Electromagnetic Analysis Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem E. De Mulder, P. Buysschaert, S. B. ¨ Ors, P. Delmotte, B. Preneel, G. Vandenbosch and I. Verbauwhede, Member, IEEE Abstract— This paper presents simple (SEMA) and differential (DEMA) electromagnetic analysis attacks on an FPGA implemen- tation of an elliptic curve processor. Elliptic curve cryptography is a public key cryptosystem that is becoming increasingly popular. Implementations of cryptographic algorithms should not only be fast, compact and power efficient, but they should also resist side channel attacks. One of the side channels is the electromagnetic radiation out of an integrated circuit. Hence it is very important to assess the vulnerability of implementations of cryptosystems against these attacks. A SEMA attack on an unprotected implementation can find all the key bits with only one measurement. We also describe a DEMA attack on an improved implementation and demonstrate that a correlation analysis requires 1000 measurements to find the key bits. Keywords— Elliptic Curve Cryptosystems, side channel at- tacks, SEMA, DEMA I. I NTRODUCTION Keeping information secret and authentic is a very old concern, but the exponential growth of technology exacerbates the need for secure communication. Cryptographic algorithms and protocols are essential in protecting the confidentiality and authentication of data; they replace the problem of protecting information by protecting short cryptographic keys. Ironically, the very same technology which forms the basis for the higher demand in security has a few annoying side effects. Kocher introduced the use of side channels to break a cryptosystem [1], [2]. He suggested to derive information on secret keys by measuring the execution time and the power consumption of implementations of cryptosystems. With this idea, cryptanalysis no longer focuses exclusively on the math- ematical aspects but also evaluates weaknesses of implemen- tations. The three main physical properties of cryptographic modules can be exploited in side channel attacks: power consumption, timing and electromagnetic radiation. Others such as sound and heat are currently being explored but seem less promising. Elliptic Curve Cryptography (ECC) was proposed indepen- dently by Miller [3] and Koblitz [4] in the 1980s. Since then a considerable amount of research has been performed on secure and efficient ECC implementations. This article reports on the first implementation of an elec- tromagnetic analysis (EMA) attack on a hardware implemen- tation of an elliptic curve (EC) processor with a key length of 160 bits [5]. Earlier work (discussed in Section II) is either Elke De Mulder is and Sıddıka Berna ¨ Ors was with K.U.Leuven, Dept. ESAT, Kasteelpark Arenberg 10, B-3001 Leuven, Belgium, email: edemulde@esat.kuleuven.ac.be. They were funded by research grants of the Katholieke Universiteit Leuven, Belgium. This work was supported in part by the FWO “Identification and Cryptography” project (G.0141.03), the FWO “Security for ambient intelligent systems” project (G.0450.04) and by the EU IST-SCARD project. We also thank E. Dewitte, N. Mentens and L. Batina theoretical or presents attacks on software implementations for 8-bit smart cards. The main difference between our implemen- tation of an EC processor and these software implementations is that in our hardware all operations are done in parallel. Hence the number of bit transitions during every clock cycle can be up to 160, compared to 8 for a smart card. This implies that predictions of the transitions are much harder. In order to detect the effect of any bit changes we have to increase the number of measurements by a factor of 20 or more. This paper is organized as follows: In Section II we discuss the previous work on EMA attacks, section III summarizes the mathematical background needed to understand the proposed work, in Section IV we describe our measurement setup, finally in Section V and VI we present the SEMA and DEMA attacks results on the EC processor. We conclude the paper and discuss further work in Sect. VII. II. PREVIOUS WORK It is well known that the US government has been aware of electromagnetic leakage since the 1950s. The resulting standards are called TEMPEST; partially available in [10]. The first published papers are work of Quisquater and Samyde [11] and the Gemplus team [12]. Quisquater and Samyde showed that it is possible to measure the electromagnetic radiation from a smart card. Quisquater also introduced the terms Simple EMA (SEMA) and Differential EMA (DEMA). The work of Gemplus deals with experiments on DES, RSA and COMP-128. They mentioned that EM radiation can also exploit local information and, although more noisy, the mea- surements can be performed from a distance. According to Agrawal et al. there are two types of radiations: intentional and unintentional [13], [14]. The first type results from direct current flows. The second type is caused by various couplings, modulations (AM and FM), etc. The real advantage of EM over other side channel attacks lies in exploring unintentional radiations [13], [14]. More precisely, EM leakage consists of multiple channels. More theoretical considerations are also given by Chari et al. in [15]. They discussed so-called template attacks in which the attacker uses a device that is identical to the target device. The authors themselves came up with an even stronger approach afterwards. Namely, an attacker can also focus on a combination of two or more side channels. Agrawal et al. defined these so-called multi-channel attacks in which the side channels are not necessarily of a different kind [16]. Mangard also showed that near-field EM attacks can be conducted with a simple hand-made coil in [18]. He also demonstrated that measuring the far-field emissions of a smart card also suffices to determine the secret key. Carlier et al.