1

�Abstract—This paper presents a practical implementation of a

digital baseband for a low-cost UHF Radio Frequency Identification (RFID) tag, in which a cryptography engine based on International Data Encryption Algorithm (IDEA) primitive is embedded. A mutual authentication scheme enforced by the IDEA engine is proposed. The scheme can improve the security of the ISO 18000-6C protocol and meet the timing constraints of the protocol as well. The whole security-enhanced tag, includingdigital baseband, RF/analog frontend and memory, has been taped out using SMIC 0.18�m CMOS process. The overall power consumption of the baseband system is 8.96�W when the supply voltage is 1.2V and the clock frequency is 1.28MHz. The tag works at the back linked frequency (BLF) of 80 KHz.

Index Terms— RFID, security, authentication, low-power, IDEA.

I. INTRODUCTION

adio Frequency Identification(RFID) technology, which identifies electronic tags using RF signal without contact, is

widely used in supply chain systems, and pervades our lives also in anti-counterfeit, healthcare, asset management, etc. A typical RFID system consists of a tag, a reader and a database. Readers interrogate tags by broadcasting RF signals. Tags, mostly passive, respond to readers using the energy collected from the RF signals. ISO 18000-6C [1] (EPC Gen2) is a widely-accepted standard for Ultra High Frequency (UHF) band (860MHz~960MHz) RFID applications.

While yielding great productivity gains, RFID may bring newthreats to the security and privacy of individuals or organizations. The security threats to RFID tags, including tracing, counterfeiting, unauthorized access, eavesdropping and physical attacks, are becoming one of the most important factors hindering the further application of RFID technology [2-4]. Aimed at one or several security threats, many security mechanisms and authentication protocols have been proposed

Manuscript received June 9, 2010. This work was supported by Ministry of Science & Technology of China, RFID Technology for Secure Pharmaceutical Tracking and Tracing Systems (No.2008BAI55B07).

in the literature. The idea “block tag” was presented by Juels et al. to prevent the unauthorized tracing in [5]. Weis et al.proposed the cryptographic privacy enhancing technology based on hash-lock for the first time in [3]. Juels et al. introduced an HB+ protocol in [7], which made use of thehardness assumption of statistical “Learning Parity with Noise” (LPN) problem. Symmetric-key cryptography has also been used to build strong security protocol, such as Advanced Encryption Standard (AES) [8] and Tiny Encryption Algorithm (TEA) [9]. Reference [6] reviewed previous work on RFID authentication protocols. Low-cost implementation of standard cipher algorithms or light-weight ciphers for RFID application can be found in [8-13].

References [14-16] are examples of secure UHF RFID baseband using AES cryptography engine. However, most of the reported implementation did not consider the timing requirements of RFID protocols, which are important for the performance of RFID systems in many applications, such as logistics applications.

In this paper, we analyze the timing constraints specified in the ISO 18000-6C, and provide a mutual authentication protocol fully compliant with the protocol to enhance the security. A comparatively light-weight cryptography algorithm,International Data Encryption Algorithm (IDEA) is selected to build the secure engine.

The paper is organized as follows. Section II analyzes the timing constraints in ISO 18000-6C and proposes a mutual authentication protocol for the security purpose. Section IIIdescribes the IDEA algorithm and its implementation. Section IV gives the architecture of the baseband. Section V presents the test results. Section VI concludes the whole work.

II. SECURITY ENHANCING PROTOCOL

In ISO 18000-6C Protocol, readers operate tags by three basic kinds of commands : select Tags change their states according to commands received and response to readers. The timing requirement for the communication between readers and tags is illustrated in the Figure 1.

