BULK ENCRYPTION CRYPTO-PROCESSOR FOR

SMART CARDS: DESIGN AND IMPLEMENTATION

N. Sklavos, G. Selimis and O. Koufopavlou

Electrical and Computer Engineering Department

University of Patras, Patras, Greece
email: [email protected]

The need for express and secure financial transactions

was the basic reason for the introducing of smart card in
ABSTRACT
modern times. One basic problem that keeps down the
The evolution of cipher has no practical impact, if it has evolution of smart cards is security. The client or the
only theoretical background. Every encryption algorithm services subscriber is cautious in the use of smart cards
should exploit as much as possible the conditions of the and prefers to accomplish the economical transactions by
specific system without omitting the physical, area and traditional ways. New smart cards with more secure
timing limitations. The environment of smart card lacks of features are proposed. Tamper-proof technologies
system resources but the commercial and economic designed to avoid attackers to extract secret information
transactions via smart cards demand the use of certificated from card. Architectures for more secure features, without
and secure cryptographic methods. This fact requires new the performance of system to be decreased, are applied.
ways in design architectures for secure and reliable Smart The Data Encryption Standard was published by the
Card systems. In this paper, a Crypto-Processor National Bureau of Standards, now the National Institute
architecture and the VLSI implementation for smart cards of Standards and Technology (NIST), in 1977 [3,4]. A
bulk encryption is proposed. The proposed architecture more secure version of DES called 3DES, which is
achieves 30% area resources reduction and has throughput essentially equivalent to using DES three times on
value much greater than the smart cards standards specify. plaintext with three different keys. 3DES can however
work with one, two or three keys alternatively.
1. INTRODUCTION
In this work, a Crypto-Processor architecture is proposed
A smart card includes an embedded integrated circuit chip for the bulk encryption unit of smart cards. The proposed
that can be either a microcontroller with internal memory system operates in two different modes: DES and 3DES.
or a chip alone [1]. The cards connect to a reader through The introduced design is based on a DES transformation
direct physical contact or a remote contact-less round core and it is supported by feedback technique. In
electromagnetic interface. This difference separates smart this way a covered area reduction, with a factor 30% is
cards into two basic categories, contact and contact-less achieved, compared with the conventional architecture.
Smart Card. There are also dual interface cards which The Crypto-Processor has been implemented in a FPGA
communicate with the external world with both of ways. device. The operation frequency is equal to 90 MHz for
Smart cards are used in many application fields. both operation modes. The achieved data rate is equal to
Telecommunications provide SIM cards for mobile 120 and 360 Mbps for 3DES and DES operation
telephony and prepaid public telephone cards. Multimedia respectively.
and pay-TV Cards are significant representatives of smart This paper is organized as follows: In section 2 the main
cards. There are also several uses of smart cards in features of smart cards devices are presented. In section 3
transportations. An attempt for more secure financial a general overview of DES and 3DES is given. The next
services cards (banking, shopping) enforces the section introduces the conventional architecture. The
conversion of magnetic stripe and credit cards to smart proposed Crypto-Processor is represented in detail in
cards. The industry vendors forecast that in the future section 5. The FPGA synthesis results are given in section
smart card would be a multiplication card which will 6. Conclusions are discussed in section 7.
communicate via air with internet gates.
 3. DATA ENCRYPTION STANDARD
2. SMART CARDS DEVICES
The DES encryption algorithm converts 64-bit plaintext to
Modern smart cards are plastic, credit cards devices, with an
64-bit ciphertext using a 64-bit key in both encryption and
integrated circuit chip, with microprocessor. These smarts
decryption processes [3-5]. The same algorithm is reused
cards architecture includes the mechanism for storing and/or
with the same initial key to convert ciphertext back to
processing information [1, 2]. Fig.1 shows the main
plaintext, in the decryption process. The key is a 64-bit
elements of microprocessor used in smart cards: CPU,
word, of which eight are parity bits, at locations 8, 16, 24,…
ROM, RAM and EEPROM.
64. This encryption algorithm performs 16 rounds of
operations, which mix the data and the key using the
ROM fundamental operations of permutation and substitution. The
goal is to completely scramble the data and the key so that
every bit of the ciphertext depends on every bit of the data
plus every bit of the key. The 3DES processing is generated
DATA INTERFACE CPU
EEPROM by the use of three blocks of DES, in serial order. 3DES
architecture can use one, two or three secret keys (Fig. 2). In
this work, a 3DES architecture with the support of three
different keys (Key1, Key2, Key3) is proposed.
RAM
3DES Enryption Scheme

