Submission declined on 21 April 2024 by ToadetteEdit (talk). This submission is not adequately supported by reliable sources. Reliable sources are required so that information can be verified. If you need help with referencing, please see Referencing for beginners and Citing sources.
This article includes a list of general references, but it lacks sufficient corresponding inline citations. (January 2024)
In cryptography, domain separation is a construct used to implement multiple different functions using only one underlying template in an efficient way. [1] For example, multiple cryptographic hash functions can be constructed from a single hash implementation by prepending different "domain identifier" strings to the input message.
Suppose that a certain application needs two hash functions. Using the same function for both of them is not always possible ‒ there may be reasons why they must be independent [2] (cf. Random oracle § Domain separation). An obvious solution may be to pick two existing hash functions ‒ say, SHA-2 and SHA-3 ‒ and use them.
However, this solution is problematic. Different functions have different performance and security characteristics, so it is desirable to use the one that fits best everywhere. New functions are designed to improve on the old ones or to support different use cases, not merely to increase the number of different functions in existence. Also, shipping multiple functions increases implementation footprint and potential attack surface.
A much better solution is to use just one function, but to use a subset of the possible inputs for one hash, and another (disjoint) subset for the other. Because an input to a hash function is an arbitrarily long string, this is easy to implement: just prepend 0 to the input for one function, and 1 for the other. Formally, given a function , the new functions would be and (here, denotes concatenation).
The functions and produced like this behave as separate, independent hash functions: because their inputs to don't overlap and because the outputs of on different inputs are statistically independent (at least so far as a hash function is considered an approximation for a random oracle), the outputs of and on any inputs are likewise independent. This approach can be generalized to any number of functions, and to different kinds of functions. [3] [4]
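The construction described above, as an added example in Python that is not part of the article: SHA-256 is taken as the single underlying function H, and the "0" and "1" prepended to the input are instantiated as one-byte tags. The last two functions go beyond the text: they generalise to an arbitrary number of sub-functions selected by a string label, and show why the label has to be length-prefixed (without the prefix, the pairs ("ab", "c") and ("a", "bc") hand H the same bytes, so two supposedly separate sub-functions collide). Function and label names are this example's own choices.

```python
import hashlib

def h(data: bytes) -> bytes:
    """The single underlying hash function H (SHA-256 in this example)."""
    return hashlib.sha256(data).digest()

def h0(message: bytes) -> bytes:
    """H_0(m) = H(0 || m): sub-function for the first purpose (one-byte tag)."""
    return h(b"\x00" + message)

def h1(message: bytes) -> bytes:
    """H_1(m) = H(1 || m): sub-function for the second purpose (one-byte tag)."""
    return h(b"\x01" + message)

def tagged_hash(domain: bytes, message: bytes) -> bytes:
    """Generalisation: one sub-function per domain string.

    The domain string is length-prefixed (one byte, so at most 255 bytes)
    so that the encoding of (domain, message) is injective: no two distinct
    (domain, message) pairs can feed H the same input.
    """
    if not 1 <= len(domain) <= 255:
        raise ValueError("domain identifier must be 1..255 bytes")
    return h(bytes([len(domain)]) + domain + message)

def naive_tagged_hash(domain: bytes, message: bytes) -> bytes:
    """Same idea without the length prefix; shown only to exhibit the ambiguity."""
    return h(domain + message)

def demo() -> None:
    m = b"constructed sample message"
    print("H_0(m) =", h0(m).hex())
    print("H_1(m) =", h1(m).hex())
    # Cross-domain collision of the naive encoding: "ab"+"c" and "a"+"bc" are both b"abc".
    print("naive collision:",
          naive_tagged_hash(b"ab", b"c") == naive_tagged_hash(b"a", b"bc"))
    print("length-prefixed collision:",
          tagged_hash(b"ab", b"c") == tagged_hash(b"a", b"bc"))

if __name__ == "__main__":
    demo()
```

The one-byte length prefix is enough for short fixed labels; a protocol with longer or variable-length labels would use a wider length field, but the requirement is the same: the encoding of (domain, message) must be injective, or the separation is only nominal.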
Domain separation can be used with functions implementing different cryptographic primitives.
Domain separation is most commonly used with hash functions. Because the domain of a hash function is practically unlimited, it is not difficult to partition it among any number of sub-functions. This is commonly done by prepending or appending to the message a distinct string (domain separator) for each sub-function. [5] [1]
Domain separation is used within the implementation of some hash functions to produce multiple different functions from the same design. [6] For example, SHA-224 is almost identical to SHA-256 truncated to 224 bits. Without further modification, however, it would have undesirable properties: for example, the SHA-224 hash of a message could be computed from its SHA-256 hash alone, something that is not possible for two genuinely different hash functions. A modification was therefore made so that SHA-224 produces a different output without changing the design: specifically, SHA-224 uses different initial hash values (initialization constants) from SHA-256.
The security of symmetric ciphers and MACs depends critically on each key not being used for any other purpose. If an application needs multiple keys but has only one source of keying material, it typically employs a key derivation function (KDF) to produce them, with a distinct label for each purpose acting as the domain separator. KDFs can usually produce output of arbitrary length, so they can be used to generate any number of keys. [7]
Also, just like hash functions, some symmetric ciphers and MACs use domain separation internally. [8]
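An added example, not from the article, of the key-derivation use described above: HKDF (RFC 5869) is implemented on top of the standard library's HMAC-SHA256, and three keys for three purposes are derived from one master secret by giving each purpose its own `info` label. The labels, the master secret and the salt are constructed for this example; the `rfc5869_self_check` function compares the implementation against test case 1 of the RFC so the reader can confirm the HKDF code itself is correct.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC default when no salt is supplied
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3).

    `info` is the domain separator: two calls with the same PRK but
    different `info` yield unrelated output, so one extracted secret can
    feed any number of independent keys.
    """
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length must be 1..255*HashLen bytes")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]

def derive_keys(master_secret: bytes, salt: bytes) -> dict:
    """Derive one key per purpose from a single master secret.

    The labels are constructed for this example; a real deployment fixes
    them in its protocol specification and never reuses a label for a
    second purpose.
    """
    prk = hkdf_extract(salt, master_secret)
    return {
        "enc":   hkdf_expand(prk, b"example-app v1 aes-256-gcm key", 32),
        "mac":   hkdf_expand(prk, b"example-app v1 hmac-sha256 key", 32),
        "token": hkdf_expand(prk, b"example-app v1 session-token key", 32),
    }

def rfc5869_self_check() -> bool:
    """Compare the implementation against RFC 5869 test case 1."""
    ikm = b"\x0b" * 22
    salt = bytes(range(0x00, 0x0d))
    info = bytes(range(0xf0, 0xfa))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")

if __name__ == "__main__":
    print("RFC 5869 self-check:", rfc5869_self_check())
    keys = derive_keys(b"constructed master secret", b"constructed salt")
    for purpose, k in keys.items():
        print(f"{purpose:6s} {k.hex()}")
```

Deriving the encryption key and the MAC key from the same secret with different `info` values is what keeps the page's rule intact: the cipher and the MAC each see a key that is used for nothing else, even though only one secret was ever shared.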
In many cases it is desirable to use a single signing key to produce digital signatures for different purposes. If this is done, it is important to ensure that a message signed for one purpose cannot be accepted as valid for another. A simple way to achieve this is to prepend to each message an identifier specifying its purpose, encoded so that identifier and message cannot be confused, and to reject a message whose identifier does not match the purpose the verifier expects. [9]
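An added example, not from the article, of the purpose-identifier check described above. HMAC-SHA256 from the standard library stands in for the signing and verifying operations so the block runs without a third-party library; with a real signature scheme the `sign` body would be the private-key signing call and `verify` the public-key verification, and the purpose-binding logic around them would be unchanged. The purpose labels, the demo key and the sample message are constructed for this example.

```python
import hashlib
import hmac

def encode_purpose(purpose: bytes, message: bytes) -> bytes:
    """Injective encoding of (purpose, message).

    The purpose identifier is length-prefixed (2 bytes, big-endian) so no
    two distinct (purpose, message) pairs can produce the same bytes; a
    bare prefix would let ("ab", "c") and ("a", "bc") collide.
    """
    if not 1 <= len(purpose) <= 0xFFFF:
        raise ValueError("purpose identifier must be 1..65535 bytes")
    return len(purpose).to_bytes(2, "big") + purpose + message

def sign(key: bytes, purpose: bytes, message: bytes) -> bytes:
    """Produce a tag over the purpose-bound message.

    HMAC-SHA256 stands in for the signing operation; with a real signature
    scheme `key` is the private key and this is the sign call.
    """
    return hmac.new(key, encode_purpose(purpose, message), hashlib.sha256).digest()

def verify(key: bytes, purpose: bytes, message: bytes, tag: bytes) -> bool:
    """Accept only if `tag` was produced for exactly this purpose and message.

    The verifier supplies the purpose it expects; it never reads the purpose
    out of attacker-controlled input.
    """
    expected = sign(key, purpose, message)
    return hmac.compare_digest(expected, tag)

# Constructed purpose identifiers; one key serves both.
LOGIN = b"example-app/v1/login-challenge-response"
PAYMENT = b"example-app/v1/payment-authorization"

def cross_purpose_replay_rejected(key: bytes) -> bool:
    """Scenario: a value legitimately signed as a login-challenge response is
    replayed to the payment endpoint. The payment verifier checks it under
    the PAYMENT purpose and must reject it, while the login verifier accepts it."""
    challenge_response = b"nonce=1234;user=alice"  # constructed sample message
    tag = sign(key, LOGIN, challenge_response)
    accepted_at_login = verify(key, LOGIN, challenge_response, tag)
    accepted_at_payment = verify(key, PAYMENT, challenge_response, tag)
    return accepted_at_login and not accepted_at_payment

if __name__ == "__main__":
    demo_key = b"constructed demo key, not for real use"
    print("replay across purposes rejected:", cross_purpose_replay_rejected(demo_key))
```

The important design point is that the expected purpose is fixed by the verifying code path, not parsed from the signed blob: if the verifier trusted a purpose field carried inside the message, a signature produced for one purpose would still verify under any other.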
This page needs additional or more specific categories. (January 2024)