5

Do we still need MGF1 as used in the PKCS#1 v2.x specifications for SHA-3 hash functions? MGF1 is currently used for OAEP and PSS as the Mask Generation Function. Now that the SHA-3 specification contains SHAKE128 and SHAKE256, could MGF1 be replaced?

It seems to me that there is only one input to MGF1, called the seed. It seems that MGF1 is directly replaceable with a XOF which also has one input and one output. In that case we could call MGF2 = XOF, and the XOF (hash) function would simply be one of the SHAKE functions specified in the SHA-3 standard.

Will an extendable-output function directly cover the security requirements expected from a mask generation function?

Maarten Bodewes
  • MGF1 will still need to be supported (because it's so super-widespread) and for the rest it really depends on general adoption of XOFs, but AFAIK XOFs should do the trick just as well (if not better) than MGF1. – SEJPM Jul 15 '16 at 11:34
  • @SEJPM Obviously I'm not in favor of dropping MGF1 for legacy applications once SHA-3 becomes commonplace, I'll edit the question to make this clear. Thanks for the hint. – Maarten Bodewes Jul 15 '16 at 11:35
  • Related (notice the editor? :P): [What is the use case for XOF functions (i.e. SHAKE128/256)?](https://crypto.stackexchange.com/q/30587/23623) – SEJPM Jul 15 '16 at 11:37

1 Answer

6

It seems that the authors of the Keccak sponge (the algorithm chosen to be SHA-3) do think their SHAKE functions can directly be used for simplifying OAEP and PSS:

> The introduction of extendable-output functions (or XOFs, pronounced zoff) is a particularly nice feature of the standard. A XOF like SHAKE128 or SHAKE256 can be seen as a generalization of hash functions where the output length is not fixed but is potentially infinite. Concretely, XOFs can be used instead of complex constructions involving hash functions and counters such as MGF1. With RSA, this is of immediate benefit to full domain hashing (edit: also known as FDH), to RSA OAEP (Optimal Asymmetric Encryption Padding) and to RSA PSS (Probabilistic Signature Scheme). Other use cases are key derivation functions and stream ciphers.

Maarten Bodewes
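The substitution discussed in the question and answer above, as an added example that is not part of the original posts: MGF1 (hash plus 4-byte counter) and SHAKE256 behind the same `(seed, length) -> mask` interface, each plugged into the two-step OAEP-style masking. The names `mgf1`, `xof_mask`, `mask_block` and `unmask_block` are hypothetical, and the masking is simplified (no label hash, no padding checks, no RSA operation).

```python
import hashlib
import os
from typing import Callable, Tuple

MaskFn = Callable[[bytes, int], bytes]  # (seed, mask_len) -> mask

def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """MGF1 as in PKCS#1 v2.x: concatenate Hash(seed || I2OSP(counter, 4))."""
    h_len = hashlib.new(hash_name).digest_size
    if mask_len > (1 << 32) * h_len:
        raise ValueError("mask too long")
    out, counter = b"", 0
    while len(out) < mask_len:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]  # the final block is truncated

def xof_mask(seed: bytes, mask_len: int) -> bytes:
    """The 'MGF2 = XOF' idea: the XOF output is the mask, no counter loop."""
    return hashlib.shake_256(seed).digest(mask_len)

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def mask_block(db: bytes, seed: bytes, mgf: MaskFn) -> Tuple[bytes, bytes]:
    """OAEP-style masking: the data block is masked from the seed,
    then the seed is masked from the masked data block."""
    masked_db = xor(db, mgf(seed, len(db)))
    masked_seed = xor(seed, mgf(masked_db, len(seed)))
    return masked_seed, masked_db

def unmask_block(masked_seed: bytes, masked_db: bytes, mgf: MaskFn) -> Tuple[bytes, bytes]:
    """Inverse of mask_block; must use the same mask function."""
    seed = xor(masked_seed, mgf(masked_db, len(masked_seed)))
    db = xor(masked_db, mgf(seed, len(masked_db)))
    return seed, db

if __name__ == "__main__":
    db = b"\x00" * 16 + b"\x01" + b"constructed sample message"  # constructed input
    seed = os.urandom(32)
    for name, mgf in (("MGF1-SHA256", mgf1), ("SHAKE256", xof_mask)):
        ms, mdb = mask_block(db, seed, mgf)
        assert unmask_block(ms, mdb, mgf) == (seed, db)
        print(name, "masked DB:", mdb.hex()[:32], "...")
```

Both functions are deterministic in the seed and prefix-consistent, but they produce different masks, so the two sides have to agree on which one is in use.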