[cryptography] OAEP for RSA signatures?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Jan 29 07:20:25 EST 2013

Thierry Moreau <thierry.moreau at connotech.com> writes:

>The Bleichenbacher attack adaptation to OAEP is non-existent today and would
>be an even more significant academic result. I must assume that
>Bleichenbacher would have published results in this direction if his research
>would have given those.

Bleichenbacher didn't, but Manger did more than a decade ago:

  However, the design of RSAES-OAEP makes it highly likely that
  implementations will leak information between the decryption and integrity
  check operations making them susceptible to a chosen ciphertext attack that
  requires many orders of magnitude less effort than similar attacks against
  PKCS #1 v1.5 block type 2 padding. 
  -- "A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding
     (OAEP) as Standardized in PKCS #1 v2.0"


More information about the cryptography mailing list