[cryptography] OAEP for RSA signatures?
pgut001 at cs.auckland.ac.nz
Tue Jan 29 07:20:25 EST 2013
Thierry Moreau <thierry.moreau at connotech.com> writes:
>The Bleichenbacher attack adaptation to OAEP is non-existent today and would
>be an even more significant academic result. I must assume that
>Bleichenbacher would have published results in this direction if his research
>would have given those.
Bleichenbacher didn't, but Manger did more than a decade ago:

  However, the design of RSAES-OAEP makes it highly likely that
  implementations will leak information between the decryption and integrity
  check operations making them susceptible to a chosen ciphertext attack that
  requires many orders of magnitude less effort than similar attacks against
  PKCS #1 v1.5 block type 2 padding.

  -- "A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding
     (OAEP) as Standardized in PKCS #1 v2.0"
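
Added example, not part of the original post or of any library's code: an OAEP decoder that reports the leading-octet failure separately from the integrity-check failure (the leak the quoted paper describes), next to one that folds every failure into a single error. SHA-256 as the hash, the function names and the encoder used to build test input are assumptions made for illustration.

```python
import hashlib, hmac

H = hashlib.sha256
HLEN = H().digest_size

class DecryptionError(Exception): pass  # the only failure the uniform decoder reports

def mgf1(seed, n):
    return b"".join(H(seed + c.to_bytes(4, "big")).digest() for c in range(-(-n // HLEN)))[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, seed, label=b""):
    # Builds constructed test input: EM = 00 || maskedSeed || maskedDB, k bytes long.
    db = H(label).digest() + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, len(db)))
    return b"\x00" + xor(seed, mgf1(masked_db, HLEN)) + masked_db

def unmask(em):
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    return xor(masked_db, mgf1(seed, len(masked_db)))

def oaep_decode_leaky(em, label=b""):
    # Anti-pattern: the leading octet is rejected early, with its own error,
    # before the integrity check runs, so the two failures are distinguishable.
    if em[0] != 0:
        raise ValueError("integer too large")
    db = unmask(em)
    if db[:HLEN] != H(label).digest():
        raise ValueError("integrity check failed")
    rest = db[HLEN:].lstrip(b"\x00")
    if rest[:1] != b"\x01":
        raise ValueError("bad padding")
    return rest[1:]

def oaep_decode_uniform(em, label=b""):
    # Always unmask, accumulate every check, fail once with one message.
    # Python gives no timing guarantees; this shows the control flow only.
    db = unmask(em)
    bad = em[0] | (not hmac.compare_digest(db[:HLEN], H(label).digest()))
    found = idx = 0
    for i in range(HLEN, len(db)):          # scan PS without an early exit
        first_one = (db[i] == 1) & (found == 0)
        bad |= (found == 0) & (db[i] > 1)   # non-zero byte before the 0x01 separator
        idx |= i * first_one
        found |= first_one
    if bad or not found:
        raise DecryptionError("decryption error")
    return db[idx + 1:]
```

The same single-error rule has to hold in the RSA step that converts the decrypted integer to octets, since that is where the leading octet is first examined.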