[cryptography] OAEP for RSA signatures?

James Muir muir.james.a at gmail.com
Sun Jan 27 10:58:48 EST 2013


On 13-01-26 08:53 PM, Peter Gutmann wrote:
> ianG <iang at iang.org> writes:
> 
>> Could OAEP be considered reasonable for signatures? 
> 
> You need to define "appropriate".  For example if you mean "interoperable"
> then OAEP isn't even appropriate for encryption, let alone signatures.  If
> you're worried about timing channels then OAEP is also pretty inappropriate
> for any use.

The only timing attack on OAEP that I've heard about relates to code
that checks whether two char arrays are equal.  If they aren't equal,
then the loop might exit early.

If we get back to the OP's question -- turning OAEP into a signature
scheme -- then I don't think the OAEP timing attack is a concern since
it would only occur in a signature verification operation.

-James

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130127/493baf69/attachment.asc>


More information about the cryptography mailing list