Constructions of Beyond-Birthday Secure PRFs from Random Permutations, Revisited

Abstract

In CRYPTO 2019, Chen et al. showed how to construct pseudorandom functions (PRFs) from random permutations (RPs), and they gave one beyond-birthday secure construction from sum of Even-Mansour, namely $\mathsf{SoEM}\mathsf{22}$ in the single-key setting. In this paper, we improve their work by proving the multi-key security of $\mathsf{SoEM}\mathsf{22}$, and further tweaking $\mathsf{SoEM}\mathsf{22}$ but still preserving beyond birthday bound (BBB) security. Furthermore, we use only one random permutation to construct parallelizable and succinct beyond-birthday secure PRFs in the multi-key setting, and then tweak this new construction. Moreover, with a slight modification of our constructions of tweakable PRFs, two parallelizable nonce based MACs for variable length messages are obtained.

1. Introduction

Random numbers are widely used in engineering practice. In particular, randomization is central to cryptography. One can generate random numbers by using physical random sources such as chaos-based [1] and quantum-based [2] random number generator. However, obtaining random numbers from physical phenomena requires high quality of the entropy source, and is also device-dependent so that the corresponding cost is not cheap. Besides, in some cryptographic applications, the way of generating random numbers above is not friendly due to its uncontrollability. Motivated by cryptographic applications, Blum and Micali [3] and Yao [4] formalized the modern notation of pseudorandom generators from the perspectives in computational complexity. Later, Goldreich et al. [5] proposed the concept of pseudorandom functions (PRFs). Informally, $F(K,·)$ is said to be a PRF where K is a uniformly random string with enough entropy, if for any input x, $F(K,x)$ can be computed efficiently and can not be distinguished from a truly random value. PRFs are important in cryptography with fruitful applications in encryption, identification, and authentication.

In theory, PRFs can be obtained from one-way functions [5,6], but this general transformation is not practical. Some other algebraic constructions, such as number theory-based [7,8] or lattice-based PRFs [9,10,11], are still inefficient. Therefore, it is significant to construct PRFs from symmetric primitives both in theory and practice. There are a series of works to build the PRFs from pseudorandom permutations (PRPs)/block ciphers [12,13,14]. Recently, Chen et al. [15] proposed a method to construct PRFs from random permutations (RPs). In [15], the construction $\mathsf{SoEM}\mathsf{22}$ (which means sum of one-round Even-Mansour based on two independent permutations) was proved beyond-birthday secure in the single-key setting.

About $\mathsf{SoEM}\mathsf{22}$, there are three questions we may ask: (i) Is $\mathsf{SoEM}\mathsf{22}$ beyond-birthday secure in the multi-key setting? (ii) Can $\mathsf{SoEM}\mathsf{22}$ be tweaked while preserving BBB security? (iii) If the underlying random permutations can be computed efficiently in both forward and inverse directions, can we construct beyond-birthday secure PRFs by using only one permutation in both multi-key and tweakable cases?

Fortunately, we can give positive answers to these questions. First, we prove that $\mathsf{SoEM}\mathsf{22}$ is beyond-birthday secure in the multi-key setting. Informally, it means that for any distinguisher who distinguishes m independent n-to-n-bit keyed functions from m independent ideal random functions, its advantage does not depend on m. However, in this case the distinguisher still needs to make at least $\mathcal{O}\left(2^{2n/3}\right)$ queries to achieve a noticeable advantage.

Second, we tweak the construction $\mathsf{SoEM}\mathsf{22}$, inspired by the work [16]. A tweakable PRF, $F:\mathcal{K}\times \mathcal{T}\times {\{0,1\}}^n\to {\{0,1\}}^n$, means that one can associate a tweak space $\mathcal{T}$ to the key space $\mathcal{K}$. For any key k randomly sampled from $\mathcal{K}$, one can choose different tweaks $t\in \mathcal{T}$ to compute $y=F(k,t,x)$ even on the same input x.

Following the idea in [17], we solve the third question, and construct beyond-birthday secure PRFs in the multi-key setting from one bidirectionally efficient random permutation. Then this new construction from a single permutation can also be tweaked while preserving BBB security.

1.1. Our Contributions

In this paper, we enhance the security of $\mathsf{SoEM}\mathsf{22}$ [15] by showing that

$$\begin{array}{c}\hfill F_{K_1,K_2}^{P_1,P_2}\left(x\right)=P_1(x\oplus K_1)\oplus P_2(x\oplus K_2)\oplus K_1\oplus K_2\end{array}$$

(1)

is beyond-birthday secure in the multi-key setting, where ⊕ denotes the bitwise XOR operator, $P_1$ and $P_2$ are two independent random permutations, x is an n-bit input, and $K_1$ and $K_2$ are two n-bit uniformly random strings. Furthermore, we can tweak the construction $\mathsf{SoEM}\mathsf{22}$, while preserving BBB security, as

$$\begin{array}{c}\hfill {\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^{P_1,P_2}(t,x)=P_1(x\oplus H_{K_h^1}\left(t\right))\oplus P_2(x\oplus H_{K_h^2}\left(t\right))\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right),\end{array}$$

(2)

where $H_{K_h^1}$ and $H_{K_h^2}$ are uniformly and independently sampled from the regular and almost-XOR universal (AXU) keyed hash family, t is a tweak, and x is an n-bit input.

Chen et al. [15] first constructed beyond-birthday secure PRFs from random permutations. Later, Chakraborti et al. [18] suggested and designed minimally structured beyond-birthday secure RPFs (i.e., by using only one random permutation). Following this line of study, we design a parallelizable beyond-birthday secure PRF in the multi-key setting from one bidirectionally efficient random permutation P as

$$\begin{array}{c}\hfill F_{K_1,K_2}^P\left(x\right)=P(x\oplus K_1)\oplus P^{-1}(x\oplus K_2)\oplus K_1\oplus K_2,\end{array}$$

(3)

where $K_1$, $K_2$, and x are the same as those in Equation (1). We tweak this new construction as

$$\begin{array}{c}\hfill {\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^P(t,x)=P(x\oplus H_{K_h^1}\left(t\right))\oplus P^{-1}(x\oplus H_{K_h^2}\left(t\right))\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right),\end{array}$$

(4)

where $H_{K_h^1}$, $H_{K_h^2}$, x, and t are the same as those in Equation (2).

Moreover, from our two constructions of tweakble PRFs, we can give two nonce based MACs for variable length messages. In particular, when one replaces the input x (resp. the tweak t) in Equations (2) and (4) by an n-bit nonce N (resp. a message M), one can obtain two parallelizable beyond-birthday secure nonce based MACs as

$$\begin{array}{c}\hfill T=P_1(N\oplus H_{K_h^1}\left(M\right))\oplus P_2(N\oplus H_{K_h^2}\left(M\right))\oplus H_{K_h^1}\left(M\right)\oplus H_{K_h^2}\left(M\right)\end{array}$$

(5)

and

$$\begin{array}{c}\hfill T=P(N\oplus H_{K_h^1}\left(M\right))\oplus P^{-1}(N\oplus H_{K_h^2}\left(M\right))\oplus H_{K_h^1}\left(M\right)\oplus H_{K_h^2}\left(M\right).\end{array}$$

(6)

1.2. Related Works

Based on two random permutations $P_1$ and $P_2$, Cogliati et al. [16] constructed a beyond-birthday secure tweakable Even-Mansour (TEM) as

$$\begin{array}{c}\hfill {\mathsf{TEM}}_{H_{K_h^1},H_{K_h^2}}^{P_1,P_2}(t,x)=P_2(P_1(x\oplus H_{K_h^1}\left(t\right))\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right))\oplus H_{K_h^2}\left(t\right),\end{array}$$

(7)

where $H_{K_h^1}$ and $H_{K_h^2}$ are uniformly and independently sampled from the uniform and AXU keyed hash family, t is a tweak, and x is an n-bit input. Later, Dutta [17] gave a beyond-birthday secure TEM from one permutation as

$$\begin{array}{c}\hfill {\mathsf{TEM}}_{H_{K_h^1},H_{K_h^2}}^P(t,x)=P(P(x\oplus H_{K_h^1}\left(t\right))\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right))\oplus H_{K_h^2}\left(t\right),\end{array}$$

(8)

where P is a random permutation, and $H_{K_h^1}$, $H_{K_h^1}$, t, and x are the same as those in (7). Compared with Equations (7) and (8), our constructions in Equations (2) and (4) are parallelizable.

Chakraborti et al. [18] constructed beyond-birthday secure PRFs from random permutations with minimal structure (i.e., from one random permutation P) as

$$P^{-1}(P(K\oplus x)\oplus 3K\oplus x)\oplus 2K,$$

where K is an n-bit key, x is an n-bit input, and 2 is a primitive element in the finite field ${\mathbb{F}}_{2^n}$ so that $2K$ denotes the multiplication of 2 and K over ${\mathbb{F}}_{2^n}$. Recently, Dutta et al. [19] proved that the construction

$$P(P(K_1\oplus x)\oplus K_2\oplus K_1\oplus x)\oplus K_1$$

is also a beyond-birthday secure PRF, where $K_1$ and $K_2$ are two n-bit uniformly random strings. However, all these two constructions were proved beyond-birthday secure only in the single-key setting. Compared with them, Equation (3) is parallelizable and can be proved beyond-birthday secure in the multi-key setting.

Besides, Chakraborti et al. [18] also gave a nonce based MAC for variable length messages as

$$T=P^{-1}(P(K\oplus N)\oplus 3K\oplus N\oplus H_{K_h}\left(M\right))\oplus 2K,$$

where K is an n-bit key, N is an n-bit nonce, M is a variable length message, and $H_{K_h}$ is uniformly sampled from the keyed hash family with three properties: regular, AXU, and 3-way regular.

1.3. Technical Overview

The basic technique to prove the BBB security of our constructions is the H-Coefficient technique [20,21]. As an example, we intuitively introduce the core idea of the security proof for the construction ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^P$ in Equation (4). Let $\Phi$ be a random function from $\mathcal{T}\times {\{0,1\}}^n$ to ${\{0,1\}}^n$, where $\mathcal{T}$ is the tweakable space. Denote ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^P:\mathcal{T}\times {\{0,1\}}^n\mapsto {\{0,1\}}^n$ as in Equation (4). Given a deterministic distinguisher D who has access query to the primitive oracle P and to the construction oracle ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^P$ or $\Phi$, the goal of D is to distinguish which construction oracle it interacts with. Set ${\overline{\mathcal{Q}}}_P=\{(u_1,v_1),\dots ,(u_p,v_p)\}$ as all p query-response tuples for the primitive oracle, and ${\overline{\mathcal{Q}}}_F=\{(t_1,x_1,y_1),\dots ,(t_q,x_q,y_q)\}$ as all q query-response tuples for the construction oracle. Then, ${\overline{\mathcal{Q}}}_F$ and ${\overline{\mathcal{Q}}}_P$ along with $H_{K_h^1}$ and $H_{K_h^2}$ are called a transcript, denoted by $\overline{\tau }=\{{\overline{\mathcal{Q}}}_F,{\overline{\mathcal{Q}}}_P,(H_{K_h^1},H_{K_h^2})\}$. When D interacts with $\Phi$, the transcript $\overline{\tau }$ is said in the ideal world; otherwise, $\overline{\tau }$ is said in the real world.

In general, all possible transcripts are divided into bad transcripts and good transcripts. The key to use the H-Coefficient technique is to define bad transcripts in the ideal world with a low proportion. Furthermore, one also needs to show that the probability of any good transcript in the ideal world is close to its probability in the real world. After observing the transcript, the distinguisher will use this information to test whether it is compatible with ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^P$. Based on this fact, one can briefly interpret how to define bad transcripts by the following example. Assume that there exist $(t,x,y)\in {\overline{\mathcal{Q}}}_F$ and $(u_1,v_1),(u_2,v_2)\in {\overline{\mathcal{Q}}}_P$ such that $H_{K_h^1}\left(t\right)\oplus x=u_1$ and $H_{K_h^2}\left(t\right)\oplus x=v_2$ (this event is denoted by ${\mathsf{Bad}}_1$). Then in the real world, one must have $y=v_1\oplus u_2\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right)$. However, in the ideal world, the probability that this equation holds is at most $1/2^n$. In this case, the distinguisher has a significant advantage. If $H_{K_h^1}$ and $H_{K_h^2}$ are independently chosen from the uniform keyed hash family, then one has

$$Pr[(H_{K_h^1}\left(t\right)=x\oplus u_1)\wedge (H_{K_h^2}\left(t\right)=x\oplus v_2)]\le \frac{1}{2^{2n}}.$$

By union bound, the probability of ${\mathsf{Bad}}_1$ in the ideal world can be upper bounded by $q{p}^2/2^{2n}$. This advantage is secure roughly up to $p=q=\mathcal{O}\left(2^{2n/3}\right)$ adversarial queries. We illustrate some other bad cases for transcript $\overline{\tau }$ in Figure 1, where (1) in Figure 1 is for the above example.

Figure 1. Graphical representation of the motivation to define bad cases for the transcript in the ideal world, which corresponds to the bad conditions from (C-1) to (C-12) in Section 4. In this graph, the same color in different lines means that there exists a collision between these places.

For any good transcript, to prove that its probability in the real world is almost close to the one in the ideal world, it needs to show that the number of choices for unfixed maps of P is large enough. Let $U=\{u_1\in {\{0,1\}}^n:(u_1,v_1)\in {\overline{\mathcal{Q}}}_P\}$, $V=\{v_1\in {\{0,1\}}^n:(u_1,v_1)\in {\overline{\mathcal{Q}}}_P\}$, $U_F=\{H_{K_h^1}\left(t\right)\oplus x:(t,x,y)\in {\overline{\mathcal{Q}}}_F\}$, and $V_F=\{H_{K_h^2}\left(t\right)\oplus x:(t,x,y)\in {\overline{\mathcal{Q}}}_F\}$. Then the good transcript ensures that $U\cap U_F=\varnothing$ (resp. $V\cap V_F=\varnothing$) and all items in $U_F$ (resp. $V_F$) are distinct. The next goal is to choose distinct values for $\{P(H_{K_h^1}\left(t\right)\oplus x):(t,x,y)\in {\overline{\mathcal{Q}}}_F\}$ (resp. $\{P^{-1}(H_{K_h^2}\left(t\right)\oplus x):(t,x,y)\in {\overline{\mathcal{Q}}}_F\}$) such that $\{P(H_{K_h^1}\left(t\right)\oplus x):(t,x,y)\in {\overline{\mathcal{Q}}}_F\}\cap (V\cup V_F)=\varnothing$, $\{P(H_{K_h^1}\left(t\right)\oplus x)\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right)\oplus y:(t,x,y)\in {\overline{\mathcal{Q}}}_F\}\cap (U\cup U_F)=\varnothing$, and all items in $\{P(H_{K_h^1}\left(t\right)\oplus x)\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right)\oplus y:(t,x,y)\in {\overline{\mathcal{Q}}}_F\}$ are distinct (resp. $\{P^{-1}(H_{K_h^2}\left(t\right)\oplus x):(t,x,y)\in {\overline{\mathcal{Q}}}_F\}\cap (U\cup U_F)=\varnothing$, $\{P^{-1}(H_{K_h^2}\left(t\right)\oplus x)\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right)\oplus y:(t,x,y)\in {\overline{\mathcal{Q}}}_F\}\cap (V\cup V_F)=\varnothing$, and all items in $\{P^{-1}(H_{K_h^2}\left(t\right)\oplus x)\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right)\oplus y:(t,x,y)\in {\overline{\mathcal{Q}}}_F\}$ are distinct). However, this strategy is not enough to achieve the BBB security. To deal with this problem, we adopt the main idea in [17,22] to count more possible choices for unfixed maps of P, and this idea allows that $\{P(H_{K_h^1}\left(t\right)\oplus x):(t,x,y)\in {\overline{\mathcal{Q}}}_F\}\cap V_F\ne \varnothing$. Informally, it means that there exist some pairs $((t,x,y),(t^{\prime },x^{\prime },y^{\prime }))\in {\overline{\mathcal{Q}}}_F\times {\overline{\mathcal{Q}}}_F$ such that $P(x\oplus H_{K_h^1}\left(t\right))\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right)\oplus y=x^{\prime }\oplus H_{K_h^1}\left(t^{\prime }\right)$ or $P^{-1}(x\oplus H_{K_h^2}\left(t\right))\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right)\oplus y=x^{\prime }\oplus H_{K_h^2}\left(t^{\prime }\right)$. Take the first case for example, one has

$$\{\begin{array}{c}x\oplus H_{K_h^1}\left(t\right)\stackrel{P}{⟼}{x}^{\prime }\oplus H_{K_h^1}\left(t^{\prime }\right)\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right)\oplus y,\hfill \\ x^{\prime }\oplus H_{K_h^1}\left(t^{\prime }\right)\stackrel{P}{⟼}x\oplus H_{K_h^2}\left(t\right),\hfill \\ x\oplus H_{K_h^2}\left(t\right)\oplus H_{K_h^1}\left(t^{\prime }\right)\oplus H_{K_h^2}\left(t^{\prime }\right)\oplus y^{\prime }\stackrel{P}{⟼}{x}^{\prime }\oplus H_{K_h^2}\left(t^{\prime }\right).\hfill \end{array}$$

(9)

To ensure that the maps in (9) are valid, $x^{\prime }\oplus H_{K_h^1}\left(t^{\prime }\right)\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right)\oplus y$ can not be equal to previous fixed inputs of P, and $x\oplus H_{K_h^2}\left(t\right)\oplus H_{K_h^1}\left(t^{\prime }\right)\oplus H_{K_h^2}\left(t^{\prime }\right)\oplus y^{\prime }$ can not be equal to previous fixed outputs of P. Since $\Phi$ is a random function from $\mathcal{T}\times {\{0,1\}}^n$ to ${\{0,1\}}^n$, then $y=\Phi (t,x)$ is uniformly and independently distributed for each distinct query $(t,x)$ in the ideal world. Due to this property, one can define the good transcripts to ensure that the number of rational maps in (9) is large enough. At the same time, it guarantees that the proportion of the corresponding bad transcripts in the ideal world can also achieve a beyond birthday bound. For more details, please refer to Section 4.

1.4. Organization

The rest of this paper is organized as follows. In Section 2, we introduce some necessary notations and basic tools. In Section 3, we prove the multi-key security of $\mathsf{SoEM}\mathsf{22}$, further tweak the construction $\mathsf{SoEM}\mathsf{22}$, and finally construct parallelizable nonce based MACs from two permutations. The constructions of beyond-birthday secure PRFs from one permutation in both multi-key and tweakable settings are given in Section 4, and we also design parallelizable nonce based MACs from one permutation in this section. Finally, Section 5 concludes this paper.

2. Preliminaries

2.1. Notations

For any $n\in \mathbb{Z}$, we simplify the set $\{1,\dots ,n\}$ as $\left[n\right]$, and denote the set of all n-bit strings by ${\{0,1\}}^n$. For any finite set $\mathcal{S}$, $s\stackrel{\$}{\leftarrow }\mathcal{S}$ means that s is sampled uniformly from $\mathcal{S}$. Besides, $\left|S\right|$ denotes the size of S. For any sets $\mathcal{X}$ and $\mathcal{Y}$, $\mathsf{Func}(\mathcal{X},\mathcal{Y})$ includes all functions from $\mathcal{X}$ to $\mathcal{Y}$, and we simply write $\mathsf{Func}\left(n\right)$ for $\mathsf{Func}({\{0,1\}}^n,{\{0,1\}}^n)$. Furthermore, $\mathsf{Perm}\left(n\right)$ denotes the set of all permutations on ${\{0,1\}}^n$. For any two integers q and N such that $1\le q\le N$, define ${\left(N\right)}_q=N(N-1)\dots (N-q+1)$. In particular, ${\left(N\right)}_0=1$.

