Proof of Mirror Theory for a Wide Range of \(\xi _{\max }\)

Abstract

In CRYPTO’03, Patarin conjectured a lower bound on the number of distinct solutions \((P_1, \ldots , P_{q}) \in (\{0,1\}^{n})^{q}\) satisfying a system of equations of the form \(X_i \oplus X_j = \lambda _{i,j}\) such that \(P_1, P_2, \ldots \), \(P_{q}\) are pairwise distinct. This result is known as “\(P_i \oplus P_j\) Theorem for any \(\xi _{\max }\)” or alternatively as Mirror Theory for general \(\xi _{\max }\), which was later proved by Patarin in ICISC’05. Mirror theory for general \(\xi _{\max }\) stands as a powerful tool to provide a high-security guarantee for many blockcipher-(or even ideal permutation-) based designs. Unfortunately, the proof of the result contains gaps that are non-trivial to fix. In this work, we present the first complete proof of the \(P_i \oplus P_j\) theorem for a wide range of \(\xi _{\max }\), typically up to order \(O(2^{n/4}/\sqrt{n})\). Furthermore, our proof approach is made simpler by using a new type of equation, dubbed link-deletion equation, that roughly corresponds to half of the so-called orange equations from earlier works. As an illustration of our result, we also revisit the security proofs of two optimally secure blockcipher-based pseudorandom functions, and n-bit security proof for six round Feistel cipher, and provide updated security bounds.

A Postponed Proofs

1.1 A.1 Proof of Lemma 2

We fix \(S \in \gamma \subseteq \lambda \) where \(|\gamma | = \alpha \) and a set U with \(|U| = \ell +1\) disjoint with S. Let \(\tau := \gamma _{+U}\) and \(\tau ' := \gamma _{- S + (S \sqcup U)}\). In words, \(\gamma \) is a set-system that is included in \(\lambda \), U is any subset of \(\mathcal {G}\) of size \(\ell +1\), and S is an element of \(\gamma \). Then, \(\tau \) corresponds to the \(\gamma \cup \{U\}\), while \(\tau '\) corresponds to \(\tau \) after S and U have been merged. Looking back at Fig. 1, \(\tau \) and \(\tau '\) would correspond respectively to the second and third graphs. We assume that \(\gamma , U, S\) are chosen in such a manner that \(|\textsf{P}(\tau ) - \textsf{P}(\tau ')| = D(\alpha , \ell )\). Now we prove the inequality in two cases.

Case \(|U| =1\). In this case, let \(U = \{x\}\). Then \(\textsf{P}(\tau ) = \textsf{P}(\gamma )\cdot \left( 1 - \Vert \gamma \Vert /2^n\right) \) from Eq. (1). Also \(\tau '_{-x | S \sqcup U} = \gamma \). Hence from link deletion equation, Eq. (5),

$$\begin{aligned} \textsf{P}(\tau ') = \textsf{P}(\gamma ) - N^{-1} \sum _{(\delta , S') \in I} \textsf{P}(\tau '_{\delta , S'}) \end{aligned}$$

where \(I := I_{x, S} = \{(\delta , S') : x \oplus \delta \in S' \in \gamma _{-S}, S' \oplus \delta \ \text {is disjoint with}\ S \}\). For \(z' \in S' \in \gamma _{-S}\), \((x \oplus z, S') \not \in I\) if and only if there exists \(y \in S\) and \(w \in S'\) such that \(x \oplus y = z \oplus w\). Thus \(|I| \ge \sum _{S' \in \gamma _{- S}}\left( |S'| - \sum _{y \in S} 2\delta _{S'}(x \oplus y)\right) = \Vert \gamma \Vert - |S| - \sum _{y \in S} 2\delta _{\gamma _{- S}}(x \oplus y) \ge \Vert \gamma \Vert - \Vert \gamma \Vert _{\max }\cdot 2 \delta _{\gamma }\). Hence

$$\begin{aligned} D(\alpha , 0)&= |\textsf{P}(\tau ) - \textsf{P}(\tau ')| = \left| \frac{\Vert \gamma \Vert }{N} \textsf{P}(\gamma ) - N^{-1} \sum _{(\delta , S') \in I} \textsf{P}(\tau '_{\delta , S'})\right| \\&{\mathop {\le }\limits ^{(\star )}} N^{-1} \sum _{(\delta , S') \in I} |\textsf{P}(\gamma ) - \textsf{P}(\tau '_{\delta , S'})| + \frac{2\varDelta _{\gamma } \Vert \gamma \Vert _{\max } \cdot \textsf{P}(\lambda )}{N \left( 1 - \frac{\Vert \lambda \setminus \gamma \Vert _{\max } \times \Vert \gamma \Vert }{N}\right) ^{|\lambda \setminus \gamma |}}\\&\le \frac{\Vert \gamma _{-S}\Vert _{\max }}{N} \sum _{S' \in \gamma \setminus S} D(\alpha -1, |S'| - 1) + \frac{2\varDelta _{\gamma } \Vert \gamma \Vert _{\max } \cdot \textsf{P}(\lambda )}{N \left( 1 - \frac{\Vert \lambda \setminus \gamma \Vert _{\max } \times \Vert \gamma \Vert }{N}\right) ^{|\lambda \setminus \gamma |}}, \end{aligned}$$

where the last term in \((\star )\) is obtained from the initial condition Eq. (4).

