Hello, In master, I pushed my fixes for RSA and ElGamal. It is to minimize timing difference (between success case and failure case) in unpadding PKCS#1 v1.5 padding and OAEP padding. --