Abstract
In CRYPTO’03, Patarin conjectured a lower bound on the number of distinct solutions \((P_1, \ldots , P_{q}) \in (\{0,1\}^{n})^{q}\) satisfying a system of equations of the form \(X_i \oplus X_j = \lambda _{i,j}\) such that \(P_1, P_2, \ldots \), \(P_{q}\) are pairwise distinct. This result is known as “\(P_i \oplus P_j\) Theorem for any \(\xi _{\max }\)” or alternatively as Mirror Theory for general \(\xi _{\max }\), which was later proved by Patarin in ICISC’05. Mirror theory for general \(\xi _{\max }\) stands as a powerful tool to provide a high-security guarantee for many blockcipher-(or even ideal permutation-) based designs. Unfortunately, the proof of the result contains gaps that are non-trivial to fix. In this work, we present the first complete proof of the \(P_i \oplus P_j\) theorem for a wide range of \(\xi _{\max }\), typically up to order \(O(2^{n/4}/\sqrt{n})\). Furthermore, our proof approach is made simpler by using a new type of equation, dubbed link-deletion equation, that roughly corresponds to half of the so-called orange equations from earlier works. As an illustration of our result, we also revisit the security proofs of two optimally secure blockcipher-based pseudorandom functions, and n-bit security proof for six round Feistel cipher, and provide updated security bounds.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Here, \(\textsf {E}_{k_1}\) and \(\textsf {E}_{k_2}\) denote two n-bit independent pseudorandom permutations.
- 2.
Abusing the notation, we use the same symbol to denote the variables and the solution of a given system of equations.
- 3.
This is because, the column sum is zero, which implies that the all-1 vector belongs to the kernel of the matrix, implying that it is non-invertible, and since it is already assumed to have full row rank, it cannot possibly have full column rank, hence \(m = \textrm{rank}(A) < p\).
- 4.
\(\textsf{CLRW}2\) or cascading \(\textsf {LRW}2\) is a tweakable blockcipher, defined as \(\textsf{CLRW}2((k_1, k_2, h_1, h_2), t, m) = \textsf {LRW}2((k_2, h_2), t, \textsf {LRW}2((k_1, h_1), t, m))\), with \(\textsf {LRW}2((k, h), t, m) = E(k, m \oplus h(t)) \oplus h(t)\), where E is a block cipher, k is the block cipher key, and h is an XOR universal hash function.
- 5.
For a set \(A \subseteq \{0,1\}^n\) and a n-bit number \(x \in \{0,1\}^n\), \(x \oplus A := \{x \oplus a \mid a \in A\}\)
- 6.
We do not claim novelty for this Theorem, but we present its proof for illustration purpose.
- 7.
We say that two variables are in the same block of equalities if there exists an alternating trail involving both variables.
- 8.
CPCA-2 adversary here means an adversary that adaptively queries Chosen Plaintexts and Chosen Ciphertexts.
- 9.
Since \(\gamma \subseteq \lambda \), we have \(\sum _{S \in \gamma } \delta _S(z) \le \sum _{S' \in \lambda } \delta _{S'}(z)\) for every \(z \in \{0,1\}^n\), since every \(S \in \gamma \) is subset of some \(S' \in \lambda \). So taking maximum over all \(z \in \{0,1\}^n\), on both sides would give us \(\varDelta _{\gamma } \le \varDelta _{\lambda }\).
