Journal of Cryptographic Engineering

, Volume 7, Issue 2, pp 99–112 | Cite as

CacheBleed: a timing attack on OpenSSL constant-time RSA

CHES 2016


The scatter–gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper, we show that scatter–gather is not constant time. We implement a cache timing attack against the scatter–gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4096-bit RSA, our attack can fully recover the private key after observing 16,000 decryptions.


Side-channel attacks Cache attacks Cryptographic implementations Constant-time RSA 


  1. 1.
    Acıiçmez, O.: Yet another microarchitectural attack: exploiting I-cache. In: CSAW, Fairfax, VA, US (2007)Google Scholar
  2. 2.
    Acıiçmez, O., Koç, Ç.K.: Microarchitectural attacks and countermeasures. In: Cryptographic engineering, pp. 475–504 (2009)Google Scholar
  3. 3.
    Acıiçmez, O., Gueron, S., Seifert, J.-P.: New branch prediction vulnerabilities in OpenSSL and necessary software countermeasures. In: 11th IMA International Conference on Cryptography and Coding, pp. 185–203. Cirencester, UK (2007a)Google Scholar
  4. 4.
    Acıiçmez, O., Koç, Ç.K., Seifert, J.-P.: Predicting secret keys via branch prediction. In: 2007 CT-RSA, pp. 225–242. (2007b)Google Scholar
  5. 5.
    Acıiçmez, O., Brumley, B.B., Grabher, P.: New results on instruction cache attacks. In: CHES, Santa Barbara, CA, US (2010)Google Scholar
  6. 6.
    Acıiçmez, O., Seifert, J.-P.: Cheap hardware parallelism implies cheap security. In: Fourth International Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 80–91. Vienna, AT (2007)Google Scholar
  7. 7.
    Alpert, D.B., Choudhury, M.R., Mills, J.D.: Interleaved cache for multiple accesses per clock cycle in a microprocessor. US Patent 5,559,986, Sept 1996Google Scholar
  8. 8.
  9. 9.
    Bernstein, D.J.: Cache-timing attacks on AES. Preprint (2005)
  10. 10.
    Bernstein, D.J., Schwabe, P.: A word of warning. In: CHES’13 Rump Session (2013)Google Scholar
  11. 11.
    Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Advances in Cryptology–CRYPTO 2003: 23rd Annual International Cryptology Conference, pp. 27–43. Berlin, Heidelberg (2003)Google Scholar
  12. 12.
  13. 13.
    Bos, J., Coster, M.: Addition chain heuristics. In: CRYPTO’89, pp. 400–407. Santa Barbara, CA, US (1989)Google Scholar
  14. 14.
    Brickell, E.: Technologies to improve platform security. In: CHES’11 Invited Talk. URL (2011)
  15. 15.
    Brickell, Ernie: The impact of cryptography on platform security. In: CT-RSA’12 Invited Talk. URL (2012)
  16. 16.
    Brickell, E., Graunke, G., Seifert, J.-P.: Mitigating cache/timing based side-channels in AES and RSA software implementations. In: RSA Conference 2006 session DEV-203, (2006)Google Scholar
  17. 17.
    Brumley, B.B., Hakala, R.M.: Cache-timing template attacks. In: 15th ASIACRYPT, pp. 667–684. Tokyo (2009)Google Scholar
  18. 18.
    Brumley, B.B., Tuveri, N.: Remote timing attacks are still practical. In: 16th ESORICS, Leuven, BE (2011)Google Scholar
  19. 19.
    Brumley, D., Boneh, D.: Remote timing attacks are practical. In: 12th USENIX Security, pp. 1–14. Washington, DC, US (2003)Google Scholar
  20. 20.
    Fog, A.: How to optimize for the Pentium processor. (1996)
  21. 21.
    Fog, A.: How to optimize for the Pentium family of microprocessors. (2004)
  22. 22.
    Fog, A.: The microarchitecture of Intel, AMD and VIA CPUs: an optimization guide for assembly programmers and compiler makers. (2016)
  23. 23.
    Garner, H.L.: The residue number system. IRE Trans. Electron. Comput. EC–8(2), 140–147 (1959)CrossRefGoogle Scholar
  24. 24.
    Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptogr. Eng. doi:10.1007/s13389-016-0141-6
  25. 25.
    Genkin, D., Shamir, A., Tromer, E.: RSA key extraction via low-bandwidth acoustic cryptanalysis. In: CRYPTO 2014, pp. 444–461. Santa Barbara, CA, US (2014)Google Scholar
  26. 26.
    Gopal, V., Guilford, J., Ozturk, E., Feghali, W., Wolrich, G., Dixon, M.: Fast and constant-time implementation of modular exponentiation. In: Embedded Systems and Communications Security, Niagara Falls, NY, US (2009)Google Scholar
  27. 27.
    Gueron, Shay: Efficient software implementations of modular exponentiation. J. Cryptogr. Eng. 2(1), 31–43 (2012)CrossRefGoogle Scholar
  28. 28.
    Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. In: CRYPTO 2009, pp. 1–17, Santa Barbara, CA, US (2009)Google Scholar
  29. 29.
    Hily, S., Zhang, Z., Hammarlund, P.: Resolving false dependencies of speculative load instructions. U.S. Patent 7,603,527, Oct 2009Google Scholar
  30. 30.
    Hu, W.-M.: Reducing timing channels with fuzzy time. In: 1991 Computer Society Symposium. Research Security and Privacy, pp. 8–20. Oakland, CA, US (1991)Google Scholar
  31. 31.
    İnci, M.S., Gülmezoğlu, B., Irazoqui, G., Eisenbarth, T., Sunar, B.: Seriously, get off my cloud! Cross-VM RSA key recovery in a public cloud. IACR Cryptology ePrint Archive, Report 2015/898 (2015)Google Scholar
  32. 32.
    Intel 64 & IA-32 AORM. Intel 64 and IA-32 Architectures Optimization Reference Manual. Intel Corporation (2012)Google Scholar
  33. 33.
    Irazoqui, G., Eisenbarth, T., Sunar, B.: S$A: A shared cache attack that works across cores and defies VM sandboxing—and its application to AES. In: S&P, San Jose, CA, US (2015a)Google Scholar
  34. 34.
    Irazoqui, G., Eisenbarth, T., Sunar, B.: Systematic reverse engineering of cache slice selection in Intel processors. In: Euromicro Conference on Digital System Design, Funchal, Madeira, Portugal (2015b)Google Scholar
  35. 35.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: CRYPTO, vol. 1666, LNCS, pp. 388–397 (1999)Google Scholar
  36. 36.
    Kocher, P., Jaffe, J., Jun, B., Rohatgi, P.: Introduction to differential power analysis. J. Cryptogr. Eng. 1, 5–27 (2011)CrossRefGoogle Scholar
  37. 37.
    Kocher, P.C.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems. In: 16th Annual International Cryptology Conference on Advances in Cryptology, pp. 104–113. Springer (1996)Google Scholar
  38. 38.
    Lampson, B.W.: A note on the confinement problem. CACM 16, 613–615 (1973)CrossRefGoogle Scholar
  39. 39.
    LibreSSL Project.
  40. 40.
    Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: S&P, pp. 605–622. San Jose, CA, US (2015)Google Scholar
  41. 41.
    Maurice, C., Le Scouarnec, N., Neumann, C., Heen, O., Francillon, A.: Reverse engineering Intel last-level cache complex addressing using performance counters. In: RAID, Kyoto, Japan (2015)Google Scholar
  42. 42.
  43. 43.
    Neve, M., Seifert, J.-P.: Advances on access-driven cache attacks on AES. In: 13th International Workshop on Selected Areas in Cryptography, Montreal, CA (2006)Google Scholar
  44. 44.
    OpenSSL Project.
  45. 45.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: 2006 CT-RSA (2006)Google Scholar
  46. 46.
    Percival, C.: Cache missing for fun and profit. In: BSDCan 2005, Ottawa, CA (2005)Google Scholar
  47. 47.
    Pessl, P., Gruss, D., Maurice, C., Schwarz, M., Mangard, S.: Reverse engineering Intel DRAM addressing and exploitation. arXiv preprint arXiv:1511.08756 (2015)
  48. 48.
    Quisquater, J.-J., Samyde, D.: Electromagnetic analysis (EMA): measures and counter-measures for smart cards. In: E-Smart’01, pp. 200–210. Cannes, FR (2001)Google Scholar
  49. 49.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. CACM 21, 120–126 (1978)MathSciNetCrossRefMATHGoogle Scholar
  50. 50.
    Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptol. 23(1), 37–71 (2010)MathSciNetCrossRefMATHGoogle Scholar
  51. 51.
    van de Pol, J., Smart, N.P., Yarom, Y.: Just a little bit more. In: 2015 CT-RSA, pp. 3–21. San Francisco, CA, USA (2015)Google Scholar
  52. 52.
    Wang, Y., Suh, G.E.: Efficient timing channel protection for on-chip networks. In: 6th NoCS, pp. 142–151, Lyngby, Denmark (2012)Google Scholar
  53. 53.
    Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: 21st USENIX Security, Bellevue, WA, US (2012)Google Scholar
  54. 54.
    Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: 23rd USENIX Security, pp. 719–732. San Diego, CA, US (2014)Google Scholar
  55. 55.
    Yarom, Y., Ge, Q., Liu, F., Lee, R.B., Heiser, G.: Mapping the Intel last-level cache. (2015)
  56. 56.
    Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: 19th CCS, pp. 305–316. Raleigh, NC, US (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  1. 1.Data61, CSIRO and University of AdelaideAdelaideAustralia
  2. 2.University of PennsylvaniaPhiladelphiaUSA
  3. 3.University of MarylandCollege ParkUSA

Personalised recommendations