How can I hash an input into an arbitrary domain point?












4












$begingroup$


I am trying to implement a signature scheme involving RSA signing of a message digest generated by SHA-$256$. I want to hash the input into an RSA domain point instead of the fixed $256$ bit digest generated by SHA.


Apparently, this can be achieved using a Full Domain Hashing


From the Wikipedia definition of Full Domain Hashing




In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.




How would one go about practically implementing the following part of the FDH process:




hashing a message using a function whose image size equals the size of the RSA modulus




I have tried randomly padding the $256$ bit digest, however, it requires sending extra values to remove the padding before verification.
I also looked at some papers on Random Oracles and FDH by Bellare and Rogaway(Paper 1,Paper 2) which are a little to esoteric for me and as such, I'm looking for simplified explanation of the process.










share|improve this question









$endgroup$








  • 2




    $begingroup$
    Does the RSA-PSS is not enough for you?
    $endgroup$
    – kelalaka
    Feb 5 at 7:22






  • 1




    $begingroup$
    "provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
    $endgroup$
    – kasperd
    Feb 5 at 12:47
















4












$begingroup$


I am trying to implement a signature scheme involving RSA signing of a message digest generated by SHA-$256$. I want to hash the input into an RSA domain point instead of the fixed $256$ bit digest generated by SHA.


Apparently, this can be achieved using a Full Domain Hashing


From the Wikipedia definition of Full Domain Hashing




In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.




How would one go about practically implementing the following part of the FDH process:




hashing a message using a function whose image size equals the size of the RSA modulus




I have tried randomly padding the $256$ bit digest, however, it requires sending extra values to remove the padding before verification.
I also looked at some papers on Random Oracles and FDH by Bellare and Rogaway(Paper 1,Paper 2) which are a little to esoteric for me and as such, I'm looking for simplified explanation of the process.










share|improve this question









$endgroup$








  • 2




    $begingroup$
    Does the RSA-PSS is not enough for you?
    $endgroup$
    – kelalaka
    Feb 5 at 7:22






  • 1




    $begingroup$
    "provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
    $endgroup$
    – kasperd
    Feb 5 at 12:47














4












4








4


3



$begingroup$


I am trying to implement a signature scheme involving RSA signing of a message digest generated by SHA-$256$. I want to hash the input into an RSA domain point instead of the fixed $256$ bit digest generated by SHA.


Apparently, this can be achieved using a Full Domain Hashing


From the Wikipedia definition of Full Domain Hashing




In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.




How would one go about practically implementing the following part of the FDH process:




hashing a message using a function whose image size equals the size of the RSA modulus




I have tried randomly padding the $256$ bit digest, however, it requires sending extra values to remove the padding before verification.
I also looked at some papers on Random Oracles and FDH by Bellare and Rogaway(Paper 1,Paper 2) which are a little to esoteric for me and as such, I'm looking for simplified explanation of the process.










share|improve this question









$endgroup$




I am trying to implement a signature scheme involving RSA signing of a message digest generated by SHA-$256$. I want to hash the input into an RSA domain point instead of the fixed $256$ bit digest generated by SHA.


Apparently, this can be achieved using a Full Domain Hashing


From the Wikipedia definition of Full Domain Hashing




In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.




How would one go about practically implementing the following part of the FDH process:




hashing a message using a function whose image size equals the size of the RSA modulus




I have tried randomly padding the $256$ bit digest, however, it requires sending extra values to remove the padding before verification.
I also looked at some papers on Random Oracles and FDH by Bellare and Rogaway(Paper 1,Paper 2) which are a little to esoteric for me and as such, I'm looking for simplified explanation of the process.







hash signature sha-256 padding random-oracle-model






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Feb 5 at 7:19









Tabish MirTabish Mir

1717




1717








  • 2




    $begingroup$
    Does the RSA-PSS is not enough for you?
    $endgroup$
    – kelalaka
    Feb 5 at 7:22






  • 1




    $begingroup$
    "provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
    $endgroup$
    – kasperd
    Feb 5 at 12:47














  • 2




    $begingroup$
    Does the RSA-PSS is not enough for you?
    $endgroup$
    – kelalaka
    Feb 5 at 7:22






  • 1




    $begingroup$
    "provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
    $endgroup$
    – kasperd
    Feb 5 at 12:47








2




2




$begingroup$
Does the RSA-PSS is not enough for you?
$endgroup$
– kelalaka
Feb 5 at 7:22




$begingroup$
Does the RSA-PSS is not enough for you?
$endgroup$
– kelalaka
Feb 5 at 7:22




1




1




$begingroup$
"provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
$endgroup$
– kasperd
Feb 5 at 12:47




$begingroup$
"provably secure in the random oracle model"... I thought the random oracle model had fallen out of favor. Isn't the random sponge model the preferred model for analyzing protocols based on hash functions nowadays?
$endgroup$
– kasperd
Feb 5 at 12:47










2 Answers
2






active

oldest

votes


















7












$begingroup$

Hash functions we use, e.g. Sha-1, Sha-256, Sha-512, usually don’t have a sufficiently large range. But we can construct full domain hash via repeated application of a hash function $h$: $FDH(m) = h(m||0)||h(m||1)||cdots $, then take the leading n-bit. This way the hash value is deterministic and the size is arbitrary.



This is something like MGF1 defined in PKCS #1 v2.2, B.2.1.






share|improve this answer









$endgroup$













  • $begingroup$
    Thank you. This technique seems to be working perfectly.
    $endgroup$
    – Tabish Mir
    Feb 6 at 5:31



















4












$begingroup$

Why don't you use an eXtendible Output Function (XOF) for that ?



