Suppose Alice wishes to authenticate herself to Bob, by proving she knows a secret that they share. With PRNG’s they could proceed as follows. They both seed a PRNG with the shared secret. Bob picks sends Alice some random number $i$, and Alice proves she knows the share secret by responding with the $i$th random number generated by the PRNG.

But this solution requires state, and they both have to compute $i$ random numbers. Instead, we would like "random access" to the sequence. This is the intuition behind pseudo-random functions: Bob gives alice some random $i$, and Alice returns $F_K(i)$, where $F_K(i)$ is indistinguishable from a random function, that is, given any $x_1,...,x_m,F_K(x_1),...,F_K(x_m)$, no adversary can predict $F_K(x_{m+1})$ for any $x_{m+1}$

Definition: a function $f:\{0,1\}^n \times \{0,1\}^s\rightarrow\{0,1\}^m$ is a $(t,\epsilon,q)$-PRF if

  • Given a key $K\in\{0,1\}^s$ and an input $X\in\{0,1\}^n$ there is an "efficient" algorithm to compute $F_K(X) = F(X, K)$.

  • For any $t$-time oracle algorithm $A$, we have

\[ |Pr_{K\leftarrow\{0,1\}^s}[A^{f_K}] - Pr_{f\in\mathcal{F}}[A^f]| \lt \epsilon \]

where $\mathcal{F} = \{f:\{0,1\}^n\rightarrow\{0,1\}^m\}$ and $A$ makes at most $q$ queries to the oracle.

PRF’s can also be used for symmetric encryption: pick random $R$, then output $E_K(M) = \langle F_K(R) \oplus M, R\rangle$ (roughly speaking, if $F$ is a PRF, then $E$ is semantically secure). They are also can be used as MAC’s: $MAC_K(M) = F_K(M)$.


PRNG’s can be used to construct PRF’s [GGM’84]. Let $G:\{0,1\}^s\rightarrow\{0,1\}^{2s}$ be a PRNG. Define $G_0,G_1$ to be the left and right halves of $G$, so that $G(X)=G_0(X)||G_1(X)$. For any $K \in \{0,1\}^s$, define $F_K:\{0,1\}^n\rightarrow\{0,1\}^s$ by

\[F_K(x_1...x_n) = G_{x_n}(G_{x_{n-1}}(...(G_{x_2}(G_{x_1}(K))...))\]

Theorem: If $G$ is a $(t,\epsilon)$-PRNG then $F$ is a $(t-cn,\epsilon q n,q)$-PRF for some constant $c$.

A Number Theoretic PRF

It is possible to construct a PRF based on the DDH assumption [NR’96]. Let $G$ be a cyclic group of prime order $q$ generated by $g$. Then a key has the form $\bar{K} = (K_0,...,K_n)\in\mathbb{Z}_q^{n+1}$, and for $X \in \{0,1\}^n$, define

\[F_K(X)=F_K(x_1 ... x_n) = g^{K_0 \prod_{i=1}^n K_i^{x_i}} \]

The running time is roughly two exponentiations.

Theorem: If $G$ satisfies the $(t,\epsilon)$-DDH assumption then $F$ is a $(t-cn,\epsilon Q n,Q)$-PRF for some constant $c$.

A Parallel PRF

The following construction [NR’95] can be evaluated efficiently in parallel. The seed is $[a_{1,0}, a_{1,1},...,a_{n,0},a_{n,1} \in \{0,1\}^s]$. Then to compute $F^{NR}(x_1 ... x_n)$, start with $a_{1,x_1} a_{2,x_2} ... a_{n,x_n}$, and squish pairs of strings together using $S : \{0,1\}^s \times \{0,1\}^s \rightarrow \{0,1\}^s$. Then take the $n/2$ outputs and squish them in pairs again. Then repeat the process until there is one string in $\{0,1\}^s$ left.

When $S$ is a synthesizer, $F^NR$ is a PRF. It turns out trapdoor permutations imply synthesizers. An open problem is to construct a parallel PRF from one-way permutations.

PRF’s as MAC’s

Recall a MAC is a pair of algorithms $(MAC, MAC-verify)$ such that

  • $MAC_K(M) : \{0,1\}^m \times \{0,1\}^s \rightarrow \{0,1\}^T$ is an "efficient" algorithm, where the tag length $T \ll n$.

  • $MAC-verify(M,T,K)$ is an "efficient" predicate.

The $MAC$ algorithm may be randomized.

