
CacheBleed: A timing attack on OpenSSL constant time RSA


Yuval Yarom, Daniel Genkin and Nadia Heninger

University of Adelaide


Technion — Israel Institute of Technology

Tel-Aviv University

University of Pennsylvania


The scatter-gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant-time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4,096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.

BibTeX Entry

    month            = aug,
    keywords         = {side-channel attacks, cache attacks, cryptographic implementations, constant-time, rsa},
    publisher        = {Springer},
    paperurl         = {},
    booktitle        = {Workshop on Cryptographic Hardware and Embedded Systems},
    author           = {Yarom, Yuval and Genkin, Daniel and Heninger, Nadia},
    year             = {2016},
    pages            = {346--367},
    address          = {Santa Barbara, CA, US},
    title            = {{CacheBleed}: A Timing Attack on {OpenSSL} Constant Time {RSA}}