Breaking ECDSA with Electromagnetic Side-Channel Attacks: Challenges and Practicality on Modern Smartphones

TL;DR

This work assesses the practicality of electromagnetic side-channel analysis on contemporary smartphone SoCs by adapting the Nonce@Once attack to Raspberry Pi 4 and Fairphone 4. It shows that ECDSA nonce leakage persists even with software countermeasures, across OpenSSL and libgcrypt, when considering full Android stacks and Linux environments. Through two case studies, the authors demonstrate that heterogeneous cores, dynamic frequency scaling, and scheduling do not prevent detectable EM leakage, underscoring the need for certified secure elements in smartphones for critical identities like the EUDI wallet. The study also surveys Android cryptographic implementations, analyzes threat models, and discusses mitigations, highlighting that secure hardware certification and standardized interfaces are essential for trust in mobile digital identities.

Abstract

Smartphones handle sensitive tasks such as messaging and payment and may soon support critical electronic identification through initiatives such as the European Digital Identity (EUDI) wallet, currently under development. Yet the susceptibility of modern smartphones to physical side-channel analysis (SCA) is underexplored, with recent work limited to pre-2019 hardware. Since then, smartphone system on chip (SoC) platforms have grown more complex, with heterogeneous processor clusters, sub 10 nm nodes, and frequencies over 2 GHz, potentially complicating SCA. In this paper, we assess the feasibility of electromagnetic (EM) SCA on a Raspberry Pi 4, featuring a Broadcom BCM2711 SoC and a Fairphone 4 featuring a Snapdragon 750G 5G SoC. Using new attack methodologies tailored to modern SoCs, we recover ECDSA secrets from OpenSSL by mounting the Nonce@Once attack of Alam et al. (Euro S&P 2021) and show that the libgcrypt countermeasure does not fully mitigate it. We present case studies illustrating how hardware and software stacks impact EM SCA feasibility. Motivated by use cases such as the EUDI wallet, we survey Android cryptographic implementations and define representative threat models to assess the attack. Our findings show weaknesses in ECDSA software implementations and underscore the need for independently certified secure elements (SEs) in all smartphones.

Figures (13)

• Figure 1: em traces for a single Montgomery ladder step for OpenSSL + secp521r1 (left) and three iterations for the double-and-always-add routine of libgcrypt and Ed25519 (right). The top row shows the unfiltered signals. The traces in the middle row are bandpass-filtered for 130MHz. The traces in the bottom row are additionally absolute and sliding-median filtered. The Raspberry Pi 4's clock frequency was 1.8GHz for this investigation.
• Figure 2: Leakage assessment results depicting t-values (solid, black line), a sample em trace (dotted, grey line) and the trigger window (marked in orange). The top plot shows the results for OpenSSL +secp521r1, the middle plot for libgcrypt + Ed25519 and the bottom plot for OpenSSL + secp128r1 with the countermeasure from alam_nonce_at_once.
• Figure 3: Excerpt of an ir die-shot of the Snapdragon 750G 5G soc overlaid with photon emission measurements for cpu identification. In this case, a simple benchmark program is scheduled to one of the six A55 cpu marked with orange rectangles. The two A77 cpu are highlighted with blue rectangles.
• Figure 4: Single step on the Montgomery ladder on one of the Snapdragon 750G 5G's Cortex-A55 cpu bandpass-filtered for 768MHz (top) and 40MHz (bottom).
• Figure 5: Single step on the Montgomery ladder on one of the Snapdragon 750G 5G's Cortex-A77 cpu bandpass-filtered for 787MHz.