Indifferentiability of Truncated Random Permutations

  • Wonseok ChoiEmail author
  • Byeonghak LeeEmail author
  • Jooyoung LeeEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11921)


One of natural ways of constructing a pseudorandom function from a pseudorandom permutation is to simply truncate the output of the permutation. When n is the permutation size and m is the number of truncated bits, the resulting construction is known to be indistinguishable from a random function up to \(2^{{n+m}\over 2}\) queries, which is tight.

In this paper, we study the indifferentiability of a truncated random permutation where a fixed prefix is prepended to the inputs. We prove that this construction is (regularly) indifferentiable from a public random function up to \(\min \{2^{{n+m}\over 3}, 2^{m}, 2^\ell \}\) queries, while it is publicly indifferentiable up to \(\min \{ \max \{2^{{n+m}\over 3}, 2^{n \over 2}\}, 2^\ell \}\) queries, where \(\ell \) is the size of the fixed prefix. Furthermore, the regular indifferentiability bound is proved to be tight when \(m+\ell \ll n\).

Our results significantly improve upon the previous bound of \(\min \{ 2^{m \over 2}, 2^\ell \}\) given by Dodis et al. (FSE 2009), allowing us to construct, for instance, an \(\frac{n}{2}\)-to-\(\frac{n}{2}\) bit random function that makes a single call to an n-bit permutation, achieving \(\frac{n}{2}\)-bit security.


Random permutation Random function Truncation Indifferentiability Chi-square method 


  1. 1.
    Bellare, M., Impagliazzo, R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. In: IACR Cryptology ePrint Archive 1999/024 (1999)Google Scholar
  2. 2.
    Bellare, M., Krovetz, T., Rogaway, P.: Luby-Rackoff backwards: increasing security by making block ciphers non-invertible. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 266–280. Springer, Heidelberg (1998). Scholar
  3. 3.
    Bhattacharya, S., Nandi, M.: Full indifferentiable security of the Xor of two or more random permutations using the \(\chi ^2\) method. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 387–412. Springer, Cham (2018). Scholar
  4. 4.
    Cogliati, B., Lampe, R., Patarin, J.: The indistinguishability of the XOR of \(k\) permutations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 285–302. Springer, Heidelberg (2015). Scholar
  5. 5.
    Dai, W., Hoang, V.T., Tessaro, S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 497–523. Springer, Cham (2017). Scholar
  6. 6.
    Dodis, Y., Reyzin, L., Rivest, R.L., Shen, E.: Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 104–121. Springer, Heidelberg (2009). Scholar
  7. 7.
    Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging Merkle-Damgård for practical applications. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 371–388. Springer, Heidelberg (2009). Scholar
  8. 8.
    Gilboa, S., Gueron, S., Morris, B.: How many queries are needed to distinguish a truncated random permutation from a random function? J. Cryptol. 31(1), 162–171 (2018)MathSciNetCrossRefGoogle Scholar
  9. 9.
    Gueron, S., Langley, A., Lindell, Y.: AES-GCM-SIV: Specification and Analysis. IACR Cryptology ePrint Archive 2017:168 (2017)Google Scholar
  10. 10.
    Gueron, S., Lindell, Y.: GCM-SIV: full nonce misuse-resistant authenticated encryption at under one cycle per byte. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 109–119 (2015)Google Scholar
  11. 11.
    Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 370–389. Springer, Heidelberg (1998). Scholar
  12. 12.
    Iwata, T., Seurin, Y.: Reconsidering the security bound of AES-GCM-SIV. IACR Transactions on Symmetric Cryptology, pp. 240–267 (2017)Google Scholar
  13. 13.
    Lee, J.: Indifferentiability of the sum of random permutations toward optimal security. IEEE Trans. Inf. Theory 63(6), 4050–4054 (2017)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Lucks, S.: The sum of PRPs is a secure PRF. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 470–484. Springer, Heidelberg (2000). Scholar
  15. 15.
    Mandal, A., Patarin, J., Nachef, V.: Indifferentiability beyond the Birthday Bound for the Xor of Two public random permutations. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 69–81. Springer, Heidelberg (2010). Scholar
  16. 16.
    Mandal, A., Patarin, J., Seurin, Y.: On the public indifferentiability and correlation intractability of the 6-round Feistel construction. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 285–302. Springer, Heidelberg (2012). Scholar
  17. 17.
    Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). Scholar
  18. 18.
    Mennink, B.: Linking Stam’s bounds with generalized truncation. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 313–329. Springer, Cham (2019). Scholar
  19. 19.
    Mennink, B., Preneel, B.: On the XOR of multiple random permutations. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 619–634. Springer, Cham (2015). Scholar
  20. 20.
    Patarin, J.: A proof of security in O(2n) for the Xor of two random permutations. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 232–248. Springer, Heidelberg (2008). Scholar
  21. 21.
    Shrimpton, T., Stam, M.: Building a collision-resistant compression function from non-compressing primitives. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 643–654. Springer, Heidelberg (2008). Scholar
  22. 22.
    Yoneyama, K., Miyagawa, S., Ohta, K.: Leaky random oracle (Extended Abstract). In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 226–240. Springer, Heidelberg (2008). Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.KAISTDaejeonKorea

Personalised recommendations