For example, SHAKE-128, defined in the SHA-3 standard, allows you to hash a message and obtain as output as many bits as you want. This is flexible so that it can be easily adapted to the size of your RSA modulus.






share|improve this answer









$endgroup$













  • $begingroup$
    While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
    $endgroup$
    – Tabish Mir
    Feb 6 at 5:34











Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67061%2fhow-can-i-hash-an-input-into-an-arbitrary-domain-point%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









7












$begingroup$

Hash functions we use, e.g. Sha-1, Sha-256, Sha-512, usually don’t have a sufficiently large range. But we can construct full domain hash via repeated application of a hash function $h$: $FDH(m) = h(m||0)||h(m||1)||cdots $, then take the leading n-bit. This way the hash value is deterministic and the size is arbitrary.



This is something like MGF1 defined in PKCS #1 v2.2, B.2.1.






share|improve this answer









$endgroup$













  • $begingroup$
    Thank you. This technique seems to be working perfectly.
    $endgroup$
    – Tabish Mir
    Feb 6 at 5:31
















7












$begingroup$

Hash functions we use, e.g. Sha-1, Sha-256, Sha-512, usually don’t have a sufficiently large range. But we can construct full domain hash via repeated application of a hash function $h$: $FDH(m) = h(m||0)||h(m||1)||cdots $, then take the leading n-bit. This way the hash value is deterministic and the size is arbitrary.



This is something like MGF1 defined in PKCS #1 v2.2, B.2.1.






share|improve this answer









$endgroup$













  • $begingroup$
    Thank you. This technique seems to be working perfectly.
    $endgroup$
    – Tabish Mir
    Feb 6 at 5:31














7












7








7





$begingroup$

Hash functions we use, e.g. Sha-1, Sha-256, Sha-512, usually don’t have a sufficiently large range. But we can construct full domain hash via repeated application of a hash function $h$: $FDH(m) = h(m||0)||h(m||1)||cdots $, then take the leading n-bit. This way the hash value is deterministic and the size is arbitrary.



This is something like MGF1 defined in PKCS #1 v2.2, B.2.1.






share|improve this answer









$endgroup$



Hash functions we use, e.g. Sha-1, Sha-256, Sha-512, usually don’t have a sufficiently large range. But we can construct full domain hash via repeated application of a hash function $h$: $FDH(m) = h(m||0)||h(m||1)||cdots $, then take the leading n-bit. This way the hash value is deterministic and the size is arbitrary.



This is something like MGF1 defined in PKCS #1 v2.2, B.2.1.







share|improve this answer












share|improve this answer



share|improve this answer










answered Feb 5 at 10:06









Changyu DongChangyu Dong

3,296915




3,296915












  • $begingroup$
    Thank you. This technique seems to be working perfectly.
    $endgroup$
    – Tabish Mir
    Feb 6 at 5:31


















  • $begingroup$
    Thank you. This technique seems to be working perfectly.
    $endgroup$
    – Tabish Mir
    Feb 6 at 5:31
















$begingroup$
Thank you. This technique seems to be working perfectly.
$endgroup$
– Tabish Mir
Feb 6 at 5:31




$begingroup$
Thank you. This technique seems to be working perfectly.
$endgroup$
– Tabish Mir
Feb 6 at 5:31











4












$begingroup$

Why don't you use an eXtendible Output Function (XOF) for that ?



For example, SHAKE-128, defined in the SHA-3 standard, allows you to hash a message and obtain as output as many bits as you want. This is flexible so that it can be easily adapted to the size of your RSA modulus.






share|improve this answer









$endgroup$













  • $begingroup$
    While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
    $endgroup$
    – Tabish Mir
    Feb 6 at 5:34
















4












$begingroup$

Why don't you use an eXtendible Output Function (XOF) for that ?



For example, SHAKE-128, defined in the SHA-3 standard, allows you to hash a message and obtain as output as many bits as you want. This is flexible so that it can be easily adapted to the size of your RSA modulus.






share|improve this answer









$endgroup$













  • $begingroup$
    While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
    $endgroup$
    – Tabish Mir
    Feb 6 at 5:34














4












4








4





$begingroup$

Why don't you use an eXtendible Output Function (XOF) for that ?



For example, SHAKE-128, defined in the SHA-3 standard, allows you to hash a message and obtain as output as many bits as you want. This is flexible so that it can be easily adapted to the size of your RSA modulus.






share|improve this answer









$endgroup$



Why don't you use an eXtendible Output Function (XOF) for that ?



For example, SHAKE-128, defined in the SHA-3 standard, allows you to hash a message and obtain as output as many bits as you want. This is flexible so that it can be easily adapted to the size of your RSA modulus.







share|improve this answer












share|improve this answer



share|improve this answer










answered Feb 5 at 11:44









RuggeroRuggero

4,3881529




4,3881529












  • $begingroup$
    While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
    $endgroup$
    – Tabish Mir
    Feb 6 at 5:34


















  • $begingroup$
    While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
    $endgroup$
    – Tabish Mir
    Feb 6 at 5:34
















$begingroup$
While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
$endgroup$
– Tabish Mir
Feb 6 at 5:34




$begingroup$
While that would address the problem I have, I would like a method of extending the hash output based on any simpler hash function (SHA256) in my case.
$endgroup$
– Tabish Mir
Feb 6 at 5:34


















draft saved

draft discarded




















































Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67061%2fhow-can-i-hash-an-input-into-an-arbitrary-domain-point%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Probability when a professor distributes a quiz and homework assignment to a class of n students.

Aardman Animations

Are they similar matrix