plaintext DES Unit , K1 DES Unit , K2 DES Unit , K3

ciphertext
(Encryption Mode) (Decryption Mode) (Encryption Mode)

Figure 1: Smart Card Microprocessor Architecture

3DES Decryption Scheme

Two are the basic categories of smart cards, the contact and ciphertext DES Unit , K3 DES Unit , K2 DES Unit , K1
plaintext
the contact-less smart card. Contact smart cards (ISO 7816), (Decryption Mode) (Encryption Mode) (Decryption Mode)

communicate with the smart card reader via pins which

placed to the outer surface of smart card. There is not Figure 2 : 3DES encryption/decryption schemes
battery internal of smart card which gains its power from
smart card reader. Contact-less smart cards (ISO 14443), 4. CONVENTIONAL ARCHITECTURE
have mainly the same features as contact smart cards.
However the communication between the card and reader The conventional architecture (Fig. 3) has been designed
takes place via two antennas, one for every communication according to standards specifications. It is based on three
part. Table 1 shows the main contact and contact-less smart original DES Core units. It operates for both 3DES
card features. encryption and decryption processes with the support of
three different keys (Key1, Key2, and Key3).
ROM RAM EEPROM Speed Ciphers
Input Key Input Data
3DES & 64-bit 64-bit
ISO 24-64 0,512-3 2.25-8 100ns-
H/W 64-bit Ciphertext
7816 Kbytes Kbytes Kbytes 9ms Register

Algorithms Key
48-bit Expansion
3DES & Unit
ISO 24-64 0,512-3 2.25-8 100ns-
H/W
14443 Kbytes Kbytes Kbytes 9ms DES Core 1
Algorithms
RAM
Block
Table 1: Smart Cards main features Key1 64-bit

16x48-bit
Smart cards already play an important role in electronic DES Core 2
RAM
transaction systems. Especially for smart card assisted Block
Key2
electronic payment systems, chip security becomes more 16x48-bit 64-bit

and more important [2]. Only smart card controllers with

RAM
appropriate security certifications will be authorized in the Block
Key3
DES Core 3
future [2]. A movement for more secure algorithms in a 16x48-bit

limited resources environment, such as the smart cart 64-bit

devices, has started. To ensure confidentiality, 64-bit Ciphertext

Register

authentication and integrity of data, smart cards use Output Data

different types of encryption systems such as SHA-1, the Figure 3: Conventional Architecture
Data Encryption Standard (DES) and the 3-DES.
 transformation rounds uses a different round key, comprised
5. PROPOSED CRYPTO-PROCESSOR of 48-bit of the input key. Although, if we analyze the key
The design of the proposed Crypto-Processor adopts an expansion process, we will conclude that every round key is
architecture which exploits the reduced area of smart card generated by a certain combinational shift register. This
features. It operates as 3DES and DES according the user means that the key expansion unit can be constructed by
needs. The proposed 3DES algorithm architecture is using 16 different shift static registers, instead of be
illustrated in Fig. 4. The proposed architecture embounds designed as a component of mixed mathematical and digital
the following basic procedures: Initial and Inverse Initial logic. In Fig. 5, the architecture of the combinational shift
Permutations, a basic DES transformation round, a Key register, for the first key generation, is presented. The
Expansion Unit and 3 RAM blocks 16*48 bits every one. implementation of the shift register is a simply matter of
wiring. According to DES specifications, the decryption
Input Key InputData keys are the same with those of encryption if they are
64-bit
64-bit processed in reverse order. This fact is exploited by
InitialPermutation restoring the round keys in RAM blocks and the proposed
Key
system has not to compute the round keys for decryption.
48-bit Expansion The drawback of the shift-based implementation of the key
3DES x 3
Unit
64-bit Ciphertext
expansion unit is a tolerant of 5-10% area increment,
Register compared with the mixed mathematical and digital logic
64-bit DES x 16 implementation. The shift register based architecture is also
RAM Block 1.7 faster times compared with the conventional (mixed
Key1
logic).
RoundKey
48-bit

