Pseudorandom function family

Last updated February 01, 2024

In cryptography, a pseudorandom function family, abbreviated PRF, is a collection of efficiently-computable functions which emulate a random oracle in the following way: no efficient algorithm can distinguish (with significant advantage) between a function chosen randomly from the PRF family and a random oracle (a function whose outputs are fixed completely at random). Pseudorandom functions are vital tools in the construction of cryptographic primitives, especially secure encryption schemes.

Pseudorandom functions are not to be confused with pseudorandom generators (PRGs). The guarantee of a PRG is that a single output appears random if the input was chosen at random. On the other hand, the guarantee of a PRF is that all its outputs appear random, regardless of how the corresponding inputs were chosen, as long as the function was drawn at random from the PRF family.

A pseudorandom function family can be constructed from any pseudorandom generator, using, for example, the "GGM" construction given by Goldreich, Goldwasser, and Micali.^[1] While in practice, block ciphers are used in most instances where a pseudorandom function is needed, they do not, in general, constitute a pseudorandom function family, as block ciphers such as AES are defined for only limited numbers of input and key sizes.^[2]

Motivations from random functions

A PRF is an efficient (i.e. computable in polynomial time), deterministic function that maps two distinct sets (domain and range) and looks like a truly random function.

Essentially, a truly random function would just be composed of a lookup table filled with uniformly distributed random entries. However, in practice, a PRF is given an input string in the domain and a hidden random seed and runs multiple times with the same input string and seed, always returning the same value. Nonetheless, given an arbitrary input string, the output looks random if the seed is taken from a uniform distribution.

A PRF is considered to be good if its behavior is indistinguishable from a truly random function. Therefore, given an output from either the truly random function or a PRF, there should be no efficient method to correctly determine whether the output was produced by the truly random function or the PRF.

Formal definition

Pseudorandom functions take inputs $x\in \{0,1\}^{*}$ . Both the input size $I=|x|$ and output size $\lambda$ depend only on the index size $n:=|s|$ .

A family of functions,

$f_{s}:\left\{0,1\right\}^{I(n)}\rightarrow \left\{0,1\right\}^{\lambda (n)}$

is pseudorandom if the following conditions are satisfied:

There exists a polynomial-time algorithm that computes $f_{s}(x)$ given any $s$ and $x$ .
Let $F_{n}$ be the distribution of functions $f_{s}$ where $s$ is uniformly distributed over $\{0,1\}^{n}$ , and let $RF_{n}$ denote the uniform distribution over the set of all functions from $\{0,1\}^{I(n)}$ to $\{0,1\}^{\lambda (n)}$ . Then we require $F_{n}$ and $RF_{n}$ are computationally indistinguishable, where n is the security parameter. That is, for any adversary that can query the oracle of a function sampled from either $F_{n}$ or $RF_{n}$ , the advantage that she can tell apart which kind of oracle is given to her is negligible in $n$ .^[3]

Oblivious pseudorandom functions

In an oblivious pseudorandom function, abbreviated OPRF, information is concealed from two parties that are involved in a PRF.^[4] That is, if Alice cryptographically hashes her secret value, cryptographically blinds the hash to produce the message she sends to Bob, and Bob mixes in his secret value and gives the result back to Alice, who unblinds it to get the final output, Bob is not able to see either Alice's secret value or the final output, and Alice is not able to see Bob's secret input, but Alice sees the final output which is a PRF of the two inputs -- a PRF of Alice's secret and Bob's secret.^[5] This enables transactions of sensitive cryptographic information to be secure even between untrusted parties.

An OPRF is used in some implementations of password-authenticated key agreement.^[5]

An OPRF is used in the Password Monitor functionality in Microsoft Edge.^[6]

See the main article on Oblivious Pseudorandom Functions.

Application

PRFs can be used for:^[7]

dynamic perfect hashing; even if the adversary can change the key-distribution depending on the values the hashing function has assigned to the previous keys, the adversary can not force collisions.
Constructing deterministic, memoryless authentication schemes (message authentication code based) which are provably secure against chosen message attack.
Distributing unforgeable ID numbers, which can be locally verified by stations that contain only a small amount of storage.
Constructing identification friend or foe systems.

