Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [pseudo-random-function]

A pseudo-random function (PRF) is a family of deterministic functions indexed by a parameter, such that a randomly selected instance is computationally indistinguishable from a uniformly random function with the same input and output spaces.

A pseudorandom function family is a finite set of deterministic functions that share the same given (finite) input and output spaces, indexed by a parameter which selects the exact function. Pseudorandomness is achieved if an instance of the family, obtained with a uniformly random selection of the index parameter, is computationally indistinguishable from a function selected at random and uniformly among the whole set of possible deterministic functions with the same input and output spaces.

PRF are most useful when they are efficiently computable. There is no theoretical guarantee that PRF can really exist, but many candidates are known, which cannot be distinguished from random functions with non-negligible probability by attackers with finite computing power. A common example is HMAC/SHA-256; the key is then the selection parameter, with a size large enough to thwart exhaustive search.

405 questions
38
votes
4 answers

What is difference between PRG, PRF, and PRP

Until what I have gotten is: A PRG is generator is a part of PRF that produces pseudo-random values for the function. PRF is semantically secure and has no worries of being invertible. Fine, then where is PRP used? What is PRP, where it comes to,…
Khunshan Ahmad
  • 397
  • 1
  • 3
  • 3
31
votes
6 answers

What is the practical impact of using System.Random which is not cryptographically random?

I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should…
learnerX
  • 667
  • 1
  • 8
  • 15
17
votes
3 answers

What is the difference between PRF and a Random Oracle?

What is the difference between Pseudo Random Functions and Random Oracles? Is the difference only about the domain of PRFs and Random Oracles, former having a fixed domain and latter can act on any input as long as it is well formatted? Having a…
Human
  • 281
  • 1
  • 5
16
votes
1 answer

Security of KDF1 and KDF2 (hash based KDF's)

It's still common to come across implementations of KDF1 and KDF2. Basically these are KDF's that simply derive multiple keys from the key seed and a counter: $K_i = \operatorname{KDF}(K_{master}, i) = \operatorname{H}(K_{master} | c)$ In this…
Maarten Bodewes
  • 88,868
  • 12
  • 146
  • 304
15
votes
3 answers

Expected entropy in $P(x)\oplus x$ for random $x$, where $P$ is a random permutation

Let $P$ be a random permutation of $n>1$ bits. Let $F$ be the function on the same domain $\{0,1\}^n$, defined by $F(x)=P(x)\oplus x$. When $P$ is a block cipher with key a message block, that's the Davies-Meyer construction of a one-way compression…
fgrieu
  • 131,696
  • 12
  • 284
  • 553
14
votes
1 answer

Is there a difference between PRF and a hash function?

Is there a difference between PRF and a hash function? For example: Creation of a secret key is using PRF and creating a secret key is using hash function.
user13342
  • 141
  • 1
  • 3
13
votes
3 answers

How to construct a good PRF from a block cipher?

We want to explicitly construct a good (as tentatively defined below) Pseudo-Random Function $F$ with $b$-bit input and output, from (preferably just) one Pseudo-Random Permutation $E$ of $b$-bit, as instantiated in practice by TDEA for $b=64$ or…
fgrieu
  • 131,696
  • 12
  • 284
  • 553
12
votes
1 answer

Cryptographic security of PHP mt_rand() function using Mersenne Twister algo

At StackOverflow, this question has been asked. It uses additional random entropy and a hash method (among others) to try and create a cryptographically secure pseudo-random number generator for PHP. PHP seems to use a Mersenne Twister algorithm…
Maarten Bodewes
  • 88,868
  • 12
  • 146
  • 304
12
votes
1 answer

Luby-Rackoff theorem confusion

The Luby-Rackoff theorem states that if a round function is a secure pseudorandom function (PRF) then 3 rounds are sufficient to make the block cipher a pseudorandom permutation (PRP). PRPs are invertible whereas PRFs are not. How come 3 rounds of a…
BlaX
  • 726
  • 6
  • 17
11
votes
1 answer

Does IND-CPA imply PRF?

It is well-known that a pseudorandom function (PRF) can be used to build a CPA-secure symmetric cryptosystem. My question: is PRF necessary for this, i.e., can one show something like "If there exists an IND-CPA scheme then there exist PRF?"
Martin Hofmann
  • 171
  • 1
  • 6
11
votes
1 answer

Which compression functions are PRFs?

In a 2006 paper Bellare showed that HMAC remains secure even if collision resistance for MD5/SHA-1 is broken as long they are still PRFs. The Wikipedia article on cryptographic hash functions mentions that In practice, collision resistance is…
Elias
  • 4,873
  • 1
  • 13
  • 30
11
votes
0 answers

What might be assumed about a PRF if the key has been chosen?

The defining feature of a PRF $f:\{0,1\}^k\times\{0,1\}^s\mapsto\{0,1\}^*$ is that, if the first parameter is selected at random, it should be indistinguishable from a function $g:\{0,1\}^s\mapsto\{0,1\}^*$ selected at random. But what if the key…
Henrick Hellström
  • 10,336
  • 1
  • 29
  • 56
10
votes
2 answers

Is 512 bits a more secure hashing than 256 bits?

I know that 512 bit hashing is more secure, but I don't really know why. I hope someone can help me to better understand it in more detail.
Hinton Zsh
  • 331
  • 2
  • 9
10
votes
1 answer

Is $F'_k(x) = F_k(x) \oplus k$ a pseudo random function?

Let $F_k$ be a pseudo random function. Is $F'_k(x) = F_k(x) \oplus k$ necessarily a pseudo random function? I think that it is a PRF, but I just can't find a reduction that works with it.
porcupine
  • 103
  • 5
10
votes
1 answer

Are there any authoritative definitions of "key stretching"?

This is mostly a terminology question, but I suppose that it is best asked and answered here. After browsing the Internet I have come across a fair number of completely different definitions of the term "key stretching" and would like to know if…
Henrick Hellström
  • 10,336
  • 1
  • 29
  • 56
1
2 3
26 27