A Survey on Applications of H-Technique: Revisiting Security Analysis of PRP and PRF

Abstract

The Coefficients H technique (also called the H-technique), developed by Patarin circa 1991, is a tool used to obtain the upper bounds on distinguishing advantages. This tool is known to provide relatively simple and (in some cases) tight bound proofs in comparison to some other well-known tools, such as the game-playing technique and random systems methodology. In this systematization of knowledge (SoK) paper, we aim to provide a brief survey on the H-technique. The SoK is presented in four parts. First, we redevelop the necessary nomenclature and tools required to study the security of any symmetric-key design, especially in the H-technique setting. Second, we provide a full description of the H-technique and some related tools. Third, we present (simple) H-technique-based proofs for some popular symmetric-key designs, across different paradigms. Finally, we show that the H-technique can actually provide optimal bounds on distinguishing advantages.

1. Introduction

The general goal of any cryptographic scheme is to achieve some kind of indistinguishability (pseudorandom behavior) from an ideal (random) system. In this respect, distinguishing games have a key role in defining cryptographic security definitions. In symmetric-key cryptography, pseudorandom functions or PRFs [1] and (strong) pseudorandom permutations or (S)PRPs [2] have been defined via distinguishing games. Informally, an adversary interacts with either the keyed construction (real system) of interest or with an ideal system, such as a uniform random function or permutation. The adversary’s goal is to reliably distinguish which one it is interacting with.If no adversary can distinguish the real system from the ideal system with a non-negligible probability, we say that the construction is pseudo-ideal (e.g., PRF or PRP).

Upon closer inspection of the security proofs for most of the symmetric-key designs, we mostly see that the underlying primitives are first replaced by some ideal primitives. This can be justified using the hybrid argument at the cost of the distinguishing advantages of each of the underlying primitives. Once we replace these underlying primitives with ideal candidates, we obtain the so-called hybrid or quasi random construction (information-theoretically indistinguishable from ideal candidates). The next and final step is to provide a security analysis of the hybrid construction. This is performed in a purely information-theoretic setting. So, in a way, the provable security analysis guarantees the security of the construction if the underlying primitives are indistinguishable from their ideal counterparts. In this paper we focus on the security analysis of such hybrid constructions.

1.1. Revisiting Some Popular Proof Techniques

Provable securityresults in symmetric-key can be broadly classified according to the proof techniques used. Different constructions may warrant different proof techniques depending upon the proof’s complexity, the desired security bound, and in some cases, the author’s bias.We briefly discuss some of these techniques.

Game-Playing Technique: Arguably the most popular, and certainly the oldest proof technique is the so-called game-playing technique [3,4]. At a high level the proofs based on this technique use a sequence of games, in which each game is an interaction between the adversary and an oracle. The proof starts with the game corresponding to the real construction and proceeds toward the game corresponding to the ideal system by making stepwise transitions to some intermediate games. Each transition may enable the adversary to gain some advantage, and the cumulative advantage of all such transitions determines the security bound. This high-level view of the game-playing technique is clearly demonstrated in several early works [5,6]. In more recent years, Shoup used this technique extensively [4,7,8,9,10,11].

The contemporary version of this tool is derived from Bellare and Rogaway’s systematized treatment [3], called the code-based game-playing technique. In this approach, the games are written in pseudocode language, each having their own internal variables and flags. Two games are said to be identical if they are syntactically identical. Usually the syntactical identity breaks when one of the game sets a Boolean flag bad to true. Consequently, the adversary’s distinguishing advantage in any game is upper-bounded by the probability that this flag will be set. The game-playing technique has been used to prove the security of almost all types of security notions in symmetric-key cryptography.For example, the game-playing technique was employed in the following:

• (Tweakable) (S)PRPs such as three and four rounds of Feistel [2], CLRW2 [12], etc.;
• PRFs and MACs such as CBC-MAC [13,14], ECBC, FCBC and XCBC [15], PMAC+ [16], sum of ECBC [17], etc.;
• (Tweakable) enciphering schemes such as CMC [18], EME [19], TET [20], HCH [21], HCTR [22], XLS [23], HEH [24,25], etc.;
• Online ciphers such as HCBC1 and HCBC2 [26], TC1, TC2 and TC3 [27], POEx [28], XTC [29], etc.;
• AE schemes such as SIV [30], OCB [31,32,33], COPA [34], POET [35], etc.

Coefficients H Technique: Patarin formally introduced the Coefficients H technique [36] at SAC 2008, although the technique had already been used in some of his earlier works [37,38,39,40,41]. In fact, it was Vaudenay who first reported the H-technique publicly in his decorrelation theory [42]. However, he mentioned that the technique was described in Patarin’s PhD thesis [38], written in French. Independently, Bernstein rediscovered a similar variant of the result in [43], referred to as the interpolation theorem. This was later strengthened by Nandi [44] as the strong interpolation theorem. Later, Chen and Steinberger presented a renewed interpretation of the H-technique in their work on key alternating ciphers [45]. They expressed the hope that their “paper will serve as a useful additional tutorial on (or introduction to) Patarin’s H-coefficient technique, which still seems to suffer from a lack of exposure”. This modernization indeed popularized the H-technique, as to the best of our knowledge, all the recent applications consider this renewed description of the H-technique. We remark that Mennink’s uses of the H-technique in [46,47] offer a relatively simple yet similar exposition of the technique with relatively simple constructions.

At a very high level, the H-technique concentrates on the input-output tuple generated by an adversary’s interaction with the oracle at hand, called the transcript. In the simplest case, the H-technique states that the distinguishing advantage is bounded by one minus a lower bound of the ratio of the probability that an attainable transcript can be realized by the real oracle to the probability that it can be realized by the ideal oracle. A transcript is called attainable if the probability that it can be realized by the ideal oracle is non-zero.

For example, suppose an adversary $\mathbf{A}$ wants to distinguish a uniform random function $\mathit{\rho }:\mathcal{D}\to \mathcal{D}$ (the real oracle) from a uniform random permutation $\mathit{\pi }:\mathcal{D}\to \mathcal{D}$ (the ideal oracle) by making q queries to the oracle at hand (this is popularly known as PRP-PRF switching lemma [3]). A typical attainable transcript for this distinguishing game would look like $\omega =((x_1,y_1),(x_2,y_2),\dots ,(x_q,y_q))$, where $x_i$ and $y_i$ denote the i-th query and response, respectively. For an attainable transcript for the uniform random permutation, we must have $x_i=x_j\iff y_i=y_j$ for all $i\ne j$. Without the loss of generality, we may assume that $x_i\ne x_j$, as $\mathbf{A}$ does not attain any benefits from duplicate queries. Let ${\mathsf{\Theta }}_0$ and ${\mathsf{\Theta }}_1$ be the transcript random variable generated by $\mathbf{A}$’s interaction with $\mathit{\pi }$ and $\mathit{\rho }$, respectively. Then, it is easy to see that

$$Pr[{\mathsf{\Theta }}_0=\omega ]={Pr}_{\mathit{\pi }}[\mathit{\pi }\left(x_1\right)=y_1,\dots ,\mathit{\pi }\left(x_q\right)=y_q]=\frac{1}{2^n(2^n-1)\cdots (2^n-q+1)},$$

and

$$Pr[{\mathsf{\Theta }}_1=\omega ]={Pr}_{\mathit{\rho }}[\mathit{\rho }\left(x_1\right)=y_1,\dots ,\mathit{\rho }\left(x_q\right)=y_q]=\frac{1}{2^{nq}}.$$

Thus, the ratio of the above two probabilities is lower-bounded as

$$\frac{Pr[{\mathsf{\Theta }}_0=\omega ]}{Pr[{\mathsf{\Theta }}_1=\omega ]}=\frac{2^n(2^n-1)\cdots (2^n-q+1)}{2^{nq}}\ge \left(1-\frac{q(q-1)}{2^{n+1}}\right).$$

Finally, the Coefficients H technique states that $\mathbf{A}$’s advantage in distinguishing $\mathit{\rho }$ from $\mathit{\pi }$ is upper-bounded by $q^2/2^{n+1}$.

The above example is quite simple. However, in many cases, it might be possible that certain transcripts are bad (i.e., they may lead to inconsistency or are improbable) in the real or ideal world. In those cases, we also have to add the probability of realizing a bad transcript in the ideal world to the distinguishing advantage. For example, if we interchange the real and the ideal world in the above example, we can define a transcript $\omega =((x_1,y_1),(x_2,y_2),\dots ,(x_q,y_q))$ as bad if for some $i\ne j$, $y_i=y_j$. This can happen with a probability of at most $q^2/2^{n+1}$ in the case of the ideal world (which is now the uniform random function). For a good transcript $\omega$ (from the above calculation), it is easy to see that $\frac{Pr[{\mathsf{\Theta }}_1=\omega ]}{Pr[{\mathsf{\Theta }}_0=\omega ]}\ge 1$. A variant of H-technique which allows bad transcripts will then give the same bound (which is the sum of probability of a bad transcript in the ideal world and the maximum value of 1 minus the ratio over all good transcripts).In the second approach, the maximum value of 1 minus the ratio is, at most, zero and so it is simply bounded by the bad transcript probability.

Note that we have consciously ignored some key technical details, such as $\mathbf{A}$’s computational resources and its probabilistic nature, in order to give a short overview on how the H-technique tool works. In later sections, we will provide a formal description of the H-technique in full generality. Nevertheless, it can still be observed that the H-technique, unlike the game-playing technique, does not make any implicit assumptions about the probability distribution of the oracles and requires an explicit probability computation in both the worlds to provide a bound for the ratio. In recent years, there has been a steady rise in the number of applications of the H-technique. Some of the schemes which have been analyzed with the H-technique include:

• (Online) PRP/SPRPs such as Feistel [41,48,49], MHCBC and MCBC [50], (tweakable) even-Mansour [45,51,52,53,54,55], FMix [56], OleF [57], two-round LDT [58], CLRW2 [59], etc.;
• PRFs and MACs such as CBC-MAC [60], EWCDM [61,62], HaT and NaT [63], 1k-PMAC+ [64], EHtM [65], ZMAC+ [66], DWCDM [67], etc.;
• AE schemes such as ELmE [68], COFB [69], OCB3 [70], Beetle [71], GCM-SIV [72], etc.

Maurer’s Random Systems Methodology: At Eurocrypt 2002, Maurer introduced the random systems methodology (also called Maurer’s methodology) for indistinguishability proofs [73]. The randoms system methodology defines a sequence of conditional probabilities associated with a system, i.e., the interaction between an adversary and an oracle. It further defines the notion of a monotone binary condition associated to a system. Two systems are said to be equivalent until a monotone binary condition B, if they give rise to the same sequence of conditional probabilities while $B=0$. This formalizes the identical-until-bad philosophy of the game-playing technique. Expectedly, the advantage is bounded by the probability that the monotone condition changes to 1. Note that in contrast to this approach, the H-technique considers the joint probability distribution for the systems. Applications of Maurer’s methodology were first presented in some indistinguishability and composition proofs [73,74,75,76]. Later, Maurer’s methodology was also applied to prove the security of PMAC, TMAC and XCBC [77], ENR and its variants [78,79,80], and XTX [81].

Expectation Method: The expectation method, developed by Hoang and Tessaro [82], is a generalization of the H-technique, in which the expected value of the ratio is used instead of a constant (i.e., independent of the transcript) lower bound. The expectation method has been applied to obtain exact bounds in [82] and to obtain multi-user security in [82,83,84].

Coupling Technique: The coupling technique [51,85,86,87] is a very useful tool for upper-bounding of the distinguishing advantage (mostly for the nonadaptive distinguisher) of iterated structures. For example, it has been applied, among others, to the iterated even-Mansour [51], iterated tweakable even-Mansour [54], and cascaded LRW2 [88] schemes. The high level idea is simple: the coupling lemma is used to bound the statistical distance of r-rounds of some iterated scheme from uniform distribution. This step is non-adaptive in nature. Now, given the non-adaptive bound, a straightforward application of the composition lemma from [75] gives adaptive security for $2r$ rounds of the iterated scheme. The coupling technique is known for having notoriously loose bounds. This is because even if the coupling lemma gives a tight bound for the non-adaptive security of r rounds, this does not say anything about the adaptive security of r rounds. It might be possible to obtain the desired level of adaptive security at r rounds itself, but the technique requires $2r$ rounds.

${\chi }^2$-Method and Hellinger Distance: The ${\chi }^2$-method was proposed by Dai, Hoang and Tessaro [89], in which the statistical distance is bounded in terms of the expectation of the conditional ${\chi }^2$-distances. The ${\chi }^2$-method gave improved bounds in some cases, such as the sum of permutations and EDM [89,90], where the H-technique failed. Bhattacharya and Nandi explored the applications of the ${\chi }^2$-method in analyzing the PRF security of a sum of permutation variant [91] and the indifferentiability of a sum of permutations [92]. Recently, beyond-birthday security analysis of three-round LDT [93] has been demonstrated. The ${\chi }^2$ method is quite useful in certain cases in which it is easy to compute the conditional probabilities such as the sum of permutation. However, there is no clear picture as to its utility in cases in which the conditional probability is not that easy to compute, such as hash-based schemes.

The application of a different distance notion for the binding of the statistical distance is not new. In fact, much earlier Steinberger used the Hellinger distance [94] to study the key alternating ciphers. However, this method is yet to be explored for other constructions.

1.2. Our Contribution

The contributions of this SoK are fourfold. First, we reformulate an interactive algorithm in its functional view, which provides the language of the proof of symmetric-key designs. Second, we provide a complete description of the H-technique tool, along with some related tools. Third, we revisit the security analysis of some of the well known symmetric-key constructions across different paradigms. Specifically, we give H-technique based proofs for the following constructions:

• Hash-based schemes: hash-then-PRF, hash-then-TBC [66] and ENR [78,79]. In the case of ENR we study a generic scheme, called ${\mathsf{NR}}^{\star }$, which allows for simple proofs for both ENR and LDT [58].
• Feistel cipher: the three-round Luby–Rackoff [2] and the three-round tweakable block-cipher-based Luby–Rackoff scheme [95].
• SPRP enciphering schemes: HCTR [22] and TET [20].
• Beyond-birthday-bound secure PRFs: SoP [96,97,98] and SoEM22 [99].

Finally, we show that the extended version of the H-technique can achieve optimal security bounds. As a side result, we provide an alternate proof for the composition of non-adaptive PRPs [75].

The above given constructions were chosen for varied reasons. In some cases, we simplify the existing game-playing or Maurer’s-methodology-based proofs. For example, see the proof of ENR, Fesitel ciphers, and SoP. However, in some cases, we unify the proofs of various related schemes into one general result. For example, see the general proof of ${\mathsf{NR}}^{\star }$. For SPRP enciphering schemes, we provide the first proof in the H-technique.

Organization of the Paper

We begin by developing the notations and conventions, in Section 2, that will be used in the paper. In Section 3, we formalize the model for bounded-query interactive algorithms. In Section 4, we describe the H-technique tool and its variant, the expectation method. We also present a brief on how to capture the random system methodology using the H-technique. In Section 5, Section 6 and Section 7, we give alternate proofs for some hash-based schemes, Feistel-like schemes, and popular SPRP schemes, respectively. Section 8 gives proofs for beyond-birthday-bound secure PRFs, namely, SoP and SoEM22. In Section 9, we prove the optimality of the H-technique and use similar ideas to present an alternate proof for the non-adaptive to adaptive PRP composition.

2. Preliminaries

2.1. Notation

We simply write the set $\{1,2,\dots ,m\}$ as $\left[m\right]$. We denote a q-tuple $(x_1,\dots ,x_q)$ as $x^q$. We sometime use the notation $\left\{x^q\right\}$ to denote the set $\{x_i:1\le i\le q\}$. For a q-tuple $v=v^q$, we sometimes denote $v_i$ as ${v|}_i$. A binary sequence $b^q$ is called monotone if $b_{i+1}\ge b_i$ for all $i\in [q-1]$. Thus, any binary monotone sequence must be of the form $0^i{1}^{q-i}$ for some i.

For a set $\mathcal{X}$, we write ${\mathcal{X}}^{\left(r\right)}$ for the set of all r tuples $x^r\in {\mathcal{X}}^r$ such that $x_1,\dots ,x_r$ are distinct. We write $N(N-1)\cdots (N-r+1)$ as ${\left(N\right)}_r$. If the size of the set $\mathcal{X}$ is N, then clearly, $|{\mathcal{X}}^{\left(r\right)}{|=\left(N\right)}_r$.

A function $g(a,b)$ is functionally independent of b if for all $a,b,b^{\prime }$, $g(a,b)=g(a,b^{\prime })$. In this case there exists a function $g^{\prime }$ such that for all $a,b$, $g(a,b)=g^{\prime }\left(a\right)$.

Given an index set $\mathcal{I}$, we denote an indexed family (or a tuple) as ${\left\{x_i\right\}}_{i\in \mathcal{I}}$ or $x^{\mathcal{I}}$. Note that it is different from the set $\{x_i:i\in \mathcal{I}\}$. For some $i\ne j$, $x_i$ and $x_j$ may be the same and we ignore repetition in the set representation, whereas in the indexed family we allow repetition. More formally, it can be represented as a function from the index set to some set in which $x_i$ values belong. Note that $x^q$ is a shorthand notation for $x^{\left[q\right]}$, where $\left[q\right]$ is the index set.

Notations on Compatibility. The set of all functions from $\mathcal{X}$ to $\mathcal{Y}$ is denoted as $\mathsf{Func}(\mathcal{X},\mathcal{Y})$. Similarly, the set of all permutations over $\mathcal{Y}$ is denoted as $\mathsf{Perm}\left(\mathcal{Y}\right)$.

• A pair of tuples $(x^q,y^q)$ is referred to as function-compatible if $x_i=x_j\Rightarrow y_i=y_j$. We denote it as $x^q⇝y^q$.
• A pair of tuples $(x^q,y^q)$ is referred to as permutation-compatible if $x_i=x_j\iff y_i=y_j$. We denote it as $x^q\leftrightsquigarrow y^q$.
• A pair of triples $(t^q,x^q,y^q)$ is referred to as tweakable-permutation-compatible if $(t_i,x_i)=(t_j,x_j)\iff (t_i,y_i)=(t_j,y_j)$. We denote it as $x^q\stackrel{t^q}{\leftrightsquigarrow }{y}^q$ (equivalently, $(t^q,x^q)\leftrightsquigarrow (t^q,y^q)$).

2.2. Statistical Distance

Statistical distance (also known as total variation [100] in the statistics community) is a metric on the set of probability functions over a finite set $\mathsf{\Omega }$. This is the most common metric in cryptography. As we see later, it has a close relationship with the distinguishing advantage.

Definition 1

(statistical distance). Let ${\mathsf{Pr}}_0$ and ${\mathsf{Pr}}_1$ be two probability functions over a finite set Ω. We define the statistical distance between ${\mathsf{Pr}}_0$ and ${\mathsf{Pr}}_1$ as

$$\parallel {\mathsf{Pr}}_0-{\mathsf{Pr}}_1\parallel :=\frac{1}{2}\sum _{x\in \mathsf{\Omega }}|{\mathsf{Pr}}_0\left(x\right)-{\mathsf{Pr}}_1\left(x\right)|.$$

When $\mathsf{X},\mathsf{Y}$ are two random variables over Ω, we define $\mathsf{\Delta }(\mathsf{X};\mathsf{Y})=\parallel {\mathsf{Pr}}_{\mathsf{X}}-{\mathsf{Pr}}_{\mathsf{Y}}\parallel$.

It is easy to verify that the statistical distance satisfies the symmetry and triangle inequality. Moreover, it always lies between zero and one. It is one if and only if the support (the set of all elements of having positive probabilities) of the probability distributions are disjoint and it is zero if and only if the distributions are the same.

The following properties indicate that the total variation is a bounded metric over the set of all probability functions.

Lemma 1

(Properties). For any probability functions ${\mathsf{Pr}}_1,{\mathsf{Pr}}_2,\dots ,{\mathsf{Pr}}_d$, we have

1. 

(non-negative) $\parallel {\mathsf{Pr}}_1-{\mathsf{Pr}}_2\parallel \ge 0$.

2. 

(identification) $\parallel {\mathsf{Pr}}_1-{\mathsf{Pr}}_2\parallel =0$ if and only if ${\mathsf{Pr}}_1={\mathsf{Pr}}_2$.

3. 

(symmetric) $\parallel {\mathsf{Pr}}_1-{\mathsf{Pr}}_2\parallel =\parallel {\mathsf{Pr}}_2-{\mathsf{Pr}}_1\parallel$.

4. 

Triangle inequality(general form):

$$\parallel {\mathsf{Pr}}_1-{\mathsf{Pr}}_d\parallel \le \parallel {\mathsf{Pr}}_1-{\mathsf{Pr}}_2\parallel +\cdots +\parallel {\mathsf{Pr}}_{d-1}-{\mathsf{Pr}}_d\parallel .$$

5. 

