1 Introduction

The dominant building block for symmetric cryptographic modes is a pseudorandom permutation (PRP), such as AES [22]. However, for many such modes, most notably stream-based (authenticated) ciphers [24, 28, 39] and message authentication codes [5, 11, 16, 49], security is determined by the level at which the underlying primitive behaves like a random function rather than a random permutation. Stated differently, these modes benefit from being instantiated with a pseudorandom function (PRF) instead of a PRP. Yet, with an extreme abundance of PRP candidates [1,2,3,4, 13, 14, 22] (to name a few), and only very few dedicated PRFs [10, 41], designers have resorted to generic methods of transforming a PRP into a PRF.

The well-known PRP-PRF switch [7, 9, 17, 30, 31] shows that an n-bit PRP behaves as a PRF up to approximately \(2^{n/2}\) evaluations. This “birthday bound” could be inadequate for lightweight block ciphers, and various “beyond birthday bound” modes, schemes that achieve security beyond \(2^{n/2}\) evaluations, have appeared. These include the xor of permutations [6, 8, 18, 23, 38, 42, 44,45,46], EDM [19, 23, 40], EDMD [40], and truncation [6, 12, 25,26,27, 30, 47]. We refer to Mennink and Neves [40, 41] for an extensive discussion of the four variants. In this work, we focus on truncation.

1.1 History of Truncation

Let \(n,m\in \mathbb {N}\) be such that \(m\le n\), and let p be an n-bit PRP. Truncation is defined as simply returning the m leftmost bits of p:

$$\begin{aligned} \mathsf {Trunc}^p(x) = \mathsf {left}_m(p(x)). \end{aligned}$$
(1)

Hall et al. [30] introduced the truncation construction, and demonstrated security up to around \(2^{n-m/2}\) evaluations, but not for the entire parameter spectrum. Bellare and Impagliazzo [6] gave an improved analysis that demonstrates security for a broader selection of n and m. Gilboa and Gueron [25] resolved the remaining gaps by proving security up to \(2^{n-m/2}\) evaluations for any choice of n and m. It turned out, however, that the problem was already solved in 1978 by Stam [47], and that Stam’s bound is stronger than the bounds of [6, 25, 30] altogether. Bhattacharya and Nandi [12] transformed Stam’s analysis to the chi-squared method [23], deriving an identical bound. We elaborate on this upper bound in Sect. 4.1. Gilboa et al. [27] presented a detailed comparison of the bounds of Hall et al. [30], Bellare and Impagliazzo [6], Gilboa and Gueron [25], and Stam [47].

With respect to insecurity, Hall et al. [30] also argued tightness of their bound by sketching a distinguisher. Gilboa and Gueron [26] presented a formal derivation of a lower bound, for various choices of n, m, and the number of evaluations. They showed that the best distinguisher’s success probability is close to 1 for around \(2^{n-m/2}\) evaluations. See Sect. 4.1 for the lower bound.

The truncated permutation construction found application as key derivation function in GCM-SIV [28, 29, 37], although its use is disputed [15, 32].

1.2 Stam’s Bounds

Stam’s 1978 bound [47] is more general than suggested in Sect. 1.1. Intuitively (a formal treatment of Stam’s bounds is given in Sect. 3), it covers the idea of \(2^n\) possible outcomes being grouped into \(2^m\) colors (the number of occurrences per color not necessarily equal) and measures the distance between sampling with or without replacement, where the observer learns the color of every sample. In a later publication in 1986, Stam [48] generalized this result to the case where the number of colors and the grouping of the outcomes into the colors differs per sample.

The analysis of Stam is based on the Kullback-Leibler divergence \( KL (X;Y)\) [36] (see Sect. 2.1 for the details), and Pinsker’s inequality [21, 34, 35] stating that

$$\begin{aligned} \varDelta (X,Y) \le \left( \frac{1}{2} KL (X;Y)\right) ^{1/2}, \end{aligned}$$
(2)

where \(\varDelta (X,Y)\) denotes the statistical distance between X and Y. The exact same statistical tools were used in the chi-squared method of Dai et al. [23]. However, Dai et al. make an additional step, namely that the Kullback-Leibler divergence \( KL (X;Y)\) is at most the chi-squared divergence \(\chi ^2(X;Y)\) (see, again, Sect. 2.1 for the details). In this work, we rely on Stam’s results and perform analysis at the level of the Kullback-Leibler divergence.

1.3 Generalized Truncation

The goal of this work is to fully understand the implication of Stam’s bounds to truncation. To do so, we describe a generalized truncation function \(\mathsf {GTrunc}\) in Sect. 4. The function generalizes simple truncation by the evaluation of a post-processing function \(\mathsf {post}:\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{m}\) after permutation:

$$\begin{aligned} \mathsf {GTrunc}^p(x) = \mathsf {post}(x,p(x)). \end{aligned}$$
(3)

The function is depicted in Fig. 1. It covers plain truncation of (1) by taking the post-processing function that ignores its first input and evaluates \(\mathsf {left}_m\) on its second input.

However, \(\mathsf {GTrunc}\) is much more general than \(\mathsf {Trunc}\). Most importantly, it feed-forwards its input x to the post-processing function \(\mathsf {post}\). This, on the one hand, gives an adversary more power, but on the other hand, frustrates statistical analysis as the output function is not purely a post-processing function on the output of the permutation p. We consider the security of \(\mathsf {GTrunc}\) for various types of post-processing functions. In Sect. 4.2 we consider a simplified variant where \(\mathsf {post}\) is balanced and no feed-forward is involved, and show security-wise equivalence of the resulting construction with \(\mathsf {Trunc}\). In Sect. 4.3 we consider the general \(\mathsf {GTrunc}\) construction with balanced post-processing and link it with the bounds of Stam [47, 48]. The result shows that, in fact, \(\mathsf {GTrunc}\) achieves the same level of security as \(\mathsf {Trunc}\), regardless of the choice of post-processing function \(\mathsf {post}\) (as long as it is balanced). Finally, we extend the result to arbitrary (possibly unbalanced) \(\mathsf {post}\), and derive a security bound that is slightly worse, depending on the unbalancedness of \(\mathsf {post}\). The derivation is based on Stam’s bounds, with in addition an analysis of the statistical distance between unbalanced and balanced random samplings with replacement using the Kullback-Leibler divergence.

We comment on the effect of including a pre-processing function \(\mathsf {pre}\) in Sect. 5.

2 Security Model

Consider two natural numbers \(n,m\in \mathbb {N}\). We denote by \(\{0,1\}^{n}\) the set of n-bit strings. The set \(\mathsf {func}(n,m)\) denotes the set of all n-to-m-bit functions, and \(\mathsf {perm}(n)\) the set of all n-bit permutations. If \(m\le n\), the function \(\mathsf {left}_m:\{0,1\}^{n}\rightarrow \{0,1\}^{m}\) returns the left m bits of its input. We denote by \((m)_n\) the falling factorial \(m(m-1)\cdots (m-n+1)=m!/(m-n)!\). For a finite set \(\mathcal {X}\), \(x\xleftarrow {{\scriptscriptstyle \$}}\mathcal {X}\) denotes the uniform random drawing of x from \(\mathcal {X}\).

2.1 Statistical Tools

For two distributions X, Y over a finite space \(\varOmega \), the statistical distance between X and Y is defined as

$$\begin{aligned} \varDelta (X,Y)&= \frac{1}{2} \sum _{\omega \in \varOmega } \big |\mathbf {Pr}\left( X=\omega \right) - \mathbf {Pr}\left( Y = \omega \right) \big |\end{aligned}$$
(4)
$$\begin{aligned}&\, = \max _{\varOmega ^*\subseteq \varOmega } \left\{ \sum _{\omega \in \varOmega ^*} \mathbf {Pr}\left( X=\omega \right) - \mathbf {Pr}\left( Y = \omega \right) \right\} . \end{aligned}$$
(5)

The Kullback-Leibler divergence [36] between X and Y is defined as

$$\begin{aligned} KL (X;Y) = \sum _{\omega \in \varOmega } \mathbf {Pr}\left( X=\omega \right) \log \left( \frac{\mathbf {Pr}\left( X=\omega \right) }{\mathbf {Pr}\left( Y=\omega \right) }\right) , \end{aligned}$$
(6)

with the condition that \(\mathbf {Pr}\left( Y=\omega \right) >0\) for all \(\omega \in \varOmega \) and the convention that \(0\log (0)=0\). Pinsker’s inequality [21, 34, 35] gives

$$\begin{aligned} \varDelta (X,Y) \le \left( \frac{1}{2} KL (X;Y)\right) ^{1/2}. \end{aligned}$$
(7)

Remark 1

Dai et al. [23] recently introduced the chi-squared method to cryptography. The chi-squared method also relies on Pinsker’s inequality (7), but in addition uses that

$$\begin{aligned} KL (X;Y) \le \chi ^2(X;Y), \end{aligned}$$
(8)

where

$$\begin{aligned} \chi ^2(X;Y) = \sum _{\omega \in \varOmega } \frac{\big (\mathbf {Pr}\left( X=\omega \right) - \mathbf {Pr}\left( Y=\omega \right) \big )^2}{\mathbf {Pr}\left( Y=\omega \right) } \end{aligned}$$
(9)

is the chi-squared divergence [20, 43]. What then remains in order to bound \(\varDelta (X,Y)\) is an analysis of the chi-squared divergence between X and Y. In our work, we do not go that far, but instead, stop at the Kullback-Leibler divergence. (This is no critique on the chi-squared method; in many applications, bounding \(\chi ^2(X;Y)\) may be easier to do than bounding \( KL (X;Y)\)).

2.2 Pseudorandom Functions

A distinguisher \(\mathcal {D}\) is an algorithm that is given access to an oracle \(\mathcal {O}\); it can make a certain number of queries to this oracle, and afterwards it outputs \(b\in \{0,1\}\). We focus on computationally unbounded distinguishers, whose complexities are measured by the number of oracle queries only. As usual, a scheme is secure if it withstands the strongest possible distinguisher, and we can without loss of generality restrict our focus to deterministic distinguishers. The reason for this is that for any probabilistic distinguisher there exists a deterministic distinguisher with at least the same success probability (fix the coins that maximize it).

Let \(n,m\in \mathbb {N}\) such that \(m\le n\). Let \(p\in \mathsf {perm}(n)\), and consider a function \(F^p\in \mathsf {func}(n,m)\). We define the pseudorandom function (PRF) security of \(F^p\) as a random function against a distinguisher \(\mathcal {D}\) by

$$\begin{aligned} \mathbf {Adv}_{F}^{\mathrm {prf}}(\mathcal {D}) = \left|\mathbf {Pr}\left( \mathcal {D}^{F^p}=1\right) - \mathbf {Pr}\left( \mathcal {D}^{f}=1\right) \right|, \end{aligned}$$
(10)

where the first probability is taken over the random drawing of \(p\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\) and the second probability over \(f\xleftarrow {{\scriptscriptstyle \$}}\mathsf {func}(n,m)\). (Recall that \(\mathcal {D}\) is a deterministic distinguisher).

The definition of PRF security relates to the statistical distance of (4) and (5) in the following manner. Let \(q\in \mathbb {N}\), and consider a deterministic distinguisher \(\mathcal {D}\) making q queries. Let X denote the probability distribution of interactions with \(F^p\) and Y the probability distribution of interactions with f. Let \(\varOmega _1\) denote the set of query-response tuples for which distinguisher \(\mathcal {D}\) outputs 1. Then,

$$\begin{aligned} \mathbf {Adv}_{F}^{\mathrm {prf}}(\mathcal {D}) = \left|\sum _{\omega \in \varOmega _1} \mathbf {Pr}\left( X=\omega \right) - \mathbf {Pr}\left( Y=\omega \right) \right|\le \varDelta (X,Y). \end{aligned}$$
(11)

Equality is achieved for distinguisher \(\mathcal {D}\) that returns 1 for any query-response tuple in \(\varOmega ^*\), where \(\varOmega ^*\) is the set for which (5) achieves its maximum [12].

Remark 2

The above security model considers \(F^p\) to be “keyed” with a random permutation \(p\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\). A standard hybrid argument allows us to transform all results in this work to a complexity-theoretic setting where p is, instead, a block cipher E with secret key K, and the distinguisher’s capabilities are also bounded by a time parameter t.

3 Stam’s Bounds

Consider a finite set of N elements, of M types/colors. Denote the partition of the N elements into the M colors by \(A_1\cup \dots \cup A_M\). For color j, write \(a_j=|A_j|>0\), such that

$$\begin{aligned} a_1+\dots +a_M = N. \end{aligned}$$
(12)

Let \(q\in \mathbb {N}\). Denote by X the probability distribution of the obtained colors when sampling q elements without replacement, and by Y the probability distribution of the obtained colors when sampling with replacement. Both X and Y have range \(\{1,\dots ,M\}^q\). Stam [47] measures the distance between X and Y, and proves the following bound.

Theorem 1

(Stam’s bound [47, Theorems 2.2 and 2.3]). Let \(q,N,M\in \mathbb {N}\) such that \(M\le N\), and consider the configuration of M colors of color sizes \((a_1,\dots ,a_M)\) as in (12). Consider the two distributions X and Y over range \(\{1,\dots ,M\}^q\). We have,

$$\begin{aligned} \varDelta (X,Y) \le \frac{1}{2}\left( \frac{(M-1)q(q-1)}{(N-1)(N-q+1)}\right) ^{1/2}. \end{aligned}$$
(13)

Proof

We include Stam’s proof (in our terminology) for completeness.

Write \(X=(X_1,\dots ,X_q)\) and \(Y=(Y_1,\dots ,Y_q)\). Denote, for brevity, \(\varvec{X}_i=(X_1,\dots ,X_i)\) and \(\varvec{Y}_i=(Y_1,\dots ,Y_i)\) for \(i=1,\dots ,q\). The Kullback-Leibler divergence (6) can be rewritten as

$$\begin{aligned} KL (X;Y) \le KL (X_1;Y_1) + \sum _{i=1}^{q-1} KL (X_{i+1};Y_{i+1} \mid \varvec{X}_i, \varvec{Y}_i), \end{aligned}$$
(14)

where

$$\begin{aligned}&KL (X_{i+1};Y_{i+1} \mid \varvec{X}_i, \varvec{Y}_i) = \sum _{\varvec{j}_i\in \{1,\dots ,M\}^i} \mathbf {Pr}\left( \varvec{X}_i=\varvec{j}_i\right) \cdot \nonumber \\&\qquad \qquad \sum _{j=1}^M \mathbf {Pr}\left( X_{i+1}=j \mid \varvec{X}_i=\varvec{j}_i\right) \log \left( \frac{\mathbf {Pr}\left( X_{i+1}=j \mid \varvec{X}_i=\varvec{j}_i\right) }{\mathbf {Pr}\left( Y_{i+1}=j \mid \varvec{Y}_i=\varvec{j}_i\right) }\right) . \end{aligned}$$
(15)

We have

$$\begin{aligned} \mathbf {Pr}\left( X_{i+1}=j \mid \varvec{X}_i=\varvec{j}_i\right)&= \frac{a_j-h}{N-i},\end{aligned}$$
(16)
$$\begin{aligned} \mathbf {Pr}\left( Y_{i+1}=j \mid \varvec{Y}_i=\varvec{j}_i\right)&= \frac{a_j}{N}, \end{aligned}$$
(17)

where h denotes the number of occurrences of j in sample \(\varvec{j}_i\). Thus,

$$\begin{aligned} KL (X_{i+1};&Y_{i+1} \mid \varvec{X}_i, \varvec{Y}_i)\end{aligned}$$
(18)
$$\begin{aligned}&= \sum _{j=1}^M \sum _{\varvec{j}_i\in \{1,\dots ,M\}^i} \mathbf {Pr}\left( \varvec{X}_i=\varvec{j}_i\right) \cdot \frac{a_j-h}{N-i}\cdot \log \left( \frac{\frac{a_j-h}{N-i}}{\frac{a_j}{N}}\right) \end{aligned}$$
(19)
$$\begin{aligned}&= \sum _{j=1}^M \sum _{h=0}^{\min \{i,a_j-1\}} \mathbf {Pr}\left( HG ^N_{a_j}(i)=h\right) \cdot \frac{a_j-h}{N-i}\cdot \log \left( \frac{\frac{a_j-h}{N-i}}{\frac{a_j}{N}}\right) , \end{aligned}$$
(20)

where \( HG ^N_{a_j}(i)\) is a random variable of i hypergeometrically distributed draws from N elements with \(a_j\) success elements. We have

$$\begin{aligned} \mathbf {Pr}\left( HG ^N_{a_j}(i)=h\right) \cdot \frac{a_j-h}{N-i}&= \left( {\begin{array}{c}i\\ h\end{array}}\right) \frac{(a_j)_h(N-a_j)_{i-h}}{(N)_i}\cdot \frac{a_j-h}{N-i}\end{aligned}$$
(21)
$$\begin{aligned}&= \left( {\begin{array}{c}i\\ h\end{array}}\right) \frac{(a_j-1)_h(N-a_j)_{i-h}}{(N-1)_i}\cdot \frac{a_j}{N}\end{aligned}$$
(22)
$$\begin{aligned}&= \mathbf {Pr}\left( HG ^{N-1}_{a_j-1}(i)=h\right) \cdot \frac{a_j}{N}. \end{aligned}$$
(23)

Note furthermore that

$$\begin{aligned} \sum _{h=0}^{\min \{i,a_j-1\}} h\cdot \mathbf {Pr}\left( HG ^{N-1}_{a_j-1}(i) = h\right) = \mathbf {Ex}\left( HG ^{N-1}_{a_j-1}(i)\right) = \frac{i(a_j-1)}{N-1}. \end{aligned}$$
(24)

We subsequently derive the following for (20), where in the first bounding we use Jensen’s inequality (\(\log \) is concave) and in the second bounding we use that \(\log (\alpha )\le \alpha -1\) (for any \(\alpha >0\)):

$$\begin{aligned} KL (X_{i+1};&Y_{i+1} \mid \varvec{X}_i, \varvec{Y}_i)\end{aligned}$$
(25)
$$\begin{aligned}&= \sum _{j=1}^M \frac{a_j}{N}\cdot \sum _{h=0}^{\min \{i,a_j-1\}} \mathbf {Pr}\left( HG ^{N-1}_{a_j-1}(i)=h\right) \cdot \log \left( \frac{\frac{a_j-h}{N-i}}{\frac{a_j}{N}}\right) \end{aligned}$$
(26)
$$\begin{aligned}&\le \sum _{j=1}^M \frac{a_j}{N}\cdot \log \left( \sum _{h=0}^{\min \{i,a_j-1\}} \mathbf {Pr}\left( HG ^{N-1}_{a_j-1}(i)=h\right) \cdot \frac{\frac{a_j-h}{N-i}}{\frac{a_j}{N}}\right) \end{aligned}$$
(27)
$$\begin{aligned}&= \sum _{j=1}^M \frac{a_j}{N}\cdot \log \left( \frac{N}{a_j(N-i)}\left( a_j - \mathbf {Ex}\left( HG ^{N-1}_{a_j-1}(i)\right) \right) \right) \end{aligned}$$
(28)
$$\begin{aligned}&= \sum _{j=1}^M \frac{a_j}{N}\cdot \log \left( \frac{N}{a_j(N-i)}\left( a_j-\frac{i(a_j-1)}{N-1}\right) \right) \end{aligned}$$
(29)
$$\begin{aligned}&= \sum _{j=1}^M \frac{a_j}{N}\cdot \log \left( 1 + \frac{(N-a_j)i}{a_j(N-1)(N-i)}\right) \end{aligned}$$
(30)
$$\begin{aligned}&\le \sum _{j=1}^M \left( 1 - \frac{a_j}{N}\right) \cdot \frac{i}{(N-1)(N-i)}\end{aligned}$$
(31)
$$\begin{aligned}&= \frac{(M-1)i}{(N-1)(N-i)}. \end{aligned}$$
(32)

Summing (32) over \(i=1,\dots ,q-1\) and using \(N-i\ge N-q+1\), (14) gives (note that \( KL (X_1;Y_1)=0\), as the first draw has color distribution \(a_j/N\) in both X and Y)

$$\begin{aligned} KL (X;Y) \le \sum _{i=1}^{q-1} \frac{(M-1)i}{(N-1)(N-q+1)} = \frac{(M-1)q(q-1)}{2(N-1)(N-q+1)}, \end{aligned}$$

and Pinsker’s inequality (7) then yields (13).    \(\square \)

It is interesting to note that the bound depends on q, N, and M, but not on the \(a_j\)’s. This is caused by the observation that the outcomes are hypergeometrically distributed and that the \(a_j\)’s drop out due to concavity of the function \(\log \).

This fact allowed Stam to generalize his result to partitions varying with \(i=1,\dots ,q\) with little effort [48]. More formally, consider a finite set of N elements, this time with q partitions into \(M_i\) types/colors \(A_{i,1}\cup \dots \cup A_{i,M_i}\) for \(i=1,\dots ,q\). For color j in sample i, write \(a_{i,j}=|A_{i,j}|>0\), such that for all \(i=1,\dots ,q\),

$$\begin{aligned} a_{i,1}+\dots +a_{i,M_i} = N. \end{aligned}$$
(33)

Let \(q\in \mathbb {N}\). Denote by X the probability distribution of the obtained colors when sampling q elements without replacement, and by Y the probability distribution of the obtained colors when sampling with replacement. Both X and Y have range

$$\begin{aligned} \{1,\dots ,M_1\}\times \dots \times \{1,\dots ,M_q\}. \end{aligned}$$
(34)

Stam [48] proves the following bound for the distance between X and Y.

Theorem 2

(Stam’s bound [48, Theorem 1]). Let \(q,N,M_1,\dots ,M_q\in \mathbb {N}\) such that \(M_1,\dots ,M_q\le N\), and consider the configuration of \(M_i\) colors of color sizes \(\{(a_{i,1},\dots ,a_{i,M_i})\}\) for \(i=1,\dots ,q\) as in (33). Consider the two distributions X and Y over range \(\{1,\dots ,M_1\}\times \dots \times \{1,\dots ,M_q\}\). We have,

$$\begin{aligned} \varDelta (X,Y) \le \frac{1}{2}\left( \sum _{i=1}^{q-1} \frac{2(M_{i+1}-1)i}{(N-1)(N-q+1)}\right) ^{1/2}. \end{aligned}$$
(35)

Proof

The proof is a straightforward extension of that of Theorem 1: the only differences are that the indices in the summations and summands of (15) are updated to the new range \(\{1,\dots ,M_1\}\times \dots \times \{1,\dots ,M_q\}\) and color sizes \(a_{i+1,j}\). In particular, for fixed \(i\in \{1,\dots ,q-1\}\), (31) and (32) are superseded by

$$\begin{aligned} KL (X_{i+1};Y_{i+1} \mid \varvec{X}_i, \varvec{Y}_i)&\le \sum _{j=1}^{M_{i+1}} \left( 1-\frac{a_{i+1,j}}{N}\right) \frac{i}{(N-1)(N-i)}\end{aligned}$$
(36)
$$\begin{aligned}&= \frac{(M_{i+1}-1)i}{(N-1)(N-i)}. \end{aligned}$$
(37)

The result then immediately follows.    \(\square \)

If \(M_1=\dots =M_q=M\) (but not necessarily with identical color sizes \(\{(a_{i,1},\dots ,a_{i,M})\}\) for every sampling), the bound of Theorem 2 obviously simplifies to that of Theorem 1.
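To make Theorems 1 and 2 concrete, the following Python example (added here; it is not code from Stam's papers or from the original text) evaluates the right-hand sides of (13) and (35) and, for tiny parameters, computes the exact statistical distance (4) between the color sequences of sampling with and without replacement by exhaustive enumeration, so the bound can be compared with the true distance. For the coloring by \(\mathsf {left}_m\) (the coloring used later in the proof of Theorem 3), this exact distance is, by (11) and the remark following it, the advantage of the best q-query distinguisher against \(\mathsf {Trunc}\) with these n and m. The color sizes (4, 4) and (1, 7) and the per-sample partitions are constructed for the illustration.

```python
from fractions import Fraction
from itertools import permutations, product
from math import sqrt


def stam_bound(q, N, Ms):
    """Right-hand side of (35). Ms[i-1] = M_i is the number of colors of the i-th sample;
    for constant M_i = M the sum collapses to (M-1)q(q-1) and (13) is recovered."""
    assert len(Ms) == q and 1 <= q <= N and all(1 <= M <= N for M in Ms)
    if q < 2:
        return 0.0                      # a single draw has the same color law in both worlds
    s = sum(2 * (Ms[i] - 1) * i for i in range(1, q))   # term i uses M_{i+1} = Ms[i]
    return 0.5 * sqrt(s / ((N - 1) * (N - q + 1)))


def stam_bound_uniform(q, N, M):
    """Right-hand side of (13)."""
    if q < 2:
        return 0.0
    return 0.5 * sqrt((M - 1) * q * (q - 1) / ((N - 1) * (N - q + 1)))


def exact_distance(partitions):
    """Exact statistical distance (4) between the color sequence X of q draws without
    replacement and Y of q draws with replacement. partitions[i][e] is the color of
    element e in sample i (the same list q times for Theorem 1, per-sample lists for
    Theorem 2). Exhaustive, so only usable for tiny N and q."""
    q, N = len(partitions), len(partitions[0])
    assert 1 <= q <= N and all(len(part) == N for part in partitions)
    p_without = Fraction(1)
    for k in range(q):
        p_without /= N - k              # 1/(N)_q for each ordered draw of distinct elements
    p_with = Fraction(1, N ** q)        # 1/N^q for each ordered draw with replacement
    px, py = {}, {}
    for draw in permutations(range(N), q):
        colors = tuple(partitions[i][e] for i, e in enumerate(draw))
        px[colors] = px.get(colors, 0) + p_without
    for draw in product(range(N), repeat=q):
        colors = tuple(partitions[i][e] for i, e in enumerate(draw))
        py[colors] = py.get(colors, 0) + p_with
    return sum(abs(px.get(c, 0) - py.get(c, 0)) for c in set(px) | set(py)) / 2


def trunc_partition(n, m):
    """Coloring of the proof of Theorem 3: z and z' share a color iff left_m(z) = left_m(z')."""
    return [z >> (n - m) for z in range(1 << n)]


if __name__ == "__main__":
    N, q = 8, 3
    even = trunc_partition(3, 1)                 # colors (4, 4): plain Trunc with n = 3, m = 1
    skewed = [0] + [1] * 7                       # colors (1, 7): same M, very unequal a_j
    four = [0, 0, 1, 1, 2, 2, 3, 3]              # M = 4 colors, used for the third sample
    print("Trunc n=3,m=1,q=3 : exact", float(exact_distance([even] * q)),
          "bound", stam_bound_uniform(q, N, 2))
    print("skewed colors     : exact", float(exact_distance([skewed] * q)),
          "bound", stam_bound_uniform(q, N, 2))
    print("per-sample colors : exact", float(exact_distance([even, skewed, four])),
          "bound", stam_bound(q, N, [2, 2, 4]))
```

For N = 8 and q = 3 the exact distances lie between 0.08 and 0.11 against a bound of about 0.19 (0.29 for the per-sample partition), and the bound is the same for the (4, 4) and the (1, 7) coloring, as noted after Theorem 1: only the exact distance changes with the \(a_j\)'s.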

4 Generalized Truncation

We consider a generalization of \(\mathsf {Trunc}\) of (1) to arbitrary post-processing function. As before, let \(n,m\in \mathbb {N}\) such that \(m\le n\), and \(p\in \mathsf {perm}(n)\). Let \(\mathsf {post}:\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{m}\) be an arbitrary post-processing function. Generalized truncation is defined as

$$\begin{aligned} \mathsf {GTrunc}^p(x) = \mathsf {post}(x,p(x)). \end{aligned}$$
(38)

Generalized truncation is depicted in Fig. 1. For fixed \(x\in \{0,1\}^{n}\) and \(y\in \{0,1\}^{m}\), we define

$$\begin{aligned} \mathsf {post}[x]^{-1}(y) = \left\{ z\in \{0,1\}^{n} \mid \mathsf {post}(x,z)=y\right\} \!. \end{aligned}$$
(39)

The differences between \(\mathsf {GTrunc}\) and \(\mathsf {Trunc}\) are subtle but quite significant, depending on the choice of \(\mathsf {post}\).

  • The generalized description covers \(\mathsf {Trunc}\) of (1) by setting \(\mathsf {post}(x,z)=\mathsf {left}_m(z)\). In Sect. 4.1, we revisit the state of the art on \(\mathsf {Trunc}\) and re-derive the best security bound;

  • In Sect. 4.2, we consider \(\mathsf {GTrunc}\) with balanced and x-independent post-processing, i.e., where the feed-forward of x is discarded, and demonstrate that its security is equivalent to the security of \(\mathsf {Trunc}\);

  • In Sect. 4.3, we consider \(\mathsf {GTrunc}\) with balanced post-processing (not necessarily discarding the feed-forward). In this case a direct reduction to \(\mathsf {Trunc}\) seems impossible but we resort to Stam’s generalized bound of Theorem 2;

  • In Sect. 4.4, we consider \(\mathsf {GTrunc}\) with arbitrary post-processing. Also in this case, we resort to Theorem 2, but additional analysis is needed to make the result carry over.

We elaborate on using a pre-processing function in Sect. 5.

Fig. 1. \(\mathsf {GTrunc}\) of (38) based on n-bit permutation \(p\in \mathsf {perm}(n)\). \(\mathsf {post}\) is any function.

4.1 Plain Truncation

We consider the case of plain truncation: \(\mathsf {Trunc}\) of (1), or equivalently \(\mathsf {GTrunc}\) of (38) with \(\mathsf {post}(x,z)=\mathsf {left}_m(z)\).

Truncation first appeared in Hall et al. [30]. It is known to be secure up to approximately \(2^{n-m/2}\) queries [6, 12, 25, 30, 47]. We describe the bound as a direct implication of Stam’s bound of Theorem 1. For educational interest, Bhattacharya and Nandi [12] gave a self-contained proof of this result in the chi-squared method: they derived the exact same bound, which should not come as surprise in light of Remark 1 in Sect. 2.1.

Theorem 3

(Security of \(\mathsf {Trunc}\)). Let \(q,n,m\in \mathbb {N}\) such that \(m\le n\). Consider \(\mathsf {GTrunc}\) of (38) with \(\mathsf {post}(x,z)=\mathsf {left}_m(z)\). For any distinguisher \(\mathcal {D}\) making at most q queries,

$$\begin{aligned} \mathbf {Adv}_{\mathsf {Trunc}}^{\mathrm {prf}}(\mathcal {D}) \le \frac{1}{2}\left( \frac{(2^m-1)q(q-1)}{(2^n-1)(2^n-q+1)}\right) ^{1/2}\,. \end{aligned}$$
(40)

Proof

Fix a deterministic distinguisher \(\mathcal {D}\) that makes q queries. Let \(X^{\mathsf {Trunc}^p}\) denote the probability distribution of interactions with \(\mathsf {Trunc}^p\) for \(p\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\), and \(Y^f\) the probability distribution of interaction with \(f\xleftarrow {{\scriptscriptstyle \$}}\mathsf {func}(n,m)\). By (11),

$$\begin{aligned} \mathbf {Adv}_{\mathsf {Trunc}}^{\mathrm {prf}}(\mathcal {D})\le \varDelta (X^{\mathsf {Trunc}^p},Y^{f}). \end{aligned}$$
(41)

Put \(N=2^n\), \(M=2^m\), and define the M colors by the first m bits of the sampling, i.e., two elements \(z,z'\in \{0,1\}^{n}\) have the same color if \(\mathsf {left}_m(z)=\mathsf {left}_m(z')\). Consider the samplings X and Y of Sect. 3. Clearly, \(\varDelta (X,X^{\mathsf {Trunc}^p})=0\): in \(X^{\mathsf {Trunc}^p}\) one samples without replacement and only reveals the first m bits of the drawing, which is equivalent to revealing the color. As all color sets are of equal size \(a_1=\dots =a_{2^m}=2^{n-m}\), we also have \(\varDelta (Y^f,Y)=0\). Thus, by the triangle inequality,

$$\begin{aligned} \mathbf {Adv}_{\mathsf {Trunc}}^{\mathrm {prf}}(\mathcal {D})\le \varDelta (X^{\mathsf {Trunc}^p},Y^{f}) = \varDelta (X,Y). \end{aligned}$$
(42)

The result now immediately follows from Theorem 1.    \(\square \)

For \(q\le 2^{n-1}\), the bound of Theorem 3 simplifies to \(\left( \left( {\begin{array}{c}q\\ 2\end{array}}\right) /2^{2n-m}\right) ^{1/2}\), which is small as long as \(q\ll 2^{n-m/2}\). The bound is known to be tight: Hall et al. [30] already presented a distinguisher \(\mathcal {D}\) meeting this bound up to a constant, but their distinguisher did not come with an exact analysis. Gilboa and Gueron presented a more detailed attack [26], and we repeat a simplification of their bound.

Theorem 4

(Insecurity of \(\mathsf {Trunc}\) [26, Proposition 2, simplified]). Let \(n,m\in \mathbb {N}\) such that \(m\le n\). Consider \(\mathsf {GTrunc}\) of (38) with \(\mathsf {post}(x,z)=\mathsf {left}_m(z)\). There exists a distinguisher \(\mathcal {D}\) making \(q=2^{n-m/2-3}\) queries, such that

$$\begin{aligned} \mathbf {Adv}_{\mathsf {Trunc}}^{\mathrm {prf}}(\mathcal {D}) \ge \frac{1}{400}\left( 1 - e^{-1/306}\right) . \end{aligned}$$
(43)

4.2 Balanced and x-Independent Post-processing

We consider security of \(\mathsf {GTrunc}\) in a limited setting where \(\mathsf {post}\) is independent of its first input x (\(\mathsf {post}(\cdot ,z)\) is constant for every z) and where it is balanced (the set \(\mathsf {post}[x]^{-1}(y)\) is of the same size for all x, y). Already in the original introduction, Hall et al. [30] remarked that the analysis of \(\mathsf {Trunc}\) carries over to balanced post-processing functions, and it also follows immediately from Theorem 1 (with different color sets, but still all of equal size \(2^{n-m}\) as the function is balanced). As a bonus, we present an analysis of this case that reduces the security of \(\mathsf {GTrunc}\) with balanced and x-independent \(\mathsf {post}\) to \(\mathsf {Trunc}\).

Theorem 5

(Security of \(\mathsf {GTrunc}\) with balanced and x-independent \(\mathsf {post}\)). Let \(q,n,m\in \mathbb {N}\) such that \(m\le n\). Consider \(\mathsf {GTrunc}\) of (38) with balanced and x-independent \(\mathsf {post}\). For any distinguisher \(\mathcal {D}\),

$$\begin{aligned} \mathbf {Adv}_{\mathsf {GTrunc}}^{\mathrm {prf}}(\mathcal {D}) = \mathbf {Adv}_{\mathsf {Trunc}}^{\mathrm {prf}}(\mathcal {D}). \end{aligned}$$
(44)

Proof

Without loss of generality, consider \(\mathsf {post}:\{0,1\}^{n}\rightarrow \{0,1\}^{m}\) and write \(\mathsf {GTrunc}^p\) as

$$\begin{aligned} \mathsf {GTrunc}^p(x) = \mathsf {post}\circ p(x). \end{aligned}$$
(45)

As \(\mathsf {post}\) is balanced, there exists a balanced function \(\mathsf {post}':\{0,1\}^{n}\rightarrow \{0,1\}^{n}\) such that

$$\begin{aligned} \mathsf {post}= \mathsf {left}_m\circ \mathsf {post}'. \end{aligned}$$
(46)

Let \(p\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\), and consider any distinguisher \(\mathcal {D}\) whose goal it is to distinguish \(\mathsf {GTrunc}^p\) from \(f\xleftarrow {{\scriptscriptstyle \$}}\mathsf {func}(n,m)\). Defining \(p'=\mathsf {post}'\circ p\), we obtain that

$$\begin{aligned} \mathsf {GTrunc}^p = \mathsf {post}\circ p = \mathsf {left}_m\circ \mathsf {post}'\circ p = \mathsf {left}_m\circ p' = \mathsf {Trunc}^{p'}, \end{aligned}$$
(47)

and thus that

$$\begin{aligned} \mathbf {Adv}_{\mathsf {GTrunc}}^{\mathrm {prf}}(\mathcal {D}) = \mathbf {Adv}_{\mathsf {Trunc}}^{\mathrm {prf}}(\mathcal {D}), \end{aligned}$$
(48)

as \(p'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\) iff \(p\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\) (because \(\mathsf {post}'\) is n-to-n and balanced).    \(\square \)

4.3 Balanced Post-processing

We consider security of \(\mathsf {GTrunc}\) in a more general setting: \(\mathsf {post}\) is any balanced function. We consider this to be the most interesting configuration, as for unbalanced post-processing, security decreases (see Sect. 4.4).

Theorem 6

(Security of \(\mathsf {GTrunc}\) with balanced \(\mathsf {post}\)). Let \(q,n,m\in \mathbb {N}\) such that \(m\le n\). Consider \(\mathsf {GTrunc}\) of (38) with balanced \(\mathsf {post}\). For any distinguisher \(\mathcal {D}\) making at most q queries,

$$\begin{aligned} \mathbf {Adv}_{\mathsf {GTrunc}}^{\mathrm {prf}}(\mathcal {D}) \le \frac{1}{2}\left( \frac{(2^m-1)q(q-1)}{(2^n-1)(2^n-q+1)}\right) ^{1/2}. \end{aligned}$$
(49)

Proof

Fix a deterministic distinguisher \(\mathcal {D}\) that makes q queries. Let \(X^{\mathsf {GTrunc}^p}\) denote the probability distribution of interactions with \(\mathsf {GTrunc}^p\) for \(p\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\), and \(Y^f\) the probability distribution of interaction with \(f\xleftarrow {{\scriptscriptstyle \$}}\mathsf {func}(n,m)\). By (11),

$$\begin{aligned} \mathbf {Adv}_{\mathsf {GTrunc}}^{\mathrm {prf}}(\mathcal {D})\le \varDelta (X^{\mathsf {GTrunc}^p},Y^f). \end{aligned}$$
(50)

Put \(N=2^n\), \(M=2^m\). For ease of reasoning, assume (for now) that the distinguisher makes queries \(x_1,\dots ,x_q\). For each query \(x_i\) (\(i=1,\dots ,q\)), define the M colors by the sets \(A_{i,j}:=\mathsf {post}[x_i]^{-1}(j)\) of (39) for \(j\in \{0,1\}^m\). The q queries thus define q partitions of the N elements into M colors \(A_{i,1}\cup \dots \cup A_{i,M}\) for \(i=1,\dots ,q\). Consider the samplings X and Y of Sect. 3. Clearly, \(\varDelta (X,X^{\mathsf {GTrunc}^p})=0\) as in the proof of Theorem 3: the i-th response \(\mathsf {post}(x_i,p(x_i))\) reveals exactly the color of the i-th drawing under the i-th partition. As \(\mathsf {post}\) is balanced, all color sets are of equal size \(a_{i,1}=\dots =a_{i,M}=2^{n-m}\) for \(i=1,\dots ,q\). We therefore also have \(\varDelta (Y^f,Y)=0\). Thus, by the triangle inequality,

$$\begin{aligned} \mathbf {Adv}_{\mathsf {GTrunc}}^{\mathrm {prf}}(\mathcal {D})\le \varDelta (X,Y). \end{aligned}$$
(51)

We obtain our bound on the remaining distance from Theorem 2. As this bound holds for any possible distinguisher, and any possible selection of inputs \(x_1,\dots ,x_q\), we can maximize over all possible deterministic distinguishers. (Formally, the analysis of Theorem 2 consists of a per-query analysis of \( KL (X_{i+1};Y_{i+1} \mid \varvec{X}_i, \varvec{Y}_i)\), where the derived bound in (37) is independent of the \(a_{i+1,j}\)’s and thus of the input \(x_{i+1}\).) This completes the proof.    \(\square \)

It is not straightforward to analyze tightness for the general \(\mathsf {GTrunc}\) construction, i.e., to derive a lower bound. As demonstrated by Gilboa and Gueron [26], the analysis for plain truncation is already highly involved: including a feed-forward of the input only frustrates the analysis, and influences the per-query probability of a response to occur (unlike the case of plain \(\mathsf {Trunc}\) of Sect. 4.1 and \(\mathsf {GTrunc}\) without feed-forward of Sect. 4.2). However, it is possible to argue tightness for a reasonable simplification of \(\mathsf {GTrunc}\). In detail, if \(\mathsf {post}:\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{m}\) is linear in x, i.e.,

$$\begin{aligned} \mathsf {post}(x,y) = \mathbf {A}\cdot x \oplus \mathsf {post}'(y) \end{aligned}$$
(52)

for some matrix \(\mathbf {A}\in \{0,1\}^{m\times n}\) and arbitrary \(\mathsf {post}':\{0,1\}^{n}\rightarrow \{0,1\}^{m}\), an adversary can “undo the feed-forward” by deciding to attack

$$\begin{aligned} (\mathsf {GTrunc}')^p(x)&= \mathsf {GTrunc}^p(x) \oplus \mathbf {A}\cdot x \end{aligned}$$
(53)
$$\begin{aligned}&= \mathsf {post}'(p(x)). \end{aligned}$$
(54)

In this way, it returns to the simpler case of Theorem 5. More involved post-processing functions, where x is used to transform y (e.g., by rotation or multiplication) do not fall victim to this technique.

4.4 Arbitrary Post-processing

We finally consider \(\mathsf {GTrunc}\) with arbitrary post-processing, where we only assume that every value \(y\in \{0,1\}^{m}\) occurs with positive probability, i.e., \(\mathsf {post}[x]^{-1}(y)\ne \emptyset \) for all x and y (this is the condition \(a_{i,j}>0\) of Theorem 2). Let \(\gamma \in \mathbb {N}\cup \{0\}\) be such that \(\big | |\mathsf {post}[x]^{-1}(y)| - 2^{n-m}\big |\le \gamma \) for any \(x\in \{0,1\}^{n}\) and \(y\in \{0,1\}^{m}\). This value \(\gamma \) measures the unbalancedness of \(\mathsf {post}\): for \(\gamma \) close to 0, \(\mathsf {post}\) is close to a balanced function, and \(\gamma =0\) recovers the setting of Theorem 6.

Theorem 7

(Security of \(\mathsf {GTrunc}\) with arbitrary \(\mathsf {post}\)). Let \(q,n,m\in \mathbb {N}\) such that \(m\le n\). Consider \(\mathsf {GTrunc}\) of (38) with arbitrary \(\mathsf {post}\). For any distinguisher \(\mathcal {D}\) making at most q queries,

$$\begin{aligned} \mathbf {Adv}_{\mathsf {Trunc}}^{\mathrm {prf}}(\mathcal {D}) \le \frac{1}{2}\left( \frac{(2^m-1)q(q-1)}{(2^n-1)(2^n-q+1)}\right) ^{1/2} + \left( \frac{1}{2}q\left( \frac{\gamma }{2^{n-m}}\right) ^2\right) ^{1/2}. \end{aligned}$$
(55)

Proof

The proof is identical to that of Theorem 6, with one important exception: \(\mathsf {post}\) does not need to be balanced, and hence \(\varDelta (Y^f,Y)\ge 0\). We will use Pinsker’s inequality (7) on the chi-squared divergence (9) to bound this term. For any \(i=1,\dots ,q\), \(\varvec{j}_{i-1}\in \{1,\dots ,2^m\}^{i-1}\), and \(j\in \{1,\dots ,2^m\}\),

$$\begin{aligned}&\mathbf {Pr}\left( ({Y^f})_i=j \mid (\varvec{Y^f})_{i-1}=\varvec{j}_{i-1}\right) = \mathbf {Pr}\left( ({Y^f})_i=j\right) = \frac{1}{2^m},\end{aligned}$$
(56)
$$\begin{aligned}&\mathbf {Pr}\left( Y_i=j \mid \varvec{Y}_{i-1}=\varvec{j}_{i-1}\right) = \mathbf {Pr}\left( Y_i=j\right) = \frac{a_{i,j}}{2^n}. \end{aligned}$$
(57)

In particular, for both \(Y^f\) and Y the drawing of the i-th element is independent of the first \(i-1\) samples. From the chi-squared divergence (9), for which we translate its inductive formula [23] to our setting, we obtain

$$\begin{aligned} \chi ^2(Y;Y^f)&\le \sum _{i=1}^q \sum _{j=1}^{2^m} \frac{\big (\mathbf {Pr}\left( Y_{i}=j\right) - \mathbf {Pr}\left( (Y^f)_{i}=j\right) \big )^2}{\mathbf {Pr}\left( (Y^f)_{i}=j\right) }\end{aligned}$$
(58)
$$\begin{aligned}&= \sum _{i=1}^q \sum _{j=1}^{2^m} \frac{1}{2^{2n-m}} \left( a_{i,j} - 2^{n-m}\right) ^2. \end{aligned}$$
(59)

Using that \(|a_{i,j}-2^{n-m}|\le \gamma \), we can proceed:

$$\begin{aligned} \chi ^2(Y;Y^f)&\le \sum _{i=1}^q \sum _{j=1}^{2^m} \frac{\gamma ^2}{2^{2n-m}}\end{aligned}$$
(60)
$$\begin{aligned}&= q\left( \frac{\gamma }{2^{n-m}}\right) ^2. \end{aligned}$$
(61)

The proof is completed using Pinsker’s inequality (7).    \(\square \)

The first part of the bound of Theorem 7 is identical to that of Theorem 6, and the comments on tightness carry over. The second part of the bound comes from the bounding of \(\varDelta (Y^f,Y)\), and in this bounding we use the estimation \(|a_{i,j}-2^{n-m}|\le \gamma \), which is non-tight for most of the choices for \((i,j)\). We see no way of attacking the scheme with query complexity around \((2^{n-m}/\gamma )^2\), but it is reasonable to assume that the security degrades with the bias in the balancedness of \(\mathsf {post}\).

It is interesting to note that, had we used the Kullback-Leibler divergence (6) instead of the chi-squared divergence (9), we would have derived

$$\begin{aligned} KL (Y;Y^f) \le q \left( 1 + \frac{\gamma }{2^{n-m}}\right) \log \left( 1 + \frac{\gamma }{2^{n-m}}\right) , \end{aligned}$$
(62)

which is in turn at most

$$\begin{aligned} q \left( 1 + \frac{\gamma }{2^{n-m}}\right) \left( \frac{\gamma }{2^{n-m}}\right) \end{aligned}$$
(63)

as \(\log (\alpha )\le \alpha -1\) (for any \(\alpha >0\)). In other words, the non-tightness of \(|a_{i,j}-2^{n-m}|\le \gamma \) would have amplified into a slightly worse overall bound. We remark that this does not contradict (8).
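To make the quantity \(\gamma \) of Sect. 4.4 and the comparison between the chi-squared and Kullback-Leibler routes concrete, the following Python code is an added example, not code from the paper. It computes \(\gamma \) exhaustively for two constructed post-processing functions (`post_balanced` and `post_unbalanced`, with toy parameters n = 8, m = 4), evaluates the right-hand side of (55), and compares the chi-squared bound (61) with the KL bounds (62) and (63). The post functions, the parameters and the choice of the natural logarithm in (62) are assumptions for the illustration; the permutation p does not appear, since \(\gamma \) depends on \(\mathsf {post}\) alone.

```python
"""Unbalancedness gamma of a GTrunc post-processing function and the resulting bounds (added example)."""
import math

N_BITS = 8  # n (toy value, so that preimage sizes can be counted exhaustively)
M_BITS = 4  # m


def left_m(y):
    """Plain truncation: the m leftmost bits of an n-bit value."""
    return y >> (N_BITS - M_BITS)


def post_balanced(x, y):
    """Constructed balanced post: for every x, y -> left_m(y xor x) hits each output 2^{n-m} times."""
    return left_m(y ^ x)


def post_unbalanced(x, y):
    """Constructed unbalanced post: outputs that would be 0b1111 are moved to 0b1110 for odd y,
    so 0b1111 keeps 2^{n-m-1} preimages, 0b1110 gets 3 * 2^{n-m-1}, all others stay at 2^{n-m}."""
    j = left_m(y ^ x)
    if j == 0b1111 and (y & 1):
        return 0b1110
    return j


def gamma_of(post):
    """Exhaustively compute gamma = max over x, y of | |post^{-1}[x](y)| - 2^{n-m} |.
    Raises ValueError if some output never occurs, which Sect. 4.4 excludes by assumption."""
    target = 1 << (N_BITS - M_BITS)
    worst = 0
    for x in range(1 << N_BITS):
        counts = [0] * (1 << M_BITS)
        for y in range(1 << N_BITS):
            counts[post(x, y)] += 1
        if min(counts) == 0:
            raise ValueError("post does not output every value with positive probability")
        worst = max(worst, max(abs(c - target) for c in counts))
    return worst


def bound_theorem7(q, n, m, gamma):
    """Right-hand side of eq. (55): the Theorem 6 collision term plus the bias term."""
    collision_term = 0.5 * math.sqrt(((2 ** m - 1) * q * (q - 1)) / ((2 ** n - 1) * (2 ** n - q + 1)))
    bias_term = math.sqrt(0.5 * q * (gamma / 2 ** (n - m)) ** 2)
    return collision_term + bias_term


def chi2_bound(q, n, m, gamma):
    """Eq. (61): chi^2(Y; Y^f) <= q (gamma / 2^{n-m})^2."""
    return q * (gamma / 2 ** (n - m)) ** 2


def kl_bound(q, n, m, gamma):
    """Eq. (62): KL(Y; Y^f) <= q (1 + r) log(1 + r) with r = gamma / 2^{n-m} (natural log assumed)."""
    r = gamma / 2 ** (n - m)
    return q * (1 + r) * math.log(1 + r)


def kl_bound_relaxed(q, n, m, gamma):
    """Eq. (63): the weaker q (1 + r) r obtained from log(alpha) <= alpha - 1."""
    r = gamma / 2 ** (n - m)
    return q * (1 + r) * r


if __name__ == "__main__":
    for name, post in (("balanced", post_balanced), ("unbalanced", post_unbalanced)):
        g = gamma_of(post)
        print(f"{name}: gamma = {g}")
        for q in (2, 4, 16):
            print(f"  q={q:2d}  (55)={bound_theorem7(q, N_BITS, M_BITS, g):.4f}"
                  f"  chi2 (61)={chi2_bound(q, N_BITS, M_BITS, g):.4f}"
                  f"  KL (62)={kl_bound(q, N_BITS, M_BITS, g):.4f}"
                  f"  KL (63)={kl_bound_relaxed(q, N_BITS, M_BITS, g):.4f}")
```

For `post_balanced` one gets \(\gamma = 0\) and (55) collapses to the Theorem 6 term; for `post_unbalanced` one gets \(\gamma = 2^{n-m-1} = 8\), so the bias term \(\sqrt{q/8}\) dominates already for small q, and for every \(\gamma > 0\) the numbers show (61) < (62) < (63), which is the amplification discussed above.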

5 Note on Including Pre-processing Function

One might consider generalizing \(\mathsf {GTrunc}\) of (38) even further to include an arbitrary pre-processing function \(\mathsf {pre}:\{0,1\}^{n}\rightarrow \{0,1\}^{n}\) as well:

$$\begin{aligned} (\mathsf {GTrunc}')^p(x) = \mathsf {post}(x,p(\mathsf {pre}(x))). \end{aligned}$$
(64)

However, we see no justification for doing so. If \(\mathsf {pre}\) is balanced, it is necessarily invertible and one can “absorb” it into p as done in the analysis of Sect. 4.2. If it is unbalanced, this means that there exist distinct \(x,x'\) such that \(\mathsf {pre}(x)=\mathsf {pre}(x')\), and consequently, the evaluations \((\mathsf {GTrunc}')^p(x)\) and \((\mathsf {GTrunc}')^p(x')\) use the same source of randomness:

$$\begin{aligned} p(\mathsf {pre}(x)) = p(\mathsf {pre}(x')). \end{aligned}$$
(65)

This does not immediately lead to an attack, most importantly as \(\mathsf {post}\) only outputs \(m\le n\) bits. If, in particular, \(m\ll n\), a distinguisher may not notice that the same randomness is employed. Nevertheless, unbalanced \(\mathsf {pre}\)’s seem to set the stage for a weaker generalized truncation.