[cryptography] OAEP for RSA signatures?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Jan 26 20:53:00 EST 2013


ianG <iang at iang.org> writes:

>Could OAEP be considered reasonable for signatures? 

You need to define "appropriate".  For example if you mean "interoperable"
then OAEP isn't even appropriate for encryption, let alone signatures.  If
you're worried about timing channels then OAEP is also pretty inappropriate
for any use.  PKCS #1 OTOH will interop with pretty much anything, and you can
do the padding check in close enough to constant time that it doesn't matter.

Peter.




More information about the cryptography mailing list