\(\mathsf {CENCPP}^*\): beyond-birthday-secure encryption from public permutations

Abstract

Public permutations have been established as important primitives for the purpose of designing cryptographic schemes. While many such schemes for authentication and encryption have been proposed in the past decade, the birthday bound in terms of the primitive’s block length n has been mostly accepted as the standard security goal. Thus, remarkably little research has been conducted yet on permutation-based modes with higher security guarantees. At CRYPTO’19, Chen et al. showed two constructions with higher security based on the sum of two public permutations. Their work has sparked increased interest in this direction by the community. However, since their proposals were domain-preserving, the question of encryption schemes with beyond-birthday-bound security was left open. This work tries to address this gap by proposing \(\mathsf {CENCPP}^{*}\), a nonce-based encryption scheme from public permutations. Our proposal is a variant of Iwata’s block-cipher-based mode CENC that we adapt for public permutations, thereby generalizing Chen et al.’s Sum-of-Even-Mansour construction to a mode with variable output lengths. Like CENC, our proposal enjoys a comfortable rate-security trade-off that needs \(w + 1\) calls to the primitive for w primitive outputs. We show a tight security level for up to \(O(2^{2n/3}/w^2)\) primitive calls. While the term of \(w \ge 1\) can be arbitrary, two independent keys suffice. Beyond our proposal of \(\mathsf {CENCPP}^{*}\) in a generic setting with \(w + 1\) independent permutations, we show that only \(\log _2(w + 1)\) bits of the input for domain separation suffice to obtain a single-permutation variant with a security level of up to \(O(2^{2n/3}/w^4)\) queries.

Appendices

Analysis of Bad transcripts of DS-XORPP

We restate the lemma to aid the reader.

Lemma 7

It holds that

$$\begin{aligned} \Pr \left[ \varTheta _{\text {ideal}} \in \textsc {BadT} \right]&\le \frac{2^{2d} \left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) q_c q_p^2}{2^{2n}} + \frac{2^{d+1} w (w + 1) q_c q_p^2}{2^{2n}} + \frac{2^{d} (w + 1) \left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) q_c q_p^2}{2^{2n}}\\&\quad + \frac{2^{2d} w^3 q^2_c q_p}{2^{2n}} + \frac{2^{2d+1} w^3 q_c q^2_p}{2^{2n}} + \frac{2^{2d} w^4 q^2_c q_p}{2^{2n}}\\&\quad + \frac{2^{2d+1} w^4 q_c^2 q_p^2}{2^{3n}} + \frac{w q_c}{2^n} + \frac{\left( {\begin{array}{c}w\\ 2\end{array}}\right) q_c}{2^n}\,. \end{aligned}$$

Proof

In the following, we study the probabilities of the individual bad events. Before that, we recall the key-scheduling matrix \(\mathbf{A}\) as follows:

$$\begin{aligned} {\mathbf {A}} = \begin{bmatrix} 1 &{} 2 &{} 2^2 &{} \ldots &{} 2^w \\ 1 &{} 2^2 &{} 2^4 &{} \ldots &{} 2^2w \end{bmatrix}^{\top }. \end{aligned}$$

\({\mathbf {\mathsf{{bad}}}}_1\) This event considers the collision between the input of P corresponding to a construction query whose last d bits is \(\langle \alpha \rangle _{d} \) and the input to P corresponding to a primitive query whose last d bits is \(\langle \alpha \rangle _{d} \), and a similar collision corresponding to construction and primitive query whose last d bits is \(\langle \beta \rangle _{d} \). To bound the event, it must hold that

$$\begin{aligned} \textsf {msb} _{n-d}(2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1)&= I^i \oplus \textsf {msb} _{n-d}(U^j_{\alpha }) \quad \text {and} \\ \textsf {msb} _{n-d}(2^{\beta } \cdot K_0 \oplus 2^{2\beta } \cdot K_1)&= I^i \oplus \textsf {msb} _{n-d}(U^k_{\beta })\,. \end{aligned}$$

with \([2^{\alpha } ~~ 2^{2{\alpha }}]\) and \([2^{\beta } ~~ 2^{2{\beta }}]\) as the \((\alpha + 1)\)th and the \((\beta + 1)\)th row of A respectively. The two equations can be seen as

$$\begin{aligned} \textsf {msb} _{n-d} \left( {\mathbf {A}}' \cdot {\mathbf {K}} \right)&= \textsf {msb} _{n-d} \left( \begin{bmatrix} 2^{\alpha } &{} 2^{2\alpha } \\ 2^{\beta } &{} 2^{2\beta } \\ \end{bmatrix} \cdot \begin{bmatrix} K_0 \\ K_1 \end{bmatrix} \right) = \begin{bmatrix} I^i \oplus \textsf {msb} _{n-d}(U^j_{\alpha }) \\ I^i \oplus \textsf {msb} _{n-d}(U^k_{\beta }) \end{bmatrix} \end{aligned}$$

Since all rows of \({\mathbf {A}}\) are pairwise linearly independent, \({\mathbf {A}}'\) is non-singular. Moreover, \(K_0\) and \(K_1\) are uniform random variables over \(\{0, 1\} ^ n\). Thus, we can apply Lemma 3 and the probability of this event for a fixed choice of indices is \(2^{-2(n-d)}\). Since one can choose \(\alpha \) and \(\beta \) in \(\left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) \) ways, we obtain from the union bound over all indices

$$\begin{aligned} \Pr [\textsf {bad} _1]&\le \frac{2^{2d} \left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) q_c q_p^2}{2^{2n}}\,. \end{aligned}$$

\({\mathbf {\mathsf{{bad}}}}_2\) This event considers the collision between the input of P corresponding to a construction query whose last d bits is \(\langle 0 \rangle _{d} \) and the input to P corresponding to a primitive query whose last d bits is \(\langle 0 \rangle _{d} \), and the collision between the output of P corresponding to the same construction query whose last d bits is \(\langle \alpha \rangle _{d} \) and the output of P corresponding to a primitive query whose last d bits is \(\langle \beta \rangle _{d} \) for \(\alpha \in [w]\) and \(\beta \in [0..w]\). For this event, it must hold that

$$\begin{aligned} \textsf {msb} _{n-d}(K_0 \oplus K_1)&= I^i \oplus \textsf {msb} _{n-d}(U^j_0) \quad \text {and} \\ (2^{\alpha } \oplus 1) \cdot K_0 \oplus (2^{2\alpha } \oplus 1) \cdot K_1&= O^i_{\alpha } \oplus V^j_0 \oplus V^k_{\beta }\,. \end{aligned}$$

