[cryptography] OAEP for RSA signatures?

ianG iang at iang.org
Sun Jan 27 03:49:05 EST 2013

On 27/01/13 04:53 AM, Peter Gutmann wrote:
> ianG <iang at iang.org> writes:
>> Could OAEP be considered reasonable for signatures?
> You need to define "appropriate".  For example if you mean "interoperable"
> then OAEP isn't even appropriate for encryption, let alone signatures.

Oh, interoperable is not an issue.  I've got that covered.  The one 
class that produces the signatures is exactly and always the same class 
that verifies the signatures.

(This is what I would call better practice not "best practice" but not 
everyone would agree, especially those that deal in multiple languages ;) )

> If
> you're worried about timing channels then OAEP is also pretty inappropriate
> for any use.  PKCS #1 OTOH will interop with pretty much anything, and you can
> do the padding check in close enough to constant time that it doesn't matter.

OK, timing channels are an issue in the back of my mind.  As the client 
platform is the android phone, I'm guessing other apps could sit there 
and do timing attacks at my app.

However, I'm unsure about the above logic.  If a transform like OAEP is 
constant time, then this is bad for timing attacks because its time drops 
out of statistics.  Ideally we want a transform that is either
   * perfectly uncorrelated (0) and a time ratio >~ 2 std devs, or
   * perfectly negatively-correlated (-1) with a factor of exactly 1.

As the latter is implausible, we want the former:  some transform that 
adds an amount of noise that is entirely independent, that swamps the 

Or, where has my logic gone wrong?
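The constant-time padding check Peter refers to, written out as an added example rather than code from this thread: the verifier rebuilds the expected EMSA-PKCS1-v1_5 encoding and compares it byte for byte, once with an early return (a timing channel) and once by accumulating all differences with OR. Function names, the SHA-256 DigestInfo prefix and the sample message are this example's own choices, not the list's.

```python
import hashlib

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Expected encoding EM = 0x00 || 0x01 || PS || 0x00 || T for a message.

    em_len is the modulus length in bytes; T is DigestInfo || SHA-256(message).
    """
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def check_early_exit(em: bytes, message: bytes) -> bool:
    """Naive check: returns at the first mismatching byte.

    Running time depends on where the mismatch is, so an observer who can
    time the verifier learns how much of the padding was right.
    """
    expected = emsa_pkcs1_v15_encode(message, len(em))
    for got, want in zip(em, expected):
        if got != want:
            return False
    return True


def check_constant_time(em: bytes, message: bytes) -> bool:
    """Fold every byte difference into one accumulator and decide at the end.

    The amount of work is fixed by len(em), not by the mismatch position.
    (Python itself makes no timing guarantees; the structure is what matters,
    and hmac.compare_digest is the stdlib way to do the same comparison.)
    em is assumed to be the I2OSP of the signature representative, so its
    length already equals the modulus length.
    """
    expected = emsa_pkcs1_v15_encode(message, len(em))
    diff = 0
    for got, want in zip(em, expected):
        diff |= got ^ want
    return diff == 0


if __name__ == "__main__":
    msg = b"constructed sample message"          # constructed input
    em = emsa_pkcs1_v15_encode(msg, 256)         # 2048-bit modulus
    print(check_constant_time(em, msg), check_early_exit(em, msg))
```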
