IEEE MELECON 2004, May 12-15 , 2004, Dubrovnik, Croatia

Crypto Processor for Contactless Smart Cards

G. Selimis, N. Sklavos and 0.Koufopavlou
University of Patras / Department of Electrical and Computer Engineering,
Patras, Greece
e-mail: gselimis@ee.upatras.gr
Abstruct- In this paper a crypto processor for contactless
smart cards is presented. The proposed architecture is
based on DES algorithm standard. The introduction in the
proposed system a power management unit results in a
significant power consumption reduction. The use of
feedback design techniques reduces the required silicon
area. The overall system throughput satisfies the contactless
smart card data rate demands. The proposed system
operates in 55 MHz frequency with maximum data rate 42.5
Mbps. A 50% power reduction, in comparison with
conventional implementations, has estimated mainly due to
the switching activity and the total memory accesses
reduction. Additional techniques for silicon area reduction
are also presented.
I.

or openings to be unblocked, 3) the issue of

interoperability, different things to different people, is
being improved.
A problem that delays the improvement of contactless
smart card technology is the issue of security. The
security scenario in contactless smart card differs from
the scenario with contact smart cards [l]. The data
streams are transmitted through air and the information is
sensitive to attacks. Dedicated hardware crypto processor
is required to ensure the secure transaction. Architectures
for more secure features, without a system performance
decrease, are applied. Tamper-proof technologies are
used in order to avoid attackers to extract secret
information from the card.
The Data Encryption Standard was published by the
National Bureau of Standards, now the National Institute
of Standards and Technology (NIST), in 1977 [5,6]. DES
is an algorithm for bulk encryption and its combination
with random numbers from a random number generator
can guarantees encryption and authentication in a system.
In this paper, a crypto processor is proposed for the
bulk encryption unit of contactless smart cards. The
introduced design is based on the DES algorithm
standards. Also, the proposed crypto processor is built
under the specifications of I S 0 14443. The low
throughput requirement that I S 0 14443 specifies is
exploited in the proposed design. The system power
consumption and silicon area significantly reduced due to
the low throughput. Additionally, the use of power
management reducing techniques achieves 50% power
reduction. The required silicon area is reduced due to the
use of feedback design and shift-registers. The crypto
processor has been implemented in a FPGA device. The
operation frequency is 55 MHz with maximum data rate
42.5 Mbps.
This paper is organized as follows: In section I1 the
main hardware components of smart card devices are
presented. In section 111 a general overview of the power
consumption in CMOS design is given. The next section
presents a common smart card security system and a short
description of the DES algorithm. The proposed CryptoProcessor is explained in details in section V. The FPGA
synthesis results are given in section VI. Conclusions are
discussed in section VII.

INTRODUCTION

A smart card includes an embedded integrated circuit

chip that can be either a microcontroller with internal
memory or a memory chip alone. Smart card integrated
circuit development follows the evolutions of
semiconductor
technology,
mixed
technologies
integration, power consumption constrains and design
techniques [l]. The smart card integrated circuit has
become a real and complex Secure System on Chip
(SeSoC) including new CPU core, memory management,
security functions, dedicated IP blocks and native
embedded software [ 11.
The smart cards introduction in the market has been
rapidly increased the last years. Telecommunications
companies provide SIM cards for mobile telephony and
prepaid public telephone cards. Also, multimedia and
pay-TV cards are significant representatives of smart
cards. There are also several uses of smart cards in
transportations. An attempt for more secure financial
services cards (banking, shopping) enforces the
conversion of magnetic stripe and credit cards to smart
cards.
The cards connect to a reader through direct physical
contact or a remote contactless electromagnetic interface.
T h s difference separates smart cards into two basic
categories, contact (IS0 78 16) and contactIess smart card
(IS0 14443). There are also dual interface cards which
communicate with the external world with both of ways.
The last years many discussions were take placed and a
movement has been initiated for the development of a
new generation contactless smart card. Some advantages
of this technology are: 1) more than one person can be
serviced by the reader at the same time, 2) the lack of
physical electrical connection minimizes the maintenance
of reader since there are no worn contacts to be replaced

0-7803-827 1-4/04/$20.00 02004 IEEE

11.