Notes

↑ Goldreich, Oded; Goldwasser, Shafi; Micali, Silvio (October 1986). "How to Construct Random Functions" (PDF). Journal of the ACM . 33 (4): 792–807. doi: 10.1145/6490.6503 . web page and preprint
↑ Lindell, Yehuda; Katz, Jonathan (2008). Introduction to Modern Cryptography. Chapman & Hall/CRC. p. 88. ISBN 978-1-58488-551-1.
↑ Goldreich's FoC, vol. 1, def. 3.6.4. Pass's notes, def. 96.2
↑ M. Bellare; S. Keelveedhi; T. Ristenpart (August 2013). Dupless: server-aided encryption for deduplicated storage (PDF). Proceedings of the 22nd USENIX Security Symposium. Washington, DC, USA: USENIX Association. pp. 1–16.
1 2 Matthew Green. "Let’s talk about PAKE". 2018.
↑ Lauter, Kristin; Kannepalli, Sreekanth; Laine, Kim; Cruz Moreno, Radames (January 1, 2021). "Password Monitor: Safeguarding passwords in Microsoft Edge". Microsoft Research Blog. Retrieved January 1, 2021.
↑ Goldreich, O.; Goldwasser, S.; Micali, S. (1985). "On the Cryptographic Applications of Random Functions (Extended Abstract)". Advances in Cryptology. Lecture Notes in Computer Science. Vol. 196. p. 276. doi:10.1007/3-540-39568-7_22. ISBN 978-3-540-15658-1.

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG), is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers. The PRNG-generated sequence is not truly random, because it is completely determined by an initial value, called the PRNG's seed. Although sequences that are closer to truly random can be generated using hardware random number generators, pseudorandom number generators are important in practice for their speed in number generation and their reproducibility.

A cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG) is a pseudorandom number generator (PRNG) with properties that make it suitable for use in cryptography. It is also loosely known as a cryptographic random number generator (CRNG).

In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, specifically the theory of polynomial time problems. Not being one-to-one is not considered sufficient for a function to be called one-way.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

In cryptography, a random oracle is an oracle that responds to every unique query with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time that query is submitted.

In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the ciphertext of a certain message $, and the message's length, cannot determine any partial information on the message with probability non-negligibly higher than all other PPTA's that only have access to the message length. This concept is the computational complexity analogue to Shannon's concept of perfect secrecy. Perfect secrecy means that the ciphertext reveals no information at all about the plaintext, whereas semantic security implies that any information revealed cannot be feasibly extracted.$

In cryptography, a hard-core predicate of a one-way function f is a predicate b which is easy to compute but is hard to compute given f(x). In formal terms, there is no probabilistic polynomial-time (PPT) algorithm that computes b(x) from f(x) with probability significantly greater than one half over random choice of x. In other words, if x is drawn uniformly at random, then given f(x), any PPT adversary can only distinguish the hard-core bit b(x) and a uniformly random bit with negligible advantage over the length of x.

In computational complexity and cryptography, two families of distributions are computationally indistinguishable if no efficient algorithm can tell the difference between them except with negligible probability.

In cryptography, PBKDF1 and PBKDF2 are key derivation functions with a sliding computational cost, used to reduce vulnerability to brute-force attacks.

In theoretical computer science and cryptography, a pseudorandom generator (PRG) for a class of statistical tests is a deterministic procedure that maps a random seed to a longer pseudorandom string such that no statistical test in the class can distinguish between the output of the generator and the uniform distribution. The random seed itself is typically a short binary string drawn from the uniform distribution.

In cryptography, a verifiable random function (VRF) is a public-key pseudorandom function that provides proofs that its outputs were calculated correctly. The owner of the secret key can compute the function value as well as an associated proof for any input value. Everyone else, using the proof and the associated public key, can check that this value was indeed calculated correctly, yet this information cannot be used to find the secret key.

In cryptography, a pseudorandom permutation (PRP) is a function that cannot be distinguished from a random permutation (that is, a permutation selected at random with uniform probability, from the family of all permutations on the function's domain) with practical effort.

A randomness extractor, often simply called an "extractor", is a function, which being applied to output from a weak entropy source, together with a short, uniformly random seed, generates a highly random output that appears independent from the source and uniformly distributed. Examples of weakly random sources include radioactive decay or thermal noise; the only restriction on possible sources is that there is no way they can be fully controlled, calculated or predicted, and that a lower bound on their entropy rate can be established. For a given source, a randomness extractor can even be considered to be a true random number generator (TRNG); but there is no single extractor that has been proven to produce truly random output from any type of weakly random source.

