Cryptology ePrint Archive: Report 2016/224

CacheBleed: A Timing Attack on OpenSSL Constant Time RSA

Yuval Yarom and Daniel Genkin and Nadia Heninger

Abstract: The scatter-gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant-time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.

Category / Keywords: implementation / side-channel attacks, cache attacks, cryptographic implementations, constant-time, RSA

Date: received 1 Mar 2016, last revised 1 Mar 2016

Contact author: yval at cs adelaide edu au


Version: 20160301:221414

Short URL: ia.cr/2016/224