Case \(|U| \ge 2\). Fix \(x \in U\). By link-deletion equation, we have

$$\begin{aligned} \textsf{P}(\tau )&= \textsf{P}(\tau _{-x|U}) - \frac{1}{N} \sum _{(\delta , S') \in I} \textsf{P}(\tau _{\delta , S'}) \\ \textsf{P}(\tau ')&= \textsf{P}(\tau '_{-x|S \sqcup U}) - \frac{1}{N} \sum _{(\delta , S') \in I'} \textsf{P}(\tau '_{\delta , S'}), \end{aligned}$$

where

$$\begin{aligned} I&:= I_{x|U} = \{(\delta , S'):x \oplus \delta \in S' \in \gamma , ~~ S' \oplus \delta \text{ is } \text{ disjoint } \text{ with } U \setminus x \}, \\ I'&:= I_{x|S \sqcup U} = \{(\delta , S'):x \oplus \delta \in S' \in \gamma _{- S}, ~~ S' \oplus \delta \text{ is } \text{ disjoint } \text{ with } S \sqcup U \setminus x \}. \end{aligned}$$

It is easy to see that \(I' \subseteq I\). If \((\delta , S') \in I \setminus I'\), then,

• either \(S' = S\) and \(\delta = x \oplus y\) for some \(y \in S\), such that \(S \oplus (x\oplus y)\) is disjoint with \(U \setminus x\) or

• \(S' \in \gamma \setminus S\) and \(\delta = x \oplus z\) for some \(z \in S'\), such that \(S' \oplus (x \oplus z)\) is disjoint with \(U \setminus x\) but not disjoint with \(S \sqcup (U \setminus x)\).

The first case can contribute at most |S|. The second case will happen if for some \(z, w \in S'\), and \(y \in S\), \(z \oplus w = x \oplus y\). Thus

$$|I \setminus I'| \le |S| + \sum _{y \in S} \delta _{\gamma _{-S}}(x \oplus y) \le \Vert \gamma \Vert _{\max } \cdot 2\varDelta _{\gamma }.$$

Hence, we have the following:

$$\begin{aligned}&D(\alpha , \ell ) = |\textsf{P}(\tau ) - \textsf{P}(\tau ')| \nonumber \\&\le \big | \textsf{P}(\tau _{-x}) - \textsf{P}(\tau '_{-x}) \big | + N^{-1} \sum _{(\delta , S') \in I'} \big | \textsf{P}(\tau _{\delta , S'}) - \textsf{P}(\tau '_{\delta , S'}) \big | + \sum _{(\delta , S') \in I \setminus I'} \textsf{P}(\tau _{\delta , S'})/N \nonumber \\&\le D(\alpha , \ell -1) + \frac{\Vert \gamma _{-S}\Vert _{\max }}{N} \sum _{S' \in \gamma _{-S}} D(\alpha -1, \ell +|S'| - 1) + \frac{2\varDelta _{\gamma } \Vert \gamma \Vert _{\max } \cdot \textsf{P}(\lambda )}{N \left( 1 - \frac{\Vert \lambda \setminus \gamma \Vert _{\max } \times \Vert \gamma \Vert }{N}\right) ^{|\lambda \setminus \gamma |}}. \end{aligned}$$

(17)

The last inequality follows from the observation that \(\tau _{\delta , S'}\) and \(\tau '_{\delta , S'}\) are considered when we take maximum to compute \(D(\alpha -1, \ell +|S'| - 1)\). Moreover, from our initial condition Eq. (4),

$$\textsf{P}(\tau _{\delta , S'}) \le \textsf{P}(\gamma ) \le \textsf{P}(\lambda ) / \left( 1 - \frac{\Vert \lambda \setminus \gamma \Vert _{\max } \times \Vert \gamma \Vert }{N}\right) ^{|\lambda \setminus \gamma |}$$

Now, taking upper bounds of the total size terms, and adding some positive terms in the middle sum, and noting that \(\varDelta _{\gamma } \le \varDelta _{\lambda }\)⁹, the inequality, Eq. (17) can be easily modified to the theorem statement, Eq. (7).

