electromagnetic techniques and probes for side-channel … · side-channel analysis has become an...

Arenberg Doctoral School of Science, Engineering & Technology

Faculty of Engineering

Department of Electrical Engineering (ESAT)

Electromagnetic Techniques and Probesfor Side-Channel Analysis

on Cryptographic Devices

Elke De Mulder

Dissertation presented in partialfulfillment of the requirements forthe degree of Doctorin Electrical Engineering

November 24, 2010

Electromagnetic Techniques and Probesfor Side-Channel Analysis

on Cryptographic Devices

Elke De Mulder

Jury:Prof. Dr. Ir. Yves Willems, chairmanProf. Dr. Ir. Bart Preneel, promotorProf. Dr. Ir. Ingrid Verbauwhede, promotorProf. Dr. Ir. Joos Vandewalle Dissertation presented in partialProf. Dr. Ir. Guy Vandenbosch fulfillment of the requirements forProf. Dr. Ir. Dirk Stroobandt the degree of DoctorAss. Prof. Dr. Lejla Batina in Electrical Engineering

November 24, 2010

© Katholieke Universiteit Leuven – Faculty of EngineeringKasteelpark Arenberg 10, B-3001 Leuven (Belgium)

Alle rechten voorbehouden. Niets uit deze uitgave mag worden vermenigvuldigden/of openbaar gemaakt worden door middel van druk, fotocopie, microfilm,elektronisch of op welke andere wijze ook zonder voorafgaande schriftelijketoestemming van de uitgever.

All rights reserved. No part of the publication may be reproduced in any form byprint, photoprint, microfilm or any other means without written permission fromthe publisher.

Legal depot number D/2010/7515/120ISBN number 978-94-6018-281-5

The first sentence is always the most difficult one.

Acknowledgements

Writing a word of thanks usually ends up in a lengthy enumeration of names. Outof courtesy or in an attempt to be exhaustive.

To me, it has turned out to be a time to reflect on all the things that will stick inmy mind about the people whom I have relied upon and who were there for me invarious manners. Despite the fact that eloquence and clarity are not my greatestassets, I have decided to give it a fair try and simply say:

Thank you. This was a wonderful experience. . .

Elke De MulderLeuven, November 2010

iii

iv

I would like to acknowledge the K.U.Leuven and the Institute for the Promotion ofInnovation by Science and Technology in Flanders (IWT), for funding my researchwork and prof. Ingrid Verbauwhede and prof. Bart Preneel for giving me theopportunity to make this Ph.D.

Samenvatting

Nevenkanaalsanalyse is sinds de publicatie van “Timing Attacks on Implementa-tions of Diffie-Hellman, RSA, DSS, and Other Systems” door Kocher in 1996 eenbelangrijk onderzoeksgebied binnen de cryptanalyse. Sinds dan was niet enkel demathematische veiligheid van een cryptografisch systeem van belang, maar ook deveiligheid van de implementatie zelf werd een belangrijk aandachtspunt.

Een van deze zogenaamde nevenkanalen is de elektromagnetische emissie afkomstigvan de varierende stromen in een cryptografische chip. Ondanks het verhoogdaantal vrijheidsgraden bij het opmeten van de elektromagnetische emissie, bezitdit nevenkanaal een aantal eigenschappen dat het interessanter maakt dan hettraditionele vermogensnevenkanaal. Ondermeer de mogelijkheid om contactlozemetingen te doen en het verwerven van zeer lokale emissie-informatie, maken hettot een interessant onderzoeksonderwerp.

Deze thesis behandelt een groot aantal aspecten van de elektromagnetischenevenkanaalsanalyse.

In eerste instantie bekijken we de haalbaarheid van het gebruiken van deelektromagnetische straling voor nevenkanaalsanalyse op FPGA-gebaseerde cryp-tografische toestellen en een aantal signaalverwerkingstechnieken om de ruwemetingen interpreteerbaar te maken. We wijzen er ook op dat er manieren bestaanom deze interpretatie op een consistente manier te laten gebeuren.

Naast de verwerkingskant van de elektromagnetische straling als nevenkanaal,gaan we ook dieper in op de meetprobes die hiervoor kunnen gebruikt worden.We bekijken een aantal eigenschappen waaraan deze probes moeten voldoen aande hand van specifieke gevalstudies. Op deze manier geven we aan dat ook ditaspect een grote impact heeft op de effectiviteit van de analyse.

Als laatste deelprobleem bekijken en bespreken we een aantal tegenmaatregelen.Hier focussen we niet enkel op het elektromagnetische nevenkanaal, maar kijkenwe ook, en vooral, naar vermogensmetingen. De elektromagnetische emissiebevat immers minstens alle informatie die in het vermogen terug te vinden

v

vi

is en bescherming tegen vermogensanalyse is een vereiste om bescherming tebieden tegen elektromagnetische analyse. Bovendien moeten implementatiesbeschermd zijn tegen het totaalpakket aan nevenkanaalsanalyses en niet enkeltegen elektromagnetische analyse.

Summary

Side-channel analysis has become an important research area since the publicationof “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and OtherSystems” by Kocher in 1996. From then on, one realized that not only themathematical security of a cryptographic algorithm had to be ensured, but alsothe security of the implementation itself.

The electromagnetic side-channel, which originates from the varying currentsinside the implementation, is the side-channel studied in this thesis. Althoughthere are an increased number of degrees of freedom to measure the electromagneticemission, the side-channel possesses certain properties that turn it into one that ismore interesting than the traditional power consumption measurements. Amongthose properties, the ability to measure locally and in a contactless way make itvery appealing for further research.

This doctoral thesis treats a large number of aspects in the domain of electromag-netic analysis.

Firstly, the feasibility of using electromagnetic measurements to perform side-channel attacks on FPGA implementations and a number of signal processingtechniques to interpret the raw measurements, are studied. We also point out thatthere exist methods to ensure consistent interpretation of the results.

Besides the signal processing side of electromagnetic analysis, we examine amore practical aspect as well. The measurement setup has a big impact onthe effectiveness of the analysis and the measurement probe is one of the mostimportant pieces of this setup. Therefore, we study a number of properties thatdefine a probe’s suitability for electromagnetic analysis by means of case studies.

Finally, we take a look at countermeasures. We do not focus solely on theelectromagnetic side-channel, but also and even mostly on the power consumption.Indeed, protection measures against power analysis are a subset of those againstelectromagnetic analysis.

vii

Contents

Contents ix

List of Acronyms and Symbols xiii

List of Figures xxi

List of Tables xxvii

1 Introduction 1

1.1 Cryptography and Attack Models . . . . . . . . . . . . . . . . . . . 2

1.2 Implementation Attacks . . . . . . . . . . . . . . . . . . . . . . . . 5

1.3 Side-channel Analysis in More Detail . . . . . . . . . . . . . . . . . 8

1.4 Thesis Organization and Contributions . . . . . . . . . . . . . . . . 10

2 Electromagnetic Analysis 13

2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.2 DEMA/DPA Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2.3 The Distinguishers . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

2.3.1 Distance of Means . . . . . . . . . . . . . . . . . . . . . . . 15

2.3.2 T-test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

2.3.3 Variance Test . . . . . . . . . . . . . . . . . . . . . . . . . . 16

2.3.4 Pearson Correlation . . . . . . . . . . . . . . . . . . . . . . 17

ix

x CONTENTS

2.3.5 Spearman’s Rank Correlation . . . . . . . . . . . . . . . . . 17

2.4 The Electromagnetic Side-Channel . . . . . . . . . . . . . . . . . . 17

2.4.1 Vector Calculus. . . . . . . . . . . . . . . . . . . . . . . . . 18

2.4.2 Maxwell’s Equations . . . . . . . . . . . . . . . . . . . . . . 19

2.4.3 Properties of Electromagnetic Emissions/Fields . . . . . . . 21

2.4.4 The Circuit as an Antenna . . . . . . . . . . . . . . . . . . 29

2.5 The History of Electromagnetic Analysis . . . . . . . . . . . . . . . 30

2.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

3 Electromagnetic Analysis of Elliptic Curve Cryptography Implementa-tions 37

3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.2 Mathematical Background for Elliptic Curves over GF(p) . . . . . 38

3.3 The ECC Implementation . . . . . . . . . . . . . . . . . . . . . . . 40

3.4 Measurement Setup . . . . . . . . . . . . . . . . . . . . . . . . . . 41

3.5 Simple Electromagnetic Analysis . . . . . . . . . . . . . . . . . . . 41

3.6 Differential Power and Electromagnetic Analysis Attacks . . . . . . 42

3.6.1 Pearson Correlation Analysis . . . . . . . . . . . . . . . . . 44

3.6.2 Difference of Mean Test . . . . . . . . . . . . . . . . . . . . 47

3.7 Comparison of the EMA Attack with Contemporary EMA Attackson FPGAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

3.8 Comparison of Distinguishers . . . . . . . . . . . . . . . . . . . . . 51

3.8.1 DES Architecture, Measurement Setup and Measurements . 51

3.8.2 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

3.8.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

3.9 A Survey on Implementation Attacks on ECC . . . . . . . . . . . . 54

3.9.1 Passive Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 56

3.9.2 Fault Attacks and Countermeasures . . . . . . . . . . . . . 61

3.9.3 Selection of Countermeasures . . . . . . . . . . . . . . . . . 66

CONTENTS xi

3.10 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

4 The Measurement Probes 73

4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

4.2 Overview of Probes in the Literature . . . . . . . . . . . . . . . . . 74

4.2.1 Near-Field Probes . . . . . . . . . . . . . . . . . . . . . . . 74

4.2.2 Far-Field Antennas . . . . . . . . . . . . . . . . . . . . . . . 76

4.3 Specifications for a Near-Field EM Sensor . . . . . . . . . . . . . . 77

4.4 Magnetic or Electric Fields . . . . . . . . . . . . . . . . . . . . . . 79

4.5 Balanced versus Unbalanced . . . . . . . . . . . . . . . . . . . . . . 80

4.6 Matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

4.7 Case Study: Matching Shielded Magnetic Probes . . . . . . . . . . 84

4.7.1 Working Principle of Shielded Loops . . . . . . . . . . . . . 85

4.7.2 Different Type of Loops . . . . . . . . . . . . . . . . . . . . 86

4.7.3 Measurement Setup for the Matching Behavior . . . . . . . 88

4.7.4 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

4.7.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

4.8 Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

4.9 Bandwidth and Frequency Behavior . . . . . . . . . . . . . . . . . 94

4.10 Case Study: Resolution of Unshielded Loops as a Function of theBandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

4.10.1 Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

4.10.2 Maximal Resolution . . . . . . . . . . . . . . . . . . . . . . 99

4.10.3 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

4.11 Current Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . 107

4.12 Case Study: Dependence of RFID Reader Antenna Design on Read-Out Distance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

4.12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 107

4.12.2 Loop Design . . . . . . . . . . . . . . . . . . . . . . . . . . 108

xii List of Acronyms and Symbols

4.12.3 Power Source and Current Enhancement . . . . . . . . . . . 116

4.12.4 Design Flowchart . . . . . . . . . . . . . . . . . . . . . . . . 119

4.12.5 Validation and Conclusions . . . . . . . . . . . . . . . . . . 121

4.13 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

5 Countermeasures 125

5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

5.2 Side-Channel Resistant System-Level Design Flow for Public-KeyCryptography with GEZEL . . . . . . . . . . . . . . . . . . . . . . 127

5.2.1 A Secure Design Flow . . . . . . . . . . . . . . . . . . . . . 127

5.2.2 ECC Operations over GF(p) . . . . . . . . . . . . . . . . . 130

5.2.3 System Architecture . . . . . . . . . . . . . . . . . . . . . . 131

5.2.4 Verification of Side-Channel Resistance: Experimental Results132

5.3 A Practical Attack on an MDPL Implementation on an ASIC . . . 136

5.3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 136

5.3.2 MDPL and Known Weaknesses . . . . . . . . . . . . . . . . 137

5.3.3 Measurement Setup and Measurements . . . . . . . . . . . 138

5.3.4 Experiments and Results I: Warming Up . . . . . . . . . . 140

5.3.5 Experiments and Results II: Real Stuff . . . . . . . . . . . . 142

5.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

6 Conclusions and Future Work 151

6.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

6.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Bibliography 155

List of Publications 171

List of Acronyms and Symbols

Acronyms

AES Advanced Encryption Standard

AM Amplitude Modulation

BNC Bayonet Neill Concelman connector

CMOS Complementary Metal-Oxide-Semiconductor

DC Direct Current

DEMA Differential Electromagnetic Analysis

DES Data Encryption Standard

DFT Discrete Fourier Transform

DoM Distance of Means

DPA Differential Power Analysis

EC Elliptic Curve

ECC Elliptic Curve Cryptography

ECPM Elliptic Curve Point Multiplication

ECSM Elliptic Curve Scalar Multiplication

EM Electromagnetic

EMC Electromagnetic Compatibility

EMI Electromagnetic Interference

FDTC Fault Diagnosis and Tolerance in Cryptography

xiii

xiv List of Acronyms and Symbols

FM Frequency Modulated

FPGA Field-Programmable Gate Array

IC Integrated Circuit

ISO International Organisation for Standardization

MALU Modular Arithmetic Logic Unit

MDPL Masked Dual-Rail Pre-Charge Logic

MOSFET Metal-Oxide-Semiconductor Field Effect Transistor

NMOS n-type MOSFET

PCB Printed Circuit Board

PCD Proximity Coupling Device

PICC Proximity IC Card

PKC Public-Key Cryptography

PMOS p-type MOSFET

PRNG Pseudo-Random Number Generator

RFID Radio Frequency Identification

RSA Rivest-Shamir-Adleman Algorithm

RSL Random Switching Logic

RTF Reader Talks First

RTL Register Transfer Level

sCMOS standard CMOS

SEMA Simple Electromagnetic Analysis

SKC Secret-Key Cryptography

SPA Simple Power Analysis

TCPC Toggle Count Per Cycle

UHF Ultra High Frequency

VHF Very High Frequency

VNA Vector Network Analyzer

List of Acronyms and Symbols xv

WDDL Wave Dynamic Differential Logic

Symbols

(−→e r, −→e θ, −→

e φ) Basis of the (r, θ, φ) coordinate system

(r, θ, φ) Spherical coordinate system

(x, y, z) Cartesian coordinate system

ǫ Electric permittivity of a medium in [F/m]

ǫ0 Electric permittivity of free space in [F/m], equal to8.854187817× 10−12

ǫr Relative electric permittivity of a medium ǫr = ǫǫ0

λ Wavelength in [m]

λH Wavelength derived from fH in [m]

λL Wavelength derived from fL in [m]

O Point at infinity on an elliptic curve

µ Permeability in [H/m]

µ0 Permeability of free space in [H/m] or [N/2A], equal to4π × 10−7N/2A

∇· Divergence operator

∇× Curl operator

ν Speed in [m/s]

ω Angular frequency in [rad/s]

ωH Angular frequency derived from fH in [rad/s]

ωL Angular frequency derived from fL in [rad/s]

−→B Magnetic field in [T]

−→D Electric flux density expressed in [C/m2]

−→E Electric field in [V/m]

−→H Magnetic field intensity in [A/m]

−→Jf Free electric current density in [A/m2]

xvi List of Acronyms and Symbols

Φ Ensemble of the set of values to which leakage predictionsmap

φB Magnetic flux in [Wb]

ρ Pearson’s correlation coefficient

ρf Free electric charge density in [C/m3]

σ Electrical conductivity in [S/m]

τ Time complexity

−→

J Current in [A/m]

i = (im, . . . , i0) Plaintext vector

k, k′ Cryptographic key

L′ = (L′t′ , . . . , L′0) Characteristics of the extended powers of a white-boxattacker

Lk,i Prediction for input pi and a key guess k

L = (Lr, . . . , L0) Physical characteristics of the implementation

o = (op, . . . , o0) Ciphertext vector

S′ = (S′r′ , . . . , S0) Parameters of the extended powers of a white-box attacker

S = (Sr, . . . , S0) External parameters influencing the leakage

A Area in [m2]

c Speed of light, equal to 2.998x108 m/s

Ctt Turn-to-turn capacitance in a loop with multiple turns in[pF]

Cp Parallel capacitor in [F]

Cs Series capacitor in [F]

Cload Load capacitance in [F]

Cmut Mutual capacitor in [F]

cov (x) Empirical covariance of x

D Decryption algorithm, only in Chapter 1

D Diameter in [m]

List of Acronyms and Symbols xvii

d Distance between the centers of two wires in [mm]

E Encryption algorithm

f Frequency in [Hz]

fH Upper bound of a frequency interval in [Hz]

fL Lower bound of a frequency interval in [Hz]

fres Resonance frequency in [Hz]

GF (p) Galois Field with characteristic p

Hz z component of the magnetic field in [A/m]

I0 Current amplitude in [A]

Il Current through a loop in [A]

Idp Direct path current in [A]

Ileak Leakage current in [A]

IVDD Load current in [A]

k In electromagnetic wave equations: wavenumber in [/m]

Lt Inductance of one turn of a loop with multiple turns Lt =N × Lt,N=1 in [µH]

L1,N=1 Inductance of a single turn in absence of all other turns in[µH]

m Memory requirements

Mmut Mutual inductor in [H]

N Number of queries sent to the device under attack

N Number of turns of a loop, only in Chapter 4

Nk′,δ Cardinality of the set Sδ

P (k = k) Probability that the key guess k = k

Pdp Direct path current consumption in [W]

Pdyn Dynamic power consumption in [W]

Pstat Static power dissipation in [W]

Ptot Total power consumption in [W]

xviii List of Acronyms and Symbols

QRLC Quality factor of an RLC circuit

r Distance in [m]

rd Read out distance in [m]

Rl Intrinsic resistance of the loop in [Ω]

rl Loop diameter in [m]

rw Wire diameter in [m]

rw Wire radius in [mm]

Rext External added resistance in [Ω]

S11 Scattering parameter

t Insulation thickness in [mm]

t Time index

V + Voltage wave traveling from the cable towards the oscillo-scope

V − Voltage wave traveling towards the cable from the oscillo-scope

Vl Voltage over a loop in [V]

VDD Supply voltage in [V]

Vin Input voltage in [V]

Vmin Minimum voltage amplitude in [V]

Vout Output voltage in [V]

Z Impedance in [Ω]

Z0 Intrinsic impedance of free space, equal to 120π Ω

Zc Characteristic impedance in [Ω]

Zcoil Input impedance of a coil in [Ω]

Zin Input impedance in [Ω]

Zl Load impedance in [Ω]

Zosc Oscilloscope impedance in [Ω]

Zth Source impedance in [Ω]

List of Acronyms and Symbols xix

µk′,δ(t) Empirical mean of all mi(t) for which Lk′,i = δ

σ2k′,δ(t) Sample variance of all mi(t) for which Lk′,i = δ

mi(t) Measured side-channel trace

pi (i = 1, . . . , N) Plaintext vector

l Length in [m]

List of Figures

1.1 The black-box attack model. . . . . . . . . . . . . . . . . . . . . . 3

1.2 The grey-box attack model. . . . . . . . . . . . . . . . . . . . . . . 4

1.3 The white-box attack model. . . . . . . . . . . . . . . . . . . . . . 5

1.4 An overview of the main classes of implementation attacks catego-rized inside the space generated by their active or passive natureand the destructiveness of the attacks. . . . . . . . . . . . . . . . . 7

1.5 A static CMOS inverter consists of a PMOS (upper) and an NMOS(lower) transistor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1.6 On the left the dynamic switching current is shown, the middlefigure depicts the situation of the short path current and the rightfigure explains the leakage currents in a CMOS inverter. . . . . . . 9

2.1 Differential side-channel attack model. . . . . . . . . . . . . . . . . 14

2.2 Graphical illustration of possible paths and transfer mechanismsbetween the source of the electromagnetic emission and themeasurement device. . . . . . . . . . . . . . . . . . . . . . . . . . . 24

2.3 The coordinate system for the magnetic and electric dipole analysis. 26

3.1 Partial measurement setup. . . . . . . . . . . . . . . . . . . . . . . 41

3.2 (a) Electromagnetic radiation trace of 7 steps of a 160-bit ellipticcurve point multiplication over GF (p) with Alg. 3.1, (b) Electro-magnetic radiation trace of 7 steps of a 160-bit elliptic curve pointmultiplication with Alg. 3.2. . . . . . . . . . . . . . . . . . . . . . . 42

xxi

xxii LIST OF FIGURES

3.3 (a) Sample average of demodulated electromagnetic radiation tracesof a 160-bit elliptic curve point multiplication with Alg. 3.2, (b)Sample average of demodulated electromagnetic radiation traces ofan elliptic curve point doubling with Alg. 3.3. . . . . . . . . . . . . 43

3.4 (a) Current consumption trace of a part of a 160-bit ECPM overGF (p) with Algorithm 3.2, (b) Electromagnetic radiation trace ofa part of a 160-bit ECPM over GF (p) of the same algorithm. . . . 43

3.5 (a) Current consumption trace around the point of attack, (b)Electromagnetic radiation trace around the point of attack. . . . . 45

3.6 (a) DFT of the current consumption trace of a measurementbetween 250 kHz and 375 kHz, (b) DFT of the electromagneticradiation trace of a measurement between 250 kHz and 375 kHz,(c) Current consumption trace of a measurement after taking themaximum value in every clock cycle, (d) Electromagnetic radiationtrace of a measurement after taking the maximum value in everyclock cycle. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

3.7 (a) Correlation between the current consumption measurements andthe predictions of the third spike in Fig. 3.6(c) as a function ofthe number of measurements, (b) For the electromagnetic radiationside-channel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

3.8 Correlation between the electromagnetic radiation measurementsand the predictions of all spikes in Fig. 3.6(d) as a function of thenumber of measurements. . . . . . . . . . . . . . . . . . . . . . . . 47

3.9 (a) Current consumption bias signals for the third spike in Fig. 3.6(c)and the kl−2 = 0 and kl−2 = 1 guesses, (b) Electromagneticradiation bias signals for the third spike in Fig. 3.6(c) and thekl−2 = 0 and kl−2 = 1 guesses. . . . . . . . . . . . . . . . . . . . . 48

3.10 Electromagnetic radiation bias signal for the 1st, 2nd, 4th and 5thspike in Fig. 3.6(d). . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

3.11 (a) Current consumption bias signals for the third spike in Fig. 3.6(c)and the k′l−2 = 0 and k′l−2 = 1 guesses, (b) Change in theamplitude of the current consumption bias signal for the third spikein Fig. 3.6(c), the k′l−2 = 1 guess and for all clock cycles. . . . . . . 49

3.12 Maximum value of the electromagnetic radiation bias signal for the1st, 2nd, 4th and 5th spike in Fig. 3.6(d) as a function of the numberof measurements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

3.13 First order success rates: DoM (dotted, option a in grey), T-test(dashed, option a in grey), V-test (dash-dotted), Pearson’s ρ (solid). 53

LIST OF FIGURES xxiii

3.14 Guessing entropies: DoM (dotted, a grey, b black), T-test (dashed),V-test (dash-dotted), Pearson’s ρ (solid). . . . . . . . . . . . . . . . 53

3.15 Elliptic curve processor architecture and related physical attacks.(SE = Single Execution, ME = Multiple Executions, CI = ChosenInput) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

4.1 Hand-made magnetic probes from the open literature. . . . . . . . 74

4.2 Commercial sniffer probes. . . . . . . . . . . . . . . . . . . . . . . . 75

4.3 Different far-field antennas. . . . . . . . . . . . . . . . . . . . . . . 76

4.4 This system is neither balanced nor unbalanced if Z1 6= Z2. . . . . 81

4.5 Schematic drawing of a balun. A sleeve around the outer conductoracts as a λ/4 transmission line with an infinite input impedance. Cstands for the center conductor, O for the outer conductor of thecoaxial cable. B is the extra conductor for the balun. . . . . . . . . 82

4.6 Schematic drawing of a practical implementation of a balun. Cstand for the center conductor, O for the outer conductor of thecoaxial cable. B is the outer conductor of the coaxial cable used forthe balun. The antenna is connected to B and C and O is shortedto B. The bold points are shorted. . . . . . . . . . . . . . . . . . . 82

4.7 The Thevenin model of a source and a graphical illustration ofreflection loss matching. . . . . . . . . . . . . . . . . . . . . . . . . 83

4.8 A current pulse is measured with differing impedances of theoscilloscope and sensor. The top row depicts the original signal. Themiddle row shows the signal radiated by this current and measuredwith a magnetic sensor of 50 Ω input impedance. The last row ismeasured with a loop of Zin = 0. The left plots of the two last rowswere obtained with a scope at Zin = 1 MΩ. The right ones withZin = 50MΩ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

4.9 Photograph of the loops. The upper one is the EMCO loop. Belowfrom left to right are the unshielded, symmetrical, balanced andMœbius with and without short. . . . . . . . . . . . . . . . . . . . 88

4.10 Schematic drawings of the four loop types. . . . . . . . . . . . . . . 89

4.11 S11 of the loops for 22 MHz− 1 GHz. . . . . . . . . . . . . . . . . 90

4.12 S11 of the loops for 1 kHz− 50 MHz. . . . . . . . . . . . . . . . . . 91

4.13 S11 of the Mœbius with short on a Smith Chart. . . . . . . . . . . 92

xxiv LIST OF FIGURES

4.14 S11 of a Mœbius without short with different capacitances betweenthe two adjacent cables. . . . . . . . . . . . . . . . . . . . . . . . . 92

4.15 Layout of a loop that combines the balanced and Mœbius loop. . . 93

4.16 The contour lines of Eq. (4.9) as a function of rl and N , rl/rw = 16,f = 10 MHz and Z = 1 MΩ. . . . . . . . . . . . . . . . . . . . . . . 96

4.17 N and the minimum rl as function of the bandwidth fL = fH forZ =∞ and Z = 1 MΩ, Vmin = 1 mV. . . . . . . . . . . . . . . . . 100

4.18 N and the minimum rl as function of the bandwidth fL = fH forZ =∞ and Z = 1 MΩ, Vmin = 1 mV in a more practical scenario. 101

4.19 Minimum rl for two loop sensors with varying working frequencyband. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

4.20 N and the minimum rl with varying working frequency band in amore practical scenario. . . . . . . . . . . . . . . . . . . . . . . . . 102

4.21 Variation of Nswitch as function of rl/rw and d/2rw. . . . . . . . . 103

4.22 rl as function of fL = fH for unloaded loops with different d/2rw. 103

4.23 Minimum rl as function of fL = fH for some common oscilloscopeinput impedances. . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

4.24 Minimum rl for some common oscilloscope input impedances withvarying working frequency band. . . . . . . . . . . . . . . . . . . . 104

4.25 rl as function of fL = fH for Z = 1 MΩ ‖ 13 pF and several rw/rl. 105

4.26 A possible graphical representation of all the conditions in the ω-rl

plain for a fixed number of turns N . . . . . . . . . . . . . . . . . . 106

4.27 Communication setup for proximity cards, PICC stands for proxim-ity IC card, PCD for proximity coupling device. . . . . . . . . . . . 107

4.28 Reader loop geometry. . . . . . . . . . . . . . . . . . . . . . . . . . 110

4.29 Ratio of optimal loop radius and reading distance as a function ofreading distance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

4.30 Field degradation due to phase differences on a loop of considerablelength. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

4.31 Magnetic field as a function of reading distance for several N . . . . 113

4.32 Equivalent circuit of an inductor. . . . . . . . . . . . . . . . . . . . 115

LIST OF FIGURES xxv

4.33 Schematic of (top left – a) Series, (bottom left – c) Combined Series-Parallel, (top right – b) Parallel and (bottom right – d) CombinedParallel-Series RLC resonance circuit. . . . . . . . . . . . . . . . . 117

4.34 Flow Chart of the Design Method. . . . . . . . . . . . . . . . . . . 120

4.35 Layout drawing and pictures of loops designed and made to validatethe formulas and statements. In the schematic drawing 4.35(a): A =front view, B = cross section. The values for rl and d of the differentantennas can be found in Table 4.4. N = 1. The same schematicholds for N > 1, only more turns are stacked. The picture 4.35(b)shows the largest loop made (the copper tube loop) and the smallertwo turn loop made from solid copper. . . . . . . . . . . . . . . . . 121

4.36 Frequency dependent value of L for the copper tube loop as obtainedfrom simulation and measurement. A balanced to unbalancedsystem transition causes this value to fluctuate heavily around13 MHz so that the loop is useless unless fed in a balanced way. . . 122

5.1 GEZEL system-level design flow for security applications. . . . . . 129

5.2 An RTL expression, the corresponding circuit and the state table. 130

5.3 Results of the toggle simulation with only functional correctness.Trace of Hamming distance for all registers in the design of ECC-160p. DBL and ADD denote point doubling and point additionrespectively. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

5.4 Proposed system architecture. . . . . . . . . . . . . . . . . . . . . . 132

5.5 Partial simple-SPA verification; (a) Toggle simulation result of theMALU. (b) Toggle simulation result of the controller. . . . . . . . 133

5.6 Toggle simulation result for each register in the MALU; (a) Noside channel attacks-verified design (b) After side channel attacks-verification and bug-fix. . . . . . . . . . . . . . . . . . . . . . . . . 134

5.7 Design after simple-SPA verification and countermeasure. Trace ofthe toggle count per cycle for the whole design of ECC-160p. . . . 135

5.8 Architecture of the AES-128 implementation. . . . . . . . . . . . . 139

5.9 DPA results for sCMOS, corr. attack with prediction of MSB ofByte1 ⊕ Byte5; left: corr. traces for all key hypotheses using5000 measurements; right: evolution of min and max corr. per keyhypothesis over number of measurements. . . . . . . . . . . . . . . 141

xxvi LIST OF FIGURES

5.10 DPA results for MDPL with fixed mask, corr. attack with predictionof MSB of Byte1; left: corr. traces for all key hypotheses using400000 measurements; right: evolution of min and max corr. perkey hypothesis over number of measurements. . . . . . . . . . . . . 142

5.11 DPA results for MDPL with random mask, corr. attack withprediction of HW of Byte1; left: corr. traces for all key hypothesesusing 1.2M measurements; right: evolution of min and max corr.per key hypothesis over number of measurements. . . . . . . . . . . 143

5.12 The evolution of the histograms of a pre-charge phase in theleft column and an evaluation phase on the right for 50 000measurements. The first row shows the histograms for the meanof the complete clock cycle. The second row represents the timeintervals chosen to extract the final histograms which are shown inthe third row. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

5.13 Transition of measurements between groups from pre-charge toevaluation phase in the left tabular, transition of measurementsbetween groups from evaluation to pre-charge phase in the righttabular. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

5.14 DPA results for MDPL with random mask, corr. attack against HWof bit 2 of byte 1; top left: group A; top right: group B; bottom left:group C; bottom right:group D; corr. traces for all key hypothesesusing 1.2M measurements. . . . . . . . . . . . . . . . . . . . . . . . 146

5.15 DPA results for MDPL with random mask, corr. attack withprediction of HW of bit 2 of byte 1; left: corr. traces for all keyhypotheses using 1.2 M measurements; right: evolution of min andmax corr. per key hypothesis over number of measurements. . . . . 147

5.16 The histograms in case all plaintext bytes are chosen at random(left: pre-charge phase, right: evaluation phase). . . . . . . . . . . . 148

List of Tables

3.1 Attacks versus Countermeasures. . . . . . . . . . . . . . . . . . . . 68

4.1 Advantages and disadvantages of the four loop types.A good loop is only sensitive to magnetic fields and hence suppressesthe electric fields, has a good isolation between inner and outerside of the outer conductor (related to the antenna effect), hasno reflections as the impedance is matched and picks up a largeamplitude of the signal. . . . . . . . . . . . . . . . . . . . . . . . . 88

4.2 Measured resistance values (rounded) between connectors of thefour loop types. i stands for inner conductor, o for outer, sa standsfor same end, op for opposite end. 50 Ω will only be measured ifone port of the sensor is loaded with 50 Ω. If left open, ∞ will bemeasured. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

4.3 Self-resonance frequency of loops with rw = 1 mm with and withoutinsulation of 0.2 mm with ǫr = 4 for varying loop radius. The lastcolumn gives the resonance frequency for a single turn. . . . . . . . 116

4.4 Overview of the characteristics of the different loops, (*) readingdistance not measurable because of QRLC too high, (**) readingdistance not measurable because the reader could not supply enoughcurrent, an amplifier is needed. (a) = Solid copper wire loop 1, (b)= Solid copper wire loop 2, (c)= Copper tube loop. . . . . . . . . 123

xxvii

Chapter 1

Introduction

Whenever a new electronic product is brought to market, its needs to passcertification procedures to ensure that normal usage of the device does not causeinterference with another product. This influence is e.g. noticeable whenever acellphone is positioned in the vicinity of a (bad) loudspeaker, indeed, disturbingnoises will reverberate through the speaker. It is obvious that one does not wanta product to perturb the working of another device because of poor design of themanufacturer. Therefore, most products in Europe have to comply to the EMCDirective 2004/108/EC published in 2004 [59] and need to bear the CE Mark. Themain objective of this EMC Directive is to ensure compatibility between electronicequipment concerning EMC issues.

Although the superfluous radiation is restricted through the Directive, anyelectronic device, whether it is composed of a simple diode and some transistors orbuilt up out of a complex aggregate of microchips, will generate electromagneticfields dictated by the laws of physics. However, the danger residing in this physicaleffect is not only the malfunctioning of the device itself or of neighboring devices.Whenever these fields can be captured and properly interpreted, informationprocessed by the device might be partially reconstructed. This may be anundesirable feature as it can reveal information that should be kept secret forthe outside. The electromagnetic fields that carry secret information are calledcompromising emanations. Note that compromising emanations is a generalterm and does not only point to emanations of electromagnetic nature. They canbe purely electrical, mechanical, acoustical, optical, etc.

1

2 INTRODUCTION

1.1 Cryptography and Attack Models

In a world where people’s lives are increasingly entangled with the use of ubiquitousembedded devices, the threat of malicious abuse of exposed data continues to growat a high pace. The field of cryptography provides a range of tools to ensure thatinformation is kept secret from all unauthorized people (confidentiality), to certifydata transfers from sender to receiver without being altered by unauthorized orunknown sources (data authentication), to prove the identity of an entity or thesource of information (entity authentication), to obviate the denial of actions in thepast (non-repudiation), etc. In compliance with Kerckhoffs’ principle, we assumethat the complete security of a cryptographic system only relies on the secrecy ofthe key.

Traditionally, the assessment of the mathematical security of a cryptographicsystem is performed in one of the following ways:

• An information theoretic proof. Here, a mathematical proof isconstructed to validate the resistance of a cryptosystem against certain typesof attacks in a certain environment. In many situations perfect secrecy orauthenticity is not reachable and/or not practical because an adversary isassumed to have unlimited powers.

• Complexity theoretic proof. Therefore, the goal of perfect securityunder the assumption of unbounded computing power is abandoned anda more realistic approach is followed where the computational complexityof attacks is taken into account. Indeed, the security of, e.g. most ofthe contemporary public-key cryptosystems relies on the hardness of somecomputational problem.

• Heuristic proof. Cryptanalysis is the field that researches the attacksagainst cryptographic systems. New cryptographic primitives are investi-gated against their resistance to a vast set of cryptanalysis techniques. Again,the computational complexity is taken as a measure of security.

Usually, these security assessments are performed inside the boundaries of what iscalled the black-box attack model (Fig. 1.1). Typically, the goal of the attackeris the find out the secrets or keys1. The attacker has the following abilities:

• He has full algorithmic details of the algorithm under attack.

• He has access to an implementation that encrypts an input i = (im, . . . , i0)with the encryption algorithm E to generate o = (op, . . . , o0) under a key of

1Key extracting is not the only possible goal, an adversary might e.g. want to be able todistinguish between the cryptographic algorithm and a pseudo-random function.

CRYPTOGRAPHY AND ATTACK MODELS 3

interest k. In this case i is called the plaintext and o denotes the ciphertext.Reversely, the attacker also possesses an implementation that decrypts inputi = (im, . . . , i0) with decryption algorithm D to generate o = (op, . . . , o0)under the key of interest k′. Here i symbolizes the ciphertext and o theplaintext.

• He has the ability to send a limited amount plaintexts or ciphertexts to theimplementation and receive the corresponding answer.

i = (im, . . . , i0) o = (op, . . . , o0)E D

k k′

The attacker can ask for a limited amount of (i, o) pairs.

Figure 1.1: The black-box attack model.

This model only relates to reality when the cryptographic primitives areimplemented in ”secure hardware”. An example of what might be calledsecure hardware nowadays is a tamper resistant box which is electromagneticallyperfectly shielded, consuming a constant power consumption and made soundproof,containing a chip with the cryptographic primitive. The only connections from thechip to the outside world are the ones that carry i and o. The power source ismounted inside the box and the input and output connections are completelyuncoupled from the rest of the circuit. It can easily be seen that not many devicescan be called perfectly secure hardware. Note that “secure hardware” is evolvingterminology. What was called “secure hardware” 50 years ago can be totallyinsecure nowadays.

In 1996 Kocher et al. [107] showed that the black-box model has some defectswith respect to bearing resemblance to reality. They showed this by analyzing thephysical characteristics of an implementation of, among others, Diffie-Hellman,revealing the secret very easily. These physical characteristics are called side-channels. Although they were not the first ones to perform an attack outsidethe black-box model, they are seen as the founder of the field of side-channelanalysis in the cryptographic community. Side-channel attacks, together withother implementation attacks (see Section 1.2) belong to the grey-box attackmodel (Fig. 1.2). The grey-box attacker has more privileges than the black-boxattacker: he has the ability to exploit the imperfections of a real physical device.This attack model is mostly relevant if the attacker is nearby; very often theattacker is the owner of the device. The privileges of a grey-box attacker are:

4 INTRODUCTION

• He has access to specific physical characteristics of the implementationthrough L = (Lq, . . . , L0). These can be measurements of the power con-sumption, electromagnetic radiation (emanation), etc. External parametersinfluencing these leakages are represented by S = (Sr, . . . , S0).

• He also has the ability to influence the computation of the algorithm throughthe injection of faults. The fault injection parameters are set through S =(Sr, . . . , S0). In this case also o = (op, . . . , o0) can change.

i = (im, . . . , i0) o = (op, . . . , o0)E D

k k′

S = (Sr, . . . , S0) L = (Lr, . . . , L0)

The attacker can provide a limited number of input couples (i, S) and

receives the corresponding output couples (o, L).

Figure 1.2: The grey-box attack model.

Our society evolved from a world where access to cryptographic primitives wasrestricted to a handful of people to one where cryptography is “reduced” to a partof a bigger system available to everyone. Dedicated cryptographic machines maderoom for heterogeneous hardware and software implementations and an even moreadvanced attacker than the one that moves inside the grey-box attack model has tobe considered. This attack model is called the white-box attack model, and isimportant for software implementations, see Fig. 1.3. The powers of the adversarysupersede the ones of the previous two models. On top of the possibilities of ablack- and grey-box attacker, the following powers are attributed to the attackerin the white-box model (Chow et al.[42, 41]):

• The attacker has access to fully-privileged attack software that is connectedwith the cryptographic hardware. As such, complete access to theimplementation of the algorithm is guaranteed.

• The attacker can observe dynamic execution of the cryptographic primitiveswith instantiated keys.

• The internal behavior of all cryptographic primitives are completely observ-able and changeable at any moment and to any value. This implies that every

IMPLEMENTATION ATTACKS 5

program instruction can be traced, that the content of both the memory andthe cache can be consulted at any instant, that the code and/or the memorycan be adjusted to the attacker needs, . . .

In principle there is no attacker more powerful than the white box attacker, thatis why it is called the worst-case attack scenario. Figure 1.3 shows clearly howthe white-box model includes all the possibilities of both the grey- and black-boxmodels. The extra input S′ = (S′r′ , . . . , S0) symbolizes the parameters necessaryfor the extended powers of the attacker and L′ = (L′t′ , . . . , L′0) the correspondingoutputs.

i = (im, . . . , i0) o = (op, . . . , o0)

E D

k k′

S = (Sr, . . . , S0) L = (Lt, . . . , L0)

S′ = (S′r′ , . . . , S′0) L′ = (L′t′ , . . . , L′0)

Debuggers, emulators, . . .

The attacker can provide as many input triplets (i, S, S′) as wanted and

receives the corresponding output triplets (o, L, L′).

Figure 1.3: The white-box attack model.

This model is only added for completeness and the reader is referred to [185] foran overview and more references on the topic.

1.2 Implementation Attacks

Side-channel analysis forms a part of the group of implementation attacks. Thelatter set themselves apart from traditional cryptanalysis by putting emphasis onthe weaknesses of the implementation rather than on mathematical imperfectionsin the design of the cipher. Over the past years many attacks illustrated thediversity of the domain. To create structure in the abundance of different attackscenarios, they are usually categorized according to their active or passive natureat first instance and secondly to the destructiveness of the actions necessary toaccomplish the attack.

6 INTRODUCTION

Passive-Active. Passive attacks only observe the cryptographic device undernormal functioning. Physical properties of the device are used to reveal thesecret key. In contrast, an active attack utilizes the cryptographic device underexceptional circumstances. Tampering induces abnormal behavior which in histurn is exploited to disclose the secret.

Destructiveness. A different categorization, independent of the previous one,divides the attacks into invasive and non-invasive attacks. Invasive attacksbasically allow the attacker to perform any action on the device in order to pruneout the key. Depackaging the chip is typically one of these actions. Non-invasiveattacks on the other hand keep the cryptographic device intact so no evidenceis left behind. Sometimes there is a distinction made between invasive attackswhere the attacker makes contact with the electronic circuit so the passivationlayer gets damaged and the ones where after depackaging, the electronic circuitremains untouched. The first ones are the truly invasive attacks, the latter onesare labeled semi-invasive attacks [165].

All attacks reported on in literature fit in the space generated by the twoindependent categorization groups. In this two-dimensional space, three generalclasses of implementation attacks can be distinguished.

Probing Attacks. The first type of attacks are the probing attacks, broughtto the attention of the cryptography world by Handschuh et al. in [84]. Whilecumbersome and expensive to mount, they are the most powerful way of attackinga circuit as, in principle, every internal value can be read out. A probing attackis an invasive, passive attack. The reader is referred to [91, 92, 163, 17] for moreinformation on these type of attacks.

