EPCBC - A Block Cipher Suitable for Electronic Product Code ...

More documents

Recommendations

Info

4n-bit. Their key scheduling algorithms produce 4n-bit round keys from an 80-bit master key. In this paper, for ease of reference, we shall name the generalized PRESENT block cipher with block size n bits as “PR-n”. PRESENT only has 64-bit block size and this may not be suitable for applications which require lightweight encryption on a larger block size. One example is the upcoming Electronic Product Code (EPC), which is thought to be a replacement for bar codes using low-cost passive RFID-tags, and in its smallest form uses 96 bits as a unique identifier for any physical item [22]. A smaller block size of 64 bits (e.g. PRESENT) requires two consecutive encryptions. On the other hand, the use of a larger block size of 128 bits (e.g. AES) results in a truncation to 96 bits which wastes internal state and effort. Our intention is thus to design a lightweight and efficient 96-bit block cipher for EPC encryption which has huge market implications, and at the same time improves previous analysis of PRESENT for increased confidence in security. We propose two variants of EPCBC: EPCBC(48,96) which has 48-bit block size and 96-bit key, and, EPCBC(96,96) which has 96-bit block size and 96-bit key. EPCBC(48,96) uses the PR-48 design for the main cipher structure and for the key schedule, it uses an 8-round variant-Feistel structure with 4round PR-48 as the nonlinear function. EPCBC(96,96) uses the PR-96 design both for the main cipher structure and the key schedule. The security of EPCBC(96,96) against DC and LC relies on that of PR-96 cipher structure. The DC and LC bounds can easily be inferred from that of PRESENT [10], because the results of PRESENT applies to PR-n for any n ≥ 64. Our contribution for the analysis of EPCBC(96,96) is that we improve on the bounds of [10]. This allows us to deduce DC and LC bounds of EPCBC(96,96) which are tighter than the bounds obtained by applying the results of [10]. However, in proving the security of EPCBC(48,96) against DC and LC, the DC and LC bounds cannot be inferred from that of PRESENT [10] because the block size n = 48 is less than 64. Therefore, we prove new DC/LC bounds for PR-n when n < 64. Using these new bounds, we are able to prove the resistance of EPCBC(48,96) against DC and LC. A recent class of powerful attacks against block ciphers are related-key differential attacks [5,6,4,21] which can break well established standards such as AES-128 and KASUMI. Although the practicality of these attacks is arguable (due to the difficulty in obtaining related keys), resistance against related-key differential attack is especially relevant when these block ciphers are used as hash functions in Davies- Meyer mode (e.g. see [9] and Section 2 of this paper). This is an important issue, since many designer of RFID security protocols assume a lightweight hash function to be available on the tag [1,26,35]. Our customized key schedule design ensures many active S-boxes in the key schedule when there is a nonzero key differential. Consequently and in contrast to PRESENT, we are able to prove resistance against related-key differential attacks for both versions of EPCBC, which enables a secure usage of EPCBC in Davies-Meyer mode as a lightweight hash functions. Further, we show that EPCBC is resistant against currently best known integral cryptanalysis, statistical saturation attack, slide attack, algebraic attack and the latest higher-order differential cryptanalysis from FSE 2011 [11]. On top of this, EPCBC performs well with respect to lightweight applications. In fact, EPCBC(48,96) has a slightly smaller area footprint than PRESENT-80, while at the same time offering a slightly higher speed, resulting in a 20% higher figure of merit (FOM). Our power estimates of 2.21 µW for EPCBC(48,96) and 3.63 µW for EPCBC(96,96) (at 1.8V and 100 KHz) indicate how well EPCBC is suited for ultra-constrained applications, such as passive RFID tags. As another contribution, we present an optimized hardware implementation of PRESENT-80 that is both smaller and faster than previously published results. The remainder of this paper is organized as follows: in Section 2 we briefly recall the Electronic product code before we propose two variants of EPBC in Section 3. Then we improve existing and prove new bounds for generalized PR-n in Section 4, which we will use for the security analysis of EPCBC in