1.2 Proof of Recursive Inequality Lemma

Let us denote by an ordered tuple of integers from [q], as \(i^k := (i_1, \cdots , i_k) \in [q]^k\). Note that, for all positive integer j, \(e^j \ge \frac{j^j}{j!}\) and so \(1/j! \le (e/j)^j\), and we have

$$\begin{aligned} \left( {\begin{array}{c}m\\ j\end{array}}\right)&\le \frac{m^j}{j!} \le (em/j)^j. \end{aligned}$$

(18)

This inequality will be frequently used for the proof of this lemma. We also use the following fact extensively: for \(r < 1\), \(\sum _{j \ge i} r^j \le \frac{r^i}{1- r}\).

We state the following claim, which follows from iterated applications of the recursive inequality.

Claim 1

For any \(0 \le d \le \xi n\), and \(0 \le \ell < \xi -1\) we have

$$\begin{aligned} a_{0, \ell }&\le \sum _{k = \left\lceil \frac{d-\ell }{\xi } \right\rceil }^{d} \left( {\begin{array}{c}d\\ k\end{array}}\right) \sum _{i^k \in [q]^k} a_{k, k+ \sum _{j=1}^k\ell _{i_j} - d} + C \sum _{i = 0}^{d - 1}\sum _{j = \left\lceil \frac{i-\ell }{\xi }\right\rceil }^i \left( {\begin{array}{c}i\\ j\end{array}}\right) (4\xi e )^{-j}. \end{aligned}$$

(19)

Proof of the Claim. We prove the claim by induction on d. The result holds trivially for \(d = 1\) (by applying \(d = \ell = 0\) in Eq. (9)). Now we prove the statement for \(d_0+1\), assuming it true for \(d_0\). Therefore, we have

$$\begin{aligned} a_{0, \ell } \le&\sum _{k = \left\lceil \frac{d_0-\ell }{\xi } \right\rceil }^{d_0} \left( {\begin{array}{c}d_0\\ k\end{array}}\right) \sum _{i^k \in [q]^k} a_{k, k+ \sum _{j=1}^k\ell _{i_j} - d_0} + C \sum _{i = 0}^{d_0 - 1}\sum _{j = \left\lceil \frac{i-\ell }{\xi }\right\rceil }^i \left( {\begin{array}{c}i\\ j\end{array}}\right) (4\xi e)^{-j}\\ \le&\sum _{k = \left\lceil \frac{d_0-\ell }{\xi } \right\rceil }^{d_0} \left( {\begin{array}{c}d_0\\ k\end{array}}\right) \sum _{i^k \in [q]^k} \left( \sum _{i_{k + 1} \in [q]} a_{k+1, k+1+ \sum _{j=1}^{k+1}\ell _{i_j} - (d_0+1)} + C \cdot (4 \xi e q)^{-k}\right) \\&+ \sum _{k = \left\lceil \frac{d_0-\ell }{\xi } \right\rceil }^{d_0} \left( {\begin{array}{c}d_0\\ k\end{array}}\right) \sum _{i^k \in [q]^k} a_{k, k+ \sum _{j=1}^k\ell _{i_j} - (d_0 + 1)} + C \sum _{i = 0}^{d_0 - 1}\sum _{j = \left\lceil \frac{i-\ell }{\xi }\right\rceil }^i \left( {\begin{array}{c}i\\ j\end{array}}\right) (4\xi e)^{-j}\\ \le&\sum _{k = \left\lceil \frac{d_0 + 1-\ell }{\xi } \right\rceil }^{d_0 + 1} \left( {\begin{array}{c}d_0\\ k - 1\end{array}}\right) \sum _{i^{k - 1} \in [q]^{k - 1}}\sum _{i_{k} \in [q]} a_{k, k + \sum _{j=1}^{k}\ell _{i_j} - (d_0+1)}\\&+\sum _{k = \left\lceil \frac{d_0 + 1-\ell }{\xi } \right\rceil }^{d_0 + 1} \left( {\begin{array}{c}d_0\\ k \end{array}}\right) \sum _{i^{k} \in [q]^{k}} a_{k, k+ \sum _{j=1}^{k}\ell _{i_j} - (d_0 + 1)} + C \sum _{i = 0}^{d_0}\sum _{j = \left\lceil \frac{i-\ell }{\xi }\right\rceil }^i \left( {\begin{array}{c}i\\ j\end{array}}\right) (4\xi e)^{-j}. \end{aligned}$$

