- Definition
- Applications Padding schemes Keyed encryption Random number generators
- Examples MGF1 Options Input Output Steps Example Code
- References
A mask generation function (MGF) is a cryptographic primitive similar to a cryptographic hash function except that while a hash function's output is a fixed size, a MGF supports output of a variable length. In this respect, a MGF can be viewed as a single-use sponge function: it can absorb any length of input and process it to produce any length of output. Mask generation functions are completely deterministic: for any given input and desired output length the output is always the same.
Definition
A mask generation function takes an octet string of variable length and a desired output length as input, and outputs an octet string of the desired length. There may be restrictions on the length of the input and output octet strings, but such bounds are generally very large. Mask generation functions are deterministic; the octet string output is completely determined by the input octet string. The output of a mask generation function should be pseudorandom, that is, if the seed to the function is unknown, it should be infeasible to distinguish the output from a truly random string.[1]
Applications
Mask generation functions, as generalizations of hash functions, are useful wherever hash functions are. However, use of a MGF is desirable in cases where a fixed-size hash would be inadequate. Examples include generating padding, producing one time pads or keystreams in symmetric key encryption, and yielding outputs for pseudorandom number generators.
Padding schemes
Mask generation functions were first proposed as part of the specification for padding in the RSA-OAEP algorithm. The OAEP algorithm required a cryptographic hash function that could generate an output equal in size to a "data block" whose length was proportional to arbitrarily sized input message.[1]
Keyed encryption
The Salsa20 stream cipher may be viewed as a mask generation function as its keystream is produced by hashing the key and nonce with a counter, to yield an arbitrarily long output.[2]
Salsa20 generates the stream in 64-byte (512-bit) blocks. Each block is an independent hash of the key, the nonce, and a 64-bit block number; there is no chaining from one block to the next. The Salsa20 output stream can therefore be accessed randomly, and any number of blocks can be computed in parallel.
Random number generators
NIST Special Publication 800-90A[3] defines a class of cryptographically secure random number generators, one of which is the "Hash DRBG", which uses a hash function with a counter to produce a requested sequence of random bits equal in size to the requested number of random bits.
Examples
Perhaps the most common and straightforward mechanism to build a MGF is to iteratively apply a hash function together with an incrementing counter value. The counter may be incremented indefinitely to yield new output blocks until a sufficient amount of output is collected. This is the approach used in MGF1.
MGF1
MGF1 is a mask generation function defined in the Public Key Cryptography Standard #1 published by RSA Laboratories[1]:
Options
hash function (denotes the length in octets of the hash function output)
Input
seed from which mask is generated, an octet stringintended length in octets of the mask, at mostOutput
mask, an octet string of length; or "mask too long"
Steps
{{Ordered list | list_style_type=decimal
| If, output "mask too long" and stop.
| Letbe the empty octet string.
| Forfrom
to
, do the following:
| Convertof length
with the primitive
:
| Concatenate the hash of the seedand
}}
| Output the leading
}}
Example Code
Below is python code implementing MGF1:
import hashlib
def i2osp(integer, size=4):
def mgf1(input, length, hash=hashlib.sha1):
counter = 0 output = '' while (len(output) < length): C = i2osp(counter, 4) output += hash(input + C).digest() counter += 1 return output[:length]
Example outputs of MGF1:
Python 2.7.6 (default, Sep 9 2014, 15:04:36)
[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.39)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from mgf1 import mgf1
>>> from binascii import hexlify
>>> from hashlib import sha256
>>> hexlify(mgf1('foo', 3))
'1ac907'
>>> hexlify(mgf1('foo', 5))
'1ac9075cd4'
>>> hexlify(mgf1('bar', 5))
'bc0c655e01'
>>> hexlify(mgf1('bar', 50))
'bc0c655e016bc2931d85a2e675181adcef7f581f76df2739da74faac41627be2f7f415c89e983fd0ce80ced9878641cb4876'
>>> hexlify(mgf1('bar', 50, sha256))
'382576a7841021cc28fc4c0948753fb8312090cea942ea4c4e735d10dc724b155f9f6069f289d61daca0cb814502ef04eae1'
References
2. ^{{cite web |url=https://cr.yp.to/snuffle/salsafamily-20071225.pdf | title=The Salsa20 family of stream ciphers |author=Daniel J. Bernstein}}
3. ^{{cite web |url=http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf | title=Recommendation for Random Number Generation Using Deterministic Random Bit Generators |author=National Institute of Standards and Technology}}
- Hansel and Gretel (1963 film)
- Hansel and Gretel (1982 film)
- Hansel and Gretel (1983 film)
- Hansel and Gretel (film)
- Hansel and Gretel Picture Garden
- Hansel and Gretel (TV play)
- Hansel and Gretel (TV program)
- Hansel and Gretel (TV special)
- Hans Elard Ludin
- Hans Eleonardus Møller, Sr.
- Hansel (Hansel and Gretel)
- Hansell, David
- Hansell, Thomas
- Hanselmann, Thomas
- Hans-Elmar Schwing
- Hansel Mieth Prize
- Hansemann, David
- Hansemannia
- Hans E. Mayer
- Hans Emil Boje Jensen
- Hans-Emil Lau
- HANSEN, Alf
- Hansen, Andrew
- Hansen, Bjørn
- Hansen, Brian