$\parallel {\mathsf{Pr}}_1-{\mathsf{Pr}}_2\parallel \le 1$. The equality holds if and only if the supports of these two probability functions are disjoint.

All these results are easy to verify based on the definition of statistical distance. We leave this as an exercise for the reader.

Definition 2. 

Given two probability distributions${\mathsf{Pr}}_0$and${\mathsf{Pr}}_1$over Ω, we associate two sets

$$\begin{array}{cc}\hfill {\mathsf{\Omega }}_{>}& =\{x\in \mathsf{\Omega }:{\mathsf{Pr}}_0\left(x\right)>{\mathsf{Pr}}_1\left(x\right)\},and\hfill \\ \hfill {\mathsf{\Omega }}_{\ge }& =\{x\in \mathsf{\Omega }:{\mathsf{Pr}}_0\left(x\right)\ge {\mathsf{Pr}}_1\left(x\right)\}.\hfill \end{array}$$

Lemma 2. 

For any two probability distributions${\mathsf{Pr}}_0$and${\mathsf{Pr}}_1$, we have

$$\underset{\mathcal{E}}{max}\left({\mathsf{Pr}}_0\left(\mathcal{E}\right)-{\mathsf{Pr}}_1\left(\mathcal{E}\right)\right)=\sum _{x\in \mathsf{\Omega }}max\{0,{\mathsf{Pr}}_0\left(x\right)-{\mathsf{Pr}}_1\left(x\right)\}=\parallel {\mathsf{Pr}}_0-{\mathsf{Pr}}_1\parallel .$$

The maximum is achieved at$\mathcal{E}$if and only if${\mathsf{\Omega }}_{>}\subseteq \mathcal{E}\subseteq {\mathsf{\Omega }}_{\ge }$.

Proof. 

It is easy to see that the maximum value of ${\mathsf{Pr}}_0\left(\mathcal{E}\right)-{\mathsf{Pr}}_1\left(\mathcal{E}\right)$ is achieved at $\mathcal{E}$ if and only if ${\mathsf{\Omega }}_{>}\subseteq \mathcal{E}\subseteq {\mathsf{\Omega }}_{\ge }$ (for any $x\notin {\mathsf{\Omega }}_{\ge }$, the contribution ${\mathsf{Pr}}_0\left(x\right)-{\mathsf{Pr}}_1\left(x\right)$ is negative). Here, we can note that

$$max\{0,{\mathsf{Pr}}_0\left(x\right)-{\mathsf{Pr}}_1\left(x\right)\}=\left\{\begin{array}{cc}0\hfill & \mathrm{if}x\notin {\mathsf{\Omega }}_{>}\hfill \\ {\mathsf{Pr}}_0\left(x\right)-{\mathsf{Pr}}_1\left(x\right)\hfill & \mathrm{if}x\in {\mathsf{\Omega }}_{>}.\hfill \end{array}\right.$$

So,

$$\begin{array}{cc}\hfill \sum _{x\in \mathsf{\Omega }}max\{0,{\mathsf{Pr}}_0\left(x\right)-{\mathsf{Pr}}_1\left(x\right)\}& =\sum _{x\in {\mathsf{\Omega }}_{>}}{\mathsf{Pr}}_0\left(x\right)-{\mathsf{Pr}}_1\left(x\right)\hfill \\ \hfill & =\underset{\mathcal{E}}{max}\left({\mathsf{Pr}}_0\left(\mathcal{E}\right)-{\mathsf{Pr}}_1\left(\mathcal{E}\right)\right).\hfill \end{array}$$

This proves the first equality. Now, we write

$$2\parallel {\mathsf{Pr}}_0-{\mathsf{Pr}}_1\parallel =\sum _{x\in {\mathsf{\Omega }}_{>}}|{\mathsf{Pr}}_0\left(x\right)-{\mathsf{Pr}}_1\left(x\right)|+\sum _{x\notin {\mathsf{\Omega }}_{>}}|{\mathsf{Pr}}_0\left(x\right)-{\mathsf{Pr}}_1\left(x\right)|.$$

The first sum can be simplified as

$$\sum _{x\in {\mathsf{\Omega }}_{>}}{\mathsf{Pr}}_0\left(x\right)-{\mathsf{Pr}}_1\left(x\right)={\mathsf{Pr}}_0\left({\mathsf{\Omega }}_{>}\right)-{\mathsf{Pr}}_1\left({\mathsf{\Omega }}_{>}\right).$$

Similarly, the second sum can be simplified to

$$\begin{array}{cc}\hfill \sum _{x\notin {\mathsf{\Omega }}_{>}}{\mathsf{Pr}}_1\left(x\right)-{\mathsf{Pr}}_0\left(x\right)& ={\mathsf{Pr}}_1\left({\mathsf{\Omega }}_{>}^c\right)-{\mathsf{Pr}}_0\left({\mathsf{\Omega }}_{>}^c\right)\hfill \\ \hfill & ={\mathsf{Pr}}_0\left({\mathsf{\Omega }}_{>}\right)-{\mathsf{Pr}}_1\left({\mathsf{\Omega }}_{>}\right)\hfill \end{array}$$

If we add these two sums, we obtain the second equality. □

Corollary 1. 

Let${\mathsf{X}}_0\sim {\mathsf{Pr}}_0$and${\mathsf{X}}_1\sim {\mathsf{Pr}}_1$. Let${ϵ}_{\mathsf{opt}}\left(x\right)=max\{0,1-\frac{{\mathsf{Pr}}_1\left(x\right)}{{\mathsf{Pr}}_0\left(x\right)}\}$for all x in the support of${\mathsf{X}}_0$. Then,

$$\parallel {\mathsf{Pr}}_0-{\mathsf{Pr}}_1\parallel =\mathsf{Ex}\left[{ϵ}_{\mathsf{opt}}\left({\mathsf{X}}_0\right)\right].$$

3. Models for Interactive Algorithms

3.1. Probabilistic Function

A probabilistic function (defined below) is a mathematical model for the black-box behavior of a probabilistic algorithm. We also use the same object to model probabilistic interactive algorithms.

Definition 3

(probabilistic function). A probabilistic function with an input space $\mathcal{X}$ and an output space $\mathcal{Y}$ is a function $f:\mathcal{R}\times \mathcal{X}\to \mathcal{Y}$ for some finite set $\mathcal{R}$, called the random coin space. We can also simply write (abusing notation) $f:\mathcal{X}\stackrel{\ast }{\to }\mathcal{Y}$ suppressing the notation for the random coin space.

If the random coin space is a singleton (i.e., degenerated) we simply ignore the random coin space. In this case, the probabilistic function is reduced to a function. Given an input $x\in \mathcal{X}$, we first sample $\mathsf{R}\stackrel{\ast }{\leftarrow }\mathcal{R}$ (in most cases uniformly) and then we define an output random variable $f\left(x\right):=f(\mathsf{R},x)$ over $\mathcal{Y}$. So, for all $y\in \mathcal{Y}$,

$${\displaystyle {\mathsf{p}}_x^f\left(y\right):=\mathsf{Pr}[f\left(x\right)=y]=\sum _{\begin{array}{c}r\\ f(r,x)=y\end{array}}\mathsf{Pr}[\mathsf{R}=r]}$$

(1)

Definition 4. 

With each probabilistic function$f:\mathcal{X}\stackrel{\ast }{\to }\mathcal{Y}$, we associate a family of probability functions over$\mathcal{Y}$(indexed by the input space$\mathcal{X}$)

$${\mathsf{p}}^f:=\left\{{\mathsf{p}}_x^f\right|x\in \mathcal{X}\},$$

where${\mathsf{p}}_x^f\left(y\right):=\mathsf{Pr}[f\left(x\right)=y]$. We call the${\mathsf{p}}^f$the probabilistic systemassociated with the probabilistic function f.

Note that the probabilistic function and probabilistic system are analogous to a random variable and its probability distribution.

Example 1

(Keyed Functions). This is an important example for cryptography. Many cryptographic designs are viewed as keyed functions. Let F be a keyed function family $\left\{F_k\right|k\in \mathcal{K}\}$ such that for all keys $k\in \mathcal{K}$, $F_k:\mathcal{X}\to \mathcal{Y}$.

We sample key$\mathsf{K}{\leftarrow }_{\$}\mathcal{K}$and treat it as a random coin, and we obtain a probabilistic function (abusing notation)$F:\mathcal{X}\stackrel{\ast }{\to }\mathcal{Y}$, mapping x to$F(\mathsf{K},x):=F_{\mathsf{K}}\left(x\right)$(also written as$\mathsf{K}\left(x\right)$, whenever$\mathsf{K}$actually represents the function F).

Notation 1. 

Given a probabilistic function$f:\mathcal{X}\stackrel{\ast }{\to }{\mathcal{Y}}_1\times {\mathcal{Y}}_2$we write$f=(f_1,f_2)$where$f(r,x)=(f_1(r,x),f_2(r,x))$and$f_i:\mathcal{X}\stackrel{\ast }{\to }{\mathcal{Y}}_i$,$i=1,2$. The probabilistic functions$f_1$and$f_2$are basically two components of f and we also call them truncated probabilistic functions. This can be similarly extended for the Cartesian product of more than two sets.

3.2. Function Models of Interactive Algorithms and Their Interaction

An interactive algorithm is modeled as a (probabilistic) interactive Turing machine [1,101]. In this paper, probabilistic functions are modeled for interactive algorithms. This model is general enough to capture finite and bounded interactions between two interactive algorithms (i.e., the number of interactions between two algorithms is bounded by some fixed positive integer, say q).

Definition 5

(function models of interactive algorithms). Let q be a positive integer.

• Joint Response Function:- A q-joint $(\mathcal{X},\mathcal{Y})$ response function is a probabilistic function $\mathbf{F}:{\mathcal{X}}^q\stackrel{\ast }{\to }{\mathcal{Y}}^q$ such that for all random coins r, the mapping $x^q\mapsto \mathbf{F}(r,x^q){|}_i$ is functionally independent of $x_{i+1},\dots ,x_q$.
• Joint Query Function:- A probabilistic function $\mathcal{A}:{\mathcal{Y}}^q\stackrel{\ast }{\to }{\mathcal{X}}^q$ is called aq-joint $(\mathcal{X},\mathcal{Y})$ query function if for all random coins r, the mapping $y^q\mapsto \mathcal{A}(r,y^q){|}_i$ isfunctionally independent of $y_i,\dots ,y_q$. Moreover, it is called

  -

  nonadaptive  if $\mathcal{A}(r,y^q)$ is functionally independent of $y^q$ and

  -

  deterministic  if the random coin space is a singleton (we simply drop the random coin space notation and write it as a function $\mathcal{A}:{\mathcal{Y}}^q\to {\mathcal{X}}^q$).

We can also simply refer to a q-joint $(\mathcal{X},\mathcal{Y})$ query function and a q-joint $(\mathcal{X},\mathcal{Y})$ response function as a $(\mathcal{X},\mathcal{Y})$ joint query function and a $(\mathcal{X},\mathcal{Y})$ joint response function respectively.

The joint query and response function together capture the interaction. A joint query function captures the functional view of an interactive algorithm that initiates the interaction and a joint response function captures the functional view of the corresponding oracle algorithm. When a joint query function $\mathcal{A}$ interacts with a joint response function $\mathbf{F}$, $x_1$ only depends on the random coin of $\mathcal{A}$, whereas $y_1$ depends on $x_1$ and the random coin of $\mathbf{F}$. Similarly, $x_2$ depends on $y_1$ and its random coin, and $y_2$ depends on $x_1,x_2$ and its random coin. In this way, we can define $x^q$ and $y^q$ based on random coins of $\mathcal{A}$ and $\mathbf{F}$. The pair $(x^q,y^q)$ is called a transcript (which is a function of the pairs of random coins of $\mathcal{A}$ and $\mathbf{F}$).

We now formally define the transcript random variable. Based on the given conditions of the definitions of the joint response and query functions, there exist functions ${\mathcal{A}}_i$ and ${\mathbf{F}}_i$, $i\in \left[q\right]$, such that for all $y^q$, $\mathcal{A}(r,y^q){|}_i={\mathcal{A}}_i(r,y^{i-1})$ and for all $x^q$, $\mathbf{F}(r^{\prime },x^q){|}_i={\mathbf{F}}_i(r^{\prime },x^i)$.

Definition 6

(transcript). Let $\mathcal{A}$ and $\mathbf{F}$ be the $(\mathcal{X},\mathcal{Y})$ joint query function and joint response function, respectively. Let ${\mathcal{A}}_i$ and ${\mathbf{F}}_i$ be defined as above. We define the transcript random variable as $\tau \left({\mathcal{A}}^{\mathbf{F}}\right)=({\mathsf{X}}^q,{\mathsf{Y}}^q)$, where ${\mathsf{X}}_i$ values and ${\mathsf{Y}}_i$ values are defined recursively as follows:

$${\mathsf{X}}_i={\mathcal{A}}_i(\mathsf{R},{\mathsf{Y}}^{i-1}),{\mathsf{Y}}_i={\mathbf{F}}_i({\mathsf{R}}^{\prime },{\mathsf{X}}^i),1\le i\le q$$

and $\mathsf{R}$ and ${\mathsf{R}}^{\prime }$ are random coins of $\mathcal{A}$ and $\mathbf{F}$, respectively.

Based on the above definition, it is clear that for any fixed random coins r and $r^{\prime }$, the transcript is the unique pair $(x^q,y^q)$ such that $\mathcal{A}(r,y^q)=x^q$ and $\mathbf{F}(r^{\prime },x^q)=y^q$. So for any $(x^q,y^q)\in {\mathcal{X}}^q\times {\mathcal{Y}}^q$, using the independence of the random coins $\mathcal{A}$ and $\mathbf{F}$, we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[\tau \left({\mathcal{A}}^{\mathbf{F}}\right)=(x^q,y^q)]& =\mathsf{Pr}[\mathcal{A}\left(y^q\right)=x^q]\times \mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q].\hfill \end{array}$$

(2)

In terms of the probabilistic systems ${\mathsf{p}}^{\mathcal{A}}$ and ${\mathsf{p}}^{\mathbf{F}}$ associated with $\mathcal{A}$ and $\mathbf{F}$, respectively (see Definition 4), we can write the probability, realizing a transcript $\tau =(x^q,y^q)$ as

$$\begin{array}{cc}\hfill \mathsf{Pr}[\tau \left({\mathcal{A}}^{\mathbf{F}}\right)=(x^q,y^q)]& ={\mathsf{p}}_{y^q}^{\mathcal{A}}\left(x^q\right)\times {\mathsf{p}}_{x^q}^{\mathbf{F}}\left(y^q\right)\hfill \end{array}$$

So, the transcript probability is determined by the probabilistic systems ${\mathsf{p}}^{\mathcal{A}}$ and ${\mathsf{p}}^{\mathbf{F}}$.

Extended Transcript. The transcript is a piece of information obtained by the joint query function through an interaction. Sometimes we release an extra piece of information, say $\mathsf{S}$, in addition to the transcript, to the adversary. This is given only after all interaction is completed.In other words, the queries $x^q$ cannot functionally depend on $\mathsf{S}$, whereas $\mathsf{S}$ can depend on queries. To formalize this, let us define an extended response function.

Definition 7

(extended transcript). An $\mathcal{S}$-extended $(\mathcal{X},\mathcal{Y})$ joint response function is a probabilistic function $\overline{\mathbf{F}}=(\mathbf{F},\mathsf{S}):{\mathcal{X}}^q\stackrel{\ast }{\to }{\mathcal{Y}}^q\times \mathcal{S}$. For any $(\mathcal{X},\mathcal{Y})$ joint query function $\mathcal{A}$, we define the (extended) transcript of ${\mathcal{A}}^{\overline{\mathbf{F}}}$ as

$$\overline{\tau }\left({\mathcal{A}}^{\mathbf{F}}\right)=\tau \left({\mathcal{A}}^{\overline{\mathbf{F}}}\right)=(\tau \left({\mathcal{A}}^{\mathbf{F}}\right),\mathsf{S}\left({\mathsf{X}}^q\right)):=(\tau \left({\mathcal{A}}^{\mathbf{F}(\mathsf{R},·)}\right),\mathsf{S}(\mathsf{R},{\mathsf{X}}^q)),$$

where $\mathsf{R}$ denotes the random coin of $\overline{\mathbf{F}}$ and $\tau \left({\mathcal{A}}^{\mathbf{F}}\right)=({\mathsf{X}}^q,{\mathsf{Y}}^q)$. We call $\mathsf{S}$ the adjoined random variable to $\mathbf{F}$.

MBO Extension. Now we describe a popular extended joint responsefunction. An MBO (monotone binary output) extension $\overline{\mathbf{F}}$ is an ${\{0,1\}}^q$-extension of a joint response function $\mathbf{F}$ such that the support of the adjoined random variable $\mathsf{S}$ is the set of all monotone binary sequences. We call the extended transcript $\tau \left({\mathcal{A}}^{\overline{\mathbf{F}}}\right)$ good if $\mathsf{S}=0^q$, otherwise we call it bad. Informally, $\mathsf{S}$ denotes whether some bad event occurred upon some query or not. This is accomplished by setting the bit corresponding to the query index to 1. Since $\mathsf{S}$ is monotone in nature, whenever the bad flag is set to 1, it continues to be 1 for the rest of the queries. This justifies the fact that the support of $\mathsf{S}$ is $\{0^i{1}^{q-i}:0\le i\le q\}$.

Later we will see that a simpler and equally powerful extension would be to release a binary variable $\mathsf{B}$ to denote whether a bad event happened or not in the whole transcript. Thus, $\mathsf{B}=0$ if $\mathsf{S}=0^q$; otherwise, $\mathsf{B}=1$. We adjoin the random variable $\mathsf{B}$ only, instead of an MBO $\mathsf{S}$.

For an extended system $\overline{\mathbf{F}}=(\mathbf{F},\mathsf{S})$, we can similarly associate a probabilistic system, defined as

$${\mathsf{p}}_{x^q}^{\overline{\mathbf{F}}}(y^q,s)=\mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q,\mathsf{S}=s]$$

(3)

For any $(x^q,y^q,s)\in {\mathcal{X}}^q\times {\mathcal{Y}}^q\times \mathcal{S}$, we have

$$\mathsf{Pr}[\tau \left({\mathcal{A}}^{\overline{\mathbf{F}}}\right)=(x^q,y^q,s)]=\mathsf{Pr}[\mathcal{A}\left(y^q\right)=x^q]\times \mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q,\mathsf{S}=s].$$

3.3. Examples of Response Functions

Keyed Function. Let F be a keyed function family $\left\{F_k\right|k\in \mathcal{K}\}$ such that for all keys $k\in \mathcal{K}$, $F_k:\mathcal{X}\to \mathcal{Y}$. We can also view F as a function $F:\mathcal{K}\times \mathcal{X}\to \mathcal{Y}$, where $F(k,x)=F_k\left(x\right)$. If we choose the key $\mathsf{K}{\leftarrow }_{\$}\mathcal{K}$ and treat it as a random coin, we obtain a joint response function (we call it a (deterministic) keyed function) as

$$\mathbf{F}(k,x^q)=(F(k,x_1),\dots ,F(k,x_q)),x^q\in {\mathcal{X}}^q.$$

Keyed Strong Permutation. When $F(k,·)$ is a permutation on $\mathcal{Y}$ for all keys $k\in \mathcal{K}$, one can consider an interaction in which a joint query function makes queries to the inverse function as well. To capture this, we associate a new keyed function

$$F_k^{\pm }:\{1,-1\}\times \mathcal{Y}\to \mathcal{Y}$$

mapping $(1,x)$ to $F_k\left(x\right)$ and mapping $(-1,x)$ to $F_k^{-1}\left(x\right)$. We also write $F_k(\delta ,x):=F_k^{\delta }\left(x\right)$. The joint response function associated to the keyed function $F^{\pm }$ is denoted as ${\mathbf{F}}^{\pm }$ and we call it keyed strong permutation.

Definition 8.

Given a triple of tuples$({\delta }^q,x^q,y^q)\in {\{1,-1\}}^q\times {\mathcal{Y}}^{2q}$we associate aforward-only representation$({\delta }^q,a^q,b^q)$as

$$(a_i,b_i)=\left\{\begin{array}{cc}(x_i,y_i)\hfill & if{\delta }_i=1\hfill \\ (y_i,x_i)\hfill & otherwise.\hfill \end{array}\right.$$

The forward-only representation is an equivalent representation of the original triple, as we can uniquely reconstruct the original triple from it.

Suppose that $({\delta }^q,a^q,b^q)$ is a forward-only representation of $({\delta }^q,x^q,y^q)$. Then, $F_k\left(a_i\right)=b_i$ for all i if and only if $F_k^{{\delta }_i}\left(x_i\right)=y_i$ for all i. So for every $({\delta }^q,x^q,y^q)$, we have

$$\mathsf{Pr}[{\mathbf{F}}^{\pm }({\delta }^q,x^q)=y^q]=\mathsf{Pr}[\mathbf{F}\left(a^q\right)=b^q].$$

So, the probabilistic system associated to ${\mathbf{F}}^{\pm }$ is completely determined by the probabilistic system associated with $\mathbf{F}$.

