2

With DSA / ECDSA, using a fixed $k$ means the private key can be trivially calculated from two different signatures. To remedy this, RFC 6979, Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA), was developed.

OAEP / PSS, as described in PKCS#1 v2.0+, used randomized values as well.

For PSS I guess it isn't a huge problem since the only randomized element is the salt and the salt has a variable length with 0 being a valid length.

For OAEP my assumption is that the only issue with a fixed seed is that if the same message were encrypted twice you'd see the same ciphertext each time. Or is there another, more severe issue that the randomized seed protects against?

I note that the original encryption described in PKCS#1 employs randomized padding as well.

neubert

1 Answer

2

If you encrypt something with low entropy but use a fixed seed for OAEP, it is trivial to brute force it and verify your guesses with the public key, while randomized all-or-nothing padding will make verifying a guess impossible.

In the context of signatures rather than encryption, it doesn't seem as severe, but you are supplying the attacker with a bunch of related plaintext/ciphertext pairs, which can't be a good idea.

Meir Maor
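The point made in the answer (and asked about in the question) can be seen directly by running OAEP with a caller-controlled seed. The following is an added example, not code from either post: a small pure-Python RSA-OAEP (RFC 8017 EME-OAEP with SHA-256 and MGF1) whose `seed` parameter is exposed only so the misuse can be demonstrated. Real libraries do not let you pass the seed, and the toy key generation, the function names, and the sample plaintext (`PIN:4821`) are constructed for this example. `demo()` encrypts a low-entropy message once with a constant seed and once with a fresh random seed, then checks whether someone holding only the public key can confirm a guess by re-encrypting candidates: with the fixed seed the guess is confirmed, with a random seed it is not.

```python
"""RSA-OAEP with an exposed seed, to show why the OAEP seed must be random.

Added example for illustration; the key generation is a toy and the
decoder is not constant-time, so this is not for production use.
"""
import hashlib
import secrets

HLEN = 32  # SHA-256 output length in bytes


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function (RFC 8017, B.2.1) over SHA-256."""
    out, counter = b"", 0
    while len(out) < length:
        out += sha256(seed + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, k: int, seed: bytes, label: bytes = b"") -> bytes:
    """EME-OAEP encoding (RFC 8017, 7.1.1 step 2) into a k-byte block."""
    if len(message) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    if len(seed) != HLEN:
        raise ValueError("seed must be hLen bytes")
    ps = b"\x00" * (k - len(message) - 2 * HLEN - 2)
    db = sha256(label) + ps + b"\x01" + message
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """EME-OAEP decoding; a hardened decoder would make these checks constant-time."""
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:].lstrip(b"\x00")
    if em[0] != 0 or db[:HLEN] != sha256(label) or not rest.startswith(b"\x01"):
        raise ValueError("decryption error")
    return rest[1:]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test after a little trial division."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_key(bits: int = 1024):
    """Toy RSA key generation; returns (n, e, d)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def rsa_oaep_encrypt(pub, message: bytes, seed: bytes = None) -> bytes:
    """RSAES-OAEP; seed=None is the correct usage (fresh random seed each call)."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    seed = secrets.token_bytes(HLEN) if seed is None else seed
    em = oaep_encode(message, k, seed)
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def rsa_oaep_decrypt(priv, ciphertext: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    return oaep_decode(em, k)


def confirm_guess(pub, ciphertext: bytes, candidates, seed: bytes):
    """Public-key-only check: does re-encrypting a candidate with `seed` reproduce the ciphertext?"""
    for m in candidates:
        if rsa_oaep_encrypt(pub, m, seed) == ciphertext:
            return m
    return None


def demo():
    n, e, d = generate_key(1024)
    pub, priv = (n, e), (n, d)
    secret = b"PIN:4821"                                 # constructed low-entropy plaintext
    candidates = [b"PIN:%04d" % i for i in range(10000)]  # the whole plaintext space
    fixed_seed = b"\x00" * HLEN                          # the misuse: a constant OAEP seed
    ct_fixed = rsa_oaep_encrypt(pub, secret, fixed_seed)
    ct_random = rsa_oaep_encrypt(pub, secret)            # correct usage
    return {
        "roundtrip": rsa_oaep_decrypt(priv, ct_fixed) == secret
        and rsa_oaep_decrypt(priv, ct_random) == secret,
        "fixed_seed_recovered": confirm_guess(pub, ct_fixed, candidates, fixed_seed),
        "random_seed_recovered": confirm_guess(pub, ct_random, candidates, fixed_seed),
    }


if __name__ == "__main__":
    print(demo())
```

With the constant seed the ciphertext is a deterministic function of the message, so anyone with the public key can enumerate the 10,000 possible PINs and find the match; with a random seed the same enumeration finds nothing, because the guess would also have to hit the 256-bit seed. This is exactly why the OAEP seed is generated fresh per encryption and is never a caller-supplied parameter in real APIs.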