The range of the first and second summations has deliberately been taken to start from \(\left\lceil (d_0 + 1-\ell )/\xi \right\rceil \le \left\lceil (d_0-\ell )/\xi \right\rceil + 1\), because if \(k < \left\lceil (d_0 + 1-\ell )/\xi \right\rceil \), then \(k + \sum _{j=1}^{k}\ell _{i_j} - (d_0+1) \le k \xi - (d_0 + 1) <0\) and hence \(a_{k, k + \sum _{j=1}^{k}\ell _{i_j} - (d_0+1)} = 0\). Now we can see that the coefficient of \(\sum _{i^k \in [q]^k} a_{k, k + \sum _{j = 1}^k - (d_0 + 1)}\) in the above summation is bounded by \(\left( {\begin{array}{c}d_0\\ k - 1\end{array}}\right) + \left( {\begin{array}{c}d_0\\ k\end{array}}\right) = \left( {\begin{array}{c}d_0 + 1\\ k\end{array}}\right) \). This concludes the proof of the claim.    \(\square \)

Proof of Lemma 3. Let us take \(d = \xi n\). In that case, Claim 1 becomes

$$\begin{aligned} a_{0, \ell }&\le \sum _{k = \left\lceil \frac{\xi n - \ell }{\xi } \right\rceil }^{\xi n} \left( {\begin{array}{c}\xi n\\ k\end{array}}\right) \sum _{i^k \in [q]^k} a_{k, k+ \sum _{j=1}^k\ell _{i_j} - \xi n} + C \sum _{i = 0}^{\xi n - 1}\sum _{j = \left\lceil \frac{i-\ell }{\xi }\right\rceil }^i \left( {\begin{array}{c}i\\ j\end{array}}\right) (4\xi e )^{-j}. \end{aligned}$$

We are going to upper bound both terms of the sum in subsequent turns. For the first term, note that one has \(k \ge n-\frac{\ell }{\xi } > n-1\) since \(\ell < \xi - 1\) by definition. This implies that

$$ \left( {\begin{array}{c}\xi n\\ k\end{array}}\right) \le \left( \frac{e \xi n}{k}\right) ^k \le \left( \frac{e \xi n}{n-1}\right) ^k\le (2e\xi )^k. $$

Hence, using the initial bound, one has

$$\begin{aligned} \sum _{k = \left\lceil \frac{\xi n-\ell }{\xi } \right\rceil }^{\xi n} \left( {\begin{array}{c}\xi n\\ k\end{array}}\right) \sum _{i^k \in [q]^k} a_{k, k+ \sum _{j=1}^k\ell _{i_j} - \xi n}&\le \sum _{k = \left\lceil \frac{\xi n-\ell }{\xi } \right\rceil }^{\xi n} (2e\xi )^k q^k (4\xi e q)^{-k} \le \frac{4}{2^n} \le \frac{4}{N} \end{aligned}$$

As for the second term, we make the following observation: For \(\xi k < i \le \xi (k + 1)\), \(k \in (n - 1]\), \(j \ge \lceil \frac{i - \ell }{\xi } \rceil \ge k\), and hence

$$ \left( {\begin{array}{c}i\\ j\end{array}}\right) \le \left( \frac{e i}{j}\right) ^j \le \left( \frac{e \xi (k +1)}{k}\right) ^j\le (2e\xi )^j. $$

For \(0 \le i \le \xi \) and \(j \ge 1\), \(\left( {\begin{array}{c}i\\ j\end{array}}\right) \le \left( \frac{e i}{j}\right) ^j \le (e \xi )^j\). Thus, we are going to break the sum into two parts:

$$\begin{aligned} \sum _{i = 0}^{\xi n - 1}\sum _{j = \left\lceil \frac{i-\ell }{\xi }\right\rceil }^i \left( {\begin{array}{c}i\\ j\end{array}}\right) (4 \xi e)^{-j}&=\sum _{i = 0}^{\xi }\sum _{j = \left\lceil \frac{i-\ell }{\xi }\right\rceil }^i \left( {\begin{array}{c}i\\ j\end{array}}\right) (4 \xi e )^{-j} + \sum _{i = \xi + 1}^{\xi n - 1}\sum _{j = \left\lceil \frac{i-\ell }{\xi }\right\rceil }^i \left( {\begin{array}{c}i\\ j\end{array}}\right) (4 \xi e)^{-j}\\&\le \xi + 1 + \sum _{i = 0}^{\xi }\sum _{j = 1}^i (e\xi )^j(4e\xi )^{-j} + \sum _{i = \xi + 1}^{\xi n - 1}\sum _{j = \lceil i/\xi \rceil -1}^i (2e\xi )^j(4e\xi )^{-j}\\&\le \xi + 1 + \frac{\xi + 1}{3} + 4\sum _{i = \xi + 1}^{\xi n - 1}\frac{1}{2^{\lceil i/\xi \rceil }}\\&{\mathop {\le }\limits ^{(1)}} \frac{4}{3}(\xi + 1) + 2\xi {\mathop {\le }\limits ^{(2)}} 4\xi , \end{aligned}$$

where the last inequality follows from the fact that \(\xi \ge 2\).