# The Advantage of Truncated Permutations

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11527)

## Abstract

Constructing a pseudorandom function (PRF) from a pseudorandom permutation (PRP) is a fundamental problem in cryptology. One such construction, obtained by truncating the last m bits of the output of a permutation of $$\{0, 1\}^{n}$$, was suggested by Hall et al. (1998). They conjectured that the distinguishing advantage of an adversary making q queries, $$\mathbf{Adv}_{n, m} (q)$$, is small if $$q = o (2^{(m+n)/2})$$, established an upper bound on $$\mathbf{Adv}_{n, m} (q)$$ that confirms the conjecture for $$m < n/7$$, and also stated a general lower bound $$\mathbf{Adv}_{n,m}(q)=\varOmega (q^2/2^{n+m})$$. The conjecture was essentially confirmed by Bellare and Impagliazzo in 1999. Nevertheless, the problem of estimating $$\mathbf{Adv}_{n, m} (q)$$ remained open. Combining the trivial bound 1, the birthday bound, and a result by Stam (1978) leads to the following upper bound:
$$\mathbf{Adv}_{n,m}(q) \le O\left( \min \left\{ \frac{q^2}{2^n},\,\frac{q}{2^{\frac{n+m}{2}}},\,1\right\} \right)$$
This upper bound shows that the number of queries for which a truncated permutation can be used as a PRF can exceed the birthday bound by a factor of at least $$2^{m/2}$$. In this paper we show that this upper bound is tight for every $$m<n$$ and $$q>1$$. This, in turn, verifies that the converse to the conjecture of Hall et al. is also correct, i.e., that $$\mathbf{Adv}_{n, m} (q)$$ is negligible only for $$q = o (2^{(m+n)/2})$$.
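As an added worked example (not code from the paper or its authors), the following Python script makes the abstract concrete in three steps: it evaluates the envelope $$\min\{q^2/2^n,\, q/2^{(n+m)/2},\, 1\}$$ for realistic parameters and turns it into a query budget for a target advantage; it shows the structural property truncation preserves (every $$(n-m)$$-bit output occurs exactly $$2^m$$ times over the domain); and it runs a collision-counting distinguisher against a truncated random permutation versus a random function at small $$n$$, estimating its advantage as the total-variation distance between the two collision-count distributions. The random permutation is sampled directly (`random.sample` is sampling without replacement, which is exactly the ideal object the bound is about, per Stam's result) rather than instantiated with a block cipher, so the script has no dependencies. All function names and the small parameter choices (n=12, m=4) are mine.

```python
"""Truncated random permutation as a PRF: the bound from the abstract,
the balance property, and an empirical collision distinguisher.
Added example, not code from the paper; all names below are my own."""
import math
import random
from collections import Counter


def adv_upper_bound(n, m, q):
    """Envelope min{q^2/2^n, q/2^((n+m)/2), 1} from the abstract, without the
    hidden O(.) constant.  n = permutation width, m = bits dropped, q = queries."""
    birthday = q * q / 2 ** n                 # PRP/PRF switching (birthday) bound
    stam = q / math.sqrt(2 ** (n + m))        # Stam (1978): with vs. without replacement
    return min(birthday, stam, 1.0)


def max_queries_log2(n, m, eps_log2):
    """log2 of the largest q at which the envelope is still <= 2**eps_log2.
    Both branches increase with q, so the envelope reaches eps at the later of
    the two roots: q* = max(sqrt(eps * 2^n), eps * 2^((n+m)/2))."""
    birthday_root = (n + eps_log2) / 2
    stam_root = (n + m) / 2 + eps_log2
    return max(birthday_root, stam_root)


def output_multiplicities(n, m, seed=0):
    """Build a random permutation P of {0,1}^n (stand-in for a block cipher
    under a fixed key; small n only) and count how often each (n-m)-bit value
    P(x) >> m occurs over the whole domain.  Every value occurs exactly 2^m
    times: truncation keeps the permutation's balance, and that balance is
    what a distinguisher detects once q approaches 2^n."""
    perm = list(range(2 ** n))
    random.Random(seed).shuffle(perm)
    return Counter(p >> m for p in perm)


def collision_count(values):
    """Number of unordered pairs of equal entries in the list."""
    return sum(c * (c - 1) // 2 for c in Counter(values).values())


def query_oracle(rng, n, m, q, truncated_perm):
    """Answers to q distinct queries.  A random permutation on distinct inputs
    is a sample without replacement from {0,1}^n (then drop the low m bits);
    a random function with (n-m)-bit outputs is a sample with replacement."""
    if truncated_perm:
        return [v >> m for v in rng.sample(range(2 ** n), q)]
    return [rng.getrandbits(n - m) for _ in range(q)]


def empirical_advantage(n, m, q, trials, seed=0):
    """Advantage of the collision-counting distinguisher, estimated as the
    total-variation distance between the collision-count distributions under
    the two oracles.  This is a lower bound on Adv_{n,m}(q) up to Monte Carlo
    noise, since any distinguisher's advantage is at most the true advantage."""
    rng = random.Random(seed)
    hist = {True: Counter(), False: Counter()}
    for oracle in (True, False):
        for _ in range(trials):
            hist[oracle][collision_count(query_oracle(rng, n, m, q, oracle))] += 1
    support = set(hist[True]) | set(hist[False])
    return sum(abs(hist[True][k] - hist[False][k]) for k in support) / (2 * trials)


if __name__ == "__main__":
    n, m = 128, 32                            # e.g. a 128-bit block cipher with 32 bits dropped
    for log_q in (48, 56, 64, 72, 80):
        print(f"n={n} m={m} q=2^{log_q}: envelope {adv_upper_bound(n, m, 2 ** log_q):.3g}")
    print("q budget for advantage <= 2^-20: 2^%.1f (m=32) vs 2^%.1f (m=0)"
          % (max_queries_log2(n, 32, -20), max_queries_log2(n, 0, -20)))
    # Constructed small instance where the experiment is cheap: 12-bit permutation, 8-bit outputs.
    for q in (64, 256, 1024, 4096):
        print(f"n=12 m=4 q={q}: empirical collision-distinguisher advantage "
              f"{empirical_advantage(12, 4, q, trials=200):.2f}")
```

Two things to read off the output: with $$n=128$$, $$m=32$$ the envelope at $$q=2^{64}$$ is $$2^{-16}$$ where an untruncated PRP used as a PRF is already at the trivial bound, and the query budget for advantage $$2^{-20}$$ grows from $$2^{54}$$ to $$2^{60}$$. At the toy size the empirical advantage is small for $$q$$ well below $$2^{(n+m)/2}$$ and reaches 1 at $$q=2^n$$, because the truncated permutation's collision count is then a constant ($$2^{n-m}\binom{2^m}{2}$$) while a random function's is not.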

## Keywords

Pseudo random permutations, Pseudo random functions, Advantage

## References

1. Bellare, M., Impagliazzo, R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. IACR ePrint 1999/024. http://eprint.iacr.org/1999/024
2. Gilboa, S., Gueron, S.: Distinguishing a truncated random permutation from a random function. Manuscript (2015). https://arxiv.org/abs/1508.00462
3. Gilboa, S., Gueron, S., Morris, B.: How many queries are needed to distinguish a truncated random permutation from a random function? J. Cryptol. 31(1), 162–171 (2018)
4. Gueron, S., Langley, A., Lindell, Y.: AES-GCM-SIV: nonce misuse-resistant authenticated encryption. Internet-Draft draft-irtf-cfrg-gcmsiv. https://datatracker.ietf.org/doc/draft-irtf-cfrg-gcmsiv/
5. Gueron, S., Lindell, Y.: Better bounds for block cipher modes of operation via nonce-based key derivation. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1019–1036 (2017)
6. Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 370–389. Springer, Heidelberg (1998)
7. Stam, A.J.: Distance between sampling with and without replacement. Stat. Neerl. 32(2), 81–91 (1978)