Note that the matrix

$$\begin{aligned} \mathbf {A'}&= \begin{bmatrix} 1 &{} 1 \\ 2^{\alpha } \oplus 1 &{} 2^{2\alpha } \oplus 1 \\ \end{bmatrix} \end{aligned}$$

is non-singular. Since \(K_0\) and \(K_1\) are uniform random variables over \(\{0, 1\} ^ n\), the probability of this event for a fixed choice of indices is \(2^d/2^{2n}\) as follows from Lemma 2. Since one can choose \(\alpha \) in w ways and \(\beta \) in \(w+1\) ways, we obtain from the union bound over all indices

$$\begin{aligned} \Pr [\textsf {bad} _2]&\le \frac{2^d w (w + 1) q_c q_p^2}{2^{2n}}\,. \end{aligned}$$

\({\mathbf {\mathsf{{bad}}}}_3\) This event considers the collision between the input of P corresponding to a construction query whose last d bits is \(\langle \alpha \rangle _{d} \) and the input to P corresponding to a primitive query whose last d bits is \(\langle \alpha \rangle _{d} \), and the collision between the output of P corresponding to the same construction query whose last d bits is \(\langle 0 \rangle _{d} \) and the output of P corresponding to a primitive query whose last d bits is \(\langle \beta \rangle _{d} \) for \(\alpha \in [w]\) and \(\beta \in [0..w]\). For this event, it must hold that

$$\begin{aligned} \textsf {msb} _{n-d}(2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1)&= I^i \oplus \textsf {msb} _{n-d}(U^j_{\alpha }) \quad \text {and} \\ (2^{\alpha } \oplus 1) \cdot K_0 \oplus (2^{2\alpha } \oplus 1) \cdot K_1&= O^i_{\alpha } \oplus V^j_{\alpha } \oplus V^k_{\beta }\,. \end{aligned}$$

Note that the matrix

$$\begin{aligned} \mathbf {A'}&= \begin{bmatrix} 2^{\alpha } &{} 2^{2\alpha } \\ 2^{\alpha } \oplus 1 &{} 2^{2\alpha } \oplus 1 \\ \end{bmatrix} \end{aligned}$$

is non-singular. Since \(K_0\) and \(K_1\) are uniform random variables over \(\{0, 1\} ^ n\), the probability of this event for a fixed choice of indices is \(2^d/2^{2n}\) as follows from Lemma 2. Since one can choose \(\alpha \) in w ways and \(\beta \) in \(w+1\) ways, we obtain from the union bound over all indices

$$\begin{aligned} \Pr [\textsf {bad} _3]&\le \frac{2^d w (w + 1) q_c q_p^2}{2^{2n}}\,. \end{aligned}$$

\({\mathbf {\mathsf{{bad}}}}_4\) This event considers the collision between the input of P corresponding to a construction query whose last d bits is \(\langle \alpha \rangle _{d} \) and the input to P corresponding to a primitive query whose last d bits is \(\langle \alpha \rangle _{d} \), and the collision between the output of P corresponding to the same construction query whose last d bits is \(\langle \beta \rangle _{d} \) and the output of P corresponding to a primitive query whose last d bits is \(\langle \gamma \rangle _{d} \) for \(\alpha \) and \(\beta \in [w]\) and \(\gamma \in [0..w]\). For this event, it must hold that

$$\begin{aligned} \textsf {msb} _{n-d}(2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1)&= I^i \oplus \textsf {msb} _{n-d}(U^j_{\alpha }) \quad \text {and} \\ (2^{\alpha } \oplus 2^{\beta }) \cdot K_0 \oplus (2^{2\alpha } \oplus 2^{2\beta }) \cdot K_1&= O^i_{\alpha } \oplus O^i_{\beta } \oplus V^j_{\alpha } \oplus V^k_{\gamma }\,. \end{aligned}$$

Note that the matrix

$$\begin{aligned} \mathbf {A'}&= \begin{bmatrix} 2^{\alpha } &{} 2^{2\alpha } \\ 2^{\alpha } \oplus 2^{\beta } &{} 2^{2\alpha } \oplus 2^{2\beta } \\ \end{bmatrix} \end{aligned}$$

is non-singular. Since \(K_0\) and \(K_1\) are uniform random variables over \(\{0, 1\} ^ n\), the probability of this event for a fixed choice of indices is \(2^d/2^{2n}\) as follows from Lemma 2. Since one can choose \(\alpha \) and \(\beta \) in \(\left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) \) ways and \(\gamma \) in \(w+1\) ways, we obtain from the union bound over all indices

$$\begin{aligned} \Pr [\textsf {bad} _4]&\le \frac{2^d (w + 1) \left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) q_c q_p^2}{2^{2n}}\,. \end{aligned}$$

\({\mathbf {\mathsf{{bad}}}}_5\) This event considers the collision between the input of P corresponding to the ith construction query whose last d bits is \(\langle 0 \rangle _{d} \) and to that of the input of corresponding primitive query and the collision between the input of P corresponding to the jth construction query whose last d bits is \(\langle 0 \rangle _{d} \) and to that of the input of corresponding primitive query and the collision between the output of P corresponding to the ith construction query whose last d bits is \(\langle \beta \rangle _{d} \) and the output of P corresponding to the jth construction query whose last d bits is \(\langle \gamma \rangle _{d} \) for \(\beta , \gamma \in [w]\). For this event, it must hold that

$$\begin{aligned} {\left\{ \begin{array}{ll} \textsf {msb} _{n-d}(K_0 \oplus K_1) = I^i \oplus \textsf {msb} _{n-d}(U^k_{0}),\\ \textsf {msb} _{n-d}(K_0 \oplus K_1) = I^j \oplus \textsf {msb} _{n-d}(U^l_{0}),\\ (2^{\beta } \oplus 2^{\gamma }) \cdot K_0 \oplus (2^{2\beta } \oplus 2^{2\gamma }) \cdot K_1 = V^k_{0} \oplus O^i_{\beta } \oplus O^j_{\gamma } \oplus V^l_0\,. \end{array}\right. } \end{aligned}$$

Note that the system of equations above can be rewritten as

$$\begin{aligned} {\left\{ \begin{array}{ll} K_0 \oplus K_1 = U^k_{0} \oplus (I^i \Vert \langle x \rangle _{d}) = U^l_{0} \oplus (I^j \Vert \langle y \rangle _{d}), ~~~~ (\textsf {E.1}) \\ (2^{\beta } \oplus 2^{\gamma }) \cdot K_0 \oplus (2^{2\beta } \oplus 2^{2\gamma }) \cdot K_1 = V^k_{0} \oplus O^i_{\beta } \oplus O^j_{\gamma } \oplus V^l_0\,, \end{array}\right. } \end{aligned}$$

where \(x, y \in \{0,1\}^d\). We can easily observe that

$$\begin{aligned} \Pr [(\textsf {E.1})] = \Pr [U^k_{0} \oplus (I^i \Vert \langle x \rangle _{d}) = U^l_{0} \oplus (I^j \Vert \langle y \rangle _{d})] \nonumber \\ \cdot \, \Pr [(\textsf {E.1}) ~|~ U^k_{0} \oplus (I^i \Vert \langle x \rangle _{d}) = U^l_{0} \oplus (I^j \Vert \langle y \rangle _{d})]. \end{aligned}$$

