Stay organized with collections
Save and categorize content based on your preferences.
The Pseudo-Random Function (PRF) primitive lets you produce stable, arbitrary
length, pseudo-random outputs for a given input.
Since Tink operates on keysets, this primitive exposes a
corresponding set of PRFs instead of a single PRF. The PRFs are indexed by a 32
bit key ID. This can be used to rotate the key used to redact a piece of
information, without losing the previous association.
PRF has the following properties:
Deterministic:
Computing a PRF for a given input will always produce the same output.
Randomness:
The output of a PRF is indistinguishable from random bytes.
Choose a key type
We recommend using HMAC_SHA256_PRF for most uses, but there are other
options as well.
In general, the following holds true:
HMAC_SHA512_PRF may or may not be faster depending on your input size and
the specifics of the hardware you use.
HMAC_SHA512_PRF is the most conservative mode that can be used for
practically unlimited number of messages.
AES_CMAC_PRF is fastest on systems that support the AES-NI hardware
acceleration.
Minimal security guarantees
Without knowledge of the key, the PRF is indistinguishable from a random
function
At least 128-bit security, also in multi-user scenarios (when an attacker is
not targeting a specific key, but any key from a set of up to 232
keys)
At least 16 bytes of output available
Example use cases
Use cases for PRF include deterministic redaction of personally identifiable
information (PII), keyed hash functions, and creating sub-IDs that don't allow
joining with the original dataset without knowing the key.
While PRFs can be used in order to prove authenticity of a message, using the
MAC primitive is recommended for that use case, as it has support for
verification, avoiding the security problems that often happen during
verification, and having automatic support for key rotation. It also allows for
non-deterministic algorithms.
[null,null,["Last updated 2024-11-14 UTC."],[[["\u003cp\u003eTink's PRF primitive provides stable, pseudo-random outputs for given inputs, enabling deterministic redaction and keyed hashing functionalities.\u003c/p\u003e\n"],["\u003cp\u003ePRFs in Tink are indexed by key IDs within keysets, allowing for key rotation without association loss.\u003c/p\u003e\n"],["\u003cp\u003eWhile offering strong security, PRFs are deterministic and do not guarantee anonymity, only pseudonymity, requiring careful application in privacy-sensitive systems.\u003c/p\u003e\n"],["\u003cp\u003eTink supports various PRF key types, with HMAC_SHA256_PRF recommended for most use cases and AES_CMAC_PRF potentially offering the best performance on hardware with AES-NI acceleration.\u003c/p\u003e\n"],["\u003cp\u003ePRFs provide a minimum of 128-bit security, even in multi-user environments with large key sets, and can generate at least 16 bytes of output.\u003c/p\u003e\n"]]],["Pseudo-Random Function (PRF) produces stable, pseudo-random outputs for a given input, managed via keysets indexed by a 32-bit key ID for rotation. Key properties include deterministic output and randomness. `HMAC_SHA256_PRF` is recommended, with alternatives like `HMAC_SHA512_PRF` and `AES_CMAC_PRF`. PRF provides pseudonymity, not anonymity, and is secure with at least 128-bit security. Use cases include deterministic PII redaction and creating non-joinable sub-IDs. MAC is recommended for proving authenticity.\n"],null,["# Pseudo-Random Function (PRF)\n\nThe Pseudo-Random Function (PRF) primitive lets you produce stable, arbitrary\nlength, pseudo-random outputs for a given input.\n\nSince Tink operates on [keysets](/tink/design/keysets), this primitive exposes a\ncorresponding set of PRFs instead of a single PRF. The PRFs are indexed by a 32\nbit key ID. This can be used to rotate the key used to redact a piece of\ninformation, without losing the previous association.\n\nPRF has the following properties:\n\n- **Deterministic**: Computing a PRF for a given input will always produce the same output.\n- **Randomness**: The output of a PRF is indistinguishable from random bytes.\n\n| **Caution:** Since PRFs operate deterministically on their input, using a PRF to redact will *not* provide anonymity, but only provide pseudonymity. It can be an important tool to build privacy-aware systems, but has to be used carefully.\n\nChoose a key type\n-----------------\n\nWe recommend using **`HMAC_SHA256_PRF`** for most uses, but there are other\noptions as well.\n\nIn general, the following holds true:\n\n- `HMAC_SHA512_PRF` may or may not be faster depending on your input size and the specifics of the hardware you use.\n- `HMAC_SHA512_PRF` is the most conservative mode that can be used for practically unlimited number of messages.\n- `AES_CMAC_PRF` is fastest on systems that support the [AES-NI](https://www.intel.com/content/www/us/en/developer/articles/technical/advanced-encryption-standard-instructions-aes-ni.html) hardware acceleration.\n\n| **Caution:** While `HMAC_SHA256_PRF`, `HMAC_SHA512_PRF`, and `HKDF_SHA256` behave like a cryptographically secure hash function if the key is revealed, and still provide some protection against revealing the input, `AES_CMAC_PRF` is only secure as long as the key is secure.\n\nMinimal security guarantees\n---------------------------\n\n- Without knowledge of the key, the PRF is indistinguishable from a random function\n- At least 128-bit security, also in multi-user scenarios (when an attacker is not targeting a specific key, but any key from a set of up to 2^32^ keys)\n- At least 16 bytes of output available\n\nExample use cases\n-----------------\n\nUse cases for PRF include deterministic redaction of personally identifiable\ninformation (PII), keyed hash functions, and creating sub-IDs that don't allow\njoining with the original dataset without knowing the key.\n\nWhile PRFs can be used in order to prove authenticity of a message, using the\n[MAC primitive](/tink/mac) is recommended for that use case, as it has support for\nverification, avoiding the security problems that often happen during\nverification, and having automatic support for key rotation. It also allows for\nnon-deterministic algorithms."]]
