# A hash function that returns a value interpreted as integer

Cryptography Asked by jusmin on January 30, 2021

I am new in cryptography. I need to compute a hash of a string value represented as follows:
$$name||i$$ where $$i$$ is an integer.

I use the following pseudocode:

message = []byte(name||i)
hashize = 1536
// Using SHA256 full-domain-hash with 1536 bits
hashed = fdh.Sum(crypto.SHA256, hashize, message)
Print(hashed)


Here the hash is a vector of integer values. How can I have only one integer that represents the hash of the message?

My guess is that the intention is to make an RSA-1536 (or Rabin) signature of name (as a string) and integer $$i$$ per Full Domain Hash. Thus I answer, form a crypto standpoint, a rephrasing of the question as:

How do I make a full-domain hash of the concatenation of a name (given as a string) and an integer, towards signing these per RSA-FDH.

In a nutshell, my recommendation is to make that as in RSA-PSS, but with a fixed salt.

An implementation of that could be

1. Express name and $$i$$ as a bytestring per ASN.1 Distinguished Encoding Rules (DER). This will avoid ambiguities of string concatenation (so that name foo and integer 10 won't have the same hash as name foo1 and integer 0), and normalize the integer (so that integers 00 and 0 will result in the same hash). Formatting could be as a SEQUENCE (tag 16) with name as UTF8String (tag 12) then INTEGER (tag 2). See Burton S. Kaliski's A Layman's Guide to a Subset of ASN.1, BER, and DER (RSA labs, 1993), which is enough for an implementer, except for the UTF8String type.
2. Apply to the resulting bytestring the EMSA-PSS transformation of PKCS#1v2.2 with SHA-256 hash, MGF1 with SHA-256 hash, $$text{emBits}=1536$$, and fixed salt (e.g. 256 bits at zero). Part of that step includes hasing the input bytestring with SHA-256.
3. Convert the outcome to integer (per big-endian convention); this yields an integer as asked in the question.
4. Apply textbook RSA signature $$xmapsto x^dbmod N$$ (or the Rabin alternative).
5. Convert the integer outcome to a bytestring of $$leftlceiltext{emBits}/8rightrceil=192$$ bytes (per big-endian convention), yielding the signature.

Note: when targeting RSA, the combination of 2…5 is precisely signature per RSASSA-PSS of PKCS#1v2.2, and implementations of that should be reusable directly, if they have an input for the salt or for the salt-generating method.

Answered by fgrieu on January 30, 2021

## Related Questions

### Speed of a 16384-bit RSA key

1  Asked on March 2, 2021 by melab

### Practical use of semi direct product of group in Cryptography

1  Asked on February 23, 2021 by ssa

### Can I use ChaCha20-Poly1305 as my KDF?

2  Asked on February 23, 2021 by mint-branch-conditioner

### Elliptic curve group inverse addition in OpenSSL

0  Asked on February 21, 2021

### Forge valid token with misuse of OTP key reuse

0  Asked on February 19, 2021 by irwin

### Vulnerability in the Digital Signature Algorithm. Can I calculate k and x?

0  Asked on February 18, 2021 by confused-andstuck

### Inside attack (attack from participants) in secret sharing

1  Asked on February 18, 2021

### Does there exist a test vector for the Xoodoo permutation?

0  Asked on February 16, 2021

### Time-memory tradeoffs in Shor’s algorithm

0  Asked on February 13, 2021 by forest

### Is truncated hash collision resistant if original hash is collision resistant?

0  Asked on February 9, 2021 by doctopus

### A hash function that returns a value interpreted as integer

1  Asked on January 30, 2021 by jusmin

### Is the role of public key/private key determined arbitrarily or mathematically?

3  Asked on January 29, 2021 by 38fule

### How to simplify a the signing process in an elliptic curve signature scheme that involves a quadratic verification equation?

2  Asked on January 26, 2021 by columbida

### Decrypting small integers under RSA

3  Asked on January 22, 2021 by m-s-dousti

### Is Argon2 “sequential memory hard”?

0  Asked on January 22, 2021 by modal-nest

### Hash Function Properties

0  Asked on January 19, 2021 by antonis-paragas

### Which is the simplest cryptographic algorithm which is close to commercial-level security?

7  Asked on January 18, 2021

### Why is it important that phi(n) is kept a secret, in RSA?

5  Asked on January 15, 2021 by johankj

### What is a quantifier in game-based definitions?

0  Asked on January 14, 2021 by ay

### Why this isn’t second preimage resistance?

1  Asked on January 9, 2021