



#### Low-cost SHA-1 Hash Function Architecture for RFID Tags

#### Dr. Máire O'Neill (nee McLoone)

Invest 💦

Northern

Ireland



EU Programme for Peace and Reconciliation



Employment

and Learning



- Importance of Security in RFID applications
- Need for research into low-cost hash functions
- SHA-1 Hash Function
- Low-cost 8-bit SHA-1 hardware architecture
- Performance Evaluation
- Suitability for RFID Tags
- Conclusions

#### **ECIT** | Importance of Security in RFID





CULIMATE 551 CU

www.ce.org



Data Security is <u>VITAL</u> for emerging Mobile & Ubiquitous Applications





#### **ECIT** | Importance of Security in RFID

- RFID tags will play a key role in future of mobile and ubiquitous computing
- Feb 2008 EC Draft Recommendation on RFID Privacy and Security stated that:

"RFID applications need to operate in a secure manner" ...

#### and

"Security and privacy by design is important in the early stage of development of RFID applications"



# **ECIT** | Hash Functions

- Hash functions provide data integrity
- When used with digital signature algorithms & MACs they can provide authentication
- A security level of 80-bits deemed adequate for RFID tags
- Hash function with output ≥ 160-bits needed to provide RFID tag security
- Propose to use SHA-1 hash function
- Although weaknesses discovered in SHA-1 only 2<sup>69</sup> operations required to find a collision (Wang *et al.*,05) – RFID tag security may not require collision resistance

### ECIT | Need for low-cost Hash Functions

• Previous research into low-cost SHA-1 designs:

| Design                                 | Area (gates) | Power             |
|----------------------------------------|--------------|-------------------|
| Feldhofer & Rechberger                 | 8120         | 35.24 µW @ 100kHz |
| Kaps & Sunar ( <i>partial design</i> ) | 4276         | 26.73 µW @ 500kHz |
| Satoh & Inoue                          | 7971         | None provided     |
| Choi <i>et al.</i>                     | 10641        | 19.5 µW @ 100kHz  |

 Area of these designs still too large to provide security in current RFID tags

# **ECIT** | Need for low-cost Hash Functions

- Low-cost designs of digital signature algorithms that incorporate SHA-1 have also been investigated:
   eg. ECDSA, EC Optimal El Gamal Signature scheme
- Many new security protocols proposed for RFID applications include hash functions
- Therefore, research is required into the design of:
  - New low-cost hash function algorithms;

-Highly optimised architectures of existing hash functions

# **ECIT** | SHA-1 Hash Function

- SHA-1 was proposed by the US NIST in 1995
- Operates on a message of length <2<sup>64</sup> in 512-bit blocks
- Produces a 160-bit message digest
- Comprises 3 steps:
  - Message pre-processing
  - Message schedule
  - Hash computation

## **ECIT** | SHA-1 Hash Function

- Message pre-processing:
  - Padding the message to a length  $\equiv$  448 mod 512;
  - Appending the message length as a 64-bit number;
  - Parsing the padded message into *N* 512-bit data blocks
- Message schedule:
  - Generation of 80 32-bit values,  $W_t$ :

$$W_t = \begin{cases} Message_t & 0 \le t \le 15\\ ROT_{LEFT_1}(W_{t-3} \oplus W_{t-8} \oplus W_{t-14} \oplus W_{t-16}) & 16 \le t \le 79 \end{cases}$$



### **ECIT** | SHA-1 Hash Function

• Hash computation:

$$T = ROT_{LEFT_{5}}(a) + F_{t}(b, c, d) + e + K_{t} + W_{t}$$

$$e = d$$

$$d = c$$

$$c = ROT_{LEFT_{30}}(b)$$

$$b = a$$

$$a = T$$

$$K_{t} = 5a827999 \quad 0 \le t \le 19$$

$$K_{t} = 6ed9eba1 \quad 20 \le t \le 39$$

$$K_{t} = 8f1bbcdc \quad 40 \le t \le 59$$

$$K_{t} = ca62c1d6 \quad 60 \le t \le 79$$

$$F_t(b,c,d) = \begin{cases} (b \text{ AND } c) \text{ OR } (\bar{b} \text{ AND } d) & 0 \le t \le 19 \\ b \oplus c \oplus d & 20 \le t \le 39 \\ (b \text{ AND } c) \text{ OR } (b \text{ AND } d) \text{ OR } (c \text{ AND } d) & 40 \le t \le 59 \\ b \oplus c \oplus d & 60 \le t \le 79 \end{cases}$$

### **ECIT** | Low-cost 8-bit SHA-1 Architecture

- SHA-1 algorithm intrinsically designed to be implemented on a 32-bit platform:
  - Logical function,  $F_t$ , and rotate functions operate on 32-bit words
  - Addition is performed modulo 2<sup>32</sup>
- All previous research into low-cost SHA-1 designs have employed a 32-bit architecture
- Proposal is to design an 8-bit low-cost SHA-1 architecture => modify the 32-bit oriented operations to be performed in 8-bit blocks

# **ECIT** | 8-bit SHA-1 Message Schedule

• For 8-bit design, SHA-1 Message Schedule can be rewritten as:



