Mask generation function: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 21:56, 29 August 2018 edit Atropos235 (talk \| contribs) Extended confirmed users 811 edits m →Definition: format ← Previous edit		Latest revision as of 20:03, 8 April 2024 edit undo Samf4u (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 70,126 edits m Reverted edits by 73.167.116.198 (talk) (HG) (3.4.12) Tags: Huggle Rollback
(27 intermediate revisions by 17 users not shown)
Line 1: {{Short description\|Cryptographic tool}} A '''Mask Generation Function''' ('''MGF''') is a cryptographic primitive similar to a [[Cryptographic hash function]] except that while a hash function's output is a fixed size, a MGF supports output of a variable length. In this respect, a MGF can be viewed as a single-use [[Sponge function]], it can absorb any length of input and process it to produce any length of output. Mask Generation Functions are completely deterministic. For any given input and desired output length the output is always the same. {{Use American English\|date = April 2019}} A '''mask generation function''' ('''MGF''') is a cryptographic primitive similar to a [[cryptographic hash function]] except that while a hash function's output has a fixed size, a MGF supports output of a variable length. In this respect, a MGF can be viewed as a [[extendable-output function]] (XOF): it can accept input of any length and process it to produce output of any length. Mask generation functions are completely deterministic: for any given input and any desired output length the output is always the same. == Definition == Line 9 ⟶ 11: == Applications == Mask ~~Generation~~generation ~~Functions~~functions, as generalizations of hash functions, are useful ~~in all the same cases~~wherever hash functions are ~~useful~~. However, use of a MGF is desirable in cases where a fixed-size hash would be inadequate. Examples include generating [[Padding (cryptography)\|padding]], producing [[~~One~~one-time pad~~\|one time pads~~]]s or [[keystream\|keystreams]] in [[Symmetric-key_algorithm\|symmetric -key encryption]], and yielding outputs for [[pseudorandom number generator~~\|pseudorandom number generators~~]]s. === Padding ~~Schemes~~schemes === Mask ~~Generation~~generation ~~Functions~~functions were first proposed as part of the specification for padding in the [[Optimal_asymmetric_encryption_padding\|RSA-OAEP]] algorithm. The OAEP algorithm required a cryptographic hash function that could generate an output equal in size to a "data block" whose length was proportional to arbitrarily sized input message.<ref name="rsa"/> === ~~Keyed~~Random ~~Encryption~~number generators === NIST Special Publication 800-90A<ref>{{cite journal \|url=http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf \|title=Recommendation for Random Number Generation Using Deterministic Random Bit Generators \|author=National Institute of Standards and Technology\|year=2012 \|doi=10.6028/NIST.SP.800-90A }}</ref> defines a class of cryptographically secure random number generators, one of which is the "Hash DRBG", which uses a hash function with a counter to produce a requested sequence of random bits equal in size to the requested number of random bits. The [[Salsa20]] stream cipher may be viewed as a Mask Generation Function as its [[keystream]] is produced by hashing the key and nonce with a counter, to yield an arbitrarily long output.<ref>{{cite web \|url=https://cr.yp.to/snuffle/salsafamily-20071225.pdf \| title=The Salsa20 family of stream ciphers \|author=Daniel J. Bernstein}}</ref> ~~<pre>~~ ~~"Salsa20 generates the stream in 64-byte (512-bit) blocks. Each block is an~~ ~~independent hash of the key, the nonce, and a 64-bit block number; there is no~~ ~~chaining from one block to the next. The Salsa20 output stream can therefore~~ ~~be accessed randomly, and any number of blocks can be computed in parallel."~~ ~~</pre>~~ ~~=== Random Number Generators ===~~ The NIST Special Publication 800-90A<ref>{{cite web \|url=http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf \| title=Recommendation for Random Number Generation Using Deterministic Random Bit Generators \|author=National Institute of Standards and Technology}}</ref> defines a class of cryptographically secure random number generators, one of which is the "Hash DRBG" which uses a hash function with a counter to produce a requested sequence of random bits equal in size to the requested number of random bits. == Examples == Perhaps the most common and ~~straight forward~~straightforward mechanism to build a MGF is to iteratively apply a hash function together with an incrementing counter value. The counter may be incremented indefinitely to yield new output blocks until a sufficient amount of output is collected. This is the approach used in MGF1 ~~shown below~~. === MGF1 === MGF1 is a ~~Mask~~mask ~~Generation~~generation ~~Function~~function defined in the Public Key Cryptography Standard #1 published by RSA Laboratories.:<ref name="rsa"/> ~~The algorithm is described as follows:~~ <blockquote> ====Options==== <math>\mathsf{Hash}</math> : hash function (<math>\mathsf{hLen}</math> denotes the length in octets of the hash function output) ====Input==== ~~<pre>~~ <math>Z</math> ~~Hash hash function (hLen denotes the length in octets of the hash~~ :seed from which mask is generated, an octet string ~~function output)~~ <math>l</math> :intended length in octets of the mask, at most <math>2^{32}(\mathsf{hLen})</math> ====Output==== ~~Input:~~ <math>\mathsf{mask}</math> ~~Z seed from which mask is generated, an octet string~~ :mask, an octet string of length <math>l</math>; or "mask too long" ~~l intended length in octets of the mask, at most 2^32(hLen)~~ ====Steps==== ~~Output:~~ {{Ordered list \| list_style_type=decimal ~~mask mask, an octet string of length l; or "mask too long"~~ \| If <math>l > 2^{32}(\mathsf{hLen})</math>, output "mask too long" and stop. \| Let <math>T</math> be the empty octet string. \| For <math>\mathsf{counter}</math> from <math>0</math> to <math>\left\lceil{\tfrac{l}{\mathsf{hLen}}}\right\rceil-1</math>, do the following: {{Ordered list \| list_style_type=lower-alpha \| Convert <math>\mathsf{counter}</math> to an octet string <math>C</math> of length <math>4</math> with the primitive <math>\mathsf{I2OSP}</math>: : <math>C = \mathsf{I2OSP} (\mathsf{counter}, 4)</math> \| Concatenate the hash of the seed <math>Z</math> and <math>C</math> to the octet string <math>T</math>: : <math>T = T \shortparallel \mathsf{Hash} (Z \shortparallel C)</math> }} \| Output the leading <math>l</math> octets of <math>T</math> as the octet string mask. }} </blockquote> === Example code === ~~Steps:~~ Below is Python code implementing MGF1: ~~1.If l > 2^32(hLen), output "mask too long" and stop.~~ <syntaxhighlight lang="python"> ~~2.Let T be the empty octet string.~~ ~~3.For counter from 0 to \lceil{l / hLen}\rceil-1, do the following:~~ ~~a.Convert counter to an octet string C of length 4 with the primitive~~ ~~I2OSP: C = I2OSP (counter, 4)~~ ~~b.Concatenate the hash of the seed Z and C to the octet string T: T =~~ ~~T \|\| Hash (Z \|\| C)~~ ~~4.Output the leading l octets of T as the octet string mask.~~ ~~</pre>~~ ~~=== Example Code ===~~ ~~Below is the python code implementing MGF1:~~ ~~<source lang="python">~~ import hashlib def mgf1(seed: bytes, length: int, hash_func=hashlib.sha1) -> bytes: ~~def i2osp(integer, size=4):~~ """Mask generation function.""" ~~return ''.join([chr((integer >> (8 * i)) & 0xFF) for i in reversed(range(size))])~~ hLen = hash_func().digest_size # https://www.ietf.org/rfc/rfc2437.txt ~~def mgf1(input, length, hash=hashlib.sha1):~~ # 1. If l > 2^32(hLen), output "mask too long" and stop. ~~counter = 0~~ if length > (hLen << 32): ~~output = ''~~ raise ValueError("mask too long") ~~while (len(output) < length):~~ # 2. Let T be the empty octet string. ~~C = i2osp(counter, 4)~~ T = b"" ~~output += hash(input + C).digest()~~ # 3. For counter from 0 to \lceil{l / hLen}\rceil-1, do the following: ~~counter += 1~~ # Note: \lceil{l / hLen}\rceil-1 is the number of iterations needed, ~~return output[:length]~~ # but it's easier to check if we have reached the desired length. ~~</source>~~ counter = 0 while len(T) < length: # a. Convert counter to an octet string C of length 4 with the primitive I2OSP: C = I2OSP (counter, 4) C = int.to_bytes(counter, 4, "big") # b. Concatenate the hash of the seed Z and C to the octet string T: T = T \|\| Hash (Z \|\| C) T += hash_func(seed + C).digest() counter += 1 # 4. Output the leading l octets of T as the octet string mask. return T[:length] </syntaxhighlight> Example outputs of MGF1: <~~source~~syntaxhighlight lang="~~python~~pycon"> Python 23.710.64 (~~default~~main, ~~Sep~~Apr 16 ~~9 2014~~2022, 1516:0428:3641) [GCC 8.3.0] on linux ~~[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.39)] on darwin~~ Type "help", "copyright", "credits" or "license" for more information. >>> from mgf1 import mgf1 ~~>>> from binascii import hexlify~~ >>> from hashlib import sha256 >>> ~~hexlify(~~mgf1('b"foo'", 3).hex() '1ac907' >>> ~~hexlify(~~mgf1('b"foo'", 5).hex() '1ac9075cd4' >>> ~~hexlify(~~mgf1('b"bar'", 5).hex() 'bc0c655e01' >>> ~~hexlify(~~mgf1('b"bar'", 50).hex() 'bc0c655e016bc2931d85a2e675181adcef7f581f76df2739da74faac41627be2f7f415c89e983fd0ce80ced9878641cb4876' >>> ~~hexlify(~~mgf1('b"bar'", 50, sha256).hex() '382576a7841021cc28fc4c0948753fb8312090cea942ea4c4e735d10dc724b155f9f6069f289d61daca0cb814502ef04eae1' </syntaxhighlight> ~~</source>~~ == References == {{reflist}} [[Category:Articles with example Python (programming language) code]] ~~[[Category:Cryptography]]~~ [[Category:Cryptographic primitives]] [[Category:Cryptographic hash functions]]