(27)

Let’s first fix the choice of indices of the two construction queries and the two primitive queries, and the values of \(\beta \), \(\gamma \), x and y. Now in the first case, if the last among four queries is a backward primitive query (w.l.o.g., suppose it’s \(V^k_{0}\) to obtain \(U^k_{0}\)), then the probability of Eq. (27) comes out to be \(\frac{1}{2^n}.\frac{1}{2^n}\). The first \(\frac{1}{2^n}\) comes from the randomness over \(U^k_{0}\) and the second \(\frac{1}{2^n}\) comes from the randomness over \(K_0 \oplus K_1\). And in the second case, if the last among four queries is a forward positive query (w.l.o.g., suppose it’s \(U^k_{0}\) to obtain \(V^k_{0}\)) or a construction query (w.l.o.g., suppose it’s \(I^i\) to obtain \(O^i\)), then the probability of Eq. (27) comes out to be \(1.\frac{1}{2^n}\). The \(\frac{1}{2^n}\) comes from randomness over \(K_0 \oplus K_1\). In both the cases, \(\Pr [(2^{\beta } \oplus 2^{\gamma }) \cdot K_0 \oplus (2^{2\beta } \oplus 2^{2\gamma }) \cdot K_1 = V^k_{0} \oplus O^i_{\beta } \oplus O^j_{\gamma } \oplus V^l_0] = \frac{1}{2^n}\). The \(\frac{1}{2^n}\) comes from randomness over \((2^{\beta } \oplus 2^{\gamma }) \cdot K_0 \oplus (2^{2\beta } \oplus 2^{2\gamma }) \cdot K_1\). Since the matrix

$$\begin{aligned} \begin{bmatrix} 1 &{} 1 \\ (2^{\beta } \oplus 2^{\gamma }) &{} (2^{2\beta } \oplus 2^{2\gamma }) \\ \end{bmatrix} \end{aligned}$$

is full-rank, the probability of the third equation, conditioned on the first two equations comes out to be \(\frac{1}{2^n}\), and as a result, the joint probability of all the three equations corresponding to \(\textsf {bad} _5\) comes out to be \(\frac{1}{2^{3n}}\) (in the first case) or \(\frac{1}{2^{2n}}\) (in the second case). In the first case, one can choose i and j together in \(\left( {\begin{array}{c}q_c\\ 2\end{array}}\right) \) ways, and k and l in \(q_p\) ways each. In the second case, if the last query is a forward primitive query, then i and j can be chosen in \(2 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) \) ways. But the value of the index corresponding to the last primitive query gets fixed once one fixes the value of the index of the other primitive query (This can be done in \(q_p\) ways). Similarly, if the last query is a construction query, then k and l can be chosen in \(q_p^2\) ways. But the value of the index corresponding to the last construction query gets fixed once one fixes the value of the index of the other construction query (This can be done in \(q_c\) ways). Moreover, \(\beta \) and \(\gamma \) together can be chosen in \(w^2\) ways. Thus, we obtain from the union bound over all indices and all possible values of x and y,

$$\begin{aligned} \Pr [\textsf {bad} _5]&\le \max \left( \frac{2^{2d} w^2 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p^2}{2^{3n}}, \frac{2^{2d} w^2 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p}{2^{2n}}, \frac{2^{2d} w^2 q_c q_p^2}{2^{2n}}\right) \\&\le \frac{2^{2d} w^2 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p^2}{2^{3n}} + \frac{2^{2d} w^2 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p}{2^{2n}} + \frac{2^{2d} w^2 q_c q_p^2}{2^{2n}}\,. \end{aligned}$$

\({\mathbf {\mathsf{{bad}}}}_6\) This event considers the collision between the input of P corresponding to the ith construction query whose last d bits is \(\langle \alpha \rangle _{d} \) and to that of the input of corresponding primitive query and collision between the input of P corresponding to the jth construction query whose last d bits is \(\langle \alpha \rangle _{d} \) and to that of the input of corresponding primitive query for some \(\alpha \in [w]\) and the collision between the output of P corresponding to the ith construction query whose last d bits is \(\langle \beta \rangle _{d} \) and the output of P corresponding to the jth construction query whose last d bits is \(\langle \gamma \rangle _{d} \) for \(\beta , \gamma \in [0..w]\) such that \(\alpha \ne \beta , \alpha \ne \gamma \). For this event, it must hold that

$$\begin{aligned} {\left\{ \begin{array}{ll} \textsf {msb} _{n-d}(2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1) = I^i \oplus \textsf {msb} _{n-d}(U^k_{\alpha }),\\ \textsf {msb} _{n-d}(2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1) = I^j \oplus \textsf {msb} _{n-d}(U^l_{\alpha }),\\ (2^{\beta } \oplus 2^{\gamma }) \cdot K_0 \oplus (2^{2\beta } \oplus 2^{2\gamma }) \cdot K_1 = V^k_{\alpha } \oplus V^l_{\alpha } \oplus O^i_{\alpha } \oplus O^i_{\beta } \oplus O^j_{\alpha } \oplus O^j_{\gamma }\,. \end{array}\right. } \end{aligned}$$

Note that the above system of equations can be rewritten as

$$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1 = U^k_{\alpha } \oplus (I^i \Vert \langle x \rangle _{d}),\\ 2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1 = U^l_{\alpha } \oplus (I^j \Vert \langle y \rangle _{d}),\\ (2^{\beta } \oplus 2^{\gamma }) \cdot K_0 \oplus (2^{2\beta } \oplus 2^{2\gamma }) \cdot K_1 = V^k_{\alpha } \oplus V^l_{\alpha } \oplus O^i_{\alpha } \oplus O^i_{\beta } \oplus O^j_{\alpha } \oplus O^j_{\gamma }\,, \end{array}\right. } \end{aligned}$$

where \(x, y \in \{0,1\}^d\). Using the similar reasoning while bounding \(\textsf {bad} _5\), we have

$$\begin{aligned} \Pr [\textsf {bad} _6]&\le \frac{2^{2d} w^3 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p^2}{2^{3n}} + \frac{2^{2d} w^3 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p}{2^{2n}} + \frac{2^{2d} w^3 q_c q_p^2}{2^{2n}}\,. \end{aligned}$$

