1-4244-0216-6/06/$20.00 ©2006 IEEE Low-cost Cryptographic Circuits for Authentication in Radio Frequency Identification Systems Mooseop Kim, Jaecheol Ryou, Yongje Choi, and Sungik Jun Abstract — We present a new architecture of Advanced Encryption Standard (AES) cryptographic circuit which can be used as cryptographic primitives supporting privacy and authentication for Radio frequency identification (RFID). RFID is a technology to identify goods or person containing the tags. While it is a convenient way to track items, it also provides chances to track people and their activities through their belongings. For these reasons, privacy and authentication are a major concern with RFID system and many solutions have been proposed. M. Feldhofer, S. Dominikus, and J. Wolkerstorfer introduced the Interleaved Protocol which serves as a means of authenticating RFID tag to reader devices in [14]. They designed very small AES hardware circuit as a cryptographic primitive. The proposed circuit requires about 1,000 clock cycles to encrypt a 128-bit block of data. In this contribution, we introduce a novel method to increase the operating speed of previous method for low-cost AES cryptographic circuits. Our low-cost AES cryptographic circuit can encrypt 128-bit data block within 870 clock cycles using less than 4000 gates on a 0.25 CMOS process 1 . Index Terms — RFID, AES, Privacy, Authentication I. INTRODUCTION RFID is a technology for automated identification of objects and people with electromagnetic fields. Thanks to dropping cost and many efforts to adapt it in real world, RFID systems seems to proliferate and ubiquitous in the future. However, the radio communications between RFID tag and readers raise a number of security issues. Basically, RFID tags send their identifier without further security verification when they are powered by electromagnetic waves from a reader. For these reasons, the security and privacy aspects of RFID systems have become a major issue. Current RFID systems do not protect the unique identifier so that unauthorized readers in the proximity can gather identity data. The collected identifying data could be accumulated and linked with location information in order to generate a customer profile. The threat to privacy grows 1 Mooseop Kim is with the Electronics and Telecommunications Research Institute (ETRI), 161 Gajeong-dong, Yuseong-gu, Daejeon, 305- 350, Korea (e-mail: gomskim@etri.re.kr). Jaecheol Ryou is a Professor of Division of Electrical and Computer Engineering, Chungnam National University, 220 Gung-dong, Yuseong-gu, Daejon, 305-764, Korea (e-mail: jcryou@home.cnu.ac.kr) Yongje Choi is with the Electronics and Telecommunications Research Institute (ETRI) (e-mail: choiyj@etri.re.kr) Sungik Jun is with the Electronics and Telecommunications Research Institute (ETRI) (e-mail: sijun@etri.re.kr) when a tag serial number is combined with personal information. Over the past few years, several efforts have been made to protect privacy problems of RFID systems. The first step to protect user privacy in RFID systems was physical approaches such as Kill Tag, Faraday cage, Blocker tag techniques[2], [3], [4]. But these methods did not give enough solutions. Alternative approaches are to design an authentication protocol using cryptographic solutions [5], [14]. The Hash- Lock and Randomized Hash Lock scheme [2], [3], [4] was introduced to prevent an exposure of tag identity by using cryptographic hash functions. However, these schemes do not protect location privacy. In [14], M. Feldhofer, S. Dominikus, and J. Wolkerstorfer introduced the Interleaved Protocol which serves as a means of authenticating RFID tag to reader devices. They used AES cryptographic algorithm for their authentication protocol. They designed very small AES hardware circuit as a cryptographic primitive. The proposed circuit requires about 1,000 clock cycles to encrypt a 128-bit block of data. RFID system has very strict circuit environment. Therefore special design methods for low-end AES circuit are required. In this paper, we introduce a novel method to increase the operating speed of previous method for low-cost AES cryptographic hardware. AS a result, a compact and fast AES implementation capable of supporting strong authentication for RFID applications was developed and evaluated. This paper is constructed as follows. Section 2 describes some related works. Section 3 describes AES algorithm reviews and architecture of our low-cost AES circuits. Section 4 describes synthesis and implementation results. Finally, in Section 5, we conclude this work. II. RELATED WORKS The National Institute of Standard and Technology (NIST) selected the Rijndael algorithm as the Advanced Encryption Standard (AES) [8] in 2001. Numerous FPGA and ASIC implementations [10], [11], [12], [13] of the AES were previously proposed and evaluated. Most of these implementations feature high speeds and high costs suitable for high-performance usages. The need for secure data exchange will become more important in the low-end devices such as RFID, sensor network systems and many other embedded systems. Most of these low-end embedded systems do not require high