A hash function that returns a value interpreted as integer

Cryptography Asked by jusmin on January 30, 2021

I am new in cryptography. I need to compute a hash of a string value represented as follows:
$name||i$ where $i$ is an integer.

I use the following pseudocode:

message = []byte(name||i)
hashize = 1536
// Using SHA256 full-domain-hash with 1536 bits
hashed = fdh.Sum(crypto.SHA256, hashize, message)

Here the hash is a vector of integer values. How can I have only one integer that represents the hash of the message?

One Answer

My guess is that the intention is to make an RSA-1536 (or Rabin) signature of name (as a string) and integer $i$ per Full Domain Hash. Thus I answer, form a crypto standpoint, a rephrasing of the question as:

How do I make a full-domain hash of the concatenation of a name (given as a string) and an integer, towards signing these per RSA-FDH.

In a nutshell, my recommendation is to make that as in RSA-PSS, but with a fixed salt.

An implementation of that could be

  1. Express name and $i$ as a bytestring per ASN.1 Distinguished Encoding Rules (DER). This will avoid ambiguities of string concatenation (so that name foo and integer 10 won't have the same hash as name foo1 and integer 0), and normalize the integer (so that integers 00 and 0 will result in the same hash). Formatting could be as a SEQUENCE (tag 16) with name as UTF8String (tag 12) then INTEGER (tag 2). See Burton S. Kaliski's A Layman's Guide to a Subset of ASN.1, BER, and DER (RSA labs, 1993), which is enough for an implementer, except for the UTF8String type.
  2. Apply to the resulting bytestring the EMSA-PSS transformation of PKCS#1v2.2 with SHA-256 hash, MGF1 with SHA-256 hash, $text{emBits}=1536$, and fixed salt (e.g. 256 bits at zero). Part of that step includes hasing the input bytestring with SHA-256.
  3. Convert the outcome to integer (per big-endian convention); this yields an integer as asked in the question.
  4. Apply textbook RSA signature $xmapsto x^dbmod N$ (or the Rabin alternative).
  5. Convert the integer outcome to a bytestring of $leftlceiltext{emBits}/8rightrceil=192$ bytes (per big-endian convention), yielding the signature.

Note: when targeting RSA, the combination of 2…5 is precisely signature per RSASSA-PSS of PKCS#1v2.2, and implementations of that should be reusable directly, if they have an input for the salt or for the salt-generating method.

Answered by fgrieu on January 30, 2021

Add your own answers!

Related Questions

Speed of a 16384-bit RSA key

1  Asked on March 2, 2021 by melab


Can I use ChaCha20-Poly1305 as my KDF?

2  Asked on February 23, 2021 by mint-branch-conditioner


Vulnerability in the Digital Signature Algorithm. Can I calculate k and x?

0  Asked on February 18, 2021 by confused-andstuck


Is Argon2 “sequential memory hard”?

0  Asked on January 22, 2021 by modal-nest


Hash Function Properties

0  Asked on January 19, 2021 by antonis-paragas


Why is it important that phi(n) is kept a secret, in RSA?

5  Asked on January 15, 2021 by johankj


Ask a Question

Get help from others!

© 2022 All rights reserved. Sites we Love: PCI Database, MenuIva, UKBizDB, Menu Kuliner, Sharing RPP, SolveDir