\({\mathbf {\mathsf{{bad}}}}_7\) This event considers the collision between the input of P corresponding to the ith construction query whose last d bits is \(\langle 0 \rangle _{d} \) and to that of the input of corresponding primitive query and collision between the input of P corresponding to the jth construction query whose last d bits is \(\langle \alpha \rangle _{d} \) and to that of the input of corresponding primitive query for some \(\alpha \in [w]\) and the collision between the output of P corresponding to the ith construction query whose last d bits is \(\langle \beta \rangle _{d} \) and the output of P corresponding to the jth construction query whose last d bits is \(\langle \gamma \rangle _{d} \) for \(\beta \in [w]\) and \(\gamma \in [0..w]\) such that \(\alpha \ne \gamma \). For this event, it must hold that

$$\begin{aligned} {\left\{ \begin{array}{ll} \textsf {msb} _{n-d}(K_0 \oplus K_1) = I^i \oplus \textsf {msb} _{n-d}(U^k_{0})\,, \\ \textsf {msb} _{n-d}(2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1) = I^j \oplus \textsf {msb} _{n-d}(U^l_{\alpha })\,, \\ (1 \oplus 2^{\alpha } \oplus 2^{\beta } \oplus 2^{\gamma }) \cdot K_0 \oplus (1 \oplus 2^{2\alpha } \oplus 2^{2\beta } \oplus 2^{2\gamma }) \cdot K_1 \\ = V^k_{0} \oplus V^l_{\alpha } \oplus O^i_{\beta } \oplus O^j_{\alpha } \oplus O^j_{\gamma }\,. \end{array}\right. } \end{aligned}$$

Note that the above system of equations can be rewritten as

$$\begin{aligned} {\left\{ \begin{array}{ll} K_0 \oplus K_1 = U^k_{0} \oplus (I^i \Vert \langle x \rangle _{d})\,, \\ 2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1 = U^l_{\alpha } \oplus (I^j \Vert \langle y \rangle _{d})\,, \\ (1 \oplus 2^{\alpha } \oplus 2^{\beta } \oplus 2^{\gamma }) \cdot K_0 \oplus (1 \oplus 2^{2\alpha } \oplus 2^{2\beta } \oplus 2^{2\gamma }) \cdot K_1 \\ = V^k_{0} \oplus V^l_{\alpha } \oplus O^i_{\beta } \oplus O^j_{\alpha } \oplus O^j_{\gamma }\,, \end{array}\right. } \end{aligned}$$

where \(x, y \in \{0,1\}^d\). Let’s first fix the choice of indices of the two construction queries and the two primitive queries, and the values of \(\alpha \), \(\beta \), \(\gamma \), x and y. The rank of the first two equations over \(K_0\) and \(K_1\) is 2 and hence the joint probability of the first two equations comes out to be \(\frac{1}{2^{2n}}\). Once we bound the probability of the first two equations, \(K_0\) and \(K_1\) gets fixed. The probability of the third equation depends on the randomness of different variables depending on the last query.

1. 1.

   If the last among four queries is the construction query to obtain \(O^i\) from \(I^i\), then the randomness comes from \(O^i_\beta \), and the probability of the third equation comes out to be \(\frac{1}{2^n}\).

2. 2.

   If the last among four queries is the construction query to obtain \(O^j\) from \(I^j\), then the randomness comes from \(O^j_\alpha \oplus O^j_\gamma \), and the probability of the third equation comes out to be \(\frac{1}{2^n}\).

3. 3.

   If the last among four queries is the forward primitive query to obtain \(V^k_0\) from \(U^k_0\), then the randomness comes from \(V^k_0\), and the probability of the third equation comes out to be \(\frac{1}{2^n}\).

4. 4.

   If the last among four queries is the forward primitive query to obtain \(V^l_\alpha \) from \(U^l_\alpha \), then the randomness comes from \(V^l_\alpha \), and the probability of the third equation comes out to be \(\frac{1}{2^n}\).

5. 5.

   If the last among four queries is the backward primitive query to obtain \(U^k_0\) from \(V^k_0\), then the probability of the third equation comes out to be 1.

6. 6.

   If the last among four queries is the backward primitive query to obtain \(U^l_\alpha \) from \(V^l_\alpha \), then the probability of the third equation comes out to be 1.

Now, one can choose i and j together in \(2 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) \) ways. If the last query is a construction query or a forward primitive query, then one can choose k and l in \(q_p\) ways each. but if the last query is a backward primitive query, then the value of the index of the last primitive query gets fixed once one fixes the value of the index of the other primitive query (This can be done in \(q_p\) ways). Moreover, \(\beta , \gamma \) can be chosen in \(w^2\) ways and \(\alpha \) can be chosen in w ways. Thus, we obtain from the union bound over all indices and all possible values of x and y,

$$\begin{aligned} \Pr [\textsf {bad} _7]&\le \max \left( \frac{2^{2d} w^3 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p^2}{2^{3n}}, \frac{2^{2d} w^3 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p}{2^{2n}} \right) \le \frac{2^{2d} w^3 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p^2}{2^{3n}} + \frac{2^{2d} w^3 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p}{2^{2n}}\,. \end{aligned}$$

\({\mathbf {\mathsf{{bad}}}}_8\) This event considers the collision between the input of P corresponding to the ith construction query whose last d bits is \(\langle \alpha \rangle _{d} \) and to that of the input of corresponding primitive query for some \(\alpha \in [w]\) and collision between the input of P corresponding to the jth construction query whose last d bits is \(\langle \beta \rangle _{d} \) and to that of the input of corresponding primitive query for some \(\beta \in [w]\) and the collision between the output of P corresponding to the ith construction query whose last d bits is \(\langle \gamma \rangle _{d} \) and the output of P corresponding to the jth construction query whose last d bits is \(\langle \rho \rangle _{d} \) for \(\beta \in [w]\) and \(\gamma , \rho \in [0..w]\) such that \(\alpha \ne \gamma \) and \(\rho \ne \beta \). For this event, it must hold that

$$\begin{aligned} {\left\{ \begin{array}{ll} \textsf {msb} _{n-d}(2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1) = I^i \oplus \textsf {msb} _{n-d}(U^k_{\alpha })\,, \\ \textsf {msb} _{n-d}(2^{\beta } \cdot K_0 \oplus 2^{2\beta } \cdot K_1) = I^j \oplus \textsf {msb} _{n-d}(U^l_{\beta })\,, \\ (2^{\rho } \oplus 2^{\alpha } \oplus 2^{\beta } \oplus 2^{\gamma }) \cdot K_0 \oplus (2^{2\rho } \oplus 2^{2\alpha } \oplus 2^{2\beta } \oplus 2^{2\gamma }) \cdot K_1 \\ = V^k_{\alpha } \oplus V^l_{\beta } \oplus O^i_{\alpha } \oplus O^i_{\gamma } \oplus O^j_{\beta } \oplus O^j_{\rho }\,. \end{array}\right. } \end{aligned}$$