Some Ideal Random Systems

We describe some popular ideal random systems. Let $\mathcal{X}$, $\mathcal{Y}$ and $\mathcal{T}$ be finite sets such that $N=\left|\mathcal{Y}\right|$.

Definition 9

(random function). A $(\mathcal{X},\mathcal{Y})$ random function is an $(\mathcal{X},\mathcal{Y})$ joint response function ρ such that for all $x^q\in {\mathcal{X}}^q$ and $y^q\in {\mathcal{Y}}^q$ with $x^q⇝y^q$ (function compatible),

$$\mathsf{Pr}[\mathit{\rho }\left(x^q\right)=y^q]=N^{-s}$$

where s is the number of distinct x values present in $x^q$. In all other cases the probability is zero.

Definition 10

(random permutation). A $\mathcal{Y}$ random permutation is an $(\mathcal{Y},\mathcal{Y})$ joint response function π such that for all $x^q,y^q\in {\mathcal{Y}}^q$ with $x^q\leftrightsquigarrow y^q$ (permutation compatible),

$$\mathsf{Pr}[\mathit{\pi }\left(x^q\right)=y^q]=\frac{1}{{\left(N\right)}_s}$$

where s is the number of distinct $x_i$ values present in $x^q$. In all other cases the probability is zero.

As described before, we can also similarly define a strong random permutation ${\mathit{\pi }}^{\pm }$ which provides the access of inverse. More precisely, for any $({\delta }^q,x^q,y^q)$, $\mathsf{Pr}[{\mathit{\pi }}^{\pm }({\delta }^q,x^q)=y^q]=\frac{1}{{\left(N\right)}_s}$, provided that $a^q\leftrightsquigarrow b^q$, where $({\delta }^q,a^q,b^q)$ is the forward-only transcript of $({\delta }^q,x^q,y^q)$ and s is the number of distinct $a_i$ values present in $a^q$ (which is same as the number of distinct values present in $b^q$).

We have defined the above ideal systems through their probabilistic systems. One can define these through deterministic keyed functions. For a random function, the key space is $\mathsf{Func}(\mathcal{X},\mathcal{Y})$, the set of all functions from $\mathcal{X}$ to $\mathcal{Y}$. For any $k\in \mathsf{Func}(\mathcal{X},\mathcal{Y})$, and $x\in \mathcal{X}$, we define $\mathit{\rho }(k,x)=k\left(x\right)$. For a random permutation, the key space is $\mathsf{Perm}\left(\mathcal{Y}\right)$, the set of all permutations over $\mathcal{Y}$. For any $k\in \mathsf{Perm}\left(\mathcal{Y}\right)$, and $x\in \mathcal{Y}$, we define $\mathit{\pi }(k,x)=k\left(x\right)$.

One can easily verify that the probabilistic systems view is same as the deterministic keyed function view. The two views are actually the same functions defined over two different domains.

Tweakable Random Permutation. Given a tweakable-permutation-compatible tuple $(t^q,x^q,y^q)$, we associate a tuple of positive numbers $(c_1,\dots ,c_r)$ as follows. Let $t_1^{\prime },\dots ,t_r^{\prime }$ denote the distinct tweaks present in $t^q$. We write $\mathsf{mcoll}\left(t^q\right)=c^r$ where $c_i=\left|\{x_j:t_j=t_i^{\prime }\}\right|$. Clearly, ${\sum }_i{c}_i=q$ when $(t^q,x^q,y^q)$ is a tweakable-permutation-compatible tuple. Basically, ${\sum }_i{c}_i$ represents the number of distinct $(t_i,x_i)$ pairs present in $(t^q,x^q)$.

Definition 11

(tweakable random permutation). A $(\mathcal{T},\mathcal{Y})$ tweakable random permutation is a $(\mathcal{T}\times \mathcal{Y},\mathcal{Y})$ joint response function $\tilde{\mathit{\pi }}$ such that for all tweakable-permutation-compatible tuples $(t^q,x^q,y^q)$ with $\mathit{mcoll}\left(t^q\right)=c^r$,

$$\mathsf{Pr}[\tilde{\mathit{\pi }}(t^q,x^q)=y^q]=\prod _{i=1}^r\frac{1}{{\left(N\right)}_{c_i}}.$$

(4)

The probability is zero for all other tuples $(t^q,x^q,y^q)$.

We can write the above probability in another equivalent form. For each i, we define $s_i$ as the number of $j<i$, such that $t_j=t_i$. Then, we have

$$\mathsf{Pr}[\tilde{\mathit{\pi }}(t^q,x^q)=y^q]=\prod _{i=1}^q\frac{1}{N-s_i}.$$

(5)

Intuitively, when we respond to the ith query $(t_i,x_i)$, we look at all those j for which $t_j=t_i$. Let ${\mathcal{S}}_i$ be the set of all $y_j$ values for which $t_j=t_i$. The response of the ith query is to select an element randomly from ${\mathcal{S}}_i^c$ (in other words, without a replacement sample for the same tweak values).

To realize this probabilistic system, we define a keyed function corresponding to it. Let the key space be $\mathsf{Func}(\mathcal{T},\mathsf{Perm}(\mathcal{Y}\left)\right)$, the set of all functions from the tweak space to the set of all permutations. Thus, if k is a key and t is a tweak, $k\left(t\right)$ is a permutation over $\mathcal{Y}$. We write $k\left(t\right)\left(x\right)$ as $k(t,x)$ or $\tilde{\mathit{\pi }}(k,(t,x))$. One can again check that the probabilistic system associated with this joint response function is the same as the tweakable random permutation as defined above.

4. H-Technique Tools

4.1. Distinguisher and Its Advantage

Let $\mathbf{F}$ and $\mathbf{G}$ be two $(\mathcal{X},\mathcal{Y})$ joint response functions and $\mathcal{A}$ be a $(\mathcal{X},\mathcal{Y})$ joint query system with random coin space $\mathcal{R}$. Let $b:\mathcal{R}\times {\mathcal{X}}^q\times {\mathcal{Y}}^q\to \{0,1\}$ be a binary function (also called a decision function). We call the pair $(\mathcal{A},b)$, denoted as ${\mathcal{A}}_b$, a distinguisher.

• The algorithm $\mathcal{A}$ obtains a transcript $\tau =(x^q,y^q)$.
• The function b finally makes a decision based on the transcript and the random coin initially sampled by $\mathcal{A}$.

More formally, the output of ${\mathcal{A}}_b^{\mathbf{F}}$ is $b(\mathsf{R},\tau \left({\mathcal{A}}^{\mathbf{F}}\right))$ where $\mathsf{R}$ is the random coin of $\mathcal{A}$, which is used to generate the transcript $\tau \left({\mathcal{A}}^{\mathbf{F}}\right)$. We now define

${\mathsf{\Delta }}_{{\mathcal{A}}_b}(\mathbf{F};\mathbf{G}):=|\mathsf{Pr}[{\mathcal{A}}_b^{\mathbf{F}}\to 1]-\mathsf{Pr}[{\mathcal{A}}_b^{\mathbf{G}}\to 1]|$.

Let $\mathcal{E}$ be the set of all tuples $(r,x^q,y^q)$ for which b returns 1. From the equivalent definition of statistical distance (see Lemma 2) we have

$$\begin{array}{cc}\hfill {\mathsf{\Delta }}_{{\mathcal{A}}_b}(\mathbf{F};\mathbf{G})& \le \mathsf{\Delta }((\mathsf{R},\tau \left({\mathcal{A}}^{\mathbf{F}}\right));(\mathsf{R},\tau \left({\mathcal{A}}^{\mathbf{G}}\right))).\hfill \end{array}$$

(6)

Moreover, equality is achieved if we define the decision function, called the optimal decision function and denoted $b_{opt}$, as follows:

$$b_{opt}(r,x^q,y^q)=1\iff \mathsf{Pr}[\mathsf{R}=r,\tau \left({\mathcal{A}}^{\mathbf{F}}\right)=(x^q,y^q)]\ge \mathsf{Pr}[\mathsf{R}=r,\tau \left({\mathcal{A}}^{\mathbf{G}}\right)=(x^q,y^q)].$$

Complexity. Note that the computation of $b_{opt}$ may not be efficient. In general, we consider two types of complexities for an adversary (both for the query system and the decision function) to measure the efficiency of an algorithm. One type considers all computational complexities, which includes, e.g., time, memory, etc. The other type considers the data complexities, which includes the number of queries (which is q in our case), the total number of bits in all queries, the size of the largest queries, etc. As we are interested in information-theoretic analysis, we only keep complexity related to oracle calls and we consider only unbounded time adversaries. We always assume that the decision-making function b is optimum and hence, ${\mathsf{\Delta }}_{{\mathcal{A}}_b}(\mathbf{F};\mathbf{G})=\mathsf{\Delta }((\mathsf{R},\tau \left({\mathcal{A}}^{\mathbf{F}}\right));(\mathsf{R},\tau \left({\mathcal{A}}^{\mathbf{G}}\right)))$. Thus, we simply denote a distinguisher as $\mathcal{A}$ (by its joint query function), ignoring the notation b.

Conventions

Now, we state some conventions which can be assumed without the loss of generality in this paper. This will simplify the process of analyzing the distinguishing advantage.

• Distinguishers are deterministic: Given any query function $\mathcal{A}$, and for a fixed random coin r, let $\mathcal{A}\left[r\right]:=\mathcal{A}(r,·)$ denote the deterministic query function which basically runs $\mathcal{A}$ with the random coin r. It is easy to verify that ${\mathsf{\Delta }}_{\mathcal{A}}(\mathbf{F};\mathbf{G})={\mathsf{Ex}}_{\mathsf{R}}\left({\mathsf{\Delta }}_{\mathcal{A}\left[\mathsf{R}\right]}(\mathbf{F};\mathbf{G})\right)$ and hence there exists $r_0$ for which ${\mathsf{Ex}}_{\mathsf{R}}\left({\mathsf{\Delta }}_{\mathcal{A}\left[\mathsf{R}\right]}(\mathbf{F};\mathbf{G})\right)\le {\mathsf{\Delta }}_{\mathcal{A}\left[r_0\right]}(\mathbf{F};\mathbf{G})$. Hence,

  $${\mathsf{\Delta }}_{\mathcal{A}}(\mathbf{F};\mathbf{G})\le {\mathsf{\Delta }}_{\mathcal{A}\left[r_0\right]}(\mathbf{F};\mathbf{G}).$$
• No redundant queries: In this paper we only consider deterministic keyed functions. An adversary $\mathcal{A}$ interacting with a deterministic keyed function is called redundant if $\mathcal{A}$ makes two identical queries (i.e., $x_i=x_j$ for some $i<j$). An adversary $\mathcal{A}$ interacting with a deterministic keyed strong permutation ${\mathbf{F}}^{\pm }$ is called redundant if for some $i<j$, $({\delta }_j,x_j)=({\delta }_i,x_i)$ or $({\delta }_j,x_j)=(-{\delta }_i,y_i)$, where $y_i$ is the response of the ith query. Note that, in this case, $(a_j,b_j)=(a_i,b_i)$, where $({\delta }^q,a^q,b^q)$ denotes the forward-only transcript. The response of jth query is uniquely determined from the ith query. Similarly, we define redundant queries for a tweakable keyed permutation. The ith query $({\delta }_i,t_i,x_i)$ is called redundant if there is $j<i$ with $t_j=t_i$, either $({\delta }_j,x_j)=({\delta }_i,x_i)$ or $({\delta }_j,y_j)=(-{\delta }_i,x_i)$.

Note that for all redundant queries, the response is uniquely determined from the previous query-responses and hence without the loss of generality we may ignore those queries. Thus, we assume that all such adversaries are non-redundant.

4.2. Security Definitions

Here we define PRF, PRP, SPRP, and their tweakable versions against adaptive and nonadaptive adversaries. Let $\mathbb{A}\left({\theta }_D\right)$ (and ${\mathbb{A}}_{\mathrm{na}}\left({\theta }_D\right)$) denote the set of all adversaries $\mathcal{A}$, using at most ${\theta }_D$ data complexity in adaptive ways (and nonadaptive ways, respectively). If the computational complexity is unbounded (or infinity) in all these definitions, we simply drop the notation ${\theta }_C$.

• • ${\displaystyle {\mathbf{Adv}}_{\mathbf{F}}^{\mathrm{prf}}\left({\theta }_D\right)=\underset{\mathcal{A}\in \mathbb{A}\left({\theta }_D\right)}{max}{\mathsf{\Delta }}_{\mathcal{A}}(\mathbf{F};\mathit{\rho })}$,
  • ${\displaystyle {\mathbf{Adv}}_{\mathbf{F}}^{\mathrm{nprf}}\left({\theta }_D\right)=\underset{\mathcal{A}\in {\mathbb{A}}_{\mathrm{na}}\left({\theta }_D\right)}{max}{\mathsf{\Delta }}_{\mathcal{A}}(\mathbf{F};\mathit{\rho })}$,
• • ${\displaystyle {\mathbf{Adv}}_{\mathbf{F}}^{\mathrm{prp}}\left({\theta }_D\right)=\underset{\mathcal{A}\in \mathbb{A}\left({\theta }_D\right)}{max}{\mathsf{\Delta }}_{\mathcal{A}}(\mathbf{F};\mathit{\pi })}$,
  • ${\displaystyle {\mathbf{Adv}}_{\mathbf{F}}^{\mathrm{sprp}}\left({\theta }_D\right)=\underset{\mathcal{A}\in \mathbb{A}\left({\theta }_D\right)}{max}{\mathsf{\Delta }}_{\mathcal{A}}({\mathbf{F}}^{\pm };{\mathit{\pi }}^{\pm })}$,
  • ${\displaystyle {\mathbf{Adv}}_{\mathbf{F}}^{\mathrm{nprp}}\left({\theta }_D\right)=\underset{\mathcal{A}\in {\mathbb{A}}_{\mathrm{na}}\left({\theta }_D\right)}{max}{\mathsf{\Delta }}_{\mathcal{A}}(\mathbf{F};\mathit{\pi })}$,
• • ${\displaystyle {\mathbf{Adv}}_{\mathbf{F}}^{\mathrm{tprp}}\left({\theta }_D\right)=\underset{\mathcal{A}\in \mathbb{A}\left({\theta }_D\right)}{max}{\mathsf{\Delta }}_{\mathcal{A}}(\mathbf{F};\tilde{\mathit{\pi }})}$,
  • ${\displaystyle {\mathbf{Adv}}_{\mathbf{F}}^{\mathrm{tsprp}}\left({\theta }_D\right)=\underset{\mathcal{A}\in \mathbb{A}\left({\theta }_D\right)}{max}{\mathsf{\Delta }}_{\mathcal{A}}({\mathbf{F}}^{\pm };{\tilde{\mathit{\pi }}}^{\pm })}$.

4.3. H-Technique

Here, we describe the extended version of the H-technique. The basic or standard version, also called the Coefficients H technique, is a simple instantiation of the extended version (viewing the adjoined random variable as a degenerated or fixed constant).

Lemma 3

(Extended H-technique). Suppose that $\overline{\mathbf{F}}:=(\mathbf{F},\mathsf{S})$ and $\overline{\mathbf{G}}:=(\mathbf{G},{\mathsf{S}}^{\prime })$ are two $\mathcal{S}$-extended $(\mathcal{X},\mathcal{Y})$ response systems. Let Ω denote the set of all attainable transcripts, i.e., the support of ${\mathsf{Pr}}_{\overline{\mathbf{G}}}$. Suppose that there is a set ${\mathsf{\Omega }}_{\mathtt{bad}}\subseteq \mathsf{\Omega }$ such that for all $(x^q,y^q,s)\notin {\mathsf{\Omega }}_{\mathtt{bad}}$,

$$\begin{array}{cc}\hfill \frac{\mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q,\mathsf{S}=s]}{\mathsf{Pr}[\mathbf{G}\left(x^q\right)=y^q,{\mathsf{S}}^{\prime }=s]}& \ge (1-ϵ)\hfill \end{array}$$

for some $ϵ\ge 0$. Then, for any $(\mathcal{X},\mathcal{Y})$ adversary $\mathcal{A}$,

$$\begin{array}{cc}\hfill {\mathsf{\Delta }}_{\mathcal{A}}(\mathbf{F};\mathbf{G})\le \mathsf{\Delta }(\overline{\tau }\left({\mathcal{A}}^{\mathbf{F}}\right);\overline{\tau }\left({\mathcal{A}}^{\mathbf{G}}\right))& \le \mathsf{Pr}[(\tau \left({\mathcal{A}}^{\mathbf{G}}\right),{\mathsf{S}}^{\prime })\in {\mathsf{\Omega }}_{\mathtt{bad}}]+ϵ.\hfill \end{array}$$

(7)

A proof of the H-technique is presented, among others, in [36,38,44,45]. Here, we provide a short proof for the sake of completeness.

Proof. 

For any adversary $\mathcal{A}$, it is easy to see that ${\mathsf{\Delta }}_{\mathcal{A}}(\mathbf{F};\mathbf{G})\le \mathsf{\Delta }(\overline{\tau }\left({\mathcal{A}}^{\mathbf{F}}\right);\overline{\tau }\left({\mathcal{A}}^{\mathbf{G}}\right))$. This holds as the decision-making function is free to discard the additional information. Let ${\mathsf{Pr}}_0={\mathsf{Pr}}_{\overline{\mathbf{G}}}$ and ${\mathsf{Pr}}_1={\mathsf{Pr}}_{\overline{\mathbf{F}}}$. Then, ${\mathsf{\Omega }}_{>}$ is well-defined (see Definition 2). According to Lemma 2, we have

$$\begin{array}{cc}\hfill \mathsf{\Delta }(\overline{\tau }\left({\mathcal{A}}^{\mathbf{F}}\right);\overline{\tau }\left({\mathcal{A}}^{\mathbf{G}}\right))& =\sum _{\omega \in \mathsf{\Omega }}max\{0,{\mathsf{Pr}}_{\overline{\mathbf{G}}}\left(\omega \right)-{\mathsf{Pr}}_{\overline{\mathbf{F}}}\left(\omega \right)\}\hfill \\ \hfill & =\sum _{\omega \in {\mathsf{\Omega }}_{>}}{\mathsf{Pr}}_{\overline{\mathbf{G}}}\left(\omega \right)·\left(1-\frac{{\mathsf{Pr}}_{\overline{\mathbf{F}}}\left(\omega \right)}{{\mathsf{Pr}}_{\overline{\mathbf{G}}}\left(\omega \right)}\right)\hfill \\ \hfill & \le \sum _{\omega \in {\mathsf{\Omega }}_{>}\cap {\mathsf{\Omega }}_{\mathtt{bad}}}{\mathsf{Pr}}_{\overline{\mathbf{G}}}\left(\omega \right)+ϵ\sum _{\omega \in {\mathsf{\Omega }}_{>}\setminus {\mathsf{\Omega }}_{\mathtt{bad}}}{\mathsf{Pr}}_{\overline{\mathbf{G}}}\left(\omega \right)\hfill \\ \hfill & \le \mathsf{Pr}[(\tau \left({\mathcal{A}}^{\mathbf{G}}\right),{\mathsf{S}}^{\prime })\in {\mathsf{\Omega }}_{\mathtt{bad}}]+ϵ.\hfill \end{array}$$

□

4.4. Expectation Method

Hoang and Tessaro [82] introduced a somewhat generalized version of the H-technique, termed the expectation method. We describe it in a slightly different way in order to conform to our notation.