Fault Injection Attacks. The second class is the class of fault injection attacks.Faults are induced in the cryptographic system through e.g. variations in thesupply voltage, variations in the external clock, changes in the temperature ofthe environment, by striking the chip with a laser or white light, . . . They areclassified as active attacks, but can be invasive, semi-invasive or non-invasive. Thefirst paper exploiting faults to break a cryptographic system is of Boneh et al. [28].An extensive overview of the complete class of fault injection attacks with goodreferences, up to 2006, for further reading, is written by Bar-El et al. [21]. Morerecent publications can be found in the proceedings of e.g. FDTC.

Side-channel Analysis Attacks. The third and, so far, most studied classare side-channel analysis attacks where one or more physical properties ofthe cryptographic device is observed during algorithm execution to extract

IMPLEMENTATION ATTACKS 7

Invasive

Semi-invasive

Non-invasive

Passive Active

Probing

Fau

ltin

ject

ion

Sid

e-ch

annel

anal

ysi

s

Figure 1.4: An overview of the main classes of implementation attacks categorizedinside the space generated by their active or passive nature and the destructivenessof the attacks.

secret-dependent information. Among the side-channels studied, timing, powerconsumption and electromagnetic radiation are the most prominent. Thepioneering work for those three has been carried out by Kocher et al. for both theside-channels power consumption and timing [108, 107], and as a coinciding resultby Quisquater and Samyde [152] on the one hand and by Gandolfi et al. [68] for theelectromagnetic side-channel. Generally, side-channel analysis attacks are passiveand either non-invasive or semi-invasive. In the field of side-channel analysis twobasic types distinguish themselves: Simple Attacks and Differential Attacks.In short the difference between the types is the following: the first ones areperformed with the aid of only a few measurements. The weaknesses mainlyaddressed are differences in patterns generated by various operations or parametersthat relate back to the secret key. The latter type, differential attacks, exploitthe data dependent dynamic power consumption and electromagnetic radiation ofthe circuit. Differential attacks require much more measurements, in the rangeof a few hundreds for software implementations, a few thousands for hardwareimplementations and millions for protected circuits. The secret key is revealed byanalyzing the measurements with statistical tests. An elaborate treatment of thedomain of power analysis can be found in Mangard et al. [122].

A graphical overview of the active or passive nature and the destructiveness of thedifferent classes of implementation attacks is given in Fig. 1.4.

8 INTRODUCTION

1.3 Side-channel Analysis in More Detail

The robustness of static CMOS logic (Complementary Metal-Oxide-Semiconductor)and its minimal power consumption in steady-state conditions have determinedthe success of the technology in present-day consumer electronics. UnfortunatelyCMOS logic has a data dependent power consumption enlarging the risk of side-channel analysis.

The study of the power consumption of a CMOS inverter, by and large reputed asthe core of digital design, helps in understanding the origin of the data dependentpower consumption. The circuit diagram is given in Fig. 1.5. In this figure, Vin

denotes the input voltage, Vout the output voltage, VDD the supply voltage andCload is the symbolic representation of the capacitance seen from the output ofthe inverter. Although Cload is placed between the output node and the ground,in reality the output capacitance is a network of capacitances located betweenmultiple nodes.

Vin Vout

Cload

VDD

Figure 1.5: A static CMOS inverter consists of a PMOS (upper) and an NMOS(lower) transistor.

The total power consumption of the inverter, Ptot, is the result of three effectswhich are detailed further on : i) the dynamic dissipation attributable to thecharging and discharging of the load capacitance Pdyn, ii) the direct path currentPdp and iii) the static dissipation Pstat. Expressed in a formula:

Ptot = Pdyn + Pdp + Pstat . (1.1)

i) Dynamic Power Consumption. Every time the input voltage of the inverterswitches from VDD to 0, Cload is charged by a current IDD flowing from VDD

through the PMOS device. Reversely, whenever the input voltage switches backin the opposite direction, from 0 to VDD, Cload is discharged through the NMOStransistor. Here lies the origin of the existence of side-channel analysis. It is easyto see that the dynamic power consumption is data dependent. The left drawingin Fig. 1.6 shows the equivalent circuit of an inverter when the input changes fromhigh to low, resulting in a corresponding output change from low to high.

SIDE-CHANNEL ANALYSIS IN MORE DETAIL 9

ii) Direct Path Current. In a perfect situation where either the PMOS orthe NMOS conducts current, but never both, direct path currents do not exist.However, sometimes the finite value of rise and fall times of the input signalsand/or wrong input signals may result in a short moment in time where there isa direct path between the supply voltage and the ground. This manifests itselfthrough very sharp current spikes Idp in the power consumption. The situation isillustrated by the middle drawing of Fig. 1.6. A good choice of input and outputrise and fall times can minimize the direct path current, making it negligiblecompared to the other two components. In modern, correctly designed CMOScircuits, direct path current is not an issue.

iii) Static Power Consumption. The static power consumption is caused byleakage currents Ileak in the CMOS inverter in a steady-state situation. While inolder technologies, the static power consumption could be neglected, this is notthe case for newer technologies where due to scaling of the devices and the appliedvoltage, the static power dissipation becomes a major source of the total powerconsumption. Unfortunately the static power consumption is also data dependentand side-channel analysis will remain a threat with future technologies. Theequivalent circuit of static power consumption is shown on the right in Fig. 1.6. Thediodes in the schematic depict the reverse-biased diode junctions of the transistors.

Vin VoutVout

CloadCload

VDDVDD

VDD

VDD

IDD

Idp Vout = VDD

Ileak

Ileak

Figure 1.6: On the left the dynamic switching current is shown, the middle figuredepicts the situation of the short path current and the right figure explains theleakage currents in a CMOS inverter.

Every changing current or voltage generates an electromagnetic field. The relationbetween the current and the radiation is dictated by the Maxwell equations,discussed in Chapter 2.

Because the currents generating this electromagnetic radiation are data dependent,as explained above, the electromagnetic radiation will be too. And althoughsecrecy of the data processed by most of the devices is of no concern, this certainlychanges as soon as cryptography comes to the foreground. The most importantgoal of cryptography is exactly to protect the secrecy of the data or of the key.This means that compromising emanations generated by cryptographic devices

10 INTRODUCTION

are a potential weak link in the design of a cryptographic system. Historically,electromagnetic radiation generated by a broad range of information processingdevices has indeed been shown to be a source of information leakage andgovernments have invested millions of dollars not only to prevent it, but alsoto exploit it as an espionage technique.

It should be stressed that the problem of compromising emanations is not confinedto cryptographic devices only, but of concern for every device processing sensitiveinformation. An example of an attack on a non-cryptographic machine is describedin [16], where a vulnerability towards electromagnetic analysis of some votingmachines was revealed in The Netherlands.

In this doctoral dissertation the electromagnetic side-channel will be discussed inevery aspect necessary to exploit it.

Examples of Historical Exploitation of Unintended Electromagnetic Radiation

One of the earliest records of the exploitation of unintended electromagneticradiation dates back from 1914, [137]. The field telephones from the beginningof World War I utilized a single core insulated cable. The return path wasconstructed via ground spikes through the ground to minimize the weight ofthe telephone cable. On the Western Front battles were often settled out atfixed locations with trenches across each other for the opposing armies. Forthe authorities to stay in contact with the soldiers in the first line to pass onthe latest tactical orders, telephone connections were of uttermost importance.Soon it was discovered that there was a substantial amount of crosstalk on thetelephone circuits which originated not only from their own side (which is in thiscase The British Army), but was partially caused by telephone connections fromthe enemy side. In no time listening posts were installed to benefit from this freeinformation. Of course, The British Army took protective measures at the sametime, including the conversion of all telephone circuits to a twin core cable.

In 1985 Van Eck published a paper titled ”Electromagnetic Radiation from VideoDisplay Units: An Eavesdropping Risk?” [57]. Although he used poorly shielded,old display units, he showed that video display units generate electromagneticfields containing harmonics of the video signal which can be reconstructed using anormal TV receiver. According to his findings, reconstruction should be possibleup to 1 km.

1.4 Thesis Organization and Contributions

This section gives an overview of the structure of the thesis and highlights thepersonal contributions.

THESIS ORGANIZATION AND CONTRIBUTIONS 11

Chapter 1: Introduction. The first chapter introduces and motivates the topic.It positions the topic in the broad field of cryptography.

Chapter 2: Electromagnetic Analysis. The basic principles of electromagneticanalysis are explained in this chapter. Besides a quick focus on the well-known fundamentals of side-channel analysis attacks and a short overview of thedistinguishers, the origin and characteristics of the electromagnetic side-channelare reviewed and classified. Although none of the information in the chapter isnovel, the specific structuring brings some order in the field of electromagneticanalysis and points out the complexity of the leakage. The chapter is wound upwith an enumerating description of the most important papers on electromagneticanalysis published between the first papers of Gandolfi et al., and Quisquater andSamyde and the publication of this thesis.

Chapter 3: Electromagnetic Analysis in Practice. Chapter 3 presents the firstelectromagnetic analysis attack on a hardware implementation of ECC over GF (p)on an FPGA. This work was performed in collaboration with P. Buysschaert andS.B.Ors. While the attack in itself is not complex, the novelty lies (lied) in thefeasibility of the attack. Next, we focus on the security criteria originally used forthis work and the security criteria presented by Standaert et al. in their paper [170].By doing this, we explicitly promote the usage of sound criteria to compare attacks.The chapter concludes with a study of the published side-channel and fault analysisattacks on ECC and an overview of most of the countermeasures to defeat side-channel and fault analysis attacks on ECC, this positions the attack and serves asan aid for designers who wish to use ECC in their device. The latter analysis isjoint work with J. Fan and X. Guo.

Chapter 4: The Measurement Probes. The fourth chapter is the most extensivechapter. It starts with a survey of the components of the measurement setup forelectromagnetic analysis. All the properties of a near-field sensor for side-channelattacks are enumerated and explained. Three specific applications were chosenand elaborated upon. The work and experiments carried out in this chapter isjoint work with W. Aerts. In a first case study the matching of shielded magneticloops is investigated. A second case study applies to unshielded loops and relatesthe resolution of small magnetic loops with their frequency selectivity. The secondcase study treats very small loops, whereas the loops in the first case study aremedium sized loops. The third case study at the end of the chapter deals withlarge magnetic loops. Here a loop is designed to extend the reading range of anISO14443a RFID-reader.

12 INTRODUCTION

Chapter 5: Countermeasures. Chapter 5 focuses on a design-flow at systemlevel to counteract simple power analysis attacks; it describes an extensive casestudy of power analysis attacks against an MDPL prototype chip. The latter studyreveals that, although MDPL withstands standard DPA attacks, it can easily beweakened by choosing only a subset of the available power measurements based onan analysis of the power distribution profiles. The two topics specifically target thepower consumption side-channel and not the electromagnetic emanations, but itis argued that resistance against electromagnetic analysis attacks imply resistanceagainst power consumption analysis, justifying its discussion in the framework ofthis thesis. This chapter is joint work with K. Sakiyama and B. Gierlichs.

Chapter 6: Conclusions and Further Work In this final chapter, conclusions aredrawn and further work is discussed.

Chapter 2

Electromagnetic Analysis

2.1 Introduction

This chapter describes the principles of electromagnetic analysis and positions thefollowing chapters in the topic. Electromagnetic analysis brings together two fieldsof research:

1. the study of the origin, appearance and capturing of electromagnetic fieldssurrounding an electrical circuit;

2. generic side-channel analysis techniques.

The first two sections of this chapter deal with the latter topic. As mentionedin Chapter 1, there exist two main categories of side-channel attacks, simple side-channel attacks on the one hand, and differential and higher-order attacks on theother hand. While a simple side-channel attack looks for a clearly visible relationbetween the side-channel leakage and the secret stored in the device, a differentialside-channel analysis is computationally more complex. A short explanation ofthe differential analysis methodology and the statistical distinguishers commonlyused in this field, as an aid for the following chapters, is given in Section 2.2and Section 2.3. A study of the electromagnetic side-channel itself is given inSection 2.4. The theoretical framework of electromagnetic waves is discussed,besides the different ways of propagation of information through the side-channeland the physical properties of the diverse modes of electromagnetic analysis.Before reaching the conclusion in Section 2.6, the most important papers inelectromagnetic analysis research are summarized in Section 2.5.

13

14 ELECTROMAGNETIC ANALYSIS

2.2 DEMA/DPA Attacks

Differential side-channel attacks are feasible whenever a physical, measurableproperty of the device under attack deterministically depends on the data itprocesses. However, a differential attack is not as easy as measuring the powerconsumption or electromagnetic radiation and “reading off” the secret key dueto incomplete knowledge of the adversary, measurement imprecision, noise, etc.Instead, those attacks rely on statistical models and hypothesis testing.

Figure 2.1 visualizes the abstract differential or higher-order side-channel attackprocedure and environment.

Device under attack

Target signal

Key

Noise

Electromagnetic emission

Side-channel adversary

Preparation phase

Exploitation phase

Measurement setup

Sensor

Cables

Oscilloscope

Guess

Inputs

Outputs

Figure 2.1: Differential side-channel attack model.

The cryptographic device stores a fixed key and holds an implementation of acryptographic primitive which is sequentially fed with N known input vectors pi

(i = 1, . . . , N). The setup measures the side-channel trace, that is the physicalleakage, over time of a single call to the cryptographic function with input vectorpi; this measurement is denoted as mi(t). We assume the mi(t) to be vectorscovering the time span (t = 1, . . . , q) of the computation. The actual side-channelleakage is denoted as a physical observable [171]. The difference between thephysical observable and the physical leakage is made by the specific side-channel

THE DISTINGUISHERS 15

and the measurement setup. A (first-order) attack targets a chosen and sensitiveintermediate value of the cryptographic computation that depends both on (a partof) the input vector pi and a small part k of the key. Here small means that itmust be feasible to run statistics on the power consumption traces for each valueof k.

For an attack, the adversary needs to be able to predict the side-channel leakage(e.g. expected power consumption) of that intermediate result with a statisticalmodel, usually referred to as hypothetical leakage function. The prediction of thehypothetical leakage for input pi and a key guess k′ is denoted by Lk′,i.

The adversary predicts Lk′,i for all N input vectors and all values of k′. It isassumed that for the correct guess k′ = k, there exists a statistical correlationbetween the predictions Lk,i (i = 1, . . . , N) and the power consumption samplesmi(t) at some unknown point in time t. The adversary uses a statistical test, oftenreferred to as a distinguisher, to detect this interdependence which reveals boththe value of k and the point in time when the intermediate value is computed.Characterization of the cryptographic device is optionally done in a preparationphase prior to the exploitation phase. Both phases can be quantized by their timecomplexity τ , memory requirements m, and the number of queries N needed.

2.3 The Distinguishers

This section briefly describes the distinguishers used in the experiments. Tosimplify the description of selected distinguishers, we introduce more notation.Leakage predictions typically map to a small set of values whose nature dependson what exactly is predicted. For now we denote these values by lowercase Greekletters and their ensemble by Φ. Let µk′,δ(t) denote the empirical mean of allmi(t) for which Lk′,i = δ. Similarly, let σ2

k′,δ(t) denote the sample variance of allmi(t) for which Lk′,i = δ.

2.3.1 Distance of Means

The Distance of Means (DoM) test was proposed by Kocher et al. in theirseminal paper [108], it was thoroughly reviewed in Messerges et al. [127]. TheDoM test divides the set of curves into two sets Sδ = mi(t)|Lk′,i = δ andSγ = mi(t)|Lk′,i = γ 6= δ according to the hypothetical leakage values Lk′,i.For example, when focusing on a single bit Lk′,i ∈ 0, 1, one would partitionaccording to whether that bit flips (Lk′,i = 1) or not (Lk′,i = 0) because onlybit flips are assumed to consume power. Next, both sets of curves are reducedto their empirical means and the difference between the two resulting curves iscomputed. For the correct hypothesis k′ = k, the predictions Lk′,i are correct and


the partitioning indeed separates curves that are associated to different values ofLk′,i. This results in a peak in the differential curve at the point in time when thetargeted operation is computed. For all other hypotheses k′ 6= k, the partitioningis assumed to be more or less random and the differential curve is flat. The correctvalue of k can therefore be identified as the one that yields the highest peak in thedifferential curves. Formally, the DoM distinguisher computes

∆k′(t) = µk′,δ(t)− µk′,γ(t)

for each point in time and for all hypotheses k′ and selects the best hypothesisk = arg maxk′,t |∆k′(t)|.

2.3.2 T-test

The T-test, Coron et al. and Gierlichs et al. [52, 74], is a more elaborate differenceof means test that takes the sample variances σ2

k′,δ(t) and σ2k′,γ(t) in the two sets

into account. The cardinalities of the two sets are denoted as Nk′,δ and Nk′,γ . TheT-test distinguisher computes

Tk′(t) =µk′,δ(t)− µk′,γ(t)√

σ2

k′,δ(t)

Nk′,δ+

σ2

k′,γ(t)

Nk′,γ

,

for each point in time t and all hypotheses k′ and decides for k = arg maxk′,t |Tk′(t)|.

2.3.3 Variance Test

The Variance test (V-test), Standaert et al. [169], evaluates the ratio between thesample variance in the set of all curves (denoted by σ2(t)) and the weighted meanof the sample variances in the sets of the partition. The intuition is that the correctkey hypothesis minimizes the denominator and thus maximizes the expression. Foreach k′ and each time instant, the distinguisher computes

σ2k′(t) =

σ2(t)1N

∑

δ∈Φ Nk′,δσ2k′,δ(t)

and selects k = arg maxk′,t σ2k′(t).

THE ELECTROMAGNETIC SIDE-CHANNEL 17

2.3.4 Pearson Correlation

Brier et al. proposed to use the Pearson correlation coefficient in [30]. Thedistinguisher estimates the coefficient

ρk′(t) =cov (mi=1...N(t), Lk′,i=1...N)

σ2(mi=1...N(t))σ2(Lk′,i=1...N), (2.1)

for each t and all key hypotheses. The coefficients are values from the interval[−1, 1] that give an indication about the linear fit between the two variables. Thedistinguisher selects k = arg maxk′,t |ρk′(t)|.

2.3.5 Spearman’s Rank Correlation

By using Spearman’s rank correlation [22] an attacker does not rely anymore onthe linear relationship between the hypothetical leakage values and the measuredpower consumption. Instead, the test measures the monotonic relationshipbetween two variables. Spearman’s rank correlation is a non-parametric ordistribution-free rank statistic. The main idea of this coefficient is to rank thedata before estimating the correlation. If tied ranks exist (which is likely thecase), Spearman’s coefficient is merely Pearson’s ρ of the ranked data. Except forthe ranking step, the distinguisher works in the same way.

2.4 The Electromagnetic Side-Channel

The electromagnetic side-channel differs in a number of ways from the powerconsumption side-channel. The most important difference is that a powerconsumption measurement is a simple amplitude waveform over time, while theelectromagnetic side-channel is a three dimensional vector field that changes overtime. This implies that we are in need of vector calculus techniques to describeit. Therefore, the mathematical background of vector calculus is discussed ina first subsection. Once we have a fairly good notion about this concept, theholy grail of electromagnetic waves is discussed: the equations of Maxwell. Thismathematical framework describes the relations between currents and voltages onthe one hand, and electric and magnetic fields on the other hand. In principle,this framework provides the reader with all the elements necessary to calculatethe surrounding electromagnetic field of a chip, given that he knows the startconditions, the topology of the chip, the properties of all the materials used andthat he has an accurate idea of the locations of the currents and voltages in thechip. However, the complexity of the whole of materials, currents, voltages andtopology makes an exact computation of the field completely infeasible. That is


why we will continue this section with a discussion about specific properties of theelectromagnetic field that can be deduced without the need of a detailed modeland complex calculations. We will also introduce elementary building blocks andconcepts that are useful for further study of the electromagnetic field. Finally fourcommon ways to exploit this electromagnetic emission in side-channel analysis arementioned.

2.4.1 Vector Calculus.

An electromagnetic field is a vector field in a three dimensional space. Thedefinition of a vector field is a function F that maps elements x in R

n to a vectorF(x) in R

n.

There exists several operations on vector fields. To understand their meaning, weneed the definition of a line integral and a surface integral.

Line integral. A line integral of a vector field−→F along a curve C is defined by

∫

C

−→F · δr =

∫ a

b

−→F (C(t)) · C′(t)δt , (2.2)

where C(t) is a path in the field parametrized by t ∈ [a, b].

Surface integral. A surface integral of a vector field−→F over the surface S is

defined as∫

S

−→F · δa =

∫

S

(−→F · n)δa , (2.3)

where n is the unit vector normal to the surface a.

With these definitions in mind, we can study the divergence and curl of a vectorfield.

Divergence. The divergence is a measure for the existence of sources and sinks

inside the vector field. The divergence of a vector field−→F is a scalar field and the

value at point x is defined by [124]:

div−→F = ∇·−→F = lim

δV→0

1

δV

∫

∫

δS

−→F · n dS , (2.4)


where δV is a small volume enclosing x with a surface δS and n is the normal toδS, pointing outwards. It is the flux through δS divided by δV .

In a three dimensional Cartesian coordinate system denoted by x, y, z andthe corresponding unity vectors x, y, z, the definition of the divergence of a

continuously differentiable field−→F = (Fx, Fy, Fz) is defined by:

div−→F = ∇·−→F =

δFx

δx+

δFy

δy+

δFz

δz. (2.5)

Curl. The curl is a measure of the rotation or momentum at a specific point inthe vector field. The formal definition of the curl of a vector field F at point x isdefined by [124]:

(rot−→F )· n = ∇×−→F = lim

δA→0

∮

C

−→F dr

δA, (2.6)

where δA is a small area around x and C the boundary of δA and n is the unityvector perpendicular to the plane δA.

In Cartesian coordinates for a three dimensional vector field−→F , this becomes:

∇×−→F =

∣

∣

∣

∣

∣

∣

x y zδ

δxδ

δyδ

δz

Fx Fy Fz

∣

∣

∣

∣

∣

∣

. (2.7)

2.4.2 Maxwell’s Equations

The classic electromagnetic effects are all covered by a framework of fourfundamental mathematical equations called Maxwell’s equations. Maxwellcollected them in [125], although not in the form we use them nowadays. The creditfor that goes to Heaviside. The equations are based upon several experimentallaws: Gauss’ law, its magnetic counterpart, Faraday’s law and Ampere’s law. Tothis day, the equations still hold based on the observation that they still validateall non-quantum electromagnetic phenomena examined. In their differential form,


the equations are written as follows:

∇×−→E = −∂−→B∂t

, (2.8)

∇·−→D = ρf , (2.9)

∇×−→H =−→Jf +

∂−→D∂t

, (2.10)

∇·−→B = 0 . (2.11)

In these equations−→E denotes the electric field in V/m,

−→B is the magnetic field in T,−→D is the symbol for the electric flux density expressed in C/m2,−→H is the magnetic

field intensity in A/m, the free electric current density is symbolized by−→Jf in A/m2

and ρf is the free electric charge density in C/m3. The relationships between−→D and−→E , and,

−→H and−→B are respectively defined by the following constitutive equations:

−→D = ǫ−→E , (2.12)

−→B = µ−→H , (2.13)

where ǫ is the permittivity and µ is the permeability. Note that in general neitherǫ nor µ are constants, but rather functions over time and space. This enablesthe equations to deal with nonlinear (time dependent), anisotropic (directiondependent) and dispersive (frequency dependent) materials.

Equation (2.8) expresses that a time-changing magnetic flux induces an electricfield and is also known as Faraday’s law. The second equation, Eq. (2.9), Gauss’ lawexplains the relation between an electric field and the distribution of its originatingelectric charges. The equation originates from the attraction and repulsion forcesbetween electric charges. Equation (2.10), which is an extension of Ampere’s law,defines in symbols that a magnetic field can arise from an electric current and/ora changing electric field. The last equation of the set of Maxwell’s equations,Eq. (2.11) states that there exists no such thing as magnetic monopoles, theyalways come in pairs. Hence, magnetic field lines are always closed.

To be complete, although it can be deduced from the former equations, thecontinuity equation is given here as well:

∇·−→J = −∂ρ

∂t, (2.14)

This equation expresses the idea that a time-varying charge implies a currentsource and vice versa.


With this set of equations, the correct boundary conditions and the initial stateevery problem involving electromagnetic behavior can in principle be solved.

One of the derivations that can be observed from the Maxwell equations is thatelectromagnetic energy can propagate from one point to another point as a wave.An electromagnetic field generated at some location in space will exert a force inanother location at a later point in time. This means that electromagnetic wavescan transport energy and thus, they can also convey information.

Electromagnetic waves are nothing but time-varying electric and magnetic fields. Avarying current through a conductor causes a change in the surrounding magneticfield. This time-varying magnetic field generates in his turn a time-varying electricfield. This produces an magnetic field, etc. The result is an electromagnetic wavepropagating away from the source. In contrast to voltage and current waves,electromagnetic waves do not need guides to travel.

The points were the EM waves stop being guided by wires and start to travel freelyand unbounded, are called antennas. The term antenna needs to be interpretedbroadly, it can be a conductor in an electronic circuit or in a chip. The working ofthe antenna depends on the conductivity of the material, the shape of the antennaand the physical dimensions of the antenna (relative to the wavelength).

To study practical problems one often looks at the steady-state sinusoidalapproximation of an electromagnetic wave at a specific frequency ω. Thetime-harmonic, sinusoidal steady-state forms of Maxwell’s equations are recitedunderneath:

∇×−→E = −jω−→B , (2.15)

∇·−→D = ρ , (2.16)

∇×−→H =−→J + jω

−→D , (2.17)

∇·−→B = 0 . (2.18)

2.4.3 Properties of Electromagnetic Emissions/Fields

It is impossible to give an exact description of the electromagnetic emissionsgenerated by a cryptographic device or any circuit. Nevertheless, understandingsome basic notions about the origin of these emissions, helps in gaining insight inthe complexity of the matter. To structure the problem, an approach analogue tothe one in the domain of electromagnetic interference (EMI) will be followed [75].


The main variables to describe electromagnetic emissions are currents, voltages,electric fields and magnetic fields.

Note that we do not speak about electromagnetic radiation in particular; for now,the term electromagnetic emission will be used. In [7], the term electromagneticemanation is used instead. By explicitly avoiding the term radiation at this stage,it is clear that electromagnetic emanations or emissions manifest themselves inmore forms than radiation only.

In general, the capturing of electromagnetic emanation can be simply modeledwith the following parts:

1. The source that creates the electromagnetic emanation

2. The sensor or antenna or any other measurement device that picks up thesignal, this item will be discussed in Chapter 4

3. The path between the source and the sensor

Depending on the level of abstraction of the system under investigation, thedefinition of the above terms will differ. This can easily be explained withan example: Imagine a computer server in a bank with a cryptographic AES-coprocessor leaking the AES key through electromagnetic radiation. At asystem level the emission source might be the computer, at subsystem level, themotherboard can be seen as the emission source. One level below, at the printboard level, one might point to the cryptographic chip on the board as the originof the leakage. At the lowest level which is called the component level, the registerfile where some sensitive intermediate value of the cryptographic is stored can bepointed out to be the exact origin of the leakage.

Five different aspects of the electromagnetic field/emission will be discussed next,namely:

1. The difference between intentional and unintentional fields;

2. Electromagnetic zones and the importance of the notion of wavelength;

3. Different paths of propagation;

4. Transfer mechanisms for electromagnetic emissions from one circuit elementto another;

5. Time domain versus frequency domain analysis.


Topic 1: Unintentional and Intentional Emission

A source or emitting device generates intentional and/or unintentional emissions.These emissions can find their way through wanted and/or unwanted paths to endup in the electromagnetic environment where an attacker can “tap” the signalsout of this environment with some kind of measurement device.

The emission generated may either be intentional or unintentional. This divisioncan be interpreted in two different ways. In the first typification, intentionalemissions are those that are generated by building blocks which aim at deliberatelycreating the emission. This can be for example a crystal oscillator defining theexact frequency of the internal clock. Another example is an antenna. RFIDenabled cards all have an antenna connected to their chip to communicate withthe outside world. Unintentional fields are the ones originating from circuitelements that are not used to generate electromagnetic fields; these fields existssimply because the circuit elements consume power. Through the laws of Maxwell,electromagnetic fields do exist around them. The second meaning of the separationbetween unintentional and intentional electromagnetic fields is the one as explainedby Agrawal et al. [11]. For them, intentional electromagnetic fields are the onesdirectly generated by a current carrying element. Unintentional fields on the otherhand are the ones originating from modulation effects in the cryptographic chip.

Topic 2: Electromagnetic Zones and the Importance of the Wavelength Notion

When dealing with electromagnetic emissions, it is important to understand whatthe concepts ”small”, ”large”, ”far”, ”near” mean in the electromagnetic context.A sinusoidal signal with frequency f traveling from point A to B, placed at adistance r along the r-axis from each other, in a medium with a relative dielectricconstant ǫr and a relative permeability µr propagates with a speed ν = c/

√ǫrµr.

The constant c equals 2.998.108 m/s, the speed of electromagnetic waves in vacuum.The distance between point A and B is called ”small” if at time t = r/ν which isthe time needed for a variation at point A to travel to point B, the same variationcan still be seen at point A. This means that the signal is quasi-static. Thisproperty holds if t≪ T = 1/f . In practice we do not need to measure the time t,because λf = ν with λ the wavelength, t = r/ν ≪ 1/f becomes r ≪ λ. Note thatthis definition is not general and other more or less similar definitions exists.

The interpretation of expressions that define the electromagnetic behavior of smallelectromagnetic sources or antennas in space can be simplified by investigatingthem under two approximations: the near-field and the far-field approximation.The first region is bound by kr ≪ 1 with k = 2π/λ the wave number, resulting inr ≪ λ/(2π). The second by kr ≫ 1 or r ≫ λ/(2π).


Source Probe

Radiation

Capacitive coupling Inductive coupling

Conduction

Figure 2.2: Graphical illustration of possible paths and transfer mechanismsbetween the source of the electromagnetic emission and the measurement device.

Although each source or antenna has to be treated individually, there are a fewgeneral statements about electromagnetic fields that can be put forward.

Near-FieldIn the near-field the relationship between

−→E and−→H is very complex and to get an

idea of the total field surrounding the electromagnetic source, both−→E and

−→H areto be measured.

Far-FieldIn the far-field there is a clear relationship between

−→E and−→H. The relation

|−→E |

|−→H|

= Z0 holds, with Z0 the intrinsic impedance of free space. Furthermore, the

electric and magnetic fields are orthogonal to one another and they are in time

phase. In this region, it makes sense to measure only−→E as

−→B is easily deduced

from that and−→E is larger by a factor of Z0.

Whether or not an element A is electromagnetically small for an element B ishighly dependent on the largest wavelength that is of importance to element B.

Topic 3: Propagation Paths

Electromagnetic emanations travel away from their source through severalpropagation media. According to [7], there are four ways in which electromagneticemanations might propagate away from its origin: electromagnetic radiation,conduction, modulation of another signal and acoustic signals. We will followa slightly different approach and make a distinction between paths of propagationand transfer mechanisms, where the second category explains how a signal canswitch between different paths of propagation. We distinguish two possible pathsbetween a source and a receiver: radiation and a common path. Of course acombination or alternation of the two paths is within the bounds of possibility.


Direct RadiationThis is the most intuitive way of information propagation by electromagnetic

emanation. The laws of Maxwell define a relation between the originating currents,voltage levels and circuit architecture on the one hand and the electromagneticradiation on the other hand.

Computing the exact field distribution at some position in the neighborhood of adevice is an extremely complex problem. Not only because the source is a complexentity of current distributions in a geometrical jumble of conductors, but alsobecause the measurement environment plays a role in the resulting electromagneticenvironment. Reflections on the ground or any object in the neighborhood playan import role in the resulting field distributions. The complexity of the source isput aptly by Gandolfi et al. [68]:

Very much simplified, the chip’s global current consumption canbe looked upon as a big river concentrating the sum of the smalltributaries flowing into it. If the subcomponents’ contributions couldbe determined, then the small streams would be isolated.

Thus, a cryptographic chip is not a single source, but a multitude of radiationsources. Modeling the whole can be done by combining the electromagnetic fielddistributions of some elementary sources distributed over the chip: small currentloops can be replaced by magnetic dipoles and common-mode currents can bemodeled with electric dipoles, because the characteristics of their fields are verysimilar [117].

The electromagnetic field behavior of these elementary dipoles is a useful aid togain insight in the complexity and properties of the electromagnetic radiationsurrounding a chip.

In the case of an elementary electric dipole carrying a current density I with alength δl positioned in the origin of a Cartesian coordinate system along the Z-axis,the electromagnetic field expressions at a point P (r, θ, φ) in a spherical coordinatesystem with the origin colliding with the origin of the Cartesian coordinate system,are given by the following equations [111]:

Hφ(r) = −Iδlk2 sin θ

4πexp (−jkr)

(

1

jkr− 1

k2r2

)

, (2.19)

Er(r) =

√

µ

ǫ

Iδlk2 cos θ

2πexp (−jkr)

(

1

k2r2+

1

jk3r3

)

, (2.20)

Eθ(r) = −√

µ

ǫ

Iδlk2 sin θ

4πexp (−jkr)

(

1

jkr− 1

k2r2− 1

jk3r3

)

. (2.21)


The θ and r components of the magnetic field and the φ component of the electricfield are zero.

The analogous expressions for the second case where a magnetic dipole is used,positioned with its center in the origin of the Cartesian coordinate system in theXY -plane with radius a carrying a uniform current density I are given by [111]:

Hr(r) =jIπa2k3 sin θ

2πexp (−jkr)

(

1

k2r2+

1

jk3r3

)

, (2.22)

Hθ(r) =jIπa2k3 sin θ

4πexp (−jkr)

(

1

jkr− 1

k2r2− 1

jk3r3

)

, (2.23)

Eφ(r) = jωµIπa2k2 sin θ

4πexp (−jkr)

(

1

jkr− 1

k2r2

)

. (2.24)

The φ component of the magnetic field and the r and θ of the electric componentare zero.

Figure 2.3 shows the geometric and physical features of the electric and magneticdipole.

X

Y

Z

θ

φ

−→

J

P

−→e r

−→e θ

−→e φ

X

Y

Z

θ

φ

−→

J

P

−→e r

−→e θ

−→e φ

Figure 2.3: The coordinate system for the magnetic and electric dipole analysis.

Several statements can be deduced from these equations:

• Both the magnetic and electric dipole have a field component in the directionof propagation along the r-axis, Er for the electric dipole, Hr for the

magnetic dipole. Besides this one, they each have an−→E - and

−→H-componentorthogonal to the direction of propagation.


• In the near-field the field equations of the electric and magnetic dipole arealike but the field components are reversed. For an electric dipole the

near-field−→E components are of importance, for the magnetic dipole the−→H components are significant. The r−3-terms are the most important inside

the area bound by kr ≪ 1. For the electric dipole, Eq. (2.19) through (2.21)simplify to:

Er(r) =

√

µ

ǫ

Iδl

2πkr3cos θ, Eθ(r) =

√

µ

ǫ

Iδl

4πkr3sin θ , (2.25)

Equations (2.22) through (2.24) on the other hand translate to:

Hr(r) =Iπa2

2πr3cos θ, Hθ(r) =

Iπa2

4πr3sin θ . (2.26)

• For the far-field kr ≫ 1 the ratio is the constant Z0 ≈ 120π which is calledthe free space wave impedance.

• All terms are linear in I, the current density.

Common PathInstead of leaving the circuit, a signal can travel through the network ofconductors from its origin to the measurement probe. Through several couplingmechanisms, which will be discussed later a signal might cause a noticeable effecton a neighboring signal and travel further away from the source. The powermeasurements performed for power analysis attacks are a perfect example of thisprinciple. Although an attacker measures the current consumption of the device,it is highly likely that other signals are traveling along the same wire to the outsideworld.

Topic 4: Transfer Mechanisms

Four transfer mechanisms of electromagnetic emission between electric circuitelements are described below.

Conduction-Common ImpedanceTwo circuits are often connected through a common conductor with a non-zeroreal impedance for low frequencies. A voltage source in the first circuit will affectthe voltage over the load in the second circuit and vice versa. At higher frequenciesthe self-impedance of the conductor is not negligible and the common impedancehas a real and imaginary part. In this case inductive or magnetic coupling effectscan become important. Through the common impedance a fast varying currentmay end up in a second circuit enclosing a larger area. The second circuit will actas an antenna and emit the information in the common signal through radiation.


Capacitive/Electric CouplingThis coupling mechanism is usually less important than the effect of the othertransfer mechanisms. Capacitive coupling takes place when electric flux from onecircuit ends up in a second circuit. This type of coupling is represented by a mutualcapacitor Cmut between two circuits. The current injected into the second circuitequals I = Cmut

dVdt , with dV

dt the voltage changes in the first circuit. Capacitivecoupling has a high pass filter characteristic and changes in voltages are the catalystof the coupling.

Inductive/Magnetic CouplingMutual inductance is caused by a coupling of the magnetic flux of the current ofa first circuit into a second circuit. Magnetic coupling is symbolically representedby a mutual inductance Mmut. The voltage coupled into the second circuit bya current into the first circuit through magnetic coupling is defined as follows:V = Mmut

dIdt , with dI

dt the current changes in circuit one. Magnetic coupling hasa high pass filter characteristic and changes in current are the catalyst of thecoupling.

Electromagnetic CouplingThe most common transfer mechanism of signals between circuits is a combinationof electrical and magnetic coupling. The symbolic representation is a combinationof Cmut and Mmut as a distributed system.

Topic 5: Time Domain versus Frequency Domain

The standard procedure in side-channel analysis is to use an oscilloscope to samplethe desired side-channel before exploitation. An oscilloscope is an electronicdevice that digitizes analog input data and plots the digitized waveform as afunction of voltage over time. The sampling frequency defines the time resolutionof the digitized result. All information in between sampling points is lost. Onthe contrary, EMC analysis focuses mainly on frequency analysis. For a digitalspectrum analyzer, the frequency resolution is again set by the time the waveformis measured. A frequency analysis of a non-stationary waveform will use thefrequency content of the complete time series to define the amplitude of a certainfrequency component, which means that all time related information is sacrificed.A very short appearance of a sine with frequency fx with a high amplitude cannot be distinguished in the frequency domain from a sine with the same frequencyfx with low amplitude over a long period of time. Obviously this informationmight be of significance for performing side-channel analysis attacks. Indeed,electromagnetic emissions are time-varying and the frequency content is changingall the time. It might be beneficial to use the information of both the timeand frequency domain. Several signal processing techniques are available for thispurpose: the short-time Fourier transform, Gabor transform [67], Cohen’s class


distribution function [49], wavelet transform [80], etc.

2.4.4 The Circuit as an Antenna

Four common approaches to exploit electromagnetic emission in order to derivesecret information are discussed below. An adversary can either make direct localmeasurements in the near-field of the chip, look for stronger carriers on whichsecret information is modulated or perform a remote power or electromagneticanalysis at a higher distance from the device. The latter two only differ in theorigin of the electromagnetic field measured.

Direct Local Radiation

Local measurements based on the direct radiation of the underlying circuitsis technically the most difficult of the four possibilities. The radiation willusually have a very small amplitude, requiring a sensitive sensor, and it is oftenoverpowered by the radiation caused by e.g. the clock tree or the bonding wires.Because of the rapid changes in the current consumption of a digital circuit,the frequency content of the signal is quite broad. It is opportune to measurethe magnetic field when the field is generated by rapid changes in the currentconsumption

Modulated Signals

Signals can become modulated on top of stronger carriers. Unlike direct localradiation, the modulated signals are still measurable at a larger distance whichputs less stress in terms of sensitivity and resolution to the sensor. A signal withbandwidth fm modulated on top of a carrier at frequency fc, should be measured

in the frequency range [fc − fm, fc + fm]. Both the electric−→E as the magnetic

−→Hcan be measured.

Remote Electromagnetic Analysis

There are two types of remote electromagnetic analysis. The first type is used whenmeasurements are taken in the near-field of the device, but a rather large probeis used. In this way, the global power consumption is measured and a magneticprobe is preferred. We will call this the local remote electromagnetic analysis.

The second type is measured in the far-field. In this case both−→E - or

−→H-fieldscan be measured. Performing the second type of measurement is easier because ofthe larger amplitude of the field and a reduced need for directive measurements.


There is a small preference for measuring the electric field above the magnetic fieldin the far-field, because of the 120π. The signal will still have a large frequencycontent.

Remote Power Analysis

Remote power analysis is the same as remote electromagnetic analysis with theonly difference that the term remote power analysis is used when instead of theradiation originating from the power consumption on the chip, the field to powerup RFID cards is analyzed. The characteristics of the field are very similar to thecharacteristics for remote electromagnetic analysis. In the case of energy transferby means of a single frequency, the required signal frequency range is again limited.

2.5 The History of Electromagnetic Analysis

As mentioned before, two research groups published independently from each otherthe first papers on electromagnetic analysis around 2001.

2001: Quisquater and Samyde [152] This paper pays attention to theextra dimensions of the information available through electromagnetic radiationmeasurements. Indeed, timing analysis information is scalar, it only containsinformation about a single variable time. Power analysis makes use of powermeasurements over time which can be visualized in a 1-dimensional space.Electromagnetic analysis on the other hand uses spatial information over time,showing a 4-dimensional character. They also point out that the frequencyspectrum of each chip differs. With the aid of a motorized table controlledby stepper engines, they were able to show 3D signatures of several chips,revealing very clearly the different building blocks. This article also lists possiblecountermeasures: reducing the electromagnetic emission, a Faraday cage, designfor low power consumption, asynchronous design, dual line logic, new architectures(e.g. a distributed parallel architecture) and chip modifications (e.g. back to backattachment of two halves of a single chip). They also introduced the terms“Simple Electromagnetic Analysis” and “Differential Electromagnetic Analysis” atthe rump session of Eurocrypt 2000.

2001: Gandolfi et al. [68] The Gemplus team published the first practicalelectromagnetic attacks on three different CMOS chips (smart card microcon-trollors) with several cryptographic algorithms and various hardware protections.Compared to their power counterparts, the electromagnetic attacks performed

THE HISTORY OF ELECTROMAGNETIC ANALYSIS 31

better. In their own words, the merit of the electromagnetic side-channel lies inthis:

Very much simplified, the chip’s global current consumption canbe looked upon as a big river concentrating the sum of the smalltributaries flowing into it. If the subcomponents’ contributions couldbe determined, then the small streams would be isolated.