$\mathcal{Q}=\{(x_1,y_1),\dots ,(x_p,y_p)\}$ is said a well-defined n-bit permutation-compatible set if $x_1,\dots ,x_p\in {\{0,1\}}^n$ (resp. $y_1,\dots ,y_p\in {\{0,1\}}^n$) are all distinct. Given a well-defined permutation-compatible set $\mathcal{Q}$, we say that the permutation $P\in \mathsf{Perm}\left(n\right)$ extends $\mathcal{Q}$, denoted by $P⊢\mathcal{Q}$, if $P\left(x_i\right)=y_i$ for all $i\in \left[p\right]$. For another well-defined n-bit permutation-compatible set ${\mathcal{Q}}^{\prime }=\{(x_1^{\prime },y_1^{\prime }),\dots ,(x_{p^{\prime }}^{\prime },y_{p^{\prime }}^{\prime })\}$, ${\mathcal{Q}}^{\prime }$ and $\mathcal{Q}$ are called disjoint if $x_i\ne x_j^{\prime }$ and $y_i\ne y_j^{\prime }$ for any $i\in \left[p\right]$ and $j\in \left[p^{\prime }\right]$. Given the disjoint n-bit permutation-compatible set $\mathcal{Q}$ and ${\mathcal{Q}}^{\prime }$, for any random permutation $P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$ satisfying $P⊢\mathcal{Q}$, the probability of $P⊢{\mathcal{Q}}^{\prime }$ is $1/{(2^n-p)}_{p^{\prime }}$, which is denoted by

$$Pr[P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right):P⊢{\mathcal{Q}}^{\prime }|P⊢\mathcal{Q}]=\frac{1}{{(2^n-p)}_{p^{\prime }}}.$$

For any function $F:\mathcal{D}\to \mathcal{V}$, given the set $\mathcal{S}=\{(x_1,y_1),\dots ,(x_q,y_q):(x_i,y_i)\in \mathcal{D}\times \mathcal{V}\}$, $F⊢\mathcal{S}$ means that $F\left(x_i\right)=y_i$ for any $(x_i,y_i)\in \mathcal{S}$.

Given two sets U and $U^{\prime }$, we say that U is disjoint with $U^{\prime }$ if $U\cap U^{\prime }=\varnothing$. Let $\mathcal{U}=\{U_1,\dots ,U_m\}$ be a collection of finite sets. Then $\mathcal{U}$ is called a disjoint collection if for any $i\ne j\in \left[m\right]$, $U_i$ is disjoint with $U_j$. In this case, the size of $\mathcal{U}$ is defined as $\left|\mathcal{U}\right|=|U_1|+\dots +|U_m|$. Two disjoint collections $\mathcal{U}=\{U_1,\dots ,U_m\}$ and ${\mathcal{U}}^{\prime }=\{U_1^{\prime },\dots ,U_n^{\prime }\}$ are called inner disjoint if $U_i\cap U_{i^{\prime }}^{\prime }=\varnothing$ for any $i\in \left[m\right],i^{\prime }\in \left[n\right]$. Let $S_{\mathsf{mul}}$ be a multi-set, and let ${\delta }_{S_{\mathsf{mul}}}\left(x\right)$ denote the multiplicity of x in $S_{\mathsf{mul}}$. When $S_{\mathsf{mul}}$ is called a set, it means that all the repeated items in it are viewed as a unique item. Throughout this paper, when we discuss the size of $S_{\mathsf{mul}}$, which is denoted by $|S_{\mathsf{mul}}|$, the items in $S_{\mathsf{mul}}$ are counted without considering the multiplicity.

Definition 1

(Universal Hash Functions). Let n be a positive integer. Assume that ${\mathcal{K}}_H$ and $\mathcal{X}$ are two finite sets. Let $\mathcal{H}={\left(H_{K_h}\right)}_{K_h\in {\mathcal{K}}_H}$ be a keyed hash family from $\mathcal{X}$ to ${\{0,1\}}^n$, where ${\mathcal{K}}_H$ is the hash key space. $\mathcal{H}$ is called ${ϵ}_1$-regular if for any $t\in \mathcal{X}$ and any $y\in {\{0,1\}}^n$, it holds that

$$Pr[K_h\stackrel{\$}{\leftarrow }{\mathcal{K}}_H:H_{K_h}\left(t\right)=y]\le {ϵ}_1.$$

$\mathcal{H}$ is called ${ϵ}_2$-almost XOR-universal (${ϵ}_2$-AXU) if for any distinct $t,t^{\prime }\in \mathcal{X}$ and any $y\in {\{0,1\}}^n$, it holds that

$$Pr[K_h\stackrel{\$}{\leftarrow }{\mathcal{K}}_H:H_{K_h}\left(t\right)\oplus H_{K_h}\left(t^{\prime }\right)=y]\le {ϵ}_2.$$

$\mathcal{H}$ is said XOR-universal (resp. uniform) if it is $2^{-n}$-AXU (resp. $2^{-n}$-regular).

Next, we briefly describe an example of $\frac{l}{2^n}$-regular and $\frac{l}{2^n}$-AXU keyed hash family [18,23] for some constant $l\in \mathbb{N}$. Let M be any binary string with $\left|M\right|<l·n$, and set ${\mathcal{K}}_H={\{0,1\}}^n$. Then we pad M as $M\left|\right|{10}^s=M_1\left|\right|\dots \left|\right|M_l$, where $s=l·n-\left|M\right|-1$, $0^s$ denotes the all zero s bits, and $M_i\in {\{0,1\}}^n$ for each $i\in \left[l\right]$. For any $K_h\in {\mathcal{K}}_H$, the keyed hash is defined as:

$$\begin{array}{c}\hfill {\mathsf{Poly}}_{H_{K_h}}\left(M\right)=M_l·K_h\oplus M_{l-1}·K_h^2\oplus \dots \oplus M_1·K_h^l,\end{array}$$

(10)

where $K_h$ and $M_i$ ($i\in \left[l\right]$) are viewed as the elements in ${\mathbb{F}}_{2^n}$, and · denotes the multiplication in ${\mathbb{F}}_{2^n}$.

Remark 1.

The keyed hash family $\mathcal{H}$ is said to be ϵ-3-way regular, if for any $y\in {\{0,1\}}^n$ and any three distinct inputs t, $t^{\prime }$, and $t^{″}\in \mathcal{X}$, it holds that

$$Pr[K_h\stackrel{\$}{\leftarrow }{\mathcal{K}}_H:H_{K_h}\left(t\right)\oplus H_{K_h}\left(t^{\prime }\right)\oplus H_{K_h}\left(t^{″}\right)=y]\le ϵ.$$

2.2. The H-Coefficient Technique

One important tool used in our proofs is the H-Coefficient technique [21], which can be used to upper bound the statistical distance between the query-answers from two interactive systems. For convenience, we focus on the modernization version of Chen and Steinberger [20].

Let $P_1,\dots ,P_r\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$ be r independent random permutations, and $\mathcal{K}$ be the key space. In this paper, we only consider the case $r\in \{1,2\}$ and $\mathcal{K}={\{0,1\}}^{2n}$. The randomly sampled $2n$-bit key can be parsed as $(K_1,K_2)\stackrel{\$}{\leftarrow }{\{0,1\}}^{2n}$, where $K_1$ and $K_2$ are two independent n-bit uniformly random strings. Then based on r public permutations $P_1,\dots ,P_r$, $F_{K_1,K_2}^{P_1,\dots ,P_r}:{\{0,1\}}^n\to {\{0,1\}}^n$ denotes the keyed function indexed by $(K_1,K_2)\in {\{0,1\}}^{2n}$. Besides, let $\phi \stackrel{\$}{\leftarrow }\mathsf{Func}\left(n\right)$ be an ideal random function. Then for any deterministic distinguisher $\mathcal{D}$ who has query access to the oracle ${\mathcal{O}}_{\mathsf{re}}=(F_{K_1,K_2}^{P_1,\dots ,P_r};P_1^{\pm },\dots ,P_r^{\pm })$ in the real world, or the oracle ${\mathcal{O}}_{\mathsf{id}}=(\phi ;P_1^{\pm },\dots ,P_r^{\pm })$ in the ideal world, the advantage of $\mathcal{D}$ to distinguish which oracle it has access to is defined by

$$\begin{array}{c}\hfill {\mathbf{Adv}}_F\left(\mathcal{D}\right)=|Pr[{\mathcal{D}}^{{\mathcal{O}}_{\mathsf{re}}}=1]-Pr[{\mathcal{D}}^{{\mathcal{O}}_{\mathsf{id}}}=1]|.\end{array}$$

(11)

As shown in Figure 2, in the multi-key setting, the goal of distinguisher $\mathcal{D}$ is to distinguish m keyed functions $(F_{K_1^1,K_2^1}^{P_1,\dots ,P_r},\dots ,F_{K_1^m,K_2^m}^{P_1,\dots ,P_r})$ from m independent ideal random functions ${\phi }_1,\dots ,{\phi }_m\stackrel{\$}{\leftarrow }\mathsf{Func}\left(n\right)$, where $(K_1^1,K_2^1),\dots ,(K_1^m,K_2^m)\stackrel{\$}{\leftarrow }{\{0,1\}}^{2n}$ are m independent keys. In this case, let ${\mathcal{O}}_{\mathsf{id}}=({\phi }_1,\dots ,{\phi }_m, P_1^{\pm },\dots ,P_r^{\pm })$ be the oracle in the ideal world, and ${\mathcal{O}}_{\mathsf{re}}=(F_{K_1^1,K_2^1}^{P_1,\dots ,P_r},\dots ,F_{K_1^m,K_2^m}^{P_1,\dots ,P_r}, P_1^{\pm },\dots ,P_r^{\pm })$ be the oracle in the real world. The advantage of the distinguisher $\mathcal{D}$ to distinguish these two oracles can be defined as the same in (11), but here we use ${\mathbf{Adv}}_{F_{K_1,K_2}^{P_1,\dots ,P_r}}^{mk}\left(\mathcal{D}\right)$ to identify the multi-key case.

Figure 2. The illustration of the RP-based keyed function $F_{K_1,K_2}^{P_1,\dots ,P_r}$ in the multi-key setting, where the distinguisher D interacts with the real oracle at left, and with the ideal oracle at right.

Let $\mathcal{H}$ be an ${ϵ}_1$-regular and ${ϵ}_2$-AXU keyed hash family from $\mathcal{T}$ to ${\{0,1\}}^n$. Then we use two independent keyed hash functions $(H_{K_h^1},H_{K_h^2})\stackrel{\$}{\leftarrow }{\mathcal{H}}^2$ to tweak the keyed function $F_{K_1,K_2}^{P_1,\dots ,P_r}$ as ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^{P_1,\dots ,P_r}:\mathcal{T}\times {\{0,1\}}^n\to {\{0,1\}}^n$ such that ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^{P_1,\dots ,P_r}(t,x)=F_{(H_{K_h^1}\left(t\right),H_{K_h^2}\left(t\right))}^{P_1,\dots ,P_r}\left(x\right)$. In addition, the ideal tweakable random function can be denoted as $\Phi :\mathcal{T}\times {\{0,1\}}^n\to {\{0,1\}}^n$, i.e., $\Phi \stackrel{\$}{\leftarrow }\mathsf{Func}(\mathcal{T}\times {\{0,1\}}^n,{\{0,1\}}^n)$. In this case, let ${\mathcal{O}}_{\mathsf{re}}=({\mathsf{TPRF}}_{H_{K_1},H_{K_2}}^{P_1,\dots ,P_r}, P_1^{\pm },\dots ,P_r^{\pm })$ be the oracle in the real world, and ${\mathcal{O}}_{\mathsf{id}}=(\Phi , P_1^{\pm },\dots ,P_r^{\pm })$ be the oracle in the ideal world. For any distinguisher $\mathcal{D}$, its advantage can be defined as the same in (11), but here we use ${\mathbf{Adv}}_{{\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^{P_1,\dots ,P_r}}^{tweak}\left(\mathcal{D}\right)$ to identify the tweakable case.

The security proofs in both multi-key and tweakable settings are similar. Therefore, we prove these two cases in a unified approach. For two independently and randomly sampled functions $f_1$ and $f_2$ from $\mathsf{Func}(\mathcal{T},{\{0,1\}}^n)$, $(f_1,f_2)$ is said a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair if it satisfies two properties in the following:

(i)

${ϵ}_1$-$\mathbf{Regular}.$ For any $t\in \mathcal{T}$ and any $y\in {\{0,1\}}^n$, it holds that

$$Pr[f_i\left(t\right)=y]\le {ϵ}_1,\mathrm{for}i\in \{1,2\}.$$

(ii)

${ϵ}_2$-$\mathbf{AXU}.$ For any distinct $t,t^{\prime }\in \mathcal{T}$ and any $y\in {\{0,1\}}^n$, it holds that

$$Pr[f_i\left(t\right)\oplus f_i\left(t^{\prime }\right)=y]\le {ϵ}_2,\mathrm{for}i\in \{1,2\}.$$

The above two properties are enough for the security proofs in both tweakable and multi-key settings. In the tweakable setting, $(H_{K_h^1},H_{K_h^2})$ is a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair, where $(H_{K_h^1}, H_{K_h^2})\stackrel{\$}{\leftarrow }{\mathcal{H}}^2$. In the multi-key setting, set $\mathcal{T}=\left[m\right]$, and uniformly and randomly sample two independent random functions $f_1,f_2\stackrel{\$}{\leftarrow }\mathsf{Func}(\mathcal{T},{\{0,1\}}^n)$. Then $(f_1,f_2)$ is a good $(2^{-n},2^{-n})$-key-derivation pair. To show the security of the constructions in both tweakable and multi-key settings, we only need to prove the BBB security of the following “unified” function

$$\begin{array}{c}\hfill F_{f_1,f_2}^{P_1,\dots ,P_r}:\mathcal{T}\times {\{0,1\}}^n\to {\{0,1\}}^n,\end{array}$$

where $(f_1,f_2)$ is a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair and $P_1,\dots ,P_r$ ($r\in \{1,2\}$) are r independent random permutations. In this case, let ${\mathcal{O}}_{\mathsf{re}}=(F_{f_1,f_2}^{P_1,\dots ,P_r}, P_1^{\pm },\dots ,P_r^{\pm })$ be the oracle in the real world, and ${\mathcal{O}}_{\mathsf{id}}=(\Phi ,P_1^{\pm },\dots ,P_r^{\pm })$ be the oracle in the ideal world, where $\Phi \stackrel{\$}{\leftarrow }\mathsf{Func}(\mathcal{T}\times {\{0,1\}}^n,{\{0,1\}}^n)$. When the distinguisher $\mathcal{D}$ interactes with ${\mathcal{O}}_{\mathsf{re}}$ or ${\mathcal{O}}_{\mathsf{id}}$, any query-responses along with the good $({ϵ}_1,{ϵ}_2)$-key-derivation pair $(f_1,f_2)\in \mathsf{Func}{(\mathcal{T},{\{0,1\}}^n)}^2$ are called a transcript, denoted by $\tau =(Q_F,Q_{P_1},\dots ,Q_{P_r},(f_1,f_2))$. In addition, $Q_F$ (resp. $Q_{P_i}$, for $1\le i\le r$) records query-responses when the distinguisher D interacts with the construction oracle (resp. the primitive oracle $P_i$ for $1\le i\le r$). Furthermore, $T_{\mathsf{re}}$ (resp. $T_{\mathsf{id}}$) denotes the probability distribution of the interacting transcripts between $\mathcal{D}$ and ${\mathcal{O}}_{\mathsf{re}}$ (resp. ${\mathcal{O}}_{\mathsf{id}}$). A transcript $\tau$ is said attainable if $Pr[T_{\mathsf{id}}=\tau ]>0$. Finally, the advantage of the distinguisher $\mathcal{D}$, to distinguish which oracle it has access to, can be defined as the same in (11), but here we use ${\mathbf{Adv}}_{F_{f_1,f_2}^{P_1,\dots ,P_r}}^{unify}\left(\mathcal{D}\right)$ to identify this unified description.

Let $\mathsf{\Gamma }={\mathsf{\Gamma }}_{\mathsf{good}}\cup {\mathsf{\Gamma }}_{\mathsf{bad}}$ be a partition for the set $\mathsf{\Gamma }$ consisting of all attainable transcripts, where ${\mathsf{\Gamma }}_{\mathsf{good}}$ (resp. ${\mathsf{\Gamma }}_{\mathsf{bad}}$) contains all “good” (resp. “bad”) transcripts. Then the main result of the H-Coefficient technique can be described as the following lemma.

Lemma 1

(H-Coefficient Technique [20,21]). Let D be a deterministic distinguisher, and $T_{\mathsf{re}}$ (resp. $T_{\mathsf{id}}$) be the probability distribution of transcripts in the real world (resp. in the ideal world). Let ${\mathsf{\Gamma }}_{\mathsf{good}}$ and ${\mathsf{\Gamma }}_{\mathsf{bad}}$ be defined above. Assume that there exists $0\le {ϵ}_{\mathsf{ratio}}\le 1$ such that for any $\tau \in {\mathsf{\Gamma }}_{\mathsf{good}}$, it holds that

$$\begin{array}{c}\hfill \frac{Pr[T_{\mathsf{re}}=\tau ]}{Pr[T_{\mathsf{id}}=\tau ]}\ge 1-{ϵ}_{\mathsf{ratio}}.\end{array}$$

Then, ${\mathbf{Adv}}_{F_{f_1,f_2}^{P_1,\dots ,P_r}}^{unify}\left(\mathcal{D}\right)\le {ϵ}_{\mathsf{ratio}}+Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_{\mathsf{bad}}]$.

2.3. Useful Tools

Assume that there are $\mathsf{g}$ “rational” items in an N-size set S. When one samples $\mathsf{s}$ items from S without replacement, $\mathsf{H}$ denotes the random variable which counts the number of “rational” items among these $\mathsf{s}$ items. Then we say that $\mathsf{H}$ follows the hypergeometric distribution with parameters N, $\mathsf{s}$, and $\mathsf{g}$, denoted by $\mathsf{H}\sim {\mathsf{Hyp}}_{N,\mathsf{s},\mathsf{g}}$. For $0\le \alpha \le \mathsf{g}$, one has

$$Pr[\mathsf{H}=\alpha ]=\frac{\left(\genfrac{}{}{0pt}{}{\mathsf{g}}{\alpha }\right)·\left(\genfrac{}{}{0pt}{}{N-\mathsf{g}}{\mathsf{s}-\alpha }\right)}{\left(\genfrac{}{}{0pt}{}{N}{\mathsf{s}}\right)}.$$

In addition, the expectation value of $\mathsf{H}$ is $\mathsf{s}\mathsf{g}/N$, i.e., $\mathbb{E}\left(\mathsf{H}\right)=\mathsf{s}\mathsf{g}/N$.

The following lemma is useful in our proofs.

Lemma 2.

Let A, B, C, and N be positive integers satisfying $A+B\le N/2$ and $A+C\le N/2$. Then we have

$$\prod _{j=0}^{A-1}\frac{N(N-B-C-2j)}{(N-B-j)(N-C-j)}\ge 1-\frac{4A(A+B)(A+C)}{N^2}.$$

Proof. 

$$\begin{array}{cc}\hfill \prod _{j=0}^{A-1}\frac{N(N-B-C-2j)}{(N-B-j)(N-C-j)}& =\prod _{j=0}^{A-1}\frac{(N-B-j)(N-C-j)-(B+j)(C+j)}{(N-B-j)(N-C-j)}\hfill \\ \hfill & =\prod _{j=0}^{A-1}\left(1-\frac{(B+j)(C+j)}{(N-B-j)(N-C-j)}\right)\hfill \\ \hfill & \ge \prod _{j=0}^{A-1}\left(1-\frac{(B+A)(C+A)}{(N-B-A)(N-C-A)}\right)\hfill \\ \hfill & \stackrel{(*)}{\ge }\prod _{j=0}^{A-1}\left(1-\frac{4(B+A)(C+A)}{N^2}\right)\hfill \\ \hfill & \ge \left(1-\frac{4A(B+A)(C+A)}{N^2}\right),\hfill \end{array}$$

where $(*)$ holds since $A+B\le N/2$ and $A+C\le N/2$.  □

3. Multi-Key and Tweakable Secure PRFs from Two Random Permutations

In this section, we prove that the construction $\mathsf{SoEM}\mathsf{22}$ from two random permutations $P_1,P_2\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$ in [15], namely

$$\begin{array}{c}\hfill F_{K_1,K_2}^{P_1,P_2}\left(x\right)=P_1(x\oplus K_1)\oplus P_2(x\oplus K_2)\oplus K_1\oplus K_2,\end{array}$$

(12)

is beyond-birthday secure in the multi-key setting, where $(K_1,K_2)\stackrel{\$}{\leftarrow }{\{0,1\}}^{2n}$ and $x\in {\{0,1\}}^n$.

Let $\mathcal{H}$ be an ${ϵ}_1$-regular and ${ϵ}_2$-AXU keyed hash family from $\mathcal{T}$ to ${\{0,1\}}^n$. Then we can tweak $\mathsf{SoEM}\mathsf{22}$ as

$$\begin{array}{c}\hfill {\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^{P_1,P_2}(t,x)=P_1(x\oplus H_{K_h^1}\left(t\right))\oplus P_2(x\oplus H_{K_h^2}\left(t\right))\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right),\end{array}$$

(13)

where $t\in \mathcal{T}$, $x\in {\{0,1\}}^n$, and $(H_{K_h^1},H_{K_h^2})\stackrel{\$}{\leftarrow }{\mathcal{H}}^2$.

