Mask generation function: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 17:53, 24 October 2018 edit Conformancenut347 (talk \| contribs) 294 edits m ce ← Previous edit		Latest revision as of 20:03, 8 April 2024 edit undo Samf4u (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 70,126 edits m Reverted edits by 73.167.116.198 (talk) (HG) (3.4.12) Tags: Huggle Rollback
(25 intermediate revisions by 16 users not shown)
Line 1: {{Short description\|Cryptographic tool}} A '''mask generation function''' ('''MGF''') is a cryptographic primitive similar to a [[cryptographic hash function]] except that while a hash function's output is a fixed size, a MGF supports output of a variable length. In this respect, a MGF can be viewed as a single-use [[sponge function]]: it can absorb any length of input and process it to produce any length of output. Mask generation functions are completely deterministic: for any given input and desired output length the output is always the same.▼ {{Use American English\|date = April 2019}} ▲A '''mask generation function''' ('''MGF''') is a cryptographic primitive similar to a [[cryptographic hash function]] except that while a hash function's output ishas a fixed size, a MGF supports output of a variable length. In this respect, a MGF can be viewed as a ~~single-use~~ [[~~sponge~~extendable-output function]] (XOF): it can ~~absorb~~accept ~~any length~~input of ~~input~~any length and process it to produce ~~any length~~output of ~~output~~any length. Mask generation functions are completely deterministic: for any given input and any desired output length the output is always the same. == Definition == Line 9 ⟶ 11: == Applications == Mask generation functions, as generalizations of hash functions, are useful wherever hash functions are. However, use of a MGF is desirable in cases where a fixed-size hash would be inadequate. Examples include generating [[Padding (cryptography)\|padding]], producing [[~~One~~one-time pad~~\|one time pads~~]]s or [[keystream\|keystreams]] in [[Symmetric-key_algorithm\|symmetric -key encryption]], and yielding outputs for [[pseudorandom number generator~~\|pseudorandom number generators~~]]s. === Padding schemes === Mask generation functions were first proposed as part of the specification for padding in the [[Optimal_asymmetric_encryption_padding\|RSA-OAEP]] algorithm. The OAEP algorithm required a cryptographic hash function that could generate an output equal in size to a "data block" whose length was proportional to arbitrarily sized input message.<ref name="rsa"/> ~~=== Keyed encryption ===~~ The [[Salsa20]] stream cipher may be viewed as a mask generation function as its [[keystream]] is produced by hashing the key and nonce with a counter, to yield an arbitrarily long output.<ref>{{cite web \|url=https://cr.yp.to/snuffle/salsafamily-20071225.pdf \| title=The Salsa20 family of stream ciphers \|author=Daniel J. Bernstein}}</ref> ~~<blockquote>~~ Salsa20 generates the stream in 64-byte (512-bit) blocks. Each block is an independent hash of the key, the nonce, and a 64-bit block number; there is no chaining from one block to the next. The Salsa20 output stream can therefore be accessed randomly, and any number of blocks can be computed in parallel. ~~</blockquote>~~ === Random number generators === NIST Special Publication 800-90A<ref>{{cite ~~web~~journal \|url=http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf \| title=Recommendation for Random Number Generation Using Deterministic Random Bit Generators \|author=National Institute of Standards and Technology\|year=2012 \|doi=10.6028/NIST.SP.800-90A }}</ref> defines a class of cryptographically secure random number generators, one of which is the "Hash  DRBG", which uses a hash function with a counter to produce a requested sequence of random bits equal in size to the requested number of random bits. == Examples == Line 33 ⟶ 27: === MGF1 === MGF1 is a mask generation function defined in the Public Key Cryptography Standard #1 published by RSA Laboratories:<ref name="rsa"/>: <blockquote> ====Options==== Line 64 ⟶ 58: </blockquote> === Example ~~Code~~code === Below is ~~python~~Python code implementing MGF1: <~~source~~syntaxhighlight lang="python"> import hashlib def mgf1(~~input~~seed: bytes, length: int, ~~hash~~hash_func=hashlib.sha1) -> bytes:▼ ~~def i2osp(integer, size=4):~~ """Mask generation function.""" ~~return ''.join([chr((integer >> (8 * i)) & 0xFF) for i in reversed(range(size))])~~ hLen = hash_func().digest_size # https://www.ietf.org/rfc/rfc2437.txt ▲def mgf1(input, length, hash=hashlib.sha1): # 1. If l > 2^32(hLen), output "mask too long" and stop. counter = 0▼ if length > (hLen << 32): ~~output = ''~~ raise ValueError("mask too long") while (len(output) < length):▼ # 2. Let T be the empty octet string. C = i2osp(counter, 4)▼ T = b"" output += hash(input + C).digest()▼ # 3. For counter from 0 to \lceil{l / hLen}\rceil-1, do the following: ~~counter += 1~~ # Note: \lceil{l / hLen}\rceil-1 is the number of iterations needed, return output[:length]▼ # but it's easier to check if we have reached the desired length. ~~</source>~~ ▲ counter = 0 ▲ while (len(~~output~~T) < length): # a. Convert counter to an octet string C of length 4 with the primitive I2OSP: C = I2OSP (counter, 4) C = int.to_bytes(counter, 4, "big") # b. Concatenate the hash of the seed Z and C to the octet string T: T = T \|\| Hash (Z \|\| C) ▲ ~~output~~ T += ~~hash~~hash_func(~~input~~seed + C).digest() ▲ C = ~~i2osp(~~ counter, 4)+= 1 # 4. Output the leading l octets of T as the octet string mask. ▲ return ~~output~~T[:length] </syntaxhighlight> Example outputs of MGF1: <~~source~~syntaxhighlight lang="~~python~~pycon"> Python 23.710.64 (~~default~~main, ~~Sep~~Apr 16 ~~9 2014~~2022, 1516:0428:3641) [GCC 8.3.0] on linux ~~[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.39)] on darwin~~ Type "help", "copyright", "credits" or "license" for more information. >>> from mgf1 import mgf1 ~~>>> from binascii import hexlify~~ >>> from hashlib import sha256 >>> ~~hexlify(~~mgf1('b"foo'", 3).hex() '1ac907' >>> ~~hexlify(~~mgf1('b"foo'", 5).hex() '1ac9075cd4' >>> ~~hexlify(~~mgf1('b"bar'", 5).hex() 'bc0c655e01' >>> ~~hexlify(~~mgf1('b"bar'", 50).hex() 'bc0c655e016bc2931d85a2e675181adcef7f581f76df2739da74faac41627be2f7f415c89e983fd0ce80ced9878641cb4876' >>> ~~hexlify(~~mgf1('b"bar'", 50, sha256).hex() '382576a7841021cc28fc4c0948753fb8312090cea942ea4c4e735d10dc724b155f9f6069f289d61daca0cb814502ef04eae1' </syntaxhighlight> ~~</source>~~ == References == {{reflist}} [[Category:Articles with example Python (programming language) code]] ~~[[Category:Cryptography]]~~ [[Category:Cryptographic primitives]] [[Category:Cryptographic hash functions]]