SMART CARDS ISSUES

A . Hardware System
Fig. 1 shows the main hardware components of a smart
card system. The hardware system of contactless smart
803

card has two basic parts, the RF analog interface and the
digital. The analog part undertakes to demodulate the
received signal from the reader and to modulate the
transmitted signal that smart card generates. It
communicates with external world via an inductive loop
antenna. Another function of RF interface is the power
supply to all parts of smart card. The main elements of
microprocessor used in smart cards are: CPU, ROM,
RAM,and EEPROM. The smart card data and the keys
are stored usually in EEPROM while the operation
system in ROM. In addition the crypto processor and the
Random Number Generator satisfy the demand for secure
and reliable transactions.

- R

ENABLE

T 3 7 1
MANAGEMENT

EEPROM

PRoCESSoR
"'Yp"

1 1 yN:I

RAM

ROM

RF INTERFACE

Figurel: Smart card hardware system

The big challenge for smart card silicon manufacturers

is to quickly adapt the analog parts (charge pumps,
voltage and current regulators, embedded clock
generators, and security sensors) and EEPROM or flash
technologies to increasingly smaller digital technologies
121.

B. Power Consumption
The circuit of smart card is fabricated using CMOS
technology. Two basic features of CMOS technology are
cost efficiency and low power dissipation. The contact
less smart card system has not an internal battery placed
and it receives power from the antenna. Together, the
reader and the contact less smart card antennas comprise a
loosely coupled transformer [3]. When the smart card is
placed in the field, the energy passes through the loop
antenna of the card is received by the integrated circuit
[3]. The issue of power is major in smart card technology
because of the need of running more of one application in
the same time.
The energy consumption on a CMOS chip can be
classified as static and dynamic power dissipation. The
main difference between them is that dynamic power is
frequency dependent, while static is not. The static power
in CMOS circuits is mainly due to leakage currents. In
general it can be considered that static power consumption
is a small fraction of dynamic power consumption and can
be omitted in further analysis. Dynamic power can be
classified into power consumed internally by the cell and
power consumed due to driving the load. A first order
approximation of the dynamic energy consumption of
CMOS circuitry is given by the formula:

where Pd is the power in Watts, C,

is the switch

capacitance in Farads, Y is the supply voltage in Volts

and f is the frequency of operations in Hertz. C ,
combines two factors C, the capacitance being
chargeddischarged and the switching activity a , which
the probability that a transition occurs.
Cef =aC
(2)
Due to (1) and (2) equations the power could be
reduced by the reduction of the above power factors.
One technique for power minimization is the use of
gated clock. Gated clocks are used in power management
to shut down the components of the c h p that are inactive.
The clock to each component is gated so that the clock to
a given component can be disabled upon demand [ll].
The above technique is a switchng activity reduction
technique.
C. Security
Two components of the smart card hardware System,
Digital Encryption Standard (DES) engine and Random
Number Generator can provide secure transactions by
smart cards. DES operates on a 64-bit block. After an
initial permutation, the block is broken into a right half
and a left half, each 32 bits long. Then there are 16 rounds
of identical operations, called Function f, in which the
data are combined with the key. After the sixteenth round,
the right and left halves are joined, and a final permutation
finishes off the algorithm. In each round the key bits are
shifted, and then 48 bits are selected from the 64 bits of
the key. With the DES is possible to use the same h c t i o n
to encrypt or decrypt a block. The only difference is that
the keys must be used in reverse order. Many
implementations of DES have been proposed in systems
as wireless networks for authentication and bulk
encryption [7, 8, and 121.
The scenario of a secure transaction (Fig.2) is the
following: First smart card sends to reader a 32- bit
random number. Reader encrypts the 32-bit stream with
the secret key and sends it to smart card. Smart card
decrypts with the secret key the received 32-bit stream and
then verifies reader. The reverse process is required for
reader to verify smart card. In this manner, each can verify
that the other knows the key value without the key itself
ever being communicated and the authentication process
is completed. Afterwards a session key is generated for
the following encryptioddecryption process.
r - - - - - - -Two-side
- - - - - -authentication
_---_-_-_---_-__-'

random stream
I
I *
I
I
I +
I
II

enCNDted random stream

I
I
I
I
I

random stream
'

encNDted random stream

'1

L___--_-___--_____-------------l

Session Key generation

r------------------------------

II

EncNDted session kev transmition

Aareement to session kev selection

I.

U.

Data transaction

,I
1

'I

Figure2 Smart card authentication and encryption

804

111.

