IMPROVED CRYPTOGRAPHIC PROCESSOR DESIGNS FOR
SECURITY IN RFID AND OTHER UBIQUITOUS SYSTEMS
by
LAWRENCE LEINWEBER
Submitted in partial fulfillment of the requirements
For the degree of
Doctor of Philosophy: Engineering
Major Field: Computer Engineering
Dissertation Adviser: Dr. Christos Papachristou
Department of Electrical Engineering and Computer Science
CASE WESTERN RESERVE UNIVERSITY
May, 2009
CASE WESTERN RESERVE UNIVERSITY
SCHOOL OF GRADUATE STUDIES
We hereby approve the thesis/dissertation of Lawrence Leinweber, candidate for the Ph.D. in Computer Engineering degree*.
Dr. Christos Papachristou (signed) (chair of the committee)
Dr. Francis L. Merat
Dr. Swarup Bhunia
Dr. Xinmiao Zhang
Dr. Francis G. Wolff
(date) 4/1/09
*We also certify that written approval has been obtained for any proprietary material contained therein.
Table of Contents
I. Introduction
A. Motivation
B. Problem Definition
1. Secure Protocol
2. Cryptographic Processors
3. Power Management
C. Outline of the Dissertation
II. Background
A. Security
1. Product Identification
2. Privacy and Business Intelligence Risks
3. Consideration of Other Methods
4. Network Security
5. Security Through Cryptography
B. Elliptic Curve Cryptography
1. Galois Fields
2. Elliptic Curves
3. Coordinate Systems and Security
C. Cryptographic Algorithms and Architectures
1. Galois Field Operations
2. Elliptic Curve Operations
3. Cryptographic Processors
III. Processor Designs
A. Data Flows
B. Arithmetic Logic Unit (ALU)
C. Key Control Logic
D. Inversion Control Logic
E. High-Level Organization
F. Summary of Contributions
G. Comparison with Other Works
IV. Simulation Experiments
A. Test Setup
B. Results
C. Comparison with Other Works
V. Secure Protocol
A. Requirements of a Minimal Protocol
1. Minimum Cost Tags
2. Minimal Back-End Support
3. Concept of Ownership
4. Minimal Operations
5. Minimum Message Words and Encryptions
B. Description of a Minimal Protocol
1. Operations
2. Tag Memory Requirements
3. Lower-Layer Support
4. Infrastructure for Key Management
5. Other Capabilities
C. Evaluation of the Protocol
1. Benefits of the Protocol
2. Defenses Against Various Attacks
3. Drawbacks of the Protocol
4. Moore’s Law
5. Consumer Applications
VI. Power Management
A. Analog Front-End
B. Subthreshold Logic
C. Self-Timed Circuits
D. Power vs. Impedance
1. Motivation
2. Test Setup
3. Results
E. Recommendations
VII. Conclusion and Future Work
VIII. Bibliography
List of Tables
Table 1: Cryptographic Processor Programs
Table 2: Approximate Area Coefficients, 3 ≤ m ≤ 256, w ≤ 16
Table 3: Approximate Energy Coefficients, 3 ≤ m ≤ 256, w ≤ 16
Table 4: Exact Time and D Flip-Flop Coefficients
Table 5: Area for Proposed and Reference Processors
Table 6: Time for Proposed and Reference Processors
Table 7: Energy (µJ) for Proposed and Reference Processors
Table 8: Tag Memory Contents during Read and Change-Owner Operations
List of Figures
Figure 1: Lopez-Dahab Data Flows for the R6 Processor
Figure 2: Lopez-Dahab Data Flows for the R5 Processor
Figure 3: Arithmetic Logic Unit (ALU)
Figure 4: Dedicated Squarer, m = 11
Figure 5: XOR Gates per Degree for Dedicated Squarers
Figure 6: Digit-Serial Most-Significant-Digit-First Multiplier
Figure 7: Key Control Logic
Figure 8: Inverter Control Logic
Figure 9: Datapaths of the R6 Processor
Figure 10: Datapaths of the R5 Processor
Figure 11: High Level Organization
Figure 12: Registers and Multiplies for Proposed and Reference Processors
Figure 13: Processor Area (NAND Gates)
Figure 14: Processor and Divide Time (Cycles)
Figure 15: Processor Area × Time (Million Gates × Cycles)
Figure 16: 0.25 µm Processor Area (mm²)
Figure 17: 0.25 µm Processor Dynamic Energy (µJ)
Figure 18: 0.25 µm Processor Leakage Energy × Frequency (mW)
Figure 19: Area and Time for Proposed and Reference Processors
Figure 20: Initial State
Figure 21: After tag responds to read command; ID secret
Figure 22: After tag responds to read command; ID not secret
Figure 23: After owner sends change-owner command; ID not secret
Figure 24: Frequency vs. Power for 0.25 µm Chain of Four Inverters
Figure 25: Frequency vs. Power for 0.25 µm R6 Elliptic Curve Processor
Figure 26: 0.25 µm Chain of Four Inverters
Figure 27: 0.25 µm R6 Elliptic Curve Processor, m = 11, w = 1
Figure 28: 0.25 µm Ring Oscillators with Frequency Dividers
Figure 29: Mirrored Pair of Dickson Voltage Multipliers
Improved Cryptographic Processor Designs for
Security in RFID and Other Ubiquitous Systems
Abstract
By
LAWRENCE LEINWEBER
In order to provide security in ubiquitous, passively powered systems, especially RFID
tags in the supply chain, improved asymmetric key cryptographic processors are
presented, tested and compared with others from the literature. The proposed processors
show a 12%-20% area and a 31%-45% time improvement. A secure protocol is also
presented to minimize cryptographic effort and communication between tag and reader.
A set of power management techniques is also presented to match processor performance to available power, resulting in greater range and responsiveness of RFID tags.
I. Introduction
A. Motivation
The motivation of this research was to make improvements in cryptographic processors
for low-power systems such as radio frequency identification (RFID). There is a great
deal of interest in this problem because security is especially important now that
these processors can be ubiquitous. So the goal was to investigate as much
as possible what was already available for this application in terms of security protocols, cryptography and power management and find ways to make improvements. As it turned out, there was a great deal of information available especially about cryptography because lightweight cryptography was used in smartcards.
There is a gap, though, between what has been achieved for RFID and what is possible.
The direction in the near future will be guided by research done now to find ways to reduce the computational effort to provide security on RFID tags. Tags are unusual because they must be very inexpensive and because they have no power source of their own.
There were three approaches to the problem of improving RFID security. The simplest was to find a secure protocol to communicate with a tag. The security flaw in tags is that they are promiscuous. They communicate with anyone and this can lead to problems for a person carrying tags. The second approach was to find the cheapest asymmetric key cryptography possible, to run on a tag. This is a very important problem of course, so there is a lot of background material and a lot of effort is required to make improvements.
The third approach was to find ways to manage the available power in order to get the
greatest computational effect in a tag. Unlike ordinary computer systems, tags get their
energy from an unreliable source.
B. Problem Definition
RFID tags are the next generation of barcodes for products in the supply chain. Unlike barcodes, which are read with light, RFID tags are read with radio waves, so they do not need to be oriented to face the reader. RFID and other ubiquitous systems are very small computers that are inexpensive, have relatively little computational power and typically get their power coupled through an antenna. The basic security problem is that because tags are readable by radio signals, they can be tracked, so if a person is carrying tags, his movements can be monitored. The goal is to use the tag’s computational capability to solve this problem.
The problem has been attacked on three fronts and progress has been made in all three.
1. Secure Protocol
A number of techniques have been developed by others to provide some security against unauthorized tag reading. None of these techniques provides the level of security needed to protect indefinitely against a determined intruder without either destroying the tag or requiring a great deal of data processing infrastructure.
With the advent of asymmetric key cryptography on RFID tags, a protocol is needed to securely communicate tag identification only to authorized parties. Since resources, especially power, are scarce on a tag, a minimal protocol is needed. Such a protocol has been developed and proven to be minimal in the number of cryptographic operations and message words communicated between reader and tag.
2. Cryptographic Processors
A great deal of research has been carried out by others to find the minimal asymmetric key cryptographic system. This has applications beyond RFID, of course. While many components have already been developed, it remains to assemble these in the most efficient way possible to produce a processor with minimal area and execution time.
The focus of this research was integrating components for a small, fast asymmetric key cryptographic processor. The result of this research was a processor that was 12%-20% smaller and 31%-45% faster than those previously presented in the literature. This is a very competitive field and some of the techniques used in this research have already been discovered independently by others.
3. Power Management
Efficient security systems on RFID tags depend on scarce power. Inexpensive tags have no power source except what is coupled from the antenna. The amount of power available may fluctuate greatly during a cryptographic operation. Many techniques have been researched by others to deliver as much power as possible from antenna to processor
but the best techniques need to be assembled in a comprehensive approach for power management.
This research includes a set of techniques and improvements to match processor
performance to available power, which results in greater range and responsiveness of
RFID tags.
C. Outline of the Dissertation
Since improved cryptographic processors are the most important topic, this dissertation is
organized around it, with the others presented in later chapters.
After this brief introduction, this dissertation proceeds with chapter II, the background
material on security, cryptography, algorithms and architectures for existing
cryptographic processors. Next, two versions of an improved cryptographic processor are
described in detail in chapter III. Then in chapter IV, those processors are tested and
compared with others from the literature. Then developing from the background on
security, the discussion turns to the secure protocol in chapter V. Finally in chapter VI,
power management is discussed before closing with a conclusion and bibliography.
II. Background
Extensive research in security for Radio Frequency Identification (RFID) has already been carried out by others. The study of security and cryptography has been important for millennia, but its application to ubiquitous systems, such as RFID, is relatively recent.
Still, the study of security for RFID was preceded by the study of security for smartcards, such as credit cards with a memory component linked electrically to a reader.
In this chapter, the background on security and cryptography for RFID is discussed to
provide the context for the cryptographic processor designs to come in following
chapters. The discussion begins with the general security problems for RFID tags in the
consumer environment, and then establishes the need for a secure protocol and a cryptographic solution. The chapter continues with the mathematical background of
elliptic curve cryptography for small systems and concludes with a summary from the
literature of recent work in computer architecture for cryptographic processors suitable
for RFID tags.
A. Security
1. Product Identification
In the 1970s, barcode technology was developed to make product identification more
efficient [1]. One of the most important code systems was the Universal Product Code
(UPC). Today barcodes based on UPC adorn the labels on almost all retail products in the
developed world.
RFID is a technology that has evolved with falling semiconductor prices and power
requirements. Low-cost RFID tags now include modest computing capability using
power coupled by antenna from the reader. When tag prices reach a sufficiently low
price, perhaps $0.05, RFID systems will become a viable replacement for barcodes.
In the past decade, important contributions to the application of product identification
with RFID systems were made at the Auto-ID Lab at Massachusetts Institute of
Technology, including the development of the Electronic Product Code (EPC). In 2003,
the Lab was spun off into the industry organization EPCglobal.
Optically read barcodes require a line of sight and cannot pass through most packaging.
The moniker “RFID” designates systems that operate over a wide range of frequencies,
from MHz to GHz [2]. The lower frequencies are less directional and have a greater
ability to pass through packaging material. Higher frequency RFID systems operate on the principles of radar, using reflected waves. Optically read barcode systems operate at
the frequencies of visible light, ~10¹⁵ Hz. A typical low-cost RFID system operates at
~10⁷ Hz, which is far less directional and more easily passes through packaging material.
Because barcode systems require a line of sight, they require more handling. Items must
be separated and turned to find the barcode and put it in view of the reading device. In
point-of-sale applications, this is manual labor. RFID systems promise to avoid much of
this although the seller will still need evidence that items are properly tagged. If items can
be easily identified at point of sale, they can be identified as easily all the way up the
supply chain. Shipments transferred between manufacturer, retailer, and reseller can be
verified easily and accurately.
As the cost of semiconductor fabrication continues to fall, RFID systems will overtake
and replace barcodes as the principal method of product identification.
2. Privacy and Business Intelligence Risks
Unfortunately, RFID introduces privacy risks for consumers and intelligence risks for
businesses [3]. Simple RFID tags can be read from anywhere within the interrogation
range of a reader. The consumer risks divulgence of personal information such as the
products, clothing, books and videos he or she is carrying. The consumer also risks being
tracked. Businesses risk divulgence of quantities and suppliers of materials purchased and
customers of products sold. All risk targeting via RFID tags.
Targeting is the problem in which a thief can identify more valuable items and therefore
devotes greater effort to steal them. For example, a thief might rob a home if an RFID tag on an expensive television can be read through an outside wall. Of course the thief would
have to know how to interpret the product code read from the tag.
Tracking is the problem in which a spy or stalker can monitor the movements of a person
from the products the person carries. In this case, the spy does not know or care about the
product code, but knows the tag will transmit the same code every time. The spy can
position a reader to indicate when a person is near the reader by identifying the tag or
constellation of tags the person usually carries.
These risks to consumers and businesses are inherent problems of RFID technology. The
ability of tag and reader to communicate through materials, without a line of sight is a
double-edged sword. The benefits and risks of RFID cannot be easily separated by, for example, limiting range to reduce risk without also reducing the system’s effectiveness.
A technological solution to these privacy problems is beyond the current state of the art.
Present tags lack the computing capability to simply implement a command to disable the tag. This and other solutions are being developed but the cryptographic capabilities
necessary for robust security will require an increase of orders of magnitude in circuit
complexity.
Without a technological solution, society must solve these problems through public
policy. These solutions include guidelines by industry and government groups for RFID
system deployment and use of information.
Since the technology has entered the public arena in a flawed form, consumer confidence
has suffered. In 2003, at a Wal-Mart store in Broken Arrow, Oklahoma, customers were
viewed by hidden camera while they used Procter & Gamble products with RFID tags.
Press accounts of the ill-conceived market research study embarrassed both companies,
causing them to suspend RFID development.
Privacy advocates have formulated a bill of rights for consumers including rights of
(1) notice of the presence of RFID tags, (2) removal or deactivation of tags at point of
sale, (3) alternatives to tagged products without economic penalty, (4) notice of uses of
RFID information, and, (5) timely notice of tag reading.
These privacy problems will be resolved by legislation unless and until RFID technology
evolves to correct them.
3. Consideration of Other Methods
For the most part, RFID security today relies on the unsound principle of security by obscurity. Most of this obscurity is unintentional. There are a variety of tag frequencies, modulation and coding techniques for a relatively small number of tags, (mere billions today). Gathering RFID information is impractical now, but this will change as tag technology becomes standardized and tags more widespread.
RFID security has also depended on limited read range but this is based on unsound assumptions of radio frequency noise around a tag.
RFID systems have also relied on the physical difficulty of reverse engineering a tag but
with a sufficiently large effort, all tags of the same architecture can be compromised.
If radio waves can pass through some materials, they can also be blocked and interfered
with. The simplest way to prevent RFID tags from communicating is to enclose them in a
Faraday cage such as a foil envelope or metalized tape. This low-tech solution can be
impractical for a tag embedded in clothing and other materials or when the location of the
tag is unknown.
A novel solution is the blocker tag, designed to transmit an interfering signal especially to
confound the singulation process, in which a reader isolates one of many tags in its
interrogation zone [4]. But if a reader does not follow the singulation protocol, the
blocker tag’s strategy may be defeated. Also the blocker needs to be designed to work
with the same frequency and modulation method of the tag to be blocked.
Both the Faraday cage and blocker tags have the weakness of being negative solutions.
There is no evidence that they are working unless the tag is brought within interrogation range of a suitable reader and the reader fails to read the tag, which still does not prove that another reader in another orientation would not read the tag.
The processing capabilities of RFID tags can be exploited to implement a simple command which effectively destroys the tag [5]. Although it can be difficult to prove that a tag has been disabled, a tag can send confirmation to the issuer of the kill command.
The kill command requires additional processing capability in the tag to implement password protection against unauthorized use of the command that effectively destroys the tag. The kill command password must be a carefully guarded secret, though typically the same password is embedded in many tags. Killing is a one-shot operation, at point of sale. It offers no security against business intelligence risks upstream in the supply chain, and no RFID benefit at all after the sale.
More sophisticated software solutions include novel methods of implementing password protection on tags with very little computing power. One scheme uses a set of pairs of pseudonyms (IDs) and keys (passwords) [6].
Hash-locking is a scheme that uses a one-way hash function to produce a metaID that obscures the tag’s real ID while providing an index to find the tag’s ID in a database [7].
The tag challenges with the metaID and the reader must respond with the ID to unlock the tag. The ID acts as a password. The metaIDs are vulnerable to tracking, unless they are randomized, which defeats their usefulness as database indices.
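The hash-locking exchange just described, carried out end to end in Python as an added illustration that is not part of this dissertation or of the cited scheme's reference implementation. The class and function names, the choice of SHA-256 as the one-way hash and the sample identifiers are all assumptions; the tag stores only its real ID and metaID = h(key), the back-end database is indexed by metaID, and the final function shows the tracking weakness noted above, namely that an observer who never learns the key still sees the same metaID on every query.

```python
import hashlib
from typing import Dict, Optional, Tuple


def h(data: bytes) -> bytes:
    """One-way hash used to form the metaID (SHA-256 chosen here as an assumption)."""
    return hashlib.sha256(data).digest()


class HashLockTag:
    """Tag holding its real ID and metaID = h(key); the key itself is not stored."""

    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id = tag_id
        self.meta_id = h(key)

    def challenge(self) -> bytes:
        # The tag answers every query with the same metaID.
        return self.meta_id

    def unlock(self, key: bytes) -> Optional[bytes]:
        # The key acts as a password: release the ID only if h(key) matches.
        return self.tag_id if h(key) == self.meta_id else None


class BackEndDatabase:
    """Reader-side database indexed by metaID, as the scheme requires."""

    def __init__(self) -> None:
        self._by_meta_id: Dict[bytes, Tuple[bytes, bytes]] = {}

    def enroll(self, tag_id: bytes, key: bytes) -> None:
        self._by_meta_id[h(key)] = (key, tag_id)

    def key_for(self, meta_id: bytes) -> Optional[bytes]:
        entry = self._by_meta_id.get(meta_id)
        return entry[0] if entry else None


def authorized_read(tag: HashLockTag, db: BackEndDatabase) -> Optional[bytes]:
    """Full exchange: tag sends metaID, reader looks up the key, tag unlocks with it."""
    key = db.key_for(tag.challenge())
    return None if key is None else tag.unlock(key)


def is_trackable(tag: HashLockTag, queries: int = 5) -> bool:
    """An observer with no key sees an identical metaID on every query."""
    return len({tag.challenge() for _ in range(queries)}) == 1


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    db = BackEndDatabase()
    tag = HashLockTag(tag_id=b"EPC-sample-0001", key=b"tag-secret-key")
    db.enroll(b"EPC-sample-0001", b"tag-secret-key")
    print(authorized_read(tag, db))
    print(is_trackable(tag))
```

Randomizing the metaID would break `is_trackable`, but it would equally break `BackEndDatabase.key_for`, which is exactly the tension the text points out: the metaID cannot serve both as a stable database index and as an untrackable identifier.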
Protocols based on pseudonyms and hash-locking depend on shared secrets between tags
and databases. Information about every tag must be maintained indefinitely. In order to
prevent tracking, exhaustive searches of tag records are required, so these schemes do not
scale well. The burden cannot be alleviated by delegation unless the delegate is given a copy of the tag secrets [8].
The identity of a tag can be held in a central database rather than the tag itself. If a tag responds only with encrypted, nonced messages, its identity will remain hidden from the reader. Unlike a low-power, isolated tag, the central database enjoys plenty of power, storage, and network bandwidth and so can detect and refuse communication with unauthorized (rogue) readers. In effect, the problem of privacy can be delegated to the central database if the tag has the minimum capabilities of cryptography and random number generation.
A central database, however, has some drawbacks: (1) there is a communication bottleneck to the database, with some substantial fraction of the world’s tags contacting it; (2) the database is a potential single point of failure, so needs to be redundant, distributed and secure; and (3) a central database is the antithesis of consumer privacy, replacing fear of strangers reading tags with fear of Big Brother reading tags.
A nonce is a random number that is encrypted into a message to prevent tracking and replay attacks. If a tag generates the same message every time it is queried, it is easily tracked. Even if the tag generates a sequence of messages, a malevolent reader could query the tag repeatedly, so the sequence needs to be long. A tag needs the ability to
generate a series of random bits that can be formed into a random number so that it is not practical to read out all nonced messages.
Nonces are also needed to ensure that communication is fresh and not a replay attack. A tag or reader generates such a nonce and insists that the other use it in encrypted form in subsequent messages to demonstrate the capability to include it in an encrypted message.
An encrypted nonce can be used as the basis of a session key.
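The nonce-based freshness check described in the preceding paragraphs, written out in Python as an added example that is not part of this dissertation. Both sides of the exchange are shown: the tag issues a fresh nonce, the reader must return a proof bound to that nonce, and a proof recorded from an earlier exchange is rejected. The names, the use of an HMAC over a shared key in place of "encrypted form" and the derivation of a session key from the nonce are assumptions; the tag consumes its nonce on every attempt, so a stale proof can never match.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def keyed_proof(key: bytes, nonce: bytes) -> bytes:
    """Reader's proof that it holds the key and saw this nonce (HMAC stands in for encryption)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def session_key(key: bytes, nonce: bytes) -> bytes:
    """Per-exchange session key derived from the nonce (derivation is an assumption)."""
    return hmac.new(key, b"session|" + nonce, hashlib.sha256).digest()


class NoncedTag:
    """Tag that issues a fresh nonce and accepts only a keyed proof over that nonce."""

    def __init__(self, tag_id: bytes, shared_key: bytes):
        self._tag_id = tag_id
        self._key = shared_key
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        # Fresh random bits for every query; the tag must be able to generate these.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def respond(self, proof: bytes) -> Optional[bytes]:
        # The nonce is consumed whether or not the proof is good, so a second
        # attempt always needs a new challenge and a new proof.
        nonce, self._pending = self._pending, None
        if nonce is None:
            return None
        expected = keyed_proof(self._key, nonce)
        return self._tag_id if hmac.compare_digest(proof, expected) else None


def legitimate_read(tag: NoncedTag, key: bytes) -> Optional[bytes]:
    """Reader that holds the key: answers the current nonce and gets the ID."""
    nonce = tag.challenge()
    return tag.respond(keyed_proof(key, nonce))


def replayed_read(tag: NoncedTag, recorded_proof: bytes) -> Optional[bytes]:
    """Reader that recorded an earlier proof but lacks the key: the tag issues a
    new nonce, so the old proof no longer matches."""
    tag.challenge()
    return tag.respond(recorded_proof)


def run_exchange() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Constructed scenario: one legitimate read, then a replay of its proof."""
    key = b"constructed-shared-key"
    tag = NoncedTag(b"EPC-sample-0002", key)
    nonce = tag.challenge()
    proof = keyed_proof(key, nonce)
    first = tag.respond(proof)          # ID released
    second = replayed_read(tag, proof)  # None: proof bound to the old nonce
    return first, second


if __name__ == "__main__":
    print(run_exchange())
```

The same structure works in the other direction (reader-issued nonce, tag-supplied proof) to protect the reader from a tag replaying IDs, since `keyed_proof` is symmetric in who computes it.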
A certificate is a message signed by a trusted party or certificate authority (CA). A certificate contains a plaintext and a signature which is the plaintext (or one-way hash of the plaintext) encrypted backwards, using the CA’s private key. Anyone can decrypt this message using the CA’s public key, proving the CA endorsed the plaintext message, which might say that the public key for a particular reader is trustworthy. Without trusting the reader in advance and without the means to communicate with any other reader, a tag receiving such a certificate would know that the reader had gotten approval from the CA.
A certificate establishes trust but cannot revoke it. If a reader is stolen and operated by an unauthorized party, the reader will still have the certificate from the CA. In a typical network, a node could get a list of revoked certificates or periodically contact the CA via a different network route; however, because a tag is an isolated node, these alternatives may be unavailable or the tag may be spoofed.
In order to make certificates revocable, they could be time limited if tags have their own time sources, which would preclude passive tags. Measuring time with any accuracy
requires a crystal oscillator, which consumes too much power (~1 µW). Quartz crystals may be too brittle for product tags or require too much space to protect them from
physical shock.
4. Network Security
The problem of privacy in RFID is similar to that of a laptop computer in a Wi-Fi
network, except that the resources available to an RFID tag are orders of magnitude
smaller. A battery-less (passive) tag has energy coupled to it from a reader, but the tag is
an independent digital circuit. Assuming the tag has sufficient capability to be called a
processor, the tag is an independent processor. When a tag is interrogated by a reader, the reader and tag share a communication link. A reader typically is linked to a local area
network (LAN), though not necessarily contemporaneously with the link to the tag.
Therefore, a tag fits the model of a network node, so ideas of network security directly apply [9]. But to be economical for the application of product identification, RFID tags must be network nodes of extremely low computational power.
A second disadvantage of product identification tags, compared to larger networked systems, is that tags are isolated network nodes. A tag’s access to the outside world is usually at the pleasure of a single reader. Moreover, there is no human operator who might balk at a suspicious contact from a reader. A tag without an operator is expected to
communicate with readers that the tag cannot independently authenticate. A tag is,
therefore, vulnerable to spoofing and replay attacks.
Spoofing is the problem in which an impostor creates a simulated environment in order to
gain the victim’s confidence so the victim reveals a secret. To protect the privacy of the
holder of an RFID tag, the tag must not reveal its ID to an untrusted party, an
unauthenticated reader. But the tag is dependent on the reader for all the tag’s
communication. A reader can spoof a tag if the reader can send legitimate looking messages.
A replay attack is a simple trick in which a message from a trusted party is recorded by an intruder and later played back to mimic the trusted party. A tag password, for example, might be replayed by a reader to defeat tag security. Readers are also vulnerable to replay attacks from tags. For example, one tag could pretend to be many by transmitting a series of IDs.
5. Security Through Cryptography
Modern computer security is based on cryptography. A plaintext message along with an encryption key are input to an encryption algorithm that produces a ciphertext which is sent on the channel to the rightful receiver and possibly an eavesdropper, who also has the decryption algorithm. Kerckhoffs’ Principle states that security should come from the secrecy of the keys, not the secrecy of the algorithm, because keys are much easier to replace.
Simpler encryption algorithms use symmetric keys, where the encryption and decryption keys are related; however, in an asymmetric key cryptographic system, a decryption key cannot be deduced from an encryption key. An asymmetric key system is like giving
open lock-boxes to your friends. They can put secret messages in the boxes and lock
them (encryption) and send them to you. Only you can open the boxes using your key
(decryption). Your enemies cannot open the boxes. In fact, your friends cannot open them
either. The encryption key is public and openly disseminated. The decryption key is
private and never disseminated.
Rivest-Shamir-Adleman (RSA) cryptography is the original practical algorithm for
asymmetric key cryptography [10]. It is based on multiplication and specifically on the
difficulty of factoring large prime numbers. RSA is the de facto standard asymmetric
system for internet security. For example, it is the basis of the handshaking stage of the
secure socket layer (SSL) protocol. Once two parties share a secret, however, symmetric
key systems are more efficient.
Elliptic curve cryptography (ECC) is an asymmetric key system based on elliptic curves
in finite fields. The mathematical operations for ECC are simpler than integer
multiplication. Consequently ECC implementations are more efficient than RSA in terms
of key length and circuit area [11]. Both of these systems depend on the difficulty of
certain mathematical operations that have been studied for centuries. There is no
mathematical proof that there is no shortcut solution to either of these problems.
The RSA system encrypts a plaintext, m, with an encryption exponent, e, to produce a ciphertext, c, which in turn can be decrypted with a decryption exponent, d, so c = mᵉ and m = cᵈ. But d cannot be deduced from e. So e is disseminated and d is used to decode messages that are received. In ECC, a shared secret can be established by a combination of sender and receiver keys using Diffie-Hellman key exchange. The parties select
exponents, a and b, which are applied to a publicly known generator, g. The parties
disseminate gᵃ and gᵇ, respectively. Upon receipt, each applies his own exponent, resulting in the shared secret, gᵃᵇ. Typically, an ECC message needs two encryptions to
pass one secret. In this system, a and b cannot be disseminated because a⁻¹ and b⁻¹ can be deduced from each of them, respectively. Although RSA is the more efficient in terms of the number of cryptographic operations, the resources required for each operation are much larger and therefore ECC is more economical overall. So herein the discussion proceeds with the assumption that an asymmetric cryptographic system is required but decryption exponents can be deduced from encryption exponents.
The difficulty, or computational complexity, of decoding encrypted messages without benefit of the decryption key is due to the existence of an efficient squaring operation in these cryptographic systems. For example, to get the tenth code in the sequence xⁿ, given x, requires three squaring operations (which yield x², x⁴, and x⁸) and one multiply, x⁸·x².
Without knowledge that the tenth code was used, a cryptanalyst would have to try x¹, x², …, x¹⁰, requiring nine multiplies. The difference is more dramatic with longer keys. The strength of these cryptographic systems is that they are exponentially harder to
break than they are to use as intended. This is known as the discrete logarithm problem.
Hereinafter, cryptographic operations will be written in the customary ECC notation in which encryption is represented in the notation of multiplication, rather than RSA notation, in which exponentiation is the natural choice. The ECC notation represents
point multiplication and has the multiplier, in lower-case, to the left of the generator, in
upper-case: a⋅G, b⋅G and a⋅b⋅G, as this is less cumbersome. For example, the weakness of
ECC, that a⁻¹ can be deduced from a, implies that x⋅G can be deduced from a⋅x⋅G and a
because x⋅G = a⁻¹⋅a⋅x⋅G.
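The operation count behind the squaring argument and the Diffie-Hellman exchange above, worked through in Python as an added example that is not part of this dissertation. It uses the multiplicative (RSA-style) notation of the discussion rather than the point-multiplication notation adopted hereinafter, over a deliberately small toy prime field so that the brute-force search terminates; the modulus, generator and exponents are constructed values with no cryptographic strength. `power_by_squaring` reports how many squarings and multiplies it spent, so the tenth power costs three squarings and one multiply while the trial search for the exponent costs nine multiplies, exactly as stated in the text.

```python
from typing import Callable, Tuple

P = 2_147_483_647   # 2^31 - 1, a prime; constructed toy parameter, far too small for real use
G = 7               # generator for the toy exchange (assumed; any element of large order works)


def mul_mod(u: int, v: int, p: int = P) -> int:
    """The group operation: multiplication modulo p."""
    return (u * v) % p


def power_by_squaring(x: int, n: int,
                      mul: Callable[[int, int], int] = mul_mod) -> Tuple[int, int, int]:
    """Compute x^n from the powers x, x^2, x^4, ... selected by the bits of n.
    Returns (x^n, number of squarings, number of multiplies)."""
    result = None
    power = x                      # x^(2^i) for the bit position currently examined
    squarings = multiplies = 0
    while n:
        if n & 1:
            if result is None:
                result = power     # first selected power needs no multiply
            else:
                result = mul(result, power)
                multiplies += 1
        n >>= 1
        if n:                      # no squaring needed past the top bit
            power = mul(power, power)
            squarings += 1
    return result, squarings, multiplies


def brute_force_log(g: int, y: int, max_k: int = 1 << 20,
                    mul: Callable[[int, int], int] = mul_mod) -> Tuple[int, int]:
    """Trial multiplication g, g^2, g^3, ... until g^k == y.
    Returns (k, multiplies used); the cost grows linearly in k, not in log k."""
    k, acc, multiplies = 1, g, 0
    while acc != y:
        if k >= max_k:
            raise ValueError("exponent not found within max_k")
        acc = mul(acc, g)
        k += 1
        multiplies += 1
    return k, multiplies


def diffie_hellman(a: int, b: int, g: int = G) -> Tuple[int, int, int, int]:
    """Both halves of the exchange: the published g^a and g^b, then each party's
    computation of the shared secret g^(ab) from the other's value."""
    ga, _, _ = power_by_squaring(g, a)
    gb, _, _ = power_by_squaring(g, b)
    shared_a, _, _ = power_by_squaring(gb, a)   # holder of a applies it to g^b
    shared_b, _, _ = power_by_squaring(ga, b)   # holder of b applies it to g^a
    return ga, gb, shared_a, shared_b


if __name__ == "__main__":
    print(power_by_squaring(3, 10)[1:])          # (3, 1): squarings, multiplies
    print(brute_force_log(G, pow(G, 10, P)))     # (10, 9)
    ga, gb, sa, sb = diffie_hellman(123456, 654321)
    print(sa == sb)
```

With a real-sized exponent the gap between the two counts is what the text calls exponential: `power_by_squaring` spends about as many operations as the exponent has bits, while `brute_force_log` spends about as many as the exponent's value.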
B. Elliptic Curve Cryptography
1. Galois Fields
Galois field mathematics is written in a notation and is carried out with operations
distinct from ordinary math and elliptic curve math.
A Galois, or finite, field is a finite set and two operations, + and ×, each of which forms
an abelian group over the set, except that there is no x such that 0 × x = 1, if 0 and 1 are the + and × identities. Also, the distributive law of × over + holds [12]. The extension field, GF(pᵐ), can be represented as the polynomials of degree m − 1, a(x), where each coefficient, aᵢ ∈ Zₚ, and the operations + and × are performed modulo a reduction
polynomial, f(x), and modulo p for each aᵢ.
Of particular interest are fields of characteristic two, p = 2, in which an element,
a = {aᵢ ∈ {0, 1}, 0 ≤ i < m}, is a bit vector. Polynomial addition is addition of the
coefficients of similar degree:
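The GF(2ᵐ) arithmetic defined in this section, implemented in Python as an added example that is not part of this dissertation and not a model of its processors. Elements are bit vectors held in Python integers; addition is a single XOR, multiplication is bit-serial most-significant-bit-first with reduction interleaved, squaring spreads the coefficients to even degrees before reducing, and inversion uses a^(2ᵐ − 2). The degree m = 11 is taken from the dissertation's figures, but the reduction polynomial f(x) = x¹¹ + x² + 1 is an assumption (a standard low-weight irreducible trinomial of that degree); the last function checks that assumption by confirming every nonzero element has an inverse.

```python
M = 11                             # field degree, as in the dissertation's m = 11 figures
F = (1 << 11) | (1 << 2) | 1       # f(x) = x^11 + x^2 + 1, assumed irreducible


def gf_add(a: int, b: int) -> int:
    """Coefficient-wise addition modulo 2 is one XOR of the bit vectors."""
    return a ^ b


def gf_reduce(s: int, m: int = M, f: int = F) -> int:
    """Reduce a polynomial of degree at most 2m - 2 modulo f(x)."""
    for i in range(2 * m - 2, m - 1, -1):
        if (s >> i) & 1:
            s ^= f << (i - m)      # cancel the x^i term with x^(i-m) * f(x)
    return s


def gf_mul(a: int, b: int, m: int = M, f: int = F) -> int:
    """Bit-serial, most-significant-bit-first multiply with interleaved reduction."""
    r = 0
    for i in range(m - 1, -1, -1):
        r <<= 1                    # r = r * x
        if (r >> m) & 1:
            r ^= f                 # degree m reached: subtract (XOR) f(x)
        if (b >> i) & 1:
            r ^= a                 # add a(x) for this coefficient of b(x)
    return r


def gf_sqr(a: int, m: int = M, f: int = F) -> int:
    """Squaring in characteristic two: (sum a_i x^i)^2 = sum a_i x^(2i), then reduce.
    The cross terms vanish because 2 = 0, which is why a dedicated squarer is cheap."""
    spread = 0
    for i in range(m):
        if (a >> i) & 1:
            spread |= 1 << (2 * i)
    return gf_reduce(spread, m, f)


def gf_inv(a: int, m: int = M, f: int = F) -> int:
    """Inverse as a^(2^m - 2), by square-and-multiply over the exponent's bits."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in the field")
    result, base, e = 1, a, (1 << m) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base, m, f)
        base = gf_sqr(base, m, f)
        e >>= 1
    return result


def all_invertible(m: int = M, f: int = F) -> bool:
    """True exactly when f(x) is irreducible: every nonzero element then has an inverse."""
    return all(gf_mul(a, gf_inv(a, m, f), m, f) == 1 for a in range(1, 1 << m))


if __name__ == "__main__":
    print(hex(gf_mul(1 << 10, 2)))   # x^10 * x = x^11 = x^2 + 1 mod f(x)
    print(all_invertible())
```

The identity `gf_sqr(a ^ b) == gf_sqr(a) ^ gf_sqr(b)` holds in every characteristic-two field and is a quick sanity check on any squarer implementation; `all_invertible` is only practical at small m, but it is the test that would expose a reducible f(x).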