The Advantage of Truncated Permutations

Let $m < n$ be non-negative integers. An oracle chooses a permutation $\pi$ of $\{0, 1\}^{n}$ uniformly at random. When queried with an $n$-bit string $w$, it truncates the last $m$ bits of $\pi (w)$, and returns the remaining first $n-m$ bits. Such truncated random permutations were suggested by Hall et al., in 1998, as a construction of a Pseudo Random Function. They conjectured that the distinguishing advantage of this PRF, given a budget of $q$ queries, ${\bf Adv}_{n, m} (q)$, is small if $q = o (2^{(m+n)/2})$. They established a general upper bound on ${\bf Adv}_{n, m} (q)$, which confirms the conjecture only for $m < n/7$. The conjecture was essentialy confirmed by Bellare and Impagliazzo in 1999. Nevertheless, the problem of estimating ${\bf Adv}_{n, m} (q)$ remained open. Combining the trivial bound $1$, the birthday bound, and a result that Stam had published much earlier in 1978, in a different context, leads to the following upper bound: ${\bf Adv}_{n,m}(q)=O\left(\min\left\{\frac{q^2}{2^n},\,\frac{q}{2^{\frac{n+m}{2}}},\,1\right\}\right)$ This paper settles the open problem by showing that this bound is tight.