the ``sentinel`` (in case of an error).

.. warning::
    PKCS#1 v1.5 decryption is intrinsically vulnerable to timing
    attacks (see `Bleichenbacher's`__ attack).
    **Use PKCS#1 OAEP instead**.

    This implementation attempts to mitigate the risk
    with some constant-time constructs.
    However, they are not sufficient by themselves: the type of protocol you
    implement and the way you handle errors make a big difference.

    Specifically, you should make it very hard for the (malicious)
    party that submitted the ciphertext to quickly understand if decryption
    succeeded or not.

    To this end, it is recommended that your protocol only encrypts
    plaintexts of fixed length (``expected_pt_len``),
    that ``sentinel`` is a random byte string of the same length,
    and that processing continues for as long
    as possible even if ``sentinel`` is returned (i.e. in case of
    incorrect decryption).

.. __: https://dx.doi.org/10.1007/BFb0055716
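
The handling recommended in the warning, as an added example that is not part of the library's source: the receiver never compares the result with ``sentinel`` and lets a failed decryption surface only as a failed MAC check. ``open_message``, ``KEY_LEN``, ``demo`` and the HMAC-protected message format are assumptions of this sketch, and ``StandInCipher`` is a constructed stand-in that mimics only the ``decrypt(ciphertext, sentinel, expected_pt_len)`` contract so the block runs offline.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # assumed fixed plaintext (session key) length for this protocol


def open_message(cipher, wrapped_key, body, tag):
    """Return body if its HMAC verifies under the unwrapped key, else None."""
    # Fresh random sentinel with the same length as a real key, so a padding
    # failure yields a value that behaves like any other (wrong) key.
    sentinel = os.urandom(KEY_LEN)
    try:
        key = cipher.decrypt(wrapped_key, sentinel, expected_pt_len=KEY_LEN)
    except ValueError:
        # Wrong ciphertext length (public information): take the same path.
        key = sentinel
    # Deliberately no "key == sentinel" test: processing continues and the
    # only observable outcome is the result of the MAC check.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(expected, tag) else None


class StandInCipher:
    """Constructed stand-in exposing the decrypt() contract described above."""

    def __init__(self, table):
        self.table = table  # maps ciphertext bytes -> plaintext bytes

    def decrypt(self, ciphertext, sentinel, expected_pt_len=0):
        pt = self.table.get(ciphertext)
        if pt is None or (expected_pt_len and len(pt) != expected_pt_len):
            return sentinel
        return pt


def demo():
    key = os.urandom(KEY_LEN)
    cipher = StandInCipher({b"good-wrap": key})  # constructed sample input
    body = b"transfer 10 units"
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (open_message(cipher, b"good-wrap", body, tag),   # valid message
            open_message(cipher, b"bad-wrap", body, tag),    # sentinel path
            open_message(cipher, b"good-wrap", body, bytes(32)))  # bad MAC


if __name__ == "__main__":
    print(demo())
```

A bad wrapped key and a bad MAC both return ``None`` through the same code path, so the caller's response to the sender should not distinguish the two cases either.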