
Analyzing Side-Channel Leakage of RFID-Suitable Lightweight ECC Hardware

  • Conference paper
Radio Frequency Identification (RFIDSec 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8262)

Abstract

Using RFID tags for security-critical applications requires the integration of cryptographic primitives, e.g., Elliptic Curve Cryptography (ECC). It is especially important to consider that, because of their fields of application, RFID tags are easily accessible for practical side-channel attacks. In this paper, we investigate a practical attack scenario on a randomized ECC hardware implementation suitable for RFID tags. This implementation uses a Montgomery Ladder, Randomized Projective Coordinates (RPC), and a digit-serial hardware multiplier. By using different analysis techniques, we are able to recover the secret scalar from a single power trace. One attack correlates two consecutive Montgomery ladder rounds, while another attack directly recovers intermediate operands processed within the digit-serial multiplier. All attacks are verified using a simulated ASIC model and an FPGA implementation.


Notes

  1. Note that we are aware of fault attacks, but those types of attacks are not the subject of this paper.

  2. For high-performance ECC implementations those registers are necessary in order to achieve the desired timings.

  3. Note that this might be possible using more advanced power models.

References

  1. Aigner, H., Bock, H., Hütter, M., Wolkerstorfer, J.: A low-cost ECC coprocessor for smartcards. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 107–118. Springer, Heidelberg (2004)

  2. Akishita, T., Takagi, T.: Power analysis to ECC using differential power between multiplication and squaring. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006. LNCS, vol. 3928, pp. 151–164. Springer, Heidelberg (2006)

  3. Amiel, F., Feix, B., Tunstall, M., Whelan, C., Marnane, W.P.: Distinguishing multiplications from squaring operations. In: Avanzi, R., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 346–360. Springer, Heidelberg (2009)

  4. Batina, L., Mentens, N., Örs, S.B., Preneel, B.: Serial multiplier architectures over GF(\(2^n\)) for elliptic curve cryptosystems. In: IEEE Mediterranean Electrotechnical Conference - MELECON 2004, May 2004, pp. 779–782. IEEE (2004)

  5. Batina, L., Mentens, N., Sakiyama, K., Preneel, B., Verbauwhede, I.: Low-cost elliptic curve cryptography for wireless sensor networks. In: Buttyán, L., Gligor, V., Westhoff, D. (eds.) ESAS 2006. LNCS, vol. 4357, pp. 6–17. Springer, Heidelberg (2006)

  6. Bock, H., Braun, M., Dichtl, M., Hess, E., Heyszl, J., Kargl, W., Koroschetz, H., Meyer, B., Seuschek, H.: A milestone towards RFID products offering asymmetric authentication based on elliptic curve cryptography. Invited talk at RFIDsec 2008, July 2008

  7. Brumley, D., Boneh, D.: Remote timing attacks are practical. Comput. Netw. 48(5), 701–716 (2005)

  8. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010)

  9. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, C.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)

  10. Dhem, J.-F., Kœune, F., Leroux, P.-A., Mestré, P., Quisquater, J.-J., Willems, J.-L.: A practical implementation of the timing attack. In: Quisquater, J.-J., Schneier, B. (eds.) CARDIS 2000. LNCS, vol. 1820, pp. 167–182. Springer, Heidelberg (2000)

  11. Eberle, H., Gura, N., Shantz, S.C., Gupta, V.: A cryptographic processor for arbitrary elliptic curves over GF(\(2^m\)). In: Deprettere, E., Bhattacharyya, S., Cavallaro, J., Darte, A., Thiele, L. (eds.) Application-Specific Systems, Architectures, and Processors - ASAP 2003, pp. 444–454, June 2003

  12. Fürbass, F., Wolkerstorfer, J.: ECC processor with low die size for RFID applications. In: Proceedings of 2007 IEEE International Symposium on Circuits and Systems, May 2007. IEEE (2007)

  13. Gebotys, C.H., Gebotys, R.J.: Secure elliptic curve implementations: an analysis of resistance to power-attacks in a DSP processor. In: Kaliski Jr, B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 114–128. Springer, Heidelberg (2003)

  14. Großschädl, J.: A bit-serial unified multiplier architecture for finite fields GF(\(p\)) and GF(\(2^m\)). In: Koç, C.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 202–219. Springer, Heidelberg (2001)

  15. Hankerson, D., Menezes, A.J., Vanstone, S.: Guide to elliptic curve cryptography. Springer, Heidelberg (2004)

  16. Hartigan, J.A., Wong, M.A.: Algorithm AS 136: A K-Means Clustering Algorithm. Appl. Stat. 28(1), 100–108. Blackwell Publishing for the Royal Statistical Society, London (1979)

  17. Herbst, C., Medwed, M.: Using templates to attack masked Montgomery ladder implementations of modular exponentiation. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 1–13. Springer, Heidelberg (2009)

  18. Homma, N., Miyamoto, A., Aoki, T., Satoh, A., Shamir, A.: Comparative power analysis of modular exponentiation algorithms. IEEE Trans. Comput. 59(6), 795–807 (2010)

  19. Kirschbaum, M., Popp, T.: Evaluation of power estimation methods based on logic simulations. In: Posch, K.C., Wolkerstorfer, J. (eds.) Proceedings of Austrochip 2007, 11 October 2007, Graz, Austria, pp. 45–51. Verlag der Technischen Universität Graz, Graz (2007). ISBN 978-3-902465-87-0

  20. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)

  21. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

  22. Kumar, S.S., Paar, C.: Are standards compliant elliptic curve cryptosystems feasible on RFID? In: Workshop on RFID Security - RFIDSec 2006 (2006)

  23. Lee, Y.K., Sakiyama, K., Batina, L., Verbauwhede, I.: Elliptic-curve-based security processor for RFID. IEEE Trans. Comput. 57(11), 1514–1527 (2008)

  24. López, J., Dahab, R.: Fast multiplication on elliptic curves over GF(\(2^m\)) without precomputation. In: Koç, C.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 316–327. Springer, Heidelberg (1999)

  25. Mangard, S., Oswald, E.: Power analysis attacks - revealing the secrets of smart cards. Springer, Heidelberg (2007). ISBN 978-0-387-30857-9

  26. Medwed, M., Oswald, E.: Template attacks on ECDSA. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 14–27. Springer, Heidelberg (2009)

  27. Möller, B.: Securing elliptic curve point multiplication against side-channel attacks. In: Davida, G.I., Frankel, Y. (eds.) ISC 2001. LNCS, vol. 2200, pp. 324–334. Springer, Heidelberg (2001)

  28. National Institute of Standards and Technology (NIST). FIPS-186-3: Digital Signature Standard (DSS). http://www.itl.nist.gov/fipspubs/ (2009)

  29. NXP. JCOP 41 V2.3.1 Java Card (2007)

  30. Orlando, G., Paar, C.: A high-performance reconfigurable elliptic curve processor for GF(\(2^m\)). In: Koç, C.K., Paar, C. (eds.) CHES 2000. LNCS, vol. 1965, pp. 41–56. Springer, Heidelberg (2000)

  31. Örs, S.B., Oswald, E., Preneel, B.: Power-analysis attacks on an FPGA – first experimental results. In: Walter, C.D., Koç, C.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 35–50. Springer, Heidelberg (2003)

  32. Oswald, E.: Enhancing simple power-analysis attacks on elliptic curve cryptosystems. In: Kaliski Jr, B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 82–97. Springer, Heidelberg (2003)

  33. Öztürk, E., Sunar, B., Savas, E.: Low-power elliptic curve cryptography using scaled modular arithmetic. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 92–106. Springer, Heidelberg (2004)

  34. Pan, W., Marnane, W.P.: A correlation power analysis attack against Tate pairing on FPGA. In: Koch, A., Krishnamurthy, R., McAllister, J., Woods, R., El-Ghazawi, T. (eds.) ARC 2011. LNCS, vol. 6578, pp. 340–349. Springer, Heidelberg (2011)

  35. Side-channel attack standard evaluation board. The SASEBO Website. http://staff.aist.go.jp/akashi.satoh/SASEBO/en/index.html

  36. Walter, C.D.: Sliding windows succumbs to Big Mac attack. In: Koç, C.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 286–299. Springer, Heidelberg (2001)

  37. Walter, C.D.: Simple power analysis of unified code for ECC double and add. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 191–204. Springer, Heidelberg (2004)

  38. Witteman, M.F., van Woudenberg, J.G.J., Menarini, F.: Defeating RSA multiply-always and message blinding countermeasures. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 77–88. Springer, Heidelberg (2011)

  39. Wolkerstorfer, J.: Is elliptic-curve cryptography suitable for small devices? In: Workshop on RFID and Lightweight Crypto, 13–15 July 2005, Graz, Austria, pp. 78–91 (2005)


Acknowledgments

The research described in this paper has been supported, in parts, by the European Commission through the ICT Program under contract ICT-SEC-2009-5-258754 TAMPRES, and by the Austrian Research Promotion Agency (FFG) and the Styrian Business Promotion Agency (SFG) under grant number 836628 (SeCoS).


Corresponding authors

Correspondence to Erich Wenger or Thomas Korak.


Appendix A: Used Double-And-Add Formula

In this paper we used a slight modification of the Montgomery Ladder by López and Dahab. Algorithm 1 shows three iterations of the double-and-add algorithm we used, for three consecutive key bits. The modification of the original formula is in line 6, where we swapped the order of \(x\) and \(Z_1\), which is allowed by the commutativity of multiplication. During the first two iterations (left and middle column) an identical key bit is handled, so a correlation occurs only when the constant \(c\) is used. During the second and third iteration, in which the key bit differs, \(Z_1\) is used multiple times. Consequently, three easily distinguishable peaks occur in Fig. 4: a correlation of \(c\) and of \(Z_1\) can be observed.

[Algorithm 1: shown as a figure on the original page]
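As an added example (not the paper's or the authors' code), a López–Dahab x-only Montgomery ladder with Randomized Projective Coordinates, the construction the paper analyses, on a constructed toy curve over GF(2^8): every field multiplication inside the ladder loop is logged, which is the operand stream a digit-serial multiplier would process, and the count per iteration is the same for either key-bit value, so the ladder is regular and the leakage the paper exploits has to come from the operand values rather than from the operation sequence. Assumptions: \(c\) is taken to be \(\sqrt{b}\) as in López and Dahab's doubling step, and since Algorithm 1's exact operation order is not on this page, only the multiplication \(Z_1 \cdot x\) from line 6 is mirrored.

```python
# Added example, not the paper's code: Lopez-Dahab x-only Montgomery ladder with
# Randomized Projective Coordinates (RPC) on a constructed toy curve over GF(2^8).
# Every multiplication the ladder issues is logged: the operand stream a digit-serial multiplier sees.
POLY, B = 0x11B, 0x2D            # constructed: reduction polynomial x^8+x^4+x^3+x+1, curve parameter b
MUL_LOG = []                     # (iteration, u, v) for every multiplication issued inside the ladder loop

def gf_mul(u, v, it=None):       # carry-less multiply in GF(2^8), reduced mod POLY
    if it is not None:
        MUL_LOG.append((it, u, v))
    r = 0
    while v:
        r ^= u if v & 1 else 0
        v, u = v >> 1, u << 1
        u ^= POLY if u & 0x100 else 0
    return r

def gf_pow2(u, n):               # u^(2^n) by n squarings
    for _ in range(n): u = gf_mul(u, u)
    return u

def gf_inv(u):                   # u^(2^8 - 2) = u^2 * u^4 * ... * u^128 (gf_inv(0) is 0)
    r = 1
    for n in range(1, 8): r = gf_mul(r, gf_pow2(u, n))
    return r

C = gf_pow2(B, 7)                # c = sqrt(b): squaring is a bijection in GF(2^8), so c^2 == b
def ladder(k, x, r=1):           # x(k*P) from x(P) alone, k >= 2; r is the RPC blinding factor
    del MUL_LOG[:]
    X1, Z1 = gf_mul(x, r), r                                        # P1 = P
    X2, Z2 = gf_mul(gf_pow2(x, 2) ^ B, r), gf_mul(gf_mul(x, x), r)  # P2 = 2P = (x^4 + b : x^2)
    for i, bit in enumerate(bin(k)[3:]):                            # leading 1 consumed by the init
        if bit == '0':                                              # identical code path for both bit values
            X1, Z1, X2, Z2 = X2, Z2, X1, Z1
        T, U = gf_mul(X1, Z2, i), gf_mul(Z1, X2, i)                 # Madd: P1 <- P1 + P2, using P2 - P1 = P
        Z1 = gf_mul(T ^ U, T ^ U, i)
        X1 = gf_mul(Z1, x, i) ^ gf_mul(T, U, i)                     # Z1 before x, as the appendix describes
        Xs, Zs = gf_mul(X2, X2, i), gf_mul(Z2, Z2, i)               # Mdouble: P2 <- 2 P2
        T = gf_mul(Zs, C, i)                                        # the constant c enters here
        X2, Z2 = gf_mul(Xs, Xs, i) ^ gf_mul(T, T, i), gf_mul(Xs, Zs, i)
        if bit == '0':
            X1, Z1, X2, Z2 = X2, Z2, X1, Z1
    return gf_mul(X1, gf_inv(Z1))

def mults_in(i):                 # multiplications issued during iteration i: 11 for either key bit
    return sum(1 for t in MUL_LOG if t[0] == i)
def x_double(x):                 # affine x(2P) = x^2 + b / x^2, a check independent of the ladder
    x2 = gf_mul(x, x)
    return x2 ^ gf_mul(B, gf_inv(x2))
```

Changing the blinding factor r leaves the result unchanged but changes every logged operand, which is exactly why RPC defeats vertical DPA across traces while a single-trace analysis of operand reuse, as the paper performs, is unaffected.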


Copyright information

© 2013 Springer-Verlag Berlin Heidelberg


Cite this paper

Wenger, E., Korak, T., Kirschbaum, M. (2013). Analyzing Side-Channel Leakage of RFID-Suitable Lightweight ECC Hardware. In: Hutter, M., Schmidt, J.-M. (eds) Radio Frequency Identification. RFIDSec 2013. Lecture Notes in Computer Science, vol 8262. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41332-2_9


  • DOI: https://doi.org/10.1007/978-3-642-41332-2_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41331-5

  • Online ISBN: 978-3-642-41332-2

  • eBook Packages: Computer Science (R0)
