Paper 2016/594

"Make Sure DSA Signing Exponentiations Really are Constant-Time"

Cesar Pereida García, Billy Bob Brumley, and Yuval Yarom


TLS and SSH are two of the most commonly used protocols for securing Internet traffic. Many of the implementations of these protocols rely on the cryptographic primitives provided in the OpenSSL library. In this work we disclose a vulnerability in OpenSSL, affecting all versions and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005, which renders the implementation of the DSA signature scheme vulnerable to cache-based side-channel attacks. Exploiting the software defect, we demonstrate the first published cache-based key-recovery attack on these protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from an stunnel server.
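As an added illustration of the constant-time property the title refers to (example code written for this page, not OpenSSL's implementation): a toy modular exponentiation in two variants, each recording its square/multiply operation trace. The modulus, base and exponents are constructed values; the page gives no parameters. Generalising beyond the paper's setting, the leaky variant shows why any exponentiation whose operation sequence follows the exponent bits is observable by a cache-timing attacker, while the ladder variant performs the same sequence for every exponent of a given bit length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added illustration, not OpenSSL's code. Toy 32-bit modulus so products fit in
 * uint64_t; real DSA uses a 1024- or 2048-bit p. In DSA signing the exponent is
 * the per-signature nonce k (r = (g^k mod p) mod q), so an operation trace that
 * depends on k leaks nonce bits to a cache-timing observer. */
#define TRACE_MAX 512
typedef struct { char ops[TRACE_MAX]; int len; } trace_t;   /* 'S' = square, 'M' = multiply */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {  /* requires m < 2^32 */
    return ((a % m) * (b % m)) % m;
}

static void trace_push(trace_t *t, char op) {
    if (t->len < TRACE_MAX - 1) t->ops[t->len++] = op;
    t->ops[t->len] = '\0';
}

/* Left-to-right square-and-multiply: a multiply happens only for set bits,
 * so the S/M pattern of the trace is the exponent's bit pattern. */
uint64_t modexp_leaky(uint64_t g, uint64_t e, uint64_t p, int ebits, trace_t *t) {
    uint64_t r = 1;
    t->len = 0; t->ops[0] = '\0';
    for (int i = ebits - 1; i >= 0; i--) {
        r = mulmod(r, r, p); trace_push(t, 'S');
        if ((e >> i) & 1) { r = mulmod(r, g, p); trace_push(t, 'M'); }
    }
    return r;
}

/* Montgomery ladder: one multiply and one square per bit whatever the bit is,
 * with a branch-free masked swap, so the trace depends only on ebits. */
uint64_t modexp_ladder(uint64_t g, uint64_t e, uint64_t p, int ebits, trace_t *t) {
    uint64_t r0 = 1, r1 = g % p;                 /* invariant: r1 == r0 * g */
    t->len = 0; t->ops[0] = '\0';
    for (int i = ebits - 1; i >= 0; i--) {
        uint64_t mask = 0 - ((e >> i) & 1);      /* all ones iff bit set */
        uint64_t x = (r0 ^ r1) & mask; r0 ^= x; r1 ^= x;
        r1 = mulmod(r0, r1, p); trace_push(t, 'M');
        r0 = mulmod(r0, r0, p); trace_push(t, 'S');
        x = (r0 ^ r1) & mask; r0 ^= x; r1 ^= x;
    }
    return r0;
}

int main(void) {                                  /* prints one trace of each kind */
    trace_t t; const uint64_t p = 1000000007ULL;  /* constructed prime modulus */
    modexp_leaky(5, 0x5A, p, 7, &t);  printf("leaky  0x5A: %s\n", t.ops);
    modexp_ladder(5, 0x5A, p, 7, &t); printf("ladder 0x5A: %s\n", t.ops);
    return 0;
}
```

The leaky trace for 0x5A reads the exponent's bits directly (S then M for each 1 bit, S alone for each 0 bit); the ladder trace is the same fourteen operations for every 7-bit exponent.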

Note: Footnote information about patches updated.

Publication info
Published elsewhere. Minor revision. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Keywords
applied cryptography, digital signatures, side-channel analysis, timing attacks, cache-timing attacks, DSA, OpenSSL, CVE-2016-2178
Contact author(s)
cesar pereidagarcia @ tut fi
2016-11-10: revised
2016-06-07: received
Creative Commons Attribution


      author = {Cesar Pereida García and Billy Bob Brumley and Yuval Yarom},
      title = {``Make Sure DSA Signing Exponentiations Really are Constant-Time''},
      howpublished = {Cryptology ePrint Archive, Paper 2016/594},
      year = {2016},
      doi = {10.1145/2976749.2978420},
      note = {\url{}},
      url = {}