To show the security of $\mathsf{SoEM}\mathsf{22}$ in both multi-key and tweakable settings above, we only need to prove the BBB security of the following “unified” function

$$\begin{array}{c}\hfill F_{f_1,f_2}^{P_1,P_2}(t,x)=P_1(x\oplus f_1\left(t\right))\oplus P_2(x\oplus f_2\left(t\right))\oplus f_1\left(t\right)\oplus f_2\left(t\right),\end{array}$$

(14)

where $P_1,P_2\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$, $(f_1,f_2)\in \mathsf{Func}{(\mathcal{T},{\{0,1\}}^n)}^2$ is a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair, $t\in \mathcal{T}$, and $x\in {\{0,1\}}^n$.

Theorem 1.

Let $n\in \mathbb{N}$, and $(f_1,f_2)\in \mathsf{Func}{(\mathcal{T},{\{0,1\}}^n)}^2$ be a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair. Consider the function $F_{f_1,f_2}^{P_1,P_2}:\mathcal{T}\times {\{0,1\}}^n\to {\{0,1\}}^n$ defined in (14) based on two random permutations $P_1,P_2\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$. For any deterministic distinguisher $\mathcal{D}$ making at most $p_1$ queries to $P_1$, $p_2$ queries to $P_2$, and q queries to construction oracle $F_{f_1,f_2}^{P_1,P_2}$ or Φ such that $p_1+p_2+3q\le 2^{n-1}$, we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{F_{f_1,f_2}^{P_1,P_2}}^{unify}\left(\mathcal{D}\right)\le & 3q{p}_1{p}_2{ϵ}_1^2+\frac{{ϵ}_1({ϵ}_2{q}^2+2\sqrt{q})(p_1+p_2)}{2}+2{ϵ}_2^2{q}^3+{ϵ}_2{q}^{3/2}\hfill \\ \hfill & +\frac{4q{(p_1+p_2+2q)}^2}{2^{2n}}+\frac{2\sqrt{q}(p_1+p_2)}{2^n}+\frac{11q}{2^n}.\hfill \end{array}$$

(15)

In the multi-key setting, one sets $\mathcal{T}=\left[m\right]$ corresponding to m independent random keys, and randomly samples two independent random functions $f_1,f_2\stackrel{\$}{\leftarrow }\mathsf{Func}(\left[m\right],{\{0,1\}}^n)$. Then we can easily conclude that $(f_1,f_2)$ is a good $(2^{-n},2^{-n})$-key-derivation pair. By this fact, one can obtain the following corollary.

Corollary 1.

Let $n,m\in \mathbb{N}$. Consider the keyed function $F_{K_1,K_2}^{P_1,P_2}:{\{0,1\}}^n\to {\{0,1\}}^n$ defined in (12) based on two random permutations $P_1,P_2\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$. For any deterministic distinguisher $\mathcal{D}$ making at most $p_1$ queries to $P_1$, $p_2$ queries to $P_2$, and totally q queries to $F_{K_1^1,K_2^1}^{P_1,P_2},\dots ,F_{K_1^m,K_2^m}^{P_1,P_2}$ (resp. m independent ideal random functions ${\phi }_1,\dots ,{\phi }_m$) such that $p_1+p_2+3q\le 2^{n-1}$, we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{F_{K_1,K_2}^{P_1,P_2}}^{mk}\left(\mathcal{D}\right)\le & \frac{3p_1{p}_{2}q}{2^{2n}}+\frac{q^2(p_1+p_2)}{2^{2n+1}}+\frac{2q^3}{2^{2n}}+\frac{q^{3/2}}{2^n}\hfill \\ \hfill & +\frac{4q{(p_1+p_2+2q)}^2}{2^{2n}}+\frac{3\sqrt{q}(p_1+p_2)}{2^n}+\frac{11q}{2^n}.\hfill \end{array}$$

(16)

Corollary 1 shows that the construction $\mathsf{SoEM}\mathsf{22}$ in (12) is secure roughly up to $p_1=p_2=q=\mathcal{O}\left(2^{2n/3}\right)$ adversarial queries in the multi-key setting.

Similarly, given an ${ϵ}_1$-regular and ${ϵ}_2$-AXU keyed hash family $\mathcal{H}$ from $\mathcal{T}$ to ${\{0,1\}}^n$, one can obtain a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair $(H_{K_h^1},H_{K_h^2})$ for $(H_{K_h^1},H_{K_h^2})\stackrel{\$}{\leftarrow }{\mathcal{H}}^2$, and finally conclude the following corollary.

Corollary 2.

Let $n\in \mathbb{N}$, and $\mathcal{H}$ be an ${ϵ}_1$-regular and ${ϵ}_2$-AXU keyed hash family from $\mathcal{T}$ to ${\{0,1\}}^n$. Consider the tweakable function ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^{P_1,P_2}:\mathcal{T}\times {\{0,1\}}^n\to {\{0,1\}}^n$ defined in (13) from two random permutations $P_1,P_2\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$. For any deterministic distinguisher $\mathcal{D}$ making at most $p_1$ queries to $P_1$, $p_2$ queries to $P_2$, and q queries to ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^{P_1,P_2}$ or Φ such that $p_1+p_2+3q\le 2^{n-1}$, we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{{\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^{P_1,P_2}}^{tweak}\left(\mathcal{D}\right)\le & 3q{p}_1{p}_2{ϵ}_1^2+\frac{{ϵ}_1({ϵ}_2{q}^2+2\sqrt{q})(p_1+p_2)}{2}+2{ϵ}_2^2{q}^3+{ϵ}_2{q}^{3/2}\hfill \\ \hfill & +\frac{4q{(p_1+p_2+2q)}^2}{2^{2n}}+\frac{2\sqrt{q}(p_1+p_2)}{2^n}+\frac{11q}{2^n}.\hfill \end{array}$$

(17)

Assume that $\mathcal{H}$ is uniform (i.e., $2^{-n}$-regular) and XOR-universal (i.e., $2^{-n}$-AXU). Then Corollary 2 shows that ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^{P_1,P_2}$ in Equation (13) is secure roughly up to $p_1=p_2=q=\mathcal{O}\left(2^{2n/3}\right)$ adversarial queries. This means that ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^{P_1,P_2}$ is a beyond-birthday secure tweakable PRF.

Finally, let $\mathcal{M}$ denote a message space. Given an ${ϵ}_1$-regular and ${ϵ}_2$-AXU keyed hash family $\mathcal{H}$ from $\mathcal{M}$ to ${\{0,1\}}^n$, we can construct a nonce based MAC (denoted by $\mathsf{Sum}\mathsf{2}\mathsf{PMAC}$), from two random permutations $P_1,P_2\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$ and $\mathcal{H}$, as

$$\begin{array}{c}\hfill T=P_1(N\oplus H_{K_h^1}\left(M\right))\oplus P_2(N\oplus H_{K_h^2}\left(M\right))\oplus H_{K_h^1}\left(M\right)\oplus H_{K_h^2}\left(M\right),\end{array}$$

(18)

where $(H_{K_h^1},H_{K_h^2})\stackrel{\$}{\leftarrow }{\mathcal{H}}^2$, $M\in \mathcal{M}$ is message, and $N\in {\{0,1\}}^n$ is a nonce. Due to assumption of $\mathcal{H}$, when we set $\mathcal{T}=\mathcal{M}$, then $(H_{K_h^1},H_{K_h^2})$ is a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair. Therefore, the following corollary holds.

Corollary 3.

Let $n\in \mathbb{N}$, and $\mathcal{M}$ be a message space. Let $\mathcal{H}$ be an ${ϵ}_1$-regular and ${ϵ}_2$-AXU keyed hash family from $\mathcal{M}$ to ${\{0,1\}}^n$. Consider the nonce based MAC $\mathsf{Sum}\mathsf{2}\mathsf{PMAC}$ defined in (18) from two random permutations $P_1,P_2\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$. For any deterministic distinguisher $\mathcal{D}$ making at most $p_1$ queries to $P_1$, $p_2$ queries to $P_2$, and q evaluation queries, we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{\mathsf{Sum}\mathsf{2}\mathsf{PMAC}}^{\mathsf{prf}}\left(\mathcal{D}\right)\le & 3q{p}_1{p}_2{ϵ}_1^2+\frac{{ϵ}_1({ϵ}_2{q}^2+2\sqrt{q})(p_1+p_2)}{2}+2{ϵ}_2^2{q}^3+{ϵ}_2{q}^{3/2}\hfill \\ \hfill & +\frac{4q{(p_1+p_2+2q)}^2}{2^{2n}}+\frac{2\sqrt{q}(p_1+p_2)}{2^n}+\frac{11q}{2^n}.\hfill \end{array}$$

(19)

Assume that for any message $M\in \mathcal{M}$, one has $\left|M\right|<n·l$ for some integer $l\in \mathbb{N}$. Then the keyed hash family from $\mathcal{M}$ to ${\{0,1\}}^n$ can be instantiated by the ${\mathsf{Poly}}_{H_{K_h}}$ defined in (10), which is $\frac{l}{2^n}$-regular and $\frac{l}{2^n}$-AXU. In this case, when one sets $p_1=p_2=q$, then ${\mathbf{Adv}}_{\mathsf{Sum}\mathsf{2}\mathsf{PMAC}}^{\mathsf{prf}}\left(\mathcal{D}\right)$ in (19) can be bounded as

$$\frac{(6l^2+64)q^3}{2^{2n}}+\frac{(3l+4)q^{3/2}}{2^n}+\frac{11q}{2^n}.$$

If l is a constant, then $\mathsf{Sum}\mathsf{2}\mathsf{PMAC}$ is a beyond-birthday secure MAC.

Proof of Theorem 1.

For convenience, we follow some notations in [16,17] in this proof. Let $\tau =({\mathcal{Q}}_F,{\mathcal{Q}}_{P_1},{\mathcal{Q}}_{P_2},(f_1,f_2))$ be an attainable transcript, where $|{\mathcal{Q}}_F|=q$, $|{\mathcal{Q}}_{P_1}|=p_1$, and $|{\mathcal{Q}}_{P_2}|=p_2$. In addition, we write these sets more clearly as:

$$\begin{array}{cc}\hfill & {\mathcal{Q}}_F=\{(t_1,x_1,y_1),\dots ,(t_q,x_q,y_q)\},\hfill \\ \hfill & {\mathcal{Q}}_{P_1}=\{(u_{1,1},v_{1,1}),\dots ,(u_{1,p_1},v_{1,p_1})\},\hfill \\ \hfill & {\mathcal{Q}}_{P_2}=\{(u_{2,1},v_{2,1}),\dots ,(u_{2,p_2},v_{2,p_2})\}.\hfill \end{array}$$

We denote

$$\begin{array}{c}\hfill U_1=\{u_1\in {\{0,1\}}^n:(u_1,v_1)\in {\mathcal{Q}}_{P_1}\},V_1=\{v_1\in {\{0,1\}}^n:(u_1,v_1)\in {\mathcal{Q}}_{P_1}\},\end{array}$$

and

$$\begin{array}{c}\hfill U_2=\{u_2\in {\{0,1\}}^n:(u_2,v_2)\in {\mathcal{Q}}_{P_2}\},V_2=\{v_2\in {\{0,1\}}^n:(u_2,v_2)\in {\mathcal{Q}}_{P_2}\}.\end{array}$$

For each $u\in {\{0,1\}}^n$, two associated sets can be defined as:

$$\begin{array}{cc}\hfill & X_u^1=\{(t,x,y)\in {\mathcal{Q}}_F:x\oplus f_1\left(t\right)=u\},X_u^2=\{(t,x,y)\in {\mathcal{Q}}_F:x\oplus f_2\left(t\right)=u\}.\hfill \end{array}$$

Now we define four parameters for transcript $\tau =({\mathcal{Q}}_F,{\mathcal{Q}}_{P_1},{\mathcal{Q}}_{P_2},(f_1,f_2))$ as

$$\begin{array}{cc}\hfill & {\alpha }_1\stackrel{def}{=}\left|\{(t,x,y)\in {\mathcal{Q}}_F:x\oplus f_1\left(t\right)\in U_1\}\right|,\hfill \\ \hfill & {\alpha }_2\stackrel{def}{=}\left|\{(t,x,y)\in {\mathcal{Q}}_F:x\oplus f_2\left(t\right)\in U_2\}\right|,\hfill \\ \hfill & {\beta }_1\stackrel{def}{=}\left|\{(t,x,y)\in {\mathcal{Q}}_F:\exists (t,x,y)\ne (t^{\prime },x^{\prime },y^{\prime }),x\oplus f_1\left(t\right)=x^{\prime }\oplus f_1\left(t^{\prime }\right)\}\right|,\hfill \\ \hfill & {\beta }_2\stackrel{def}{=}\left|\{(t,x,y)\in {\mathcal{Q}}_F:\exists (t,x,y)\ne (t^{\prime },x^{\prime },y^{\prime }),x\oplus f_2\left(t\right)=x^{\prime }\oplus f_2\left(t^{\prime }\right)\}\right|.\hfill \end{array}$$

${\beta }_1$ and ${\beta }_2$ can be also expressed as

$$\begin{array}{c}\hfill {\beta }_1=\sum _{\genfrac{}{}{0pt}{}{x\in {\{0,1\}}^n:}{{\delta }_{D_1}\left(x\right)>1}}{\delta }_{D_1}\left(x\right),{\beta }_2=\sum _{\genfrac{}{}{0pt}{}{x\in {\{0,1\}}^n:}{{\delta }_{D_2}\left(x\right)>1}}{\delta }_{D_2}\left(x\right),\end{array}$$

where $D_1=\{x\oplus f_1\left(t\right):(t,x,y)\in {\mathcal{Q}}_F\}$ and $D_2=\{x\oplus f_2\left(t\right):(t,x,y)\in {\mathcal{Q}}_F\}$.

An attainable transcript $\tau =({\mathcal{Q}}_F,{\mathcal{Q}}_{P_1},{\mathcal{Q}}_{P_2},(f_1,f_2))$ is said bad if any one of the following conditions is satisfied:

• (B-1): $\exists i\in \left[q\right],j\in \left[p_1\right],j^{\prime }\in \left[p_2\right]$ for $(t_i,x_i,y_i)\in {\mathcal{Q}}_F$, $u_{1,j}\in U_1$, and $u_{2,j^{\prime }}\in U_2$ such that $x_i\oplus f_1\left(t_i\right)=u_{1,j}$ and $x_i\oplus f_2\left(t_i\right)=u_{2,j^{\prime }}$.
• (B-2): $\exists i\in \left[q\right],j\in \left[p_1\right],j^{\prime }\in \left[p_2\right]$ for $(t_i,x_i,y_i)\in {\mathcal{Q}}_F$, $(u_{1,j},v_{1,j})\in {\mathcal{Q}}_{P_1}$, and $v_{2,j^{\prime }}\in V_2$ such that $x_i\oplus f_1\left(t_i\right)=u_{1,j}$ and $v_{1,j}\oplus f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=v_{2,j^{\prime }}$.
• (B-3): $\exists i\in \left[q\right],j\in \left[p_1\right],j^{\prime }\in \left[p_2\right]$ for $(t_i,x_i,y_i)\in {\mathcal{Q}}_F$, $v_{1,j}\in V_1$, and $(u_{2,j^{\prime }},v_{2,j^{\prime }})\in {\mathcal{Q}}_{P_2}$ such that $x_i\oplus f_2\left(t_i\right)=u_{2,j^{\prime }}$ and $v_{2,j^{\prime }}\oplus f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=v_{1,j}$.
• (B-4): $\exists i,i^{\prime }\in \left[q\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\mathcal{Q}}_F$ such that $x_i\oplus f_1\left(t_i\right)=x_{i^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)$ and $y_i\oplus f_1\left(t_i\right)\oplus f_2\left(t_i\right)=y_{i^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)$.
• (B-5): $\exists i,i^{\prime }\in \left[q\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\mathcal{Q}}_F$ such that $x_i\oplus f_2\left(t_i\right)=x_{i^{\prime }}\oplus f_2\left(t_{i^{\prime }}\right)$ and $y_i\oplus f_1\left(t_i\right)\oplus f_2\left(t_i\right)=y_{i^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)$.
• (B-6): $\exists i,i^{\prime }\in \left[q\right],j\in \left[p_1\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\mathcal{Q}}_F$, and $u_{1,j}\in U_1$ such that $x_i\oplus f_1\left(t_i\right)=u_{1,j}$ and $x_i\oplus f_2\left(t_i\right)=x_{i^{\prime }}\oplus f_2\left(t_{i^{\prime }}\right)$.
• (B-7): $\exists i,i^{\prime }\in \left[q\right],j\in \left[p_2\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\mathcal{Q}}_F$, and $u_{2,j}\in U_2$ such that $x_i\oplus f_2\left(t_i\right)=u_{2,j}$ and $x_i\oplus f_1\left(t_i\right)=x_{i^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)$.
• (B-8): $\exists i,i^{\prime },i^{″}\in \left[q\right]$ for distinct tuples $(t_i,x_i,y_i),(t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }}),(t_{i^{″}},x_{i^{″}},y_{i^{″}})\in {\mathcal{Q}}_F$, such that $x_i\oplus f_1\left(t_i\right)=x_{i^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)$ and $x_i\oplus f_2\left(t_i\right)=x_{i^{″}}\oplus f_2\left(t_{i^{″}}\right)$.
• (B-9): $\exists i,i^{\prime }\in \left[q\right],j,j^{\prime }\in \left[p_1\right]$ for $(t_i,x_i,y_i),(t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\mathcal{Q}}_F$ and $(u_{1,j},v_{1,j})$, $(u_{1,j^{\prime }},v_{1,j^{\prime }})\in {\mathcal{Q}}_{P_1}$ such that $x_i\oplus f_1\left(t_i\right)=u_{1,j}$, $x_{i^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)=u_{1,j^{\prime }}$, and $f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus v_{1,j}\oplus y_i=f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus v_{1,j^{\prime }}\oplus y_{i^{\prime }}$.
• (B-10): $\exists i,i^{\prime }\in \left[q\right],j,j^{\prime }\in \left[p_2\right]$ for $(t_i,x_i,y_i),(t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\mathcal{Q}}_F$ and $(u_{2,j},v_{2,j})$, $(u_{2,j^{\prime }},v_{2,j^{\prime }})\in {\mathcal{Q}}_{P_2}$ such that $x_i\oplus f_2\left(t_i\right)=u_{2,j}$, $x_{i^{\prime }}\oplus f_2\left(t_{i^{\prime }}\right)=u_{2,j^{\prime }}$, and $f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus v_{2,j}\oplus y_i=f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus v_{2,j^{\prime }}\oplus y_{i^{\prime }}$.
• (B-11): ${\alpha }_1\ge \sqrt{q}$.
• (B-12): ${\alpha }_2\ge \sqrt{q}$.
• (B-13): ${\beta }_1\ge \sqrt{q}$ or ${\beta }_2\ge \sqrt{q}$.

Otherwise, we call $\tau$ a good transcript.

3.1. Analysis of Bad Transcripts

The proportion of all bad transcripts in the ideal world is upper bounded by the following lemma.

Lemma 3.

Let $T_{\mathsf{id}}$ be the probability distribution of transcript $\tau =({\mathcal{Q}}_F,{\mathcal{Q}}_{P_1},{\mathcal{Q}}_{P_2}, (f_1,f_2\left)\right)$ in the ideal world, where $|{\mathcal{Q}}_{P_1}|=p_1$, $|{\mathcal{Q}}_{P_2}|=p_2$, $|{\mathcal{Q}}_F|=q$, and $(f_1,f_2)$ is a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair. Then we have

$$\begin{array}{c}\hfill Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_{\mathsf{bad}}]\le 3q{p}_1{p}_2{ϵ}_1^2+\frac{{ϵ}_1({ϵ}_2{q}^2+2\sqrt{q})(p_1+p_2)}{2}+2{ϵ}_2^2{q}^3+\frac{q}{2^n}+{ϵ}_2{q}^{3/2}.\end{array}$$

Proof. 

Here we assume that there exists no repeated items in ${\mathcal{Q}}_{P_1}$, ${\mathcal{Q}}_{P_2}$, and ${\mathcal{Q}}_F$ w.l.o.g. Then for each distinct construction query $(t,x,y)\in {\mathcal{Q}}_F$, y is sampled uniformly and independently from ${\{0,1\}}^n$ in the ideal world. For each $i\in \left[13\right]$, the set of all transcripts satisfying (B-i) is denoted by ${\mathsf{\Gamma }}_i$. By union bound, one has

$$\begin{array}{c}\hfill Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_{\mathsf{bad}}]\le \sum _{i=1}^{13}Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_i].\end{array}$$

(20)

For each $i\in \left[13\right]$, the way to upper bound $Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_i]$ is similar to that in [16,17,22]. Hence, we give the details in Appendix A. By combining these upper bounds together, the proof of Lemma 3 is finished.  □

3.2. Analysis of Good Transcripts

In Lemma 4, we show that the probability of any good transcript $\tau$ in the real world is close to its probability in the ideal world.