Lemma 4

(Expectation Method). Suppose that $\overline{\mathbf{F}}:=(\mathbf{F},\mathsf{S})$ and $\overline{\mathbf{G}}:=(\mathbf{G},{\mathsf{S}}^{\prime })$ are two $\mathcal{S}$-extended $(\mathcal{X},\mathcal{Y})$ response systems. Let Ω be the support of ${\mathsf{Pr}}_{\overline{\mathbf{G}}}$ and suppose that there is a set ${\mathsf{\Omega }}_{\mathtt{bad}}\subseteq \mathsf{\Omega }$, and a non-negative function $ϵ:{\mathcal{X}}^q\times {\mathcal{Y}}^q\times \mathcal{S}\to [0,\infty )$ such that $\forall \overline{\tau }=(x^q,y^q,s)\notin {\mathsf{\Omega }}_{\mathtt{bad}}$, we have

$$\frac{\mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q,\mathsf{S}=s]}{\mathsf{Pr}[\mathbf{G}\left(x^q\right)=y^q,{\mathsf{S}}^{\prime }=s]}\ge 1-ϵ\left(\overline{\tau }\right).$$

Then, for any $(\mathcal{X},\mathcal{Y})$ adversary $\mathcal{A}$,

$$\begin{array}{cc}\hfill {\mathsf{\Delta }}_{\mathcal{A}}(\mathbf{F};\mathbf{G})& \le \mathsf{Pr}[(\tau \left({\mathcal{A}}^{\mathbf{G}}\right),{\mathsf{S}}^{\prime })\in {\mathsf{\Omega }}_{\mathtt{bad}}]+\mathsf{Ex}\left[ϵ\left(\overline{\tau }\left({\mathbf{A}}^{\mathbf{G}}\right)\right)\right].\hfill \end{array}$$

(8)

One can set $ϵ\left(\overline{\tau }\right)=1$, for $\overline{\tau }\in {\mathsf{\Omega }}_{\mathtt{bad}}$ to avoid the separate calculation of the bad transcript probability. The extended H-technique is obtained using Equation (8), when $ϵ$ is a constant function. Based on CS’s view of the H-technique, the expectation method is like partitioning the set of transcripts into singletons. Thus, one could argue that the expectation method should achieve optimality. This is possible if one could identify a suitable definition of the $ϵ$ function and provide a tight estimation of the expectation value. Specifically, for $\overline{\tau }\in {\mathcal{X}}^q\times {\mathcal{Y}}^q\times \mathcal{S}$, we define $ϵ\left(\overline{\tau }\right)$ as

$$ϵ\left(\overline{\tau }\right)=\left\{\begin{array}{cc}1-\frac{{\mathsf{Pr}}_{\overline{\mathbf{F}}}(x^q,y^q,s)}{{\mathsf{Pr}}_{\overline{\mathbf{G}}}(x^q,y^q,s)}\hfill & \mathrm{when}{\mathsf{Pr}}_{\overline{\mathbf{G}}}(x^q,y^q,s)>{\mathsf{Pr}}_{\overline{\mathbf{F}}}(x^q,y^q,s),\hfill \\ 0\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

Now equality holds in Equation (8), if we apply the expectation method with ${\mathsf{\Omega }}_{\mathtt{bad}}=\varnothing$.

5. Hash-Based Constructions

Now we briefly describe the power of the (extended) H-technique by proving the security of some hash-based constructions. A hash function $\mathbf{H}:\mathcal{M}\stackrel{\ast }{\to }\mathcal{X}$ is called ϵ-universal if for all $m\ne m^{\prime }\in \mathcal{M}$, ${Pr}_{\mathsf{H}{\leftarrow }_{\$}\mathcal{H}}[\mathsf{H}\left(m\right)=\mathsf{H}\left(m^{\prime }\right)]=\le ϵ$.

5.1. Hash-Then-PRF

Construction. Let $\mathbf{H}:\mathcal{M}\stackrel{\ast }{\to }\mathcal{X}$ be an $ϵ$-universal hash and $\mathit{\rho }:\mathcal{X}\stackrel{\ast }{\to }\mathcal{Y}$ be a random function. The composition function $\mathit{\rho }\circ \mathbf{H}:\mathcal{M}\stackrel{\ast }{\to }\mathcal{Y}$ is known as the hash-then-PRF construction (see Figure 1). This construction has been studied in [102,103]. Many PRF constructions can be viewed as hash-then-PRF constructions. For example, EMAC [104], ECBC and FCBC [15], LightMAC [105], and the protected counter sum or PCS approach [43].

Lemma 5. 

Let hash-then-PRF be defined as above. Then, we have

$${\mathbf{Adv}}_{\mathit{\rho }\circ \mathbf{H}}^{\mathrm{prf}}\left(q\right)\le \left(\genfrac{}{}{0pt}{}{q}{2}\right)ϵ.$$

Proof. 

We recall that all adversaries considered in this paper are deterministic and make no redundant queries (in this case, all queries are distinct). The basic idea of the proof is that as long as there is no collision among the hash outputs, $\mathit{\rho }$ returns random values and hence the composition function behaves like a random function defined over a larger input space $\mathcal{M}$. We capture this to prove the lemma formally using the extended H-technique.

Extended Systems. We denote the composition system $\mathbf{F}=\mathit{\rho }\circ \mathbf{H}$. Let ${\mathit{\rho }}^{\prime }$ be a random function from the message space $\mathcal{M}$ to $\mathcal{Y}$. We denote the size of the set $\mathcal{Y}$ as N. Let $\mathcal{H}$ be the key space of the hash function. We define a $\mathcal{H}$-extended random system. In the ideal system ${\mathit{\rho }}^{\prime }$, we simply adjoin a hash key $\mathsf{H}{\leftarrow }_{\$}\mathcal{H}$ chosen independently of $\mathit{\rho }$. Let ${\overline{\mathit{\rho }}}^{\prime }=(\mathit{\rho },\mathsf{H})$ be the extended system. In the case of $\mathbf{F}$, we simply release the hash key ${\mathsf{H}}^{\prime }$. We denote the extended system $\overline{\mathbf{F}}=(\mathbf{F},\mathsf{H})$.

Bad Transcripts and Its Analysis. Let $\tau =(m^q,y^q,h)$ denote a transcript, where $m^q\in {\mathcal{M}}^{\left(q\right)}$, $y^q\in {\mathcal{Y}}^q$, and $h\in \mathcal{H}$. We define $x^q=h\left(m^q\right):=\mathbf{H}(h,m^q)$ (i.e., h is the key of $\mathbf{H}$). As mentioned above, we say that a transcript is bad if

• there exist distinct $i,j\in \left[q\right]$, such that $x_i=x_j$.

We bound the probability of this event by $\left(\genfrac{}{}{0pt}{}{q}{2}\right)ϵ$, as the hash function is $ϵ$-universal and there are, at most, $\left(\genfrac{}{}{0pt}{}{q}{2}\right)$$(i,j)$ pairs. All other transcripts are considered to be good.

Good Transcript Analysis. Fix a good transcript $\tau =(m^q,y^q,h)$. In the ideal world, we have

$$\mathsf{Pr}[{\mathit{\rho }}^{\prime }\left(m^q\right)=y^q,{\mathsf{H}}^{\prime }=h]=\frac{1}{\left|\mathcal{H}\right|}\times \frac{1}{N^q}.$$

In the real world, we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathbf{F}\left(m^q\right)=y^q,\mathbf{H}=h]& =\frac{1}{\left|\mathcal{H}\right|}\times \mathsf{Pr}[\mathbf{F}\left(m^q\right)=y^q|\mathbf{H}=h]\hfill \\ \hfill & =\frac{1}{\left|\mathcal{H}\right|}\times \mathsf{Pr}[\mathit{\rho }\left(x^q\right)=y^q]\hfill \\ \hfill & =\frac{1}{\left|\mathcal{H}\right|}\times \frac{1}{N^q}\hfill \\ \hfill & =\mathsf{Pr}[{\mathit{\rho }}^{\prime }\left(m^q\right)=y^q,\mathsf{H}=h].\hfill \end{array}$$

The result follows, using the extended H-technique.□

5.2. Hash-Then-TBC

Construction. Let $\mathbf{H}:=({\mathbf{H}}_1,{\mathbf{H}}_2):\mathcal{M}\stackrel{\ast }{\to }\mathcal{T}\times \mathcal{X}$ be an $ϵ$-universal hash such that ${\mathbf{H}}_1$ is an ${ϵ}_1$-universal hash. Let $\tilde{\mathit{\pi }}$ be a tweakable random permutation on $\mathcal{X}$ with a tweak space $\mathcal{T}$. We define the composition function $\mathbf{F}=\tilde{\mathit{\pi }}\circ \mathbf{H}$ as hash-then-TBC (see Figure 2).

A special instantiation (in which ${\mathbf{H}}_1$ and ${\mathbf{H}}_2$ are assumed to be independent) of the above construction is first considered in [63]. Subsequently, the analysis of the above construction was been performed [66]. In the same paper, the composition was used to define an MAC, called ZMAC+. Note that a tweakable random permutation is a PRF with a maximum advantage about $q^2/2N$, where N is the size of the set $\mathcal{X}$ (this is similar to the well known result of PRP-PRF switching lemma [3]). Thus, one can apply the previous result for this construction. However, the construction can be shown to have a better PRF advantage. Let us denote the size of $\mathcal{T}$ and $\mathcal{X}$ by T and N, respectively. Let $\mathit{\rho }$ be an ideal candidate, i.e., a random function from $\mathcal{M}$ to $\mathcal{X}$.

In the previous construction we avoided the collision among hash outputs since the hash outputs were fed into a random function. In this case, the hash output is fed into a tweakable random permutation (as an input as well as a tweak). Hence, we need to avoid simultaneous collisions ofthe tweak and output, as well as the tweak and input of $\tilde{\mathit{\pi }}$. The following lemma was proved in [66] using the H-technique. We first tackle this problem without extending the random system which would require slightly more effort and then show how the extended H-technique, as well as the expectation method, can help to bound the advantage very easily.

Lemma 6. 

Let Hash-then-TBC be defined as above. Then we have

$${\mathbf{Adv}}_{\tilde{\mathit{\pi }}\circ \mathbf{H}}^{\mathrm{prf}}\left(q\right)\le \left(\genfrac{}{}{0pt}{}{q}{2}\right)ϵ+\left(\genfrac{}{}{0pt}{}{q}{2}\right)\frac{{ϵ}_1}{N}.$$

5.2.1. A. Proof without Releasing the Internal Values

Let $\tau =(m^q,y^q)$ be the transcript at hand. Let $C:=C\left(y^q\right)$ be the number of colliding pairs in the output tuple $y^q$. More formally,

$$C=\left|\right\{(i,j):i<j,y_i=y_j\left\}\right|.$$

When ${\mathsf{Y}}_1,\dots ,{\mathsf{Y}}_q{\leftarrow }_{\$}{\mathcal{X}}^q$, we write the random variable $C\left({\mathsf{Y}}^q\right)$ as $\mathsf{C}$.

Good Hash Key. Let $\mathcal{H}$ be the key space of the hash function. We define a subset ${\mathcal{H}}_{\mathsf{good}}\subseteq \mathcal{H}$ as the set of all $h\in \mathcal{H}$ so that there is

• no collision among $(t_1,x_1),\dots ,(t_q,x_q)$ and
• no collision among $(t_1,y_1),\dots ,(t_q,y_q)$.

where $h\left(m^q\right)=(t^q,x^q)$.

Clearly, for a good hash key h, $(t^q,x^q,y^q)$ is tweakable-permutation-compatible and $\mathsf{Pr}[\tilde{\mathit{\pi }}(t^q,x^q)=y^q]\ge N^{-q}$. In the following, for any h, we denote $h\left(m^q\right)=(t^q,x^q)$.

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathbf{F}\left(m^q\right)=y^q]& \ge \sum _{h\in {\mathcal{H}}_{\mathsf{good}}}\mathsf{Pr}[\mathsf{H}=h,\tilde{\mathit{\pi }}\left(\mathsf{H}\left(m^q\right)\right)=y^q]\hfill \\ \hfill & =\sum _{h\in {\mathcal{H}}_{\mathsf{good}}}\mathsf{Pr}[\mathsf{H}=h,\tilde{\mathit{\pi }}(t^q,x^q)=y^q]\hfill \\ \hfill & =\sum _{h\in {\mathcal{H}}_{\mathsf{good}}}\mathsf{Pr}[\mathsf{H}=h]\times \mathsf{Pr}[\tilde{\mathit{\pi }}(t^q,x^q)=y^q]\hfill \\ \hfill & \ge \sum _{h\in {\mathcal{H}}_{\mathsf{good}}}\mathsf{Pr}[\mathsf{H}=h]\times N^{-q}\hfill \\ \hfill & =\left(1-\mathsf{Pr}[\mathsf{H}\notin {\mathcal{H}}_{\mathsf{good}}]\right)\times N^{-q}\hfill \\ \hfill & \ge \left(1-\left(\genfrac{}{}{0pt}{}{q}{2}\right)·ϵ-C·{ϵ}_1\right)\times N^{-q}\hfill \end{array}$$

(9)

The last inequality follows from the union bound. A bad hash key can arise due to either collision of tweak-input pairs (which happens with a probability of, at most, $\left(\genfrac{}{}{0pt}{}{q}{2}\right)·ϵ$) or collision of tweak-output pairs. As there are C pairs at which $y_i$ values collide, we must have collisions of tweak values among these C pairs. Hence, the probability of a tweak–output collision occurring is at most $C·{ϵ}_1$. This justifies the last inequality. Now, the ratio

$$\frac{\mathsf{Pr}[\mathbf{F}\left(M^q\right)=y^q]}{\mathsf{Pr}[{\mathit{\rho }}^{\prime }\left(M^q\right)=y^q]}\ge 1-\left(\genfrac{}{}{0pt}{}{q}{2}\right)·ϵ-C·{ϵ}_1.$$

To obtain a bound, it is necessary to obtain a good upper bound for $C\left(y^q\right)$ for all $y^q$. At this point, we have two options to bound the value of $C\left(y^q\right)$.

(1) Standard H-Technique:

In this case we can use Markov’s inequality to bound $\mathsf{C}=C\left({\mathsf{Y}}^q\right)$ to a moderate value, where ${\mathsf{Y}}^q$ is a q-tuple independent uniform random variable (responses of $\mathit{\rho }$). We can write $\mathsf{C}={\sum }_{i<j}{\mathsf{I}}_{i,j}$ where ${\mathsf{I}}_{i,j}$ is the binary random variable which takes value the value of 1 if ${\mathsf{Y}}_i\ne {\mathsf{Y}}_j$. So,

$$\mathsf{Ex}\left(\mathsf{C}\right)=\frac{q(q-1)}{2N}.$$

Bad Transcripts and Their Analysis. Let $\alpha$ be a threshold parameter (which is determined below). We call a transcript $(m^q,y^q)$ bad if the number of collision pairs of $y_i$ values is greater than $\alpha$. Using Markov’s inequality, we obtain

$$\mathsf{Pr}[\tau \left({\mathcal{A}}^{\mathit{\rho }}\right)\in {\mathsf{\Omega }}_{\mathtt{bad}}]=\mathsf{Pr}[\mathsf{C}\ge \alpha ]\le \mathbb{E}\left[\mathsf{C}\right]/\alpha =\left(\genfrac{}{}{0pt}{}{q}{2}\right)·\frac{1}{\alpha N}$$

(10)

for any adversary $\mathcal{A}$.

Analysis of Good Transcripts. Now, fix any good transcript $\tau =(m^q,y^q)$. Using $\alpha$ as an upper bound for $C\left(y^q\right)$ in Equation (9), we get

$$\frac{\mathsf{Pr}[\mathbf{F}\left(M^q\right)=y^q]}{\mathsf{Pr}[{\mathit{\rho }}^{\prime }\left(M^q\right)=y^q]}\ge 1-\left(\genfrac{}{}{0pt}{}{q}{2}\right)·ϵ-\alpha ·{ϵ}_1.$$

Finally, using the bad transcript probability of Equation (10) and the standard H-technique, we obtain

$${\mathbf{Adv}}_{\tilde{\mathit{\pi }}\circ \mathbf{H}}^{\mathrm{prf}}\le \left(\genfrac{}{}{0pt}{}{q}{2}\right)·\frac{1}{\alpha N}+\left(\genfrac{}{}{0pt}{}{q}{2}\right)·ϵ+\alpha ·{ϵ}_1.$$

(11)

By equating the two terms $\left(\genfrac{}{}{0pt}{}{q}{2}\right)·\frac{1}{\alpha N}$ and $\alpha ·{ϵ}_1$, we set $\alpha =\frac{q}{\sqrt{N{ϵ}_1}}$. With this choice of $\alpha$, the PRF advantage is bounded as

$${\mathbf{Adv}}_{\tilde{\mathit{\pi }}\circ \mathbf{H}}^{\mathrm{prf}}\le \left(\genfrac{}{}{0pt}{}{q}{2}\right)·ϵ+2q\sqrt{{ϵ}_1/N}.\square$$

(2) Expectation Method:

For small messages, there are universal hash functionswith $ϵ\approx 1/NT$ and ${ϵ}_1\approx 1/T$. In this case, the standard H-technique bounds the prf advantage to $O(q^2/NT)+O(q/\sqrt{NT})$. Clearly, the dominating term is $O(q/\sqrt{NT})$. Instead of a crude estimation of $\mathsf{C}$, if we apply the expectation method (which needs to work with the expected value of $\mathsf{C}$ instead of an upper bound), we can get rid of the dominating term $O(q/\sqrt{NT})$.

We define $ϵ:{\mathcal{M}}^q\times {\mathcal{X}}^q\to [0,\infty )$ via the mapping

$$ϵ\left(\tau \right)=\left(\genfrac{}{}{0pt}{}{q}{2}\right)ϵ+\mathsf{C}·{ϵ}_1.$$

Clearly $ϵ$ is non-negative and the ratio of real to ideal interpolation probabilities is at least $1-ϵ\left(\tau \right)$ (using Equation (9)). Thus, we can use Lemma 4 to get

$${\mathbf{Adv}}_{\tilde{\mathit{\pi }}\circ \mathbf{H}}^{\mathrm{prf}}\left(q\right)\le \mathsf{Ex}\left[ϵ\left(\tau \right)\right]=\left(\genfrac{}{}{0pt}{}{q}{2}\right)ϵ+\left(\genfrac{}{}{0pt}{}{q}{2}\right)\frac{{ϵ}_1}{N}.$$

(12)

5.2.2. B. Proof by Releasing the Internal Values

Now we show that the extended H-technique can also help to provide a bound for this construction very easily.

Extended Systems. Let $\mathcal{H}$ be the key space of the hash function. We define the $\mathcal{H}$-extended random system. In the ideal system $\mathit{\rho }$, we simply adjoin a hash key $\mathsf{H}{\leftarrow }_{\$}\mathcal{H}$ chosen independently of $\mathit{\rho }$. Let $\overline{\mathit{\rho }}=(\mathit{\rho },\mathsf{H})$ be the extended system. In case of a $\mathbf{F}$ value based on the hash key ${\mathsf{H}}^{\prime }$ and tweakable random permutation $\tilde{\mathit{\pi }}$, we release the hash key ${\mathsf{H}}^{\prime }$. We denote the extended system $\overline{\mathbf{F}}=(\mathbf{F},{\mathsf{H}}^{\prime })$.

Bad Transcripts and Their Analysis. Given any hash key h, we define $h\left(m^q\right)=(t^q,x^q)$. We can state that an extended transcript $(m^q,y^q,h)$ is bad if either

• there is a collision among $(t^q,x^q)$ or
• there is a collision among $(t^q,y^q)$.

In the extended ideal world, an adversary can realize a bad transcript with a probability of, at most, $\left(\genfrac{}{}{0pt}{}{q}{2}\right)·(ϵ+{ϵ}_1/N)$. The probability that there is a collision among $(t^q,x^q)$ is, at most, $\left(\genfrac{}{}{0pt}{}{q}{2}\right)·ϵ$. The probability that there is a collision among $(t^q,y^q)$ is, at most, $\left(\genfrac{}{}{0pt}{}{q}{2}\right)\frac{{ϵ}_1}{N}$ (a pair of y values will collide with a probability of $1/N$, whereas a pair of t values will collide with a probability of, at most, ${ϵ}_1$ and these events are independent).

Analysis of a Good Transcript. Now we fix a good transcript $\tau =(m^q,y^q,h)$. For the ideal system we have,

$$\mathsf{Pr}[\overline{\mathit{\rho }}\left(m^q\right)=(y^q,h)]=\frac{1}{\left|\mathcal{H}\right|}\times \frac{1}{N^q},$$

and for the real system we have,

$$\mathsf{Pr}[\overline{\mathbf{F}}\left(m^q\right)=(y^q,h)]=\mathsf{Pr}[\mathsf{H}=h]\times \mathsf{Pr}[\tilde{\mathit{\pi }}(t^q,x^q)=y^q]\ge \frac{1}{\left|\mathcal{H}\right|}\times \frac{1}{N^q}.$$

Note that we have applied Equation (4) for the real system, as the transcript is tweakable-permutation-consistent and it is non-redundant. Hence, the extended H-technique of Lemma 3 gives,

$${\mathbf{Adv}}_{\tilde{\mathit{\pi }}\circ \mathbf{H}}^{\mathrm{prf}}\left(q\right)\le \left(\genfrac{}{}{0pt}{}{q}{2}\right)·(ϵ+{ϵ}_1/N).$$

(13)

Remark 1. 

TheXTX[81] and HaT [63] constructions are quite similar to HtTBC [66]. Consequently, we obtain similar proofs for these constructions.

5.3. An Extension of Naor–Reingold

The basic version of ENR [78] is a $2n$-bit permutation based on an $(n,n)$-TBC and an n-bit AXU hash function, essentially adapting the Naor–Reingold [106] simplification of the four-round Feistel structure. Here, we describe a version which generalizes ENR (see Figure 3) based on $(t,n)$-TBC (for $t\le n$), as well as LDT [58], in which the hash function is not present (which can also be viewed as an identity function).

