Side-Channel Analysis and Cryptography Engineering: Getting OpenSSL Closer to Constant-Time

Cesar Pereida Garcia

Research output: Book/Report › Doctoral thesis › Collection of Articles


As side-channel attacks reached general-purpose PCs and became more practical for attackers to exploit, OpenSSL adopted in 2005 a flagging mechanism to protect against side-channel analysis (SCA). The opt-in mechanism lets developers mark secret values, such as keys, with the BN_FLG_CONSTTIME flag. Whenever a flag is checked and detected, the library switches its execution flow to SCA-secure functions that are slower but safer, protecting these secret values from being leaked. This mechanism favors performance over security; it is error-prone and obscure to most library developers, increasing the potential for side-channel vulnerabilities. This dissertation presents an extensive side-channel analysis of OpenSSL and criticizes its fragile flagging mechanism. The analysis reveals several flaws affecting the library, resulting in multiple side-channel attacks, improved cache-timing attack techniques, and a new side-channel vector. The first part of this dissertation introduces the main topic and the necessary related work, including the microarchitecture, the cache hierarchy, and attack techniques; it then presents a brief, troubled history of side-channel attacks and defenses in OpenSSL, setting the stage for the related publications. This dissertation includes seven original publications contributing to the areas of side-channel analysis, microarchitectural timing attacks, and applied cryptography. From an SCA perspective, the results identify several vulnerabilities and flaws enabling protocol-level attacks on RSA, DSA, and ECDSA, in addition to a full SCA of the SM2 cryptosystem. With respect to microarchitectural timing attacks, the dissertation presents a new side-channel vector due to port contention in the CPU execution units. Finally, on the applied cryptography front, OpenSSL now enjoys a revamped code base securing several cryptosystems against SCA, favoring secure-by-default protection against side-channel attacks instead of the insecure opt-in flagging mechanism provided by the fragile BN_FLG_CONSTTIME flag.
Original language: English
Place of Publication: Tampere
ISBN (Electronic): 978-952-03-2289-2
Publication status: Published - 2022
Publication type: G5 Doctoral dissertation (articles)

Publication series

Name: Tampere University Dissertations - Tampereen yliopiston väitöskirjat
ISSN (Print): 2489-9860
ISSN (Electronic): 2490-0028



