[cryptography] OAEP for RSA signatures?

Thierry Moreau thierry.moreau at connotech.com
Mon Jan 28 10:27:32 EST 2013

Peter Gutmann wrote:
> the reason why Bleichenbacher attacked v1.5
> rather than OAEP is because use of the latter is [...]
> compared to v1.5, [...]

Please correct me if I'm wrong. My point is that the highly significant 
academic contributions (among which I would put the Bleichenbacher attack) 
should not be mis-represented by authoritative contributors to this list.

The Bleichenbacher attack uses 1) characteristics of the PKCS v1.5 specs 
according to which RSA is used in a hybrid cryptosystem, and 2) some 
oracle which tells the attacker whether a given ciphertext is well-formed 
or not.

The Bleichenbacher attack adaptation to OAEP is non-existent today and 
would be an even more significant academic result. I must assume that 
Bleichenbacher would have published results in this direction if his 
research had yielded them.

The oracle needed for a practical deployment of the Bleichenbacher 
attack may be a timing/side channel attack vulnerability, but it may 
also be something like a too detailed error code reported in the "main 
channel" of a protocol. So the minefield from pure timing/side channel 
attacks versus Bleichenbacher is distinct (and overlapping).

"Protect against side channel attacks" is one motto.

"Spot the oracle" is another one.

I find the latter important these days (that's an opinion, no need to 
correct me on this one!).

Use of OAEP is a way to avoid the Bleichenbacher attack oracle 
vulnerability, i.e. resist Bleichenbacher even if the oracle still remains.


- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691
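Editor's added example, not code from the post above or from any participant in the thread: a working illustration of the two ingredients Thierry lists, the PKCS#1 v1.5 encryption block format and a yes/no "is this ciphertext well-formed?" oracle, followed by Bleichenbacher's 1998 adaptive chosen-ciphertext attack that recovers the plaintext from the oracle's answers alone. The hard-coded toy key (p = 2^61 - 1, q = 2^64 - 59, a 125-bit modulus), the lax oracle that only checks the leading 00 02 bytes, and the sample plaintext are assumptions of this example, chosen so the attack finishes in seconds; real keys are 2048 bits or more and real oracles are usually stricter and noisier.

```python
"""Toy PKCS#1 v1.5 padding oracle and Bleichenbacher's (1998) attack on it.
Added example, not code from the original post. The tiny hard-coded key, the
lax "starts with 00 02" oracle and the plaintext are assumptions of the
example; real keys are 2048+ bits. Needs Python 3.8+ for pow(e, -1, phi)."""
import secrets

# Constructed toy key: p = 2^61 - 1 and q = 2^64 - 59 are both prime, giving a
# 125-bit modulus (k = 16 bytes). Far too small for real use, fast to attack.
P, Q, E = (1 << 61) - 1, (1 << 64) - 59, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8

def ceil_div(a, b):
    return -(-a // b)

def pkcs1_v15_pad(msg, k=K):
    """EME-PKCS1-v1_5 block: 00 02 <random non-zero bytes> 00 <msg>, k bytes."""
    assert len(msg) <= k - 11, "message too long for this modulus"
    ps = bytearray()
    while len(ps) < k - 3 - len(msg):
        b = secrets.randbits(8)
        if b:
            ps.append(b)
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg

def make_oracle(n=N, d=D, k=K):
    """The 'well-formed ciphertext' oracle: answers only whether the decrypted
    block starts with 00 02. A verbose error code or a timing difference in a
    real server is what turns this bit into something an attacker can query."""
    calls = [0]
    def oracle(c):
        calls[0] += 1
        return pow(c, d, n).to_bytes(k, "big")[:2] == b"\x00\x02"
    return oracle, calls

def bleichenbacher(n, e, c, oracle):
    """Recovers m = c^d mod n using only oracle answers (Bleichenbacher 1998).
    Invariant: oracle(c * s^e) is True iff 2B <= m*s mod n < 3B, which pins
    m into ever smaller intervals until one candidate remains."""
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 2))
    B2, B3 = 2 * B, 3 * B
    assert oracle(c), "step 1 (blinding) omitted: c must already be conforming"
    M = [(B2, B3 - 1)]            # m is known to start with 00 02
    s = ceil_div(n, B3)
    first = True
    while True:
        if first:                 # step 2a: smallest conforming s >= n/3B
            first = False
            while not oracle(c * pow(s, e, n) % n):
                s += 1
        elif len(M) > 1:          # step 2b: several intervals, linear search
            s += 1
            while not oracle(c * pow(s, e, n) % n):
                s += 1
        else:                     # step 2c: one interval [a, b], search by r
            a, b = M[0]
            r = ceil_div(2 * (b * s - B2), n)
            while True:
                lo, hi = ceil_div(B2 + r * n, b), (B3 - 1 + r * n) // a
                hit = next((t for t in range(lo, hi + 1)
                            if oracle(c * pow(t, e, n) % n)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1
        new = []                  # step 3: narrow every interval using s
        for a, b in M:
            for r in range(ceil_div(a * s - B3 + 1, n), (b * s - B2) // n + 1):
                na = max(a, ceil_div(B2 + r * n, s))
                nb = min(b, (B3 - 1 + r * n) // s)
                if na <= nb:
                    new.append((na, nb))
        M = []
        for a, b in sorted(new):  # merge overlapping or adjacent intervals
            if M and a <= M[-1][1] + 1:
                M[-1] = (M[-1][0], max(M[-1][1], b))
            else:
                M.append((a, b))
        if len(M) == 1 and M[0][0] == M[0][1]:   # step 4: m pinned down
            return M[0][0]

def demo(plaintext=b"hi"):
    """Encrypts plaintext under the toy key and recovers it through the oracle.
    Returns (recovered plaintext, number of oracle queries used)."""
    oracle, calls = make_oracle()
    c = pow(int.from_bytes(pkcs1_v15_pad(plaintext), "big"), E, N)
    em = bleichenbacher(N, E, c, oracle).to_bytes(K, "big")
    return em[em.index(b"\x00", 2) + 1:], calls[0]

if __name__ == "__main__":
    recovered, queries = demo()
    print(recovered, "recovered after", queries, "oracle queries")
```

The point to notice is that the attacker never sees a decryption, only the oracle's one-bit answer, and the oracle here is the laziest possible check (first two bytes only). A stricter oracle that also verifies the eight non-zero padding bytes and the 00 separator gives false negatives and therefore needs more queries, but it never breaks the attack, because a "conforming" answer still implies 2B <= m*s mod n < 3B and the true m always survives step 3. That is why "spot the oracle" is the useful question: whatever leaks that bit, whether a distinct error code, a different message length, or a timing difference, is the vulnerability, not the RSA operation itself.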
