How can I hash an input into an arbitrary domain point?
$begingroup$
I am trying to implement a signature scheme involving RSA signing of a message digest generated by SHA-$256$. I want to hash the input into an RSA domain point instead of the fixed $256$ bit digest generated by SHA.
Apparently, this can be achieved using a Full Domain Hashing
From the Wikipedia definition of Full Domain Hashing
In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.
How would one go about practically implementing the following part of the FDH process:
hashing a message using a function whose image size equals the size of the RSA modulus
I have tried randomly padding the $256$ bit digest, however, it requires sending extra values to remove the padding before verification.
I also looked at some papers on Random Oracles and FDH by Bellare and Rogaway(Paper 1,Paper 2) which are a little to esoteric for me and as such, I'm looking for simplified explanation of the process.
hash signature sha-256 padding random-oracle-model
asked Feb 5 at 7:19
Tabish MirTabish Mir
1706
$endgroup$
add a comment |
$begingroup$
I am trying to implement a signature scheme involving RSA signing of a message digest generated by SHA-$256$. I want to hash the input into an RSA domain point instead of the fixed $256$ bit digest generated by SHA.
Apparently, this can be achieved using a Full Domain Hashing
From the Wikipedia definition of Full Domain Hashing
In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.
How would one go about practically implementing the following part of the FDH process:
hashing a message using a function whose image size equals the size of the RSA modulus
I have tried randomly padding the $256$ bit digest, however, it requires sending extra values to remove the padding before verification.
I also looked at some papers on Random Oracles and FDH by Bellare and Rogaway(Paper 1,Paper 2) which are a little to esoteric for me and as such, I'm looking for simplified explanation of the process.
hash signature sha-256 padding random-oracle-model
asked Feb 5 at 7:19
Tabish MirTabish Mir
1706
$endgroup$
2
$begingroup$
Does the RSA-PSS is not enough for you?
$endgroup$
– kelalaka
Feb 5 at 7:22
1
$begingroup$
"provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
$endgroup$
– kasperd
Feb 5 at 12:47
add a comment |
$begingroup$
I am trying to implement a signature scheme involving RSA signing of a message digest generated by SHA-$256$. I want to hash the input into an RSA domain point instead of the fixed $256$ bit digest generated by SHA.
Apparently, this can be achieved using a Full Domain Hashing
From the Wikipedia definition of Full Domain Hashing
In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.
How would one go about practically implementing the following part of the FDH process:
hashing a message using a function whose image size equals the size of the RSA modulus
I have tried randomly padding the $256$ bit digest, however, it requires sending extra values to remove the padding before verification.
I also looked at some papers on Random Oracles and FDH by Bellare and Rogaway(Paper 1,Paper 2) which are a little to esoteric for me and as such, I'm looking for simplified explanation of the process.
hash signature sha-256 padding random-oracle-model
asked Feb 5 at 7:19
Tabish MirTabish Mir
1706
$endgroup$
I am trying to implement a signature scheme involving RSA signing of a message digest generated by SHA-$256$. I want to hash the input into an RSA domain point instead of the fixed $256$ bit digest generated by SHA.
Apparently, this can be achieved using a Full Domain Hashing
From the Wikipedia definition of Full Domain Hashing
In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.
How would one go about practically implementing the following part of the FDH process:
hashing a message using a function whose image size equals the size of the RSA modulus
I have tried randomly padding the $256$ bit digest, however, it requires sending extra values to remove the padding before verification.
I also looked at some papers on Random Oracles and FDH by Bellare and Rogaway(Paper 1,Paper 2) which are a little to esoteric for me and as such, I'm looking for simplified explanation of the process.
hash signature sha-256 padding random-oracle-model
hash signature sha-256 padding random-oracle-model
asked Feb 5 at 7:19
Tabish MirTabish Mir
1706
asked Feb 5 at 7:19
Tabish MirTabish Mir
1706
asked Feb 5 at 7:19
Tabish MirTabish Mir
1706
asked Feb 5 at 7:19
Tabish MirTabish Mir
1706
asked Feb 5 at 7:19
Tabish MirTabish Mir
1706
1706
2
$begingroup$
Does the RSA-PSS is not enough for you?