Construction. Let $\mathcal{M}={\mathbb{F}}_{2^t}\times {\mathbb{F}}_{2^n}$. Suppose that $\mathbf{H}:=({\mathbf{H}}_1,{\mathbf{H}}_2):\mathcal{M}\stackrel{\ast }{\to }{\mathbb{F}}_{2^t}\times {\mathbb{F}}_{2^n}$ is an invertible keyed function such that ${\mathbf{H}}_1$ is an $ϵ$-universal hash function. Suppose that ${\tilde{\mathit{\pi }}}_1$ and ${\tilde{\mathit{\pi }}}_2$ are two independently sampled tweakable random permutations on ${\mathbb{F}}_{2^n}$ with tweak space ${\mathbb{F}}_{2^t}$. We define ${\mathsf{NR}}^{\star }:{\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^t}\stackrel{\ast }{\to }{\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^t}$ as follows:

–

Input: $m\in \mathcal{M}$.

• $(v,u)=\mathbf{H}(h,m)$.
• $x\parallel y={\tilde{\mathit{\pi }}}_1(v,u)$, where $x\in {\mathbb{F}}_{2^t}$ and $y\in {\mathbb{F}}_{2^{n-t}}$.
• $z={\tilde{\mathit{\pi }}}_2(x,y\parallel v)$.
• $c={\mathbf{H}}^{-1}(h,x\parallel z)$.
• return $c:={\mathsf{NR}}^{\star }\left(m\right)$.

Let $\mathbf{F}$ be the response system corresponding to ${\mathsf{NR}}^{\star }$ and $\mathbf{\Pi }$ be the system corresponding to a random permutation over ${\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^t}$. It is easy to see that $\mathbf{F}$ is an invertible response system.

Lemma 7. 

$${\mathbf{Adv}}_{{\mathsf{NR}}^{\star }}^{\mathrm{sprp}}\left(q\right)\le \frac{\left(\genfrac{}{}{0pt}{}{q}{2}\right)}{2^n}\left(ϵ+\frac{1}{2^t}\right).$$

Proof. 

We apply extended H-technique and so we define the additional random variables released after the interaction.

Extended Systems. Suppose that $({\delta }^q,m^q,c^q)$ is the forward-only transcript (before we extend it). Now, we define the $(\mathcal{H}\times {\mathbb{F}}_{2^{n-t}}^q)$-extended random system. In the ideal system $\mathbf{\Pi }$, we simply adjoin a hash key $\mathsf{H}{\leftarrow }_{\$}\mathcal{H}$ and ${\mathsf{Y}}_1,\dots ,{\mathsf{Y}}_q{\leftarrow }_{\$}{\mathbb{F}}_{2^{n-t}}$, chosen independently of $\mathbf{\Pi }$. Let $\overline{{\mathbf{\Pi }}^{\pm }}=({\mathbf{\Pi }}^{\pm },\mathsf{H},{\mathsf{Y}}^q)$ be the extended ideal system.

In the case of ${\mathbf{F}}^{\pm }$, based on the hash key $\mathsf{H}$ and tweakable random permutation ${\tilde{\mathit{\pi }}}_1,{\tilde{\mathit{\pi }}}_2$, we release the hash key $\mathsf{H}$ and all q internal values ${\mathsf{Y}}_1,\dots ,{\mathsf{Y}}_q$, where ${\mathsf{Y}}_i$ is the value of y in step-2, while computing $\mathbf{F}\left(m_i\right)$. We denote the extended system $\overline{{\mathbf{F}}^{\pm }}=({\mathbf{F}}^{\pm },\mathsf{H},{\mathsf{Y}}^q)$.

Analysis of Bad Transcripts. Let $\tau =({\delta }^q,m^q,c^q,h,y^q)$ be a transcript. We define $h\left(m^q\right)=(v^q,u^q)$ and $h\left(c^q\right)=(x^q,z^q)$. We can say that an extended transcript $\tau$ is bad if there is a collision among $v_1\parallel x_1\parallel y_1,v_2\parallel x_2\parallel y_2,\dots ,v_q\parallel y_q\parallel x_q$ values. (Observe that the bad event is quite similar to the one arising in hash-then-TBC analysis. In fact, in most of the TBC-based constructions, the sole bad event is of this particular type (avoiding tweak-input and tweak-output collisions).)Now we calculate the probability that the extended transcript $\overline{\tau }\left({\mathcal{A}}^{{\mathbf{\Pi }}^{\pm }}\right)$ is bad for any adversary $\mathcal{A}$ making q queries. Let ${\left[q\right]}_e$ and ${\left[q\right]}_d$ denote the set of all forward- and backward-query indices. Let us denote the random variables corresponding to $m,c,x,y$, and v values in the ideal world as $\mathsf{M},\mathsf{C},\mathsf{X},\mathsf{Y}$, and $\mathsf{V}$, respectively.

Now, the bad event means that there is $i<j$ such that ${\mathsf{X}}_i={\mathsf{X}}_j,{\mathsf{Y}}_i={\mathsf{Y}}_j,{\mathsf{V}}_i={\mathsf{V}}_j$. We have $\mathsf{Pr}[{\mathsf{Y}}_i={\mathsf{Y}}_j]=2^{t-n}$. Moreover, ${\mathsf{Y}}_i$ values are chosen independently of $(\mathbf{\Pi },\mathsf{H})$ and are hence independent of the values of $\mathsf{X}$ and $\mathsf{V}$. Thus, it is sufficient to bound $\mathsf{Pr}[{\mathsf{X}}_i={\mathsf{X}}_j,{\mathsf{V}}_i={\mathsf{V}}_j]$ for some $i<j$.

Claim.

$$\mathsf{Pr}[{\mathsf{X}}_i={\mathsf{X}}_j,{\mathsf{V}}_i={\mathsf{V}}_j]\le \frac{ϵ}{2^t}.$$

We prove the claim when $j\in {\left[q\right]}_e$. A similar proof is applied for $j\in {\left[q\right]}_d$. As $j\in {\left[q\right]}_e$, ${\mathsf{V}}_j$ depends on ${\mathsf{C}}_j$ and the hash key $\mathsf{H}$ of $\mathbf{H}$. We first condition on all query responses ${\mathsf{M}}^{j-1}=m^{j-1},{\mathsf{C}}^{j-1}=c^{j-1}$ up to $j-1$ queries. Note that up to $j-1$ queries, the queries can be both encryption or decryption queries. Thus, ${\mathsf{M}}^{j-1},{\mathsf{C}}^{j-1}$ is simply the forward-only reordering of the query and responses. Once we condition on itand $j\in {\left[q\right]}_e$, the value of ${\mathsf{M}}_j$ is fixed (say, $m_j$) and ${\mathsf{C}}_j{\leftarrow }_{\$}\mathcal{M}\setminus \{c_1,\dots ,c_{j-1}\}$. Let us write the conditional event ${\mathsf{M}}^{j-1}=m^{j-1},{\mathsf{C}}^{j-1}=c^{j-1}$ as $\mathsf{E}$ and the set of all h for which ${\mathbf{H}}_1(h,m_i)={\mathbf{H}}_1(h,m_j)$ holds as ${\mathcal{H}}^{\prime }$. Thus,

$$\begin{array}{cc}\hfill \mathsf{Pr}[{\mathsf{X}}_i={\mathsf{X}}_j,{\mathsf{V}}_i={\mathsf{V}}_j|\mathsf{E}]& =\mathsf{Pr}[{\mathbf{H}}_1(\mathsf{H},m_i)={\mathbf{H}}_1(\mathsf{H},m_j),{\mathbf{H}}_1(\mathsf{H},c_i)={\mathbf{H}}_1(\mathsf{H},{\mathsf{C}}_j)|\mathsf{E}]\hfill \\ \hfill & =\sum _{h\in {\mathcal{H}}^{\prime }}\mathsf{Pr}[\mathsf{H}=h,{\mathbf{H}}_1(h,c_i)={\mathbf{H}}_1(h,{\mathsf{C}}_j)|\mathsf{E}]\hfill \\ \hfill & =\sum _{h\in {\mathcal{H}}^{\prime }}\mathsf{Pr}[\mathsf{H}=h]\times \mathsf{Pr}[{\mathbf{H}}_1(h,c_i)={\mathbf{H}}_1(h,{\mathsf{C}}_j)|\mathsf{E}]\hfill \\ \hfill & \le \sum _{h\in {\mathcal{H}}^{\prime }}\mathsf{Pr}[\mathsf{H}=h]\times \frac{1}{2^t}\hfill \end{array}$$

To justify the latter inequality, we first note that $\mathbf{H}(h,·)$ is an invertible function and so the conditional distribution of $\mathbf{H}(h,{\mathsf{C}}_j)$ is uniformly distributed over a set of size $2^{n+t}-(j-1)$. Hence, $\mathsf{Pr}[{\mathbf{H}}_1(h,c_i)={\mathbf{H}}_1(h,{\mathsf{C}}_j)|\mathsf{E}]\le \frac{2^n}{2^{n+t}-(j-1)}\le \frac{1}{2^t}$. To complete the proof of the claim we sum over all such events $\mathsf{E}$ (i.e., varying $m^{j-1}$ and $c^{j-1}$) after multiplying the probability of $\mathsf{E}$.

Therefore, for any $i<j$, $\mathsf{Pr}[{\mathsf{X}}_i={\mathsf{X}}_j,{\mathsf{V}}_i={\mathsf{V}}_j,{\mathsf{Y}}_i={\mathsf{Y}}_j]\le \frac{ϵ}{2^n}$. This proves that

$$\mathsf{Pr}\left[\overline{\tau }\left({\mathcal{A}}^{{\mathbf{\Pi }}^{\pm }}\right)isbad\right]\le \frac{q(q-1)ϵ}{2^{n+1}}.$$

(14)

Analysis of a Good Transcript. We fix a good transcript $\tau =({\delta }^q,m^q,c^q,h,y^q)$ and let $h\left(m^q\right)=(v^q,u^q)$ and $h\left(c^q\right)=(x^q,z^q)$. According to the definition of a good transcript, $(v^q,u^q,x^q\parallel y^q)$ and $(x^q,y^q\parallel v^q,z^q)$ are tweakable-permutation-compatible, which means they are also non-redundant. Thus,

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathbf{F}\left(m^q\right)=c^q,\mathsf{H}=h,{\mathsf{Y}}^{\prime q}=y^q]& =\mathsf{Pr}[{\tilde{\mathit{\pi }}}_1(v^q,u^q)=x^q\parallel y^q]\times \mathsf{Pr}[{\tilde{\mathit{\pi }}}_2(x^q,y^q\parallel v^q)=z^q]\times \mathsf{Pr}[\mathsf{H}=h]\hfill \\ \hfill & \ge \frac{1}{\left|\mathcal{H}\right|}\times \frac{1}{2^{2nq}}.\hfill \end{array}$$

On the other hand, realizing the transcript via the extended ideal system is expressed as

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathbf{\Pi }\left(m^q\right)=c^q,\mathsf{H}=h,{\mathsf{Y}}^q=y^q]& =\frac{1}{\left|\mathcal{H}\right|}\times \frac{1}{{\left(2^{n+t}\right)}_q}\times \frac{1}{2^{(n-t)q}}\hfill \\ \hfill & \le \frac{1}{\left|\mathcal{H}\right|}\times \frac{1}{2^{(n+t)q}·\left(1-\frac{q(q-1)}{2^{n+t+1}}\right)}\times \frac{1}{2^{(n-t)q}}.\hfill \end{array}$$

Thus, the ratio

$$\begin{array}{cc}\hfill \frac{\mathsf{Pr}[\mathbf{F}\left(m^q\right)=c^q,\mathsf{H}=h,{\mathsf{Y}}^{\prime q}=y^q]}{\mathsf{Pr}[\mathbf{\Pi }\left(m^q\right)=c^q,\mathsf{H}=h,{\mathsf{Y}}^q=y^q]}& \ge 1-\frac{\left(\genfrac{}{}{0pt}{}{q}{2}\right)}{2^{n+t}}.\hfill \end{array}$$

(15)

Combining Equations (14) and (15) with Lemma 3, we get

$${\mathbf{Adv}}_{{\mathsf{NR}}^{\star }}^{\mathrm{sprp}}\left(q\right)\le \frac{\left(\genfrac{}{}{0pt}{}{q}{2}\right)}{2^n}\left(ϵ+\frac{1}{2^t}\right).\square$$

Based on the security analysis of this generic design, we can obtain simple proofs for ENR [78,79] and LDT [58].

5.3.1. A Simple Proof for ENR

The basic version of ENR [78] can be viewed as a specific instantiation of NR*, where the hash function is defined as $(a,b)\mapsto (a,(a\odot \mathsf{K}\oplus b\left)\right)$ for $\mathsf{K}{\leftarrow }_{\$}{\mathbb{F}}_{2^n}$. Subsequently, Minematsu and Iwata presented a simpler definition for ENR for $t<n$, called SmallBlock [79] that merely redefines the hash to be ${(a,(a\odot \mathsf{K}\oplus b))}_{|t}$. Now, we have the following corollary.

Corollary 2. 

For$t\le n$we have

$${\mathbf{Adv}}_{\mathsf{ENR}}^{\mathrm{sprp}}\left(q\right)\le \frac{q^2}{2^{n+t}}.$$

5.3.2. A Simple Proof for LDT

The two-round LDT construction by Chen et al. [58] can also be viewed as a specific instantiation of NR*, where the hash function is defined to be the identity function. This immediately gives the following corollary on the SPRP advantage of LDT.

Corollary 3. 

$${\mathbf{Adv}}_{\mathsf{LDT}}^{\mathrm{sprp}}\left(q\right)\le \frac{q^2}{2^n}.$$

6. Feistel Structure-Based Schemes

A (keyed) bijective function $\mathsf{\Psi }$ based on an internal primitive $\mathsf{\psi }$ is said to be inverse-free if and only if the computation of ${\mathsf{\Psi }}^{-1}$ does not require the execution of ${\mathsf{\psi }}^{-1}$. The Feistel structure has this property.

6.1. Three-Round Luby–Rackoff

Construction. Suppose that $\mathsf{\psi }$ is a random function over ${\{0,1\}}^n$ and $\mathsf{\Psi }$ is a round function defined by the mapping

$$(a,b)\stackrel{\mathsf{\Psi }}{\mapsto }(b,a\oplus \mathsf{\psi }\left(b\right)).$$

Suppose that ${\mathsf{\Psi }}_i$ denotes the round function based on the random function ${\mathsf{\psi }}_i$. The well-known three-round Luby–Rackoff [2] scheme (see Figure 4), denoted LR3, is defined as ${\mathsf{\Psi }}_3\circ {\mathsf{\Psi }}_2\circ {\mathsf{\Psi }}_1$.

LR3 is a well-studied birthday-bound pseudorandom permutation. The original proof by Luby and Rackoff [2] is one of the foundational results in symmetric-key provable security. We now show how a fairly modern tool in symmetric-key provable security can simplify the security analysis as compared to the original proof. We note that a simpler proof based on the H-technique is already available through the work of Nachef, Patarin, and Volte [107]. Here, we provide the proof of LR3 in our language.

Lemma 8. 

For$t\le n$, we have

$${\mathbf{Adv}}_{\mathsf{3}\mathsf{LR}}^{\mathrm{prp}}\left(q\right)\le \frac{q^2}{2^n}+\frac{q^2}{2^{2n}}.$$

Proof. 

We apply the standard H-technique (i.e., no need to extend the system).

Analysis of Bad Transcripts. For input $(a,b)$ and output $(c,d)$, let the one-round and two-round outputs be $(x,b)$ and $(x,d)$. Let $\mathbf{F}$ be the response system corresponding to $\mathsf{LR}\mathsf{3}$ and $\mathbf{\Pi }$ be the system corresponding to a random permutation. The transcript random variable $\tau$ is defined as the tuple $({\mathsf{A}}^q,{\mathsf{B}}^q,{\mathsf{C}}^q,{\mathsf{D}}^q)$. We say that a transcript $(a^q,b^q,c^q,d^q)$ is bad if $d^q$ has a colliding pair, i.e., for two distinct queries i and j, $d_i=d_j$. Thus we have

$$\mathsf{Pr}\left[\tau \left({\mathcal{A}}^{\mathbf{\Pi }}\right)\mathrm{is}\mathrm{bad}\right]\le \frac{q(q-1)(2^n-1)}{2(2^{2n}-1)}\le \frac{q^2}{2^{n+1}}.$$

(16)

Analysis of Good Transcripts. Fix a good transcript $(a^q,b^q,c^q,d^q)$. We say that a function $f\in \mathsf{Func}$ is bad, denoted $f\in {\mathsf{Func}}_{\mathtt{bad}}$ if for some distinct $i,j\in \left[q\right]$,$f\left(b_i\right)\oplus a_i=f\left(b_j\right)\oplus a_j$; otherwise, we say it is good. Clearly for a uniform random f, the probability of f being bad is bounded to, at most, $q^2/2^{n+1}$. Let ${\mathsf{Func}}_{\mathsf{good}}=\mathsf{Func}\setminus {\mathsf{Func}}_{\mathtt{bad}}$. Thus we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathbf{F}(a^q,b^q)=(c^q,d^q)]& \ge \mathsf{Pr}[{\mathsf{\psi }}_1\in {\mathsf{Func}}_{\mathsf{good}}]\times \mathsf{Pr}[{\mathsf{\psi }}_2\left(x^q\right)=b^q\oplus d^q,{\mathsf{\psi }}_3\left(d^q\right)=x^q\oplus c^q|{\mathsf{\psi }}_1]\hfill \\ \hfill & \ge \left(1-\frac{q^2}{2^{n+1}}\right)\times \frac{1}{2^{2nq}}\hfill \\ \hfill & \ge \left(1-\frac{q^2}{2^{n+1}}-\frac{q^2}{2^{2n}}\right)\times \frac{1}{{\left(2^{2n}\right)}_q}\hfill \end{array}$$

As $\mathsf{Pr}[\mathbf{\Pi }(a^q,b^q)=(c^q,d^q)]=\frac{1}{{\left(2^{2n}\right)}_q}$, we have

$$\frac{\mathsf{Pr}[\mathbf{F}(a^q,b^q)=(c^q,d^q)]}{\mathsf{Pr}[\mathbf{\Pi }(a^q,b^q)=(c^q,d^q)]}\ge \left(1-\frac{q^2}{2^n}-\frac{q^2}{2^{2n}}\right).$$

(17)

The result follows from Equations (16) and (17) using the standard H-technique. □

Remark 2. 

Note that the above proof can be easily converted into a proof with an extended transcript. In particular, we release${\mathsf{X}}^q$values. In the case of an ideal oracle, it is computed as follows:${\mathsf{X}}_i={\mathsf{\psi }}_1\left(b_i\right)\oplus a_i$for all i. We add one more bad event, which is the presence of a collision among${\mathsf{X}}^q$values. The probability of this new bad event can be easily shown to be at most$q^2/2^{n+1}$. For a good transcript the ratio can be similarly shown to be at least$1-q^2/2^{2n}$and hence we obtain exactly the same bound for the PRP advantage.

One can have an SPRP proof for the four-round LR using the extended transcript. The proof is similar, with some bad events avoiding all possible collisions among inputs of${\mathsf{\psi }}_2$and${\mathsf{\psi }}_3$.

6.2. Three-Round TBC-Based Luby–Rackoff

In [95], Coron et al. presented an alternative to the three-round Luby–Rackoff method using a tweakable block cipher, called TLR3, and demonstrated $O(q/2^n)$-query security. In this case, $\mathsf{\psi }$ is a tweakable random permutation and the $\mathsf{\Psi }$ function is defined by the mapping $(a,b)\stackrel{\mathsf{\Psi }}{\mapsto }(b,\mathsf{\psi }(b,a))$. The original work by Coron et al. is mainly focused on the indifferentiability of TLR3 with respect to an ideal cipher. However, their result also implies $\mathsf{\Omega }\left(2^n\right)$-query SPRP security. We present a relatively simple proof for the SPRP security of TLR3.

Proposition 1. 

For$q<2^{n-1}$we have

$${\mathbf{Adv}}_{\mathsf{TLR}\mathsf{3}}^{\mathrm{sprp}}\left(q\right)\le \frac{q^2}{2^{2n-1}}.$$

Proof. 

We will use the extended H-technique to prove the claimed security.

Extended Systems. The variables arising in the following analysis are analogous to the ones given in Figure 5. Let $\mathbf{F}$ be the response system corresponding to $\mathsf{TLR}\mathsf{3}$ and $\mathbf{\Pi }$ be the system corresponding to a random permutation. The transcript $\tau$ is defined as the tuple $({\mathsf{A}}^q,{\mathsf{B}}^q,{\mathsf{C}}^q,{\mathsf{D}}^q)$. We define ${\mathbb{F}}_{2^n}^q$-extended response systems by adjoining the internal value ${\mathsf{X}}^q$. In the case of $\mathbf{F}$, this is well-defined according to the definition of TLR3.

In the ideal system $\mathbf{\Pi }$, we sample ${\mathsf{X}}^q$ as follows:

• for all $i\in {\left[q\right]}_e$,

  $${\mathsf{X}}_i{\leftarrow }_{\$}{\{0,1\}}^n\setminus \{x\in {\{0,1\}}^n:\exists j<i,{\mathsf{X}}_j=x\wedge {\mathsf{B}}_i={\mathsf{B}}_j\};$$
• for all $i\in {\left[q\right]}_d$,

  $${\mathsf{X}}_i{\leftarrow }_{\$}{\{0,1\}}^n\setminus \{x\in {\{0,1\}}^n:\exists j<i,{\mathsf{X}}_j=x\wedge {\mathsf{D}}_i={\mathsf{D}}_j\};$$

Bad Transcripts and Their Analysis. We say that an extended transcript $(a^q,b^q,x^q,c^q,d^q)$ is bad if and only if $(b^q,a^q,x^q)$, $(x^q,b^q,d^q)$ and $(d^q,x^q,c^q)$ are not tweakable-permutation-consistent. Due to the way in which we sample ${\mathsf{X}}^q$ in $\mathbf{\Pi }$, the necessary and sufficient condition for the inconsistency of $({\mathsf{B}}^q,{\mathsf{A}}^q,{\mathsf{X}}^q)$, $({\mathsf{X}}^q,{\mathsf{B}}^q,{\mathsf{D}}^q)$, and $({\mathsf{D}}^q,{\mathsf{X}}^q,{\mathsf{C}}^q)$ is: $i<j\in \left[q\right]$ and (1) $j\in {\left[q\right]}_e$ and $({\mathsf{X}}_j,{\mathsf{D}}_j)=({\mathsf{X}}_i,{\mathsf{D}}_i)$; or (2) $j\in {\left[q\right]}_d$ and $({\mathsf{B}}_j,{\mathsf{X}}_j)=({\mathsf{B}}_i,{\mathsf{X}}_i)$. Formally, we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[\overline{\tau }\left(\mathbf{\Pi }\right)\in {\mathcal{V}}_{\mathtt{bad}}]& =\sum _{i\in \left[q\right]}\left(\sum _{i<j\in {\left[q\right]}_e}\mathsf{Pr}[{\mathsf{X}}_i={\mathsf{X}}_j,{\mathsf{D}}_i={\mathsf{D}}_j]+\sum _{i<j\in {\left[q\right]}_d}\mathsf{Pr}[{\mathsf{B}}_i={\mathsf{B}}_j,{\mathsf{X}}_i={\mathsf{X}}_j]\right)\hfill \\ \hfill & \le \left(\genfrac{}{}{0pt}{}{q}{2}\right)\times \frac{2^n-1}{2^{2n}-j+1}\times \frac{1}{2^n-q}\hfill \\ \hfill & \le \frac{q(q-1)}{2^{n+1}(2^n-q)}.\hfill \end{array}$$

(18)

Analysis of Good Transcripts. For a good transcript $(a^q,b^q,x^q,c^q,d^q)$, we know that $(b^q,a^q,x^q)$, $(x^q,b^q,d^q)$, and $(d^q,x^q,c^q)$ are tweakable-permutation-consistent. Let ${\alpha }^u=\mathsf{mcoll}\left(b^q\right)$, ${\beta }^v=\mathsf{mcoll}\left(x^q\right)$, and ${\gamma }^w=\mathsf{mcoll}\left(d^q\right)$. Given a good transcript, for a real system we have

$$\begin{array}{cc}\hfill \mathsf{Pr}\left[\overline{\tau }\left(\mathbf{F}\right)\right]& =\mathsf{Pr}[{\mathsf{\psi }}_1(b^q,a^q)=x^q]\times \mathsf{Pr}[{\mathsf{\psi }}_2(x^q,b^q)=d^q]\times \mathsf{Pr}[{\mathsf{\psi }}_3(d^q,x^q)=c^q]\hfill \\ \hfill & =\frac{1}{{\prod }_{i=1}^u{\left(2^n\right)}_{{\alpha }_i}}\times \frac{1}{{\prod }_{j=1}^v{\left(2^n\right)}_{{\beta }_j}}\times \frac{1}{{\prod }_{k=1}^w{\left(2^n\right)}_{{\gamma }_k}}.\hfill \end{array}$$

For $i\in \left[q\right]$, let $r_i$ and $s_i$ denote the number of previous queries j and $j^{\prime }$ such that $b_i=b_j$ and $d_i=d_{j^{\prime }}$, respectively. Then, for the ideal system we have

$$\begin{array}{cc}\hfill \mathsf{Pr}\left[\overline{\tau }\left(\mathbf{\Pi }\right)\right]& =\frac{1}{{\left(2^{2n}\right)}_q}\times \frac{1}{{\prod }_{i^{\prime }\in {\left[q\right]}_e}(2^n-r_{i^{\prime }})}\times \frac{1}{{\prod }_{k^{\prime }\in {\left[q\right]}_d}(2^n-s_{k^{\prime }})}\hfill \\ \hfill & \le \frac{1}{\left(1-\frac{q^2}{2^{2n}}\right)\times 2^{2nq}}\times \frac{1}{{\prod }_{i^{\prime }\in {\left[q\right]}_e}(2^n-r_{i^{\prime }})}\times \frac{1}{{\prod }_{k^{\prime }\in {\left[q\right]}_d}(2^n-s_{k^{\prime }})}.\hfill \end{array}$$

Thus the ratio is

$$\begin{array}{cc}\hfill \frac{\mathsf{Pr}\left[\overline{\tau }\left(\mathbf{F}\right)\right]}{\mathsf{Pr}\left[\overline{\tau }\left(\mathbf{\Pi }\right)\right]}& \ge \left(1-\frac{q^2}{2^{2n}}\right)\times \frac{2^{2nq}\times {\prod }_{i^{\prime }\in {\left[q\right]}_e}(2^n-r_{i^{\prime }})\times {\prod }_{k^{\prime }\in {\left[q\right]}_d}(2^n-s_{k^{\prime }})}{{\prod }_{i=1}^u{\left(2^n\right)}_{{\alpha }_i}\times {\prod }_{j=1}^v{\left(2^n\right)}_{{\beta }_j}\times {\prod }_{k=1}^w{\left(2^n\right)}_{{\gamma }_k}}.\hfill \end{array}$$

(19)

In the above expression, we claim the following:

$$\begin{array}{cc}\hfill \prod _{i=1}^u{\left(2^n\right)}_{{\alpha }_i}& =\prod _{i^{\prime }\in {\left[q\right]}_e}(2^n-r_{i^{\prime }})\times \prod _{\widehat{i}\in {\left[q\right]}_d}(2^n-{\widehat{\gamma }}_{\widehat{i}}),\mathrm{and}\hfill \\ \hfill \prod _{k=1}^w{\left(2^n\right)}_{{\gamma }_k}& =\prod _{k^{\prime }\in {\left[q\right]}_d}(2^n-s_{k^{\prime }})\times \prod _{\widehat{k}\in {\left[q\right]}_e}(2^n-{\widehat{\gamma }}_{\widehat{k}}),\hfill \end{array}$$

where for all $\widehat{i}$ and $\widehat{k}$, ${\widehat{\gamma }}_{\widehat{i}},{\widehat{\gamma }}_{\widehat{k}}\ge 0$. We argue the first one and the second can be argued similarly. The set $\left[u\right]$ can be viewed as an indexing over the set of distinct tweak values. Now consider the first term on the right hand side (the one indexed by $i^{\prime }$). For all $i^{\prime }\in {\left[q\right]}_e$, we define $\varphi \left(i^{\prime }\right)\to (i,p)$ such that i is the index of the tweak of the $i^{\prime }$-th query, i.e., $i\le u$, and p is the number of previous queries with the same tweak, i.e., $p=r_{i^{\prime }}\le {\alpha }_i$. The mapping is well-defined. Furthermore, it is injective: for distinct $i_1^{\prime },i_2^{\prime }\in {\left[q\right]}_e$, either the tweaks are different, i.e., $i_1\ne i_2$, or if the tweaks are same, then $p_1=r_{i_1^{\prime }}\ne r_{i_2^{\prime }}=p_2$. Observe that $\varphi$ also maps each of the $(N-r_{i^{\prime }})$ terms on the right-hand side to a unique $(N-p)$ term (taken from ${\left(N\right)}_{{\alpha }_i}$ expansion) on the left, exhausting all the terms corresponding to encryption queries. Thus, we are left with only the terms corresponding to all the decryption queries. Using the relations presented above in Equation (19) we have

$$\begin{array}{cc}\hfill \frac{\mathsf{Pr}\left[\overline{\tau }\left(\mathbf{F}\right)\right]}{\mathsf{Pr}\left[\overline{\tau }\left(\mathbf{\Pi }\right)\right]}& \ge \left(1-\frac{q^2}{N^2}\right)\times \frac{N^{2q}}{{\prod }_{\widehat{i}\in {\left[q\right]}_d}(N-{\widehat{\gamma }}_{\widehat{i}})\times {\prod }_{j=1}^v{\left(N\right)}_{{\beta }_j}\times {\prod }_{\widehat{k}\in {\left[q\right]}_e}(N-{\widehat{\gamma }}_{\widehat{k}})}\hfill \\ \hfill & \ge \left(1-\frac{q^2}{N^2}\right)\hfill \end{array}$$

(20)

The result follows from the extended H-technique, using Equations (18) and (20). □

7. Strong Pseudo-Random Permutation Designs

More notations: For $\ell \ge 1$, $p\in {\mathcal{M}}^{\ell }$, $p\left[i\right]$ denotes the i-th coordinate of p, for all $i\in [\ell ]$. Extending the notation, $p[i..j]$ denotes the $\mathcal{M}$-substring $\left(p\right[i],p[i+1],\dots ,p[j\left]\right)$ of p, for $1\le i<j\le \ell$. Thus, we also write p, alternatively, as $p[1..\ell ]$. We denote the set of all n-bits as ${\mathcal{B}}_n$.

7.1. HCTR

HCTR is an encryption scheme developed by Wang, Feng and Fu [22], based on the hash-CTR-hash paradigm, which uses a sandwich consisting of the CTR mode in between two executions of an AXU hash function. The CTR mode can be replaced by a pseudorandom function (PRF), which takes n-bit inputs and returns an arbitrarily long bit-stream. The PRF-based HCTR construction was studied by Chakraborty et al. in [108], and this system does not require any inverse of the block cipher. For the sake of simplicity, we first describe a simple version of the HCTR construction.

Construction. Let L ($\ge n$) be a large integer, which is the size of the largest messages to be encrypted. Let $\mathcal{T}$ denote a tweak space. Suppose that $\mathbf{H}:\mathcal{T}\times {\{0,1\}}^{\le L-n}\to {\{0,1\}}^n$ is an $ϵ$-AXU hash function, $\mathit{\pi }$ is an n-bit random permutation and $\mathit{\rho }:{\mathcal{B}}_n\to {\{0,1\}}^{L-n}$ is a random function. Moreover, all these primitives are independently sampled. The PRF-based HCTR scheme (see Figure 6), denoted as HCTR^∗, is defined below, which takes $(t,p\parallel p^{\prime })$ as an input, and returns $c\parallel c^{\prime }$ as an output, where $p,c\in {\mathcal{B}}_n$, $t\in \mathcal{T}$ and $|p^{\prime }|=|c^{\prime }|\le L-n$. We call t the tweak, $p\parallel p^{\prime }$ the plaintext, and $c\parallel c^{\prime }$ the ciphertext.

–

Input: $t\in \mathcal{T}$, $p\parallel p^{\prime }$;Output: $c\parallel c^{\prime }$.

• $x:=p\oplus \mathsf{H}(t,p^{\prime })$.
• $y:=\mathit{\pi }\left(x\right)$.
• $z:=x\oplus y$.
• $c^{\prime }:={\lfloor \mathit{\rho }\left(z\right)\rfloor }_{|p^{\prime }|}\oplus p^{\prime }$.
• $c:=y\oplus \mathsf{H}(t,c^{\prime })$.

Note that the decryption algorithm is exactly same, except that we replace $\mathit{\pi }$ by ${\mathit{\pi }}^{-1}$ in line (b). When we substitute $\mathit{\rho }$ by ${\mathsf{CTR}}_{\mathit{\pi }}$, as in the standard encryption schemesusing IV-based counter mode [109], we obtain our original HCTR mode. The construction HCH [21] can be obtained by replacing $\mathit{\rho }$ by the construction ${\mathsf{CTR}}_{\mathit{\pi }}$, where IV is computed as the encryption of z by $\mathit{\pi }$. We note that the original security bound for HCTR was cubic (in the number of queries). To obtain a quadratic bound, HCH was proposed. However, subsequently, in [108] a quadratic bound for HCTR was proven using the game playing technique. For the sake of simplicity, we provide a very simple proof of the HCTR* construction. The original HCTR scheme and all of its variants can be proven similarly.

Lemma 9. 

$${\mathbf{Adv}}_{\mathsf{HCTR}\ast }^{\mathrm{sprp}}(q,\sigma )\le q^2·(ϵ+2^{-n}).$$

Proof. 

(The basic idea of the proof is quite simple. We have to bound two types of collisions, namely, the input and output collisions on the underlying random permutation and the input collision of the random function. Most of these collisions can be bounded using the AXU property of $\mathsf{H}$.)

Extended System. Let $\mathbf{F}$ be the response system corresponding to the real system $\mathsf{HCTRf}$ and $\mathbf{\Pi }$ be the system corresponding to a length-preserving tweakable random permutation over the set of all bit strings of at least $n+1$ in size. The transcript random variable $\tau$ is defined as the tuple $({\mathsf{T}}^q,{\mathsf{P}}^q,{\mathsf{C}}^q)$, where for all $i\in \left[q\right]$, ${\mathsf{P}}_i$ and ${\mathsf{C}}_i$ are of length ${\ell }_i$ and ${\sum }_{i\in \left[q\right]}{\ell }_i=\sigma$. We define the $\mathcal{H}$-extended random system. In the real world, we simply release the hash key $\mathsf{H}$ after all q queries are made. Let ${\overline{\mathbf{F}}}^{\pm }=({\mathbf{F}}^{\pm },\mathsf{H})$ be the extended real system. In the ideal system, we adjoin a dummy hash key $\mathsf{H}{\leftarrow }_{\$}\mathcal{H}$, chosen independently of $\mathbf{\Pi }$. Let ${\overline{\mathbf{\Pi }}}^{\pm }=({\mathbf{\Pi }}^{\pm },\mathsf{H})$ be the extended ideal system. We define the internal variables ${\mathsf{X}}_i:=\mathsf{H}({\mathsf{T}}_i,{\mathsf{P}}_i)$, and ${\mathsf{Y}}_i:=\mathsf{H}({\mathsf{T}}_i,{\mathsf{C}}_i)$, and ${\mathsf{Z}}_i:={\mathsf{X}}_i\oplus {\mathsf{Y}}_i$.

Analysis of Bad Transcripts. We say that a transcript is bad if one of the following conditions is met:

• $\mathtt{xcoll}:\exists i\ne j\in \left[q\right]$, such that ${\mathsf{X}}_i={\mathsf{X}}_j$.
• $\mathtt{ycoll}:\exists i\ne j\in \left[q\right]$, such that ${\mathsf{Y}}_i={\mathsf{Y}}_j$.
• $\mathtt{zcoll}:\exists i\ne j\in \left[q\right]$, such that ${\mathsf{Z}}_i={\mathsf{Z}}_j$.

Bound on $Pr\left[\mathtt{xcoll}\right]$: Note that $\mathsf{H}$ is sampled independently of the inputs $({\mathsf{T}}_i,{\mathsf{P}}_i)$. So, for any $i\ne j$, $Pr({\mathsf{X}}_i={\mathsf{X}}_j)\le ϵ$ as $\mathsf{H}$ is the $ϵ$-AXU hash function. A similar bound works for ${\mathsf{Y}}_i={\mathsf{Y}}_j$.

Bound on $Pr\left[\mathtt{ycoll}\right]$: Exactly the same bound works for ${\mathsf{Y}}_i={\mathsf{Y}}_j$.

Bound on $Pr\left[\mathtt{zcoll}\right]$: Fix any $i<j$ and let us assume that the jth query is the encryption query (a similar argument would work for the decryption query). Now, ${\mathsf{Z}}_i={\mathsf{Z}}_j$ means that

$${\mathsf{C}}_j^{\prime }={\mathsf{Z}}_i\oplus {\mathsf{P}}_j^{\prime }\oplus (\mathsf{H}({\mathsf{T}}_j,{\mathsf{P}}_j)\oplus \mathsf{H}({\mathsf{T}}_j,{\mathsf{C}}_j)).$$

Note that ${\mathsf{C}}_j^{\prime }$ is uniform and independent of all random variables present on the right-hand side of the above equation. Hence, the probability of the above event is $2^{-n}$.

By summing over all pairs $(i,j)$ with $i<j$, the probability that the ideal-world extended transcript is bad is, at most, $q^2·(ϵ+2^{-n-1})$.

Analysis of Good Transcripts. Fix a good transcript $(t^q,p^q,c^q,h)$. Let $q(\ell ,t)$ denote the number of queries of length ℓ for all $\ell \in \left[L\right]$ with the tweak t. By definition, ${\sum }_{\ell ,t}q(\ell ,t)=\sigma$. Since for a good transcript there are no input/output collisions for $\mathit{\pi }$. So we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathbf{F}(t^q,p^q)=c^q,\mathsf{H}=h]& =\frac{1}{\left|\mathcal{H}\right|}\times \frac{1}{{\left(2^n\right)}_q}\times \frac{1}{2^{\sigma -nq}}\hfill \\ \hfill & \ge \frac{1}{\left|\mathcal{H}\right|}\times (1-\frac{q^2}{2^{n+1}})\times \frac{1}{2^{\sigma }}\hfill \\ \hfill & \ge (1-\frac{q^2}{2^{n+1}})\times \frac{1}{\left|\mathcal{H}\right|}\times \prod _{\ell ,t}\frac{1}{{\left(2^{\ell }\right)}_{q(\ell ,t)}}\hfill \\ \hfill & \ge (1-\frac{q^2}{2^{n+1}})\times Pr[\mathbf{\Pi }(t^q,p^q)=c^q,\mathsf{H}=h]\hfill \end{array}$$

The result follows from the extended H-technique. □

Now let us consider the original HCTR scheme, in which $c^{\prime }=m^{\prime }\oplus {\lfloor S\rfloor }_{|m^{\prime }|}$, where $S=$$\mathit{\pi }(z\oplus 1)\parallel$⋯$\parallel \mathit{\pi }(z\oplus (\ell -1\left)\right)$. Let us assume that ith queries have size $n{\ell }_i$, ${\ell }_i\le \ell$. We need to consider a revised definition of a zcoll bad event. We say that zcoll holds if one of the following holds:

• ${\mathsf{Z}}_i\oplus j={\mathsf{Z}}_{i^{\prime }}\oplus j^{\prime }$ or $m_i^{\prime }\left[j\right]\oplus c_i^{\prime }\left[j\right]=m_{i^{\prime }}^{\prime }\left[j^{\prime }\right]\oplus c_{i^{\prime }}^{\prime }\left[j^{\prime }\right]$ for some $(i,j)\ne (i^{\prime },j^{\prime })$, $j<{\ell }_i$, $j^{\prime }<{\ell }_{i^{\prime }}$,
• ${\mathsf{Z}}_i\oplus j={\mathsf{X}}_k$ or $m_i\left[j\right]\oplus c_i\left[j\right]={\mathsf{Y}}_k$, $j<{\ell }_i$, $k\in \left[q\right]$.

Using the previous analysis, one can easily verify that the probability of this modified $\mathtt{zcoll}$ is at most $({\sigma }^2+\sigma q)(2ϵ+2^{-n-3})$ (as there are, at most, ${\sigma }^2$ choices for $(i,j)$ and $(i^{\prime },j^{\prime })$, and at most $\sigma q$ choices for $(i,j)$ and k).

7.2. TET

Construction.TET (a later, simplified version was renamed HEH in [24]) is an encryption scheme developed by Halevi [20], based on the hash-encrypt-hash paradigm [20,24,25], which uses a sandwich consisting of the ECB mode in between two blockwise universal and invertible length-preserving hash functions. In this paper, we formally describe and analyze the hash-encrypt-hash paradigm defined over multiple messages of n-bits.

