Hi, Is there a reason why you use (ctx->nbits - 1) when passing the size of the key to the OAEP and PSS functions? The functions round them to full bytes anyway but there at least in PSS some leading bits are cleared depending on the number of bits (i.e. if not a multiple of 8). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.