Questions tagged [pseudo-random-function]

A pseudo-random function (PRF) is a family of deterministic functions indexed by a parameter, such that a randomly selected instance is computationally indistinguishable from a uniformly random function with the same input and output spaces.

A pseudorandom function family is a finite set of deterministic functions that share the same given (finite) input and output spaces, indexed by a parameter which selects the exact function. Pseudorandomness is achieved if an instance of the family, obtained with a uniformly random selection of the index parameter, is computationally indistinguishable from a function selected at random and uniformly among the whole set of possible deterministic functions with the same input and output spaces.

PRF are most useful when they are efficiently computable. There is no theoretical guarantee that PRF can really exist, but many candidates are known, which cannot be distinguished from random functions with non-negligible probability by attackers with finite computing power. A common example is HMAC/SHA-256; the key is then the selection parameter, with a size large enough to thwart exhaustive search.

454 questions

votes

4 answers

What is difference between PRG, PRF, and PRP

Until what I have gotten is: A PRG is generator is a part of PRF that produces pseudo-random values for the function. PRF is semantically secure and has no worries of being invertible. Fine, then where is PRP used? What is PRP, where it comes to,…

pseudo-random-function pseudo-random-generator

asked Sep 23 '12 at 19:14

Khunshan Ahmad

votes

6 answers

What is the practical impact of using System.Random which is not cryptographically random?

I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should…

keys random-number-generator key-derivation randomness pseudo-random-function

asked Aug 29 '19 at 19:46

learnerX

votes

3 answers

What is the difference between PRF and a Random Oracle?

What is the difference between Pseudo Random Functions and Random Oracles? Is the difference only about the domain of PRFs and Random Oracles, former having a fixed domain and latter can act on any input as long as it is well formatted? Having a…

pseudo-random-function

asked Apr 03 '14 at 01:52

Human

votes

1 answer

Security of KDF1 and KDF2 (hash based KDF's)

It's still common to come across implementations of KDF1 and KDF2. Basically these are KDF's that simply derive multiple keys from the key seed and a counter: $K_i = \operatorname{KDF}(K_{master}, i) = \operatorname{H}(K_{master} | c)$ In this…

hash key-derivation pseudo-random-function kbkdf

asked Apr 19 '14 at 16:41

Maarten Bodewes

96,351
14
169
323

votes

3 answers

Expected entropy in $P(x)\oplus x$ for random $x$, where $P$ is a random permutation

Let $P$ be a random permutation of $n>1$ bits. Let $F$ be the function on the same domain $\{0,1\}^n$, defined by $F(x)=P(x)\oplus x$. When $P$ is a block cipher with key a message block, that's the Davies-Meyer construction of a one-way compression…

entropy pseudo-random-function pseudo-random-permutation

asked Jan 31 '17 at 10:21

fgrieu

149,326
13
324
622

votes

1 answer

Is there a difference between PRF and a hash function?

Is there a difference between PRF and a hash function? For example: Creation of a secret key is using PRF and creating a secret key is using hash function.

hash pseudo-random-function

asked May 01 '14 at 17:57

user13342

votes

5 answers

Does Grover's algorithm really threaten symmetric security proofs?

By Shannon's theorem of perfect security, if I give you a ciphertext 'LOUPL', you can do a brute-force attack and then you would find plaintexts like 'HELLO', 'APPLE', 'SPOON', but you can't distinguish the true plaintext from the fake one, unless…

post-quantum-cryptography pseudo-random-function chosen-ciphertext-attack information-theory indistinguishability

asked Oct 16 '23 at 22:38

Victor Espinoza

votes

3 answers

How to construct a good PRF from a block cipher?

We want to explicitly construct a good (as tentatively defined below) Pseudo-Random Function $F$ with $b$-bit input and output, from (preferably just) one Pseudo-Random Permutation $E$ of $b$-bit, as instantiated in practice by TDEA for $b=64$ or…

pseudo-random-function

asked Nov 21 '12 at 09:49

fgrieu

149,326
13
324
622

votes

1 answer

Luby-Rackoff theorem confusion

The Luby-Rackoff theorem states that if a round function is a secure pseudorandom function (PRF) then 3 rounds are sufficient to make the block cipher a pseudorandom permutation (PRP). PRPs are invertible whereas PRFs are not. How come 3 rounds of a…

pseudo-random-function pseudo-random-permutation feistel-network luby-rackoff

asked Aug 12 '14 at 23:06

BlaX

votes

2 answers

What is the sponge construction in simple terms?

I suggested to my client to use SHA3 instead of SHA2. I know that SHA3 is based on Keccak algorithm which won the NIST's competition. I want to explain the structure of sponge functions in very simple terms; does anybody have a simple explanation of…

hash pseudo-random-function sha-3 sha-2 sponge

asked Aug 06 '20 at 13:40

Sam Claro

votes

1 answer

Does IND-CPA imply PRF?

It is well-known that a pseudorandom function (PRF) can be used to build a CPA-secure symmetric cryptosystem. My question: is PRF necessary for this, i.e., can one show something like "If there exists an IND-CPA scheme then there exist PRF?"

pseudo-random-function chosen-plaintext-attack

asked Mar 31 '17 at 15:05

Martin Hofmann

votes

1 answer

Cryptographic security of PHP mt_rand() function using Mersenne Twister algo

At StackOverflow, this question has been asked. It uses additional random entropy and a hash method (among others) to try and create a cryptographically secure pseudo-random number generator for PHP. PHP seems to use a Mersenne Twister algorithm…

random-number-generator pseudo-random-function

asked Mar 31 '12 at 13:53

Maarten Bodewes

96,351
14
169
323

votes

2 answers

Is 512 bits a more secure hashing than 256 bits?

I know that 512 bit hashing is more secure, but I don't really know why. I hope someone can help me to better understand it in more detail.

encryption hash pseudo-random-function

asked Aug 02 '20 at 07:04

Hinton Zsh

votes

1 answer

Which compression functions are PRFs?

In a 2006 paper Bellare showed that HMAC remains secure even if collision resistance for MD5/SHA-1 is broken as long they are still PRFs. The Wikipedia article on cryptographic hash functions mentions that In practice, collision resistance is…

hmac pseudo-random-function compression-function

asked Mar 14 '17 at 15:13

Elias

4,933
1
16
32

votes

0 answers

What might be assumed about a PRF if the key has been chosen?

The defining feature of a PRF $f:\{0,1\}^k\times\{0,1\}^s\mapsto\{0,1\}^*$ is that, if the first parameter is selected at random, it should be indistinguishable from a function $g:\{0,1\}^s\mapsto\{0,1\}^*$ selected at random. But what if the key…

pseudo-random-function

asked Mar 28 '14 at 14:44

Henrick Hellström

10,556
1
32
59

2 3

…

30 31 Next