A Low-cost UHF RFID Tag Baseband with an IDEA Cryptography Engine

Xiang Shen, Dan Liu, Yuqing Yang and Junyu Wang State Key Laboratory of ASIC & System, Fudan University

Shanghai, China Email: junyuwang@fudan.edu.cn

R

978-1-4244-7414-1/10/$26.00 ©2010 IEEE

2

An important parameter in the protocol is T1, which is defined by the latency time from the end of last symbol sent by the reader to the first symbol sent by the tag. Tags shouldrespond to the reader after receiving commands within time T1.The value of T1 is related to the Back Linked Frequency (BLF)as equation (1):

BLF ranges from 40 KHz to 640 KHz in ISO 18000-6C.Different T1 with different BLF can thus be calculated (Table I).In our design, BLF is set to 80 KHz and thus the T1 is no more than 132 �s.

Table I T1 for different BLFBLF/kHz 10/BLF

(�s)TRcal/�s

RTcal/�s T1/�s

40 250 200 [66.7,181.8] 26280 125 100 [33.3,90.1] [118,132]

160 62.5 133.3 [44.3,121.1] [70.7, 135.2]240 41.7 90 [30, 82] [47.87320 31.25 66.7 [22.2, 60.6] [36.4, 68.6]640 15.625 33.3 [11.1, 30.3] [20, 36.8]

As a timing constraint for a tag responding to an inventory command, T1 is a parameter related to the read rate. In some RFID applications, such as supply chain for luxury or dangergoods, both the read rate and the security are required. It is reasonable that the security-enhanced communication also meets the timing requirements of the ISO 18000-6C, so that the security of RFID system can be achieved with little modificationto circuits of the existing readers and tags.

As the clock frequency in RFID digital baseband is usually low (no more than 2MHz normally), cryptography engine needs to complete processing in several hundreds clock cycles to meet T1, which is a strict constrain for many cryptographic primitives.We provide a low-cost implementation of RFID tag baseband embedded with an IDEA engine. The IDEA engine can encrypta block within T1 constraints since only 320 clock cycles are needed. A mutual authentication data flow based on IDEA is presented (Figure 2). In the protocol, we assume that every tag has a 64-bit ID called metaID, an index by which the reader can search the paired key in the database to set up the authentication.Four new commands are added to the original protocol to complete a mutual authentication using IDEA. Rr and Rt arerandom numbers generated by the reader and the tagrespectively. K is the key which is shared by the tag and the database. All the commands in the authentication protocol meet

Table II Commands for authenticationCommand Contents Response by the tagReq_ID RN16 metaIDAuthen_Tag Rr IDEA{Rr,K}Req_Key RN16 IDEA{Rt,K}Authen_Reader IDEA{Rt,K} RN16

the timing constraint analyzed above. Table II presents detaileddescription of the four commands and their response.

After authentication, the IDEA engine turns from normal ECB mode to OFB mode to generate stream cipher to encrypt EPC or data in read/write command. All the data are transferredas ciphertext in our protocol, so that eavesdropping can be prevented.

III. IDEA ALGORITHM AND IMPLEMENTATION

IDEA is a block cipher designed by James Massey of ETH Zurich and Xuejia Lai in 1991. IDEA operates on 64-bit blocksusing a 128-bit key, and consists of a series of eight identical transformations (a round, as described as Fig.3) and an output transformation (the half-round).

Compared with AES, IDEA has the same key length but isless costly in power and latency time. No successful linear or algebraic weaknesses about IDEA have been reported.

There are few up-do-date papers reporting hardware implementation of IDEA. And most of them are focused on high throughput performance [17-19], which are not suitable for RFID due to their large circuit area and power.

A low-cost implementation of IDEA engine for low-cost RFID application is proposed in this paper. The IDEA engine consists of three modules: the Control Logic module the Key Schedule module and the Round Calculation module. The control logic module accumulates calculation rounds and controls the other two modules as the FSM. The key schedule

Fig. 1 Timing for tag and reader (ISO 18000-6C)

Query/Adjust/Rep

metaID

Authen_Tag

Authen_success

READER TAG

S1=IDEA(Rr, K)

r

RN16

Req_ID(RN16)

Req_Key

S2=IDEA(Rt, K)

Authen_Reade

Inventory

ACK

Cipher{PC+EPC}

Authentication

Fig. 2. Modified authentication protocol

3

module expends round key from initial 128-bit key by shift appointed bits. Since both the encryption and the decryption can be carried out by encryption function in OFB mode, onlyencryption is implemented, in order to reduce the complexity of our design. The round calculation module completes encryption operation in each round, and is the core of the IDEA implementation.

