Mask generation function

(Redirected from MGF1)

A mask generation function (MGF) is a cryptographic primitive similar to a cryptographic hash function except that while a hash function's output has a fixed size, a MGF supports output of a variable length. In this respect, a MGF can be viewed as a extendable-output function (XOF): it can accept input of any length and process it to produce output of any length. Mask generation functions are completely deterministic: for any given input and any desired output length the output is always the same.

Definition

edit

A mask generation function takes an octet string of variable length and a desired output length as input, and outputs an octet string of the desired length. There may be restrictions on the length of the input and output octet strings, but such bounds are generally very large. Mask generation functions are deterministic; the octet string output is completely determined by the input octet string. The output of a mask generation function should be pseudorandom, that is, if the seed to the function is unknown, it should be infeasible to distinguish the output from a truly random string.[1]

Applications

edit

Mask generation functions, as generalizations of hash functions, are useful wherever hash functions are. However, use of a MGF is desirable in cases where a fixed-size hash would be inadequate. Examples include generating padding, producing one-time pads or keystreams in symmetric-key encryption, and yielding outputs for pseudorandom number generators.

Padding schemes

edit

Mask generation functions were first proposed as part of the specification for padding in the RSA-OAEP algorithm. The OAEP algorithm required a cryptographic hash function that could generate an output equal in size to a "data block" whose length was proportional to arbitrarily sized input message.[1]

Random number generators

edit

NIST Special Publication 800-90A[2] defines a class of cryptographically secure random number generators, one of which is the "Hash DRBG", which uses a hash function with a counter to produce a requested sequence of random bits equal in size to the requested number of random bits.

Examples

edit

Perhaps the most common and straightforward mechanism to build a MGF is to iteratively apply a hash function together with an incrementing counter value. The counter may be incremented indefinitely to yield new output blocks until a sufficient amount of output is collected. This is the approach used in MGF1.

MGF1

edit

MGF1 is a mask generation function defined in the Public Key Cryptography Standard #1 published by RSA Laboratories:[1]

Options

edit

 

hash function (  denotes the length in octets of the hash function output)

Input

edit

 

seed from which mask is generated, an octet string

 

intended length in octets of the mask, at most  

Output

edit

 

mask, an octet string of length  ; or "mask too long"

Steps

edit
  1. If  , output "mask too long" and stop.
  2. Let   be the empty octet string.
  3. For   from   to  , do the following:
    1. Convert   to an octet string   of length   with the primitive  :
       
    2. Concatenate the hash of the seed   and   to the octet string  :
       
  4. Output the leading   octets of   as the octet string mask.

Example code

edit

Below is Python code implementing MGF1:

import hashlib

def mgf1(seed: bytes, length: int, hash_func=hashlib.sha1) -> bytes:
    """Mask generation function."""
    hLen = hash_func().digest_size
    # https://www.ietf.org/rfc/rfc2437.txt
    # 1. If l > 2^32(hLen), output "mask too long" and stop.
    if length > (hLen << 32):
        raise ValueError("mask too long")
    # 2. Let T be the empty octet string.
    T = b""
    # 3. For counter from 0 to \lceil{l / hLen}\rceil-1, do the following:
    # Note: \lceil{l / hLen}\rceil-1 is the number of iterations needed,
    #       but it's easier to check if we have reached the desired length.
    counter = 0
    while len(T) < length:
        # a. Convert counter to an octet string C of length 4 with the primitive I2OSP: C = I2OSP (counter, 4)
        C = int.to_bytes(counter, 4, "big")
        # b. Concatenate the hash of the seed Z and C to the octet string T: T = T || Hash (Z || C)
        T += hash_func(seed + C).digest()
        counter += 1
    # 4. Output the leading l octets of T as the octet string mask.
    return T[:length]

Example outputs of MGF1:

Python 3.10.4 (main, Apr 16 2022, 16:28:41) [GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from mgf1 import mgf1
>>> from hashlib import sha256
>>> mgf1(b"foo", 3).hex()
'1ac907'
>>> mgf1(b"foo", 5).hex()
'1ac9075cd4'
>>> mgf1(b"bar", 5).hex()
'bc0c655e01'
>>> mgf1(b"bar", 50).hex()
'bc0c655e016bc2931d85a2e675181adcef7f581f76df2739da74faac41627be2f7f415c89e983fd0ce80ced9878641cb4876'
>>> mgf1(b"bar", 50, sha256).hex()
'382576a7841021cc28fc4c0948753fb8312090cea942ea4c4e735d10dc724b155f9f6069f289d61daca0cb814502ef04eae1'

References

edit
  1. ^ a b c RSA Laboratories. "RFC 2437 PKCS #1".
  2. ^ National Institute of Standards and Technology (2012). "Recommendation for Random Number Generation Using Deterministic Random Bit Generators" (PDF). doi:10.6028/NIST.SP.800-90A. {{cite journal}}: Cite journal requires |journal= (help)