They also touch on the topic of sensor specification when they discuss the tradeoff between bandwidth and frequency selectivity of their hand-made coils.

2002: Agrawal et al. [11] This article distinguishes between direct or intentionalelectromagnetic emanation caused by intentional current flows and unintentionalemanation originating from electric and electromagnetic coupling between differentcomponents in the circuit. The latter manifest themselves as amplitudemodulation or angle modulation on a carrier, e.g. the clock frequency. Also thedifference between radiated and conductive emanations is put forward. Allcategories are illustrated by experiments on smart cards. Next, they show theexistence of multiple channels/signals with different frequency characteristics ina single electromagnetic measurement. Finally some experiments present thepossibility of defeating some countermeasures against power analysis attacks withthe aid of “bad instructions”: instructions that leak more information throughelectromagnetic radiation compared to power measurements.

2003: Agrawal et al. [13, 12] At CHES 2003 Agrawal et al. introduce multi-channel attacks which combine (several) EM side-channel(s) and/or the power side-channel. They use the maximum likelihood principle to select the most profitablechannels and highlight the, at first sight counter-intuitive, choice of not combiningside-channels with the highest individual signal-to-noise ratio, but rather the oneswith low noise correlation.

2003: Agrawal et al. [9, 10] In [9], the principles of multi-channel attacks andattacks from a distance are demonstrated on a PCI-based SSL/RSA acceleratorinside an Intel-Linux server. From a distance of 12-15 m with an antennapositioned in a different room, timing information leaked from the EM side-channel.At a distance of ≈ 1.5 m several differential attacks could be mounted. Althoughmore noisy measurements were captured at an intermediate distance of 3-5 m,most attacks were still feasible.

2003: Mangard [119] Mangard showed an electromagnetic analysis attack inthe far-field from a distance of 5 meters on a smart card with a biconical antenna.


In a shielded environment only a few hundred measurements were needed, which iscomparable to the amount needed for near-field attacks. However, when repeatingthe same attack in a non-shielded environment, the number of measurement neededincreased to a few thousands and a trigger signal had to be drawn off the smartcard with a physical connections. To avoid these impracticality he suggests theusage of a superheterodyne receiver with a variable bandwidth.

2005: De Mulder et al. [34] This paper, at the same time with Carlier etal. [35], shows the first results of performing an electromagnetic analysis attack onan FPGA. The implementation under attack is an elliptic curve implementation.More information can be found in Chapter 3.

2005: Carlier et al. [35] This paper, together with [34], is one of the first to showresults on an FPGA. The FPGA used is an ALTERA Cyclone FPGA clocked at50 MHz. A square attack on AES shows the feasibility of using the electromagneticside-channel of an FPGA.

2005: Gebotys et al. [70] This paper of Gebotys shows EM analysis attacks ona real embedded system, more specifically a wireless Java-based PDA. In [70] theyintroduce a new differential attack technique established in the frequency domain,also called differential frequency analysis (DFA), in stead of the time domain.The main benefit of this approach is the ability to thwart uncorrelated temporalmisalignment. On the other hand a fast Fourier transform abolishes all timinginformation, hence data-dependent operations are not distinguishable anymore.Secondly, the longer the traces that are transformed to the frequency domain,the more likely it is that information giving rise to very short frequency peaksbecomes indiscernible. To bypass these drawbacks they introduce the usage of aspectrogram. A spectrogram is a way of representing spectral densities over time,resulting in a trade-off between the accuracy of time information and frequencyinformation. Gebotys and White elaborate on this attack in [73]. In the appendixof [70], they also introduce a split mask countermeasure for EM analysis where allS-box entries are masked randomly. Each entry is masked with a different mask.Gebotys et al. detail the countermeasure in [71].

2005: Li et al. [113] Li et al. discuss a design methodology to evaluate theelectromagnetic leakage of a smart card at design time in detail. The procedureimplies current flow simulation, extraction of chip layout parasitics followed by asimulation of the direct electromagnetic radiation or modulated emissions. Theyprove the significance of their approach through comparison of the results of theirprocedure and real measurements on a synchronous and an asynchronous processor.

THE HISTORY OF ELECTROMAGNETIC ANALYSIS 33

As expected, the synchronous processor revealed data dependent leakage while theasynchronous processor suffered from data dependent time shifts.

2005: Kuhn [109] In military environments standards and limits for emissionsecurity exist. As they are mostly kept secret, consumer products are in general nottested against the threat of information leakage through electromagnetic emissions.With this work, Kuhn aims at starting a discussion that leads towards an openstandard for emission-security tests. Although his work focuses on video displaysin his work, the underlying ideas can be extrapolated to all current carrying devicesof which the security should be guaranteed.

2006: Homma et al. [89] At CHES 2006, the authors explained a preprocessingstep for differential analysis attacks to align measurement traces with an accuracyhigher than the sampling rate. In particular for electromagnetic analysis, theproposed procedure showed remarkably better results with respect to the errorrates of the attack. They use phased based waveform matching to align temporally:one measurement is chosen as a reference, all other measurements are adjustedto this reference by 1. estimating the displacement error between the twomeasurements through analyzing the Inverse Discrete Fourier Transform (IDFT)of the cross-phase spectrum (called the phase-only correlation (POC) technique)and 2. rotating the phase of the second waveform in the frequency domain beforeconverting it back to the time domain. Afterwards a standard differential attackis performed.

2006: Oren and Shamir [140, 141] The authors describe a new attackon passive, backscatter RFID tags called a “Parasitic Backscatter Attack”.Unintentionally, these tags modulate the backscatter with the power consumptionof their internal computations. Attacks are mounted on EPC Class 1 Generation1 and 2 tags. The electromagnetic radiation captured with a directional antennashows a higher amplitude in the reflected signal whenever a tag was involvedin heaver computations because it needs to replenish itself with more energycompared to the case where less computations are performed. This phenomenonwas exploited by sending incorrect kill passwords, which allowes to find the correctone.

2007: Peeters et al. [148] A new leakage model for side-channel attacks,denoted as the “switching distance”, is introduced which is put next to the“Hamming weight” and “Hamming distance” model. Peeters et al. provethat it is feasible to discriminate between 0 to 1 and 1 to 0 transitions incertain implementations. They confirm that the electromagnetic side-channel is


particularly suited for this. This behavior is only observable if the sensor is placedaccurately above the correct spot.

2007: Gebotys and White [72, 69] To remove temporal misalignments betweenelectromagnetic traces, Gebotys et al. introduce a phase substitution techniqueas an element of the preprocessing phase of a DEMA attack. The phases ofthe measurements are all replaced with the phase of the reference measurement.Compared to Homma et al. [89], Gebotys and White claim that their techniqueis more suited for coarse misalignments. The alignment technique can cope withboth random delays and insertion of random operations.

2008: Real et al. [154] Instead of a manual search of the interesting locationsto perform near-field electromagnetic analysis attacks, Real et al. present anindicator which enables automated searching of so-called hot spots. They comparetraditional signal-to-noise indicators with indicators based on correlation analysis.In accordance to their findings, they propose the following strategy for attackingan AES implementation: 1. Take three measurements, one with plaintext M1,two with plaintext M2 on each spatial position i with the aid of a automatedmeasurement table. M1 and M2 are carefully chosen such that differences incalculation only occur in one S-box 2. Calculate the ratio of the difference of ameasurement with M1 and M2 over the difference between the two measurementsof M2 at each position i. As the measurements are done over time, the maximumvalue of the ratio or the integrated value is chose as the metric. 3. The best spatialposition is chosen based on the highest value of the metric.

2009 : Lomne et al. [115] Lomne at al. investigate in their DATE 2009 paper therobustness of dual-rail and triple-rail logic styles against power and electromagneticanalysis attacks. They come to the unmistakable conclusion that dual-rail logic ismore secure than single-rail logic and that triple-rail logic is more secure than dual-rail logic. Nevertheless, the most important concept the reader should perceivefrom this paper, is hidden in the following words:

In the author’s opinion, the quasi data independent timing behavior oftriple rail logic explains its increased resistance against EM. Indeed, si-multaneously balancing the switching current and timing theoreticallyallows to balancing the magnetic field, which is proportional to dI/dt,radiated by the whole chip. However, this block level balancing act doesnot warrant that all points of the chip radiate the same magnetic field,since the cell placement and the power/ground routing is unconstrained. . . Thus, effort must be done to properly place cells (i.e. distribute theactivity) and route the supply and ground rails . . . in order to reduceand balance the electromagnetic emissions.

CONCLUSION 35

With these sentences they again point out one of the strongest aspects ofelectromagnetic analysis. With sufficient small and accurate probes, the slightestdifference in current distribution should be detectable. From this line of argument,it follows naturally that electromagnetic analysis possesses almost all the powersof probing attacks, but is limited by the distance and the accuracy of the probes.

2009: Sauvage et al. [159] By using electromagnetic cartography of an FPGA,Sauvage et al. show a localization technique to enhance electromagnetic analysisattacks. They detail modus operandi to deal with the problem in either the time orthe frequency domain. Although the explained procedures do not reveal the exactlayout of the chip, active regions unfold themselves in the electromagnetic imageof the FPGA. At the most interesting positions they perform local electromagneticside-channel analysis attacks. In a follow up paper [158], they use the localizationmethod in the frequency domain to attack a WDDL implementation of DES onan FPGA1.

2.6 Conclusion

The principles of electromagnetic analysis are explained in this chapter. Besides aquick focus on the well-known fundamentals of side-channel analysis attacks anda short overview of the applied distinguishers, the origin and characteristics of theelectromagnetic side-channel are reviewed and classified. Although none of theinformation in the chapter is novel, the basic knowledge is provided to performa well-thought analysis and at the same time it points out the complexity of theleakage. The chapter is concluded with a description of the most important paperson electromagnetic analysis published between the first papers of Gandolfi et al.,and Quisquater and Samyde and the publication of this thesis.

1They did not pay attention to dedicated routing, rendering WDDL less effective.

Chapter 3

Electromagnetic Analysis ofElliptic Curve CryptographyImplementations

The content and text in this chapter is based on papers written in collaborationwith S. B. Ors [135, 134, 34], J. Fan and X. Guo [60].

3.1 Introduction

This chapter describes the first simple and differential power/electromagneticanalysis attacks performed on a hardware implementation of an elliptic curvecryptosystem on an FPGA. It also discusses the need of a fair comparisonbetween side-channel distinguishers and it gives a succinct overview of allknown implementation attacks on elliptic curve cryptosystems and proposedcountermeasures.

Elliptic Curve Cryptography (ECC) was proposed independently by Miller [129]and Koblitz [106] in the 80’s. Since then a considerable amount of research has beenperformed on secure and efficient ECC implementations. The benefits of ECC,when compared with classical cryptosystems such as RSA [155], include: higherspeed, lower power consumption and smaller certificates, which are especiallyuseful for wireless applications. Often mentioned drawbacks of ECC are thecomputation overhead because of the elliptic curve and that verification of the

37

38 ELECTROMAGNETIC ANALYSIS OF ELLIPTIC CURVE CRYPTOGRAPHY IMPLEMENTATIONS

of signatures is slow. Before this work, around 2004, attacks were performed onsoftware implementations or were only simulations of attacks. Note that in generala simulated attack is only as good as the accuracy of the model of the side-channelleakage and that the conclusion whether or not an implementation withstandscertain attacks should not rely on simulated attacks only.

3.2 Mathematical Background for Elliptic Curves

over GF(p)

An elliptic curve E over GF (p) is typically expressed in terms of the Weierstrassequation:

y2 = x3 + ax + b , (3.1)

where a, b ∈ GF (p) with 4a3+27b2 6= 0 ( mod p). The points on this curve togetherwith the point at infinity O form an additive Abelian group. The inverse of thepoint P = (x1, y1) is −P = (x1,−y1). The sum P + Q of the points P = (x1, y1)and Q = (x2, y2) (assume that P, Q 6= O, and P 6= ±Q) is the point R = (x3, y3)where:

x3 = λ2 − x1 − x2 , (3.2)

y3 = (x1 − x3)λ− y1 , (3.3)

λ =y2 − y1

x2 − x1. (3.4)

For P = Q, the “doubling” formulas are:

x3 = λ2 − 2x1 , (3.5)

y3 = (x1 − x3)λ− y1 , (3.6)

λ =3x2

1 + a

2y1. (3.7)

The point at infinity O plays a role analogous to that of the number 0 in anordinary addition. Thus, P +O = P and P + (−P ) = O for all points P .

The basic operation in curve based public key algorithms is the point multiplication.One point multiplication on an elliptic curve over GF (p) consists of multiple pointadditions and doublings. Each point addition or doubling is executed through asequence of operations in the underlying field GF (p), as will be shown later.

An EC point multiplication can be calculated with the left-to-right double-and-addalgorithm as shown in Algorithm 3.1, for details, see [129, 106, 26].

MATHEMATICAL BACKGROUND FOR ELLIPTIC CURVES OVER GF(P) 39

Algorithm 3.1 Left-to-right double-and-add elliptic curve point multiplication(ECPM).

Input: EC point P = (x, y), integer k, 0 < k < M , k = (1, kl−2, · · · , k0)2 andMOutput: Q = [k]P = (x′, y′)1: Q← P2: for i from l − 2 downto 03: Q← 2Q4: if ki = 1 then5: Q← Q + P6: end if7: end for8: Return Q

Because of the key-dependent conditional statement in step 4 of the algorithm,a straightforward implementation results in a vulnerability towards simple side-channel attacks and timing attacks. Algorithm 3.2 solves this problem by executinga point addition and doubling for each key bit. The algorithm is called the left-to-right always double-and-add algorithm.

Algorithm 3.2 Left-to-right always double-and-add elliptic curve pointmultiplication (ECPM).

Input: EC point P = (x, y), integer k, 0 < k < M , k = (1, kl−2, · · · , k0)2 andMOutput: Q = [k]P = (x′, y′)1: Q← P2: for i from l − 2 downto 03: Q1 ← 2Q4: Q2 ← Q1 + P5: if ki = 0 then6: Q← Q1

7: else8: Q← Q2

9: end if10: end for11: Return Q


3.3 The ECC Implementation

The ECC implementation under attack was developed by Ors et al. [142, 143].Points on the elliptic curve are represented with modified Jacobian coordinates asproposed by Cohen et al. [48]. Those ensure minimal usage of modular inversionsand faster arithmetic. Both Algorithms 3.1 and 3.2 are implemented as a sequenceof EC additions and doublings. In their turn the EC additions and doublingsconsist of series of modular multiplications and additions. Normally modularaddition can be executed much faster than modular multiplications in hardware.Therefore, if point doubling and addition have a different sequence of modularmultiplications and additions, they can be easily distinguished; the implementationis called unbalanced. An example is given in Algorithm 3.3: On the left, the ECpoint addition is given, on the right the EC point doubling is represented.

Algorithm 3.3 EC point addition and point doubling.

INPUT: P1 = (X1, Y1, 1, a)P2 = (X2, Y2, Z2, aZ4

2 )INPUT: P1 = (X1, Y1, Z1, aZ4

1 )

OUTPUT: P1 + P2 = P3

= (X3, Y3, Z3, aZ43 )

OUTPUT: 2P1 = P3

= (X3, Y3, Z3, aZ43 )

1. T1 ← Z22 1. T1 ← Y 2

1 T2 ← 2X1

2. T2 ← X1T1 2. T3 ← T 21 T2 ← 2T2

3. T1 ← T1Z2 T3 ← X2 − T2 3. T1 ← T2T1 T3 ← 2T3

4. T1 ← Y1T1 4. T2 ← X21 T3 ← 2T3

5. T4 ← T 23 T5 ← Y2 − T1 5. T4 ← Y1Z1 T3 ← 2T3

6. T2 ← T2T4 6. T5 ← T3(aZ41 ) T6 ← 2T2

7. T4 ← T4T3 T6 ← 2T2 7. T2 ← T6 + T2

8. Z3 ← Z2T3 T6 ← T4 + T6 8. T2 ← T2 + (aZ41 )

9. T3 ← T 25 9. T6 ← T 2

2 Z3 ← 2T4

10. T1 ← T1T4 X3 ← T3 − T6 10. T4 ← 2T1

11. T6 ← Z23 T2 ← T2 −X3 11. X3 ← T6 − T4

12. T3 ← T5T2 12. T1 ← T1 −X3

13. T6 ← T 26 Y3 ← T3 − T1 13. T2 ← T2T1 aZ4

3 ← 2T5

14. aZ43 ← aT6 14. Y3 ← T2 − T3

15. Return X3 15. Return X3

16. Return Y3 16. Return Y3

17. Return Z3 17. Return Z3

MEASUREMENT SETUP 41

3.4 Measurement Setup

The measurement setup consists of an FPGA board with a Xilinx Virtex 800FPGA presented in [144], a Tektronix TDS714L oscilloscope, a Tektronix CT1current probe with a bandwidth of 1 GHz, a handmade loop antenna, a functiongenerator serving as a clock generator and a power supply for the FPGA. The totalpower consumption and the electromagnetic radiation of the FPGA are measuredsimultaneously while it executes an elliptic curve point multiplication with the keyk and a point P on the curve. The FPGA is clocked at a very low frequency around300 kHz. This avoids cross-contamination in the power consumption betweendistinct clock cycles. The handmade antenna and the FPGA board are shown inFig. 3.1(a) and 3.1(b) respectively.

(a) Close up of the handmade sensor (b) The complete FPGA board

Figure 3.1: Partial measurement setup.

With this setup we performed both simple and differential side-channel analysisattacks.

3.5 Simple Electromagnetic Analysis

Figure 3.2(a) shows an unprocessed measurement of the electromagnetic radiationmeasured during the execution of a 160-bit EC point multiplication [33]. TheSEMA attack is implemented with the measurement setup described in Section 3.4.The FPGA contains an implementation of Alg. 3.1 to complete an EC pointmultiplication. The key, 11001100, is clearly visible in Fig. 3.2(a) because ofdifferent radiation patterns for an EC point addition and doubling due to theunbalanced implementation. The key-dependent conditional branch in step 4of Alg. 3.1 gives away the key. The most straightforward countermeasure to


counteract this attack is the implementation of the EC point multiplicationwith the always double-and-add algorithm as represented in Alg. 3.2. Anelectromagnetic radiation measurement of this architecture is shown in Fig. 3.2(b).In this case, the secret is not immediately deducible from one measurement onlyand more advanced techniques are needed.

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5

x 106

0

1

2

3

4

5

6

7

8

0011001

Samples

[mV

]

(a)

0 0.5 1 1.5 2 2.5

x 106

0

1

2

3

4

5

6

7

8

Samples

[mV

]

(b)

Figure 3.2: (a) Electromagnetic radiation trace of 7 steps of a 160-bit elliptic curvepoint multiplication over GF (p) with Alg. 3.1, (b) Electromagnetic radiation traceof 7 steps of a 160-bit elliptic curve point multiplication with Alg. 3.2.

Instead of exploiting the raw measurements directly to attack a vulnerableimplementation, it is possible to extract more detailed information by followingsome preprocessing steps. Taking the sample mean of several amplitudedemodulated measurements of a 160-bit elliptic curve point multiplication resultsin Fig. 3.3(a). The traces are demodulated at the clock frequency. As was thecase before, the key can be extracted from the trace through visual inspection. Aneven more detailed trace of an EC point doubling is given in Fig. 3.3(b). The 14computation steps of the point doubling in Alg. 3.3 are well-defined in the shapeof the trace. The absence of the more power consuming modular multiplicationsin steps 7, 8, 10, 11, 12 and 14 of the algorithm accounts for the apparent loweramplitude of the respective parts of the radiation trace. The sharp peaks in eachcomputation step divulge the exact position of a register update.

3.6 Differential Power and Electromagnetic AnalysisAttacks

The current consumption and the electromagnetic radiation traces mi(t) of oneEC point multiplication with the always double-and-add algorithm are shown inFig. 3.4(a) and Fig. 3.4(b).

DIFFERENTIAL POWER AND ELECTROMAGNETIC ANALYSIS ATTACKS 43

0 0.5 1 1.5 2 2.5 3 3.5 4

x 106

−50

−40

−30

−20

−10

0

10

20

30

40

0 0 0 0 0 1 1 Input/Output

Samples

[mV

]

(a) EC Point Multiplication

1 2 3 4 5 6 7 8 9 10 11

x 105

−30

−15

0

15

30

45

1 2 3 4 6 7 8 9 10 11 12 13 5 14

Samples[m

V]

(b) EC Point Doubling

Figure 3.3: (a) Sample average of demodulated electromagnetic radiation tracesof a 160-bit elliptic curve point multiplication with Alg. 3.2, (b) Sample average ofdemodulated electromagnetic radiation traces of an elliptic curve point doublingwith Alg. 3.3.

0 0.5 1 1.5 2 2.5x 10

6

−2

−1

0

1

2

3

4

5

6

7

8

9

[mA

]

Samples

(a) Power

0 0.5 1 1.5 2 2.5

x 106

0

1

2

3

4

5

6

7

8

[mV

]

Samples

(b) Electromagnetic

Figure 3.4: (a) Current consumption trace of a part of a 160-bit ECPM overGF (p) with Algorithm 3.2, (b) Electromagnetic radiation trace of a part of a160-bit ECPM over GF (p) of the same algorithm.


Because of our assumption that key bit kl−1 is always 1, the target for ourDPA/DEMA attack is the second most significant bit (MSB) of the key, kl−2, inAlg. 3.2. The two temporary point registers in the architecture, Q1 and Q2, andthe register containing the output point Q are updated in the following sequencethroughout the execution of the algorithm:

Step 1: Q← PStep 3: Q1 ← 2Q = 2PStep 4: Q2 ← Q1 + P = 3P

Step 5: Q←

Step 6: Q1 = 2P , if kl−2 = 0Step 8: Q2 = 3P , if kl−2 = 1

Step 3: Q1 ←

2Q = 4P , if kl−2 = 02Q = 6P , if kl−2 = 1

The time period of interest is visible on the current consumption trace of Fig. 3.4(a).The highest seven spikes on Fig. 3.4(a) represent the end of seven EC pointdoubling operations. Because these spikes are clearly higher and easier to measureaccurately without e.g. introducing extra quantization noise, our attack point isone of these seven spikes. The first one corresponds to the end of the first ECdoubling operation. As shown above this spike reveals the end of the secondoperation (Q1 ← 2P ), which is independent from any key bit. The third, fourthand later spikes need the knowledge of the kl−2, kl−3 etc. Our choice for themeasurement point is the second update of Q1 after the second EC point doubling(Step 3). As power consumption predictions Lk′,i, we use the Hamming distancebetween the previous value of Q1, 2P , and the new value at our target point, 4P or6P according to the value of kl−2. The same approach holds for the electromagneticradiation.

3.6.1 Pearson Correlation Analysis

We followed the common steps of a differential analysis attack. In a first step ofour attack, we have chosen N randomly distributed points Pi on the elliptic curveand one fixed, but random key, k. The FPGA executes N point multiplicationssuch that Qi = kPi for i = 1, 2, · · · , N . We have measured the power consumptionand the electromagnetic radiation of the FPGA during 2400 clock cycles aroundthe second update of Q1, denoted as mi(t). The clock frequency applied to thechip was around 300 kHz and the sampling frequency of the oscilloscope was250 MHz. The current consumption and electromagnetic radiation trace of one ofthese measurements, are shown in Fig. 3.5(a) and Fig. 3.5(b).

To reduce the amount of measurement data in every clock cycle, we have applieda pre-processing technique: we reduced the measurements points in a single


0 0.5 1 1.5 2

x 106

−3

−2

−1

0

1

2

3

4

5

6

7

Samples

[mA

]

(a) Power

0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2

x 106

0

1

2

3

4

5

6

7

Samples

[mV

]

(b) Electromagnetic

Figure 3.5: (a) Current consumption trace around the point of attack, (b)Electromagnetic radiation trace around the point of attack.

clock cycle to one by taking the maximum value of all measurement points ina clock cycle. Due to an unstable function generator, there is a significantdifference between the actual applied clock frequency in each measurement. Thereconstruction of the exact clock intervals in the time trace requires the knowledgeof the exact clock frequency. Therefore, we have calculated the discrete Fouriertransform (DFT) of each measurement. As the clock frequency can vary between250 kHz and 375 kHz, we have searched between these frequencies for the maximumvalue in the DFT trace. The result for the first measurement m1(t) for eachside-channel is shown in Fig. 3.6(a) and Fig. 3.6(b), for power consumptionand electromagnetic radiation respectively. According to these figures the clockfrequency during the first measurement is 302.8 kHz. Figure 3.6(c). Figure 3.6(d)show the first measurements for each side-channel after taking the maximum valuein every clock cycle.

The predictions Lk′,i are made with an implementation of the EC pointmultiplication with Alg. 3.2 in the C programming language. The C programcomputes N EC point multiplications with N EC points Pi and a hypothesisfor the first unknown key-bit k′l−2. During the execution of the EC pointmultiplications, the C program computes the number of bits that change from 0 to 1in some registers at the steps corresponding to the five spikes shown in Fig. 3.6(c).The number of transitions are used as the power consumption/electromagneticradiation prediction. We have predicted the 0 to 1 transitions by counting thenumber of transitions between the bits of the coordinates of Q1 and Q2; fork′l−2 = 0 we count the number of transitions between 2P and 4P and for k′l−2 = 1between 2P and 6P . The predictions correspond to the time instant in theelectromagnetic radiation trace at the third peak.


260 280 302.8 320 340 3600

2

4

6

8

10

12

14

16

18x 10

8

frequency [kHz](a) Power - frequency domain

260 280 302.8 320 340 3600

1

2

3

4

5

6x 10

7

frequency [kHz](b) Electromagnetic - frequencydomain

0 200 400 600 800 1000 1200 1400 1600 1800−1

0

1

2

3

4

5

6

7

clock cycle

[mA

] 1st 2nd

3rd

4th5th

(c) Power - time domain

0 200 400 600 800 1000 1200 1400 1600 18000

1

2

3

4

5

6

7

clock cycle

[mV

]

1st 2nd

3rd

4th5th

(d) Electromagnetic - time domain

Figure 3.6: (a) DFT of the current consumption trace of a measurement between250 kHz and 375 kHz, (b) DFT of the electromagnetic radiation trace of ameasurement between 250 kHz and 375 kHz, (c) Current consumption traceof a measurement after taking the maximum value in every clock cycle, (d)Electromagnetic radiation trace of a measurement after taking the maximum valuein every clock cycle.

0 2000 4000 6000 8000 100000

0.02

0.04

0.06

0.08

0.1

0.12

0.14

0.16

0.18

0.2

Number of measurements

Pea

rson

corr

elat

ion k

′ = 0k

′ = 1

(a) Power

0 1000 2000 3000 4000 5000 6000 7000 80000

0.05

0.1

0.15

0.2


Pea

rson

corr

elat

ion

k′ = 0

k′ = 1

(b) Electromagnetic

Figure 3.7: (a) Correlation between the current consumption measurements andthe predictions of the third spike in Fig. 3.6(c) as a function of the number ofmeasurements, (b) For the electromagnetic radiation side-channel.


It is visible from Fig. 3.7 that for both the current consumption and theelectromagnetic radiation the correlation for the prediction for the k′l−2 = 1 guessis higher than the correlation for the prediction for the k′l−2 = 0 guess. By usingthe first 3500 measurements of the power consumption the decision of kl−2 = 1can be made with a high certainty, for the electromagnetic radiation much lessmeasurements are needed: even 1000 measurements reveal the correct key.

The first and second peak in Fig. 3.6(c) and Fig. 3.6(d) are caused by the twelfthand thirteenth step of the EC point doubling algorithm. The fourth and fifth peakoccur at the end of the first and second step of the EC point addition. Because ofthe available knowledge of the implementation, we were able to make predictionsfor these time instances too. The correlation results are given in Fig. 3.8.

0 1000 2000 3000 4000 5000 6000 7000 80000

0.05

0.1

0.15

0.2

number of queries

corr

elat

ion k

′ = 0k

′ = 1

(a) First peak

0 1000 2000 3000 4000 5000 6000 7000 80000

0.05

0.1

0.15

0.2

number of queries

corr

elat

ion

k′ = 0

k′ = 1

(b) Second peak

0 1000 2000 3000 4000 5000 6000 7000 80000

0.05

0.1

0.15

0.2

number of queries

corr

elat

ion k

′ = 0k

′ = 1

(c) Fourth peak

0 1000 2000 3000 4000 5000 6000 7000 80000

0.05

0.1

0.15

0.2

number of queries

corr

elat

ion

k′ = 0

k′ = 1

(d) Fifth peak

Figure 3.8: Correlation between the electromagnetic radiation measurementsand the predictions of all spikes in Fig. 3.6(d) as a function of the number ofmeasurements.

3.6.2 Difference of Mean Test

For a computationally efficient DoM test, we reduce the amount of data to 20 datapoints around each spike. We use the same predictions as explained in Section 3.6.1


in order to split the measurements into sets. The sets are constructed based onwhether or not the prediction for each trace is less than the average number oftransitions. There are two sets for the k′l−2 = 0 guess and the k′l−2 = 1 guess. Thecurrent consumption and electromagnetic radiation bias signals for the k′l−2 = 0and k′l−2 = 1 guesses for the third spike are shown in Fig. 3.9(a) and Fig. 3.9(b).The figures show high peaks on the expected spot on the bias trace for the k′l−2 = 1guess. Hence the decision for the right key-bit is again equal to 1.

0 10 20 30 40 50 60 70 80 90 100−0.04

−0.03

−0.02

−0.01

0

0.01

0.02

0.03

0.04

0.05

Clock cycle

DoM

k′ = 0

k′ = 1

(a) Power

10 20 30 40 50 60 70 80 90 100−0.03

−0.015

0

0.015

0.03

0.045

0.06

0.075

Clock cycle

DoM

k′ = 0

k′ = 1

(b) Electromagnetic

Figure 3.9: (a) Current consumption bias signals for the third spike in Fig. 3.6(c)and the kl−2 = 0 and kl−2 = 1 guesses, (b) Electromagnetic radiation bias signalsfor the third spike in Fig. 3.6(c) and the kl−2 = 0 and kl−2 = 1 guesses.

The results for the electromagnetic radiation and the predictions of the other spikesare given in Fig. 3.10.

In order to compare the correlation analysis and DoM, we should also comparethe number of measurements needed to find the right key bit for the DoM test.Figure 3.11(a) and Fig. 3.11(b) show the change in the amplitude of all the clockcycles on the current consumption and the electromagnetic radiation bias signalsfor the k′l−2 = 1 guess. The number of measurements in this figure representsthe number of measurements in one set, hence we should multiply the number ofmeasurements seen in Fig. 3.11(a) by two in order to find the needed number ofmeasurements. As it is shown in Fig. 3.11(a), 9000 measurements are needed todistinguish the right clock cycle from the wrong ones. When we compare the resultsshown in Fig. 3.7 and Fig. 3.11(a), we could conclude that we need approximatelytwo times more measurements for the distance of mean test than for correlationanalysis. This result is based on a single experiment and does not represent asound and fair evaluation of both distinguishers. Section 3.8 will scrutinize thecomparison criteria.

The results for the electromagnetic radiation and the predictions of the other spikesare given in Fig.3.12.


10 20 30 40 50 60 70 80 90 100−0.06

−0.045

−0.03

−0.015

0

0.015

0.03

0.045

Clock cycle

DoM

k′ = 0

k′ = 1

(a) First peak

10 20 30 40 50 60 70 80 90 100−0.045

−0.03

−0.015

0

0.015

0.03

0.045

0.06

Clock cycle

DoM

k′ = 0

k′ = 1

(b) Second peak

10 20 30 40 50 60 70 80 90 100−0.06

−0.03

0

0.03

0.06

0.09

0.12

Clock cycle

DoM

k′ = 0

k′ = 1

(c) Fourth peak

10 20 30 40 50 60 70 80 90 100−0.06

−0.03

0

0.03

0.06

0.09

0.12

0.15

0.18

Clock cycle

DoM

k′ = 0

k′ = 1

(d) Fifth peak

Figure 3.10: Electromagnetic radiation bias signal for the 1st, 2nd, 4th and 5thspike in Fig. 3.6(d).

500 1000 1500 2000 2500 3000 3500 4000 4500−0.2

−0.16

−0.12

−0.08

−0.04

0

0.04

0.08

0.12

0.16

0.2

clock cycle for the 3rd spike


[mV

]

(a)

500 1000 1500 2000 2500 3000 3500 4000−0.225

−0.15

−0.075

0

0.075

0.15

0.225

clock cycle for the 3rd spike


[mV

]

(b)

Figure 3.11: (a) Current consumption bias signals for the third spike in Fig. 3.6(c)and the k′l−2 = 0 and k′l−2 = 1 guesses, (b) Change in the amplitude of the currentconsumption bias signal for the third spike in Fig. 3.6(c), the k′l−2 = 1 guess andfor all clock cycles.


500 1000 1500 2000 2500 3000 3500 4000−0.225

−0.15

−0.075

0

0.075

0.15

0.225

clock cycle for the 1st spike


[mV

]

(a) First peak

500 1000 1500 2000 2500 3000 3500 4000−0.225

−0.15

−0.075

0

0.075

0.15

0.225

clock cycle for the 2nd spike


[mV

]

(b) Second peak

500 1000 1500 2000 2500 3000 3500 4000−0.225

−0.15

−0.075

0

0.075

0.15

0.225

clock cycle for the 4th spike


[mV

]

(c) Fourth peak

500 1000 1500 2000 2500 3000 3500 4000−0.225

−0.15

−0.075

0

0.075

0.15

0.225 clock cycle for the 5th spike


[mV

]

(d) Fifth peak

Figure 3.12: Maximum value of the electromagnetic radiation bias signal forthe 1st, 2nd, 4th and 5th spike in Fig. 3.6(d) as a function of the number ofmeasurements.

3.7 Comparison of the EMA Attack with Contempo-

rary EMA Attacks on FPGAs

Carlier et al. [35] published a paper around the same time of the work mentionedin Section 3.6. They conduct electromagnetic radiation measurements on anALTERA Cyclone FPGA and use a small probe put very close to the surfaceof the FPGA. Neither the attack discussed above, nor the one published byCarlier et al. decapsulate the FPGA. The biggest difference in both attacks isthe size of the probe. While we used a fairly large probe, comparable to thedimensions of the package of the FPGA, Carlier et al. use a smaller probe. Theexact dimensions are not mentioned. While our probe measures the integralelectromagnetic radiation which is in principle highly correlated to the powerconsumption measurements, Carlier et al. have probably - this is not 100% surebecause of the absence of dimensions - more focussed measurements, at leastpartially discarding the radiation generated by the bonding wires.

More recent near-field attacks on FPGAs, e.g. Real et al. and Sauvage et al. [154,

COMPARISON OF DISTINGUISHERS 51

159], make use of a motorized XY-table and miniature probes. This has theadvantage of accurate and reproducible positioning and localized measurements,but it needs a careful investigation of the leakage. Indeed, not every positionwill give the desired result nor can every position with a potentially vulnerableleakage be attacked with the same leakage predictions. Leakage profiling and anaccurate knowledge of the circuit layout combined with a detailed knowledge ofthe implementation are very beneficial in this scenario, albeit not necessary if timeis at the attacker’s disposal.

3.8 Comparison of Distinguishers

The comparison between the DoM test and the Pearson correlation analysis shouldnot be passed over so lightly as was done in Section 3.6. Over the past years,a vast amount of distinguishers have been put forward to extract the secretinformation out of the leakage. The question “Which is the best distinguisher?”received increasingly more attention at some point but is in fact not straight-forward to answer for several reasons. One reason is the complexity of the attackscenarios. Numerous impacting parameters make it difficult to compare attackresults. Furthermore, “best” is not an objective notion. One adversary mightjudge a distinguisher solely by its ability to detect the correct key (accuracy) whileanother adversary’s criterion might be whether the correct key is among the topfive candidates (reliability). A distinguishers’ performance also varies for different(classes of) attack targets with diverse leakage behavior (robustness). Standaertet al. discuss these issues and propose a framework for the empirical comparison ofdistinguishers in [170, 171] which is put into practice on a software implementationin [169]. To show how a fair evaluation could be applied, we will give an exampleon a hardware implementation of the Data Encryption Standard (DES).

To ensure a fair evaluation and following the framework, we apply two criteria.The first-order success rate measures the probability of a distinguisher’s best guessbeing the correct key, i.e. P (k = k). The guessing entropy on the other handmeasures the position of the correct key in a list of key hypotheses ranked by adistinguisher. For the DoM test for example, the hypotheses would be listed indecreasing order of ∆k′(t).

3.8.1 DES Architecture, Measurement Setup and Measure-ments

The power consumption traces used in this experiment are made freely available inthe context of the “DPA Contest” [90]. The reference measurement set providedby the contest ensures the possibility of an objective comparison of novel and


existing attack techniques while excluding differences in measurement setups andenvironments between adversaries. In the long run this initiative aspires to be afirst step towards an international benchmarking reference.

The algorithm that has been selected for the competition is the Data EncryptionStandard (DES). The architecture is a straightforward parallel implementationwhere each round of DES is executed in a single clock cycle. The architecturecontains two registers: LR and CD. The register LR stores the plaintext andthe intermediate results of the 16 rounds of DES. Similarly, CD has the sameobjective for the key scheduling. More details about the architecture can be foundin Guilley et al. [81].

3.8.2 Attacks

We aim to attack the intermediate result after the first round of DES. For thepurpose of this evaluation, we restrict our attention to the four output bits ofS-Box 1, which allows to recover 6 out of 48 bits of the round key. A good attacktarget in the implementation is the update of the register LR, where these fourbits are stored after a permutation. We assume that the power consumption ofthe register update is related to the number of bits that flip and thus use theHamming distance as hypothetical leakage function. More precisely, we predictthe Hamming distance of the four bits stored in LR before the first round (i.e. theplaintext Pi after it passed through the initial permutation of the DES algorithm)denoted by LR0 and after the first round LR1 under the assumption of k′, thusLk′,i = HD(LR0, LR1) ∈ 0, . . . , 4.

We assume that no more than 350 measurements are required for a successfulattack. We can thus use the pool of 81000 measurements available to conduct230 independent experiments from which we compute average results. For theDoM test and the T-test we have to choose the two subsets of the partition ofwhich we compute the distance. Intuitively, the subsets for which Lk′,i equals 0and 4 respectively should yield the largest (and hence easiest to detect) distance.However, using only these two subsets means to discard the majority of themeasurements. Using the subsets for which Lk′,i is smaller/larger than 2 ensuresthe use of more measurements but yields a smaller distance to detect. Since it isunclear which choice is best we investigate both options and denote them a and brespectively.

3.8.3 Results

Figure 3.13 shows the 1st order success rates for the distinguishers DoM, T-test,V-test and Pearson’s ρ as a function of the number of measurements used for the

COMPARISON OF DISTINGUISHERS 53

attack.

50 100 150 200 250 300 3500

0.2

0.4

0.6

0.8

1

number of queries

1st

ord

er

su

cce

ss r

ate

Figure 3.13: First order success rates: DoM (dotted, option a in grey), T-test(dashed, option a in grey), V-test (dash-dotted), Pearson’s ρ (solid).

According to Fig. 3.13 both the DoM test and T-test type a show inferiorperformance. This is easy to understand if we take into account that most ofthe measurements are actually discarded in this setting. In case of a tailoredchosen plaintext attack, the distinguishers would probably move up in the ranking.Excluding DoM type a and T-test type a from the discussion, we can observe thatPearson’s ρ performs best, followed by Spearman’s ρ, the DoM type b and theT-test type b. The V-test is positioned last, which indicates that variance is thedominating characteristic of pooled power consumption samples in subsets. In thiscase, a plausible justification is the algorithmic noise. The small variance causedby the four bits that we do take into account is difficult to detect compared tothe changes in the power consumption caused by the 28 key-dependent bits thatwe do not consider. Although we would intuitively assume that T-test type b issuperior to DoM type b, they actually show equal performance. This corroboratesthe statement that, in this setting, taking the variances in the subsets in accountdoes not yield more exploitable information.

50 100 150 200 250 300 3500

10

20

30

number of queries

gu

essin

g e

ntr

op

y

Figure 3.14: Guessing entropies: DoM (dotted, a grey, b black), T-test (dashed),V-test (dash-dotted), Pearson’s ρ (solid).


Figure 3.14 shows the guessing entropies for all distinguishers. Surprisingly, theguessing entropy yields quite a different picture. The best distinguisher is theDoM type b, followed by Pearson’s ρ, Spearman’s ρ, T-test type b, V-test andDoM type a. T-test type a by far ends the enumeration. While in the picture ofthe success rate Pearson’s ρ yields the best success rates, it does not achieve thesmallest guessing entropies. This means that the distinguisher is often right, but inthe cases when it is wrong it ranks the correct key hypothesis low. We can also seea clear difference between the DoM test type b and the T-test type b. Both testsperformed similarly in the success rate comparison but with respect to guessingentropy the DoM test type b is better than the T-test type b variant. Hence, bothtests are equally good at detecting the correct key but when wrong, the T-testranks the correct key lower than the DoM test. Again, this can be attributed tothe inclusion of the variances into the test statistic. The same variances also affectthe performance of the V-test. Concerning the DoM test type a and T-test type a,we can say that for the guessing entropy the DoM test does not perform as poorlyas it did for the success rate. This means that it ranks the correct key guess ina fairly high position, but because of discarding a lot of the measurements, thisguess is rarely put at the highest position. The T-test type a suffers from the sameproblem as the T-test type b caused by the effect of the variances.

Even though only one implementation has been examined in one particular attackscenario, still three fairly general conclusions can be drawn from the study above.Firstly, a criterion independent optimal distinguisher does probably not exist.The choice of criterion, in this case the first-order success rate and the guessingentropy, influences the ranking of the different distinguishers remarkably and isan important parameter in the comparison. Secondly, the choice of attacking onlyone out of eight parallelized S-boxes results into a performance differentiation.The distinguishers that include the variance into their metric perform in generalworse than the ones that do not, which indicates that variance is the dominatingcharacteristic of the grouped measurements. Thirdly, an attacker bound by thepossibility of taking only a limited number of measurements in the random inputvector scenario benefits from including all the measurements into the sets of apartitioning distinguisher instead of aiming for a larger distance between the sets.Any other conclusion, e.g. an absolute ranking of the considered distinguishers, ismost likely particular to this implementation and attack scenario.

