Mask generation function: Difference between revisions

nature of the underlying hash." <ref>{{cite web |url=https://www.ietf.org/rfc/rfc2437.txt |title=RFC 2437 PKCS #1 |author=RSA Laboratories}}</ref>

Mask Generation Functions were first proposed as part of the specification for passing in the [[Optimal_asymmetric_encryption_padding|RSA-OAEP]] algorithm. The OAEP algorithm required a cryptographic hash function that could generate an output equal in size to a "data block" whose length to an arbitrarily sized input message. <ref>{{cite web |url=https://www.ietf.org/rfc/rfc2437.txt |title=RFC 2437 PKCS #1 |author=RSA Laboratories}}</ref>

The [[Salsa20]] stream cipher may be viewed as a Mask Generation Function as its [[keystream]] is produced by hashing the key and nonce with a counter, to yield an arbitrarily long output. <ref>{{cite web |url=https://cr.yp.to/snuffle/salsafamily-20071225.pdf | title=The Salsa20 family of stream ciphers |author=Daniel J. Bernstein}}</ref>

The NIST Special Publication 800-90A <ref>{{cite web |url=http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf | title=Recommendation for Random Number Generation Using Deterministic Random Bit Generators |author=National Institute of Standards and Technology}}</ref> defines a class of cryptographically secure random number generators, one of which is the "Hash DRBG" which uses a hash function with a counter to produce a requested sequence of random bits equal in size to the requested number of random bits.

MGF1 is a Mask Generation Function defined in the Public Key Cryptography Standard #1 published by RSA Labroatories.<ref>{{cite web |url=https://www.ietf.org/rfc/rfc2437.txt |title=RFC 2437 PKCS #1 |author=RSA Laboratories}}</ref> The algorithm is described as follows: