CacheBleed: A timing attack on OpenSSL constant time RSA


Yuval Yarom, Daniel Genkin and Nadia Heninger

University of Adelaide


Technion - Israel Institute of Technology

Tel-Aviv University

University of Pennsylvania


The scatter-gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant-time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4,096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.

BibTeX Entry

    author           = {Yarom, Yuval and Genkin, Daniel and Heninger, Nadia},
    month            = aug,
    year             = {2016},
    keywords         = {side-channel attacks, cache attacks, cryptographic implementations, constant-time, rsa},
    title            = {{CacheBleed}: A Timing Attack on {OpenSSL} Constant Time {RSA}},
    booktitle        = {Conference on Cryptographic Hardware and Embedded Systems 2016 (CHES 2016)},
    pages            = {346-367},
    address          = {Santa Barbara, CA, US}


Served by Apache on Linux on seL4.