Cryptography Reference
In-Depth Information
> MGF1 := proc(mgfSeed, maskLen, {H := 'SHA256', hLen := 32})
local T, i, C;
if (2ˆ32)*hLen < maskLen then
error "mask too long"
end if;
T:="";
for i from 0 to ceil(maskLen/hLen)-1 do
C := I2OSP(i, 4);
T := cat(T, H(cat(mgfSeed, C),hex))
end do;
StringTools:-Take(T, 2*maskLen)
end proc:
Observe that
MGF1
can be seen as a family of functions parameterized by the
value
maskLen
and also that
maskLen
can be either greater or smaller than the length
of
mgfSeed
, so that
MGF1
is a family of functions which, on input a byte string of any
length, produce as output a byte string of any desired length. Two of these instances
will supply the functions
G
,
H
used in the description of RSA-OAEP above.
Example 8.8
A typical example of the use of
MGF1
below will be to produce a 223-
byte string from a 32-byte seed. This corresponds to the case in which, as mentioned
above,
dbMask
:=
MGF
(
seed
,
k
−
hLen
−
1
)
with an RSA modulus of
k
=
256
bytes and
hLen
= 32 (the output length of SHA-256), so that 223
=
256
−
32
−
1:
> with(StringTools);
Randomize();
r := LowerCase(Random(64, xdigit));
"b0e6fca1ba6aecf51f88fbe04a22f65b8db9d7bb2fa84f0b76ae0eec074bf6ff"
> MGF1(r, 223);
"99a91043da0ddabbc27f8d730b30e256a4e5bcc195261792d54d41f5301e88197ed7598274df4ad12\
87cc7b5b52710e9124b359a48bd65779fd34f2ad03a3b26445d3b33f61d3e4d25c1ed9aa52fa9b93\
31654bc35b605e75de97cacedc5c9a2f71c99cd4434b67cd018f7febe4e91ef2c1d92b3570d2c3fc\
8ac763d9b8b0f07f2f5339524a455261b57c566da22f9c4e03a86e4e4660e9e0647d46c514c7dcce\
69ed56465a0c92a3339259207118ac9a620f79f78199cba93dd29a87288d18c01967952707eda541\
feb2140e78be82b9fe3ad28e0f853843a4dab6f1e6b9a"
The next function performs the EME-OAEP encoding operation following [154],
as described in our preceding discussion. The required inputs of the function are
M
,
which corresponds to the message given as an even-length hexadecimal string,
k
for
the byte length of the encoded message that will be produced by the function and
seed
, a byte string of length
hLen
which is used to specify a randomly generated
seed. The optional input parameters are
L
, in which a 'label' (a byte string) can be
specified (with the empty string as default),
H
for the name of the hash function to
be used (with
SHA256
as default) and
hLen
for the byte length of the hash function
output (with 32 as default). The output is a byte string
EM
of length
k
.
> EMEOAEPEnc := proc(M::string, k::posint, seed::string,
L::string := "", H::name := 'SHA256', hLen := 32)
local mLen, lHash, hhLen, PS, DB, s, dbMask, maskedDB, seedMask, maskedSeed;
mLen := iquo(StringTools:-Length(M), 2);
lHash := H(L, hex);
hhLen := 2*hLen;
PS := StringTools:-Repeat("00", k-mLen-hhLen-2);
DB := cat(lHash, PS, "01", M);
if _params['seed'] = NULL then
StringTools:-Randomize();
s := StringTools:-LowerCase(StringTools:-Random(hhLen, xdigit))
else
