protocol involves exchange of the following messages:
Prover P Verifier V
r ∈ R Zn
X ← r·P X -
e e ∈R Z t
2
y = ae + r mod n y -
If y · P + e · Z = X then
accept, else reject
multiplication. On the other hand, in Okamoto’s scheme [24], the tag needs
to compute kP + lQ, i.e. a so-called multiple-point multiplication. For the
purpose of speeding-up this computation one uses Shamir’s trick. The scalars
k and l are stored in a 2-row matrix. Each row contains the binary represen-
tation of one of the scalars. Then, all values of the form iP + jQ, 0 ≤ i, j < 2 w
are precalculated and stored in a table, where w is referred to as the window
size. The algorithm to perform this so-called simultaneous point multiplica-
tion computes at each of d wt e steps, w doublings and 1 addition from the list
of the precomputed values. Here, t is the bit-length of a scalar multiplier. As
the parameter w is a variable that allows some trade-off, we chose the smallest
window i.e. w = 1 in order to maintain memory utilization as low as possible.
In the remainder of the chapter, we describe a processor specifically suited for
this operation and to anti-counterfeiting RFID-based applications [2].
n−1 i d−1
Require: A = i=0 ai x , where ai ∈ F2 , B = j=0 bj xjD where bj =
D−1 l n
l=0 bDj+l x , bi ∈ F2 , and d = d D e.
Ensure: C = A · B mod f (x)
1: C ← 0
2: for i = 0 to d − 1 do
4: end for
5: Return C
Our Elliptic Curve Processor (ECP) for RFID is shown in Fig. 1.2. The oper-
ational blocks are as follows: a Control Unit(CU), an Arithmetic Logic Unit
(ALU), and Memory (RAM and ROM). In ROM the ECC parameters and
the constants x4 (the x-coordinate of P2 −P1 ) and b are stored. RAM memory
contains all input and output variables and it therefore communicates with
both, the ROM and the ALU. The CU controls scalar multiplication and point
operations. In the case of composite fields implementations, it also controls
the operations in extension fields. In addition, the controller commands the
ALU which performs field multiplication, addition and squaring. The CU con-
sists of a number of simple state machines and a counter and its area cost is
small. The processor memory consists of the equivalent to seven n-bit (n = p)
registers for ordinary fields and nine n-bit (n = 2p) registers for composite
fields. Tables 1.1 and 1.2 summarizes the number of cycles required for basic
operations and for a whole point multiplication in an EC over F2p . The com-
plexity for whole point multiplication over F22p can be obtained directly from
Table 1.2 and our previous discussion on composite fields.
Table 1.1. Cycle count for basic field operations. L: Load, C: Computation, S: Store
The largest contribution in area to the overall design comes from the ALU,
illustrated in Fig. 1.3. It consists of two n-bit registers a and c and one n-bit
1 Anti-Counterfeiting 17
Table 1.2. Cycle count for elliptic curve operations over F2p .
EC Operation EC operations with a squarer EC operations without a squarer
p−1 p−1
Addition 4 M U L + 1 SQ + 2 ADD = 4d e + 23 5 M U L + 2 ADD = 5d e + 23
D D
p−1 p−1
Doubling 2 M U L + 4 SQ + 1 ADD = 2d e + 22 6 M U L + 1 ADD = 6d e + 22
D D
p−1 p−1
Point mult. (n − 1) 6d e + 45 (n − 1) 11d e + 45
D D
shift-register b that outputs D bits at the time. In addition, the ALU has
circuitry for implementing addition, squaring and multiplication in F2n . Load
and store operations between the ALU and memory cost a single clock cycle.
The ADD block consists of n XOR gates, and the SQR block consists of at
most 3n2 XOR gates and computes F2 additions and squarings in a single clock
n
cycle once data has been loaded into the ALU. The MUL block implements
an iteration of Step 3 of Algorithm 2 in a single clock cycle. Multiplication
n
is calculated then in d = d D e clock cycles. For composite fields, the field
arithmetic translates to the arithmetic in the subfield as follows: (i) addition
in F(2p )2 requires 2 additions in F2p , (ii) multiplication in F(2p )2 requires 3
multiplications and 4 additions in F2p , and (iii) squaring in F(2p )2 requires 2
squaring and 1 addition in F2p .
In this section, we provide estimates for the latency and the area complexity
of Schnorr’s protocol. As mentioned above the core part of the protocol is
one point multiplication. The results for various architectures are given in
Tables 1.3 and 1.4. We considered solutions with or without the squarer as
it allows also for a trade-off between area and performance. For the case of
composite fields the ALU shrinks in size but some speed-up is then necessary
which we obtain by means of a digit-serial multiplier (instead of a bit-serial
one, i.e., D = 1). The performance in each case is calculated by use of
formulae for point operations as in Algorithm 1 and we calculate the total
number of cycles for each case assuming the numbers for field arithmetic
provided in Sect. 1.5.4.