Note that the above system of equations can be rewritten as

$$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1 = U^k_{\alpha } \oplus (I^i \Vert \langle x \rangle _{d})\,, \\ 2^{\beta } \cdot K_0 \oplus 2^{2\beta } \cdot K_1 = U^l_{\beta } \oplus (I^j \Vert \langle y \rangle _{d})\,, \\ (2^{\rho } \oplus 2^{\alpha } \oplus 2^{\beta } \oplus 2^{\gamma }) \cdot K_0 \oplus (2^{2\rho } \oplus 2^{2\alpha } \oplus 2^{2\beta } \oplus 2^{2\gamma }) \cdot K_1 \\ = V^k_{\alpha } \oplus V^l_{\beta } \oplus O^i_{\alpha } \oplus O^i_{\gamma } \oplus O^j_{\beta } \oplus O^j_{\rho }\,, \end{array}\right. } \end{aligned}$$

where \(x, y \in \{0,1\}^d\). Using the similar reasoning while bounding \(\textsf {bad} _7\), we have

$$\begin{aligned} \Pr [\textsf {bad} _8]&\le \frac{2^{2d} w^4 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p^2}{2^{3n}} + \frac{2^{2d} w^4 \left( {\begin{array}{c}q_c\\ 2\end{array}}\right) q_p}{2^{2n}}\,. \end{aligned}$$

\({\mathbf {\mathsf{{bad}}}}_9\) To bound the event, it must hold that

$$\begin{aligned} (2^{\alpha } + 1) \cdot K_0 \oplus (2^{2\alpha } + 1) \cdot K_1&= O^i_{\alpha }\,. \end{aligned}$$

Since \(K_0\) and \(K_1\) are uniform random variables over \(\{0, 1\} ^ n\), the probability of this event for a fixed choice of indices is \(2^n\). Since one can choose \(\alpha \) in at most w ways and i in at most \(q_c\) ways, we obtain from the union bound over all indices

$$\begin{aligned} \Pr [\textsf {bad} _9] \le \frac{w q_c}{2^n}\,. \end{aligned}$$

\({\mathbf {\mathsf{{bad}}}}_{10}\) To bound the event, it must hold that

$$\begin{aligned} (2^{\alpha } + 2^{\beta }) \cdot K_0 \oplus (2^{2\alpha } + 2^{2\beta }) \cdot K_1&= O^i_{\alpha } + O^i_{\beta }\,. \end{aligned}$$

Since \(K_0\) and \(K_1\) are uniform random variables over \(\{0, 1\} ^ n\), the probability of this event for a fixed choice of indices is \(2^n\). Since one can choose \(\alpha \) and \(\beta \) in at most \(\left( {\begin{array}{c}w\\ 2\end{array}}\right) \) ways and i in at most \(q_c\) ways, we obtain from the union bound over all indices

$$\begin{aligned} \Pr [\textsf {bad} _{10}]&\le \frac{\left( {\begin{array}{c}w\\ 2\end{array}}\right) q_c}{2^n}\,. \end{aligned}$$

The bound in Lemma 7 follows from the sum of probabilities of the individual bad events. \(\square \)

Analysis of Good transcripts of DS-XORPP

It remains to consider the interpolation probability of good attainable transcripts. Again, we restate the lemma to aid the reader.

Lemma 8

Let \(v {\mathop {=}\limits ^{\text {def}}} w + 1\) and \(q_c + v(q_p+q_c) \le 2^{n}/2(w+1)\). For any good transcript \(\tau = \tau _c \cup \tau _0 \cup \ldots \tau _w \cup \{K_0, K_1\}\), it holds that

$$\begin{aligned} \frac{\Pr [\varTheta _{\text {real}} = \tau ]}{\Pr [\varTheta _{\text {ideal}} = \tau ]}&\ge 1 - \frac{4 v^4 q_c^3 + 4 v^4 q_c^2 q_p + v^4 q_c q_p^2}{ 2^{2n} }. \end{aligned}$$

Proof

Let \(\textsf {All} _{\text {real}} (\tau )\) denote the set of all oracles in the real world, and \(\textsf {All} _{\text {ideal}} (\tau )\) the set of all oracles in the ideal world. Let \(\textsf {Comp} _{\text {real}} (\tau )\) denote the fraction of oracles in the real world that are compatible with \(\tau \) and \(\textsf {Comp} _{\text {ideal}} (\tau )\) the corresponding fraction in the ideal world. It holds that

$$\begin{aligned} \frac{\Pr [\varTheta _{\text {real}} = \tau ]}{\Pr [\varTheta _{\text {ideal}} = \tau ]}&= \frac{|\textsf {Comp} _{\text {real}} (\tau )| \cdot |\textsf {All} _{\text {ideal}} (\tau )|}{|\textsf {Comp} _{\text {ideal}} (\tau )| \cdot |\textsf {All} _{\text {real}} (\tau )|}. \end{aligned}$$

We can easily bound three out of four terms:

$$\begin{aligned} |\textsf {All} _{\text {real}} (\tau )|&= (2^n)^2 \cdot (2^n)! \end{aligned}$$

since there exist \((2^n)^2\) keys and \(2^n!\) possible permutations. The same argument holds in the ideal world, i.e.,

$$\begin{aligned} |\textsf {All} _{\text {ideal}} (\tau )|&= (2^n)^2 \cdot (2^n)! \cdot (2^{wn})^{2^n}, \end{aligned}$$

combined with \((2^{wn})^{2^n}\) random functions for the answers to the construction queries. Moreover,

$$\begin{aligned} |\textsf {Comp} _{\text {ideal}} (\tau )|&= (2^{wn})^{2^n - q_c} \cdot (2^n - (w + 1) \cdot q_p)! \end{aligned}$$

compatible oracles exist in the ideal world, where \((2^{wn})^{2^n - q_c}\) are the random function oracles that are compatible with the construction query transcripts and \((2^n - (w + 1) q_p)!\) permutation oracles that are compatible with primitive query transcripts. Now, it remains to determine \(|\textsf {Comp} _{\text {real}} (\tau )|\). Note that

$$\begin{aligned} |\textsf {Comp}_{\mathrm {real}}(\tau )|&= \left| \left\{ P: \textsf {DS-XORPP} [P, w]_{{\mathbf {K}}} \mapsto \tau _c \wedge \bigwedge _{\alpha =0}^w P \mapsto \tau _{\alpha } \right\} \right| \,. \end{aligned}$$