3.9 A Survey on Implementation Attacks on ECC

With new tampering methods and new attacks being continuously proposedand accumulated, designing a secure cryptosystem becomes increasingly difficult.While the adversary only needs to succeed in one out of many attack methods,the designers have to prevent all the applicable attacks simultaneously. Moreover,

A SURVEY ON IMPLEMENTATION ATTACKS ON ECC 55

countermeasures of one attack may surprisingly benefit another attack. As a result,keeping abreast of the most recent developments in the field of implementationattacks and with the corresponding countermeasures is a never ending task.

In this section a systematic overview of implementation attacks and countermea-sures on Elliptic Curve Cryptography (ECC) is provided. However, there is nointention to propose new attacks or new countermeasures. Instead, several generalprinciples for countermeasure selection are described. The survey can be used asa tool for selecting countermeasures in a first design iteration.

This survey has been influenced by Avanzi’s report [18] and the books by Blakeet al. [25] and Avanzi et al. [47]. All of them give an excellent overview of side-channel attacks on ECC and HECC up to their point of publication. This survey,however, differs from previous work in at least three aspects. Firstly, it includesrecently reported attacks such as the carry-based attack of Fouque et al. [64].Secondly, focus is put on the interaction of known attacks and countermeasuresin a systematic way. Thirdly, this survey proposes some guidelines for selectingcountermeasures. We would like to emphasize that, just as what was stressed inprevious reports [18, 25, 47], perfect (fully secure and low-cost) countermeasuresdo not exist up to now.

Throughout this section the following notation is used:

• K: a finite field;

• char(K): the characteristic of K;

• E(a1, a2, a3, a4, a6) : an elliptic curve with coefficients a1, a2, a3, a4, a6: E :y2 + a1xy + a3y = x3 + a2x2 + a4x + a6;

• P (x, y): a point with coordinates (x, y);

• O: point at infinity;

• E(K) : a group formed by the points on an elliptic curve E defined over thefinite field K;

• #E: the number of points on the curve E, i.e. the order of the curve E;

• weak curve: a curve whose order does not have big prime divisors;

• the order of point P : the smallest integer r such that rP = O;

• coordinate system: a system to represent a point in an n-dimensional space;

• affine coordinates: a point is represented with a two-tuple of numbers (x, y);

• projective coordinates: a point (x, y) is represented as (X, Y, Z), where x =X/Z, y = Y/Z;


• Jacobian projective coordinates: a point (x, y) is represented as (X, Y, Z),where x = X/Z2, y = Y/Z3.

Cryptographic transformations can be implemented in both software and hardware.While software implementations, running on general purpose microprocessors, areflexible and can easily be updated, hardware implementations, either on FPGAsor ASICs, can achieve higher performance.

Figure 3.15 shows the architecture of an ECC processor. Note that each componenthere may refer to different types of realizations. For example, the Arithmetic LogicUnit (ALU) can be a standard ALU of a general purpose processor or a dedicatedfield multiplier. The temporary storage can be a RAM or a register file. A non-volatile memory, e.g. flash ROM, is normally used to store curve parameters.

An elliptic curve scalar multiplication, ECSM, process starts with loading certainconfigurations (the definition of the curve, the underlying field, the coordinatesystem, the base point P ) and the scalar k. While the base point P can be readeither from the ROM or from outside, the scalar k is normally stored or generatedinside the chip and should be protected. The output point, Q = kP , is notcompletely visible from outside. For example, the ElGamal decryption algorithmonly returns the x-coordinate of Q.

In practice, the execution of ECSM leaks information of k in many ways.Figure 3.15 also shows various side-channel attacks on ECSM. The diversity ofattacks are grouped into passive and active attacks.

An important criterion to judge the relevance of a specific side-channel attack withrespect to the chosen ECC protocol is how many executions with the same key arerequired to reveal the complete key stream. In Fig. 3.15, each attack is tagged witheither a SE (Single Execution) or ME (Multiple Executions). Another importantcriterion is that some attacks, such as the doubling attack and refined poweranalysis, require the freedom of choosing the base point while some do not. Thebase point can be fixed, hardcoded, or stored internally in some implementations,which makes attacks with this requirement significantly harder to mount.

An adversary has a wide range of choice in attack strategies.

3.9.1 Passive Attacks

Timing Attacks and Simple Side-Channel Analysis

Timing attacks exploit the timing variance with different inputs [107]. Carelessimplementations contain a vast number of sources of timing leakage. Forexample, timing variations can be caused by RAM cache or conditional branches.


Passive attacks

Countermeasures

Record SC traces

Timing Analysis

ME

Double-and-add-always

Montgomery powering ladder

Indistinguishable PA and PD

Simple power analysisSimple EM analysis

SE

Double-and-add-always


Indistinguishable PA and PD

Window method

Differential power analysisDifferential EM ME

Random scalar

Base point blinding

Random projective coordinates

Random scalar splitting

Random field representation

Refined power analysisZero-value ME,CI

Random scalar

Base point blinding

Comparative SCA

ME,CI

Random scalar +

base point blinding

Elliptic CurveScalar Multiplication

Input: P(x,y)

Output: Q = k.P(x,y)

Load Configuration T, scalar k

T = E, F, C, P

E = a1, a2, a3, a4, a6

F =Field representation

C =Coordinate system

P =Base point

k = 1, kl−2, . . . , k0

Scalar Multiplication

R [0]← P, R [1]← 2P

for i = l− 2 downto 0

R [¬ki]← R [0] + R [1]

R [ki]← R [ki]

end for

Return R [0]

Active attacks

Countermeasures

Fault induction

M safe-error analysis

ME

Unified memory access pattern

C safe-error analysis

ME


Eliminate dummy operations

Invalid point analysis

ME

Point validity check at IO

Invalid curve analysis

ME

Curve integrity check

Twist-curve based analysis

ME

Use Montgomery with Y

Use twist-strong curves

Differential fault analysis

ME

Point coherence check

Repeated point validity check

Sign-change fault analysis

ME

Point coherence check

Using a combined curve

IO

FSM

ALU

ROM

Temp.

Storage

Figure 3.15: Elliptic curve processor architecture and related physical attacks. (SE= Single Execution, ME = Multiple Executions, CI = Chosen Input)


Although no papers have been published about a practical timing attack onECC, many papers do mention the threat and provide the reader with suitablecountermeasures.

Cryptographic implementations are vulnerable to simple power analysis attacks ifthe power traces show distinctive key-dependent patterns [108]. As shown earlier,the double-and-add algorithm for a point multiplication is vulnerable to this typeof attack. The value of a key bit can be revealed if the adversary can tell thedifference between point doubling and point addition from a power trace.

The double-and-add-always algorithm, introduced in Coron [51], ensures that thesequence of operations to compute a scalar multiplication is independent of thevalue of the secret scalar through insertion of dummy point additions. Another wayto prevent simple SCA is making point addition and doubling indistinguishable.For example, dummy operations can be added at the field arithmetic level. Thishas the advantage of less overhead. On the other hand, the Hamming weight ofthe secret scalar might still leak.

Instead of making the group operations indistinguishable, one can rewrite themas sequences of side-channel atomic blocks that are indistinguishable for simpleSCAs [39]. Implementations based on the Montgomery ladder [130, 101, 116],shown as Alg. 3.4, are protected against timing attacks and simple SCA since theexecution time of the scalar multiplication is inherently unrelated to the Hammingweight of the secret scalar.

Algorithm 3.4 Montgomery powering ladder [130].

Input: P ∈ E(F) and integer k =∑l−1

i=0 ki2i.

Output: Q = [k]P1: Q0 ← P , Q1 ← 2P2: for i = l − 2 downto 03: Q¬ki

← Q0 + Q1, Qki← 2Qki

4: end for5: Return Q0.

The last type of countermeasures is the usage of unified formulae for point doublingand addition, introduced by Brier and Joye [31]. Unified point addition formulaeuse a single formula to calculate both the doubling and the addition, resulting ina single sequence of operations for both.

Template Attacks

A template attack, published by Chari, Rao and Rohatgi [38], requires accessto a fully controllable device, and proceeds in two phases. In the first phase,the profiling phase, the attacker constructs a precise model of the wanted signal


source, including a characterization of the noise. The second phase comprises theactual attack. So far not much research has been done on template attacks forpublic key algorithms. Medwed and Oswald [126] showed the feasibility of thistype of attacks on an implementation of the ECSDA algorithm. In Herbst andMedwed [87] a template attack on a masked Montgomery ladder implementationis presented. Template attacks, if feasible, are a major threat. Neither the double-and-add-always algorithm, nor blinding the scalar or base point resist templateattacks. In fact, only randomizing the coordinates provides protection.

Differential Side-Channel Analysis

Differential attacks are elaborated upon in Section 3.6. A straightforwardcountermeasure against differential SCA is randomizing the intermediate data,thereby rendering the calculation of the hypothetical leakage values ratherimpossible. Coron [51] suggested three countermeasures to protect againstdifferential SCA attacks:

1. Blinding the private scalar by adding a multiple of #E. For any randomnumber r and k′ = k + r#E, we have k′P = kP since (r#E)P = O.

2. Blinding the point P , such that kP becomes k(P + R). The known valueS = kR is subtracted at the end of the computation.

3. Randomizing the homogeneous projective coordinates (X, Y, Z) with arandom λ 6= 0 to (λX, λY, λZ). The random variable λ can be updatedin every execution or after each doubling or addition.

Very similar, Joye and Tymen [100] suggested to make use of an elliptic curveisomorphism of the fixed curve or of an isomorphic representation of the field.Ciet and Joye [44] also suggested several similar randomization methods.

1. Random key splitting: k = k1 +k2 or k = ⌊k/r⌋r+(k mod r) for a randomr.

2. Randomized EC isomorphism.

3. Randomized field isomorphism. We refer to the corresponding paper for adetailed explanation [100].

Coron’s first two defense strategies were scrutinized by Okeya and Sakurai in [139]and judged weak if implemented as presented. The latter three countermeasuresare broken by a refined power analysis attack (RPA) in Goubin [76].


Comparative Side-Channel Attacks

Comparative SCA resides between a simple SCA and a differential SCA. Twoportions of the same or different leakage trace are compared to discover the reuseof values. The umbrella term was introduced in [88], but the first reported attackbelonging to this category is the doubling attack. The doubling attack by Fouqueand Valette [66] on ECC is an attack with chosen inputs and has been shownpowerful to attack some classic SPA-protected algorithms such as left-to-right(downward) double-and-add-always algorithm. The attacker does not need to knowwhether a computation being performed is a point doubling or addition. Moreprecisely, for two point doublings (2 × t1)P and (2 × t2)P , even if the attackercannot tell the exact values of t1 or t2, the attacker can still detect if t1 = t2.

To preclude this attack, blinding techniques can be effective. Care has to be takenhowever that neither blinding the base point or the scalar is applied solely. Thishas been proven insecure [66]. Combined use strengthens the security.

Refined Power Analysis

A refined side-channel analysis attack (RPA is short for Refined Power Analysis)directs its attention to the existence of a point P on the elliptic curve E(K)such that one of the coordinates is 0 in K and P 6= O. Randomized projectivecoordinates, randomized EC isomorphisms and randomized field isomorphismspreserve this specific property of the point P . Feeding to a device a point P thatleads to a special point R(0, y) (or R(x, 0)) at step i under the assumption of somespecific key bits will generate exploitable side-channel leakage [76, 114].

The attack can be precluded by using either a cofactor variant of a protocol forpoints of ”small order” or by using isogenous curves for points of ”large order”.The zero-value point attack (ZPA) generalizes this attack [14]: zero value pointsin intermediate results are also considered.

Carry-based Attack

The carry-based attack, reported by Fouque et al. [64], does not attack the scalarmultiplication itself but its countermeasures.

It relies on the carry propagation occurring when long-integer additions areperformed as repeated sub-word additions. For instance, on an 8-bit processor,Coron’s first countermeasure, k′ = k + r′ where r′ = r#E, is normally performedwith repeated 8-bit additions. Let ki and r′i denote the ith sub-word of k andr′, respectively. Note that ki is fixed and r′i is random in different executions.The crucial observation here is that, when adding ki with r′i, the probability of


the carry out c = 1 depends solely on the value of ki (the carry-in has negligibleimpact [64]). The adversary can then monitor the outgoing carry bit of the adderto estimate the probability of c = 1. With this probability, the value of ki can beguessed with high confidence.

So far, no countermeasures have been proposed to preclude this attack.

Electromagnetic Analysis Attacks

Most simple/differential analysis attacks and countermeasures summed up sofar are based on power consumption leakage. Most often, electromagneticradiation is considered as an extension of the power consumption leakage and theattacks/countermeasures are applied without change [133]. While this approachmakes sense in most cases, electromagnetic radiation measurements can be madelocally [64] and as such circumvent some countermeasures. Specifically craftedattacks or countermeasures for electromagnetic analysis have not been published.

3.9.2 Fault Attacks and Countermeasures

Besides passive side-channel analysis, adversaries can actively disturb the crypto-graphic devices and use the erroneous output (or not even the output, but thereaction of the disturbed device) to derive the secret. In order to do so, theadversary needs to induce faults on the victim device. Various methods can beused, such as changing one or more memory bits with a laser or violating setuptime with glitches in the clock or power. The difficulty in inducing a fault dependson its precision, both in time as well as in location. Random faults change anoperation or a variable at some point during the execution of a cryptographicalgorithm. Precise faults change a specific bit of a specific variable at a specificinstance during the execution. Clearly, random faults are easier to introduce, andthey are less costly, than precise faults.

In the following subsections, we focus on fault attacks and countermeasures onECSM. General tampering techniques and tamper-resistance methods will bebriefly mentioned.

We divide fault attacks on ECC into three categories, namely, safe-error basedanalysis, weak-curve based analysis and differential fault analysis. Safe-errorattacks are based on the observation that some errors will not change the results.Weak curve attacks try to move a scalar multiplication from a strong curve to acryptographically weak curve. The differential fault attacks analyzes the differencebetween the correct output and erroneous output to retrieve the scalar bit-by-bit.


Safe-error Analysis (M-type and C-type)

The concept of safe-error was introduced by Yen and Joye in [187, 101]. Two typesof safe-error are reported: C safe-error and M safe-error. What makes safe-erroranalysis special is that the adversary is not interested in the erroneous results, butsimply whether the output is affected or not.

C safe-errorThe C safe-error uses dummy operations that are introduced to achieve SPAresistance. Taking the add-and-double-always algorithms as an example, thedummy addition in step 4 makes safe-error possible. The adversary can inducetemporary faults in the ALU or memory during the dummy point addition. Notethat a point addition consists of several modular multiplications and additions,which makes it relatively easy to insert faults in this period. If the key-bit, ki, is1, then the final results will be faulty. Otherwise, the final results are not affected.The adversary can thus discover one key-bit in one execution.

In order to thwart C safe-error analysis, dummy operations should be avoided. Forexample, instead of the double-and-add-always algorithm, Montgomery’s poweringladder should be used. If for certain reasons dummy operations cannot be avoided,the key stream should be represented randomly in each point multiplication.

M safe-errorWhile the C safe-error attack explores the weakness of an algorithm, the M safe-error attack explores the possible safe-error in an implementation. The attack wasfirst proposed by Yen and Joye [187] to attack RSA. However, it also applies toECSM.

The basic observation of an M safe-error is that faults in some memory blocks willbe cleared. Consider Alg. 3.4 as an example. We assume that a fault is inducedto y of Q1 right after the calculation of λ during the point doubling in step 3. Ifki = 1, then the faults on y will be cleared. Otherwise, it propagates to the end ofthe ECSM. By simply checking whether the result is affected or not, the adversarycan reveal ki.

Joye and Yen [101] proposed a method to prevent this attack. The idea is toeliminate the possibility of inserting safe-errors. Using the modified Montgomerypowering ladder [101], any fault in Q1 or Q2 will be detected regardless of thevalue of ki.

Weak Curve Based Analysis

In 2000, Biehl et al. [24] described a new type of fault attack on elliptic curve scalarmultiplication. They observed that a6 was not used in a point multiplication. Animplementation of this algorithm for curve E : y2+a1xy+a3y = x3+a2x2+a4x+a6


generates correct results for any curve E′ that differs from E only in a6:

E′ : y2 + a1xy + a3y = x3 + a2x2 + a4x + a′6 . (3.8)

Thus, the adversary can cheat an ECC processor with a point P ′ ∈ E′(F) whereE′ is a cryptographically weak curve, simply stated , this means that the ellipticcurve discrete logarithm problem is easier to solve.

If an ECC processor does not check whether the base point, P , is a valid point onthe specified curve E, the adversary can then choose a point P ′ ∈ E′(K) and getthe result of the scalar multiplication, Q′ = kP ′. The adversary can then solvethe DLP in a subgroup of order rP ′ (the order of P ′) to retrieve kr = k mod rP ′ .This process can be repeated to generate kr for different r. At the end, theChinese Remainder Theorem can be used to retrieve k. This attack also shows usthat not all the fault-based attacks require expensive equipments or sophisticatedtampering techniques, and that a naive implementation can be broken with almostnegligible cost.

The method of moving a scalar multiplication from a strong curve E to a weakcurve E′ was then extended. With the help of faults, the adversary makes use ofinvalid points [24], invalid curves [45] and twist curves [65] to hit a weak curve.These methods are described below.

Invalid Point Attacks

The idea of the invalid point attack is to let the scalar multiplication start with apoint P ′ on a weak curve.

If the ECSM is performed without checking the validity of the base point, thenno faults need to be induced. If the ECC processor checks the validity of the basepoint, the adversary will try to change the point P right after the point validitycheck. Note that this attack requires fault induction at a specific time, which ismuch more difficult than the one described above.

For some applications such as EC ElGamal or ECDSA, the y-coordinate isnot present on the output. In this case, the adversary needs to derive E′,P ′(x′1, y1),Q′(x′2, y2) from E, P (x1, y1), x′2. Though it looks difficult, theadversary still has a non-negligible probability to succeed. Readers who areinterested can find the complete method in [24].

A possible countermeasure, as suggested in [24, 45], is Point Validation (PV) beforeand after scalar multiplication. PV checks if a point lies on an elliptic curve ornot. If the base point or result does not belong to the original curve, no outputshould be given. Note that in the case that the PV fails after the ECSM hasbeen executed, an attacker can still use a side-channel measurement to extractinformation.


Invalid Curve Attacks

Ciet and Joye [45] refined the attack in [24] by loosening the requirements onfault injection. They show that any unknown faults, including permanent faultsin non-volatile memory or transient faults caused on the bus, in any curveparameters, including field representation and curve parameters a1, a2, a3, a4, maycause information leakage on the scalar k.

Ciet and Joye suggested using error checking codes to ensure the integrity of curveparameters before the scalar multiplication.

Twist Curve Based Fault Analysis

In 2008, Fouque et al. [65] discovered a new way to hit a possibly weak curve, thequadratic twist curve. They observed that a point multiplication routine for somecurve E, without using the y-coordinate, gives correct results for ECSM on itstwist curve E. They also noticed that the twist curves of many cryptographicallystrong curves are cryptographically weak (see [65] for details). Equation (3.9)defines the twist curve of E, where ε is a quadratic non-residue in Fp.

E : (ε)y2 = x3 + ax + b . (3.9)

For elliptic curves defined over Fp, a random x ∈ Fp corresponds to a point oneither E or its twist. Since the order of E and E are close, the probability isapproximately 0.5 that a random abscissa corresponds to a point on E or E. Asa result, the adversary has a probability of one half to hit a point on E with arandom fault on x-coordinate of P on E.

There are three possible methods to preclude this attack. The first one is torepeat the point validity check during the scalar multiplication. The second one isto use the y-coordinate all the time. Both methods have some overhead in termsof computation time and storage. The third one is to choose twist-secure curves,namely, curves whose twist curve are also cryptographically strong.

Differential Fault Analysis

The Differential Fault Attack (DFA) uses the difference between the correct resultsand the faulty results to deduce certain bits of the scalar.

Biehl-Meyer-Muller DFABiehl et al. [24] reported the first DFA on an ECSM. We use a right-to-leftmultiplication algorithm to describe this attack.


Algorithm 3.5 Right-To-Left (upwards) binary method for point multiplication.

Input: P ∈ E(F) and integer k =∑l−1

i=0 ki2i.

Output: [k]P1: R← P , Q← O2: for i = 0 to l − 13: if ki = 1 then4: Q← Q + R5: end if6: R← 2R7: end for8: Return R

Let Qi and Ri denote the value of Q and R at the end of the ith iteration,respectively. Let ki = k div 2i. Let Q′i be the value of Q if faults have beeninduced. The attack reveals k from the Most Significant Bits (MSB) to the LeastSignificant Bits (LSB).

1. Run ECSM once and collect the correct result (Qn).

2. Run the ECSM again and induce an one-bit flip on Qi, where l−m ≤ i < l.We assume that m is small.

3. Note that Qn=Qi+(ki2i)P and Q′n=Q′i+(ki2

i)P . The adversary then triesall possible ki ∈ 0, 1, .., 2m − 1 to generate Qi and Q′i. The correct valueof ki will result in a Qi,Q

′i that have only one-bit difference.

The attack works for the left-to-right multiplication algorithm as well. It alsoapplies if k is encoded with any other deterministic codes such as Non-Adjacent-Form (NAF) and w-NAF. It is also claimed that a fault induced at randommoments during an ECSM is sufficient [24].

To preclude this attack, the validity of the intermediate results (Qi and Ri inAlg. 3.5) should be regularly checked. Another possible countermeasure is torandomize the scalar k such that the adversary can does not gain more bits of kin repeated executions.

Sign Change Fault Analysis

In 2006, Blomer et al. [27] proposed the sign change fault (SCF) attack. It attacksimplementations where the scalar is encoded in the Non-Adjacent Form (NAF).When using curves defined over a prime field, the sign change of a point impliesonly a sign change of its y-coordinate. The SCF attack does not force the ellipticcurve operations to leave the original group E(Fp), thus P is always a valid point.


A straightforward countermeasure against a SCF attack is to use the Montgomeryladder algorithm that does not use the y-coordinate for computing ECSM (e.g.Montgomery Scalar Multiplication with Lopez-Dahab coordinates [116]). Anothercountermeasure presented by Blomer et al. [27] uses a second elliptic curve whoseorder is a small prime number to verify the final results.

3.9.3 Selection of Countermeasures

One can not simply integrate all the countermeasures discussed above to precludeall attacks. The reasons for this are manifold. The complexity and extra overheadadded by countermeasures can significantly increase the design and manufacturingcost. Another important reason is that a countermeasure against one attack maybenefit another one. Thus, countermeasures should be carefully selected such thatthey do not add extra vulnerabilities. In this section, we discuss the relationshipbetween known attacks and countermeasures.

Countermeasures versus Attacks

Table 3.1 summarizes the most important attacks and their countermeasures. Thedifferent attacks, grouped into passive attacks and active attacks are listed column-wise, while each row represents one specific countermeasure. Let Aj and Ci denotethe attack in the jth column and countermeasure in the ith row, respectively. Thegrid (i, j), the cross of the ith row and the jth column, shows the relation betweenAj and Ci.

•√

: Ci is an effective countermeasure against Aj .

• ×: Ci is attacked by Aj .

• H: Ci helps Aj .

• ?: Ci might be an effective countermeasure against Aj , but the relationbetween Ci and Aj is unclear or unpublished.

• –: Ci and Aj are irrelevant (Ci is not effective against Aj).

It is important to make a difference between × and –. Here × means Ci is attackedby Aj , where – means that the use of Ci does not affect the effort or result of Aj atall. For example, scalar randomization using a 20-bit random number is attackedby a doubling attack, so we put a × at their cross. The Montgomery poweringladder is designed to preclude SPA, and it does not make a DPA attack harder oreasier, so we put a – there.


Below we discuss each countermeasure and its relation with the listed attacks.

Indistinguishable Point Addition Formulae. Indistinguishable groupoperations render a simple SCA impossible, but only if the underlying fieldarithmetic is implemented securely. This is discussed in [182, 172, 23]. Thismethod does not counteract differential SCA and RPA/ZPA [97].

Double-and-add-always. The double-and-add-always algorithm is the mainrepresentative of the countermeasures that use dummy instructions or operationsto withstand simple side-channel attacks.

The algorithm fails against doubling attacks. It does not remove vulnerabilities todifferential SCA attacks. It also makes the C safe-error fault attack possible.

Montgomery Powering Ladder. The Montgomery powering ladder isan algorithm level countermeasure running in fixed time without redundantoperations, hence it is SCA resistant. It avoids the usage of dummy instructionsand also resists the normal doubling attack. However, it is attacked by the relativedoubling attack proposed by Yen et al. [188]. This attack can reveal the relationbetween two adjacent secret scalar bits, thereby seriously decreasing the numberof key candidates.

With the Montgomery powering ladder, the y-coordinate is not necessary duringthe scalar multiplication, which prevents sign-change attacks. However, for curvesthat have weak twist curves, using the Montgomery powering ladder without they-coordinate is vulnerable to twist curve attacks.

Random Scalar Split. This countermeasure can resist DPA/DEMA attackssince it has a random scalar for each execution. In [66], the authors have alreadyanalyzed the effectiveness of Coron’s first countermeasure against the doublingattack. If we assume that the scalar k is randomly split into two full length scalars,the search space is extended to 281 for a 163-bit k (the birthday paradox applieshere). This is enough to resist the doubling attack. It can also help to precludeRPA/ZPA if it is used together with base point randomization [76, 14, 83].

However, this countermeasure is vulnerable to a carry-based attack if the key issplit as follows: choosing a random number r < #E, and k1 = r, k2 = k − r.

Scalar Randomization. With respect to the resistance against passive SCA,the above analysis of the random scalar split countermeasure against DPA/DEMAand RPA/ZPA also applies here. However, as mentioned in [66] the 20-bit randomvalue for blinding the scalar k is not enough to resist the doubling attack.

Like random scalar split, it renders the safe-error and sign-change attacks moredifficult. On the other hand, it is shown in [64] that the key randomization process,namely, k′ = k + r#E, leaks the scalar under the carry-based attack.


Tab

le3.

1:A

ttac

ks

vers

us

Cou

nte

rmea

sure

s.P

assiv

eA

tta

ck

sA

ctiv

eA

tta

ck

s

Sa

fe-E

rro

rW

ea

kC

urv

eD

iffe

re

ntia

l

TA

SPA/SEMA

TemplateAttack

DPA/DEMA

ComparativeSCA

RPA/ZPA

Carry-basedAttack

MSafe-Error

CSafe-Error

InvalidPoint

InvalidCurve

TwistCurve

SignChange

Differential

Ind

istin

gu

ish

ab

leP

oin

tA

dd

itio

nF

orm

ula

e[3

1]

√√

––

?–

––

––

––

––

Do

ub

le-a

nd

-ad

d-a

lwa

ys

[51

]√

√–

–×

[66

]–

––

×H

[18

7]

––

––

–

Mo

ntg

om

ery

Po

we

rin

gL

ad

de

r⊢

[10

1]

√√

––

×[1

88

]×

[14

]–

√√

––

H[6

5]

√–

Mo

ntg

om

ery

Po

we

rin

gL

ad

de

r⊣

[10

1]

√√

––

×[1

88

]×

[14

]–

√√

––

√–

–

Ra

nd

om

sc

ala

rsp

lit

[44

]–

–?

√?

√×

–?

––

√?

?

Sc

ala

rra

nd

om

iza

tio

n[5

1]

––

×[1

26

]×

[13

9]

×[6

6]

√×

[64

]–

?–

––

??

Ba

se

po

int

bli

nd

ing

[51

]–

–×

[12

6]

×[1

39

]×

[66

]√

––

–?

––

–?

Ra

nd

om

Pro

jec

tiv

eC

oo

rd

ina

te

s[5

1]

––

√√

?×

[76

]–

––

––

––

?

Ra

nd

om

ize

dE

CIs

om

orp

his

ms

[44

]–

–?

√?

×[7

6]

––

––

––

–?

Ra

nd

om

ize

dF

ield

Iso

mo

rp

his

ms

[44

]–

–?

√?

×[7

6]

––

––

––

–?

Po

int

va

lid

ity

ch

ec

k[2

4]

––

––

––

––

H√

?√

×H

[27

]√

Cu

rv

ein

te

grit

yc

he

ck

[45

]–

––

––

––

––

?√

––

–

Co

he

re

nc

ec

he

ck

[56

]–

––

––

––

–H

–?

–√

√

Le

tA

ja

nd

Ci

de

no

te

th

ea

tta

ck

inth

ej

th

co

lum

na

nd

co

un

te

rm

ea

su

re

inth

eit

hro

w,

re

sp

ec

tiv

ely

.

•√

:C

iis

an

eff

ec

tiv

ec

ou

nte

rm

ea

su

re

ag

ain

st

Aj

.

•×

:C

iis

atta

ck

ed

by

Aj

.

•H

:C

ih

elp

sA

j.

•?

:C

im

igh

tb

ea

ne

ffe

ctiv

ec

ou

nte

rm

ea

su

re

ag

ain

st

Aj

,b

ut

th

ere

latio

nb

etw

ee

nC

ia

nd

Aj

isu

nc

lea

ro

ru

np

ub

lish

ed

.

•–

:C

ia

nd

Aj

are

irre

lev

an

t(C

iis

no

te

ffe

ctiv

ea

ga

inst

Aj

).

⊣:

usin

gy

-co

ord

ina

te

⊢:

wit

ho

ut

usin

gy

-co

ord

ina

te


Base Point Blinding. For an ECSM, the scalar randomization and base pointblinding are based on the same idea of randomizing one component of the pointmultiplication. Therefore, their effectiveness against various passive attacks issimilar. It can resist DPA/DEMA as explained in [51]. In [66], the authorsconclude that this countermeasure is still vulnerable to the doubling attack sincethe point which blinds P is also doubled at each execution. This countermeasuremakes RPA/ZPA more difficult since it can break the assumption that the attackercan freely choose the base point (the base point is blinded).

This countermeasure might make the weak-curve based attacks more difficult sincethe attacker does not know the masking point R. In an attack based on an invalidpoint, the adversary needs to find out the faulty points P ′ and Q′ = kP ′. With thepoint blinding, it seams to be more difficult to reveal either P ′ or Q′. However, inthe case of an invalid curve attack, base point blinding does not make a difference.

Random projective coordinates. This countermeasure is effective againstdifferential SCA. It fails to resist the RPA as zero is not effectively randomized.Combination with a simple SCA countermeasure is essential. Note that also thosecoordinates can leak if uncarefully implemented [136].

Point validity check. This countermeasure checks if a certain point is on theauthentic curve or not. It is an effective countermeasure against invalid pointattacks. If the y-coordinate is used, it is also effective against a twist-curve attack.However, it is not effective against invalid curve attacks, sign-change attacks andC safe-error attacks.

Curve integrity check. The curve integrity check intends to detect faultinjections on curve parameters. Before starting an ECSM the curve parameterswill be read from the non-volatile memory (possibly on the data bus), whichare vulnerable to permanent or transient faults. So, the integrity of the curveparameters (including the base point) needs to be verified using a CRC (cyclicredundancy check) code before an ECSM execution.

Coherence check. A coherence check verifies the intermediate or final resultswith respect to a valid pattern. If an ECSM uses the Montgomery powering ladder,we can use the fact that the difference between R[0] and R[1] is always P . Thiscan be used to detect faults during an ECSM [56].

Selecting Countermeasures

After analyzing the existing attacks and countermeasures, the natural questionarises whether there exists a set of countermeasures that resists all the existingpassive and active attacks. While unified countermeasures to tackle both thepassive and active attacks are attractive, they are very likely weaker than whatis expected. Baek and Vasyltsov extended Shamir’s trick, which was proposed


for RSA-CRT, to secure ECC from DPA and FA [20]. However, Joye showedin [98] that a non-negligible portion of faults was undetected using the unifiedcountermeasure and settings in [20]. In this section, we describe several principlesto choose countermeasures.

Complete: A complete picture of attacks and countermeasures is the perfect baseto select countermeasures. As we pointed out above, an adversary needs to succeedin only one out of many possible attack methods to win. Keeping a summary ofup-to-date attacks and countermeasures is important for cryptosystem designers.

Specific: Whenever selecting countermeasures for a cryptosystem, a detaileddescription of the cryptosystem should be explicitly defined. A set of counter-measures that can preclude all known attacks is neither easy to find nor efficientin terms of area and performance. Within restricted boundaries, countermeasureselection is much easier and more efficient. For example, RPA and comparativeSCA assume that the attacker can choose the base point freely. If an ECC processoris targeting an application where the base point is fixed, then an RPA and doublingattack do not apply.

Additive: The selected countermeasures should be additive. Suppose that wechoose countermeasures from Table 3.1, we could proceed in two steps.

The first step is a column-wise selection. We inspect each column and select acountermeasure that suffices to preclude the attack in this column. If we havechosen two countermeasures, Ca and Cb, and their relation with Aj is as follows:(a, j) =

√, (b, j) = ×. In this case, we need to study whether Ca covers Cb or not.

H in the table should be avoided whenever possible. If eventually we can not getrid of all the H, extra countermeasures should be added to cover it.

The second step is to check if the selected countermeasures are additive. Usingmultiple countermeasures simultaneously might introduce new vulnerabilities.Thus, we need to evaluate the selected countermeasures as a new countermeasure.

3.10 Conclusion

In this chapter we demonstrated a simple analysis attack on a 160-bit elliptic curvecryptographic system over GF (p) implemented on an FPGA where we made use ofdemodulation techniques to gain more detailed information. We have also showna general differential electromagnetic analysis attack on a 160-bit elliptic curvecryptographic system over GF (p) on an FPGA where the EC multiplication wascomputed with the always-double-and-add algorithm to withstand simple analysisattacks. Again, we used a preprocessing technique to improve the analysis results:the discrete Fourier transform.

CONCLUSION 71

Two different distinguishers were compared with respect to their effectiveness tofind the secret with the least amount of measurements. Later in the chapterwe showed that the comparison lacked fairness and soundness. An examplewith a differential power analysis attack on a DES implementation in hardwaredemonstrated the usage of the security metrics ”guessing entropy” and ”first ordersuccess rate” in accordance to the framework presented by Standaert et al.

A systematic overview of the existing implementation attacks and countermeasureson ECC is given at the end of the chapter. While there is no intention toprovide new countermeasures, a complete overview of the wide range of attacksand the common classes of countermeasures is presented. Keeping track of the everevolving field of implementation attacks is of crucial importance to a cryptosystemdesigner and the last topic in this chapter provides a digest of existing attacks andcountermeasures.

Chapter 4

The Measurement Probes

The content and text in this chapter is based on papers written in collaborationwith W. Aerts [5, 6, 4].

4.1 Introduction

By definition, a side-channel attack exploits physical properties of a cryptographicdevice to extract secret information. The way to get hold of these physicalproperties is by effectively measuring them. No need to say that the quality of themeasurement setup has a major impact on the effectiveness and efficiency of theattack.

With respect to electromagnetic analysis attacks, the measurement setup usuallyconsists of the following parts: the sensor or antenna, a cable connection, ananalogue preprocessing element and an analog-to-digital converter. The choice ofa sensor, probe or antenna for a specific application is a tedious process where onehas to make decisions based on the desired properties. The antenna, that connectsthe free space with the measurement setup, partially prescribes the characteristicsof the measurements. It is an essential part of the measurement chain and shouldnot be passed over too lightly. Irrespective of the application, every antenna hassome fundamental properties that can be adjusted: radiation pattern, polarization,gain, impedance, matching properties and bandwidth. Every single property willbe discussed later on in this chapter.

73

74 THE MEASUREMENT PROBES

4.2 Overview of Probes in the Literature

The following two sections survey the utilization of near-field probes and far-fieldantennas for side-channel analysis in the open literature.

4.2.1 Near-Field Probes

The first probe described in literature was the probe of Gandolfi et al. in theirCHES paper [68]. The probe is shown in Fig. 4.1(a).

The article of Gandolfi et al. tested a multitude of probes including hard diskheads, integrated inductors and magnetic probes but ended up using a hand-madesolenoide stating that this yielded the best results in their case. In [11], Agrawalet al. mention a small plate attached to a coaxial cable. Compared to the previousone this plate shaped probe is an electrical probe, while the solenoid is a magneticprobe focused towards magnetic fields. Also Mangard and Peeters et al. use hand-made coils in [119] and [148] respectively. Fig. 4.1(b), 4.1(c) and 4.1(d) illustratesthese probes. Again, those are magnetic probes. Most of these sensors are simple

(a) Gandolfi et al. [68] (b) Mangard [119]

(c) Peeters et al. [148] (d) Peeters et al. [148]

Figure 4.1: Hand-made magnetic probes from the open literature.

coils, obtained without much design effort. In the past years, people started to usegeneric publicly available magnetic sensors designed for EMI/EMC analysis as the

OVERVIEW OF PROBES IN THE LITERATURE 75

ones mentioned in [159]. They are often called “sniffer”1 probes referring to theirtask to locate EMC problems. One such probe is pictured in Fig. 4.2(a). A typicalpassive near-field probe set incorporates both magnetic and electric field probes.As an example the ETS-EMCO’s Model 7405 Probe Set is discussed in moredetail [1]. A picture of one of the probes is given in Fig. 4.2(b). The set includesthree loop probes, sensitive to the magnetic field and directional. Their locationspecificity and sensitivity is related to the size of the loop diameter. The smallerthe loop’s diameter, the better the probe is suited for locating specific sources ofradiation. The ball probe and the stub probe are both selective towards the electricfield. In contrast with the three magnetic loops, these probes are omnidirectional.The probes are typically employed to locate and portray the emissions originatingfrom a PCB, IC, wires, etc. In general, near-field magnetic fields are dominant ifa current is flowing in a wire along a path that is not straight. Near-field electricfields on the other hand overpower the magnetic field when the current amplitudeis not high but significant electric potential differences exist. Because varyingcurrents are more important than large differences in electric potential in a normalCMOS chip, it is widely accepted that the most important near-field componentfor measuring direct radiation for side-channel analysis is the magnetic field. Thesize of the magnetic loop sensors is a very important characteristic to ensure theability to make a detailed mapping of the field. The smallest probe in the EMCOset has a diameter of 1 cm which is still of substantial size compared to the sizeof the devices under test in a standard side-channel analysis attack. There existalso commercial near-field microprobes with dimensions in the micrometer range.The size of such probes complicate manual operation and positioning, thereforethe need for automated or manually operated scanner equipment grows as doesthe requirement for amplifiers. Indeed, the signal strength at the probe’s end isrelated to the diameter of the loop.

(a) Sauvage et al. [159] (b) The EMCO 7405 set [1]

Figure 4.2: Commercial sniffer probes.

1A sniffer probe is a small transducer, usually used to locate RF sources. Because themagnitude of the radiation is of less importance, calibration of the probe is not really needed.


4.2.2 Far-Field Antennas

In several papers the usage of far-field antennas is mentioned. For example,Mangard alludes to a biconical antenna in [119]. Several others are suggested inrelated literature about TEMPEST. A first type is the Yagi-Uda array antenna,see Fig. 4.3(a). This type of antenna is commonly used in the VHF-UHF range(30 MHz to 3 GHz), more specific in the area of FM radio and television reception.A Yagi-Uda array antenna is a semi-directional antenna, reasonably frequencyselective and with a relatively high gain. This antenna is made out of an arrayof dipoles parallel to each other. A second type of antennas mentioned are thebiconical antennas. Biconical antennas are constructed with two cones connectedtop to top. The system is very wideband. The third type of antennas is a specificversion of the second type and is referred to as the discone antenna. A disconeantenna is a biconical antenna where one of the cones is replaced by a disc. Itinherits the property of widebandedness and it is omnidirectional, Fig. 4.3(b). Thepatch antenna is a fourth type of antenna. It consists of a metal patch positionedparallel to a ground plane. The working principle is based on the resonating wavescreated in the cavity. Figure 4.3(c) illustrate the patch antenna. A last variety ofantenna is the folded dipole, see Fig. 4.3(d). A folded dipole is a special typeof dipole where the ends are folded back to connect to the feed point. They aretypically used for the FM band.

(a) Yagi-Uda (b) Discone an-tenna

(c) Patch antenna (d) Folded dipole

Figure 4.3: Different far-field antennas.

SPECIFICATIONS FOR A NEAR-FIELD EM SENSOR 77

4.3 Specifications for a Near-Field EM Sensor

In this section we make an overview of all the specifications which should beconsidered in mind when designing or using a probe or antenna for near-fieldelectromagnetic analysis. Under normal circumstances an antenna is describedwith the following set of characteristics:

• Sensitivity towards electric and magnetic fields. Some types of antennasare more suited for electric field measurements while others are more sensitivetowards magnetic fields or a combination of both.

• The receiving/radiation pattern is probably the most important char-acteristic of the sensor, as this defines the spatial sensitivity of the sensortowards the electromagnetic fields. The shape of the pattern often definesthe suitability of a sensor for a specific task. A sensor with a narrow receivingpattern is for example suited for direction finding. Radiation patterns arecharacterized by their 3 dB-beamwidth and the side-lobe level. A notionclosely related to the radiation pattern is “directivity”. The directivity is themaximum of the ratio between the radiated power per unit of space (θ, φ) andthe mean radiated power per unit of space. The unknowns θ and φ are twoof the three parameters from the spherical coordinate system. The receivingand/or radiation pattern is defined by the type/topology of antenna/probeand the corresponding design parameters.

• A second important feature of an antenna is the polarization. Thepolarization of a wave defines the orientation and behavior of the tip ofthe total electric field vector over time in a fixed plane. The polarization ofan antenna equals the polarization of the wave transmitted by the antennaor the one it can receive.

• One of the quality figures for an antenna is the gain. The gain is definedas the maximum of the ratio of the radiated power per unit of space as afunction of (θ, φ) to the power fed to the antenna per unit of space. Thedifference between the directivity and the gain are the losses in the antenna.

