Questions tagged [pseudo-random-function]

A pseudo-random function (PRF) is a family of deterministic functions indexed by a parameter, such that a randomly selected instance is computationally indistinguishable from a uniformly random function with the same input and output spaces.

A pseudorandom function family is a finite set of deterministic functions that share the same given (finite) input and output spaces, indexed by a parameter which selects the exact function. Pseudorandomness is achieved if an instance of the family, obtained with a uniformly random selection of the index parameter, is computationally indistinguishable from a function selected at random and uniformly among the whole set of possible deterministic functions with the same input and output spaces.

PRFs are most useful when they are efficiently computable. There is no theoretical guarantee that PRFs actually exist, but many candidates are known that cannot be distinguished from random functions with non-negligible probability by attackers with finite computing power. A common example is HMAC/SHA-256; the key is then the selection parameter, with a size large enough to thwart exhaustive search.

431 questions
19 votes, 3 answers

What is the difference between PRF and a Random Oracle?

What is the difference between Pseudo Random Functions and Random Oracles? Is the difference only about the domain of PRFs and Random Oracles, the former having a fixed domain, while the latter can act on any input as long as it is well formatted? Having a…
Human
13 votes, 3 answers

How to construct a good PRF from a block cipher?

We want to explicitly construct a good (as tentatively defined below) Pseudo-Random Function $F$ with $b$-bit input and output, from (preferably just) one Pseudo-Random Permutation $E$ of $b$-bit, as instantiated in practice by TDEA for $b=64$ or…
fgrieu
11 votes, 0 answers

What might be assumed about a PRF if the key has been chosen?

The defining feature of a PRF $f:\{0,1\}^k\times\{0,1\}^s\mapsto\{0,1\}^*$ is that, if the first parameter is selected at random, it should be indistinguishable from a function $g:\{0,1\}^s\mapsto\{0,1\}^*$ selected at random. But what if the key…
Henrick Hellström
9 votes, 4 answers

How can I prove that a function F isn't a pseudo random function?

Let $F$ be a length-preserving pseudorandom function. For the following constructions of a keyed function $F' : \{0, 1\}^n \times \{0, 1\}^{n-1} \to \{0, 1\}^{2n}$, state whether $F'$ is a pseudorandom function. If yes, prove it; if not, show an…
thinker.92
8 votes, 2 answers

Why is this function pseudo random (PRF)?

First, I want to clarify this is not homework. I encountered this question (here How can I prove that a function F isn't a pseudo random function?) while studying for a test coming soon. $F'_k(x) = F_k(0||x) || F_k(1||x)$ $F'_k(x) = F_k(0||x) ||…
giselle
6 votes, 2 answers

Proving the existence of a pseudorandom function

I've been reading the Introduction to Modern Cryptography book by Katz and Lindell as part of my own learning and have come across this exercise which I am not sure how to approach. The exercise is: (exercise 3.8) Prove unconditionally the…
Alex
5 votes, 2 answers

Are there any industry standards for PRFs?

I mean something like a NIST, ISO, FIPS or similar standard which defines a construction for a PRF.
Elias
5 votes, 2 answers

Show that G is not a PRF

I'm trying to do the following assignment: Let $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a PRF. Define function family $G : \{0,1\}^k \times \{0,1\}^{n-1} \to \{0,1\}^{2n}$, for all $x \in \{0,1\}^{n-1}$,…
Buff
4 votes, 1 answer

Are these functions secure PRFs?

Let $F:\{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^n$ be a secure PRF (i.e. a PRF where the key space, input space, and output space are all $\{0,1\}^n$) and say $n=128$. My assignment is to show that the function $F'(k,x) = F(k,x)$ when $x \ne…
4 votes, 2 answers

Construct PRF with longer output from existing PRF

Assume we have a secure PRF $F$ which takes a key of length $k$, a message of length $l$, and outputs an output of length $o$. The task is to construct a secure PRF $G$ which takes the same input parameters, but outputs an output of length $2 \cdot…
el-flor
4 votes, 2 answers

Is $F(x) =Ax+b$ a pseudorandom function or not?

Consider the following keyed function $F$: For security parameter $n$, the key is an $n\times n$ boolean matrix $A$ and an $n$-bit boolean vector $b$. Define $F_{A,b} : \{0, 1\}^n \to \{0, 1\}^n$ by $F_{A,b}(x) = Ax + b$, where all operations are done…
zack h
4 votes, 2 answers

secure PRF or not

I am new to cryptography and I saw this question in a note. I solved it, but I'm not sure about my answers. Let $F : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}^n$ be a secure PRF (i.e. a PRF where the key space, input space, and output space are all $\{0,…
Kiriptogeraaf
4 votes, 2 answers

Is pseudorandom function also a one-way function?

Can I assume this? Specifically, I want to know if the following two cases are valid. Suppose $prf_k(m)=c$ One-wayness: Only given $c$, we cannot reveal $m$. Without key $k$, even given $m$, cannot get $c$. They seem intuitive, but I want to be…
cryptodog
3 votes, 1 answer

Why is it not ideal to rely on interactive assumption to build PRF?

I understood the meaning of interactive assumption from "What is the notion of an interactive assumption?". However, I am not sure why there exists a research field of constructing PRFs from standard assumptions. What is the advantage of standard…
mallea
3 votes, 2 answers

Building adversary to show a PRF is not secure

Let $F(k,x)$ be a secure PRF over $(\mathcal{K},\mathcal{X},\mathcal{Y})$ where $\mathcal{K} = \mathcal{X} = \mathcal{Y} = \{0,1\}^n$. Let $F'(k, x) = F(F(k, 0^n), x) \; \Vert \; F(k, x)$. $a \; \Vert \; b$ means $a$ concatenated to $b$. How can I…
Daniel