Pseudorandom function family

In

functions which emulate a random oracle in the following way: no efficient algorithm can distinguish (with significant advantage) between a function chosen randomly from the PRF family and a random oracle (a function whose outputs are fixed completely at random). Pseudorandom functions are vital tools in the construction of cryptographic primitives, especially secure encryption schemes

.

Pseudorandom functions are not to be confused with

random

if the input was chosen at random. On the other hand, the guarantee of a PRF is that all its outputs appear random, regardless of how the corresponding inputs were chosen, as long as the function was drawn at random from the PRF family.

A pseudorandom function family can be constructed from any pseudorandom generator, using, for example, the "GGM" construction given by

block ciphers are used in most instances where a pseudorandom function is needed, they do not, in general, constitute a pseudorandom function family, as block ciphers such as AES are defined for only limited numbers of input and key sizes.^[2]

Motivations from random functions

A PRF is an efficient (i.e. computable in polynomial time), deterministic function that maps two distinct sets (domain and range) and looks like a truly random function.

Essentially, a truly random function would just be composed of a lookup table filled with uniformly distributed random entries. However, in practice, a PRF is given an input string in the domain and a hidden random seed and runs multiple times with the same input string and seed, always returning the same value. Nonetheless, given an arbitrary input string, the output looks random if the seed is taken from a uniform distribution.

A PRF is considered to be good if its behavior is indistinguishable from a truly random function. Therefore, given an output from either the truly random function or a PRF, there should be no efficient method to correctly determine whether the output was produced by the truly random function or the PRF.

Formal definition

Pseudorandom functions take inputs $x\in \{0,1\}^{*}$ . Both the input size $I=|x|$ and output size $\lambda$ depend only on the index size $n:=|s|$ .

A family of functions,

$f_{s}:\left\{0,1\right\}^{I(n)}\rightarrow \left\{0,1\right\}^{\lambda (n)}$

is pseudorandom if the following conditions are satisfied:

There exists a polynomial-time algorithm that computes

f_{s}(x)

given any

s

and

x

.

Let $F_{n}$ be the distribution of functions $f_{s}$ where $s$ is uniformly distributed over $\{0,1\}^{n}$ , and let $RF_{n}$ denote the uniform distribution over the set of all functions from $\{0,1\}^{I(n)}$ to $\{0,1\}^{\lambda (n)}$ . Then we require $F_{n}$ and $RF_{n}$ are computationally indistinguishable, where n is the security parameter. That is, for any adversary that can query the oracle of a function sampled from either $F_{n}$ or $RF_{n}$ , the advantage that she can tell apart which kind of oracle is given to her is negligible in $n$ .[3]

Oblivious pseudorandom functions

In an oblivious pseudorandom function, abbreviated OPRF, information is concealed from two parties that are involved in a PRF.^[4] That is, if Alice cryptographically hashes her secret value, cryptographically blinds the hash to produce the message she sends to Bob, and Bob mixes in his secret value and gives the result back to Alice, who unblinds it to get the final output, Bob is not able to see either Alice's secret value or the final output, and Alice is not able to see Bob's secret input, but Alice sees the final output which is a PRF of the two inputs -- a PRF of Alice's secret and Bob's secret.^[5] This enables transactions of sensitive cryptographic information to be secure even between untrusted parties.

An OPRF is used in some implementations of password-authenticated key agreement.^[5]

An OPRF is used in the Password Monitor functionality in Microsoft Edge.^[6]

See the main article on

Oblivious Pseudorandom Functions

.

Application

PRFs can be used for:^[7]

dynamic perfect hashing; even if the adversary can change the key-distribution depending on the values the hashing function has assigned to the previous keys, the adversary can not force collisions.
Constructing deterministic, memoryless authentication schemes (message authentication code based) which are provably secure against chosen message attack.
Distributing unforgeable
ID numbers
, which can be locally verified by stations that contain only a small amount of storage.
Constructing identification friend or foe systems.

Notes

doi:10.1145/6490.6503. web page and preprint

ISBN 978-1-58488-551-1
.

^ Goldreich's FoC, vol. 1, def. 3.6.4. Pass's notes, def. 96.2

^ M. Bellare; S. Keelveedhi; T. Ristenpart (August 2013). Dupless: server-aided encryption for deduplicated storage (PDF). Proceedings of the 22nd USENIX Security Symposium. Washington, DC, USA: USENIX Association. pp. 1–16.

^ ^a ^b Matthew Green. "Let’s talk about PAKE". 2018.

^ Lauter, Kristin; Kannepalli, Sreekanth; Laine, Kim; Cruz Moreno, Radames (January 1, 2021). "Password Monitor: Safeguarding passwords in Microsoft Edge". Microsoft Research Blog. Retrieved January 1, 2021.

ISBN 978-3-540-15658-1
.

References

ISBN 978-0-511-54689-1
.

Pass, Rafael, A Course in Cryptography (PDF), retrieved 22 December 2015

v
t
e
Cryptography
General

History of cryptography

Outline of cryptography

Cryptographic protocol
Authentication protocol

Cryptographic primitive

Cryptanalysis

Cryptocurrency

Cryptosystem

Cryptographic nonce

Cryptovirology

Hash function
Cryptographic hash function

Key derivation function

Digital signature

Kleptography

Key (cryptography)

Key exchange

Key generator

Key schedule

Key stretching

Keygen

Cryptojacking malware

Ransomware

Random number generation
Cryptographically secure pseudorandom number generator (CSPRNG)

Pseudorandom noise (PRN)

Secure channel

Insecure channel

Subliminal channel

Encryption

Decryption

End-to-end encryption

Harvest now, decrypt later

Information-theoretic security

Plaintext

Codetext

Ciphertext

Shared secret

Trapdoor function

Trusted timestamping

Key-based routing

Onion routing

Garlic routing

Kademlia

Mix network

Mathematics

Cryptographic hash function

Block cipher

Stream cipher

Symmetric-key algorithm

Authenticated encryption

Public-key cryptography

Quantum key distribution

Quantum cryptography

Post-quantum cryptography

Message authentication code

Random numbers

Steganography

Category

Retrieved from "https://en.wikipedia.org/w/index.php?title=Pseudorandom_function_family&oldid=1201384041"

[1] doi:10.1145/6490.6503. web page and preprint

[intromodern-2] ISBN 978-1-58488-551-1
.

[3] Goldreich's FoC, vol. 1, def. 3.6.4. Pass's notes, def. 96.2

[4] M. Bellare; S. Keelveedhi; T. Ristenpart (August 2013). Dupless: server-aided encryption for deduplicated storage (PDF). Proceedings of the 22nd USENIX Security Symposium. Washington, DC, USA: USENIX Association. pp. 1–16.

[mgreen-5] Matthew Green. "Let’s talk about PAKE". 2018.

[6] Lauter, Kristin; Kannepalli, Sreekanth; Laine, Kim; Cruz Moreno, Radames (January 1, 2021). "Password Monitor: Safeguarding passwords in Microsoft Edge". Microsoft Research Blog. Retrieved January 1, 2021.

[7] ISBN 978-3-540-15658-1
.

[2]

[4]

[5]

[6]

[7]

Motivations from random functions

Formal definition

Oblivious pseudorandom functions

Application

See also

Notes

References