For \(\alpha \in [0..w]\), let \(\textsf {Dom}_{\alpha }\) denotes the set \(\{U^i_{\alpha }: (U^i_{\alpha }, V^i_{\alpha }) \in \tau _{\alpha }\}\) and \(\textsf {Ran}_{\alpha }\) denotes the set \(\{V^i_{\alpha }: (U^i_{\alpha }, V^i_{\alpha }) \in \tau _{\alpha }\}\), then \(\bigwedge _{\alpha =0}^w P \mapsto \tau _{\alpha }\) equivalently means that for each \(\alpha \in [0..w]\), P maps elements from \(\textsf {Dom}_{\alpha }\) to \(\textsf {Ran}_{\alpha }\). Now, in order to compute \(|\textsf {Comp}_{\mathrm {real}}(\tau )|\), we regroup the queries from \(\tau _c, \tau _0, \ldots , \tau _w\) to \(\tau ^{\textsf {new}}_c, \tau ^{\textsf {new}}_0, \ldots , \tau ^{\textsf {new}}_w\). Using the similar regrouping technique, the new transcript sets are initialized by their corresponding old parts, and reordered as follows:

1. 1.

   if \(\exists i \in [q_c], j \in [q_p]\), such that \({\widehat{U}}^i_0 = U^j_0\), then

   • \(\tau _c^{\textsf {new}} \leftarrow \tau _c^{\textsf {new}} \setminus \{(I^i, \mathbf{O}^i)\}\) and

   • for all \(\alpha \in [w]\), \(\tau _{\alpha }^{\textsf {new}} \leftarrow \tau _{\alpha }^{\textsf {new}} \cup \{({\widehat{U}}^i_{\alpha }, V^j_0 \oplus O^i_{\alpha } \oplus (2^{\alpha } \oplus 1) \cdot K_0 \oplus (2^{2\alpha } \oplus 1) \cdot K_1)\}\).

2. 2.

   if \(\exists i \in [q_c], j \in [q_p]\), and \(\alpha \in [w]\) such that \({\widehat{U}}^i_{\alpha } = U^j_{\alpha }\), then

   • \(\tau _c^{\textsf {new}} \leftarrow \tau _c^{\textsf {new}} \setminus \{(I^i, \mathbf{O}^i)\}\) and

   • \(\tau _{0}^{\textsf {new}} \leftarrow \tau _{0}^{\textsf {new}} \cup \{({\widehat{U}}^i_{0}, V^j_{\alpha } \oplus O^i_{\alpha } \oplus (2^{\alpha } \oplus 1) \cdot K_0 \oplus (2^{2\alpha } \oplus 1) \cdot K_1)\}\) and

   • for all \(\beta \in [w]\) with \(\beta \ne \alpha \), \(\tau _{\beta }^{\textsf {new}} \leftarrow \tau _{\beta }^{\textsf {new}} \cup \{({\widehat{U}}^i_{\beta }, V^j_{\alpha } \oplus O^i_{\alpha } \oplus O^i_{\beta } \oplus (2^{\alpha } \oplus 2^{\beta }) \cdot K_0 \oplus (2^{2\alpha } \oplus 2^{2\beta }) \cdot K_1)\}\).

Note that the addition of elements in Steps (1) and (2) is sound. For Step (1),

• since \({\widehat{U}}^i_0\) collides with \(U^j_0\), \({\widehat{U}}^i_{\alpha }\) cannot collide with any \(U^k_{\alpha }\) for \(\alpha \in [w]\) due to \(\overline{\textsf {bad}_1}\).

• Similarly, \((V^j_0 \oplus O^i_{\alpha } \oplus (2^{\alpha } \oplus 1) \cdot K_0 \oplus (2^{2\alpha } \oplus 1) \cdot K_1)\) cannot collide with any \(V^k_{\beta }\) for \(\beta \in [0..w]\) due to \(\overline{\textsf {bad}_2}\).

• Moroever, \((V^j_0 \oplus O^i_{\alpha } \oplus (2^{\alpha } \oplus 1) \cdot K_0 \oplus (2^{2\alpha } \oplus 1) \cdot K_1)\) is distinct due to \(\overline{\textsf {bad}_5}\) and \(\overline{\textsf {bad}_7}\).

For Step (2),

• since \({\widehat{U}}^i_{\alpha }\) collides with \(U^j_{\alpha }\) for \(\alpha \in [w]\), neither \({\widehat{U}}^i_{0}\) can collide with any \(U^k_{0}\) nor \({\widehat{U}}^i_{\beta }\) can collide with any \(U^k_{\beta }\) for \(\beta \in [w]\) with \(\beta \ne \alpha \) due to \(\overline{\textsf {bad}_1}\).

• Similarly, \((V^j_{\alpha } \oplus O^i_{\alpha } \oplus (2^{\alpha } \oplus 1) \cdot K_0 \oplus (2^{2\alpha } \oplus 1) \cdot K_1)\) cannot collide with any \(V^k_{\beta }\) for any \(\beta \in [0..w]\) due to \(\overline{\textsf {bad}_3}\) and

• \((V^j_{\alpha } \oplus O^i_{\alpha } \oplus O^i_{\beta } \oplus (2^{\alpha } \oplus 2^{\beta }) \cdot K_0 \oplus (2^{2\alpha } \oplus 2^{2\beta }) \cdot K_1)\) cannot collide with \(V^k_{\gamma }\) for any \(\gamma \in [0..w]\) due to \(\overline{\textsf {bad}_4}\).

• Moroever, \((V^j_{\alpha } \oplus O^i_{\alpha } \oplus (2^{\alpha } \oplus 1) \cdot K_0 \oplus (2^{2\alpha } \oplus 1) \cdot K_1)\) is distinct due to \(\overline{\textsf {bad}_6}\) and \(\overline{\textsf {bad}_8}\).

