RSA-OAEP encryption padding (RFC 8017 / PKCS#1 v2.2 §7.1).
OAEP is the modern RSA encryption padding and supersedes PKCS#1 v1.5 in every protocol designed after the Bleichenbacher era. Uses SHA-256 for both the label hash and the MGF1 mask generation.
Side-channel posture
OAEP is structurally harder to break with padding-oracle attacks than PKCS#1 v1.5, because the label-hash check at the top of decryption is naturally constant-time when implemented carefully. Items on the audit list (T2-J is the workspace roadmap entry covering both PKCS#1 v1.5 and OAEP):

- The H(L) comparison must use silentops::ct_eq, not ==.
- The 0x01 separator byte search must not branch on its position (CT scan + branchless flag accumulation).
- All decrypt errors must produce the same byte length and the same elapsed time.
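The first two audit items, worked as an added example that is not this crate's code: a constant-time unpad of the already-unmasked DB = lHash' || PS || 0x01 || M (RFC 8017 §7.1.2 step 3g). SHA-256 and MGF1 unmasking are assumed to have been done by the caller, and `ct_eq` here is a stand-in for `silentops::ct_eq`, not the crate's implementation.

```rust
/// Returns 1 if `a == b`, else 0, touching every byte regardless of where
/// the first difference is (stand-in for the crate's `silentops::ct_eq`).
fn ct_eq(a: &[u8], b: &[u8]) -> u8 {
    assert_eq!(a.len(), b.len(), "ct_eq requires equal lengths");
    let mut diff = 0u16;
    for (x, y) in a.iter().zip(b) {
        diff |= (x ^ y) as u16;
    }
    // diff == 0 -> 0xFFFF >> 8 == 0xFF -> 1;  diff in 1..=255 -> 0
    ((diff.wrapping_sub(1) >> 8) & 1) as u8
}

/// Branchless single-byte equality: 1 if `x == y`, else 0.
fn ct_byte_eq(x: u8, y: u8) -> u8 {
    ct_eq(&[x], &[y])
}

/// Unpad DB with no data-dependent branch until the single final check.
/// `hlen` is the digest length (32 for SHA-256). Every failure returns
/// `None` after the same amount of work, so errors share length and timing.
fn oaep_unpad_db(db: &[u8], lhash: &[u8], hlen: usize) -> Option<Vec<u8>> {
    if db.len() < hlen + 1 || lhash.len() != hlen {
        return None; // lengths are public in OAEP, so this branch leaks nothing
    }
    let hash_ok = ct_eq(&db[..hlen], lhash); // audit item 1: H(L) via ct_eq

    let mut found: u8 = 0; // seen the first 0x01 yet?
    let mut bad: u8 = 0; // a byte inside PS that is neither 0x00 nor 0x01?
    let mut sep: usize = db.len() - 1;
    for (i, &b) in db.iter().enumerate().skip(hlen) {
        let is_one = ct_byte_eq(b, 0x01);
        let is_zero = ct_byte_eq(b, 0x00);
        let first_one = is_one & (found ^ 1);
        // sep = if first_one { i } else { sep }, written without a branch
        let mask = 0usize.wrapping_sub(first_one as usize);
        sep ^= (sep ^ i) & mask;
        bad |= (found ^ 1) & ((is_zero | is_one) ^ 1);
        found |= is_one; // audit item 2: flag accumulation, full scan always
    }
    let ok = hash_ok & found & (bad ^ 1);
    if ok == 1 { Some(db[sep + 1..].to_vec()) } else { None }
}

fn main() {
    let lhash = [0xabu8; 32]; // constructed stand-in for a real SHA-256 label hash
    let mut db = lhash.to_vec();
    db.extend_from_slice(&[0, 0, 0, 1]);
    db.extend_from_slice(b"hello");
    println!("{:?}", oaep_unpad_db(&db, &lhash, 32)); // Some([104, 101, 108, 108, 111])
}
```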
This module relies on super::rsa::rsa_decrypt_raw, which is itself not yet protected against Bellcore (roadmap item T1-C). A CRT-faulted decrypt produces a malformed plaintext that OAEP rejects, but the rejection itself can leak gcd(N, S - S') to the attacker. See arcana/doc/sca/countermeasures/rsa.rst.
Functions

- oaep_decrypt - OAEP decrypt a ciphertext.
- oaep_encrypt - OAEP encrypt a message with RSA.