|
A '''Maskmask Generationgeneration Functionfunction''' ('''MGF''') is a cryptographic primitive similar to a [[Cryptographiccryptographic hash function]] except that while a hash function's output is a fixed size, a MGF supports output of a variable length. In this respect, a MGF can be viewed as a single-use [[Spongesponge function]],: it can absorb any length of input and process it to produce any length of output. Mask Generationgeneration Functionsfunctions are completely deterministic.: Forfor any given input and desired output length the output is always the same.
== Definition ==
== Applications ==
Mask Generationgeneration Functionsfunctions, as generalizations of hash functions, are useful in all the same caseswherever hash functions are useful. However, use of a MGF is desirable in cases where a fixed-size hash would be inadequate. Examples include generating [[Padding (cryptography)|padding]], producing [[One-time pad|one time pads]] or [[keystream|keystreams]] in [[Symmetric-key_algorithm|symmetric key encryption]], and yielding outputs for [[pseudorandom number generator|pseudorandom number generators]].
=== Padding Schemesschemes ===
Mask Generationgeneration Functionsfunctions were first proposed as part of the specification for padding in the [[Optimal_asymmetric_encryption_padding|RSA-OAEP]] algorithm. The OAEP algorithm required a cryptographic hash function that could generate an output equal in size to a "data block" whose length was proportional to arbitrarily sized input message.<ref name="rsa"/>
=== Keyed Encryptionencryption ===
The [[Salsa20]] stream cipher may be viewed as a Maskmask Generationgeneration Functionfunction as its [[keystream]] is produced by hashing the key and nonce with a counter, to yield an arbitrarily long output.<ref>{{cite web |url=https://cr.yp.to/snuffle/salsafamily-20071225.pdf | title=The Salsa20 family of stream ciphers |author=Daniel J. Bernstein}}</ref>
<blockquote>
<pre>
"Salsa20 generates the stream in 64-byte (512-bit) blocks. Each block is an independent hash of the key, the nonce, and a 64-bit block number; there is no chaining from one block to the next. The Salsa20 output stream can therefore be accessed randomly, and any number of blocks can be computed in parallel.
</blockquote>
independent hash of the key, the nonce, and a 64-bit block number; there is no
chaining from one block to the next. The Salsa20 output stream can therefore
be accessed randomly, and any number of blocks can be computed in parallel."
</pre>
=== Random Numbernumber Generatorsgenerators ===
The NIST Special Publication 800-90A<ref>{{cite web |url=http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf | title=Recommendation for Random Number Generation Using Deterministic Random Bit Generators |author=National Institute of Standards and Technology}}</ref> defines a class of cryptographically secure random number generators, one of which is the "Hash DRBG", which uses a hash function with a counter to produce a requested sequence of random bits equal in size to the requested number of random bits.
== Examples ==
Perhaps the most common and straight forwardstraightforward mechanism to build a MGF is to iteratively apply a hash function together with an incrementing counter value. The counter may be incremented indefinitely to yield new output blocks until a sufficient amount of output is collected. This is the approach used in MGF1 shown below.
=== MGF1 ===
MGF1 is a Maskmask Generationgeneration Functionfunction defined in the Public Key Cryptography Standard #1 published by RSA Laboratories<ref name="rsa"/>:
<blockquote>
====Options====
=== Example Code ===
Below is the python code implementing MGF1:
<source lang="python">
| 