Journal of Cryptographic Engineering

, Volume 7, Issue 2, pp 99–112 | Cite as

CacheBleed: a timing attack on OpenSSL constant-time RSA

  • Yuval YaromEmail author
  • Daniel Genkin
  • Nadia Heninger
CHES 2016


The scatter–gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper, we show that scatter–gather is not constant time. We implement a cache timing attack against the scatter–gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4096-bit RSA, our attack can fully recover the private key after observing 16,000 decryptions.


Side-channel attacks Cache attacks Cryptographic implementations Constant-time RSA 



We would like to thank Daniel J. Bernstein for suggesting the name CacheBleed and for helpful comments. This material is based upon work supported by the US National Science Foundation under Grants No. CNS-1408734, CNS-1505799, and CNS-1513671, a gift from Cisco, the Blavatnik Interdisciplinary Cyber Research Center, the Check Point Institute for Information Security, a Google Faculty Research Award, the Israeli Centers of Research Excellence I-CORE program (center 4/11), the Leona M. & Harry B. Helmsley Charitable Trust, and NATO’s Public Diplomacy Division in the Framework of “Science for Peace.”


  1. 1.
    Acıiçmez, O.: Yet another microarchitectural attack: exploiting I-cache. In: CSAW, Fairfax, VA, US (2007)Google Scholar
  2. 2.
    Acıiçmez, O., Koç, Ç.K.: Microarchitectural attacks and countermeasures. In: Cryptographic engineering, pp. 475–504 (2009)Google Scholar
  3. 3.
    Acıiçmez, O., Gueron, S., Seifert, J.-P.: New branch prediction vulnerabilities in OpenSSL and necessary software countermeasures. In: 11th IMA International Conference on Cryptography and Coding, pp. 185–203. Cirencester, UK (2007a)Google Scholar
  4. 4.
    Acıiçmez, O., Koç, Ç.K., Seifert, J.-P.: Predicting secret keys via branch prediction. In: 2007 CT-RSA, pp. 225–242. (2007b)Google Scholar
  5. 5.
    Acıiçmez, O., Brumley, B.B., Grabher, P.: New results on instruction cache attacks. In: CHES, Santa Barbara, CA, US (2010)Google Scholar
  6. 6.
    Acıiçmez, O., Seifert, J.-P.: Cheap hardware parallelism implies cheap security. In: Fourth International Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 80–91. Vienna, AT (2007)Google Scholar
  7. 7.
    Alpert, D.B., Choudhury, M.R., Mills, J.D.: Interleaved cache for multiple accesses per clock cycle in a microprocessor. US Patent 5,559,986, Sept 1996Google Scholar
  8. 8.
  9. 9.
    Bernstein, D.J.: Cache-timing attacks on AES. Preprint (2005)
  10. 10.
    Bernstein, D.J., Schwabe, P.: A word of warning. In: CHES’13 Rump Session (2013)Google Scholar
  11. 11.
    Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Advances in Cryptology–CRYPTO 2003: 23rd Annual International Cryptology Conference, pp. 27–43. Berlin, Heidelberg (2003)Google Scholar
  12. 12.
  13. 13.
    Bos, J., Coster, M.: Addition chain heuristics. In: CRYPTO’89, pp. 400–407. Santa Barbara, CA, US (1989)Google Scholar
  14. 14.
    Brickell, E.: Technologies to improve platform security. In: CHES’11 Invited Talk. URL (2011)
  15. 15.
    Brickell, Ernie: The impact of cryptography on platform security. In: CT-RSA’12 Invited Talk. URL (2012)
  16. 16.
    Brickell, E., Graunke, G., Seifert, J.-P.: Mitigating cache/timing based side-channels in AES and RSA software implementations. In: RSA Conference 2006 session DEV-203, (2006)Google Scholar
  17. 17.
    Brumley, B.B., Hakala, R.M.: Cache-timing template attacks. In: 15th ASIACRYPT, pp. 667–684. Tokyo (2009)Google Scholar
  18. 18.
    Brumley, B.B., Tuveri, N.: Remote timing attacks are still practical. In: 16th ESORICS, Leuven, BE (2011)Google Scholar
  19. 19.
    Brumley, D., Boneh, D.: Remote timing attacks are practical. In: 12th USENIX Security, pp. 1–14. Washington, DC, US (2003)Google Scholar
  20. 20.
    Fog, A.: How to optimize for the Pentium processor. (1996)
  21. 21.
    Fog, A.: How to optimize for the Pentium family of microprocessors. (2004)
  22. 22.
    Fog, A.: The microarchitecture of Intel, AMD and VIA CPUs: an optimization guide for assembly programmers and compiler makers. (2016)
  23. 23.
    Garner, H.L.: The residue number system. IRE Trans. Electron. Comput. EC–8(2), 140–147 (1959)CrossRefGoogle Scholar
  24. 24.
    Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J. Cryptogr. Eng. doi: 10.1007/s13389-016-0141-6
  25. 25.
    Genkin, D., Shamir, A., Tromer, E.: RSA key extraction via low-bandwidth acoustic cryptanalysis. In: CRYPTO 2014, pp. 444–461. Santa Barbara, CA, US (2014)Google Scholar
  26. 26.
