Skip to main content

CacheBleed: A timing attack on OpenSSL constant time RSA


Yuval Yarom, Daniel Genkin and Nadia Heninger

University of Adelaide


University of Pennsylvania

University of Maryland


The scatter-gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.

BibTeX Entry

    doi              = {10.1007/s13389-017-0152-y},
    month            = may,
    journal          = {Journal of Cryptographic Engineering},
    paperurl         = {},
    year             = {2017},
    slides           = {},
    volume           = {7},
    title            = {{CacheBleed}: A Timing Attack on {OpenSSL} Constant Time {RSA}},
    number           = {2},
    author           = {Yarom, Yuval and Genkin, Daniel and Heninger, Nadia},
    pages            = {99--112}