PROPOSED ARCHITECTURE

shift-register matches a specific input with a specific

output and the only energy which consumed is came from
the additional wiring.
The power factor that can change easily, without
contactless smart cards specifications have been
modified, is switching activity. The use of a gated clock
manages the power consumption in a system due to
shutting down the inactive components and avoiding
unnecessary activity, For every clock cycle only a part of
the crypto processor consumes energy. During one clock
cycle, the data are transmitted from a part, which is active
for this current cycle, to another. For every round of DES
algorithm, two parallel processes take place, the basic
transformation round and the key generation procedures.
Only some components of these procedures are active for
a specific clock cycle.
With the conventional architectures, the register is
clocked all the time, whether new data is to be captured
or not. If the register must hold the old state, its output is
fed back into the data input through a multiplexer whose
enable line controls whether the register clocks in new
data or recycles the existing data. With a gated clock, the
signal that would otherwise control the select line on the
multiplexer now controls the gate. The result is that the
energy consumed in driving the registers clock input is
reduced in proportion to the decrease in average local
frequency. In fig.4 the architecture of proposed gated
clock is shown. The Des control unit feeds with a 6-bit
stream of enable signals a chain with six ANDs and
then they are gated with the clock.

The proposed architecture is designed according to the

reduced of resources environment that smart card
provides. However the implementation of crypto
processor follows the standards specifications of DES
algorithm. The proposed DES architecture is illustrated in
Fig.3
Encryption/
decryption

n
I
1
Managemen!

II

Round Key

Transformation

Round

64-bit
6&bit Register

Figure 3.Proposed DES implementation

In Fig.3 the basic procedures of DES algorithm are

presented. The one transformation round choice, reduces
the power and the area demands. The pipelining
architecture increases the throughput of the system but it
is prohibitive in such low resources systems as smart
carts. In addition the standard I S 0 14443 for contactless
smart cards requires a low throughput, 106 Kbps.
The Key Expansion Unit calculates one different key
for every transformation round. A usual technique is to
store the 16 different keys in a memory unit for the
decryption process. In the proposed Key Expansion Unit
implementation every key which generated for the
transformation round operation does not stored. Then
crypto processor is a totally independent unit, and there is
not need for connecting with memory components during
its operation. In processor based systems, a significant
fraction of the total energy budget is consumed in
memories and buses [lo]. Minimizing the memory
accesses minimizes the cost of bus transactions and can
reduce energy consumption [lo].
DES algorithm has a serious amount of tables that they
change the order of the block bits and bits are added or
removed in specific bit places of the block. These
processes are called permutations and they are the
following: initial and inverse initial permutation,
expansion permutation, P-BOX permutation, key
permutation and compression permutation. The
implementation of these components is built using shiftregisters, a power efficient solution since not any D FlipFlops or latches are used during the implementation. The

7
dec

nr

tion

r--

Figure 4. Gated clock implementation

IV.

VLSI SYNTHESIS RESULTS

The proposed archtecture has been captured by using

VHDL. All the internal components of the design were
synthesized placed and routed using XILINX FPGA
devices [12]. Synthesis results for the proposed system
implementation are illustrated in Table 1.
TABLE I.
FPGAIMPLEMENTATION OF PROPOSED SYSTEM

FPGA
DEVICE

XlLINX
(vlOOepq240)

The Crypto Processor unit implemented using a power

management unit (gated clock). A conventional
805

throughput is also far better compared with the needed

standards.
The area is reduced,with the one transformation round
feedback technique and the using of the shift-registers.
The one transformation round implementation is
synthesized and allocated 320 Configurable Logic Blocks
(Clbs) and 380 D Flip Flops. It is the most significant
component of DES implementation and its using from
sixteen times to one limits the covered area dramatically.

architecture of DES algorithm without gated clock can

easily be implemented for comparison without changing
the basic architecture of the built system. The Table 2
presents the estimated power distribution according the
operation clock cycle of one transformation round. A
specific area of the system is activated for every cycle. It
is obvious that the most power demanding case is during
cycle 2 when the energy consumption catches the highest
value. The power has estimated for the conventional
implementation too. The power reduction with a factor of
50% has been achieved. The power estimated using
XILINX power tools estimators for FPGA technology.

V.

