A Survey on Applications of H-Technique: Revisiting Security Analysis of PRP and PRF

The Coefficients H technique (also called the H-technique), developed by Patarin circa 1991, is a tool used to obtain upper bounds on distinguishing advantages. This tool is known to provide relatively simple and (in some cases) tight bound proofs in comparison to some other well-known tools, such as the game-playing technique and the random systems methodology. In this systematization of knowledge (SoK) paper, we aim to provide a brief survey of the H-technique. The SoK is presented in four parts. First, we redevelop the necessary nomenclature and tools required to study the security of any symmetric-key design, especially in the H-technique setting. Second, we provide a full description of the H-technique and some related tools. Third, we present (simple) H-technique-based proofs for some popular symmetric-key designs across different paradigms. Finally, we show that the H-technique can actually provide optimal bounds on distinguishing advantages.


Introduction
The general goal of any cryptographic scheme is to achieve some kind of indistinguishability (pseudorandom behavior) from an ideal (random) system. In this respect, distinguishing games play a key role in cryptographic security definitions. In symmetric-key cryptography, pseudorandom functions or PRFs [1] and (strong) pseudorandom permutations or (S)PRPs [2] have been defined via distinguishing games. Informally, an adversary interacts with either the keyed construction of interest (the real system) or with an ideal system, such as a uniform random function or permutation. The adversary's goal is to reliably distinguish which one it is interacting with. If no adversary can distinguish the real system from the ideal system with non-negligible probability, we say that the construction is pseudo-ideal (e.g., a PRF or PRP).
Upon closer inspection of the security proofs of most symmetric-key designs, we see that the underlying primitives are first replaced by ideal primitives. This is justified by the hybrid argument, at the cost of the distinguishing advantage of each of the underlying primitives. Once we replace these underlying primitives with ideal candidates, we obtain the so-called hybrid or quasi-random construction (information-theoretically indistinguishable from ideal candidates). The next and final step is to provide a security analysis of the hybrid construction. This is performed in a purely information-theoretic setting. So, in a way, provable security analysis guarantees the security of the construction provided the underlying primitives are indistinguishable from their ideal counterparts. In this paper we focus on the security analysis of such hybrid constructions.
COEFFICIENTS H TECHNIQUE: Patarin formally introduced the Coefficients H technique [36] at SAC 2008, although the technique had already been used in some of his earlier works [37-41]. In fact, it was Vaudenay who first reported the H-technique publicly, in his decorrelation theory [42]. However, he mentioned that the technique was described in Patarin's PhD thesis [38], written in French. Independently, Bernstein rediscovered a similar variant of the result in [43], referred to as the interpolation theorem. This was later strengthened by Nandi [44] as the strong interpolation theorem. Later, Chen and Steinberger presented a renewed interpretation of the H-technique in their work on key alternating ciphers [45]. They expressed the hope that their "paper will serve as a useful additional tutorial on (or introduction to) Patarin's H-coefficient technique, which still seems to suffer from a lack of exposure". This modernization indeed popularized the H-technique: to the best of our knowledge, all recent applications follow this renewed description of the H-technique. We remark that Mennink's uses of the H-technique in [46,47] offer a similarly simple exposition of the technique, applied to relatively simple constructions. At a very high level, the H-technique concentrates on the input-output tuple generated by an adversary's interaction with the oracle at hand, called the transcript. In the simplest case, the H-technique states that the distinguishing advantage is bounded by one minus a lower bound on the ratio of the probability that an attainable transcript is realized by the real oracle to the probability that it is realized by the ideal oracle. A transcript is called attainable if the probability that it is realized by the ideal oracle is non-zero.
Thus, the ratio of the above two probabilities is lower-bounded as Finally, the Coefficients H technique states that $A$'s advantage in distinguishing $\boldsymbol{\rho}$ from $\boldsymbol{\pi}$ is upper-bounded by $q^2/2^{n+1}$. The above example is quite simple. However, in many cases it might be possible that certain transcripts are bad (i.e., they may lead to inconsistency or are improbable) in the real or the ideal world. In those cases, we also have to add the probability of realizing a bad transcript in the ideal world to the distinguishing advantage. For example, if we interchange the real and the ideal world in the above example, we can define a transcript $\omega = ((x_1, y_1), (x_2, y_2), \ldots, (x_q, y_q))$ as bad if $y_i = y_j$ for some $i \neq j$. This can happen with probability at most $q^2/2^{n+1}$ in the ideal world (which is now the uniform random function). For a good transcript $\omega$ (from the above calculation), it is easy to see that the ratio is at least 1, i.e., $\Pr[\Theta_0 = \omega]$ is at least the corresponding ideal-world probability. A variant of the H-technique which allows bad transcripts then gives the same bound, namely the sum of the probability of a bad transcript in the ideal world and the maximum value of 1 minus the ratio over all good transcripts. In this second approach, the maximum value of 1 minus the ratio is at most zero, and so the advantage is simply bounded by the bad transcript probability.
MAURER'S RANDOM SYSTEMS METHODOLOGY: At Eurocrypt 2002, Maurer introduced the random systems methodology (also called Maurer's methodology) for indistinguishability proofs [73]. The random systems methodology defines a sequence of conditional probabilities associated with a system, i.e., the interaction between an adversary and an oracle. It further defines the notion of a monotone binary condition associated with a system. Two systems are said to be equivalent until a monotone binary condition $B$ if they give rise to the same sequence of conditional probabilities while $B = 0$. This formalizes the identical-until-bad philosophy of the game-playing technique. Expectedly, the advantage is bounded by the probability that the monotone condition changes to 1. Note that, in contrast to this approach, the H-technique considers the joint probability distribution of the systems. Applications of Maurer's methodology were first presented in some indistinguishability and composition proofs [73-76]. Later, Maurer's methodology was also applied to prove the security of PMAC, TMAC and XCBC [77], ENR and its variants [78-80], and XTX [81].
EXPECTATION METHOD: The expectation method, developed by Hoang and Tessaro [82], is a generalization of the H-technique in which the expected value of the ratio is used instead of a constant (i.e., transcript-independent) lower bound. The expectation method has been applied to obtain exact bounds in [82] and multi-user security in [82-84].
COUPLING TECHNIQUE: The coupling technique [51,85-87] is a very useful tool for upper-bounding the distinguishing advantage (mostly for the non-adaptive distinguisher) of iterated structures. For example, it has been applied, among others, to the iterated Even-Mansour [51], iterated tweakable Even-Mansour [54], and cascaded LRW2 [88] schemes. The high-level idea is simple: the coupling lemma is used to bound the statistical distance of $r$ rounds of some iterated scheme from the uniform distribution. This step is non-adaptive in nature. Now, given the non-adaptive bound, a straightforward application of the composition lemma from [75] gives adaptive security for $2r$ rounds of the iterated scheme. The coupling technique is known for having notoriously loose bounds. This is because even if the coupling lemma gives a tight bound for the non-adaptive security of $r$ rounds, this says nothing about the adaptive security of $r$ rounds. It might be possible to obtain the desired level of adaptive security at $r$ rounds itself, but the technique requires $2r$ rounds.
$\chi^2$-METHOD AND HELLINGER DISTANCE: The $\chi^2$-method was proposed by Dai, Hoang and Tessaro [89]; it bounds the statistical distance in terms of the expectation of the conditional $\chi^2$-distances. The $\chi^2$-method gave improved bounds in some cases, such as the sum of permutations and EDM [89,90], where the H-technique failed. Bhattacharya and Nandi explored the applications of the $\chi^2$-method in analyzing the PRF security of a sum-of-permutations variant [91] and the indifferentiability of a sum of permutations [92]. Recently, a beyond-birthday security analysis of three-round LDT [93] has been demonstrated. The $\chi^2$-method is quite useful in cases in which it is easy to compute the conditional probabilities, such as the sum of permutations. However, there is no clear picture as to its utility in cases in which the conditional probability is not that easy to compute, such as hash-based schemes.
The application of a different distance notion for bounding the statistical distance is not new. In fact, much earlier, Steinberger used the Hellinger distance [94] to study key alternating ciphers. However, this method is yet to be explored for other constructions.

Our Contribution
The contributions of this SoK are fourfold. First, we reformulate an interactive algorithm in its functional view, which provides the language for the proofs of symmetric-key designs. Second, we provide a complete description of the H-technique, along with some related tools. Third, we revisit the security analysis of some well-known symmetric-key constructions across different paradigms. Specifically, we give H-technique-based proofs for the following constructions:

1.
Hash-based schemes: hash-then-PRF, hash-then-TBC [66] and ENR [78,79]. In the case of ENR we study a generic scheme, called NR, which allows for simple proofs for both ENR and LDT [58].
Finally, we show that the extended version of the H-technique can achieve optimal security bounds. As a side result, we provide an alternate proof for the composition of non-adaptive PRPs [75].
The above constructions were chosen for varied reasons. In some cases, we simplify the existing game-playing or Maurer's-methodology-based proofs; for example, see the proofs of ENR, Feistel ciphers, and SoP. In other cases, we unify the proofs of various related schemes into one general result; for example, see the general proof of NR. For SPRP enciphering schemes, we provide the first proof in the H-technique.

Organization of the Paper
We begin by developing, in Section 2, the notation and conventions used in the paper. In Section 3, we formalize the model for bounded-query interactive algorithms. In Section 4, we describe the H-technique and its variant, the expectation method. We also briefly describe how to capture the random systems methodology using the H-technique. In Sections 5-7, we give alternate proofs for some hash-based schemes, Feistel-like schemes, and popular SPRP schemes, respectively. Section 8 gives proofs for beyond-birthday-bound secure PRFs, namely SoP and SoEM22. In Section 9, we prove the optimality of the H-technique and use similar ideas to present an alternate proof for the non-adaptive to adaptive PRP composition.

Notation
We simply write the set $\{1, 2, \ldots, m\}$ as $[m]$. We denote a $q$-tuple $(x_1, \ldots, x_q)$ as $x^q$. We sometimes use the notation $\{x^q\}$ to denote the set $\{x_i : i \in [q]\}$. Thus, any binary monotone sequence must be of the form $0^i 1^{q-i}$ for some $i$.
For a set $\mathcal{X}$, we write $\mathcal{X}^{(r)}$ for the set of all $r$-tuples $x^r \in \mathcal{X}^r$ such that $x_1, \ldots, x_r$ are distinct. We write $N(N-1)\cdots(N-r+1)$ as $(N)_r$. If the size of the set $\mathcal{X}$ is $N$, then clearly $|\mathcal{X}^{(r)}| = (N)_r$.
A function $g(a, b)$ is functionally independent of $b$ if for all $a, b, b'$, $g(a, b) = g(a, b')$. In this case there exists a function $g'$ such that for all $a, b$, $g(a, b) = g'(a)$.
Given an index set $I$, we denote an indexed family (or a tuple) as $\{x_i\}_{i \in I}$ or $x_I$. Note that it is different from the set $\{x_i : i \in I\}$. For some $i \neq j$, $x_i$ and $x_j$ may be the same; we ignore repetition in the set representation, whereas in the indexed family we allow repetition. More formally, an indexed family can be represented as a function from the index set to the set in which the $x_i$ values lie. Note that $x^q$ is shorthand for $x_{[q]}$, where $[q]$ is the index set.
NOTATION ON COMPATIBILITY. The set of all functions from $\mathcal{X}$ to $\mathcal{Y}$ is denoted as $\mathrm{Func}(\mathcal{X}, \mathcal{Y})$. Similarly, the set of all permutations over $\mathcal{Y}$ is denoted as $\mathrm{Perm}(\mathcal{Y})$.

1.
A pair of tuples $(x^q, y^q)$ is referred to as function-compatible if $x_i = x_j \Rightarrow y_i = y_j$. We denote it as $x^q$ $y^q$.

2.
A pair of tuples $(x^q, y^q)$ is referred to as permutation-compatible if $x_i = x_j \Leftrightarrow y_i = y_j$. We denote it as $x^q$ $y^q$.

3.
A triple of tuples $(t^q, x^q, y^q)$ is referred to as tweakable-permutation-compatible if $(t_i, x_i) = (t_j, x_j) \Leftrightarrow (t_i, y_i) = (t_j, y_j)$. We denote it as $x^q$ $t^q$ $y^q$ (equivalently, $(t^q, x^q)$ $(t^q, y^q)$).

Statistical Distance
Statistical distance (also known as total variation [100] in the statistics community) is a metric on the set of probability functions over a finite set $\Omega$. It is the most common metric in cryptography. As we see later, it has a close relationship with the distinguishing advantage.
Definition 1 (statistical distance). Let $\Pr_0$ and $\Pr_1$ be two probability functions over a finite set $\Omega$. We define the statistical distance between $\Pr_0$ and $\Pr_1$ as When $X, Y$ are two random variables over $\Omega$, we define $\Delta(X; Y) = \|\Pr_X - \Pr_Y\|$.
It is easy to verify that the statistical distance satisfies symmetry and the triangle inequality.
(non-negative) $\|\Pr_1 - \Pr_2\| \geq 0$.

5.
$\|\Pr_1 - \Pr_2\| \leq 1$. Equality holds if and only if the supports of the two probability functions are disjoint.
All these results are easy to verify from the definition of statistical distance. We leave this as an exercise for the reader.

The maximum is achieved at
Proof. It is easy to see that the maximum value of $\Pr_0(E) - \Pr_1(E)$ is achieved at $E$ if and only if $\Omega_{>} \subseteq E \subseteq \Omega_{\geq}$ (for any $x \notin \Omega_{\geq}$, the contribution $\Pr_0(x) - \Pr_1(x)$ is negative). Here, we can note that This proves the first equality. Now, we write The first sum can be simplified as Similarly, the second sum can be simplified to Adding these two sums, we obtain the second equality.
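The $\boldsymbol{\rho}$-versus-$\boldsymbol{\pi}$ example from the introduction, checked exhaustively for small $n$ and $q$ against the exact statistical distance computed both ways from Lemma 2 (an added example, not code from the paper; the parameter choices, the function names and the restriction to distinct non-adaptive queries, so that a transcript is just the response tuple $y^q$, are assumptions made here):

```python
"""Exact check of the H-technique bound for distinguishing a uniform random
permutation pi from a uniform random function rho on n-bit strings with q
distinct (non-adaptive) queries, as in the example in the introduction and
Lemma 2.  Transcripts are the response tuples y^q; parameters are small so
that the transcript space can be enumerated exhaustively."""
from fractions import Fraction
from itertools import product
from math import perm


def transcript_distributions(n, q):
    """Return (pr_perm, pr_func): exact probability of each response tuple
    y^q in {0..2^n-1}^q under a random permutation and a random function
    (q distinct queries, so only the responses matter)."""
    N = 2 ** n
    pr_perm, pr_func = {}, {}
    for y in product(range(N), repeat=q):
        pr_func[y] = Fraction(1, N ** q)            # Definition 9: 1/N^q
        # Definition 10: 1/(N)_q if the y_i are distinct, else 0
        pr_perm[y] = Fraction(1, perm(N, q)) if len(set(y)) == q else Fraction(0)
    return pr_perm, pr_func


def statistical_distance(pr0, pr1):
    """||Pr0 - Pr1|| computed both ways from Lemma 2: as max_E Pr0(E)-Pr1(E),
    attained at Omega_> = {x : Pr0(x) > Pr1(x)}, and as (1/2) sum |Pr0 - Pr1|."""
    keys = set(pr0) | set(pr1)
    g = lambda pr, x: pr.get(x, Fraction(0))
    omega_gt = [x for x in keys if g(pr0, x) > g(pr1, x)]
    via_event = sum((g(pr0, x) - g(pr1, x) for x in omega_gt), Fraction(0))
    via_l1 = sum((abs(g(pr0, x) - g(pr1, x)) for x in keys), Fraction(0)) / 2
    assert via_event == via_l1
    return via_event


def h_technique_bound(pr_real, pr_ideal, is_bad):
    """Extended H-technique: Pr_ideal[bad] + max over good attainable
    transcripts of (1 - Pr_real/Pr_ideal), the latter clamped at 0."""
    bad_prob = Fraction(0)
    worst_ratio_gap = Fraction(0)
    for tau, p_ideal in pr_ideal.items():
        if p_ideal == 0:           # not attainable: ignored by the technique
            continue
        if is_bad(tau):
            bad_prob += p_ideal
        else:
            ratio = pr_real.get(tau, Fraction(0)) / p_ideal
            worst_ratio_gap = max(worst_ratio_gap, 1 - ratio)
    return bad_prob + worst_ratio_gap


def switching_bound(n, q):
    """The q^2 / 2^(n+1) bound stated in the introduction."""
    return Fraction(q * q, 2 ** (n + 1))


def check(n, q):
    """Return (exact distance, H-technique bound, q^2/2^(n+1)) for the
    pi-vs-rho game; by Lemma 2 the first is the best possible advantage
    of any decision function over these transcripts."""
    pr_perm, pr_func = transcript_distributions(n, q)
    exact = statistical_distance(pr_perm, pr_func)
    # Ideal world = random function; bad = a collision y_i = y_j, i != j.
    bound = h_technique_bound(pr_perm, pr_func, lambda y: len(set(y)) < len(y))
    return exact, bound, switching_bound(n, q)


if __name__ == "__main__":
    for n, q in [(3, 2), (3, 3), (4, 3)]:
        exact, bound, sw = check(n, q)
        print(f"n={n} q={q}: exact={exact} H-bound={bound} q^2/2^(n+1)={sw}")
        assert exact <= bound <= sw
```

On good transcripts the ratio is $N^q/(N)_q \geq 1$, so the H-technique bound collapses to the ideal-world collision probability $1 - (N)_q/N^q$, which here coincides with the exact distance.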

Probabilistic Function
A probabilistic function (defined below) is a mathematical model for the black-box behavior of a probabilistic algorithm. We also use the same object to model probabilistic interactive algorithms.

Definition 3 (probabilistic function).
A probabilistic function with an input space $\mathcal{X}$ and an output space $\mathcal{Y}$ is a function $f : \mathcal{R} \times \mathcal{X} \to \mathcal{Y}$ for some finite set $\mathcal{R}$, called the random coin space. We can also simply write (abusing notation) $f : \mathcal{X} \xrightarrow{*} \mathcal{Y}$, suppressing the notation for the random coin space.
If the random coin space is a singleton (i.e., degenerate), we simply ignore the random coin space. In this case, the probabilistic function reduces to a function. Given an input $x \in \mathcal{X}$, we first sample $R \xleftarrow{*} \mathcal{R}$ (in most cases uniformly) and then define an output random variable $f(x) := f(R, x)$ over $\mathcal{Y}$. So, for all $y \in \mathcal{Y}$,

Definition 4.
With each probabilistic function $f : \mathcal{X} \xrightarrow{*} \mathcal{Y}$, we associate a family of probability functions over $\mathcal{Y}$ (indexed by the input space $\mathcal{X}$) We call $p_f$ the probabilistic system associated with the probabilistic function $f$.
Note that the probabilistic function and the probabilistic system are analogous to a random variable and its probability distribution.

Example 1 (Keyed Functions). This is an important example for cryptography. Many cryptographic designs are viewed as keyed functions. Let $F$ be a keyed function family $\{F_k \mid k \in \mathcal{K}\}$ such that for all keys $k \in \mathcal{K}$, $F_k : \mathcal{X} \to \mathcal{Y}$.
We sample a key $K \xleftarrow{\$} \mathcal{K}$ and treat it as a random coin, and we obtain a probabilistic function (abusing notation) $F : \mathcal{X} \xrightarrow{*} \mathcal{Y}$, mapping $x$ to $F(K, x) := F_K(x)$ (also written as $K(x)$, whenever $K$ actually represents the function $F$).

Notation 1.
Given a probabilistic function $f : \mathcal{X} \xrightarrow{*}$ The probabilistic functions $f_1$ and $f_2$ are basically the two components of $f$, and we also call them truncated probabilistic functions. This can be similarly extended to the Cartesian product of more than two sets.

Function Models of Interactive Algorithms and Their Interaction
An interactive algorithm is modeled as a (probabilistic) interactive Turing machine [1,101]. In this paper, we model interactive algorithms by probabilistic functions. This model is general enough to capture finite and bounded interactions between two interactive algorithms (i.e., the number of interactions between the two algorithms is bounded by some fixed positive integer, say $q$).
Definition 5 (function models of interactive algorithms). Let $q$ be a positive integer.

1.
Joint Response Function: A $q$-joint $(\mathcal{X}, \mathcal{Y})$ response function is a probabilistic function $F : \mathcal{X}^q \xrightarrow{*} \mathcal{Y}^q$ such that for all random coins $r$, the mapping $x^q \mapsto F(r, x^q)|_i$ is functionally independent of $x_{i+1}, \ldots, x_q$.

2.
Joint Query Function: A probabilistic function $A : \mathcal{Y}^q \xrightarrow{*} \mathcal{X}^q$ is called a $q$-joint $(\mathcal{X}, \mathcal{Y})$ query function if for all random coins $r$, the mapping $y^q \mapsto A(r, y^q)|_i$ is functionally independent of $y_i, \ldots, y_q$. Moreover, it is called non-adaptive if $A(r, y^q)$ is functionally independent of $y^q$, and deterministic if the random coin space is a singleton (in which case we simply drop the random coin space notation and write it as a function $A : \mathcal{Y}^q \to \mathcal{X}^q$).
We can also simply refer to a $q$-joint $(\mathcal{X}, \mathcal{Y})$ query function and a $q$-joint $(\mathcal{X}, \mathcal{Y})$ response function as an $(\mathcal{X}, \mathcal{Y})$ joint query function and an $(\mathcal{X}, \mathcal{Y})$ joint response function, respectively.
The joint query and response functions together capture the interaction. A joint query function captures the functional view of an interactive algorithm that initiates the interaction, and a joint response function captures the functional view of the corresponding oracle algorithm. When a joint query function $A$ interacts with a joint response function $F$, $x_1$ depends only on the random coin of $A$, whereas $y_1$ depends on $x_1$ and the random coin of $F$. Similarly, $x_2$ depends on $y_1$ and the random coin of $A$, and $y_2$ depends on $x_1$, $x_2$ and the random coin of $F$. In this way, we can define $x^q$ and $y^q$ based on the random coins of $A$ and $F$. The pair $(x^q, y^q)$ is called a transcript (which is a function of the pair of random coins of $A$ and $F$).
We now formally define the transcript random variable. Based on the conditions in the definitions of the joint response and query functions, there exist functions $A_i$ and $F_i$,
Definition 6 (transcript). Let $A$ and $F$ be the $(\mathcal{X}, \mathcal{Y})$ joint query function and joint response function, respectively. Let $A_i$ and $F_i$ be defined as above. We define the transcript random variable as $\tau(A^F) = (X^q, Y^q)$, where the $X_i$ and $Y_i$ values are defined recursively as follows: and $R$ and $R'$ are the random coins of $A$ and $F$, respectively.
Based on the above definition, it is clear that for any fixed random coins $r$ and $r'$, the transcript is the unique pair $(x^q, y^q)$ such that $A(r, y^q) = x^q$ and $F(r', x^q) = y^q$. So for any $(x^q, y^q) \in \mathcal{X}^q \times \mathcal{Y}^q$, using the independence of the random coins of $A$ and $F$, we have In terms of the probabilistic systems $p_A$ and $p_F$ associated with $A$ and $F$, respectively (see Definition 4), we can write the probability of realizing a transcript $\tau = (x^q, y^q)$ as So, the transcript probability is determined by the probabilistic systems $p_A$ and $p_F$.
EXTENDED TRANSCRIPT. The transcript is the information obtained by the joint query function through an interaction. Sometimes we release an extra piece of information, say $S$, to the adversary in addition to the transcript. This is given only after all interaction is completed. In other words, the queries $x^q$ cannot functionally depend on $S$, whereas $S$ can depend on the queries. To formalize this, let us define an extended response function.
where $R$ denotes the random coin of $\bar{F}$ and $\tau(A^F) = (X^q, Y^q)$. We call $S$ the random variable adjoined to $F$.
MBO EXTENSION. Now we describe a popular extended joint response function. An MBO (monotone binary output) extension $\bar{F}$ is a $\{0,1\}^q$-extension of a joint response function $F$ such that the support of the adjoined random variable $S$ is the set of all monotone binary sequences. We call the extended transcript $\tau(A^{\bar{F}})$ good if $S = 0^q$, and bad otherwise. Informally, $S$ records whether some bad event occurred upon some query. This is accomplished by setting the bit corresponding to the query index to 1. Since $S$ is monotone, whenever the bad flag is set to 1 it remains 1 for the rest of the queries. This justifies the fact that the support of $S$ is $\{0^i 1^{q-i} : 0 \leq i \leq q\}$.
Later we will see that a simpler and equally powerful extension is to release a single binary variable $B$ denoting whether a bad event happened anywhere in the transcript. Thus, $B = 0$ if $S = 0^q$; otherwise, $B = 1$. We then adjoin only the random variable $B$ instead of the MBO $S$.
For an extended system $\bar{F} = (F, S)$, we can similarly associate a probabilistic system, defined as For

Examples of Response Functions
KEYED FUNCTION. Let $F$ be a keyed function family $\{F_k \mid k \in \mathcal{K}\}$ such that for all keys $k \in \mathcal{K}$, $F_k : \mathcal{X} \to \mathcal{Y}$. We can also view $F$ as a function $F :$ If we choose the key $K \xleftarrow{\$} \mathcal{K}$ and treat it as a random coin, we obtain a joint response function (which we call a (deterministic) keyed function) as
KEYED STRONG PERMUTATION. When $F(k, \cdot)$ is a permutation on $\mathcal{Y}$ for all keys $k \in \mathcal{K}$, one can consider an interaction in which a joint query function also makes queries to the inverse function. To capture this, we associate a new keyed function . The joint response function associated with the keyed function $F^{\pm}$ is denoted as $F^{\pm}$ and we call it a keyed strong permutation.
The forward-only representation is an equivalent representation of the original triple, as we can uniquely reconstruct the original triple from it.
So, the probabilistic system associated with $F^{\pm}$ is completely determined by the probabilistic system associated with $F$.

Some Ideal Random Systems
We describe some popular ideal random systems. Let $\mathcal{X}$, $\mathcal{Y}$ and $\mathcal{T}$ be finite sets such that $N = |\mathcal{Y}|$.
Definition 9 (random function). An $(\mathcal{X}, \mathcal{Y})$ random function is an $(\mathcal{X}, \mathcal{Y})$ joint response function $\boldsymbol{\rho}$ such that for all $x^q \in \mathcal{X}^q$ and $y^q \in \mathcal{Y}^q$ with $x^q$ $y^q$ (function compatible), where $s$ is the number of distinct $x_i$ values present in $x^q$. In all other cases the probability is zero.
Definition 10 (random permutation). A $\mathcal{Y}$ random permutation is a $(\mathcal{Y}, \mathcal{Y})$ joint response function $\boldsymbol{\pi}$ such that for all $x^q, y^q \in \mathcal{Y}^q$ with $x^q$ $y^q$ (permutation compatible), where $s$ is the number of distinct $x_i$ values present in $x^q$. In all other cases the probability is zero.
As described before, we can similarly define a strong random permutation $\boldsymbol{\pi}^{\pm}$ which provides access to the inverse. More precisely, for any $(\delta^q, x^q, y^q)$, $\Pr[\boldsymbol{\pi}^{\pm}(\delta^q, x^q) = y^q] = 1/(N)_s$, provided that $a^q$ and $b^q$ are permutation compatible, where $(\delta^q, a^q, b^q)$ is the forward-only transcript of $(\delta^q, x^q, y^q)$ and $s$ is the number of distinct $a_i$ values present in $a^q$ (which is the same as the number of distinct values present in $b^q$).
We have defined the above ideal systems through their probabilistic systems. One can also define them through deterministic keyed functions. For a random function, the key space is $\mathrm{Func}(\mathcal{X}, \mathcal{Y})$, the set of all functions from $\mathcal{X}$ to $\mathcal{Y}$. For any $k \in \mathrm{Func}(\mathcal{X}, \mathcal{Y})$ and $x \in \mathcal{X}$, we define $\boldsymbol{\rho}(k, x) = k(x)$. For a random permutation, the key space is $\mathrm{Perm}(\mathcal{Y})$, the set of all permutations over $\mathcal{Y}$. For any $k \in \mathrm{Perm}(\mathcal{Y})$ and $x \in \mathcal{Y}$, we define $\boldsymbol{\pi}(k, x) = k(x)$.
One can easily verify that the probabilistic systems view is the same as the deterministic keyed function view. The two views are actually the same functions defined over two different domains.
TWEAKABLE RANDOM PERMUTATION. Given a tweakable-permutation-compatible tuple $(t^q, x^q, y^q)$, we associate a tuple of positive numbers $(c_1, \ldots, c_r)$ as follows. Let $t_1, \ldots, t_r$ denote the distinct tweaks present in $t^q$. We write The probability is zero for all other tuples $(t^q, x^q, y^q)$.
We can write the above probability in another equivalent form. For each $i$, we define $s_i$ as the number of $j < i$ such that $t_j = t_i$. Then, we have Intuitively, when we respond to the $i$th query $(t_i, x_i)$, we look at all those $j$ for which $t_j = t_i$. Let $S_i$ be the set of all $y_j$ values for which $t_j = t_i$. The response to the $i$th query is an element selected uniformly at random from $S_i^c$ (in other words, sampling without replacement for the same tweak value).
To realize this probabilistic system, we define a keyed function corresponding to it. Let the key space be $\mathrm{Func}(\mathcal{T}, \mathrm{Perm}(\mathcal{Y}))$, the set of all functions from the tweak space to the set of all permutations. Thus, if $k$ is a key and $t$ is a tweak, $k(t)$ is a permutation over $\mathcal{Y}$. We write $k(t)(x)$ as $k(t, x)$ or $\tilde{\boldsymbol{\pi}}(k, (t, x))$. One can again check that the probabilistic system associated with this joint response function is the same as the tweakable random permutation defined above.

Distinguisher and Its Advantage
Let $F$ and $G$ be two $(\mathcal{X}, \mathcal{Y})$ joint response functions and $A$ an $(\mathcal{X}, \mathcal{Y})$ joint query function with random coin space $\mathcal{R}$. Let $b : \mathcal{R} \times \mathcal{X}^q \times \mathcal{Y}^q \to \{0, 1\}$ be a binary function (also called a decision function). We call the pair $(A, b)$, denoted as $A^b$, a distinguisher.

1.
The algorithm $A$ obtains a transcript $\tau = (x^q, y^q)$.

2.
The function $b$ finally makes a decision based on the transcript and the random coin initially sampled by $A$.
More formally, the output of where $R$ is the random coin of $A$, which is used to generate the transcript $\tau(A^F)$. We now define Let $E$ be the set of all tuples $(r, x^q, y^q)$ for which $b$ returns 1. From the equivalent definition of statistical distance (see Lemma 2) we have Moreover, equality is achieved if we define the decision function, called the optimal decision function and denoted $b_{opt}$, as follows:
COMPLEXITY. Note that the computation of $b_{opt}$ may not be efficient. In general, we consider two types of complexities for an adversary (both for the query function and the decision function) to measure the efficiency of an algorithm. One type considers all computational complexities, which include, e.g., time, memory, etc. The other type considers data complexities, which include the number of queries (which is $q$ in our case), the total number of bits in all queries, the size of the largest query, etc. As we are interested in information-theoretic analysis, we keep only the complexity related to oracle calls and consider only computationally unbounded adversaries. We always assume that the decision function $b$ is optimal. Thus, we simply denote a distinguisher as $A$ (by its joint query function), ignoring the notation $b$.

Conventions
Now, we state some conventions which can be assumed without loss of generality in this paper. This will simplify the analysis of the distinguishing advantage.

1.
Distinguishers are deterministic: Given any query function $A$ and a fixed random coin $r$, let $A[r] := A(r, \cdot)$ denote the deterministic query function which runs $A$ with the random coin $r$. It is easy to verify that

2.
No redundant queries: In this paper we only consider deterministic keyed functions. An adversary $A$ interacting with a deterministic keyed function is called redundant if $A$ makes two identical queries (i.e., $x_i = x_j$ for some $i < j$). An adversary $A$ interacting with a deterministic keyed strong permutation $F^{\pm}$ is called redundant if for some where $y_i$ is the response to the $i$th query. Note that, in this case, $(a_j, b_j) = (a_i, b_i)$, where $(\delta^q, a^q, b^q)$ denotes the forward-only transcript. The response to the $j$th query is uniquely determined by the $i$th query. Similarly, we define redundant queries for a tweakable keyed permutation. The $i$th Note that for all redundant queries, the response is uniquely determined by the previous query-responses; hence, without loss of generality, we may ignore those queries. Thus, we assume that all such adversaries are non-redundant.

Security Definitions
Here we define PRF, PRP, SPRP, and their tweakable versions against adaptive and non-adaptive adversaries. Let $\mathcal{A}(\theta_D)$ (and $\mathcal{A}_{na}(\theta_D)$) denote the set of all adversaries $A$ using at most $\theta_D$ data complexity in adaptive ways (and non-adaptive ways, respectively). If the computational complexity is unbounded (or infinite) in all these definitions, we simply drop the notation $\theta_C$.

H-Technique
Here, we describe the extended version of the H-technique. The basic or standard version, also called the Coefficients H technique, is a simple instantiation of the extended version (viewing the adjoined random variable as a degenerate or fixed constant).
Let $\Omega$ denote the set of all attainable transcripts, i.e., the support of $\Pr_{\bar{G}}$. Suppose that there is a set $\Omega_{bad} \subseteq \Omega$ such that for all $(x^q, y^q, s) \notin \Omega_{bad}$, A proof of the H-technique is presented, among others, in [36,38,44,45]. Here, we provide a short proof for the sake of completeness.
Proof. For any adversary $A$, it is easy to see that $\Delta_A(F; G) \leq \Delta(\tau(A^{\bar{F}}); \tau(A^{\bar{G}}))$. This holds as the decision function is free to discard the additional information. Let $\Pr_0 = \Pr_{\bar{G}}$ and $\Pr_1 = \Pr_{\bar{F}}$. Then, $\Omega_{>}$ is well-defined (see Definition 2). According to Lemma 2, we have

Expectation Method
Hoang and Tessaro [82] introduced a somewhat generalized version of the H-technique, termed the expectation method. We describe it in a slightly different way in order to conform to our notation.
Lemma 4 (Expectation Method). Suppose that $\bar{F} := (F, S)$ and $\bar{G} := (G, S')$ are two $\mathcal{S}$-extended $(\mathcal{X}, \mathcal{Y})$ response systems. Let $\Omega$ be the support of $\Pr_{\bar{G}}$ and suppose that there is a set $\Omega_{bad} \subseteq \Omega$ and a non-negative function $\epsilon :$ Then, for any $(\mathcal{X}, \mathcal{Y})$ adversary $A$, One can set $\epsilon(\bar{\tau}) = 1$ for $\bar{\tau} \in \Omega_{bad}$ to avoid the separate calculation of the bad transcript probability. The extended H-technique is obtained from Equation (8) when $\epsilon$ is a constant function. Based on CS's view of the H-technique, the expectation method is like partitioning the set of transcripts into singletons. Thus, one could argue that the expectation method should achieve optimality. This is possible if one can identify a suitable definition of the function $\epsilon$ and provide a tight estimate of the expected value. Specifically, for $\bar{\tau} \in \mathcal{X}^q \times \mathcal{Y}^q \times \mathcal{S}$, we define $\epsilon(\bar{\tau})$ as $1 - \Pr_{\bar{F}}(x^q, y^q, s)/\Pr_{\bar{G}}(x^q, y^q, s)$ when $\Pr_{\bar{G}}(x^q, y^q, s) > \Pr_{\bar{F}}(x^q, y^q, s)$, and 0 otherwise. (8), if we apply the expectation method with $\Omega_{bad} = \emptyset$.

Hash-Based Constructions
Now  Figure 1). This construction has been studied in [102,103]. Many PRF constructions can be viewed as hash-then-PRF constructions. For example, EMAC [104], ECBC and FCBC [15], LightMAC [105], and the protected counter sum or PCS approach [43]. Lemma 5. Let hash-then-PRF be defined as above. Then, we have Proof. We recall that all adversaries considered in this paper are deterministic and make no redundant queries (in this case, all queries are distinct). The basic idea of the proof is that as long as there is no collision among the hash outputs, ρ ρ ρ returns random values and hence the composition function behaves like a random function defined over a larger input space M. We capture this to prove the lemma formally using the extended H-technique.
EXTENDED SYSTEMS. We denote the composition system F = ρ ρ ρ • H. Let ρ ρ ρ be a random function from the message space M to Y. We denote the size of the set Y as N. Let H be the key space of the hash function. We define a H-extended random system. In the ideal system ρ ρ ρ , we simply adjoin a hash key H ←$ H chosen independently of ρ ρ ρ. Letρ ρ ρ = (ρ ρ ρ, H) be the extended system. In the case of F, we simply release the hash key H . We denote the extended systemF = (F, H).
BAD TRANSCRIPTS AND THEIR ANALYSIS. Let τ = (m^q, y^q, h) denote a transcript, where m^q ∈ M^(q), y^q ∈ Y^q, and h ∈ H. We define x^q = h(m^q) := H(h, m^q) (i.e., h is the key of H).
As mentioned above, we say that a transcript is bad if We bound the probability of this event by (q choose 2) · , as the hash function is -universal and there are at most (q choose 2) pairs (i, j). All other transcripts are considered to be good. GOOD TRANSCRIPT ANALYSIS. Fix a good transcript τ = (m^q, y^q, h). In the ideal world, we have In the real world, we have The result follows using the extended H-technique.
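As an added illustration (this is not code from the paper), the following Python script makes the Lemma 5 argument concrete on a toy instance. It assumes a constructed universal hash H(k, m) = k·m mod 7 (so N = 7 and the hash is ε-universal with ε = 1/7), computes the exact distribution of the real responses ρ(H(k, m_i)) for a fixed tuple of distinct messages, and compares the exact advantage of the best adversary committed to those messages (the statistical distance from uniform) with the exact bad-transcript probability of the extended ideal world and with the (q choose 2)·ε union bound used in the proof.

```python
from fractions import Fraction
from itertools import combinations, product

# Constructed toy parameters (not from the paper): hash inputs, hash outputs and PRF
# outputs all live in Z_P, so N = P, and the hash key is a single element k of Z_P.
P = 7


def affine_hash(k, m):
    """H(k, m) = k*m mod P.  For distinct m, m' in Z_P the outputs collide only when
    k = 0, so this assumed toy family is eps-universal with eps = 1/P."""
    return (k * m) % P


def consistent(x_q, y_q):
    """A response tuple is consistent with hash inputs x_q if equal hash inputs
    received equal responses (a random function answers equal inputs identically)."""
    return all(x_q[i] != x_q[j] or y_q[i] == y_q[j]
               for i, j in combinations(range(len(x_q)), 2))


def real_distribution(m_q):
    """Exact distribution of the q responses of rho o H (the real system) for fixed
    distinct messages m_q, over the uniform hash key k and the random function rho."""
    q = len(m_q)
    dist = {}
    for k in range(P):
        x_q = [affine_hash(k, m) for m in m_q]
        distinct = len(set(x_q))
        # rho answers each distinct hash input independently and uniformly in Z_P,
        # so every consistent y_q has probability P^-distinct given this key.
        weight = Fraction(1, P) * Fraction(1, P ** distinct)
        for y_q in product(range(P), repeat=q):
            if consistent(x_q, y_q):
                dist[y_q] = dist.get(y_q, Fraction(0)) + weight
    return dist


def best_distinguisher_advantage(m_q):
    """Statistical distance between the real responses and q uniform responses, i.e.
    the PRF advantage of the best adversary that queries exactly the messages m_q."""
    q = len(m_q)
    real = real_distribution(m_q)
    ideal = Fraction(1, P ** q)
    total = sum(abs(real.get(y_q, Fraction(0)) - ideal)
                for y_q in product(range(P), repeat=q))
    return total / 2


def bad_transcript_probability(m_q):
    """Exact probability, in the extended ideal world (rho, H), that the adjoined
    hash key makes two of the q hash outputs collide, i.e. the transcript is bad."""
    q = len(m_q)
    bad_keys = sum(1 for k in range(P)
                   if len({affine_hash(k, m) for m in m_q}) < q)
    return Fraction(bad_keys, P)


def h_technique_bound(q, eps):
    """Bound of Lemma 5: a union bound over the (q choose 2) message pairs, each of
    which collides under the hash with probability at most eps."""
    return Fraction(q * (q - 1), 2) * eps


if __name__ == "__main__":
    m_q = (1, 2, 3)  # constructed sample: three distinct messages
    print("exact advantage   :", best_distinguisher_advantage(m_q))
    print("bad-key probability:", bad_transcript_probability(m_q))
    print("(q choose 2)*eps   :", h_technique_bound(len(m_q), Fraction(1, P)))
```

For m^q = (1, 2, 3) the exact advantage is 48/343, the bad-key probability is 1/7 (only k = 0 collides) and the union bound is 3/7; the gap shows the union bound charging the single bad key once per pair, while the advantage never exceeds the bad probability because good transcripts have ratio exactly 1.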

Hash-Then-TBC
CONSTRUCTION. Let H := (H_1, H_2) : M* → T × X be an -universal hash such that H_1 is an 1-universal hash. Let π be a tweakable random permutation on X with tweak space T. We define the composition function F = π ∘ H as hash-then-TBC (see Figure 2). A special instantiation (in which H_1 and H_2 are assumed to be independent) of the above construction was first considered in [63]. Subsequently, the analysis of the above construction was performed in [66]. In the same paper, the composition was used to define a MAC, called ZMAC+. Note that a tweakable random permutation is a PRF with a maximum advantage of about q²/2N, where N is the size of the set X (this is similar to the well-known PRP-PRF switching lemma [3]). Thus, one can apply the previous result to this construction. However, the construction can be shown to have a better PRF advantage. Let us denote the sizes of T and X by T and N, respectively. Let ρ be an ideal candidate, i.e., a random function from M to X.
In the previous construction, we avoided collisions among hash outputs since the hash outputs were fed into a random function. In this case, the hash output is fed into a tweakable random permutation (as an input as well as a tweak). Hence, we need to avoid simultaneous collisions of the tweak and output, as well as of the tweak and input of π. The following lemma was proved in [66] using the H-technique. We first tackle this problem without extending the random system, which requires slightly more effort, and then show how the extended H-technique, as well as the expectation method, can help to bound the advantage very easily. Let τ = (m^q, y^q) be the transcript at hand. Let C := C(y^q) be the number of colliding pairs in the output tuple y^q. More formally, When Y_1, ..., Y_q ←$ X^q, we write the random variable C(Y^q) as C.
GOOD HASH KEY. Let H be the key space of the hash function. We define a subset H_good ⊆ H as the set of all h ∈ H so that there is 1. where h(m^q) = (t^q, x^q). Clearly, for a good hash key h, (t^q, x^q, y^q) is tweakable-permutation-compatible and Pr[π(t^q, x^q) = y^q] ≥ N^−q. In the following, for any h, we denote h(m^q) = (t^q, x^q).
The last inequality follows from the union bound. A bad hash key can arise due to either a collision of tweak-input pairs (which happens with probability at most (q choose 2) · ) or a collision of tweak-output pairs. As there are C pairs at which the y_i values collide, we must have collisions of tweak values among these C pairs. Hence, the probability of a tweak-output collision occurring is at most C · 1. This justifies the last inequality. Now, the ratio To obtain a bound, it is necessary to obtain a good upper bound on C(y^q) for all y^q. At this point, we have two options to bound the value of C(y^q).
(1) Standard H-Technique: In this case, we can use Markov's inequality to bound C = C(Y^q) by a moderate value, where Y^q is a q-tuple of independent uniform random variables (the responses of ρ). We can write C = ∑_{i<j} I_{i,j}, where I_{i,j} is the binary random variable that takes the value 1 if Y_i = Y_j. So, BAD TRANSCRIPTS AND THEIR ANALYSIS. Let α be a threshold parameter (which is determined below). We call a transcript (m^q, y^q) bad if the number of colliding pairs of y_i values is greater than α. Using Markov's inequality, we obtain for any adversary A.
ANALYSIS OF GOOD TRANSCRIPTS. Now, fix any good transcript τ = (m^q, y^q). Using α as an upper bound on C(y^q) in Equation (9), we get Finally, using the bad transcript probability of Equation (10) and the standard H-technique, we obtain By equating the two terms (q choose 2) · 1/(αN) and α · 1, we set α = q √ N 1. With this choice of α, the PRF advantage is bounded as Adv^prf_{π∘H} ≤ q² · + 2q √( 1 / N).
(2) Expectation Method: For small messages, there are universal hash functions with ≈ 1/NT and 1 ≈ 1/T. In this case, the standard H-technique bounds the PRF advantage by O(q²/NT) + O(q/√(NT)). Clearly, the dominating term is O(q/√(NT)). Instead of a crude estimation of C, if we apply the expectation method (which works with the expected value of C instead of an upper bound), we can get rid of the dominating term O(q/√(NT)).
We define : M^q × X^q → [0, ∞) via the mapping Clearly, is non-negative and the ratio of real to ideal interpolation probabilities is at least 1 − (τ) (using Equation (9)). Thus, we can use Lemma 4 to get

B. Proof by Releasing the Internal Values
Now we show that the extended H-technique can also help to provide a bound for this construction very easily. EXTENDED SYSTEMS. Let H be the key space of the hash function. We define the H-extended random system. In the ideal system ρ, we simply adjoin a hash key H ←$ H chosen independently of ρ. Let ρ̄ = (ρ, H) be the extended system. In the case of F, which depends on the hash key H and the tweakable random permutation π, we release the hash key H. We denote the extended system F̄ = (F, H).
BAD TRANSCRIPTS AND THEIR ANALYSIS. Given any hash key h, we define h(m^q) = (t^q, x^q). We say that an extended transcript (m^q, y^q, h) is bad if either
1. there is a collision among (t^q, x^q), or
2. there is a collision among (t^q, y^q).
In the extended ideal world, an adversary can realize a bad transcript with probability at most (q choose 2) · ( + 1/N). The probability that there is a collision among (t^q, x^q) is at most (q choose 2) · . The probability that there is a collision among (t^q, y^q) is at most (q choose 2) · 1/N (a pair of y values collides with probability 1/N, whereas a pair of t values collides with probability at most 1, and these events are independent). ANALYSIS OF A GOOD TRANSCRIPT. Now we fix a good transcript τ = (m^q, y^q, h). For the ideal system we have, and for the real system we have, Note that we have applied Equation (4) for the real system, as the transcript is tweakable-permutation-consistent and non-redundant. Hence, the extended H-technique of Lemma 3 gives,

Remark 1. The XTX [81] and HaT [63] constructions are quite similar to HtTBC [66]. Consequently, we obtain similar proofs for these constructions.

An Extension of Naor-Reingold
The basic version of ENR [78] is a 2n-bit permutation based on an (n, n)-TBC and an n-bit AXU hash function, essentially adapting the Naor-Reingold [106] simplification of the four-round Feistel structure. Here, we describe a version which generalizes ENR (see Figure 3), based on a (t, n)-TBC (for t ≤ n), as well as LDT [58], in which the hash function is not present (which can also be viewed as an identity function). CONSTRUCTION. Let M = F_{2^t} × F_{2^n}. Suppose that H := (H_1, H_2) : M* → F_{2^t} × F_{2^n} is an invertible keyed function such that H_1 is an -universal hash function. Suppose that π_1 and π_2 are two independently sampled tweakable random permutations on F_{2^n} with tweak space F_{2^t}. We define NR* : F_{2^n} × F_{2^t}* → F_{2^n} × F_{2^t} as follows: x y = π_1(v, u), where x ∈ F_{2^t} and y ∈ F_{2^{n−t}}. 3. z = π_2(x, y v).
Let F be the response system corresponding to NR* and Π be the system corresponding to a random permutation over F_{2^n} × F_{2^t}. It is easy to see that F is an invertible response system.
Proof. We apply the extended H-technique, and so we define the additional random variables released after the interaction.
EXTENDED SYSTEMS. Suppose that (δ^q, m^q, c^q) is the forward-only transcript (before we extend it). Now, we define the (H × F^q_{2^{n−t}})-extended random system. In the ideal system Π, we simply adjoin a hash key H ←$ H and Y_1, ..., Y_q ←$ F_{2^{n−t}}, chosen independently of Π. Let Π̄^± = (Π^±, H, Y^q) be the extended ideal system.
In the case of F^±, which depends on the hash key H and the tweakable random permutations π_1, π_2, we release the hash key H and all q internal values Y_1, ..., Y_q, where Y_i is the value of y in step 2 while computing F(m_i). We denote the extended system F̄^± = (F^±, H, Y^q).
ANALYSIS OF BAD TRANSCRIPTS. Let τ = (δ^q, m^q, c^q, h, y^q) be a transcript. We define h(m^q) = (v^q, u^q) and h(c^q) = (x^q, z^q). We say that an extended transcript τ is bad if there is a collision among the values v_1 x_1 y_1, v_2 x_2 y_2, ..., v_q x_q y_q. (Observe that the bad event is quite similar to the one arising in the hash-then-TBC analysis. In fact, in most TBC-based constructions, the sole bad event is of this particular type (avoiding tweak-input and tweak-output collisions).) Now we calculate the probability that the extended transcript τ(A, Π̄^±) is bad for any adversary A making q queries. Let [q]_e and [q]_d denote the sets of all forward- and backward-query indices. Let us denote the random variables corresponding to the m, c, x, y, and v values in the ideal world as M, C, X, Y, and V, respectively.

Now, the bad event means that there is
Moreover, the Y_i values are chosen independently of (Π, H) and are hence independent of the values of X and V. Thus, it is sufficient to bound

Claim.
Pr We prove the claim when j ∈ [q]_e. A similar proof applies for j ∈ [q]_d. As j ∈ [q]_e, V_j depends on C_j and the hash key H of H. We first condition on all query responses M^{j−1} = m^{j−1}, C^{j−1} = c^{j−1} up to the first j − 1 queries. Note that up to j − 1 queries, the queries can be either encryption or decryption queries. Thus, (M^{j−1}, C^{j−1}) is simply the forward-only reordering of the queries and responses. Once we condition on it and j ∈ [q]_e, the value of M_j is fixed (say, m_j) and C_j ←$ M \ {c_1, ..., c_{j−1}}. Let us write the conditional event M^{j−1} = m^{j−1}, C^{j−1} = c^{j−1} as E and the set of all h for which H_1(h, m_i) = H_1(h, m_j) holds as H′. Thus, To justify the latter inequality, we first note that H(h, ·) is an invertible function and so the conditional distribution of H(h, C_j) is uniform over a set of size 2^{n+t} − (j − 1).
To complete the proof of the claim, we sum over all such events E (i.e., varying m^{j−1} and c^{j−1}) after multiplying by the probability of E.
Therefore, for any i < j, ANALYSIS OF A GOOD TRANSCRIPT. We fix a good transcript τ = (δ^q, m^q, c^q, h, y^q) and let h(m^q) = (v^q, u^q) and h(c^q) = (x^q, z^q). According to the definition of a good transcript, (v^q, u^q, x^q y^q) and (x^q, y^q v^q, z^q) are tweakable-permutation-compatible, which means they are also non-redundant. Thus, On the other hand, realizing the transcript via the extended ideal system is expressed as Thus, the ratio Combining Equations (14) and (15) with Lemma 3, we get Based on the security analysis of this generic design, we can obtain simple proofs for ENR [78,79] and LDT [58].

A Simple Proof for ENR
The basic version of ENR [78] can be viewed as a specific instantiation of NR*, where the hash function is defined as (a, b) → (a, (a K ⊕ b)) for K ←$ F_{2^n}. Subsequently, Minematsu and Iwata presented a simpler definition of ENR for t < n, called SmallBlock [79], that merely redefines the hash to be (a, (a K ⊕ b))|_t. Now, we have the following corollary.

A Simple Proof for LDT
The two-round LDT construction by Chen et al. [58] can also be viewed as a specific instantiation of NR*, where the hash function is defined to be the identity function. This immediately gives the following corollary on the SPRP advantage of LDT.

Feistel Structure-Based Schemes
A (keyed) bijective function Ψ based on an internal primitive ψ is said to be inverse-free if and only if the computation of Ψ^{−1} does not require the execution of ψ^{−1}. The Feistel structure has this property.

Three-Round Luby-Rackoff
CONSTRUCTION. Suppose that ψ is a random function over {0, 1}^n and Ψ is a round function defined by the mapping Suppose that Ψ_i denotes the round function based on the random function ψ_i. The well-known three-round Luby-Rackoff [2] scheme (see Figure 4), denoted LR3, is defined as
Figure 4. The three-round Luby-Rackoff or LR3 construction.
LR3 is a well-studied birthday-bound pseudorandom permutation. The original proof by Luby and Rackoff [2] is one of the foundational results in symmetric-key provable security. We now show how a fairly modern tool in symmetric-key provable security can simplify the security analysis as compared to the original proof. We note that a simpler proof based on the H-technique is already available through the work of Nachef, Patarin, and Volte [107]. Here, we provide the proof of LR3 in our language.

Lemma 8. For t ≤ n, we have
Proof. We apply the standard H-technique (i.e., there is no need to extend the system). For input (a, b) and output (c, d), let the one-round and two-round outputs be (x, b) and (x, d). Let F be the response system corresponding to LR3 and Π be the system corresponding to a random permutation. The transcript random variable τ is defined as the tuple (A^q, B^q, C^q, D^q).

ANALYSIS OF BAD TRANSCRIPTS. We say that a transcript (a^q, b^q, c^q, d^q) is bad if d^q has a colliding pair, i.e., for two distinct queries i and j, d_i = d_j. Thus we have
ANALYSIS OF GOOD TRANSCRIPTS. Fix a good transcript (a^q, b^q, c^q, d^q). We say that a function f ∈ Func is bad; otherwise, we say it is good. Clearly, for a uniform random f, the probability of f being bad is at most q²/2^{n+1}. Let Func_good = Func \ Func_bad. Thus we have The result follows from Equations (16) and (17) using the standard H-technique.

Remark 2.
Note that the above proof can be easily converted into a proof with an extended transcript.
In particular, we release the X^q values. In the case of an ideal oracle, they are computed as follows: X_i = ψ_1(b_i) ⊕ a_i for all i. We add one more bad event, which is the presence of a collision among the X^q values. The probability of this new bad event can be easily shown to be at most q²/2^{n+1}. For a good transcript, the ratio can be similarly shown to be at least 1 − q²/2^{2n}, and hence we obtain exactly the same bound for the PRP advantage. One can obtain an SPRP proof for the four-round LR using the extended transcript. The proof is similar, with some bad events avoiding all possible collisions among the inputs of ψ_2 and ψ_3.

Three-Round TBC-Based Luby-Rackoff
In [95], Coron et al. presented an alternative to the three-round Luby-Rackoff construction using a tweakable block cipher, called TLR3, and demonstrated O(q/2^n)-query security. In this case, ψ is a tweakable random permutation and the Ψ function is defined by the ψ(b, a)). The original work by Coron et al. mainly focuses on the indifferentiability of TLR3 with respect to an ideal cipher. However, their result also implies Ω(2^n)-query SPRP security. We present a relatively simple proof for the SPRP security of TLR3.

Proof. We will use the extended H-technique to prove the claimed security. EXTENDED SYSTEMS. The variables arising in the following analysis are analogous to the ones given in Figure 5. Let F be the response system corresponding to TLR3 and Π be the system corresponding to a random permutation. The transcript τ is defined as the tuple (A^q, B^q, C^q, D^q). We define F^q_{2^n}-extended response systems by adjoining the internal value X^q. In the case of F, this is well-defined according to the definition of TLR3.
Figure 5. The three-round TPRP-based Luby-Rackoff or TLR3 construction.
In the ideal system Π, we sample X^q as follows: BAD TRANSCRIPTS AND THEIR ANALYSIS. We say that an extended transcript (a^q, b^q, x^q, c^q, d^q) is bad if and only if (b^q, a^q, x^q), (x^q, b^q, d^q), and (d^q, x^q, c^q) are not tweakable-permutation-consistent. Due to the way in which we sample X^q in Π, the necessary and sufficient condition for the inconsistency of (B^q, A^q, X^q), (X^q, B^q, D^q), and (D^q, X^q, C^q) is: there exist i < j ∈ [q] such that (1) j ∈ [q]_e and (X_j, D_j) = (X_i, D_i); or (2) j ∈ [q]_d and (B_j, X_j) = (B_i, X_i). Formally, we have ANALYSIS OF GOOD TRANSCRIPTS. For a good transcript (a^q, b^q, x^q, c^q, d^q), we know that (b^q, a^q, x^q), (x^q, b^q, d^q), and (d^q, x^q, c^q) are tweakable-permutation-consistent. Let α^u = mcoll(b^q), β^v = mcoll(x^q), and γ^w = mcoll(d^q). Given a good transcript, for the real system we have For i ∈ [q], let r_i and s_i denote the number of previous queries j and j′ such that b_i = b_j and d_i = d_{j′}, respectively. Then, for the ideal system we have Thus, the ratio is In the above expression, we claim the following: where for all î and k̂, γ_î, γ_k̂ ≥ 0. We argue the first one; the second can be argued similarly. The set [u] can be viewed as an indexing over the set of distinct tweak values. Now consider the first term on the right-hand side (the one indexed by i′). For all i′ ∈ [q]_e, we define φ(i′) → (i, p) such that i is the index of the tweak of the i′-th query, i.e., i ≤ u, and p is the number of previous queries with the same tweak, i.e., p = r_{i′} ≤ α_i. The mapping is well-defined. Furthermore, it is injective: for distinct i′_1, i′_2 ∈ [q]_e, either the tweaks are different, i.e., i_1 ≠ i_2, or, if the tweaks are the same, then p_1 = r_{i′_1} ≠ r_{i′_2} = p_2. Observe that φ also maps each of the (N − r_{i′}) terms on the right-hand side to a unique (N − p) term (taken from the (N)_{α_i} expansion) on the left, exhausting all the terms corresponding to encryption queries.
Thus, we are left with only the terms corresponding to the decryption queries. Using the relations presented above in Equation (19), we have The result follows from the extended H-technique, using Equations (18) and (20).

Strong Pseudo-Random Permutation Designs
Thus, we also write p, alternatively, as p[1.. ]. We denote the set of all n-bit strings as B_n.

HCTR
HCTR is an encryption scheme developed by Wang, Feng and Fu [22], based on the hash-CTR-hash paradigm, which uses a sandwich consisting of the CTR mode in between two executions of an AXU hash function. The CTR mode can be replaced by a pseudorandom function (PRF), which takes n-bit inputs and returns an arbitrarily long bit-stream. The PRF-based HCTR construction was studied by Chakraborty et al. in [108], and this system does not require any inverse of the block cipher. For the sake of simplicity, we first describe a simple version of the HCTR construction.
CONSTRUCTION. Let L (≥ n) be a large integer, the size of the largest message to be encrypted. Let T denote a tweak space. Suppose that H : T × {0, 1}^{≤L−n} → {0, 1}^n is an -AXU hash function, π is an n-bit random permutation, and ρ : B_n → {0, 1}^{L−n} is a random function. Moreover, all these primitives are independently sampled. The PRF-based HCTR scheme (see Figure 6), denoted HCTR*, is defined below; it takes (t, p p′) as input and returns c c′ as output, where p, c ∈ B_n, t ∈ T, and |p′| = |c′| ≤ L − n. We call t the tweak, p p′ the plaintext, and c c′ the ciphertext.
Note that the decryption algorithm is exactly the same, except that we replace π by π^{−1} in line (b). When we substitute ρ by CTR_π, as in the standard encryption schemes using IV-based counter mode [109], we obtain the original HCTR mode. The construction HCH [21] can be obtained by replacing ρ by CTR_π, where the IV is computed as the encryption of z by π. We note that the original security bound for HCTR was cubic (in the number of queries). To obtain a quadratic bound, HCH was proposed. However, subsequently, in [108], a quadratic bound for HCTR was proven using the game-playing technique. For the sake of simplicity, we provide a very simple proof for the HCTR* construction. The original HCTR scheme and all of its variants can be proven similarly.
Figure 6. A simplified view of the HCTR enciphering scheme. The double-equal style paths denote a compressed view of ( − 1) many parallel paths.
Proof. (The basic idea of the proof is quite simple. We have to bound two types of collisions, namely, the input and output collisions on the underlying random permutation and the input collisions of the random function. Most of these collisions can be bounded using the AXU property of H.) EXTENDED SYSTEM. Let F be the response system corresponding to the real system HCTR* and Π be the system corresponding to a length-preserving tweakable random permutation over the set of all bit strings of length at least n + 1. The transcript random variable τ is defined as the tuple (T^q, P^q, C^q), where for all i ∈ [q], P_i and C_i are of length i and ∑_{i∈[q]} i = σ. We define the H-extended random system. In the real world, we simply release the hash key H after all q queries are made. Let F̄^± = (F^±, H) be the extended real system. In the ideal system, we adjoin a dummy hash key H ←$ H, chosen independently of Π. Let Π̄^± = (Π^±, H) be the extended ideal system. We define the internal variables ANALYSIS OF BAD TRANSCRIPTS. We say that a transcript is bad if one of the following conditions is met: , such that Z_i = Z_j. Bound on Pr[xcoll]: Note that H is sampled independently of the inputs (T_i, P_i). So, for any i ≠ j, Pr(X_i = X_j) ≤ , as H is an -AXU hash function. A similar bound works for Bound on Pr[ycoll]: Exactly the same bound works for Y_i = Y_j. Bound on Pr[zcoll]: Fix any i < j and let us assume that the jth query is an encryption query (a similar argument works for a decryption query). Now, Z_i = Z_j means that Note that C_j is uniform and independent of all random variables present on the right-hand side of the above equation. Hence, the probability of the above event is 2^{−n}.
By summing over all pairs (i, j) with i < j, the probability that the ideal-world extended transcript is bad is at most q² · ( + 2^{−n−1}). ANALYSIS OF GOOD TRANSCRIPTS. Fix a good transcript (t^q, p^q, c^q, h). Let q( , t) denote the number of queries of length with tweak t, for all ∈ [L]. By definition, ∑_{ ,t} q( , t) = σ. Since for a good transcript there are no input/output collisions for π, we have The result follows from the extended H-technique. Now let us consider the original HCTR scheme, in which c′ = m′ ⊕ S|_{|m′|}, where S = π(z ⊕ 1) · · · π(z ⊕ ( − 1)). Let us assume that the ith query has size n i, i ≤ . We need to consider a revised definition of the zcoll bad event. We say that zcoll holds if one of the following holds: Using the previous analysis, one can easily verify that the probability of this modified zcoll is at most (σ² + σq)(2 + 2^{−n−3}) (as there are at most σ² choices for (i, j) and (i′, j′), and at most σq choices for (i, j) and k).

TET
CONSTRUCTION. TET (a later, simplified version was renamed HEH in [24]) is an encryption scheme developed by Halevi [20], based on the hash-encrypt-hash paradigm [20,24,25], which uses a sandwich consisting of the ECB mode in between two blockwise universal and invertible length-preserving hash functions. In this paper, we formally describe and analyze the hash-encrypt-hash paradigm defined over messages consisting of multiple n-bit blocks. Suppose that H is an ( 1, 2)-blockwise universal and invertible hash function over B_n^{≤L}. Suppose that π is an n-bit random permutation independent of the hash. Then, the composition H^{−1} ∘ ECB_π ∘ H is called the TET construction (see Figure 7), which is defined over B_n^{≤L}. A trick such as HCTR or the DE (the domain expander reported by Nandi in [110]) can help to process arbitrary bit strings.

Lemma 10. Adv
Proof. We again use the same idea of avoiding collisions among the inputs/outputs of the internal random permutation π. Let F be the response system corresponding to TET and Π be the system corresponding to a random permutation. The transcript τ is defined as the tuple (P^q, C^q), where for all i ∈ [q], P_i and C_i are of length i and ∑_{i∈[q]} i = σ. ANALYSIS OF GOOD TRANSCRIPTS. This proof is similar to that of hash-then-PRF. For any transcript (p^q, c^q), we have Pr[H(p^q) = x^q, π(x^q) = y^q, H^{−1}(y^q) = c^q] The latter inequality follows from the definition of the blockwise universal hash function and from the observation . The result follows by substituting Equation (21) into the standard H-technique.

Remark 3.
We note that the bound in Lemma 10 is obtained for a slightly generalized definition of blockwise universality. Specifically, we consider two different bounds: one for collisions at the same position and another for collisions at two different positions. This slight generalization gives a better security bound for certain hash functions that have better bounds for collisions at two different positions. For example, consider the following construction from the work of Sarkar [24].
We view B_n as the finite field GF(2^n) and fix α to be a primitive element of B_n. Let K_1 and K_2 be two independent and uniformly random elements of B_n. Define e = (αK_1, α²K_1, ..., α^{ −1}K_1, K_1) for all ∈ [L]. We define the map H_{K_1,K_2} : B_n^{≤L} → B_n^{≤L} in the following manner: Sarkar proved that H is an (L2^{−n}, 2^{−n})-blockwise universal hash function ([24], Theorem 1). Using this bound in combination with Lemma 10 gives a bound of the form σ²2^{−n} + q²L²2^{−n}, which results in a birthday bound in terms of L.

Beyond-Birthday-Bound Secure Schemes
In this section, we revisit some beyond-birthday-bound secure schemes. All these schemes are inherently based on one of the most celebrated problems in symmetric-key cryptography, called the sum of permutations problem [59,96,97,99].

Pseudorandom Functions
There are many beyond-birthday-bound PRF constructions from PRPs [61,96]. The sum of permutations [96-98] is one such construction, which builds a PRF from two independently keyed random permutations.
We first state and prove a simple proposition that lower-bounds the probability distribution of the sum of permutations conditioned on the event that the underlying random permutations are already sampled on some fixed number of points. We remark that a similar result is already available in ([64], Theorem 2), albeit for the single-permutation setting. Their analysis can similarly be extended to the two-permutation setting. For the sake of completeness, we provide the proof of this variant.

Proposition 2. Let s_1, s_2, q ≥ 0 and s_1 + s_2 + 2q ≤ 2^{n−1}. Let π_1 and π_2 be two independent and uniform random permutations over {0, 1}^n. For all a^{s_1}, b^{s_1}, c^{s_2}, d^{s_2} ∈ B_n, x^q ∈ (B_n \ {a^{s_1}})^{(q)}, y^q ∈ (B_n \ {c^{s_2}})^{(q)}, and z^q ∈ B_n^q, we have where F denotes the event π_1(a^{s_1}) = b^{s_1} ∧ π_2(c^{s_2}) = d^{s_2}.
Proof. We compute a lower bound on the probability by following the chain rule of conditional probabilities, i.e., we compute the conditional probability of π_1(x_i) ⊕ π_2(y_i) = z_i for some i ∈ [q], given F and π_1(x_j) ⊕ π_2(y_j) = z_j for all j < i. Let P_i = π_1(x_i), Q_i = π_2(y_i), and let E_i denote the event that the i-th equation P_i ⊕ Q_i = z_i holds, for all i ∈ [q].
For all 1 ≤ i ≤ q, consider the i-th equation P_i ⊕ Q_i = z_i. We have at least 2^n − s_1 − s_2 − 2(i − 1) possibilities for P_i. This can be argued by removing the b^{s_1}, d^{s_2} ⊕ z_i, P_j, and Q_j ⊕ z_i values for all j < i. Once we fix P_i, Q_i is fixed to P_i ⊕ z_i. Furthermore, for each such value, E_i occurs with probability 1/((2^n − s_1 − i + 1)(2^n − s_2 − i + 1)) given that F occurs and E_j occurs for all j < i. Let k = i − 1. Then, we have where the latter inequality follows from the assumptions that (s_1 + s_2 + 2k)2^n < (s_1 + s_2 + 2q)2^n < 2^{2n−1} and s_1 s_2 + (s_1 + s_2)k + k² ≥ 0. Finally, we have Note that Proposition 2 is useful in both the conditional and the unconditional (i.e., s_1 = s_2 = 0) cases. Now, we discuss two straightforward applications of the proposition given above.
It is well known [89,111,112] that SoP is indistinguishable from a uniform random function up to o(2^n) queries. The H-technique-based proofs presented in [111,112], although tight, contain some non-trivial gaps, whereas the proof in [89] uses the recently introduced χ² technique.
In one of the early works on this problem, Lucks [98] presented a suboptimal bound of 2^{2n/3} queries using the game-playing technique. Here, we give a very simple and short proof of the 2^{2n/3}-query bound using the standard H-technique.
ANALYSIS OF GOOD TRANSCRIPTS. Given a transcript τ = (x^q, y^q), it is easy to see that as x^q y^q. For the lower bound on Pr[F(x^q) = y^q], we summon Proposition 2 with s_1 = 0 and s_2 = 0, i.e., the random permutations are not yet sampled at any points. Accordingly, we have The result follows from the standard H-technique.
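To check Proposition 2 and its use in the SoP good-transcript analysis on concrete values, here is an added Python script (not the paper's code). proposition2_bound multiplies the per-equation factors from the proof above, and exact_sop_probability computes Pr[π_1(x_i) ⊕ π_2(y_i) = z_i for all i | F] exactly for small n by enumerating the admissible values of P^q, both in the conditioned case and in the unconditional s_1 = s_2 = 0 case used for SoP; the sample tuples are constructed.

```python
from fractions import Fraction
from itertools import permutations


def falling_factorial(N, k):
    """(N)_k = N (N-1) ... (N-k+1): the number of injections of k points into an N-set."""
    r = 1
    for i in range(k):
        r *= N - i
    return r


def proposition2_bound(n, s1, s2, q):
    """Product of the per-equation factors from the proof of Proposition 2: at least
    2^n - s1 - s2 - 2(i-1) admissible values for P_i, each satisfying E_i with
    probability 1/((2^n - s1 - i + 1)(2^n - s2 - i + 1)) given F and E_1..E_{i-1}."""
    N = 2 ** n
    if s1 + s2 + 2 * q > N // 2:
        raise ValueError("Proposition 2 assumes s1 + s2 + 2q <= 2^(n-1)")
    bound = Fraction(1)
    for i in range(1, q + 1):
        bound *= Fraction(N - s1 - s2 - 2 * (i - 1),
                          (N - s1 - i + 1) * (N - s2 - i + 1))
    return bound


def exact_sop_probability(n, a, b, c, d, x, y, z):
    """Exact Pr[pi1(x_i) ^ pi2(y_i) = z_i for all i | F] with F = (pi1(a) = b and
    pi2(c) = d), computed by enumeration.  Given F, (pi1(x_1), ..., pi1(x_q)) is a
    uniform injection into B_n minus {b} (x avoids a), independent of pi2, and the
    event holds iff the forced values Q_i = P_i ^ z_i form an injection into
    B_n minus {d} (y avoids c), which pi2 realises with probability 1/(N - s2)_q."""
    N = 2 ** n
    q = len(x)
    if len(set(x)) != q or set(x) & set(a) or len(set(y)) != q or set(y) & set(c):
        raise ValueError("x^q and y^q must be distinct tuples outside a and c")
    free_outputs_pi1 = [v for v in range(N) if v not in set(b)]
    taken_outputs_pi2 = set(d)
    good = 0
    for P in permutations(free_outputs_pi1, q):
        Q = [P[i] ^ z[i] for i in range(q)]
        if len(set(Q)) == q and not taken_outputs_pi2 & set(Q):
            good += 1
    total = falling_factorial(N - len(a), q) * falling_factorial(N - len(c), q)
    return Fraction(good, total)


def ratio_to_ideal(n, q, probability):
    """Ratio of a real-world probability to the ideal 2^{-nq} of a random function,
    the quantity the H-technique lower-bounds for good transcripts."""
    return probability * 2 ** (n * q)


if __name__ == "__main__":
    # constructed sample: n = 3, unconditional case s1 = s2 = 0, q = 2 equations
    x, y, z = (0, 1), (0, 1), (0, 1)
    exact = exact_sop_probability(3, (), (), (), (), x, y, z)
    print("exact:", exact, "bound:", proposition2_bound(3, 0, 0, 2),
          "ratio to ideal:", ratio_to_ideal(3, 2, exact))
    # constructed sample: n = 3 with pi1(2) = 5 and pi2(3) = 6 already fixed
    exact_c = exact_sop_probability(3, (2,), (5,), (3,), (6,), (0,), (0,), (1,))
    print("conditioned exact:", exact_c, "bound:", proposition2_bound(3, 1, 1, 1))
```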

Sum of Even-Mansour
In a recent paper [99], Chen et al. presented various beyond-birthday-bound secure PRF constructions based on public random permutations (i.e., the adversary has oracle access to the underlying random permutations). Here we consider SoEM22, the sum of Even-Mansour scheme with two independent random permutations and two independent keys. CONSTRUCTION: Suppose that π_1 and π_2 are two independent uniform random permutations over {0, 1}^n and (K_1, K_2) ←$ {0, 1}^{2n}. The SoEM22 construction (illustrated in Figure 9) is a length-preserving function over {0, 1}^n defined by the mapping In [99], SoEM22 was shown to be a secure PRF up to o(2^{2n/3}) queries to both the underlying permutations and the construction itself. Furthermore, it was shown that the bound is tight. We demonstrate a similar security bound using Proposition 2.

Lemma 12.
Let q and p denote the total numbers of construction and primitive queries, respectively. Then, for q, p ≤ 2^{2n/3}, we have

Proof. We can write F = SoEM22_{π_1,π_2,K_1,K_2}. Let ρ be a uniform random function over {0, 1}^n. Let τ_C = (m^q, z^q) denote the transcript corresponding to F, where x^q ∈ ({0, 1}^n)^{(q)}. Without loss of generality, we assume that the adversary makes the same number of queries to the two underlying random permutations. Let τ_P = (u^p, v^p) and (x^p, y^p) denote the forward-only transcripts corresponding to direct access to π_1^± and π_2^±, respectively. We define {0, 1}^{2n}-extended response systems by adjoining the masking keys K_1 and K_2. In the case of F, this is well-defined according to the definition of SoEM22. In the ideal system we sample (K_1, K_2) ←$ {0, 1}^{2n}. Note that, once K_1 and K_2 are released, one can easily obtain A^q, C^q, B^q, and D^q.
BAD TRANSCRIPTS AND THEIR ANALYSIS. A transcript is called bad precisely when it leads to permutation incompatibility for any one of the underlying permutations. One way to avoid such inconsistencies is to avoid input/output collision constraints over the two permutations simultaneously. More formally, we say that a transcript is bad if one of the following events occurs for some ( Here, B1 corresponds to a collision on the inputs of the two underlying permutations; B2 corresponds to an input collision on π_1 and an output collision on π_2; and B3 corresponds to an input collision on π_2 and an output collision on π_1. Note that we only consider collisions between construction and primitive queries. This is because construction-to-construction and primitive-to-primitive collisions are forbidden by design. Now, we have where the latter inequality follows from the fact that there are at most qp² triples (i, j, j′), and for each such triple, Pr[Bi] = 1/2^{2n} for all i ∈ [3]. This is because each bad event reduces to a system of two linear equations in the two independent and uniform random variables K_1 and K_2; therefore, a solution occurs with probability 1/2^{2n}.
ANALYSIS OF GOOD TRANSCRIPTS. Given a transcript $\tau = (x^q, y^q)$, it is easy to see that

$\Pr[\boldsymbol{\rho}(x^q) = y^q,\ \boldsymbol{\pi}_1(u^p) = v^p,\ \boldsymbol{\pi}_2(x^p) = y^p,\ K_1,$ (23)

as $m^q \mapsto z^q$, $u^p \mapsto v^p$, and $x^p \mapsto y^p$ and $(K_1, K_2)$ are chosen uniformly from $\{0,1\}^{2n}$. In the real world, for primitive queries we know that $u^p \mapsto v^p$ and $x^p \mapsto y^p$. For construction queries, the $i$-th query can be of one of three types: (1) $a_i \neq u_j$ and $c_i \neq x_j$ for all $j \in [p]$; (2) $a_i \neq u_j$ for all $j \in [p]$ and $c_i = x_{j'}$ for some $j' \in [p]$; (3) $a_i = u_j$ for some $j \in [p]$ and $c_i \neq x_{j'}$ for all $j' \in [p]$. It is easy to see that $a_i$ and $c_i$ cannot both collide simultaneously, as the transcript is good. Let $\tau_C^1$, $\tau_C^2$, and $\tau_C^3$ denote the type-1, type-2, and type-3 construction transcripts, respectively, and let $q_1$, $q_2$, and $q_3$ denote the number of such queries, respectively. Finally, we have

$\Pr[F(x^q) = y^q,\ \boldsymbol{\pi}_1(u^p) = v^p,\ \boldsymbol{\pi}_2(x^p) = y^p,\ K_1,$

Observe that we can apply Proposition 2 to bound the conditional probability of $\tau_C^3$ given $\tau_P$, $\tau_C^1$, and $\tau_C^2$. Thus, using $s_1 = p + q_1$, $s_2 = p + q_2$, and the relation $q_1, q_2, q_3 < q$, we have

$\Pr[F(x^q) = y^q,\ \boldsymbol{\pi}_1(u^p) = v^p,\ \boldsymbol{\pi}_2(x^p) = y^p,\ K_1,$

The result follows by dividing Equation (24) by Equation (23).

Optimality of the Extended H-Technique
We have already observed that the expectation method can achieve optimal bounds for the distinguishing advantage. The extended H-technique is also a potential tool for obtaining a tight bound on the distinguishing advantage. We now describe why this is the case. Suppose that $F$ and $\boldsymbol{\alpha}$ are two $(\mathcal{X}, \mathcal{Y})$ random systems. We usually choose $\boldsymbol{\alpha}$ to be an ideal random system (such as a random permutation or a random function), and $F$ is the construction of interest. Let

The complement of the above set is denoted $E_{F < \boldsymbol{\alpha}}$. We also define a binary random variable $B$ adjoined with $\boldsymbol{\alpha}$ as follows. Let

$$\Pr[B = 0 \mid \boldsymbol{\alpha}(x^q) = y^q] = 1, \quad \forall (x^q, y^q) \in E_{F \geq \boldsymbol{\alpha}} \tag{25}$$

and

$$\Pr[B = 0 \mid \boldsymbol{\alpha}(x^q) = y^q] = r_{F/\boldsymbol{\alpha}}(x^q, y^q), \quad \forall (x^q, y^q) \in E_{F < \boldsymbol{\alpha}}.$$
We say that a transcript $(x^q, y^q, b)$ is bad if $b = 1$. Fix any deterministic adversary $\mathcal{A}$. The probability that the extended transcript random variable $\hat{\tau}(\mathcal{A}^{\boldsymbol{\alpha}})$ is bad is

Thus, if we apply the H-technique, we actually obtain equality in Equation (7).
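The bad-transcript probability referred to above, carried through as an added worked derivation; this is not part of the original paper. It assumes, as the notation suggests, that $r_{F/\boldsymbol{\alpha}}(x^q, y^q) = \Pr[F(x^q) = y^q] / \Pr[\boldsymbol{\alpha}(x^q) = y^q]$ on transcripts attainable by $\mathcal{A}$, that $E_{F \geq \boldsymbol{\alpha}}$ is the set of attainable transcripts with $\Pr[F(x^q) = y^q] \geq \Pr[\boldsymbol{\alpha}(x^q) = y^q]$, that the variable $B$ adjoined to the real system $F$ is degenerate (zero with probability one, as in the composition proof later in this section), that $\hat{\tau}$ denotes the extended transcript, and that Equation (7) is the H-technique bound $\text{advantage} \leq \epsilon + \Pr[\text{bad}]$.

```latex
% Added worked derivation (assumptions stated in the lead-in).
% For a deterministic adversary A, the query tuple x^q is determined by the
% response tuple y^q, so for every attainable transcript
%   Pr[tau(A^alpha) = (x^q, y^q)] = Pr[alpha(x^q) = y^q]   and
%   Pr[tau(A^F)     = (x^q, y^q)] = Pr[F(x^q) = y^q].
\begin{align*}
\Pr[\hat{\tau}(\mathcal{A}^{\boldsymbol{\alpha}})\ \text{is bad}]
 &= \sum_{(x^q,y^q)\in E_{F<\boldsymbol{\alpha}}}
    \Pr[\boldsymbol{\alpha}(x^q)=y^q]\cdot\Pr[B=1 \mid \boldsymbol{\alpha}(x^q)=y^q]
    && \text{($B = 1$ has probability $0$ on $E_{F\ge\boldsymbol{\alpha}}$)} \\
 &= \sum_{(x^q,y^q)\in E_{F<\boldsymbol{\alpha}}}
    \Pr[\boldsymbol{\alpha}(x^q)=y^q]\,\bigl(1 - r_{F/\boldsymbol{\alpha}}(x^q,y^q)\bigr)
    && \text{by (25)} \\
 &= \sum_{(x^q,y^q)\in E_{F<\boldsymbol{\alpha}}}
    \bigl(\Pr[\boldsymbol{\alpha}(x^q)=y^q] - \Pr[F(x^q)=y^q]\bigr) \\
 &= \sum_{(x^q,y^q)} \max\bigl(0,\ \Pr[\boldsymbol{\alpha}(x^q)=y^q] - \Pr[F(x^q)=y^q]\bigr) \\
 &= \Delta\bigl(\tau(\mathcal{A}^{F});\ \tau(\mathcal{A}^{\boldsymbol{\alpha}})\bigr),
\end{align*}
% i.e. the statistical distance between the two transcript distributions,
% which is exactly the distinguishing advantage of A.
%
% On every good extended transcript (x^q, y^q, 0) the ratio condition of the
% H-technique holds with epsilon = 0:
\begin{align*}
\Pr[\hat{\tau}(\mathcal{A}^{\boldsymbol{\alpha}}) = (x^q,y^q,0)]
 &= \Pr[\boldsymbol{\alpha}(x^q)=y^q]\cdot\Pr[B=0 \mid \boldsymbol{\alpha}(x^q)=y^q] \\
 &= \min\bigl(\Pr[\boldsymbol{\alpha}(x^q)=y^q],\ \Pr[F(x^q)=y^q]\bigr)
    && \text{by (25) on both sets} \\
 &\le \Pr[F(x^q)=y^q]
  = \Pr[\hat{\tau}(\mathcal{A}^{F}) = (x^q,y^q,0)]
    && \text{($B \equiv 0$ in the real system)}.
\end{align*}
% Hence the H-technique bound reads  advantage <= 0 + Pr[bad] = Delta,
% which is met with equality.
```

The point of the derivation is that the bad event of Equation (25) discards exactly the probability mass by which the ideal system exceeds the real one on each transcript, so the union-bound slack that usually makes the H-technique loose vanishes; the difficulty in practice, as Remark 4 below notes, is that evaluating $r_{F/\boldsymbol{\alpha}}$ transcript by transcript is rarely tractable.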

Remark 4.
Here we remark that although the extended H-technique and the expectation method can achieve optimal distinguishing bounds, this might require a very involved analysis. For the expectation method, identifying the optimal function and then providing a tight estimate of the expectation of this function can be quite difficult. Similarly, for the extended H-technique, identifying the optimal bad event can be very difficult. One thing is clear, however: both tools can achieve optimality whenever it is possible through the game-playing or random systems methodologies.
Nonadaptive PRP to SPRP

"Two weak make one strong", or the composition lemma [75,76], states that, in the information-theoretic setting, the composition of two NPRP-secure block ciphers results in an SPRP-secure block cipher. The initial proofs [75,76] of this result were based on Maurer's random systems methodology. Subsequently, Cogliati, Patarin, and Seurin [113] presented a much simpler proof using the standard H-technique.
CONSTRUCTION. Let $F$ and $G$ be two NPRP-secure quasi-random permutations over $\mathcal{X}$. Then we are interested in the SPRP security of the composition $G^{-1} \circ F$. Formally, the composition result is stated in Theorem 1.

Theorem 1.
Suppose that $F$ and $G$ are two random systems over $\mathcal{X}$; then,

In [113], the following result has been proven.

Lemma 13 gives a simple proof of Theorem 1 using the standard H-technique.
Alternate proof using the extended H-technique. We give a similar but alternative proof of Theorem 1, using the optimality of the extended H-technique. Since we employ the extended H-technique, we start with a description of the extended systems.
ANALYSIS OF GOOD TRANSCRIPTS. We define $B_1$ and $B_2$ adjoined with $F$ in a similar fashion as in the optimality result. Both $B_1$ and $B_2$ are degenerate and take the value zero with probability one. For $x^q, y^q, z^q \in \mathcal{X}^{(q)}$ and $i \in \{1, 2\}$, let $p_i := \Pr[B_i = 0 \mid \boldsymbol{\pi}(x^q) = y^q, Z^q = z^q]$. Then, we have

$$\begin{aligned}
\Pr[\boldsymbol{\pi}(x^q) = y^q,\ Z^q = z^q,\ B_1 = 0,\ B_2 = 0]
&= \Pr[\boldsymbol{\pi}(x^q) = y^q] \times \Pr[Z^q = z^q] \times p_1 \times p_2 \\
&\leq \Pr[F(x^q) = z^q] \times \Pr[G(y^q) = z^q] \\
&= \Pr[F(x^q) = z^q,\ G(y^q) = z^q,\ B_1 = 0,\ B_2 = 0].
\end{aligned}$$

The result follows from the extended H-technique, Lemma 3.

Conclusions
In this systematization of knowledge, our main goal was to revisit a popular tool in symmetric-key provable security, called the (Coefficients) H-technique [36,38]. We reformalized the notations and conventions necessary to study the security of any symmetric-key design. We then described the H-technique tool and showed that it can achieve optimal security bounds. To illustrate the effectiveness of this tool, we presented simple security proofs for some popular symmetric-key designs, across different paradigms.
Although our main goal is to promote the application of the H-technique, we emphasize that it is not a universal solution. In particular, there are many problems in which a straightforward application of the H-technique may not provide a tight bound. A prime example is the sum of permutations or SoP problem [96,97]. Although there are some tight-bound proofs [111,112] for the SoP problem that use the H-technique, the veracity of these proofs is not yet established. In contrast, a recent tool developed by Dai et al., called the $\chi^2$-method [89], provides a much simpler and asymptotically tight bound proof for SoP. The preceding example is just one instance in which one tool is somewhat superior to another; there could be many more. For instance, it is still not clear how one can apply the $\chi^2$-method with the same ease as the H-technique to the analysis of schemes based on low-entropy primitives (such as universal hash functions).
To conclude, a thorough study of the various available tools is presently needed. This will help in choosing the right tools for a given set of problems, which in turn may yield tight and/or simple proofs. We believe that this work is a step in that direction. It would be interesting to see similar work on some other popular tools, such as the coupling technique [85,86,87] and the $\chi^2$-method [89,90]. At the same time, we must also look at other avenues in probability theory to obtain new tools. For example, Morris, Rogaway, and Stegers explored the application of Markov chains [86], and Steinberger explored the Hellinger distance [94].