Lemma 4.

Let $T_{\mathsf{id}}$ be the probability distribution of transcripts in the ideal world, and $T_{\mathsf{re}}$ be the probability distribution in the real world. Then for any good transcript $\tau =({\mathcal{Q}}_F,{\mathcal{Q}}_{P_1},{\mathcal{Q}}_{P_2}$, $(f_1,f_2))$ with parameters $p_1$, $p_2$, and q satisfying $p_1+p_2+3q\le 2^{n-1}$, one has

$$\begin{array}{c}\hfill \frac{Pr[T_{\mathsf{re}}=\tau ]}{Pr[T_{\mathsf{id}}=\tau ]}\ge 1-\frac{4q{(p_1+p_2+2q)}^2}{2^{2n}}-\frac{2\sqrt{q}(p_1+p_2)}{2^n}-\frac{10q}{2^n}.\end{array}$$

Proof. 

Given a good transcript $\tau$, we define the following probability

$$\mathsf{p}\left(\tau \right)\stackrel{\mathsf{def}}{=}Pr[P_1,P_2\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right):F_{f_1,f_2}^{P_1,P_2}⊢{\mathcal{Q}}_F|P_1⊢{\mathcal{Q}}_{P_1}\wedge P_2⊢{\mathcal{Q}}_{P_2}].$$

By a simple combinatorial argument, we have

$$\begin{array}{c}\hfill \frac{Pr[T_{\mathsf{re}}=\tau ]}{Pr[T_{\mathsf{id}}=\tau ]}=2^{nq}\mathsf{p}\left(\tau \right).\end{array}$$

(21)

The next goal is to lower bound $\mathsf{p}\left(\tau \right)$. For convenience, define five subsets of ${\mathcal{Q}}_F$ as follows:

$$\begin{array}{c}{\mathcal{Q}}_{U_1}=\{(t,x,y)\in {\mathcal{Q}}_F:x\oplus f_1\left(t\right)\in U_1\},{\mathcal{Q}}_{U_2}=\{(t,x,y)\in {\mathcal{Q}}_F:x\oplus f_2\left(t\right)\in U_2\},\hfill \\ {\mathcal{Q}}_{X_1}=\{(t,x,y)\in {\mathcal{Q}}_F:{\delta }_{D_1}(x\oplus f_1\left(t\right))>1\mathrm{and}x\oplus f_1\left(t\right)\notin U_1\},\hfill \\ {\mathcal{Q}}_{X_2}=\{(t,x,y)\in {\mathcal{Q}}_F:{\delta }_{D_2}(x\oplus f_2\left(t\right))>1\mathrm{and}x\oplus f_2\left(t\right)\notin U_2\},\hfill \\ {\mathcal{Q}}_0=\{(t,x,y)\in {\mathcal{Q}}_F:{\delta }_{D_1}(x\oplus h_1\left(t\right))={\delta }_{D_2}(x\oplus f_2\left(t\right))=1,x\oplus f_1\left(t\right)\notin U_1,\hfill \\ \mathrm{and}x\oplus f_2\left(t\right)\notin U_2\}.\hfill \end{array}$$

Note that $|{\mathcal{Q}}_{U_1}|={\alpha }_1$ and $|{\mathcal{Q}}_{U_2}|={\alpha }_2$. The following proposition tells us that these sets form a partition of ${\mathcal{Q}}_F$.

Proposition 1.

Let $\tau \in {\mathsf{\Gamma }}_{\mathsf{good}}$ be a good transcript. Then the sets $({\mathcal{Q}}_{U_1},{\mathcal{Q}}_{U_2},{\mathcal{Q}}_{X_1},$${\mathcal{Q}}_{X_2},{\mathcal{Q}}_0)$ defined above are pairwise disjoint.

Proof. 

By definition, we have ${\mathcal{Q}}_{U_1}\cap {\mathcal{Q}}_{X_1}=\varnothing$, ${\mathcal{Q}}_{U_2}\cap {\mathcal{Q}}_{X_2}=\varnothing$, and ${\mathcal{Q}}_{U_1}\cap {\mathcal{Q}}_0={\mathcal{Q}}_{U_2}\cap {\mathcal{Q}}_0={\mathcal{Q}}_{X_1}\cap {\mathcal{Q}}_0={\mathcal{Q}}_{X_2}\cap {\mathcal{Q}}_0=\varnothing$. Since $\tau$ does not satisfy (B-1), we have ${\mathcal{Q}}_{U_1}\cap {\mathcal{Q}}_{U_2}=\varnothing$. Moreover, ${\mathcal{Q}}_{U_1}\cap {\mathcal{Q}}_{X_2}=\varnothing$ (resp. ${\mathcal{Q}}_{U_2}\cap {\mathcal{Q}}_{X_1}=\varnothing$) since $\tau$ does not satisfy (B-6) (resp. (B-7)). Finally, ${\mathcal{Q}}_{X_1}\cap {\mathcal{Q}}_{X_2}=\varnothing$ holds due to the fact $\tau \notin {\mathsf{\Gamma }}_8$.  □

We use $E_{U_1}$, $E_{U_2}$, $E_{X_1}$, $E_{X_2}$, and $E_0$ to denote the events that $F_{f_1,f_2}^{P_1,P_2}⊢{\mathcal{Q}}_{U_1},{\mathcal{Q}}_{U_2},{\mathcal{Q}}_{X_1},{\mathcal{Q}}_{X_2}$, and ${\mathcal{Q}}_0$, respectively. Then $F_{f_1,f_2}^{P_1,P_2}⊢{\mathcal{Q}}_F$ is equivalent to $E_{U_1}\wedge E_{U_2}\wedge E_{X_1}\wedge E_{X_2}\wedge E_0$. Hence, it holds that

$$\begin{array}{cc}\hfill \mathsf{p}\left(\tau \right)& =Pr[F_{f_1,f_2}^{P_1,P_2}⊢{\mathcal{Q}}_F|P_i⊢{\mathcal{Q}}_{P_i},i=1,2]\hfill \\ \hfill & =Pr[E_{U_1}\wedge E_{U_2}\wedge E_{X_1}\wedge E_{X_2}\wedge E_0|P_i⊢{\mathcal{Q}}_{P_i},i=1,2]\hfill \\ \hfill & ={\mathsf{p}}^{\prime }\left(\tau \right){\mathsf{p}}^{″}\left(\tau \right),\hfill \end{array}$$

where

$${\mathsf{p}}^{\prime }\left(\tau \right)=Pr[E_{U_1}\wedge E_{U_2}|P_i⊢{\mathcal{Q}}_{P_i},i=1,2],$$

and

$${\mathsf{p}}^{″}\left(\tau \right)=Pr[E_{X_1}\wedge E_{X_2}\wedge E_0|E_{U_1}\wedge E_{U_2}\wedge (P_i⊢{\mathcal{Q}}_{P_i},i=1,2)].$$

The way to compute ${\mathsf{p}}^{\prime }\left(\tau \right)$ and ${\mathsf{p}}^{″}\left(\tau \right)$, and the way to lower bound $\frac{Pr[T_{\mathsf{re}}=\tau ]}{Pr[T_{\mathsf{id}}=\tau ]}$ are similar to those in [16] so that we show the details in Appendix B.  □

Finally, by Lemmas 1, 3, and 4, Theorem 1 can be proved.  □

4. Multi-Key and Tweakable Secure PRFs from One Random Permutation

In this section, we first use one bidirectionally efficient random permutation $P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$ to construct beyond-birthday and multi-key secure PRFs with a parallelizable structure as

$$\begin{array}{c}\hfill F_{K_1,K_2}^P\left(x\right)=P(x\oplus K_1)\oplus P^{-1}(x\oplus K_2)\oplus K_1\oplus K_2\end{array}$$

(22)

where $(K_1,K_2)\stackrel{\$}{\leftarrow }{\{0,1\}}^{2n}$ is the key and $x\in {\{0,1\}}^n$ is the input.

Let $\mathcal{H}$ be an ${ϵ}_1$-regular and ${ϵ}_2$-AXU keyed hash family from $\mathcal{T}$ to ${\{0,1\}}^n$. Then we can tweak the construction $F_{K_1,K_2}^P$ in Equation (22) as

$$\begin{array}{c}\hfill {\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^P(t,x)=P(x\oplus H_{K_h^1}\left(t\right))\oplus P^{-1}(x\oplus H_{K_h^2}\left(t\right))\oplus H_{K_h^1}\left(t\right)\oplus H_{K_h^2}\left(t\right),\end{array}$$

(23)

where $(H_{K_h^1},H_{K_h^2})\stackrel{\$}{\leftarrow }{\mathcal{H}}^2$, $t\in \mathcal{T}$, and $x\in {\{0,1\}}^n$.

As mentioned before, one can simultaneously show that the above two constructions are beyond-birthday secure in the multi-key and the tweakable settings by proving the BBB security of the “unified”function,

$$\begin{array}{c}\hfill F_{f_1,f_2}^P(t,x)=P(x\oplus f_1\left(t\right))\oplus P^{-1}(x\oplus f_2\left(t\right))\oplus f_1\left(t\right)\oplus f_2\left(t\right),\end{array}$$

(24)

where $(f_1,f_2)\in \mathsf{Func}{(\mathcal{T},{\{0,1\}}^n)}^2$ is a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair, $P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$, $t\in \mathcal{T}$, and $x\in {\{0,1\}}^n$.

Theorem 2.

Assume that $n\ge 6$ and $q\ge 64$ are two positive integers. Let $(f_1,f_2)\in \mathsf{Func}{(\mathcal{T},{\{0,1\}}^n)}^2$ be a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair, and $P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$ be a random permutation. Consider the function $F_{f_1,f_2}^P:\mathcal{T}\times {\{0,1\}}^n\to {\{0,1\}}^n$ defined in Equation (24). For any deterministic distinguisher $\mathcal{D}$ making at most p queries to P and q queries to the construction oracle $F_{f_1,f_2}^P$ or Φ such that $p+2q+6\sqrt{q}\le 2^{n-1}$, one has

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{F_{f_1,f_2}^P}^{unify}\left(\mathcal{D}\right)\le & (3q{p}^2+2q^{2}p){ϵ}_1^2+2q^3{ϵ}_2^2+2q^{2}p{ϵ}_1{ϵ}_2+q^{3/2}{ϵ}_2+2p\sqrt{q}{ϵ}_1+\frac{12q}{2^{2n/3}}\hfill \\ \hfill & +\frac{4q{(p+2q+6\sqrt{q})}^2+q^3}{2^{2n}}+\frac{18q^{3/2}+6p\sqrt{q}+9q}{2^n}+\frac{16\sqrt{q}}{2^{n/3}}.\hfill \end{array}$$

(25)

Same to Corollary 1, the following corollary holds.

Corollary 4.

Assume $n\ge 6$ and $q\ge 64$ are two positive integers. Let $P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$ be an n-bit random permutation. Consider the keyed function $F_{K_1,K_2}^P:{\{0,1\}}^n\to {\{0,1\}}^n$ defined in (22). For any deterministic distinguisher $\mathcal{D}$ making at most p queries to P and at most totally q queries to $F_{K_1^1,K_2^1}^P,\dots ,F_{K_1^m,K_2^m}^P$ (resp. m independent ideal random functions ${\phi }_1,\dots ,{\phi }_m$) satisfying $p+2q+6\sqrt{q}\le 2^{n-1}$, we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{F_{K_1,K_2}^P}^{mk}\left(\mathcal{D}\right)\le & \frac{4q{(p+2q+6\sqrt{q})}^2}{2^{2n}}+\frac{3q^3+3q{p}^2+4p{q}^2}{2^{2n}}\hfill \\ \hfill & +\frac{19q^{3/2}+8p\sqrt{q}+9q}{2^n}+\frac{16\sqrt{q}}{2^{n/3}}+\frac{12q}{2^{2n/3}}.\hfill \end{array}$$

(26)

Similarly, given an ${ϵ}_1$-regular and ${ϵ}_2$-AXU keyed hash family $\mathcal{H}$ from $\mathcal{T}$ to ${\{0,1\}}^n$, the following corollary holds.

Corollary 5.

Assume $n\ge 6$ and $q\ge 64$. Let $\mathcal{H}$ be an ${ϵ}_1$-regular and ${ϵ}_2$-AXU keyed hash family from $\mathcal{T}$ to ${\{0,1\}}^n$, and $P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$ be an n-bit random permutation. Consider the tweakable function ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^P:\mathcal{T}\times {\{0,1\}}^n\to {\{0,1\}}^n$ defined in (23). For any deterministic distinguisher $\mathcal{D}$ making at most p queries to P and q queries to ${\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^P$ or Φ such that $p+2q+6\sqrt{q}\le 2^{n-1}$, we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{{\mathsf{TPRF}}_{H_{K_h^1},H_{K_h^2}}^P}^{tweak}\left(\mathcal{D}\right)\le & (3q{p}^2+2q^{2}p){ϵ}_1^2+2q^3{ϵ}_2^2+2q^{2}p{ϵ}_1{ϵ}_2+q^{3/2}{ϵ}_2+2p\sqrt{q}{ϵ}_1+\frac{12q}{2^{2n/3}}\hfill \\ \hfill & +\frac{4q{(p+2q+6\sqrt{q})}^2+q^3}{2^{2n}}+\frac{18q^{3/2}+6p\sqrt{q}+9q}{2^n}+\frac{16\sqrt{q}}{2^{n/3}}.\hfill \end{array}$$

(27)

Denote $\mathcal{M}$ as a message space. Let $\mathcal{H}$ be an ${ϵ}_1$-regular and ${ϵ}_2$-AXU keyed hash family from $\mathcal{M}$ to ${\{0,1\}}^n$. Then we can construct a nonce based MAC denoted by $\mathsf{Sum}\mathsf{1}\mathsf{PMAC}$, from one random permutation $P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$ as

$$\begin{array}{c}\hfill T=P(N\oplus H_{K_h^1}\left(M\right))\oplus P^{-1}(N\oplus H_{K_h^2}\left(M\right))\oplus H_{K_h^1}\left(M\right)\oplus H_{K_h^2}\left(M\right),\end{array}$$

(28)

where $(H_{K_h^1},H_{K_h^2})\stackrel{\$}{\leftarrow }{\mathcal{H}}^2$, $M\in \mathcal{M}$ is message, and $N\in {\{0,1\}}^n$ is a nonce. In this case, $(H_{K_h^1},H_{K_h^2})$ is a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair, and we can obtain the following corollary.

Corollary 6.

Assume $n\ge 3$ and $q\ge 64$. Let $\mathcal{H}$ be an ${ϵ}_1$-regular and ${ϵ}_2$-AXU keyed hash family from $\mathcal{M}$ to ${\{0,1\}}^n$. Consider the nonce based MAC $\mathsf{Sum}\mathsf{1}\mathsf{PMAC}$ defined in (28) based on a random permutation $P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$ and $\mathcal{H}$. For any deterministic distinguisher $\mathcal{D}$ making at most p queries to P and q evaluation queries, we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{\mathsf{Sum}\mathsf{1}\mathsf{PMAC}}^{\mathsf{prf}}\left(\mathcal{D}\right)\le & (3q{p}^2+2q^{2}p){ϵ}_1^2+2q^3{ϵ}_2^2+2q^{2}p{ϵ}_1{ϵ}_2+q^{3/2}{ϵ}_2+2p\sqrt{q}{ϵ}_1+\frac{12q}{2^{2n/3}}\hfill \\ \hfill & +\frac{4q{(p+2q+6\sqrt{q})}^2+q^3}{2^{2n}}+\frac{18q^{3/2}+6p\sqrt{q}+9q}{2^n}+\frac{16\sqrt{q}}{2^{n/3}}.\hfill \end{array}$$

(29)

Let $\mathcal{M}$ denote a message space, where for some $l\in \mathbb{N}$, $\left|M\right|<n·l$ holds for each message $M\in \mathcal{M}$. Then, the keyed hash family from $\mathcal{M}$ to ${\{0,1\}}^n$ can be instantiated by the ${\mathsf{Poly}}_{H_{K_h}}$ defined in (10), which is $\frac{l}{2^n}$-regular and $\frac{l}{2^n}$-AXU. In this setting, when l is set to a constant, then $\mathsf{Sum}\mathsf{1}\mathsf{PMAC}$ is a beyond-birthday secure MAC.

Proof of Theorem 2.

In this proof, we follow some notations in [16,17] for convenience. Let $\overline{\tau }=({\overline{\mathcal{Q}}}_F,{\overline{\mathcal{Q}}}_P,(f_1,f_2))$ be an attainable transcript with $|{\overline{\mathcal{Q}}}_F|=q$ and $|{\overline{\mathcal{Q}}}_P|=p$. We write these sets more clearly as follows:

$$\begin{array}{cc}\hfill & {\overline{\mathcal{Q}}}_F=\{(t_1,x_1,y_1),\dots ,(t_q,x_q,y_q)\},\hfill \\ \hfill & {\overline{\mathcal{Q}}}_P=\{(u_1,v_1),\dots ,(u_p,v_p)\}.\hfill \end{array}$$

We also denote

$$\begin{array}{c}\hfill U=\{u_1\in {\{0,1\}}^n:(u_1,v_1)\in {\overline{\mathcal{Q}}}_P\}\mathrm{and}V=\{v_1\in {\{0,1\}}^n:(u_1,v_1)\in {\overline{\mathcal{Q}}}_P\}\end{array}$$

as domain and range of ${\overline{\mathcal{Q}}}_P$ respectively. For each $u\in {\{0,1\}}^n$, two associated sets can be defined as:

$$\begin{array}{cc}\hfill & {\overline{X}}_u^1=\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_1\left(t\right)=u\}\mathrm{and}{\overline{X}}_u^2=\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_2\left(t\right)=u\}.\hfill \end{array}$$

Now we define four parameters for transcript $\overline{\tau }=({\overline{\mathcal{Q}}}_F,{\overline{\mathcal{Q}}}_P,(f_1,f_2))$ as

$$\begin{array}{cc}\hfill & {\overline{\alpha }}_1\stackrel{def}{=}\left|\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_1\left(t\right)\in U\}\right|,\hfill \\ \hfill & {\overline{\alpha }}_2\stackrel{def}{=}\left|\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_2\left(t\right)\in V\}\right|,\hfill \\ \hfill & {\overline{\beta }}_1\stackrel{def}{=}\left|\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:\exists (t,x,y)\ne (t^{\prime },x^{\prime },y^{\prime }),x\oplus f_1\left(t\right)=x^{\prime }\oplus f_1\left(t^{\prime }\right)\}\right|,\hfill \\ \hfill & {\overline{\beta }}_2\stackrel{def}{=}\left|\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:\exists (t,x,y)\ne (t^{\prime },x^{\prime },y^{\prime }),x\oplus f_2\left(t\right)=x^{\prime }\oplus f_2\left(t^{\prime }\right)\}\right|,\hfill \end{array}$$

where ${\overline{\beta }}_1$ and ${\overline{\beta }}_2$ can be also expressed as

$$\begin{array}{c}\hfill {\overline{\beta }}_1=\sum _{\genfrac{}{}{0pt}{}{x\in {\{0,1\}}^n:}{{\delta }_{{\overline{D}}_1}\left(x\right)>1}}{\delta }_{{\overline{D}}_1}\left(x\right)\mathrm{and}{\overline{\beta }}_2=\sum _{\genfrac{}{}{0pt}{}{x\in {\{0,1\}}^n:}{{\delta }_{{\overline{D}}_2}\left(x\right)>1}}{\delta }_{{\overline{D}}_2}\left(x\right),\end{array}$$

where ${\overline{D}}_1=\{x\oplus f_1\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_F\}$ and ${\overline{D}}_2=\{x\oplus f_2\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_F\}$.