A family of hash functions $\mathsf{H}:{\mathcal{B}}_n^{\le L}\stackrel{\ast }{\to }{\mathcal{B}}_n^{\le L}$ is called an $({ϵ}_1,{ϵ}_2)$-blockwise universal if it is length-preserving. For all $l\le L$, for all $m\in {\mathcal{B}}_n^l$, $\mathsf{H}\left(m\right)\in {\mathcal{B}}_n^l$. and for all $\ell ,{\ell }^{\prime }\in \left[L\right]$, $m\in {\mathcal{B}}_n^{\ell }$, $m^{\prime }\in {\mathcal{B}}_n^{{\ell }^{\prime }}$, $i\in [\ell ]$, and $i^{\prime }\in \left[{\ell }^{\prime }\right]$ with $(m,i)\ne (m^{\prime },i^{\prime })$,

$${Pr}_{\mathsf{H}{\leftarrow }_{\$}\mathcal{H}}[\mathsf{H}\left(m\right)\left[i\right]=\mathsf{H}\left(m^{\prime }\right)\left[i^{\prime }\right]]\le \left\{\begin{array}{cc}{ϵ}_1\hfill & \mathrm{if}i=i^{\prime },\hfill \\ {ϵ}_2\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

Suppose that $\mathsf{H}$ is an $({ϵ}_1,{ϵ}_2)$-blockwise universal and invertible hash function over ${\mathcal{B}}_n^{\le L}$. Suppose that $\mathit{\pi }$ is an n-bit random permutation independent of the hash. Then, the composition ${\mathsf{H}}^{-1}\circ {\mathsf{ECB}}_{\mathit{\pi }}\circ \mathsf{H}$ is called the TET construction (see Figure 7), which is defined over ${\mathcal{B}}_n^{\le L}$. A trick such as HCTR or the DE (the domain expander reported by Nandi in [110]) can help to process arbitrary bit strings.

Lemma 10. 

$${\mathbf{Adv}}_{\mathsf{TET}}^{\mathrm{sprp}}(q,L,\sigma )\le q^{2}L{ϵ}_1+{\sigma }^2{ϵ}_2.$$

Proof. 

We will again use the same idea of avoiding collisions among the input/output of the internal random permutation $\mathit{\pi }$. Let $\mathbf{F}$ be the response system corresponding to $\mathsf{TET}$ and $\mathbf{\Pi }$ be the system corresponding to a random permutation. The transcript $\tau$ is defined as the tuple $({\mathsf{P}}^q,{\mathsf{C}}^q)$, where for all $i\in q$, ${\mathsf{P}}_i$ and ${\mathsf{C}}_i$ are of length ${\ell }_i$ and ${\sum }_{i\in \left[q\right]}{\ell }_i=\sigma$.

Analysis of Good Transcripts. This proof will be similar to that of hash-then-PRF. For any transcript $(p^q,c^q)$, we have

$$\begin{array}{cc}\hfill Pr[\mathbf{F}\left(p^q\right)=c^q]& \ge \sum _{x^q,y^q\in {\mathcal{B}}_n^{\left(\sigma \right)}}Pr[\mathsf{H}\left(p^q\right)=x^q,\mathit{\pi }\left(x^q\right)=y^q,{\mathsf{H}}^{-1}\left(y^q\right)=c^q]\hfill \\ \hfill & =\sum _{x^q,y^q\in {\mathcal{B}}_n^{\left(\sigma \right)}}Pr[\mathsf{H}\left(p^q\right)=x^q,\mathsf{H}\left(c^q\right)=y^q]\times Pr[\mathit{\pi }\left(x^q\right)=y^q]\hfill \\ \hfill & =Pr[\mathsf{H}\left(p^q\right)\in {\mathcal{B}}_n^{\left(\sigma \right)},\mathsf{H}\left(c^q\right)\in {\mathcal{B}}_n^{\left(\sigma \right)}]\times \frac{1}{{\left(N\right)}_{\sigma }}\hfill \\ \hfill & \ge \left(1-q^{2}L{ϵ}_1-{\sigma }^2{ϵ}_2\right)\times Pr[\mathbf{\Pi }\left(p^q\right)=c^q]\hfill \end{array}$$

(21)

The latter inequality follows from the definition of the blockwise universal hash function and from the observation $Pr[\mathbf{\Pi }\left(p^q\right)=c^q]\le \frac{1}{{\left(N\right)}_{\sigma }}$. The result follows from substituting Equation (21) in the standard H-technique. □

Remark 3. 

We note that the bound in Lemma 10 is obtained for a slightly generalized definition of blockwise universality. Specifically, we consider two different bounds, one for collisions at the same position, and another for collisions at two different positions. This slight generalization gives a better security bound for certain hash functions that have better bounds for collisions at two different positions. For example, consider the following example from the work of Sarkar [24].

We view${\mathcal{B}}_n$as the finite field$\mathrm{GF}\left(2^n\right)$and fix α to be a primitive element of${\mathcal{B}}_n$. Let$K_1$and$K_2$be two independent and random elements of${\mathcal{B}}_n$. Define$e_{\ell }=(\alpha K_1,{\alpha }^2{K}_1,\dots ,{\alpha }^{\ell -1}{K}_1,K_1)$, for all$\ell \in \left[L\right]$. We define the map$H_{K_1,K_2}:{\mathcal{B}}_n^{\le L}\to {\mathcal{B}}_n^{\le L}$in the following manner:

$$H_{K_1,K_2}(x\left[1\right],\dots ,x[\ell ])=(x\left[1\right]\oplus y,\dots ,x[\ell -1]\oplus y,y)\oplus e_{\ell },$$

where$y={\sum }_{i=1}^{\ell }x\left[i\right]K_2^{\ell -i}$. Sarkar proved that H is an$(L{2}^{-n},2^{-n})$-blockwise universal hash function ([24], Theorem 1). Using this bound in combination with Lemma 10 gives a bound of the form${\sigma }^2{2}^{-n}+q^2{L}^2{2}^{-n}$, which results in a birthday bound in terms of L.

8. Beyond-Birthday-Bound Secure Schemes

In this section, we revisit some beyond-birthday-bound secure schemes. All these schemes are inherently based on one of the most celebrated problems in symmetric-key cryptography, called the sum of permutations problem [59,96,97,99].

8.1. Pseudorandom Functions

There are many beyond-birthday-bound PRF constructions from PRP [61,96]. The sum of permutations [96,97,98] is one such construction, which constructs a PRF based on two independently keyed random permutations.

We first state and prove a simple proposition that lower-bounds the probability distribution of the sum of permutations conditioned on the event that the underlying random permutations are already sampled on some fixed number of points. We remark that a similar result is already available in ([64], Theorem 2), albeit for the single-permutation setting. Their analysis similarly can be extended for the two-permutation setting. For the sake of completeness, we provide the proof of this variant.

Proposition 2. 

Let$s_1,s_2,q\ge 0$and$s_1+s_2+2q\le 2^{n-1}$. Let${\mathit{\pi }}_1$and${\mathit{\pi }}_2$be two independent and uniform random permutations over${\{0,1\}}^n$. For all$a^{s_1},b^{s_1}\in {\mathcal{B}}_n^{\left(s_1\right)}$,$c^{s_2},d^{s_2}\in {\mathcal{B}}_n^{\left(s_2\right)}$,$x^q\in {\left({\mathcal{B}}_n\setminus \left\{a^{s_1}\right\}\right)}^{\left(q\right)}$,$y^q\in {\left({\mathcal{B}}_n\setminus \left\{b^{s_2}\right\}\right)}^{\left(q\right)}$, and$z^q\in {\mathcal{B}}_n^q$, we have

$$\mathsf{Pr}[{\mathit{\pi }}_1\left(x^q\right)\oplus {\mathit{\pi }}_2\left(y^q\right)=z^q|\mathtt{F}]\ge \left(1-\frac{2s_1{s}_{2}q}{2^{2n}}-\frac{(s_1+s_2)q^2}{2^{2n}}-\frac{q^3}{2^{2n}}\right)\times \frac{1}{2^{nq}},$$

where$\mathtt{F}$denotes the event${\mathit{\pi }}_1\left(a^{s_1}\right)=b^{s_1}\wedge {\mathit{\pi }}_2\left(c^{s_2}\right)=d^{s_2}$.

Proof. 

We compute a lower bound on the probability by following the chain rule of conditional probabilities, i.e., we compute the conditional probability of ${\mathit{\pi }}_1\left(x_i\right)\oplus {\mathit{\pi }}_2\left(y_i\right)=z_i$ for some $i\in \left[q\right]$, given $\mathtt{F}$, and ${\mathit{\pi }}_1\left(x_j\right)\oplus {\mathit{\pi }}_2\left(y_j\right)=z_j$ for all $j<i$.

Let ${\mathsf{P}}_i={\mathit{\pi }}_1\left(x_i\right)$, ${\mathsf{Q}}_i={\mathit{\pi }}_2\left(y_i\right)$, and ${\mathtt{E}}_i$ denote the event that the i-th equation ${\mathsf{P}}_i\oplus {\mathsf{Q}}_i=z_i$ holds, for all $i\in \left[q\right]$.

For all $1\le i\le q$, consider the i-th equation ${\mathsf{P}}_i\oplus {\mathsf{Q}}_i=z_i$. We have at least $2^n-s_1-s_2-2(i-1)$ possibilities for ${\mathsf{P}}_i$. This can be argued by removing $b^{s_1}$, $d^{s_2}\oplus z_i$, ${\mathsf{P}}_j$ and ${\mathsf{Q}}_j\oplus z_i$ values for all $j<i$. Once we fix ${\mathsf{P}}_i$, ${\mathsf{Q}}_i$ fixes to ${\mathsf{P}}_i\oplus z_i$. Furthermore, for each such value, ${\mathtt{E}}_i$ occurs with a probability of $1/(2^n-s_1-i+1)(2^n-s_2-i+1)$ given that $\mathtt{F}$ occurs, and ${\mathtt{E}}_j$ occurs for all $j<i$. Let $k=i-1$. Then, we have

$$\begin{array}{cc}\hfill \mathsf{Pr}\left[{\mathtt{E}}_i\right|\mathtt{F}\wedge {\mathtt{E}}_1\wedge \cdots \wedge {\mathtt{E}}_k]& \ge \frac{2^n-s_1-s_2-2k}{(2^n-s_1-k)(2^n-s_2-k)}\hfill \\ \hfill & \ge \frac{2^{2n}-(s_1+s_2+2k)2^n}{2^{2n}-(s_1+s_2+2k)2^n+s_1{s}_2+(s_1+s_2)k+k^2}\times \frac{1}{2^n}\hfill \\ \hfill & =\left(1-\frac{s_1{s}_2+(s_1+s_2)k+k^2}{2^{2n}-(s_1+s_2+2k)2^n+s_1{s}_2+(s_1+s_2)k+k^2}\right)\times \frac{1}{2^n}\hfill \\ \hfill & \ge \left(1-\frac{2(s_1{s}_2+(s_1+s_2)k+k^2)}{2^{2n}}\right)\times \frac{1}{2^n},\hfill \end{array}$$

where the latter inequality follows from the assumptions that $(s_1+s_2+2k)2^n<(s_1+s_2+2q)2^n<2^{2n-1}$ and $s_1{s}_2+(s_1+s_2)k+k^2\ge 0$. Finally, we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[{\mathit{\pi }}_1\left(x^q\right)\oplus {\mathit{\pi }}_2\left(y^q\right)=z^q|\mathtt{F}]& =\mathsf{Pr}\left[{\mathtt{E}}_1\right|\mathtt{F}]\times \mathsf{Pr}\left[{\mathtt{E}}_2\right|\mathtt{F}\wedge {\mathtt{E}}_1]\times \cdots \times \mathsf{Pr}\left[{\mathtt{E}}_q\right|\mathtt{F}\wedge {\mathtt{E}}_1\wedge \cdots \wedge {\mathtt{E}}_{q-1}]\hfill \\ \hfill & \ge \prod _{k=0}^{q-1}\left(1-\frac{2(s_1{s}_2+(s_1+s_2)k+k^2)}{2^{2n}}\right)\times \frac{1}{2^{nq}}\hfill \\ \hfill & \ge \left(1-2\sum _{k=0}^{q-1}\frac{s_1{s}_2+(s_1+s_2)k+k^2}{2^{2n}}\right)\times \frac{1}{2^{nq}}\hfill \\ \hfill & \ge \left(1-\frac{2s_1{s}_{2}q}{2^{2n}}-\frac{(s_1+s_2)q^2}{2^{2n}}-\frac{q^3}{2^{2n}}\right)\times \frac{1}{2^{nq}}.\hfill \end{array}$$

□

Note that Proposition 2 is useful in both conditional and unconditional (i.e., $s_1=s_2=0$) cases. Now, we discuss two straightforward applications of the proposition given above.

8.1.1. Sum of Permutations

Construction: Suppose that ${\mathit{\pi }}_1$ and ${\mathit{\pi }}_2$ are two independent uniform random permutations over ${\{0,1\}}^n$. The sum of permutation (or SoP) construction [96,97,98] (illustrated in Figure 8) is a length-preserving function over ${\{0,1\}}^n$, defined by the mapping

$$x\stackrel{\mathsf{SoP}}{⟼}{\mathit{\pi }}_1\left(x\right)\oplus {\mathit{\pi }}_2\left(x\right).$$

It is well-known [89,111,112] that SoP is indistinguishable from a uniform random function up to $o\left(2^n\right)$ queries. The H-technique-based proofs presented in [111,112], although tight, contain some non-trivial gaps, whereas the proof in [89] uses the recently introduced ${\chi }^2$ technique.

In one of the early works on this problem, Lucks [98] presented a suboptimal bound of $2^{2n/3}$ queries using the game-playing technique. Here, we give a very simple and short proof for the $2^{2n/3}$ query bound using the standard H-technique.

Lemma 11. 

For$q\le 2^{2n/3}$,

$${\mathbf{Adv}}_{{\mathsf{SoP}}_{{\mathit{\pi }}_1,{\mathit{\pi }}_2}}^{\mathrm{prf}}\left(q\right)\le \frac{q^3}{2^{2n}}.$$

Proof. 

We write $\mathbf{F}={\mathsf{SoP}}_{{\mathit{\pi }}_1,{\mathit{\pi }}_2}$. Let $\mathit{\rho }$ be a uniform random function over ${\{0,1\}}^n$. Let $\tau =(x^q,y^q)$ denote a transcript where $x^q\in {\left({\{0,1\}}^n\right)}^{\left(q\right)}$. All transcripts are considered to be good.

Analysis of Good Transcripts. Given a transcript $\tau =(x^q,y^q)$, it is easy to see that

$$\mathsf{Pr}[\mathit{\rho }\left(x^q\right)=y^q]=\frac{1}{2^{nq}},$$

(22)

as $x^q⇝y^q$. For the lower bound on $\mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q]$, we summon Proposition 2, with $s_1=0$ and $s_2=0$, i.e., the random permutations are not sampled at any points as of now. Accordingly, we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q]& =\left(1-\frac{q^3}{2^{2n}}\right)\times \frac{1}{2^{nq}}\hfill \\ \hfill & \ge \left(1-\frac{q^3}{2^{2n}}\right)\times \mathsf{Pr}[\mathit{\rho }\left(x^q\right)=y^q]\hfill \\ \hfill \frac{\mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q]}{\mathsf{Pr}[\mathit{\rho }\left(x^q\right)=y^q]}& \ge \left(1-\frac{q^3}{2^{2n}}\right).\hfill \end{array}$$

The result follows from the standard H-technique. □

8.1.2. Sum of Even-Mansour

In a recent paper [99], Chen et al. presented various beyond-birthday-bound secure PRF constructions based on public (i.e., in which the adversary has oracle access to the underlying random permutations) random permutations. Here we consider SoEM22, or the sum of even-Mansour scheme, with two independent random permutations and two independent keys.

Construction: Suppose that ${\mathit{\pi }}_1$ and ${\mathit{\pi }}_2$ are two independent uniform random permutations over ${\{0,1\}}^n$ and $({\mathsf{K}}_1,{\mathsf{K}}_2){\leftarrow }_{\$}{\{0,1\}}^{2n}$. The SoEM22 construction (illustrated in Figure 9) is a length-preserving function over ${\{0,1\}}^n$ defined by the mapping

$$x\stackrel{\mathsf{SoEM}\mathsf{22}}{\to }{\mathit{\pi }}_1(x\oplus {\mathsf{K}}_1)\oplus {\mathsf{K}}_1\oplus {\mathit{\pi }}_2(x\oplus {\mathsf{K}}_2)\oplus {\mathsf{K}}_2.$$

In [99], SoEM22 has been shown to be a secure PRF up to $o\left(2^{2n/3}\right)$ queries to both the underlying permutations, as well as the construction itself. Furthermore, it has been shown that the bound is tight. We demonstrate a similar security bound using Proposition 2.

Lemma 12. 

Let q and p denote the total number of constructions and primitive queries, respectively. Then, for$q,p\le 2^{2n/3}$, we have

$${\mathbf{Adv}}_{\mathsf{SoEM}\mathsf{22}}^{\mathrm{prf}}(q,p)\le \frac{2p^{2}q}{2^{2n}}+\frac{9p{q}^2}{2^{2n}}+\frac{5q^3}{2^{2n}}.$$

Proof. 

We can write $\mathbf{F}=\mathsf{SoEM}{\mathsf{22}}_{{\mathit{\pi }}_1,{\mathit{\pi }}_2,{\mathsf{K}}_1,{\mathsf{K}}_2}$. Let $\mathit{\rho }$ be a uniform random function over ${\{0,1\}}^n$. Let ${\tau }_C=(m^q,z^q)$ denote the transcript corresponding to $\mathbf{F}$, where $x^q\in {\left({\{0,1\}}^n\right)}^{\left(q\right)}$. Without the loss of generality, we assume that the adversary makes the same number of queries to the underlying random permutations. Let ${\tau }_P=(u^p,v^p)$ and $(x^p,y^p)$ denote the forward-only transcript corresponding to the direct access of ${\mathit{\pi }}_1^{\pm }$ and ${\mathit{\pi }}_2^{\pm }$, respectively.

We define ${\{0,1\}}^{2n}$-extended response systems by adjoining the masking keys ${\mathsf{K}}_1$ and ${\mathsf{K}}_2$. In the case of $\mathbf{F}$, this is well-defined according to the definition of $\mathsf{SoEM}\mathsf{22}$. In the ideal system we sample $({\mathsf{K}}_1,{\mathsf{K}}_2){\leftarrow }_{\$}{\{0,1\}}^{2n}$. Note that, once ${\mathsf{K}}_1$ and ${\mathsf{K}}_2$ are released, one can easily obtain ${\mathsf{A}}^q$, ${\mathsf{C}}^q$, ${\mathsf{B}}^q$, and ${\mathsf{D}}^q$.

Bad Transcript and Its Analysis. A transcript is called bad precisely when it leads to permutation incompatibility for any one of the underlying permutations. One way to avoid such inconsistencies is to avoid input/output collision constraints over the two permutations simultaneously. More formally, we say that a transcript is bad if one of the following events occurs for some $({\mathsf{M}}_i,{\mathsf{Z}}_i)\in {\varphi }_c,({\mathsf{U}}_j,{\mathsf{V}}_j)\in {\varphi }_1,({\mathsf{X}}_{j^{\prime }},{\mathsf{Y}}_{j^{\prime }})\in {\varphi }_2$,

• $\mathtt{B}\mathtt{1}$: ${\mathsf{A}}_i={\mathsf{U}}_j$ and ${\mathsf{C}}_i={\mathsf{X}}_{j^{\prime }}$.
• $\mathtt{B}\mathtt{2}$: ${\mathsf{A}}_i={\mathsf{U}}_j$ and ${\mathsf{B}}_i\oplus {\mathsf{Z}}_i\oplus {\mathsf{K}}_1\oplus {\mathsf{K}}_2={\mathsf{Y}}_{j^{\prime }}$.
• $\mathtt{B}\mathtt{3}$: ${\mathsf{C}}_i={\mathsf{X}}_{j^{\prime }}$ and ${\mathsf{D}}_i\oplus {\mathsf{Z}}_i\oplus {\mathsf{K}}_1\oplus {\mathsf{K}}_2={\mathsf{V}}_j$.

Here, $\mathtt{B}\mathtt{1}$ corresponds to a collision on the input of the two underlying permutations; $\mathtt{B}\mathtt{2}$ corresponds to the input collision on ${\mathit{\pi }}_1$ and the output collision on ${\mathit{\pi }}_2$; and, $\mathtt{B}\mathtt{3}$ corresponds to the input collision on ${\mathit{\pi }}_2$ and the output collision on ${\mathit{\pi }}_1$. Note that we only consider collisions between constructions and primitive queries. This is because of the fact that construction-to-construction and primitive-to-primitive collisions are forbidden by design. Now, we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[\overline{\tau }\left({\mathbf{A}}^{\mathit{\rho },{\mathit{\pi }}_1^{\pm },{\mathit{\pi }}_2^{\pm }}\right)\in {\mathsf{\Omega }}_{\mathtt{bad}}]& \le \sum _{i,j,j^{\prime }}\mathsf{Pr}\left[\mathtt{B}\mathtt{1}\right]+\mathsf{Pr}\left[\mathtt{B}\mathtt{2}\right]+\mathsf{Pr}\left[\mathtt{B}\mathtt{3}\right]\le \frac{3q{p}^2}{2^{2n}},\hfill \end{array}$$

where the latter inequality can be argued based on the fact that there are, at most, $q{p}^2$$(i,j,j^{\prime })$ triples, and for each such triple, $\mathsf{Pr}\left[\mathtt{Bi}\right]=1/2^{2n}$ for all $\mathtt{i}\in \left[3\right]$. This is because each bad event reduces to a system of two linear equations in two independent and uniform random variables ${\mathsf{K}}_1$ and ${\mathsf{K}}_2$; therefore, a solution occurs with $1/2^{2n}$ probability.