$endgroup$
– kelalaka
Feb 5 at 7:22
1
$begingroup$
"provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
$endgroup$
– kasperd
Feb 5 at 12:47
add a comment |
2
$begingroup$
Does the RSA-PSS is not enough for you?
$endgroup$
– kelalaka
Feb 5 at 7:22
1
$begingroup$
"provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
$endgroup$
– kasperd
Feb 5 at 12:47
2
2
$begingroup$
Does the RSA-PSS is not enough for you?
$endgroup$
– kelalaka
Feb 5 at 7:22
$begingroup$
Does the RSA-PSS is not enough for you?
$endgroup$
– kelalaka
Feb 5 at 7:22
1
1
$begingroup$
"provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
$endgroup$
– kasperd
Feb 5 at 12:47
$begingroup$
"provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
$endgroup$
– kasperd
Feb 5 at 12:47
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
Hash functions we use, e.g. Sha-1, Sha-256, Sha-512, usually don’t have a sufficiently large range. But we can construct full domain hash via repeated application of a hash function $h$: $FDH(m) = h(m||0)||h(m||1)||cdots $, then take the leading n-bit. This way the hash value is deterministic and the size is arbitrary.
This is something like MGF1 defined in PKCS #1 v2.2, B.2.1.
answered Feb 5 at 10:06
Changyu DongChangyu Dong
3,196915
$endgroup$
$begingroup$
Thank you. This technique seems to be working perfectly.
$endgroup$
– Tabish Mir
Feb 6 at 5:31
add a comment |
$begingroup$
Why don't you use an eXtendible Output Function (XOF) for that ?
For example, SHAKE-128, defined in the SHA-3 standard, allows you to hash a message and obtain as output as many bits as you want. This is flexible so that it can be easily adapted to the size of your RSA modulus.
answered Feb 5 at 11:44
RuggeroRuggero
4,2531529
$endgroup$
$begingroup$
While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
$endgroup$
– Tabish Mir
Feb 6 at 5:34
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67061%2fhow-can-i-hash-an-input-into-an-arbitrary-domain-point%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Hash functions we use, e.g. Sha-1, Sha-256, Sha-512, usually don’t have a sufficiently large range. But we can construct full domain hash via repeated application of a hash function $h$: $FDH(m) = h(m||0)||h(m||1)||cdots $, then take the leading n-bit. This way the hash value is deterministic and the size is arbitrary.
This is something like MGF1 defined in PKCS #1 v2.2, B.2.1.
answered Feb 5 at 10:06
Changyu DongChangyu Dong
3,196915
$endgroup$
$begingroup$
Thank you. This technique seems to be working perfectly.
$endgroup$
– Tabish Mir
Feb 6 at 5:31
add a comment |
$begingroup$
Hash functions we use, e.g. Sha-1, Sha-256, Sha-512, usually don’t have a sufficiently large range. But we can construct full domain hash via repeated application of a hash function $h$: $FDH(m) = h(m||0)||h(m||1)||cdots $, then take the leading n-bit. This way the hash value is deterministic and the size is arbitrary.
This is something like MGF1 defined in PKCS #1 v2.2, B.2.1.
answered Feb 5 at 10:06
Changyu DongChangyu Dong
3,196915
$endgroup$
$begingroup$
Thank you. This technique seems to be working perfectly.
$endgroup$
– Tabish Mir
Feb 6 at 5:31
add a comment |
$begingroup$
Hash functions we use, e.g. Sha-1, Sha-256, Sha-512, usually don’t have a sufficiently large range. But we can construct full domain hash via repeated application of a hash function $h$: $FDH(m) = h(m||0)||h(m||1)||cdots $, then take the leading n-bit. This way the hash value is deterministic and the size is arbitrary.
