[cryptography] OAEP for RSA signatures?
ryan+cryptography at sleevi.com
Sat Jan 26 21:06:32 EST 2013
On Sat, January 26, 2013 5:53 pm, Peter Gutmann wrote:
> ianG <iang at iang.org> writes:
> >Could OAEP be considered reasonable for signatures?
> You need to define "appropriate". For example if you mean "interoperable"
> then OAEP isn't even appropriate for encryption, let alone signatures. If
> you're worried about timing channels then OAEP is also pretty
> for any use. PKCS #1 OTOH will interop with pretty much anything, and you
> do the padding check in close enough to constant time that it doesn't
... Did you just suggest that the timing channels in PKCS#1 v1.5 are
easier to get right than the timing channels of OAEP? The same PKCS#1 v1.5
encryption that's confounding people a decade after the original
Encrypt vs signatures aside, what am I missing here? Implementing OAEP
validation in constant time is trivial compared to the pain of not leaking
if the padding was correct for PKCS#1.
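
As an added illustration (not part of the original message, and not code from any project discussed in the thread), here is a sketch of the OAEP side of that comparison: checking the unmasked data block without secret-dependent branches or early exits. It assumes the RSA private-key operation and MGF1 unmasking have already run; `oaep_check_db`, `ct_is_zero` and the sample bytes are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All-ones mask if x == 0, else 0, computed without a data-dependent branch. */
static uint32_t ct_is_zero(uint32_t x) {
    return (uint32_t)0 - ((~x & (x - 1)) >> 31);
}

/* y: leading octet of EM. db: unmasked DB = lHash' || PS || 0x01 || M.
 * Returns 1 and sets *msg_off to the offset of M in db when the encoding is
 * well formed; returns 0 with *msg_off = 0 for every failure alike. */
int oaep_check_db(uint8_t y, const uint8_t *db, size_t db_len,
                  const uint8_t *lhash, size_t hlen, size_t *msg_off) {
    uint32_t bad = y;      /* Y must be 0x00 */
    uint32_t found = 0;    /* mask: 0x01 separator already seen */
    uint32_t off = 0, ok;
    size_t i;

    *msg_off = 0;
    if (db_len < hlen + 1) return 0;   /* lengths are public, branching is fine */

    for (i = 0; i < hlen; i++)         /* compare lHash' without early exit */
        bad |= (uint32_t)(db[i] ^ lhash[i]);

    for (i = hlen; i < db_len; i++) {  /* always scan the whole block */
        uint32_t is_one = ct_is_zero((uint32_t)db[i] ^ 0x01);
        uint32_t is_zero = ct_is_zero(db[i]);
        uint32_t first = is_one & ~found;
        off |= first & (uint32_t)(i + 1);
        found |= first;
        bad |= ~found & ~is_zero;      /* non-zero octet inside PS */
    }
    bad |= ~found;                     /* separator missing */
    ok = ct_is_zero(bad);
    *msg_off = (size_t)(off & ok);
    return (int)(ok & 1);
}

int main(void) {
    /* Constructed sample: 4-octet stand-in for lHash, PS = 00 00, M = "hi". */
    const uint8_t lhash[4] = {0xde, 0xad, 0xbe, 0xef};
    const uint8_t db[9] = {0xde, 0xad, 0xbe, 0xef, 0, 0, 1, 'h', 'i'};
    size_t off;
    int ok = oaep_check_db(0, db, sizeof db, lhash, sizeof lhash, &off);
    printf("ok=%d msg_off=%zu\n", ok, off);
    return 0;
}
```

The caller still has to report a failed RSA operation and a failed check with the same error, and a compiler can reintroduce branches, so the generated code needs checking on the target platform.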