An attainable transcript $\overline{\tau }=({\overline{\mathcal{Q}}}_F,{\overline{\mathcal{Q}}}_P,(f_1,f_2))$ is said bad if any one of the following conditions is satisfied:

• (C-1): $\exists i\in \left[q\right]$ and $j,j^{\prime }\in \left[p\right]$ for $(t_i,x_i,y_i)\in {\overline{\mathcal{Q}}}_F$, $u_j\in U$, and $v_{j^{\prime }}\in V$ such that $x_i\oplus f_1\left(t_i\right)=u_j$ and $x_i\oplus f_2\left(t_i\right)=v_{j^{\prime }}$.
• (C-2): $\exists i\in \left[q\right]$ and $j,j^{\prime }\in \left[p\right]$ for $(t_i,x_i,y_i)\in {\overline{\mathcal{Q}}}_F$, $(u_j,v_j)\in {\overline{\mathcal{Q}}}_P$, and $u_{j^{\prime }}\in U$ such that $x_i\oplus f_1\left(t_i\right)=u_j$ and $v_j\oplus f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=u_{j^{\prime }}$.
• (C-3): $\exists i\in \left[q\right]$ and $j,j^{\prime }\in \left[p\right]$ for $(t_i,x_i,y_i)\in {\overline{\mathcal{Q}}}_F$, $(u_j,v_j)\in {\overline{\mathcal{Q}}}_P$, and $v_{j^{\prime }}\in V$ such that $x_i\oplus f_2\left(t_i\right)=v_j$ and $u_j\oplus f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=v_{j^{\prime }}$.
• (C-4): $\exists i,i^{\prime }\in \left[q\right]$ and $j\in \left[p\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\overline{\mathcal{Q}}}_F$ and $(u_j,v_j)\in {\overline{\mathcal{Q}}}_P$ such that $x_i\oplus f_1\left(t_i\right)=u_j$ and $v_j\oplus f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=x_{i^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)$.
• (C-5): $\exists i,i^{\prime }\in \left[q\right]$ and $j\in \left[p\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\overline{\mathcal{Q}}}_F$ and $(u_j,v_j)\in {\overline{\mathcal{Q}}}_P$ such that $x_i\oplus f_2\left(t_i\right)=v_j$ and $u_j\oplus f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=x_{i^{\prime }}\oplus f_2\left(t_{i^{\prime }}\right)$.
• (C-6): $\exists i,i^{\prime }\in \left[q\right]$ and $j\in \left[p\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\overline{\mathcal{Q}}}_F$ and $u_j\in U$ such that $x_i\oplus f_1\left(t_i\right)=u_j$ and $x_i\oplus f_2\left(t_i\right)=x_{i^{\prime }}\oplus f_2\left(t_{i^{\prime }}\right)$.
• (C-7): $\exists i,i^{\prime }\in \left[q\right]$ and $j\in \left[p\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\overline{\mathcal{Q}}}_F$ and $v_j\in V$ such that $x_i\oplus f_2\left(t_i\right)=v_j$ and $x_i\oplus f_1\left(t_i\right)=x_{i^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)$.
• (C-8): $\exists i,i^{\prime }\in \left[q\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\overline{\mathcal{Q}}}_F$ such that $x_i\oplus f_1\left(t_i\right)=x_{i^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)$ and $f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus y_{i^{\prime }}$.
• (C-9): $\exists i,i^{\prime }\in \left[q\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\overline{\mathcal{Q}}}_F$ such that $x_i\oplus f_2\left(t_i\right)=x_{i^{\prime }}\oplus f_2\left(t_{i^{\prime }}\right)$ and $f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus y_{i^{\prime }}$.
• (C-10):$\exists i,i^{\prime },$ and $i^{″}\in \left[q\right]$ for pairwise distinct $(t_i,x_i,y_i),(t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }}),$ and $(t_{i^{″}},x_{i^{″}},y_{i^{″}})\in {\overline{\mathcal{Q}}}_F$ such that $x_i\oplus f_1\left(t_i\right)=x_{i^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)$ and $x_i\oplus f_2\left(t_i\right)=x_{i^{″}}\oplus f_2\left(t_{i^{″}}\right)$.
• (C-11): $\exists i,i^{\prime }\in \left[p\right]$ and $j,j^{\prime }\in \left[p\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\overline{\mathcal{Q}}}_F$ and $(u_j,v_j)$,$(u_{j^{\prime }},v_{j^{\prime }})\in {\overline{\mathcal{Q}}}_P$ such that $x_i\oplus f_1\left(t_i\right)=u_j$, $x_{i^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)=u_{j^{\prime }}$ and $v_j\oplus f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=v_{j^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus y_{i^{\prime }}$.
• (C-12): $\exists i,i^{\prime }\in \left[p\right]$ and $j,j^{\prime }\in \left[p\right]$ for $(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\overline{\mathcal{Q}}}_F$ and $(u_j,v_j)$,$(u_{j^{\prime }},v_{j^{\prime }})\in {\overline{\mathcal{Q}}}_P$ such that $x_i\oplus f_2\left(t_i\right)=v_j$, $x_{i^{\prime }}\oplus f_2\left(t_{i^{\prime }}\right)=v_{j^{\prime }}$ and $u_j\oplus f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=u_{j^{\prime }}\oplus f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus y_{i^{\prime }}$.
• (C-13): ${\overline{\alpha }}_1\ge \sqrt{q}$.
• (C-14): ${\overline{\alpha }}_2\ge \sqrt{q}$.
• (C-15): ${\overline{\beta }}_1\ge \sqrt{q}$ or ${\overline{\beta }}_2\ge \sqrt{q}$.
• (C-16): $\exists i,i^{\prime },$ and $i^{″}\in \left[q\right]$ for pairwise distinct $(t_i,x_i,y_i),(t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }}),$ and $(t_{i^{″}},x_{i^{″}},y_{i^{″}})\in {\overline{\mathcal{Q}}}_F$ such that $f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus y_{i^{\prime }}$ and $f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=f_1\left(t_{i^{″}}\right)\oplus f_2\left(t_{i^{″}}\right)\oplus y_{i^{″}}$.
• (C-17): For sets ${\overline{\mathcal{Q}}}_0=\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:{\delta }_{{\overline{D}}_1}(x\oplus f_1\left(t\right))={\delta }_{{\overline{D}}_2}(x\oplus f_2\left(t\right))=1,x\oplus f_1\left(t\right)\notin U,x\oplus f_2\left(t\right)\notin V\}$, $\widehat{U}=U\cup \{v\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y:(t,x,y)\in {\overline{\mathcal{Q}}}_F,(u,v)\in {\overline{\mathcal{Q}}}_P,x\oplus f_1\left(t\right)=u\in U\}\cup \{x\oplus f_1\left(t\right):(t,x,y)\in {\mathcal{Q}}_F,x\oplus f_1\left(t\right)\notin U\}$, and $\widehat{V}=V\cup \{u\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y:(t,x,y)\in {\overline{\mathcal{Q}}}_F,(u,v)\in {\overline{\mathcal{Q}}}_P,x\oplus f_2\left(t\right)=v\in V\}\cup \{x\oplus f_2\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_F,x\oplus f_2\left(t\right)\notin V\}$ derived from the transcript, $D_{\widehat{U}}\stackrel{def}{=}\left|\{x_i\oplus f_2\left(t_i\right)\oplus f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus y_{i^{\prime }}\in \widehat{U}:(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\overline{\mathcal{Q}}}_0\}\right|\ge q^{3/2}$ or $D_{\widehat{V}}\stackrel{def}{=}\left|\{x_i\oplus f_1\left(t_i\right)\oplus f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus y_{i^{\prime }}\in \widehat{V}:(t_i,x_i,y_i)\ne (t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})\in {\overline{\mathcal{Q}}}_0\}\right|\ge q^{3/2}$.

Otherwise, $\tau$ is said a good transcript.

4.1. Analysis of Bad Transcripts

Let ${\mathsf{\Gamma }}_i^{\prime }$ be the set of all transcripts satisfying (C-i) for $i\in \left[17\right]$. The proportion of all bad transcripts in the ideal world can be upper bounded in the following lemma.

Lemma 5.

Let $T_{\mathsf{id}}$ be the probability distribution of transcript $\overline{\tau }=({\overline{\mathcal{Q}}}_F,{\overline{\mathcal{Q}}}_P, (f_1,f_2))$ in the ideal world, where $|{\overline{\mathcal{Q}}}_P|=p$, $|{\overline{\mathcal{Q}}}_F|=q$, and $(f_1,f_2)$ is a good $({ϵ}_1,{ϵ}_2)$-key-derivation pair. Then we have

$$\begin{array}{cc}\hfill Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_{\mathsf{bad}}]\le & (3q{p}^2+2q^{2}p){ϵ}_1^2+2q^3{ϵ}_2^2+2q^{2}p{ϵ}_1{ϵ}_2+q^{3/2}{ϵ}_2\hfill \\ \hfill & +2p\sqrt{q}{ϵ}_1+\frac{q+2\sqrt{q}(p+q)}{2^n}+\frac{q^3}{2^{2n}}.\hfill \end{array}$$

Proof. 

Let $T_{\mathsf{id}}=({\overline{\mathcal{Q}}}_F,{\overline{\mathcal{Q}}}_P,(f_1,f_2))$ be any attainable transcript in the ideal world, where ${\overline{\mathcal{Q}}}_P$ includes p permutation pairs from the interaction between distinguisher D and P. For each distinct construction query $(t,x,y)\in {\overline{\mathcal{Q}}}_F$, y is sampled uniformly and independently from ${\{0,1\}}^n$. Without loss of generality, we assume that there exists no repeated items in ${\overline{\mathcal{Q}}}_F$ and ${\overline{\mathcal{Q}}}_P$.

The probabilities of $T_{\mathsf{id}}$ in ${\mathsf{\Gamma }}_{\mathsf{bad}}$ can be upper bounded as

$$Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_{\mathsf{bad}}]\le \underset{{\mathsf{Bad}}_{M_1}}{\underbrace{{\sum }_{i=1}^{15}Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_i^{\prime }]}}+\underset{{\mathsf{Bad}}_{M_2}}{\underbrace{Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_{16}^{\prime }]+Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_{17}^{\prime }]}}.$$

(30)

For ${\mathsf{Bad}}_{M_1}$, one can obtain the following upper bound

$$\begin{array}{c}\hfill {\mathsf{Bad}}_{M_1}\le (3q{p}^2+2q^{2}p){ϵ}_1^2+2q^3{ϵ}_2^2+2q^{2}p{ϵ}_1{ϵ}_2+2p\sqrt{q}{ϵ}_1+q^{3/2}{ϵ}_2+\frac{q}{2^n},\end{array}$$

(31)

and more details can be found in Appendix C.

For ${\mathsf{Bad}}_{M_2}$, we need to study (C-16) and (C-17), respectively.

$\mathbf{Bounding}$ ($\mathbf{C}$-$\mathbf{16}$): For any three distinct construction queries $(t_i,x_i,y_i)$, $(t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }})$, and $(t_{i^{″}},x_{i^{″}},y_{i^{″}})\in {\overline{\mathcal{Q}}}_F$, $y_{i^{\prime }}$ and $y_{i^{″}}$ are independently and uniformly sampled from ${\{0,1\}}^n$. Hence, we have

$$\begin{array}{cc}\hfill Pr& [(f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus y_{i^{\prime }})\wedge \hfill \\ \hfill & (f_1\left(t_i\right)\oplus f_2\left(t_i\right)\oplus y_i=f_1\left(t_{i^{″}}\right)\oplus f_2\left(t_{i^{″}}\right)\oplus y_{i^{″}})]\le \frac{1}{2^{2n}}.\hfill \end{array}$$

Since the number of all possible tuples for $((t_i,x_i,y_i),(t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }}),(t_{i^{″}},x_{i^{″}},y_{i^{″}}))\in {\overline{\mathcal{Q}}}_F\times {\overline{\mathcal{Q}}}_F\times {\overline{\mathcal{Q}}}_F$ is at most $q^3$, by union bound, one has

$$Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_{16}^{\prime }]\le \frac{q^3}{2^{2n}}.$$

$\mathbf{Bounding}$ ($\mathbf{C}$-$\mathbf{17}$): First, we have $\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_1\left(t\right)\in U\}\cap \{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_1\left(t\right)\notin U\}=\varnothing$ (which means $|\widehat{U}|\le p+q$). Hence, by the definition of ${\overline{\mathcal{Q}}}_0$, it holds that $\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_1\left(t\right)\in U\}\cap {\overline{\mathcal{Q}}}_0=\varnothing$. Similarly, we also have $\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_2\left(t\right)\in V\}\cap \{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_2\left(t\right)\notin V\}=\varnothing$ (which means $|\widehat{V}|\le p+q$) and $\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_2\left(t\right)\in V\}\cap {\overline{\mathcal{Q}}}_0=\varnothing$. By combing these facts and the definitions of $\widehat{U}$, $\widehat{V}$, and ${\overline{\mathcal{Q}}}_0$, the random value y for each $(t,x,y)\in {\overline{\mathcal{Q}}}_0$ in the ideal world is independent of any elements in $\widehat{U}$ and $\widehat{V}$. Therefore, for each pair $((t_i,x_i,y_i),(t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }}))\in {\overline{\mathcal{Q}}}_0\times {\overline{\mathcal{Q}}}_0$, one has

$$Pr[x_i\oplus f_2\left(t_i\right)\oplus f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus y_{i^{\prime }}\in \widehat{U}]\le \frac{|\widehat{U}|}{2^n}\le \frac{p+q}{2^n}.$$

Then the expectation value of random variable $D_{\widehat{U}}$ can be bounded as

$$\begin{array}{ccc}\hfill \mathbb{E}\left[D_{\widehat{U}}\right]& \le & \sum _{\genfrac{}{}{0pt}{}{((t_i,x_i,y_i),(t_{i^{\prime }},x_{i^{\prime }},y_{i^{\prime }}))\in {\overline{\mathcal{Q}}}_0^2:}{}}Pr[x_i\oplus f_2\left(t_i\right)\oplus f_1\left(t_{i^{\prime }}\right)\oplus f_2\left(t_{i^{\prime }}\right)\oplus y_{i^{\prime }}\in \widehat{U}]\hfill \\ & \le & \frac{|{\overline{\mathcal{Q}}}_0{|}^2(p+q)}{2^n}\le \frac{q^2(p+q)}{2^n}.\hfill \end{array}$$

By Markov’s inequality, we have

$$Pr[D_{\widehat{U}}\ge q^{3/2}]\le \frac{\mathbb{E}[D_{\widehat{U}}]}{q^{3/2}}\le \frac{\sqrt{q}(p+q)}{2^n}.$$

Similarly, it holds that

$$Pr[D_{\widehat{V}}\ge q^{3/2}]\le \frac{\sqrt{q}(p+q)}{2^n}.$$

Therefore, one has

$$Pr[T_{\mathsf{id}}\in {\mathsf{\Gamma }}_{17}^{\prime }]\le \frac{2\sqrt{q}(p+q)}{2^n}.$$

Finally, by combining the upper bounds on ${\mathsf{Bad}}_{M_1}$ and ${\mathsf{Bad}}_{M_2}$ together, by (30), the proof of Lemma 5 is finished.  □

4.2. Analysis of Good Transcripts

In this part, we prove that for any good transcript $\overline{\tau }$, the probability to sample it in the real world is close to that in the ideal world, and this result can be formally stated in the following lemma.

Lemma 6.

Assume that $n\ge 6$ and $q\ge 64$. Let $T_{\mathsf{id}}$ be the probability distribution of transcripts in the ideal world, and $T_{\mathsf{re}}$ be in the real world. Then for any good transcript $\overline{\tau }=({\overline{\mathcal{Q}}}_F,{\overline{\mathcal{Q}}}_P,(f_1,f_2))\in {\mathsf{\Gamma }}_{\mathsf{good}}$ with parameters p and q satisfying $p+2q+6\sqrt{q}\le 2^{n-1}$, one has

$$\begin{array}{c}\hfill \frac{Pr[T_{\mathsf{re}}=\overline{\tau }]}{Pr[T_{\mathsf{id}}=\overline{\tau }]}\ge 1-ϵ,\end{array}$$

where $ϵ=\frac{4q{(p+2q+6\sqrt{q})}^2}{2^{2n}}+\frac{16q^{3/2}+4p\sqrt{q}+8q}{2^n}+\frac{16\sqrt{q}}{2^{n/3}}+\frac{12q}{2^{2n/3}}$.

Proof. 

Given a good transcript $\overline{\tau }$, we define the following probability

$$\mathsf{p}\left(\overline{\tau }\right)\stackrel{\mathsf{def}}{=}Pr[P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right):F_{f_1,f_2}^P⊢{\overline{\mathcal{Q}}}_F|P⊢{\overline{\mathcal{Q}}}_P].$$

By a simple combinatorial argument, it holds that

$$\frac{Pr[T_{\mathsf{re}}=\overline{\tau }]}{Pr[T_{\mathsf{id}}=\overline{\tau }]}=2^{nq}\mathsf{p}\left(\overline{\tau }\right).$$

We first introduce some subsets of ${\overline{\mathcal{Q}}}_F$ as follows:

$$\begin{array}{cc}\hfill & {\overline{\mathcal{Q}}}_U=\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_1\left(t\right)\in U\},{\overline{\mathcal{Q}}}_V=\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_2\left(t\right)\in V\},\hfill \\ \hfill & {\overline{\mathcal{Q}}}_{X_1}=\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:{\delta }_{{\overline{D}}_1}(x\oplus f_1\left(t\right))>1\mathrm{and}x\oplus f_1\left(t\right)\notin U\},\hfill \\ \hfill & {\overline{\mathcal{Q}}}_{X_2}=\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:{\delta }_{{\overline{D}}_2}(x\oplus f_2\left(t\right))>1\mathrm{and}x\oplus f_2\left(t\right)\notin V\},\hfill \\ \hfill & {\overline{\mathcal{Q}}}_0=\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:{\delta }_{{\overline{D}}_1}(x\oplus f_1\left(t\right))={\delta }_{{\overline{D}}_2}(x\oplus f_2\left(t\right))=1,\hfill \\ \hfill & x\oplus f_1\left(t\right)\notin U,\mathrm{and}x\oplus f_2\left(t\right)\notin V\}.\hfill \end{array}$$

Note that $|{\overline{\mathcal{Q}}}_U|={\overline{\alpha }}_1$, $|{\overline{\mathcal{Q}}}_V|={\overline{\alpha }}_2$, and ${\overline{\mathcal{Q}}}_0$ has been defined in (C-17). In fact, these sets form a partition of ${\overline{\mathcal{Q}}}_F$.

Proposition 2.

Let $\overline{\tau }\in {\mathsf{\Gamma }}_{\mathsf{good}}$ be a good transcript. Then $({\overline{\mathcal{Q}}}_U,{\overline{\mathcal{Q}}}_V,{\overline{\mathcal{Q}}}_{X_1},{\overline{\mathcal{Q}}}_{X_2},{\overline{\mathcal{Q}}}_0)$ defined above are pairwise disjoint.

Proof. 

By the definition of these five subsets, it holds that ${\overline{\mathcal{Q}}}_U\cap {\overline{\mathcal{Q}}}_{X_1}=\varnothing$, ${\overline{\mathcal{Q}}}_V\cap {\overline{\mathcal{Q}}}_{X_2}=\varnothing$, and ${\overline{\mathcal{Q}}}_U\cap {\overline{\mathcal{Q}}}_0={\overline{\mathcal{Q}}}_V\cap {\overline{\mathcal{Q}}}_0={\overline{\mathcal{Q}}}_{X_1}\cap {\overline{\mathcal{Q}}}_0={\overline{\mathcal{Q}}}_{X_2}\cap {\overline{\mathcal{Q}}}_0=\varnothing$. Since $\overline{\tau }$ does not satisfy (C-1), one has ${\overline{\mathcal{Q}}}_U\cap {\overline{\mathcal{Q}}}_V=\varnothing$. Besides, ${\overline{\mathcal{Q}}}_U\cap {\overline{\mathcal{Q}}}_{X_2}=\varnothing$ (resp. ${\overline{\mathcal{Q}}}_V\cap {\overline{\mathcal{Q}}}_{X_1}=\varnothing$) holds since $\overline{\tau }$ does not satisfy (C-6) (resp. (C-7)). Finally, ${\overline{\mathcal{Q}}}_{X_1}\cap {\overline{\mathcal{Q}}}_{X_2}=\varnothing$ since $\overline{\tau }\notin {\mathsf{\Gamma }}_{10}^{\prime }$.   □

We use ${\overline{E}}_U$, ${\overline{E}}_V$, ${\overline{E}}_{X_1}$, ${\overline{E}}_{X_2}$, and ${\overline{E}}_0$ to denote the events $F_{f_1,f_2}^P⊢{\overline{\mathcal{Q}}}_U,$${\overline{\mathcal{Q}}}_V,{\overline{\mathcal{Q}}}_{X_1},$${\overline{\mathcal{Q}}}_{X_2}$, and ${\overline{\mathcal{Q}}}_0$, respectively. Note that $F_{f_1,f_2}^P⊢{\overline{\mathcal{Q}}}_F$ is equivalent to ${\overline{E}}_U\wedge {\overline{E}}_V\wedge {\overline{E}}_{X_1}\wedge {\overline{E}}_{X_2}\wedge {\overline{E}}_0$. Therefore, it holds that

$$\begin{array}{cc}\hfill \mathsf{p}\left(\overline{\tau }\right)& =Pr[P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right):F_{f_1,f_2}^P⊢{\overline{\mathcal{Q}}}_F|P⊢{\overline{\mathcal{Q}}}_P]\hfill \\ \hfill & =Pr[P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right):{\overline{E}}_U\wedge {\overline{E}}_V\wedge {\overline{E}}_{X_1}\wedge {\overline{E}}_{X_2}\wedge {\overline{E}}_0|P⊢{\overline{\mathcal{Q}}}_P]\hfill \\ \hfill & ={\mathsf{p}}^{\prime }\left(\overline{\tau }\right)·{\mathsf{p}}^{″}\left(\overline{\tau }\right),\hfill \end{array}$$

where

$${\mathsf{p}}^{\prime }\left(\overline{\tau }\right)=Pr[P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right):{\overline{E}}_U\wedge {\overline{E}}_V|P⊢{\overline{\mathcal{Q}}}_P],$$

and

$${\mathsf{p}}^{″}\left(\overline{\tau }\right)=Pr[P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right):{\overline{E}}_{X_1}\wedge {\overline{E}}_{X_2}\wedge {\overline{E}}_0|{\overline{E}}_U\wedge {\overline{E}}_V\wedge (P⊢{\overline{\mathcal{Q}}}_P)].$$

The next goal is to lower bound ${\mathsf{p}}^{\prime }\left(\overline{\tau }\right)$ and ${\mathsf{p}}^{″}\left(\overline{\tau }\right)$.

