# The Advantage of Truncated Permutations

Conference paper


## Abstract

Constructing a Pseudo Random Function (PRF) from a pseudorandom permutation is a fundamental problem in cryptology. Such a construction, implemented by truncating the last *m* bits of permutations of \(\{0, 1\}^{n}\), was suggested by Hall et al. (1998). They conjectured that the distinguishing advantage of an adversary with *q* queries, \(\mathbf{Adv}_{n, m} (q)\), is small if \(q = o (2^{(m+n)/2})\), established an upper bound on \(\mathbf{Adv}_{n, m} (q)\) that confirms the conjecture for \(m < n/7\), and also stated a general lower bound \(\mathbf{Adv}_{n,m}(q)=\varOmega (q^2/2^{n+m})\). The conjecture was essentially confirmed by Bellare and Impagliazzo in 1999. Nevertheless, the problem of *estimating* \(\mathbf{Adv}_{n, m} (q)\) remained open. Combining the trivial bound 1, the birthday bound, and a result by Stam (1978) leads to the following upper bound:

$$\mathbf{Adv}_{n,m}(q) \le O\left( \min \left\{ \frac{q^2}{2^n},\,\frac{q}{2^{\frac{n+m}{2}}},\,1\right\} \right)$$

This upper bound shows that the number of times that a truncated permutation can be used as a PRF can exceed the birthday bound by at least a factor of \(2^{m/2}\). In this paper we show that this upper bound is tight for every \(m<n\) and \(q>1\). This, in turn, verifies that the converse to the conjecture of Hall et al. is also correct, i.e., that \(\mathbf{Adv}_{n, m} (q)\) is negligible only for \(q = o (2^{(m+n)/2})\).
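For an adversary that asks *q* distinct inputs, the quantity \(\mathbf{Adv}_{n, m} (q)\) in the abstract is the total variation distance between the *q* truncated outputs of a random permutation and *q* independent uniform \((n-m)\)-bit values: the permutation's output distribution is the same for every choice of distinct inputs, adaptive or not, so no strategy beats the optimal test on that distribution. The script below is an added example, not code from the paper or its authors. It computes that distance exactly with rational arithmetic for toy parameters and prints it next to the three terms of the upper bound quoted above, so the regime where each term dominates can be inspected by hand. The function names (`truncated_perm_prob`, `advantage`, `bound_terms`) and the toy parameters \(n=5\), \(m=2\) are this example's own choices; the enumeration is exponential in *q* and is meant only for such small cases.

```python
from fractions import Fraction
from itertools import product


def truncated_perm_prob(outputs, n, m):
    """Probability that a uniformly random permutation of {0,1}^n, truncated
    by dropping its last m bits, returns exactly `outputs` on q distinct
    inputs.

    The untruncated outputs are a uniform sample without replacement from
    the 2**n points of {0,1}^n, and each (n-m)-bit value is the truncation
    of exactly 2**m of those points.  So the i-th output lands in bin b with
    probability (points of b not yet used) / (points not yet used overall).
    """
    used_in_bin = {}
    prob = Fraction(1)
    for i, b in enumerate(outputs):
        used = used_in_bin.get(b, 0)
        # Becomes 0 once a bin's 2**m preimages are exhausted.
        prob *= Fraction(2**m - used, 2**n - i)
        used_in_bin[b] = used + 1
    return prob


def advantage(n, m, q):
    """Exact Adv_{n,m}(q) for the best possible q-query distinguisher.

    Because the truncated permutation's output distribution does not depend
    on which q distinct inputs are asked, the optimal advantage equals the
    total variation distance between the two output distributions on
    ({0,1}^(n-m))^q.  Exhaustive enumeration: only for toy n, m, q.
    """
    if not 0 <= m < n:
        raise ValueError("need 0 <= m < n (the paper's setting)")
    if not 1 <= q <= 2**n:
        raise ValueError("q must be in 1..2**n: queries are distinct points")
    bins = 2 ** (n - m)
    uniform = Fraction(1, bins**q)      # random function: i.i.d. uniform outputs
    total = Fraction(0)
    for outputs in product(range(bins), repeat=q):
        total += abs(truncated_perm_prob(outputs, n, m) - uniform)
    return total / 2


def bound_terms(n, m, q):
    """The three terms inside the abstract's upper bound, as floats:
    birthday term q^2/2^n, Stam's term q/2^((n+m)/2), and the trivial bound 1."""
    return (q * q / 2**n, q / 2 ** ((n + m) / 2), 1.0)


if __name__ == "__main__":
    # Toy parameters (example's own choice) keeping the enumeration at 8**5 sequences.
    n, m = 5, 2
    print(f"n={n}, m={m}: exact Adv_{{n,m}}(q) next to the bound's three terms")
    for q in range(1, 6):
        adv = advantage(n, m, q)
        birthday, stam, one = bound_terms(n, m, q)
        print(f"q={q}: Adv={float(adv):.5f}  q^2/2^n={birthday:.4f}  "
              f"q/2^((n+m)/2)={stam:.4f}  min={min(birthday, stam, one):.4f}")
```

Two sanity checks fall out of the formula: one query gives advantage exactly 0 (a single truncated output is uniform), and with no truncation (\(m=0\)) on a 1-bit permutation, two queries give advantage \(1/2\), the birthday effect in its smallest form. The crossover between the first two bound terms sits at \(q = 2^{(n-m)/2}\), and the second term reaches 1 at \(q = 2^{(n+m)/2}\), which is where the factor \(2^{m/2}\) over the birthday bound comes from.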

## Keywords

Pseudo random permutations, Pseudo random functions, Advantage

## Notes

### Acknowledgments

We thank Ron Peled for fruitful discussion.

This research was partially supported by: The Israel Science Foundation (grant No. 1018/16); The BIU Center for Research in Applied Cryptography and Cyber Security, in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office; The Center for Cyber Law and Policy at the University of Haifa in conjunction with the Israel National Cyber Directorate in the Prime Minister’s Office.

## References

- 1. Bellare, M., Impagliazzo, R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. ePrint 1999/024. http://eprint.iacr.org/1999/024
- 2. Gilboa, S., Gueron, S.: Distinguishing a truncated random permutation from a random function. Manuscript (2015). https://arxiv.org/abs/1508.00462
- 3. Gilboa, S., Gueron, S., Morris, B.: How many queries are needed to distinguish a truncated random permutation from a random function? J. Cryptol. 31(1), 162–171 (2018)
- 4. Gueron, S., Langley, A., Lindell, Y.: AES-GCM-SIV: nonce misuse-resistant authenticated encryption. https://datatracker.ietf.org/doc/draft-irtf-cfrg-gcmsiv/
- 5. Gueron, S., Lindell, Y.: Better bounds for block cipher modes of operation via nonce-based key derivation. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1019–1036 (2017)
- 6. Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 370–389. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055742
- 7. Stam, A.J.: Distance between sampling with and without replacement. Stat. Neerl. 32(2), 81–91 (1978)

## Copyright information

© Springer Nature Switzerland AG 2019