The Round Calculation module consists of a 16-bit modular multiplier, a 16-bit adder, six 16-bit registers and ten multiplexers (Fig.4). The 16-bit multiplication is a resource costly operation. It is implemented based on a size-less booth recoding multiplier and can generate results of one 16×16 operation in 6 clock cycles. Both the multipliers and adders arereused in order to reduce the hardware resource. Registers store the results selected by the multiplexers in every round. Gated clock is widely used to cut down the consumed power.

Table III provides the performance of the IDEA engine and compares it with other implementations of cipher algorithms. Compared with AES, our implementation of IDEA needs lessclock cycles to complete a block encryption, which makes it meet the timing constraint analyzed in section II. Our IDEAengine consumes less power than AES and hash algorithms and has longer key length than light-weight ciphers such as DESL and TEA.

Table III Results and comparison with related work Algorithm Tech.

(�m)Key

lengthClockcycles

Gates equation

Power(�W)

TEA[9] 0.18 64 64 2355 7.37AES[10] 0.25 128 870 3900 4.85AES[11] 0.35 128 1032 3400 4.5

SHA-1[12] 0.25 / 330 10382 14.1DESL[13] 0.18 56 144 2309 2.14IDEA[17] 0.6 128 5 47555 42500

IDEAThis work

0.18 128 320 4487 2.21

IV. THE BASEBAND ARCHITECTURE

The baseband of an RFID tag is used to process signals from the frontend or the memory and to control the states and operations of the tag. For low-cost application, the baseband circuit shall consume as little area and energy as possible. Because the clock frequency in passive RFID tag is usually less than 2MHz, the clock cycles for processing the protocol shall be minimized. A simple FSM logic is better than a CPU-based architecture for its economic area, timing and power consumption.

The architecture of an IDEA-enabled baseband conforming to the 18000-6C protocol is presented in Fig.5. The DEMOD module demodulates signals from the analog frontend and generates data signals in pulse-interval encoding (PIE) format. The MOD module modulates the data signals to be backscattered in FM or Miller format. The CRC module is used for Cyclical Redundancy Check specified in protocol. The PRNG module is a pseudo random number generator for generating handle in communication. The DECODER module decodes the signals from DEMOD to the commands defined by the protocol. The OCU module, the output control unit, controls the output data and implements the backscattering with MOD.

The secure engine consists of the IDEA module and the IDEA_CTRL module. The former completes the encryption operation and the latter controls the work modes like ECB and OFB and controls the data I/O for the IDEA module. The mutual authentication and data encryption can be achieved by this secure engine.

For the low-power purpose, a clock management unit is embedded in the baseband. Since different modules usually

AdderModularMultiplier

Reg RegReg Reg RegReg

Sub-KeyPlaintext

Ciphertext

Round Calculation

MUX7 MUX8 MUX9 MUX10

MUX1 MUX5 MUX2 MUX3 MUX6 MUX4

Rt0R1 R3R2 Rt1 R4

64

64

Fig. 4. Architecture for Round Calculation Module

DEMOD DECODE

Tag Digital Baseband

DATA BUS

OCU PRNG

IDEA

Interface to Secure Engine

Secure Engine

CMU

EEPROM

Inte

rfac

eto

EE

FSM

ANALOGFRONTEND

MOD

CRC

IDEA_CTRL

Fig. 5. Architecture of the tag baseband

1iK 2

iK3iK 4

iK

5iK

6iK

A1 A2 B1 B2

C1

B3

M1M2

1iX 3

iX 2iX 4

iX

11iX � 1

2iX � 1

3iX � 1

4iX �

Fig. 3. Round Calculation in IDEA (i=0,2…7)

4

work at different time. The gated clock is adopted to reduce the leak current of the registers. Fig.6 shows the architecture of the clock management unit. A latch is used to implement the gated clock, which can effectively avoid potential glitch generated by gates latency of the clock. The widely-used gated clock reducesthe power remarkably in order to meet strict energy limitation of passive RFID tags.

