Pushing the Limits of SHA-3 Hardware Implementations to Fit on RFID

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8086)


There exists a broad range of RFID protocols in literature that propose hash functions as cryptographic primitives. Since keccak has been selected as the winner of the NIST SHA-3 competition in 2012, there is the question of how far we can push the limits of keccak to fulfill the stringent requirements of passive low-cost RFID. In this paper, we address this question by presenting a hardware implementation of keccak that aims for lowest power and lowest area. Our smallest (full-state) design requires only 2 927 GEs (for designs with external memory available) and 5 522 GEs (total size including memory). It has a power consumption of 12.5 μW at 1 MHz on a low leakage 130 nm CMOS process technology. As a result, we provide a design that needs 40% less resources than related work. Our design is even smaller than the smallest SHA-1 and SHA-2 implementations.


Hardware Implementation SHA-3 Keccak ASIC RFID Low-Power Design Embedded Systems 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Akin, A., Aysu, A., Ulusel, O.C., Savaş, E.: Efficient Hardware Implementations of High Throughput SHA-3 Candidates Keccak, Luffa and Blue Midnight Wish for Single- and Multi-Message Hashing. In: 3rd International Conference Security of Information and Networks–SIN 2010, Taganrog, Russia, September 7-11, pp. 168–177 (2010)Google Scholar
  2. 2.
    Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: A Lightweight Hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 1–15. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. 3.
    Baldwin, B., Byrne, A., Lu, L., Hamilton, M., Hanley, N., O’Neill, M., Marnane, W.P.: FPGA Implementations of the Round Two SHA-3 Candidates. In: International Conference on Field Programmable Logic and Applications–FPL 2010, Milano, Italy, August 31-September 2, pp. 400–407 (2010)Google Scholar
  4. 4.
    Bertoni, G., Daemen, J., Debande, N., Le, T.-H., Peeters, M., Van Assche, G.: Power Analysis of Hardware Implementations Protected with Secret Sharing. Cryptology ePrint Archive: Report 2013/067 (February 2013)Google Scholar
  5. 5.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Building Power Analysis Resistant Implementations of Keccak. In: Second SHA-3 Candidate Conference (August 2010)Google Scholar
  6. 6.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions. Submission to NIST (Round 3) (2011)Google Scholar
  7. 7.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference. Submission to NIST (Round 3) (2011)Google Scholar
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak SHA-3 submission. Submission to NIST (Round 3) (2011)Google Scholar
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Keer, R.V.: Keccak Implementation Overview, V3.2 (2012)Google Scholar
  10. 10.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Workshop, Barcelona, Spain, May 24-25 (2007),
  11. 11.
    Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: Spongent: A Lightweight Hash Function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  12. 12.
    Bogdanov, A., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y.: Hash Functions and RFID Tags: Mind the Gap. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 283–299. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Feldhofer, M., Rechberger, C.: A Case Against Currently Used Hash Functions in RFID Protocols. In: Dominikus, S. (ed.) Workshop on RFID Security 2006 (RFIDSec06), Graz, Austria, July 12-14, pp. 109–122 (July 2006)Google Scholar
  14. 14.
    Feldhofer, M., Rechberger, C.: A Case Against Currently Used Hash Functions in RFID Protocols. In: Meersman, R., Tari, Z., Herrero, P. (eds.) OTM 2006 Workshops. LNCS, vol. 4277, pp. 372–381. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Feldhofer, M., Wolkerstorfer, J.: Hardware Implementation of Symmetric Algorithms for RFID Security. In: RFID Security: Techniques, Protocols and System-On-Chip Design, pp. 373–415. Springer (2008)Google Scholar
  16. 16.
    Finkenzeller, K.: RFID-Handbook, 2nd edn. Carl Hanser Verlag (April 2003) ISBN 0-470-84402-7Google Scholar
  17. 17.
    Gaj, K., Homsirikamol, E., Rogawski, M.: Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round two SHA-3 Candidates using FPGAs. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 264–278. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  18. 18.
    Gaj, K., Homsirikamol, E., Rogawski, M., Shahid, R., Sharif, M.U.: Comprehensive Evaluation of High-Speed and Medium-Speed Implementations of Five SHA-3 Finalists Using Xilinx and Altera FPGAs. Cryptology ePrint Archive: Report 2012/368 (June 2012)Google Scholar
  19. 19.
    Guo, J., Peyrin, T., Poschmann, A.: The PHOTON Family of Lightweight Hash Functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  20. 20.
    Guo, X., Huang, S., Nazhandali, L., Schaumont, P.: Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations. In: Second SHA-3 Candidate Conference 2010 (2010)Google Scholar
  21. 21.
