Mask generation function: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 11:44, 11 January 2020 edit 2001:638:102:e1::102d (talk) Changed XOF to XOR ← Previous edit		Latest revision as of 20:03, 8 April 2024 edit undo Samf4u (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 70,126 edits m Reverted edits by 73.167.116.198 (talk) (HG) (3.4.12) Tags: Huggle Rollback
(19 intermediate revisions by 12 users not shown)
Line 1: {{Short description\|~~cryptographic~~Cryptographic tool}}▼ {{Use American English\|date = April 2019}} A '''mask generation function''' ('''MGF''') is a cryptographic primitive similar to a [[cryptographic hash function]] except that while a hash function's output ishas a fixed size, a MGF supports output of a variable length. In this respect, a MGF can be viewed as a ~~single~~[[extendable-~~use XOR~~output function]] (XOF): it can accept ~~any length~~input of ~~input~~any length and process it to produce ~~any length~~output of ~~output~~any length. Mask generation functions are completely deterministic: for any given input and any desired output length the output is always the same.▼ ▲{{Short description\|cryptographic tool}} ▲A '''mask generation function''' ('''MGF''') is a cryptographic primitive similar to a [[cryptographic hash function]] except that while a hash function's output is a fixed size, a MGF supports output of a variable length. In this respect, a MGF can be viewed as a single-use XOR function: it can accept any length of input and process it to produce any length of output. Mask generation functions are completely deterministic: for any given input and desired output length the output is always the same. == Definition == Line 11: == Applications == Mask generation functions, as generalizations of hash functions, are useful wherever hash functions are. However, use of a MGF is desirable in cases where a fixed-size hash would be inadequate. Examples include generating [[Padding (cryptography)\|padding]], producing [[~~One~~one-time pad~~\|one time pads~~]]s or [[keystream\|keystreams]] in [[Symmetric-key_algorithm\|symmetric -key encryption]], and yielding outputs for [[pseudorandom number generator~~\|pseudorandom number generators~~]]s. === Padding schemes === Line 19: === Random number generators === NIST Special Publication 800-90A<ref>{{cite ~~web~~journal \|url=http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf \| title=Recommendation for Random Number Generation Using Deterministic Random Bit Generators \|author=National Institute of Standards and Technology\|year=2012 \|doi=10.6028/NIST.SP.800-90A }}</ref> defines a class of cryptographically secure random number generators, one of which is the "Hash  DRBG", which uses a hash function with a counter to produce a requested sequence of random bits equal in size to the requested number of random bits. == Examples == Line 27: === MGF1 === MGF1 is a mask generation function defined in the Public Key Cryptography Standard #1 published by RSA Laboratories:<ref name="rsa"/>: <blockquote> ====Options==== Line 62: Below is Python code implementing MGF1: <~~source~~syntaxhighlight lang="python"> import hashlib def ~~i2osp~~mgf1(~~integer~~seed: ~~int~~bytes, ~~size~~length: int, hash_func= 4hashlib.sha1) -> ~~str~~bytes: ~~return ''.join([chr((integer >> (8 * i)) & 0xFF) for i in reversed(range(size))])~~ ~~def mgf1(input_str: str, length: int, hash=hashlib.sha1) -> str:~~ """Mask generation function.""" hLen = hash_func().digest_size # https://www.ietf.org/rfc/rfc2437.txt # 1. If l > 2^32(hLen), output "mask too long" and stop. if length > (hLen << 32): raise ValueError("mask too long") # 2. Let T be the empty octet string. T = b"" # 3. For counter from 0 to \lceil{l / hLen}\rceil-1, do the following: # Note: \lceil{l / hLen}\rceil-1 is the number of iterations needed, # but it's easier to check if we have reached the desired length. counter = 0 ~~output~~while =len(T) ''< length: # a. Convert counter to an octet string C of length 4 with the primitive I2OSP: C = I2OSP (counter, 4) ~~while (len(output) < length):~~ C = ~~i2osp~~int.to_bytes(counter, 4, "big") # b. Concatenate the hash of the seed Z and C to the octet string T: T = T \|\| Hash (Z \|\| C) ~~output~~T += ~~hash~~hash_func(~~input_str~~seed + C).digest() counter += 1 # 4. Output the leading l octets of T as the octet string mask. return ~~output~~T[:length] ~~</source>~~ </syntaxhighlight> Example outputs of MGF1: <~~source~~syntaxhighlight lang="pycon"> Python 23.710.64 (~~default~~main, ~~Sep~~Apr 16 ~~9 2014~~2022, 1516:0428:3641) [GCC 8.3.0] on linux ~~[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.39)] on darwin~~ Type "help", "copyright", "credits" or "license" for more information. >>> from mgf1 import mgf1 ~~>>> from binascii import hexlify~~ >>> from hashlib import sha256 >>> ~~hexlify(~~mgf1('b"foo'", 3).hex() '1ac907' >>> ~~hexlify(~~mgf1('b"foo'", 5).hex() '1ac9075cd4' >>> ~~hexlify(~~mgf1('b"bar'", 5).hex() 'bc0c655e01' >>> ~~hexlify(~~mgf1('b"bar'", 50).hex() 'bc0c655e016bc2931d85a2e675181adcef7f581f76df2739da74faac41627be2f7f415c89e983fd0ce80ced9878641cb4876' >>> ~~hexlify(~~mgf1('b"bar'", 50, sha256).hex() '382576a7841021cc28fc4c0948753fb8312090cea942ea4c4e735d10dc724b155f9f6069f289d61daca0cb814502ef04eae1' </syntaxhighlight> ~~</source>~~ == References == {{reflist}} [[Category:Articles with example Python (programming language) code]] ~~[[Category:Cryptography]]~~ [[Category:Cryptographic primitives]] [[Category:Cryptographic hash functions]]