^{1}

^{2}

^{*}

^{2}

^{3}

^{2}

^{4}

This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/).

Pseudorandom number generation (PRNG) is the main security tool in low-cost passive radio-frequency identification (RFID) technologies, such as EPC Gen2. We present a lightweight PRNG design for low-cost passive RFID tags, named J3Gen. J3Gen is based on a linear feedback shift register (LFSR) configured with multiple feedback polynomials. The polynomials are alternated during the generation of sequences via a physical source of randomness. J3Gen successfully handles the inherent linearity of LFSR based PRNGs and satisfies the statistical requirements imposed by the EPC Gen2 standard. A hardware implementation of J3Gen is presented and evaluated with regard to different design parameters, defining the key-equivalence security and nonlinearity of the design. The results of a SPICE simulation confirm the power-consumption suitability of the proposal.

The Electronic Product Code Class 1 Generation 2 [

EPC Gen2 manufacturers do not provide their PRNG designs [

In this paper, we present a lightweight PRNG scheme for EPC Gen2 tags named J3Gen, which is based on a preliminary design presented in [

The paper is organized as follows. Section 2 surveys related work. Section 3 describes the design of J3Gen. Section 4 defines the optimal parameters used in the construction of J3Gen. Section 5 evaluates the statistical properties, hardware complexity and power consumption of J3Gen. Section 6 closes the paper.

Although RFID is becoming an active research field in scientific literature, very few PRNG designs for lightweight RFID technologies have been disclosed in the related literature. Some examples are Trivium [

The PRNG presented in this paper can be applied to current lightweight security proposals in wireless sensor networks, like the one-time-pad encryption scheme by Dolev

It is worth to mention that there exist other PRNG implementations for security improvement like [

Considering EPC Gen2 RFID technology, Huang

The main challenge to obtain an efficient PRNG is how to guarantee the generation of sequences with (almost) true random properties, while also addressing efficiency and computational complexity. Indeed, the low power, chip area and output rate (among other constraints) of EPC Gen2 technology makes the task of improving security harder. This is the case of true random number generator (TRNG) designs based on, e.g., thermal noise, high frequency sampling or fingerprinting, whose requirements of power consumption or computational complexity for full-length real-time generation of random sequences fall out of EPC Gen2 standards [

The J3Gen generator relies on a n-cell LFSR module. LFSRs produce pseudorandom sequences with good statistical values. They are very fast and efficient in hardware implementations, and quite simple in terms of computational requirements [

The Polynomial Selector is the responsible of the linearity avoidance of J3Gen. A set of

The Decoding Logic is the responsible for managing the internal PRNG clock of J3Gen. It activates and deactivates the PRNG modules for its proper performance. The internal PRNG modules have different activation and deactivation timings. Depending on the internal clock frequency, _{clk}, some modules such as the LFSR or the TRNG need different activation cycles. For example, the

The Decoding Logic also manages the

Regarding the physical source of randomness (

Although J3Gen can be used as a security tool in multiple lightweight ubiquitous computing scenarios, we look for compatibility with the EPC Gen2 requirements. The EPC standard [^{2} using current 130 nm process for static CMOS designs.

The size and design of each component of J3Gen implies a specific hardware implementation, being the LFSR size (

For the LFSR implementation purpose, we use the

As shown in

We then provide the physical source of randomness assumed for our generator. For the gate equivalence of this component, we based our estimations on previous works presented in [

From Table 1, it can be extracted that implementations using up to 32 cells for the LFSR are roughly EPC Gen2 suitable from the hardware perspective. Also, a combination of large LFSR with a small pool of polynomials (e.g.,

EPC Gen2 security relies on the PRNG utilization, and how the PRNG ciphers the

In order to achieve the best statistical properties, feedback polynomials of LFSRs shall be primitive [

For that reason, we determine the best parameters to choose in terms of GE efficiency with respect to the key length. Taking that measure, we obtain that the best parameter configuration is

Regardless of the parameters values, the core of the J3Gen generator is an LFSR with multiple polynomials (instead of a single one). The polynomial generator from a simple ^{n}

An attacker aiming to predict the J3Gen output has to synchronize its output with the beginning of a feedback polynomial generated sequence, obtain the feedback polynomial from 2_{i}_{sel} are the

If further security is desired, the pool of polynomials can include non-primitive polynomials besides primitive polynomials (avoiding those leading to absorbing states), increasing the complexity of the system and decreasing the success odds of a brute force attack.

Once the parameters have been fixed based on the hardware constraints and the security requirements discussed in previous sections, we now evaluate the proposed scheme for its implementation, and the restrictions imposed by the EPC standard. We analyze two important parameters of J3Gen: statistical requirements stated by the EPC Gen2 standard for pseudorandom sequence generation, and power consumption.

Detailed in the EPC Gen2 standard [

Any single 16-bit sequence

Among a tag population of up to ten thousand tags, the probability that any two tags simultaneously generate the same 16-bit sequence shall be less than 0.1%.

The chance of guessing the next 16-bit sequence generated by a tag shall be less than 0.025% even if all previous outputs are known to an adversary.