• The input impedance of an antenna influences the efficiency of energytransfer to and from the antenna. This parameter has to be checked foreach target frequency. For simple geometrical shapes the analysis can bedone theoretically, but as soon as the shape deviates a bit, input impedancesshould be determined through a measurement procedure.

• A final parameter is the bandwidth of the sensor or antenna. The definitionis not unambiguously fixed, but usually the bandwidth is the frequency rangein which the antenna satisfies some imposed specifications.


To be able to define the desired characteristics for the perfect sensor, the originor source of the captured radiation should be fully understood and qualified. Ofcourse this is a complex process that requires full knowledge of the chip: thelayout, the waveforms at every moment in time at every location in the chip, thelayout and parasitics of the circuit, material properties, dimensions etc. On top ofall this, it will almost always remain unclear what exactly is radiating the usefulinformation for a specific implementation. The result being that even a detailedfield description of the interesting part of the circuit only is difficult to extract.

Besides the complexity of the field surrounding a chip, the measurement can becarried out through several methods as discussed before:

• the electromagnetic field can be considered as a wireless prolongation of thepower consumption;

• some attackers try to pick up the radiation of a certain circuit elementdirectly;

• or maybe the information is modulated on top of a carrier and only thefrequency space around the carriers is interesting.

The type of measurement is of course of utmost importance in defining thecharacteristics of the field.

Despite the absence of a fixed set of characteristics, some properties of the sensorcan be extracted from the work flow and common sense understandings of thedevice under test.

1. For a first exploration of the device, the sensor should have a flat frequencycharacteristic to get as much information as possible from the circuit. Itis only in a second stage, when frequency characterization is done, that abandwidth limited sensor is in place to gain accuracy in the measurements.Depending on the type of measurement, frequency selectivity might ormight not be important. For wireless power measurements and directmeasurements, frequency selectivity is less important compared to extractionfrom modulated carriers.

2. Power analysis attacks rely on the variations in current consumption toextract key information. As these current variations mainly lead to magneticfields in the near-field area, a magnetic sensor is prefered to an electricselective one for measuring direct radiation in the near-field. Direct radiationshould be measured in the near-field as the amplitude of the direct radiationwill be low. The wireless power measurements or the modulated radiationare not restricted to the near-field as the fields will be of higher amplitude,resulting in a free choice of electric or magnetic antenna.

MAGNETIC OR ELECTRIC FIELDS 79

3. Most of the measurements done for electromagnetic analysis are carried outwith the aid of an oscilloscope. The input of an oscilloscope is a BNCconnector. This BNC connector and the circuit behind it form an unbalancedsystem. This means that the two wires that guide the signal do not have anidentical impedance between each of them and the ground. Indeed, one ofthe sides of the connector is directly connected to the ground itself. If a directconnection between a balanced antenna and an unbalanced feed/receive lineis made, it will distort the radiation pattern and it will lead to feed/receiveline radiation. To make measurements as accurate as possible without addingextra noise we want to avoid this. There are three possible ways to deal withthis issue:

• use an unbalanced probe;

• use a balanced probe and use the oscilloscope differentially;

• use a balun. The word balun is a contraction of balanced to unbalancedtransformer.

4. The major benefit of electromagnetic analysis over power analysis is thepossibility of making local measurements. For a loop sensor to be locationspecific it has to be physically small.

5. We also want to ensure that the signal amplitude measured is at least aslarge as the minimal amplitude that can be measured or amplified with themeasurement setup. Preferably the full dynamic range of the measurementdevice should be used to minimize quantization noise.

4.4 Magnetic or Electric Fields

Currents always have to run in a closed path. This closed path can be modeled asa loop. Then, two possible scenarios unfold themselves:

• In a first setup the sensor is small in a physical and electric way comparedto the circuit. In this case the origin of the radiation can be modeled as achain of elementary electric dipoles.

• In a second setup the sensor is large, physically and electrically, comparedto the circuit. Here, it makes more sense to model the current loop as anelementary magnetic dipole.

The field equations for an elementary electrical and magnetic dipole are given inChapter 2. The near-field approximation are mentioned in Eq. (2.25) and (2.26).Comparing the two sets of equations reveals that the electric dipole creates an


electric field in the near-field whereas the magnetic dipole has a large magneticfield component in the same area. For small current paths in a chip, whether it isa microcontrollor, FPGA or ASIC, the assumption that a sensor is larger than thecurrent loop is quite straightforward, hence there will be a larger magnetic fieldthan an electric field in the near-field range. As mentioned in the beginning ofthis chapter, as long as no special elements are used in the antenna, the radiationand receiving patterns of an antenna are equal. Hence, it is reasonable to assumethat a magnetic sensor is more suited for measuring the radiation than an electricsensor. This reasoning about the magnetic dipole is only valid under the correctassumptions and in the near-field. Indeed, when the ratio of the electric field tothe magnetic field is plotted as a function of the distance, we can see that theabove statement indeed holds for the near-field. For the far-field the ratio is theconstant Z0 ≈ 120π which is called the free space wave impedance. In between thenear-field and the far-field, there is an area where the electric field of the magneticdipole is larger than the magnetic field. The opposite reasoning holds for theelectric dipole. This region is often called the inductive field.

The loop is an outstanding example of a magnetic probe. In the remainder of thechapter, we will discuss some properties and techniques to achieve and analyze thedesired characteristics as mentioned above for a loop sensor.

The usage of a loop as a sensor to detect varying magnetic fields is based on the lawof Faraday-Lenz, which indicates that a varying magnetic flux through a surfacewill cause an extra voltage V along the line enclosing the surface:

V =

∮

s

Edl = −dφB

dt= −d

(∮

ABdA

)

dt. (4.1)

where E stands for the electric field vector and φB is the magnetic flux. Theintegral is taken over the line s or the surface A closed by the loop. By measuringthis voltage, e.g. with an oscilloscope, side-channel information leaking fromcryptographic devices can be captured.

It is clear from Eq. (4.1) that the loop should not deform as this alters the fluxthrough the surface and hence the measured signal. Therefore all loops should beimplemented rigidly.

4.5 Balanced versus Unbalanced

Transmission lines with two conductors are said to be [19]

• balanced, if the impedance between each of the conductors and the groundis equal; or

BALANCED VERSUS UNBALANCED 81

• unbalanced, if one of the conductors is connected to the ground.

Though the terminology suggests that each system should either be balanced orunbalanced, a third more general case is possible, where both impedances arenon-zero and not equal. This situation is depicted in Fig. 4.4

Z1−2

Z1 Z 2

conductor 1 conductor 2

ground

Figure 4.4: This system is neither balanced nor unbalanced if Z1 6= Z2.

Examples of balanced systems are the dipole antenna and loops. Coaxial cablesunder normal use are unbalanced because their outer conductor is connected tothe ground. This brings about the effect that current will only run in the centerconductor and at the inner side of the coaxial conductor. This gives the coaxialcable its good shielding property and its low sensitivity to radiation.

However, if a balanced antenna is connected to an unbalanced cable, current willrun at the outer side of the outer conductor of the unbalanced coaxial cablenear the point of connection to the balanced antenna, as a result of boundaryconditions. Especially in our case, this should be avoided as it deteriorates thelocation sensitivity of our sensor.

A balun can be used to avoid current flow on the outer side of the conductor. Onepossibility is to add a λ/4 transmission line around the outer conductor that isshortened at the end. The transmission line transforms this short circuit into anopen chain, hence ensuring that no signal can enter the transmission line. Anoutline of the balun is visualized in Fig. 4.5.

A common implementation of the same principle is depicted in Fig. 4.6. Atλ/4 from the end of the coaxial cable, an open stub is connected to the outerconductor. Usually a short is placed between the point O of the coax cable andE/B of the balun. The antenna itself is connected to C and B, as opposed to thescheme from Fig. 4.5 where the antenna is simply connected to C and O. Thisimplementation shows several correspondences with the shielded loops often usedfor EMC measurements.

Another way of making a balun, that is more broadband and also allows totransform the load to a value needed for matching, is using a transformer balun.This can be obtained by winding wires over a magnetic core, selecting theappropriate number of turns for primary and secondary side, and by grounding


CO OB B

λ4

Figure 4.5: Schematic drawing of a balun. A sleeve around the outer conductoracts as a λ/4 transmission line with an infinite input impedance. C stands for thecenter conductor, O for the outer conductor of the coaxial cable. B is the extraconductor for the balun.

CO OE BB

λ4

Figure 4.6: Schematic drawing of a practical implementation of a balun. C standfor the center conductor, O for the outer conductor of the coaxial cable. B is theouter conductor of the coaxial cable used for the balun. The antenna is connectedto B and C and O is shorted to B. The bold points are shorted.

different points in the primary and secondary coils. The use of a magnetic corehowever excludes usage for higher frequencies.

A huge disadvantage of these baluns is the narrow bandwidth: for the stub balundue to the stub length that must equal a quarter of a wavelength, and for thecurrent transformer balun due to the multiple turns of the coils. To avoid allthose problems, it is good practice to choose a symmetric antenna as sensor withtwo coaxial cables, both connected to the oscilloscope or one terminated with a50 Ω load, or to choose a symmetric antenna with the measurement device directlyconnected to it.

MATCHING 83

4.6 Matching

Whenever transmission lines, such as coaxial cables, are used, telecommunicationapplications require that the loads at both ends of the line are matched to thecharacteristic impedance of the line, in order to assure a maximum power transfer.However, when measuring magnetic fields, a transfer of power is not the issue, asno analog circuitry is driven but the voltage signal is sampled and stored in digitalform. The amplitude of the measured signal is what is to be maximized.

Imagine a source with a Thevenin equivalent as illustrated in Fig.4.7(a). For amaximum power transfer, the load Zl should be conjugate matched to the load ofthe generator, or

Zl = Z∗th . (4.2)

On the other hand, reflection loss matching requires the load to be equal to theThevenin load, or

Zl = Zth . (4.3)

Zth

Zl

Vth

(a) Thevenin model

Zth

Zl

Vth

Matc

hin

gn

etw

ork

Matc

hin

gn

etw

ork

Zc

Zth Zc Zc Zl

(b) Reflectionloss matching

Figure 4.7: The Thevenin model of a source and a graphical illustration ofreflection loss matching.

Fig. 4.7(b) shows how in a generic situation where a source impedance Zth anda load impedance Zl are connected with a transmission line with characteristicimpedance Zc; matching is applied to avoid reflections. As far as the oscilloscopeis concerned, if the amplitude is to be maximized but signal distortion should beavoided, the input impedance of the oscilloscope Zl = Zosc should be as high aspossible. Indeed, at low frequencies the signal over the oscilloscope input Vosc willbe large due to a voltage division:

Vosc =Zosc

Zosc + Zc× Vsensor , (4.4)

with Zosc the input impedance of the oscilloscope. The same holds for higherfrequencies. The signal will be enlarged because a high input impedance, in the


ideal case ∞, results in a total reflection and hence in a voltage that is twice theamplitude of the voltage wave:

Vosc = V + + V − = V + × (1 + S11) = 2× V + , (4.5)

with V + the voltage wave traveling from the cable towards the oscilloscope, V −

the voltage wave traveling in the opposite direction and S11 the input port voltagereflection coefficient, a scattering parameter of the cable-oscilloscope system. Ofcourse, if the oscilloscope is not matched to the characteristic impedance of thecable, the loop has to be matched, otherwise reflections would bounce back andforth resulting in an infinite number of reflections in the ideal case where the cablehas no losses. This is illustrated in Fig. 4.8. The top row shows an ideal currentpulse in a circuit. The figure in the middle row on the left, named (a), showsthe signal measured with a loop sensor with an input impedance of Zth = 50 Ωconnected to an oscilloscope with input impedance Zl = Zosc = 1 MΩ. To theright of this figure, (b), the sensor again has Zth = 50 Ω but the scope is set toZosc = 50 Ω. The signal amplitude is only half the amplitude of the previousone. On the last row, the result of the following settings is shown: Zth = 0 Ω andZosc = 1 MΩ on the left, subfigure (c) and Zth = 0 Ω and Zosc = 50 Ω on theright, (d). Figure (c) on the left shows the reflections because nor the sensor sidenor the oscilloscope is matched to the cable. Note that a signal with reflections inprinciple still contains all information. Nevertheless, reflections should be avoidedfor cryptographic analysis, because an oscilloscope has a limited number of bitsfor digitalizing. Dynamic range is traded against resolution if the signal growslarge. Also, a signal might suffer from destructive reflections or can be buriedin unrelated reflections of signals resulting a significant raise in the amount ofmeasurements needed to perform a differential analysis attack.

From Eq. (4.4), it is expected that an oscilloscope at 50 Ω and a loop with aninput impedance Zin = 0 results in the same amplitude of the measured signal, asan oscilloscope at ∞ and loop at 50 Ω. Figure 4.8,(a) and (d) show that this isnot entirely the case. In the second case, the current in the loop is much largerthan in the first case causing partial canceling of the measured field.

We investigated a large set of shielded magnetic loop sensors and their matching.The results are represented below as a case study.

4.7 Case Study: Matching Shielded Magnetic Probes

Though a vast amount of different magnetic field sensors are in use, we will discussonly four implementations, depicted in Fig. 4.9: an unshielded loop, a symmetricalloop, a balanced loop and a Mœbius loop. They are compared against each otherin terms of matching. The naming of the loops is in accordance with the naming

CASE STUDY: MATCHING SHIELDED MAGNETIC PROBES 85

0 1000 2000 3000 4000 5000 6000 7000 8000−0.5

0

0.5

1

1.5

2

0 1000 2000 3000 4000 5000 6000 7000 8000−0.5

0

0.5

1

1.5

2

0 1000 2000 3000 4000 5000 6000 7000 8000

−0.06

−0.04

−0.02

0

0.02

0.04

0.06

time

voltage

loop 50 Ohm and scope 1M (a)

0 1000 2000 3000 4000 5000 6000 7000 8000

−0.06

−0.04

−0.02

0

0.02

0.04

0.06

timevoltage

loop 50 Ohm and scope 50 Ohm (b)

0 1000 2000 3000 4000 5000 6000 7000 8000

−0.06

−0.04

−0.02

0

0.02

0.04

0.06

time

voltage

loop short and scope 1M (c)

0 1000 2000 3000 4000 5000 6000 7000 8000

−0.06

−0.04

−0.02

0

0.02

0.04

0.06

time

voltage

loop short and scope 50 Ohm (d)

Figure 4.8: A current pulse is measured with differing impedances of theoscilloscope and sensor. The top row depicts the original signal. The middle rowshows the signal radiated by this current and measured with a magnetic sensor of50 Ω input impedance. The last row is measured with a loop of Zin = 0. The leftplots of the two last rows were obtained with a scope at Zin = 1 MΩ. The rightones with Zin = 50MΩ.

in [58] and we will introduce them briefly with the necessary remarks. The EMCOloop probes mentioned earlier and displayed in Fig. 4.2(b) belong to this group ofshielded magnetic probes.

4.7.1 Working Principle of Shielded Loops

The working principle of a shielded loop can be briefly summarized as follows.Figure 4.10(b) shows an example of a shielded loop. The most important item tonotice here, is the gap in the shield. As with a normal loop, the induced voltageat the terminals is generated through the change in magnetic flux captured by theloop in accordance with the law of Faraday-Lenz. The voltage is induced over theslit at the outer surface of the conductor. Because of the skin effect, the innerside of the shield is electrically separated from the outer side of the shield. The


transmission line consisting out of the inner surface of the shield and the innerconductor is driven by the induced voltage over the slit. In a shielded loop theshield itself is the actual antenna. The current runs on the outer side of the shield.At the gap the current will return along the inside of the outer conductor. It isthis current that induces the current in the inner conductor.

4.7.2 Different Type of Loops

Unshielded Loop

A straightforward way to implement a loop sensor is to simply bend a wire andsolder one end to the center conductor and the other end to the outer conductorof a coaxial cable.

This system needs a balun and will, without balun, suffer from the antenna effect,i.e. the balanced current of the loop will run at the outer side of the outer conductorof the coax and will hence pick up signals and influence the output signal of thesensor. As a balun however never has an infinite bandwidth, it is omitted. Moreinformation about baluns can be found in Section 4.5.

Symmetrical Shielded Loop

A loop is formed by the connection of center and outer conductor at the end ofthe coaxial cable to the outer conductor of the coaxial cable at the beginning ofthe loop. In this way, a line integral similar to the one of the non-shielded loop isobtained.

The loop antennas of the EMCO near-field probe set model 7405 are of this type.This type is widely used in EMC diagnostics as it allows to measure values for themagnetic field strength without errors due to the presence of electric fields.

This antenna is indeed less sensitive to the electric field, compared to the non-shielded loop, due to the shielding of the outer conductor. A piece of outerconductor has to be cut away, however, obstructing current from flowing on theouter side of the outer conductor of the coax. Without this gap the current flowingwould cancel the magnetic field so that nothing will be measured. But the shortat the end of the coaxial cable will cause large reflections. Inserting a 50 Ω resistorcan solve this problem, at the cost of loosing signal strength and generating extranoise.


Balanced Shielded Loop

If a coaxial cable is taken and the two ends are connected to an oscilloscope withan input impedance of 50 Ω (or one to a oscilloscope and one to a 50 Ω load), thenthe problem with the reflections is avoided. Moreover, also the issue with currentflowing on the outer side of the sleeve is avoided, as now the interconnection of anunbalanced cable and a balanced loop is evaded by using two (unbalanced) cables,balancing each other.

The loop is obtained by bending the coaxial cable. Where the coaxial cable doesnot have to form a loop, some insulation is removed and the outer conductor ofthe adjacent coaxial cables is soldered together. Again a piece of outer conductorin the loop is cut away to prevent current from running on the outer side of theouter conductor.

The signal that is picked up will be of the same magnitude compared to theprevious types if the loop has more or less the same size. The signal however hasto be measured between the two ports of the oscilloscope, so that an oscilloscopewith mathematical functionality comes in handy.

Mœbius Shielded Loop

Starting from a balanced shielded loop, cutting the inner conductor at the slit andconnecting the inner conductor of the left part of the loop to the outer conductorof the right part and vice versa, results in a Mœbius loop, with two turns. Thistype was made with and without the short between adjacent outer conductorsbefore and behind the loop.

All real loop implementations are shown in Fig. 4.9, the circuit depictions are givenin Fig. 4.10.

All types should be isolated, to prevent contact with e.g. pins of components inthe measured circuit. Care should be taken that the loops do not deform whenused, as this alters the signal. This problem can be solved by attaching the loopsto cardboard with waxed cords. A solution like embedding the coax in injectionmolded plastic, used by EMCO for the near-field probe set model 7405 [1], is better.A PCB implementation of a shielded loop will also sidestep this issue.

In table 4.1 the advantages and disadvantages of each type, later explained indetail, are summarized.

Table 4.2 lists the DC resistance between inner and outer conductor of the sensors.This allows quick verification of the contacts before using the sensor and reveals thematching at low frequencies: the non-shielded, symmetrical and Mœbius shorted


Figure 4.9: Photograph of the loops. The upper one is the EMCO loop. Belowfrom left to right are the unshielded, symmetrical, balanced and Mœbius with andwithout short.

Table 4.1: Advantages and disadvantages of the four loop types.A good loop is only sensitive to magnetic fields and hence suppresses the electricfields, has a good isolation between inner and outer side of the outer conductor(related to the antenna effect), has no reflections as the impedance is matched andpicks up a large amplitude of the signal.

type E-suppress IO isolation impedance matching amplitude

non-shielded - - - - 1symmetrical + - - 1

balanced + + + 1Mœbius - + + 2

loop will have an S11 = 1 or 0 dB, whereas the balanced and Mœbius withoutshort are matched to 50 Ω so that S11 = 0 or −∞ dB.

4.7.3 Measurement Setup for the Matching Behavior

The scattering parameter S11 of the loops was measured with a HP8510C vectornetwork analyzer (VNA). As this device is only specified for frequencies higherthan 45 MHz due to an IF stage in the machine of 20 MHz, obtained by thesignal (or one of its harmonics) of a local oscillator between 65 MHz − 300 MHz


(a) Non-Shielded Loop (b) Symmetrical Shielded Loop

(c) Balanced Shielded Loop (d) Moebius Type Balanced Shielded Loop

Figure 4.10: Schematic drawings of the four loop types.

Table 4.2: Measured resistance values (rounded) between connectors of the fourloop types. i stands for inner conductor, o for outer, sa stands for same end, opfor opposite end. 50 Ω will only be measured if one port of the sensor is loadedwith 50 Ω. If left open, ∞ will be measured.

type o-i sa o-i op o-o op i-i op

non-shielded 0 Ω - - -symmetrical 0 Ω - - -

EMCO φ = 6 cm 0 Ω - - -balanced 50 Ω 50 Ω 0 Ω 0 ΩMœbius 50 Ω 0 Ω 50 Ω 50 Ω

Mœbius with short 0 Ω 0 Ω 0 Ω 0 Ω

[8], the measurements between 22 MHz and 45 MHz are not fully accurate. Theyare however in accordance with the measurements between 1 kHz and 20 MHzobtained with an oscilloscope and a function generator.


0

−5

−10

−15

−20

−25

−30

−35

−40

0 100 200 300 400 500 600 700 800 900 1000

frequency [MHz]S

11

[dB

]

unshielded

symmetrical

balanced

EMCO symm.

Mœbius

Mœbius with short

Figure 4.11: S11 of the loops for 22 MHz− 1 GHz.

4.7.4 Results

The measured values for S11 are displayed in Fig. 4.11 and 4.12.

For lower frequencies, all probe types with shorting have a scattering parameterS11 = 1. The balanced and Mœbius type without short are matched to 50 Ω. Forhigher frequencies however, a short between the inner and outer conductor cannot always be used by a current due to the length of the shorting which can entailhigh inductance. Hence the Mœbius with and without short behave the same forhigher frequencies.

The periodic peaks for both Mœbius types are due to the non-perfect Zc ofthe coaxial cable. The cable used was of the RG-58 type, defined in [128], butcanceled [138] and hence invalid as a standard. The manufacturer specified Zc

as 50 ± 2 Ω [175]. At 200 MHz, a value of 52 Ω was measured. This value wasobtained as the geometric mean of an impedance measurement with a short (Zin,0)and an open (Zin,∞). The validity of this technique is easily checked, by writing


0

−5

−10

−15

−20

−25

−30

−35

0 5 10 15 20 25 30 35 40 45 50

frequency [MHz]

S1

1[d

B]

unshieldedsymmetricalbalancedMœbiusMœbius with short

Figure 4.12: S11 of the loops for 1 kHz− 50 MHz.

out Zin in terms of scattering parameters and then filling in 0 and ∞ for ZL:

Zc =√

Zin,0 × Zin,∞ , (4.6)

= Zc

√

√

√

√

1 + ej2kl ZL,0−Zc

ZL,0+Zc

1− ej2kl ZL,0−Zc

ZL,0+Zc

×1 + ej2kl ZL,inf−Zc

ZL,inf+Zc

1− ej2kl ZL,inf−Zc

ZL,inf+Zc

,

= Zc

√

1− ej2kl

1 + ej2kl× 1 + ej2kl

1− ej2kl= Zc .

At higher frequencies Zc becomes complex, due to losses. Being e.g. 52 + 8i Ω at500 MHz, the cables transform the load on circles around the center of a Smithchart referenced to 52 + 8i Ω, see Fig. 4.13. On a Smith chart referenced to 50 Ω,those circles become egg shaped curves around the point corresponding to 52+8i Ω,i.e. a little up to the right from the center point.

The curve for the Mœbius without short comes up as high as −2 dB. This peak isdue to a short when the capacitance between the two adjacent outer conductorsbefore and behind the loop starts to conduct signals. The capacitance betweentwo cables of radius r is [118]:

C = l × c = l × ǫπ

log

(

dr +

√

( dr )2 − 1

) . (4.7)

This expression is not exact in the case of hollow coax outer conductors, but still,it can be concluded that the capacitance between the cables is influenced by boththe length l of the cables, and the distance d between them. Hence this peak


Figure 4.13: S11 of the Mœbius with short on a Smith Chart.

0

−5

−10

−15

−20

−25

−30

−35

−40

0 100 200 300 400 500 600 700 800 900

frequency [MHz]

S1

1[d

B]

Mœbius large CMœbius small C

Figure 4.14: S11 of a Mœbius without short with different capacitances betweenthe two adjacent cables.

can be avoided by moving the 50 Ω termination at the end of the second cable tojust behind the loop, so that the second cable has zero length. A measurement,shown in Fig. 4.14, indeed reveals that this action solves the matching issue. Thissensor is indeed matched sufficiently over the entire frequency range. Such sensorwould however not pick up any signals as the voltage induced by the magnetic fluxstands partly between the two outer conductors and does not contribute to thesignal that arrives at the scope.

This actually means that none of the four probe types is matched over the entirefrequency range of interest. If, for some application, only frequencies below e.g.50 MHz are to be used, the balanced loop can be used without matching problems.If, for another application a band will be used around a frequency of some hundreds


Figure 4.15: Layout of a loop that combines the balanced and Mœbius loop.

of MHz, that will be mixed down in a receiver, the Mœbius loop with short canbe used. Only if for some reason the entire band from (nearly) DC to 1 GHzis important, a combination of the balanced and Mœbius with short can be thesolution. A schematic layout is given in Fig. 4.15. Capacitances and an inductorare used to obtain the connections for a balanced loop at low frequencies and theconnections for a Mœbius loop at high frequencies.

4.7.5 Conclusion

The different nature of a setup to measure signals for cryptographic EMside-channel analysis makes that matching is not identical to matching radiocommunication systems. In the case of EM analysis, the sensor should be matchedto the cable, but the scope should have an input impedance as high as possible,in order to obtain a large signal at the scope, to keep the current in the loop assmall as possible and avoid reflections that spoil the measurement. Four types ofloops were compared but none seemed to meet the matching requirements overa frequency band from (nearly) DC up to 1 GHz. If, however, such broadbandsensor is desirable, a combination of the balanced loop, for lower frequencies, anda Mœbius loop with shorting between adjacent outer conductors outside the loop,for higher frequencies, will be an ideal sensor. The concrete design and test of thisprobe for this application is left as an open problem.


4.8 Resolution

Sensors for electromagnetic analysis should capture the radiation surrounding thedevice as accurately as possible with a reasonable amplitude. Shielded loops asthe ones discussed in Section 4.7 are quite large in comparison with a micro-controller, ASIC or even FPGA and are consequently not suited for localizedmeasurements. Smaller implementations of the same concept manage to achievesmaller resolutions, but they are not constructed with a manual process. Masudaet al. [123] report an aperture of 20 µm× 1 mm on a silicon substrate. One of thecommercially available high resolution sensors is the NEC CP-2S with a resolutionof ≈ 250µm. This is a shielded loop printed on glass ceramic multilayer with thinfilm technology. As various hand made unshielded coils are used in the literatureof electromagnetic analysis, it makes sense to investigate the resolution of suchcoils as a function of their frequency behavior, number of turns and diameterof the cross-section. We did this with the aid of a case study, written down inSection 4.10.

4.9 Bandwidth and Frequency Behavior

The exact bandwidth needed for electromagnetic or side-channel analysis stillremains an open research question. So far there have been no publications claimingthe ability to determine the bandwidth or the necessary frequency range neededfor the analysis. As a consequence, the problem has to be dealt with bottom up.Instead of concentrating on the required or optimal bandwidth, we focus on thefrequency spectrum of the signals generated by a digital circuit. By definition,a digital signal has a broad frequency spectrum. The upper frequency of thespectrum fHs is usually not defined by the clock frequency or a multiple of it (theharmonics), but merely by the rise time and its corresponding frequency.

Ideally, if we want to avoid loosing possible information a sensor should be able tocollect all frequencies from 0 − fHs Hz. The following case study shows how theresolution of an unshielded loop varies with the desired bandwidth.

CASE STUDY: RESOLUTION OF UNSHIELDED LOOPS AS A FUNCTION OF THE BANDWIDTH 95

4.10 Case Study: Resolution of Unshielded Loops asa Function of the Bandwidth

4.10.1 Theory

We evaluate the minimum achievable dimension of a circular inductive sensor forusage in a frequency interval [fL, fH ]. Values for the number of turns N and theloop radius rl are derived starting from the value of the magnetic field strengthB and a minimum amplitude Vmin that should be generated over a load Z, theinput impedance of the measurement device, in parallel with the loop. This valueVmin is determined by the measurement equipment and relates to the minimumvoltage that can be measured by an oscilloscope or the minimum signal amplitudethat has to be fed to an amplifier connected to the loop to obtain e.g. a reasonablesignal-to-noise ratio.

General Case: Arbitrary Z

Faraday-Lenz law states that a varying magnetic flux through a surface inducesan extra voltage V along the line enclosing the surface:

|V | =∣

∣

∣

∣

dφB

dt

∣

∣

∣

∣

= ωNAB , (4.8)

with φB the magnetic flux through the sensor, ω = 2πf , N the number of turnsin the loop, A the area surrounded by one turn and B the magnetic field strength.The rightmost equality sign implies that the loop is positioned orthogonally to themagnetic field. If a load Z is attached to the terminals of the loop sensor, currentwill flow, resulting in a voltage over Z equal to:

|V | = ωNAB

∣

∣

∣

∣

Z

jωL + R + Z

∣

∣

∣

∣

. (4.9)

Introduction of the interturn capacitance Ctt would increase the correctness of theformulation. Nevertheless, in this first evaluation we omit the influence on theinduced voltage. The loop inductance L [78] is defined by:

L = N2µ0rl

(

ln

(

8rl

rw

)

− 2

)

, (4.10)

with the wire radius rw, and the loop resistance R [75]:

R =2πrlN

σπ (r2w − (rw − δ)2)

. with δ =

√

2

µ0ωσ. (4.11)


In this equation, the skin depth is denoted by δ and the electrical conductivityof the metal by σ, e.g. 58 MS/m for copper. If δ > rw, δ should be replaced byrw in the formula. In this case, not the skin depth, but the wire diameter is thelimiting factor. Instead of introducing a discontinuity, one could also use an exactexpression of the current distribution in the sectional plane of the wire [85]. Fromthis distribution we can deduce a continuous formula for the resistance. This isleft as future work. The contour lines of Eq. (4.9) for rl/rw = 16, f = 10 MHzand Z = 1 MΩ are drawn in Fig. 4.16. Designing a loop sensor with maximalresolution for signal amplitude Vmin boils down to finding the pair (N, rl) on the|V | = Vmin contour where rl is minimum.

0.1

0.1

0.1

0.1

0.2

0.2

0.2

0.2

0.3

0.3

0.3

0.4

0.4

0.4

0.5

0.5

0.6

0.6

0.7

0.7

0.8

0.9

1

1.1

5 10 15 20 25 301

2

3

4

5

6

7

8

9

10x 10

−4

N

r lin

[m]

Figure 4.16: The contour lines of Eq. (4.9) as a function of rl and N , rl/rw = 16,f = 10 MHz and Z = 1 MΩ.

The optimum value for N is a trade off between increasing N to increase theinduced voltage of Eq. (4.8), and decreasing N to lower L ∝ N2 and R ∝ N ,avoiding that |jωL + R| ≫ |Z| in the denominator of Eq. (4.9).

Still, not all (N, rl) pairs found as the minimum on the appropriate contour arevalid. Eq. (4.9) implies that the total wire length of the loop is small to avoidsignal cancellation due to phase differences over the loop:

N2πrl <λH

10or Nrl <

λH

20π=

c

10ωH, (4.12)

with c the speed of light. The limit used here is common in the amateur radiocommunity [53, 62, 174], but again, a more detailed study will increase the


correctness of the underlying reasoning. Due to the inverse proportionality withω, the inequality condition has to be validated only for fH , the upper bound ofthe intended frequency band.

Moreover, for similar reasons, the resonance frequency of the system fres, consistingof the loop sensor and measuring device, should be higher than ten times thehighest frequency in the working frequency band:

fres =1

2π√

LtotCtot

=1

2π√

N2L1,N=1

(

Ctt

N + CZ

)

> 10fH , (4.13)

with CZ the capacitive part of Z. The capacitance between two turns Ctt can becalculated with Magnusson [118]:

Ctt = 2πrlǫ0π

ln(

d2rw

+√

( d2rw

)2 − 1) , (4.14)

with ǫ0 the dielectric constant and d = 2(rw + t) the distance between the centersof two turns, with t the insulation thickness. The inductance of one turn (in theabsence of the other turns) is:

L1,N=1 = µ0rl

(

ln

(

8rl

rw

)

− 2

)

, (4.15)

with µ0 the magnetic permeability of vacuum.

Filling in Eq. (4.14) and (4.15) into Eq. (4.13) results in:

λ

10> 2π

√

Nrl

√

√

√

√

(

ln(

8rl

rw

)

− 2)(

2π2rl + NCZ

ǫ0ln (α)

)

ln (α), (4.16)

with α =d

2rw+

√

(

d

2rw

)2

− 1 .

It can be concluded that, in the general case, for arbitrary values of Z, the minimafor rl on the contour lines of Eq. (4.9) must be sought for: e.g. by a minimumsearch, in the (N, rl) domain bound by the conditions Eq. (4.12) and (4.16), forall frequencies in the [fL, fH ] interval.


Ideal Case: Z =∞

In the ideal2 case that no load is attached to the loop sensor, the voltage betweenits terminals simply equals the voltage induced by the varying magnetic field, seeEq. (4.8).

Combining Eq. (4.12) with (4.8), only to be checked for fL, the lower bound ofthe intended frequency band, due to the proportionality of |V | ∝ ω, results in themaximum amplitude that can be obtained with the best sensor, still obeying thecondition imposed on the total wire length:

|V | ≤ πc2ωLB

100ω2HN

= Vmax . (4.17)

This leads to the obvious conclusion that, if Z = ∞, for maximum amplitude,N = 1. The loop radius, rl, related to the choice for N via Eq. (4.12), will thenbe as large as possible and A maximal.

If the voltage that is needed, Vmin < Vmax, then N ≥ 1. In this case a trade-offbetween good resolution, meaning small A, and large frequency band, meaningsmall N , can be made, still resulting in the same value for NA. As soon as N > 1,however, Eq. (4.16) again bounds the solution space.

Eq. (4.16) can be rewritten, in case Z =∞ and CZ = 0, as:

Nrl <c

10ωH

√

N

Nswitch, (4.18)

with Nswitch the value where both Eq. (4.12) and (4.16) are equivalent:

Nswitch = 2π2ln(

8rl

rw

)

− 2

ln

(

d2rw

+

√

(

d2rw

)2

− 1

) . (4.19)

If N > Nswitch, only Eq. (4.12) should be checked, and the (integer) number ofturns for the loop with minimal dimension or maximal resolution is found withEq. (4.17) as:

Nmax =

⌊

πωLc2B

100ω2HVmin

⌋

, (4.20)

else, only Eq. (4.18) should be checked. Eq. (4.18) combined with Eq. (4.8):

Nrl =

√

NVmin

πωLB<

c

10ωH

√

N

Nswitch, (4.21)

2This case is ideal in the sense that the voltage measured over the loop terminals is maximal.Any load between the terminals would cause a current through the loop, resulting in a smallerloop voltage.


reveals that this condition is independent of the value for N . Stated otherwise,Eq. (4.18) for any value of N is equivalent with Eq. (4.12) for N = Nswitch.Consequently, the design of an ideal inductive loop sensor with optimal resolutionconsists of: calculating Nmax with Eq. (4.20) and Nswitch with Eq. (4.19). IfNmax ≥ Nswitch, then N = Nmax, else N = 1. Once N is determined, rl followsfrom Eq. (4.8), again only to be evaluated for the lower working frequency, due to|V | ∝ ω:

rl =

√

Vmin

ωLBπN. (4.22)

4.10.2 Maximal Resolution

To give some realistic numeric values, this section evaluates the formulas inSection 4.10.1 for a circular inductive sensor to measure a magnetic field ofB = 2 µT that should deliver at least Vmin = 1 mV.

The values for rw and d are set to:

rw = rl/16 , (4.23)

d = 2.4rw , (4.24)

corresponding to the rules of thumb of bending radii of wires in [50] and breakdownvoltage between conductors.

The rl calculated below are of the order of magnitude of 10 µm. Loops with sucha small diameter, with conductors of even smaller dimensions can be produced, asis illustrated in e.g. Seidermann and Buttgenbach [164].

Ideal Case: Z =∞

Evaluating Eq. (4.19) with the values in Eq. (4.23) and (4.24) results in Nswitch =91. Calculating Nmax with Eq. (4.20) and evaluating Eq. (4.22) with theappropriate N as explained in Section 4.10.1, for zero bandwidth, meaningfL = fH , results in the radii depicted by the solid line in Fig. 4.17(b). Thisis the practical resolution limit for Vmin = 1 mV. The sudden discontinuity inthe curve as f = 10 GHz is due to the jump from N = 91 → 1, as indicatedon Fig. 4.17(a). Also note that the curve stops at f = 900 GHz, as above thisfrequency, no sensor can be designed to deliver V ≥ Vmin due to Eq. (4.17).

The number of turns in Fig 4.17(a) are impractically high, also, the introductionof inequalities Eq. (4.12) and Eq. (4.16) result in an artificial jump in the number


106

107

108

109

1010

1011

1012

100

101

102

103

104

105

106

PSfrag

fL = fH in [Hz]

N

Z =∞Z = 1 MΩ

(a) N

106

107

108

109

1010

1011

1012

0

1

2

3

4

5

6x 10

−5

fL = fH in [Hz]

r lin

[m]

Z =∞Z = 1 MΩ

(b) Minimum rl

Figure 4.17: N and the minimum rl as function of the bandwidth fL = fH forZ =∞ and Z = 1 MΩ, Vmin = 1 mV.

of turns. To get a feeling with more practical values, we have limited the numberof turns to 30 and the radius to 1 mm while ignoring the inequalities mentionedbefore. The results are shown in Fig. 4.18(a) and Fig. 4.18(b). Because we limitthe number of turns to 30 and the radius of the loop, there is no solution for thelower frequencies until the minimum voltage level is reached. The effect of loosingthe restrictions on the total wire length to avoid phase differences or coming toclose to the resonance conditions is noticeable because the jump in the number ofturns has disappeared. Neither of both sets of figures is exact, a solution has tobe found in between the two cases.

Figure 4.19 depicts the loop radius in the case fL is fixed and fH is varied from1 MHz → 10 GHz. This figure nicely illustrates the trade-off between resolutionand working frequency band. At a certain value for fH , no sensor can be designedto deliver V ≥ Vmin due to Eq. (4.17) and the curve goes to zero. The curve has nomeaning for values of fH < fL and is hence set to zero. The flat part in the curvescorresponds with N = 1. For zero bandwidth, Fig. 4.17(b), the radius decreasesagain with increasing frequency after the steep rise, due to the proportionality of Vwith ω in Eq. (4.8). For a non-zero bandwidth, fL limits the resolution, resultingin the flat part of the curve.

If we perform the analysis in the more practical setting described above, we obtainthe results in Fig. 4.20(b) and Fig. 4.20(a). This figure learns us that, given thesame input parameters, the practical limits now bound our solution space.


106

107

108

109

1010

1011

1012

0

5

10

15

20

25

30

fL = fH in [Hz]

N

Z =∞Z = 1 MΩ

(a) N

106

107

108

109

1010

1011

1012

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1x 10

−3

fL = fH in [Hz]

r lin

[m] Z =∞

Z = 1 MΩ

(b) Minimum rl

Figure 4.18: N and the minimum rl as function of the bandwidth fL = fH forZ =∞ and Z = 1 MΩ, Vmin = 1 mV in a more practical scenario.

108

109

1010

1011

0

1

2

3

4

5

6x 10

−4

fH in [Hz]

r lin

[m]

fL = 100 MHz fL = 1 GHz

Figure 4.19: Minimum rl for two loop sensors with varying working frequencyband.


108

109

1010

1011

0

5

10

15

20

25

30

PSfrag

fH in [Hz]

N

fL = 100 MHzfL = 1 GHz

(a) N

108

109

1010

1011

0

1

2

x 10−4

fH in [Hz]

r lin

[m]

fL = 100 MHzfL = 1 GHz

(b) Minimum rl

Figure 4.20: N and the minimum rl with varying working frequency band in amore practical scenario.

Effects of the Parameters on the Optimal Resolution

Eq. (4.19) reveals that Nswitch depends slightly on rw/rl and heavily on d/2rw

(especially for d/2rw ≈ 1, which is often the case when winding a conductor).Figure 4.21 plots this dependency in the interval of interest for rw/rl and d/2rw.If Nswitch drops, a higher frequency upper bound can be achieved with the sensor,although this implies that if the same resolution has to be kept, the lower frequencybound has to go up. Figure 4.22 shows the effect of varying ratio d/2rw on theresolution.

General Case: Arbitrary Z

As soon as a load is attached to the sensor, the resolution is equal to or worsethan in the ideal case of no load over the loop. This is due to the division inEq. (4.9). For Z = 1 MΩ, the difference in resolution is negligibly small, exceptfor lower frequencies. The dashed line in Fig. 4.17(b) indeed deviates from thesolid line below 300 MHz. This is due to the difference in N . For no load Z =∞,N should be taken as high as possible with Eq. (4.20). For a finite load, however,an excessive3 value for N results in a smaller loop voltage as |jωL + R| ≫ |Z| inEq. (4.9).

The cases of Section 4.10.2 are reviewed here, for Z = 50 Ω and Z = 1 MΩ ‖ 13 pF,which are typical oscilloscope input impedances. For the high impedance and zero

3From a practical point of view, N = 104 can be regarded as excessive too. This treatment ishowever purely mathematical as a starting point.


020

4060

80100

11.2

1.41.6

1.82

0

50

100

150

200

250

300

350

400

rl/rwd/2rw

Nsw

itch

Figure 4.21: Variation of Nswitch as function of rl/rw and d/2rw.

106

107

108

109

1010

1011

1012

0

1

2

3

4

5

6x 10

−5

fL = fH in [Hz]

r lin

[m]

d/2rw = 1.2d/2rw = 1.5d/2rw = 2

Figure 4.22: rl as function of fL = fH for unloaded loops with different d/2rw.


bandwidth case, in Fig. 4.23, the curve for rl shows several spikes. Those abruptchanges in resolution are due to a decrease of N by one (which has to be aninteger), similar to the spike in the ideal case for the transition of N : Nswitch → 1.The results in the non-zero bandwidth case are depicted in Fig. 4.24.

