FPGA Implementation of Mutual Authentication Protocol Using Modular Arithmetic

T.Sadaiyappan¹, K.K.Manoj², S.A.Subhasakthe³

¹PG Scholar, VLSI Design & Bannari Amman Institute Of Technology, India
²PG Scholar, VLSI Design & Bannari Amman Institute Of Technology, India
³PG Scholar, VLSI Design & Bannari Amman Institute Of Technology, India
¹ sadaiyappanee@gmail.com; ² kkm.apt@gmail.com; ³ saktheanand@gmail.com

Abstract— Radio-Frequency Identification (RFID) is a modern technology that utilize radio frequencies to locate the object. In this paper, we study the radio-frequency identification (RFID) tag–reader mutual authentication (TRMA)scheme. Two improved authentication protocols for generating the Pad Gen function are described. In this project, a protocol for RFID tag–reader mutual authentication scheme is proposed which is hardware efficient. Modified MOD scheme is implemented in protocol system to reduce the hardware cost. The proposed mutual authentication protocol with consumes less logic elements and also more secure from external attacks. The proposed protocol is described in Verilog HDL and simulated using Xilinx ISE design suite 14.2.

Keywords— Radio frequency identification; mutual identification

I. INTRODUCTION

Radio-Frequency Identification (RFID) is the use of a wireless non-contact system that uses radio-frequency electromagnetic field to transfer data from a tag attached to an object, for the purposes of automatic identifying objects. The main components of RFID system is tag and reader. The tag is at the heart of the system and consists of a small electronic circuit with an attached silicon chip. A typical reader contains an antenna to transmit information to the tag as well as receive it from the tag. The size and form of the antenna will be dependent on the specific application as well as frequency chosen. RFID is a versatile technology, capable of being used by businesses and the government. For high security purpose, automobile industries like Toyota, Lexus and Audi uses a RFID based car locking system. Sports-using RFID tags to track marathon runners and other sports participants. Ticketing—RFID embedded tickets for major sporting events such as the Tennis.

In the commercial setting, RFID tags contains a Electronic Product Code (EPC) that can uniquely identify each tagged object. The RFID tag stores its unique EPC with related product information inside the tag’s memory and sends these data whenever the reader requests them. The reader reads data from and writes data to tags by distributing the RF signals.
II. BACKGROUND AND RELATED WORK

Generally, in RFID system access password is required before data are exchanged between a reader and a single tag. The access password is a 32 bit value stored in the tag’s reserved memory. If this password is set, then the reader has to have the valid password before the tag will engage in a secured data exchange. These passwords can be used in activating kill commands to permanently shut down tags, as well as for accessing and relocking a tag’s memory.

To codecover data or a password the reader first requests a random number from tag. The reader then performs a bitwise XOR of the data or password with this random number and transmits the cover-coded (also called cipher text) string to the tag. The tag uncovers the data or password by performing a bitwise XOR of the received cover-coded string with the original random number. In addition, the tag conforming to the EPC C1G2 standard can support only a 16-b PRNG and a 16-b CRC checksum that are used to detect errors in the transmitted data [2]. Fig. 1 describes the EPC global C1G2 communication step between a reader and a tag.

The EPC C1G2 specification provides little security [4]. This makes RFID systems vulnerable to cloning attacks as well as password disclosure and information leakage [9]. Recently, Konidala et al. have pointed out the weakness in the EPCC1G2 reader-to-tag authentication protocol and proposed an alternative scheme. In the Konidala et al. [3] authentication scheme, as shown in Fig 3.1, the reader issues a Req_RN command to the acknowledged tag. The tag then generates two 16 bit random numbers, namely, $R_T^1$ and $R_T^2$, and backscatters them with its EPC to the reader. The manufacturer forwards these messages to the reader. The manufacturer matches the received EPC to retrieve the tag’s Access Password (Apwd) and Kill Password (Kpwd) from the back-end database. The manufacturer then generates and stores two 16 bit random numbers, namely, $R_M^1$ and $R_M^2$. The “Cover-Coded Passwords” for the 16 MSBs (CCPwdM1) and the 16 LSBs (CCPwdL1) are computed by the Padgen ($R_T^i, R_M^i$) function for $i = 1, 2$. CCpwdM1, CCpwdL1, and EPC along with four 16 bit random numbers, namely, $R_M^3$, $R_M^4$, $R_M^5$, and $R_M^6$, generated by the manufacturer are transmitted to the reader, which, in turn, forwards them to the tag for verification. To authenticate the tag, the tag generates another two random numbers $R_T^3$ and $R_T^4$ along with the received $R_M^3$ and $R_M^4$, used to compute CCpwdM2 and CCpwdL2 with the Padgen ($R_T^i, R_M^i$) function for $i = 3, 4$. CCpwdM2, CCpwdL2, and EPC along with two 16 bit random numbers, namely, $R_T^3$ and $R_T^4$, are transmitted to the reader, which, in turn, forwards them to the manufacturer for verification.

