According to Wikipedia, PRF is an abbreviation for Pseudorandom function family. But this answer says that PRF means Pseudorandom Function. Does that mean that a Pseudorandom Function is the same as a Pseudorandom function family? Or is the abbreviation PRF used inconsistently?
2 Answers
The word "family" can mean various things. For instance, you have the SHA-2 family of hash functions. In this case the algorithms are part of a family because they are based on the same hash construction.
However, in this case the "family" simply means that you have a PRF construction, say HMAC-SHA256. In that case the "family" is actually the set of all the possible HMAC-SHA256 functions that can be selected using the key.
In other words, say that you have a family of keyed hash functions called $H$ and a key $k_0$ consisting of $\{0\}^{256}$, then $H_{k_0}$ is the function chosen by $k_0$ from the family.
PRF is short for PseudoRandom Function. A single function $F:\{0,1\}^n\rightarrow \{0,1\}^n$ cannot be pseudorandom. Pseudorandomness asks that it is not feasible to distinguish an oracle for $F$ from an oracle for a truly random function $f:\{0,1\}^n\rightarrow \{0,1\}^n$ (meaning that $f(x)$ is uniformly distributed for every $x\in\{0,1\}$). This is very easy to distinguish for a single $F$: send $x$ to an oracle and check if the output is equal to $F(x)$. Since $f(x)$ is uniform, $f(x)=F(x)$ only with probability $2^{-n}$.
So whenever we speak of pseudorandom functions, we actually mean function families $\{F_k\}_{k\in\{0,1\}^\lambda}$. In the pseudorandom distinguishing game, the distinguisher is given an oracle to $F_k$ for a random unknown $k$. Since $F_k$ is now one of exponentially many functions, the "attack" outlined above for a single function does not work.
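The distinguishing game described in the second answer, as an added example that is not part of the original post. It takes plain SHA-256 as the single fixed function $F$ and HMAC-SHA256 (the family the first answer mentions) as the keyed family $\{F_k\}$; the 16-byte keys, the 200-trial estimate and the fixed query input are constructed choices for illustration. The "truly random function" $f$ is simulated lazily: each new input gets a fresh uniform 32-byte output. The same check-the-output strategy gives advantage 1 against the single function and advantage 0 against a family member under a secret key, because without $k$ the adversary can only guess.

```python
"""Why a single fixed function cannot be a PRF, while a keyed family can.

Added example for this Q&A page; constructed, not from the original answers.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict

Oracle = Callable[[bytes], bytes]
OUT_LEN = 32  # SHA-256 output length in bytes (the answer's n, in bytes)


def public_function(x: bytes) -> bytes:
    """A single, fixed, publicly known function F (here plain SHA-256)."""
    return hashlib.sha256(x).digest()


def keyed_family(k: bytes, x: bytes) -> bytes:
    """One member F_k of the HMAC-SHA256 family, selected by the key k."""
    return hmac.new(k, x, hashlib.sha256).digest()


def random_function_oracle() -> Oracle:
    """Lazily sampled truly random function f: every new input x gets a
    fresh uniform output, repeated inputs return the same value."""
    table: Dict[bytes, bytes] = {}

    def f(x: bytes) -> bytes:
        if x not in table:
            table[x] = secrets.token_bytes(OUT_LEN)
        return table[x]

    return f


def distinguisher_single(oracle: Oracle) -> int:
    """The attack from the answer: query one x and compare the oracle's
    reply with F(x), which anyone can compute because F is public."""
    x = b"any fixed input"  # constructed query
    return 1 if oracle(x) == public_function(x) else 0


def distinguisher_family(oracle: Oracle) -> int:
    """The same strategy against the family: the adversary does not know
    the secret k, so the best it can do here is guess a key and compare."""
    x = b"any fixed input"  # constructed query
    guessed_key = secrets.token_bytes(16)
    return 1 if oracle(x) == keyed_family(guessed_key, x) else 0


def advantage(distinguisher: Callable[[Oracle], int],
              make_real: Callable[[], Oracle],
              trials: int = 200) -> float:
    """Estimate Pr[D(real) = 1] - Pr[D(random) = 1] over independent trials,
    sampling a fresh real oracle and a fresh random function each time."""
    hits_real = sum(distinguisher(make_real()) for _ in range(trials))
    hits_rand = sum(distinguisher(random_function_oracle()) for _ in range(trials))
    return (hits_real - hits_rand) / trials


def single_function_advantage(trials: int = 200) -> float:
    """Single fixed F: the real oracle always matches, the random one matches
    only with probability 2^-256, so the advantage is essentially 1."""
    return advantage(distinguisher_single, lambda: public_function, trials)


def family_advantage(trials: int = 200) -> float:
    """Keyed family with a fresh secret 16-byte key per game, as in the PRF
    definition: the guessed key is wrong except with probability 2^-128, so
    the advantage of this strategy is essentially 0."""
    def fresh_member() -> Oracle:
        k = secrets.token_bytes(16)
        return lambda x: keyed_family(k, x)

    return advantage(distinguisher_family, fresh_member, trials)


if __name__ == "__main__":
    print("advantage against single fixed function:", single_function_advantage())
    print("advantage against keyed family:        ", family_advantage())
```

The point the numbers make is the one the answer makes in words: the security notion is only meaningful for the family, because the distinguisher is measured against an oracle whose key it was never given. Nothing here says HMAC-SHA256 is a PRF; the example only shows that the trivial attack that sinks any single public function does not apply once the function is chosen by a secret key.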