106

107

108

109

1010

1011

1012

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1x 10

−3

fL = fH in [Hz]

r lin

[m]

Z = 1 MΩ ‖ 13 pFZ = 50

Figure 4.23: Minimum rl as function of fL = fH for some common oscilloscopeinput impedances.

106

107

108

109

1010

1011

1012

0

0.002

0.004

0.006

0.008

0.01

0.012

0.014

0.016

fH in [Hz]

r lin

[m]

a

cb

d

Figure 4.24: Minimum rl for some common oscilloscope input impedances withvarying working frequency band.(a): fL = 0.1 MHz, Z = 1 MΩ ‖ 13 pF; (b): fL = 1 MHz, Z = 1 MΩ ‖ 13 pF; (c):

fL = 0.1 MHz, Z = 50 Ω; (d): fL = 1 MHz, Z = 50 Ω.

If we recalculate the result given the practical scenario limits, we do not see abig impact anymore on the resolution. The curves are very similar to the ones inFig. 4.23 and Fig. 4.24 except for a smoother return to zero at the end.


Effects of the Parameters on the Optimal Resolution

Now, d/2rw has no longer any effect. The curves for d/rw = 1.5 and 2 coincide withthe curve for d/rw = 1.2 (and Z = 1 MΩ ‖ 13 pF) on Fig. 4.23. Fig. 4.25 showsthe effect of varying ratio rw/rl on the resolution in case of Z = 1 MΩ ‖ 13 pF.

106

107

108

109

0

1

2

3

4

5

6

7

8x 10

−4

fL = fH in [Hz]

r lin

[m]

rl/rw = 16rl/rw = 20

Figure 4.25: rl as function of fL = fH for Z = 1 MΩ ‖ 13 pF and several rw/rl.

4.10.3 Conclusion

In this section, we have evaluated the practical resolution limit for a circular loopsensor, based on the magnetic field strength and the minimum voltage amplitudethat should be provided by the loop. This resulted in numerical values for loopswith an infinite load as well as for loops connected to a common oscilloscope inputimpedance. A straightforward design method could not be derived from the theorydeveloped. A numerical search routine was used to achieve the optimal values forloop radius and number of turns; the routine is described in the next section.

Note: Numerical Implementation of the Optimum Search Routine

The value of minimum rl was found by first determining the correspondingminimum value of rl for all values of N in the way described below. Afterwardsthe minimum rl out of this set for all values of N was selected.

To find the minimum value of rl for a fixed N , first the region in the (rl, ω) domainis determined where all conditions are satisfied. Fig. 4.26 depicts an imaginarycase to illustrate the procedure. The minimum and maximum frequency, resp. ωL

and ωH bound the possible solution area with two horizontal lines, the resonancecondition Eq. (4.12) bounds the r-dimension between 0 and rres.


If N > 1 the resonance frequency changes and also Eq. (4.16) should be satisfied.This condition, which is most restrictive for ω = ωH , bounds the r-dimensionfurther with two vertical lines r = ri1 and r = ri2. If rres > min (ri1, ri2), thesolution area is bounded by the rectangle formed by the lines ω = ωL, ω = ωH , r =max (min (ri1, ri2), 0) and r = min (max (ri1, ri2), rres). In case rres < min (ri1, ri2)there is no solution.

In this solution area, the minimum rl needs to be found such that ∀ω ∈ [ωL, ωH ]the voltage from Eq. (4.9) is at least Vmin. As the remark on δ > rw belowEq. (4.11) indicates, the formula to calculate this voltage differs left and right ofthe curve δ = rw. With Eq. (4.23) this curve ∆ can be determined. In Fig. 4.26,the contour lines for V = Vmin are drawn for the case where δ ≥ rw and δ < rw.Left from the line ∆ the area between W1 and W2 is the valid area. Right fromthe ∆-line the grey colored area bounded by K is part of the possible solutionarea. The shape of the contour lines is constructed to explain the next steps inthe search algorithm.

Inside this area the minimum rl can only be either 1) an intersection of the Wor K curve with the lines w = wL and w = wH or 2) points of inflection of theW or K curve. For each of this points it should be checked whether the verticalline through the point lies completely in the feasible interval. Of all the points towhich this final condition applies, the minimum one should be chosen. This is theminimum rl for this specific N .

r

ω

ωH

ωL

rres ri2ri3

W1

W2

K

∆

Figure 4.26: A possible graphical representation of all the conditions in the ω-rl

plain for a fixed number of turns N .

CURRENT DISTRIBUTION 107

4.11 Current Distribution

In all our previous case studies, we assumed that the circumference of the loopsensor/antenna was small enough to ensure the validity of the assumption of aconstant current along the loop. If this assumption is no longer valid, phasedifferences have to be taken into account. Section 4.12 shows the effect of phasedifferences on the field. The case study discusses the design of a loop antenna foran RFID reader to ensure an extended read-out range.

4.12 Case Study: Dependence of RFID ReaderAntenna Design on Read-Out Distance

4.12.1 Introduction

ISO-14443a 13.56 MHz RFID systems, defined in [93, 94, 95, 96] use inductivemagnetic coupling to set up a two-way communication between a reader and atag, and to provide the battery-less tag with energy. Therefore, both reader orproximity coupling device (PCD) and tag or proximity IC card (PICC) use a coilas antenna, see Fig. 4.27. The reader transmits a query to the tag by an amplitudemodulated (AM) magnetic field. The tag modulates the load seen by the readerat its coil of the transformer to pass an answer back to the reader.

Energy

Data

PICC

PCD

Figure 4.27: Communication setup for proximity cards, PICC stands for proximityIC card, PCD for proximity coupling device.

When RFID technology became widely adopted, several privacy and security issuescame up, which is reflected in publications of, amongst others, Juels [102] andLangheinrich [110]. The tags designed according to the ISO standard mentionedabove are usually “Reader talks first (RTF)” implementations. As a consequenceit may be possible to read out the tag can be read without the owner being awareof it. This threat is even more dangerous if the distance between tag and readercan be extended. Kfir and Wool [104] and Kirschenbaum and Wool [105] have


designed a system for relay attacks and a low-cost, extended range RFID skimmerrespectively. In these papers, little focus is put on the actual design of the antennaand the relevant theory to achieve larger read-out distances with it. This sectionfills the gap. Note that nothing is adjusted to the RFID tag itself as this doesnot belong to the possibilities of the adversary in this setting. First, we reviewthe relevant theory in a.o. Finkenzeller [61] and Yates et al. [186] for designing thereader antenna with a certain activation range4. We extend this and apply it toan ISO-14443a system. The resulting design flow is summarized in Fig. 4.34 at theend of the section. We emphasize the influence of the read-out distance, especiallyif this distance becomes reasonably large, in the order of magnitude of several tensof centimeters5. As most of the commercially available reader systems, such as theMIFARE Pegoda MF RD 700 used in this study, do not focus on larger readingdistance, current enhancement is most likely needed to provide enough currentto the coil. Some enhancement techniques are discussed as they might alter thedesign decisions.

The antennas treated in our work, are connected to the output of the reader IC. Ifthe antenna has to be placed at a larger distance from the reader hardware itself,a transmission line must be used. This also alters the design procedure, but istaken into consideration as well.

4.12.2 Loop Design

The reader antenna has to provide the tag with an electromagnetic field that issufficient to power up the hardware in the tag. Hence the antenna will be designedin such a way that the magnetic field at a certain read out distance rd is largeenough. In second order, the antenna should also be suited to receive the answerfrom the tag. This condition is not considered in this study, as an adversary ispresumed to have access to a separate receiving antenna if needed.

The read out distance cannot be infinite, because inductive coupling from the tagto the reader implies that the tag must be in the near-field of the reader. Indeed,if the tag receives a traveling wave instead of a quasi-static field, the modificationsto the field due to the tag will never travel back to the reader. This means thatthe tag must be located in the reactive near-field [186] around the antenna, in thiscase rd ≪ λ

2π ≈ 4 m. Furthermore, if the total wire length of the loop becomes aconsiderable part of the wavelength, the loop can not be considered as a lumpedelement. Standing waves will cause multiple resonances and decrease the totalfield. In such case rl should be decreased and the current increased even more.

4Activation range is defined as the distance from the reader where the field is still large enoughto power up the tag.

5Even if 10 cm is often suggested as the maximum range, the ISO-14443 standard does notmention this.

CASE STUDY: DEPENDENCE OF RFID READER ANTENNA DESIGN ON READ-OUT DISTANCE 109

The parameters of the loop that can be chosen are shape, size, number of turnsand wire diameter. These are discussed separately below and will lead to a designmethodology.

For a balun design, that is needed in the case of a balanced-unbalanced transition,the reader is referred to the literature. Baluns can be implemented as λ/4 stubs,but at 13.56 MHz these stubs would be impractically long. Another solution wouldbe using transformers [112]. A practical implementation is described in [2]. Yetanother solution is to feed the loop in a balanced way, e.g. by a push-pull amplifierinstead of a single ended amplifier.

Shape

Of all antennas that can be used to excite a magnetic field, a circular loop is clearlythe best choice if the current on the entire antenna is in phase. For a small loop,this is true. As the distance from the point where the tag is located to all currentcarrying parts of the antenna is equal in this case, the contributions of all parts ofthe antenna arrive in phase at the tag, resulting in constructive interference.

For a larger loop, where the current over the loop can not be supposed constant,it is less obvious. A spiral can slightly compensate for the phase difference overthe loop by a difference in propagation distance to the tag. Moreover, a spiralhas a lower inductance L than a circular coil with the same number of turns N ,resulting in an excellent coupling factor k [190]. While this may be interesting froma power transfer point of view, it is rather irrelevant for the application envisagedhere. When simply looking at maximum attainable magnetic field strength startingfrom a certain loop current Il, the circular loop is still the better choice. Moreoverthe circular loop outperforms the spiral in the case of lateral misalignment [63],which is very likely to occur when an adversary is secretly reading out tags. As aconsequence, the circular loop is the best choice here too.

Size

The larger the circular reader antenna loop is, the more current carrying partscontribute to the magnetic field. If the loop becomes too large, however, thesecontributions are very weak due to the large distance from the current carryingpart to the tag. Hence, there will be an optimal loop diameter and this diameteris ruled by the read-out distance. Suppose that the circular loop has a radius rl

and the read out distance is rd, then rl should be chosen so that the magnetic fieldat a distance rd from the center is maximal.


y

xz

Ir

rd

r l dH

α

Figure 4.28: Reader loop geometry.

When phase differences6 along the total wire length of the loop (2Nπrl) are takeninto account, the amplitude of the magnetic field in the direction perpendicular tothe tag, at a distance rd becomes (see Fig. 4.28 for conventions):

|Hz| =

∣

∣

∣

∣

∣

∫ 2πrlN

0

Il exp (j 2πlλ ) cos α

4π(r2d + r2

l )dl

∣

∣

∣

∣

∣

,

=Ilrlλ

√

2(1− cos ( 4π2rl

λ ))

8π2√

(r2l + r2

d)3

∣

∣

∣

∣

∣

N−1∑

n=0

ej4π2nrl

λ

∣

∣

∣

∣

∣

. (4.25)

with N the number of turns of the loop, Il the amplitude of the loop current andα the angle indicated in Fig. 4.28.

Finding the optimal value for rl thus boils down to (numerically) finding the rootof the derivative of (4.25):

d |Hz|dγ

= 0 with γ =rl

rd. (4.26)

For a single turn (N = 1), the optimal value for γ and hence rl is found as thesolution of:

(2γ2 − 1)λ

γ− sin ( 4π2γrd

λ )

1− cos ( 4π2γrd

λ )2π2rd(1 + γ2) = 0 , (4.27)

The result, as well as the solutions for N = 2, 3, 5, 10, plotted in Fig. 4.29, showthat as rd increases, rl also increases, even up to rd = 4 m. But the ratio between

6The phase due to the distance between the source current and the tag location is discardedas this distance is the same for all current carrying parts of the circular loop.


rl and rd decreases as rd increases. For any number of turns, the limit for rd → 0:

limrd→0

γ = limrd→0

rl

rd=√

2 . (4.28)

This can be expected as in this limiting case, the assumption of a constant currentover the entire wire length of the loop, leading to the ratio rl

rd=√

2 as published

in o.a. [61] and [189] surely holds.

0

0.5

1.0

1.5

0 1 2 3 4

N = 1

N = 2

N = 3

N = 5

N = 10

rd in [m]

r l/r

d

Figure 4.29: rl

rdas a function of rd.

Total wire length of loop small compared to wavelength. Under thisprecondition, the current can be assumed to be constant over the loop. The fieldis then found following Choudhury [40]:

|Hz| =∣

∣

∣

∣

∫ 2πrl

0

NIl cos α

4πr2dl

∣

∣

∣

∣

=

∣

∣

∣

∣

∣

NIlr2l

2√

(r2l + r2

d)3

∣

∣

∣

∣

∣

. (4.29)

The ISO-14443 standard [94] specifies the minimum (rms) magnetic field strengthfor the cards to operate7 as Hmin = 1.5 A/m. Combining equation (4.29) with(4.28) yields:

|Hz| =∣

∣

∣

∣

∣

NIlr2l

2√

(r2l + r2

d)3

∣

∣

∣

∣

∣

=

∣

∣

∣

∣

∣

NIlr2d

√

(3r2d)3

∣

∣

∣

∣

∣

=

∣

∣

∣

∣

NIl√27rd

∣

∣

∣

∣

. (4.30)

The minimum current (rms) Imin needed in the reader antenna (with rd in m) is:

Imin ×N =√

27×Hmin × rd = 7.8× rd . (4.31)

7That is to build up a voltage high enough to power up the hardware in the tag.


Assume, e.g. N = 1, rd = 0.1 m and L = 1 µH. The current with (4.31) will be0.78 A and the voltage:

|V | = |ωL√

27Hminrd| ,≈ 66 V . (4.32)

It is obvious that applying this voltage directly to the loop is not practical. Hencecurrent enhancement techniques, covered in Section 4.12.3, should be used.

Total wire length of loop comparable to wavelength. As soon as the total wirelength of the loop is considerable, say λ/10 as a rule of thumb, the magneticfield of the loop will be smaller than would be expected when using Eq. (4.29),which is indeed invalid in this case. Due to the phase differences over the loop,the contributions of all parts of the loop at the location of the tag will not bein phase and partial cancellation will occur. In that sense it might even be moreadvantageous to use a slightly smaller loop with more current, as Fig. 4.29 indeedindicates.

In Fig. 4.30, the amplitude of the magnetic field is given, relative to theapproximated field obtained if the current in the entire loop would be in phase. Thelarger the read-out distance, and the larger the loop itself, the more pronouncedthe difference becomes. Up to 0.5 m the field degradation is only 5%. If the readout distance is about 2.5 m, the perimeter of the loop is one wavelength and thefield will be zero.

0

10

20

30

40

50

60

70

80

90

100

0 1 2 3 4

rd in [m]

|Hz|/|H

z,a

pp

ro

x|i

n[%

]

Figure 4.30: Field degradation due to phase differences on a loop of considerablelength.


Total wire length of loop multiple of half wavelength. If the loop perimeterequals half a wavelength or a multiple there of, standing waves will occur. Theloop itself will then resonate and the reactance on the Smith chart crosses thereal axis, going from inductive to capacitive impedance. This dependence of thereactance on the frequency has its effect on the usage of the coil in an RLC circuitto enhance current. If the resonance condition for a combined series-parallel RLC,. Eq. (4.42), has, due to frequency dependence, multiple solutions for differentω, the RLC system will resonate at multiple frequencies and the energy will bedivided amongst them. Fig. 4.36 shows multiple crossings of the curves for theresonance condition and the imaginary part of the input impedance.

Number of Turns N . Looking at Eq. (4.29), which is only valid for small loopsand in the case the coil is fed with a current source, it is tempting to think that ahigh N will result in a high magnetic field H at the tag location. The considerationsbelow, however, argue against a value of N > 1.

Phase degradation. The more turns are used, the longer the total wire lengthof the loop and hence the more pronounced the effect described in Section 4.12.2becomes. For a small loop, fed by a current source, the magnetic field can beboosted by taking more turns. But as soon as the total wire length of the loop canno longer be regarded as small compared to the wavelength, it is advantageousto take N lower. Fig. 4.31 depicts the magnetic field as a function of rd forN = 1, 2, 3, 5, 10 when the optimal rl as calculated in Section 4.12.2 is used. Theconclusion that using more turns is only advantageous for smaller rd, is clear.

−30

−20

−10

0

10

20

0 1 2 3 4

N = 1

N = 2

N = 3

N = 5

N = 10

rd in [m]

|Hz|i

n[d

B]

Figure 4.31: |Hz| at rd when optimal rl for that value of rd is used. Il = 1 A.


Loop impedance. For a loop, fed by a voltage source, discarding the low ohmicand radiation resistance with respect to ωL, following Schrank and Mahony [82]:

NIl = NVl

ωL= N

Vl

ωN2L1,N=1∝ Vl

NL1,N=1, (4.33)

with L1,N=1 the inductance of a loop of the same size with only one turn. Thusmaximizing NIl, in order to maximize |Hz| in Eq. (4.29), means N = 1 and L1,N=1

small.

Bandwidth. When the loop antenna is placed in an RLC chain and used for acommunication link, raising N is not without a price. As L is proportional tothe quality factor, defined later on in Eq. (4.39), it can only be increased up to acertain level as otherwise the bandwidth of the system would become too small.This is not in contradiction with the results of Yates et al. [186], namely that thepower transfer ratio is proportional to N2, because they do not consider bandwidthissues.

Self-resonance frequency. When the loop perimeter is about half a wavelength,the loop will resonate. But if the loop has multiple turns, resonance at lowerfrequency occurs due to the parallel resonance of the inductance of the loop andthe capacitance between its turns. Above its resonance frequency, the loop startsto behave as a capacitance. Therefore it is important to know the resonancefrequency fres of the loop.

The capacitance between two turns Ctt can be calculated with Magnusson [118]:

Ctt = 2πrl ×ǫ0π

log(

d2rw

+√

( d2rw

)2 − 1) , (4.34)

where rw stands for the wire radius and d is the distance between the centers ofthe two wires.

If the wire has an insulation with a relative permittivity ǫr different from 1, inGrandi [79] the formula becomes:

Ctt = 2πrl ×ǫrǫ0π

log ( d2rw

), (4.35)

where the insulation of both wires is supposed to touch, resulting in d = 2rw + 2twith t the insulation thickness. This formula only holds for a radial electric field inthe insulation, which is surely not the case for ǫr → 1. Hence substituting ǫr = 1into Eq. (4.35) does not result in Eq. (4.34) due to approximations used in themodel that led to Eq. (4.35).


If an inductor with multiple turns is used, the equivalent capacitance is found asthe series circuit of all turn-to-turn capacitances. This is a simplification and itassumes that the capacitance between non-adjacent turns can be neglected. InFig. 4.32 the equivalent circuit of an inductor with all capacitances is drawn. Thecapacitances that are neglected are drawn with dashed lines.

L1

L2

L3

LN

C1

C2

C3

CN

. . .

. . .. . .

Figure 4.32: Equivalent circuit of an inductor.

Note that discarding the capacitance between non-adjacent turns implies that theself-resonance frequency only shifts downwards by a factor

√N when adding more

turns. Indeed, the resonance frequency is found as:

fres =1

2π√

L1Ctt

=1

2π√

NL1,N=1Ctt

=

√

2

Nfres,N=2 , (4.36)

where L1,N and Ctt indicate the inductance (in the presence of the other turns),respectively, the capacitance of a single turn. L1,N = N ×L1,N=1 still depends onthe number of turns, L1,N=1 is the inductance of a single turn in the absence ofall other turns. Table 4.3 shows the result obtained from Eq. (4.36).


Table 4.3: Self-resonance frequency of loops with rw = 1 mm with and withoutinsulation of 0.2 mm with ǫr = 4 for varying loop radius. The last column givesthe resonance frequency for a single turn.

rl Ctt Lt fres,N=2 (ǫ0) fres,N=2 (ǫr = 4) fres,N=1 (ǫ0)[m] [pF] [µH] [MHz] [MHz] [MHz]0.01 2.016 0.07729 403.2 125.6 47750.1 20.16 1.352 30.49 9.498 477.51 201.6 19.3 2.551 0.7947 47.75

Taking the inter-turn capacitance into account, the impedance of the coil equals:

Zcoil =jωN2L1,N=1

1− ω2NL1,N=1Ctt. (4.37)

which is again frequency dependent, possibly causing resonances at multiplefrequencies, similar to those mentioned for N = 1 in Section 4.12.2.

Resistance of Parallel Wires. Another disadvantage of multiturn loops, is theirincreased ohmic resistance. Due to the inter-turn coupling, the current in the loopwire is even more confined than should be expected due to the skin effect alone.Smith [166] provides formulas to calculate this effect in the case of a loop that issmall compared to the wavelength.

The argumentation above leads to the conclusion that N should be taken smallunless only power transfer is considered or the loop antenna is fed by a currentsource and rd is rather small.

Wire Diameter. Section 4.12.2 revealed that when a voltage source is used, or theloop is placed in an RLC chain and used for data communication, its inductanceL should be small. Using a wire with large diameter reduces L.

4.12.3 Power Source and Current Enhancement

As mentioned before and expressed in Eq. (4.31), a minimum amount of currentis needed to activate the RFID tag. This current can be directly drawn from anexternal power source, but sometimes it can be more convenient to enhance thecurrent if for example a powerful power source is not available. This can be doneeither passively by means of an RLC circuit or actively with the aid of an amplifier.The choice of power source and enhancement technique affects the design of theloop so these need to be taken into consideration. Some passive enhancement


Cs

R

L

a. Series

Cp

R

L

b. Parallel

Cs

Cp

R

L

c. Series-Parallel

Cp

Cs

R

L

d. Parallel-Series

Figure 4.33: Schematic of (top left – a) Series, (bottom left – c) Combined Series-Parallel, (top right – b) Parallel and (bottom right – d) Combined Parallel-SeriesRLC resonance circuit.

techniques are treated below. An active amplifier can enhance the current in thecoil even more. A class E amplifier, Sokal and Sokal [167], would e.g. be a goodchoice. This solution is not treated here.

When adding a capacitor and a resistor to the loop, in order to obtain an RLCcircuit, many combinations with a capacitor, inductor and resistor can be made.Only the ones with L, the inductance of the loop antenna, and R in series areconsidered for this application, because the loop resistance is inherently in serieswith the inductance of the antenna [75]. If an external resistor has to be added,it is preferably added in series with the loop, for the same reason. The internalresistance of the capacitors is smaller and will be neglected. An overview of thepossible circuits is given in Fig. 4.33. In this figure the top left configuration is thebest choice if a source can deliver an unlimited amount of current, the top rightsetup is optimal when a source can provide the circuit with high voltage. On theother hand, the bottom configurations ease the need for high voltage or current.

a. Series RLC chain. In this case, the current in the loop will be maximum whenCs = 1

ω2L , the impedance Zseries = R is minimal. The voltage over the loop is:

Vl = jωL

RVsource = jQRLCVsource, with QRLC =

ωL

R, (4.38)


where QRLC is the quality factor of the circuit. The higher QRLC , the larger thecurrent in, and the voltage over, the loop, but the lower the bandwidth B of thecircuit. This follows from the definitions [168]:

QRLC =stored energy

dissipated energy per cycleand QRLC =

f0

B, (4.39)

with f0 the resonance frequency. As a minimum bandwidth is needed for datatransfer, the value for QRLC is upper bounded by the data rate.

b. Parallel RLC chain. In this case, the current in the loop only depends on thevoltage applied to the RLC chain, but the current drawn from the source will beminimum if the condition

Cp =L

ω2L2 + R2, (4.40)

or

Zparallel = R +ω2L2

R, (4.41)

is met. In this case the impedance of the chain is maximal as is the currentamplification.

c. Combined series/parallel RLC chain. The loop current is maximized when

ω2Cs =1− 2ω2LCp + ω2C2

p(ω2L2 + R2)

L− Cp(ω2L2 + R2). (4.42)

Due to the second degree of freedom, Cp, any value for the impedance can beobtained:

ZcombinedSP =R

1− 2ω2LCp + ω2C2p(ω2L2 + R2)

. (4.43)

Hence this is the best choice for the resonance circuit, as it allows to match theinternal resistance of any source, to ensure maximum power transfer to the load.If the loop antenna is located at a distance from the reader, a transmission linehas to be used to connect both and the use of the combined chain is obligatory:of the four circuits, only this one can match the characteristic impedance of anyline.

d. Combined parallel/series RLC chain The loop current is maximized whenCs = 1/ω2L. This is identical to the resonance condition of the series resonance


chain. The second degree of freedom, Cp, can again be used to choose the inputimpedance of the chain:

ZcombinedPS =R− jωR2Cp

1 + ω2R2C2p

, (4.44)

but to a lesser extent than was the case in the series/parallel chain as ZcombinedPS

will always be smaller than R.

In order to use the RLC equations mentioned above, the inductance L of theantenna should be either calculated [78] with

L = µ0rl

(

ln

(

8rl

rw

)

− 2

)

, (4.45)

or measured [86]. Both ways of obtaining L are not very accurate. In addition,the value for L also depends on the surroundings, especially for larger loops. Thepresence of metal is one of the reasons for this alteration. Consequently, the valuefor the capacitance C needed after installation can differ slightly from the valuecalculated with the design equations given above. This problem is easily solvedby tuning8 the resonance circuit, using trimming capacitors. Automatic tuningcompensates on the fly, but, at the cost of increased complexity. One example[173] uses a control circuit to set the DC bias in a ferrite core to change theinductance of a coil.

The last parameter to determine is the resistance R. The total resistance R ofthe chain will be the sum of the internal resistance of the loop Rl and an externalresistor that is deliberately added. The equations above show that the value of Rcan also influence the resonance frequency of the chain. This deviation can alsobe corrected by tuning the capacitors, so that the value for R can be determinedonly based on the requirements for QRLC .

4.12.4 Design Flowchart

An overview of the proposed design method is given in Fig. 4.34. The readingdistance rd and the working frequency f result with the aid of the derivative ofEq. (4.25) in the ideal loop radius rl. The source and the quality factor Qsystem

determine the number of turns, N , according to Section 4.12.2. When choosingN , the self-resonance frequency of the loop should be checked to ensure that it is

8Try to find the values for the capacitors that result in the largest current in the loop.Monitoring of the current in the loop can be done by 1) using a current probe, but this addsanother inductance, 2) measuring the voltage over the loop, but voltage probes always form asmall loop and pick up fields or 3) using a field probe. The last method is preferred.


higher than the working frequency f . The loop radius is another parameter whichaffects this self-resonance. The specifications of the application also define Hmin.From this, together with f and rd, it is possible to calculate Imin, see Eq. (4.31).

If current enhancement is needed, a decision on the type of passive enhancementcan be taken based on the type of source. Together with the inductance of the loopL and the internal resistance Rl, which are defined by a number of characteristicsof the loop, the needed R and C for the RLC-circuit are easily found by applyingthe formulas in Section 4.12.3. After some additional manual tuning, the designis finished.

If no current enhancement is needed, the circuit should be checked for unwantedresonances; if these are present, suppression should be supplied.

rd f Qsystem Source Hmin

rl N

Self-resonance ok?

No

Yes

Imin

Enhancement?

No Yes

Type pass. enhancementWanted resonance?

No Yes R, C

Ctuned

Suppression

L, Rl

Material, thickness,. . .

Done

Figure 4.34: Flow Chart of the Design Method.


4.12.5 Validation and Conclusions

Three antennas were made to validate the formulas and statements: two solidcopper wire loops, one with N = 1, another one with N = 2 and one copper tubeloop, see Fig. 4.35. Their geometrical parameters are summarized in Table 4.4.

rl d

A B

(a) Layout (b) Photograph

Figure 4.35: Layout drawing and pictures of loops designed and made to validatethe formulas and statements. In the schematic drawing 4.35(a): A = front view,B = cross section. The values for rl and d of the different antennas can be foundin Table 4.4. N = 1. The same schematic holds for N > 1, only more turns arestacked. The picture 4.35(b) shows the largest loop made (the copper tube loop)and the smaller two turn loop made from solid copper.

The MIFARE Pegoda MF RD 700 is used as a reader. Its RF output is a voltagesource with internal resistance. For such a source, as explained in Section 4.12.3,the best choice is the series-parallel circuit. Tuning is necessary because thefrequency response of the circuit is very sensitive to L and neither the measuredLmeas nor the calculated Lcalc are accurate enough. The calculated inductancesLcalc were verified against values derived from measurements. Due to balunproblems the measurements were inaccurate for the copper tube loop; insteadthe loop was replaced by lumped elements until the resonance frequency matchedthe original one. The values obtained can be found in Table 4.4.

The resonance circuit used in the end is a variation on the series-parallel circuit:it consists of an upright and a mirrored version of a single series-parallel circuitto feed the antenna in a balanced way. If this is not done, problems as thoseshown in Fig. 4.36 can arise because of a transition from a balanced loop to anunbalanced vectorial network analyzer. The simulated curve is obtained from aNEC simulation with 400 divisions along the circle perimeter.


0

5

10

−5

10 20 30 40 50 60 70 80 90 100

L[µ

H]

f [MHz]

measurementequation (4.42)

simulation

Figure 4.36: Frequency dependent value of L for the copper tube loop as obtainedfrom simulation and measurement. A balanced to unbalanced system transitioncauses this value to fluctuate heavily around 13 MHz so that the loop is uselessunless fed in a balanced way.

Furthermore, Table 4.4 also lists some electrical parameters: the magnetic field Hat the origin of the loop and the maximum reading distance with a MIFARE card.For the latter measurement no other alterations were done to the setup but tuningthe resonance circuit. For the first measurement an EMCO-902, 3 cm magneticfield probe is utilized [1].

In Table 4.4 it is noticed that the loop with two turns generates a higher magneticfield compared to the loop with one turn, but this does not result in a largerreading distance because of a QRLC which is too high, so that even at a verysmall distance no communication can take place in this setup. Adding an externalresistor can solve this, but this is beyond the scope of validating the formulas andstatements. When holding a card very close to the copper tube, this card couldbe read by the reader, but the reader could not supply enough current to obtaina functioning system with a card at the origin or further along the z-axis.

Another difference between the two solid wire loops is the remarkably lower fres

of the two turn loop. This confirms the explanation of Eq. (4.35) where the effectof Ctt is demonstrated. Here, ǫr = 4 [55].

From these measurement results the conclusion can be drawn that the formulasto design a loop antenna for an ISO-14443 system summarized in this study arevalid.

4.13 Conclusion

This chapter discusses measurement probes for electromagnetic analysis. Thedesired characteristics for a near-field sensor are scrutinized with respect to certain

CONCLUSION 123

Table 4.4: Overview of the characteristics of the different loops, (*) readingdistance not measurable because of QRLC too high, (**) reading distance notmeasurable because the reader could not supply enough current, an amplifier isneeded. (a) = Solid copper wire loop 1, (b) = Solid copper wire loop 2, (c)=Copper tube loop.

coilN rl d Rl Lcalc Lmeas fres,calc fres,meas

[cm] [cm] [Ω] [µH] [µH] [MHz] [MHz](a) 1 8.25 0.001 0.5 0.537 0.569 579 583(b) 2 8.25 0.001 2.09 2.15 2.27 48 41(c) 1 56.5 1.5 200 3.1 3.45 85 27

RLC circuitH(xyz=0) rd

[A/m] [cm](a) 4.16 10(b) 5.35 (*)(c) 0.12 (**)

properties. Successively the following topics are discussed: the choice betweenan electric or magnetic field oriented sensor, the necessity to balance the sensor,the importance of matching between the sensor and the remaining measurementsetup, resolution criteria, bandwidth requirements, frequency characteristics andthe influence of the current distribution over the loop. All topics are discussedunder the assumption that we want to design a probe to measure the directradiation of the chip.

We start with an overview of the probes used in the literature with a special focuson the near-field probes, followed by a general list of properties required for anear-field probe. Because of the nature of the direct radiation, a magnetic probeis favored over an electric probe.

Three topics are illustrated with a case study. The matching of different subtypesof a specific category of magnetic probes, the shielded magnetic probes, is discussed.Firstly, it is concluded that the oscilloscope, by preference, should have a highinput impedance and that the sensor has to be matched to the cable. Secondly,a shielded magnetic probe that is matched over a broad frequency range is notavailable under the discussed probes; a combination of two types results in thedesired matching behavior.

The second case study relates the resolution of unshielded small loops to theirbandwidth. For local measurements, the resolution should be as high as possible.Unfortunately, the resolution of a loop sensor is not chosen without imposing


penalties on other properties of the sensor. Given the magnetic field strengthof a circuit and the minimum voltage level as input to the measurement device,the resolution limit in a certain frequency range is specified. Numerical searchroutines were constructed that return the optimal radius and number of turns forthe unshielded sensor.

The third case study investigates large loops in an RFID eavesdropping setting.In this case, the current distribution over the loop can not be seen as static andshould be taken into account. A design method is discussed that specifies theproperties of the loop with respect to the desired reading distance of an ISO14443smart card. Because of the need of very large currents to read the cards in caseof an extended reading range, some passive current enhancement techniques werepresented. An active enhancement technique is not discussed here, but has beeninvestigated by us in [131].

Chapter 5

Countermeasures

The content and text in this chapter is based on papers written in collaborationwith K. Sakiyama and B. Gierlichs [157, 132].

5.1 Introduction

The side-channel community focuses on several aspects of side-channel analysis. Afirst category of research is the one that fastens on new and improved models thatbear closer resemblance to the real leakage of a specific device or device group. Asecond category is the study of new statistical tests for side-channel distinguishers.The third distinct research topic deals with counteracting, preventing or renderingside-channel attacks more difficult. A fourth category examines improved signalprocessing techniques to enhance side-channel attacks.

In general, preventing the possibility of attacking a cryptographic device with side-channel techniques boils down to removing or degrading the dependency of theside-channel leakage and the secret-dependent intermediate values or operationsof the cryptographic algorithm.

Timing analysis prevention is in a sense very simple by ensuring equal algorithmexecution times. Countermeasures for power or electromagnetic analysis are morecomplex and demand a more thorough knowledge of the side-channel leakage, thealgorithm and/or side-channel attack techniques. Differential and higher orderattacks in particular have been intensively studied over the past decade and atremendous amount of effort is put into countermeasures for these attacks.

Embedded systems are usually resource limited and the implementation of

125

126 COUNTERMEASURES

the basic functionalities in the device already results in a trade-off betweenperformance, footprint and power consumption. The same holds for the insertionof cryptographic aspects in the embedded design, an aspect which is only slowlymigrating from an add-on feature to an essential component. Now, the trade-offhas to take an extra design dimension into account: security.

Countermeasures against side-channel analysis can be inserted at differentabstraction levels during the design flow: at the top one has the protocol level,one level below lies the algorithm level, followed by the architecture level. Thecircuit level closes the row. A very common and efficient countermeasure at theprotocol level is the usage of ephemeral keys or session keys. In this way differentialand higher order attacks are precluded because they usually require multiplemeasurements to extract the secret information and knowledge of the secret isonly exploitable for a short period of time. Beside this distinct countermeasure,all others can basically be categorized in two groups: hiding and maskingcountermeasures.

Hiding countermeasures target the dependency between intermediate valuesprocessed in the cryptographic device and the side-channel leakage itself. Maskingcountermeasures break the link between the intermediate values in the algorithmand the intermediate values actually processed in the device. By doing so, thedependency between the side-channel leakage and the original intermediate valuesis removed as well.

The intention of this chapter is not to give an extensive overview of all possiblecountermeasures and attacks on them. Those can be found in the literature, e.g.[122] is a good reference for this purpose. In the next two sections, we will discusstwo specific topics dealt with during this doctoral research. The first topic analyzesthe usage of GEZEL, defined by its author as a cycle-based hardware descriptionlanguage founded on the finite-state-machine and datapath model, to deal withtiming and simple side-channel problems in an early design stage. The second topicexamines a specific circuit level countermeasure that combines hiding and maskingtechniques towards its resistance against differential power analysis attacks.

Although both topics focus on the power consumption side-channel, this should notsurprise the reader. It has already been pointed out that all information residing inthe power consumption is measurable in electromagnetic radiation surrounding thecryptographic device. While it is not always the case that a countermeasure againstpower analysis attacks suffices to preclude the electromagnetic side channel [11],it will for sure render electromagnetic analysis attacks more difficult.

SIDE-CHANNEL RESISTANT SYSTEM-LEVEL DESIGN FLOW FOR PUBLIC-KEY CRYPTOGRAPHY WITHGEZEL 127

5.2 Side-Channel Resistant System-Level Design Flowfor Public-Key Cryptography with GEZEL

In embedded systems such as mobile phones, smart cards and RFIDs, a high-performance cryptographic function is required at low cost. It is a challenge toimplement Public-Key Cryptography (PKC) primitives such as RSA and ECCbecause they show a slower performance and larger area compared with Secret-Key Cryptography (SKC) (e.g. 3-DES or AES) and other cryptographic primitives.With limited silicon resources and a limited power budget, the short key-lengthsof ECC (proposed by Koblitz [106] and Miller [129]) are often preferred over themore traditional RSA-based systems.

From a side-channel analysis point of view, ECC needs to be resistant to protectsecret information (e.g. a secret key). Conventional hardware design flows onlyexplore the trade-off among area, power consumption and performance of a targetdevice. In this section, we take side-channel analysis into account and integrateit into a system level design flow at an early design stage, even before VHDL orVerilog design starts.

Our Design Approach

Countermeasures against side-channel attacks need to be taken into account atall abstraction levels. We chose ECC because it consists of multiple layersof computation. It is composed out of different layers of operation (pointmultiplication, addition/doubling, GF(p) operations) which each map into adatapath and/or controller in hardware. It does not make sense to protect theimplementation at the group operation level if the underlying field arithmetic isimplemented insecurely. This is demonstrated by Walter in [182].

At the cycle-true Register Transfer Level (RTL), several simple side-channelvulnerabilities can be modeled and detected and countermeasures can beimplemented. Of course, once a design is made resistant to simple side-channelattacks, the differential and higher order ones need to be addressed. They requiresolutions such as adding noise, introducing random delays or using a special styleof logic [179] depending on the desired level of resistance.

5.2.1 A Secure Design Flow

In this section, we look at a hardware design approach for system designwith consistent resistance against timing (TA) and simple power analysis(SPA). The main source of side-channel leakage vulnerable to these kinds ofattacks are conditional operations and condition-dependent signals. Hardware

128 SC Resistant System-Level Design Flow with GEZEL

implementations can be made to perform with constant-timing behavior andthus will show a better resistance against simple side-channel attacks thansoftware implementations. However, the condition-dependent signals still existin a hardware design and make it more susceptible to TA or SPA attacks. In ourdesign flow, we verify the side-channel attack-resistance at a system-level designstage. This way, side-channel attack-resistance can be taken into account jointlywith cost and performance optimizations at an early design stage.

System-level Design Tool

We use a simulation environment, called GEZEL [160], which allows us to estimateimmediate dynamic power consumption. We use the toggle count per clock cycle(TCPC) as an approximation for this power. The toggle count is obtained directlyout of the RTL model and does not require synthesis of the model. Despite thisapproximation, our experiments have shown that it is often sufficient for buildingcryptographic systems resistant to simple side-channel attacks. As mentionedbefore, higher order attacks, such as DPA, need to be addressed in an actualimplementation. However, system-level design gives the designer an environmentto get a quick and correct evaluation of first order attacks. It does not make senseto address higher order attacks (which are much more difficult and time consumingto mount) if simple first order attacks are possible. This is especially needed forcryptographic algorithms which contain multiple levels of complex arithmetic, asis the case for ECC and HECC. Because of the size and complexity of the design,these resistance tests are very time consuming at gate level and impossible atSPICE level.

The GEZEL design environment allows us to try out different alternatives for theperformance, area and side-channel resistance at a cycle-accurate level. For eachalternative, functional tests and simple side-channel resistance tests are verifiedas illustrated in Fig. 5.1. We obtain the toggle count of the hardware modules asa function of the clock cycle in order to predict the power pattern. These togglecounts allow us to analyze the risk for simple side channel attacks (especially SPA)and, if detected, to rewrite the HW module. After completing both tests by usingcycle-accurate simulation, the HW model is converted into VHDL, and synthesizedby a back-end. In the next section, we briefly discuss the mechanism for togglecounting at the RTL.

RTL Toggle Counting

Hardware descriptions in GEZEL are expressions of cycle-accurate registertransfers, containing operations and assignments on signals and registers. We

Countermeasures 129

Figure 5.1: GEZEL system-level design flow for security applications.

obtain toggle count estimates directly on these expressions, by means of a simpleset of rules:

• The toggle count per cycle (TCPC) for a register or a signal is the Hammingdistance between the value during the previous clock cycle and the valueduring the current clock cycle. In the case of a register, this toggle count ismeasured at the register input.

• The TCPC of a simple operation is given by the Hamming distance ofthe previous operation result and the current result. The toggle count ismeasured at the operation output. Simple operations includes additions,subtractions, shifts, multiplications, and so on.

• The TCPC of an expression composed of simple operations is given by thesum of the TCPC of individual operations.

For example, assume an RTL expression as follows.

This piece of code contains three operations: two assignments and an addition. Inthe first clock cycle, signal a changes from 0 to 3. The addition operation outputwill be 3 as well, and this value will be assigned to register b. The total togglecount for the first clock cycle thus equals 6. In the second clock cycle, signal a

does not change value. The output of the addition operator will now change from3 to 6 however (Hamming distance ’110’ - ’011’ = 2), and register b will changefrom 3 to 6 as well. The toggle count for the second clock cycle thus equals 4.We can also choose the direction of the toggle count depending on the type of thedata change, i.e., all transition (0-to-1 and 1-to-0), 0-to-1 or 1-to-0 transition. In


signal a;

register b;

a = 3;

b = b + a;

a

b

t0 t1 t2

Signal a 000 011 011

Register b 000 011 110

Addition 000 011 110

Figure 5.2: An RTL expression, the corresponding circuit and the state table.

the above case, the 0-to-1 Hamming distance will be 1. We can continue in thisway to obtain an approximation of the immediate dynamic power consumption.This methodology is very simple, and for example does not take glitching nor theimplementation complexity of operators into account. For the purpose of simpleside-channel attacks on the other hand, it is adequate.