The baseband with IDEA engine is synthesized by the Synopsys Design Compiler in SMIC0.18�m process cell library,and the area of each part is noted in Table IV. And the SynopsysNanoSim is used to evaluate the power consumption of the whole baseband. Simulation results show that the mean power of the baseband is about 8.96�W when the support voltage is 1.2V and the clock frequency is 1.28MHz.

Table IV Area of different parts in the baseband Module Area(�m2) rate

DEMODU 9230 8.9DECODE 5653 5.4PRNG 2922 2.8OCU 4096 3.9MOD 907 0.9CRC 121 0.1EEINTERFACE 4304 4.1FSM 12539 12.0IDEA 39147 37.6IDEA_CTRL 25209 24.2Total 104128 100

V. RESULTS

The whole tag including RF/analog frontend, digital baseband and the memory has been taped out in SMIC0.18�mprocess. The overall area of the chip is 0.9mm 1.15mm in which the digital baseband takes about 0.6mm×0.65mm The micrograph of the chip can be seen in Fig.7.

A print circuit board (PCB) is made to test the secure tag chip,which consists of the chip, antenna and the test pins (Fig.8). Weused a commercial 18000-6C UHF RFID reader to test the tag.The firmware of the reader is modified according to our security scheme. An oscilloscope connected with PCB is used to record

the waveform of the communication between the reader and the tag.

The tag is proved to be able to work at the BLF of 80 KHz. Fig.9 shows the record of the security authentication. The upper waveform is the command sent by the reader, from the left to right: Query Req_ID Authen_Tag Req_Key Authen_Reader. And the waveform below is: RN16 metaIDS1 S2 Authen_success responding by the tag. The conclusion can be draw that the tag works correctly as the protocol specification requires. The latency time that the tag responding to different commands is measured and presented in table V. Note that the timing requirements of ISO 18000-6C are satisfied.

Fig. 6. Clock management unit

Fig. 8. PCB for test

Fig. 9. Waveform of the tag-reader communication

Baseband

Memory

Frontend

Fig. 7. Micrograph of the secure tag chip

5

Table V Latency for the tag responding to different authentication commands BLF=80KHz,T1=132�s

Command Req_ID

Authen_Tag

Req_Key

Authen_Reader

latency(�s) 128 132 132 130

VI. CONCLUSION

In this paper, a low-cost passive RFID tag baseband based on 18000-6C standard and with a cryptography engine is presented.We propose an authentication protocol to enhance the security of ISO 18000-6C, and use the cryptographic primitive IDEA to build the security engine. According to the test results, the function of the secure-enhanced tag chip is achieved and the timing requirements of the protocol are satisfied as well.

REFERENCES

[1] EPC global, EPCTM Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID Protocol for Communications at 860MHz~960MHz Version 1.1.10[M]

[2] A. Juels, RFID Security and Privacy: A Research Survey, IEEE J. on Selected Areas in Communications, vol. 24 no. 2, pp 381394, invited paper, Feb 2006.

[3] S.A. Weis, S.E. Sarma, R.L. Rivest and D.W. Engels, Security andPrivacy Aspects of Low- cost Radio Frequency Identification Systems,Security in Pervasive Computing 2003, LNCS, vol. 2802, pp 201212,Springer, 2004.

[4] Sanjay E. Sarma, Stephen A. Weis, and Daniel W. Engels. RFID Systems and Security and Privacy Implications. In Workshop on Cryptographic Hardware and Embedded Systems, pages 454–470. Lecture Notes in Computer Science, 2002.

