1. Introduction
Ultra-high-frequency (UHF) radio frequency identification (RFID) tags conforming to the electronic product code (EPC) class 1 generation 2 version 1 (EPC C1 Gen2v1) protocol[1] have been widely used in supply chain management. In order to protect consumers' privacy, such tags can be disabled at the point of sale (POS) by using the Kill command, which makes the information about the product no longer accessible. Recently, tagging of clothes, food, medicines, and luxury goods after the POS is becoming popular in daily life, which means these tags should not simply be killed at the POS. However, attacks on these tags may reveal sensitive information about customers, such as health condition, hobbies, locations, etc., which should be protected with the help of an on-chip crypto engine. A CMOS security-enhanced passive tag has been reported with sensitivities of -12 dBm and -11.6 dBm in insecure and secure modes[2], but no read range protection is considered. Actually, the required read range of tags after the POS is usually much shorter than that in supply chain management. Thereby, the data in the tag can be protected by password-controlled commands and short-range protection[3].
In this work, a dual-mode secure tag with an on-chip crypto engine is proposed to meet the needs of both supply chain management and the security of the user's privacy. The non-crypto mode with a long read range is used for supply chain management, while the crypto mode with a much shorter read range is used as a physical protection to prevent readers farther than roughly 1.3 meters from reading the tag, which will be explained in Section 2. In the non-crypto mode, the sensitivity is -12.8 dBm, the embedded secure engine stays inactive, and the baseband works according to the EPC generation 2 version 1 (Gen2v1) protocol[1]. In the crypto mode, the embedded secure engine is activated and the tag has a shorter read range due to its reduced sensitivity (+2 dBm), which is an additional physical protection for the private data in the tag. At the POS, instead of being killed, the proposed tag is switched to the crypto mode. In the crypto mode, the tag will only respond to commands specified in the EPC generation 2 version 2 (Gen2v2) protocol[4] and behaves according to the mutual authentication protocol specified in International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 9798-2 Mechanism 4.
The remainder of this paper is organized as follows. Section 2 presents the system analysis and architecture of the dual-mode secure tag. The circuit implementation of the tag is shown in Section 3, and experimental results are presented in Section 4. Finally, conclusions are given in Section 5.
2. System analysis and tag architecture
2.1 Physical protection by reducing read range
In a passive RFID system, the tag is powered up by the RF signal radiated from a reader. Thereby, the read range of the tag is limited by the RF power transmission[5]. The minimum RF signal strength needed to power up the tag chip is the sensitivity of the tag. For a tag with a sensitivity of $P_{sen}$, the read range ($d$) can be calculated with the help of the Friis transmission equation, which gives the relation between $P_{sen}$ and $d$:

$$P_{sen} = EIRP_{reader} \cdot G_{tag} \cdot \left(\frac{\lambda}{4\pi d}\right)^{2}, \qquad (1)$$

where $EIRP_{reader}$ is the effective isotropic radiated power (EIRP) of the reader and $G_{tag}$ is the antenna gain of the tag. Equation (1) is plotted in Figure 1, in which $EIRP_{reader}$ = 4 W and $G_{tag}$ = 0 dBi.
Note that as the sensitivity increases, the read range is extended. Generally, passive tags are designed with higher sensitivity to increase the read range[6, 7, 8]. For secure tags, the functions and circuit design are much more complex and thus need more power to operate correctly. Typically, the sensitivity of secure tags lies around -10 dBm[2, 9].
In this work, the dual-mode secure tag is designed with different sensitivities in the non-crypto mode and the crypto mode. In the non-crypto mode, the measured sensitivity of the proposed tag lies around -12.8 dBm, which corresponds to a 7.2 m read range under 4 W (36 dBm) EIRP. In the crypto mode, the measured sensitivity is +2 dBm, which corresponds to a much shorter read range (1.3 m) under the same conditions. Thereby, in the crypto mode, the private information in the tag is covered by an additional physical protection. Both situations are shown in Figure 1.
2.2 Tag architecture
The fully integrated dual-mode secure tag consists of a dual-sensitivity analog front end and a digital baseband, as shown in Figure 2. Note that the received RF signal enters the tag through a differential port (ANT+ and ANT-).
The analog front end includes a rectifier, a regulator with a shunt regulator, a demodulator, a modulator, a power-on-reset (POR), a clock generator (CLK)[10], and a shunt resistor ($R_{shunt}$). Other necessary blocks such as the voltage reference generator and low drop-out regulator (LDO) in the analog front end are similar to those of conventional UHF RFID passive tags and are not shown in the diagram. Note that a shunt resistor is added at the output of the regulator; it is controlled through a switch S0 by the baseband signal EN, which decides the switch from the non-crypto mode to the crypto mode. In the non-crypto mode, S0 is OFF and all the DC power is used to feed the baseband. In the crypto mode, S0 is ON and the shunt resistor ($R_{shunt}$ = 2 kΩ) is in parallel with the digital baseband. In this way, part of the converted DC current ($I_{DD}$) is bypassed through $R_{shunt}$ ($I_S$). Then, in order to provide enough DC current for the digital baseband, more RF input power is needed at the input of the analog front end, which degrades the sensitivity.
The digital baseband is constructed from three function modules: an EPC Gen2v1 baseband, an EPC Gen2v2 baseband with an AES engine, and memory. Some blocks in the function modules are shared between the non-crypto mode and the crypto mode to reduce the chip area. In the non-crypto mode, the embedded secure engine stays inactive, and the baseband works according to the EPC Gen2v1 protocol[1]. In the crypto mode, the embedded secure engine is activated and the tag will only respond to commands specified in the EPC Gen2v2 protocol[4] and behaves according to the mutual authentication protocol specified in ISO/IEC 9798-2 Mechanism 4.
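As an added example (not code from the paper or its tag), the following Go program evaluates equation (1) of Section 2.1 for the two measured sensitivities and then makes a first-order estimate of the sensitivity penalty that the shunt resistor described above introduces when S0 closes. It serves both the read-range discussion of Section 2.1 and the shunt mechanism of this section. The carrier frequency is not given on the page, so 915 MHz is an assumption; the shunt estimate assumes the rectifier efficiency is the same in both modes, which is also an assumption. The figures taken from the paper are 4 W EIRP, 0 dBi tag gain, a 2 kΩ shunt, a 0.8 V minimum baseband supply and 11.36 μW non-crypto baseband power; all function names are the example's own.

```go
package main

import (
	"fmt"
	"math"
)

// Values from the paper: 4 W reader EIRP, 0 dBi tag antenna gain, 2 kOhm shunt resistor,
// 0.8 V minimum baseband supply, 11.36 uW non-crypto baseband power.
// The carrier frequency is not stated on the page; 915 MHz is an assumption of this example.
const (
	eirpWatts      = 4.0
	tagGainDBi     = 0.0
	carrierHz      = 915e6 // assumption
	speedOfLight   = 299792458.0
	rShuntOhms     = 2000.0
	vddMinVolts    = 0.8
	basebandMicroW = 11.36
)

func dBmToWatts(dbm float64) float64 { return math.Pow(10, dbm/10) / 1000 }
func dBToLinear(db float64) float64  { return math.Pow(10, db/10) }
func linearToDB(x float64) float64   { return 10 * math.Log10(x) }

// ReadRange solves equation (1), Psen = EIRP * Gtag * (lambda / (4 pi d))^2, for d:
// the distance at which the incident power just reaches the tag's sensitivity.
func ReadRange(sensitivityDBm float64) float64 {
	lambda := speedOfLight / carrierHz
	return lambda / (4 * math.Pi) *
		math.Sqrt(eirpWatts*dBToLinear(tagGainDBi)/dBmToWatts(sensitivityDBm))
}

// SensitivityAtRange inverts (1): the sensitivity (dBm) a tag would need in order to be
// powered at distance d. It shows why a deliberately worse sensitivity limits who can read the tag.
func SensitivityAtRange(d float64) float64 {
	lambda := speedOfLight / carrierHz
	watts := eirpWatts * dBToLinear(tagGainDBi) * math.Pow(lambda/(4*math.Pi*d), 2)
	return 10 * math.Log10(watts*1000)
}

// ShuntPenaltyDB is a first-order estimate of the extra RF power the rectifier must collect
// once S0 closes: the shunt current IS = VDD/Rshunt is added to the baseband current IDD.
// It assumes equal rectifier efficiency in both modes, which the page does not state.
func ShuntPenaltyDB() float64 {
	iBaseband := basebandMicroW * 1e-6 / vddMinVolts
	iShunt := vddMinVolts / rShuntOhms
	return linearToDB((iBaseband + iShunt) / iBaseband)
}

func main() {
	for _, s := range []float64{-12.8, 2.0} {
		fmt.Printf("sensitivity %+.1f dBm -> read range %.2f m\n", s, ReadRange(s))
	}
	fmt.Printf("sensitivity needed at 1.3 m: %.1f dBm\n", SensitivityAtRange(1.3))
	fmt.Printf("extra DC load from the 2 kOhm shunt: %.1f dB (measured mode difference: %.1f dB)\n",
		ShuntPenaltyDB(), 2.0-(-12.8))
}
```

Under these assumptions the two ranges come out close to the 7.2 m and 1.3 m quoted in Section 2.1, and the shunt alone accounts for roughly 14.7 dB of additional DC load, which is close to the 14.8 dB difference between the two measured sensitivities. The inverse function makes the protection argument explicit: a reader at 4 W EIRP cannot power the tag beyond about 1.3 m unless the tag itself is made more sensitive, which the crypto mode deliberately prevents.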
3. Circuit implementation
3.1 Rectifier
The rectifier is shown in Figure 3(a); it has a cross-coupled bridge configuration driven by a differential RF input signal, which is widely used in UHF RFID tags[5, 11, 12]. An increase in the stage number ($N$) gives a higher output DC voltage ($V_{DD}$). In this work, $N$ is chosen to be 4 based on the load condition. A simple shunt regulator is shown in Figure 3(b). The shunt regulator is used to keep the highest $V_{DD}$ below 2 V. In the shunt regulator, a diode-connected transistor M3 is stacked on the main discharge transistor M1 to avoid breakdown. Since the input RF signal is amplitude modulated with a modulation depth from 80% to 100%[1], a storage capacitor ($C_{storage}$) is connected at the rectifier output to provide power for the chip during the periods when the input RF signal is absent. The simulated $V_{DD}$ is shown in Figure 4, in which the baseband is modeled by a load resistor $R_L$ = 50 kΩ based on its estimated power consumption. Note that the maximum $V_{DD}$ is limited to below 2 V.
3.2 Demodulator
The amplitude shift keying (ASK) demodulator consists of an envelope detector, a low pass filter network ($R_1$/$C_1$/$R_2$/$C_2$) and a hysteresis comparator, as shown in Figure 5. The envelope is detected by a rectifier-like topology with a static threshold compensation technique[13]. In Reference [14], a peak detector together with a divider is used to generate the reference voltage for the negative input of the hysteresis comparator. In this work, it is replaced by two simple low pass filters, which is simpler and more power efficient. The hysteresis is accomplished by using internal positive feedback, as shown in Figure 5(b)[15]. The input and output waveforms of the comparator are also shown in Figure 5(a) to illustrate the operation of the demodulator.
3.3 Digital baseband
The functional block diagram of the digital baseband is shown in Figure 6. DEMOD and DECODE are used to handle the pulse-interval encoding (PIE) signals demodulated by the analog front end. CONTROL acts as the state machine and issues the signals that control the other modules in different scenarios. The CRC module performs the cyclic redundancy check for the tag baseband. MEMORY is the memory that stores tag parameters and security-related information. The MOD and OCU modules handle the reply messages and the FM0 (bi-phase space) modulation. PRNG is a pseudo random number generator. CLK_CON is implemented as the clock control module to cut unnecessary power consumption. AES_CTRL, AES and REG FILE form the secure engine that handles encryption/decryption in the crypto mode, and they are active only in the crypto mode.
The baseband works in two modes. In the non-crypto mode, the digital baseband works as a standard EPC G2V1 baseband and is capable of communicating with existing standard EPC C1G2 readers in long-range management applications. In the crypto mode, crypto commands are included among the reader commands, and the secure engine is activated to provide a decryption session key. In this mode, the digital baseband works as a standard EPC G2V2 baseband with security considerations based on an advanced encryption standard (AES) secure engine to protect the customer's private information.
A customized command named Crypto_En is designed to switch the tag from the non-crypto mode to the crypto mode. Table 1 depicts the structure of the switch command. Once the correct Crypto_En commands are detected, the tag is switched into the crypto mode. In this case, the baseband activates the secure AES engine and turns S0 ON in the analog front end. After switching to the crypto mode, authentication is required prior to any privacy-related communication.
4. Experimental results
The dual-mode secure tag is fabricated in a standard 0.13 μm CMOS process and consists of an analog front end, a digital baseband with an on-chip AES engine and a memory block, as shown in Figure 7. The chip area is 1.416 × 1.148 mm² including pads for testing and some configurable options. A signal generator is used to transmit a continuous wave (CW) to power up the tag, and the reader commands are implemented using a commercial field-programmable gate array (FPGA) chip.
The measured output DC voltages of the tag in the non-crypto mode and the crypto mode versus the input power sweep are shown in Figure 8. The minimum required supply voltage of the baseband is 0.8 V. The sensitivities, estimated at 0.8 V output voltage, are -12.8 dBm and +2 dBm for the non-crypto mode and the crypto mode, respectively.
In the non-crypto mode, the tag works as a standard EPC G2V1 tag, and the measured link timing is shown in Figure 9, which follows the EPC G2V1 protocol[1]. The measured command sequence of the switch from the non-crypto mode to the crypto mode is shown in Figure 10. The reader sends two successive Crypto_En commands (1st Crypto_En and 2nd Crypto_En) to switch the tag from the non-crypto mode to the crypto mode. The HANDLE in the tag reply after the 2nd Crypto_En reader command indicates a successful switch. After the successful command sequence, the AES engine in the baseband is enabled, and the baseband works in the crypto mode.
In the crypto mode, an authentication flow is needed before the reader can read the private information in the tag's memory. The authentication flow complies with ISO/IEC 9798-2 Mechanism 4. As shown in Figure 11, the reader sends commands named AUTHENTICATE_1 and AUTHENTICATE_2, to which the tag responds with a CHALLENGE. The HANDLE after the CHALLENGE indicates a successful mutual authentication in the crypto mode.
The measured power consumption of the baseband in the standard non-crypto mode and the crypto mode is 11.36 μW and 17.84 μW, respectively. Finally, the proposed dual-mode tag is compared with other works in Table 2.
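The authentication gate described in Section 3.3 (authentication required before any privacy-related communication) and the ISO/IEC 9798-2 Mechanism 4 flow measured above, as an added Go example that is not code from the paper or its tag. It models the reader and the tag's crypto-mode baseband sharing an AES-128 key: the reader sends a fresh random number, the tag answers with E_K(R_tag || R_reader), the reader completes with E_K(R_reader || R_tag), and the tag releases its private memory only after it has verified that last pass. The 8-byte nonce size, the omission of the optional identity field, the function names and the private-memory contents are assumptions of this example; the Crypto_En command structure (Table 1) and the AUTHENTICATE_1/AUTHENTICATE_2/CHALLENGE framing of Figure 11 are not described on the page in enough detail to model and are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceLen = 8 // 8-byte nonces so R_tag || R_reader fills one AES block (nonce size and omitted identity field are assumptions)

func nonce() []byte {
	n := make([]byte, nonceLen)
	if _, err := rand.Read(n); err != nil {
		panic(err) // a failed RNG must stop the protocol rather than yield a weak nonce
	}
	return n
}
func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// aesBlock is one AES-128 block operation, the primitive the on-chip engine provides.
// A malformed key is a provisioning error, so it panics instead of returning an error.
func aesBlock(key, in []byte, decrypt bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// Tag models the crypto-mode baseband: private memory opens only after mutual authentication.
type Tag struct {
	key           []byte // shared 128-bit key held in tag memory
	rTag, rReader []byte // nonces of the outstanding challenge
	authenticated bool
	privateMemory []byte
}

// Challenge is pass 2: the tag draws R_tag and answers TokenAB = E_K(R_tag || R_reader).
func (t *Tag) Challenge(rReader []byte) []byte {
	t.authenticated = false
	t.rReader, t.rTag = cat(nil, rReader), nonce()
	return aesBlock(t.key, cat(t.rTag, t.rReader), false)
}

// VerifyReader checks pass 3: TokenBA must decrypt to R_reader || R_tag. The nonces are cleared either way, so a wrong or replayed token cannot be retried.
func (t *Tag) VerifyReader(tokenBA []byte) error {
	expected := cat(t.rReader, t.rTag)
	t.rTag, t.rReader = nil, nil
	if len(tokenBA) != aes.BlockSize || !bytes.Equal(aesBlock(t.key, tokenBA, true), expected) {
		return errors.New("reader authentication failed")
	}
	t.authenticated = true
	return nil
}

// ReadPrivate stands in for a read of privacy-related memory in the crypto mode.
func (t *Tag) ReadPrivate() ([]byte, error) {
	if !t.authenticated {
		return nil, errors.New("private memory locked: authenticate first")
	}
	return t.privateMemory, nil
}

// ReaderRespond is the reader's pass-3 step: TokenAB must carry the reader's own nonce under K; if so, it returns TokenBA = E_K(R_reader || R_tag).
func ReaderRespond(key, rReader, tokenAB []byte) ([]byte, error) {
	if len(tokenAB) != aes.BlockSize {
		return nil, errors.New("bad token length")
	}
	plain := aesBlock(key, tokenAB, true)
	if !bytes.Equal(plain[nonceLen:], rReader) {
		return nil, errors.New("tag authentication failed")
	}
	return aesBlock(key, cat(rReader, plain[:nonceLen]), false), nil
}

// RunSession drives the three passes (pass 1 is a fresh R_reader) and reports whether the tag ended authenticated.
func RunSession(tag *Tag, readerKey []byte) (bool, error) {
	rReader := nonce()
	tokenBA, err := ReaderRespond(readerKey, rReader, tag.Challenge(rReader))
	if err != nil {
		return false, err
	}
	err = tag.VerifyReader(tokenBA)
	return tag.authenticated, err
}

func main() {
	key := bytes.Repeat([]byte{0x2b}, 16) // constructed demo key
	tag := &Tag{key: key, privateMemory: []byte("constructed private record")}
	ok, err := RunSession(tag, key)
	fmt.Println("authenticated:", ok, err)
	data, err := tag.ReadPrivate()
	fmt.Printf("private read: %q %v\n", data, err)
}
```

Two properties matter for the privacy argument and both are visible in the code: a reader that does not hold K fails at the pass-2 check (its own nonce does not come back under K, so it never learns R_tag), and the tag discards its nonces after one verification attempt, so a captured TokenBA cannot be replayed against a later challenge. Together with the reduced read range of the crypto mode, this is what stands between a distant or unauthorised reader and the tag's private memory.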
5. Conclusion
A dual-mode secure tag including a non-crypto mode and a crypto mode is presented in this work. The non-crypto mode works with a high sensitivity (-12.8 dBm) for long-range management applications. The crypto mode with an on-chip crypto engine is designed to protect the user's privacy, and the tag in the crypto mode works with a low sensitivity (+2 dBm) for short range as a physical protection to prevent readers farther than roughly 1.3 meters from reading the tag.