Section 5. Hardware implementation results are presented in Section 6 and finally the paper is concluded in Section 7. 2 The Electronic Product Code - EPC The Electronic Product code (EPC) is an industry standard by EPCglobal, designed to “facilitate business processes and applications that need to manipulate visibility data (i.e. data about observations of physical objects)” [22]. In other words, it is a unique identifier for any physical object. The standard also focuses on EPC class 1 Gen 2 RFID tag [23] as the carrier for the EPC and proposes a 96-bit unique identifier to be stored for low-cost applications. EPCglobal has specified seven application-dependent identification keys for EPC, such as Serialized Global Trade Item Number (SGTIN), Serialized Shipping Container Code (SSCC), or the Global Document Type Identifier (GDTI). These numbers consist at leastofacompanyprefixandauniqueserialnumbercommisionedbythecompany.Someapplicationalso comprise additional mandatory fields such as the document type in the case of GDTI. As a consequence, the length of the serial number varies between 36-bits and 62-bits (note that there are further restrictions on the choice of the serial number such as no leading zeros). An EPC class 1 Gen 2 RFID tag consists of four memory banks: one to store the kill and access passwords of 32-bits each, one for the EPC information, one for the manufacturer information about the tag itself, and one for user data. The tag manufacturer information (TID) may contain a manufacturer ID, a code for the tag model, and a unique serial number, which can be used independently of the EPC. A globally unique identifier for any physical item certainly promises many benefits, such as optimized supply chains. On the other hand it could be a nightmare for privacy, especially since RFID tags could be read out without notion of its owner, and readers can be easily hidden and positioned at highly frequented locations. In this way unique movement patterns of single tags or a selection of tags can be created, which can be used to reveal the identity of their owner. For this reason a wide variety of protocols with the aim of securing privacy have been proposed. Out of these protocols, there are several which use lightweight cryptographic mechanisms with hash functions [46,42,47,26,20]. There are also some protocols which use pseudo-random number generators such as the privacy protocol proposed by Juels in [29]. In particular, Juels proposes a “minimalist” system in which every tag contains and rotates a short list of pseudonyms, emitting a different pseudonym on each reader query. A block cipher is a versatile building-block and, besides encrypting data, can also be used as a oneway function, a pseudo random number generator or a compression function. In a straightforward way one would encrypt the whole 96-bit EPC, but one can also envision different scenarios where a user wants to either hide the serial number or the company’s identity for the sake of privacy. The former may be the case that a book is borrowed from a public library: it is fine for others to know that you borrow a book, but might not be when the book is on cancer treatment. The latter may be the case that a pharmaceutical product is bought: knowing the pharmaceutical company can reveal very sensitive information, while a serial number might reveal no information about the product. A wide variety of lightweight block ciphers optimized for ultra-constrained devices, such as passive RFID tags has been proposed over the last couple of years. Most notably are DESXL [34], KATAN [12], or PRESENT [10] among others. However, none of them has either key or block length that suits the uncommon 96 bits of an EPC and with the proposal of EPCBC in the next section we close this gap. 3 A New Block Cipher Suitable for EPC Encryption: EPCBC We propose two variants of EPCBC: EPCBC(48,96) which has 48-bit block size and 96-bit key, and, EPCBC(96,96) which has 96-bit block size and 96-bit key. (The testvectors are provided in Appendix A.2.)
Page 1: EPCBC - A Block Cipher Suitable for
Page 5 and 6: 4.1 Brief Description of PR-n The d
Page 7 and 8: Theorem 4. Let ǫr be the maximal b
Page 9 and 10: fourth round. The attacker launches
Page 11 and 12: data_out 4 data_in data_out 4 data_
Page 13 and 14: It is noteworthy to stress that EPC
Page 15 and 16: 45. Virtual Silicon Inc. 0.18 µm V
Page 17 and 18: Proof. The result for k = 8 follows

EPCBC - A Block Cipher Suitable for Electronic Product Code ...

Create successful ePaper yourself

Delete template?

Save as template?