[cryptography] OAEP for RSA signatures?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Jan 27 20:15:35 EST 2013

Ryan Sleevi <ryan+cryptography at sleevi.com> writes:

>Did you just suggest that the timing channels in PKCS#1 v1.5 are easier to
>get right than the timing channels of OAEP?
>
>The same PKCS#1 v1.5 encryption that's confounding people a decade [1] after
>the original attacks [2]?

You're confusing two things: an implementation that doesn't even consider
timing channels and an implementation that does.  For the former, OAEP is just
as vulnerable as PKCS #1 v1.5; the reason why Bleichenbacher attacked v1.5
rather than OAEP is that use of the latter is practically nonexistent
compared to v1.5, which for starters is used in every web server on the
planet.  However, once you do decide to defend against timing channels, v1.5
is quite a bit easier to deal with than OAEP.

>Implementing OAEP validation in constant time is trivial

Care to provide an example of how you'd do this?


[1] NMF.
[2] NMF.
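As an added illustration of the PKCS #1 v1.5 side of the comparison (this is not code from the thread or from either poster; the helper and function names are my own): a decoder for the EME-PKCS1-v1_5 block that reads every byte, writes every output byte, and indexes memory only by public values, so its running time does not reveal where, or whether, the padding check failed.

```c
#include <stddef.h>
#include <stdint.h>

#define SIZE_BITS (sizeof(size_t) * 8)

/* Branch-free predicates: each returns 0xFF (true) or 0x00 (false) so it can be used as a mask. */
static uint8_t ct_is_zero_u8(uint8_t v) { return (uint8_t)(((uint32_t)v - 1u) >> 8); }
static uint8_t ct_eq_u8(uint8_t a, uint8_t b) { return ct_is_zero_u8(a ^ b); }
static uint8_t ct_eq_size(size_t a, size_t b) {
    size_t d = a ^ b;
    return (uint8_t)(((d | ((size_t)0 - d)) >> (SIZE_BITS - 1)) - 1u);
}
static uint8_t ct_lt_size(size_t a, size_t b) {            /* true iff a < b (unsigned) */
    return (uint8_t)((size_t)0 - ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (SIZE_BITS - 1)));
}

/* Decode an EME-PKCS1-v1_5 block  00 || 02 || PS (>= 8 non-zero bytes) || 00 || M.
 * em_len is the RSA modulus length (public), so branching on it is fine; everything
 * derived from the block contents is handled with masks only. Every byte of em is
 * always read and every byte of out (capacity em_len) is always written, so the time
 * taken does not reveal where, or whether, the padding was malformed.
 * Returns 1 and sets *m_len on success, 0 (with *m_len = 0, out zeroed) on failure. */
int pkcs1_v15_unpad_ct(const uint8_t *em, size_t em_len, uint8_t *out, size_t *m_len) {
    if (em_len < 11) return 0;
    uint8_t good = ct_eq_u8(em[0], 0x00) & ct_eq_u8(em[1], 0x02);
    uint8_t found = 0x00;        /* becomes 0xFF once the first 00 separator is seen */
    size_t sep = em_len;         /* index of that separator; em_len means "none" */
    for (size_t i = 2; i < em_len; i++) {
        uint8_t z = ct_is_zero_u8(em[i]);
        size_t take = (size_t)0 - (size_t)((z & ~found) & 1u);  /* full-width mask */
        sep = (sep & ~take) | (i & take);                        /* keep the first zero only */
        found |= z;
    }
    good &= found;                 /* a separator must exist ...            */
    good &= ct_lt_size(9, sep);    /* ... at index >= 10, i.e. |PS| >= 8     */
    /* Copy M = em[sep+1 ..] to out without ever indexing memory by the secret sep:
       for each output slot j, scan every source byte and select the one at sep+1+j. */
    for (size_t j = 0; j < em_len; j++) {
        uint8_t v = 0;
        for (size_t k = 0; k < em_len; k++)
            v |= em[k] & ct_eq_size(k, sep + 1 + j);
        out[j] = v & good;
    }
    *m_len = (em_len - sep - 1) & ((size_t)0 - (size_t)(good & 1u));
    return good & 1u;
}
```

A real decryptor also has to avoid branching on the return value afterwards (e.g. by substituting a random secret of the expected length, as TLS does), otherwise the caller reintroduces the oracle this function removes.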

