
Differential Electromagnetic Attack on an FPGA Implementation of Elliptic Curve Cryptosystems

E. De Mulder (1), S. B. Örs (2), B. Preneel (1), I. Verbauwhede (1)
(1) Katholieke Universiteit Leuven, Department of Electrical Engineering (ESAT), SCD/COSIC, Belgium
(2) Istanbul Technical University, Department of Electronics and Communication Engineering, Turkey
Abstract
This paper describes a differential electromagnetic analysis attack performed on a hardware implementation of an elliptic curve cryptosystem. We describe the use of the distance of mean test. The number of measurements needed to get a clear idea of the right guess of the key-bit is taken as indication of the success of the attack. We can find the right key-bit by using only 2000 measurements. We also give an electromagnetic model for the FPGA we use in our experiments. The amplitude, the direction and the position of the current on the FPGA's lines with respect to the position of the antenna have an influence on the measured electromagnetic radiation in the FPGA's surrounding area.
Keywords: FPGA, Electromagnetic Analysis, Elliptic Curve Cryptosystems
1 Introduction
Elliptic Curve Cryptography (ECC) was proposed independently by Miller [12] and Koblitz [9] in the
80’s. Since then a considerable amount of research has been performed on secure and efficient ECC
implementations. The benefits of ECC, when compared with classical cryptosystems such as RSA [18],
include: higher speed, lower power consumption and smaller certificates, which are especially useful
for wireless applications.
There is a vast literature on differential electromagnetic radiation analysis (DEMA). This paper
describes a DEMA attack performed on an FPGA implementation of an elliptic curve cryptosystem
over GF (p) [14, 15]. The attacks in previous papers were performed on software implementations or
were only simulations of attacks. With the start of differential power analysis in [10], followed by
the differential electromagnetic analysis [8, 17], several metrics were used to decide for the correct
hypothesis. We use the distance of mean test as our metric. The number of measurements for the key
guess to stabilize is representative for the quality of the metric and the success of the DEMA attack.
We can find the right key bit by using only 2000 measurements.
The paper is structured as follows: In Section 2 the theoretical background of elliptic curves,
the electromagnetic radiation attacks and the distance of mean test are discussed. Section 3 gives an
overview of the previous work in this area. This section is followed by a description of the measurement
setup (Section 4) and by the electromagnetic model of the FPGA (Section 5). The DEMA attack is
given in Section 6. Section 7 concludes the paper.
2 Theoretical Background
2.1 Elliptic curves over GF (p)
An elliptic curve E is expressed in terms of the Weierstrass equation: $y^2 = x^3 + ax + b$, where $a, b \in GF(p)$ with $4a^3 + 27b^2 \neq 0 \pmod{p}$. The point at infinity O plays a role analogous to that of the number 0 in ordinary addition. The points on an elliptic curve together with the operation of addition form an Abelian group. Then it is straightforward to introduce the point multiplication as the main operation for an elliptic curve cryptosystem (ECC). This operation can be calculated with the always double-and-add algorithm as shown in Algorithm 1. For details see [12, 9, 5].
Algorithm 1 Elliptic curve point multiplication (ECPM)
Input: EC point $P = (x, y)$, integer $k$, $0 < k < M$, $k = (1, k_{l-2}, \cdots, k_0)_2$ and $M$
Output: $Q = [k]P = (x', y')$
  $Q \leftarrow P$
  for $i$ from $l-2$ downto 0
    $Q_1 \leftarrow 2Q$, $Q_2 \leftarrow Q_1 + P$
    if $k_i = 0$ then $Q \leftarrow Q_1$ else $Q \leftarrow Q_2$
2.2 Electromagnetic Analysis Attacks
The current consumption of CMOS circuits is data-dependent. However, for the attacker, the relevant
question is to know whether this data-dependent behavior is observable.
The current that flows during the switching of the CMOS gates causes a variation of the electromagnetic field surrounding the chip that can be monitored by inductive probes which are particularly sensitive to the related impulse. The electromotive force across the sensor (Lenz's law) relates to the variation of magnetic flux as follows [19]: $V = -\frac{d\phi}{dt}$ and $\phi = \iint \vec{B} \cdot d\vec{A}$, where $V$ is the probe's output voltage, $\phi$ the magnetic flux sensed by the probe, $t$ is the time, $\vec{B}$ is the magnetic field and $\vec{A}$ is the area that it penetrates.
Maxwell's equation based on Ampère's law relates the magnetic field to its origin: $\nabla \times \vec{B} = \mu \vec{J} + \epsilon \mu \frac{\partial \vec{E}}{\partial t}$, where $\vec{J}$ is the current density, $\vec{E}$ is the electrical field, $\epsilon$ is the dielectric permittivity and $\mu$ is the magnetic permeability.
Two types of electromagnetic analysis attacks are distinguished. In a simple electromagnetic
analysis (SEMA) attack, an attacker uses the side-channel information from one measurement directly
to determine (parts of) the secret key. In a differential electromagnetic analysis (DEMA) attack, many
measurements are used in order to filter out noise.
2.2.1 Distance of Mean Test
A distance of mean test begins by running the cryptographic algorithm for N random values of input. For each of the N inputs, $I_i$, a discrete time side-channel signal, $S_i[j]$, is collected and the corresponding output, $O_i$, may also be collected. The side-channel signal $S_i[j]$ is a sampled version of the side-channel output of the device during the execution of the algorithm that is being attacked. The index $i$ corresponds to the $I_i$ that produces the signal and the index $j$ corresponds to the time of the sample. The $S_i[j]$ are split into two sets using a partitioning function, $D(\cdot)$: $S_0 = \{ S_i[j] \mid D(\cdot) = 0 \}$, $S_1 = \{ S_i[j] \mid D(\cdot) = 1 \}$.
The next step is to compute the average side-channel signal for each set: $A_0[j] = \frac{1}{|S_0|} \sum_{S_i[j] \in S_0} S_i[j]$, $A_1[j] = \frac{1}{|S_1|} \sum_{S_i[j] \in S_1} S_i[j]$, where $|S_0| + |S_1| = N$. By subtracting the two averages, a discrete time differential side-channel bias signal, $T[j]$, is obtained: $T[j] = A_0[j] - A_1[j]$.
Selecting an appropriate D function results in a differential side-channel bias signal that can be used to verify a guessed part of the secret key.
3 Previous Work
It is well known that the US government has been aware of electromagnetic leakage since the 1950’s.
The resulting standards are called TEMPEST; partially declassified documents can be found in [13].
The first published papers are work of Quisquater and Samyde [17] and the Gemplus team [8].
Quisquater and Samyde showed that it is possible to measure the electromagnetic radiation from
a smart card. Quisquater also introduced the terms Simple EMA (SEMA) and Differential EMA
(DEMA). The work of Gemplus deals with experiments on three algorithms: DES, RSA and COMP128.
According to Agrawal et al. there are 2 types of emanations: intentional and unintentional [2, 1]. The first type results from direct current flows. The real advantage over other side-channel attacks lies in exploring unintentional emanations [2, 1]. More precisely, EM leakage consists of multiple channels. Therefore, compromising information can be available even for DPA resistant devices which can be detached from the measurement equipment.
Figure 1: Measurement setup
Besides carefully exploring all available EM emanations an attacker can also focus on a combination
of two or more side-channels. Agrawal et al. defined these so-called multi-channel attacks in which
the side-channels are not necessarily of a different kind [3].
Mangard also showed that near-field EM attacks can be conducted even with a simple hand-made
coil in [11]. Besides that he showed that measuring the far-field emissions of a smart card connected
to a power supply unit also suffices to determine the secret key used in the smart card.
Carlier et al. showed that EM side channels from an FPGA implementation of AES can be
effectively used by an attacker to retrieve some secret information in [6].
De Mulder et al. presented a SEMA and a DEMA attack on an FPGA implementation of an
elliptic curve processor in [7].
4 Measurement Setup
The measurement setup consists of the FPGA board with a Xilinx Virtex 800 FPGA presented
in [16], a Tektronix TDS714L oscilloscope, a handmade loop antenna, a function generator and a
power supply. The total power consumption and the electromagnetic radiation of the FPGA were
measured simultaneously while it executes an elliptic curve point multiplication with the key and a
point on the curve.
5 Electromagnetic Model of the FPGA
The following model gives an explanation of why we use a loop antenna and mentions some properties of the measured field which could be taken into account in the prediction phase of an attack. The current in an FPGA flows from the power source to the ground; in this way a loop is formed. At first approximation, the currents in an FPGA form small loops, which is why these currents could be modeled with a magnetic dipole as elementary building block. If the current loop is situated in the xy-plane and if we suppose that the medium where the loop is situated can be thought of as free of loss, which suggests that $\sigma = 0$, then the electrical and magnetic fields are defined by the following equations:
$H_r = \frac{IA}{2\pi} \, jk_g \cos(\theta) \, \frac{e^{-jk_g r}}{r^2} \left(1 + (jk_g r)^{-1}\right)$,
$H_\theta = \frac{IA}{4\pi} \, (k_g^2) \sin(\theta) \, \frac{e^{-jk_g r}}{r} \left(1 + (jk_g r)^{-1} + (jk_g r)^{-2}\right)$,
$E_\phi = \frac{IA}{4\pi} \, k_g^2 Z_c \sin(\theta) \, \frac{e^{-jk_g r}}{r} \left(1 + (jk_g r)^{-1}\right)$,
where $Z_c$ is the characteristic impedance of the medium. In air this equals $120\pi$. $k_g$ is the wavenumber, $A$ is the surface of the loop, $I$ is the current through the loop and $r$ is the distance from the center of the loop until the point where the field is calculated.
Because we are measuring in the near field, only the near-field terms are important; this leaves:
$H_r = \frac{IA}{2\pi} \cos(\theta) \, \frac{e^{-jk_g r}}{r^3}$ (1)
$H_\theta = j \frac{IA}{4\pi} \sin(\theta) \, \frac{e^{-jk_g r}}{r^3}$ (2)
From this we can observe that in the near field, with the assumption of the magnetic dipole as elementary building block, only the magnetic field is important. To fully profit from this knowledge an inductive antenna should be used. We used this kind of antenna to measure the magnetic near field of the FPGA; more specifically, we used a circular loop antenna. They are more used to receive than to transmit, especially when the efficiency of the antenna is not more important than the signal-to-noise-ratio [4].
Our FPGA is divided into several banks, each of which has one or more power pins and ground pins. So, if we use first order modeling we could imagine current flowing from the power pins in 1 bank, through the bank, to the ground pins in the same bank. Figure 2 shows the explanation graphically and Fig. 3 shows the first order model of the current flow in the FPGA.
Figure 2: Area which is fed by one power pin
Figure 3: First order model of the current flow in an FPGA
Equations 1 and 2 show that the size of the current loop in the FPGA, the amplitude of the
current, the direction of the current and the position of the current with respect to the position of the
antenna have an influence on the measured field and hence should be taken into account in an EMA
attack.
6 DEMA Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem over GF (p)
In this section, we conduct a DEMA attack on an FPGA implementation of an elliptic curve processor over GF (p) [14, 15]. The electromagnetic radiation trace of one EC point multiplication is shown in Fig. 4.(a).
The target for our DEMA attack is the second most significant bit (MSB) of the key, $k_{l-2}$, in Algorithm 1. There are two temporary point registers in the design, $Q_1$ and $Q_2$. These temporary points and the output point $Q$ are updated in the following order: $Q = P$, $Q_1 = 2P$, $Q_2 = 3P$,
$Q = \begin{cases} 2P & \text{if } k_{l-2} = 0 \\ 3P & \text{if } k_{l-2} = 1 \end{cases}$, $Q_1 = \begin{cases} 4P & \text{if } k_{l-2} = 0 \\ 6P & \text{if } k_{l-2} = 1 \end{cases}$.
The first step of the DEMA attack is to find the point to measure. The electromagnetic radiation trace of an EC point multiplication is shown in Fig. 4.(a). Our choice for the measurement point is the fifth spike shown on Fig. 4.(a). This spike corresponds to the second update of $Q_1$ after the second EC point doubling.
We have produced an electromagnetic radiation file. For this purpose, we have chosen N random points on the EC and one fixed, but random key, $k$. The FPGA executes N point multiplications such that $Q_i = [k]P_i$ for $i = 1, 2, \cdots, N$. We have measured the electromagnetic radiation of the FPGA during 2400 clock cycles around the second update of $Q_1$. The clock frequency applied to the chip was around 300 kHz and the sampling frequency of the oscilloscope was 250 MHz. With these measurements, we have produced $M_1$, in which $M_1(i)$ is the $i$th measurement. The electromagnetic radiation trace of one of these measurements is shown in Fig. 4.(b).
We have applied a pre-processing technique to reduce the amount of measurement data in every clock cycle. We have found the maximum value of the measurement data in each clock cycle and taken the data in 20 clock cycles around the clock cycles that correspond to the five spikes in Fig. 4.(b). Thus, $M_2$ has 100 columns and N rows. We used the discrete Fourier transform to find the exact clock frequency and the number of samples per clock cycle.
Figure 4: Electromagnetic radiation trace of a 160-bit ECPM over GF (p) with Algorithm 1: (a) complete, (b) around the attack point
[Plot axes: electromagnetic radiation (mV) versus sample; the attack point is marked.]
We have implemented the EC point multiplication with Algorithm 1 in the C programming language. During the execution of the EC point multiplications, the C program computes the number of bits that change from 0 to 1 in some registers at the step corresponding to the fifth spike shown in Fig. 4.(b). The number of transitions is used as the electromagnetic radiation prediction.
We have produced two electromagnetic radiation prediction matrices, $M_3$ and $M_4$, for the $k_{l-2} = 0$ and $k_{l-2} = 1$ guesses, respectively. $M_3$ and $M_4$ have one column for the fifth spike and N rows for the N EC points.
We use the prediction matrices $M_3$ (for $k_{l-2} = 0$ guess) and $M_4$ (for $k_{l-2} = 1$ guess) in order to split the measurements in $M_2$ into sets. For each guess, we divide the N measurements into two sets. First we calculate the mean value of the prediction matrix $M_3$, $E(M_3)$. Measurement by measurement, we check if the predicted value is lower than the average value. If so, we put the measurement in set $S_{1,1}$, otherwise in set $S_{1,2}$. Then we calculate the mean value for each of the two sets and calculate the bias signal as $T_1 = E(S_{1,2}) - E(S_{1,1})$. We do the same for the prediction matrix $M_4$; the sets are now called $S_{2,1}$ and $S_{2,2}$ and the bias signal is $T_2$. The current consumption bias signals for the $k_{l-2} = 0$ and $k_{l-2} = 1$ guesses are shown in Fig. 5. The figure shows a high peak on the expected spot on the trace for the $k_{l-2} = 1$ guess. Hence the decision for the right key-bit is equal to 1.
Figure 6 shows the change in the amplitude of all the clock cycles of the current consumption bias signals for the $k_{l-2} = 1$ guess. The number of measurements on these traces is the number of measurements in the sets $S_{2,1}$, $S_{2,2}$ described above. The numbers of measurements in these sets are nearly the same. Hence we should multiply the number of measurements seen in Fig. 6 by two in order to find the needed number of measurements. As shown in Fig. 6, 2000 measurements are needed to distinguish the right clock cycle from the wrong ones.
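The distance of mean test of Section 2.2.1, in the form used in this section (split the rows of $M_2$ by whether the predicted transition count is below its mean, then take $T = E(S_{g,2}) - E(S_{g,1})$ for each guess), run on simulated data as an added example; it is not the authors' C program or measurement code. Assumptions not taken from the paper: a toy 31-bit curve in affine coordinates, a single leaking clock cycle `LEAK`, linear leakage `GAIN` and Gaussian noise `NOISE_SD`; all traces are constructed.

```python
import random

# Toy curve y^2 = x^3 + A*x + B over GF(P_MOD). Constructed parameters:
# a 31-bit prime with P_MOD % 4 == 3, not the paper's 160-bit field.
P_MOD, A, B = 2**31 - 1, 3, 7
CYCLES, LEAK = 100, 42      # 100 columns as in M2; the leaking column is assumed
GAIN, NOISE_SD = 1.0, 5.0   # assumed linear leakage and Gaussian noise level

def inv(v):
    """Modular inverse in GF(P_MOD) via Fermat's little theorem."""
    return pow(v % P_MOD, P_MOD - 2, P_MOD)

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity O."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def random_point(rng):
    """Pick x until x^3 + A*x + B is a nonzero square, then take its root."""
    while True:
        x = rng.randrange(P_MOD)
        rhs = (x**3 + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
        if y and y * y % P_MOD == rhs:
            return x, y

def predict(point, guess):
    """0->1 bit transitions in Q1 at its second update, for key-bit guess."""
    old = ec_add(point, point)                      # Q1 = 2P
    q = old if guess == 0 else ec_add(old, point)   # Q = 2P or 3P
    new = ec_add(q, q)                              # Q1 = 4P or 6P
    (ox, oy), (nx, ny) = old or (0, 0), new or (0, 0)
    return bin(~ox & nx).count("1") + bin(~oy & ny).count("1")

def bias_signal(traces, pred):
    """T = E(S_g2) - E(S_g1); S_g1 holds rows predicted below the mean."""
    mean = sum(pred) / len(pred)
    lo = [t for t, v in zip(traces, pred) if v < mean]
    hi = [t for t, v in zip(traces, pred) if v >= mean]
    return [sum(t[j] for t in hi) / len(hi) - sum(t[j] for t in lo) / len(lo)
            for j in range(CYCLES)]

def recover_bit(true_bit, n=2000, seed=1):
    """Simulate n traces leaking for true_bit, then score both guesses."""
    rng = random.Random(seed)
    points = [random_point(rng) for _ in range(n)]
    m2 = []                                         # constructed measurements
    for pt in points:
        row = [rng.gauss(0.0, NOISE_SD) for _ in range(CYCLES)]
        row[LEAK] += GAIN * predict(pt, true_bit)
        m2.append(row)
    peaks = {}
    for guess in (0, 1):                            # plays the role of M3, M4
        t = bias_signal(m2, [predict(pt, guess) for pt in points])
        cycle = max(range(CYCLES), key=lambda j: abs(t[j]))
        peaks[guess] = (abs(t[cycle]), cycle)
    best = max(peaks, key=lambda g: peaks[g][0])
    return best, peaks[best][1], peaks

if __name__ == "__main__":
    print(recover_bit(true_bit=1))
```

In this simulation the wrong guess also produces a smaller peak at the leaking cycle, because both predictions depend on the same old register value 2P.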
Figure 5: Electromagnetic radiation bias signals for the $k_{l-2} = 0$ and $k_{l-2} = 1$ guesses
[Plot axes: bias signal (mV) versus clock cycle; one curve per key-bit guess.]
Figure 6: Change in the amplitude of the electromagnetic radiation bias signal for the $k_{l-2} = 1$ guess and all clock cycles
[Plot axes: bias signal (mV) versus number of measurements; the clock cycle for the 5th spike is marked.]
References

A method for obtaining digital signatures and public-key cryptosystems (journal article)
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.

Antenna Theory: Analysis and Design (book)
TL;DR: The most up-to-date resource available on antenna theory and design as mentioned in this paper provides an extended coverage of ABET design procedures and equations making meeting ABET requirements easy and preparing readers for authentic situations in industry.

Differential Power Analysis (book chapter)
TL;DR: In this paper, the authors examine specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. And they also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.

Elliptic curve cryptosystems (journal article)
TL;DR: The question of primitive points on an elliptic curve modulo p is discussed, and a theorem on nonsmoothness of the order of the cyclic subgroup generated by a global point is given.

Use of Elliptic Curves in Cryptography (book chapter)
TL;DR: In this paper, an analogue of the Diffie-Hellmann key exchange protocol was proposed, which appears to be immune from attacks of the style of Western, Miller, and Adleman.
Frequently Asked Questions (10)
Q1. What have the authors contributed in "Differential electromagnetic attack on an fpga implementation of elliptic curve cryptosystems" ?

This paper describes a differential electromagnetic analysis attack performed on a hardware implementation of an elliptic curve cryptosystem. The authors describe the use of the distance of mean test. The authors can find the right key-bit by using only 2000 measurements. 

In the future this model should be refined and checked with real measurements. 
