Pseudo-Random Function (PRF)

The Pseudo-Random Function (PRF) primitive lets you produce stable, arbitrary length, pseudo-random outputs for a given input.

Since Tink operates on keysets, this primitive exposes a corresponding set of PRFs instead of a single PRF. The PRFs are indexed by a 32 bit key ID. This can be used to rotate the key used to redact a piece of information, without losing the previous association.

PRF has the following properties:

  • Deterministic: Computing a PRF for a given input will always produce the same output.
  • Randomness: The output of a PRF is indistinguishable from random bytes.

Choose a key type

We recommend using HMAC_SHA256_PRF for most uses, but there are other options as well.

In general, the following holds true:

  • HMAC_SHA512_PRF may or may not be faster depending on your input size and the specifics of the hardware you use.
  • HMAC_SHA512_PRF is the most conservative mode that can be used for practically unlimited number of messages.
  • AES_CMAC_PRF is fastest on systems that support the AES-NI hardware acceleration.

Minimal security guarantees

  • Without knowledge of the key, the PRF is indistinguishable from a random function
  • At least 128-bit security, also in multi-user scenarios (when an attacker is not targeting a specific key, but any key from a set of up to 232 keys)
  • At least 16 bytes of output available

Example use cases

Use cases for PRF include deterministic redaction of personally identifiable information (PII), keyed hash functions, and creating sub-IDs that don't allow joining with the original dataset without knowing the key.

While PRFs can be used in order to prove authenticity of a message, using the MAC primitive is recommended for that use case, as it has support for verification, avoiding the security problems that often happen during verification, and having automatic support for key rotation. It also allows for non-deterministic algorithms.