Almost-Minimal-Round BBB-Secure Tweakable Key-Alternating Feistel Block Cipher

This paper focuses on designing a tweakable block cipher by tweaking the Key-Alternating Feistel (KAF for short) construction. Very recently, Yan et al. published a tweakable KAF construction. It provides birthday-bound security with 4 rounds and Beyond-Birthday-Bound (BBB for short) security with 10 rounds. Following their work, we further reduce the number of rounds in order to improve efficiency while preserving the same level of security bound. More specifically, we rigorously prove that the 6-round tweakable KAF cipher is BBB-secure. The main technical contribution is a more refined security proof framework, which makes significant efforts to deal with several subtle and complicated sub-events. Note that Yan et al. showed by a concrete attack that 4-round KAF provides exactly birthday-bound security. Thus, 6 rounds are the (almost) minimal number of rounds to achieve BBB security for the tweakable KAF construction.


Introduction
A block cipher, also known as a pseudorandom permutation, is a pair of algorithms (E, D). A block cipher has two important parameters: block length and key length. If the block length is n bits and the key length is k bits, then from a mathematical point of view E can be seen as a mapping from the key space and the message space to the message space, and D is the mapping in the opposite direction of E. We call E the encryption and D the decryption. Block cipher designs are roughly separated into two main classes, named Feistel networks and substitution-permutation networks (SPNs).
The tweakable block cipher was formalized by Liskov et al. [1]. It introduces an extra public input parameter, the tweak, to the block cipher. The tweak provides inherent variability for building higher-level cryptographic schemes, namely modes of operation. So far, the tweakable block cipher has received wide application. Examples include message encryption, message authentication codes [1,2], and authenticated encryption modes [3,4,5], etc. Designing secure tweakable block ciphers has therefore become a very important research topic. Cryptographers build tweakable block ciphers either from scratch [6,7,8], or based on existing cryptographic primitives such as block ciphers or permutations [2,9,10,11]. Among these approaches, one is introducing the tweak into general structures of classical block ciphers, namely the Feistel construction [12] and the Even-Mansour construction [13]. We refer the interested reader to [9,14,15,16,17,18] for tweaking the Even-Mansour construction.

Our Contributions
In this paper, we present a 6-round TKAF cipher that meets BBB security, obtained by tweaking the outer four rounds of Guo et al.'s 6-round KAF [24]. Unlike Yan et al.'s research, we adopt the approach of introducing the tweak into the 6-round KAF directly. Utilizing Guo et al.'s proof methodology, we introduce the tweak via a universal hash function. We prove that when the adversary makes distinct queries with different tweaks, the construction still meets BBB security, due to the uniformity of the mentioned hash function.

Structure of This Paper
Section 2 is the preliminaries of notations and definitions. Section 3 is the overview of proofs and core contribution. Section 4 is the proof of our conclusion. Section 5 is the future work.

Notations and General Definitions
Let n denote a positive integer. Then N = 2^n and 𝒩 = {0, 1}^n. F(n) denotes the set of all functions mapping from 𝒩 to 𝒩. P(2n) denotes the set of all permutations of {0, 1}^{2n}. Let θ(s) be a random variable depending on another random variable s. Then we denote by E_{s∈S}[θ(s)] the expectation of θ(s) taken over all s ∈ S. For X, Y ∈ 𝒩, denote X ‖ Y or simply XY as their concatenation.

Block Cipher
A block cipher is a family of permutations indexed by the secret key. It is denoted as E : 𝒦 × ℳ → 𝒞, where 𝒦 is the key space, ℳ is the message space, and 𝒞 is the ciphertext space. Hence for each K ∈ 𝒦, E(K, ·) or simply E_K(·) is a permutation from ℳ to 𝒞. In this paper, ℳ = 𝒞 = {0, 1}^{2n}.

Tweakable Block Cipher
A tweakable block cipher is a family of permutations indexed by the secret key and the public tweak. It is denoted as E : 𝒦 × 𝒯 × ℳ → 𝒞, where 𝒦 is the key space, 𝒯 is the tweak space, ℳ is the message space, and 𝒞 is the ciphertext space. Hence for each K ∈ 𝒦 and each T ∈ 𝒯, E(K, T, ·) or simply E_{K,T}(·) is a permutation from ℳ to 𝒞. Similarly, ℳ = 𝒞 = {0, 1}^{2n}. We denote by Π(𝒯, 2n) the set of all tweakable permutations with ℳ = 𝒞 = {0, 1}^{2n}.

Key-Alternating Feistel (KAF) Cipher
A KAF is a block cipher with ℳ = 𝒞 = {0, 1}^{2n}. It has an iterative structure. The i-th round function has the form Ψ^{F_i}_{k_i}(L ‖ R) = (R ‖ L ⊕ F_i(R ⊕ k_i)), where L and R are the left and right halves of the input respectively, k_i is the i-th secret round key, and F_i is the i-th public round function. We denote the r-round KAF with r public round functions F = (F_1, . . . , F_r) in F(n) and a round-key vector k = (k_1, . . . , k_r) by

Uniform AXU Hash Functions
A family of hash functions is denoted as H : 𝒦 × 𝒯 → 𝒩. For each key k ∈ 𝒦, a keyed hash function H(k, ·) or simply H_k(·) maps the tweak space 𝒯 to 𝒩. H is said to be a uniform hash function if for any t ∈ 𝒯 and y ∈ 𝒩, Moreover, it is said to be ε-almost XOR-universal (ε-AXU) if for any t, t' ∈ 𝒯 with t ≠ t' and any y ∈ 𝒩,

Security Definitions
A distinguisher D can be thought of as a fundamental attacker; it can make queries to one (or more) "oracles", which can be block ciphers or random permutations. The advantage of a distinguisher D in distinguishing two oracles O and Q can be defined as: We discuss this under the Random Permutation model. First, we define two worlds, "the real world" and "the ideal world". When the distinguisher D interacts with the oracle (O, F), the real world means that O is a tweakable block cipher E(k, ·) and F = (F_1, . . . , F_r) are the public random functions or permutations of E, where k is taken uniformly from 𝒦. In the ideal world, O is a tweakable permutation Π and F = (F_1, . . . , F_r) are public random functions or permutations. We call O the construction oracle and F the inner component oracles. The security of a tweakable block cipher is measured by the advantage of the distinguisher D in distinguishing the two worlds (E(k, ·), F) and (Π, F) (depicted in Figure 2). We write Theoretically, we only consider information-theoretic distinguishers whose computational power is unlimited; that is, D is deterministic and is limited only in the number of queries it may make to the oracles. We assume that distinguishers do not make redundant queries. We also consider distinguishers under the chosen-ciphertext-attack (CCA) model that can additionally choose tweaks, i.e., they can query all oracles either forward or backward.
We denote by q_e the number of queries to the construction oracle and by q_f the number of queries to each inner component oracle; then the insecurity of the tweakable block cipher E is defined as

H-Coefficient Technique
We use the H-coefficient technique [25,26] to upper-bound the advantage of the adversary mentioned above.
Definition 1 (Transcript). A transcript τ = (Q_E, Q_F) is the response tuple obtained when the distinguisher D interacts with its oracles, where Q_E contains the tuples of the form (t, LR, ST) ∈ 𝒯 × {0, 1}^{2n} × {0, 1}^{2n} from the interaction with the construction oracle and Q_F contains the tuples (x, y) from the interaction with the inner component oracles.
By definition, D either makes a direct query (t, LR) to the construction oracle and x to the inner component oracle, receiving the answers ST and y, or makes an inverse query (t, ST) to the construction oracle and y to the inner component oracle, receiving the answers LR and x. Suppose that |Q_E| = q_e, and there are m distinct tweaks in Q_E. We assume there exist We note that all transcripts of queries are in directionless and unordered form, but by our hypothesis the distinguisher D is deterministic. Thus, there is a one-to-one mapping between this representation and the primitive transcript of the interaction of D with its oracles. Meanwhile, the output of D is a deterministic function of τ.
In addition, for the function F_j and its set of queries Q_{F_j}, if F_j(x) = y for each (x, y) ∈ Q_{F_j}, we say that F_j extends Q_{F_j}, denoted by F_j Q_{F_j}. Similarly, for the permutation P^(i) and its transcript set Q_{E_i}, if P^(i)(t, LR) = ST for each (t, LR, ST) ∈ Q_{E_i}, we say that P^(i) extends Q_{E_i}, denoted by P^(i) Q_{E_i}. With the above definition of "extend", we can define KAF F We further define the probabilities of the interactions of the distinguisher D with the real world and the ideal world, and denote them by Pr_re(τ) and Pr_id(τ) respectively, where τ is a transcript of these interactions.
With these definitions, we give the core lemma of the H-coefficient technique: the distinguishing advantage can be inferred from the ratio of Pr_re(τ) and Pr_id(τ). Lemma 1 (From [27]). Assume that there is a function ϕ(q_f, q_e) > 0 such that for every possible transcript τ with q_e and q_f queries of the two types it holds According to [27], the upper bound on |Pr_id(τ) − Pr_re(τ)| is named the "ϕ-point-wise proximity" of τ, a notion introduced by Hoang and Tessaro (HT) [27]. We let 𝒦 = 𝒦_good ∪ 𝒦_bad, where 𝒦_good and 𝒦_bad are mutually exclusive subsets. Denote by Pr_re(τ, k) the probability that D interacts with the real world, where k ∈ 𝒦, and by Pr_id(τ, k) the probability that D interacts with the ideal world, where k is a "virtual" key uniformly selected from the key space 𝒦. With the above definitions, HT provided a lemma to establish point-wise proximity. Lemma 2 (Lemma 1 of [27]). Fix a transcript τ with Pr_id(τ) > 0. Assume that: (i) Pr[k ∈ 𝒦_bad] ≤ δ, and (ii) there is a function g : 𝒦 → [0, ∞) such that for all k ∈ 𝒦_good, it holds Pr_re(τ,k)/Pr_id(τ,k) ≥ 1 − g(k). Then we have

Beyond Birthday-Bound Security for Six Rounds
In the beginning, we need to guarantee that tweaking the KAF cipher does not break its construction, and that the influence on the execution efficiency of the scheme cannot be enormous. In the study of execution efficiency and security, Liskov et al. [1] argued that the cost of changing tweaks should be less than that of changing keys. However, the study by Jean et al. [14] showed that the adversary can hardly obtain the key, but has the ability to completely control the tweak.
In this paper, we use a nonlinear compound mode for tweaking the Feistel structure, instead of tweaking dependent or independent keys. As is known, the 4-round KAF cipher does not meet BBB security [24]; Yan's [23] work showed that tweaking the 10-round KAF cipher can meet BBB security. Our work shows a method for tweaking the KAF cipher in a nonlinear pattern, and reduces the number of rounds of the scheme. To meet the security requirement, we introduce the tweak into the round-key vectors by means of a universal hash function.
Yan's [23] work used the minimal 6-round KAF as a "core", with four additional rounds on the first and last sides of the "core", introducing the tweak into these four rounds. They gave a 10-round TKAF construction with BBB security. In our work, we aim to "tweak" the first and last two rounds of the "core", and use a universal hash function to merge the tweak into the round-key vectors.
Next, we denote this 6-round construction by where F = (F_1, F_2, F_3, F_4, F_5, F_6) are random functions, k = (k_1, k_2, k_3, k_4, k_5, k_6) are the corresponding round keys, t ∈ 𝒯 is a tweak and x ∈ {0, 1}^{2n} is a message (depicted in Figure 3). Finally, we upper-bound the advantage of an adversary attacking this scheme. Utilizing the H-coefficient technique of Lemma 2, we first upper-bound the bad key event δ, then upper-bound the expectation of the function g(k), which satisfies Pr_re(τ,k)/Pr_id(τ,k) ≥ 1 − g(k). By Lemma 1, we obtain the advantage. Thus, we have this theorem: Theorem 1. For the 6-round tweakable KAF cipher with a suitable round-key vector as specified in Definition 2, it holds Adv_TKAF(q_f, q_e) ≤ (7q_e^3 + 24q_e^2 q_f + 20q_e q_f^2) (1)
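As an added illustration (not code from the paper), the following Python model implements the 6-round construction just described: Feistel rounds Ψ(L‖R) = (R ‖ L ⊕ F_i(R ⊕ k_i)), with the tweak merged into the round keys of rounds 1, 2, 5 and 6 through a uniform ε-AXU hash, and rounds 3 and 4 left as the untweaked core. Assumptions: n = 64, the hash H_k(t) = a·t ⊕ b over GF(2^64) with key k = (a, b), and SHA-256-based stand-ins for the public random functions F_1, …, F_6.

```python
import hashlib

# n = 64 is an assumed half-block size for this demo; N = 2^n, blocks are 2n = 128 bits.
N_BITS = 64
MASK = (1 << N_BITS) - 1
# Reduction polynomial x^64 + x^4 + x^3 + x + 1 for GF(2^64) (assumed choice).
GF_POLY = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1


def gf_mul(a, b):
    """Carry-less multiplication of two n-bit values modulo GF_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:
            a ^= GF_POLY
    return r


def uhash(key, t):
    """H_k(t) = a*t + b in GF(2^n) with k = (a, b): an assumed concrete instance of H.

    For uniformly random (a, b) the family is uniform (b masks the output) and
    1/N-AXU (for t != t', H_k(t) ^ H_k(t') = a*(t ^ t') equals a given y for one a).
    """
    a, b = key
    return gf_mul(a, t & MASK) ^ b


def round_function(i, x):
    """Public round function F_i: a fixed SHA-256-based map standing in for the
    random functions F_1..F_6 of the analysis (assumption, not the paper's choice)."""
    digest = hashlib.sha256(b"F%d|" % i + x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")


def effective_round_keys(keys, t):
    """Merge the tweak into the outer rounds only: rounds 1, 2, 5, 6 use H_{k_i}(t);
    rounds 3 and 4 of the untweaked core use k_3 and k_4 directly."""
    k1, k2, k3, k4, k5, k6 = keys
    return [uhash(k1, t), uhash(k2, t), k3, k4, uhash(k5, t), uhash(k6, t)]


def tkaf_states(keys, t, L, R):
    """Run the six rounds and return the state after each one: states[0] = (R, X)
    after round 1, states[4] = (A, S) after round 5, states[5] = (S, T) after round 6,
    matching the transcript notation (t, LR, ST) and the peeled form (t, RX, AS)."""
    states = []
    for i, rk in enumerate(effective_round_keys(keys, t), start=1):
        L, R = R, L ^ round_function(i, R ^ rk)
        states.append((L, R))
    return states


def tkaf_encrypt(keys, t, L, R):
    return tkaf_states(keys, t, L, R)[-1]


def tkaf_decrypt(keys, t, L, R):
    """Undo the rounds in reverse: from (L', R') = (R, L ^ F_i(R ^ rk)) recover
    L = R' ^ F_i(L' ^ rk) and R = L'."""
    for i, rk in reversed(list(enumerate(effective_round_keys(keys, t), start=1))):
        L, R = R ^ round_function(i, L ^ rk), L
    return L, R


def demo_keys():
    """Constructed (not secret, not random) key vector for a reproducible demo:
    hash keys (a, b) for rounds 1, 2, 5, 6 and plain n-bit keys for rounds 3, 4."""
    return (
        (0x0123456789ABCDEF, 0xFEDCBA9876543210),
        (0x0F1E2D3C4B5A6978, 0x8796A5B4C3D2E1F0),
        0x1111111111111111,
        0x2222222222222222,
        (0x13579BDF02468ACE, 0xECA86420FDB97531),
        (0x0000000000000001, 0x0000000000000000),
    )


if __name__ == "__main__":
    keys = demo_keys()
    L, R = 0xDEADBEEFDEADBEEF, 0xCAFEBABECAFEBABE
    for t in (0, 1, 2):
        S, T = tkaf_encrypt(keys, t, L, R)
        assert tkaf_decrypt(keys, t, S, T) == (L, R)
        print(f"t={t}: {L:016x}{R:016x} -> {S:016x}{T:016x}")
```

Distinct tweaks change only the effective keys of the four outer rounds, which is exactly the part of the cipher the security proof "peels off" before analysing the inner four rounds.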

Core Contribution
In our work, we analyze the influence of tweaking KAF ciphers on security. We tweak the outer four rounds of Guo et al.'s 6-round KAF, and the proof of BBB security is the major research work we have done.

Security Proof of Theorem 1
In the following subsections, we present the methodology to prove Theorem 1. We fix a transcript τ = (Q E , Q F ) with Q F = (Q F 1 , Q F 2 , Q F 3 , Q F 4 , Q F 5 , Q F 6 ), where |Q E | = q e and |Q F i | = q f , i = 1, . . . , 6. We divide the analysis of this claim into two parts: (i) define bad key vectors, then (ii) lower bound the probability Pr re (τ, k). We analyze these two parts respectively.

Bad Key Vectors and Probability
Definition 3 (Bad Key Vectors for 6 rounds). A suitable key vector k ∈ 𝒦 is bad, for a transcript τ = (Q_E, Q_F), if one of the following conditions is met: otherwise, k is good. We denote by 𝒦_bad the set of bad key vectors, and by 𝒦_good the set of good key vectors.
In the beginning, we upper-bound the probability of the bad key vectors. First, we analyze the above three conditions in turn, starting with (A-1). Since the keys k_1 and k_6 are picked uniformly at random from the key space 𝒦, by the properties of a suitable key vector, k_1 and k_6 are independent of each other (Definition 2). By the uniformity of H, H_{k_1} and H_{k_6} are also independent. Thus, there are N^2 possible choices. For (t, LR, ST) ∈ Q_E, (x_1, y_1) ∈ Q_{F_1} and (x_6, y_6) ∈ Q_{F_6}, we have at most q_e q_f^2 choices, as |Q_E| = q_e, |DomF_1| = Similarly, by the definition of a suitable key vector (Definition 2), it also holds that (k_1, k_2) and (k_5, k_6) are independent, and by the uniformity of H, we have Pr To sum up, we can upper-bound the probability of the bad key vectors by (2)

Analysis for Good Keys
In the following, we fix the round-key vector k ∈ 𝒦_good, and aim to lower bound Following Cogliati et al. [9,15], we divide this proof process into two steps: (i) upper bounding the probability that a pair of functions (F_1, F_6) satisfies the "bad" conditions. By this means, the "good" conditions on the function pair allow us to transfer the transcripts of the distinguisher on 6 rounds to a special transcript on 4 rounds; it can be said that we "peel off" the outer two rounds [24]; then (ii) assuming that (F_1, F_6) is good, by bounding the inner 4 rounds, we prove the claim of Theorem 1.

Peeling Off the Outer Two Rounds
We pick a pair of round functions (F 1 , From this, we obtain q e transcripts with the form of (t, RX, AS). For convenience, we denote a new set including all these introduced transcript tuples by Q * E (F 1 , F 6 ). Furthermore, we define two subsets of Q * E (F 1 , F 6 ), the transcripts that collide at the positions of X and A, respectively. Denote them by ID(X) and ID(A): In order to characterize τ, we define four key-dependent quantities: Now we define the "bad event" on the pair (F 1 , F 6 ). If the corresponding set Q * E (F 1 , F 6 ) of the pair (F 1 , F 6 ) fulfills one of the following "collision" conditions, we say that the predicate is bad, denoted by Bad(F 1 , F 6 ):

(B-4)
For the given pair of distinct merged transcripts (t, LRX, AST) and (t', L'R'X', A'S'T') together with (x_2, y_2) ∈ Q_{F_2}, we discuss three cases: are independent of each other and remain uniformly random. Then it holds Therefore, the probability of a collision at the position H_{k_2}(t) ⊕ X with X = X' is at most By the property of H, the probability of a collision at the position X is at most 1/N^2.
• Case 3: if t = t' and R = R' but L ≠ L', it cannot hold that X = X' and To sum up, the probability of the "former" part of (B-4) cannot exceed ε^2 + 1/N^2, and the analysis of the "latter" part is similar to the former part. Considering all possible pairs of transcripts, the number of such pairs cannot exceed q_e^2 q_f. Therefore, For the given transcripts (t, LRX, AST) ≠ (t*, L*R*X*, A*S*T*) and (x_2, y_2) ∈ Q_{F_2}, due to the conditions on the good key vector, it holds H_{k_1}(t) ⊕ R ∉ DomF_1. As for (B-4), we consider the front part of this condition. According to the state of S, we discuss three cases: • Case 1: it holds H_{k_6}(t) ⊕ S ∉ DomF_6; then for the distinct (t, LRX, AST) and (t*, L*R*X*, A*S*T*), each has q_e choices. - are independent and uniformly random. Thus, on the condition of On the condition of If t = t* and S = S* but T ≠ T*, it cannot hold that A = A* or H_{k_2}(t) = X ⊕ x_2.
Under the above cases, the probability of a collision at the position H_{k_2}(t) ⊕ X with A = A* is at most ε^2 + 1/N^2. In addition, for H_{k_6}(t) ⊕ S ∉ DomF_6, the probability of the front part of (B-5) is at most q_e^2 q_f ε^2 + q_e^2 q_f / N^2. • Case 2: For H_{k_6}(t) ⊕ S ∈ DomF_6, the number of choices of (t, LRX, AST) is n^(6)(k). Similar Therefore, the probability that at least one such transcript (t, LRX, AST) exists is at most q_f · n^(6) To sum up the above two cases, the probability that the former part of (B-5) holds is at most q_e^2 q_f ε^2 + q_f · n^(6) The latter part of (B-5) is symmetric to the former part. Therefore, we have Pr[(B-5)] ≤ 2q_e^2 q_f ε^2 + q_f · (n^(1)(k) + n^(6)(k))/N + 2q_e^2 q_f / N^2 + q_f ε (n^(1)(k) + n^(6)(k)).
Summing up all five conditions, it holds Now we prove Lemma 3.

Analysis of the Inner Four Rounds
In the following section, we analyze the inner four rounds of TKAF, depicted in Figure 4. We denote by Q*_E(F_1, F_6) the set of tuples of the form (t, RX, AS) induced by peeling off the outer two rounds. Similar to [24], we also write F* = (F_2, F_3, F_4, F_5), and further denote Lemma 4 (From [24]). Assume that there exists a function ϕ : (F(n))^2 × 𝒦 → [0, ∞) such that for any good (F_1, F_6), it holds Then we have Lemma 5. For any fixed good tuple (F_1, F_6), there exists a function ϕ(F_1, F_6, k) of the function pair and the round-key vector k such that the inequality (3) Proof. Due to space constraints, the full proof is deferred to Appendix A. In the following, we only present a proof sketch and the core conclusions. At the beginning of the proof, we define some notations and values needed to present the proof process. We divide the transcripts in Q*_E(F_1, F_6) into four sets: Then we denote by E_{G_1}, E_{G_2}, E_{G_3} and E_{G_4} the events that TKAF^{F*}_{H_k(t)} extends G_1, G_2, G_3 and G_4 respectively, and let be the event that it extends the i-th tuple (t, R_i X_i, A_i S_i). We define four sets of "collision positions": For convenience, we denote two values e

. That is Num
With the definitions mentioned above, we can lower bound We analyze these four sets in turn. First, we consider Pr[E_{G_1} | F Q_F]. There are three cases for each transcript (t, RX, AS) ∈ G_1: (i) The two intermediate values Y and Z derived from F_2 and F_5 do not collide with any previously queried values. The probability of this case is at least (ii) The intermediate value Y collides with some value of a past query, but Z is still "free". The probability of this case is at least (iii) This case is symmetric to the second one: Z collides with some past value, but Y is "free". The probability is at least Summing over the above five cases, we have Then, we analyze E_{G_2}, E_{G_3}, and E_{G_4}. The events E_{G_2} and E_{G_3} can be considered simultaneously. For the remaining events, we need to upper-bound the corresponding "bad" events, then consider the effect of introducing the tweak. Through this method, we can lower bound these three events. See Appendix A for the details of the proof.
To this end, we consider β_3. For a fixed transcript (t, LR, ST) such that H_{k_1}(t) ⊕ R ∉ DomF_1, take a distinct (t', L'R', S'T'). If t ≠ t' but LR = L'R', by the uniformity of H we have if t = t' and R = R', then it must be L ≠ L', thus X = X' is impossible; if t = t' and L = L' but R ≠ R', since H_{k_1}(t) ⊕ R ∉ DomF_1, F_1(H_{k_1}(t) ⊕ R) remains uniformly random conditioned on F_1 Q_{F_1}, therefore Pr[X = X'] = 1/N. In addition, the number of distinct pairs (t, LR, ST) and (t', L'R', S'T') is at most q_e^2. Thus, we have For H_{k_1}(t) ⊕ R ∈ DomF_1, the number of transcripts (t, LR, ST) meeting the above conditions is n^(1)(k). We have Symmetrically, Finally, H_{k_1}(t) and H_{k_6}(t) are uniform over 2^n possible choices, Gathering all the above, we obtain the bound claimed in (4).

Now, with Lemma 2, Lemma 4, and (2), we obtain
Pr_re(τ) For the expectation E_k[Pr[Bad(F_1, F_6) | F_1 Q_{F_1}, F_6 Q_{F_6}]], we note that k_3 and k_4 are uniformly picked from 2^n possibilities, so E_k[n^(2,3)(k)] = E_k[n^(4,5) It has been shown that E_k[n^(1)(k)] = E_k[n^(6)(k)] ≤ q_e q_f / N. Then Lemma 3 yields From all of the above, by Lemmas 1 and 2, we have proved the conclusion of Theorem 1.

Conclusions and Future Work
This paper presents a result on constructing a tweakable block cipher from the KAF construction. Our work is based on the study by Guo et al. [24]: we introduce the tweak into their optimized 6-round KAF scheme in order to achieve Beyond-Birthday-Bound security. We utilize a universal hash function, called an ε-almost XOR-universal hash function, to combine the tweak with the round-key vector, and thereby build a new tweakable KAF scheme TKAF that achieves beyond-birthday-bound security. Finally, using the H-coefficient technique [25], we prove the security requirement and obtain a better conclusion with fewer rounds. Our approach is to introduce the tweak into the first and last two rounds of Guo's 6-round KAF structure, using the universal hash function as the combining operation. Can we introduce the tweak directly into the round function without using the universal hash function, and still meet beyond-birthday-bound security? Or can we use another linear method to introduce a tweak? We leave these as future work.

Appendix A. Proof of Lemma 5
Appendix A.1. Pr[E_{G_1} | F Q_F] First, we consider the event E_{G_1}, i.e., lower bounding Pr[E_{G_1} | F Q_F]. By definition, E_{G_1} = E_{|G_1|} ∧ . . . ∧ E_1. So, Therefore, we consider lower bounding the probability of E_{l+1} conditioned on E_l ∧ . .
We note that conditioned on E_l ∧ . . . ∧ E_1, for arbitrary x_3 ∈ ExtF_3^(l) and x_4 ∈ ExtF_4^(l), F_3(x_3) and F_4(x_4) are considered "fixed". For convenience, we denote x ). Depending on the states of the two intermediate values Y_{l+1} and Z_{l+1}, we consider the event E_{l+1} in three cases: • CASE 1, no collision: Y_{l+1} and Z_{l+1} satisfy Accumulating the probabilities of the above three cases, we have Now we consider these three cases respectively.
With tuples in Q*_E(F_1, F_6), X_{l+1} does not collide with other corresponding positions since |ID(X_{l+1})| = 1. Thus, F_2(x_2^(l+1)) remains uniformly random on the con- Then, the probability that these two equations Appendix A.1.2. Case 2 We consider the opposite of CASE 2, and upper-bound the probability of this condition. Let pcoll be the probability of the contrary case. We have where Coll(x_3, x_4) stands for the collision event Then, we consider five subcases of the opposite of CASE 2 respectively, and upper-bound each in turn.
• Subcase 2.1: , and x 4 ∈ G 3 F 4 . For each x 4 ∈ G 3 F 4 , by definition, we have the number of In addition, similar with CASE 1, we can still deem F 2 (x (l+1) 2 ) as uniformly random.
• Subcase 2.2: x 3 ∈ DomF 3 , and x 4 ∈ DomF 4 . Define a key-dependent value: Then we have the quantity of (x 3 , x 4 ) which satisfies the collision condition X l+1 ⊕ y 3 = k 4 ⊕ x 4 is Num + 3,4 (k, X l+1 ). Same as Subcase 2.1, It can be seen, k 4 is uniform in N values. So, the expectation of Num + 3,4 (k, X l+1 ) is at most First, we focus on Pr Coll( Considering the probability on the condition that E i fits into CASE 1,2 and 3. It can be seen that if E i fits into CASE 3, then we have x (i) 4 ∈ DomF 4 , it contradicts the Subcase 2.3. Let 3 . By definition, the number of choices for such y 3 , the probability of the following two collisions is at most 1 N , i.e., From the above, • Subcase 2.4: 3 \DomF 3 , and x 4 ∈ DomF 4 . By definition, we write First, we focus on Pr Coll(x . Same as Subcase 2.3, we only need to consider two cases on E i .
Then it holds Then, we have Pr 4 . We note that if X l+1 , x i and x 4 are "fixed", then the possibility of choices of x (i) 4 is at most 1. Therefore, if Y l+1 collides with x (i) 3 , the following two collisions have to happen: According to Subcase 2.3, we have In addition, sgn (j) = 1 if and only if j is the smallest index that satisfies x 3 , according to Subcase 2.3, the number of choices for such y

), the upper bound of the probability is
• Summing over all five subcases: We have The five cases above are opposite conditions to CASE 2. Moreover, if it holds (t, R l+1 X l+1 , A l+1 S l+1 ) ∈ G 1 , then we have (i) x can be deemed as "new". For these arguments above, we have With the similar analysis of CASE 2, we denote Also, we consider five subcases in turn.

. On this condition, as the constraint
where Num On account of the uniformity of k 3 in N choices, we have 3 \DomF 3 , and x 4 ∈ DomF 4 . By definition, we write From above with the similar calculation, we have • Subcase 3.4: x 3 ∈ DomF 3 , and x 4 ∈ ExtF (l) • Summing over all five subcases: We have Summing over all the three cases: We denote Secondly, we consider Similarly, Finally, we have the upper bound Next, we analyze the event E G 2 ∧ E G 3 , we firstly focus on E G 2 . Define the "bad" event on this condition, we denote by Bad 1 (F 3 ): there exists (t, RX, AS) ∈ G 2 , one of the following conditions is fulfilled: We note that for each (t, RX, AS) ∈ G 2 , let x 3 = k 3 ⊕ R ⊕ ImgF 2 (H k 2 (t) ⊕ X), we have x 3 / ∈ DomF 3 (for the condition of ¬Bad(F 1 , F 6 )) and x 3 / ∈ ExtF (for the analysis of E G 1 ). Then, on the condition of E G 1 ∧ F 3 G F 3 , the values of function F 3 (x 3 ) keep uniform. Thus, for (t, RX, AS): (i) the probability of condition (i) fulfilled is at most q f N ; (ii) for each (t , R X , A S ) ∈ G 2 , if the corresponding x 3 = x 3 , we have If the two tuples are distinct, i.e., (t, RX, AS) = (t , R X , A S ): (a) t = t , X = X , and x 3 = x 3 , then Pr[X ⊕ F 3 (x 3 ) = X ⊕ F 3 (x 3 )] ≤ ε; (b) if t = t , X = X , and x 3 = x 3 , then it must be X ⊕ F 3 (x 3 ) = X ⊕ F 3 (x 3 ). (iii) for each (t * , R * X * , A * S * ) ∈ G 1 ∪ G 3 , we have Summing up the above, we have the probability of Bad 1 (F 3 ): We can see that if Bad 1 (F 3 ) does not happen, there are |G 2 | values Z 1 , . . . , Z |G 2 | in G 2 which are distinct (otherwise (ii) is fulfilled). In addition, F 4 (k 4 ⊕ Z 1 ), . . . , F 4 (k 4 ⊕ Z |G 2 | ) are all undetermined (otherwise (i) and (iii) are fulfilled).
Moreover, at the "right" part, there are also |G 2 | values A 1 , . . . , A |G 2 | , such that F 5 (H k 5 (t) ⊕ A 1 ), . . . , F 5 (H k 5 (t) ⊕ A | G 2 |) are also undetermined. Therefore, the event E G 2 is equivalent to F 4 and F 5 satisfying 2|G 2 | new equations, so the probability does not exceed 1 N 2|G 2 | . Similar to the analysis of E G 2 , we consider the event E G 3 . Likewise, we define the bad event Bad 2 (F 4 ) that there exists (t, RX, AS) ∈ G 3 , one of the following conditions is fulfilled: 3 , where x 4 = k 4 ⊕ S ⊕ ImgF 5 (H k 5 (t) ⊕ A), the probability is at most q f N ; (ii) there exists (t , R X , A S ) ∈ G 3 , such that A ⊕ F 4 (x 4 ) = A ⊕ F 4 (x 4 ), where x 4 = k 4 ⊕ S ⊕ ImgF 5 (H k 5 (t ) ⊕ A ), and the probability is at most |G 3 | N + ε; (iii) there exists (t * , R * X * , A * S * ) ∈ G 1 ∪ G 2 , such that A ⊕ F 4 (x 4 ) = R * ⊕ F 2 (H k 2 (t * ) ⊕ X * ), and the probability is at most |G 1 |+|G 2 | N . Thus, we have the probability of Bad 2 (F 4 ): Same as E G 2 , the event E G 3 is equivalent to F 2 and F 3 satisfying 2|G 3 | new equations. Therefore, on the condition of E G 1 ∧ F Q F , we have Thirdly, we analyze the event E G 4 . By definition, for arbitrary (t, RX, AS) ∈ G 4 , we denote x 2 = H k 2 (t) ⊕ X and x 5 = H k 5 (t) ⊕ A such that x 2 / ∈ DomF 2 and x 5 / ∈ DomF 5 . Furthermore, on the condition of E G 1 ∧ E G 2 ∧ E G 3 , and the conditions of bad event Bad(F 1 , F 6 ), the two values of functions F 2 (x 2 ) and F 5 (x 5 ) must be uniform and undetermined.
We also define the bad event Bad_3(F_2, F_5) that there exists (t, RX, AS) ∈ G_4 such that x_2 and x_5 fulfill one of the following conditions: • left part: consider F_2(x_2): (i) x_3 = k_3 ⊕ R ⊕ F_2(x_2) ∈ DomF_3; by the randomness of F_2(x_2), for each (t, RX, AS) ∈ G_4 the probability of this is at most q_f / N; (ii) there exists (t', R'X', A'S') ∈ G_1 ∪ G_2 ∪ G_3 such that R ⊕ F_2(x_2) = R' ⊕ F_2(H_{k_2}(t') ⊕ X'). For two distinct tuples in G_4, (a) it might be t ≠ t', such that Y collides with some previously determined Y', the probability of which is ε; (b) if t = t' but X ≠ X' (it cannot be R = R'), by the randomness of F_2(x_2), for each (t, RX, AS) ∈ G_4 the upper bound of the probability is (|G_1| + |G_2| + |G_3|)/N + ε ≤ q_e / N + ε. • right part: consider F_5(x_5), similarly to the above: (i) k_4 ⊕ S ⊕ F_5(x_5) ∈ DomF_4; for each (t, RX, AS) ∈ G_4 the probability of this is at most q_f / N; (ii) there exists another distinct (t', R'X', A'S') ∈ G_1 ∪ G_2 ∪ G_3 such that S ⊕ F_5(x_5) = S' ⊕ F_5(H_{k_5}(t') ⊕ A'). For each (t, RX, AS) ∈ G_4, the upper bound of the probability is Thus, denoting |G_4| = β_3, we have