Fig 1. EPC global C1G2 communication step between a reader and a tag.

Researchers have shown that the Electronic Product Code (EPC) Class-1 Generation-2 (C1G2) specification has serious security problems. To overcome these weaknesses, some authors have proposed a specially designed pad generation (Padgen) function to improve security. The Padgen function is used to produce a cover-coding pad to mask the tag’s access password before the data is transmitted.

In [1], the Padgen function is the key component in constructing the 16 bit pads to cover code the two 16 bit Access Password halves (ApwdM and ApwdL). The pad-generation function retrieves the individual bits of the Apwd and Kpwd from the memory locations by manipulating random numbers and concatenates these bits to form a 16 bit pad. A brief description of the Padgen function is provided in the following. Let us represent the 32 bit Apwd and Kpwd in binary (base 2) as in equation (1) and (2).

\[
\text{Apwd} = a_0a_1a_2a_3 \ldots \ldots a_{31} \quad (1)
\]

\[
\text{Kpwd} = k_0k_1k_2k_3 \ldots \ldots k_{31} \quad (2)
\]
The 16 bit random numbers $R_{Tx}$ and $R_{Mx}$ generated by the tag and manufacturer in hexadecimal (base 16) are in equation (3) and (4).

\[
R_{Tx} = d_1d_2d_3d_4 \tag{3}
\]

\[
R_{Mx} = d_{m1}d_{m2}d_{m3}d_{m4} \tag{4}
\]

Each digit of $R_{Tx}$ and $R_{Mx}$ is used to indicate a bit location in Apwd, and these bits are concatenated to form a 16 bit output in hexadecimal (base 16) representations as in equation (5).

\[
\text{Apwd} - \text{Padgen}(R_{Tx}, R_{Mx})
\]

\[
= a_{dt1}a_{dt2}a_{dt3}a_{dt4} \parallel a_{dm1}a_{dm2}a_{dm3}a_{dm4} \parallel a_{dt1+16}a_{dt2+16}a_{dt3+16}a_{dt4+16}
\]

\[
= d_v
\]

The Padgen is again performed over Kpwd using the previously generated $d_v$ to indicate a bit location in Kpwd, and these bits are concatenated to form a 16 bit PAD.

The resulting PAD would then be expressed as in equation (6).

\[
\text{Kpwd} - \text{Padgen}(d_v, R_{Tx})
\]

\[
= h_{pv1}h_{pv2}h_{pv3}h_{pv4} \parallel h_{pv1+16}h_{pv2+16}h_{pv3+16}h_{pv4+16}
\]

\[
= \text{PAD}
\]

Where $h_{pv1}h_{pv2}h_{pv3}h_{pv4}$ is the hexadecimal (base 16) notation.

\[
\text{CCPWDM} = \text{Apwd} \oplus \text{PAD1} \tag{7}
\]

\[
\text{CCPWL} = \text{Apwd} \oplus \text{PAD2} \tag{8}
\]

The Equation (7) and (8) shows code cover password obtained by XOR operation performed between access password and pad functions.

