CacheBleed: A Timing Attack on OpenSSL Constant Time RSA

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9813)


The scatter-gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.
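A simplified model of the scatter-gather layout the abstract refers to, added here as an illustration and not code from the paper or from OpenSSL; it assumes a byte-interleaved table of 32 multipliers, 64-byte cache lines and a 16-bank, 4-byte-wide bank model selected by address bits 2..5 (OpenSSL's real layout differs in detail). It shows that every gather touches the same set of cache lines whatever the secret index is, while the set of cache banks touched depends on that index, which is the bank-conflict leakage the attack relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy scatter-gather table (added example, not OpenSSL's code). Byte i of
 * multiplier k is stored at table[i*W + k], so the W multipliers are
 * interleaved and every gather walks the same cache lines whatever k is. */
#define W      32   /* 2^5 multipliers for a 5-bit window */
#define LEN    64   /* bytes per multiplier (toy size; an RSA-4096 multiplier is 512) */
#define LINE   64   /* cache line size in bytes */
#define NBANKS 16   /* assumed bank model: 16 banks, 4 bytes wide, address bits 2..5 */
static unsigned char table[W * LEN];

void scatter(int k, const unsigned char *m) {
    for (int i = 0; i < LEN; i++) table[i * W + k] = m[i];
}
void gather(int k, unsigned char *out) {
    for (int i = 0; i < LEN; i++) out[i] = table[i * W + k];
}

/* Bitmask of cache lines a gather of multiplier k touches: the same for every k. */
uint64_t lines_touched(int k) {
    uint64_t mask = 0;
    for (int i = 0; i < LEN; i++) mask |= (uint64_t)1 << ((i * W + k) / LINE);
    return mask;
}

/* Bitmask of cache banks a gather of multiplier k touches (bank model above).
 * The offset within a line is (i % 2) * 32 + k, so the bank set is {k/4, 8 + k/4}:
 * the three high bits of k select the banks, and bank conflicts reveal them. */
unsigned banks_touched(int k) {
    unsigned mask = 0;
    for (int i = 0; i < LEN; i++) {
        size_t off = (size_t)(i * W + k) % LINE;
        mask |= 1u << ((off >> 2) % NBANKS);
    }
    return mask;
}

/* Sanity check: scatter then gather returns the multiplier unchanged (constructed input). */
int roundtrip_ok(int k) {
    unsigned char in[LEN], out[LEN];
    for (int i = 0; i < LEN; i++) in[i] = (unsigned char)(k * 7 + i);
    scatter(k, in);
    gather(k, out);
    return memcmp(in, out, LEN) == 0;
}
```

In this model lines_touched() is identical for all 32 indices, so a line-granular cache attack learns nothing, whereas banks_touched() partitions the indices into eight classes by their top three bits; a defence has to equalise bank usage too, not just cache-line usage.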


Side-channel attacks, Cache attacks, Cryptographic implementations, Constant-time RSA



Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. The University of Adelaide and NICTA, Adelaide, Australia
  2. Technion and Tel Aviv University, Tel Aviv, Israel
  3. University of Pennsylvania, Philadelphia, USA