5.2.2 ECC Operations over GF(p)

ECC is chosen as an example because of the complexity of its operations and thepossibility to attack at different levels in the arithmetic. The basic background ofECC over GF(p) is explained in Section 3.2.

The performance of a public-key cryptosystem is primarily determined by theefficiency of the arithmetic operations (addition, multiplication and/or inversion)in the underlying finite field. Therefore, the system architectures for ECCare designed to accelerate the field multiplication, as described in the followingsections. We assume here that we have an operational unit available to performmodular arithmetic, the MALU (Modular Arithmetic Logic Unit). This unit willbe designed to have a constant execution time to achieve simple side-channelresistance.

Countermeasures

Our proposed countermeasures are described as follows. As mentioned previously,modular multiplications and additions are basic operations for ECC. We create acountermeasure for TA by unifying the multiplication and addition instructions,i.e. we have a unified modular multiplication-and-add instruction which completes

Countermeasures 131

either operation in the same number of cycles. The MALU supports the (XY +S)mod N operation in a constant execution time.

In addition, a dedicated hardware controller for Algorithm 3.1 of Chapter 3 isimplemented. The stalling cycles can be concealed by evaluating the branchconditions beforehand. The dedicated controller also uses a queue buffer to ensurethat instructions for the MALU are dispatched constantly. This micro-codedcontroller is a secure controller. Hence, the imbalance of Algorithm 3.1 can besolved without extra dummy instructions.

The countermeasure has to be verified in an early stage of the design as well asthe functional correctness of the MALU and its controller. Moreover, the trade-offamong cost, performance, and security can easily be explored by our proposeddesign environment.

5.2.3 System Architecture

The proposed ECC cryptosystem is composed of the main controller, the MALUand a RAM.

Figure 5.3: Results of the toggle simulation with only functional correctness.Trace of Hamming distance for all registers in the design of ECC-160p. DBL andADD denote point doubling and point addition respectively.

The main controller has three in- and outputs; one of them is a signal which tellsthe controller to stop sending instructions when the instruction buffer is full. A 32-bit output is used to send instructions. A 32-bit input/output passes data back andforward between the controller and the datapath. A dedicated controller is choseninstead of a normal CPU because of two reasons. Firstly, instructions can be sentat a constant timing interval. Secondly, it is more compact and faster than othergeneral purpose CPUs because it is sufficient to support only a few instructions forthe proposed design case. The datapath is made with a Harvard architecture; it


has a separate data bus and instruction bus. The data transfer between the maincontroller and the MALU is controlled by a Data Bus Controller (DBC). This pathis only activated when an initial point and the parameters of an elliptic curve aresent to the RAM, or when the result is retrieved. During a point multiplication, thecontroller keeps on sending instructions to the instruction decoder. They are storedin an Instruction Queue Buffer (IQB) via the Instruction Bus Controller (IBC).Again, the role of the IQB is to dispatch instructions constantly, i.e., bufferingthe difference of the speed of issuing instructions and the processing speed. Theprogram ROM stores the MALU instructions which are sent by the main controller.Figure 5.4 shows the schematic of the architecture; more details can be foundin [156].

Figure 5.4: Proposed system architecture.

5.2.4 Verification of Side-Channel Resistance: ExperimentalResults

In this section, the method for verifying simple side-channel resistance for the ECC-160p implementation will be discussed. We collect toggle counts for every registerin the whole design by running a GEZEL simulation. We first observed the togglecount of registers as shown in Fig 5.3 after verifying only the functionality. Moreprecisely, we evaluate the Hamming distance of each input of the registers whenthe state changes from 0 to 1 and 1 to 0. In this experiment, the dynamic power

Countermeasures 133

estimation is based only upon the toggle counts. From a simple side-channelanalysis point of view, it is sufficient to run the cycle-accurate simulations toguarantee a certain resistance against simple side-channel attacks since the totalamount of Hamming distance is correlated with the power consumption of theimplemented LSI.

The trace of the GEZEL simulation shows peaks which have constant intervals.The period is precisely corresponding to one MALU’s operation time (93 cycles).We can claim that TA-resistance is successfully implemented as intended. In otherwords, TA-resistance can be checked with the cycle-true functional simulations.However, if we look at the height of the peaks, some peaks are higher than others(e.g. the fourth and fifth MALU operations in point addition). They are alwayslocated at the same position in a point doubling and addition. Therefore, thisdesign has bugs in terms of SPA-resistance although its functionality and TA-resistance are implemented correctly.

Figure 5.5: Partial simple-SPA verification; (a) Toggle simulation result of theMALU. (b) Toggle simulation result of the controller.

Then, in order to identify the reason of the “big peaks”, we evaluate the partialHamming distance: First we separate the toggle count into two parts; one isobtained from the MALU and the other one is from the controller including the IBCand IQB. From the results shown in Fig. 5.5, we know the “big peaks” are mainlycaused by the MALU. Moreover, the potential risk of SPA in the controller becomes


apparent because the periodical character of the peaks in the trace respond to pointoperations. Thus, by doing partial simulation of the toggle count, we can findthe hidden security bugs which can not be found by the conventional functionalsimulation. In the following sections, we focus on explaining how to debug thiswith partial toggle counts.

Figure 5.6: Toggle simulation result for each register in the MALU; (a) No sidechannel attacks-verified design (b) After side channel attacks-verification and bug-fix.

Security Bug in the MALU

The MALU is composed of several registers and the datapath logic for operating(XY ± S) mod N . The registers provide the input data for the datapath(REGX , REGY , REGS), store the intermediate values (REGC0, REGC1), andcollect the result (REGR). The toggle simulation result for each register in theMALU is shown in Fig. 5.6-a. From the trace, we can find that the toggle count ofregisters for S and Y is irregular. More specifically, the simulation result indicates

Countermeasures 135

that the irregular toggle count of the register S affects the height of the peaks andeventually leads to the “big peaks” in the first simulation.

The reason of the irregularity is explained as follows. When setting the inputvalues for each modular multiplication-and-addition, the MALU has three differentprocedures depending on the type of operation:

1) (XY + S) mod N : REGX/Y ← X/Y and REGS ← S.

2) (XY − S) mod N : REGX/Y ← X/Y and REGS ← S.3) XY mod N : REGX/Y ← X/Y and REGS ← 0.

S denotes the bit inversion of S. It is used for the subtraction with 2’s complementrepresentation. Assuming that the probability of each bit of S having a value of1 is 0.5, the Hamming distance in setting register S can be considered the same.However, no toggle occurs with register S in the third type of operation. Thisobservation completely agrees with the simulation result.

Fixing the Security Bug

The simplest way of fixing the bug is to add a register that compensates the lackof toggle counts in the register S. Fortunately, the output register, REGR, is notused when the register S is used for the datapath. Therefore, we decide to reuseREGR for adding dummy toggle counts. Thus, we can put side-channel resistanceinto the design without area and performance penalties. The simulation resultafter fixing the bug is shown in Fig. 5.6-b. If evaluating the subtotal of the togglecount of REGS , REGR ad REGY , we see a good regularity in the trace as shownin Fig. 5.7.

Figure 5.7: Design after simple-SPA verification and countermeasure. Trace of thetoggle count per cycle for the whole design of ECC-160p.


5.3 A Practical Attack on an MDPL Implementationon an ASIC

5.3.1 Introduction

The research on power analysis attack countermeasures got momentum throughthe growing market of embedded devices and the need to have them secured.Amongst the first ones were noise generators [127], masking at the algorithmiclevel [15, 145] and random process interrupts [46]. These countermeasures donot attempt to eliminate the source of the leakage, but rather to preclude itsexploitation. Later, commercial and academic research started to address theproblem at its root: the logic gate level.

Over the past years, numerous logic styles have been proposed to deal with leakageat the gate level. They can be grouped into three main categories: i) masked logic(single-rail) which is difficult to protect from glitches, ii) dual-rail pre-charge logicwhich requires custom routing to balance the loads of complementary wire pairs,and iii) masked dual-rail pre-charge logic, which is a combination of the two formercategories. In this paragraph we focus on one specific logic style from the lastcategory, though our findings may affect logic styles with similar constructions aswell.

Masked Dual-rail Pre-charge Logic (MDPL) was published at CHES in 2005 byPopp et al. [151]. It follows straight and simple design principles in order toeliminate the exploitable side-channel leakage of logic gates. One year later, atCHES in 2006, Suzuki and Saeki described a systematic weakness of MDPL, knownas the early propagation effect (EPE) [176]. Another year later, at CHES in 2007,the authors of MDPL presented results of power analysis experiments based on anMDPL prototype chip [150]. They confirmed the EPE in practice but pointed outthat highly regular hardware designs seem unaffected. At the same conference,Tiri and Schaumont announced a new attack [161] known as the folding attackand showed that (in theory) dual-rail pre-charge logic and masking do not add upto a higher level of protection. The most recent paper on the topic is by Popp etal. [149], again presenting results of practical attacks. They show that the EPEdoes not “unconditionally break” a regularly structured MDPL implementationand, in contrast to our work, report that they were not able to implement asuccessful attack based on the principles of the folding attack.

As a matter of fact, most of the papers discussing the security of MDPL are purelytheoretical or provide evidence based on simulations. At present, it is unclear towhat extent these concepts affect the security provided by MDPL in practice. Theunsuccessful attacks of [150, 149] are only weak evidence of security. We fill thisgap and explore the level of protection provided by MDPL in praxis. We exposean MDPL prototype chip to a series of standard and particularly crafted power

A PRACTICAL ATTACK ON AN MDPL IMPLEMENTATION ON AN ASIC 137

analysis attacks. Our main results are successful and doubtless attacks as wellas novel insights into the power consumption properties of MDPL in real silicon.Our most remarkable observation is that random masks render the circuit morevulnerable to attacks than a fixed mask.

5.3.2 MDPL and Known Weaknesses

MDPL combines the ideas of Wave Dynamic Differential Logic (WDDL) [180] andRandom Switching Logic (RSL) [177]. The former is a dual-rail pre-charge logicstyle, designed to consume a constant amount of dynamic power with respect todata that is handled, but requiring a custom routing step to achieve this goal.The latter uses a mask bit to randomize the data processed by internal nodes,ensuring that the power consumption is uncorrelated to predictable values. Notethat the randomness is determined by the quality of the (pseudo-)random numbergenerator.

By combining the concepts of dual-rail pre-charge and masked logic, the authorsof MDPL aimed at getting rid of two problems at once. Using dual-rail pre-charge logic in combination with a mask bit, the authors wanted to avoid thetedious balancing of differential wire pairs. The imbalances would be acceptedbut randomized and thus not exploitable. The combination of dual-rail pre-chargelogic and the use of monotonic increasing positive functions guarantees that noglitches, which render masking useless, will occur.

In an MDPL circuit, all logic gates are masked with a mask bit m and itscomplement m. All MDPL flip-flops are fed with masks m ⊕ mn and m⊕mn

(where mn is the mask of the next clock cycle) to entail that the masks are switchedcorrectly from one cycle to the next. MDPL works in two phases: when the clock ishigh, the pre-charge wave is started by the MDPL flip-flops and travels graduallythrough the circuit bringing all differential pairs to a (0, 0)-state. At the sametime, also the signal trees for all mask signals are pre-charged to (0, 0). In thenext phase, the evaluation phase, when the clock is low, the flip-flops output theinternally stored values and all combinational logic gates evaluate to either (0, 1)or (1, 0) depending on the input data and the masks.

Early Propagation

Suzuki and Saeki showed that MDPL suffers from a systematic weakness knownas the early propagation effect (EPE) [176]. If inputs to a combinational gatehave different delay times, the MDPL gate will leak side-channel informationbecause the evaluation of the output does not wait until all inputs have arrived.This can result in a transient, data dependent, and mask independent leakage.


Suzuki and Saeki explained the theory behind the EPE in MDPL gates andinvestigated the leakage of different delay scenarios with the aid of an FPGAimplementation of 32 MDPL AND gates. Popp et al. investigated the samedeficiency in [150] by analyzing the leakage of an 8051 microcontroller implementedon an MDPL core while it executes a MOV operation. The DPA traces showedsevere leakage. Oddly enough, the likewise analyzed AES coprocessor implementedin MDPL did not show the same leakage. This phenomenon was attributedto the different implementation procedures. Popp et al. explained that themicrocontroller implementation leaked because it is an irregular design, whichprovokes the EPE, while the AES coprocessor is based on a highly regular design.

The Folding Attack

A folding attack as described by Schaumont and Tiri in [178, 161] exploits thefact that a random mask bit switches the circuit between two complementarystates with different power consumption profiles. They explain how a single maskbit influences the power consumption in a binary way. In a masked dual-railpre-charge circuit, the mask bit decides which of the complementary signal treespropagates the correct values. If the complementary signal trees have unbalancedloads, they have distinct power consumption profiles. When constructing theprobability density function (PDF) of the mean power consumption of a maskedcircuit in one evaluation or pre-charge phase of a single clock cycle, these twoprofiles show up as two symmetric and distinguishable distributions. Tiri andSchaumont clarified that these distributions are directly related to the values ofthe mask bit. Given this fact, an adversary can construct the PDF, fold the leftarea on top of the right area, which cancels the effect of the mask, and perform astandard DPA attack. Note that this approach would not succeed if the dual-railswere perfectly balanced because the two distributions would perfectly match. Tiriand Schaumont confirmed their theory with cycle accurate weighted toggle countsimulations whereas Popp et al. in [149] report that the attack does not work inpractice. We note that the folding attack is equivalent to the zero-offset secondorder DPA attack by Waddle and Wagner [181].

5.3.3 Measurement Setup and Measurements

Our goal is to investigate the security provided by MDPL in real-world experimentsusing a prototype chip. As for all empirical studies, experimental settings areimportant and we thus describe our setup in detail.

Our experimental platform is a prototype chip that consists of an Intel 8051-compatible microcontroller and an AES-128 cryptographic co-processor in 0.13 µmtechnology. These two components are implemented in several cores using several


DPA-resistant logic styles and standard CMOS logic (sCMOS). The chip furthercomprises a pseudo-random number generator (PRNG) that can be used to providerandom bits to the cores implemented in masked logic styles. We focus our analysison the AES-coprocessor in the core implemented in MDPL.

The AES implementation follows the highly regular architecture described in [121].Figure 5.8 shows the architecture of the AES-128 coprocessor.

Figure 5.8: Architecture of the AES-128 implementation.

The AES encryption operation is included in the data unit of the core, nextto it is the round key generation unit. The AES state is represented by 16data cells Ci,j with i, j ∈ [0, 1, 2, 3] in a 4 × 4 matrix outline. Each data cellcan perform the bitwise-xor addition of the round key. Below this matrix is arow of four implementations of the AES S-box, which are all one-stage pipelinedimplementations, such as the one described in [184]. On the left side of the matrixis an implementation of the MixColumn operation.

Encryption works as follows: the plaintext bytes are shifted into the data unitfrom right to left, four bytes (one column) at a time. After simultaneous round-key addition in all data cells, the rows are rotated vertically through the S-boxesand bytes within the rows are shifted horizontally according to the ShiftRowstransformation. After 5 clock cycles all bytes have been processed by SubBytes


and Shiftrows. Next, the columns of the matrix are rotated horizontally throughthe MixColumns implementation.

All experiments we describe in this paper focus on the power consumption ofdata cells C0,0 and C0,1 that store the S-box output values related to plaintextbytes 1 and 5 in the first round of AES. We choose these two plaintext bytesuniformly at random, while keeping the other 14 plaintext bytes constant to reducealgorithmic noise. This particular choice reflects a chosen plaintext attack scenario.Later on, before reaching conclusions, we show that the same results could havebeen achieved in a known plaintext setting where all plaintext bytes are chosen atrandom.

The measurement setup consists mainly of a printed circuit board, that containsthe chip and an on board measurement circuit. The measurement circuit includesan active circuit as introduced by Bucci et al. in [32]. The clock signal is providedby a waveform generator and the power traces are recorded with an oscilloscopewith 1 GHz bandwidth and 8bit resolution at a sampling rate of 2 GS/s.

We had to take special care to ensure that the measurement does not clip while atthe same time using as much of the vertical (amplitude) range of the oscilloscopeas possible to allow a good sampling resolution. Clipping causes annoying artifactsin the histograms and blurs the information.

5.3.4 Experiments and Results I: Warming Up

All attacks that we conducted used a difference of means test [108] and a correlationtest [52] in combination with each of the following prediction functions: theHamming weight of each single bit stored in cells C0,0 and C0,1 after the S-boxcomputation, the Hamming weights of the bytes stored in cells C0,0 and C0,1,the Hamming distances between the single bits stored in cells C0,0 and C0,1, andthe Hamming distance of the bytes in the two cells. However, we report only themost meaningful results, i.e. the combinations of prediction function and statisticaltest that lead to the clearest results. When using Hamming distance predictionfunctions we assumed that the key byte associated to cell C0,1 is known and triedto reveal the other key byte, which decreases the computational load withoutaffecting the generality of the result. It turned out that both statistical tests,difference of means and correlation analysis, perform very similar in our attacksand that in all cases both or none of them would reveal the key. We decided toreport the results of the correlation test, because the coefficient is normalized andhence to some extend interpretable.

Before diving into the analysis of the MDPL core with random masks, weperformed attacks on the sCMOS core and on the MDPL core with fixed maskvalues.


Attacks on the sCMOS Core

We first attacked the sCMOS core to have a reference in terms of difficultyto compare the attacks against MDPL. For this attack we used a set of 5000measurements. As expected, attacks with Hamming distance prediction functionsworked best as these relate to bit-flips. Oddly enough, we observed that not allbits leak similarly when flipping. Figure 5.9 shows the result of a correlation DPAattack using the HD of the MSB in cells C0,0 and C0,1 as prediction function.

Figure 5.9: DPA results for sCMOS, corr. attack with prediction of MSB of Byte1⊕ Byte5; left: corr. traces for all key hypotheses using 5000 measurements; right:evolution of min and max corr. per key hypothesis over number of measurements.

On the left side of the figure we show the correlation traces for all key hypotheseswhen using 5000 measurements. On the right side of the figure we show how themaximum and the minimum correlation coefficient for each key hypothesis (takenfrom the overall time interval) evolve over an increasing number of measurements.The traces for the correct hypothesis are plotted in black, all other are plotted ingrey. Note that the DPA peak appears in the clock cycle when the data in cellC0,1 is shifted to the left into cell C0,0 at a time index about 2600.

MDPL with Fixed Masks

Next we attacked the MDPL core with the mask value being permanently fixedto 0. In this setting, MDPL is dual rail pre-charge logic with unbalancedrouting of the complementary wire pairs and therefore vulnerable to DPA attacks.One can expect that the outcome of an attack mostly depends on measurementprecision and the number of measurements, as the exploitable imbalance betweencomplementary wires is tiny. For our attack we obtained a set of 400 000measurements. We obtained the best results, shown in Fig. 5.10, when predictingthe HW of the MSB of C0,0 right after the S-box computation. We assume thatthe net carrying this bit is somehow particularly difficult to route. Note that aclear DPA peak appears at a time index of about 2600. The peak appears at afalling clock edge because MDPL evaluates at falling clock edges.


Figure 5.10: DPA results for MDPL with fixed mask, corr. attack with prediction ofMSB of Byte1; left: corr. traces for all key hypotheses using 400000 measurements;right: evolution of min and max corr. per key hypothesis over number ofmeasurements.

5.3.5 Experiments and Results II: Real Stuff

For the next experiments we made sure that the PRNG that generates the maskbits for MDPL is seeded, initialized and started up correctly. We obtained a setof 1.2 million measurements.

Standard DPA against MDPL

In a first attempt we simply tried a “brute-force” DPA attack. Theoretically,MDPL should withstand standard DPA attacks independent of the statistical test,prediction function or number of measurements used. As mentioned earlier, theEPE may open a security hole but previous work indicated that the highly regulardesign of the AES co-processor prevents the EPE [150].

Figure 5.11 shows the result of an attack using the HW of byte 1 as prediction.We can see local DPA peaks near the rising clock edges at about time indexes 1000and 2000.

However, as the plot on the right side of Fig. 5.11 shows, these peaks do not standout with respect of the overall time frame. One could speculate whether using moremeasurements would lead to unambiguous results, but we consider this attack notsuccessful.

Features in Histograms of MDPL Power Consumption

In order to perform a folding attack, the adversary has to generate histogramsof the measurements. In [178, 161] the attack was performed based onsimulations done in GEZEL [162]. The simulation provides toggle counts of 0


Figure 5.11: DPA results for MDPL with random mask, corr. attack withprediction of HW of Byte1; left: corr. traces for all key hypotheses using 1.2Mmeasurements; right: evolution of min and max corr. per key hypothesis overnumber of measurements.

to 1 transitions that replace real measurements. The resulting histograms ofthe “power consumption” of the simulated MDPL circuit showed two distinctsymmetric distributions. In order to mimic the toggle count with physical powermeasurements, we need to reduce the parts of each measurement trace that areassociated with either of the two phases in every clock cycle to one value. Wedecided to represent the toggle count for each pre-charge and evaluation phase bythe empirical mean of the power consumption during that period.

The resulting histograms of an evaluation phase and a pre-charge phase are shownin the first row of Fig. 5.12. We used 50 000 physical measurements to generatethese histograms. At first glance, the histograms of the pre-charge phase followthe theory of Tiri and Schaumont, but the histogram of the evaluation phase looksremarkably different than what is expected. To reduce the noise in the histograms,we decided to take only particularly meaningful points in time into account andto represent the toggle count by the empirical mean of the power consumptionat those points in time. To identify this interesting part of the power traces, wecalculated the sum of the absolute differences of the measurements. The resultis shown in the second row of Fig. 5.12. The solid black line is the sum of theabsolute difference per time instant computed from 50 000 measurements. Thegrey lines indicate the exact time span we used to generate new histograms andthe dashed black line is a power trace for reference. Essentially, we skip thetransient oscillations in the beginning and the fading out time at the end of eachphase. The new histograms based on the selected time span are shown in thethird row of Fig. 5.12. Each of the phases shows four distinct distributions inthe histograms, although less visible in the pre-charge phase, very explicit in theevaluation phase. In the pre-charge phase the areas under the four distributionsare equal. In the evaluation phase the first and last distribution contain each 1

8 -thof the measurements, the two in the middle each 3

8 -th.

The four distinct distributions are due to the masking. MDPL flip-flops are fed


Precharge Evaluation

Figure 5.12: The evolution of the histograms of a pre-charge phase in the leftcolumn and an evaluation phase on the right for 50 000 measurements. The firstrow shows the histograms for the mean of the complete clock cycle. The secondrow represents the time intervals chosen to extract the final histograms which areshown in the third row.

with a different mask signal than the combinational MDPL logic, namely m⊕mn

instead of m. The combination of m and m⊕mn puts the circuit (more preciselythe mask signal trees) in four different states. Tiri and Schaumont reported ononly two of them because they did not take the MDPL flip-flops and thus thesignal tree m ⊕ mn into account. This results in a fourfold appearance of thedistribution that one could expect for an unmasked single-rail circuit.

Herding Measurements

The interesting observation that we made there is a strong correlation betweenthe four distributions that occur during each pre-charge and evaluation phase.


We begin with a pre-charge phase and assign each out of 50 000 measurementsto one out of four possible groups according to its membership to one of the fourvisible distributions. This yields a partitioning in four groups (PrA,PrB ,PrC ,PrD)of equal size. Next, we consider the following evaluation phase and repeatthe partitioning which yields four groups (EvA,EvB ,EvC ,EvD) with relativecardinalities 1,3,3,1.

The table on the left side of Fig. 5.13 shows how the 50 000 measurements transferbetween groups PrA,PrB ,PrC ,PrD and EvA,EvB ,EvC ,EvD when the circuitswitches from pre-charge phase to evaluation phase. We repeated the same analysisfor a transition from evaluation to pre-charge phase and show the transitionsbetween groups EvA,EvB ,EvC ,EvD and PrA,PrB ,PrC ,PrD in the table on theright side. The numbers are given as percentages and we note that the numbersin one row do not necessarily add up to 100% as outliners are not counted.

ր EvA EvB EvC EvD

PrA 47 49 2 0PrB 3 49 46 0PrC 0 42 53 4PrD 0 5 50 43

ր PrA PrB PrC PrD

EvA 1 2 82 7EvB 30 33 28 5EvC 31 32 5 26EvD 2 3 11 77

Figure 5.13: Transition of measurements between groups from pre-charge toevaluation phase in the left tabular, transition of measurements between groupsfrom evaluation to pre-charge phase in the right tabular.

Roughly said, the groups from the pre-charge phase split into two equally sizedparts when making the transition to the evaluation phase. In the other case, whena transition from evaluation phase to pre-charge phase is made, the measurementsfrom EvA and EvD are completely transfered to PrC and PrD, respectively, whilethe two larger groups EvB and EvC are spread equally over three groups of thepre-charge each. A reasonable explanation for this observation would be somecircuit effect that, in addition to m and m⊕mn, has a systematic impact on thepower consumption. One can think of the EPE, but this is only speculation.

Subset Attacks on MDPL

During our research it became clear that we can easily assign each singlemeasurement to one out of four distinct groups for each pre-charge and evaluationphase. Instead of folding directly, we first followed a different approach. Weassumed that each of the four distributions represents a particular state of themasks m and m ⊕mn. Thus, selecting a subset of measurements that all belongto the same distribution should yield a strong bias of the masks.


For each pre-charge and evaluation phase, we assigned the 1.2 million measure-ments to one of four distinct groups according to their distribution membershipbased on the histogram for that particular phase. We denote the groups A to Din the order of their appearance in the histograms from left to right. Next, wemounted DPA attacks using the original power traces as follows: i) dependingon the time index use the grouping previously determined for that particular pre-charge or evaluation phase ii) evaluate the prediction functions as usual iii) attackthe four groups of measurements separately.

Figure 5.14 shows the result of this approach when using the prediction functionHamming weight of bit 2 of byte 1. The plot on the top left hand side shows the

Figure 5.14: DPA results for MDPL with random mask, corr. attack against HW ofbit 2 of byte 1; top left: group A; top right: group B; bottom left: group C; bottomright:group D; corr. traces for all key hypotheses using 1.2M measurements.

DPA results based on measurements that were assigned to group A for the pointin time considered. Next to it, on the top right hand side, the plot shows theresult for measurements assigned to group B. The same for groups C and D in thesecond row. We can see that all four attacks lead to peaks that reveal the correctkey, in particular the attacks against groups B and C. These two attacks lead toclear peaks at the beginning of the same pre-charge phase at time index 1000.

The attack launched on measurements belonging to group C yielded an unexpect-edly clear DPA peak. We were interested in finding out how many measurementswould be necessary to reproduce this attack. The answer can be deduced from theplot on the right hand side of Fig. 5.15. According to our results, 300 000 samplesshould be enough for this attack to be successful.

The next step towards implementing the folding attack, is to fold the PDFs of each


pre-charge and evaluation phase. It turned out that, using real measurements,the folding is not as straight-forward as described by Schaumont and Tiri. Themain problem is that neither the PDFs of pre-charge phases nor the PDFs ofevaluation phases are symmetric, which makes it difficult to decide where to fold.Nevertheless, we folded all PDFs once around the empirical mean, which yieldsPDFs with two distributions. Exposing one of them to a DPA attack resultedindeed in correlation peaks in some cases, but they were less clear than the peakswe achieved with our subset attack.

Figure 5.15: DPA results for MDPL with random mask, corr. attack withprediction of HW of bit 2 of byte 1; left: corr. traces for all key hypotheses using1.2 M measurements; right: evolution of min and max corr. per key hypothesisover number of measurements.

Extrapolation to a Known Plaintext Scenario. We were interested in determin-ing whether our subset attack could be reproduced in known plaintext scenarioswhere the measurements are polluted with algorithmic noise, and in quantifyinghow difficult the attack would be.

We obtained a set of 50 000 measurements for which all 16 plaintext bytes wererandomly chosen from a uniform distribution and generated histograms for allpre-charge and evaluation phases as described in Section 5.3.5. Figure 5.16 showsexemplary histograms for a pre-charge and an evaluation phase. Again, the PDFcontains four distinct distributions, though they appear slightly blurred due tothe enhanced algorithmic noise. Nevertheless, it is clear that the division in fourdifferent sets can be carried out.

In order to determine how difficult our attack would be in this scenario, i.e. howmany measurements would be necessary, we first compute the expected height ofthe correlation peak and then use this number to estimate how many measurementswould be required.

The correlation peak for the correct key hypothesis in Fig. 5.15 converges towardsa value of ρ = 0.023. Note that this peak is caused by partial correlation as we


Figure 5.16: The histograms in case all plaintext bytes are chosen at random (left:pre-charge phase, right: evaluation phase).

target a single bit while 16 bits (the 2 chosen bytes) are active. Using the formulasfor partial correlation from [30] we calculate that, in the known plaintext scenario,

the correlation peak decreases to ρ′ = ρ ·√

16160 = 0.0073 (where 160 is the number

of active bits: 128 in the AES state and 32 in the four S-box implementations).

With the formulas provided by Mangard in [120] we estimate the number of samplesrequired for our attack to reveal the key byte with high probability (α = 0.9999)as ∼ 520 000. This is however only a very rough estimation.

5.4 Conclusion

In this chapter we present research towards two side-channel countermeasureswith a specific focus on the power consumption side-channel. Although this isnot the main topic of the dissertation, it is pointed out that resistance againstpower consumption analysis is a prerequisite to withstand electromagnetic analysisattacks.

Firstly, we introduce a simple side-channel resistant design flow at system-level.In our experiment, it is effective to evaluate the partial toggle count in orderto identify potential security bugs. SPA-resistant design needs the additionalverification step, although TA-resistance can be checked in the functionalsimulation.

Secondly, we present results of an extensive case study of power analysis attacksagainst an MDPL prototype chip. MDPL withstands standard DPA attacksbut it can be easily weakened by choosing only a subset of the available powermeasurements based on an analysis of the power distribution profiles. MDPLdoes not resist Standard DPA attacks using only subsets of the measurements.This is a simple, yet practical and thus important result. Analysis of powerprobability densities indeed exposes MDPL’s greatest weakness: the masking

CONCLUSION 149

renders the circuit more vulnerable to attacks than a circuit with deactivatedmasking. Additionally, our analysis leads to novel insights into the powerconsumption properties of MDPL in real silicon: instead of showing two distinctpower distributions in each phase of an MDPL cycle as expected by Tiri andSchaumont, we demonstrate the existence of four distributions.

The previous sentence reveals a weakness of the first study presented in this chapter.Because the GEZEL toggle count is used as a model for the power consumption,care has to be taken that all power consumption effects are taken into account. Amodel is indeed only as good as it resemblance to reality.

Chapter 6

Conclusions and Future Work

6.1 Conclusions

In this thesis, we dealt with a series of topics in the field of electromagnetic analysis.The core contributions were discussed in Chapter 3, 4 and 5.

In Chapter 1 and 2, we started with a simple introduction on implementationattacks and the basics of side-channel analysis attacks. Next the electromagneticside-channel was discussed. We zoomed in on the origin of the radiation andthe theoretical framework to describe the relation between origin and resultingfields, the Maxwell equations. Because of the complexity of the current andcharge distributions inside a circuit, it is in practice impossible to calculatethe exact surrounding electromagnetic field. This did not prevent us to discusssome properties and basic notions about these fields that enlightened the topicsdiscussed further on in the thesis. We also mentioned four common ways to exploitelectromagnetic radiation. In the remaining chapters, three of them were used. Wediscussed both local remote electromagnetic analysis and analysis of modulatedsignals in Chapter 3. The use of direct local radiation was discussed in Chapter4. The exploitation is not shown in practice, but the requirements for the sensorsneeded to perform this kind of analysis are detailed upon in a theoretical setting.

Main conclusion for Chapter 1 and 2. The electromagnetic analysis side-channelis a very complex problem. In practice, it is impossible to calculate the exact fielddistribution of a circuit at every moment in time. However, we discuss certainproperties which an attacker can bear in mind during his analysis.

Next, in Chapter 3 we described electromagnetic analysis attacks in practice on

151

152 CONCLUSIONS AND FUTURE WORK

elliptic curve cryptosystems. We showed the feasibility of using demodulationtechniques and local remote electromagnetic analysis. The attack described wasthe first published simple and differential electromagnetic analysis attack of anECC implementation on an FPGA. At the time of writing down the results,a quick comparison between the Pearson correlation results and Kocher DPAwas introduced. Although the difference between them is not negligible, thecomparison was not performed in a sound and fair way; therefore we presentedin the same chapter an example of how the analysis should have been done inaccordance with the theoretical framework introduced by Standaert et al. Theattack is only one of the many options an attacker has to break the security of anECC implementation. A state-of-the-art overview of most of the implementationattacks and countermeasures published so far was added to the chapter to completethe topic and position the attack in the abundance of attack possibilities, butalso to help a future designer to make the correct choices with respect to thecountermeasures he introduces in his design.

Main conclusion for Chapter 3. Different types of electromagnetic analysisattacks are possible on an FPGA ECC implementation. We also point out thatwhen a designer wants to use ECC to secure his device, he needs to be fullyaware of the whole range of implementation attacks and the effect of insertingcountermeasures. Countermeasures need to be specific, additive and complete.

Chapter 4 was dedicated to the design of measurement probes for direct localnear-field measurements. Although the desired properties depend on what anattacker wants to measure, we discussed some of them and illustrated them withcase studies in a specific setting: magnetic and electric field sensitivity properties,balancing, matching, resolution, frequency behavior and current distribution.

Main conclusion for Chapter 4. The measurement probe is an important elementof the measurement setup. Measurement probes need to be designed for aspecific application and purpose if an attacker wants to take full advantage ofthe measurement setup.

Finally, the last chapter, Chapter 5, discussed first a design flow as an aid toimplement simple side-channel resistant cryptographic algorithms at the RTLlevel. The proposed flow is for sure not waterproof, but as the implementationof side-channel resistant algorithms is an iterative procedure, it can serve as afirst indicative step. After that, we discussed the resistance against power analysisattacks of a specific logic style that was specifically designed to preclude this attack.We showed that, although the security level increases substantially, it is again notperfect. This once more proves that the perfect countermeasures does not existor that it is at least very hard to implement. Both topics are only researched infunction of their resistance towards power analysis. This does not mean that they

FUTURE WORK 153

stand outside the topic of this thesis as it is pointed out that an implementationthat is secure against electromagnetic analysis attacks is by definition also secureagainst power analysis attacks.

Main conclusion for Chapter 5. Implementing side-channel resistant crypto-graphic algorithms is an iterative process. A design flow at the RTL level ofdesign is introduced to serve as a first indicative step towards simple power analysisresistance. Besides an iterative process, we confirm that perfect countermeasuresdo not exist or are at least hard to implement due to the complexity of theunderlying hardware.

6.2 Future Work

This thesis contains some loose ends that need more work before certain topicscan be closed.

In Chapter 3 we made a survey on implementation attacks on elliptic curvecryptography which resulted in Table 3.1. As pointed out over there, this tableis far from complete and many interesting research topics are left. Besides that,it is interesting to evaluate the effectiveness of combined countermeasures and togive a good estimate on the cost of the countermeasures and the trade-off betweensecurity and cost for different sets of countermeasures.

The study in Section 4.7 resulted in a proposal for a loop type to perform a firstexamination of the field generated by the device under attack. The proposal neverleft the design table and an actual implementation and measurements should bemade to conform the usability of the probe.

In the same chapter in Section 4.10, we make a first evaluation of the relationbetween small probes and their resolution as a function of the desired bandwidthand given field amplitudes. In this reasoning, we introduced some artifacts in theresults which require careful interpretation. Hence, a more rigorous investigationshould be performed. The whole design process should be re-examined and a moreanalytical approach should be followed to remove the discontinuities in the results.

Besides the loose ends, some long term research topics arose from the work thathas been done over the past years.

It has been stressed throughout this work that the measurement setup is a crucialelement in an electromagnetic side-channel analysis experiment. The degrees offreedom to take electromagnetic measurements are much higher than for powerconsumption measurements. Nowadays, more and more universities and evaluationlabs possess an automated XY table to scan the surface of the chip. Although the

154 CONCLUSIONS AND FUTURE WORK

freedom to position the probe is for sure one of the strong points of electromagneticanalysis, it also creates the need for an enormous amount of measurement dataif each point (x, y, z) has to be tested for its sensitivity towards side-channelvulnerabilities.

Some research has been done to select appropriate coordinates without having totest all points for its resistance against side-channel attacks, e.g. [154, 159], butso far, none of the algorithms has been compared against each other or extensivelytested on various platforms and algorithms.

Another interesting problem that has not been solved yet, is the frequency rangewhere an adversary wants to measure and what signal processing he wants toapply to these measurements. Nor an analytical, nor a practical approach hasbeen studied in much detail. While an analytical approach might be very hard toconstruct, it would be advantageous to decide on a public measurement strategyinstead of the commonly used trial-and-error method.

Bibliography

[1] Users’s Manual Near-Field Probe Set Model 7405.

[2] HF Antenna Cookbook – Technical Application Report – Radio FrequencyIdentification Systems. Technical report, Texas Instruments, 2004.

[3] Design, Automation and Test in Europe Conference and Exposition - DATE2009, Nice, France, April 20-24, 2009, Proceedings. IEEE, 2009.

[4] W. Aerts, E. De Mulder, B. Preneel, G. Vandenbosch, and I. Verbauwhede.Matching Shielded Loops for Cryptographic Analysis. In 1st EuropeanConference on Antennas and Propagation - EuCAP 2006, pages 1–6,Nice,FR, 2006. IEEE.

[5] W. Aerts, E. De Mulder, B. Preneel, G. Vandenbosch, and I. Verbauwhede.Dependence of RFID Reader Antenna Design on Read Out Distance. IEEETransactions on Antennas & Propagation, 56(12):3829–3837, 2008.

[6] W. Aerts, E. De Mulder, B. Preneel, G. Vandenbosch, and I. Verbauwhede.Designing Maximal Resolution Loop Sensors for Cryptographic Analysis.In 3rd European Conference on Antennas and Propagation - EuCAP 2009,pages 1–5, Berlin,GE, 2009. IEEE.

[7] National Security Agency. NACSIM 5000: TEMPEST Fundamentals.Partially released, February 1982.

[8] Agilent. Agilent Technologies 8510C Network Analyzer System – Operatingand Programming Manual.

[9] D. Agrawal, B. Archambeault, S. Chari, J. R. Rao, and P. Rohatgi. Advancesin Side-Channel Cryptanalysis Electromagnetic Analysis and TemplateAttacks. RSA Laboratories Cryptobytes, 6:20–32, 2003.

[10] D. Agrawal, B. Archambeault, S. Chari, J. R. Rao, and P. Rohatgi. Power,EM and All That: Is your Crypto Device Really Secure? Presentationat Workshop on Elliptic Curve Cryptography, August 11-13 2003.

155

156 BIBLIOGRAPHY

http://www.cacr.math.uwaterloo.ca/conferences/2003/ecc2003/

rohatgi.ppt.

[11] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi. The EM Side-Channel(s). In Kaliski et al. [103], pages 29–45.

[12] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi. TheEM Side-Channel(s): Attacks and Assessment Methodologies.http://www.research.ibm.com/intsec/emf-paper.ps, 2003.

[13] D. Agrawal, J. R. Rao, and P. Rohatgi. Multi-channel Attacks. In Walteret al. [183], pages 2–16.

[14] T. Akishita and T. Takagi. Zero-Value Point Attacks on Elliptic CurveCryptosystem. In C. Boyd and W. Mao, editors, ISC, volume 2851 of LectureNotes in Computer Science, pages 218–233. Springer, 2003.

[15] M.-L. Akkar and C. Giraud. An Implementation of DES and AES, Secureagainst Some Attacks. In C.K. Koc et al. [36], pages 309–318.

[16] Nationaal Bureau voor Verbindingsbeveiliging AlgemeneInlichtingen-en Veiligheidsdienst, Directie Beveiliging. Aanvallenop het Stemgeheim via Elektromagnetische Effecten.http://wijvertrouwenstemcomputersniet.nl/images/c/c0/

20061027_aivd_rapport.pdf, 2006.

[17] Ross Anderson. Security Engineering. John Wiley & Sons, 2008.

[18] R. M. Avanzi. Side Channel Attacks on Implementations of Curve-BasedCryptographic Primitives. Cryptology ePrint Archive, Report 2005/017,2005. http://eprint.iacr.org/.

[19] A.D. Olver A.W. Rudge, K. Milne and P. Knight, editors. The Handbook ofAntenna Design. IEE Electromagnetic Waves Series, 1983.

[20] Y.-J. Baek and I. Vasyltsov. How to Prevent DPA and Fault Attack in aUnified Way for ECC Scalar Multiplication - Ring Extension Method. InE. Dawson and D. S. Wong, editors, ISPEC, volume 4464 of Lecture Notesin Computer Science, pages 225–237. Springer, 2007.

[21] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan. TheSorcerer’s Apprentice Guide to Fault Attacks. Proceedings of the IEEE,94(2):370–382, Feb. 2006.

[22] L. Batina, B. Gierlichs, and K. Lemke-Rust. Comparative Evaluation ofRank Correlation Based DPA on an AES Prototype Chip. In Proceedingsof the 11th international conference on Information Security - ISC 2008:,pages 341–354, Berlin, Heidelberg, 2008. Springer.

http://www.cacr.math.uwaterloo.ca/conferences/2003/ecc2003/ rohatgi.ppt

http://www.research.ibm.com/intsec/emf-paper.ps

http://wijvertrouwenstemcomputersniet.nl/images/c/c0/ 20061027_aivd_rapport.pdf

http://eprint.iacr.org/

BIBLIOGRAPHY 157

[23] D.J. Bernstein and T. Lange. Faster Addition and Doubling on EllipticCurves. In K. Kurosawa, editor, ASIACRYPT, volume 4833 of Lecture Notesin Computer Science, pages 29–50. Springer, 2007.

[24] I. Biehl, B. Meyer, and V. Muller. Differential Fault Attacks on EllipticCurve Cryptosystems. In M. Bellare, editor, CRYPTO, volume 1880 ofLecture Notes in Computer Science, pages 131–146. Springer, 2000.

