Submission declined on 21 April 2024 by ToadetteEdit ( talk). This submission is not adequately supported by reliable sources. Reliable sources are required so that information can be verified. If you need help with referencing, please see Referencing for beginners and Citing sources. If you would like to continue working on the submission, click on the "Edit" tab at the top of the window. If you have not resolved the issues listed above, your draft will be declined again and potentially deleted. If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors. Please do not remove reviewer comments or this notice until the submission is accepted. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Find sources:  Google ( books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL Easy tools: Citation bot ( help) | Advanced: Fix bare URLs Declined by ToadetteEdit 6 days ago. Last edited by ToadetteEdit 6 days ago. Reviewer: Inform author. Resubmit Please note that if the issues are not fixed, the draft will be declined again.

• Comment: Feels that there are some original research. Toadette ^{( Let's talk together!)} 09:04, 21 April 2024 (UTC)

This article includes a list of general references, but it lacks sufficient corresponding inline citations. Please help to improve this article by introducing more precise citations. (January 2024) ( Learn how and when to remove this template message)

In cryptography, domain separation is a construct used to implement multiple different functions using only one underlying template in an efficient way. ^[1] For example, multiple cryptographic hash functions can be constructed from a single hash implementation by prepending different "domain identifier" strings to the input message.

Example

Suppose that a certain application needs two hash functions. Using the same function for both of them is not always possible ‒ there may be reasons why they must be independent ^[2] (cf. Random oracle § Domain separation). An obvious solution may be to pick two existing hash functions ‒ say, SHA-2 and SHA-3 ‒ and use them.

However, this solution is problematic. Different functions may have different performance and security characteristics, so it is desirable to use the one that suits best everywhere. New functions are designed to improve on the old ones or to support different use cases, not just to increase the number of different functions in existence. Also, using multiple functions like this increases implementation footprint and potential attack surface.

A much better solution is to use just one function, but to use a subset of the possible inputs for one hash, and another (disjoint) subset for the other. Because an input to a hash function is an arbitrarily long string, this is easy to implement: just prepend 0 to the input for one function, and 1 for the other. Formally, given a function ${\displaystyle {\mathcal {H}}(x)}$, the new functions would be ${\displaystyle {\mathcal {H}}_{1}(x)={\mathcal {H}}(0||x)}$ and ${\displaystyle {\mathcal {H}}_{2}(x)={\mathcal {H}}(1||x)}$ (here, ${\displaystyle ||}$ denotes concatenation).

The functions ${\displaystyle {\mathcal {H}}_{1}}$ and ${\displaystyle {\mathcal {H}}_{2}}$ produced like this behave as separate, independent hash functions: because their inputs to ${\displaystyle {\mathcal {H}}}$ don't overlap and because the outputs of ${\displaystyle {\mathcal {H}}}$ on different inputs are statistically independent (at least so far as a hash function is considered an approximation for a random oracle), the outputs of ${\displaystyle {\mathcal {H}}_{1}}$ and ${\displaystyle {\mathcal {H}}_{2}}$ on any inputs are likewise independent. This approach can be generalized to any number of functions, and to different kinds of functions. ^{[3] [4]}

Kinds of functions

Domain separation can be used with functions implementing different cryptographic primitives.

Hash functions

Domain separation is most commonly used with hash functions. Because the domain of a hash function is practically unlimited, it is not difficult to partition it among any number of sub-functions. This is commonly done by prepending or appending to the message a distinct string (domain separator) for each sub-function. ^{[5] [1]}

Domain separation is used within the implementation of some hash functions to produce multiple different functions from the same design. ^[6] For example, SHA-224 is almost identical to SHA-256 truncated to 224 bits. However, without additional modifications, it would have certain undesirable properties (for example, it would be possible to compute SHA-224 hash of a message knowing only its SHA-256 hash, something that is not possible for arbitrary different hash functions), so a modification was made to make SHA-224 produce a different output without changing its design (specifically, the initialization constants are different).

Symmetric ciphers and MACs

The security of symmetric ciphers and MACs critically depends of the key not being used for other purposes. If an application needs multiple keys but has only one source of keying material, it would typically employ a key derivation function to produce the keys. KDFs can usually produce output of arbitrary length, so they can be used to generate any number of keys. ^[7]

Also, just like hash functions, some symmetric ciphers and MACs use domain separation internally. ^[8]

Signatures

In many cases, it is desirable to use a single signing key to produce digital signatures for different purposes. If this is done, it is important to make sure that signed messages intended for one purpose cannot be used for the other. A simple way to achieve this is to add to each message an identifier specifying the purpose, and to reject a message if the identifier doesn't match. ^[9]

References

Sources

• Hampiholi, Brinda; Alpár, Gergely; van den Broek, Fabian; Jacobs, Bart (2015). "Towards Practical Attribute-Based Signatures". Security, Privacy, and Applied Cryptography Engineering. Vol. 9354. Cham: Springer International Publishing. pp. 310–328. doi: 10.1007/978-3-319-24126-5_18. ISBN  978-3-319-24125-8.

External links

• Hashing Apples, Bananas and Cherries

This page needs additional or more specific categories. Please help out by adding categories to it so that it can be listed with similar articles. (January 2024)