The Advantage of Truncated Permutations

  • Shoni Gilboa
  • Shay Gueron
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11527)


Constructing a Pseudo Random Function (PRF) from a pseudorandom permutation is a fundamental problem in cryptology. Such a construction, implemented by truncating the last m bits of permutations of \(\{0, 1\}^{n}\), was suggested by Hall et al. (1998). They conjectured that the distinguishing advantage of an adversary with q queries, \(\mathbf{Adv}_{n, m} (q)\), is small if \(q = o (2^{(m+n)/2})\), established an upper bound on \(\mathbf{Adv}_{n, m} (q)\) that confirms the conjecture for \(m < n/7\), and also stated a general lower bound \(\mathbf{Adv}_{n,m}(q)=\varOmega (q^2/2^{n+m})\). The conjecture was essentially confirmed by Bellare and Impagliazzo in 1999. Nevertheless, the problem of estimating \(\mathbf{Adv}_{n, m} (q)\) remained open. Combining the trivial bound 1, the birthday bound, and a result by Stam (1978) leads to the following upper bound:
$$\mathbf{Adv}_{n,m}(q) \le O\left( \min \left\{ \frac{q^2}{2^n},\,\frac{q}{2^{\frac{n+m}{2}}},\,1\right\} \right) $$
This upper bound shows that the number of times that a truncated permutation can be used as a PRF can exceed the birthday bound by at least a factor of \(2^{m/2}\). In this paper we show that this upper bound is tight for every \(m<n\) and \(q>1\). This, in turn, verifies that the converse to the conjecture of Hall et al. is also correct, i.e., that \(\mathbf{Adv}_{n, m} (q)\) is negligible only for \(q = o (2^{(m+n)/2})\).
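To make the quantity in the abstract concrete, the following Python script (an added example, not code from the paper) computes \(\mathbf{Adv}_{n, m} (q)\) exactly for small parameters. It models the advantage as the statistical distance between q truncated outputs of a random permutation, i.e. q draws without replacement from an urn in which each of the \(2^{n-m}\) possible values appears \(2^m\) times (the setting of Stam's result on sampling with and without replacement), and q outputs of a random function, i.e. q draws with replacement. It prints the exact value next to the terms \(q^2/2^n\), \(q/2^{(n+m)/2}\) and \(q^2/2^{n+m}\) from the abstract. Function names and the choice n = 8, m = 2 (so that \(2^{n/2} = 16\) and \(2^{(n+m)/2} = 32\) both lie within reach of exact computation) are my own assumptions.

```python
"""Exact q-query distinguishing advantage of a truncated random permutation.

Added example. A random permutation of {0,1}^n truncated to its first n-m bits
is an urn with N = 2^(n-m) distinct values, each present M = 2^m times, sampled
without replacement; a random function samples the same values with
replacement. Adv_{n,m}(q) is taken here to be the statistical (total
variation) distance between the two distributions of q outputs.
"""
from fractions import Fraction
from itertools import product
from math import factorial


def falling(x, k):
    """Falling factorial x (x-1) ... (x-k+1); becomes 0 once k exceeds x."""
    r = 1
    for i in range(k):
        r *= x - i
    return r


def partitions(q, max_part=None):
    """Yield the integer partitions of q as non-increasing tuples."""
    if max_part is None or max_part > q:
        max_part = q
    if q == 0:
        yield ()
        return
    for first in range(max_part, 0, -1):
        for rest in partitions(q - first, first):
            yield (first,) + rest


def adv_exact(n, m, q):
    """Adv_{n,m}(q) as an exact Fraction.

    The probability of an output sequence depends only on how often each value
    occurs, so sequences are grouped by the partition of q formed by those
    multiplicities instead of being enumerated one by one.
    """
    M, N = 2 ** m, 2 ** (n - m)
    p_func = Fraction(1, N ** q)          # random function: all sequences equal
    denom = falling(2 ** n, q)            # ordered draws without replacement
    total = Fraction(0)
    for lam in partitions(q):
        k = len(lam)
        if k > N:                         # more distinct values than exist
            continue
        mults = {}
        for part in lam:
            mults[part] = mults.get(part, 0) + 1
        # count vectors over the N values whose nonzero entries are lam
        shapes = falling(N, k)
        for c in mults.values():
            shapes //= factorial(c)
        # orderings of one count vector into a sequence of q outputs
        seqs = factorial(q)
        for part in lam:
            seqs //= factorial(part)
        numer = 1
        for part in lam:                  # repeated draws of one value from M copies
            numer *= falling(M, part)
        p_perm = Fraction(numer, denom)
        total += shapes * seqs * abs(p_perm - p_func)
    return total / 2


def adv_bruteforce(n, m, q):
    """Same quantity by enumerating all N^q output sequences (tiny cases only)."""
    M, N = 2 ** m, 2 ** (n - m)
    p_func = Fraction(1, N ** q)
    denom = falling(2 ** n, q)
    total = Fraction(0)
    for seq in product(range(N), repeat=q):
        numer, seen = 1, {}
        for y in seq:                     # copies of y still left in the urn
            numer *= max(M - seen.get(y, 0), 0)
            seen[y] = seen.get(y, 0) + 1
        total += abs(Fraction(numer, denom) - p_func)
    return total / 2


def bound_terms(n, m, q):
    """The terms of the abstract's upper bound and of the Hall et al. lower bound."""
    return {
        "q^2/2^n": q * q / 2 ** n,
        "q/2^((n+m)/2)": q / 2 ** ((n + m) / 2),
        "q^2/2^(n+m)": q * q / 2 ** (n + m),
    }


if __name__ == "__main__":
    n, m = 8, 2                           # 2^(n/2) = 16, 2^((n+m)/2) = 32
    for q in (2, 4, 8, 16, 24, 32):
        adv = float(adv_exact(n, m, q))
        terms = bound_terms(n, m, q)
        print(f"q={q:2d} Adv={adv:.5f} "
              + " ".join(f"{k}={v:.4f}" for k, v in terms.items()))
```

The partition-based function handles n = 8 with q up to a few dozen in seconds; the brute-force version exists only to cross-check it on tiny parameters. The printed bound terms carry no constants, so they bracket the exact value only up to the factors hidden in the \(O(\cdot)\) and \(\varOmega(\cdot)\) of the abstract; what the table does show directly is the advantage staying far below the birthday-bound term once \(q\) passes \(2^{n/2}\) and growing roughly linearly in \(q\) toward \(2^{(n+m)/2}\).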


Keywords: Pseudo random permutations; Pseudo random functions; Advantage



Acknowledgements

We thank Ron Peled for fruitful discussions.

This research was partially supported by: The Israel Science Foundation (grant No. 1018/16); The BIU Center for Research in Applied Cryptography and Cyber Security, in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office; The Center for Cyber Law and Policy at the University of Haifa in conjunction with the Israel National Cyber Directorate in the Prime Minister’s Office.


References

  1. Bellare, M., Impagliazzo, R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. IACR Cryptology ePrint Archive, Report 1999/024 (1999)
  2. Gilboa, S., Gueron, S.: Distinguishing a truncated random permutation from a random function. Manuscript (2015)
  3. Gilboa, S., Gueron, S., Morris, B.: How many queries are needed to distinguish a truncated random permutation from a random function? J. Cryptol. 31(1), 162–171 (2018)
  4. Gueron, S., Langley, A., Lindell, Y.: AES-GCM-SIV: nonce misuse-resistant authenticated encryption.
  5. Gueron, S., Lindell, Y.: Better bounds for block cipher modes of operation via nonce-based key derivation. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1019–1036 (2017)
  6. Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 370–389. Springer, Heidelberg (1998)
  7. Stam, A.J.: Distance between sampling with and without replacement. Stat. Neerl. 32(2), 81–91 (1978)

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. The Open University of Israel, Ra’anana, Israel
  2. University of Haifa, Haifa, Israel
  3. Amazon, Seattle, USA