[5] Juels, A. et al.: The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy, 10th ACM Conference on Computer and Communications Security, 2003

[6] M. Lehtonen, T. Staake, F. Michahelles, E. Fleisch, “From Identification to Authentication-A Review of RFID Product Authentication Techniques”. In Printed handout of Workshop on RFID Security —RFIDSec 2006, 2006.

[7] Juels, A. and Weis, S. (2005). Authenticating pervasive devices with human protocols. In Victor Shoup, editor, Advances in Cryptology –CRYPTO’05, volume 3126 of Lecture Notes in Computer Science, pages 293–308, Santa Barbara, California, USA, August 2005. IACR, Springer-Verlag.

[8] M. Feldhofer, S. Dominikus, J.Wolkerstorfer. Strong Authentication for RFID Systems using the AES Algorithm. In CHES 2004, Proceedings,volume 3156 of Lecture Notes in Compute Science, pages 357-370.Springer,2004.

[9] Pasin Israsena. Securing Ubiquitous and Low-cost RFID Using Tiny Encryption Algorithm. In International Symposium on Wireless Pervasive Computing, 2006.

[10] Mooseop Kim; Jaecheol Ryou; Yongje Choi. Low-cost Cryptographic Circuits for Authentication in Radio Frequency Identification Systems Consumer Electronics, 2006. ISCE '06.2006 IEEE Tenth International Symposium on 0-00Page(s):1-5.

[11] Feldhofer, M.; Wolkerstorfer, J.; Rijmen, V. AES implementation on a grain of sand. Information Security, IEEEProceedings, 2005, Volume 152, Issue 1:13 - 20

[12] Yongje Choi; Mooseop Kim; Taesung Kim; Howon Kim: Low power implementation of SHA-1 algorithm for RFID system Consumer Electronics, 2006. ISCE '06. 2006 IEEE Tenth International Symposium on Digital Object Identifier: 10.1109/ISCE.2006.1689488, Page(s): 1 - 5.

[13] Poschmann, A., Leander, G., Schramm, K., Paar, C.: A Family of Light-Weight Block Ciphers Based on DES Suited for RFID Applications.

In:Workshop on RFID Security 2006 (RFIDSec 2006), Graz, Austria, July 12-14 (2006)

[14] A.S.W. Man, E.S. Zhang, V.K.N. Lau, C.Y. Tsui and H.C. Luong, LowPower VLSI Design for a RFID Passive Tag baseband System Enhancedwith an AES Cryptography Engine, 1st Annual RFID Eurasia conf., 5-6Sept. 2007, pp 1-6, 2007

[15] A. Ricci, M. Grisanti, I. De Munari, P. Ciampolini, Design of a 2�W RFID baseband processor featuring an AES cryptography primitive,IEEE ICECS, pp 376-379, 31 Aug 3 Sept, Malta, 2008

[16] M.L. Hsai, O.T. Chen, Passive RFID transponder with power-awareencryption, Midwest Symposium on Circuits and Systems, pp 838-841,10-13 Aug, Knoxville USA, 2008.

[17] Sklavos, N.; Koufopavlou, O.: Asynchronous low power VLSI implementation of the International Data Encryption Algorithm. The 8th IEEE International Conference on Electronics, Circuits and Systems, 2001. ICECS 2001. Volume: 3 Digital Object Identifier: 10.1109/ICECS.2001.957482 ,Page(s): 1425 - 1428 vol.3

[18] R.Zimmermann, A. Curiger, H. Bonneberg, H. Kaeslin, N. Felber, and W. Fichtner, A 177 Mb/s VLSI Implementation of the International DataEncryption Algorithm, IEEE Journal of Solid States Circuits, vol. 29, no 3, March 1994.

[19] Wolter, S.; Matz, H.; Schubert, A.; Laur, R., On the VLSI implementation of the international data encryption algorithm IDEA. 1995. ISCAS '95., 1995 IEEE International Symposium on Circuits and SystemsVolume:1 Page(s): 397 - 400 vol.1