    Gopal, V., Guilford, J., Ozturk, E., Feghali, W., Wolrich, G., Dixon, M.: Fast and constant-time implementation of modular exponentiation. In: Embedded Systems and Communications Security, Niagara Falls, NY, US (2009)Google Scholar
  27. 27.
    Gueron, Shay: Efficient software implementations of modular exponentiation. J. Cryptogr. Eng. 2(1), 31–43 (2012)CrossRefGoogle Scholar
  28. 28.
    Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. In: CRYPTO 2009, pp. 1–17, Santa Barbara, CA, US (2009)Google Scholar
  29. 29.
    Hily, S., Zhang, Z., Hammarlund, P.: Resolving false dependencies of speculative load instructions. U.S. Patent 7,603,527, Oct 2009Google Scholar
  30. 30.
    Hu, W.-M.: Reducing timing channels with fuzzy time. In: 1991 Computer Society Symposium. Research Security and Privacy, pp. 8–20. Oakland, CA, US (1991)Google Scholar
  31. 31.
    İnci, M.S., Gülmezoğlu, B., Irazoqui, G., Eisenbarth, T., Sunar, B.: Seriously, get off my cloud! Cross-VM RSA key recovery in a public cloud. IACR Cryptology ePrint Archive, Report 2015/898 (2015)Google Scholar
  32. 32.
    Intel 64 & IA-32 AORM. Intel 64 and IA-32 Architectures Optimization Reference Manual. Intel Corporation (2012)Google Scholar
  33. 33.
    Irazoqui, G., Eisenbarth, T., Sunar, B.: S$A: A shared cache attack that works across cores and defies VM sandboxing—and its application to AES. In: S&P, San Jose, CA, US (2015a)Google Scholar
  34. 34.
    Irazoqui, G., Eisenbarth, T., Sunar, B.: Systematic reverse engineering of cache slice selection in Intel processors. In: Euromicro Conference on Digital System Design, Funchal, Madeira, Portugal (2015b)Google Scholar
  35. 35.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: CRYPTO, vol. 1666, LNCS, pp. 388–397 (1999)Google Scholar
  36. 36.
    Kocher, P., Jaffe, J., Jun, B., Rohatgi, P.: Introduction to differential power analysis. J. Cryptogr. Eng. 1, 5–27 (2011)CrossRefGoogle Scholar
  37. 37.
    Kocher, P.C.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems. In: 16th Annual International Cryptology Conference on Advances in Cryptology, pp. 104–113. Springer (1996)Google Scholar
  38. 38.
    Lampson, B.W.: A note on the confinement problem. CACM 16, 613–615 (1973)CrossRefGoogle Scholar
  39. 39.
    LibreSSL Project.
  40. 40.
    Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: S&P, pp. 605–622. San Jose, CA, US (2015)Google Scholar
  41. 41.
    Maurice, C., Le Scouarnec, N., Neumann, C., Heen, O., Francillon, A.: Reverse engineering Intel last-level cache complex addressing using performance counters. In: RAID, Kyoto, Japan (2015)Google Scholar
  42. 42.
  43. 43.
    Neve, M., Seifert, J.-P.: Advances on access-driven cache attacks on AES. In: 13th International Workshop on Selected Areas in Cryptography, Montreal, CA (2006)Google Scholar
  44. 44.
    OpenSSL Project.
  45. 45.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: 2006 CT-RSA (2006)Google Scholar
  46. 46.
    Percival, C.: Cache missing for fun and profit. In: BSDCan 2005, Ottawa, CA (2005)Google Scholar
  47. 47.
    Pessl, P., Gruss, D., Maurice, C., Schwarz, M., Mangard, S.: Reverse engineering Intel DRAM addressing and exploitation. arXiv preprint arXiv:1511.08756 (2015)
  48. 48.
    Quisquater, J.-J., Samyde, D.: Electromagnetic analysis (EMA): measures and counter-measures for smart cards. In: E-Smart’01, pp. 200–210. Cannes, FR (2001)Google Scholar
  49. 49.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. CACM 21, 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  50. 50.
    Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptol. 23(1), 37–71 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  51. 51.
    van de Pol, J., Smart, N.P., Yarom, Y.: Just a little bit more. In: 2015 CT-RSA, pp. 3–21. San Francisco, CA, USA (2015)Google Scholar
  52. 52.
    Wang, Y., Suh, G.E.: Efficient timing channel protection for on-chip networks. In: 6th NoCS, pp. 142–151, Lyngby, Denmark (2012)Google Scholar
  53. 53.
    Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: 21st USENIX Security, Bellevue, WA, US (2012)Google Scholar
  54. 54.
    Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: 23rd USENIX Security, pp. 719–732. San Diego, CA, US (2014)Google Scholar
  55. 55.
    Yarom, Y., Ge, Q., Liu, F., Lee, R.B., Heiser, G.: Mapping the Intel last-level cache. (2015)
  56. 56.
    Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: 19th CCS, pp. 305–316. Raleigh, NC, US (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  1. 1.Data61, CSIRO and University of AdelaideAdelaideAustralia
  2. 2.University of PennsylvaniaPhiladelphiaUSA
  3. 3.University of MarylandCollege ParkUSA

Personalised recommendations