#### ECIT | 8-bit SHA-1 Message Schedule

32-bit input, x = 11100001 01100010 01100011 01100100  $ROT_{left1}(x) = 11000010$  11000100 11000110 11001001 x3 x2 x1 x0

| Cycle | Input<br>O Register A | W63               | W62       | W61       | <i>W60/</i><br>Output |
|-------|-----------------------|-------------------|-----------|-----------|-----------------------|
| 1     | <i>x</i> 0:0110 0100  | 1100 100 <u>0</u> | 1100 1000 | 1100 1000 | 1100 100 <u>1</u>     |
| 2     | x1:0110 0011          | 1100 0110         | 1100 0110 | 1100 0110 | 1100 0110             |
| 3     | x2:0110 0010          | 1100 0100         | 1100 0100 | 1100 0100 | 1100 0100             |
| 4     | x3: 1110 0001         | 1100 0010         | 1100 0010 | 1100 0010 | 1100 0010             |

### **D** ECIT | **8-bit SHA-1 Hash Computation**

- 32-bit *a* to *e* considered as 8-bit *a0, a1, a2, a3* to *e0, e1, e2, e3*
- Hash computation:



#### **ECIT** | 8-bit SHA-1 Hash Computation







### **ECIT** | **8-bit SHA-1 Final Addition**

- To perform final addition:
  - As initial 8-bit a0, a1, a2, a3 to e0, e1, e2, e3 are input into shift register array they are also stored in a register array memory
  - After 80 iterations, o/p of register e3 added to 8-bit register array output (carry used to ensure correct result)
- Cycle count:
  - 8-bit hash computation takes 320 clock cycles
  - Output of message schedule not available for 4 cycles
  - 160-bit hash result is output in 8-bit blocks over 20 cycles
- => Overall 8-bit SHA-1 architecture takes 344 clock cycles

### **ECIT** | **Performance Evaluation**

- Implementation: Faraday UMC 180nm & 130nm CMOS libs
- Synthesised: Synopsys Physical Compiler
- Power consumption: Synopsys PrimeTime PX
- Power consumption calculated as:

 $P_{max} = P_{ave} + 2 * StdDev$ 

for a set of randomly generated input values

## **ECIT** | **Performance Evaluation**

Area utilised by 8-bit SHA-1 Architecture

| Component        | Area<br>0.13 µm (gates) | Area<br>0.18 μm (gates) |
|------------------|-------------------------|-------------------------|
| Hash computation | 2751                    | 3160                    |
| Message schedule | 2655                    | 2831                    |
| Control logic    | 121                     | 131                     |
| Total            | 5527                    | 6122                    |

*Note:* Area can vary by  $\approx 10\%$  across different technologies

## **ECIT** | **Performance Evaluation**

#### Comparison with previous research

| Design                                  | Area (gates)             | Power Cons (uW)<br>@100 kHz | Timing<br>(cycles) |
|-----------------------------------------|--------------------------|-----------------------------|--------------------|
| This work: 8-bit SHA-1<br>(0.13um/1.2V) | 5527                     | 2.32                        | 344                |
| This work: 8-bit SHA-1<br>(0.18um/1.8V) | 6122                     | 13.6                        | 344                |
| Feldhofer & Rechberger<br>(0.35um/3.3V) | 8120                     | 35.24                       | 1274               |
| Kaps and Sunar<br>(0.13um/1.2V)         | 4276<br>(partial design) | 26.73<br>@500 kHz           | 405                |
| Choi <i>et al.</i><br>(0.25um)          | 10641                    | 19.5                        | 330                |
| Satoh & Inoue<br>(0.13um)               | 7971                     | None<br>provided            | 85                 |

# **ECIT** | Suitability for RFID Tags

#### • RFID Tag Limitations:

| Area         | Power                           |                                 | Timing                                            |
|--------------|---------------------------------|---------------------------------|---------------------------------------------------|
| ≈ 3000 gates | 18 μW<br>( <i>0.13μm/1.2V</i> ) | 27 μW<br>( <i>0.18μm/1.8V</i> ) | 1800 clock cycles ( <i>interleaved protocol</i> ) |

- Proposed 8-bit SHA-1 design meets power & timing & is within reach of area limitations
- In RFID tags, silicon area significantly impacts cost
   => security design area overhead <u>must</u> be kept to minimum
- Proposed architecture is *smallest* full SHA-1 design to date
- 8-bit design methodology gives overall area saving of 1200 gates



- Hash functions play important role in providing data security
- Will continue to be required in future ubiquitous applications
- Although SHA-1 considered weak in comparison to other hash functions, may remain suitable for some RFID applications
- Proposed a low-cost SHA-1 design based on 8-bit data path
  - 32-bit XOR, AND, NOT & OR  $\rightarrow$  8-bit functions: no logic overhead
  - − 32-bit addition modulo  $2^{32}$  & rotate functions → 8-bit functions: minimal control logic overhead
- Results in smallest SHA-1 design reported to date
- Meets RFID tag power and timing limitations & is within reach of area requirement