The designs were synthesized using Synopsis Design-analyzer for the fre-
quency of 175 kHz and a 0.25 µm CMOS library. One of our main reasons
for using composite fields was to reduce the ALU’s area. This is clearly visi-
ble in Tables 1.3 and 1.4. We notice that the ALU varies in size from 2,863
to 7,379 gates and the smallest one is obtained for the field F(267 )2 , without
the squarer and with a bit-serial multiplier. However, the performance is the
worst for this case, requiring 1.88 seconds for one point multiplication. The
total area without RAM includes the sizes of the ALU, the CU, the counter
and the shift-register. The largest portion of that is occupied by the key reg-
ister i.e. 1,400 and 1,500 gates for fields F2131 and F2139 , respectively. The
control logic takes between 10% and 15% of a whole design.
18 Pim Tuyls, Jorge Guajardo, Lejla Batina, and Tim Kerins
Table 1.3. Implementation results @ 175 kHz and assuming a dedicated squarer.
Implementation ALU RAM Perf. Area no AT factor AT f.
Digit size Field Type [gates] [bits] [s] RAM [gates] [wo RAM] [w RAM]
D=1 F 131 6306 917 0.61 8582 5260 8632
2
F 67 2 3274 1206 1.09 6074 6611 14486
(2 )
F 139 6690 973 0.69 9044 6227 10246
2
D=2 F 131 6962 917 0.32 9233 2984 4762
2
F 67 2 3610 1206 0.64 6410 4083 8691
(2 )
F 139 7379 973 0.36 9734 3524 5637
2
F 71 2 3648 1278 0.70 6534 4602 10001
(2 )
D=3 F 3789 1206 0.49 6589 3205 6725
(267 )2
F 3833 1278 0.54 6719 3660 7837
(271 )2
D=4 F 4103 1206 0.42 6903 2886 5911
(267 )2
F 71 2 4152 1278 0.46 7038 3321 6731
(2 )
Table 1.4. Implementation results @ 175 kHz and assuming no dedicated squarer.
Implementation ALU RAM Perf. Area no AT factor AT f.
Digit size Field Type [gates] [bits] [s] RAM [gates] [wo RAM] [w RAM]
D=1 F 131 5679 917 1.10 7953 8715 14743
2
F 67 2 2953 1206 1.88 5708 10746 24368
(2 )
F 139 6018 973 1.23 8380 10329 17525
2
D=2 F 131 6335 917 0.56 8603 4858 7964
2
F 67 2 3289 1206 1.05 6044 6376 14009
(2 )
F 139 6718 973 0.63 9079 5757 9458
2
F 71 2 3463 1278 1.17 6304 7386 16369
(2 )
D=3 F 3468 1206 0.78 6224 4849 10486
(267 )2
F 3647 1278 0.88 6489 5705 12445
(271 )2
D=4 F 3782 1206 0.65 6537 4273 9003
(267 )2
F 71 2 3967 1278 0.72 6808 4899 10416
(2 )
In the last two columns, we computed the area-time product for two cases,
including RAM and not including RAM. To map the number of bits to be
stored to actual gates we used a factor of 6, which is conservative when using
SRAM. If we were to use dedicated embedded RAM, it would be possible to
half the area requirement (see for example [22, 13]), at the very least. From
Table 1.3 and looking at the AT-product values, we conclude that, in general,
it is beneficial to use a digit-serial multiplier and a squarer. However, these
options are not the most compact. For compactness one should choose an
implementation without squarer. The total area is expressed without RAM
for two reasons. First, it is hard to exactly map it to the corresponding number
of gates and second, most tags have RAM available. Some high-end tags have
therefore the possibility to store 1,000 bits, which would be enough in some
cases presented in Table 1.3.
We compare our results with other related work in Table 1.5. It is hard
to compare with other related work as there are only a few previous ECC
implementations suitable for RFIDs. We chose to provide two values: the
architecture with the best AT product and best timing and the architecture
with the smallest area. We stress here again that we obtain these figures by
including very conservative estimates for RAM in the total gate count. In fact,
a RAM cell that requires 6 equivalent gates to be implemented is a register
1 Anti-Counterfeiting 19
References
1. ADT/Tyco Fire and Security, Alien Technology, Impinj Inc., Intel Corporation,
Symbol Technologies Inc., and Xterprice. RFID and UHF: A Prescription for
RFID Success in the Pharmaceutical Industry. White paper, Pharmaceutical
Online, June 2006. Available at http://www.pharmaceuticalonline.com/uhf/.
2. L. Batina, J. Guajardo, T. Kerins, N. Mentens, P. Tuyls, and I. Verbauwhede.
Public-Key Cryptography for RFID-Tags. In IEEE Conference on Pervasive
Computing and Communications Workshops — PerCom 2007 Workshops, New
York, March 19-23, 2007. IEEE Computer Society.
3. M. Bellare, C. Namprempre, and G. Neven. Security proofs for identity-based
identification and signature schemes. In C. Cachin and J. Camenisch, editors,
Advances in Cryptology — Eurocrypt 2004, volume 3027 of LNCS, pages 268–
286. Springer-Verlag, 2004.
4. X. Boyen, Y. Dodis, J. Katz, R. Ostrovsky, and A. Smith. Secure remote au-
thentication using biometric data. In R. Cramer, editor, Advances in Cryptology
— Eurocrypt 2005, volume 3494 of LNCS, pages 147–163. Springer-Verlag, 2005.
20 Pim Tuyls, Jorge Guajardo, Lejla Batina, and Tim Kerins