
Read the title. I've seen in RFCs that some MAC functions are called "pseudorandom functions". What are those? How are they different than hash functions? Why can't a hash function be used instead?

Melab

1 Answer


A hash function is a stateless "primitive" function: given an input of X, it always produces the same output Y, where Y is a fixed length. A cryptographically secure hash function has some additional requirements: given output Y = hash(X), it is hard to deduce input X; given output Y = hash(X1), it is hard to find output Y = hash(X2); and that it is hard to find hash(X1) = hash(X2).

Common random number generators that are used for statistical simulations are designed to produce a statistically even distribution of bits, and a hash function may be fine for this purpose. But a statistics simulator doesn't need to have the same security needs as a CSPRNG, as it isn't being used to generate cryptographic keys used to protect secrets. A cryptographically secure pseudorandom number generator (CSPRNG) needs to output bits that are unrelated to each other, so that given output bits 0-n, plus knowledge of all internal state used to produce those output bits, it is hard to determine bit n+1.

To achieve this level of unpredictability, a CSPRNG needs a source of unpredictability, called "entropy". Entropy is surprisingly difficult to come by inside a computer; as a computer is deterministic, it generally doesn't have an internal source of randomness. Sources of entropy are often based on unpredictable external analog data (thermal noise on a Zener diode, radioactive decay, nanosecond timing of human inputs, etc.). But the number of bits available is limited by the time required to collect them, so there is often not a large enough "quantity" of entropy to directly output the bits of entropy to all the clients who need random numbers.

To meet the higher demand of a modern computer system that needs lots of random numbers, the small quantity of entropy available is frequently expanded using a "cryptographic sponge" function. This is a complex algorithm built of primitive functions that are used to collect the available entropy (called "harvesting"), gather the bits in a pool, and then "stretch" the few bits in the pool into a larger quantity of relatively unpredictable bits. A hash function is at the core of many of the sponge functions and can be used to expand a relatively small number of bits into a larger number of unpredictable bits, but the sponge needs extra logic in order to manage the incoming bits, to produce the queue of output bits, and to refresh itself.

John Deters
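An added example, not part of the question or the answer above, that makes the PRF-versus-hash distinction concrete: a PRF (here HMAC-SHA256) takes a secret key, so its output looks random to anyone who lacks the key, while a plain hash of a public counter can be recomputed by everyone. The `HmacPool` class is a constructed toy that follows the harvest/pool/stretch/refresh shape the answer describes; it is for illustration only and not a replacement for the operating system's CSPRNG.

```python
import hashlib
import hmac


def prf(key: bytes, msg: bytes) -> bytes:
    """A PRF instance: HMAC-SHA256 under a secret key.

    Without the key, the output is indistinguishable from random bytes.
    The key is exactly what a bare hash function does not have."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def unkeyed_stream(nbytes: int) -> bytes:
    """Hash of a public counter. Deterministic and well distributed, but
    anyone can reproduce it, so it is useless as a secret random stream."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:nbytes]


class HmacPool:
    """Toy entropy pool (constructed for this example, not a real DRBG):
    harvested samples are absorbed into a 32-byte state with a hash,
    and output is stretched from that state with the PRF in counter mode."""

    def __init__(self) -> None:
        self.state = b"\x00" * 32   # pool key; hypothetical all-zero start
        self.counter = 0

    def harvest(self, sample: bytes) -> None:
        # Absorb: new state depends on every earlier sample plus this one.
        self.state = hashlib.sha256(self.state + sample).digest()

    def read(self, nbytes: int) -> bytes:
        # Stretch: each block is an independent PRF evaluation keyed by the pool.
        out = b""
        while len(out) < nbytes:
            out += prf(self.state, b"out" + self.counter.to_bytes(8, "big"))
            self.counter += 1
        # Refresh: derive a new key so the key that produced this output
        # is no longer held in memory (forward secrecy for past output).
        self.state = prf(self.state, b"refresh")
        return out[:nbytes]
```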