Security: A MAC is $(t,\epsilon,q)$-secure if no $t$-time algorithm can succeed with probability more than $\epsilon$ in existentially forging a MAC with a $q$-chosen message attack. In more detail, consider the following game:

  1. The challenger picks a random $K \leftarrow \{0,1\}^s$.

  2. The adversary asks for the MACs of messages $M_i$ for $1\le i \le q$.

  3. The adversary sends $\langle M, T \rangle$ where $M \ne M_i$ for any $1 \le i \le q$ and wins if $MAC-verify(M,T,K)$ is true.

The MAC is $(t,\epsilon,q)$-secure if for all $t$-time adversaries $A$ we have $Pr[A wins] \lt \epsilon$.

It is easily seen that if $F$ is a $(t,\epsilon,q)$-PRF then $F$ is also a $(t,\epsilon + 1/2^T,q)$-MAC.

Thus PRF’s imply (deterministic) MAC’s, but the converse is not true. For example, if $F$ is a $(t,\epsilon,q)$-PRF then $MAC_K(M) = F_K(M)||1$ is a $(t,\epsilon+1/2^T,q)$-MAC but not a PRF. In some sense, PRF’s are overkill for MAC’s. This motivates the following definition.

Unpredictable Functions

A function $f:\{0,1\}^n \times \{0,1\}^s \rightarrow \{0,1\}^T$ is a $(t,\epsilon,q)$-unpredictable function if

  1. Given $K \in \{0,1\}^s$, $f_K(x)$ can be "efficiently" computed.

  2. For all $t$-time algorithms $A$ that make at most $q$ queries to $f$,

\[ Pr_{K\leftarrow\{0,1\}^s}[A^{f_K} = (M,Tag), f_K(M) = Tag] \lt \epsilon \]

where $A$ did not query the oracle at $M$.

Every PRF is an UF, but not conversely. However, PRF’s can be constructed from UF’s via the Goldreich-Levin method: $F'_{K,R} = \langle F_K(X), R\rangle \in \{0,1\}$.

Enlarging the domain of PRF’s

Recall that CBC-F for a keyed function $F$ on a message $M$ is defined as follows. Break $M$ into blocks $M_i$. Then

\[ CBC-F(M) = F_K(...F_K(F_K(F_K(M_1) \oplus M_2) \oplus M_3) ...) \]

*Theorem: *[BRK’92] (Security of CBC-MAC)

Let $F:\{0,1\}^n \times \{0,1\}^s \rightarrow \{0,1\}^T$ be a $(t,\epsilon,q)$-PRF. Then $CBC-F(M_1,...,M_b)$ is a $(t,\epsilon+q^2 b^2 / 2^{n-1} ,q/b)$-PRF.

Intuitively, CBC-F is secure if $b \ll 2^{n/2}/q$. For larger $b$ there is a known attack (birthday attack).

Enlarging the domain of UF’s

We present three methods for doing this.

Theorem 1: Let $F:\{0,1\}^n\times\{0,1\}^s\rightarrow\{0,1\}^T$ be a $(t,\epsilon,q)$-UF, and let $H:\{0,1\}^*\rightarrow\{0,1\}^n$ be a collision-resistant hash function. Then

\[ HMAC_K(M) = F_K(H(M)) \]

is a $(t,\epsilon,q)$-UF.

Theorem 2: Let $f:\{0,1\}^n\times\{0,1\}^s\rightarrow\{0,1\}^T$ be a $(t,\epsilon,q)$-PRF, and let $H=\{h_K:\{0,1\}^N\rightarrow\{0,1\}^n$ be a family of hash functions such that for all $x\ne y \in \{0,1\}^N$, we have $Pr_{h\leftarrow H}[h(x) = h(y)] \lt \epsilon'$. Then

\[ HF_{K_1,K_2}(M) = f_{K_1}(h_{K_2}(M)) \]

is a $(t,\epsilon+\epsilon',q)$-MAC.

Theorem 3: Let $f:\{0,1\}^n\times\{0,1\}^s\rightarrow\{0,1\}^T$ be a $(t,\epsilon,q)$-PRF, and let $H=\{h_K:\{0,1\}^N\rightarrow\{0,1\}^n$ be a family of hash functions such that for all $x, y \in \{0,1\}^N$ and for all $r \in {0,1}^T$, we have $Pr_{h\leftarrow H}[h(x) \oplus h(y) = r] \lt \epsilon'$. Then

\[ CWH_{K_1,K_2}(M) = [h_{K_2}(M) \oplus f_{K_1}(R), R], R\leftarrow\{0,1\}^n \]

is a $(t,\epsilon+\epsilon',q)$-MAC.

Note the last theorem involves a nondeterministic MAC. In short, for a secure MAC, we can do PRF(UHF), or UF(CRHF) (so weaken the requirements on one function but strengthen the requirements on the other), or [UHF(M) $\oplus$ PRF®, R].