16x48-bit Bit(1) Bit(2) Bit(3) Bit(61) Bit(62) Bit(63)

Basic DES ...

56-bit Key Input
3x1 Multiplexer Block

Transformation
RAM Block Round

...
Key2 Shift Register
16x48-bit

64-bit
48-bit Key Output
RAM Block
Key3 64-bit Ciphertext
Register
...
16x48-bit Bit(9) Bit(13) Bit(20) Bit(37) Bit(40) Bit(46)
64-bit

Inverse Initial Figure 5 : Shift Register for the first round key
Permutation
Output Data 64-bit
According to the proposed Crypto-Processor (Fig. 3) a 3 x
Figure 4: Proposed Crypto-Processor 16-DES rounds procedure, in the middle of data processing,
and an initial permutation at the start and an inverse
Since 3DES is the union of three same DES parts, it is permutation at the end, completes the 3DES processing. The
preferred 3DES architecture with only one DES Core impact of the proposed architecture is a low reduced
component. By the support of the appropriate control throughput. The quite low bandwidth (102 Kbps) standards
signals and round keys, a 3 loop DES Core performs as the of the physical link, that smart cards exchange data with the
3DES encryption algorithm. Especially for 3DES external world, permit this direction in design.
encryption the DES core performs as: Encryption (K1)- 6. VLSI SYNTHESIS RESULTS
Decryption (K2)-Encryption (K3). The decryption of 3DES
is achieved due to integrated DES Core operation as: Both conventional and proposed architectures have been
Decryption (K3)-Encryption (K2)-Decryption (K1) captured by using VHDL. The two systems have been
synthesized, placed, and routed using a XILINX FPGA
The same consecutive logic is the basis for the internal device [6]. The synthesis results for both implementations
construction of DES. Since DES consists of 16 sequential are illustrated in Table 2.
iterations (transformation rounds), a solution for a light
space resources DES architecture is the construction of one From the synthesis results, it is proven that the proposed
basic transformation round. Crypto-Processor achieves at about 30% reduction of the
area resources. The little bit lower frequency of the Crypto-
In the DES encryption algorithm specifications [5], the Processor, compared with the conventional, 90 Vs 93 MHz
computation of the key schedule, from the 64-bit initial respectively, is due to the control logic additional delay that
input key is described in detail. Each one of the 16 the proposed architecture needs.
 FPGA XILINX (v100epq240) Achieved approximately 70,000 cells is not extraordinary [10]. This
Area cell count will easily fit on all chips, including smart cards.
DEVICE Convention. Proposed Reduction This small size provides the algorithm with great flexibility
Fun. Generat. 2211 711 210% and the ability to be utilized in many varied applications.
CLB Slices 1010 356 183% This in particular, we know of smart card containing a
Dffs 521 172 202%
crypto ASIC for symmetric key cryptography with more
Frequency 93 MHz 90 MHz -
than 10,000 gates [9].
Ratio (Mbps) 372 3DES 120 3DES
-
372 DES 360 DES 7. CONCLUSION
Table 2: FPGA Synthesis Results Comparison Smart cards are used in many application fields.
The lower throughput that the proposed Crypto-Processor Telecommunications provide SIM cards for mobile
achieves, compared with the conventional architecture, is telephony and prepaid public telephone cards. Multimedia
not a crucial factor for smart card integrations. The quite and pay-TV Cards are significant representatives of smart
low throughput standards of 102 Kbps, that smart cards cards. The need for express and secure financial transactions
exchange data with the external world, is far too lower than is the basic problem that keeps down the evolution of smart