This is something like MGF1 defined in PKCS #1 v2.2, B.2.1.
answered Feb 5 at 10:06
Changyu DongChangyu Dong
3,196915
$endgroup$
Hash functions we use, e.g. Sha-1, Sha-256, Sha-512, usually don’t have a sufficiently large range. But we can construct full domain hash via repeated application of a hash function $h$: $FDH(m) = h(m||0)||h(m||1)||cdots $, then take the leading n-bit. This way the hash value is deterministic and the size is arbitrary.
This is something like MGF1 defined in PKCS #1 v2.2, B.2.1.
answered Feb 5 at 10:06
Changyu DongChangyu Dong
3,196915
answered Feb 5 at 10:06
Changyu DongChangyu Dong
3,196915
answered Feb 5 at 10:06
Changyu DongChangyu Dong
3,196915
answered Feb 5 at 10:06
Changyu DongChangyu Dong
3,196915
3,196915
$begingroup$
Thank you. This technique seems to be working perfectly.
$endgroup$
– Tabish Mir
Feb 6 at 5:31
add a comment |
$begingroup$
Thank you. This technique seems to be working perfectly.
$endgroup$
– Tabish Mir
Feb 6 at 5:31
$begingroup$
Thank you. This technique seems to be working perfectly.
$endgroup$
– Tabish Mir
Feb 6 at 5:31
$begingroup$
Thank you. This technique seems to be working perfectly.
$endgroup$
– Tabish Mir
Feb 6 at 5:31
add a comment |
$begingroup$
Why don't you use an eXtendible Output Function (XOF) for that ?
For example, SHAKE-128, defined in the SHA-3 standard, allows you to hash a message and obtain as output as many bits as you want. This is flexible so that it can be easily adapted to the size of your RSA modulus.
answered Feb 5 at 11:44
RuggeroRuggero
4,2531529
$endgroup$
$begingroup$
While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
$endgroup$
– Tabish Mir
Feb 6 at 5:34
add a comment |
$begingroup$
Why don't you use an eXtendible Output Function (XOF) for that ?
For example, SHAKE-128, defined in the SHA-3 standard, allows you to hash a message and obtain as output as many bits as you want. This is flexible so that it can be easily adapted to the size of your RSA modulus.
answered Feb 5 at 11:44
RuggeroRuggero
4,2531529
$endgroup$
$begingroup$
While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
$endgroup$
– Tabish Mir
Feb 6 at 5:34
add a comment |
$begingroup$
Why don't you use an eXtendible Output Function (XOF) for that ?
For example, SHAKE-128, defined in the SHA-3 standard, allows you to hash a message and obtain as output as many bits as you want. This is flexible so that it can be easily adapted to the size of your RSA modulus.
answered Feb 5 at 11:44
RuggeroRuggero
4,2531529
$endgroup$
Why don't you use an eXtendible Output Function (XOF) for that ?
For example, SHAKE-128, defined in the SHA-3 standard, allows you to hash a message and obtain as output as many bits as you want. This is flexible so that it can be easily adapted to the size of your RSA modulus.
answered Feb 5 at 11:44
RuggeroRuggero
4,2531529
answered Feb 5 at 11:44
RuggeroRuggero
4,2531529
answered Feb 5 at 11:44
RuggeroRuggero
4,2531529
answered Feb 5 at 11:44
RuggeroRuggero
4,2531529
4,2531529
$begingroup$
While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
$endgroup$
– Tabish Mir
Feb 6 at 5:34
add a comment |
$begingroup$
While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
$endgroup$
– Tabish Mir
Feb 6 at 5:34
$begingroup$
While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
$endgroup$
– Tabish Mir
Feb 6 at 5:34
$begingroup$
While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
$endgroup$
– Tabish Mir
Feb 6 at 5:34
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67061%2fhow-can-i-hash-an-input-into-an-arbitrary-domain-point%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
$begingroup$
Does the RSA-PSS is not enough for you?
$endgroup$
– kelalaka
Feb 5 at 7:22
1
$begingroup$
"provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
$endgroup$
– kasperd
Feb 5 at 12:47