In cryptography, SWIFFT is a collection of provably secure hash functions. It is based on the concept of the fast Fourier transform (FFT). SWIFFT is not the first hash function based on FFT, but it sets itself apart by providing a mathematical proof of its security. It also uses the LLL basis reduction algorithm. It can be shown that finding collisions in SWIFFT is at least as difficult as finding short vectors in cyclic/ideal lattices in the worst case. By giving a security reduction to the worst-case scenario of a difficult mathematical problem, SWIFFT gives a much stronger security guarantee than most other cryptographic hash functions.

Verifiable computing enables a computer to offload the computation of some function, to other perhaps untrusted clients, while maintaining verifiable results. The other clients evaluate the function and return the result with a proof that the computation of the function was carried out correctly. The introduction of this notion came as a result of the increasingly common phenomenon of "outsourcing" computation to untrusted users in projects such as SETI@home and also to the growing desire to enable computationally-weak devices to outsource computational tasks to a more powerful computation service, as in cloud computing. The concept dates back to work by Babai et al., and has been studied under various terms, including "checking computations", "delegating computations", "certified computation", and verifiable computing. The term verifiable computing itself was formalized by Rosario Gennaro, Craig Gentry, and Bryan Parno, and echoes Micali's "certified computation".

<span class="mw-page-title-main">Sponge function</span> Theory of cryptography

In cryptography, a sponge function or sponge construction is any of a class of algorithms with finite internal state that take an input bit stream of any length and produce an output bit stream of any desired length. Sponge functions have both theoretical and practical uses. They can be used to model or implement many cryptographic primitives, including cryptographic hashes, message authentication codes, mask generation functions, stream ciphers, pseudo-random number generators, and authenticated encryption.

Garbled circuit is a cryptographic protocol that enables two-party secure computation in which two mistrusting parties can jointly evaluate a function over their private inputs without the presence of a trusted third party. In the garbled circuit protocol, the function has to be described as a Boolean circuit.

In cryptography, black-box obfuscation was a proposed cryptographic primitive which would allow a computer program to be obfuscated in a way such that it was impossible to determine anything about it except its input and output behavior. Black-box obfuscation has been proven to be impossible, even in principle.

An Oblivious Pseudorandom Function (OPRF) is a cryptographic function, similar to a keyed-hash function, but with the distinction that an OPRF is cooperatively computed by two parties.

References

Goldreich, Oded (2001). Foundations of Cryptography: Basic Tools. Cambridge: Cambridge University Press. ISBN 978-0-511-54689-1.
Pass, Rafael, A Course in Cryptography (PDF), retrieved 22 December 2015

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Goldreich, Oded; Goldwasser, Shafi; Micali, Silvio (October 1986). "How to Construct Random Functions" (PDF). Journal of the ACM . 33 (4): 792–807. doi: 10.1145/6490.6503 . web page and preprint

[intromodern-2] Lindell, Yehuda; Katz, Jonathan (2008). Introduction to Modern Cryptography. Chapman & Hall/CRC. p. 88. ISBN 978-1-58488-551-1.

[3] Goldreich's FoC, vol. 1, def. 3.6.4. Pass's notes, def. 96.2

[4] M. Bellare; S. Keelveedhi; T. Ristenpart (August 2013). Dupless: server-aided encryption for deduplicated storage (PDF). Proceedings of the 22nd USENIX Security Symposium. Washington, DC, USA: USENIX Association. pp. 1–16.

[mgreen-5] 1 2 Matthew Green. "Let’s talk about PAKE". 2018.

[6] Lauter, Kristin; Kannepalli, Sreekanth; Laine, Kim; Cruz Moreno, Radames (January 1, 2021). "Password Monitor: Safeguarding passwords in Microsoft Edge". Microsoft Research Blog. Retrieved January 1, 2021.

[7] Goldreich, O.; Goldwasser, S.; Micali, S. (1985). "On the Cryptographic Applications of Random Functions (Extended Abstract)". Advances in Cryptology. Lecture Notes in Computer Science. Vol. 196. p. 276. doi:10.1007/3-540-39568-7_22. ISBN 978-3-540-15658-1.

[1]

[2]

[3]

[4]

[5]

[6]

[7]