The need of secure, express and reliable transactions

introduces crypto processor in contactless smart card
systems. Special efforts in hardware design are needed
because of the low resources environment that contactless
smart card provides. Crypto Processor architecture is
proposed for the bulk encryption unit of contactless smart
cards. The proposed system operates according the
specification standards of DES algorithm. Power
management reducing techniques achieve a power
reduction with a factor of 100% in comparison with
conventional DES architecture. In addition the one
transformation round technique and the using of shiftregisters limits the covered area. The system has lower
throughput in comparison with the no gated clock
implementations but is far better compared with the
needed standards value that smart cards devices specify.

TABLE 11.
POWERESTIMATION

Cycle2
Cycle3
Cycle4
Cycle5
Cvcle6
Conventional

33
33
310

65

65

444

CONCLUSION

26 mW
30 mW
30 mw
66mW

A processor that consumes more power than a

competitors may or may not consume more energy to
run a program. For example, even if processor As power
consumption is twice that of processor B, As energy
consumption could actually be less if it can execute the
same program more than twice as quickly as B [lo]. In
other worlds, it is important to note that the energy per
operation is independent of the clock frequency.
Reducing the frequency will lower the power
consumption but will not change the energy required to
perform a given operation. Since the energy consumption
is what determines the battery life, it is imperative to
reduce the energy rather than just the power [ 111.
In contactless smart cards, because of the fact that the
power is extracted from the RF field, no battery is
required. However the RF field has a maximum value of
power that supplies the circuit at a given time. For this
reason attention in power consumption must be taken.
The issue of energy can be solved with a delay in the RF
linking between smart card and reader. For this reason,
the above attempt to reduce the power requirements
during the operation drove to a slower implementation.
The operation of one transformation round is completed
in five clock cycles but the power requirements of the
circuit are lower approximately .with a factor of
100%.This result is being achieved by the introducing of
gated clock. The gated clock technique can be distributed
to all components of the hardware smart card system. In
addition global gating results in much larger energy
reductions and is often used in implementing power down and power-management modes [lo].
As it is explained in Section I11 several techniques are
used in an attempt DES algorithm to be adapted in smart
card conditions. Memory accesses are minimized and the
crypto processor is a totally independent unit without
central control required by smart card. The achieved

REFERENCES

RESET ROADMAP 5.0, Roadmap for European Research on

Smartcard related technologies, Version 5, www.ercim.org/reset/,
2003.
Jean-Francois Dhem and Natalie Feyt, Hardware and Software
Symbiosis Helps Smart card Evolution, published in IEEE Micro
21(6):14-25, 2001.
Patrick Rakers, Larry Connel, Tim Collins and Dan Russel,
Secure Contactless Smartcard ASIC with DPA Protection, IEEE
Journal of solid-sate circuits, vo1.36, NO. 3 March 2001.
James Goodman and Anantha p. Chandrakasan, An EnergyEfficient Reconfigurable public-key Cryptography Processor,
IEEE Journal of solid-state circuits, vo1.36, NO. 1 I , November
2001.
Data Encryption Standard, Federal Information Processing
Standard (GIPS) 46, National Bureau of Standards, 1977.
Federal Information Processing Standards 140-1, Security
Requirements for Cryptographic Modules U.S. Department of
Commerce/NIST, Springfield, 1994.
N.Sklavos, and O.Koufopavlou, Mobile Communications World
: Security Implementations Aspects - A state of the Art,
Computer Science Journal of Moldova, Institute of Mathematics
and Computer Science, Vol. 11 ,Number 2,2003.
N. Sklavos, P. Kitsos and 0. Koufopavlou, VLSI Implementation
of Password (PIN) authentication Unit, proceedings of 9h IEEE
International Conference of Electronics, Circuits and Systems
(ICECS 2002), Vol 111, pp. 1147-1 150, Croatia, September 15-18,
2002.
Havinga P.J.M., Smit, G.J.M.: Design techniques for low power
systems, Journal of Systems Architecture, Vo1.46, Iss. 1, 2000.
Edgar Sanchez-Sinecio, and Andreas G.Andreou, Low-Voltage/
Low Power Integrated Circuits and Systems: Low Voltage MixedSignal Circuits, IEEE Press Series on Microelectronic Systems.
Xilinx, San Jose, California, USA, Virtex, 2.5 V Field
Programmable Gate Arrays, www.xilinx.com, 2003.
J. P. Kaps, C. Paar, Fast DES Implementation for FPGAs and its
Application to a Universal Key-Search Machine, 5h Annual
Workshop on Selected Areas in Cryptography (SAC 98).

806