[cryptography] OAEP for RSA signatures?

Thierry Moreau thierry.moreau at connotech.com
Sun Jan 27 08:04:55 EST 2013

James Muir wrote:
> PSS is similar to OAEP, but is for signatures.  If you have OAEP
> implemented, then it wouldn't take you long to do PSS, which is
> described in the PKCS-1v2.1 document.

This is the answer I suspected in reading the original post question.

> Hacking OAEP into a signature scheme sounds a little dangerous.
> However, I guess the idea would just be to hash your message
> and "encrypt" the hash with the private exponent.  You want your
> signature scheme to be existentially unforgeable.  If you could forge one of
> these signatures, then I am not certain what that says about the security
> of OAEP encryption (maybe nothing since anyone can create valid OAEP
> ciphertexts).

I guess the original poster did not expect to create a new/modified 
signature scheme, but "just" implement a recognized one.

> Full-domain-hash RSA is quite easy to implement.  If you don't like PSS,
> then you could look at it.

Oh great ... I thought I was the only one to have taken note of 

My understanding is that full-domain-hash remains a useful academic 
contribution to the formal proofs of PK cryptosystems. It is also 
antagonistic to the push towards ECC signatures. Certainly NIST is not 
interested since this organization pushes for ECC technology development 
and adoption. At least I did not see any reference to an "FDH mode" for 
secure hash competition candidates.

In practice, full-domain-hash has a serious performance penalty if one 
takes the implementation suggestion from [1]. You would do me a favor in 
providing references to practical implementation strategies.

[1] Mihir Bellare, Phillip Rogaway: The Exact Security of Digital 
Signatures - How to Sign with RSA and Rabin. EUROCRYPT 1996: pp. 399–416

> -James
> On 13-01-26 10:00 AM, ianG wrote:
>> Apologies in advance ;) but a cryptography question:
>> I'm coding (or have coded) a digital signature class in RSA.  In my
>> research on how to frame the input to the RSA private key operation, I
>> was told words to the effect "just use OAEP and you're done and dusted."
>> Which was convenient as that was already available/coded.

Maybe the advice should be taken with caution:

1) from this advice alone you were not warned that OAEP encryption 
principles turn into RSA-PSS for signatures, and

2) implementation-wise, RSA-PSS turns the secret random source into a 
critical system component (which is incrementally inconvenient if no 
other crypto usage of secret random numbers exists in the operational 
digital signature system -- the full-domain-hash avenue does not carry 
this secret random source dependency).

>> However I haven't seen any other code doing this - it is mostly PKCS1,
>> etc, and RFC3447 doesn't enlighten in this direction.
>> Could OAEP be considered reasonable for signatures?  or is this a case
>> of totally inappropriate?  Or somewhere in between?
>> iang


- Thierry Moreau
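
An added example, not part of the original message or of reference [1]: a minimal full-domain-hash RSA signature, showing that signing is deterministic and draws on no secret random source, the property contrasted with RSA-PSS above. The toy key (two Mersenne primes), the use of MGF1 with SHA-256 to stretch the hash, and the rejection loop that keeps the result below the modulus are assumptions chosen for illustration.

```python
import hashlib

# Constructed toy key for illustration only: two Mersenne primes give a
# 234-bit modulus, far too small for real use.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 from PKCS #1 with SHA-256: hash seed || 4-byte counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def fdh(message: bytes, n: int) -> int:
    """Map message deterministically to an integer in [0, n)."""
    bits = n.bit_length()
    nbytes = (bits + 7) // 8
    attempt = 0
    while True:
        # Prefix an attempt counter so a rejected candidate can be redrawn.
        stream = mgf1(attempt.to_bytes(4, "big") + message, nbytes)
        candidate = int.from_bytes(stream, "big") >> (8 * nbytes - bits)
        if candidate < n:
            return candidate
        attempt += 1


def sign(message: bytes) -> int:
    # No salt and no random input: the signature depends only on the
    # message and the private key.
    return pow(fdh(message, N), D, N)


def verify(message: bytes, signature: int) -> bool:
    # Recompute the full-domain hash and compare with signature^E mod N.
    return 0 <= signature < N and pow(signature, E, N) == fdh(message, N)
```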