Analysis of Good Transcripts. Given a transcript $\tau =(x^q,y^q)$, it is easy to see that

$$\mathsf{Pr}[\mathit{\rho }\left(x^q\right)=y^q,{\mathit{\pi }}_1\left(u^p\right)=v^p,{\mathit{\pi }}_2\left(x^p\right)=y^p,{\mathsf{K}}_1,{\mathsf{K}}_2]=\frac{1}{2^{nq}}\times \frac{1}{{\left(2^n\right)}_p}\times \frac{1}{{\left(2^n\right)}_p}\times \frac{1}{2^{2n}},$$

(23)

as $m^q⇝z^q$, $u^p\leftrightsquigarrow v^p$, and $x^p\leftrightsquigarrow y^p$ and $({\mathsf{K}}_1,{\mathsf{K}}_2)$ are chosen uniformly from ${\{0,1\}}^{2n}$. In the real world, for primitive queries we know that $u^p\leftrightsquigarrow v^p$, and $x^p\leftrightsquigarrow y^p$. In construction queries, the i-th query could be one of the three types: (1) $a_i=u_j$ and $c_i\ne x_{j^{\prime }}$ for all $j^{\prime }\in \left[p\right]$; (2) $a_i\ne u_j$ for all $j\in \left[p\right]$ and $c_i=x_{j^{\prime }}$; (3) $a_i\ne u_j$ and $c_i\ne x_{j^{\prime }}$ for all $j,j^{\prime }\in \left[p\right]$. It is easy to see that both a and c cannot collide simultaneously as the transcript is good. Let ${\varphi }_C^1$, ${\varphi }_C^2$, and ${\varphi }_C^3$ denote type-1, type-2, and type-3 construction transcripts, respectively, and $q_1$, $q_2$, and $q_3$ denote the number of such queries, respectively. Finally, we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q,{\mathit{\pi }}_1\left(u^p\right)=v^p,{\mathit{\pi }}_2\left(x^p\right)=y^p,{\mathsf{K}}_1,{\mathsf{K}}_2]& =\mathsf{Pr}[{\varphi }_C,{\varphi }_P,{\mathsf{K}}_1,{\mathsf{K}}_2]\hfill \\ \hfill & =\mathsf{Pr}\left[{\varphi }_P\right]\times \mathsf{Pr}\left[{\varphi }_C^1\right|{\varphi }_P]\times \mathsf{Pr}\left[{\varphi }_C^2\right|{\varphi }_P\wedge {\varphi }_C^1]\hfill \\ \hfill & \times \mathsf{Pr}\left[{\varphi }_C^3\right|{\varphi }_P\wedge {\varphi }_C^1\wedge {\varphi }_C^2]\times \frac{1}{2^{2n}}\hfill \\ \hfill & =\frac{1}{2^{2n}}\times \frac{1}{{\left(2^n\right)}_p{\left(2^n\right)}_p}\times \frac{1}{{(2^n-p)}_{q_1}}\hfill \\ \hfill & \times \frac{1}{{(2^n-p)}_{q_2}}\times \mathsf{Pr}\left[{\varphi }_C^3\right|{\varphi }_P\wedge {\varphi }_C^1\wedge {\varphi }_C^2]\hfill \end{array}$$

Observe that we can apply Proposition 2 to bound the conditional probability of ${\varphi }_C^3$ given ${\varphi }_P$, ${\varphi }_C^1$, and ${\varphi }_C^2$. Thus, by using $s_1=p+q_1$, $s_2=p+q_2$, and the relation $q_1,q_2,q_3<q$, we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q,{\mathit{\pi }}_1\left(u^p\right)=v^p,{\mathit{\pi }}_2\left(x^p\right)=y^p,{\mathsf{K}}_1,{\mathsf{K}}_2]& \ge \left(1-\frac{2p^{2}q}{2^{2n}}-\frac{6p{q}^2}{2^{2n}}-\frac{5q^3}{2^{2n}}\right)\times \frac{1}{2^{n{q}_3}}\hfill \\ \hfill & \times \frac{1}{{\left(2^n\right)}_p{\left(2^n\right)}_p}\times \frac{1}{{(2^n-p)}_{q_1}}\hfill \\ \hfill & \times \frac{1}{{(2^n-p)}_{q_2}}\times \frac{1}{2^{2n}}.\hfill \end{array}$$

(24)

The result follows by dividing Equation (24) by Equation (23).□

9. Optimality of the Extended H-Technique

We have already observed that the expectation method can achieve optimal bounds for the distinguishing advantage. The extended H-technique is also a potential tool to obtain a tight bound for the distinguishing advantage. Now we describe why this is the case. Suppose that $\mathbf{F}$ and $\mathit{\alpha }$ are two $(\mathcal{X},\mathcal{Y})$ random systems. We usually choose $\mathit{\alpha }$ to be an ideal random system (such as a random permutation or a random function) and $\mathbf{F}$ is the construction of interest. Let

$$\begin{array}{cc}\hfill {\mathcal{E}}_{\mathbf{F}\ge \mathit{\alpha }}& =\left\{(x^q,y^q)|r^{\mathbf{F}/\mathit{\alpha }}(x^q,y^q):=\frac{\mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q]}{\mathsf{Pr}[\mathit{\alpha }\left(x^q\right)=y^q]}\ge 1\right\}.\hfill \end{array}$$

The complement of the above set is denoted as ${\mathcal{E}}_{\mathbf{F}<\mathit{\alpha }}$. We also define a binary random variable $\mathsf{B}$ adjoined with $\mathit{\alpha }$ as follows. Let

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathsf{B}=0|\mathit{\alpha }\left(x^q\right)=y^q]& =1,\forall (x^q,y^q)\in {\mathcal{E}}_{\mathbf{F}\ge \mathit{\alpha }}\hfill \end{array}$$

(25)

and

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathsf{B}=0|\mathit{\alpha }\left(x^q\right)=y^q]& =r^{\mathbf{F}/\mathit{\alpha }}(x^q,y^q),\forall (x^q,y^q)\in {\mathcal{E}}_{\mathbf{F}<\mathit{\alpha }}.\hfill \end{array}$$

(26)

We can combine these two equations and write the following for all $(x^q,y^q)$:

$$\mathsf{Pr}[\mathsf{B}=1|\mathit{\alpha }\left(x^q\right)=y^q]=max\{0,1-r^{\mathbf{F}/\mathit{\alpha }}(x^q,y^q)\}$$

(27)

and hence

$$\mathsf{Pr}[\mathsf{B}=1,\mathit{\alpha }\left(x^q\right)=y^q]=max\{0,\mathsf{Pr}[\mathit{\alpha }\left(x^q\right)=y^q]-\mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q]\}.$$

(28)

We say that a transcript $(x^q,y^q,b)$ is bad if $b=1$. Fix any deterministic adversary $\mathcal{A}$. The probability that the extended transcript random variable $\overline{\tau }\left({\mathcal{A}}^{\mathit{\alpha }}\right)$ is bad is

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathsf{B}=1]& =\sum _{\mathcal{A}\left(y^q\right)=x^q}max\{0,\mathsf{Pr}[\mathit{\alpha }\left(x^q\right)=y^q]-\mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q]\}\hfill \\ \hfill & =\mathsf{\Delta }(\tau \left({\mathcal{A}}^{\mathbf{F}}\right);\tau \left({\mathcal{A}}^{\mathit{\alpha }}\right)).\hfill \end{array}$$

Now we define ${\mathsf{B}}^{\prime }$ adjoined with $\mathbf{F}$. The random variable ${\mathsf{B}}^{\prime }$ is degenerated and takes the value of zero with a probability of one. In other words, $\mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q,{\mathsf{B}}^{\prime }=0]=\mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q]$. It is easy to see that for all $(x^q,y^q)$,

$$\begin{array}{c}\hfill \mathsf{Pr}[\mathbf{F}\left(x^q\right)=y^q,{\mathsf{B}}^{\prime }=0]\ge \mathsf{Pr}[\mathit{\alpha }\left(x^q\right)=y^q,\mathsf{B}=0].\end{array}$$

Thus, if we apply the H-technique we actually obtain equality in Equation (7).

Remark 4. 

Here we remark that although the extended H-technique and the expectation method can achieve optimal distinguishing bounds, this might require a very involved analysis. For the expectation method, identifying the optimal ϵ function and then provided a tight estimation for the expectation of this function can be quite difficult. Similarly, for the extended H-technique, identifying the optimal bad event can be very difficult. One thing is clear, however. Both these tools can achieve optimality whenever it is possible through the game-playing or random systems methodologies.

Nonadaptive PRP to SPRP

“Two weak make one strong” or the composition lemma [75,76] states that, in the information-theoretic setting, the composition of two NPRP secure-block ciphers results in an SPRP secure-block cipher. The initial proofs [75,76] of this result were based on Maurer’s random systems methodology. Subsequently, Cogliati, Patarin and Seurin [113] presented a much simpler proof using the standard H-technique.

Construction. Let $\mathbf{F}$ and $\mathbf{G}$ be two NPRP secure quasi-random permutations over $\mathcal{X}$. Then, we are interested in the SPRP security of the composition ${\mathbf{G}}^{-1}\circ \mathbf{F}$. Formally, the composition result is stated in Theorem 1.

Theorem 1.

Suppose that$\mathbf{F}$and$\mathbf{G}$are two random systems over$\mathcal{X}$; then,

$${\mathbf{Adv}}_{{\mathbf{G}}^{-1}\circ \mathbf{F}}^{\mathrm{sprp}}\left(q\right)\le {\mathbf{Adv}}_{\mathbf{F}}^{\mathrm{nprp}}\left(q\right)+{\mathbf{Adv}}_{\mathbf{G}}^{\mathrm{nprp}}\left(q\right).$$

In [113], the following result has been proven. Lemma 13 gives a simple proof for Theorem 1 using the standard H-technique.

Lemma 13.

For all$x^q,y^q\in {\mathcal{X}}^{\left(q\right)}$, we have

$$\frac{\mathsf{Pr}[{\mathbf{G}}^{-1}\circ \mathbf{F}\left(x^q\right)=y^q]}{\mathsf{Pr}[\mathit{\pi }\left(x^q\right)=y^q]}\ge 1-{\mathbf{Adv}}_{\mathbf{F}}^{\mathrm{nprp}}\left(q\right)-{\mathbf{Adv}}_{\mathbf{G}}^{\mathrm{nprp}}\left(q\right).$$

Alternate proof using the extended-H technique. We give a similar but alternative proof for Theorem 1, using the idea of optimality of the extended H-technique. Since we will employ the extended H-technique, we start off with a description of the extended systems.

EXTENDED SYSTEMS. We consider $({\mathcal{X}}^q\times {\{0,1\}}^2)$-extended random systems. We first define a triple of random variables $({\mathsf{Z}}^q,{\mathsf{B}}_1,{\mathsf{B}}_2)\leftarrow {\mathcal{X}}^q\times \{0,1\}\times \{0,1\}$ adjoined with ${\mathit{\pi }}^{\pm }$. Let $\tau \left({\mathcal{A}}^{{\mathit{\pi }}^{\pm }}\right):=({\delta }^q,{\mathsf{X}}^q,{\mathsf{Y}}^q)$ be the forward-only transcript. We sample ${\mathsf{Z}}^q\stackrel{\mathrm{wor}}{⟵}\mathcal{X}$ independently of $\mathit{\pi }$ (and hence independently of the transcript $\tau$ as well). Now, we define the conditional distribution of ${\mathsf{B}}_1,{\mathsf{B}}_2$ given $({\delta }^q,{\mathsf{X}}^q,{\mathsf{Y}}^q,{\mathsf{Z}}^q)$.

Fix three tuples $x^q,y^q,z^q\in {\mathcal{X}}^{\left(q\right)}$. We define the distributions of ${\mathsf{B}}_1,{\mathsf{B}}_2$ given that ${\mathsf{X}}^q=x^q,{\mathsf{Y}}^q=y^q$ and ${\mathsf{Z}}^q=z^q$. Note that the sampling of ${\mathsf{Z}}^q$ can be viewed as ${\mathit{\pi }}^{\prime }\left({\mathsf{X}}^q\right)$ for a random permutation ${\mathit{\pi }}^{\prime }$ independently of $\mathit{\pi }$. If $(x^q,z^q)\in {\mathcal{E}}_{\mathbf{F}\ge {\mathit{\pi }}^{\prime }}$ then ${\mathsf{B}}_1=0$ with a probability of one. Otherwise, ${\mathsf{B}}_1$ follows the Bernoulli distribution $\mathsf{ber}(1-r^{\mathbf{F}/{\mathit{\pi }}^{\prime }}(x^q,z^q))$. Similarly, if $(y^q,z^q)\in {\mathcal{E}}_{\mathbf{G}\ge {\mathit{\pi }}^{\prime }}$ then ${\mathsf{B}}_2=0$ with a probability of one. Otherwise, ${\mathsf{B}}_2$ follows the Bernoulli distribution $\mathsf{ber}(1-r^{\mathbf{G}/{\mathit{\pi }}^{\prime }}(y^q,z^q))$.

Analysis of bad transcripts. We say that a transcript $(x^q,y^q,z^q,b_1,b_2)$ is bad if $b_1=1\vee b_2=1$. For the random transcript variable $({\mathsf{X}}^q,{\mathsf{Y}}^q,{\mathsf{Z}}^q,{\mathsf{B}}_1,{\mathsf{B}}_2)$, we denote this event as $\mathtt{bad}$. According to the union bound,

$$\mathsf{Pr}\left[\mathtt{bad}\right]\le \mathsf{Pr}[{\mathsf{B}}_1=1]+\mathsf{Pr}[{\mathsf{B}}_2=1].$$

We now show that $\mathsf{Pr}[{\mathsf{B}}_1=1]\le {\mathbf{Adv}}_{\mathbf{F}}^{\mathrm{nprp}}\left(q\right)$. Similarly, one can show that $\mathsf{Pr}[{\mathsf{B}}_2=1]\le {\mathbf{Adv}}_{\mathbf{G}}^{\mathrm{nprp}}\left(q\right)$. Similarly to Equation (28), we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[{\mathsf{B}}_1=1]& =\sum _{\begin{array}{c}(x^q,y^q)\in \mathcal{A}\\ z^q\in {\mathcal{X}}^{\left(q\right)}\end{array}}\mathsf{Pr}[{\mathsf{B}}_1=1,{\mathsf{Z}}^q=z^q,{\mathsf{X}}^q=x^q,{\mathsf{Y}}^q=y^q]\hfill \\ \hfill & =\sum _{\begin{array}{c}(x^q,y^q)\in \mathcal{A}\\ z^q\in {\mathcal{X}}^{\left(q\right)}\end{array}}\mathsf{Pr}[{\mathsf{B}}_1=1,{\mathit{\pi }}^{\prime }\left(x^q\right)=z^q,\mathit{\pi }\left(x^q\right)=y^q]\hfill \\ \hfill & =\sum _{(x^q,y^q)\in \mathcal{A}}\mathsf{Pr}[\mathit{\pi }\left(x^q\right)=y^q]\sum _{z^q\in {\mathcal{X}}^{\left(q\right)}}\mathsf{Pr}[{\mathit{\pi }}^{\prime }\left(x^q\right)=z^q]\times max\{0,1-r^{\mathbf{F}/{\mathit{\pi }}^{\prime }}(x^q,z^q)\}\hfill \\ \hfill & =\sum _{(x^q,y^q)\in \mathcal{A}}\mathsf{Pr}[\mathit{\pi }\left(x^q\right)=y^q]\sum _{z^q\in {\mathcal{X}}^{\left(q\right)}}max\{0,\mathsf{Pr}[{\mathit{\pi }}^{\prime }\left(x^q\right)=z^q]-\mathsf{Pr}[\mathbf{F}\left(x^q\right)-z^q]\}\hfill \\ \hfill & =\sum _{(x^q,y^q)\in \mathcal{A}}\mathsf{Pr}[\mathit{\pi }\left(x^q\right)=y^q]\times \parallel {\mathsf{Pr}}_{{\mathit{\pi }}^{\prime }\left(x^q\right)}-{\mathsf{Pr}}_{\mathbf{F}\left(x^q\right)}\parallel \hfill \\ \hfill & \le \underset{a^q\in {\mathcal{X}}^{\left(q\right)}}{max}\parallel {\mathsf{Pr}}_{{\mathit{\pi }}^{\prime }\left(a^q\right)}-{\mathsf{Pr}}_{\mathbf{F}\left(a^q\right)}\parallel \sum _{(x^q,y^q)\in \mathcal{A}}\mathsf{Pr}[\mathit{\pi }\left(x^q\right)=y^q]\hfill \\ \hfill & \le {\mathbf{Adv}}_{\mathbf{F}}^{\mathrm{nprp}}\left(q\right).\hfill \end{array}$$

Analysis of good transcripts. We define ${\mathsf{B}}_1^{\prime }$ and ${\mathsf{B}}_2^{\prime }$ adjoined with $\mathbf{F}$ in a similar fashion as in the case of the optimality result. Both ${\mathsf{B}}_1^{\prime }$ and ${\mathsf{B}}_2^{\prime }$ are degenerated and take a value of zero with a probability of one. For $x^q,y^q,z^q\in {\mathcal{X}}^{\left(q\right)}$ and $i\in \{1,2\}$, let $p_i:=\mathsf{Pr}[{\mathsf{B}}_i=0|\mathit{\pi }\left(x^q\right)=y^q$, ${\mathsf{Z}}^q=z^q]$. Then, we have

$$\begin{array}{cc}\hfill \mathsf{Pr}[\mathit{\pi }\left(x^q\right)=y^q,{\mathsf{Z}}^q=z^q,{\mathsf{B}}_1=0,{\mathsf{B}}_2=0]& =\mathsf{Pr}[\mathit{\pi }\left(x^q\right)=y^q]\times \mathsf{Pr}[{\mathsf{Z}}^q=z^q]\times {\mathsf{p}}_1\times {\mathsf{p}}_2\hfill \\ \hfill & =\mathsf{Pr}[\mathit{\pi }\left(x^q\right)=y^q]\times \mathsf{Pr}[{\mathsf{Z}}^q=z^q]\times {\mathsf{p}}_1\times {\mathsf{p}}_2\hfill \\ \hfill & \le \mathsf{Pr}[\mathbf{F}\left(x^q\right)=z^q]\times \mathsf{Pr}[\mathbf{G}\left(y^q\right)=z^q]\hfill \\ \hfill & =\mathsf{Pr}[\mathbf{F}\left(x^q\right)=z^q,\mathbf{G}\left(y^q\right)=z^q,{\mathsf{B}}_1^{\prime }=0,{\mathsf{B}}_2^{\prime }=0]\hfill \\ \hfill & =\mathsf{Pr}[{\mathbf{G}}^{-1}\circ \mathbf{F}\left(x^q\right)=y^q,{\mathsf{B}}_1^{\prime }=0,{\mathsf{B}}_2^{\prime }=0]\hfill \end{array}$$

The result follows from the extended H-technique, Lemma 3.

10. Conclusions

In this systematization of knowledge, our main goal was to revisit a popular tool in symmetric-key provable security, called the (Coefficients) H-technique [36,38]. We re-formalized the notations and conventions necessary to study the security of any symmetric-key design. We then described the H-technique tool and showed that it can achieve optimal security bounds. To illustrate the effectiveness of this tool, we presented simple security proofs for some popular symmetric-key designs, across different paradigms.

Although our main goal is to promote the application of the H-technique, we emphasize that it is not a universal solution. In particular, there are many problems in which a straightforward application of the H-technique may not provide a tight bound. A prime example is the sum of permutations or SoP problem [96,97]. Although there are some tight-bound proofs [111,112] for the SoP problem that use the H-technique, the veracity of these proofs is not yet established. In contrast, a recent tool developed by Dai et al., called the ${\chi }^2$-method [89], provides a much simple and asymptotically tight bound proof for SoP. The preceding example is just one such instance in which one tool is somewhat superior to another. There could be many more. For instance, it is still not clear how one can apply the ${\chi }^2$-method with the same ease as the H-technique to the analysis of schemes based on low-entropy primitives (such as universal hash functions).

To conclude, a thorough study on the various available tools is presently needed. This will help in choosing the right tools for a given set of problems, which in turn may present tight and/or simple proofs. We believe that this work is a step in that direction. It would be interesting to see similar work on some other popular tools such as the coupling technique [85,86,87] and ${\chi }^2$-method [89,90]. At the same time, we must also look at some other avenues in probability theory to obtain new tools. For example, Morris, Rogaway, and Stegers explored the applications of Markov chains [86] and Steinberger explored the Hellinger distance [94].