References
Data encryption standard. Federal Information Processing Standards Publication 112 (1999)
Aiello, W., Venkatesan, R.: Foiling birthday attacks in length-doubling transformations. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 307–320. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_27
Bellare, M., Krovetz, T., Rogaway, P.: Luby-Rackoff backwards: increasing security by making block ciphers non-invertible. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 266–280. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054132
Morris, B., Rogaway, P., Stegers, T.: How to encipher messages on a small domain. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 286–302. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_17
Bhattacharjee, A., Dutta, A., List, E., Nandi, M.: Cencpp* - beyond-birthday-secure encryption from public permutations (2020)
Bhattacharya, S., Nandi, M.: Revisiting variable output length XOR pseudorandom function. IACR Trans. Symmetric Cryptol. 2018(1), 314–335 (2018). https://doi.org/10.13154/tosc.v2018.i1.314-335
Cogliati, B., Jha, A., Nandi, M.: How to build optimally secure PRFs using block ciphers. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 754–784. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_25
Cogliati, B., Lampe, R., Patarin, J.: The indistinguishability of the XOR of \(k\) permutations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 285–302. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_15
Cogliati, B., Patarin, J.: Mirror theory: a simple proof of the pi+pj theorem with xi_max=2. Cryptology ePrint Archive, Report 2020/734 (2020). https://eprint.iacr.org/2020/734
Cogliati, B., Seurin, Y.: EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 121–149. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_5
Dai, W., Hoang, V.T., Tessaro, S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 497–523. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_17
Datta, N., Dutta, A., Dutta, K.: Improved security bound of (E/D)WCDM. IACR Trans. Symmetric Cryptol. 2021(4), 138–176 (2021). https://doi.org/10.46586/tosc.v2021.i4.138-176
Datta, N., Dutta, A., Nandi, M., Paul, G.: Double-block hash-then-sum: a paradigm for constructing BBB secure PRF. IACR Trans. Symmetric Cryptol. 2018(3), 36–92 (2018). https://doi.org/10.13154/tosc.v2018.i3.36-92
Datta, N., Dutta, A., Nandi, M., Paul, G., Zhang, L.: Single key variant of PMAC_plus. IACR Trans. Symmetric Cryptol. 2017(4), 268–305 (2017). https://doi.org/10.13154/tosc.v2017.i4.268-305
Datta, N., Dutta, A., Nandi, M., Yasuda, K.: Encrypt or decrypt? To make a single-key beyond birthday secure nonce-based MAC. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 631–661. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_21
Datta, N., Dutta, A., Nandi, M., Yasuda, K.: sfDWCDM+: a BBB secure nonce based MAC. Adv. Math. Commun. 13(4), 705–732 (2019). https://doi.org/10.3943/amc.2019042
Dutta, A., Nandi, M., Saha, A.: Proof of mirror theory for \(\xi _{\max } = 2\). IEEE Trans. Inf. Theor. 68(9), 6218–6232 (2022). https://doi.org/10.1109/TIT.2022.3171178
Dutta, A., Nandi, M., Talnikar, S.: Beyond birthday bound secure MAC in faulty nonce model. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 437–466. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_15
Guo, C., Shen, Y., Wang, L., Gu, D.: Beyond-birthday secure domain-preserving PRFs from a single permutation. Des. Codes Crypt. 87(6), 1297–1322 (2018). https://doi.org/10.1007/s10623-018-0528-8
Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 370–389. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055742
Iwata, T.: New blockcipher modes of operation with beyond the birthday bound security. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 310–327. Springer, Heidelberg (2006). https://doi.org/10.1007/11799313_20
Iwata, T., Mennink, B., Vizár, D.: CENC is optimally secure. Cryptology ePrint Archive, Report 2016/1087 (2016). https://eprint.iacr.org/2016/1087
Iwata, T., Minematsu, K.: Stronger security variants of GCM-SIV. IACR Trans. Symmetric Cryptol. 2016(1), 134–157 (2016). https://doi.org/10.13154/tosc.v2016.i1.134-157
Iwata, T., Minematsu, K., Peyrin, T., Seurin, Y.: ZMAC: a fast tweakable block cipher mode for highly secure message authentication. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 34–65. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_2
Jha, A., Nandi, M.: Tight security of cascaded LRW2 (2019). https://eprint.iacr.org/2019/1495
Kim, S., Lee, B., Lee, J.: Tight security bounds for double-block hash-then-sum MACs. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 435–465. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_16
List, E., Nandi, M.: Revisiting full-PRF-secure PMAC and using it for beyond-birthday authenticated encryption. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 258–274. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_15
List, E., Nandi, M.: ZMAC+ - an efficient variable-output-length variant of ZMAC. IACR Trans. Symmetric Cryptol. 2017(4), 306–325 (2017). https://doi.org/10.13154/tosc.v2017.i4.306-325
Mennink, B.: Towards tight security of cascaded LRW2. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 192–222. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_8
