1

Given the existence of a secure hash function $h: \{ 0,1 \}^* \rightarrow \{0,1\}^k$, how can I construct a secure hash function $h': \{ 0,1 \}^* \rightarrow \mathbb{Z}_q$?

Of course this is easy for $q=2^k$, as we can always see $\{ 0,1 \}^k$ as the set $\mathbb{Z}_{2^k}$, but what if $q$ is an arbitrary integer?

Thank you in advance.

richard

1 Answer

4

You can define $h'$ as $h'(m) := h(m) \bmod q$.

As long as $ 2^k $ is larger than $ q $ by e.g. 128 bits, the resulting function $ h' $ is (almost) equally distributed in $ \mathbb Z_q $.

For a suitable hash function $ h $ you might pick a SHA-3 with variable output size, like SHAKE256.

raisyn
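The construction from the answer above, as an added example that is not part of the original posts: SHAKE256 output sized about 128 bits wider than $q$, reduced mod $q$, plus the exact statistical distance from uniform that the reduction introduces. The function names, the big-endian byte order and the sample modulus are assumptions made for this example.

```python
import hashlib
from fractions import Fraction

SLACK_BITS = 128  # margin from the answer: 2^k larger than q by about 128 bits


def digest_bits(q: int, slack: int = SLACK_BITS) -> int:
    """Output length k in bits for modulus q, rounded up to whole bytes."""
    if q < 2:
        raise ValueError("q must be at least 2")
    return 8 * ((q.bit_length() + slack + 7) // 8)


def hash_to_zq(message: bytes, q: int, slack: int = SLACK_BITS) -> int:
    """h'(m) = h(m) mod q, with h = SHAKE256 truncated to k bits."""
    k = digest_bits(q, slack)
    wide = hashlib.shake_256(message).digest(k // 8)
    # Big-endian interpretation is a convention chosen here (assumption).
    return int.from_bytes(wide, "big") % q


def reduction_bias(q: int, k: int) -> Fraction:
    """Exact statistical distance between (uniform k-bit integer mod q)
    and the uniform distribution on Z_q.

    Write 2^k = a*q + r. Residues below r have a+1 preimages, the rest
    have a, which gives a distance of r*(q - r) / (2^k * q) <= q / 2^(k+2).
    """
    n = 1 << k
    r = n % q
    return Fraction(r * (q - r), n * q)


if __name__ == "__main__":
    q = 2**255 - 19  # sample modulus, chosen for this example only
    k = digest_bits(q)
    print("k =", k, "bits")
    print("h'(b'hello') =", hash_to_zq(b"hello", q))
    print("bias with slack below 2^-128:", reduction_bias(q, k) < Fraction(1, 2**128))
    # Without slack the skew is visible: 2 bits into Z_3 maps
    # {0,1,2,3} to {0,1,2,0}, so residue 0 is twice as likely.
    print("bias for q=3, k=2:", reduction_bias(3, 2))
```

When $q$ is a power of two the remainder $r$ is zero and the distance is exactly 0, which matches the easy case in the question.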