the 120 Mbps that the proposed system performs as 3DES cards. New smart cards with more secure features are
and 360 Mbps as DES. This fact guarantees the proposed proposed. Architectures for more secure features, without
Crypto-Processor suitability for smart cards devices, even if the performance of system to be decreased, are applied.
it has lower throughput than the conventional. The major In this work, Crypto-Processor architecture is proposed for
advantage of the proposed architecture is the achieved area the bulk encryption unit of smart cards. The proposed
reduction. system operates in two different modes: DES and 3DES.
The area reduction is the main goal of a security The proposed architecture is based on only one DES Core
implementation, for smart cards, when the achieved and it is supported by feedback technique. In this way with
throughput reaches the limitations of bandwidth. The the proposed architecture a covered area reduction of 30% is
proposed Crypto-Processor achieves 30% area reduction achieved, compared with the conventional. The proposed
and has throughput much greater than the standard 102 Crypto-Processor achieved throughput is far better
Kbps of smart cards. compared with the needed standards’ value that smart cards
In addition, the proposed Crypto-Processor is compared devices specify.
with other well known DES implementations. The achieved
operation frequency and throughput of the proposed Crypto-
Processor is enough higher than the conventional works, in
8. REFERENCES
most of the cases (Table 3). [1] RESET Roadmap 5.0, Roadmap for European research on Smartcard
related technologies, Version 5, www.ercim.org/reset/, 2003.
Architectures Freq. (MHz) Rate (Mbps) [2] Data Encryption Standard, Federal Information Processing Standard
(GIPS) 46, National Bureau of Standards, 1977.
Kaps [8] 25 403, 183, 99 [3] Federal Information Processing Standards 140-1, “Security
Broscius [9] N/A 11.6 Requirements for Cryptographic Modules” U.S. Department of
Commerce/NIST, Springfield, 1994.
Raghuram [10] 77 44 [4] Douglas R. Stinson, Cryptography: Theory and Practice, CRC Press
Proposed 90 360 LCC, 1995.
[5] Xilinx, San Jose, California, USA, Virtex, 2.5 V Field Programmable
Table 3: DES Implementations Comparisons Gate Arrays, www.xilinx.com, 2003.
[6] J. Kaps and Chr. Paar, “Fast DES implementations for FPGAs and its
Application to a universal key search Machine”, 5th Annual
As it was described in section 2 the standards ISO 7816 and Workshop on Selected Areas in Cryptography (SAC ’98), August 17-
ISO 14443 do not provide any specifications for the 18, Ontario, Canada.
implementation of smart cards security part. A low cost [7] A.G. Broscious and J.M. Smith, “Exploiting Parallelism in Hardware
Implementation of the DES”, Advances in Cryptology: Crypto-91
approach is the software developments of encryption Proceedings, Springer-Verlag, 1992.
algorithms. By introducing an embedded hardware Crypto- [8] S.S Raghuram and C. Chakrabarti, “A programmable processor for
Processor in the smart card, the required cryptography”, proc. of ISCAS ’00, May 28-31 Switzerland, 2000.
encryption/decryption processing time is decreased [9] R. Anderson, E. Biham, and L. Knudsen, “Serpent and Smart Cards”,
dramatically. In some smart cards, a hardware encryption Third Smart Card Research and Advanced Applications Conference
Proceedings.
circuit has been bundled along with the CPU.
[10] C. Burwick, D. Coppersmith, E. D’ Avignon, et al, “MARS- a
Custom crypto processors containing tens of thousands of candidate cipher for AES”, 1st AES Conference, Ventura, CA, August
20-22, 1998.
gates can be embedded in smartcard CPUs. A count of