To confirm the suitability of the current design of J3Gen for handling the statistical and randomness requirements defined above, different pseudorandom sequences using the parameters defined in Section 4 shall be generated. The three EPC Gen2 statistical requirements tests are presented. To accomplish these tests, 30 million 16-bit pseudorandom sequences are generated using an implementation of the J3Gen design. This dataset size is chosen since it is the minimum necessary for a truly generated random sequence to accomplish the proposed requirement [

First, the probability of occurrence of any given value shall lie between probabilities defined in Equation 2. The results shown in

The second property for building an EPC Gen2 compliant PRNG requires that two simultaneous identical sequences must not appear with more than 0.1% probability for a population up to 10,000 tags. To test this property, 10,000 instances of J3Gen, initialized at random, are used to simulate the test scenario. We conducted ten tests, running 1,000 iterations per test. The second row of

Finally, to statistically confirm the fulfillment of the third property, we computed the degree of dependence of the ongoing bits regarding their predecessors, using the same pseudorandom sequences. Based on the results shown in

The energy used for a (cryptographic) operation depends on the average power and the duration of the computation. For passively powered devices such as RFID tags, the average power transmitted from the reader to the tag is relatively small (although, in general terms, the reader can supply the power during all the operation time [

Analytical methods for estimating the CMOS dynamic power dissipation can be adapted to the design of J3Gen [_{avg} = 178 nW (readers can refer to [

After defining the design of the digital core of J3Gen based on GEs (

Power dissipation is one of the most important factors in VLSI design and its technology choice. Therefore, accurate simulation of CMOS power dissipation using languages such as SPICE is highly desirable [

The analysis targets the average power consumption of J3Gen, in order to evaluate its implementability in a real EPC Gen2 tag.

The simulated average power consumption for the 16-bit sequence generation is 156.3 nW, which is consistent with the aforementioned dynamic CMOS power estimation. The simulated power consumption is also under the average power consumption requirements for cryptographic operations in RFID tags proposed by Feldhofer

A pseudorandom number generator (PRNG) design for EPC Gen2 RFID technologies, named J3Gen, has been presented. The generator is based on a linear feedback shift register (LFSR) configured with a multiple-polynomial tap architecture fed by a physical source of randomness, achieving a reduced computational complexity and low-power consumption as required by the EPC Gen2 standard. It is intended for security, improving the one-time-pad cipher unpredictability. It is configurable for other purposes and scenarios besides EPC Gen2 RFID technologies through its main parameters

The authors would like to thank Josep Domingo-Ferrer, Miquel Soriano and David Megías for their helpful comments during the realization of this work. The authors thank as well the anonymous reviewers for their valuable comments and suggestions to improve the quality of the paper. This work was partly funded by the Spanish Government through projects TSI2007-65406-C03-03 E-AEGIS, TIN2011-27076-C03-02 CO-PRIVACY, CONSOLIDER INGENIO 2010 CSD2007-0004 ARES, and TIN2010-15764 N-KHRONOUS.

Block diagram of J3Gen.

Different combinations present suitable trade-offs between security and implementation area.

EPC Gen2 first randomness property test, achieving similar statistical results than

LTSpice power consumption simulation. Power dissipation is concentrated around the internal clock cycles.

Logical GE Count for J3Gen.

LFSR size ( |
16 | 24 | 32 | 64 | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|

| ||||||||||||

Feedback polynomials ( |
8 | 16 | 32 | 8 | 16 | 32 | 8 | 16 | 32 | 8 | 16 | 32 |

LFSR module | 72.0 | 72.0 | 72.0 | 108.0 | 108.0 | 108.0 | 144.0 | 144.0 | 144.0 | 288.0 | 288.0 | 288.0 |

Polynomial Selector module | 209.3 | 396.6 | 774.1 | 305.1 | 577.6 | 1,125.3 | 401.0 | 758.6 | 1,476.5 | 784.3 | 1,482.4 | 2,881.3 |

Decoding Logic module | 48.3 | 48.3 | 48.3 | 53.3 | 53.3 | 53.3 | 53.3 | 53.3 | 53.3 | 61.3 | 61.3 | 61.3 |

TRNG | 22.0 | 22.0 | 22.0 | 22.0 | 22.0 | 22.0 | 22.0 | 22.0 | 22.0 | 22.0 | 22.0 | 22.0 |

Additional Control | 87.5 | 125.0 | 182.1 | 114.9 | 169.3 | 279.9 | 141.2 | 212.7 | 356.3 | 249.3 | 387.9 | 667.7 |

| ||||||||||||

2,052.1 | 2,241.6 | 3,920.3 |

Combinations using primitive polynomials.

8 | 2^{73} |
439.1 | 0.1662 | ||

16 | 2,048 | 16 | 2^{131} |
663.9 | 0.1973 |

32 | 2^{234} |
1092.5 | 0.2141 | ||

| |||||

8 | 2^{129} |
603.3 | 0.2138 | ||

24 | 276,480 | 16 | 2^{245} |
930.2 | 0.2633 |

32 | 2^{461} |
1,602.8 | 0.2876 | ||

| |||||

32 | 67,108,864 | 8 | 2^{192} |
761.5 | 0.2521 |

16 | 2^{372} |
1,190.6 | |||

| |||||

64 | 1.44 ×10^{17} |
8 | 2^{441} |
1,419.3 | 0.3107 |

EPC Gen2 second and third randomness property tests.

1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 | |
---|---|---|---|---|---|---|---|---|---|---|

0.0377 | 0.0383 | 0.0377 | 0.0370 | 0.0375 | 0.0375 | 0.0369 | 0.0375 | 0.0371 | 0.0379 | |

–0.0085 | –0.0093 | –0.0044 | –0.0014 | 0.0003 | 0.0053 | 0.0073 | 0.0038 | –0.0020 | –0.0178 |