$\mathbf{Lower}\mathbf{Bounding}{\mathsf{p}}^{\prime }\left(\overline{\mathbf{\tau }}\right)$. Conditioned on $P⊢{\overline{\mathcal{Q}}}_P$, P is fixed on exactly p input-output pairs from U to V. For each $(t,x,y)\in {\overline{\mathcal{Q}}}_U$, there exists a unique $(u,v)\in {\overline{\mathcal{Q}}}_P$ satisfying $x\oplus f_1\left(t\right)=u$. Hence, $P(x\oplus f_1\left(t\right))=P\left(u\right)=v$. Then we define two sets:

$$\begin{array}{cc}\hfill & {\overline{U}}_1=\{P(x\oplus f_1\left(t\right))\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y:(t,x,y)\in {\overline{\mathcal{Q}}}_U\},\hfill \\ \hfill & {\overline{V}}_1=\{x\oplus f_2\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_U\}.\hfill \end{array}$$

All values in ${\overline{U}}_1$ (resp. ${\overline{V}}_1$) are distinct since $\tau$ does not satisfy (C-11) (resp. (C-6)). Moreover, since $\overline{\tau }\notin {\mathsf{\Gamma }}_2^{\prime }$ and $\overline{\tau }\notin {\mathsf{\Gamma }}_1^{\prime }$, one has ${\overline{U}}_1\cap U=\varnothing$ and ${\overline{V}}_1\cap V=\varnothing$ respectively.

For each $(t,x,y)\in {\overline{\mathcal{Q}}}_V$, there exists a unique $(u,v)\in {\overline{\mathcal{Q}}}_P$ satisfying $x\oplus f_2\left(t\right)=v$. In this case, $P^{-1}(x\oplus f_2\left(t\right))=u$. Then we can define two sets:

$$\begin{array}{cc}\hfill & {\overline{U}}_2=\{x\oplus f_1\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_V\},\hfill \\ \hfill & {\overline{V}}_2=\{P^{-1}(x\oplus f_2\left(t\right))\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y:(t,x,y)\in {\overline{\mathcal{Q}}}_V\}.\hfill \end{array}$$

All elements in ${\overline{U}}_2$ (resp. ${\overline{V}}_2$) are distinct since $\overline{\tau }$ does not satisfy (C-7) (resp. (C-12)). Due to the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_1^{\prime }$ and $\overline{\tau }\notin {\mathsf{\Gamma }}_3^{\prime }$, one has ${\overline{U}}_2\cap U=\varnothing$ and ${\overline{V}}_2\cap V=\varnothing$, respectively. Moreover, ${\overline{U}}_2\cap {\overline{U}}_1=\varnothing$ (resp. ${\overline{V}}_2\cap {\overline{V}}_1=\varnothing$) since $\overline{\tau }\notin {\mathsf{\Gamma }}_4^{\prime }$ (resp. $\overline{\tau }\notin {\mathsf{\Gamma }}_5^{\prime }$). Besides, it holds that $|{\overline{U}}_1|=|{\overline{V}}_1|=|{\overline{\mathcal{Q}}}_U|={\overline{\alpha }}_1$ and $|{\overline{U}}_2|=|{\overline{V}}_2|=|{\overline{\mathcal{Q}}}_V|={\overline{\alpha }}_2$. Therefore, one can obtain that

$$\begin{array}{c}\hfill {\mathsf{p}}^{\prime }\left(\overline{\tau }\right)=Pr[P\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right):E_U\wedge E_V|P⊢{\overline{\mathcal{Q}}}_P]=\frac{1}{{(2^n-p)}_{{\overline{\alpha }}_1+{\overline{\alpha }}_2}}.\end{array}$$

(32)

Now, we can define two disjoint collections $\mathcal{U}\stackrel{\mathsf{def}}{=}(U,{\overline{U}}_1,{\overline{U}}_2)$ and $\mathcal{V}\stackrel{\mathsf{def}}{=}(V,{\overline{V}}_1,{\overline{V}}_2)$. In this case, P is fixed on exactly $p+{\overline{\alpha }}_1+{\overline{\alpha }}_2$ input-output pairs from $U\cup {\overline{U}}_1\cup {\overline{U}}_2$ to $V\cup {\overline{V}}_1\cup {\overline{V}}_2$.

$\mathbf{Lower}\mathbf{Bounding}{\mathsf{p}}^{″}\left(\overline{\mathbf{\tau }}\right)$. When conditioned on ${\overline{E}}_U\wedge {\overline{E}}_V\wedge (P⊢{\overline{\mathcal{Q}}}_P)$, we next lower bound the number of all possible “new” and distinct input-output pairs of P such that the event ${\overline{E}}_{X_1}\wedge {\overline{E}}_{X_2}\wedge {\overline{E}}_0$ happens. First, one can define some multi-sets associated to ${\overline{\mathcal{Q}}}_{X_1}$ and ${\overline{\mathcal{Q}}}_{X_2}$ as follows:

$$\begin{array}{cc}\hfill & U_3=\{x\oplus f_1\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_{X_1}\},U_5=\{x\oplus f_1\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_{X_2}\},\hfill \\ \hfill & V_4=\{x\oplus f_2\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_{X_1}\},V_6=\{x\oplus f_2\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_{X_2}\}.\hfill \end{array}$$

Let ${\alpha }_3=\left|U_3\right|$, ${\alpha }_4=\left|V_4\right|$, ${\alpha }_5=\left|U_5\right|$, and ${\alpha }_6=\left|V_6\right|$. For convenience, we rewrite these sets as:

$$\begin{array}{cc}\hfill & U_3=\{u_{3,1},\dots ,u_{3,{\alpha }_3}\},U_5=\{u_{5,1},\dots ,u_{5,{\alpha }_5}\},\hfill \\ \hfill & V_4=\{v_{4,1},\dots ,v_{4,{\alpha }_4}\},V_6=\{v_{6,1},\dots ,v_{6,{\alpha }_6}\}.\hfill \end{array}$$

Let $V_3=P\left(U_3\right)$, $U_4=P^{-1}\left(V_4\right)$, $V_5=P\left(U_5\right)$, and $U_6=P^{-1}\left(V_6\right)$. These sets can be written more clearly as:

$$\begin{array}{cc}\hfill & V_3=\{P(x\oplus f_1\left(t\right)):(t,x,y)\in {\overline{\mathcal{Q}}}_{X_1}\},V_5=\{P(x\oplus f_1\left(t\right)):(t,x,y)\in {\overline{\mathcal{Q}}}_{X_2}\},\hfill \\ \hfill & U_4=\{P^{-1}(x\oplus f_2\left(t\right)):(t,x,y)\in {\overline{\mathcal{Q}}}_{X_1}\},U_6=\{P^{-1}(x\oplus f_2\left(t\right)):(t,x,y)\in {\overline{\mathcal{Q}}}_{X_2}\}.\hfill \end{array}$$

Recall that ${\overline{D}}_1=\{x\oplus f_1\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_F\}$ and ${\overline{D}}_2=\{x\oplus f_2\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_F\}$. Then, we get

$$\begin{array}{cc}\hfill & {\alpha }_3\le \sum _{\genfrac{}{}{0pt}{}{x\in {\{0,1\}}^n:}{{\delta }_{{\overline{D}}_1}\left(x\right)>1}}1\le \sum _{\genfrac{}{}{0pt}{}{x\in {\{0,1\}}^n:}{{\delta }_{{\overline{D}}_1}\left(x\right)>1}}\frac{{\delta }_{{\overline{D}}_1}\left(x\right)}{2}=\frac{{\overline{\beta }}_1}{2}\le \frac{\sqrt{q}}{2},\hfill \\ \hfill & {\alpha }_4\le \sum _{i=1}^{{\alpha }_3}{\delta }_{{\overline{D}}_1}\left(u_{3,i}\right)\le \sum _{\genfrac{}{}{0pt}{}{x\in {\{0,1\}}^n:}{{\delta }_{{\overline{D}}_1}\left(x\right)>1}}{\delta }_{{\overline{D}}_1}\left(x\right)={\overline{\beta }}_1\le \sqrt{q}.\hfill \end{array}$$

Similarly, it also holds that ${\alpha }_6\le \frac{\sqrt{q}}{2}$ and ${\alpha }_5\le \sqrt{q}$. Since $\overline{\tau }\notin {\mathsf{\Gamma }}_{10}^{\prime }$, there exists no repeated items in $V_4$ and $U_5$. Hence, one can conclude that ${\alpha }_4=\left|{\overline{\mathcal{Q}}}_{X_1}\right|$ and ${\alpha }_5=\left|{\overline{\mathcal{Q}}}_{X_2}\right|$. Now we define two multi-sets associated to ${\overline{\mathcal{Q}}}_0$ as

$$U_7=\{x\oplus f_1\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_0\},V_8=\{x\oplus f_2\left(t\right):(t,x,y)\in {\overline{\mathcal{Q}}}_0\}.$$

By the definition of ${\overline{\mathcal{Q}}}_0$, there exists no repeated items in $U_7$ and $V_8$. Based on these two sets, one can define two corresponding sets as:

$$\begin{array}{cc}\hfill & V_7=P\left(U_7\right)=\{P(x\oplus f_1\left(t\right)):(t,x,y)\in {\overline{\mathcal{Q}}}_0\},\hfill \\ \hfill & U_8=P^{-1}\left(V_8\right)=\{P^{-1}(x\oplus f_2\left(t\right)):(t,x,y)\in {\overline{\mathcal{Q}}}_0\}.\hfill \end{array}$$

Set ${\mathcal{U}}^{+}=(U_3,U_5,U_7)$ and ${\mathcal{V}}^{+}=(V_4,V_6,V_8)$ as two set collections. Then we can conclude the following proposition.

Proposition 3.

With notations as above, one has

(i) 

All sets in ${\mathcal{U}}^{+}$ (resp. ${\mathcal{V}}^{+}$) are disjoint, i.e., $U_3\cap U_5=\varnothing$, $U_3\cap U_7=\varnothing$, and $U_5\cap U_7=\varnothing$ (resp. $V_4\cap V_6=\varnothing$, $V_4\cap V_8=\varnothing$, and $V_6\cap V_8=\varnothing$).

(ii) 

${\mathcal{U}}^{+}$ is inner disjoint with $\mathcal{U}$, and ${\mathcal{V}}^{+}$ is inner disjoint with $\mathcal{V}$.

Proof. 

We first prove (i). From the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_{10}^{\prime }$, we have $U_3\cap U_5=\varnothing$. By the definition of ${\overline{\mathcal{Q}}}_{X_1}$ and ${\overline{\mathcal{Q}}}_0$, one can conclude that $U_3\cap U_7=\varnothing$. $U_5\cap U_7=\varnothing$ holds due to the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_{10}^{\prime }$, and the disjoint property of ${\overline{\mathcal{Q}}}_{X_1}$ and ${\overline{\mathcal{Q}}}_0$. We can conclude that $V_4\cap V_6=\varnothing$, $V_4\cap V_8=\varnothing$, and $V_6\cap V_8=\varnothing$ in a similar way.

Next we prove (ii) by enumerating all possible cases. For $U_3$, the definition of ${\overline{\mathcal{Q}}}_{X_1}$ means that $U_3\cap U=\varnothing$; $U_3\cap {\overline{U}}_1=\varnothing$ comes from the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_4^{\prime }$; $U_3\cap {\overline{U}}_2=\varnothing$ holds due to the disjoint property between ${\overline{\mathcal{Q}}}_{X_1}$ and ${\overline{\mathcal{Q}}}_V$, and the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_7^{\prime }$. For $U_5$, $U_5\cap U=\varnothing$ comes from the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_6^{\prime }$, and the definition of ${\overline{\mathcal{Q}}}_{X_2}$; $U_5\cap {\overline{U}}_1=\varnothing$ comes from the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_4^{\prime }$; By the disjoint property between ${\overline{\mathcal{Q}}}_{X_2}$ and ${\overline{\mathcal{Q}}}_V$, and the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_7^{\prime }$, we have $U_5\cap {\overline{U}}_2=\varnothing$. For $U_7$, the definition of ${\overline{\mathcal{Q}}}_0$ means $U_7\cap U=\varnothing$; $U_7\cap {\overline{U}}_1=\varnothing$ comes from the fact that $\overline{\tau }\notin {\mathsf{\Gamma }}_4^{\prime }$; By the disjoint property between ${\overline{\mathcal{Q}}}_0$ and ${\overline{\mathcal{Q}}}_V$, and the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_7^{\prime }$, we has $U_7\cap {\overline{U}}_2=\varnothing$.

For $V_4$, $V_4\cap V=\varnothing$ comes from the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_7^{\prime }$, and the definition of ${\overline{\mathcal{Q}}}_{X_1}$; $V_4\cap {\overline{V}}_1=\varnothing$ can be derived from the disjoint property between ${\overline{\mathcal{Q}}}_{X_1}$ and ${\overline{\mathcal{Q}}}_U$, and the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_6^{\prime }$; The fact $\overline{\tau }\notin {\mathsf{\Gamma }}_5^{\prime }$ means $V_4\cap {\overline{V}}_2=\varnothing$. For $V_6$, $V_6\cap V=\varnothing$ holds from definition of ${\overline{\mathcal{Q}}}_{X_2}$; $V_6\cap V_1=\varnothing$ comes from the definition of ${\overline{\mathcal{Q}}}_{X_2}$, and the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_6^{\prime }$; The fact $\overline{\tau }\notin {\mathsf{\Gamma }}_5^{\prime }$ means $V_6\cap {\overline{V}}_2=\varnothing$. For $V_8$, $V_8\cap V=\varnothing$ comes from definition of ${\overline{\mathcal{Q}}}_0$; $V_8\cap {\overline{V}}_1=\varnothing$ holds due to the disjoint property between ${\overline{\mathcal{Q}}}_0$ and ${\overline{\mathcal{Q}}}_U$, and the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_6^{\prime }$; Finally the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_5^{\prime }$ means $V_8\cap {\overline{V}}_2=\varnothing$.   □

Now we define two disjoint union sets $U^{++}=U\cup {\overline{U}}_1\cup {\overline{U}}_2\cup U_3\cup U_5\cup U_7$ (which equals to $\widehat{U}$ in (C-17)), and $V^{++}=V\cup {\overline{V}}_1\cup {\overline{V}}_2\cup V_4\cup V_6\cup V_8$ (which equals to $\widehat{V}$ in (C-17)).

Let ${\overline{q}}^{\prime }=|{\overline{\mathcal{Q}}}_0|=q-(|{\overline{\mathcal{Q}}}_U|+|{\overline{\mathcal{Q}}}_V|+|{\overline{\mathcal{Q}}}_{X_1}|+|{\overline{\mathcal{Q}}}_{X_2}\left|\right)=q-({\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_4+{\alpha }_5)$ (actually, ${\overline{q}}^{\prime }=|U_7|=|V_8|$) and $M=\lfloor \frac{{\overline{q}}^{\prime }}{2^{n/3}}\rfloor$. Then it holds that ${\overline{q}}^{\prime }-2M\ge {\overline{q}}^{\prime }/2$ if $n\ge 6$. Next we try to sample “new” values for $V_7$ and $U_8$ by allowing that there exist many construction queries $(t,x,y),(t^{\prime },x^{\prime },y^{\prime })\in {\overline{\mathcal{Q}}}_0$ such that $P(x\oplus f_1\left(t\right))\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y=x^{\prime }\oplus f_1\left(t^{\prime }\right)$ or $P^{-1}(x\oplus f_2\left(t\right))\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y=x^{\prime }\oplus f_2\left(t^{\prime }\right)$ holds. In the first case, we can obtain three maps like

$$\{\begin{array}{c}x\oplus f_1\left(t\right)\stackrel{P}{⟼}{x}^{\prime }\oplus f_1\left(t^{\prime }\right)\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y,\hfill \\ x^{\prime }\oplus f_1\left(t^{\prime }\right)\stackrel{P}{⟼}x\oplus f_2\left(t\right),\hfill \\ x\oplus f_2\left(t\right)\oplus f_1\left(t^{\prime }\right)\oplus f_2\left(t^{\prime }\right)\oplus y^{\prime }\stackrel{P}{⟼}{x}^{\prime }\oplus f_2\left(t^{\prime }\right).\hfill \end{array}$$

In the second case, we have

$$\{\begin{array}{c}{x}^{\prime }\oplus f_1\left(t^{\prime }\right)\stackrel{P}{⟼}x\oplus f_1\left(t\right)\oplus f_1\left(t^{\prime }\right)\oplus f_2\left(t^{\prime }\right)\oplus y^{\prime },\hfill \\ x\oplus f_1\left(t\right)\stackrel{P}{⟼}{x}^{\prime }\oplus f_2\left(t^{\prime }\right),\hfill \\ x^{\prime }\oplus f_2\left(t^{\prime }\right)\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y\stackrel{P}{⟼}x\oplus f_2\left(t\right).\hfill \end{array}$$

If $x\oplus f_2\left(t\right)\oplus f_1\left(t^{\prime }\right)\oplus f_2\left(t^{\prime }\right)\oplus y^{\prime }\notin U^{++}$ and $x^{\prime }\oplus f_1\left(t^{\prime }\right)\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y\notin V^{++}$, or $x^{\prime }\oplus f_2\left(t^{\prime }\right)\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y\notin U^{++}$ and $x\oplus f_1\left(t\right)\oplus f_1\left(t^{\prime }\right)\oplus f_2\left(t^{\prime }\right)\oplus y^{\prime }\notin V^{++}$, then the above permutation maps are compatible with ${\overline{\mathcal{Q}}}_F$ and ${\overline{\mathcal{Q}}}_P$. Intuitively, when we consider the above “collision” maps, there would be as many permutations chosen to be compatible with ${\overline{\mathcal{Q}}}_F$ and ${\overline{\mathcal{Q}}}_P$ as possible so that our construction can achieve BBB security.

Conditioned on ${\overline{E}}_U\wedge {\overline{E}}_V\wedge (P⊢{\overline{\mathcal{Q}}}_P)$, we next describe all possible permutations satisfying $E_{X_1}\wedge E_{X_2}\wedge E_0$, and finally compute and lower bound ${\mathsf{p}}^{″}\left(\overline{\tau }\right)$.

For each $\alpha \in \left[M\right]$, we define the following set

$$S=\{(({\sigma }_1,{\xi }_1),({\sigma }_1^{\prime },{\xi }_1^{\prime })),\dots ,(({\sigma }_{\alpha },{\xi }_{\alpha }),({\sigma }_{\alpha }^{\prime },{\xi }_{\alpha }^{\prime }))\},$$

where for each $1\le k\le \alpha$, one has ${\sigma }_k=x_k\oplus f_1\left(t_k\right)$ (resp. ${\xi }_k=x_k\oplus f_2\left(t_k\right)$) for some query $(t_k,x_k,y_k)\in {\overline{\mathcal{Q}}}_0$ and ${\sigma }_k^{\prime }=x_k^{\prime }\oplus f_1\left(t_k^{\prime }\right)$ (resp. ${\xi }_k^{\prime }=x_k^{\prime }\oplus f_2\left(t_k^{\prime }\right)$) for another query $(t_k^{\prime },x_k^{\prime },y_k^{\prime })\in {\overline{\mathcal{Q}}}_0$.

Definition 2.

