[cryptography] OAEP for RSA signatures?

Ryan Sleevi ryan+cryptography at sleevi.com
Sat Jan 26 21:06:32 EST 2013

On Sat, January 26, 2013 5:53 pm, Peter Gutmann wrote:
>  ianG <iang at iang.org> writes:
> >Could OAEP be considered reasonable for signatures?
>  You need to define "appropriate".  For example if you mean "interoperable"
>  then OAEP isn't even appropriate for encryption, let alone signatures.  If
>  you're worried about timing channels then OAEP is also pretty
>  inappropriate
>  for any use.  PKCS #1 OTOH will interop with pretty much anything, and you
>  can
>  do the padding check in close enough to constant time that it doesn't
>  matter.
>  Peter.

... Did you just suggest that the timing channels in PKCS#1 v1.5 are
easier to get right than the timing channels of OAEP? The same PKCS#1 v1.5
encryption that's confounding people a decade [1] after the original
attacks [2]?

Encrypt vs signatures assign, what am I missing here? Implementing OAEP
validation in constant time is trivial compared to the pain of not leaking
if the padding was correct for PKCS#1.

[2] http://archiv.infsec.ethz.ch/education/fs08/secsem/Bleichenbacher98.pdf

More information about the cryptography mailing list