On 27/01/13 04:53 AM, Peter Gutmann wrote:
> ianG <[email protected]> writes:
>
>> Could OAEP be considered reasonable for signatures?
>
> You need to define "appropriate".  For example if you mean "interoperable"
> then OAEP isn't even appropriate for encryption, let alone signatures.


Oh, interoperable is not an issue. I've got that covered. The one class that produces the signatures is exactly and always the same class that verifies the signatures.

(This is what I would call better practice not "best practice" but not everyone would agree, especially those that deal in multiple languages ;) )


> If you're worried about timing channels then OAEP is also pretty inappropriate
> for any use.  PKCS #1 OTOH will interop with pretty much anything, and you can
> do the padding check in close enough to constant time that it doesn't matter.


OK, timing channels are an issue in the back of my mind. As the client platform is the android phone, I'm guessing other apps could sit there and do timing attacks at my app.

However, I'm unsure about the above logic. If a transform like OAEP is constant time, then this is bad for timing attacks coz its time drops out of statistics. Ideally we want a transform that is either
  * perfectly uncorrelated (0) and a time ratio >~ 2 std devs, or
  * perfectly negatively-correlated (-1) with a factor of exactly 1.

As the latter is implausible, we want the former: some transform that adds an amount of noise that is entirely independent, that swamps the deviation.

Or, where has my logic gone wrong?



iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
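The "padding check in close enough to constant time" point above, as an added illustration that is not part of the thread or of any library the posters use: both functions verify an EMSA-PKCS1-v1_5 signature encoding for SHA-256 (RFC 8017, section 9.2). The first parses the padding byte by byte and returns at the first bad byte, so its running time depends on where the mismatch is; the second recomputes the single valid encoding for the message and compares the whole block with `hmac.compare_digest`, so the only branch is on the public length. The message and the 128-byte encoded length are constructed sample values.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Build EM = 0x00 || 0x01 || PS || 0x00 || T for SHA-256 (RFC 8017 9.2)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:  # PS must be at least 8 bytes of 0xFF
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def check_padding_early_exit(em: bytes, message: bytes) -> bool:
    """Naive parse: returns as soon as a byte is wrong, so the time taken
    reveals how far into the block the first mismatch sits."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:
        return False
    return em[i + 1:] == SHA256_DIGESTINFO + hashlib.sha256(message).digest()


def check_padding_constant_time(em: bytes, message: bytes) -> bool:
    """Recompute the one valid EM for this message and length, then compare
    the whole block in constant time. No data-dependent early exits; the only
    branch depends on len(em), which is the public modulus size."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


if __name__ == "__main__":
    msg = b"constructed sample message"      # constructed sample input
    em = emsa_pkcs1_v15_encode(msg, 128)      # 1024-bit modulus size
    tampered = bytearray(em)
    tampered[1] = 0x02                        # encryption block type, not signature
    print(check_padding_early_exit(em, msg), check_padding_constant_time(em, msg))
    print(check_padding_constant_time(bytes(tampered), msg))
```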