On Sat, January 26, 2013 5:53 pm, Peter Gutmann wrote:
> ianG <[email protected]> writes:
>
> >Could OAEP be considered reasonable for signatures?
>
> You need to define "appropriate". For example if you mean "interoperable"
> then OAEP isn't even appropriate for encryption, let alone signatures. If
> you're worried about timing channels then OAEP is also pretty inappropriate
> for any use. PKCS #1 OTOH will interop with pretty much anything, and you can
> do the padding check in close enough to constant time that it doesn't matter.
>
> Peter.
... Did you just suggest that the timing channels in PKCS#1 v1.5 are easier to
get right than the timing channels of OAEP? The same PKCS#1 v1.5 encryption
that's confounding people a decade [1] after the original attacks [2]?

Encrypt vs signatures aside, what am I missing here? Implementing OAEP
validation in constant time is trivial compared to the pain of not leaking if
the padding was correct for PKCS#1.

[1] http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/07/11/XMLencBleichenbacher.pdf
[2] http://archiv.infsec.ethz.ch/education/fs08/secsem/Bleichenbacher98.pdf
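An added illustration of the padding-check point above (not code from the thread or from either poster): the early-return PKCS#1 v1.5 type 2 check beside a branch-free one that walks the whole block and substitutes a caller-supplied random message on any failure, the shape used for TLS pre-master secrets where the expected plaintext length is fixed. Function names are hypothetical, and pure Python is not genuinely constant time; the block shows the structure, not a production implementation.

```python
def ct_eq(a: int, b: int) -> int:
    """0xFF if a == b else 0x00, for 0 <= a, b < 65536, with no data-dependent branch."""
    return (((a ^ b) - 1) >> 16) & 0xFF

def ct_lt(a: int, b: int) -> int:
    """0xFF if a < b else 0x00, same domain, branch-free."""
    return ((a - b) >> 16) & 0xFF

def unpad_naive(em: bytes, mlen: int):
    """Early-return check: each failure exits at a different point, so the
    time taken tells an observer which condition failed (the oracle the
    Bleichenbacher papers cited above exploit)."""
    k = len(em)
    if em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)              # -1 when no separator exists
    if sep < 10 or k - sep - 1 != mlen:    # PS must be >= 8 bytes; M must fit
        return None
    return em[sep + 1:]

def unpad_ct(em: bytes, mlen: int, fallback: bytes) -> bytes:
    """Branch-free check of EM = 00 || 02 || PS || 00 || M for a fixed expected
    message length. Every byte is examined regardless of errors, and on any
    failure `fallback` (random bytes the caller drew BEFORE calling, e.g.
    secrets.token_bytes(mlen)) is returned, so neither control flow nor the
    result reveals which check failed. (Assumed design, not the thread's code.)"""
    k = len(em)
    assert len(fallback) == mlen <= k - 11          # public parameters only
    good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02)
    found, zero_index = 0x00, 0
    for i in range(2, k):                            # always the full block
        is_zero = ct_eq(em[i], 0x00)
        first = is_zero & (found ^ 0xFF)             # first 00 seen so far?
        zero_index |= i & -(first & 1)               # record it without branching
        found |= is_zero
    good &= found                                    # a separator exists
    good &= ct_lt(9, zero_index)                     # PS is at least 8 bytes
    good &= ct_eq(zero_index, k - 1 - mlen)          # M has the expected length
    gm = -(good & 1)                                 # 0 or -1 (all ones)
    tail = em[k - mlen:]                             # where M sits if good
    return bytes((t & gm) | (f & ~gm) for t, f in zip(tail, fallback))
```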