Further note that such an addition of elements (x, y) in the transcript \(\tau _{\alpha }^{\textsf {new}}\) for \(\alpha \in [0..w]\) also updates the set \(\textsf {Dom}_{\alpha } \leftarrow \textsf {Dom}_{\alpha } \cup \{x\}\) and \(\textsf {Ran}_{\alpha } \leftarrow \textsf {Ran}_{\alpha } \cup \{y\}\). Now, given \(q_c\) constructions queries and \(q'_p = (w+1)q_p\) primitive queries to the permutation P in the original transcript, let the numbers of queries moved from \(\tau _c\) be r which includes total \(s_{\alpha }\) elements into the primitive partial transcripts \(\tau _{\alpha }\) for \(\alpha \in [0..w]\). Thus, the number of queries in the new construction transcript is denoted by \(q' = q_c - r\). Moreover, we define \(q''_{\alpha } = q_p + s_{\alpha }\), for all \(0 \le \alpha \le w\) and for each \(\alpha \in [0..w]\), \(s_{\alpha } \le q_c\). The \(w+1\) sets of transcripts, \((\tau ^{\textsf {new}}_{0}, \tau ^{\textsf {new}}_{1}, \ldots , \tau ^{\textsf {new}}_{w})\) define exactly \((q''_0, q''_1, \ldots , q''_w)\) input-output tuples for P. What remains is the counting of the number of permutations P that satisfy these \(q''_0 + \ldots + q''_w\) tuples, and that could give the remaining transcript \(\tau ^{\textsf {new}}_{c}\), i.e., we are interested to count the number of permutation P that satisfies the following system of equations:

$$\begin{aligned} {\mathbb {E}}_i = {\left\{ \begin{array}{ll} P({\widehat{U}}^i_0) \oplus P({\widehat{U}}^i_1) = O^i_1 \oplus 2 \cdot K_0 \oplus 2^2 \cdot K_1 \oplus K_0 \oplus K_1 \\ P({\widehat{U}}^i_0) \oplus P({\widehat{U}}^i_2) = O^i_2 \oplus 2^2 \cdot K_0 \oplus 2^4 \cdot K_1 \oplus K_0 \oplus K_1 \\ \vdots ~~~~ \vdots ~~~~ \vdots ~~~~~ \vdots \\ P({\widehat{U}}^i_0) \oplus P({\widehat{U}}^i_w) = O^i_w \oplus 2^w \cdot K_0 \oplus 2^{2w} \cdot K_1 \oplus K_0 \oplus K_1, \end{array}\right. } \end{aligned}$$

where \(i \in [q']\), \(U^i_{\alpha } = I^i \oplus \textsf {msb} _{n-d}(2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1) \,\Vert \, \langle \alpha \rangle _{d} \) for all \(\{(I^i, \mathbf{O}^i)\} \in \tau _c^{\textsf {new}}\), along with the fact that for each \(\alpha \in [0..w], P\) maps \(\mathcal {D}_{\alpha }\) to \(\mathcal {R}_{\alpha }\), where \(\mathcal {D}_{\alpha } = \{0,1\}^n \setminus \textsf {Dom}_{\alpha }\) and \(\mathcal {R}_{\alpha } = \{0,1\}^n \setminus \textsf {Ran}_{\alpha }\). Since \(\tau \) is a good transcript, it follows that the constants in the right hand side of each equation of \({\mathbb {E}}_i\), i.e., \(O^i_{\alpha } \oplus 2^{\alpha } \cdot K_0 \oplus 2^{2\alpha } \cdot K_1 \oplus K_0 \oplus K_1\), is non-zero, for \(\alpha \in [w]\) (due to \(\overline{\textsf {bad}_9}\)). Similarly, due to \(\overline{\textsf {bad}_{10}}\), we have all the constants in the right hand side of equations \({\mathbb {E}}_i\) distinct from each other. Note that,

$$\begin{aligned}&\mathsf {Dom}_{\alpha } {\mathop {=}\limits ^{\text {def}}} \{U^i_{\alpha }: (U^i_{\alpha }, V^i_{\alpha }) \in \tau ^{\textsf {new}}_{\alpha }\} \\&\mathsf {Ran}_{\alpha } {\mathop {=}\limits ^{\text {def}}} \{V^i_{\alpha }: (U^i_{\alpha }, V^i_{\alpha }) \in \tau ^{\textsf {new}}_{\alpha }\}. \end{aligned}$$

It is easy to see that \(|\mathcal {D}_{\alpha }| = |\mathcal {R}_{\alpha }| = (2^n - q_p - s_{\alpha })\). Note that, for each \(\alpha \in [0..w]\), \(V^{\textsf {out}}_{\alpha } = \{0,1\}^n \setminus \mathcal {R}_{\alpha }\) is the set of range values of P that are prohibited (basically these are the V values in \(\tau _{\alpha }\)). Now, for \(j = [0..q'-1]\), let

$$\begin{aligned} \lambda _{j + 1}&{\mathop {=}\limits ^{\text {def}}} \left| \left\{ ({\mathsf {P}}_0^1, \ldots , {\mathsf {P}}_0^{j + 1}, \ldots , {\mathsf {P}}_w^1, \ldots , {\mathsf {P}}_w^{j + 1}) \right\} \right| \end{aligned}$$

(28)

be the number of solutions that satisfy

1. (1)

   the system of equations \({\mathbb {E}}_1 \cup {\mathbb {E}}_2 \cup \ldots \cup {\mathbb {E}}_{j+1}\).

2. (2)

   For all \(\alpha \in [0..w]\), it holds that \({\mathsf {P}}_{\alpha }^{j + 1} \not \in \{{\mathsf {P}}_{\alpha }^1, \ldots , {\mathsf {P}}_{\alpha }^{j}\} \cup \textsf {Ran}_{0} \cup \textsf {Ran}_1 \cup \ldots \cup \textsf {Ran}_w\) .

Then, the goal is to define a recursive expression for \(\lambda _{j + 1}\) from \(\lambda _{j}\) such that a lower bound can be found for the expression \(\lambda _{j + 1} / \lambda _{j}\). It holds that

$$\begin{aligned} |\textsf {Comp} _{\text {real}} (\tau )|&= \lambda _{q'} \cdot \left( 2^n - \left( \sum _{\alpha = 0}^{w} q''_{\alpha } + (w + 1) q' \right) \right) ! \end{aligned}$$

We obtain

$$\begin{aligned} \frac{\Pr [\varTheta _{\text {real}} = \tau ]}{\Pr [\varTheta _{\text {ideal}} = \tau ]}&= \frac{\lambda _{q'} \cdot (2^n - (\sum _{\alpha = 0}^{w} q''_{\alpha } + (w + 1) q'))!}{ (2^n - (w + 1)q_p)! } \cdot (2^{wn})^{q_c}\,. \end{aligned}$$

(29)

