1 // Copyright 2020 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 // 15 //////////////////////////////////////////////////////////////////////////////// 16 17 package com.google.crypto.tink.prf; 18 19 import com.google.errorprone.annotations.Immutable; 20 import java.security.GeneralSecurityException; 21 22 /** 23 * The Prf interface is an abstraction for an element of a pseudo random function family, selected 24 * by a key. 25 * 26 * <p>It has the following properties: 27 * 28 * <ul> 29 * <li>It is deterministic: {@link #compute(byte[], int)} will always return the same 30 * output if the same key is used. {@code compute(input, length1)} will be a prefix of {@code 31 * compute(input, length2)} if {@code length1 < length2} and the same key is used. 32 * <li>It is indistinguishable from a random function: Given the evaluation of n different inputs, 33 * an attacker cannot distinguish between the PRF and random bytes on an input different from 34 * the n that are known. 35 * </ul> 36 * 37 * <p>Use cases for PRF are deterministic redaction of PII, keyed hash functions, creating sub IDs 38 * that do not allow joining with the original dataset without knowing the key. While PRFs can be 39 * used in order to prove authenticity of a message, using the MAC interface is recommended for that 40 * use case, as it has support for verification, avoiding the security problems that often happen 41 * during verification. It also allows for non-deterministic MAC algorithms. 42 */ 43 @Immutable 44 public interface Prf { 45 /** 46 * Computes the PRF selected by the underlying key on input and returns the first outputLength 47 * bytes. 48 * 49 * @param input the input to compute the PRF on. 50 * @param outputLength the desired length of the output in bytes. When choosing this parameter 51 * keep the birthday paradox in mind. If you have 2^n different inputs that your system has to 52 * handle set the output length to ceil(n/4 + 4) This corresponds to 2*n + 32 bits, meaning a 53 * collision will occur with a probability less than 1:2^32. When in doubt, request a security 54 * review. 55 * @throws GeneralSecurityException if the algorithm fails or if the output of algorithm is less 56 * than outputLength. 57 */ compute(byte[] input, int outputLength)58 byte[] compute(byte[] input, int outputLength) throws GeneralSecurityException; 59 } 60