Mennink, B., Neves, S.: Encrypted Davies-Meyer and its dual: towards optimal security using mirror theory. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 556–583. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_19
Moch, A., List, E.: Parallelizable MACs based on the sum of PRPs with security beyond the birthday bound. In: Deng, R.H., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 131–151. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21568-2_7
Nachef, V., Patarin, J., Volte, E.: Feistel Ciphers - Security Proofs and Cryptanalysis. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-49530-9
Naito, Y.: Full PRF-secure message authentication code based on tweakable block cipher. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 167–182. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26059-4_9
Naito, Y.: Blockcipher-based MACs: beyond the birthday bound without message length. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 446–470. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_16
Patarin, J.: Luby-Rackoff: 7 rounds are enough for 2\(^{\text{ n }(1 - \varepsilon )}\) security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 513–529. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_30
Patarin, J.: Security of random feistel schemes with 5 or more rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_7
Patarin, J.: On linear systems of equations with distinct variables and small block size. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 299–321. Springer, Heidelberg (2006). https://doi.org/10.1007/11734727_25
Patarin, J.: The “coefficients H’’ technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
Patarin, J.: A proof of security in O(2n) for the XOR of two random permutations. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 232–248. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85093-9_22
Patarin, J.: Introduction to mirror theory: analysis of systems of linear equalities and linear non equalities for cryptography. Cryptology ePrint Archive, Report 2010/287 (2010). https://eprint.iacr.org/2010/287
Patarin, J.: Security of balanced and unbalanced feistel schemes with linear non equalities. Cryptology ePrint Archive, Paper 2010/293 (2010). https://eprint.iacr.org/2010/293
Patarin, J.: Security in o(2\({}^{\text{ n }}\)) for the xor of two random permutations - proof with the standard H technique. Cryptology ePrint Archive, Report 2013/368 (2013). https://eprint.iacr.org/2013/368
Schneier, B., Kelsey, J.: Unbalanced Feistel networks and block cipher design. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 121–144. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_49
Sorkin, A.: Lucifer, a cryptographic algorithm. Cryptologia 8(1), 22–42 (1984). https://doi.org/10.1080/0161-118491858746
Yasuda, K.: The sum of CBC MACs is a secure PRF. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 366–381. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5_25
Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_34
Zhang, L., Wu, W., Sui, H., Wang, P.: 3kf9: enhancing 3GPP-MAC beyond the birthday bound. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 296–312. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_19
Zhang, P., Hu, H., Yuan, Q.: Close to optimally secure variants of GCM. Secur. Commun. Netw. 2018, 9715947:1–9715947:12 (2018). https://doi.org/10.1155/2018/9715947
Acknowledgements
Part of this work was carried out in the framework of the French-German-Center for Cybersecurity, a collaboration of CISPA and LORIA, while Benoît Cogliati was employed at the CISPA Helmholtz Center for Information Security.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Postponed Proofs
A Postponed Proofs
1.1 A.1 Proof of Lemma 2
We fix \(S \in \gamma \subseteq \lambda \) where \(|\gamma | = \alpha \) and a set U with \(|U| = \ell +1\) disjoint with S. Let \(\tau := \gamma _{+U}\) and \(\tau ' := \gamma _{- S + (S \sqcup U)}\). In words, \(\gamma \) is a set-system that is included in \(\lambda \), U is any subset of \(\mathcal {G}\) of size \(\ell +1\), and S is an element of \(\gamma \). Then, \(\tau \) corresponds to the \(\gamma \cup \{U\}\), while \(\tau '\) corresponds to \(\tau \) after S and U have been merged. Looking back at Fig. 1, \(\tau \) and \(\tau '\) would correspond respectively to the second and third graphs. We assume that \(\gamma , U, S\) are chosen in such a manner that \(|\textsf{P}(\tau ) - \textsf{P}(\tau ')| = D(\alpha , \ell )\). Now we prove the inequality in two cases.
Case \(|U| =1\). In this case, let \(U = \{x\}\). Then \(\textsf{P}(\tau ) = \textsf{P}(\gamma )\cdot \left( 1 - \Vert \gamma \Vert /2^n\right) \) from Eq. (1). Also \(\tau '_{-x | S \sqcup U} = \gamma \). Hence from link deletion equation, Eq. (5),
where \(I := I_{x, S} = \{(\delta , S') : x \oplus \delta \in S' \in \gamma _{-S}, S' \oplus \delta \ \text {is disjoint with}\ S \}\). For \(z' \in S' \in \gamma _{-S}\), \((x \oplus z, S') \not \in I\) if and only if there exists \(y \in S\) and \(w \in S'\) such that \(x \oplus y = z \oplus w\). Thus \(|I| \ge \sum _{S' \in \gamma _{- S}}\left( |S'| - \sum _{y \in S} 2\delta _{S'}(x \oplus y)\right) = \Vert \gamma \Vert - |S| - \sum _{y \in S} 2\delta _{\gamma _{- S}}(x \oplus y) \ge \Vert \gamma \Vert - \Vert \gamma \Vert _{\max }\cdot 2 \delta _{\gamma }\). Hence
where the last term in \((\star )\) is obtained from the initial condition Eq. (4).