Fig 2. Tag-reader authentication using the Xor or mod scheme

A. XOR Scheme

An improved version of the Padgen function based on Exclusive-OR operation[1]. Each PAD function is computed based on one set of $(R_T, R_M)$, which is transmitted in the open space. In contrast to the Padgen proposed and the present PAD function is computed based on one set of $(R_V, R_W)$, which is not transmitted openly. $R_V$ and $R_W$ are computed based on Apwd − Padgen ($R_T, R_M$) and Apwd-Padgen ($R_{TX}, R_T \oplus R_M$), respectively. PAD1 and PAD2 are then generated by Kpwd− Padgen ($R_V, R_W$) and Kpwd− Padgen ($R_V, R_V \oplus w$), respectively. The RV and RW values were calculated within the tags and readers. Therefore, an adversary
would not be able to correlate all the bits in Apwdm and Apwdl. In this scheme requires less area but provides less security as compared mod scheme.

B. MOD Scheme

Modulo arithmetic[1] is used as another approach to generate the Padgen function because of the scheme’s simplicity. Modulo arithmetic does not require carry or borrow operations. In computing hardware, the carry circuitry is a major part of arithmetic computation, and is a major contributor to speed limitations. The simplicity of modulo arithmetic allows several different approaches not available in the previous generation of Padgen function. These operations are done on modulo arithmetic based on mod 2. In modulo mathematics, the subtraction function is replaced by exclusive OR operation. The XOR-based division (no carry in addition or subtraction) consumes very small resources. The particular advantage of exclusive-OR operation is it can thus achieve low-cost hardware implementation of the Padgen function.

III. PROPOSED METHOD

The protocol consists of three main component’s tag, reader and server or database. In the proposed protocol, each tag has an individual EPC, Password (PWD) and a common architecture (modified MOD Function) provided by manufacturer to encrypt PWD. The database has the information about EPC and PWD of all tags. It also has a common protocol architecture which is embedded in all tags.

A. modulo $2^n+1$ Adder

Designing a modulo $(2^n + 1)$ adder[7] is a little bit trickier. Such an operator is useful in a wider range of application including for instance modulo $(2^n+1)$ multiplier for the IDEA block cipher. This mathematic operation is often performed in diminished-one number system, where a number $x$ is represented by $x = x-1$ and the number 0 is not used or treated as a special case. Fig 3 depict hardware operators performing the modulo $(2^n+1)$ addition according to this algorithm.

$$
(x' + y' + 1) \mod (2^n + 1)
= \begin{cases} 
(x' + y') & \text{if } x' + y' \geq 2^n \\
(x' + y')\mod 2^n & \text{if } x' + y' < 2^n
\end{cases}
$$

$$
= (x' + y' + \bar{c}_0) \mod 2^n
$$

(9)

Let us study the modulo $(2^n + 1)$ addition of two numbers in normal representation[13]. The algorithms described in this paper returns the desired result increased by one. Nevertheless, this property facilitate the design of circuit and can be dealt with applications. The modulo $(2^n + 1)$ addition is now defined by,

$$
(x + y + 1) \mod (2^n + 1)
= \begin{cases} 
2^n & \text{if } x = 2^n \text{ and } y = 2^n, \\
(x + y)\mod 2^n + \bar{c}_0 & \text{if } 0 \leq x + y < 2^{n+1}
\end{cases}
$$

(10)

Mutual authentication protocol for RFID system has been proposed and analysis instead of padgen function a modified MOD scheme function are implemented in RFID tag-reader mutual authentication protocol system due to reduction in hardware cost and area. Experimental evaluation reveals that the proposed protocol with modified MOD scheme provides more security with less area and efficient than the earlier schemes.
B. Modified Mod Scheme

An improved version of the Padgen function based on $2^n+1$ modulo addition operation is proposed as follows:

$$R_T \oplus R_M = R_{TM}$$

$$R_T \mod(2^{n+1}) R_M = R_c$$

$$\text{Apwd} - \text{Padgen}(R_c, R_{TM}) = d_{w1} d_{w2} d_{w3} d_{w4} \quad \text{(Base 10)}$$

$$= R_W$$

(11)

$$R_{TM} \mod(2^{n+1}) R_M = R_l$$

$$\text{Apwd} - \text{Padgen}(R_l, R_{TM}) = R_v$$

(12)

$$\text{Kpwd} - \text{Padgen}(R_v, R_w) = h_{q1} h_{q2} h_{q3} h_{q4}$$

$$= \text{PDA}_1$$

(13)

$$R_V \oplus R_W = R_{VW}$$

$$= d_{s1} d_{s2} d_{s3} d_{s4}$$

$$\text{Kpwd} - \text{Padgen}(R_V, R_{VW}) = \text{PDA}_2$$

(14)