We say $S=\{(({\sigma }_1,{\xi }_1),({\sigma }_1^{\prime },{\xi }_1^{\prime })),\dots ,(({\sigma }_{\alpha },{\xi }_{\alpha }),({\sigma }_{\alpha }^{\prime },{\xi }_{\alpha }^{\prime }))\}$ a “good” set if the following four conditions are all satisfied

(1) 

$x_k\oplus f_2\left(t_k\right)\oplus f_1\left(t_k^{\prime }\right)\oplus f_2\left(t_k^{\prime }\right)\oplus y_k^{\prime }\notin U^{++}$,

(2) 

$x_k^{\prime }\oplus f_1\left(t_k^{\prime }\right)\oplus f_1\left(t_k\right)\oplus f_2\left(t_k\right)\oplus y_k\notin V^{++}$,

(3) 

$x_k\oplus f_2\left(t_k\right)\oplus f_1\left(t_k^{\prime }\right)\oplus f_2\left(t_k^{\prime }\right)\oplus y_k^{\prime }\ne x_{k^{\prime }}\oplus f_2\left(t_{k^{\prime }}\right)\oplus f_1\left(t_{k^{\prime }}^{\prime }\right)\oplus f_2\left(t_{k^{\prime }}^{\prime }\right)\oplus y_{k^{\prime }}^{\prime }$, for any $k^{\prime }<k$,

(4) 

$x_k^{\prime }\oplus f_1\left(t_k^{\prime }\right)\oplus f_1\left(t_k\right)\oplus f_2\left(t_k\right)\oplus y_k\ne x_{k^{\prime }}^{\prime }\oplus f_1\left(t_{k^{\prime }}^{\prime }\right)\oplus f_1\left(t_{k^{\prime }}\right)\oplus f_2\left(t_{k^{\prime }}\right)\oplus y_{k^{\prime }}$, for any $k^{\prime }<k$.

The next lemma shows that for each $\alpha \in \left[M\right]$, the number of all possible “good” sets derived from ${\overline{\mathcal{Q}}}_0$ is close to ${\left({\overline{q}}^{\prime }\right)}_{2\alpha }/\alpha !$.

Lemma 7.

Assume that $q\ge 64$ and $n\ge 6$. Let α be an integer with $0\le \alpha \le M=\lfloor \frac{{\overline{q}}^{\prime }}{2^{n/3}}\rfloor$. Let ${\mathcal{N}}_S\left(\alpha \right)$ be the number of all “good” sets derived from ${\overline{\mathcal{Q}}}_0$. Then we have

$${\mathcal{N}}_S\left(\alpha \right)\ge \frac{{\left({\overline{q}}^{\prime }\right)}_{2\alpha }}{\alpha !}\left(1-{ϵ}_0\right),$$

where ${ϵ}_0=\frac{6q}{2^{2n/3}}+\frac{16\sqrt{q}}{2^{n/3}}$.

Proof. 

We count all possible pairs in a “good” set step by step as follows. First, we decide all possible pairs for $(({\sigma }_1,{\xi }_1),({\sigma }_1^{\prime },{\xi }_1^{\prime }))$. There are ${\overline{q}}^{\prime }({\overline{q}}^{\prime }-1)$ possible pairs to be chosen for $(({\sigma }_1,{\xi }_1),({\sigma }_1^{\prime },{\xi }_1^{\prime }))$. Since $\tau \notin {\mathsf{\Gamma }}_{17}^{\prime }$, there are at most $2q^{3/2}$ pairs not satisfying the first two conditions in Definition 2. Then we can choose at least ${\overline{q}}^{\prime }({\overline{q}}^{\prime }-1)-2q^{3/2}$ possible pairs for $(({\sigma }_1,{\xi }_1),({\sigma }_1^{\prime },{\xi }_1^{\prime }))$.

After choosing $({\sigma }_1,{\xi }_1),({\sigma }_1^{\prime },{\xi }_1^{\prime })$, we decide all possible $(({\sigma }_2,{\xi }_2),({\sigma }_2^{\prime },{\xi }_2^{\prime }))$ in the following way. We first choose $({\sigma }_2,{\xi }_2)$ from the remaining ${\overline{q}}^{\prime }-2$ possible pairs, and then choose the corresponding pair $({\sigma }_2^{\prime },{\xi }_2^{\prime })$ outside of $({\sigma }_1,{\xi }_1)$, $({\sigma }_1^{\prime },{\xi }_1^{\prime })$, and $({\sigma }_2^{\prime },{\xi }_2^{\prime })$ to satisfy all four conditions in Definition 2. To satisfy the last two conditions $3)$ and $4)$ in Definition 2, ${\sigma }_2^{\prime }$ and ${\xi }_2^{\prime }$ should chosen such that

$$\{\begin{array}{c}{\xi }_2\ne {\xi }_1\oplus f_1\left(t_1^{\prime }\right)\oplus f_2\left(t_1^{\prime }\right)\oplus y_1^{\prime }\oplus f_1\left(t_2^{\prime }\right)\oplus f_2\left(t_2^{\prime }\right)\oplus y_2^{\prime },\hfill \\ {\sigma }_2^{\prime }\ne {\sigma }_1^{\prime }\oplus f_1\left(t_1\right)\oplus f_2\left(t_1\right)\oplus y_1\oplus f_1\left(t_2\right)\oplus f_2\left(t_2\right)\oplus y_2.\hfill \end{array}$$

In this case, from the definition of ${\overline{\mathcal{Q}}}_0$ and the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_{16}^{\prime }$, it excludes at most 3 possibilities to be chosen for $({\sigma }_2^{\prime },{\xi }_2^{\prime })$. Then there are at least $({\overline{q}}^{\prime }-2)({\overline{q}}^{\prime }-6)$ possibilities to be chosen for $(({\sigma }_2,{\xi }_2),({\sigma }_2^{\prime },{\xi }_2^{\prime }))$, when we only consider the last two conditions in Definition 2. Finally, from the fact $\tau \notin {\mathsf{\Gamma }}_{17}^{\prime }$, there are at most $2q^{3/2}$ pairs to be removed for all possibilities $(({\sigma }_2,{\xi }_2),({\sigma }_2^{\prime },{\xi }_2^{\prime }))$ if we want them to satisfy the first two conditions $1)$ and $2)$ in Definition 2. Overall, there are at least $({\overline{q}}^{\prime }-2)({\overline{q}}^{\prime }-6)-2q^{3/2}$ possible pairs to be chosen for $(({\sigma }_2,{\xi }_2),({\sigma }_2^{\prime },{\xi }_2^{\prime }))$.

After choosing $k-1$ pairs $(({\sigma }_1,{\xi }_1),({\sigma }_1^{\prime },{\xi }_1^{\prime }))$, …, $(({\sigma }_{k-1},{\xi }_{k-1}),({\sigma }_{k-1}^{\prime },{\xi }_{k-1}^{\prime }))$, there are at least $({\overline{q}}^{\prime }-2k)({\overline{q}}^{\prime }-5k-1)-2q^{3/2}$ possible pairs to be chosen for $(({\sigma }_k,{\xi }_k),({\sigma }_k^{\prime },{\xi }_k^{\prime }))$ by repeating the above step.

When we finish the choice of all possible cases for $((({\sigma }_1,{\xi }_1),({\sigma }_1^{\prime },{\xi }_1^{\prime })),\dots ,(({\sigma }_{\alpha },{\xi }_{\alpha })$, $({\sigma }_{\alpha }^{\prime },{\xi }_{\alpha }^{\prime })\left)\right)$ satisfying all four conditions in Definition 2, one can conclude that

$${\mathcal{N}}_S\left(\alpha \right)\ge \frac{1}{\alpha !}\prod _{k=0}^{\alpha -1}(({\overline{q}}^{\prime }-2k)({\overline{q}}^{\prime }-5k-1)-2q^{3/2}),$$

(33)

where the term $\alpha !$ appears because the set S is unordered.

Furthermore, ${\mathcal{N}}_S\left(\alpha \right)$ can be lower bounded as follows

$$\begin{array}{cc}\hfill {\mathcal{N}}_S\left(\alpha \right)& \ge \frac{1}{\alpha !}\prod _{k=0}^{\alpha -1}(({\overline{q}}^{\prime }-2k)({\overline{q}}^{\prime }-5k-1)-2q^{3/2})\hfill \\ \hfill & \ge \frac{{\left({\overline{q}}^{\prime }\right)}_{2\alpha }}{\alpha !}\prod _{k=0}^{\alpha -1}\frac{({\overline{q}}^{\prime }-2k)({\overline{q}}^{\prime }-5k-1)-2q^{3/2}}{({\overline{q}}^{\prime }-2k)({\overline{q}}^{\prime }-2k-1)}\hfill \\ \hfill & \ge \frac{{\left({\overline{q}}^{\prime }\right)}_{2\alpha }}{\alpha !}\prod _{k=0}^{\alpha -1}\left(1-\frac{3k{\overline{q}}^{\prime }-6k^2+2q^{3/2}}{({\overline{q}}^{\prime }-2k)({\overline{q}}^{\prime }-2k-1)}\right)\hfill \\ \hfill & \stackrel{\left(i\right)}{\ge }\frac{{\left({\overline{q}}^{\prime }\right)}_{2\alpha }}{\alpha !}\prod _{k=0}^{\alpha -1}\left(1-\frac{3k{\overline{q}}^{\prime }+2q^{3/2}}{{({\overline{q}}^{\prime }-2M)}^2}\right)\hfill \\ \hfill & \ge \frac{{\left({\overline{q}}^{\prime }\right)}_{2\alpha }}{\alpha !}\left(1-\frac{3{\overline{q}}^{\prime }{M}^2/2+2q^{3/2}M}{{({\overline{q}}^{\prime }-2M)}^2}\right)\hfill \\ \hfill & \stackrel{\left(ii\right)}{\ge }\frac{{\left({\overline{q}}^{\prime }\right)}_{2\alpha }}{\alpha !}\left(1-\frac{6{\overline{q}}^{\prime }{M}^2+8q^{3/2}M}{{\overline{q}}^{\prime 2}}\right)\hfill \\ \hfill & \stackrel{\left(iii\right)}{\ge }\frac{{\left({\overline{q}}^{\prime }\right)}_{2\alpha }}{\alpha !}\left(1-\frac{6{\overline{q}}^{\prime }}{2^{2n/3}}-\frac{8q^{3/2}}{q^{\prime }{2}^{n/3}}\right)\hfill \\ \hfill & \stackrel{\left(iv\right)}{\ge }\frac{{\left({\overline{q}}^{\prime }\right)}_{2\alpha }}{\alpha !}\left(1-\frac{6q}{2^{2n/3}}-\frac{16\sqrt{q}}{2^{n/3}}\right),\hfill \end{array}$$

where (i) follows as ${\overline{q}}^{\prime }-2k,q^{\prime }-2k-1\ge {\overline{q}}^{\prime }-2\alpha \ge {\overline{q}}^{\prime }-2M$, (ii) follows as ${\overline{q}}^{\prime }-2M>{\overline{q}}^{\prime }/2$, (iii) follows as $M\le \frac{{\overline{q}}^{\prime }}{2^{n/3}}$, and (iv) follows as $q/2\le q-4\sqrt{q}\le {\overline{q}}^{\prime }$ if $q>64$.   □

For a fixed $\alpha$ with $0\le \alpha \le M$ and a corresponding “good” set

$$S=\{(({\sigma }_1,{\xi }_1),({\sigma }_1^{\prime },{\xi }_1^{\prime })),\dots ,(({\sigma }_{\alpha },{\xi }_{\alpha }),({\sigma }_{\alpha }^{\prime },{\xi }_{\alpha }^{\prime }))\},$$

the following assignment (34) for P is well-defined by the definition of S:

$$\forall k\in \left[\alpha \right]\{\begin{array}{c}{\sigma }_k\stackrel{P}{⟼}{\sigma }_k^{\prime }\oplus f_1\left(t_k\right)\oplus f_2\left(t_k\right)\oplus y_k,\hfill \\ {\sigma }_k^{\prime }\stackrel{P}{⟼}{\xi }_k,\hfill \\ {\xi }_k\oplus f_1\left(t_k^{\prime }\right)\oplus f_2\left(t_k^{\prime }\right)\oplus y_k^{\prime }\stackrel{P}{⟼}{\xi }_k^{\prime }.\hfill \end{array}$$

(34)

Furthermore, based on the “good” set S, we define two subsets of $U_7$ and $V_8$ as

$$\begin{array}{cc}\hfill & U_{7,1}\stackrel{def}{=}\{{\sigma }_1=x_1\oplus f_1\left(t_1\right),{\sigma }_1^{\prime }=x_1^{\prime }\oplus f_1\left(t_1^{\prime }\right),\dots ,{\sigma }_{\alpha }=x_{\alpha }\oplus f_1\left(t_{\alpha }\right),{\sigma }_{\alpha }^{\prime }=x_{\alpha }^{\prime }\oplus f_1\left(t_{\alpha }^{\prime }\right)\},\hfill \\ \hfill & V_{8,1}\stackrel{def}{=}\{{\xi }_1=x_1\oplus f_2\left(t_1\right),{\xi }_1^{\prime }=x_1^{\prime }\oplus f_2\left(t_1^{\prime }\right),\dots ,{\xi }_{\alpha }=x_{\alpha }\oplus f_2\left(t_{\alpha }\right),{\xi }_{\alpha }^{\prime }=x_{\alpha }^{\prime }\oplus f_2\left(t_{\alpha }^{\prime }\right)\}.\hfill \end{array}$$

Besides, we can also denote two additional sets as

$$\begin{array}{cc}\hfill & U_{7,1}^{\prime }\stackrel{def}{=}\{{\xi }_1\oplus f_1\left(t_1^{\prime }\right)\oplus f_2\left(t_1^{\prime }\right)\oplus y_1^{\prime },\dots ,{\xi }_{\alpha }\oplus f_1\left(t_{\alpha }^{\prime }\right)\oplus f_2\left(t_{\alpha }^{\prime }\right)\oplus y_{\alpha }^{\prime }\},\hfill \\ \hfill & V_{8,1}^{\prime }\stackrel{def}{=}\{{\sigma }_1^{\prime }\oplus f_1\left(t_1\right)\oplus f_2\left(t_1\right)\oplus y_1,\dots ,{\sigma }_{\alpha }^{\prime }\oplus f_1\left(t_{\alpha }\right)\oplus f_2\left(t_{\alpha }\right)\oplus y_{\alpha }\},\hfill \end{array}$$

where $U_{7,1}^{\prime }\cap U^{++}=\varnothing$ (resp. $V_{8,1}^{\prime }\cap V^{++}=\varnothing$) and all items in $U_{7,1}^{\prime }$ (resp. $V_{8,1}^{\prime }$) are distinct. After the assignment (34) for P, P is fixed on $3\alpha$ input-ouput pairs from $U_{7,1}\cup U_{7,1}^{\prime }$ to $V_{8,1}\cup V_{8,1}^{\prime }$. In addition, we can define the corresponding co-subset of $U_{7,1}$ and $V_{8,1}$ as $U_{7,2}\stackrel{def}{=}{U}_7\backslash U_{7,1}$ and $V_{8,2}\stackrel{def}{=}{V}_8\backslash V_{8,2}$, respectively.

Until now, the random permutation P is fixed on p input-output pairs from U to V, ${\overline{\alpha }}_1$ input-output pairs from ${\overline{U}}_1$ to ${\overline{V}}_1$, ${\overline{\alpha }}_2$ input-output pairs from ${\overline{U}}_2$ to ${\overline{V}}_2$, and $3\alpha$ input-output pairs from $U_{7,1}\cup U_{7,1}^{\prime }$ to $V_{8,1}\cup V_{8,1}^{\prime }$. Based on these facts, the next work is to choose all other possible compatible items for $V_3=P\left(U_3\right)$, $U_4=P^{-1}\left(V_4\right)$, $V_5=P\left(U_5\right)$, $U_6=P^{-1}\left(V_6\right)$, $V_{7,2}=P\left(U_{7,2}\right)$ and $U_{8,2}=P^{-1}\left(V_{8,2}\right)$ to extend the fixed input-output pairs of P.

Note that once the items in $V_3=P\left(U_3\right)$ are fixed, the corresponding items in $U_4=P^{-1}\left(V_4\right)$ are uniquely determined since these two sets are both derived from ${\overline{\mathcal{Q}}}_{X_1}$. Similarly, the items in $V_5=P\left(U_5\right)$ (resp. $V_{7,2}=P\left(U_{7,2}\right)$) uniquely determine the items in $U_6=P^{-1}\left(V_6\right)$ (resp. $U_{8,2}=P^{-1}\left(V_{8,2}\right)$). Then we sample all possible items for these sets through three steps.

$\mathbf{Step}\mathbf{I}.\mathbf{Construct}{\mathbf{V}}_{\mathbf{3}}=\mathbf{P}\left({\mathbf{U}}_{\mathbf{3}}\right)\mathbf{and}{\mathbf{U}}_{\mathbf{4}}={\mathbf{P}}^{-\mathbf{1}}\left({\mathbf{V}}_{\mathbf{4}}\right)$.

Let $U^{3+}=U^{++}\cup U_{7,1}^{\prime }$ and $V^{3+}=V^{++}\cup V_{8,1}^{\prime }$. The size of $U^{3+}$ is ${\Delta }_1=p+{\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_3+{\alpha }_5+{\overline{q}}^{\prime }+\alpha$, and the size of $V^{3+}$ is ${\Delta }_2=p+{\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_4+{\alpha }_6+{\overline{q}}^{\prime }+\alpha$. Recall that ${\overline{X}}_u^1=\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_1\left(t\right)=u\}$ and ${\overline{X}}_u^2=\{(t,x,y)\in {\overline{\mathcal{Q}}}_F:x\oplus f_2\left(t\right)=u\}$. Let ${\mathcal{N}}_1\left(\alpha \right)$ be the number of distinct tuples $(v_{3,1},\dots ,v_{3,{\alpha }_3})$ in ${\{0,1\}}^n\backslash V^{3+}$ such that the following two conditions are satisfied

(i)

$\forall k\in \left[{\alpha }_3\right]$, for each $(t,x,y)\in {\overline{X}}_{u_{3,k}}^1$ where $u_{3,k}\in U_3$, $v_{3,k}\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y\notin U^{3+}$.

(ii)

$\forall k^{\prime },k\in \left[{\alpha }_3\right]$ with $k^{\prime }<k$, for each $(t,x,y)\in {\overline{X}}_{u_{3,k}}^1$, $v_{3,k}\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y\ne v_{3,k^{\prime }}\oplus f_1\left(t^{\prime }\right)\oplus f_2\left(t^{\prime }\right)\oplus y^{\prime }$ should be satisfied for each $(t^{\prime },x^{\prime },y^{\prime })\in {\overline{X}}_{u_{3,k^{\prime }}}^1$.

Now we count the number of all possible distinct tuples $(v_{3,1},\dots ,v_{3,{\alpha }_3})\in {\{0,1\}}^n\backslash V^{3+}$ satisfying these two conditions. First, one has ${|\{0,1\}}^n\backslash V^{3+}|=2^n-(p+{\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_4+{\alpha }_6+{\overline{q}}^{\prime }+\alpha )$. The first condition can remove at most $(p+{\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_3+{\alpha }_5+{\overline{q}}^{\prime }+\alpha )|{\overline{X}}_{u_{3,k}}^1|$ items for each k, and the second condition can exclude at most $|{\overline{X}}_{u_{3,k}}^1\left|\right(|{\overline{X}}_{u_{3,1}}^1|+\dots +|{\overline{X}}_{u_{3,k-1}}^1\left|\right)\le {\alpha }_4·|{\overline{X}}_{u_{3,k}}^1|$ values for each choice of $v_{3,k}$. By the choice of $v_{3,k}$ above, we obtain that

$$\begin{array}{c}\hfill {\mathcal{N}}_1\left(\alpha \right)\ge \prod _{k=0}^{{\alpha }_3-1}\left(2^n-{\Delta }_2-k-({\Delta }_1+{\alpha }_4)·\left|{\overline{X}}_{u_{3,k+1}}^1\right|\right).\end{array}$$

(35)

Let $V_3=\{v_{3,1},\dots ,v_{3,{\alpha }_3}\}$ and $U_4=\{v_{3,k}\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y:k\in \left[{\alpha }_3\right],(t,x,y)\in {\overline{X}}_{u_{3,k}}^1\}$. The first condition ensures that $U_4$ is disjoint with $U^{3+}$. Items in $U_4$ are distinct due to the second condition and the fact $\overline{\tau }\notin {\mathsf{\Gamma }}_8^{\prime }$. This fact tells us that for each $k\in \left[{\alpha }_3\right]$ and $(t,x,y)\ne (t^{\prime },x^{\prime },y^{\prime })\in {\overline{X}}_{u_{3,k}}^1$, it holds that $x\oplus f_1\left(t\right)=x^{\prime }\oplus f_1\left(t^{\prime }\right)=u_{3,k}$ but $f_1\left(t\right)\oplus f_2\left(t\right)\oplus y\ne f_1\left(t^{\prime }\right)\oplus f_2\left(t^{\prime }\right)\oplus y^{\prime }$, which means that $v_{3,k}\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y\ne v_{3,k}\oplus f_1\left(t^{\prime }\right)\oplus f_2\left(t^{\prime }\right)\oplus y^{\prime }$. Moreover, items in $V_3$ are distinct, and $V_3$ is disjoint with $V^{3+}$ by the choice of $(v_{3,1},\dots ,v_{3,{\alpha }_3})$. Let $U^{4+}=U^{3+}\cup U_4$, and $V^{4+}=V^{3+}\cup V_3$. The size of $U^{4+}$ is ${\Delta }_3={\Delta }_1+{\alpha }_4$, and the size of $V^{4+}$ is ${\Delta }_4={\Delta }_2+{\alpha }_3$.