Let \(\mathcal {B} _{(1)}\) denote the set of solutions that comply with only Condition (1) without considering Conditions (2.0) through (2.w). Moreover, let \(\mathcal {B} _{(2.\iota :i)}\) denote the set of solutions compatible with Condition (1), but not with \((2.\iota :i)\), for \(i = 1, \ldots , j + \sum _{\alpha = 0}^w|\textsf {Ran}_{\alpha }|\). From the inclusion-exclusion principle, it follows that \(\lambda _{j + 1}\) can be written as

$$\begin{aligned}&\left| \mathcal {B} _{(1)} \right| - \left| \bigg ( \bigcup _{i = 1}^{j + |\mathsf {Ran}_0| + \ldots + |\mathsf {Ran}_w|} \mathcal {B} _{(2.0:i)} \bigg ) \cup \cdots \cup \bigg ( \bigcup _{i = 1}^{j + |\mathsf {Ran}_0| + \ldots + |\mathsf {Ran}_w|} \mathcal {B} _{(2.w:i)} \bigg ) \right| \\&\quad \ge \left| \mathcal {B} _{(1)} \right| - \left| \sum _{i = 1}^{j + |\mathsf {Ran}_0| + \ldots + |\mathsf {Ran}_w|} |\mathcal {B} _{(2.0:i)}| \right| - \cdots - \left| \sum _{i = 1}^{j + |\mathsf {Ran}_w| + \ldots + |\mathsf {Ran}_w|} |\mathcal {B} _{(2.w:i)}| \right| \\&\quad \ge 2^n \cdot \lambda _{j} - \sum _{i = 1}^{j + |\mathsf {Ran}_0| + \ldots + |\mathsf {Ran}_w|} \lambda _{j} - \cdots - \sum _{i = 1}^{j + |\mathsf {Ran}_0| + \ldots + |\mathsf {Ran}_w|} \lambda _{j}\,. \end{aligned}$$

So, it follows that

$$\begin{aligned} \lambda _{j + 1}&\ge 2^n \cdot \lambda _{j} - \left( j + \sum \limits _{\alpha =0}^w q''_{\alpha } \right) \cdot \lambda _{j} - \ldots - \left( j + \sum \limits _{\alpha =0}^w q''_{\alpha } \right) \cdot \lambda _{j}\, \end{aligned}$$

where recall that \(q''_{\alpha } = q_p + s_{\alpha }\) for \(\alpha \in [0..w]\). Therefore,

$$\begin{aligned} \frac{\lambda _{j + 1}}{\lambda _{j}}&\ge 2^n - (w + 1) j - (w + 1) \left( \sum _{\alpha = 0}^{w} q''_{\alpha } \right) \,. \end{aligned}$$

with \(\lambda _0 = 1\). Let \(s = s_0 + \ldots + s_w\). It follows from Eq. (29) that

$$\begin{aligned} (29)&= \prod _{t = 0}^{s - 1} \frac{2^n}{2^n - (w + 1)q_p - t} \cdot \prod _{j = 0}^{q' - 1} \frac{\lambda _{j + 1}}{\lambda _{j}} \cdot \frac{ (2^{n})^w }{ \prod _{\alpha = 0}^{w} (2^n - \sum _{k = 0}^w q''_k - j q' - j) } \nonumber \\&\ge \prod _{j = 0}^{q' - 1} \left( \frac{ (2^n - (w + 1)j - (w + 1)\sum _{\alpha = 0}^{w} q''_\alpha )}{ \prod _{\alpha = 0}^{w} (2^n - \sum _{k = 0}^w q''_k - j q' - j) } \right) 2^{nw}\,. \end{aligned}$$

(30)

We use \(q_{\textsf {sum}} {\mathop {=}\limits ^{\text {def}}} \sum _{k = 0}^w q''_k\) and define \(p = (q' + q_{\textsf {sum}}) / 2^n\). Note that, \(0 \le p \le 1\) and therefore by applying Lemma 4 on Eq. (30), we have

$$\begin{aligned} (30)&\ge \prod _{j = 0}^{q' - 1} \left( \frac{ (2^n)^{w+1} - (w+1) \cdot p \cdot 2^{n(w + 1)} }{ (2^n - p \cdot 2 ^ n))^{w+1} } \right) \end{aligned}$$

(31)

$$\begin{aligned}&\ge \prod _{j = 0}^{q' - 1} \left( \frac{ 1 - (w + 1)p }{ 1 - (w + 1)p + \left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) p^2 } \right) \nonumber \\&= \prod _{j = 0}^{q' - 1} \left( 1 - \frac{ \left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) p^2 }{ 1 - (w + 1)p + \left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) p^2 } \right) \nonumber \\&= \prod _{j = 0}^{q' - 1} \left( 1 - \frac{ \left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) (q' + q_{\textsf {sum}})^2 }{ 2^{2n} - (w + 1)2^n(q' + q_{\textsf {sum}}) + \left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) (q' + q_{\textsf {sum}})^2 } \right) \end{aligned}$$

(32)

$$\begin{aligned}&\ge \prod _{j = 0}^{q' - 1} \left( 1 - \frac{ 2 \left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) (q' + q_{\textsf {sum}})^2 }{ 2^{2n} } \right) \end{aligned}$$

(33)

$$\begin{aligned}&\ge \left( 1 - \frac{ (w + 1) ^ 2 q' (q' + q_{\textsf {sum}})^2 }{ 2^{2n} } \right) \end{aligned}$$

(34)

$$\begin{aligned}&{\mathop {\ge }\limits ^{(1)}} \bigg (1 - \frac{ v^2 (q_c^3 + 2 q_c^2 v(q_c + q_p) + q_c v^2(q_c + q_p)^2) }{ 2^{2n} } \bigg ) \end{aligned}$$

(35)

$$\begin{aligned}&\ge \bigg (1 - \frac{ 4 v^4 q_c^3 + 4 v^4 q_c^2 q_p + v^4 q_c q_p^2 }{ 2^{2n} }\bigg )\,. \end{aligned}$$

(36)

Note that, \((w + 1)2^n(q' + q_{\textsf {sum}}) - \left( {\begin{array}{c}w + 1\\ 2\end{array}}\right) (q' + q_{\textsf {sum}})^2 \le 2^{2n}/2\) as \(q' + q_{\textsf {sum}} = q' + \sum _{\alpha = 0}^w q''_{\alpha } = q'+ (w+1)q_p + \sum _{\alpha = 0}^w s_{\alpha }\) and for each \(\alpha \in [0..w]\), \(s_{\alpha } \le q_c\) and \(q' \le q_c\), it follows that \(q_{\textsf {sum}} \le (w+1)(q_p+q_c)\), and thereby \(q' + q_{\textsf {sum}} \le q_c + (w+1)(q_p+q_c) \le 2^{n}/2 (w+1)\). (1) follows due to \(v {\mathop {=}\limits ^{\text {def}}} w+1\) and \(q' \le q_c\) and \(q_{\textsf {sum}} \le v(q_p+q_c)\). which concludes our proof. \(\square \)