Analyzing Side-Channel Leakage of RFID-Suitable Lightweight ECC Hardware

Using RFID tags for security-critical applications requires the integration of cryptographic primitives, e.g., Elliptic Curve Cryptography (ECC). It is especially important to consider that, due to their fields of application, RFID tags are easily accessible for practical side-channel attacks. In this paper, we investigate a practical attack scenario on a randomized ECC hardware implementation suitable for RFID tags. This implementation uses a Montgomery ladder, Randomized Projective Coordinates (RPC), and a digit-serial hardware multiplier. By using different analysis techniques, we are able to recover the secret scalar while using only a single power trace. One attack correlates two consecutive Montgomery ladder rounds, while another attack directly recovers intermediate operands processed within the digit-serial multiplier. All attacks are verified using a simulated ASIC model and an FPGA implementation.