Each PAD function is computed based on one set of ($R_T, R_M$), which is transmitted in the open space. In contrast to the Padgen proposed and the present proposed PAD function is computed based on one set of ($R_V, R_W$), which is not transmitted openly. $R_l$ and $R_w$ are computed based on results of $2^{n+1}$ modulo addition applied to $\text{Apwd} - \text{Padgen}(R_c, R_{TM})$ and $\text{Apwd-Padgen}(R_l, R_T \oplus R_M)$, respectively. PAD1 and PAD2 are then generated by $\text{Kpwd} - \text{Padgen}(R_V, R_w)$ and $\text{Kpwd} - \text{Padgen}(R_V, R_{VW})$, respectively. The RV and RW values were calculated within the tags and readers. Therefore, an adversary would not be able to correlate all the bits in Apwdm and Apwdl.

IV. RESULTS AND DISCUSSION

Xilinx ISE is a set of tools integrated into a single user interface called the “Project Navigator”. The main goal of the tools is the capture and verification of design information targeted at a programmable logic implementation.

The proposed RFID mutual authentication protocol is described using structural Verilog HDL to produce gate level net list and synthesized using Xilinx ISE design suite 14.2 tool. Here different RFID tag-reader authentication protocol namely Konidala Scheme, modified scheme, Xor scheme, MOD scheme, Modified MOD scheme are considered for comparison in terms of Logic elements, Delay. Figure 4 shows that simulation output of the Modified MOD scheme.

Fig 4. Simulation result of modified mod scheme
A. Area and Delay Analysis

Comparison of Logic Elements and Register Count of Proposed Protocol with Previous Approaches. The logical element requirement to perform a single time Padgen, Modified MOD function is synthesized and result has been measured. Each protocol may utilize the function eight times to complete a single authentication process. The Number of Slice Registers elements of Modified MOD scheme and number of transition required to complete a function is less compared to other functions. From the synthesis results in Table I, it is shown that the logical elements of the proposed protocol are low. The reason for increased number of transitions is that, it needs to be updating the value for each iteration by performing some logical operation after each authentication process. Protocol uses a padgen function to encrypt the password since padgen function consumes more logic elements which increases the hardware cost.

<table>
<thead>
<tr>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>Number of Slice Registers</td>
<td>32</td>
<td>32</td>
<td>42</td>
<td>32</td>
</tr>
<tr>
<td>Number of Slice LUTs</td>
<td>162</td>
<td>322</td>
<td>986</td>
<td>426</td>
</tr>
<tr>
<td>Number of LUT Flip Flop pairs used</td>
<td>177</td>
<td>348</td>
<td>975</td>
<td>452</td>
</tr>
<tr>
<td>Delay (ns)</td>
<td>9.493ns</td>
<td>11.514ns</td>
<td>31.80</td>
<td>17.276ns</td>
</tr>
</tbody>
</table>
                      Logic 4.849ns Route 4.644ns Logic 5.906ns Route 5.608ns Logic 51.3% Route 48.7% Logic 8.35 Route 23.45 Logic 26.3% Route 73.7% |
| Hardware Implementation    | No          | Yes            | Yes            | Yes      |
| Security                    | Less        | Average        | High           | High     |

Mutual authentication protocol for RFID system has been proposed and its simulation, implementation results has been analyzed. From this analysis instead of padgen function a modified MOD scheme function are implemented in RFID tag-reader mutual authentication protocol system due to reduction in hardware cost and area. Experimental evaluation reveals that the proposed protocol with modified MOD scheme provides more security with less area than the earlier schemes.

V. CONCLUSION

In this work, VLSI implementation of an efficient RFID mutual authentication protocol and Modified algorithm is proposed whose functionality is described in Verilog hardware description language. Modified MOD functions were examined for the tag-reader mutual authentication protocol in the RFID system environment. The proposed RFID tag-reader mutual authentication protocol has been simulated in Xilinx ISE Design Suite 14.2. In addition to that the proposed protocol outperform than the earlier schemes in terms of area.

REFERENCES


