[cryptography] OAEP for RSA signatures?
iang at iang.org
Sun Jan 27 03:49:05 EST 2013
On 27/01/13 04:53 AM, Peter Gutmann wrote:
> ianG <iang at iang.org> writes:
>> Could OAEP be considered reasonable for signatures?
> You need to define "appropriate". For example if you mean "interoperable"
> then OAEP isn't even appropriate for encryption, let alone signatures.
Oh, interoperable is not an issue. I've got that covered. The one
class that produces the signatures is exactly and always the same class
that verifies the signatures.
(This is what I would call better practice not "best practice" but not
everyone would agree, especially those that deal in multiple languages ;) )
> you're worried about timing channels then OAEP is also pretty inappropriate
> for any use. PKCS #1 OTOH will interop with pretty much anything, and you can
> do the padding check in close enough to constant time that it doesn't matter.
OK, timing channels are an issue in the back of my mind. As the client
platform is the android phone, I'm guessing other apps could sit there
and do timing attacks at my app.
However, I'm unsure about the above logic. If a transform like OAEP is
constant time, then this is bad for timing attacks coz its time drops
out of statistics. Ideally we want a transform that is either
* perfectly uncorrelated (0) and a time ratio >~ 2 std devs, or
* perfectly negatively-correlated (-1) with a factor of exactly 1.
As the latter is implausible, we want the former: some transform that
adds an amount of noise that is entirely independent, that swamps the
Or, where has my logic gone wrong?
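As an added illustration of the PKCS #1 point quoted above (example code, not from the thread or either participant): a signature padding check that exits at the first bad byte beside one that rebuilds the expected encoding and compares every byte, which is what keeps the check's running time independent of the data. The sizes are constructed for the example (64-byte encoded message, a bare 32-byte digest in place of the DigestInfo).

```c
#include <stdint.h>
#include <string.h>
/* Constructed sizes: 64-byte EM and a bare 32-byte digest standing in for
   DigestInfo T (real code uses the modulus length and full DigestInfo). */
#define EM_LEN 64
#define T_LEN  32
#define PS_LEN (EM_LEN - T_LEN - 3)
/* Expected EMSA-PKCS1-v1_5 encoding: 00 || 01 || FF*PS_LEN || 00 || T */
static void encode_v15(uint8_t em[EM_LEN], const uint8_t t[T_LEN]) {
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, PS_LEN);
    em[2 + PS_LEN] = 0x00;
    memcpy(em + 3 + PS_LEN, t, T_LEN);
}
/* Variable-time check: parses the padding and returns at the first bad
   byte, so elapsed time reveals how far the parse got. */
int verify_v15_early_exit(const uint8_t em[EM_LEN], const uint8_t t[T_LEN]) {
    size_t i;
    if (em[0] != 0x00 || em[1] != 0x01) return 0;
    for (i = 2; i < 2 + PS_LEN; i++)
        if (em[i] != 0xFF) return 0;
    if (em[i++] != 0x00) return 0;
    return memcmp(em + i, t, T_LEN) == 0;  /* memcmp also stops early */
}
/* Constant-time check: rebuild the expected encoding and OR every byte
   difference into one accumulator; the work done does not depend on
   which byte (if any) is wrong, and the only branch is the final result. */
int verify_v15_const_time(const uint8_t em[EM_LEN], const uint8_t t[T_LEN]) {
    uint8_t expected[EM_LEN], diff = 0;
    uint32_t d;
    encode_v15(expected, t);
    for (size_t i = 0; i < EM_LEN; i++) diff |= em[i] ^ expected[i];
    d = diff;
    return (int)(((d | (0u - d)) >> 31) ^ 1u);  /* 1 iff diff == 0 */
}
/* Both checks on a constructed digest: valid EM, then a flipped PS byte,
   then a flipped digest byte. Bits 0/1: valid EM accepted by early-exit /
   const-time; bits 2-5: corrupted EMs accepted. Expected result: 0x03. */
int run_example(void) {
    uint8_t t[T_LEN], em[EM_LEN];
    int r = 0;
    for (size_t i = 0; i < T_LEN; i++) t[i] = (uint8_t)i;  /* constructed digest */
    encode_v15(em, t);
    r |= verify_v15_early_exit(em, t) | (verify_v15_const_time(em, t) << 1);
    em[4] ^= 1;
    r |= (verify_v15_early_exit(em, t) << 2) | (verify_v15_const_time(em, t) << 3);
    em[4] ^= 1; em[EM_LEN - 1] ^= 1;
    r |= (verify_v15_early_exit(em, t) << 4) | (verify_v15_const_time(em, t) << 5);
    return r;
}
```

The accumulator pattern only holds if the compiler does not turn it back into an early-exit loop, so inspect the generated code on the target toolchain.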