[cryptography] OAEP for RSA signatures?

James Muir muir.james.a at gmail.com
Sat Jan 26 11:54:39 EST 2013


PSS is similar to OAEP, but is for signatures.  If you have OAEP
implemented, then it wouldn't take you long to do PSS, which is
described in the PKCS-1v2.1 document.

Hacking OAEP into a signature scheme sounds a little dangerous.
However, I guess the idea would idea would just be to hash your message
and "encrypt" the hash with the private exponent.  You want your
signature scheme to be existentially unforgeable.  If could forge one of
these signatures, then I not certain what that says about the security
of OAEP encryption (maybe nothing since anyone can create validate OAEP
ciphertexts).

Full-domain-hash RSA is quite easy to implement.  If you don't like PSS,
then you could look at it.

-James

On 13-01-26 10:00 AM, ianG wrote:
> Apologies in advance ;) but a cryptography question:
> 
> I'm coding (or have coded) a digital signature class in RSA.  In my
> research on how to frame the input to the RSA private key operation, I
> was told words to effect "just use OAEP and you're done and dusted."
> Which was convenient as that was already available/coded.
> 
> However I haven't seen any other code doing this - it is mostly PKCS1,
> etc, and RFC3447 doesn't enlighten in this direction.
> 
> Could OAEP be considered reasonable for signatures?  or is this a case
> of totally inappropriate?  Or somewhere in between?
> 
> 
> 
> iang
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130126/57e8bffa/attachment.asc>


More information about the cryptography mailing list