$\mathbf{Step}\mathbf{I}\mathbf{I}.\mathbf{Construct}{\mathbf{V}}_{\mathbf{5}}=\mathbf{P}\left({\mathbf{U}}_{\mathbf{5}}\right),\mathbf{and}{\mathbf{U}}_{\mathbf{6}}={\mathbf{P}}^{-\mathbf{1}}\left({\mathbf{V}}_{\mathbf{6}}\right)$.

Recall that $V_6=\{v_{6,1},\dots ,v_{6,{\alpha }_6}\}$. Let ${\mathcal{N}}_2\left(\alpha \right)$ be the number of all distinct tuples $(u_{6,1},\dots ,u_{6,{\alpha }_6})$ in ${\{0,1\}}^n\backslash U^{4+}$ satisfying the following two conditions:

(i)

$\forall k\in \left[{\alpha }_6\right]$, for each $(t,x,y)\in {\overline{X}}_{v_{6,k}}^2$, $u_{6,k}\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y\notin V^{4+}$.

(ii)

$\forall k^{\prime },k\in \left[{\alpha }_6\right]$ with $k^{\prime }<k$, for each $(t,x,y)\in X_{v_{6,k}}^2$, $u_{6,k}\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y\ne u_{6,k^{\prime }}\oplus f_1\left(t^{\prime }\right)\oplus f_2\left(t^{\prime }\right)\oplus y^{\prime }$ should be satisfied for each $(t^{\prime },x^{\prime },y^{\prime })\in X_{v_{6,k^{\prime }}}^2$.

Now we count the number of all possible distinct tuples $(u_{6,1},\dots ,u_{6,{\alpha }_6})\in {\{0,1\}}^n\backslash U^{4+}$ satisfying these two conditions. Similarly, one has ${|\{0,1\}}^n\backslash U^{4+}|=2^n-(p+{\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_3+{\alpha }_5+{\overline{q}}^{\prime }+\alpha +{\alpha }_4)$. The first condition can remove at most $(p+{\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_4+{\alpha }_6+{\overline{q}}^{\prime }+\alpha +{\alpha }_3)·|{\overline{X}}_{v_{6,k}}^2|$ values for each k, and the second condition can exclude at most $\left(\right|{\overline{X}}_{v_{6,1}}^2|+\dots +|{\overline{X}}_{v_{6,k-1}}^2\left|\right)·|{\overline{X}}_{v_{6,k}}^2|\le {\alpha }_5·|{\overline{X}}_{v_{6,k}}^2|$ items for each choice of $u_{6,k}$. By the choice of ${\left(u_{6,k}\right)}_{k\in \left[{\alpha }_6\right]}$, we obtain that

$$\begin{array}{c}\hfill {\mathcal{N}}_2\left(\alpha \right)\ge \prod _{k=0}^{{\alpha }_6-1}\left(2^n-{\Delta }_3-k-({\Delta }_4+{\alpha }_5)·\left|{\overline{X}}_{v_{6,k}}^2\right|\right).\end{array}$$

(36)

Let $U_6=P^{-1}\left(V_6\right)\stackrel{def}{=}\{u_{6,1},\dots ,u_{6,{\alpha }_6}\}$, and $V_5=P\left(U_5\right)\stackrel{def}{=}\{u_{6,k}\oplus f_1\left(t\right)\oplus f_2\left(t\right)\oplus y:k\in \left[{\alpha }_6\right],(t,x,y)\in X_{v_{6,k}}^2\}$. It holds that items in $P^{-1}\left(V_6\right)$ are distinct. Furthermore, $P^{-1}\left(V_6\right)$ is disjoint with $U^{4+}$ by the choice of $(u_{6,1},\dots ,u_{6,{\alpha }_6})$. Let $U^{5+}=U^{4+}\cup U_6$, and $V^{5+}=V^{4+}\cup V_5$. The size of $U^{5+}$ is ${\Delta }_5={\Delta }_3+{\alpha }_6$, and the size of $V^{5+}$ is ${\Delta }_6={\Delta }_4+{\alpha }_5$.

$\mathbf{Step}\mathbf{I}\mathbf{I}\mathbf{I}.\mathbf{Construct}{\mathbf{V}}_{\mathbf{7},\mathbf{2}}=\mathbf{P}\left({\mathbf{U}}_{\mathbf{7},\mathbf{2}}\right),\mathbf{and}{\mathbf{U}}_{\mathbf{8},\mathbf{2}}={\mathbf{P}}^{-\mathbf{1}}\left({\mathbf{V}}_{\mathbf{8},\mathbf{2}}\right)$.

Let ${\overline{q}}^{″}={\overline{q}}^{\prime }-2\alpha$ (${\overline{q}}^{″}=|U_{7,2}|=|V_{8,2}|$). Let m be the number of all distinct tweaks appearing in ${\overline{\mathcal{Q}}}_F$, and then we use ${\overline{t}}_1,\dots ,{\overline{t}}_m$ to denote these m distinct tweaks. We denote $\widetilde{{\mathcal{Q}}_{0,i}}=\{({\overline{t}}_i,x,y)\in {\overline{\mathcal{Q}}}_0:x\oplus f_1\left({\overline{t}}_i\right)\in U_{7,2}\wedge x\oplus f_2\left({\overline{t}}_i\right)\in V_{8,2}\}$ and ${\overline{q}}_i^{″}=|\widetilde{{\mathcal{Q}}_{0,i}}|$. In this case, it holds that ${\overline{q}}^{″}={\sum }_{i=1}^m{\overline{q}}_i^{″}$. For convenience to count, we denote $\widetilde{{\mathcal{Q}}_0}={\bigcup }_{i=1}^m\widetilde{{\mathcal{Q}}_{0,i}}$ and rewrite the items in $\widetilde{{\mathcal{Q}}_0}$ indexed by the m distinct tweaks as

$$\begin{array}{c}\hfill \widetilde{{\mathcal{Q}}_0}=\{({\overline{t}}_1,x_{1,1},y_{1,1}),\dots ,({\overline{t}}_1,x_{1,{\overline{q}}_1^{″}},y_{1,{\overline{q}}_1^{″}}),\dots ,({\overline{t}}_m,x_{m,1},y_{m,1}),\dots ,({\overline{t}}_m,x_{m,{\overline{q}}_m^{″}},y_{m,{\overline{q}}_m^{″}})\}.\end{array}$$

For $i=1,\dots ,m$ and $j=1,\dots ,{\overline{q}}_i^{″}$, denote

$$\begin{array}{cc}\hfill & u_{7,i,j}=x_{i,j}\oplus f_1\left({\overline{t}}_i\right)\mathrm{and}{v}_{8,i,j}=x_{i,j}\oplus f_2\left({\overline{t}}_i\right).\hfill \end{array}$$

For convenience, $U_{7,2}$ and $V_{8,2}$ can be written as $U_{7,2}={\left\{u_{7,i,j}\right\}}_{1\le i\le m,1\le j\le {\overline{q}}_i^{″}}$ and $V_{8,2}={\left\{v_{8,i,j}\right\}}_{1\le i\le m,1\le j\le {\overline{q}}_i^{″}}$, respectively. Let ${\left(v_{7,i,j}\right)}_{1\le i\le m,1\le j\le {\overline{q}}_i^{″}}$ be all possible different tuples in ${\{0,1\}}^n\backslash V^{5+}$ such that the following two conditions are satisfied.

(i)

For each $i=1,\dots ,m$ and $j=1,\dots ,{\overline{q}}_i^{″}$, $v_{7,i,j}\oplus f_1\left({\overline{t}}_i\right)\oplus f_2\left({\overline{t}}_i\right)\oplus y_{i,j}\notin U^{5+}$.

(ii)

For each $i=1,\dots ,m$ and $j=1,\dots ,{\overline{q}}_i^{″}$, $v_{7,i,j}\oplus f_1\left({\overline{t}}_i\right)\oplus f_2\left({\overline{t}}_i\right)\oplus y_{i,j}$ is distinct from the values $v_{7,k,l}\oplus f_1\left({\overline{t}}_k\right)\oplus f_2\left({\overline{t}}_k\right)\oplus y_{k,l}$ for $k<i$ and $l\in \left[{\overline{q}}_k^{″}\right]$. Furthermore, $v_{7,i,j}\oplus f_1\left({\overline{t}}_i\right)\oplus f_2\left({\overline{t}}_i\right)\oplus y_{i,j}$ should be distinct from the values $v_{7,i,j^{\prime }}\oplus f_1\left({\overline{t}}_i\right)\oplus f_2\left({\overline{t}}_i\right)\oplus y_{i,j^{\prime }}$ for $j^{\prime }\in \left[{\overline{q}}_i^{″}\right]$ with $j^{\prime }<j$.

Except these two conditions, each $v_{7,i,j}$ must be different from each other. By a simple computation, one has $|V^{5+}|=|U^{5+}|=p^{\prime }+{\overline{q}}^{\prime }+\alpha$, where $p^{\prime }=p+{\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_3+{\alpha }_4+{\alpha }_5+{\alpha }_6$ and ${\overline{q}}^{\prime }=q-({\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_4+{\alpha }_5)$. So ${|\{0,1\}}^n\backslash V^{5+}|=2^n-(p^{\prime }+{\overline{q}}^{\prime }+\alpha )$. Now we bound the number of all possible distinct tuples ${\left(v_{7,i,j}\right)}_{1\le i\le m,1\le j\le {\overline{q}}_i^{″}}$ satisfying these two conditions. The first condition excludes at most $p^{\prime }+{\overline{q}}^{\prime }+\alpha$ values, and the second condition excludes at most ${\sum }_{k=1}^{i-1}{\overline{q}}_k^{″}-j+1$ values for each choice of $v_{7,i,j}$. Furthermore, $v_{7,i,j}$ should not be same as any one of previous ${\sum }_{k=1}^{i-1}{\overline{q}}_k^{″}-j+1$ items. By combining these facts, one can conclude that

$$\begin{array}{cc}\hfill {\mathcal{N}}_0\left(\alpha \right)& \ge \prod _{i=1}^m\prod _{j=0}^{{\overline{q}}_i^{\prime \prime }-1}(2^n-2p^{\prime }-2{\overline{q}}^{\prime }-2\alpha -2\sum _{k=1}^{i-1}{\overline{q}}_k^{″}-2j).\hfill \end{array}$$

(37)

Overall, by combining (33), (35), (36), and (37), one has

$$\begin{array}{c}\hfill {\mathsf{p}}^{″}\left(\overline{\tau }\right)=\sum _{0\le \alpha \le M}\frac{{\mathcal{N}}_S\left(\alpha \right)·{\mathcal{N}}_1\left(\alpha \right)·{\mathcal{N}}_2\left(\alpha \right)·{\mathcal{N}}_0\left(\alpha \right)}{{(2^n-p-{\overline{\alpha }}_1-{\overline{\alpha }}_2)}_{{\alpha }_3+{\alpha }_4+{\alpha }_5+{\alpha }_6+2{\overline{q}}^{″}+3\alpha }}.\end{array}$$

(38)

By combining (32) and (38), we have

$$\begin{array}{c}\hfill \mathsf{p}\left(\overline{\tau }\right)=\sum _{0\le \alpha \le M}\frac{N_S\left(\alpha \right)·{\mathcal{N}}_1\left(\alpha \right)·{\mathcal{N}}_2\left(\alpha \right)·{\mathcal{N}}_0\left(\alpha \right)}{{(2^n-p)}_{{\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_3+{\alpha }_4+{\alpha }_5+{\alpha }_6+2{\overline{q}}^{″}+3\alpha }}.\end{array}$$

(39)

Recall that

$$\frac{Pr[T_{\mathsf{re}}=\overline{\tau }]}{Pr[T_{\mathsf{id}}=\overline{\tau }]}=2^{nq}\mathsf{p}\left(\overline{\tau }\right).$$

(40)

By combining (39) and (40), we conclude that

$$\begin{array}{cc}\hfill \frac{Pr[T_{\mathsf{re}}=\overline{\tau }]}{Pr[T_{\mathsf{id}}=\overline{\tau }]}& \ge \sum _{0\le \alpha \le M}\frac{2^{nq}·{\mathcal{N}}_S\left(\alpha \right)·{\mathcal{N}}_1\left(\alpha \right)·{\mathcal{N}}_2\left(\alpha \right)·{\mathcal{N}}_0\left(\alpha \right)}{{(2^n-p)}_{{\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_3+{\alpha }_4+{\alpha }_5+{\alpha }_6+2q^{″}+3\alpha }}\hfill \\ \hfill & =\sum _{0\le \alpha \le M}\underset{R_1\left(\alpha \right)}{\underbrace{\frac{{\mathcal{N}}_1\left(\alpha \right)}{{\left(2^n-p\right)}_{{\alpha }_3}}}}·\underset{R_2\left(\alpha \right)}{\underbrace{\frac{{\mathcal{N}}_2\left(\alpha \right)}{{\left(2^n-p-{\alpha }_3\right)}_{{\alpha }_6}}}}\hfill \\ \hfill & ·\underset{\ge 1(*)}{\underbrace{\frac{2^{n(q-{\overline{q}}^{\prime })}}{{\left(2^n-p-{\alpha }_3-{\alpha }_6\right)}_{{\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_4+{\alpha }_5}}}}\hfill \\ \hfill & ·\underset{R_0\left(\alpha \right)}{\underbrace{\frac{2^{n{\overline{q}}^{\prime }}·{\mathcal{N}}_S\left(\alpha \right)·{\mathcal{N}}_0\left(\alpha \right)}{{\left(2^n-p-{\overline{\alpha }}_1-{\overline{\alpha }}_2-{\alpha }_3-{\alpha }_4-{\alpha }_5-{\alpha }_6\right)}_{2{\overline{q}}^{\prime \prime }+3\alpha }}}},\hfill \end{array}$$

(41)

where $(*)$ follows as $q-{\overline{q}}^{\prime }={\overline{\alpha }}_1+{\overline{\alpha }}_2+{\alpha }_4+{\alpha }_5$.

Lower bounds on $R_1\left(\alpha \right)$, $R_2\left(\alpha \right)$, and $R_0\left(\alpha \right)$ are given in Appendix D, and the results are showed as follows:

$$R_1\left(\alpha \right)\ge 1-{ϵ}_1,\mathrm{where}{ϵ}_1=\frac{8q^{3/2}}{2^n}+\frac{2p\sqrt{q}}{2^n}+\frac{4q}{2^n}.$$

(42)

$$R_2\left(\alpha \right)\ge 1-{ϵ}_2,\mathrm{where}{ϵ}_2=\frac{8q^{3/2}}{2^n}+\frac{2p\sqrt{q}}{2^n}+\frac{4q}{2^n}.$$

(43)

$$R_0\left(\alpha \right)\ge (1-{ϵ}_0)·(1-{ϵ}_3)·(1-{ϵ}_4)·{\mathsf{Hyp}}_{2^n-p^{\prime },{\overline{q}}^{\prime },{\overline{q}}^{\prime }}\left(\alpha \right),$$

(44)

where ${ϵ}_0=\frac{6q}{2^{2n/3}}+\frac{16\sqrt{q}}{2^{n/3}}$, ${ϵ}_3=\frac{4q}{2^{2n/3}}$, and ${ϵ}_4=\frac{4q{(p+2q+6\sqrt{q})}^2}{2^{2n}}$.

Putting (42), (43), and (44) into (41), we obtain

$$\begin{array}{cc}\hfill \frac{Pr[T_{\mathsf{re}}=\overline{\tau }]}{Pr[T_{\mathsf{id}}=\overline{\tau }]}& \ge (1-{ϵ}_0)(1-{ϵ}_1)(1-{ϵ}_2)(1-{ϵ}_3)(1-{ϵ}_4)\sum _{0\le \alpha \le M}{\mathsf{Hyp}}_{2^n-p^{\prime },{\overline{q}}^{\prime },{\overline{q}}^{\prime }}\left(\alpha \right).\hfill \end{array}$$

(45)

The last term in (45) can be bounded as

$$\begin{array}{cc}\hfill \sum _{0\le \alpha \le M}{\mathsf{Hyp}}_{2^n-p^{\prime },{\overline{q}}^{\prime },{\overline{q}}^{\prime }}\left(\alpha \right)& =1-\sum _{\alpha >{\overline{q}}^{\prime }/2^{n/3}}{\mathsf{Hyp}}_{2^n-p^{\prime },{\overline{q}}^{\prime },{\overline{q}}^{\prime }}\left(\alpha \right)\hfill \\ \hfill & \stackrel{\left(v\right)}{\ge }\left(1-\frac{\mathbb{E}\left[{\mathsf{Hyp}}_{2^n-p^{\prime },{\overline{q}}^{\prime },{\overline{q}}^{\prime }}\left(\alpha \right)\right]}{{\overline{q}}^{\prime }/2^{n/3}}\right)\hfill \\ \hfill & =\left(1-\frac{{\left({\overline{q}}^{\prime }\right)}^2}{(2^n-p^{\prime }){\overline{q}}^{\prime }/2^{n/3}}\right)\hfill \\ \hfill & =\left(1-\frac{{\overline{q}}^{\prime }·2^{\frac{n}{3}}}{2^n-p^{\prime }}\right)\hfill \\ \hfill & \stackrel{\left(vi\right)}{\ge }\left(1-\frac{2q}{2^{2n/3}}\right),\hfill \end{array}$$

(46)

where $\left(v\right)$ follows as Markov’s inequality and $\left(vi\right)$ follows as $2^n-p^{\prime }\ge 2^n-p-6\sqrt{q}\ge 2^{n-1}$ which comes from the assumption $p+6\sqrt{q}\le p+6\sqrt{q}+2q\le 2^{n-1}$ and the fact ${\overline{q}}^{\prime }\le q$. Let ${ϵ}_5=\frac{2q}{2^{2n/3}}$. Then we can write (45) as

$$\begin{array}{cc}\hfill \frac{Pr[T_{\mathsf{re}}=\overline{\tau }]}{Pr[T_{\mathsf{id}}=\overline{\tau }]}& \ge (1-{ϵ}_0)(1-{ϵ}_1)(1-{ϵ}_2)(1-{ϵ}_3)(1-{ϵ}_4)(1-{ϵ}_5)\hfill \\ \hfill & \ge (1-{ϵ}_0-{ϵ}_1-{ϵ}_2-{ϵ}_3-{ϵ}_4-{ϵ}_5).\hfill \end{array}$$

(47)

Combing all these facts together, the proof of Lemma 6 is finished.  □

Finally, by Lemmas 1, 5 and 6, Theorem 2 follows.  □

5. Conclusions

In this paper, we first prove the BBB security of the construction $\mathsf{SoEM}\mathsf{22}$ in the multi-key setting, and further tweak this construction. When the bidirectionally efficient public random permutations are considered, we build the parallelizable beyond-birthday secure PRFs from one permutation in the multi-key setting, and also tweak this new construction while preserving BBB security. By a slight modification of two tweakable PRFs, we obtain two parallelizable nonce based MACs for variable length messages. In fact, the constructions mentioned above come from sum of two Even-Mansours. It is natural to generalize $\mathsf{SoEM}\mathsf{22}$ to sum of s Even-Mansours, namely

$$\begin{array}{c}\hfill F_{K_1,\dots ,K_s}^{P_1,\dots ,P_s}\left(x\right)=P_1(x\oplus K_1)\oplus K_1\oplus \cdots \oplus P_s(x\oplus K_s)\oplus K_s,\end{array}$$

where $P_1,\dots ,P_s\stackrel{\$}{\leftarrow }\mathsf{Perm}\left(n\right)$ are s independent random permutations, and $K_1,\dots ,K_s$ are s n-bit uniformly random strings. Obliviously, this generalization is at least as secure as $\mathsf{SoEM}\mathsf{22}$ even in the multi-key setting. However, the detailed analysis of its security is not easy to see, and we leave it as a future work.