Exploring the Design Space of the GPS Authentication Scheme

GPS is a public-key zero-knowledge protocol, which provides unilateral authentication and offers a rather large design space of possible implementation variants compared to other authentication schemes. Due to its flexibility it has been suggested for use in passive RFID tags, challenging the doctrine that public-key cryptography is too complex for passive devices. In its smallest configuration, GPS allows to use a coupon-based approach where only simple integer operations need to be computed on the prover’s side during authentication. More complex forms which require computation of number-theoretic operations, hashes, and random numbers form the opposite border of the design space. This work presents an approach where complex number-theoretic operations are (slowly) precomputed during idle time of the tag. The idea is to accept longer execution times to save chip area and decrease power consumption. To the best of the author’s knowledge this is the first time that this approach has been attempted with GPS. Several (parameterizable) architectures will be presented and discussed. The smallest full-precision arithmetic unit requires approximately 50000 gate equivalents and can calculate one commitment in about 2.4 million clock cycles. When using digit-level arithmetic, the size of the arithmetic unit can be reduced significantly. Using a digit size of 8 bits, the arithmetic unit takes only about 800 gate equivalents (plus RAM space for 560 bytes), at the price of spending approximately 66.6 million clock cycles for one commitment calculation. However, due to its short critical path this unit could be operated at frequencies up to about 290 MHz, when synthesized for UMC 0.13μm CMOS technology.