    Gürkaynak, F.K., Gaj, K., Muheim, B., Homsirikamol, E., Keller, C., Rogawski, M., Kaeslin, H., Kaps, J.-P.: Lessons Learned from Designing a 65nm ASIC for Evaluating Third Round SHA-3 Candidates. In: Third SHA-3 Candidate Conference (March 2012)Google Scholar
  22. 22.
    Henzen, L., Gendotti, P., Guillet, P., Pargaetzi, E., Zoller, M., Gürkaynak, F.K.: Developing a Hardware Evaluation Method for SHA-3 Candidates. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 248–263. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  23. 23.
    Homsirikamol, E., Rogawski, M., Gaj, K.: Comparing Hardware Performance of Round 3 SHA-3 Candidates using Multiple Hardware Architectures in Xilinx and Altera FPGAs. In: CRYPT II Hash Workshop 2011 (May 2011)Google Scholar
  24. 24.
    Hsing, H.: Sha3 (keccak). (January 2013)Google Scholar
  25. 25.
    Juels, A., Weis, S.A.: Defining Strong Privacy for RFID. Cryptology ePrint Archive, Report 2006/137 (April 2006),
  26. 26.
    Jungk, B., Apfelbeck, J.: Area-Efficient FPGA Implementations of the SHA-3 Finalists. In: International Conference on Reconfigurable Computing and FPGAs–ReConFig 2011, Cancun, Mexico, November 30-December 2, pp. 235–241 (2011)Google Scholar
  27. 27.
    Kaps, J.-P., Yalla, P., Surapathi, K.K., Habib, B., Vadlamudi, S., Gurung, S., Pham, J.: Lightweight Implementations of SHA-3 Candidates on FPGAs. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 270–289. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  28. 28.
    Kavun, E.B., Yalcin, T.: A Lightweight Implementation of Keccak Hash Function for Radio-Frequency Identification Applications. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 258–269. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  29. 29.
    Keccak Design Team. The Keccak sponge function family,
  30. 30.
    Kerckhof, S., Durvaux, F., Veyrat-Charvillon, N., Regazzoni, F., de Dormale, G.M., Standaert, F.-X.: Compact FPGA Implementations of the Five SHA-3 Finalists. In: Prouff, E. (ed.) CARDIS 2011. LNCS, vol. 7079, pp. 217–233. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  31. 31.
    Kim, M., Ryou, J., Jun, S.: Efficient Hardware Architecture of SHA-256 Algorithm for Trusted Mobile Computing. In: Yung, M., Liu, P., Lin, D. (eds.) Inscrypt 2008. LNCS, vol. 5487, pp. 240–252. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  32. 32.
    Kobayashi, K., Ikegami, J., Knežević, M., Guo, E.X., Matsuo, S., Huang, S., Nazhandali, L., Kocabas, Ü., Fan, J., Satoh, A., Verbauwhede, I., Sakiyama, K., Ohta, K.: Prototyping Platform for Performance Evaluation of SHA-3 Candidates. In: IEEE International Symposium on Hardware-Oriented Security and Trust–HOST 2010, Anaheim, California, USA, June 13-14, pp. 60–63 (2010)Google Scholar
  33. 33.
    O’Neill, M.: Low-Cost SHA-1 Hash Function Architecture for RFID Tags. In: Dominikus, S. (ed.) Workshop on RFID Security 2008 (RFIDsec 2008), pp. 41–51 (July 2008)Google Scholar
  34. 34.
    Ranasinghe, D.C., Cole, P.H.: Networked RFID Systems and Lightweight Cryptography. Springer, Berlin (2008)Google Scholar
  35. 35.
    Saarinen, M.-J.O., Engels, D.: A Do-It-All-Cipher for rfid: Design Requirements (Extended Abstract). Cryptology ePrint Archive: Report 2012/317 (June 2012)Google Scholar
  36. 36.
    Sarma, S.: Towards the 5 Cent Tag. White paper, MIT Auto-ID Center (2001)Google Scholar
  37. 37.
    Sarma, S.E., Weis, S.A., Engels, D.W.: Radio Frequency Identification: Risks and Challenges. CryptoBytes (RSA Laboratories) 6(1), 325 (2003)Google Scholar
  38. 38.
    Sarma, S.E., Weis, S.A., Engels, D.W.: RFID Systems and Security and Privacy Implications. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 454–469. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  39. 39.
    Shamir, A.: SQUASH A New MAC with Provable Security Properties for Highly Constrained Devices Such as RFID Tags. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 144–157. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  40. 40.
    Strömbergson, J.: Implementation of the Keccak Hash Function in FPGA Devices. Technical report, InformAsic AB (2008)Google Scholar
  41. 41.
    Tillich, S., Feldhofer, M., Kirschbaum, M., Plos, T., Schmidt, J.-M., Szekely, A.: Hardware Implementations of the Round-Two SHA-3 Candidates: Comparison on a Common Ground. In: Proceedings of Austrochip 2010, Villach, Austria, October 6, pp. 43–48 (2010) ISBN 978-3-200-01945-4Google Scholar
  42. 42.
    Weis, S.A., Sarma, S.E., Rivest, R.L., Engels, D.W.: Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. In: Hutter, D., Müller, G., Stephan, W., Ullmann, M. (eds.) Security in Pervasive Computing 2003. LNCS, vol. 2802, pp. 201–212. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  43. 43.
    Yoshida, H., Watanabe, D., Okeya, K., Kitahara, J., Wu, H., Küçük, Ö., Preneel, B.: MAME: A Compression Function with Reduced Hardware Requirements. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 148–165. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. 1.Institute for Applied Information Processing and Communications (IAIK)Graz University of TechnologyGrazAustria

Personalised recommendations