Constructing a pseudorandom function (PRF) from a pseudorandom permutation is a fundamental problem in cryptology. Such a construction, implemented by truncating the last $m$ bits of permutations of $\{0, 1\}^{n}$, was suggested by Hall et al. (1998). They conjectured that the distinguishing advantage of an adversary with $q$ queries, ${\bf Adv}_{n, m} (q)$, is small if $q = o (2^{(n+m)/2})$, established an upper bound on ${\bf Adv}_{n, m} (q)$ that confirms the conjecture for $m < n/7$, and also stated a general lower bound ${\bf Adv}_{n,m}(q)=\Omega(q^2/2^{n+m})$. The conjecture was essentially confirmed by Bellare and Impagliazzo in 1999. Nevertheless, the problem of {\em estimating} ${\bf Adv}_{n, m} (q)$ remained open. Combining the trivial bound $1$, the birthday bound, and a result by Stam (1978) leads to the following upper bound: $${\bf Adv}_{n,m}(q) \le O\left(\min\left\{\frac{q^2}{2^n},\,\frac{q}{2^{\frac{n+m}{2}}},\,1\right\}\right)$$ In this paper we show that this upper bound is tight for every $m
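The following added simulation (not code from the paper) illustrates the bound above on toy parameters: it compares the outputs of a random permutation of $\{0,1\}^n$ with the last $m$ bits dropped against a random function with $(n-m)$-bit outputs, using a collision-counting distinguisher, and prints the empirical advantage next to the quoted bound $\min\{q^2/2^n,\, q/2^{(n+m)/2},\, 1\}$. Parameters $n=16$, $m=8$, the query counts and the midpoint decision rule are assumptions of this example.

```python
import random
from math import comb

def truncated_perm_outputs(n, m, q, rng):
    """q distinct queries to a random permutation of {0,1}^n, last m bits dropped.
    Evaluating a random permutation at q distinct points is the same as drawing
    q distinct n-bit values without replacement, so no full permutation is built."""
    return [x >> m for x in rng.sample(range(1 << n), q)]

def random_func_outputs(n, m, q, rng):
    """q distinct queries to a random function {0,1}^n -> {0,1}^(n-m): i.i.d. uniform outputs."""
    return [rng.getrandbits(n - m) for _ in range(q)]

def collision_pairs(outputs, n, m):
    """Number of query pairs with equal truncated output (the distinguisher's statistic)."""
    counts = [0] * (1 << (n - m))
    for y in outputs:
        counts[y] += 1
    return sum(comb(c, 2) for c in counts)

def expected_collisions(n, m, q):
    """Exact expectations (permutation world, function world): two distinct permutation
    inputs share their top n-m bits with probability (2^m - 1)/(2^n - 1)."""
    pairs = comb(q, 2)
    return pairs * ((1 << m) - 1) / ((1 << n) - 1), pairs / (1 << (n - m))

def estimate_advantage(n, m, q, trials=100, seed=1):
    """Empirical advantage of the rule 'fewer collisions than the midpoint => permutation'."""
    rng = random.Random(seed)
    e_perm, e_func = expected_collisions(n, m, q)
    threshold = (e_perm + e_func) / 2

    def says_perm(outputs):
        return collision_pairs(outputs, n, m) < threshold

    hit_perm = sum(says_perm(truncated_perm_outputs(n, m, q, rng)) for _ in range(trials))
    hit_func = sum(says_perm(random_func_outputs(n, m, q, rng)) for _ in range(trials))
    return (hit_perm - hit_func) / trials

def upper_bound(n, m, q):
    """The bound min{q^2/2^n, q/2^((n+m)/2), 1} quoted in the abstract, constants dropped."""
    return min(q * q / 2 ** n, q / 2 ** ((n + m) / 2), 1.0)

if __name__ == "__main__":
    n, m = 16, 8  # toy parameters (assumed): 2^((n+m)/2) = 4096 queries
    for q in (64, 1024, 4096, 16384, 32768):
        print(f"q={q:6d}  bound={upper_bound(n, m, q):.3f}  "
              f"empirical={estimate_advantage(n, m, q):.2f}")
```

The empirical advantage stays near zero well below $2^{(n+m)/2}$ queries and approaches one well above it, in line with the tightness claim.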