[25] I. Blake, G. Seroussi, N. Smart, and J. W. S. Cassels. Advances in EllipticCurve Cryptography (London Mathematical Society Lecture Note Series).Cambridge University Press, New York, NY, USA, 2005.

[26] I. Blake, G. Seroussi, and N. P. Smart. Elliptic Curves in Cryptography.London Mathematical Society Lecture Note Series. Cambridge UniversityPress, 1999.

[27] J. Blomer, M. Otto 0002, and J.-P. Seifert. Sign Change Fault Attacks onElliptic Curve Cryptosystems. In L. Breveglieri, I. Koren, D. Naccache, andJ.-P. Seifert, editors, FDTC, volume 4236 of Lecture Notes in ComputerScience, pages 36–52. Springer, 2006.

[28] D. Boneh, R. A. DeMillo, and R. J. Lipton. On the Importance of CheckingCryptographic Protocols for Faults (Extended Abstract). In W. Fumy, editor,Advances in Cryptology - EUROCRYPT 1997, International Conferenceon the Theory and Application of Cryptographic Techniques, Konstanz,Germany, May 11-15, 1997, Proceeding, volume 1233 of Lecture Notes inComputer Science, pages 37–51. Springer, 1997.

[29] L. Breveglieri, S. Gueron, I. Koren, D. Naccache, and J.-P. Seifert,editors. Fifth International Workshop on Fault Diagnosis and Tolerance inCryptography, 2008, FDTC 2008, Washington, DC, USA, 10 August 2008.IEEE Computer Society, 2008.

[30] E. Brier, C. Clavier, and F. Olivier. Correlation Power Analysis with aLeakage Model. In Joye and Quisquater [99], pages 16–29.

[31] E. Brier and M. Joye. Weierstraß Elliptic Curves and Side-Channel Attacks.In D. Naccache and P. Paillier, editors, Public Key Cryptography, volume2274 of Lecture Notes in Computer Science, pages 335–345. Springer, 2002.

[32] M. Bucci, L. Giancane, R. Luzzi, G. Scotti, and A. Trifiletti. EnhancingPower Analysis Attacks Against Cryptographic Devices. IEEE, 2006.

[33] P. Buysschaert and E. De Mulder. Elektromagnetische Analyse (EMA) vaneen FPGA implementatie van een elliptische krommen cryptosysteem. Mas-ter’s thesis, Katholieke Universiteit Leuven, Departement Elektrotechniek -ESAT, Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium, May 2004.

158 BIBLIOGRAPHY

[34] P. Buysschaert, E. De Mulder, S. B.Ors, P. Delmotte, B. Preneel,G. Vandenbosch, and I. Verbauwhede. Electromagnetic Analysis Attack onan FPGA Implementation of an Elliptic Curve Cryptosystem. In EUROCON2005 - The International Conference on ”Computer as a Tool”, pages 1879–1882, Belgrade,CS, 2005. IEEE.

[35] V. Carlier, H. Chabanne, E. Dottax, and H. Pelletier. Generalizing SquareAttack using Side-Channels of an AES Implementation on an FPGA. InT. Rissa, S. J. E. Wilton, and P. H. W. Leong, editors, FPL, pages 433–437.IEEE, 2005.

[36] C. K. Koc, D. Naccache, and C. Paar, editors. Cryptographic Hardware andEmbedded Systems - CHES 2001, 3rd International Workshop, Paris, France,May 14-16, 2001, Proceedings, volume 2162 of Lecture Notes in ComputerScience. Springer, 2001.

[37] C. K. Koc and C. Paar, editors. Cryptographic Hardware and EmbeddedSystems - CHES 1999, 1st International Workshop, Worcester, MA, USA,August 12-13, 1999, Proceedings, volume 1717 of Lecture Notes in ComputerScience. Springer, 1999.

[38] S. Chari, J.R. Rao, and P. Rohatgi. Template Attacks. In Kaliski et al. [103],pages 15–29.

[39] B. Chevallier-Mames, M. Ciet, and M. Joye. Low-Cost Solutions forPreventing Simple Side-Channel Analysis: Side-Channel Atomicity. IEEETrans. Computers, 53(6):760–768, 2004.

[40] M. H. Choudhury. Electromagnetism. Ellis Horwood Limited, 1989.

[41] S. Chow, P. A. Eisen, H. Johnson, and P. C. van Oorschot. A White-Box DESImplementation for DRM Applications. In J. Feigenbaum, editor, DigitalRights Management Workshop, volume 2696 of Lecture Notes in ComputerScience, pages 1–15. Springer, 2002.

[42] S. Chow, P. A. Eisen, H. Johnson, and P. C. van Oorschot. White-BoxCryptography and an AES Implementation. In K. Nyberg and H. M. Heys,editors, Selected Areas in Cryptography, volume 2595 of Lecture Notes inComputer Science, pages 250–270. Springer, 2002.

[43] K.-Il Chung, K. Sohn, and M. Yung, editors. Information SecurityApplications, 9th International Workshop - WISA 2008, Jeju Island, Korea,September 23-25, 2008, Revised Selected Papers, volume 5379 of LectureNotes in Computer Science. Springer, 2009.

[44] M. Ciet and M. Joye. (Virtually) Free Randomization Techniques for EllipticCurve Cryptography. In S. Qing, D. Gollmann, and J. Zhou, editors, ICICS,

BIBLIOGRAPHY 159

volume 2836 of Lecture Notes in Computer Science, pages 348–359. Springer,2003.

[45] M. Ciet and M. Joye. Elliptic Curve Cryptosystems in the Presence ofPermanent and Transient Faults. Des. Codes Cryptography, 36(1):33–43,2005.

[46] C. Clavier, J.-S. Coron, and N. Dabbous. Differential Power Analysis in thePresence of Hardware Countermeasures. In C K. Koc and C. Paar, editors,CHES, volume 1965 of Lecture Notes in Computer Science, pages 252–263.Springer, 2000.

[47] H. Cohen, G. Frey, and R. Avanzi. Handbook of Elliptic and HyperellipticCurve Cryptography. Chapman & Hall/CRC, 2006.

[48] H. Cohen, A. Miyaji, and T. Ono. Efficient Elliptic Curve ExponentiationUsing Mixed Coordinates. In K. Ohta and D. Pei, editors, ASIACRYPT,volume 1514 of Lecture Notes in Computer Science, pages 51–65. Springer,1998.

[49] L. Cohen. Generalized Phase-Space Distribution Functions. Journal ofMathematical Physics, 7(5):781–786, 1966.

[50] The Okonite Company. Minimum Bending Radii. Technical report, TheOkonite Company, September 2008.

[51] J.-S. Coron. Resistance against Differential Power Analysis for Elliptic CurveCryptosystems. In C. K. Koc and Paar [37], pages 292–302.

[52] J.-S. Coron, P.C. Kocher, and D. Naccache. Statistics and Secret Leakage.In Financial Cryptography, pages 157–173, 2000.

[53] J. Dale. Loop Antennas. http://www.frontiernet.net/˜jadale/Loop.htm.

[54] Y. Desmedt, editor. Public Key Cryptography - PKC 2003, 6th InternationalWorkshop on Theory and Practice in Public Key Cryptography, Miami, FL,USA, January 6-8, 2003, Proceedings, volume 2567 of Lecture Notes inComputer Science. Springer, 2002.

[55] I. Diaconu and D. Dorohoi. Properties of Polyurethane Thin Films.Optoelectronics and Advanced Materials, 7(2):921–924, April 2005.

[56] A. Dominguez-Oviedo. On Fault-based Attacks and Countermeasures forElliptic Curve Cryptosystems. Canada, 2008.

[57] W. Van Eck and N. Laborato. Electromagnetic Radiation from Video DisplayUnits: An Eavesdropping Risk? Computers & Security, 4:269–286, 1985.

http://www.frontiernet.net/~jadale/Loop.htm

160 BIBLIOGRAPHY

[58] R. Ediss. Probing the Magnetic Field Probe. EMC & Compliance Journal,47:1–6, July 2003.

[59] European Parliament and of the Council of 15 December 2004. Directive2004/108/EC of the European Parliament and of the Council of 15 December2004 on the approximation of the laws of the Member States relating toelectromagnetic compatibility and repealing Directive 89/336/EEC. OfficialJournal of the European Union, L 390:24–37, December 31 2004.

[60] J. Fan, X. Guo, E. De Mulder, P. Schaumont, B. Preneel, andI. Verbauwhede. State-of-the-art of secure ECC implementations: asurvey on known side-channel attacks and countermeasures. In 3rd IEEEInternational Workshop on Hardware-Oriented Security and Trust - HOST2010, page 12, Anaheim Convention Center,CA,USA, 2010. IEEE.

[61] K. Finkenzeller. RFID Handbook. John Wiley and Sons, 2 edition, 2003.

[62] Radio Reference Forum. Radioreference.com.http://forums.radioreference.com/antennas-coax-forum/

171090-making-receive-loop-antenna-2.html.

[63] K. Fotopoulou and Br. W. Flynn. Optimum Antenna Coil Structure forInductive Powering of Passive RFID Tags. In IEEE International Conferenceon RFID, pages 71–77, 2007.

[64] P. Fouque, D. Real, F. Valette, and M. Drissi. The Carry Leakage on theRandomized Exponent Countermeasure. In Oswald and Rohatgi [146], pages198–213.

[65] P.-A. Fouque, R. Lercier, D. Real, and F. Valette. Fault Attack onEllipticCurve Montgomery Ladder Implementation. In Breveglieri et al. [29], pages92–98.

[66] P.-A. Fouque and F. Valette. The Doubling Attack - Why Upwards Is Betterthan Downwards. In Walter et al. [183], pages 269–280.

[67] D. Gabor. Theory of Communication. J. Inst. Electrical Engineering,93(III):429–457, Nov 1946.

[68] K. Gandolfi, C. Mourtel, and F. Olivier. Electromagnetic Analysis: ConcreteResults. In C. K. Koc et al. [36], pages 251–261.

[69] C. Gebotys and B. White. EM Alignment Using Phase for Secure EmbeddedSystems. Design Automation for Embedded Systems, 12(3):185–206, 2008.

[70] C. H. Gebotys, S. Ho, and C. C. Tiu. EM Analysis of Rijndael and ECC ona Wireless Java-Based PDA. In Rao and Sunar [153], pages 250–264.

http://forums.radioreference.com/antennas-coax-forum/ 171090-making-receive-loop-antenna-2.html

BIBLIOGRAPHY 161

[71] C. H. Gebotys, C. C. Tiu, and X. Chen. A Countermeasure for EM Attackof a Wireless PDA. In International Symposium on Information Technology:Coding and Computing (ITCC 2005), Volume 1, 4-6 April 2005, Las Vegas,Nevada, USA, pages 544–549. IEEE Computer Society, 2005.

[72] C. H. Gebotys and B. A. White. A Phase Substitution Technique forDEMA of Embedded Cryptographic Systems. In ITNG, pages 868–869.IEEE Computer Society, 2007.

[73] C. H. Gebotys and B. A. White. EM Analysis of a Wireless Java-BasedPDA. ACM Trans. Embed. Comput. Syst., 7(4):1–28, 2008.

[74] B. Gierlichs, K. Lemke-Rust, and C. Paar. Templates vs. Stochastic Methods.In Goubin and Matsui [77], pages 15–29.

[75] Dr. J.J. Goedbloed. Elektromagnetische compatibiliteit. Ten Hagen en Stam,Den Haag/Deventer, 2000.

[76] L. Goubin. A Refined Power-Analysis Attack on Elliptic CurveCryptosystems. In Desmedt [54], pages 199–210.

[77] L. Goubin and M. Matsui, editors. Cryptographic Hardware and EmbeddedSystems - CHES 2006, 8th International Workshop, Yokohama, Japan,October 10-13, 2006, Proceedings, volume 4249 of Lecture Notes in ComputerScience. Springer, 2006.

[78] F. W. Gover. Inductance Calculations: Working Formulas and Tables. DoverPublications, 1946.

[79] G. Grandi, M. K. Kazimierczuk, A. Massarini, and U. Reggiani. Stray Ca-pacitances of Single-Layer Solenoid Air-Core Inductors. IEEE Transactionson Industry Applications, 35(5):1162–1168, September/October 1999.

[80] A. Grosssmann and J. Morlet. Decomposition of Hardy Functionsinto Square Integrable Wavelets of Constant Shape. SIAM Journal onMathematical Analysis, 15:723–736, 1984.

[81] S. Guilley, P. Hoogvorst, and R. Pacalet. A Fast Pipelined Multi-Mode DESArchitecture Operating in IP Representation. Integr. VLSI J., 40(4):479–489,2007.

[82] H. Schrank and J. D. Mahony. Approximations to the RadiationResistance and Directivity of Circular-Loop Antennas. IEEE Antennnasand Propagation Magazine, 36(4):52–55, August 1994.

[83] J. Ha, J. Park, S.-J. Moon, and S.-M. Yen. Provably Secure CountermeasureResistant to Several Types of Power Attack for ECC. In S. Kim, M. Yung,and H.-W. Lee, editors, WISA, volume 4867 of Lecture Notes in ComputerScience, pages 333–344. Springer, 2007.

162 BIBLIOGRAPHY

[84] H. Handschuh, P. Paillier, and J. Stern. Probing Attacks on Tamper-Resistant Devices. In C. K. Koc and Paar [37], pages 303–315.

[85] R.F. Harrington. Time-Harmonic Electromagnetic Fields. Wiley-IEEEPress, 2 edition, 2001.

[86] S. Harris. An Extension of the Method of Measuring Inductances andCapacities. Proceedings of the IRE, 17(3):516–518, March 1929.

[87] C. Herbst and M. Medwed. Using Templates to Attack Masked MontgomeryLadder Implementations of Modular Exponentiation. In Chung et al. [43],pages 1–13.

[88] N. Homma, A. Miyamoto, T. Aoki, A. Satoh, and A. Shamir. Collision-BasedPower Analysis of Modular Exponentiation Using Chosen-Message Pairs. InOswald and Rohatgi [146], pages 15–29.

[89] N. Homma, S. Nagashima, Y. Imai, T. Aoki, and A. Satoh. High-ResolutionSide-Channel Attack Using Phase-Based Waveform Matching. In Goubinand Matsui [77], pages 187–200.

[90] CNRS Institut Telecom, Telecom ParisTech. The DPA Contest.http://www.dpacontest.org/, 2009.

[91] Y. Ishai, M. Prabhakaran, A. Sahai, and D. Wagner. Private Circuits II:Keeping Secrets in Tamperable Circuits. In S. Vaudenay, editor, Advancesin Cryptology - EUROCRYPT 2006, 25th Annual International Conferenceon the Theory and Applications of Cryptographic Techniques, St. Petersburg,Russia, May 28 - June 1, 2006, Proceedings, volume 4004 of Lecture Notesin Computer Science, pages 308–327. Springer, 2006.

[92] Y. Ishai, A. Sahai, and D. Wagner. Private Circuits: Securing Hardwareagainst Probing Attacks. In D. Boneh, editor, Advances in Cryptology -CRYPTO 2003, 23rd Annual International Cryptology Conference, SantaBarbara, California, USA, August 17-21, 2003, Proceedings, volume 2729 ofLecture Notes in Computer Science, pages 463–481. Springer, 2003.

[93] ISO/IEC/JTC1 Information technology. Identification cards - contactlessintegrated circuit(s) cards - proximity cards - part 1:physical characteristics.International standard ISO/IEC 14443-1, ISO/IEC/JTC1, 1997.

[94] ISO/IEC/JTC1 Information technology. Identification cards - contactlessintegrated circuit(s) cards - proximity cards - part 2:radio frequencypower and signal interface. International standard ISO/IEC 14443-2,ISO/IEC/JTC1, 1999.

http://www.dpacontest.org/

BIBLIOGRAPHY 163

[95] ISO/IEC/JTC1 Information technology. Identification cards - contactlessintegrated circuit(s) cards - proximity cards - part 3:initialization andanticollision. International standard ISO/IEC 14443-3, ISO/IEC/JTC1,1999.

[96] ISO/IEC/JTC1 Information technology. Identification cards - contactlessintegrated circuit(s) cards - proximity cards - part 4:transmission protocol.International standard ISO/IEC 14443-1, ISO/IEC/JTC1, 2000.

[97] T. Izu and T. Takagi. Exceptional Procedure Attack on Elliptic CurveCryptosystems. In Desmedt [54], pages 224–239.

[98] M. Joye. On the Security of a Unified Countermeasure. In Breveglieri et al.[29], pages 87–91.

[99] M. Joye and J.-J. Quisquater, editors. Cryptographic Hardware andEmbedded Systems - CHES 2004, 6th International Workshop Cambridge,MA, USA, August 11-13, 2004, Proceedings, volume 3156 of Lecture Notesin Computer Science. Springer, 2004.

[100] M. Joye and C. Tymen. Protections against Differential Analysis for EllipticCurve Cryptography. In C. K. Koc et al. [36], pages 377–390.

[101] M. Joye and S.-M. Yen. The Montgomery Powering Ladder. In Kaliski et al.[103], pages 291–302.

[102] A. Juels. RFID Security and Privacy: a Research Survey. IEEE Journal onSelected Areas in Communications, 24(2):381–394, Feb. 2006.

[103] B. S. Jr. Kaliski, C. K. Koc, and C. Paar, editors. Cryptographic Hardwareand Embedded Systems - CHES 2002, 4th International Workshop, RedwoodShores, CA, USA, August 13-15, 2002, Proceedings, volume 2523 of LectureNotes in Computer Science. Springer, 2002.

[104] Z. Kfir and A. Wool. Picking Virtual Pockets using Relay Attacks onContactless Smartcard Systems, 2005.

[105] I. Kirschenbaum and A. Wool. How to Build a Low-Cost, Extended-RangeRFID Skimmer. In Proceedings of the 15th USENIX Security Symposium,pages 43–57. USENIX, 31th of July - 4th of August 2006.

[106] N. Koblitz. Elliptic Curve Cryptosystem. Math. Comp., 48:203–209, 1987.

[107] P. C. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA,DSS, and Other Systems. In N. Koblitz, editor, Advances in Cryptology- CRYPTO 1996, 16th Annual International Cryptology Conference, SantaBarbara, California, USA, August 18-22, 1996, Proceedings, volume 1109 ofLecture Notes in Computer Science, pages 104–113. Springer, 1996.

164 BIBLIOGRAPHY

[108] P. C. Kocher, J. Jaffe, and B. Jun. Differential Power Analysis. InM. J. Wiener, editor, Advances in Cryptology - CRYPTO 1999, 19thAnnual International Cryptology Conference, Santa Barbara, California,USA, August 15-19, 1999, Proceedings, volume 1666 of Lecture Notes inComputer Science, pages 388–397. Springer, 1999.

[109] M. G. Kuhn. Security Limits for Compromising Emanations. In Rao andSunar [153], pages 265–279.

[110] M. Langheinrich. RFID and Privacy. In Milan Petkovic and WillemJonker, editors, Security, Privacy, and Trust in Modern Data Management,chapter 28, pages 433–450. Springer, Berlin Heidelberg New York, July 2007.

[111] K. F. Lee. Principles of Antenna Theory. Wiley, 1984.

[112] R. W. Lewallen W7EL. Baluns: What They Do and How They Do It. ARRLAntenna Compendium, pages 157–164, 1985.

[113] H. Li, A. T. Markettos, and S. W. Moore. Security Evaluation AgainstElectromagnetic Analysis at Design Time. In Rao and Sunar [153], pages280–292.

[114] P.-Y. Liardet and N. P. Smart. Preventing SPA/DPA in ECC Systems Usingthe Jacobi Form. In C. K. Koc et al. [36], pages 391–401.

[115] V. Lomne, T. Ordas, P. Maurine, L. Torres, M. Robert, R. I. Soares, andN. L. V. Calazans. Evaluation on FPGA of Triple Rail Logic Robustnessagainst DPA and DEMA. In Design, Automation and Test in Europe - DATE2009, Nice, France, April 20-24, 2009 [3], pages 634–639.

[116] J. Lopez and R. Dahab. Fast Multiplication on Elliptic Curves over GF(2m)without Precomputation. In C. K. Koc and Paar [37], pages 316–327.

[117] G.A. Machado. Low-power HF Microelectronics: a Unified Approach.Number 8 in IEE Circuits & Systems Series. The Institution of Engineeringand Technology, 1996.

[118] P. C. Magnusson, G. C. Alexander, V. K. Tripathi, and A. Weisshaar.Transmission Lines and Wave Propagation. CRC Press, 2001.

[119] S. Mangard. Exploiting Radiated Emissions - EM Attacks on CryptographicICs. In Proceedings of Austrochip, Linz, Austria, October 3 2003.

[120] S. Mangard. Hardware Countermeasures Against DPA – A StatisticalAnalysis of Their Effectiveness. In T. Okamoto, editor, CT-RSA, volume2964 of Lecture Notes in Computer Science, pages 222–235. Springer, 2004.

BIBLIOGRAPHY 165

[121] S. Mangard, M. Aigner, and S. Dominikus. A Highly Regular and ScalableAES Hardware Architecture. In IEEE Transactions on Computers, volume52 issue 4, pages 483–491. IEEE, 2003.

[122] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks: Revealingthe Secrets of Smart Cards. Springer, Secaucus, NJ, USA, 2007.

[123] N. Masuda, N. Tamaki, T. Kuriyama, J. C. Bu, M. Yamaguchi, and K.-I.Arai. High Frequency Magnetic Near Field Measurement on LSI Chip usingPlanar Multi-Layer Shielded Loop Coil. In IEEE International Symposiumon Electromagnetic Compatibility, 2003.

[124] P.C. Matthews. Vector Calculus. Springer, 2005.

[125] J. C. Maxwell. A Treatise on Electricity and Magnetism, Volume 2.Clarendon Press, 1873.

[126] Marcel Medwed and Elisabeth Oswald. Template Attacks on ECDSA. InChung et al. [43], pages 14–27.

[127] T. S. Messerges, E. A. Dabbish, and R. H. Sloan. Examining Smart-CardSecurity under the Threat of Power Analysis Attacks. IEEE Transactionson Computers, 51(5):541–552, May 2002.

[128] MIL-HDBK-216. Military Standardization Handbook - RF TransmissionLines and Fittings. Defense Supply Agency, 4 January 1962.

[129] V. Miller. Uses of Elliptic Curves in Cryptography. In H. C. Williams, editor,CRYPTO, volume 218 of Lecture Notes in Computer Science, pages 417–426.Springer, 1985.

[130] P.L. Montgomery. Speeding the Pollard and elliptic curve methods offactorization. Mathematics of Computation, 48(177):243–264, 1987.

[131] E. De Mulder, W. Aerts, B. Preneel, G. Vandenbosch, and I. Verbauwhede.A class E Power Amplifier for ISO-14443A. In 12th IEEE Workshop onDesign and Diagnostics of Electronic Circuits & Systems - DDECS 2009,pages 20–23, Liberec,CZ, 2009. IEEE.

[132] E. De Mulder, B. Gierlichs, B. Preneel, and I. Verbauwhede. Practical DPAAttacks on MDPL. In 1st IEEE International Workshop on InformationForensics and Security - WIFS 2009, page 5, London,UK, 2009. IEEE.

[133] E. De Mulder, S. Ors, B. Preneel, and I. Verbauwhede. Differential Powerand Electromagnetic Attacks on a FPGA Implementation of Elliptic CurveCryptosystems. Computers & Electrical Engineering, 33(5-6):367–382, 2007.

166 BIBLIOGRAPHY

[134] E. De Mulder, S. B. Ors, B. Preneel, and I. Verbauwhede. DifferentialElectromagnetic Attack on an FPGA. In World Automation Congress -WAC 2006, pages 1–7, Budapest,HU, 2006. IEEE.

[135] E. De Mulder, S. B. Ors, B. Preneel, and I. Verbauwhede. Differential Powerand Electromagnetic Attacks on a FPGA Implementation of Elliptic CurveCryptosystems. Computers & Electrical Engineering, 33(5-6):367–382, 2007.

[136] D. Naccache, N.P. Smart, and J. Stern. Projective Coordinates Leak. InC. Cachin and J. Camenisch, editors, EUROCRYPT, volume 3027 of LectureNotes in Computer Science, pages 257–267. Springer, 2004.

[137] RFH Nalder. History of the Royal Corps of Signals. 1958.

[138] MIL-HDBK-216 notice 11. Cancellation Notice. Defense Supply CenterColumbus, 6 September 2001.

[139] K. Okeya and K. Sakurai. Power Analysis Breaks Elliptic CurveCryptosystems even Secure against the Timing Attack. In B. K. Royand E. Okamoto, editors, INDOCRYPT, volume 1977 of Lecture Notes inComputer Science, pages 178–190. Springer, 2000.

[140] Y. Oren and A. Shamir. Power Analysis of RFID Tags.http://www.wisdom.weizmann.ac.il/˜yossio/rfid/, 2006.

[141] Y. Oren and A. Shamir. Remote Password Extraction from RFID Tags.IEEE Trans. Computers, 56(9):1292–1296, 2007.

[142] S. B. Ors, L. Batina, B. Preneel, and J. Vandewalle. HardwareImplementation of an Elliptic Curve Processor over GF (p). In IEEE 14thInternational Conference on Application-specific Systems, Architectures andProcessors (ASAP), pages 433–443, The Hague, The Netherlands, June 24-26 2003.

[143] S. B. Ors, L. Batina, B. Preneel, and J. Vandewalle. HardwareImplementation of an Elliptic Curve Processor over GF (p) with MontgomeryModular Multiplier. International Journal of Embedded Systems, February2005.

[144] S. B. Ors, E. Oswald, and B. Preneel. Power-Analysis Attacks on an FPGA– First Experimental Results. In Walter et al. [183], pages 35–50.

[145] E. Oswald, S. Mangard, N. Pramstaller, and V. Rijmen. A Side-ChannelAnalysis Resistant Description of the AES S-box. In H. Gilbert andH. Handschuh, editors, FSE, volume 3557 of Lecture Notes in ComputerScience, pages 413 – 423. Springer, 2005.

http://www.wisdom.weizmann.ac.il/~yossio/rfid/

BIBLIOGRAPHY 167

[146] E. Oswald and P. Rohatgi, editors. Cryptographic Hardware and EmbeddedSystems - CHES 2008, 10th International Workshop, Washington, D.C.,USA, August 10-13, 2008. Proceedings, volume 5154 of Lecture Notes inComputer Science. Springer, 2008.

[147] P. Paillier and I. Verbauwhede, editors. Cryptographic Hardware andEmbedded Systems - CHES 2007, 9th International Workshop, Vienna,Austria, September 10-13, 2007, Proceedings, volume 4727 of Lecture Notesin Computer Science. Springer, 2007.

[148] E. Peeters, F.-X. Standaert, and J.-J. Quisquater. Power andElectromagnetic Analysis: Improved Model, Consequences and Comparisons.Integration, the VLSI Journal, 40(1):52–60, 2007.

[149] T. Popp, M. Kirschbaum, and S. Mangard. Practical Attacks on MaskedHardware. In M. Fischlin, editor, CT-RSA, volume 5473 of Lecture Notes inComputer Science, pages 211 – 225. Springer, 2009.

[150] T. Popp, M. Kirschbaum, T. Zefferer, and S. Mangard. Evaluation ofthe Masked Logic Style MDPL on a Prototype Chip. In Paillier andVerbauwhede [147], pages 81–94.

[151] T. Popp and S. Mangard. Masked Dual-Rail Pre-charge Logic: DPA-Resistance Without Routing Constraints. In Rao and Sunar [153], pages172–186.

[152] J.-J. Quisquater and D. Samyde. ElectroMagnetic Analysis (EMA):Measures and Counter-Measures for Smart Cards. In I. Attali and T. P.Jensen, editors, Smart Card Programming and Security (E-smart 2001),volume 2140 of Lecture Notes in Computer Science, pages 200–210. Springer,2001.

[153] J. R. Rao and B. Sunar, editors. Cryptographic Hardware and EmbeddedSystems - CHES 2005, 7th International Workshop, Edinburgh, UK, August29 - September 1, 2005, Proceedings, volume 3659 of Lecture Notes inComputer Science. Springer, 2005.

[154] D. Real, F. Valette, and M. Drissi. Enhancing Correlation ElectroMagneticAttack Using Planar Near-Field Cartography. In Design, Automation andTest in Europe - DATE 2009, Nice, France, April 20-24, 2009 [3], pages628–633.

[155] R. L. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining DigitalSignatures and Public-Key Cryptosystems. Communications of the ACM,21(2):120–126, 1978.

168 BIBLIOGRAPHY

[156] K. Sakiyama, E. De Mulder, B. Preneel, and I. Verbauwhede. A ParallelProcessing Hardware Architecture for Elliptic Curve Cryptosystems. InIEEE International Conference on Acoustics, Speech, and Signal Processing- ICASSP 2006, pages III–904–III–907. IEEE, 2006.

[157] K. Sakiyama, E. De Mulder, B. Preneel, and I. Verbauwhede. Side-channel Resistant System-level Design Flow for Public-key Cryptography. InProceedings of the 17th ACM Great Lakes symposium on VLSI - GLSVLSI2007, pages 144–147, Stresa-Lago Maggiore, 2007. ACM.

[158] L. Sauvage, S. Guilley, J.-L. Danger, Y. Mathieu, and M. Nassar. SuccessfulAttack of an FPGA-Based WDDL DES Cryptoprocessor without Place andRoute Constraints. In Design, Automation and Test in Europe - DATE 2009,Nice, France, April 20-24, 2009 [3], pages 640–645.

[159] L. Sauvage, S. Guilley, and Y. Mathieu. Electromagnetic Radiationsof FPGAs: High Spatial Resolution Cartography and Attack on aCryptographic Module. ACM Trans. Reconfigurable Technol. Syst., 2(1):1–24, 2009.

[160] P. Schaumont, D. Ching, and I. Verbauwhede. An interactive codesignenvironment for domain-specific coprocessors. ACM Trans. Des. Autom.Electron. Syst., 11(1):70–87, 2006.

[161] P. Schaumont and K. Tiri. Masking and Dual-Rail Logic Don’t Add Up. InPaillier and Verbauwhede [147], pages 95–106.

[162] P. Schaumont and I. Verbauwhede. Domain Specific Tools and Methods forApplication in Security Processor Design. Design Automation for EmbeddedSystems, 7:365–383(19), November 2002.

[163] J.-M. Schmidt and C. H. Kim. A Probing Attack on AES. In Chung et al.[43], pages 256–265.

[164] V. Seidermann and S. Buttgenbach. Closely Coupled Micro Coils withIntegrated Flux guidance: Fabrication Technology and Application toProximity and Magnetoelastic Force Sensors. IEEE Sensors Journal, 2003.

[165] S. P. Skorobogatov and R. J. Anderson. Optical Fault Induction Attacks. InKaliski et al. [103], pages 2–12.

[166] G. S. Smith. Radiation Efficiency of Electrically Small Multiturn LoopAntennas. IEEE Transactions on Antennas and Propagation, september1972.

[167] N.O. Sokal and A.D. Sokal. Class E – A New Class of High-EfficiencyTuned Single-Ended Switching Power Amplifiers. IEEE Journal of Solid-State Circuits, SC-10(3):168–176, June 1975.

BIBLIOGRAPHY 169

[168] D.H. Staelin, A.W. Morgenthaler, and J.A. Kong. Electromagnetic Waves.Prentice-Hall International, 1994.

[169] F.-X. Standaert, B. Gierlichs, and I. Verbauwhede. Partition vs. ComparisonSide-Channel Distinguishers: An Empirical Evaluation of Statistical Testsfor Univariate Side-Channel Attacks against Two Unprotected CMOSDevices. In P. J. Lee and J. H. Cheon, editors, ICISC, volume 5461 ofLecture Notes in Computer Science, pages 253–267. Springer, 2008.

[170] F.-X. Standaert, T. Malkin, and M. Yung. A Unified Framework forthe Analysis of Side-Channel Key Recovery Attacks. In A. Joux, editor,EUROCRYPT, volume 5479 of Lecture Notes in Computer Science, pages443–461. Springer, 2009.

[171] F.-X. Standaert, T.G. Malkin, and M. Yung. A Formal Practice-OrientedModel For The Analysis of Side-Channel Attacks. Cryptology ePrint Archive,Report 2006/139, 2006. http://eprint.iacr.org/.

[172] D. Stebila and N. Theriault. Unified Point Addition Formulæ and Side-Channel Attacks. In Goubin and Matsui [77], pages 354–368.

[173] G. Steiner, H. Zangl, P. Fulmek, and G. Brasseur. A Tuning Transformerfor Automatic Adjustment of Resonant Loop Antennas in RFID Systems. InIEEE Conference on Industrial Technology - ICIT 2004, 2004.

[174] R.D. Straw, editor. AARL Antenna Book. American Radio Relay League,2000.

[175] Huber Suhner. Huber Suhner. http://www.hubersuhner.com.

[176] D. Suzuki and M. Saeki. Security Evaluation of DPA Countermeasures UsingDual-Rail Pre-charge Logic Style. In Goubin and Matsui [77], pages 255–269.

[177] D. Suzuki, M. Saeki, and T. Ichikawa. Random Switching Logic: ACountermeasure against DPA based on Transition Probability. CryptologyePrint Archive, Report 2004/346, 2004.

[178] K. Tiri and P. Schaumont. Changing the Odds Against Masked Logic. InE. Biham and A. M. Youssef, editors, Selected Areas in Cryptography, volume4356 of Lecture Notes in Computer Science, pages 134–146. Springer, 2006.

[179] K. Tiri and I. Verbauwhede. Simulation Models for Side-ChannelInformation Leaks. In W. H. Joyner Jr., G. Martin, and A. B. Kahng,editors, DAC, pages 228–233. ACM, 2005.

[180] K. Tiri and I. Verbauwhede. A Digital Design Flow for Secure IntegratedCircuits. IEEE Transactions on Computer-Aided Design of IntegratedCircuits and Systems, 25:1197–1208, 2006.

http://eprint.iacr.org/

http://www.hubersuhner.com

170 BIBLIOGRAPHY

[181] J. Waddle and D. Wagner. Towards Efficient Second-Order Power Analysis.In Joye and Quisquater [99], pages 1–15.

[182] C. D. Walter. Simple Power Analysis of Unified Code for ECC Double andAdd. In Joye and Quisquater [99], pages 191–204.

[183] C. D. Walter, C. K. Koc, and C. Paar, editors. Cryptographic Hardwareand Embedded Systems - CHES 2003, 5th International Workshop, Cologne,Germany, September 8-10, 2003, Proceedings, volume 2779 of Lecture Notesin Computer Science. Springer, 2003.

[184] J. Wolkerstorfer, E. Oswald, and M. Lamberger. An ASIC Implementationof the AES SBoxes. In B. Preneel, editor, CT-RSA, volume 2271 of LectureNotes in Computer Science, pages 67–78. Springer, 2002.

[185] B. Wyseur. White-Box Cryptography. PhD thesis, Katholieke UniversiteitLeuven, 2009.

[186] D. C. Yates, A. S. Holmes, and A. J. Burdett. Optimal TransmissionFrequency for Ultralow-Power Short-Range Radio Links. IEEE Transactionson Circuits and Systems, 51(7):1405–1413, July 2004.

[187] S. M. Yen and M. Joye. Checking Before Output May Not Be EnoughAgainst Fault-Based Cryptanalysis. IEEE Trans. Computers, 49(9):967–970,2000.

[188] S.-M. Yen, L.-C. Ko, S.-J. Moon, and J. Ha. Relative Doubling AttackAgainst Montgomery Ladder. In D. Won and S. Kim, editors, ICISC, volume3935 of Lecture Notes in Computer Science, pages 117–128. Springer, 2005.

[189] L. Youbok. RFID Coil Design. Technical report, Microchip Technology Inc.,1998.

[190] C M Zierhofer and E. S. Hochmair. Geometric Approach for CouplingEnhancement of Magnetically Coupled Coils. IEEE Transactions onBiomedical Engineering, 43(7):708–714, July 1996.

List of Publications

International Journals

[ABM+09] W. Aerts, E. Biham, D. De Moitie, E. De Mulder, O. Dunkelman,S. Indesteege, N. Keller, B. Preneel, G. Vandenbosch, andI. Verbauwhede. A Practical Attack on KeeLoq. Journal of Cryptology,pages 1–26, Accepted, Submitted in 2009.

[AMP+08] W. Aerts, E. De Mulder, B. Preneel, G. Vandenbosch, andI. Verbauwhede. Dependence of RFID Reader Antenna Design onRead Out Distance. IEEE Transactions on Antennas & Propagation,56(12):3829–3837, 2008.

[MOPV07] E. De Mulder, S. B. Ors, B. Preneel, and I. Verbauwhede. DifferentialPower and Electromagnetic Attacks on a FPGA Implementation ofElliptic Curve Cryptosystems. Computers & Electrical Engineering,33(5-6):367–382, 2007.

International Conferences

[AMP+06] W. Aerts, E. De Mulder, B. Preneel, G. Vandenbosch, andI. Verbauwhede. Matching Shielded Loops for Cryptographic Analysis.In 1st European Conference on Antennas and Propagation - EuCAP2006, pages 1–6, Nice,FR, 2006. IEEE.

[AMP+09] W. Aerts, E. De Mulder, B. Preneel, G. Vandenbosch, andI. Verbauwhede. Designing Maximal Resolution Loop Sensors forCryptographic Analysis. In 3rd European Conference on Antennasand Propagation - EuCAP 2009, pages 1–5, Berlin,GE, 2009. IEEE.

[BMB+05] P. Buysschaert, E. De Mulder, S. B.Ors, P. Delmotte, B. Preneel,G. Vandenbosch, and I. Verbauwhede. Electromagnetic Analysis At-

171

172 INTERNATIONAL CONFERENCES

tack on an FPGA Implementation of an Elliptic Curve Cryptosystem.In EUROCON 2005 - The International Conference on ”Computer asa Tool”, pages 1879–1882, Belgrade,CS, 2005. IEEE.

[FGM+10] J. Fan, X. Guo, E. De Mulder, P. Schaumont, B. Preneel, andI. Verbauwhede. State-of-the-art of secure ECC implementations:a survey on known side-channel attacks and countermeasures. In3rd IEEE International Workshop on Hardware-Oriented Security andTrust - HOST 2010, page 12, Anaheim Convention Center,CA,USA,2010. IEEE.

[GMPV09] B. Gierlichs, E. De Mulder, B. Preneel, and I. Verbauwhede. EmpiricalComparison of Side Channel Analysis Distinguishers on DES inHardware. In Proc. European Conference on Circuit Theory andDesign - ECCTD 2009, pages 391–394, Antalya,TUR, 2009.

[MAP+09] E. De Mulder, W. Aerts, B. Preneel, G. Vandenbosch, andI. Verbauwhede. A class E Power Amplifier for ISO-14443A. In 12thIEEE Workshop on Design and Diagnostics of Electronic Circuits &Systems - DDECS 2009, pages 20–23, Liberec,CZ, 2009. IEEE.

[MGPV09] E. De Mulder, B. Gierlichs, B. Preneel, and I. Verbauwhede. PracticalDPA Attacks on MDPL. In 1st IEEE International Workshop onInformation Forensics and Security - WIFS 2009, page 5, London,UK,2009. IEEE.

[MOPV06] E. De Mulder, S. B. Ors, B. Preneel, and I. Verbauwhede. DifferentialElectromagnetic Attack on an FPGA. In World Automation Congress- WAC 2006, pages 1–7, Budapest,HU, 2006. IEEE.

[SMPV06] K. Sakiyama, E. De Mulder, B. Preneel, and I. Verbauwhede.A Parallel Processing Hardware Architecture for Elliptic CurveCryptosystems. In IEEE International Conference on Acoustics,Speech, and Signal Processing - ICASSP 2006, pages III–904–III–907.IEEE, 2006.

[SMPV07] K. Sakiyama, E. De Mulder, B. Preneel, and I. Verbauwhede.Side-channel Resistant System-level Design Flow for Public-keyCryptography. In Proceedings of the 17th ACM Great Lakes symposiumon VLSI - GLSVLSI 2007, pages 144–147, Stresa-Lago Maggiore, 2007.ACM.

OTHER INTERNATIONAL PUBLICATIONS 173

Other International Publications

[BMD+06] P. Buysschaert, E. De Mulder, P. Delmotte, S. B.Ors, B. Preneel,G. Vandenbosch, and I. Verbauwhede. Measuring the Vulnerabilityof Cryptographic Algorithms. IEEE Potentials, 25(2):13–17, 2006.

[KBM+10] M. Knezevic, L. Batina, E. De Mulder, J. Fan, B; Gierlichs, Y. K. Lee,R. Maes, and I. Verbauwhede. Signal Processing for Cryptographyand Security Applications. In Handbook of Signal Processing Systems,page 17. Springer, 2010.

National Journals

[BBM+04] Lejla Batina, P. Buysschaert, E. De Mulder, Nele Mentens, B. Preneel,G. Vandenbosch, I. Verbauwhede, and S. B. Ors. Side Channel Attacksand Fault Attacks on Cryptographic Algorithms. Revue HF Tijdschrift,2004(3):36–45, 2004.

Curriculum Vitae

Elke De Mulder was born on January 27, 1981 in Duffel, Belgium. She receivedher degree of Burgerlijk Electrotechnisch Ingenieur (Electrical Engineering, ICT –Telecommunications) from the Katholieke Universiteit Leuven in July 2004. Hermaster thesis “Electromagnetic Analysis on an FPGA implementation of EllipticCurve Cryptography” inspired her to start research in this field. She joinedthe research group COSIC (COmputer Security and Industrial Cryptography) atthe Departement of Electrical Engineering (ESAT) of the Katholieke UniversiteitLeuven. Her PhD research was partially sponsored by the Agency for Innovationby Science and Technology (IWT).

175

Arenberg Doctoral School of Science, Engineering & Technology

Faculty of Engineering

Department of Electrical Engineering (ESAT)

COmputer Security and Industrial Cryptography (COSIC)

Kasteelpark Arenberg 10, 2446, 3001 Heverlee, Belgium

electromagnetic techniques and probes for side-channel … · side-channel analysis has become an...

Documents