Case \(|U| \ge 2\). Fix \(x \in U\). By link-deletion equation, we have
where
It is easy to see that \(I' \subseteq I\). If \((\delta , S') \in I \setminus I'\), then,
-
either \(S' = S\) and \(\delta = x \oplus y\) for some \(y \in S\), such that \(S \oplus (x\oplus y)\) is disjoint with \(U \setminus x\) or
-
\(S' \in \gamma \setminus S\) and \(\delta = x \oplus z\) for some \(z \in S'\), such that \(S' \oplus (x \oplus z)\) is disjoint with \(U \setminus x\) but not disjoint with \(S \sqcup (U \setminus x)\).
The first case can contribute at most |S|. The second case will happen if for some \(z, w \in S'\), and \(y \in S\), \(z \oplus w = x \oplus y\). Thus
Hence, we have the following:
The last inequality follows from the observation that \(\tau _{\delta , S'}\) and \(\tau '_{\delta , S'}\) are considered when we take maximum to compute \(D(\alpha -1, \ell +|S'| - 1)\). Moreover, from our initial condition Eq. (4),
Now, taking upper bounds of the total size terms, and adding some positive terms in the middle sum, and noting that \(\varDelta _{\gamma } \le \varDelta _{\lambda }\)Footnote 9, the inequality, Eq. (17) can be easily modified to the theorem statement, Eq. (7).
1.2 Proof of Recursive Inequality Lemma
Let us denote by an ordered tuple of integers from [q], as \(i^k := (i_1, \cdots , i_k) \in [q]^k\). Note that, for all positive integer j, \(e^j \ge \frac{j^j}{j!}\) and so \(1/j! \le (e/j)^j\), and we have
This inequality will be frequently used for the proof of this lemma. We also use the following fact extensively: for \(r < 1\), \(\sum _{j \ge i} r^j \le \frac{r^i}{1- r}\).
We state the following claim, which follows from iterated applications of the recursive inequality.
Claim 1
For any \(0 \le d \le \xi n\), and \(0 \le \ell < \xi -1\) we have
Proof of the Claim. We prove the claim by induction on d. The result holds trivially for \(d = 1\) (by applying \(d = \ell = 0\) in Eq. (9)). Now we prove the statement for \(d_0+1\), assuming it true for \(d_0\). Therefore, we have
The range of the first and second summations has deliberately been taken to start from \(\left\lceil (d_0 + 1-\ell )/\xi \right\rceil \le \left\lceil (d_0-\ell )/\xi \right\rceil + 1\), because if \(k < \left\lceil (d_0 + 1-\ell )/\xi \right\rceil \), then \(k + \sum _{j=1}^{k}\ell _{i_j} - (d_0+1) \le k \xi - (d_0 + 1) <0\) and hence \(a_{k, k + \sum _{j=1}^{k}\ell _{i_j} - (d_0+1)} = 0\). Now we can see that the coefficient of \(\sum _{i^k \in [q]^k} a_{k, k + \sum _{j = 1}^k - (d_0 + 1)}\) in the above summation is bounded by \(\left( {\begin{array}{c}d_0\\ k - 1\end{array}}\right) + \left( {\begin{array}{c}d_0\\ k\end{array}}\right) = \left( {\begin{array}{c}d_0 + 1\\ k\end{array}}\right) \). This concludes the proof of the claim. \(\square \)
Proof of Lemma 3. Let us take \(d = \xi n\). In that case, Claim 1 becomes
We are going to upper bound both terms of the sum in subsequent turns. For the first term, note that one has \(k \ge n-\frac{\ell }{\xi } > n-1\) since \(\ell < \xi - 1\) by definition. This implies that
Hence, using the initial bound, one has
As for the second term, we make the following observation: For \(\xi k < i \le \xi (k + 1)\), \(k \in (n - 1]\), \(j \ge \lceil \frac{i - \ell }{\xi } \rceil \ge k\), and hence
For \(0 \le i \le \xi \) and \(j \ge 1\), \(\left( {\begin{array}{c}i\\ j\end{array}}\right) \le \left( \frac{e i}{j}\right) ^j \le (e \xi )^j\). Thus, we are going to break the sum into two parts:
where the last inequality follows from the fact that \(\xi \ge 2\).
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Cogliati, B., Dutta, A., Nandi, M., Patarin, J., Saha, A. (2023). Proof of Mirror Theory for a Wide Range of \(\xi _{\max }\). In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14007. Springer, Cham. https://doi.org/10.1007/978-3-031-30634-1_16
Download citation
DOI: https://doi.org/10.1007/978-3-031-30634-1_16
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30633-4
Online ISBN: 978-3-031-30634-1
eBook Packages: Computer ScienceComputer Science (R0)