On 13-01-26 08:53 PM, Peter Gutmann wrote: > ianG <[email protected]> writes: > >> Could OAEP be considered reasonable for signatures? > > You need to define "appropriate". For example if you mean "interoperable" > then OAEP isn't even appropriate for encryption, let alone signatures. If > you're worried about timing channels then OAEP is also pretty inappropriate > for any use.
The only timing attack on OAEP that I've heard about relates to code that checks whether two char arrays are equal. If they aren't equal, then the loop might exit early. If we get back to the OP's question -- turning OAEP into a signature scheme -- then I don't think the OAEP timing attack is a concern since it would only occur in a signature verification operation. -James
signature.asc
Description: OpenPGP digital signature
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
