1 Introduction

1.1 Authenticated encryption

An authenticated encryption (AE) scheme is a symmetric encryption scheme that achieves both confidentiality and authenticity of data. Recent AE schemes also accept associated data (AD) that should be authenticated but not encrypted; such schemes are sometimes called AEAD schemes. Through a significant amount of research and standardization effort (e.g., the CAESAR competition and NIST's lightweight cryptography competition), AE schemes have evolved in many ways. Although conventional AE standards (e.g., GCM [24] and CCM [29]) are built on top of block ciphers, recent AE schemes are based not only on conventional block ciphers but also on various other cryptographic primitives such as public permutations [1, 7, 11], tweakable block ciphers [5, 14, 19, 20, 23, 27], and fork ciphers [3, 4]. In addition, many analyses address security requirements for special environments such as resource-constrained and quantum computing environments. We now have various AE security notions, including nonce-misuse security, released unverified plaintext (RUP) security, and so on.

1.2 NAE, MRAE, and OAE

A nonce is an arbitrary value that should never be reused during cryptographic communication. Using a nonce in AE is a typical way of providing variability to the ciphertext, and an AE scheme using nonces is called a nonce-based AE (NAE). However, a single nonce repetition might completely break the security of NAE schemes. For example, GCM leaks its hash key as soon as a single nonce is used twice. Therefore, it is crucial to guarantee the uniqueness of nonces in NAE schemes. In order to avoid nonce repetition, NAE schemes either maintain an internal state to change the nonce for every encryption or choose the nonce as a random value using a sufficiently large amount of entropy. However, it is hard to find and reject all faulty implementations of NAE schemes, and it might be challenging to maintain the uniqueness of nonces in certain environments, for example, on a stateless device where good-quality randomness is not available.

To address this problem, Rogaway and Shrimpton [28] formalized the notion of misuse-resistant AE (MRAE). An MRAE scheme provides a reasonable level of security even if nonces are repeated. Later, the notion of nonce misuse resistance was refined by viewing the adversarial distinguishing advantage as a function of the maximum number of multi-collisions in nonce values or of the number of queries with repeated nonces (amongst all encryption queries). There has been a considerable amount of research on the design of MRAE schemes, including SIV [28], AEZ [17], and GCM-SIV [15]. However, using MRAE in practice has a fundamental efficiency problem: such schemes can never be online. In order to achieve MRAE security, each bit of the ciphertext must depend on every input bit, so encryption can start only after all the input blocks have been received. The online property and MRAE security are both highly desirable in resource-constrained environments, yet it seems hard to achieve both at the same time.

As a compromise between security and efficiency, Fleischmann et al. [13] proposed a security notion that slots between NAE and MRAE, namely, online AE (OAE) security. In an OAE scheme, the i-th ciphertext block depends only on the key and the first i blocks of the plaintext. Then, if we use a nonce as the first input block, OAE security is exactly the same as NAE security in the nonce-respecting scenario. In the case where nonces are repeated, an OAE scheme loses its privacy only up to the longest common prefix. On the other hand, OAE security guarantees data integrity even in the nonce-misuse setting.

Later, Hoang et al. [18] proposed an alternative security notion for online authenticated encryption, dubbed OAE2. They argued that the existing OAE security does not capture resistance to common-prefix-secret-suffix (CPSS) attacks, while OAE2 security guarantees better security by extending the unit of computation from blocks to segments. However, we believe that OAE2 security is not yet a perfect replacement for OAE since the proposed OAE2-secure constructions require large ciphertext expansions or achieve limited onlineness without providing full security against CPSS attacks. Therefore, in this paper, we focus on OAE-secure constructions.

1.3 Pipelineability

Suppose that a message block \(x\in X\) and a counter \(i\in {\mathcal {I}}\) are processed by an algorithm \(f: X \times {\mathcal {I}}\rightarrow Y\), where f is decomposed into \(f_1: X \times {\mathcal {I}}\rightarrow Z\) and \(f_2: Z \times {\mathcal {I}}\rightarrow Y\) such that \(f(x, i) = f_2(f_1(x, i), i)\). If \(f_1(x', i+1)\) can be computed without knowing \(f(x, i)\), then f is called pipelineable. Pipelineability is regarded as advantageous for hardware implementation. Most authenticated encryption schemes based on the Encrypt-Mix-Encrypt paradigm, such as ELmE [12] and CoLM [22], are pipelineable.

1.4 Tweakable block cipher based AE

Tweakable block ciphers (TBCs) are useful for constructing encryption modes since their additional input space gives variety to every encryption. SCT [27], \(\Theta \)CB [21], Deoxys-I/II [20], LOTUS/LOCUS-AEAD [9] and LightOCB [10] are AE schemes using TBCs as their building primitives. All these schemes provide n-bit security for the block length n, whereas most (conventional) block cipher-based AE schemes provide only n/2-bit security, namely, birthday-bound security (with respect to the block size). A TBC is also advantageous as a primitive for hashing modes because it allows both the tweak space and the message space to be used as input space, resulting in a reduced number of primitive calls per message block. As authenticated encryption can be considered a combination of encryption and hashing (for authentication), using tweakable block ciphers is one of the promising ways of building an authenticated encryption scheme that achieves both better efficiency and higher security at the same time. ZAE [19], DoveSIV [14], ZOCB and ZOTR [5] are examples of such TBC-based AEs.

1.5 Our contribution

The focus of this paper is the construction of tweakable block cipher-based online AE schemes with full n-bit OAE security and reasonable efficiency; we propose a new tweakable block cipher-based online authenticated encryption scheme, dubbed \(\textsf{ZLR}\) (ZHash–Luby–Rackoff), and its domain separation variant, dubbed \(\textsf{DS}\text {-}\textsf{ZLR}\). \(\textsf{ZLR}\) follows the Encrypt-Mix-Encrypt paradigm with a novel mixing function that allows online computation. This approach has already been used in previous constructions such as \(\textsf{ELmE}\) and \(\textsf{CoLM}\), but all of those are block cipher-based, birthday-bound secure, and of rate 1/2, where the rate is defined as the number of input blocks processed per primitive call. \(\textsf{ZLR}\) is a tweakable block cipher-based AE scheme that adopts the structure of ZMAC to reduce primitive calls and uses a Luby–Rackoff-like structure to encrypt internal states into the ciphertext blocks. More precisely, for associated data A and a message M, \(\textsf{ZLR}\) computes its tag \(T = \mathsf {ZMAC'}(A, M)\), where \(\mathsf {ZMAC'}\) is a variant of \(\textsf{ZMAC}\) with a similar structure. While computing T, \(\textsf{ZLR}\) maintains the internal state S, and encrypts T and S by a 2n-bit pseudo-random permutation which is instantiated with two TBC calls in a Luby–Rackoff-like structure. In this way, \(\textsf{ZLR}\) processes 2n-bit blocks with only a single TBC call for hashing and two TBC calls for encryption and decryption, achieving rate 2/3, when it is based on an n-bit tweakable block cipher using n-bit tweaks. Furthermore, it supports pipelined computation as well as online nonce-misuse resistance.

We also propose a domain-separated variant of \(\textsf{ZLR}\), dubbed \(\textsf{DS}\text {-}\textsf{ZLR}\). The design principle of \(\textsf{DS}\text {-}\textsf{ZLR}\) is similar to \(\textsf{ZLR}\), while the underlying tweakable block cipher uses a larger tweak space than \(\textsf{ZLR}\), which allows an efficient initialization phase. We believe that \(\textsf{ZLR}\) and \(\textsf{DS}\text {-}\textsf{ZLR}\) will be useful in protocols where high security and efficiency are required simultaneously, especially in protocols where latency is critical and online properties are required (e.g., network protocols).

Table 1 Comparison of \(\textsf{ZLR}\) and \(\textsf{DS}\text {-}\textsf{ZLR}\) with existing AE modes. n denotes the block size and t denotes the tweak size

Table 1 compares \(\textsf{ZLR}\) and \(\textsf{DS}\text {-}\textsf{ZLR}\) to well-known AE schemes based on (tweakable) block ciphers. For simplicity of comparison, we assume that all the underlying tweakable block ciphers use tweaks at least as large as blocks (i.e., \(t \ge n\)), except \(\textsf{DS}\text {-}\textsf{ZLR}\), which uses 2n-bit tweaks. Compared to block cipher-based AE schemes with online security such as \(\textsf{COPA}\), \(\textsf{CoLM}\) and \(\textsf{ELmE}\), \(\textsf{ZLR}\) enjoys stronger security and a higher rate, while it might suffer a performance loss from using TBCs and require more memory for masks and internal states. There are many TBC-based AE schemes that achieve full n-bit security, and some of them also achieve a higher rate by utilizing the tweak space of the TBC, but none of them provide OAE security.

To the best of our knowledge, \(\textsf{ZLR}\) and \(\textsf{DS}\text {-}\textsf{ZLR}\) are the first pipelineable tweakable block cipher-based OAE schemes of rate 2/3 that provide n-bit security.

2 Preliminaries

2.1 Notation

Throughout this paper, we fix a positive integer n such that \(n\ge 3\). We write \({\textbf{0}}\) to denote \(0^n\) (i.e., the n-bit string of all zeros). \(\lfloor n \rfloor \) denotes the largest integer m such that \(m \le n\). Let \(w_n = n - 2 \lfloor \frac{n}{2} \rfloor \), which is 0 if n is even and 1 otherwise. The set \(\{0,1\}^n\) is sometimes regarded as the set of integers \(\{0,1,\ldots ,2^n-1\}\) by converting an n-bit string \(a_{n-1}\cdots a_1a_0\in \{0,1\}^n\) to the integer \(a_{n-1}2^{n-1}+\cdots + a_12+a_0\). We also identify \(\{0,1\}^n\) with the finite field \(\textbf{GF}(2^n)\) with \(2^n\) elements, assuming that 2 cyclically generates all the nonzero elements of \(\textbf{GF}(2^n)\). We write \(\{0,1\}^*\) to denote the set of all binary strings including the empty string. For \(A, B \in \{0,1\}^*\), \(\left| {A} \right| \) denotes the length of A, and \(A \mathbin {\Vert }B\) denotes the concatenation of A and B. For a string \(A \in \{0,1\}^{*}\), \((A[1], A[2], \dots , A[m]) \overset{n}{\longleftarrow }\ A\) denotes that A is partitioned into strings \(A[1], \dots , A[m]\), where \(\left| {A[1]} \right| = \dots = \left| {A[m-1]} \right| = n\) and \(\left| {A[m]} \right| \le n\). For \(i=1,\ldots ,m\), let

$$\begin{aligned} A[{:\,}i] = A[1] \mathbin {\Vert }\dots \mathbin {\Vert }A[i]. \end{aligned}$$

For positive integers p and q such that \(p\le q\), we write \([q]=\{1,\ldots ,q\}\) and \([p, q] = \{p, p+1, \dots , q\}\). For a non-empty set \({\mathcal {X}}\), \(X \mathrel {\leftarrow _{\$}}{\mathcal {X}}\) denotes that X is drawn uniformly at random from \({\mathcal {X}}\). The set of all sequences that consist of b pairwise distinct elements of \({\mathcal {X}}\) is denoted \({\mathcal {X}}^{*b}\). For \(a > b\), let \((a)_b = a(a-1)\dots (a-b+1)\), and \((a)_0 = 1\) by convention. If \(\left| {{\mathcal {X}}} \right| = a\), then \((a)_b\) is the size of \({\mathcal {X}}^{*b}\).

2.2 Security notions

2.2.1 TPRPs

A tweakable permutation with tweak space \({\mathcal {W}}\) and message space \({\mathcal {X}}\) is a mapping \({\tilde{P}}:{\mathcal {W}}\times {\mathcal {X}}\rightarrow {\mathcal {X}}\) such that, for any tweak \(W \in {\mathcal {W}}\), \(x \mapsto {\tilde{P}}(W,x)\) is a permutation of \({\mathcal {X}}\). Throughout this paper, we will fix \({\mathcal {X}}= \{0,1\}^n\), and write \(\textsf{TP}({\mathcal {W}}, n)\) to mean the set of all tweakable permutations with tweak space \({\mathcal {W}}\) and message space \(\{0,1\}^n\). Let \({\tilde{E}}:{\mathcal {K}}\times {\mathcal {W}}\times \{0,1\}^n \rightarrow \{0,1\}^n\) be a keyed tweakable permutation with key space \({\mathcal {K}}\), where \({\tilde{E}}(K,W,\cdot )\) is a permutation for each \(K\in {\mathcal {K}}\) and \(W\in {\mathcal {W}}\). We write \({\tilde{E}}_K(W,X)\) for \({\tilde{E}}(K,W,X)\). A \((q, t)\)-distinguisher against \({\tilde{E}}\) is an algorithm \({\mathcal {D}}\) with oracle access to an n-bit tweakable permutation and its inverse, making at most q oracle queries, running in time at most t, and outputting a single bit. The advantage of \({\mathcal {D}}\) in breaking the TPRP-security of \({\tilde{E}}\), i.e., in distinguishing \({\tilde{E}}\) from a uniform random tweakable permutation \({\tilde{\pi }} \mathrel {\leftarrow _{\$}}\textsf{TP}({\mathcal {W}}, n)\), is defined as

$$\begin{aligned} \textsf{Adv}^{\textsf {tprp}}_{{\tilde{E}}}({\mathcal {D}}) = \left| {\Pr \left[ {K \mathrel {\leftarrow _{\$}}{\mathcal {K}}: {\mathcal {D}}^{{\tilde{E}}_K,{\tilde{E}}^{-1}_K} = 1} \right] - \Pr \left[ {{\tilde{\pi }} \mathrel {\leftarrow _{\$}}\textsf{TP}({\mathcal {W}}, n): {\mathcal {D}}^{{\tilde{\pi }},{\tilde{\pi }}^{-1}} = 1} \right] } \right| . \end{aligned}$$

We define \(\textsf{Adv}^{\textsf {tprp}}_{{\tilde{E}}}(q,t)\) as the maximum of \(\textsf{Adv}^{\textsf {tprp}}_{{\tilde{E}}}({\mathcal {D}})\) over all \((q, t)\)-distinguishers against \({\tilde{E}}\); when considering information-theoretic security, we drop t.

2.2.2 OAEs

Given a key space \({\mathcal {K}}\), an associated data (AD) space \({\mathcal {A}}\), a message space \({\mathcal {M}}\), a ciphertext space \({\mathcal {C}}\), and a tag space \({\mathcal {T}}\), an online authenticated encryption (OAE) scheme is defined by a tuple

$$\begin{aligned} \Pi = ({\mathcal {K}}, {\mathcal {A}}, {\mathcal {M}}, {\mathcal {C}}, \textsf{Enc}, \textsf{Dec}), \end{aligned}$$

where \(\textsf{Enc}\) and \(\textsf{Dec}\) denote encryption and decryption schemes, respectively. More precisely,

$$\begin{aligned} \textsf{Enc}&: {\mathcal {K}}\times {\mathcal {A}}\times {\mathcal {M}}\longrightarrow {\mathcal {C}}\times {\mathcal {T}}, \\ \textsf{Dec}&: {\mathcal {K}}\times {\mathcal {A}}\times {\mathcal {C}}\times {\mathcal {T}}\longrightarrow {\mathcal {M}}\cup \left\{ {\bot } \right\} , \end{aligned}$$

where for \(\textsf{Enc}(K,A,M) = (C,T)\), we require \(|C|=|M|\) and

$$\begin{aligned} \textsf{Dec}(K, A, C, T') = {\left\{ \begin{array}{ll} M &{}\text{ if } T=T', \\ \bot &{} \text{ otherwise }.\end{array}\right. } \end{aligned}$$

We will write \(\textsf{Enc}_K(A, M)\) to denote \(\textsf{Enc}(K, A, M)\) and \(\textsf{Dec}_K(A, C, T)\) to denote \(\textsf{Dec}(K, A, C, T)\). Throughout this paper, we will fix \({\mathcal {A}}= {\mathcal {M}}= {\mathcal {C}}= \{0,1\}^*\) and \({\mathcal {T}}= \{0,1\}^n\).

The goal of an adversary \({\mathcal {D}}\) against the OAE security of \(\Pi \) is to distinguish the real world \((\textsf{Enc}_K, \textsf{Dec}_K)\) (using a random key K, unknown to \({\mathcal {D}}\)) from the ideal world. We assume that \({\mathcal {D}}\) does not make a redundant query, including a decryption query whose input was obtained from a previous encryption query. Given associated data \(A \in {\mathcal {A}}\) and a message \(M \in {\mathcal {M}}\), let \(\$\) be a random function that outputs

$$\begin{aligned} \$_{2n}(A, M[1]) \mathbin {\Vert }\$_{2n}(A, M[{:\,}2]) \mathbin {\Vert }\dots \mathbin {\Vert }\$_{2n}(A, M) \mathbin {\Vert }\$_{n}(A, M), \end{aligned}$$

where \((M[1], \dots , M[m]) \overset{2n}{\longleftarrow }\ M\), and \(\$_{d}\) denotes a random function from \({\mathcal {A}}\times {\mathcal {M}}\) to \(\{0,1\}^d\). Then, the ideal world oracles are \((\$,\textsf{Rej})\), where \(\textsf{Rej}\) always returns \(\bot \) for every decryption query. The advantage of \({\mathcal {D}}\) in breaking the OAE-security of \(\Pi \) is defined as

$$\begin{aligned} \textsf{Adv}^{\textsf{oae}}_{\Pi }({\mathcal {D}}) = \left| {\Pr \left[ {K \mathrel {\leftarrow _{\$}}{\mathcal {K}}: {\mathcal {D}}^{\textsf{Enc}_K, \textsf{Dec}_K}=1} \right] - \Pr \left[ {{\mathcal {D}}^{\$, \textsf{Rej}} = 1} \right] } \right| . \end{aligned}$$

A \((q_e,q_d,\sigma ,l,t)\)-adversary against the OAE security of \(\Pi \) is an algorithm that makes at most \(q_e\) encryption queries to its first oracle and at most \(q_d\) decryption queries to its second oracle, and runs in time at most t, where the length of each encryption/decryption query is at most l blocks of 2n bits, and the total length of the encryption/decryption queries is at most \(\sigma \) blocks of 2n bits. We define \(\textsf{Adv}^{\textsf{oae}}_{\Pi }(q_e,q_d,\sigma ,l,t)\) as the maximum of \(\textsf{Adv}^{\textsf{oae}}_{\Pi }({\mathcal {D}})\) over all \((q_e,q_d,\sigma ,l,t)\)-adversaries \({\mathcal {D}}\) against \(\Pi \). When we consider information-theoretic security, we will drop the parameter t.

2.3 Coefficient-H technique

We will use Patarin's coefficient-H technique [26]. The goal of this technique is to upper bound the adversarial distinguishing advantage between a real construction and its ideal counterpart. In the real and the ideal worlds, an information-theoretic adversary \({\mathcal {D}}\) is allowed to make queries to certain oracles (with the same oracle interfaces), denoted \({\mathcal {O}}_{\textsf{real}}\) and \({\mathcal {O}}_{\textsf{ideal}}\), respectively. The interaction between the adversary \({\mathcal {D}}\) and the oracle determines a "transcript"; it contains all the information obtained by \({\mathcal {D}}\) during the interaction. We call a transcript \(\tau \) attainable if the probability of obtaining \(\tau \) in the ideal world is non-zero. We also denote by \({\textsf{T}}_\textrm{id}\) (resp. \({\textsf{T}}_\textrm{re}\)) the probability distribution of the transcript \(\tau \) induced by the ideal world (resp. the real world). By extension, we use the same notation to denote a random variable distributed according to each distribution.

We partition the set of attainable transcripts \(\Gamma \) into a set of “good” transcripts \(\Gamma _{\textsf{good}}\) such that the probabilities to obtain some transcript \(\tau \in \Gamma _{\textsf{good}}\) are close in the real world and the ideal world, and a set \(\Gamma _{\textsf{bad}}\) of “bad” transcripts such that the probability to obtain any \(\tau \in \Gamma _{\textsf{bad}}\) is small in the ideal world. With this partition, the coefficient-H technique is summarized by the following lemma.

Lemma 1

Let \(\Gamma = \Gamma _{\textsf{good}}\sqcup \Gamma _{\textsf{bad}}\) be a partition of the set of attainable transcripts, where there exists a non-negative real number \(\varepsilon _1\) such that for any \(\tau \in \Gamma _{\textsf{good}}\),

$$\begin{aligned} \frac{\Pr \left[ {{\textsf{T}}_\textrm{re}= \tau } \right] }{\Pr \left[ {{\textsf{T}}_\textrm{id}= \tau } \right] } \ge 1 - \varepsilon _1, \end{aligned}$$

and there exists \(\varepsilon _2\) such that \(\Pr [{\textsf{T}}_\textrm{id}\in \Gamma _{\textsf{bad}}]\le \varepsilon _2\). Then for any distinguisher \({\mathcal {D}}\), one has

$$\begin{aligned} \left| {\Pr \left[ {{\mathcal {D}}^{{\mathcal {O}}_{\textsf{real}}}=1} \right] - \Pr \left[ {{\mathcal {D}}^{{\mathcal {O}}_{\textsf{ideal}}}=1} \right] } \right| \le \varepsilon _1 + \varepsilon _2. \end{aligned}$$

We refer to [16] for the proof of Lemma 1.

3 New authenticated encryption modes

In this section, we propose new online deterministic authenticated encryption modes, dubbed \(\textsf{ZLR}\) and \(\textsf{DS}\text {-}\textsf{ZLR}\). Both \(\textsf{ZLR}\) and \(\textsf{DS}\text {-}\textsf{ZLR}\) are built on top of a tweakable block cipher

$$\begin{aligned} {\widetilde{E}}:{\mathcal {K}}\times {\mathcal {W}}\times {\mathcal {N}}\rightarrow {\mathcal {N}}, \end{aligned}$$

and a linear function

$$\begin{aligned} \rho : {\mathcal {S}}\times {\mathcal {N}}\times {\mathcal {N}}\rightarrow {\mathcal {S}}\times {\mathcal {N}}\times {\mathcal {N}}, \end{aligned}$$

where \({\mathcal {S}}= \{0,1\}^{2n}\) is the internal state space, and \({\mathcal {W}}= \{0,1\}^t\) and \({\mathcal {N}}= \{0,1\}^n\) are the tweak space and the message space of the given \({\widetilde{E}}\), respectively. We also call \(\rho \) the state update function. Additionally, for \(\rho (S,R,X) = (S',Y,Z)\), we assume that there is a special inversion function \({\hat{\rho }}^{-1}\) such that

$$\begin{aligned} {\hat{\rho }}^{-1}(S,Y,Z) = (S',R,X). \end{aligned}$$

For given \({\widetilde{E}}\) and \(\rho \), we denote the mode as

$$\begin{aligned} \textsf{ZLR}[{\widetilde{E}},\rho ] = ({\mathcal {K}},{\mathcal {A}},{\mathcal {M}},\mathsf {ZLR.Enc},\mathsf {ZLR.Dec}), \end{aligned}$$

and

$$\begin{aligned} \textsf{DS}\text {-}\textsf{ZLR}[{\widetilde{E}},\rho ] = ({\mathcal {K}},{\mathcal {A}},{\mathcal {M}},\textsf{DS}\text {-}\mathsf {ZLR.Enc},\textsf{DS}\text {-}\mathsf {ZLR.Dec}), \end{aligned}$$

where \({\mathcal {K}}\) is the key space, \({\mathcal {A}}={\mathcal {M}}=\{0,1\}^*\) are the (arbitrary-length) associated data space and message space, \(\mathsf {ZLR.Enc}\) (resp. \(\textsf{DS}\text {-}\mathsf {ZLR.Enc}\)) is the encryption algorithm, and \(\mathsf {ZLR.Dec}\) (resp. \(\textsf{DS}\text {-}\mathsf {ZLR.Dec}\)) is the decryption algorithm; both algorithms are deterministic.

Given a key \(K\in {\mathcal {K}}\), we assume that the length of a message \(M\in {\mathcal {M}}\) is divisible by 2n, and likewise for associated data \(A\in {\mathcal {A}}\). For the general case, it is sufficient to use a one-to-one padding algorithm; for example,

$$\begin{aligned} \textsf{ozp}(X) = X \mathbin {\Vert }1 \mathbin {\Vert }0^{2n-1- (|X| \bmod 2n)}. \end{aligned}$$

By using \(\textsf{ozp}\) (or any other proper padding algorithm), one can make the lengths of M and A multiples of 2n.

Now, let \(A = A[1] \mathbin {\Vert }A[2] \mathbin {\Vert }\dots \mathbin {\Vert }A[a]\) and \(M = M[1] \mathbin {\Vert }M[2] \mathbin {\Vert }\dots \mathbin {\Vert }M[m]\), where \(|A[\alpha ]| = |M[\beta ]| = 2n\) for \(\alpha \in [a]\) and \(\beta \in [m]\). We write \(A[\alpha ] = A_L[\alpha ] \mathbin {\Vert }A_R[\alpha ]\) and \(M[\beta ] = M_L[\beta ] \mathbin {\Vert }M_R[\beta ]\), where \(A_L[\alpha ], A_R[\alpha ], M_L[\beta ], M_R[\beta ] \in \{0,1\}^n\). Figures 1, 2 and 3 show graphical representations and pseudocode of \(\mathsf {ZLR.Enc}\) and \(\textsf{DS}\text {-}\mathsf {ZLR.Enc}\). While \(\textsf{ZLR}\) needs additional masking computation compared to \(\textsf{DS}\text {-}\textsf{ZLR}\), \(\textsf{DS}\text {-}\textsf{ZLR}\) needs a primitive with a larger tweak space. Therefore, \(\textsf{ZLR}\) and \(\textsf{DS}\text {-}\textsf{ZLR}\) represent a trade-off between computational cost and primitive constraints.

Fig. 1 Algorithm \(\mathsf {ZLR.Enc}\) (left) and \(\textsf{DS}\text {-}\mathsf {ZLR.Enc}\) (right) based on \({\widetilde{E}}\) with a key K

Fig. 2 \(\textsf{ZLR}\) algorithm

Fig. 3 \(\textsf{DS}\text {-}\textsf{ZLR}\) algorithm. We denote \({\widetilde{E}}_K^{t_1}(t_2,m) = {\widetilde{E}}_K( \textsf{Pad}_t(t_1 \mathbin {\Vert }t_2), m )\) and \({\widetilde{E}}_K^{-1,t_1}(t_2,c) = {\widetilde{E}}_K^{-1}( \textsf{Pad}_t(t_1 \mathbin {\Vert }t_2), c )\)

3.1 ZLR

\(\textsf{ZLR}\) maintains and updates a 2n-bit state S by processing each associated data block and message block in order. We denote the i-th state by S[i], with the initial state \(S[0] = {\textbf{0}}\). For a given tweakable block cipher \({\widetilde{E}}\) with a secret key \(K\in {\mathcal {K}}\) and tweak space \({\mathcal {W}}=\{0,1\}^n\), \(\textsf{ZLR}\) first pre-computes masking values \(\Delta _i\) for \(i=1,\dots ,6\) that are used in both encryption and decryption. To achieve the claimed security, at least two random variables are required in each system of equations arising in the collision analysis. At the same time, we want to minimize the number of primitive calls needed to produce the masks. Considering all of the above, \(\textsf{ZLR}\) generates the masking values as follows:

$$\begin{aligned} \Delta _1&= {\widetilde{E}}_K({{\textbf {0}}},{{\textbf {0}}}),&\Delta _3&= {\widetilde{E}}_K({{\textbf {0}}},{{\textbf {2}}}),&\Delta _5&= \Delta _1 \mathbin {\oplus } \Delta _3, \\ \Delta _2&= {\widetilde{E}}_K({{\textbf {0}}},{{\textbf {1}}}),&\Delta _4&= {\widetilde{E}}_K({{\textbf {0}}},{{\textbf {3}}}),&\Delta _6&= \Delta _2 \mathbin {\oplus } \Delta _4. \end{aligned}$$

For given associated data \(A = A[1] \mathbin {\Vert }A[2] \mathbin {\Vert }\dots \mathbin {\Vert }A[a]\), message \(M = M[1] \mathbin {\Vert }M[2] \mathbin {\Vert }\dots \mathbin {\Vert }M[m]\) and \(i \in [a+m]\), we define the i-th state S[i] and the intermediate values X[i], Y[i] and Z[i] as follows:

  1. for an associated data block with given \(\alpha \in [a]\),

    $$\begin{aligned} X[\alpha ]&= {\widetilde{E}}_K( A_R[\alpha ] \mathbin {\oplus } 2^{\alpha -1} \Delta _2 , A_L[\alpha ] \mathbin {\oplus } 2^{\alpha -1} \Delta _1 ),\\ (S[\alpha ], Y'[\alpha ], Z'[\alpha ])&= \rho ( S[\alpha -1], X[\alpha ], A_R[\alpha ] \mathbin {\oplus } 2^{\alpha -1} \Delta _2 ); \end{aligned}$$

  2. for a message block with given \(\beta \in [m]\),

    $$\begin{aligned} X[\beta + a]&= {\widetilde{E}}_K( M_R[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _4 , M_L[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _3 ),\\ (S[\beta + a], Y[\beta ], Z[\beta ])&= \rho ( S[\beta + a -1], X[\beta + a], M_R[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _4 ). \end{aligned}$$

Note that \(Y'[\alpha ]\) and \(Z'[\alpha ]\) are never used; the construction uses \(S[\alpha ]\) only. Hence one may gain slightly better efficiency by implementing the encryption algorithm so that it computes only \(S[\alpha ]\) for associated data blocks. Using the above intermediate values, the encryption/decryption process can be described as follows:

  1. In the encryption algorithm of \(\textsf{ZLR}\), let \((A, M)\) be the queried data of \(\mathsf {ZLR.Enc}\). For \(\beta \in [m]\), the \(\beta \)-th ciphertext block \(C[\beta ] = C_L[\beta ] \mathbin {\Vert }C_R[\beta ]\) is obtained by the following calculations:

    $$\begin{aligned} C_R[\beta ]&= {\widetilde{E}}_K( Y[\beta ], Z[\beta ] ) \mathbin {\oplus } 2^{\beta -1}\Delta _6, \\ C_L[\beta ]&= {\widetilde{E}}_K( {\widetilde{E}}_K( Y[\beta ], Z[\beta ] ), Y[\beta ] ) \mathbin {\oplus } 2^{\beta -1}\Delta _5. \end{aligned}$$

    After the encryption phase, \(S[a+m]\) is the final internal state, and we write \(S[a+m] = U \mathbin {\Vert }V\) for \(U,V\in \{0,1\}^n\). Using \(S[a+m]\), an n-bit authentication tag T is derived as \(T = {\widetilde{E}}_K( V, U )\).

  2. In the decryption algorithm of \(\textsf{ZLR}\), the blocks are processed in the same order as in \(\mathsf {ZLR.Enc}\); however, the calculations for each block are performed in reverse order. Let \((A, C, T)\) be the queried data of \(\mathsf {ZLR.Dec}\). First, obtain the a-th internal state S[a] by processing the associated data blocks in the same way as \(\mathsf {ZLR.Enc}\). For \(\beta \in [m]\), obtain the intermediate values \(Y[\beta ]\) and \(Z[\beta ]\) from the \(\beta \)-th ciphertext block \(C[\beta ] = C_L[\beta ] \mathbin {\Vert }C_R[\beta ]\):

    $$\begin{aligned} Y[\beta ]&= {\widetilde{E}}_K^{-1} ( C_R[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _6, C_L[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _5 ), \\ Z[\beta ]&= {\widetilde{E}}_K^{-1} ( Y[\beta ], C_R[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _6 ). \end{aligned}$$

    Note that the \((\beta + a - 1)\)-th internal state \(S[\beta + a - 1]\) is already known when the \(\beta \)-th ciphertext block is processed. The remaining intermediate value \(X[\beta + a ]\) and the partial message block \(M_R[\beta ]\) are derived from \(Y[\beta ]\), \(Z[\beta ]\), and \(S[\beta + a - 1]\) with the inversion function \({\hat{\rho }}^{-1}\):

    $$\begin{aligned} ( X[\beta + a ], M_R[\beta ] ) = {\hat{\rho }}^{-1} (S[\beta + a -1], Y[\beta ] , Z[\beta ] ). \end{aligned}$$

    Recall that, by definition,

    $$\begin{aligned} X[\beta + a ] = {\widetilde{E}}_K( M_R[\beta ]\mathbin {\oplus }2^{\beta -1}\Delta _4, M_L[\beta ]\mathbin {\oplus }2^{\beta -1}\Delta _3 ), \end{aligned}$$

    and therefore,

    $$\begin{aligned} M_L[\beta ] = {\widetilde{E}}_K^{-1}( M_R[\beta ]\mathbin {\oplus } 2^{\beta -1}\Delta _4 , X[\beta + a ] ) \mathbin {\oplus } 2^{\beta -1}\Delta _3. \end{aligned}$$

    After all ciphertext blocks are decrypted, the final internal state \(S[a+m] = U \mathbin {\Vert }V\) is available and the algorithm checks whether \(T = {\widetilde{E}}_K( V, U )\). If \(T \ne {\widetilde{E}}_K( V, U )\), the algorithm returns \(\bot \) and nothing else; otherwise, it returns the decrypted message \(M = M[1] \mathbin {\Vert }\dots \mathbin {\Vert }M[m]\).
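The ZLR encryption and decryption steps above, as a toy Python reference implementation added here (it is not the authors' code). It assumes n = 64, a hypothetical SHA-256-based Feistel network standing in for \({\widetilde{E}}\) (not a secure TBC), and a simple linear \(\rho \) chosen only so that the inversion property \({\hat{\rho }}^{-1}(S,Y,Z) = (S',X,R)\) holds; the paper's own conditions on \(\rho \) are given in Sect. 3.3, and the masks, block processing, Luby–Rackoff-style output encryption, tag derivation and reject-on-mismatch follow Sect. 3.1 literally.

```python
# Toy reference implementation of ZLR (added example, not the authors' code).
# Hypothetical choices: n = 64; the TBC E~ is a 4-round Feistel network with
# SHA-256 round functions (a stand-in for a real TBC, not secure); rho is a
# simple linear state update chosen so that rho_hat_inv(S, Y, Z) = (S', X, R)
# holds.  The paper's actual requirements on rho are given in its Sect. 3.3.
# A and M must already be padded to multiples of 2n = 128 bits (e.g. with ozp).
import hashlib
import hmac

N, HALF = 64, 32
MASK, HMASK = (1 << N) - 1, (1 << HALF) - 1
POLY = 0x1B  # x^64 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_double(x: int) -> int:
    """Multiply by 2 in GF(2^64); used to step the 2^(i-1) * Delta masks."""
    x <<= 1
    return (x ^ POLY) & MASK if x >> N else x

def _round(key: bytes, tweak: int, rnd: int, half: int) -> int:
    data = key + tweak.to_bytes(8, "big") + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def tbc_enc(key: bytes, tweak: int, x: int) -> int:
    """E~_K(tweak, x): toy tweakable permutation on n = 64 bits."""
    l, r = x >> HALF, x & HMASK
    for i in range(4):
        l, r = r, l ^ _round(key, tweak, i, r)
    return (l << HALF) | r

def tbc_dec(key: bytes, tweak: int, y: int) -> int:
    """E~_K^{-1}(tweak, y): inverse of tbc_enc."""
    l, r = y >> HALF, y & HMASK
    for i in reversed(range(4)):
        l, r = r ^ _round(key, tweak, i, l), l
    return (l << HALF) | r

def rho(S, X, R):
    """Toy linear state update (S, X, R) -> (S', Y, Z); S is a pair of n-bit words."""
    SL, SR = S
    return (SR ^ X, gf_double(SL) ^ R), X ^ SL, R ^ SR

def rho_hat_inv(S, Y, Z):
    """Inversion function: (S, Y, Z) -> (S', X, R), i.e. solve rho for X and R."""
    X, R = Y ^ S[0], Z ^ S[1]
    return rho(S, X, R)[0], X, R

def _masks(key: bytes):
    """Delta_1..Delta_6 exactly as defined in Sect. 3.1."""
    d1, d2, d3, d4 = (tbc_enc(key, 0, c) for c in range(4))
    return d1, d2, d3, d4, d1 ^ d3, d2 ^ d4

def _blocks(data: bytes):
    """Split into 2n-bit blocks, returned as (left, right) n-bit halves."""
    if len(data) % 16:
        raise ValueError("length must be a multiple of 2n bits; pad first")
    return [(int.from_bytes(data[i:i + 8], "big"), int.from_bytes(data[i + 8:i + 16], "big"))
            for i in range(0, len(data), 16)]

def _absorb_ad(key: bytes, A: bytes, d1: int, d2: int):
    S = (0, 0)  # S[0] = 0
    for AL, AR in _blocks(A):
        X = tbc_enc(key, AR ^ d2, AL ^ d1)
        S = rho(S, X, AR ^ d2)[0]  # Y'[alpha], Z'[alpha] are never used
        d1, d2 = gf_double(d1), gf_double(d2)
    return S

def zlr_encrypt(key: bytes, A: bytes, M: bytes):
    """ZLR.Enc: returns (C, T) with |C| = |M| and an n-bit tag T."""
    d1, d2, d3, d4, d5, d6 = _masks(key)
    S, C = _absorb_ad(key, A, d1, d2), bytearray()
    for ML, MR in _blocks(M):
        X = tbc_enc(key, MR ^ d4, ML ^ d3)
        S, Y, Z = rho(S, X, MR ^ d4)
        inner = tbc_enc(key, Y, Z)                # first Luby-Rackoff-style call
        CR, CL = inner ^ d6, tbc_enc(key, inner, Y) ^ d5
        C += CL.to_bytes(8, "big") + CR.to_bytes(8, "big")
        d3, d4, d5, d6 = map(gf_double, (d3, d4, d5, d6))
    U, V = S
    return bytes(C), tbc_enc(key, V, U).to_bytes(8, "big")

def zlr_decrypt(key: bytes, A: bytes, C: bytes, T: bytes):
    """ZLR.Dec: returns M, or None if the tag does not verify."""
    d1, d2, d3, d4, d5, d6 = _masks(key)
    S, M = _absorb_ad(key, A, d1, d2), bytearray()
    for CL, CR in _blocks(C):
        inner = CR ^ d6
        Y = tbc_dec(key, inner, CL ^ d5)
        Z = tbc_dec(key, Y, inner)
        S, X, R = rho_hat_inv(S, Y, Z)            # R = M_R xor 2^(beta-1) Delta_4
        ML = tbc_dec(key, R, X) ^ d3
        M += ML.to_bytes(8, "big") + (R ^ d4).to_bytes(8, "big")
        d3, d4, d5, d6 = map(gf_double, (d3, d4, d5, d6))
    U, V = S
    if not hmac.compare_digest(tbc_enc(key, V, U).to_bytes(8, "big"), T):
        return None  # reject; release no plaintext
    return bytes(M)
```

Encrypting two messages that share their first 2n-bit block under the same key and AD yields identical first ciphertext blocks, which is exactly the common-prefix leakage OAE permits under nonce misuse.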

3.2 DS-ZLR

\(\textsf{DS}\text {-}\textsf{ZLR}\), similarly to \(\textsf{ZLR}\), maintains and updates a 2n-bit state S, denoting the i-th state by S[i] with the initial state \(S[0] = {\textbf{0}}\). We also define \(\textsf{Pad}_t\) as a padding algorithm that produces a t-bit string. It can be any such algorithm, but for simplicity we define \(\textsf{Pad}_t\) so that, for \(X \in \{0,1\}^{t-d}\) with \(0\le d<t\), \(\textsf{Pad}_t(X)\) returns \(X\mathbin {\Vert }0^d\). We write A as an element of \({\mathbb {Z}}\) or of \(\{0,1\}^d\) for an arbitrary d interchangeably, so that \(A \mathbin {\Vert }B\) with \(A \in {\mathbb {Z}}\) makes sense with the appropriate conversion into a binary string. For a given tweakable block cipher \({\widetilde{E}}\) with a secret key \(K\in {\mathcal {K}}\) and a large enough tweak space \({\mathcal {W}}= \{0,1\}^t\), the \((i-1)\)-th internal state \(S[i-1]\), and the i-th message (or associated data) block M[i] (resp. A[i]), we define the i-th state S[i] and the i-th intermediate values X[i], Y[i] and Z[i] as follows:

  1. For an associated data block with given \(\alpha \in [a]\),

    $$\begin{aligned} X[\alpha ]&= {\widetilde{E}}_K( \textsf{Pad}_t(0 \mathbin {\Vert }\alpha \mathbin {\Vert }A_R[\alpha ]), A_L[\alpha ] ),\\ (S[\alpha ], Y'[\alpha ], Z'[\alpha ])&= \rho ( S[\alpha -1], X[\alpha ], A_R[\alpha ] ), \end{aligned}$$

  2. For a message block with given \(\beta \in [m]\),

    $$\begin{aligned} X[\beta + a ]&= {\widetilde{E}}_K( \textsf{Pad}_t(1 \mathbin {\Vert }\beta \mathbin {\Vert }M_R[\beta ]), M_L[\beta ] ),\\ (S[\beta + a ], Y[\beta ], Z[\beta ])&= \rho ( S[\beta + a -1], X[\beta + a ], M_R[\beta ] ). \end{aligned}$$

Similarly to \(\textsf{ZLR}\), the encryption/decryption process can be described as follows:

  1. 1.

    In the encryption algorithm of \(\textsf{DS}\text {-}\textsf{ZLR}\), let (AM) be a queried data of \(\textsf{DS}\text {-}\mathsf {ZLR.Enc}\). For \(\beta \in [m]\), the \(\beta \)-th ciphertext block \(C[\beta ] = C_L[\beta ] \mathbin {\Vert }C_R[\beta ]\) is obtained by following calculations:

    $$\begin{aligned} C_R[\beta ]&= {\widetilde{E}}_K( \textsf{Pad}_t(2\mathbin {\Vert }\beta \mathbin {\Vert }Y[\beta ]), Z[\beta ] ), \\ C_L[\beta ]&= {\widetilde{E}}_K( \textsf{Pad}_t(3\mathbin {\Vert }\beta \mathbin {\Vert }C_R[\beta ]), Y[\beta ] ). \end{aligned}$$

    After the encryption phase, \(S[a+m]\) is the final internal state and denote \(S[a+m] = U \mathbin {\Vert }V\) for \(U,V\in \{0,1\}^n\). Using \(S[a+m]\), an n-bit authentication tag T is derived by a following calculation:

    $$\begin{aligned} T = {\widetilde{E}}_K( \textsf{Pad}_t(4\mathbin {\Vert }0^l \mathbin {\Vert }V), U ), \end{aligned}$$

    where l implies a length of \(a+m\) in binary manner.

  2. 2.

    In the decryption algorithm of \(\textsf{DS}\text {-}\textsf{ZLR}\), let (ACT) be a queried data of \(\mathsf {ZLR.Dec}\). At first, obtain the a-th internal state S[a] by processing associated data blocks by the same way as \(\mathsf {ZLR.Enc}\). For \(\beta \in [m]\), obtain the intermediate values \(Y[\beta ]\) and \(Z[\beta ]\) by using \(\beta \)-th ciphertext block \(C[\beta ] = C_L[\beta ] \mathbin {\Vert }C_R[\beta ]\):

    $$\begin{aligned} Y[\beta ]&= {\widetilde{E}}_K^{-1} ( \textsf{Pad}_t(3\mathbin {\Vert }\beta \mathbin {\Vert }C_R[\beta ]), C_L[\beta ] ), \\ Z[\beta ]&= {\widetilde{E}}_K^{-1} ( \textsf{Pad}_t(2\mathbin {\Vert }\beta \mathbin {\Vert }Y[\beta ]), C_R[\beta ] ). \end{aligned}$$

    The \((\beta + a - 1)\)-th internal state \(S[\beta + a - 1]\) is already known once the \((\beta - 1)\)-th ciphertext block has been decrypted (for \(\beta = 1\) it is S[a]). The remaining intermediate value \(X[\beta + a ]\) and the partial message block \(M_R[\beta ]\) are derived from \(Y[\beta ]\), \(Z[\beta ]\), and \(S[\beta + a - 1]\) with the inversion function \({\hat{\rho }}^{-1}\):

    $$\begin{aligned} ( X[\beta + a ], M_R[\beta ] ) = {\hat{\rho }}^{-1} (S[{\beta + a -1}], Y[\beta ] , Z[\beta ] ). \end{aligned}$$

    Remark that, by the definition,

    $$\begin{aligned} X[\beta + a ] = {\widetilde{E}}_K( \textsf{Pad}_t(1 \mathbin {\Vert }\beta \mathbin {\Vert }M_R[\beta ]), M_L[\beta ] ), \end{aligned}$$

    and therefore,

    $$\begin{aligned} M_L[\beta ] = {\widetilde{E}}_K^{-1}( \textsf{Pad}_t(1 \mathbin {\Vert }\beta \mathbin {\Vert }M_R[\beta ]), X[\beta + a ] ). \end{aligned}$$

    After all ciphertext blocks are decrypted, the final internal state \(S[a+m] = U \mathbin {\Vert }V\) is obtained and the algorithm checks whether \(T = {\widetilde{E}}_K( \textsf{Pad}_t(4\mathbin {\Vert }0^l \mathbin {\Vert }V), U )\) holds. If \(T \ne {\widetilde{E}}_K( \textsf{Pad}_t(4\mathbin {\Vert }0^l \mathbin {\Vert }V), U )\), the algorithm returns only \(\bot \); otherwise, it returns the decrypted message \(M = M[1] \mathbin {\Vert }\dots \mathbin {\Vert }M[m]\).

Note that, for the tweak space to cover all tweak inputs, we need \(t \ge n + \lceil \log _2 (\max (a,m)) \rceil + 3\).

Fig. 4 Algorithm \(\mathsf {ZLR.Enc}\) based on \({\widetilde{E}}\) with a key K

3.3 State update function

Remark that the state update function \(\rho : {\mathcal {S}}\times {\mathcal {N}}\times {\mathcal {N}}\rightarrow {\mathcal {S}}\times {\mathcal {N}}\times {\mathcal {N}}\) must be paired with an inversion function \({\hat{\rho }}^{-1}: {\mathcal {S}}\times {\mathcal {N}}\times {\mathcal {N}}\rightarrow {\mathcal {S}}\times {\mathcal {N}}\times {\mathcal {N}}\) such that, whenever \(\rho (S,X,R) = (S',Y,Z)\), we have \({\hat{\rho }}^{-1}(S,Y,Z) = (S',X,R)\). Also recall that \({\mathcal {S}}=\{0,1\}^{2n}\) and \({\mathcal {N}}= \{0,1\}^n\). For the efficiency of the algorithm, it is desirable that \(\rho \) be as simple as possible. On the other hand, if \(\rho \) is so simple that it cannot guarantee security, the entire construction may become vulnerable to distinguishing attacks. In summary, the state update function should satisfy the following properties.

  1.

    It must be invertible.

  2.

    Every input bit must affect the next state, the Y value and the Z value.

  3.

    Every output bit must affect the previous state, the X value and the R value (in the inverse direction).

We need to define \(\rho \) (and \({\hat{\rho }}^{-1}\)) so that the probability of the bad events is small enough, while at the same time keeping \(\rho \) as simple as possible.

In this paper, we define \(\rho \) as follows: for \(S_L,S_R,X,R \in \{0,1\}^n\),

$$\begin{aligned} \rho (S_L\mathbin {\Vert }S_R, X, R) = (S'_L \mathbin {\Vert }S'_R, S_R\mathbin {\oplus } X \mathbin {\oplus } R, S_L \mathbin {\oplus } X), \end{aligned}$$
(1)

where \(S'_L = 2 \cdot (S_L \mathbin {\oplus } X \mathbin {\oplus } R)\) and \(S'_R = S_R \mathbin {\oplus } X\). For such a \(\rho \) and given \(S_L,S_R,Y,Z \in \{0,1\}^n\), it is easy to see that

$$\begin{aligned} {\hat{\rho }}^{-1} (S_L\mathbin {\Vert }S_R, Y, Z) = (S'_L\mathbin {\Vert }S'_R, X, R), \end{aligned}$$

where \(X=S_L \mathbin {\oplus } Z\), \(R=S_L \mathbin {\oplus } S_R \mathbin {\oplus } Y \mathbin {\oplus } Z\), \(S'_L = 2 \cdot (S_L \mathbin {\oplus } X \mathbin {\oplus } R)\) and \(S'_R = S_R \mathbin {\oplus } X\); indeed, \(Z = S_L \mathbin {\oplus } X\) determines X, and then \(Y = S_R \mathbin {\oplus } X \mathbin {\oplus } R\) determines R. With this construction, we can compute the internal variables in \(\textsf{ZLR}\); for \(\alpha \in [m]\), \(Y[\alpha ]\) and \(Z[\alpha ]\) are given by the following equations,

$$\begin{aligned} Y[\alpha ] =\;&M_{R}[\alpha ] \mathbin {\oplus } 2^{\alpha -1}\Delta _4 \mathbin {\oplus } \bigoplus _{\beta = 1}^{a + \alpha } X[\beta ], \end{aligned}$$
(2)
$$\begin{aligned} Z[\alpha ] =\;&X[a + \alpha ] \mathbin {\oplus } \bigoplus _{\beta = 1}^{a} 2^{a + \alpha - \beta }\left( {X[\beta ] \mathbin {\oplus } A_{R}[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _2} \right) \nonumber \\&\mathbin {\oplus } \bigoplus _{\beta = 1}^{\alpha - 1} 2^{\alpha - \beta }\left( {X[a + \beta ] \mathbin {\oplus } M_{R}[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _4} \right) . \end{aligned}$$
(3)

Also, the final state \(S= U\mathbin {\Vert }V\) can be formulated by following equations,

$$\begin{aligned} U =&\bigoplus _{\beta = 1}^{a} 2^{a + m+1 - \beta }\left( {X[\beta ] \mathbin {\oplus } A_{R}[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _2} \right) \nonumber \\&\,\mathbin {\oplus } \bigoplus _{\beta = 1}^{m} 2^{m+1 - \beta }\left( {X[a + \beta ] \mathbin {\oplus } M_{R}[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _4} \right) , \end{aligned}$$
(4)
$$\begin{aligned} V =&\bigoplus _{\beta = 1}^{a + m} X[\beta ]. \end{aligned}$$
(5)
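The following Python is an added example, not code from the paper or its authors. It models the \(\textsf{DS}\text {-}\textsf{ZLR}\) data flow of Sect. 3 together with the state update \(\rho \) of (1) and its inverse \({\hat{\rho }}^{-1}\) from Sect. 3.3, and checks three things a practitioner cares about: decryption inverts encryption, a ciphertext block depends only on the associated data and the message prefix up to that block (the online property behind the OAE claim), and a modified tag or modified associated data is rejected. The tweakable block cipher (a toy Feistel network built from HMAC-SHA256), the fixed-width byte encoding of \(\textsf{Pad}_t\), the \(\textrm{GF}(2^n)\) polynomial used for the doubling \(2 \cdot (\cdot )\), and the initial state \(S[0] = 0^{2n}\) are assumptions of the example and are not given on the page.

```python
# Added example, not code from the paper: a runnable model of the DS-ZLR data
# flow of Sect. 3 with the state update rho of eq. (1) and its inverse.  E~ is a
# stand-in (4-round Feistel, HMAC-SHA256 round function keyed with K and the
# tweak): a correct permutation per tweak, but NOT secure and NOT the paper's.
import hashlib
import hmac

N = 128              # block size n in bits; AD/message/ciphertext blocks are 2n bits
MASK = (1 << N) - 1
POLY = 0x87          # assumption: "2 ." is doubling in GF(2^128) (OCB/GCM polynomial)

def dbl(x):
    """Multiplication by 2 in GF(2^n)."""
    x <<= 1
    return (x & MASK) ^ POLY if x >> N else x

def rho(s, x, r):
    """rho(S_L||S_R, X, R) = (S'_L||S'_R, Y, Z), eq. (1)."""
    sl, sr = s
    return (dbl(sl ^ x ^ r), sr ^ x), sr ^ x ^ r, sl ^ x

def rho_inv(s, y, z):
    """rho^-1(S_L||S_R, Y, Z) = (S'_L||S'_R, X, R), Sect. 3.3."""
    sl, sr = s
    x, r = sl ^ z, sl ^ sr ^ y ^ z
    return (dbl(sl ^ x ^ r), sr ^ x), x, r

def tweak(domain, idx, v):
    """Pad_t(domain || idx || v), modelled as fixed-width byte fields (assumption)."""
    return bytes([domain]) + idx.to_bytes(8, "big") + v.to_bytes(N // 8, "big")

def _round(key, tw, rnd, half):
    data = tw + bytes([rnd]) + half.to_bytes(N // 16, "big")
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest()[:N // 16], "big")

def tbc(key, tw, m):
    """Stand-in E~_K(tw, m): 4-round Feistel over two n/2-bit halves."""
    l, r = m >> (N // 2), m & ((1 << (N // 2)) - 1)
    for rnd in range(4):
        l, r = r, l ^ _round(key, tw, rnd, r)
    return (l << (N // 2)) | r

def tbc_inv(key, tw, c):
    """Stand-in E~_K^{-1}(tw, c)."""
    l, r = c >> (N // 2), c & ((1 << (N // 2)) - 1)
    for rnd in reversed(range(4)):
        l, r = r ^ _round(key, tw, rnd, l), l
    return (l << (N // 2)) | r

def absorb_ad(key, ad, s):
    # Associated data blocks only update the state (tweak prefix 0); Y, Z are unused.
    for a, blk in enumerate(ad, 1):
        al, ar = blk >> N, blk & MASK
        s, _, _ = rho(s, tbc(key, tweak(0, a, ar), al), ar)
    return s

def encrypt(key, ad, msg):
    """DS-ZLR.Enc.  Assumption: initial state S[0] = 0^{2n} (not shown on the page)."""
    s = absorb_ad(key, ad, (0, 0))
    ct = []
    for b, blk in enumerate(msg, 1):
        ml, mr = blk >> N, blk & MASK
        s, y, z = rho(s, tbc(key, tweak(1, b, mr), ml), mr)
        cr = tbc(key, tweak(2, b, y), z)
        cl = tbc(key, tweak(3, b, cr), y)
        ct.append((cl << N) | cr)
    u, v = s
    return ct, tbc(key, tweak(4, 0, v), u)

def decrypt(key, ad, ct, tag):
    """DS-ZLR.Dec: the list of message blocks, or None standing for the reject symbol."""
    s = absorb_ad(key, ad, (0, 0))
    msg = []
    for b, blk in enumerate(ct, 1):
        cl, cr = blk >> N, blk & MASK
        y = tbc_inv(key, tweak(3, b, cr), cl)
        z = tbc_inv(key, tweak(2, b, y), cr)
        s, x, mr = rho_inv(s, y, z)
        msg.append((tbc_inv(key, tweak(1, b, mr), x) << N) | mr)
    u, v = s
    # Plaintext exists before the tag check: never release it unless the check passes.
    return msg if tbc(key, tweak(4, 0, v), u) == tag else None

# Constructed sample inputs (not from the paper): 32-byte key, 2 AD and 3 message blocks.
KEY = bytes(range(32))
AD = [int.from_bytes(hashlib.sha256(b"ad%d" % i).digest(), "big") for i in range(2)]
MSG = [int.from_bytes(hashlib.sha256(b"msg%d" % i).digest(), "big") for i in range(3)]

def roundtrip_ok():
    ct, tag = encrypt(KEY, AD, MSG)
    return decrypt(KEY, AD, ct, tag) == MSG

def online_prefix_ok():
    """OAE property: C[1], C[2] depend only on (A, M[:2]); changing M[3] changes C[3] only."""
    ct, _ = encrypt(KEY, AD, MSG)
    ct2, _ = encrypt(KEY, AD, MSG[:2] + [MSG[2] ^ 1])
    return ct[:2] == ct2[:2] and ct[2] != ct2[2]

def tamper_rejected():
    ct, tag = encrypt(KEY, AD, MSG)
    return decrypt(KEY, AD, ct, tag ^ 1) is None and decrypt(KEY, AD[:1], ct, tag) is None
```

The `online_prefix_ok` check makes the OAE trade-off concrete: two messages with the same associated data and the same first two blocks produce the same first two ciphertext blocks, so an observer learns where they first diverge, which is exactly the leakage MRAE rules out and OAE accepts. The `decrypt` routine also shows the RUP caveat from Sect. 1: all message blocks are computed before the tag comparison, so an implementation must discard them, not return them, when the comparison fails.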

4 Security of DS-ZLR

We claim the following OAE security bound for \(\textsf{DS}\text {-}\textsf{ZLR}\).

Theorem 1

Let l and w be non-negative integers such that \(w \ge n + \lceil \log _2(l)\rceil + 3\), let \({\widetilde{E}}: {\mathcal {K}}\times \{0,1\}^w \times \{0,1\}^n \rightarrow \{0,1\}^n\) be a tweakable block cipher and \(\rho \) be the state update function given in Sect. 3.3. Then for non-negative integers \(q_e\), \(q_d\), \(\sigma \), and t such that \(q_e, \sigma < 2^{n-1}\), we have

$$\begin{aligned} \textsf{Adv}^{\textsf{oae}}_{\textsf{DS}\text {-}\textsf{ZLR}[{\tilde{E}}, \rho ]}(q_e,q_d,\sigma ,l,t)&\le \frac{2q_d}{2^n} + \frac{6q^2 + 8\sigma ^2 +\sigma l}{2^{2n}} + \textsf{Adv}^{\textsf{tprp}}_{{\tilde{E}}}(3\sigma +q,t+t'), \end{aligned}$$

where \(q = q_e + q_d\) and \(t'\) is the time complexity necessary to compute \({\widetilde{E}}\) for \(3\sigma +q\) queries.

For a better understanding, we give a brief overview of the proof in this section. Since the security bound of \(\textsf{DS}\text {-}\textsf{ZLR}\) is easier to prove, we provide our proof of Theorem 1 first. The core idea of our proof is simple: we use the standard coefficient-H technique. We define bad events, namely \(\textsf{bad}_1\) and \(\textsf{bad}_2\), to rule out any collision between two primitive calls. Additional information on the internal states is given to the adversary for free at the end of the distinguishing game, but before it decides its final output. The probability of the bad events, which handle the collisions, can be computed using these internal states. In particular, upper bounding the probability of \(\textsf{bad}_2\) needs some tedious computation, but all we need to do is divide the analysis into all possible cases and bound each case. We obtain Theorem 1 from (10) and Lemmas 2 and 3.

4.1 Proof setup

Fix a \((q_e, q_d, \sigma , l, t)\)-adversary \({\mathcal {A}}\) against \(\textsf{DS}\text {-}\textsf{ZLR}[{\tilde{E}}, \rho ]\). Up to the TPRP security of \({\tilde{E}}\), \({\tilde{E}}\) can be replaced by a random tweakable permutation \({\tilde{\pi }}\). Precisely, the cost of this replacement is upper bounded by

$$\begin{aligned} \textsf{Adv}^{\textsf{tprp}}_{{\tilde{E}}}(3\sigma + q, t+t'), \end{aligned}$$

where \(t'\) is the time complexity necessary to compute \({\widetilde{E}}\) for \(3\sigma +q\) queries.

Let \(\$\) denote the online random function defined as in Sect. 2.2. \({\mathcal {A}}\) has to distinguish \((\mathsf {ZLR.Enc}, \mathsf {ZLR.Dec})\) and \((\$, \textsf{Rej})\) using \(q_e\) encryption queries and \(q_d\) decryption queries. In the real world, the adversary \({\mathcal {A}}\) interacts with \(\textsf{DS}\text {-}\textsf{ZLR}= (\mathsf {ZLR.Enc}, \mathsf {ZLR.Dec})\). In the ideal world, \({\mathcal {A}}\) interacts with \((\$, \textsf{Rej})\).

In the i-th encryption query, \({\mathcal {A}}\) queries with the associated data \(A_i\) and the message \(M_i\), and gets the ciphertext \(C_i\) and the tag \(T_i\). In the j-th decryption query, \({\mathcal {A}}\) queries with the associated data \(A'_j\), the ciphertext \(C'_j\), and the tag \(T'_j\), and gets \(b'_j = M'_j\) or \(\bot \). Then let

$$\begin{aligned} \tau _e&= (A_i, M_i, C_i, T_i)_{i \in [q_e]}, \\ \tau _d&= (A'_j, C'_j, T'_j, b'_j)_{j \in [q_d]}, \end{aligned}$$

denote the lists of the encryption queries and the decryption queries, respectively. We can assume that the adversary makes all the decryption queries after all the encryption queries are done, for the following reason.

  • Adversary \({\mathcal {A}}'\) assumes that all the decryption queries would return \(\bot \), and makes its encryption queries under this assumption.

  • If one of the decryption queries actually returns \(M'_j\) for some \(j \in [q_d]\), then \({\mathcal {A}}\) and \({\mathcal {A}}'\) have the same distinguishing advantage 1.

  • If all the decryption queries return \(\bot \), then \({\mathcal {A}}\) and \({\mathcal {A}}'\) have the same distinguishing advantage since there is no change in the information.

Therefore, let \(q = q_e + q_d\) and we can rearrange the queries and their answers as

$$\begin{aligned} \left\{ {(A_i, M_i, C_i, T_i)_{i \in [q_e]}, (A_j, C_j, T_j, b_j)_{j \in [q_e+1, q]}} \right\} . \end{aligned}$$

Recall that \(|A_i| \bmod 2n = |M_i| \bmod 2n = |C_i| \bmod 2n = 0\) for all \(i \in [q]\). Now for \(i \in [q]\), set:

$$\begin{aligned} (A_i[1], \dots , A_i[a_i])&\overset{2n}{\longleftarrow }\ A_i; \\ (C_i[1], \dots , C_i[m_i])&\overset{2n}{\longleftarrow }\ C_i. \end{aligned}$$

Similarly, for \(i \in [q_e]\), set:

$$\begin{aligned} (M_i[1], \dots , M_i[m_i])&\overset{2n}{\longleftarrow }\ M_i. \end{aligned}$$

Let \(l_i = a_i + m_i\) for \(i \in [q]\), then \(\sigma = \sum _{i \in [q]} l_i\) and \(l = \max \left\{ {l_i: i \in [q]} \right\} \).

We define the following index sets:

$$\begin{aligned} {\mathcal {P}}_A&= \left\{ {(i, \alpha ): i \in [q], \alpha \in [a_i]} \right\} ; \\ {\mathcal {P}}_M&= \left\{ {(i, \alpha ): i \in [q_e], \alpha \in [m_i]} \right\} ; \\ {\mathcal {P}}_C&= \left\{ {(i, \alpha ): i \in [q], \alpha \in [m_i]} \right\} , \end{aligned}$$

which denote the sets of indices of the associated data blocks, the message blocks, and the ciphertext blocks, respectively. Now we reveal the actual internal variables \(X_i[\alpha ]\), \(Y_i[\alpha ]\), and \(Z_i[\alpha ]\). In the real world, they are defined as follows:

  • for \((i, \alpha ) \in {\mathcal {P}}_A\), \(X_i[\alpha ] = {\tilde{\pi }}(\textsf{Pad}_t(0 \mathbin {\Vert }\alpha \mathbin {\Vert }A_{i,R}[\alpha ]), A_{i,L}[\alpha ])\);

  • for \((i, \alpha ) \in {\mathcal {P}}_M\), \(X_i[a_i+\alpha ] = {\tilde{\pi }}(\textsf{Pad}_t(1 \mathbin {\Vert }\alpha \mathbin {\Vert }M_{i,R}[\alpha ]), M_{i,L}[\alpha ])\);

  • for \((i, \alpha ) \in {\mathcal {P}}_C\), \(Y_i[\alpha ] = {\tilde{\pi }}^{-1}(\textsf{Pad}_t(3 \mathbin {\Vert }\alpha \mathbin {\Vert }C_{i,R}[\alpha ]), C_{i,L}[\alpha ])\);

  • for \((i, \alpha ) \in {\mathcal {P}}_C\), \(Z_i[\alpha ] = {\tilde{\pi }}^{-1}(\textsf{Pad}_t(2 \mathbin {\Vert }\alpha \mathbin {\Vert }Y_i[\alpha ]), C_{i,R}[\alpha ])\).

On the other hand, in the ideal world, for \(i \in [q_e]\) and \(\alpha \in [l_i]\), \(X_i[\alpha ]\) is chosen according to the following rules. For \(i \in [q_e]\),

  • if \(\alpha \in [a_i]\) and there exists \(j < i\) such that \(A_i[\alpha ] = A_j[\alpha ]\), set \(X_i[\alpha ] = X_j[\alpha ]\);

  • if \(\alpha \in [m_i]\) and there exists \(j < i\) such that \(M_i[\alpha ] = M_j[\alpha ]\), set \(X_i[a_i+\alpha ] = X_j[a_j+\alpha ]\);

  • if \(\alpha \in [a_i]\), sample \(X_i[\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) different from \(X_j[\alpha ]\) for all \(j \in [q_e]\) satisfying \(a_j \ge \alpha \), \(A_i[\alpha ] \ne A_j[\alpha ]\), and \(A_{i, R}[\alpha ] = A_{j, R}[\alpha ]\);

  • if \(\alpha \in [m_i]\), sample \(X_i[a_i+\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) different from \(X_j[a_j+\alpha ]\) for all \(j \in [q_e]\) satisfying \(m_j \ge \alpha \), \(M_i[\alpha ] \ne M_j[\alpha ]\), and \(M_{i, R}[\alpha ] = M_{j, R}[\alpha ]\);

  • otherwise, sample \(X_i[\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) uniformly at random.

Now \(Y_i[\alpha ]\) and \(Z_i[\alpha ]\) for \(i \in [q_e]\) and \(\alpha \in [m_i]\) are given by (2) and (3), and they are revealed as well. For \(i \in [q_e+1, q]\) and \(\alpha \in [m_i]\), \(Y_i[\alpha ]\) and \(Z_i[\alpha ]\) are chosen according to the following rules:

  • if there exists \(j < i\) such that \(C_i[\alpha ] = C_j[\alpha ]\), set \(Y_i[\alpha ] = Y_j[\alpha ]\) and \(Z_i[\alpha ] = Z_j[\alpha ]\);

  • if there exists \(j < i\) such that \(C_i[\alpha ] \ne C_j[\alpha ]\) and \(C_{i, R}[\alpha ] = C_{j, R}[\alpha ]\), sample \(Y_i[\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) different from \(Y_j[\alpha ]\) for all such j, and sample \(Z_i[\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) uniformly at random;

  • otherwise, sample \(Y_i[\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) and \(Z_i[\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) uniformly at random.

Finally, \({\mathcal {A}}\) attains the following transcript:

$$\begin{aligned} \tau = \left\{ {(A_i, M_i, X_i, Y_i, Z_i, C_i, T_i)_{i \in [q_e]}, (A_i, X_i, Y_i, Z_i, C_i, T_i, b_i)_{i \in [q_e+1, q]}} \right\} . \end{aligned}$$

4.2 Defining bad events

In this section, we define the bad events. For \(i \in [q]\), let \(U_i \mathbin {\Vert }V_i\) be the final state \(S_i[l_i]\), where \(U_i\) and \(V_i\) are given by (4) and (5). To describe the bad cases, we define some functions that take indices as input. Let

  • \({\mathcal {I}}_1 = \left\{ {(i, \alpha ) \in {\mathcal {P}}_A: \forall j < i, A_i[\alpha ] \ne A_j[\alpha ]} \right\} \);

  • \({\mathcal {I}}_2 = \left\{ {(i, \alpha ) \in {\mathcal {P}}_M: \forall j < i, M_i[\alpha ] \ne M_j[\alpha ]} \right\} \);

  • \({\mathcal {I}}_3 = {\mathcal {I}}_4 = \left\{ {(i, \alpha ) \in {\mathcal {P}}_C: \forall j < i, C_i[\alpha ] \ne C_j[\alpha ]} \right\} \).

For \(r\in [4]\), let \(f_r, g_r: {\mathcal {I}}_r \mathop {\mathrm {\rightarrow }}\limits (\{0,1\}^n)^2\) be functions where

$$\begin{aligned} f_1(i,\alpha )&= (A_{i,R}[\alpha ], A_{i,L}[\alpha ]),&g_1(i,\alpha )&= (A_{i,R}[\alpha ], X_i[\alpha ]), \\ f_2(i,\alpha )&= (M_{i,R}[\alpha ], M_{i,L}[\alpha ]),&g_2(i,\alpha )&= (M_{i,R}[\alpha ], X_i[a_i+\alpha ]), \\ f_3(i,\alpha )&= (Y_i[\alpha ], Z_i[\alpha ]),&g_3(i,\alpha )&= (Y_i[\alpha ], C_{i,R}[\alpha ]), \\ f_4(i,\alpha )&= (C_{i,R}[\alpha ], Y_i[\alpha ]),&g_4(i,\alpha )&= (C_{i,R}[\alpha ], C_{i,L}[\alpha ]). \end{aligned}$$

Note that \(f_r\) gives the pair of the tweak and the input of each tweakable block cipher call, and \(g_r\) gives the pair of the tweak and the output of each tweakable block cipher call. For \(r \in [4]\), we define the following events.

  • \(\textsf{IC}_{r} \mathop {\mathrm {\Leftrightarrow }}\limits \) there exists \(((i,\alpha ), (j, \alpha )) \in {\mathcal {I}}_r^{*2}\) such that \(i \ne j\) and \(f_r(i,\alpha ) = f_r(j, \alpha )\);

  • \(\textsf{OC}_{r} \mathop {\mathrm {\Leftrightarrow }}\limits \) there exists \(((i,\alpha ), (j, \alpha )) \in {\mathcal {I}}_r^{*2}\) such that \(i \ne j\) and \(g_r(i,\alpha ) = g_r(j, \alpha )\),

and let

  • \(\textsf{IC}_{5} \mathop {\mathrm {\Leftrightarrow }}\limits \) there exists distinct \(i, j \in [q]\) such that \((V_i, U_i) = (V_j, U_j)\);

  • \(\textsf{OC}_{5} \mathop {\mathrm {\Leftrightarrow }}\limits \) there exists distinct \(i,j \in [q_e]\) such that \((V_i, T_i) = (V_j, T_j)\).

A transcript \(\tau \) is defined as bad if one of the following events occurs:

  1.

    \(\textsf{bad}_1 \mathop {\mathrm {\Leftrightarrow }}\limits \) there exist \(i, j \in [q_e]\) and \(\alpha \in [\min \left\{ {m_i, m_j} \right\} ]\) such that \((A_i, M_i[:\alpha ]) \ne (A_j, M_j[:\alpha ])\) and \(C_i[\alpha ] = C_j[\alpha ]\);

  2.

    \(\textsf{bad}_2 \mathop {\mathrm {\Leftrightarrow }}\limits \mathop {\mathrm {\bigvee }}\limits _{1 \le r \le 5} (\textsf{IC}_{r} \vee \textsf{OC}_{r})\).

Let \(\Gamma _\textsf{bad}\) denote the set of all bad transcripts.

4.3 Analyzing good transcripts

In this section, we will prove the following lemma.

Lemma 2

For any \(\tau \notin \Gamma _{\textsf{bad}}\),

$$\begin{aligned} \frac{\Pr \left[ {{\textsf{T}}_\textrm{re}= \tau } \right] }{\Pr \left[ {{\textsf{T}}_\textrm{id}= \tau } \right] } \ge 1 - \frac{2q_d}{2^n}. \end{aligned}$$

Proof

Fix \(\tau \notin \Gamma _{\textsf{bad}}\). For the proof, we define following sets,

  • \({\mathcal {I}}'_3 = \left\{ {(i, \alpha ): i \in [q_e+q_d], \alpha \in [m_i], \forall j < i, (A_i, C_i[:\alpha ]) \ne (A_j, C_j[:\alpha ])} \right\} \).

  • \(W_{1}[\alpha , v] = \left\{ {(i, \alpha ) \in {\mathcal {I}}_1: A_{i, R}[\alpha ] = v} \right\} \);

  • \(W_{2}[\alpha , v] = \left\{ {(i, \alpha ) \in {\mathcal {I}}_2: M_{i, R}[\alpha ] = v} \right\} \);

  • \(W_{3}[\alpha , v] = \left\{ {(i, \alpha ) \in {\mathcal {I}}'_3: C_{i, R}[\alpha ] = v} \right\} \);

  • \(W_{4}[\alpha , v] = \left\{ {(i, \alpha ) \in {\mathcal {I}}'_3: Y_i[\alpha ] = v} \right\} \),

and following notations,

  • \(u_{j}[\alpha , v] = \left| {W_{j}[\alpha , v]} \right| \) for \(j \in [4]\);

  • \(u_{5}[\alpha ] = \left| {\left\{ {(i, \alpha ) \in {\mathcal {I}}'_3: \forall j < i, C_i[\alpha ] \ne C_j[\alpha ]} \right\} } \right| \);

  • \(u_6^e[v] = \left| {\left\{ {i \in [q_e]: V_i = v} \right\} } \right| \);

  • \(u_6^d[v] = \left| {\left\{ {i \in [q_e+1, q_e+q_d]: V_i = v} \right\} } \right| \).

For \(j\in [4]\), let

$$\begin{aligned} W_{j}^e[\alpha , v] = \left\{ {(i, \alpha ) \in W_{j}[\alpha , v]: i \in [q_e]} \right\} , \end{aligned}$$

and

$$\begin{aligned} W_{j}^d[\alpha , v] = W_{j}[\alpha , v] \setminus W_{j}^e[\alpha , v]. \end{aligned}$$

We also denote \(u_{j}^e[\alpha , v] = \left| {W_{j}^e[\alpha , v]} \right| \) and \(u_{j}^d[\alpha , v] = \left| {W_{j}^d[\alpha , v]} \right| \), so we have \(u_{j}[\alpha , v] = u_{j}^e[\alpha , v] + u_{j}^d[\alpha , v]\).

First, we consider the ideal world. The probability that the ciphertexts \(C_1, \dots , C_{q_e}\) are given is \(\frac{1}{2^{2n| {\mathcal {B}}|}}\) where \({\mathcal {B}}= \{ (A_i, M_i[:\alpha ]): 1 \le i \le q_e, \alpha \in [m_i] \}\), and the probability that the tags \(T_1, \dots , T_{q_e}\) are given is \(\frac{1}{2^{nq_e}}\). Let \({\textbf{X}}, {\textbf{Y}}, {\textbf{Z}}\) be the distributions of \((X_1, \dots , X_{q_e+q_d})\), \((Y_{q_e+1}, \dots , Y_{q_e+q_d})\), and \((Z_{q_e+1}, \dots , Z_{q_e+q_d})\), respectively. First, \(X_i[\alpha ]\) and \(X_j[\alpha ]\) are sampled to be distinct whenever the corresponding blocks differ but share the right half, i.e., \(A_{i, R}[\alpha ] = A_{j, R}[\alpha ]\) or \(M_{i, R}[\alpha ] = M_{j, R}[\alpha ]\). Therefore, for each \(v \in \{0,1\}^n\) and \(\alpha \in [a_i]\), the probability that the \(X_i[\alpha ]\)'s with \(A_{i, R}[\alpha ] = v\) are given according to the associated data is \(\frac{1}{(2^n)_{u_{1}[\alpha , v]}}\). Similarly, for each \(v \in \{0,1\}^n\) and \(\alpha \in [m_i]\), the probability that the corresponding \(X_i[a_i+\alpha ]\)'s with \(M_{i, R}[\alpha ] = v\) are given according to the message is \(\frac{1}{(2^n)_{u_{2}[\alpha , v]}}\). Hence,

$$\begin{aligned} \Pr \left[ {{\textbf{X}}= (X_1, \dots , X_{q_e+q_d})} \right]&= \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n)_{u_{1}[\alpha , v]}} \times \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n)_{u_{2}[\alpha , v]}}. \end{aligned}$$

Also, \(Y_i[\alpha ]\) and \(Y_j[\alpha ]\) are sampled to be distinct whenever \(C_{i, R}[\alpha ] = C_{j, R}[\alpha ]\), while \(\left\{ {Y_i} \right\} _{1 \le i \le q_e}\) is determined by \((X_1, \dots , X_{q_e+q_d})\). Therefore, for each \(v \in \{0,1\}^n\) and \(\alpha \in [l]\), the probability that the corresponding \(Y_i[\alpha ]\)'s are given is \(\frac{1}{(2^n - u_{3}^{e}[\alpha , v])_{u_{3}^{d}[\alpha , v]}}\). Hence, as in the case above,

$$\begin{aligned} \Pr \left[ {{\textbf{Y}}= (Y_{q_e+1}, \dots , Y_{q_e+q_d}) | {\textbf{X}}} \right] = \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n - u_{3}^{e}[\alpha , v])_{u_{3}^{d}[\alpha , v]}}. \end{aligned}$$

Now, since \(Z_i[\alpha ]\)’s are given uniformly at random in decryption queries,

$$\begin{aligned} \Pr \left[ {{\textbf{Z}}= (Z_{q_e+1}, \dots , Z_{q_e+q_d})} \right] = \prod _{1 \le \alpha \le l} \frac{1}{(2^n)^{u_5[\alpha ]}}. \end{aligned}$$

Hence, we can conclude the following probability.

$$\begin{aligned} \Pr \left[ {{\textsf{T}}_\textrm{id}= \tau } \right] =\;&\frac{1}{2^{2n| {\mathcal {B}}|}} \times \frac{1}{2^{nq_e}} \times \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n)_{u_{1}[\alpha , v]}} \times \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n)_{u_{2}[\alpha , v]}} \nonumber \\&\times \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n - u_{3}^{e}[\alpha , v])_{u_{3}^{d}[\alpha , v]}} \nonumber \\&\times \left( {\prod _{1 \le \alpha \le l} \frac{1}{(2^n)^{u_5[\alpha ]}}} \right) . \end{aligned}$$
(6)

Now, we consider the real world. First, the probability that every decryption query is answered with \(\bot \) is lower bounded by

$$\begin{aligned} \prod _{v \in \{0,1\}^n} \left( {1 - \frac{1}{2^n - u_6^e[v]}} \right) ^{u_6^d[v]} \ge \left( {1 - \frac{1}{2^n - q_e}} \right) ^{q_d} \ge 1 - \frac{q_d}{2^n-q_e}. \end{aligned}$$

Since \(\textsf{bad}_2\) does not occur in any good transcript, the number of tweakable block cipher calls over all queries that have

  1.

    \((0 \mathbin {\Vert }\alpha ) \mathbin {\Vert }v\) as tweak is \(u_1[\alpha , v]\);

  2.

    \((1 \mathbin {\Vert }\alpha ) \mathbin {\Vert }v\) as tweak is \(u_2[\alpha , v]\);

  3.

    \((2 \mathbin {\Vert }\alpha ) \mathbin {\Vert }v\) as tweak is \(u_3[\alpha , v]\);

  4.

    \((3 \mathbin {\Vert }\alpha ) \mathbin {\Vert }v\) as tweak is \(u_4[\alpha , v]\);

  5.

    \((4 \mathbin {\Vert }0^l) \mathbin {\Vert }v\) as tweak is \(u_6^e[v]\),

for fixed \(v \in \{0,1\}^n\), and the calls under one tweak have pairwise distinct inputs and pairwise distinct outputs since neither \(\textsf{IC}_{r}\) nor \(\textsf{OC}_{r}\) occurs. Therefore,

$$\begin{aligned} \Pr \left[ {{\textsf{T}}_\textrm{re}= \tau } \right] \ge&\prod _{\begin{array}{c} 1 \le \alpha \le l \\ v \in \{0,1\}^n \end{array}} {\frac{1}{(2^n)_{u_1[\alpha , v]}(2^n)_{u_2[\alpha , v]}(2^n)_{u_3[\alpha , v]}(2^n)_{u_4[\alpha , v]}}} \nonumber \\&\times \prod _{v \in \{0,1\}^n} \frac{1}{(2^n)_{u_6^e[v]}}. \end{aligned}$$
(7)

For simplicity, we use the following inequality.

$$\begin{aligned} \prod _{v \in \{0,1\}^n} \frac{1}{(2^n)_{u_6^e[v]}} \ge \prod _{v \in \{0,1\}^n} \frac{1}{(2^n)^{u_6^e[v]}} = \frac{1}{(2^n)^{q_e}}. \end{aligned}$$
(8)

Also,

$$\begin{aligned} \prod _{1 \le \alpha \le l} (2^n)^{u_5[\alpha ]} \ge \prod _{1 \le \alpha \le l} (2^n)_{u_5[\alpha ]} \ge \prod _{1 \le \alpha \le l} (2^n)_{u_{4}^{d}[\alpha ]}. \end{aligned}$$
(9)

Therefore by (6), (7), (8) and (9),

$$\begin{aligned} \frac{\Pr \left[ {{\textsf{T}}_\textrm{re}= \tau } \right] }{\Pr \left[ {{\textsf{T}}_\textrm{id}= \tau } \right] }&\ge \frac{2^{2n|{\mathcal {B}}|}}{\prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}}(2^n)_{u_3^e[\alpha , v]}\prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}}(2^n)_{u_{4}^{e}[\alpha , v]}} \times \left( {1 - \frac{q_d}{2^n - q_e}} \right) \\&\ge 1 - \frac{q_d}{2^n - q_e} \ge 1 - \frac{2q_d}{2^n}. \end{aligned}$$

The last inequality uses \(q_e < 2^{n-1}\), and the second one holds because

$$\begin{aligned} |{\mathcal {B}}| \ge \sum _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} u_3^e[\alpha , v], \end{aligned}$$

so

$$\begin{aligned} 2^{n|{\mathcal {B}}|} \ge \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} (2^n)^{u_3^e[\alpha , v]} \ge \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} (2^n)_{u_3^e[\alpha , v]}, \end{aligned}$$

and similarly,

$$\begin{aligned} 2^{n|{\mathcal {B}}|} \ge \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} (2^n)_{u_{4}^{e}[\alpha , v]}. \end{aligned}$$

This completes the proof. \(\square \)

4.4 Bounding the probability of bad events

In this section, we find an upper bound on the probability that each bad event occurs in the ideal world. Fix \(i, j \in [q_e]\) and \(\alpha \in [\min \left\{ {m_i, m_j} \right\} ]\) such that \((A_i, M_i[:\alpha ]) \ne (A_j, M_j[:\alpha ])\). Then, since \(C_i[\alpha ]\) and \(C_j[\alpha ]\) are chosen uniformly and independently at random in the ideal world, they collide with probability \(1/2^{2n}\); summing over all such pairs, one has

$$\begin{aligned} \Pr \left[ {\textsf{bad}_1} \right] \le \frac{\sigma l}{2^{2n}}. \end{aligned}$$
(10)

We now claim the following lemma.

Lemma 3

$$\begin{aligned} \Pr \left[ {\textsf{bad}_2 \wedge \lnot \textsf{bad}_1} \right] \le \frac{8\sigma ^2 + 6q^2}{2^{2n}}. \end{aligned}$$

Let

$$\begin{aligned} \textsf{IC}&= \mathop {\mathrm {\bigvee }}\limits _{1 \le i \le 5} \textsf{IC}_{i},&\textsf{OC}&= \mathop {\mathrm {\bigvee }}\limits _{1 \le i \le 5} \textsf{OC}_{i}. \end{aligned}$$

Note that \(\textsf{bad}_2 = \textsf{IC}\vee \textsf{OC}\). We can upper bound the probability of each collision event as follows.

Lemma 4

$$\begin{aligned} \Pr \left[ {\textsf{IC}} \right] \le \frac{4q^2 + 6\sigma ^2}{2^{2n}}. \end{aligned}$$

Lemma 5

$$\begin{aligned} \Pr \left[ {\textsf{OC}} \right] \le \frac{2q_e^2 + 2\sigma ^2}{2^{2n}}. \end{aligned}$$

Then, Lemma 3 follows from Lemmas 4 and 5. Finally, by Lemmas 3, 2, and (10), we can conclude that Theorem 1 holds.

Before we start, we state the following lemma, which is used throughout the proof.

Lemma 6

Fix \((i, \alpha ) \in {\mathcal {I}}_1\). Then

$$\begin{aligned} \Pr \left[ {X_i[\alpha ] = Q} \right] \le \frac{2}{2^n}, \end{aligned}$$

for any \(Q \in \{0,1\}^n\). Similarly, fix \((i, \alpha ) \in {\mathcal {I}}_2\). Then

$$\begin{aligned} \Pr \left[ {X_i[a_i + \alpha ] = Q} \right] \le \frac{2}{2^n}, \end{aligned}$$

for any \(Q \in \{0,1\}^n\).

Proof

Let J be the set of \(j \in [q]\) such that \(A_{i, R}[\alpha ] = A_{j, R}[\alpha ]\) but \(A_{i, L}[\alpha ] \ne A_{j, L}[\alpha ]\). Then \(X_i[\alpha ]\) is sampled uniformly at random from \(\{0,1\}^n {\setminus } \left\{ {X_j[\alpha ]: j \in J} \right\} \). Since \(|J| \le \sigma < 2^{n-1}\), in this case,

$$\begin{aligned} \Pr \left[ {X_i[\alpha ] = Q} \right] \le \frac{1}{2^n - \left| {J} \right| } \le \frac{2}{2^n}. \end{aligned}$$

The same argument applies to \((i, \alpha ) \in {\mathcal {I}}_2\), with the message blocks in place of the associated data blocks. \(\square \)

Proof of Lemma 4

We bound the probability of each \(\textsf{IC}_{i}\) for \(1 \le i \le 5\).

  1.

    Fix \(((i,\alpha ), (j,\alpha )) \in ({\mathcal {I}}_1)^{*2}\). Then \(A_i[\alpha ] \ne A_j[\alpha ]\) by the definition of \({\mathcal {I}}_1\), so \(f_1(i,\alpha ) \ne f_1(j,\alpha )\). Therefore, we get

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{1}} \right] = 0. \end{aligned}$$
  2.

    Fix \(((i, \alpha ), (j, \alpha )) \in {\mathcal {I}}_2^{*2}\). Then \(M_i[\alpha ] \ne M_j[\alpha ]\), so \(f_2(i, \alpha ) \ne f_2(j, \alpha )\). Therefore, we get

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{2}} \right] = 0. \end{aligned}$$
  3.

    Fix \(((i,\alpha ), (j,\alpha )) \in ({\mathcal {I}}_3)^{*2}\) where \(i < j\). First, assume that \(j \in [q_e+1,q_e+q_d]\). Then \(f_3(i, \alpha ) = f_3(j, \alpha )\) if and only if

    $$\begin{aligned} \begin{pmatrix} 1 &{} 0 \\ 0 &{} 1 \end{pmatrix} \begin{pmatrix} Y_j[\alpha ] \\ Z_j[\alpha ] \end{pmatrix} = \begin{pmatrix} Y_i[\alpha ] \\ Z_i[\alpha ] \end{pmatrix}. \end{aligned}$$

    By the sampling process of Y and Z variables in the ideal world,

    $$\begin{aligned} \Pr \left[ {Y_i[\alpha ] = Y_j[\alpha ] \wedge Z_i[\alpha ] = Z_j[\alpha ]} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\alpha )} \right] \le \frac{4}{2^{2n}}, \end{aligned}$$

    when \(j \in [q_e+1,q_e+q_d]\). Suppose \(j \in [q_e]\). Then, by (2) and (3), \(f_3(i,\alpha ) = f_3(j,\alpha )\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} \bigoplus _{\gamma = 1}^{a_i + \alpha } X_i[\gamma ] \mathbin {\oplus } \bigoplus _{\gamma = 1}^{a_j + \alpha } X_j[\gamma ] = P; \\ \bigoplus _{\gamma = 1}^{a_i + \alpha } 2^{a_i+\alpha -\gamma }X_i[\gamma ] \mathbin {\oplus } \bigoplus _{\gamma = 1}^{a_j + \alpha } 2^{a_j+\alpha -\gamma }X_j[\gamma ] = Q, \end{array}\right. } \end{aligned}$$
    (11)

    where

    $$\begin{aligned} P&= M_{i,R}[\alpha ] \mathbin {\oplus } M_{j,R}[\alpha ], \\ Q&= \bigoplus _{\gamma = 1}^{a_i} 2^{a_i +\alpha -\gamma }A_{i,R}[\gamma ] \mathbin {\oplus } \bigoplus _{\gamma = 1}^{\alpha -1} 2^{\alpha -\gamma }M_{i,R}[\gamma ] \\&\mathbin {\oplus } \bigoplus _{\gamma = 1}^{a_j} 2^{a_j +\alpha -\gamma }A_{j,R}[\gamma ] \mathbin {\oplus } \bigoplus _{\gamma = 1}^{\alpha -1} 2^{\alpha -\gamma }M_{j,R}[\gamma ]. \end{aligned}$$

    Let us take a look at each subcase below.

    (a)

      If \(a_i < a_j\), (11) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_j[a_i] \mathbin {\oplus } X_j[a_j] = P'; \\ 2^{a_j - a_i} X_j[a_i] \mathbin {\oplus } X_j[a_j] = Q', \end{array}\right. } \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_j[a_i]\) and \(X_j[a_j]\). Since \(2^{a_j - a_i} \ne 1\), this system has a unique solution \((X_j[a_i], X_j[a_j])\), and each of these two variables is sampled uniformly at random from a set of size at least \(2^n - \sigma \). Therefore, we have

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\alpha )} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$
    (b)

      If there exist two distinct indices \(\gamma _1, \gamma _2 \le \alpha \) such that \(A_i[\gamma _1] \ne A_j[\gamma _1]\) and \(A_i[\gamma _2] \ne A_j[\gamma _2]\), (11) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_j[\gamma _1] \mathbin {\oplus } X_j[\gamma _2] = P'; \\ 2^{a_j + \alpha -\gamma _1} X_j[\gamma _1] \mathbin {\oplus } 2^{a_j + \alpha - \gamma _2} X_j[\gamma _2] = Q', \end{array}\right. } \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_j[\gamma _1]\) and \(X_j[\gamma _2]\). Therefore, we get

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\alpha )} \right] \le \frac{1}{2^{2n}}, \end{aligned}$$

      by the sampling process of \(X_j[\gamma _1]\) and \(X_j[\gamma _2]\). The same argument applies whenever \((A_i, M_i[:\alpha ])\) and \((A_j, M_j[:\alpha ])\) differ in two or more blocks.

    (c)

      Let \(a_i = a_j\) and \(M_i[\alpha ] \ne M_j[\alpha ]\) while \((A_i, M_i[:\alpha -1]) = (A_j, M_j[:\alpha -1])\). Then, (11) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i+\alpha ] \mathbin {\oplus } X_j[a_i+\alpha ] = M_{i,R}[\alpha ] \mathbin {\oplus } M_{j,R}[\alpha ]; \\ X_i[a_i+\alpha ] \mathbin {\oplus } X_j[a_i+\alpha ] = 0, \end{array}\right. } \end{aligned}$$

      so one should have \(X_i[a_i+\alpha ] = X_j[a_i+\alpha ]\) and \(M_{i,R}[\alpha ] = M_{j,R}[\alpha ]\), which contradicts the rules for choosing the X variables. Therefore,

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\alpha )} \right] = 0, \end{aligned}$$

      and the same argument applies if there is only one differing block between \((A_i, M_i[:\alpha ])\) and \((A_j, M_j[:\alpha ])\).

    All in all, we get

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{3}} \right] \le \frac{4|{\mathcal {I}}_3|^2}{2^{2n}}. \end{aligned}$$
  4. 4.

    Fix \(((i, \alpha ), (j, \alpha )) \in {\mathcal {I}}_4^{*2}\). Without loss of generality, let \(i \le j\). We distinguish some sub-cases as below.

    (a)

      Let \(i, j \in [q_e]\). Note that \(C_i[\alpha ] \ne C_j[\alpha ]\) and \(M_i[:\alpha ] \ne M_j[:\alpha ]\) since \(((i, \alpha ), (j, \alpha )) \in {\mathcal {I}}_4^{*2}\). Let \(h \in [\alpha ]\) be the index such that \(M_i[h] \ne M_j[h]\). Then \(f_4(i, \alpha ) = f_4(j, \alpha )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} C_{i, R}[\alpha ] = C_{j, R}[\alpha ]; \\ X_i[h] = M_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\alpha ] \mathbin {\oplus } \bigoplus _{\gamma \ne a_i + h} X_i[\gamma ] \mathbin {\oplus } \bigoplus _{\gamma = 1}^{a_j + \alpha } X_j[\gamma ]. \end{array}\right. } \end{aligned}$$

      Since \(C_{i, R}[\alpha ]\) is chosen uniformly at random from \(\{0,1\}^n\) and \(X_i[h]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \), one has

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = f_4(j, \alpha )} \right] \le \frac{1}{2^n(2^n - \sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Let \(i \in [q_e]\), \(j \in [q_e + 1, q]\). If \(C_{i, R}[\alpha ] = C_{j, R}[\alpha ]\), then \(Y_i[\alpha ] \ne Y_j[\alpha ]\) by the sampling process. In this case, \(\Pr \left[ {f_4(i, \alpha ) = f_4(j, \alpha )} \right] = 0\). If \(C_{i, R}[\alpha ] \ne C_{j, R}[\alpha ]\), then similarly \(\Pr \left[ {f_4(i, \alpha ) = f_4(j, \alpha )} \right] = 0\). Therefore,

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = f_4(j, \alpha )} \right] = 0. \end{aligned}$$
    (c)

      Let \(i, j \in [q_e + 1, q]\). If \(C_{i, R}[\alpha ] = C_{j, R}[\alpha ]\), then \(Y_i[\alpha ] \ne Y_j[\alpha ]\) by the sampling process, so the probability is zero. If \(C_{i, R}[\alpha ] \ne C_{j, R}[\alpha ]\), then the probability is obviously zero.

    To sum up, we have

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{4}} \right] \le \frac{2\left| {{\mathcal {I}}_4} \right| ^2}{2^{2n}}. \end{aligned}$$
  5.

    Fix \((i, j) \in [q]^{*2}\). Without loss of generality, let \(i \le j\). We recover the \(X\) values and the \(R\) values by \({\hat{\rho }}^{-1}\). Since there is no redundant query, \(A_i \ne A_j\) or \(M_i \ne M_j\). Let \(A_i \ne A_j\); a similar argument applies when \(M_i \ne M_j\). We consider the following cases.

    (a)

      If \(a_i > a_j + 1\), then \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 2^{a_i + m_i - a_j} &{} 2^{a_i + m_i - a_j - 1} \\ 1 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[a_j + 1] \\ X_i[a_j + 2] \end{pmatrix} = \begin{pmatrix} P' \\ Q' \end{pmatrix}, \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[a_j + 1]\) and \(X_i[a_j + 2]\). By the sampling process of \(X_i[a_j + 1]\) and \(X_i[a_j + 2]\), in this case \(\Pr \left[ {(V_i, U_i) = (V_j, U_j)} \right] \le \frac{4}{2^{2n}}\). A similar argument applies when \(a_j > a_i + 1\) and gives the same bound.

    (b)

      Assume that \(a_i = a_j + 1\) and \(A_i[\beta ] \ne A_j[\beta ]\) for some \(\beta \in [a_j]\). Then \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 2^{m_i + a_i - \beta + 1} &{} 2^{m_i + 1} \\ 1 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[\beta ] \\ X_i[a_i] \end{pmatrix} = \begin{pmatrix} P' \\ Q' \end{pmatrix}, \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[\beta ]\) and \(X_i[a_i]\). By Lemma 6, we can conclude

      $$\begin{aligned} \Pr \left[ {(V_i, U_i) = (V_j, U_j)} \right] \le \frac{4}{2^{2n}}. \end{aligned}$$
    (c)

      Assume that \(a_i = a_j + 1\) and \(A_i[:a_j] = A_j\). If there exists \(\beta \in [m_i]\) such that \(M_i[\beta ] \ne M_j[\beta ]\), we can use the randomness of \(X_i[a_i + \beta ]\) and \(X_i[a_i]\). More precisely, \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 2^{m_i - \beta + 1} &{} 2^{m_i + 1} \\ 1 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[a_i + \beta ] \\ X_i[a_i] \end{pmatrix} = \begin{pmatrix} P' \\ Q' \end{pmatrix}, \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[a_i + \beta ]\) and \(X_i[a_i]\). If \(M_i = M_j\), we have two cases, \(X_i[a_i] = 0\) or \(X_i[a_i] \ne 0\). \(X_i[a_i] \ne 0\) implies \(V_i \ne V_j\) (see (5)). Also, if \(X_i[a_i] = 0\), then \(U_i = U_j\) if and only if

      $$\begin{aligned} \bigoplus _{\beta = 1}^{m_i}2^{m + 1 - \beta }(X_i[a_i + \beta ] \mathbin {\oplus } M_{i, R}[\beta ]) \mathbin {\oplus } 2^{m + 1}A_{i, R}[a_i] = 0. \end{aligned}$$

      Therefore, \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 1 &{} 0 \\ 0 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[a_i] \\ X_i[a_i + m_i] \end{pmatrix} = \begin{pmatrix} 0 \\ Q' \end{pmatrix}, \end{aligned}$$

      where

      $$\begin{aligned} Q' = \bigoplus _{\beta = 1}^{m_i - 1}2^{m + 1 - \beta }(X_i[a_i + \beta ] \mathbin {\oplus } M_{i, R}[\beta ]) \mathbin {\oplus } M_{i, R}[m_i] \mathbin {\oplus } 2^{m + 1}A_{i, R}[a_i], \end{aligned}$$

      (see (4)). Therefore, by the sampling process of \(X_i[a_i]\) and Lemma 6,

      $$\begin{aligned} \Pr \left[ {(V_i, U_i) = (V_j, U_j)} \right] \le \frac{4}{2^{2n}}. \end{aligned}$$

      A similar argument applies when \(a_j = a_i + 1\) and \(A_j[:a_i] = A_i\).

    (d)

      Assume that \(a_i = a_j\). If there exist \(\alpha , \beta \in [a_i]\) such that \(A_i[\alpha ] \ne A_j[\alpha ]\) and \(A_i[\beta ] \ne A_j[\beta ]\), \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 2^{a_i + m_i - \alpha + 1} &{} 2^{a_i + m_i - \beta + 1} \\ 1 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[\alpha ] \\ X_i[\beta ] \end{pmatrix} = \begin{pmatrix} P' \\ Q' \end{pmatrix}, \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[\alpha ]\) and \(X_i[\beta ]\). Then by Lemma 6, \(\Pr \left[ {(V_i, U_i) = (V_j, U_j)} \right] \le \frac{4}{2^{2n}}\). If there exists only one \(\alpha \in [a_i]\) such that \(A_i[\alpha ] \ne A_j[\alpha ]\), then \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 2^{a_i + m_i - \alpha + 1} &{} 2^{a_j + m_j - \alpha + 1} \\ 1 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[\alpha ] \\ X_j[\alpha ] \end{pmatrix} = \begin{pmatrix} P' \\ Q' \end{pmatrix}, \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[\alpha ]\) and \(X_j[\alpha ]\). Therefore,

      $$\begin{aligned} \Pr \left[ {(V_i, U_i) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{4}{2^{2n}}. \end{aligned}$$

    By the above analysis, we have

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{5}} \right] \le \frac{4q^2}{2^{2n}}. \end{aligned}$$

All in all, we have

$$\begin{aligned} \Pr \left[ {\textsf{IC}} \right] \le \frac{4q^2 + 6\sigma ^2}{2^{2n}}. \end{aligned}$$

\(\square \)
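As an added worked step (not part of the paper), the following spells out why the \(2 \times 2\) system in case (a) of item 5 above has a unique solution and how the stated bound follows; it assumes, as is standard, that \(2^k x\) denotes multiplication in \({\mathbb {F}}_{2^n}\) by the \(k\)-th power of the doubling element \(2\), and writes \(a = a_i + m_i - a_j\). The determinant of the coefficient matrix is

$$\begin{aligned} \det \begin{pmatrix} 2^{a} &{} 2^{a-1} \\ 1 &{} 1 \end{pmatrix} = 2^{a} \mathbin {\oplus } 2^{a-1} = 2^{a-1}(2 \mathbin {\oplus } 1) = 3 \cdot 2^{a-1} \ne 0, \end{aligned}$$

since both factors are nonzero elements of a field. Hence the system has exactly one solution \((x_1, x_2)\), determined by \(P'\) and \(Q'\), and \((V_i, U_i) = (V_j, U_j)\) forces \(X_i[a_j+1] = x_1\) and \(X_i[a_j+2] = x_2\). Each of these variables is sampled uniformly from a set of size at least \(2^n - \sigma \), so

$$\begin{aligned} \Pr \left[ {(V_i, U_i) = (V_j, U_j)} \right] \le \Pr \left[ {X_i[a_j+1] = x_1} \right] \cdot \Pr \left[ {X_i[a_j+2] = x_2 \mid X_i[a_j+1] = x_1} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}, \end{aligned}$$

where the last inequality uses the standing assumption \(\sigma < 2^{n-1}\) (cf. Theorem 2), so that \(2^n - \sigma > 2^{n-1}\).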

Proof of Lemma 5

We calculate each probability of \(\textsf{OC}_{i}\) for \(1 \le i \le 5\).

  1.

    Let \(((i, \alpha ), (j, \alpha )) \in {\mathcal {I}}_1^{*2}\). Then one should have \(A_i[\alpha ] \ne A_j[\alpha ]\) and \(g_1(i, \alpha ) \ne g_1(j, \alpha )\). Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{1}} \right] = 0. \end{aligned}$$
  2.

    Let \(((i, \alpha ), (j, \alpha )) \in {\mathcal {I}}_2^{*2}\). Then \(M_i[\alpha ] \ne M_j[\alpha ]\) so \(g_2(i, \alpha ) \ne g_2(j, \alpha )\). Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{2}} \right] = 0. \end{aligned}$$
  3.

    Since \(\textsf{IC}_{4} = \textsf{OC}_{3}\),

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{3}} \right] \le \frac{2\left| {{\mathcal {I}}_4} \right| ^2}{2^{2n}}. \end{aligned}$$
  4.

    Let \(((i, \alpha ), (j, \alpha )) \in {\mathcal {I}}_4^{*2}\). Then \(C_i[\alpha ] \ne C_j[\alpha ]\) so \(g_4(i, \alpha ) \ne g_4(j, \alpha )\). Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{4}} \right] = 0. \end{aligned}$$
  5.

    Let \((i, j) \in [q_e]^{*2}\). We distinguish two sub-cases.

    (a)

      First, assume \(m_i \ne m_j\). Without loss of generality, we can assume that \(m_i < m_j\). In this case, \((V_i, T_i) = (V_j, T_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_j[a_j + m_j] = V_i \mathbin {\oplus } \bigoplus _{\alpha = 1}^{a_j + m_j - 1} X_j[\alpha ]; \\ T_j = T_i. \end{array}\right. } \end{aligned}$$

      Since \(X_j[a_j + m_j]\) is chosen uniformly at random from the set of size at least \(2^n - q_e\) and \(T_j\) is chosen uniformly at random from \(\{0,1\}^n\), one has

      $$\begin{aligned} \Pr \left[ {(V_i, T_i) = (V_j, T_j)} \right] \le \frac{1}{2^n(2^n - q_e)} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Now assume that \(m_i = m_j\). Since there is no redundant query, there exists at least one index h such that \(M_i[h] \ne M_j[h]\). In this case, \((V_i, T_i) = (V_j, T_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_j[a_j + h] = V_i \mathbin {\oplus } \bigoplus _{\alpha \ne a_j + h} X_j[\alpha ]; \\ T_j = T_i. \end{array}\right. } \end{aligned}$$

      Since \(X_j[a_j + h]\) is chosen uniformly at random from the set of size at least \(2^n - q_e\) and \(T_j\) is chosen uniformly at random from \(\{0,1\}^n\), one has

      $$\begin{aligned} \Pr \left[ {(V_i, T_i) = (V_j, T_j)} \right] \le \frac{1}{2^n(2^n - q_e)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    To sum up, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{5}} \right] \le \sum _{(i, j) \in [q_e]^{*2}} \frac{2}{2^{2n}} \le \frac{2q_e^2}{2^{2n}}. \end{aligned}$$

Now using \(\left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_2} \right| \le \sigma \), \(\left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_3} \right| \le \sigma \), and \(\left| {{\mathcal {I}}_i} \right| \le \sigma \) for \(1 \le i \le 4\), we conclude the lemma. \(\square \)

5 Security of ZLR

Theorem 2

Let \({\widetilde{E}}: {\mathcal {K}}\times \{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^n\) be a tweakable block cipher and \(\rho \) be a state update function given in Sect. 3.3. Then for nonnegative integers \(q_e\), \(q_d\), \(\sigma \), l, and t such that \(q_e, \sigma < 2^{n-1}\), we have

$$\begin{aligned} \textsf{Adv}^{\textsf{oae}}_{\textsf{ZLR}[{\tilde{E}}, \rho ]}(q_e,q_d,\sigma ,l,t)&\le \frac{6\sigma + 2q + 2q_d}{2^n} + \frac{\sigma l + 48\sigma ^2 + 18q\sigma + 6q^2}{2^{2n}} \\&\quad + \textsf{Adv}^{\textsf{tprp}}_{{\tilde{E}}}(3\sigma +q,t+t'), \end{aligned}$$

where \(q = q_e + q_d\) and \(t'\) is the time complexity necessary to compute \({\widetilde{E}}\) for \(3\sigma +q\) queries.

5.1 Proof setup

The proof of Theorem 2 is similar to the proof for the \(\textsf{DS}\text {-}\textsf{ZLR}\) mode. Fix a \((q_e, q_d, \sigma , l, t)\)-adversary \({\mathcal {A}}\) against \(\textsf{ZLR}[{\tilde{E}}, \rho ]\). Up to the TPRP security of \({\tilde{E}}\), \({\tilde{E}}\) can be replaced by a random tweakable permutation \({\tilde{\pi }}\) at the cost of

$$\begin{aligned} \textsf{Adv}^{\textsf{tprp}}_{{\tilde{E}}}(3\sigma + q, t+t'), \end{aligned}$$

where \(t'\) is the time complexity necessary to compute \({\widetilde{E}}\) for \(3\sigma +q\) queries.

Let \(\$\) denote the online random function defined as in Sect. 2.2. \({\mathcal {A}}\) has to distinguish \((\mathsf {ZLR.Enc}, \mathsf {ZLR.Dec})\) and \((\$, \textsf{Rej})\) using \(q_e\) encryption queries and \(q_d\) decryption queries. In the real world, \({\mathcal {A}}\) interacts with \(\textsf{ZLR}= (\mathsf {ZLR.Enc}, \mathsf {ZLR.Dec})\). In the ideal world, \({\mathcal {A}}\) interacts with \((\$, \textsf{Rej})\).

In the i-th encryption query, \({\mathcal {A}}\) queries with the associated data \(A_i\) and the message \(M_i\), and gets the ciphertext \(C_i\) and the tag \(T_i\). In the j-th decryption query, \({\mathcal {A}}\) queries with the associated data \(A'_j\), the ciphertext \(C'_j\), and the tag \(T'_j\), and gets \(b'_j = M'_j\) or \(\bot \). Then let

$$\begin{aligned} \tau _e&= (A_i, M_i, C_i, T_i)_{i \in [q_e]} \\ \tau _d&= (A'_j, C'_j, T'_j, b'_j)_{j \in [q_d]}, \end{aligned}$$

denote the lists of the encryption queries and the decryption queries, respectively. Let \(q = q_e + q_d\). We can rearrange the queries and their answers as

$$\begin{aligned} \left\{ {(A_i, M_i, C_i, T_i)_{i \in [q_e]}, (A_j, C_j, T_j, b_j)_{j \in [q_e+1, q]}} \right\} . \end{aligned}$$

Now for \(i \in [q]\), set:

$$\begin{aligned} (A_i[1], \dots , A_i[a_i])&\overset{2n}{\longleftarrow }\ A_i; \\ (C_i[1], \dots , C_i[m_i])&\overset{2n}{\longleftarrow }\ C_i. \end{aligned}$$

Similarly, for \(i \in [q_e]\), set:

$$\begin{aligned} (M_i[1], \dots , M_i[m_i])&\overset{2n}{\longleftarrow }\ M_i. \end{aligned}$$

Let \(l_i = a_i + m_i\) for \(i \in [q]\), then \(\sigma = \sum _{i \in [q]} l_i\) and \(l = \max \left\{ {l_i: i \in [q]} \right\} \).

To make the proof simple, we reveal the actual tuple of the masks \((\Delta _i)_{i \in [4]}\) to \({\mathcal {A}}\) at the end of the interaction in the real world, or a dummy tuple of masks \((\Delta _i)_{i \in [4]}\) chosen uniformly at random from \((\{0,1\}^n)^{*4}\) in the ideal world. With this information, \({\mathcal {A}}\) can compute \(\Delta _5 = \Delta _1 \mathbin {\oplus } \Delta _3\) and \(\Delta _6 = \Delta _2 \mathbin {\oplus } \Delta _4\). We define the following useful index sets:

$$\begin{aligned} {\mathcal {P}}_A&= \left\{ {(i, \alpha ): i \in [q], \alpha \in [a_i]} \right\} ; \\ {\mathcal {P}}_M&= \left\{ {(i, \alpha ): i \in [q_e], \alpha \in [m_i]} \right\} ; \\ {\mathcal {P}}_C&= \left\{ {(i, \alpha ): i \in [q], \alpha \in [m_i]} \right\} , \end{aligned}$$

which denote the set of the indices of the associated data, the message, and the ciphertext, respectively. For each \((i, \alpha ) \in {\mathcal {P}}_A\), set

$$\begin{aligned} (A_{i, L}[\alpha ], A_{i, R}[\alpha ])&\overset{n}{\longleftarrow } A_i[\alpha ]. \end{aligned}$$

For each \((i, \alpha ) \in {\mathcal {P}}_M\), set

$$\begin{aligned} (M_{i, L}[\alpha ], M_{i, R}[\alpha ])&\overset{n}{\longleftarrow } M_i[\alpha ]. \end{aligned}$$

Also, for each \((i, \alpha ) \in {\mathcal {P}}_C\), set

$$\begin{aligned} (C_{i, L}[\alpha ], C_{i, R}[\alpha ])&\overset{n}{\longleftarrow } C_i[\alpha ]. \end{aligned}$$

For each \((i, \alpha ) \in {\mathcal {P}}_A\), let

$$\begin{aligned} {\hat{A}}_{i,L}[\alpha ]&= A_{i,L}[\alpha ] \mathbin {\oplus } 2^{\alpha -1} \Delta _1,&{\hat{A}}_{i,R}[\alpha ]&= A_{i,R}[\alpha ] \mathbin {\oplus } 2^{\alpha -1} \Delta _2. \end{aligned}$$

For each \((i, \alpha ) \in {\mathcal {P}}_M\), let

$$\begin{aligned} {\hat{M}}_{i,L}[\alpha ]&= M_{i,L}[\alpha ] \mathbin {\oplus } 2^{\alpha -1} \Delta _3,&{\hat{M}}_{i,R}[\alpha ]&= M_{i,R}[\alpha ] \mathbin {\oplus } 2^{\alpha -1} \Delta _4. \end{aligned}$$

Also, for each \((i, \alpha ) \in {\mathcal {P}}_C\), let

$$\begin{aligned} {\hat{C}}_{i,L}[\alpha ]&= C_{i,L}[\alpha ] \mathbin {\oplus } 2^{\alpha -1} \Delta _5,&{\hat{C}}_{i,R}[\alpha ]&= C_{i,R}[\alpha ] \mathbin {\oplus } 2^{\alpha -1} \Delta _6. \end{aligned}$$

With these values, we reveal the actual internal states \(X_i[\alpha ]\), \(Y_i[\alpha ]\), and \(Z_i[\alpha ]\) variables in the real world. We set for the encryption queries:

  • for \((i, \alpha ) \in {\mathcal {P}}_A\), \(X_i[\alpha ] = {\tilde{\pi }}(\textsf{Pad}_t(0 \mathbin {\Vert }\alpha \mathbin {\Vert }{\hat{A}}_{i,R}[\alpha ]), {\hat{A}}_{i,L}[\alpha ])\);

  • for \((i, \alpha ) \in {\mathcal {P}}_M\), \(X_i[a_i+\alpha ] = {\tilde{\pi }}(\textsf{Pad}_t(1 \mathbin {\Vert }\alpha \mathbin {\Vert }{\hat{M}}_{i,R}[\alpha ]), {\hat{M}}_{i,L}[\alpha ])\);

  • for \((i, \alpha ) \in {\mathcal {P}}_C\), \(Y_i[\alpha ] = {\tilde{\pi }}^{-1}(\textsf{Pad}_t(3 \mathbin {\Vert }\alpha \mathbin {\Vert }{\hat{C}}_{i,R}[\alpha ]), {\hat{C}}_{i,L}[\alpha ])\);

  • for \((i, \alpha ) \in {\mathcal {P}}_C\), \(Z_i[\alpha ] = {\tilde{\pi }}^{-1}(\textsf{Pad}_t(2 \mathbin {\Vert }\alpha \mathbin {\Vert }{\hat{Y}}_i[\alpha ]), {\hat{C}}_{i,R}[\alpha ])\).

On the other hand, in the ideal world, for \(i \in [q_e]\) and \(\alpha \in [l_i]\), \(X_i[\alpha ]\) is chosen to satisfy the following rules. For \(i \in [q_e]\),

  • if \(\alpha \in [a_i]\) and there exists \(j < i\) such that \(A_i[\alpha ] = A_j[\alpha ]\), set \(X_i[\alpha ] = X_j[\alpha ]\);

  • if \(\alpha \in [m_i]\) and there exists \(j < i\) such that \(M_i[\alpha ] = M_j[\alpha ]\), set \(X_i[a_i+\alpha ] = X_j[a_j+\alpha ]\);

  • if \(\alpha \in [a_i]\), sample \(X_i[\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) different from \(X_j[\alpha ]\) for all \(j \in [q_e]\) satisfying \(a_j \ge \alpha \), \(A_i[\alpha ] \ne A_j[\alpha ]\), and \(A_{i, R}[\alpha ] = A_{j, R}[\alpha ]\);

  • if \(\alpha \in [m_i]\), sample \(X_i[a_i+\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) different from \(X_j[a_j+\alpha ]\) for all \(j \in [q_e]\) satisfying \(a_j < \alpha \), \(M_i[\alpha ] \ne M_j[\alpha ]\), and \(M_{i, R}[\alpha ] = M_{j, R}[\alpha ]\);

  • otherwise, sample \(X_i[\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) uniformly at random.

Now \(Y_i[\alpha ]\) and \(Z_i[\alpha ]\) for \(i \in [q_e]\) and \(\alpha \in [m_i]\) are given by (2) and (3), and these are revealed. For \(i \in [q_e+1, q]\) and \(\alpha \in [m_i]\), \(Y_i[\alpha ]\) and \(Z_i[\alpha ]\) are chosen to satisfy the following rules:

  • if there exists \(j < i\) such that \(C_i[\alpha ] = C_j[\alpha ]\), set \(Y_i[\alpha ] = Y_j[\alpha ]\) and set \(Z_i[\alpha ] = Z_j[\alpha ]\);

  • if there exists \(j < i\) such that \(C_i[\alpha ] \ne C_j[\alpha ]\) and \(C_{i, R}[\alpha ] = C_{j, R}[\alpha ]\), sample \(Y_i[\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) different from \(Y_j[\alpha ]\) for all such \(j\);

  • otherwise, sample \(Y_i[\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) and \(Z_i[\alpha ] \mathrel {\leftarrow _{\$}}\{0,1\}^n\) uniformly at random.

Finally, \({\mathcal {A}}\) attains the following transcript:

$$\begin{aligned} \tau =&\left\{ {(A_i, M_i, X_i, Y_i, Z_i, C_i, T_i)_{i \in [q_e]}, (A_i, X_i, Y_i, Z_i, C_i, T_i, b_i)_{i \in [q_e+1, q]}} \right\} \\&\cup \left\{ {(\Delta _{i, j})_{i \in [q], j \in [4]}} \right\} . \end{aligned}$$

5.2 Defining bad events

In this section, we define bad events. For \(i \in [q]\), let \(U_i\) and \(V_i\) be the final state \(S_i[l_i]\), which is defined in (4) and (5). To describe the bad cases, we will define some functions which take the indices as input. Let

  • \({\mathcal {I}}_1 = \left\{ {(i, \alpha ) \in {\mathcal {P}}_A: \forall j < i, A_i[\alpha ] \ne A_j[\alpha ]} \right\} \);

  • \({\mathcal {I}}_2 = \left\{ {(i, \alpha ) \in {\mathcal {P}}_M: \forall j < i, M_i[\alpha ] \ne M_j[\alpha ]} \right\} \);

  • \({\mathcal {I}}_3 = {\mathcal {I}}_4 = \left\{ {(i, \alpha ) \in {\mathcal {P}}_C: \forall j < i, C_i[\alpha ] \ne C_j[\alpha ]} \right\} \),

and for \(r\in [4]\), let \(f_r, g_r: {\mathcal {I}}_r \mathop {\mathrm {\rightarrow }}\limits (\{0,1\}^n)^2\) be functions where

$$\begin{aligned} f_1(i,\alpha )&= ({\hat{A}}_{i,R}[\alpha ], {\hat{A}}_{i,L}[\alpha ]),&g_1(i,\alpha )&= ({\hat{A}}_{i,R}[\alpha ], X_i[\alpha ]), \\ f_2(i,\alpha )&= ({\hat{M}}_{i,R}[\alpha ], {\hat{M}}_{i,L}[\alpha ]),&g_2(i,\alpha )&= ({\hat{M}}_{i,R}[\alpha ], X_i[a_i+\alpha ]), \\ f_3(i,\alpha )&= (Y_i[\alpha ], Z_i[\alpha ]),&g_3(i,\alpha )&= (Y_i[\alpha ], {\hat{C}}_{i,R}[\alpha ]), \\ f_4(i,\alpha )&= ({\hat{C}}_{i,R}[\alpha ], Y_i[\alpha ]),&g_4(i,\alpha )&= ({\hat{C}}_{i,R}[\alpha ], {\hat{C}}_{i,L}[\alpha ]). \end{aligned}$$

Note that \(f_r\) gives the pair of the tweak and the input of each tweakable block cipher call, and \(g_r\) gives the pair of the tweak and the output of each tweakable block cipher call. For \(1 \le r \le s \le 4\) we define the following events.

  • \(\textsf{TwColl}_r \mathop {\mathrm {\Leftrightarrow }}\limits \) there exists \((i,\alpha ) \in {\mathcal {I}}_r\) and \(v \in \{0,1\}^n\) such that \(f_r(i,\alpha ) = (0, v)\);

  • \(\textsf{IC}_{r,s} \mathop {\mathrm {\Leftrightarrow }}\limits \) there exists \((i,\alpha ) \in {\mathcal {I}}_r\) and \((j,\beta ) \in {\mathcal {I}}_s\) such that \((r,i,\alpha ) \ne (s,j,\beta )\) and \(f_r(i,\alpha ) = f_s(j, \beta )\);

  • \(\textsf{OC}_{r,s} \mathop {\mathrm {\Leftrightarrow }}\limits \) there exists \((i,\alpha ) \in {\mathcal {I}}_r\) and \((j,\beta ) \in {\mathcal {I}}_s\) such that \((r,i,\alpha ) \ne (s,j,\beta )\) and \(g_r(i,\alpha ) = g_s(j, \beta )\).

Also, for \(r \in [4]\), let

  • \(\textsf{IC}_{r,5} \mathop {\mathrm {\Leftrightarrow }}\limits \) there exists \(i \in [q]\) and \((j,\beta ) \in {\mathcal {I}}_r\) such that \((V_i, U_i) = f_r(j,\beta )\);

  • \(\textsf{OC}_{r,5} \mathop {\mathrm {\Leftrightarrow }}\limits \) there exists \(i \in [q_e]\) and \((j,\beta ) \in {\mathcal {I}}_r\) such that \((V_i, T_i) = g_r(j,\beta )\),

and let

  • \(\textsf{TwColl}_5 \mathop {\mathrm {\Leftrightarrow }}\limits \) there exists \(i \in [q]\) such that \(V_i = 0\);

  • \(\textsf{IC}_{5,5} \mathop {\mathrm {\Leftrightarrow }}\limits \) there exist distinct \(i,j \in [q]\) such that \((V_i, U_i) = (V_j, U_j)\);

  • \(\textsf{OC}_{5,5} \mathop {\mathrm {\Leftrightarrow }}\limits \) there exist distinct \(i,j \in [q_e]\) such that \((V_i, T_i) = (V_j, T_j)\).
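The masked halves of Sect. 5.1 and the collision events \(\textsf{TwColl}_r\) and \(\textsf{IC}_{r,r}\) defined above can be exercised on a small constructed transcript. The following Python is an added example, not code from the paper or from the ZLR authors; it assumes \(n = 128\), that \(2^k\Delta \) is multiplication by \(2^k\) in \(\textrm{GF}(2^{128})\) with the polynomial \(x^{128}+x^7+x^2+x+1\), and uses fixed toy masks in place of the random \(\Delta \) so that the checks are deterministic.

```python
# Added example, not code from the paper: it builds the masked (tweak, input)
# pairs f_1, f_2 of Sect. 5.1/5.2 for a constructed transcript, derives the
# first-occurrence index sets I_1, I_2, and checks the bad events TwColl_r and
# IC_{r,r} that the proof bounds. Assumptions not fixed by the page: n = 128,
# "2^k Delta" is doubling in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1, and
# each 2n-bit block is handled as an (L, R) pair of n-bit integers.
from typing import Dict, List, Tuple

N = 128
N_BYTES = N // 8
MASK_N = (1 << N) - 1
R_POLY = 0x87          # x^7 + x^2 + x + 1, reduction constant (assumed polynomial)

Block = Tuple[int, int]            # (L, R) halves of one 2n-bit block
Index = Tuple[int, int]            # (i, alpha): query number, block position


def gf_double(x: int) -> int:
    """Multiply x by the field element 2 (i.e. the polynomial x) in GF(2^128)."""
    x <<= 1
    if x >> N:
        x = (x & MASK_N) ^ R_POLY
    return x


def gf_pow2_mul(k: int, delta: int) -> int:
    """Return 2^k * delta in GF(2^128) by k doublings."""
    for _ in range(k):
        delta = gf_double(delta)
    return delta


def split_blocks(data: bytes) -> List[Block]:
    """Parse data into 2n-bit blocks and split each one as (L, R) <-n- block."""
    if len(data) % (2 * N_BYTES) != 0:
        raise ValueError("input must be a multiple of 2n bits")
    blocks = []
    for off in range(0, len(data), 2 * N_BYTES):
        left = int.from_bytes(data[off:off + N_BYTES], "big")
        right = int.from_bytes(data[off + N_BYTES:off + 2 * N_BYTES], "big")
        blocks.append((left, right))
    return blocks


def first_occurrence_set(queries: List[List[Block]]) -> List[Index]:
    """I_r = {(i, alpha): for all j < i, block alpha of query i != block alpha of query j}.
    An earlier query that is too short to have a block alpha imposes no constraint."""
    idx = []
    for i, blocks in enumerate(queries, start=1):
        for alpha, blk in enumerate(blocks, start=1):
            if all(alpha > len(queries[j]) or queries[j][alpha - 1] != blk
                   for j in range(i - 1)):
                idx.append((i, alpha))
    return idx


def f_pair(blk: Block, alpha: int, delta_l: int, delta_r: int) -> Tuple[int, int]:
    """f_r(i, alpha) = (R ^ 2^{alpha-1} Delta_r, L ^ 2^{alpha-1} Delta_l):
    the (tweak half, input) pair of the TBC call made for this block."""
    left, right = blk
    return (right ^ gf_pow2_mul(alpha - 1, delta_r),
            left ^ gf_pow2_mul(alpha - 1, delta_l))


def bad_events(queries: List[List[Block]], delta_l: int, delta_r: int):
    """Return (I_r, TwColl_r hits, IC_{r,r} hits) for one block type: AD blocks
    with (Delta_1, Delta_2), or message blocks with (Delta_3, Delta_4)."""
    index_set = first_occurrence_set(queries)
    seen: Dict[Tuple[int, int], Index] = {}
    twcoll: List[Index] = []
    ic: List[Tuple[Index, Index]] = []
    for (i, alpha) in index_set:
        f = f_pair(queries[i - 1][alpha - 1], alpha, delta_l, delta_r)
        if f[0] == 0:                 # TwColl_r: masked right half is the zero tweak
            twcoll.append((i, alpha))
        if f in seen:                 # IC_{r,r}: two distinct calls share (tweak, input)
            ic.append((seen[f], (i, alpha)))
        else:
            seen[f] = (i, alpha)
    return index_set, twcoll, ic


def demo():
    """Constructed transcript: two AD lists that share their first block."""
    queries = [[(0x11, 0x22), (0x33, 0x45)], [(0x11, 0x22), (0x55, 0x66)]]
    good = bad_events(queries, 0x01, 0x80)        # toy masks: no bad event
    zero_tweak = bad_events(queries, 0x01, 0x22)  # Delta_2 cancels A_{1,R}[1]: TwColl_1
    # a third query whose second block is chosen so that f_1(3, 2) = f_1(1, 1),
    # which is only possible here because the toy masks are known in advance
    crafted = queries + [[(0x77, 0x88), (0x12, 0x1A2)]]
    collision = bad_events(crafted, 0x01, 0x80)
    return good, zero_tweak, collision


if __name__ == "__main__":
    for name, (idx, tw, ic) in zip(("good", "zero_tweak", "collision"), demo()):
        print(name, "I_1 =", idx, "TwColl =", tw, "IC =", ic)
```

The same routine applied to message blocks with \((\Delta _3, \Delta _4)\) gives \({\mathcal {I}}_2\) and the corresponding events; with the masks drawn uniformly at random instead of fixed, the hit rates are what Lemma 9 and the \(\textsf{IC}\) bounds estimate.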

A transcript \(\tau \) is defined as bad if one of the following events occurs:

  1.

    \(\textsf{bad}_1 \mathop {\mathrm {\Leftrightarrow }}\limits \) there exists \(i, j \in [q_e]\) and \(\alpha \in [\min \left\{ {m_i, m_j} \right\} ]\) such that \((A_i, M_i[:\alpha ]) \ne (A_j, M_j[:\alpha ])\) and \(C_i[\alpha ] = C_j[\alpha ]\);

  2.

    \(\textsf{bad}_2 \mathop {\mathrm {\Leftrightarrow }}\limits \mathop {\mathrm {\bigvee }}\limits _{1 \le r \le s \le 5} (\textsf{IC}_{r,s} \vee \textsf{OC}_{r,s} \vee \textsf{TwColl}_r)\).

Let \(\Gamma _\textsf{bad}\) denote the set of all bad transcripts. We now upper bound the probability that each bad event occurs in the ideal world. Fix \(i, j \in [q_e]\) and \(\alpha \in [\min \left\{ {m_i, m_j} \right\} ]\) such that \((A_i, M_i[:\alpha ]) \ne (A_j, M_j[:\alpha ])\). Then, since \(C_i[\alpha ]\) and \(C_j[\alpha ]\) are chosen uniformly at random, one has

$$\begin{aligned} \Pr \left[ {\textsf{bad}_1} \right] \le \frac{\sigma l}{2^{2n}}. \end{aligned}$$
(12)

The conditional probability of \(\textsf{bad}_2\) given that \(\textsf{bad}_1\) has not happened is upper bounded as follows.

Lemma 7

$$\begin{aligned} \Pr \left[ {\textsf{bad}_2 \wedge \lnot \textsf{bad}_1} \right] \le \frac{48\sigma ^2 + 18q\sigma + 6q^2}{2^{2n}} + \frac{6\sigma + 2q}{2^n}. \end{aligned}$$

The proof of this lemma is deferred to Sect. 5.4. We now consider good transcripts.

Lemma 8

For any \(\tau \notin \Gamma _{\textsf{bad}}\),

$$\begin{aligned} \frac{\Pr \left[ {{\textsf{T}}_\textrm{re}= \tau } \right] }{\Pr \left[ {{\textsf{T}}_\textrm{id}= \tau } \right] } \ge 1 - \frac{2q_d}{2^n}. \end{aligned}$$

The proof of this lemma is deferred to Sect. 5.3.

Finally, by Lemmas 7 and 8 and (12), we can conclude that Theorem 2 holds.

5.3 Analyzing good transcripts

Fix \(\tau \notin \Gamma _{\textsf{bad}}\). For the proof, we define the following sets.

  • \({\mathcal {I}}'_3 = \left\{ {(i, \alpha ): i \in [q_e+q_d], \alpha \in [m_i], \forall j < i, (A_i, C_i[:\alpha ]) \ne (A_j, C_j[:\alpha ])} \right\} \);

  • \(W_{1}[\alpha , v] = \left\{ {(i, \alpha ) \in {\mathcal {I}}_1: A_{i, R}[\alpha ] = v\mathbin {\oplus } 2^{\alpha -1}\Delta _2 } \right\} \);

  • \(W_{2}[\alpha , v] = \left\{ {(i, \alpha ) \in {\mathcal {I}}_2: M_{i, R}[\alpha ] = v\mathbin {\oplus } 2^{\alpha -1}\Delta _4 } \right\} \);

  • \(W_{3}[\alpha , v] = \left\{ {(i, \alpha ) \in {\mathcal {I}}'_3: C_{i, R}[\alpha ] = v\mathbin {\oplus } 2^{\alpha -1}\Delta _6 } \right\} \);

  • \(W_{4}[\alpha , v] = \left\{ {(i, \alpha ) \in {\mathcal {I}}'_3: Y_i[\alpha ] = v} \right\} \),

and the following notation:

  • \(u_{j}[\alpha , v] = \left| {W_{j}[\alpha , v]} \right| \) for \(j \in [4]\);

  • \(u_{5}[\alpha ] = \left| {\left\{ {(i, \alpha ) \in {\mathcal {I}}'_3: \forall j < i, C_i[\alpha ] \ne C_j[\alpha ]} \right\} } \right| \);

  • \(u_6^e[v] = \left| {\left\{ {i \in [q_e]: V_i = v} \right\} } \right| \);

  • \(u_6^d[v] = \left| {\left\{ {i \in [q_e+1, q_e+q_d]: V_i = v} \right\} } \right| \).

For \(j\in [4]\), let

$$\begin{aligned} W_{j}^e[\alpha , v] = \left\{ {(i, \alpha ) \in W_{j}[\alpha , v]: i \in [q_e]} \right\} , \end{aligned}$$

and

$$\begin{aligned} W_{j}^d[\alpha , v] = W_{j}[\alpha , v] \setminus W_{j}^e[\alpha , v]. \end{aligned}$$

We also denote \(u_{j}^e[\alpha , v] = \left| {W_{j}^e[\alpha , v]} \right| \) and \(u_{j}^d[\alpha , v] = \left| {W_{j}^d[\alpha , v]} \right| \), so we have \(u_{j}[\alpha , v] = u_{j}^e[\alpha , v] + u_{j}^d[\alpha , v]\).

First, we consider the ideal world. The probability that the ciphertexts \(C_1, \dots , C_{q_e}\) are given is \(\frac{1}{2^{2n| {\mathcal {B}}|}}\), where \({\mathcal {B}}= \{ (A_i, M_i[:\alpha ]): 1 \le i \le q_e, \alpha \in [m_i] \}\), and the probability that the tags \(T_1, \dots , T_{q_e}\) are given is \(\frac{1}{2^{nq_e}}\). Let \({\textbf{X}}, {\textbf{Y}}, {\textbf{Z}}\) be the distributions of \((X_1, \dots , X_{q_e+q_d})\), \((Y_{q_e+1}, \dots , Y_{q_e+q_d})\), and \((Z_{q_e+1}, \dots , Z_{q_e+q_d})\), respectively. First, \(X_i[\alpha ]\) and \(X_j[\alpha ]\) are sampled to be distinct if \(A_{i, R}[\alpha ] = A_{j, R}[\alpha ]\) or \(M_{i, R}[\alpha ] = M_{j, R}[\alpha ]\). Therefore, for each \(v \in \{0,1\}^n\) and \(\alpha \in [a_i]\), the probability that the \(X_i[\alpha ]\)’s with \(A_{i, R}[\alpha ] = v\) take their values according to the associated data is \(\frac{1}{(2^n)_{u_{1}[\alpha , v_1]}}\), where \(v_1 = v \mathbin {\oplus } 2^{\alpha - 1}\Delta _2\). Similarly, for each \(v \in \{0,1\}^n\) and \(\alpha \in [m_i]\), the probability that the corresponding \(X_i[\alpha ]\)’s with \(M_{i, R}[\alpha ] = v\) take their values according to the message is \(\frac{1}{(2^n)_{u_{2}[\alpha , v_2]}}\), where \(v_2 = v \mathbin {\oplus } 2^{\alpha - 1}\Delta _4\). Hence,

$$\begin{aligned} \Pr \left[ {{\textbf{X}}= (X_1, \dots , X_{q_e+q_d})} \right]&= \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n)_{u_{1}[\alpha , v_1]}} \times \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n)_{u_{2}[\alpha , v_2]}} \nonumber \\&= \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n)_{u_{1}[\alpha , v]}} \times \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n)_{u_{2}[\alpha , v]}}. \nonumber \end{aligned}$$

Also, \(Y_i[\alpha ]\) and \(Y_j[\alpha ]\) are sampled to be distinct if \(C_{i, R}[\alpha ] = C_{j, R}[\alpha ]\), while \(\left\{ {Y_i} \right\} _{1 \le i \le q_e}\) is determined from \((X_1, \dots , X_{q_e+q_d})\). Therefore, for each \(v \in \{0,1\}^n\) and \(\alpha \in [l]\), the probability that the corresponding \(Y_i[\alpha ]\)’s are given is \(\frac{1}{(2^n - u_{3}^{e}[\alpha , v_3])_{u_{3}^{d}[\alpha , v_3]}}\), where \(v_3 = v \mathbin {\oplus } 2^{\alpha -1}\Delta _6\). Hence, similarly to the case above,

$$\begin{aligned} \Pr \left[ {{\textbf{Y}}= (Y_{q_e+1}, \dots , Y_{q_e+q_d}) | {\textbf{X}}} \right] = \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n - u_{3}^{e}[\alpha , v])_{u_{3}^{d}[\alpha , v]}}. \end{aligned}$$

Now, since \(Z_i[\alpha ]\)’s are given uniformly at random in decryption queries,

$$\begin{aligned} \Pr \left[ {{\textbf{Z}}= (Z_{q_e+1}, \dots , Z_{q_e+q_d})} \right] = \prod _{1 \le \alpha \le l} \frac{1}{(2^n)^{u_5[\alpha ]}}. \end{aligned}$$

Hence, we obtain the following probability.

$$\begin{aligned} \Pr \left[ {{\textsf{T}}_\textrm{id}= \tau } \right] =\;&\frac{1}{2^{2n| {\mathcal {B}}|}} \times \frac{1}{2^{nq_e}} \times \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n)_{u_{1}[\alpha , v]}} \times \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n)_{u_{2}[\alpha , v]}} \nonumber \\&\times \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} \frac{1}{(2^n - u_{3}^{e}[\alpha , v])_{u_{3}^{d}[\alpha , v]}} \nonumber \\&\times \left( {\prod _{1 \le \alpha \le l} \frac{1}{(2^n)^{u_5[\alpha ]}}} \right) \times \frac{1}{(2^n)_4}. \end{aligned}$$
(13)

Note that \(\frac{1}{(2^n)_4}\) is the probability that \(\Delta _1, \Delta _2, \Delta _3\) and \(\Delta _4\) are given.

Now, we consider the real world. First, the probability that every decryption query is answered with \(\bot \) is bounded below by

$$\begin{aligned} \prod _{v \in \{0,1\}^n} \left( {1 - \frac{1}{2^n - u_6^e[v]}} \right) ^{u_6^d[v]} \ge \left( {1 - \frac{1}{2^n - q_e}} \right) ^{q_d} \ge 1 - \frac{q_d}{2^n-q_e}. \end{aligned}$$

If we fix \(v \in \{0,1\}^n\), \({\tilde{\pi }}\) takes v as a tweak if and only if one of the following conditions holds.

  1.

    \(A_{i, R}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _2 = v\);

  2.

    \(M_{i, R}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _4 = v\);

  3.

    \(Y_i[\alpha ] = v\);

  4.

    \(C_{i, R}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _6 = v\);

  5.

    \(V_i = v\).

Since \(\textsf{bad}_2\) does not occur in any good transcript, the number of tweakable block cipher calls over all queries that take v as a tweak is

$$\begin{aligned} \sum _{1 \le \alpha \le l} \left( {u_1[\alpha , v] + u_2[\alpha , v] + u_3[\alpha , v] + u_4[\alpha , v]} \right) + u^e_6[v]. \end{aligned}$$

Since \(\frac{1}{(2^n)_{a+b}} \ge \frac{1}{(2^n)_a(2^n)_b}\) for \(a, b \ge 0\), we have

$$\begin{aligned} \Pr \left[ {{\textsf{T}}_\textrm{re}= \tau } \right] \ge&\prod _{\begin{array}{c} 1 \le \alpha \le l \\ v \in \{0,1\}^n \end{array}} {\frac{1}{(2^n)_{u_1[\alpha , v]}(2^n)_{u_2[\alpha , v]}(2^n)_{u_3[\alpha , v]}(2^n)_{u_4[\alpha , v]}}} \nonumber \\&\times \prod _{v \in \{0,1\}^n} \frac{1}{(2^n)_{u_6^e[v]}} \times \frac{1}{(2^n)_4}. \end{aligned}$$
(14)

Note that \(\frac{1}{(2^n)_4}\) is the probability that \(\Delta _1, \Delta _2, \Delta _3\) and \(\Delta _4\) are given. Since \(\sum _{v \in \{0,1\}^n} u_6^e[v] = q_e\), we have

$$\begin{aligned} \prod _{v \in \{0,1\}^n} \frac{1}{(2^n)_{u_6^e[v]}} \ge \prod _{v \in \{0,1\}^n} \frac{1}{(2^n)^{u_6^e[v]}} = \frac{1}{(2^n)^{q_e}}. \end{aligned}$$
(15)

Also,

$$\begin{aligned} \prod _{1 \le \alpha \le l} (2^n)^{u_5[\alpha ]} \ge \prod _{1 \le \alpha \le l} (2^n)_{u_5[\alpha ]} \ge \prod _{1 \le \alpha \le l} (2^n)_{u_{4}^{d}[\alpha ]}. \end{aligned}$$
(16)

Therefore by (13), (14), (15) and (16),

$$\begin{aligned} \frac{\Pr \left[ {{\textsf{T}}_\textrm{re}= \tau } \right] }{\Pr \left[ {{\textsf{T}}_\textrm{id}= \tau } \right] }&\ge \frac{2^{2n|{\mathcal {B}}|}}{\prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}}(2^n)_{u_3^e[\alpha , v]}\prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}}(2^n)_{u_{4}^{e}[\alpha , v]}} \times \left( {1 - \frac{q_d}{2^n - q_e}} \right) \\&\ge 1 - \frac{q_d}{2^n - q_e} \ge 1 - \frac{2q_d}{2^n}. \end{aligned}$$

The last inequality follows since

$$\begin{aligned} |{\mathcal {B}}| \ge \sum _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} u_3^e[\alpha , v], \end{aligned}$$

and hence,

$$\begin{aligned} 2^{n|{\mathcal {B}}|} \ge \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} (2^n)^{u_3^e[\alpha , v]} \ge \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} (2^n)_{u_3^e[\alpha , v]}, \end{aligned}$$

and similarly,

$$\begin{aligned} 2^{n|{\mathcal {B}}|} \ge \prod _{\begin{array}{c} v\in \{0,1\}^n \\ 1 \le \alpha \le l \end{array}} (2^n)_{u_{4}^{e}[\alpha , v]}, \end{aligned}$$

which completes the proof.

5.4 Bounding the probability of bad events

Let

$$\begin{aligned} \textsf{TwColl}&= \mathop {\mathrm {\bigvee }}\limits _{i = 1}^{5} \textsf{TwColl}_i, \\ \textsf{IC}&= \mathop {\mathrm {\bigvee }}\limits _{1 \le i \le j \le 5} \textsf{IC}_{i, j}, \\ \textsf{OC}&= \mathop {\mathrm {\bigvee }}\limits _{1 \le i \le j \le 5} \textsf{OC}_{i, j}. \end{aligned}$$

Note that \(\textsf{bad}_2 = \textsf{TwColl}\vee \textsf{IC}\vee \textsf{OC}\). We bound the probability of each collision event in the following lemmas; the main theorem then follows directly.

Lemma 9

$$\begin{aligned} \Pr \left[ {\textsf{TwColl}} \right] \le \frac{6\sigma + 2q}{2^n}. \end{aligned}$$

Proof

We bound \(\Pr \left[ {\textsf{TwColl}_i} \right]\) for each \(i = 1, \ldots , 5\).

  1.

    Fix \((i, \alpha ) \in {\mathcal {I}}_1\) and \(v \in \{0,1\}^n\). Then \(f_1(i, \alpha ) = (0, v)\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha -1}\Delta _1 = A_{i, L}[\alpha ]; \\ 2^{\alpha -1}\Delta _2 = A_{i, R}[\alpha ] \mathbin {\oplus } v, \end{array}\right. } \end{aligned}$$

    and since \((\Delta _1, \Delta _2)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {f_1(i,\alpha ) = (0, v)} \right] \le \frac{1}{2^n(2^n-1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    Therefore, we get

    $$\begin{aligned} \Pr \left[ {\textsf{TwColl}_{1}} \right] \le \sum _{v \in \{0,1\}^n} \frac{2|{\mathcal {I}}_1|}{2^{2n}} \le \frac{2|{\mathcal {I}}_1|}{2^{n}}. \end{aligned}$$
  2.

    Fix \((i, \alpha ) \in {\mathcal {I}}_2\) and \(v \in \{0,1\}^n\). Then \(f_2(i, \alpha ) = (0, v)\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha -1}\Delta _3 = M_{i, L}[\alpha ]; \\ 2^{\alpha -1}\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } v, \end{array}\right. } \end{aligned}$$

    and since \((\Delta _3, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {f_2(i,\alpha ) = (0, v)} \right] \le \frac{1}{2^n(2^n-1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    Therefore, we get

    $$\begin{aligned} \Pr \left[ {\textsf{TwColl}_{2}} \right] \le \sum _{v \in \{0,1\}^n} \frac{2|{\mathcal {I}}_2|}{2^{2n}} \le \frac{2|{\mathcal {I}}_2|}{2^{n}}. \end{aligned}$$
  3.

    Fix \((i, \alpha ) \in {\mathcal {I}}_3\) and \(v \in \{0,1\}^n\). If \(i \in [q_e]\), then \(f_3(i, \alpha ) = (0, v)\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_i + \alpha } X_i[\beta ], \\ X_i[\alpha + a_i] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 1}^{\alpha - 1} 2^{\alpha - 1}\Delta _4 = Q \mathbin {\oplus } v, \end{array}\right. } \end{aligned}$$

    where

    $$\begin{aligned} Q =&\bigoplus _{\beta = 1}^{a_i} 2^{a_i + \alpha - \beta }\left( {X_i[\beta ] \mathbin {\oplus } A_{i, R}[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _2} \right) \nonumber \\&\mathbin {\oplus } \bigoplus _{\beta = 1}^{\alpha - 1} 2^{\alpha - \beta }\left( {X_i[a_i + \beta ] \mathbin {\oplus } M_{i, R}[\beta ]} \right) . \end{aligned}$$

    Since \(\Delta _4\) is chosen uniformly at random from \(\{0,1\}^n\) and \(X_i[\alpha + a_i]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \), one has

    $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (0, v)} \right] \le \frac{1}{2^n(2^n - \sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$

    Now assume that \(i \notin [q_e]\). Then \(f_3(i, \alpha ) = (0, v)\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} Y_i[\alpha ] = 0; \\ Z_i[\alpha ] = v, \end{array}\right. } \end{aligned}$$

    and since \(Z_i[\alpha ]\) is chosen uniformly at random from \(\{0,1\}^n\) and \(Y_i[\alpha ]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \), one has

    $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (0, v)} \right] \le \frac{1}{2^n(2^n - \sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$

    By the above reasoning, we have

    $$\begin{aligned} \Pr \left[ {\textsf{TwColl}_{3}} \right] \le \sum _{v \in \{0,1\}^n} \frac{2|{\mathcal {I}}_3|}{2^{2n}} \le \frac{2|{\mathcal {I}}_3|}{2^{n}}. \end{aligned}$$
  4.

    Fix \((i, \alpha ) \in {\mathcal {I}}_4\) and \(v \in \{0,1\}^n\). If \(i \in [q_e]\), then \(f_4(i, \alpha ) = (0, v)\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } 2^{\alpha - 1}\Delta _4 = C_{i, R}[\alpha ]; \\ 2^{\alpha - 1}\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } v \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_i + \alpha } X_i[\beta ], \end{array}\right. } \end{aligned}$$

    and since \((\Delta _2, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {f_4(i,\alpha ) = (0, v)} \right] \le \frac{1}{2^n(2^n-1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    If \(i \notin [q_e]\), then \(f_4(i, \alpha ) = (0, v)\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _2 = C_{i, R}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _4; \\ Y_i[\alpha ] = v. \end{array}\right. } \end{aligned}$$

    Since \(\Delta _2\) is chosen uniformly at random from \(\{0,1\}^n\) and \(Y_i[\alpha ]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \), one has

    $$\begin{aligned} \Pr \left[ {f_4(i,\alpha ) = (0, v)} \right] \le \frac{1}{2^n(2^n-\sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$

    Therefore, we get

    $$\begin{aligned} \Pr \left[ {\textsf{TwColl}_{4}} \right] \le \sum _{v \in \{0,1\}^n} \frac{2|{\mathcal {I}}_4|}{2^{2n}} \le \frac{2|{\mathcal {I}}_4|}{2^{n}}. \end{aligned}$$
  5.

    Fix \(i \in [q]\). We distinguish two subcases.

    (a)

      Assume that \(i \in [q_e]\). Then \(V_i = 0\) if and only if

      $$\begin{aligned} X_i[1] = \bigoplus _{\alpha = 2}^{a_i + m_i} X_i[\alpha ]. \end{aligned}$$

      Since \(X_i[1]\) is sampled from the set of size at least \(2^n - q_e\), one has

      $$\begin{aligned} \Pr \left[ {V_i = 0} \right] \le \frac{1}{2^n - q_e} \le \frac{2}{2^n}. \end{aligned}$$
    (b)

      Assume that \(i \notin [q_e]\). Then \(V_i = 0\) if and only if

      $$\begin{aligned} Y_i[1] = \bigoplus _{\alpha = 1}^{a_i} X_i[\alpha ] \mathbin {\oplus } \bigoplus _{\alpha = 2}^{m_i} \left( {Y_i[\alpha ] \mathbin {\oplus } Z_i[\alpha ]} \right) \mathbin {\oplus } Z_i[1]. \end{aligned}$$

      Since \(Y_i[1]\) is sampled from the set of size at least \(2^n - q\), one has

      $$\begin{aligned} \Pr \left[ {V_i = 0} \right] \le \frac{1}{2^n - q} \le \frac{2}{2^n}. \end{aligned}$$

    By the above reasoning,

    $$\begin{aligned} \Pr \left[ {\textsf{TwColl}_5} \right] \le \sum _{i \in [q]} \frac{2}{2^n} \le \frac{2q}{2^n}. \end{aligned}$$

Now using \(\left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_2} \right| \le \sigma \), \(\left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_3} \right| \le \sigma \), and \(\left| {{\mathcal {I}}_i} \right| \le \sigma \) for \(1 \le i \le 4\), we conclude the lemma. \(\square \)
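As an added worked step (not written out in the original proof), carrying the union bound over the five cases through explicitly, using only the bounds derived above and the index-set inequalities just stated:

$$\begin{aligned} \Pr \left[ {\textsf{TwColl}} \right] &\le \sum _{i = 1}^{5} \Pr \left[ {\textsf{TwColl}_i} \right] \le \frac{2\left( {\left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_2} \right| + \left| {{\mathcal {I}}_3} \right| + \left| {{\mathcal {I}}_4} \right| } \right) }{2^n} + \frac{2q}{2^n} \\ &\le \frac{2\left( {\sigma + \sigma + \sigma } \right) }{2^n} + \frac{2q}{2^n} = \frac{6\sigma + 2q}{2^n}, \end{aligned}$$

where the second line groups \(\left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_2} \right| \le \sigma \), \(\left| {{\mathcal {I}}_3} \right| \le \sigma \) and \(\left| {{\mathcal {I}}_4} \right| \le \sigma \).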

Lemma 10

$$\begin{aligned} \Pr \left[ {\textsf{IC}} \right] \le \frac{4q^2 + 12q\sigma + 20\sigma ^2}{2^{2n}}. \end{aligned}$$

Proof

We bound \(\Pr \left[ {\textsf{IC}_{i, j}} \right]\) for each \(1 \le i \le j \le 5\).
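Almost every case below reduces a collision \(f_i(\cdot ) = f_j(\cdot )\) to one or two linear equations in the masks \(\Delta _k\), and the bound \(\frac{1}{2^n(2^n - 1)}\) rests on two field facts: for \(\alpha \ne \beta \) the coefficient \(2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1}\) is nonzero, hence invertible, so each equation has exactly one solution \(\Delta \); and the masks \(2^{\alpha - 1}\) for distinct block positions are pairwise distinct. The following Python snippet is an added example, not code from the paper or its authors. It assumes \(\textrm{GF}(2^{128})\) with the reduction polynomial \(x^{128} + x^7 + x^2 + x + 1\) (the GCM/OCB choice; the paper fixes no polynomial), implements the doubling that realises multiplication by \(2\), solves \((2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta = c\) for the unique \(\Delta \), brute-forces the solution count in a small \(\textrm{GF}(2^8)\) instance, and checks mask distinctness. All function names (`gf_double`, `solve_for_delta`, `count_solutions`, ...) are mine.

```python
# Added example (not from the paper): the GF(2^n) arithmetic behind the masks
# 2^{alpha-1} * Delta used in the collision bounds.  Assumption: GF(2^128)
# reduced by x^128 + x^7 + x^2 + x + 1 (GCM/OCB choice); the paper fixes no
# polynomial.  A GF(2^8) instance (AES polynomial) is small enough to enumerate.

GF128 = (128, 0x87)   # (n, low bits of the reduction polynomial)
GF8 = (8, 0x1B)       # x^8 + x^4 + x^3 + x + 1


def gf_double(a, field=GF128):
    """Multiply a by 2 (the element x) in GF(2^n), reducing once on overflow."""
    n, poly = field
    a <<= 1
    if a >> n:
        a = (a ^ poly) & ((1 << n) - 1)
    return a


def gf_mul(a, b, field=GF128):
    """Schoolbook multiplication in GF(2^n) built from repeated doubling."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = gf_double(a, field)
        b >>= 1
    return r


def gf_pow2(k, field=GF128):
    """The field element 2^k, i.e. x^k reduced modulo the polynomial."""
    v = 1
    for _ in range(k):
        v = gf_double(v, field)
    return v


def gf_inv(a, field=GF128):
    """a^{-1} = a^(2^n - 2) by square-and-multiply; a must be nonzero."""
    n, _ = field
    r, e = 1, (1 << n) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a, field)
        a = gf_mul(a, a, field)
        e >>= 1
    return r


def mask_coeff(alpha, beta, field=GF128):
    """Coefficient 2^{alpha-1} xor 2^{beta-1} of Delta in the IC equations."""
    return gf_pow2(alpha - 1, field) ^ gf_pow2(beta - 1, field)


def solve_for_delta(alpha, beta, target, field=GF128):
    """The unique Delta with (2^{alpha-1} xor 2^{beta-1}) * Delta = target.

    Requires alpha != beta so the coefficient is nonzero and invertible;
    uniqueness is exactly what yields one factor 1/2^n per equation.
    """
    c = mask_coeff(alpha, beta, field)
    if c == 0:
        raise ValueError("alpha == beta: coefficient is zero, no unique solution")
    return gf_mul(gf_inv(c, field), target, field)


def count_solutions(alpha, beta, target, field=GF8):
    """Brute-force the number of Delta satisfying the equation (small field only)."""
    n, _ = field
    c = mask_coeff(alpha, beta, field)
    return sum(1 for d in range(1 << n) if gf_mul(c, d, field) == target)


def masks_distinct(max_pos, field=GF128):
    """True if the masks 2^{alpha-1}, alpha = 1..max_pos, are pairwise distinct."""
    seen, v = set(), 1
    for _ in range(max_pos):
        if v in seen:
            return False
        seen.add(v)
        v = gf_double(v, field)
    return True


if __name__ == "__main__":
    d = solve_for_delta(2, 5, 0x1234)
    print(hex(d), gf_mul(mask_coeff(2, 5), d) == 0x1234)
    print(count_solutions(2, 5, 0x3C), count_solutions(3, 3, 0))
    print(masks_distinct(1024), masks_distinct(52, GF8))
```

The brute-force count shows the two regimes the proof distinguishes: with \(\alpha \ne \beta \) exactly one \(\Delta \) satisfies the equation, while with \(\alpha = \beta \) the coefficient vanishes and the equation is either trivially true for all \(\Delta \) or unsatisfiable, which is why those cases are argued separately. The small-field check also illustrates a caveat for implementers: under the AES polynomial the element \(2\) has order 51, so doubling masks repeat after 51 positions; a mask schedule of this shape needs a polynomial for which \(2\) has order at least the maximum block count.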

  1.

    Fix \(((i,\alpha ), (j,\beta )) \in ({\mathcal {I}}_1)^{*2}\). If \(\alpha = \beta \), then \(A_i[\alpha ] \ne A_j[\beta ]\), so \(f_1(i,\alpha ) \ne f_1(j,\beta )\). Suppose \(\alpha \ne \beta \). Then \(f_1(i,\alpha ) = f_1(j,\beta )\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} (2^{\alpha -1} \mathbin {\oplus } 2^{\beta -1}) \Delta _1 = A_{i,L}[\alpha ] \mathbin {\oplus } A_{j,L}[\beta ]; \\ (2^{\alpha -1} \mathbin {\oplus } 2^{\beta -1}) \Delta _2 = A_{i,R}[\alpha ] \mathbin {\oplus } A_{j,R}[\beta ], \end{array}\right. } \end{aligned}$$

    and since \((\Delta _1, \Delta _2)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {f_1(i,\alpha ) = f_1(j,\beta )} \right] \le \frac{1}{2^n(2^n-1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    Therefore, we get

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{1,1}} \right] \le \frac{2|{\mathcal {I}}_1|^2}{2^{2n}}. \end{aligned}$$
  2.

    Fix \((i, \alpha ) \in {\mathcal {I}}_1\) and \((j, \beta ) \in {\mathcal {I}}_2\). Then the equation \(f_1(i, \alpha ) = f_2(j, \beta )\) is equivalent to the system of equations

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _1 = A_{i, L}[\alpha ] \mathbin {\oplus } M_{j, L}[\beta ] \mathbin {\oplus } 2^{\beta - 1}\Delta _3; \\ 2^{\alpha - 1}\Delta _2 = A_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ] \mathbin {\oplus } 2^{\beta - 1}\Delta _4. \end{array}\right. } \end{aligned}$$

    Since \((\Delta _1, \Delta _2)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {f_1(i, \alpha ) = f_2(j, \beta )} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    Therefore,

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{1, 2}} \right] \le \sum _{(i, \alpha ) \in {\mathcal {I}}_1} \sum _{(j, \beta ) \in {\mathcal {I}}_2} \frac{2}{2^{2n}} \le \frac{2\left| {{\mathcal {I}}_1} \right| \left| {{\mathcal {I}}_2} \right| }{2^{2n}}. \end{aligned}$$
  3.

    Fix \((i, \alpha ) \in {\mathcal {I}}_1\) and \((j, \beta ) \in {\mathcal {I}}_3\). We distinguish two subcases.

    (a)

      If \(j \in [q_e]\), then the equation \(f_1(i, \alpha ) = f_3(j, \beta )\) is equivalent to the system of equations

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _1 \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{\beta - 1} 2^{\beta - 1}\Delta _4 = A_{i, L}[\alpha ] \mathbin {\oplus } Q; \\ 2^{\beta - 1}\Delta _4 = 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } A_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \beta } X_j[\gamma ], \end{array}\right. } \end{aligned}$$

      where

      $$\begin{aligned} Q =&X[a_j + \beta ] \mathbin {\oplus } \bigoplus _{\gamma = 1}^{a_j} 2^{a_j + \beta - \gamma }\left( {X_j[\gamma ] \mathbin {\oplus } A_{j, R}[\gamma ] \mathbin {\oplus } 2^{\gamma -1}\Delta _2} \right) \\&\mathbin {\oplus } \bigoplus _{\gamma = 1}^{\beta - 1} 2^{\beta - \gamma }\left( {X_j[a_j + \gamma ] \mathbin {\oplus } M_{j, R}[\gamma ]} \right) . \end{aligned}$$

      Since \((\Delta _1, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {f_1(i, \alpha ) = f_3(j, \beta )} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Assume \(j \notin [q_e]\). If \(C_j[\beta ] = C_{j'}[\beta ]\) for some \(j' \in [q_e]\), this case is the same as the case \(j \in [q_e]\). Otherwise, the equation \(f_1(i, \alpha ) = f_3(j, \beta )\) is equivalent to the system of equations

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _1 = A_{i, L}[\alpha ] \mathbin {\oplus } Z_j[\beta ]; \\ 2^{\alpha - 1}\Delta _2 = A_{i, R}[\alpha ] \mathbin {\oplus } Y_j[\beta ]. \end{array}\right. } \end{aligned}$$

      Since \((\Delta _1, \Delta _2)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {f_1(i, \alpha ) = f_3(j, \beta )} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    By the above reasoning,

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{1, 3}} \right] \le \sum _{(i, \alpha ) \in {\mathcal {I}}_1} \sum _{(j, \beta ) \in {\mathcal {I}}_3} \frac{2}{2^{2n}} \le \frac{2\left| {{\mathcal {I}}_1} \right| \left| {{\mathcal {I}}_3} \right| }{2^{2n}}. \end{aligned}$$
  4.

    Fix \((i, \alpha ) \in {\mathcal {I}}_1\) and \((j, \beta ) \in {\mathcal {I}}_4\). We distinguish two subcases.

    (a)

      Assume that \(j \in [q_e]\). Then the equation \(f_1(i, \alpha ) = f_4(j, \beta )\) is equivalent to the system of equations

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _1 \mathbin {\oplus } 2^{\beta - 1}\Delta _4 = A_{i, L}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \beta } X_j[\gamma ]; \\ 2^{\beta - 1}\Delta _4 = A_{i, R}[\alpha ] \mathbin {\oplus } C_{j, R}[\beta ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } 2^{\beta - 1}\Delta _2. \end{array}\right. } \end{aligned}$$

      Since \((\Delta _1, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {f_1(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Assume that \(j \notin [q_e]\). Then the equation \(f_1(i, \alpha ) = f_4(j, \beta )\) is equivalent to the system of equations

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _1 = A_{i, L}[\alpha ] \mathbin {\oplus } Y_j[\beta ]; \\ 2^{\beta - 1}\Delta _4 = A_{i, R}[\alpha ] \mathbin {\oplus } C_{j, R}[\beta ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } 2^{\beta - 1}\Delta _2. \end{array}\right. } \end{aligned}$$

      Since \((\Delta _1, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {f_1(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    By the above reasoning,

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{1, 4}} \right] \le \sum _{(i, \alpha ) \in {\mathcal {I}}_1} \sum _{(j, \beta ) \in {\mathcal {I}}_4} \frac{2}{2^{2n}} \le \frac{2\left| {{\mathcal {I}}_1} \right| \left| {{\mathcal {I}}_4} \right| }{2^{2n}}. \end{aligned}$$
  5.

    Fix \((i, \alpha ) \in {\mathcal {I}}_1\) and \(j \in [q]\). We distinguish two subcases.

    (a)

      Assume that \(j \in [q_e]\). Then the equation \(f_1(i, \alpha ) = (V_j, U_j)\) is equivalent to the system of equations

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _1 \mathbin {\oplus } \left( {\mathop {\bigoplus }\nolimits _{\beta = 1}^{a_j} 2^{a_j + m_j + 1 - \beta }} \right) \Delta _2 = Q \mathbin {\oplus } A_{i, L}[\alpha ]; \\ 2^{\alpha - 1}\Delta _2 = A_{i, R}[\alpha ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_j + m_j} X_j[\beta ], \end{array}\right. } \end{aligned}$$

      where

      $$\begin{aligned} Q =&\bigoplus _{\beta = 1}^{a_j} 2^{a_j + m_j + 1 - \beta }\left( {X_j[\beta ] \mathbin {\oplus } A_{j, R}[\beta ]} \right) \\&\mathbin {\oplus } \bigoplus _{\beta = 1}^{m_j} 2^{m_j + 1 - \beta }\left( {X_j[a_j + \beta ] \mathbin {\oplus } M_{j, R}[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _4} \right) . \end{aligned}$$

      Since \((\Delta _1, \Delta _2)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {f_1(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Assume that \(j \notin [q_e]\). Then the equation \(f_1(i, \alpha ) = (V_j, U_j)\) is equivalent to the system of equations

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _1 = A_{i, L}[\alpha ] \mathbin {\oplus } U_j; \\ 2^{\alpha - 1}\Delta _2 = A_{i, R}[\alpha ] \mathbin {\oplus } V_j. \end{array}\right. } \end{aligned}$$

      Note that \(U_j\) and \(V_j\) are independent of \(\Delta _1\) and \(\Delta _2\). Since \((\Delta _1, \Delta _2)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {f_1(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    By the above reasoning, we have

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{1, 5}} \right] \le \sum _{(i, \alpha ) \in {\mathcal {I}}_1} \sum _{j \in [q]} \frac{2}{2^{2n}} \le \frac{2q\left| {{\mathcal {I}}_1} \right| }{2^{2n}}. \end{aligned}$$
  6.

    Fix \((i, \alpha ) \in {\mathcal {I}}_2\) and \((j, \beta ) \in {\mathcal {I}}_2\), where \((i, \alpha ) \ne (j, \beta )\). If \(\alpha = \beta \), then \(M_i[\alpha ] \ne M_j[\beta ]\) so \(f_2(i, \alpha ) \ne f_2(j, \beta )\). Suppose \(\alpha \ne \beta \). Then, \(f_2(i, \alpha ) = f_2(j, \beta )\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _3 = M_{i, L}[\alpha ] \mathbin {\oplus } M_{j, L}[\beta ]; \\ (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ], \end{array}\right. } \end{aligned}$$

    where \(2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1} \ne 0\). Since \((\Delta _3, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {f_2(i, \alpha ) = f_2(j, \beta )} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    Therefore, we get

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{2, 2}} \right] \le \sum _{(i, \alpha ) \in {\mathcal {I}}_2} \sum _{(j, \beta ) \in {\mathcal {I}}_2} \frac{2}{2^{2n}} \le \frac{2\left| {{\mathcal {I}}_2} \right| ^2}{2^{2n}}. \end{aligned}$$
  7.

    Fix \((i, \alpha ) \in {\mathcal {I}}_2\) and \((j, \beta ) \in {\mathcal {I}}_3\). We distinguish two subcases.

    (a)

      Assume that \(j \in [q_e]\). Then the equation \(f_2(i, \alpha ) = f_3(j, \beta )\) is equivalent to the system of equations

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _3 \mathbin {\oplus } X_j[a_j + \beta ] = M_{i, L}[\alpha ] \mathbin {\oplus } Q; \\ X_j[a_j + \beta ] = (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4 \mathbin {\oplus } M_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \beta - 1} X_j[\gamma ], \end{array}\right. } \end{aligned}$$

      where

      $$\begin{aligned} Q =&\bigoplus _{\gamma = 1}^{a_j} 2^{a_j + \beta - \gamma }\left( {X_j[\gamma ] \mathbin {\oplus } A_{j, R}[\gamma ] \mathbin {\oplus } 2^{\gamma - 1}\Delta _2} \right) \\&\mathbin {\oplus } \bigoplus _{\gamma = 1}^{\beta - 1} 2^{\beta - \gamma }\left( {X_j[a_j + \gamma ] \mathbin {\oplus } M_{j, R}[\gamma ] \mathbin {\oplus } 2^{\gamma - 1}\Delta _4} \right) . \end{aligned}$$

      Since \(\Delta _3\) is chosen uniformly at random from \(\{0,1\}^n\) and \(X_j[a_j + \beta ]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \), one has

      $$\begin{aligned} \Pr \left[ {f_2(i, \alpha ) = f_3(j, \beta )} \right] \le \frac{1}{2^n(2^n - \sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Assume that \(j \notin [q_e]\). Then the equation \(f_2(i, \alpha ) = f_3(j, \beta )\) is equivalent to the system of equations

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _3 = M_{i, L}[\alpha ] \mathbin {\oplus } Z_j[\beta ]; \\ 2^{\alpha - 1}\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } Y_j[\beta ]. \end{array}\right. } \end{aligned}$$

      Since \((\Delta _3, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {f_2(i, \alpha ) = f_3(j, \beta )} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    By the above reasoning, we have

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{2, 3}} \right] \le \sum _{(i, \alpha ) \in {\mathcal {I}}_2} \sum _{(j, \beta ) \in {\mathcal {I}}_3} \frac{2}{2^{2n}} \le \frac{2\left| {{\mathcal {I}}_2} \right| \left| {{\mathcal {I}}_3} \right| }{2^{2n}}. \end{aligned}$$
  8.

    Fix \((i, \alpha ) \in {\mathcal {I}}_2\) and \((j, \beta ) \in {\mathcal {I}}_4\). Then the equation \(f_2(i, \alpha ) = f_4(j, \beta )\) is equivalent to the system of equations

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _3 = M_{i, L}[\alpha ] \mathbin {\oplus } Y_j[\beta ]; \\ 2^{\beta - 1}\Delta _2 = (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4 \mathbin {\oplus } M_{i, R}[\alpha ] \mathbin {\oplus } C_{j, R}[\beta ]. \end{array}\right. } \end{aligned}$$

    Note that \(Y_j[\beta ]\) is independent of \(\Delta _2\) and \(\Delta _3\). Since \((\Delta _2, \Delta _3)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {f_2(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{2, 4}} \right] \le \sum _{(i, \alpha ) \in {\mathcal {I}}_2} \sum _{(j, \beta ) \in {\mathcal {I}}_4} \frac{2}{2^{2n}} \le \frac{2\left| {{\mathcal {I}}_2} \right| \left| {{\mathcal {I}}_4} \right| }{2^{2n}}. \end{aligned}$$
  9.

    Fix \((i, \alpha ) \in {\mathcal {I}}_2\) and \(j \in [q]\). If \(j \in [q_e]\), then \(f_2(i, \alpha ) = (V_j, U_j)\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _3 \mathbin {\oplus } \left( {\mathop {\bigoplus }\nolimits _{\beta = 1}^{m_j} 2^{m_j}} \right) \Delta _4 = M_{i, L}[\alpha ] \mathbin {\oplus } P; \\ 2^{\alpha - 1}\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_j + m_j} X_j[\beta ], \end{array}\right. } \end{aligned}$$

    where

    $$\begin{aligned} P =&\bigoplus _{\beta = 1}^{a_j} 2^{a_j + m_j + 1 - \beta }\left( {X_j[\beta ] \mathbin {\oplus } A_{j, R}[\beta ] \mathbin {\oplus } 2^{\beta -1}\Delta _2} \right) \\&\mathbin {\oplus } \bigoplus _{\beta = 1}^{m_j} 2^{m_j + 1 - \beta }\left( {X_j[a_j + \beta ] \mathbin {\oplus } M_{j, R}[\beta ]} \right) . \end{aligned}$$

    Since \((\Delta _3, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {f_2(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    If \(j \notin [q_e]\), then \(f_2(i, \alpha ) = (V_j, U_j)\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _3 = M_{i, L}[\alpha ] \mathbin {\oplus } U_j; \\ 2^{\alpha - 1}\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } V_j. \end{array}\right. } \end{aligned}$$

    Note that \(U_j\) and \(V_j\) are independent of \(\Delta _3\) and \(\Delta _4\). Since \((\Delta _3, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {f_2(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{2, 5}} \right] \le \sum _{j \in [q]} \sum _{(i, \alpha ) \in {\mathcal {I}}_2} \frac{2}{2^{2n}} \le \frac{2q\left| {{\mathcal {I}}_2} \right| }{2^{2n}}. \end{aligned}$$
  10.

    Fix \(((i,\alpha ), (j,\beta )) \in ({\mathcal {I}}_3)^{*2}\) where \(i \le j\). If \(j \in [q_e+1,q_e+q_d]\), we have

    $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\beta )} \right] \le \frac{1}{2^{2n}}, \end{aligned}$$

    by the random choice of Y and Z variables in the ideal world. Suppose \(j \in [q_e]\). Then, by the equations of Y-variables and Z-variables, \(f_3(i,\alpha ) = f_3(j,\beta )\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_i + \alpha } X_i[\gamma ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \beta } X_j[\gamma ] = P; \\ \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_i + \alpha } 2^{a_i+\alpha -\gamma }X_i[\gamma ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \beta } 2^{a_j+\beta -\gamma }X_j[\gamma ] = Q, \end{array}\right. } \end{aligned}$$
    (17)

    where

    $$\begin{aligned} P&= M_{i,R}[\alpha ] \mathbin {\oplus } M_{j,R}[\beta ] \mathbin {\oplus } (2^{\alpha -1} \mathbin {\oplus } 2^{\beta -1})\Delta _2, \\ Q&= \bigoplus _{\gamma = 1}^{a_i} 2^{a_i +\alpha -\gamma } (A_{i,R}[\gamma ] \mathbin {\oplus } 2^{\gamma -1}\Delta _2) \mathbin {\oplus } \bigoplus _{\gamma = 1}^{\alpha -1} 2^{\alpha -\gamma } (M_{i,R}[\gamma ] \mathbin {\oplus } 2^{\gamma -1}\Delta _4) \\&\mathbin {\oplus } \bigoplus _{\gamma = 1}^{a_j} 2^{a_j +\beta -\gamma } (A_{j,R}[\gamma ] \mathbin {\oplus } 2^{\gamma -1}\Delta _2) \mathbin {\oplus } \bigoplus _{\gamma = 1}^{\beta -1} 2^{\beta -\gamma } (M_{j,R}[\gamma ] \mathbin {\oplus } 2^{\gamma -1}\Delta _4). \end{aligned}$$

    We consider the following subcases.

    (a)

      If \(\alpha < \beta \), (17) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i+\alpha ] \mathbin {\oplus } X_j[a_j+\alpha ] \mathbin {\oplus } X_j[a_j+\beta ] = P'; \\ X_i[a_i+\alpha ] \mathbin {\oplus } 2^{\beta - \alpha } X_j[a_j+\alpha ] \mathbin {\oplus } X_j[a_j+\beta ] = Q', \end{array}\right. } \end{aligned}$$
      (18)

      for some \(P'\) and \(Q'\). Assume that \(X_i[a_i + \alpha ] = X_j[a_j + \alpha ]\). Then (18) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_j[a_j+\beta ] = P'; \\ (2^{\beta - \alpha } \mathbin {\oplus } 1) X_j[a_j+\alpha ] \mathbin {\oplus } X_j[a_j+\beta ] = Q'. \end{array}\right. } \end{aligned}$$

      In this case, by the sampling process of \(X_j[a_j + \alpha ]\) and \(X_j[a_j + \beta ]\),

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\beta )} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

      If \(X_i[a_i + \alpha ] \ne X_j[a_j + \alpha ]\), (18) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i+\alpha ] \mathbin {\oplus } X_j[a_j+\alpha ] = P' \mathbin {\oplus } X_j[a_j+\beta ]; \\ X_i[a_i+\alpha ] \mathbin {\oplus } 2^{\beta - \alpha } X_j[a_j+\alpha ] = Q' \mathbin {\oplus } X_j[a_j+\beta ]. \end{array}\right. } \end{aligned}$$

      In this case, by the sampling process of \(X_i[a_i + \alpha ]\) and \(X_j[a_j + \alpha ]\),

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\beta )} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

      Therefore, whether or not \(M_i[\alpha ] = M_j[\alpha ]\),

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\beta )} \right] \le \frac{4}{2^{2n}}. \end{aligned}$$
    (b)

      If \(a_i < a_j\) and \(\alpha = \beta \), (17) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i] \mathbin {\oplus } X_j[a_i] \mathbin {\oplus } X_j[a_j] = P'; \\ X_i[a_i] \mathbin {\oplus } 2^{a_j - a_i} X_j[a_i] \mathbin {\oplus } X_j[a_j] = Q', \end{array}\right. } \end{aligned}$$
      (19)

      for some \(P'\) and \(Q'\). Assume that \(X_i[a_i] = X_j[a_i]\). Then (19) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_j[a_j] = P'; \\ (2^{a_j - a_i} \mathbin {\oplus } 1) X_j[a_i] \mathbin {\oplus } X_j[a_j] = Q'. \end{array}\right. } \end{aligned}$$

      In this case, by the sampling process of \(X_j[a_i]\) and \(X_j[a_j]\), we have

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\beta )} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

      If \(X_i[a_i] \ne X_j[a_i]\), then (19) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i] \mathbin {\oplus } X_j[a_i] = P' \mathbin {\oplus } X_j[a_j]; \\ X_i[a_i] \mathbin {\oplus } 2^{a_j - a_i} X_j[a_i] = Q' \mathbin {\oplus } X_j[a_j]. \end{array}\right. } \end{aligned}$$

      In this case, by the sampling process of \(X_i[a_i]\) and \(X_j[a_i]\), we have

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\beta )} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

      Therefore, whether or not \(A_i[a_i] = A_j[a_i]\),

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\beta )} \right] \le \frac{4}{2^{2n}}. \end{aligned}$$
    (c)

      If there exist two distinct \(\gamma _1, \gamma _2 \le \alpha \) such that \(A_i[\gamma _1] \ne A_j[\gamma _1]\) and \(A_i[\gamma _2] \ne A_j[\gamma _2]\), (17) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[\gamma _1] \mathbin {\oplus } X_j[\gamma _2] = P'; \\ 2^{a_i + \alpha -\gamma _1} X_i[\gamma _1] \mathbin {\oplus } 2^{a_i + \alpha - \gamma _2} X_i[\gamma _2] = Q', \end{array}\right. } \end{aligned}$$

      for some \(P'\) and \(Q'\). Therefore, by the sampling process of \(X_i[\gamma _1]\) and \(X_j[\gamma _2]\), we get

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\beta )} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

      A similar argument applies if \((A_i, M_i[:\alpha ])\) and \((A_j, M_j[:\alpha ])\) differ in two or more blocks.

    (d)

      Let \(a_i = a_j\), \(\alpha = \beta \), and \(M_i[\alpha ] \ne M_j[\alpha ]\) while \((A_i, M_i[:\alpha -1]) = (A_j, M_j[:\alpha -1])\). Then (17) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i+\alpha ] \mathbin {\oplus } X_j[a_i+\alpha ] = M_{i,R}[\alpha ] \mathbin {\oplus } M_{j,R}[\alpha ]; \\ X_i[a_i+\alpha ] \mathbin {\oplus } X_j[a_i+\alpha ] = 0, \end{array}\right. } \end{aligned}$$

      so we must have \(X_i[a_i+\alpha ] = X_j[a_i+\alpha ]\) and \(M_{i,R}[\alpha ] = M_{j,R}[\alpha ]\), which contradicts the rules for choosing the X variables. Therefore,

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = f_3(j,\beta )} \right] = 0, \end{aligned}$$

      and a similar argument applies if \((A_i, M_i[:\alpha ])\) and \((A_j, M_j[:\alpha ])\) differ in exactly one block.

    All in all, we get

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{3,3}} \right] \le \frac{4|{\mathcal {I}}_3|^2}{2^{2n}}. \end{aligned}$$
  11.

    Fix \((i, \alpha ) \in {\mathcal {I}}_3\) and \((j, \beta ) \in {\mathcal {I}}_4\). We consider the following subcases.

    (a)

      Let \(i, j \in [q_e]\). Assume that \(M_i[:\alpha ]\) and \(M_j[:\beta ]\) are different in two or more blocks. We fix such distinct \(\gamma _1, \gamma _2\). If \(\beta \le \alpha \), then \(f_3(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{a_i + \alpha -\gamma _1}X_i[a_i + \gamma _1] \mathbin {\oplus } 2^{a_i + \alpha - \gamma _2}X_i[a_i +\gamma _2] = P'; \\ X_i[a_i + \gamma _1] \mathbin {\oplus } X_i[a_i + \gamma _2] = Q', \end{array}\right. } \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[a_i + \gamma _1]\) and \(X_i[a_i + \gamma _2]\). By the sampling process of \(X_i[a_i + \gamma _1]\) and \(X_i[a_i + \gamma _2]\), we have

      $$\begin{aligned} \Pr \left[ {f_3(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

      If \(\beta > \alpha \), then \(f_3(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_j[a_j + \gamma _1] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\delta = 1}^{a_i} 2^{\delta - 1}\Delta _2 = P'; \\ 2^{\beta - 1}\Delta _2 = Y_i \mathbin {\oplus } 2^{\beta - 1}\Delta _4 \mathbin {\oplus } C_{j, R}[\beta ], \end{array}\right. } \end{aligned}$$

      for some \(P'\) which is independent of \(X_j[a_j + \gamma _1]\) and \(\Delta _2\). By the sampling process of \(X_j[a_j + \gamma _1]\) and the randomness of \(\Delta _2\), we have

      $$\begin{aligned} \Pr \left[ {f_3(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{1}{(2^n - \sigma )(2^n - 1)} \le \frac{4}{2^{2n}}. \end{aligned}$$

      Therefore,

      $$\begin{aligned} \Pr \left[ {f_3(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{4}{2^{2n}}. \end{aligned}$$
    (b)

      Let \(i, j \in [q_e]\). Assume that \(M_i[:\alpha ]\) and \(M_j[:\beta ]\) are different in just a single block with index h. Then \(f_3(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i + h] = P'; \\ 2^{\alpha - h}X_i[a_i + h] \mathbin {\oplus } X_j[a_j + h] = Q', \end{array}\right. } \end{aligned}$$

      for some \(P'\) and \(Q'\). Therefore, by the sampling process of \(X_i[a_i + h]\) and \(X_j[a_j + h]\), we have

      $$\begin{aligned} \Pr \left[ {f_3(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$
    (c)

      Let \(i, j \in [q_e]\) and \(M_i[:\alpha ] = M_j[:\beta ]\). Note that \(X_i[a_i + h] = X_j[a_j + h]\) for all \(h \in [\alpha ]\). If \(\alpha = \beta > 2\), then \(f_3(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i + 1] \mathbin {\oplus } X_i[a_i + 2] = P' \\ (2^{\alpha - 1} \mathbin {\oplus } 1)X_i[a_i + 1] \mathbin {\oplus } (2^{\alpha - 2} \mathbin {\oplus } 1)X_i[a_i + 2] = Q'. \end{array}\right. } \end{aligned}$$

      If \(\alpha = \beta = 2\), then \(f_3(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i + 1] \mathbin {\oplus } X_i[a_i + 2] = P'; \\ (2^{\alpha - 1} \mathbin {\oplus } 1)X_i[a_i + 1] = Q'. \end{array}\right. } \end{aligned}$$

      In both cases, one has

      $$\begin{aligned} \Pr \left[ {f_3(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{4}{2^{2n}}. \end{aligned}$$

      Now assume \(\alpha = \beta = 1\). Then \(f_3(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} \Delta _2 = P'; \\ \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j} 2^{a_j + 1 - \gamma }\Delta _2 \mathbin {\oplus } \Delta _4 = Q'. \end{array}\right. } \end{aligned}$$

      Since \((\Delta _2, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {f_3(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{2}{2^{2n}}. \end{aligned}$$
    (d)

      Let \(i \in [q_e+1, q]\) and \(j \in [q_e]\). Then \(f_3(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\beta - 1}\Delta _2 \mathbin {\oplus } 2^{\beta - 1}\Delta _4 = Y_i[\alpha ] \mathbin {\oplus } C_{j, R}; \\ 2^{\beta - 1}\Delta _4 = Z_i[\alpha ] \mathbin {\oplus } M_{j, R}[\alpha ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \beta } X_j[\gamma ]. \end{array}\right. } \end{aligned}$$

      Since \((\Delta _2, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {f_3(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{2}{2^{2n}}. \end{aligned}$$
    (e)

      Let \(i \in [q_e]\) and \(j \in [q_e+1, q]\). If \(\alpha \ge 2\), then \(f_3(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i + 1] \mathbin {\oplus } X_i[a_i + 2] = P'; \\ X_i[a_i + 1] \mathbin {\oplus } 2X_i[a_i + 2] = Q', \end{array}\right. } \end{aligned}$$

      where \(P'\) and \(Q'\) are independent of \(X_i[a_i + 1]\) and \(X_i[a_i + 2]\). In this case, by the sampling process of \(X_i[a_i + 1]\) and \(X_i[a_i + 2]\), we have

      $$\begin{aligned} \Pr \left[ {f_3(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{1}{(2^n-\sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

      If \(\alpha = 1\), then \(f_3(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i + 1] \mathbin {\oplus } \Delta _4 = P'; \\ X_i[a_i + 1] = Q', \end{array}\right. } \end{aligned}$$

      where \(P'\) and \(Q'\) are independent of \(X_i[a_i + 1]\) and \(\Delta _4\). In this case, since \(X_i[a_i + 1]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \) and \(\Delta _4\) is chosen uniformly at random from \(\{0,1\}^n \setminus \left\{ {\Delta _2} \right\} \), we have

      $$\begin{aligned} \Pr \left[ {f_3(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{1}{(2^n - 1)(2^n-\sigma )} \le \frac{4}{2^{2n}}. \end{aligned}$$
    (f)

      Let \(i, j \in [q_e + 1, q]\). Then \(f_3(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\beta - 1}\Delta _2 = Y_i[\alpha ] \mathbin {\oplus } C_{j, R}[\beta ] \mathbin {\oplus } 2^{\beta - 1}\Delta _4; \\ Z_i[\alpha ] = Y_j[\beta ]. \end{array}\right. } \end{aligned}$$

      Since \(\Delta _2\) is chosen uniformly at random from \(\{0,1\}^n {\setminus } \left\{ {\Delta _4} \right\} \) and \(Z_i[\alpha ]\) is chosen uniformly at random from \(\{0,1\}^n\), we have

      $$\begin{aligned} \Pr \left[ {f_3(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{1}{2^{n}(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    To sum up, we have

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{3, 4}} \right] \le \sum _{(j, \beta ) \in {\mathcal {I}}_4} \sum _{(i, \alpha ) \in {\mathcal {I}}_3} \frac{4}{2^{2n}} \le \frac{4\left| {{\mathcal {I}}_3} \right| \left| {{\mathcal {I}}_4} \right| }{2^{2n}}. \end{aligned}$$
  12.

    Fix \((i,\alpha ) \in {\mathcal {I}}_3\) and \(j \in [q_e+q_d]\). We consider each of the sub-cases below.

    (a)

      Assume that \(i, j \in [q_e]\), and \(M_i[:\alpha ]\) and \(M_j\) are different in two or more blocks. Fix such distinct \(\gamma _1, \gamma _2\). If \(\alpha \ge m_j\), then \(f_3(i, \alpha ) = (V_j, U_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i + \gamma _1] \mathbin {\oplus } X_i[a_i + \gamma _2] = P'; \\ 2^{a_i + \alpha - \gamma _1}X_i[a_i + \gamma _1] \mathbin {\oplus } 2^{a_i + \alpha - \gamma _2}X_i[a_i + \gamma _2] = Q', \end{array}\right. } \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[a_i + \gamma _1]\) and \(X_i[a_i + \gamma _2]\). In this case, by the sampling process of \(X_i[a_i + \gamma _1]\) and \(X_i[a_i + \gamma _2]\),

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (V_j, U_j)} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

      If \(\alpha < m_j\), then \(f_3(i, \alpha ) = (V_j, U_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_j[a_j + \gamma _1] \mathbin {\oplus } X_j[a_j + \gamma _2] = P'; \\ 2^{a_j + m_j + 1 - \gamma _1}X_j[a_j + \gamma _1] \mathbin {\oplus } 2^{a_j + m_j + 1 - \gamma _2}X_j[a_j + \gamma _2] = Q', \end{array}\right. } \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_j[a_j + \gamma _1]\) and \(X_j[a_j + \gamma _2]\). In this case, by the sampling process of \(X_j[a_j + \gamma _1]\) and \(X_j[a_j + \gamma _2]\),

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (V_j, U_j)} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

      Therefore, we have

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (V_j, U_j)} \right] \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Suppose \(i, j \in [q_e]\), and \(M_i\) and \(M_j\) differ in a single block with index \(\gamma \). Then, by the equations for the U-variables and V-variables specified in Sect. 3, \(f_3(i,\alpha ) = (V_j, U_j)\) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i+\gamma ] \mathbin {\oplus } X_j[a_j+\gamma ] = P'; \\ X_i[a_i+\gamma ] \mathbin {\oplus } 2^{m_j + 1 - \gamma } X_j[a_j+\gamma ] = Q', \end{array}\right. } \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[a_i+\gamma ]\) and \(X_j[a_j+\gamma ]\). By the sampling process of \(X_i[a_i+\gamma ]\) and \(X_j[a_j+\gamma ]\), we have

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (V_j, U_j)} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$
    (c)

      Suppose \(i = j \in [q_e]\). If \(\alpha < m_i\), then \(f_3(i,\alpha ) = (V_i, U_i)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i + m_i] = M_{i, R}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _4 \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = a_i + \alpha + 1}^{a_i + m_i}X_i[\beta ]; \\ 2X_i[a_i + m_i] \mathbin {\oplus } (2^{m_i + 1 - \alpha } + 1)X_i[a_i + \alpha ] = Q', \end{array}\right. } \end{aligned}$$

      for some \(Q'\) which is independent of \(X_i[a_i + \alpha ]\) and \(X_i[a_i + m_i]\). Note that \(\alpha < m_i\) so \(m_i - \alpha + 1 > 0\). Therefore, in this case, we have

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (V_i, U_i)} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

      Now assume that \(\alpha = m_i\). Then \(f_3(i,m_i) = (V_i, U_i)\) can be rewritten as

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{m_i-1}\Delta _4 = P'; \\ 3X_i[m_i] \mathbin {\oplus } \left( {2^{m_i} \mathbin {\oplus } \bigoplus _{\beta =1}^{m_i-1} (2^{m_i-1} \mathbin {\oplus } 2^{m_i})} \right) \Delta _4 = Q'. \end{array}\right. } \end{aligned}$$

      Since \(X_i[m_i]\) is chosen uniformly at random from a set of size at least \(2^n - \sigma \) and \(\Delta _4\) is chosen uniformly at random from \(\{0,1\}^n \setminus \left\{ {\Delta _2} \right\} \), we get

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (V_i, U_i)} \right] \le \frac{1}{(2^n - 1)(2^n - \sigma )} \le \frac{4}{2^{2n}}. \end{aligned}$$
    (d)

      Let \(i \in [q_e+1, q]\) and \(C_i[\alpha ] \ne C_j[\alpha ]\). Then \(f_3(i, \alpha ) = (V_j, U_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} Y_i[\alpha ] = V_j; \\ Z_i[\alpha ] = U_j. \end{array}\right. } \end{aligned}$$

      Since \(Y_i[\alpha ]\) is chosen uniformly at random from a set of size at least \(2^n - \sigma \) and \(Z_i[\alpha ]\) is chosen uniformly at random from \(\{0,1\}^n\), we have

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n - \sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (e)

      Let \(j \in [q_e+1,q]\) and suppose there exists \(\gamma \) such that \((j,\gamma ) \in {\mathcal {I}}_3\). If we fix all the X, Y, and Z variables constituting \((V_j, U_j)\) except \(Y_j[\gamma ]\) and \(Z_j[\gamma ]\), there is a one-to-one correspondence \(f: \{0,1\}^{2n} \longrightarrow \{0,1\}^{2n}\) between \((Y_j[\gamma ], Z_j[\gamma ])\) and \((V_j, U_j)\). Then \(\Pr \left[ {f_3(i,\alpha ) = (V_j, U_j)} \right] = \Pr \left[ {f_3(i, \alpha ) = f((Y_j[\gamma ], Z_j[\gamma ]))} \right] \). Since \(Y_j[\gamma ]\) is chosen uniformly at random from a set of size at least \(2^n - \sigma \) and \(Z_j[\gamma ]\) is chosen uniformly at random from \(\{0,1\}^n\), we get

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n - \sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (f)

      Let \(i \in [q_e+1,q]\) and \(C_i[\alpha ] = C_j[\alpha ]\). Since \((i,\alpha ) \in {\mathcal {I}}_3\), one should have \(j \in [q_e+1,q_e + q_d]\) and \(C_i[\gamma ] \ne C_j[\gamma ]\) for some \(\gamma \). Suppose that \((j,\gamma ) \notin {\mathcal {I}}_3\). If there exists some \(j' \in [q_e+1,q_e+q_d]\) such that \((j',\gamma ) \in {\mathcal {I}}_3\) and \(C_j[\gamma ] = C_{j'}[\gamma ]\), the same argument as in (e) applies. If there exists \(j' \in [q_e]\) such that \((j',\gamma ) \in {\mathcal {I}}_3\) and \(C_{j'}[\gamma ] = C_j[\gamma ]\), there is a one-to-one correspondence between \((X_{j'}[\gamma ], \Delta _4)\) and \((V_j, U_j)\). Since \(Y_j[\gamma ]\) is chosen uniformly at random from a set of size at least \(2^n - \sigma \) and \(Z_j[\gamma ]\) is chosen uniformly at random from \(\{0,1\}^n\), we get

      $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

      Moreover, the same method applies to all remaining cases, together with the condition \(\lnot \textsf{bad}_1\).

    To sum up, we have

    $$\begin{aligned} \Pr \left[ {f_3(i,\alpha ) = (V_j, U_j)} \right] \le \frac{4}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{3,5}} \right] \le \frac{4|{\mathcal {I}}_3|q}{2^{2n}}. \end{aligned}$$
  13.

    Fix \(((i, \alpha ), (j, \beta )) \in {\mathcal {I}}_4^{*2}\). Without loss of generality, let \(i \le j\). We distinguish some sub-cases as below.

    (a)

      Let \(i, j \in [q_e]\) and \(\alpha \ne \beta \). Then \(f_4(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _2 \mathbin {\oplus } (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4 = C_{i, R}[\alpha ] \mathbin {\oplus } C_{j, R}[\beta ]; \\ (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_i + \alpha } X_i[\gamma ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \beta } X_j[\gamma ]. \end{array}\right. } \end{aligned}$$

      Since \((\Delta _2, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Let \(i, j \in [q_e]\) and \(\alpha = \beta \). (We now write \(\alpha \) instead of \(\beta \).) Note that \(C_i[\alpha ] \ne C_j[\alpha ]\) and \(M_i[:\alpha ] \ne M_j[:\alpha ]\) since \(((i, \alpha ), (j, \alpha )) \in {\mathcal {I}}_4^{*2}\). Let \(h \in [\alpha ]\) be an index such that \(M_i[h] \ne M_j[h]\). Then \(f_4(i, \alpha ) = f_4(j, \alpha )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} C_{i, R}[\alpha ] = C_{j, R}[\alpha ]; \\ X_i[h] = M_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\alpha ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma \ne a_i + h} X_i[\gamma ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \alpha } X_j[\gamma ]. \end{array}\right. } \end{aligned}$$

      Since \(C_{i, R}[\alpha ]\) is chosen uniformly at random from \(\{0,1\}^n\) and \(X_i[h]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \), one has

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = f_4(j, \alpha )} \right] \le \frac{1}{2^n(2^n - \sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (c)

      Let \(i \in [q_e]\), \(j \in [q_e + 1, q]\), and \(\alpha \ne \beta \). Then \(f_4(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _2 \mathbin {\oplus } (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4 = C_{i, R}[\alpha ] \mathbin {\oplus } C_{j, R}[\beta ]; \\ 2^{\alpha - 1}\Delta _4 = Y_j[\beta ] \mathbin {\oplus } M_{i, R}[\alpha ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_i + \alpha } X_i[\gamma ]. \end{array}\right. } \end{aligned}$$

      Since \((\Delta _2, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{2}{2^{2n}}. \end{aligned}$$
    (d)

      Let \(i \in [q_e]\), \(j \in [q_e + 1, q]\), and \(\alpha = \beta \). If \(C_{i, R}[\alpha ] = C_{j, R}[\alpha ]\), then \(Y_i[\alpha ] \ne Y_j[\alpha ]\) by the sampling process. In this case, \(\Pr \left[ {f_4(i, \alpha ) = f_4(j, \alpha )} \right] = 0\). If \(C_{i, R}[\alpha ] \ne C_{j, R}[\alpha ]\), then similarly \(\Pr \left[ {f_4(i, \alpha ) = f_4(j, \alpha )} \right] = 0\). Therefore,

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = f_4(j, \alpha )} \right] = 0. \end{aligned}$$
    (e)

      Let \(i, j \in [q_e + 1, q]\). If \(\alpha \ne \beta \), then \(f_4(i, \alpha ) = f_4(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _2 = (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4 \mathbin {\oplus } C_{i, R}[\alpha ] \mathbin {\oplus } C_{j, R}[\beta ]; \\ Y_i[\alpha ] = Y_j[\beta ]. \end{array}\right. } \end{aligned}$$

      Since \(\Delta _2\) is chosen uniformly at random from \(\{0,1\}^n {\setminus } \left\{ {\Delta _4} \right\} \) and \(Y_i[\alpha ]\) is chosen uniformly at random from the set of size at least \(2^n - q\), we have

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = f_4(j, \beta )} \right] \le \frac{4}{2^{2n}}. \end{aligned}$$

      Let \(\alpha = \beta \). If \(C_{i, R}[\alpha ] = C_{j, R}[\alpha ]\), then \(Y_i[\alpha ] \ne Y_j[\beta ]\) by the sampling process, so the probability is zero. If \(C_{i, R}[\alpha ] \ne C_{j, R}[\alpha ]\), then \(C_{i, R}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } 2^{\alpha - 1}\Delta _4 \ne C_{j, R}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } 2^{\alpha - 1}\Delta _4\), so the probability is zero.

    To sum up, we have

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{4, 4}} \right] \le \frac{4\left| {{\mathcal {I}}_4} \right| ^2}{2^{2n}}. \end{aligned}$$
  14.

    Fix \((i, \alpha ) \in {\mathcal {I}}_4\) and \(j \in [q]\). We distinguish some sub-cases as below.

    (a)

      Let \(i, j \in [q_e]\) and \(\alpha \ne m_j\). If \(\alpha > m_j\), then \(f_4(i, \alpha ) = (V_j, U_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i + \alpha ] = M_{i, R}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _4 \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_i + \alpha - 1} X_i[\beta ] \mathbin {\oplus } U_j; \\ C_{i, R}[\alpha ] = 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } 2^{\alpha - 1}\Delta _4 \mathbin {\oplus } V_j. \end{array}\right. } \end{aligned}$$

      Therefore, by the randomness of \(C_{i, R}[\alpha ]\) and \(X_i[a_i + \alpha ]\), one has

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{(2^n- \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

      If \(\alpha < m_j\), then \(f_4(i, \alpha ) = (V_j, U_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2X_j[a_j + m_j] = Y_i[\alpha ] \mathbin {\oplus } P;\\ X_j[a_j + m_j] \mathbin {\oplus } C_{i, R}[\alpha ] = 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } 2^{\alpha - 1}\Delta _4 \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_j + m_j - 1} X_j[\beta ], \end{array}\right. } \end{aligned}$$

      for some constant \(P \in \{0,1\}^n\), which is independent of \(X_j[a_j + m_j]\) and \(C_{i, R}[\alpha ]\). Therefore, by the sampling process of \(C_{i, R}[\alpha ]\) and \(X_j[a_j + m_j]\), one has

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{(2^n- \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$
    (b)

      Let \(i, j \in [q_e]\) and \(\alpha = m_j\). Assume that \(A_i \ne A_j\) and \(a_i \ge a_j\). (A similar argument applies when \(a_i < a_j\).) Then there exists \(\gamma \in [a_i]\) such that \(\gamma > a_j\) or \(A_i[\gamma ] \ne A_j[\gamma ]\). In this case, \(f_4(i, \alpha ) = (V_j, U_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} C_{i, R}[\alpha ] \mathbin {\oplus } X_i[\gamma ] = P';\\ X_i[\gamma ] = Q', \end{array}\right. } \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(C_{i, R}[\alpha ]\) and \(X_i[\gamma ]\). Since \(C_{i, R}[\alpha ]\) is chosen uniformly at random from \(\{0,1\}^n\) and \(X_i[\gamma ]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \), we get

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n- \sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (c)

      Let \(i, j \in [q_e]\), \(A_i = A_j\) and \(\alpha = m_j\). Then \(M_i \ne M_j\) since there is no redundant query. Let h be the index such that \(M_i[h] \ne M_j[h]\). Then \(f_4(i, \alpha ) = (V_j, U_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_i[a_i + h] \mathbin {\oplus } 2^{m_j + 1 - h}X_j[a_j + h] = P; \\ X_j[a_j + h] = 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } 2^{\alpha - 1}\Delta _4 \mathbin {\oplus } C_{i, R}[\alpha ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\begin{array}{c} \beta \in [m_j] \\ \beta \ne a_j + h \end{array}} X_j[\beta ], \end{array}\right. } \end{aligned}$$

      for some P which is independent of \(X_i[a_i + h]\) and \(X_j[a_j + h]\). Since \(X_i[a_i + h]\) and \(X_j[a_j + h]\) are chosen randomly from the set of size at least \(2^n - \sigma \), one has

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$
    (d)

      Let \(i, j \in [q_e]\), \(A_i = A_j\) and \(M_i[:\alpha ] = M_j\). Then \(f_4(i, \alpha ) = (V_j, U_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _4 = M_i[\alpha ]; \\ 2^{\alpha - w_{\alpha }}\Delta _4 \mathbin {\oplus } 3X_i[a_i + \alpha ] = P, \end{array}\right. } \end{aligned}$$

      for some constant P. Since \(\Delta _4\) is chosen uniformly at random from \(\{0,1\}^n\) and \(X_i[a_i + \alpha ]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \), we have

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n - \sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (e)

      Let \(i \in [q_e + 1, q]\) and \(j \in [q_e]\). If \(C_i[\alpha ] = C_{i'}[\alpha ]\) for some \(i' \in [q_e]\), it is one of the above cases. Otherwise, \(f_4(i, \alpha ) = (V_j, U_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} Y_i[\alpha ] \mathbin {\oplus } 2^{a_j + m_j}X_j[1] = P';\\ X_j[1] = 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } 2^{\alpha - 1}\Delta _4 \mathbin {\oplus } C_{j, R}[\alpha ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 2}^{a_j + m_j} X_j[\beta ], \end{array}\right. } \end{aligned}$$

      for some constant \(P'\) which is independent of \(Y_i[\alpha ]\) and \(X_j[1]\). Both \(Y_i[\alpha ]\) and \(X_j[1]\) are sampled uniformly at random from sets of size at least \(2^n - \sigma \). Therefore, we have

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$
    (f)

      Let \(i \in [q_e]\) and \(j \in [q_e + 1, q]\). Since there is no redundant query, \(A_i \ne A_j\) or \(C_i \ne C_j\). Assume that \(A_i \ne A_j\) and \(a_i \ge a_j\). (A similar argument applies when \(a_i < a_j\) or \(C_i \ne C_j\).) Then there exists \(\gamma \in [a_i]\) such that \(\gamma > a_j\) or \(A_i[\gamma ] \ne A_j[\gamma ]\). Then \(f_4(i, \alpha ) = (V_j, U_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _2 = 2^{\alpha - 1}\Delta _4 \mathbin {\oplus } C_{j, R}[\alpha ] \mathbin {\oplus } V_j; \\ \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_j} 2^{\beta - 1}\Delta _2 \mathbin {\oplus } X_i[\gamma ] = Q', \end{array}\right. } \end{aligned}$$

      for some \(Q'\) which is independent of \(\Delta _2\) and \(X_i[\gamma ]\). In this case, \(X_i[\gamma ]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \). Also, \(\Delta _2\) is chosen uniformly at random from \(\{0,1\}^n\). Therefore, we have

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n - \sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (g)

      Let \(i, j \in [q_e + 1, q]\). If \(C_i[\alpha ] = C_{i'}[\alpha ]\) for some \(i' \in [q_e]\), it is one of the above cases. Otherwise, \(f_4(i, \alpha ) = (V_j, U_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} C_{i, R}[\alpha ] = V_j \mathbin {\oplus } 2^{\alpha - 1}\Delta _{i, 2} \mathbin {\oplus } 2^{\alpha - 1}\Delta _{i, 4}; \\ Y_i[\alpha ] = U_j. \end{array}\right. } \end{aligned}$$

      By the sampling process of \(C_{i, R}[\alpha ]\) and \(Y_i[\alpha ]\), we have

      $$\begin{aligned} \Pr \left[ {f_4(i, \alpha ) = (V_j, U_j)} \right] \le \frac{1}{(2^n - \sigma )^2} \le \frac{4}{2^{2n}}. \end{aligned}$$

    By the above analysis, we have

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{4, 5}} \right] \le \frac{4q\left| {{\mathcal {I}}_4} \right| }{2^{2n}}. \end{aligned}$$
  15.

    Fix \((i, j) \in [q]^{*2}\). Without loss of generality, let \(i \le j\). We restore the X values and R values using \({\hat{\rho }}^{-1}\). Then, since there is no redundant query, \(A_i \ne A_j\) or \(M_i \ne M_j\). We consider the following cases.

    (a)

      If \(a_i > a_j + 1\), then \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 2^{a_i + m_i - a_j} &{} 2^{a_i + m_i - a_j - 1} \\ 1 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[a_j + 1] \\ X_i[a_j + 2] \end{pmatrix} = \begin{pmatrix} P' \\ Q' \end{pmatrix}, \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[a_j + 1]\) and \(X_i[a_j + 2]\). By the sampling process of \(X_i[a_j + 1]\) and \(X_i[a_j + 2]\), in this case \(\Pr \left[ {(V_i, U_i) = (V_j, U_j)} \right] \le \frac{4}{2^{2n}}\). A similar argument applies when \(a_j > a_i + 1\) and gives the same result.

    (b)

      Assume that \(a_i = a_j + 1\) and \(A_i[\beta ] \ne A_j[\beta ]\) for some \(\beta \in [a_j]\). Then \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 2^{m_i + a_i - \beta + 1} &{} 2^{m_i + 1} \\ 1 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[\beta ] \\ X_i[a_i] \end{pmatrix} = \begin{pmatrix} P' \\ Q' \end{pmatrix}, \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[\beta ]\) and \(X_i[a_i]\). By Lemma 6, we can conclude

      $$\begin{aligned} \Pr \left[ {(V_i, U_i) = (V_j, U_j)} \right] \le \frac{4}{2^{2n}}. \end{aligned}$$
    (c)

      Assume that \(a_i = a_j + 1\) and \(A_i[:a_j] = A_j\). If there exists \(\beta \in [m_i]\) such that \(M_i[\beta ] \ne M_j[\beta ]\), we can use the randomness of \(X_i[a_i + \beta ]\) and \(X_i[a_i]\). More precisely, \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 2^{m_i - \beta + 1} &{} 2^{m_i + 1} \\ 1 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[a_i + \beta ] \\ X_i[a_i] \end{pmatrix} = \begin{pmatrix} P' \\ Q' \end{pmatrix}, \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[a_i + \beta ]\) and \(X_i[a_i]\). If \(M_i = M_j\), we have two cases, \(X_i[a_i] = 0\) or \(X_i[a_i] \ne 0\). \(X_i[a_i] \ne 0\) implies \(V_i \ne V_j\) (see (5)). Also, if \(X_i[a_i] = 0\), then \(U_i = U_j\) if and only if

      $$\begin{aligned} \bigoplus _{\beta = 1}^{m_i}2^{m + 1 - \beta }(X_i[a_i + \beta ] \mathbin {\oplus } M_{i, R}[\beta ]) \mathbin {\oplus } 2^{m + 1}A_{i, R}[a_i] = 0. \end{aligned}$$

      Therefore, \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 1 &{} 0 \\ 0 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[a_i] \\ X_i[a_i + m_i] \end{pmatrix} = \begin{pmatrix} 0 \\ Q' \end{pmatrix}, \end{aligned}$$

      where

      $$\begin{aligned} Q' = \bigoplus _{\beta = 1}^{m_i - 1}2^{m + 1 - \beta }(X_i[a_i + \beta ] \mathbin {\oplus } M_{i, R}[\beta ]) \mathbin {\oplus } M_{i, R}[m_i] \mathbin {\oplus } 2^{m + 1}A_{i, R}[a_i]. \end{aligned}$$

      (see (4)). Therefore, by the sampling process of \(X_i[a_i]\) and Lemma 6,

      $$\begin{aligned} \Pr \left[ {(V_i, U_i) = (V_j, U_j)} \right] \le \frac{4}{2^{2n}}. \end{aligned}$$

      A similar argument applies when \(a_j = a_i + 1\) and \(A_j[:a_i] = A_i\).

    (d)

      Assume that \(a_i = a_j\). If there exist \(\alpha , \beta \in [a_i]\) such that \(A_i[\alpha ] \ne A_j[\alpha ]\) and \(A_i[\beta ] \ne A_j[\beta ]\), \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 2^{a_i + m_i - \alpha + 1} &{} 2^{a_i + m_i - \beta + 1} \\ 1 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[\alpha ] \\ X_i[\beta ] \end{pmatrix} = \begin{pmatrix} P' \\ Q' \end{pmatrix}, \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[\alpha ]\) and \(X_i[\beta ]\). Then by Lemma 6, \(\Pr \left[ {(V_i, U_i) = (V_j, U_j)} \right] \le \frac{4}{2^{2n}}\). If there exists only one \(\alpha \in [a_i]\) such that \(A_i[\alpha ] \ne A_j[\alpha ]\), then \((V_i, U_i) = (V_j, U_j)\) if and only if

      $$\begin{aligned} \begin{pmatrix} 2^{a_i + m_i - \alpha + 1} &{} 2^{a_j + m_j - \alpha + 1} \\ 1 &{} 1 \end{pmatrix} \begin{pmatrix} X_i[\alpha ] \\ X_j[\alpha ] \end{pmatrix} = \begin{pmatrix} P' \\ Q' \end{pmatrix}, \end{aligned}$$

      for some \(P'\) and \(Q'\) which are independent of \(X_i[\alpha ]\) and \(X_j[\alpha ]\). Therefore,

      $$\begin{aligned} \Pr \left[ {(V_i, U_i) = (V_j, U_j)} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{4}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{IC}_{5, 5}} \right] \le \frac{4q^2}{2^{2n}}. \end{aligned}$$

All in all, we have

$$\begin{aligned} \Pr \left[ {\textsf{IC}} \right] \le \frac{4q^2 + 12q\sigma + 20\sigma ^2}{2^{2n}}. \end{aligned}$$

\(\square \)
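The two-equation step that recurs in the cases above, as an added example (our own code, not the paper's): it does the arithmetic over \(GF(2^n)\), solves 2x2 systems of the shape used in item 15 (rows \((2^a, 2^b)\) and \((1, 1)\)) and in the \(\alpha \ge 2\) case of \(\textsf{IC}_{3,4}\)(e) (rows \((1,1)\) and \((1,2)\)), and checks when the quoted bound \(4/2^{2n}\) follows from \(1/(2^n - \sigma )^2\). It assumes \(n = 128\) and the reduction polynomial \(x^{128} + x^7 + x^2 + x + 1\), neither of which the paper fixes.

```python
"""Added example, not from the paper: the two-equation argument used in
almost every case of the proof, made concrete over GF(2^n).

Each case reduces a collision event to two linear equations in two freshly
sampled n-bit values, with a coefficient matrix whose entries are powers of
the doubling element 2 (i.e. x) of GF(2^n).  When that matrix is invertible
the system has exactly one solution, so values drawn from sets of sizes
s1, s2 satisfy it with probability at most 1/(s1*s2); with s1, s2 >= 2^n - sigma
and sigma <= 2^(n-1) this is at most 4/2^(2n), the bound the proof quotes.

Assumptions (ours): n = 128 and the OCB/CMAC reduction polynomial
x^128 + x^7 + x^2 + x + 1.
"""
from fractions import Fraction
import secrets

N = 128
POLY = (1 << N) | 0x87          # x^128 + x^7 + x^2 + x + 1 (assumed)


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (schoolbook, reduced modulo POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY
    return r


def gf_pow2(k: int) -> int:
    """The element the paper writes 2^k: x^k in GF(2^n)."""
    r = 1
    for _ in range(k):
        r = gf_mul(r, 2)
    return r


def gf_inv(a: int) -> int:
    """a^(2^n - 2) = a^(-1) for nonzero a (square-and-multiply)."""
    result, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def solve_2x2(m, rhs):
    """Solve m * (u, v)^T = rhs over GF(2^n).

    Returns the unique (u, v) when det(m) != 0, else None.  Subtraction is
    XOR in characteristic 2, so Cramer's rule needs no sign handling.
    """
    det = gf_mul(m[0][0], m[1][1]) ^ gf_mul(m[0][1], m[1][0])
    if det == 0:
        return None
    inv = gf_inv(det)
    u = gf_mul(inv, gf_mul(rhs[0], m[1][1]) ^ gf_mul(m[0][1], rhs[1]))
    v = gf_mul(inv, gf_mul(m[0][0], rhs[1]) ^ gf_mul(m[1][0], rhs[0]))
    return u, v


def satisfies(m, rhs, sol) -> bool:
    """Check a candidate (u, v) against both equations."""
    u, v = sol
    return (gf_mul(m[0][0], u) ^ gf_mul(m[0][1], v) == rhs[0]
            and gf_mul(m[1][0], u) ^ gf_mul(m[1][1], v) == rhs[1])


def case_matrix(a: int, b: int):
    """Matrix of the shape seen in item 15: rows (2^a, 2^b) and (1, 1).
    Its determinant is 2^a xor 2^b, nonzero exactly when a != b, which is
    the situation in which the paper invokes Lemma 6."""
    return [[gf_pow2(a), gf_pow2(b)], [1, 1]]


def collision_bound(n: int, sigma: int) -> Fraction:
    """1/(2^n - sigma)^2: probability that two values, each uniform over a
    set of size at least 2^n - sigma, both hit the unique solution."""
    return Fraction(1, (2 ** n - sigma) ** 2)


def bound_holds(n: int, sigma: int) -> bool:
    """True iff 1/(2^n - sigma)^2 <= 4/2^(2n), i.e. iff sigma <= 2^(n-1)."""
    return collision_bound(n, sigma) <= Fraction(4, 2 ** (2 * n))


if __name__ == "__main__":
    # Item 15(a): rows (2^{a_i+m_i-a_j}, 2^{a_i+m_i-a_j-1}) and (1, 1).
    m = case_matrix(6, 5)
    rhs = [secrets.randbits(N), secrets.randbits(N)]   # the constants P', Q'
    sol = solve_2x2(m, rhs)
    print("unique solution found:", sol is not None and satisfies(m, rhs, sol))
    # IC_{3,4}(e), alpha >= 2: rows (1, 1) and (1, 2); det = 3 != 0.
    print("rows (1,1),(1,2) invertible:", solve_2x2([[1, 1], [1, 2]], rhs) is not None)
    print("bound 4/2^(2n) valid for sigma = 2^64:", bound_holds(N, 2 ** 64))
```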

Lemma 11

$$\begin{aligned} \Pr \left[ {\textsf{OC}} \right] \le \frac{2q_e^2 + 6q_e\sigma + 28\sigma ^2}{2^{2n}}. \end{aligned}$$

Proof

We calculate each probability of \(\textsf{OC}_{i, j}\) for \(1 \le i \le j \le 5\).

  1.

    Let \(((i, \alpha ), (j, \beta )) \in {\mathcal {I}}_1^{*2}\). If \(\alpha = \beta \), then one should have \(A_i[\alpha ] \ne A_j[\beta ]\) and hence \(g_1(i, \alpha ) \ne g_1(j, \beta )\). Suppose \(\alpha \ne \beta \). Then \(g_1(i, \alpha ) = g_1(j, \beta )\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _2 = A_{i, R}[\alpha ] \mathbin {\oplus } A_{j, R}[\beta ]; \\ X_i[\alpha ] = X_j[\beta ], \end{array}\right. } \end{aligned}$$

    and since \(\Delta _2\) is chosen uniformly at random from \(\{0,1\}^n\) and \(X_i[\alpha ]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \), one has

    $$\begin{aligned} \Pr \left[ {g_1(i, \alpha ) = g_1(j, \beta )} \right] \le \frac{1}{2^n(2^n - \sigma )} \le \frac{2}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{1, 1}} \right] \le \sum _{((i, \alpha ), (j, \beta )) \in {\mathcal {I}}_1^{*2}} \frac{2}{2^{2n}} \le \frac{2\left| {{\mathcal {I}}_1} \right| ^2}{2^{2n}}. \end{aligned}$$
  2.

    Let \((i, \alpha ) \in {\mathcal {I}}_1\) and \((j, \beta ) \in {\mathcal {I}}_2\). Then \(g_1(i, \alpha ) = g_2(j, \beta )\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _2 = 2^{\beta - 1}\Delta _4 \mathbin {\oplus } A_{i, R}[\alpha ] \mathbin {\oplus } M_{i, R}[\beta ]; \\ X_i[\alpha ] = X_j[a_j + \beta ]. \end{array}\right. } \end{aligned}$$

    Since \(\Delta _2\) is chosen uniformly at random from \(\{0,1\}^n {\setminus } \left\{ {\Delta _4} \right\} \) and \(X_i[\alpha ]\) is chosen uniformly at random from the set of size at least \(2^n - \sigma \), one has

    $$\begin{aligned} \Pr \left[ {g_1(i, \alpha ) = g_2(j, \beta )} \right] \le \frac{1}{(2^n - 1)(2^n - \sigma )} \le \frac{4}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{1, 2}} \right] \le \sum _{(j, \beta ) \in {\mathcal {I}}_2} \sum _{(i, \alpha ) \in {\mathcal {I}}_1} \frac{4}{2^{2n}} \le \frac{4\left| {{\mathcal {I}}_1} \right| \left| {{\mathcal {I}}_2} \right| }{2^{2n}}. \end{aligned}$$
  3.

    Let \((i, \alpha ) \in {\mathcal {I}}_1\) and \((j, \beta ) \in {\mathcal {I}}_3\). We distinguish two sub-cases.

    (a)

      Assume \(j \in [q_e]\). Then \(g_1(i, \alpha ) = g_3(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\beta - 1}\Delta _4 \mathbin {\oplus } C_j[\beta ] = 2^{\beta - 1}\Delta _2 \mathbin {\oplus } X_i[\alpha ]; \\ 2^{\beta - 1}\Delta _4 = 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } A_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \beta } X_j[\gamma ]. \end{array}\right. } \end{aligned}$$

      Since \(\Delta _4\) is chosen uniformly at random from \(\{0,1\}^n {\setminus } \left\{ {\Delta _2} \right\} \) and \(C_j[\beta ]\) is chosen uniformly at random from \(\{0,1\}^n\), one has

      $$\begin{aligned} \Pr \left[ {g_1(i, \alpha ) = g_3(j, \beta )} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Assume \(j \notin [q_e]\). If \(C_j[\beta ] = C_{j'}[\beta ]\) for some \(j' \in [q_e]\), this case is the same as the case \(j \in [q_e]\). Otherwise, \(g_1(i, \alpha ) = g_3(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _2 = A_{i, R}[\alpha ] \mathbin {\oplus } Y_j[\beta ]; \\ 2^{\beta - 1}\Delta _2 \mathbin {\oplus } 2^{\beta - 1}\Delta _4 = C_{j, R}[\beta ] \mathbin {\oplus } X_i[\alpha ]. \end{array}\right. } \end{aligned}$$

      Since \((\Delta _2, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {g_1(i, \alpha ) = g_3(j, \beta )} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    To sum up, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{1, 3}} \right] \le \sum _{(j, \beta ) \in {\mathcal {I}}_3} \sum _{(i, \alpha ) \in {\mathcal {I}}_1} \frac{2}{2^{2n}} \le \frac{2\left| {{\mathcal {I}}_1} \right| \left| {{\mathcal {I}}_3} \right| }{2^{2n}}. \end{aligned}$$
  4.

    Let \((i, \alpha ) \in {\mathcal {I}}_1\) and \((j, \beta ) \in {\mathcal {I}}_4\). Then \(g_1(i, \alpha ) = g_4(j, \beta )\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\beta - 1}\Delta _1 = X_i[\alpha ] \mathbin {\oplus } C_{j, L}[\beta ] \mathbin {\oplus } 2^{\beta - 1}\Delta _3; \\ 2^{\beta - 1}\Delta _4 = A_{i, R}[\alpha ] \mathbin {\oplus } (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _2. \end{array}\right. } \end{aligned}$$

    Since \((\Delta _1, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n \setminus \left\{ {\Delta _2, \Delta _3} \right\} )^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {g_1(i, \alpha ) = g_4(j, \beta )} \right] \le \frac{1}{(2^n - 2)(2^n - 3)} \le \frac{4}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{1, 4}} \right] \le \sum _{(j, \beta ) \in {\mathcal {I}}_4} \sum _{(i, \alpha ) \in {\mathcal {I}}_1} \frac{4}{2^{2n}} \le \frac{4\left| {{\mathcal {I}}_1} \right| \left| {{\mathcal {I}}_4} \right| }{2^{2n}}. \end{aligned}$$
  5.

    Let \((i, \alpha ) \in {\mathcal {I}}_1\) and \(j \in [q_e]\). Then \(g_1(i, \alpha ) = (V_j, T_j)\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _2 = A_{i, R}[\alpha ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_j + m_j} X_j[\beta ]; \\ T_j = X_i[\alpha ]. \end{array}\right. } \end{aligned}$$

    Since \(\Delta _2\) and \(T_j\) are chosen uniformly at random from \(\{0,1\}^n\), respectively, one has

    $$\begin{aligned} \Pr \left[ {g_1(i, \alpha ) = (V_j, T_j)} \right] \le \frac{1}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{1, 5}} \right] \le \sum _{j \in [q_e]} \sum _{(i, \alpha ) \in {\mathcal {I}}_1} \frac{1}{2^{2n}} \le \frac{q_e\left| {{\mathcal {I}}_1} \right| }{2^{2n}}. \end{aligned}$$
  6.

    Let \(((i, \alpha ), (j, \beta )) \in {\mathcal {I}}_2^{*2}\). If \(\alpha = \beta \), then \(M_i[\alpha ] \ne M_j[\beta ]\) so \(g_2(i, \alpha ) \ne g_2(j, \beta )\). Otherwise, \(g_2(i, \alpha ) = g_2(j, \beta )\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ]; \\ X_i[a_i + \alpha ] = X_j[a_j + \beta ]. \end{array}\right. } \end{aligned}$$

    Since \(\Delta _4\) is chosen uniformly at random from \(\{0,1\}^n\) and \(X_i[a_i + \alpha ]\) is chosen uniformly at random from the set of size at least \(2^n - q_e\), we have

    $$\begin{aligned} \Pr \left[ {g_2(i, \alpha ) = g_2(j, \beta )} \right] \le \frac{1}{2^n(2^n - q_e)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{2, 2}} \right] \le \sum _{((i, \alpha ), (j, \beta )) \in {\mathcal {I}}_2^{*2}} \frac{2}{2^{2n}} \le \frac{2\left| {{\mathcal {I}}_2} \right| ^2}{2^{2n}}. \end{aligned}$$
  7.

    Let \((i, \alpha ) \in {\mathcal {I}}_2\) and \((j, \beta ) \in {\mathcal {I}}_3\). We distinguish three sub-cases.

    (a)

      Assume that \(j \in [q_e]\) and \(\alpha \ne \beta \). Then \(g_2(i, \alpha ) = g_3(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\beta - 1}\Delta _2 \mathbin {\oplus } 2^{\beta - 1}\Delta _4 = X_i[a_i + \alpha ] \mathbin {\oplus } C_{j, R}[\beta ]; \\ (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \beta } X_j[\gamma ]. \end{array}\right. } \end{aligned}$$

      Since \((\Delta _2, \Delta _4)\) is chosen uniformly at random from \((\{0,1\}^n)^{*2}\), one has

      $$\begin{aligned} \Pr \left[ {g_2(i, \alpha ) = g_3(j, \beta )} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Now assume that \(j \in [q_e]\) and \(\alpha = \beta \). If \(M_i[\alpha ] = M_j[\beta ]\), then \(X_i[a_i + \alpha ] = X_j[a_j + \beta ]\), and therefore \(g_2(i, \alpha ) = g_3(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_j[a_j + \beta ] \mathbin {\oplus } 2^{\beta - 1}\Delta _2 = C_{j, R}[\beta ] \mathbin {\oplus } 2^{\beta - 1}\Delta _4;\\ X_j[a_j + \beta ] = M_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \beta - 1} X_j[\gamma ]. \end{array}\right. } \end{aligned}$$

      Otherwise, \(g_2(i, \alpha ) = g_3(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\beta - 1}\Delta _2 = C_{j, R}[\beta ] \mathbin {\oplus } X_i[a_i + \alpha ] \mathbin {\oplus } 2^{\beta - 1}\Delta _4; \\ X_j[a_j + \beta ] = M_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\gamma = 1}^{a_j + \beta - 1} X_j[\gamma ]. \end{array}\right. } \end{aligned}$$

      For both cases, since \(\Delta _2\) is chosen uniformly at random from \(\{0,1\}^n {\setminus } \left\{ {\Delta _4} \right\} \) and \(X_j[a_j + \beta ]\) is chosen uniformly at random from the set of size at least \(2^n - q_e\), one has

      $$\begin{aligned} \Pr \left[ {g_2(i, \alpha ) = g_3(j, \beta )} \right] \le \frac{1}{(2^n - 1)(2^n - q_e)} \le \frac{4}{2^{2n}}. \end{aligned}$$
    (c)

      Assume that \(j \notin [q_e]\). Since \((j, \beta ) \in {\mathcal {I}}_3\), \(Y_j[\beta ]\) is chosen uniformly at random from the set of size at least \(2^n - q\). Now, \(g_2(i, \alpha ) = g_3(j, \beta )\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\beta - 1}\Delta _2 = C_{j, R}[\beta ] \mathbin {\oplus } X_i[a_i + \alpha ] \mathbin {\oplus } 2^{\beta - 1}\Delta _4; \\ Y_j[\beta ] = M_{i, R}[\alpha ] \mathbin {\oplus } M_{j, R}[\beta ] \mathbin {\oplus } (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4. \end{array}\right. } \end{aligned}$$

      Since \(\Delta _2\) is chosen uniformly at random from \(\{0,1\}^n {\setminus } \left\{ {\Delta _4} \right\} \) and \(Y_j[\beta ]\) is chosen uniformly at random from the set of size at least \(2^n - q\), one has

      $$\begin{aligned} \Pr \left[ {g_2(i, \alpha ) = g_3(j, \beta )} \right] \le \frac{1}{(2^n - 1)(2^n - q)} \le \frac{4}{2^{2n}}. \end{aligned}$$

    To sum up, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{2, 3}} \right] \le \sum _{(j, \beta ) \in {\mathcal {I}}_3} \sum _{(i, \alpha ) \in {\mathcal {I}}_2} \frac{4}{2^{2n}} \le \frac{4\left| {{\mathcal {I}}_2} \right| \left| {{\mathcal {I}}_3} \right| }{2^{2n}}. \end{aligned}$$
  8.

    Let \((i, \alpha ) \in {\mathcal {I}}_2\) and \((j, \beta ) \in {\mathcal {I}}_4\). Then \(g_2(i, \alpha ) = g_4(j, \beta )\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\beta - 1}\Delta _1 = X_i[a_i + \alpha ] \mathbin {\oplus } C_{j, L}[\beta ] \mathbin {\oplus } 2^{\beta - 1}\Delta _3; \\ 2^{\beta - 1}\Delta _2 = M_{i, R}[\alpha ] \mathbin {\oplus } C_{j, R}[\beta ] \mathbin {\oplus } (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4. \end{array}\right. } \end{aligned}$$

    Since \((\Delta _1, \Delta _2)\) is chosen uniformly at random from \((\{0,1\}^n \setminus \left\{ {\Delta _3, \Delta _4} \right\} )^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {g_2(i, \alpha ) = g_4(j, \beta )} \right] \le \frac{1}{(2^n - 2)(2^n - 3)} \le \frac{4}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{2, 4}} \right] \le \sum _{(j, \beta ) \in {\mathcal {I}}_4} \sum _{(i, \alpha ) \in {\mathcal {I}}_2} \frac{4}{2^{2n}} \le \frac{4\left| {{\mathcal {I}}_2} \right| \left| {{\mathcal {I}}_4} \right| }{2^{2n}}. \end{aligned}$$
  9.

    Let \((i, \alpha ) \in {\mathcal {I}}_2\) and \(j \in [q_e]\). Then \(g_2(i, \alpha ) = (V_j, T_j)\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_j + m_j} X_j[\beta ]; \\ T_j = X_i[a_i + \alpha ]. \end{array}\right. } \end{aligned}$$

    Since \(\Delta _4\) and \(T_j\) are chosen uniformly at random from \(\{0,1\}^n\), respectively, one has

    $$\begin{aligned} \Pr \left[ {g_2(i, \alpha ) = (V_j, T_j)} \right] \le \frac{1}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{2, 5}} \right] \le \sum _{j \in [q_e]} \sum _{(i, \alpha ) \in {\mathcal {I}}_2} \frac{1}{2^{2n}} \le \frac{q_e\left| {{\mathcal {I}}_2} \right| }{2^{2n}}. \end{aligned}$$
  10.

    Since \(\textsf{IC}_{4, 4} = \textsf{OC}_{3, 3}\),

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{3, 3}} \right] \le \frac{4\left| {{\mathcal {I}}_4} \right| ^2}{2^{2n}}. \end{aligned}$$
  11.

    Let \((i, \alpha ) \in {\mathcal {I}}_3\) and \((j, \beta ) \in {\mathcal {I}}_4\). Then \(g_3(i, \alpha ) = g_4(j, \beta )\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\beta - 1}\Delta _2 = C_{j, R}[\beta ] \mathbin {\oplus } 2^{\beta - 1}\Delta _4 \mathbin {\oplus } Y_i[\alpha ]; \\ 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } 2^{\beta - 1}\Delta _1 = C_{i, R}[\alpha ] \mathbin {\oplus } C_{j, L}[\beta ] \mathbin {\oplus } 2^{\beta - 1}\Delta _3 \mathbin {\oplus } 2^{\alpha - 1}\Delta _4. \end{array}\right. } \end{aligned}$$

    Note that \(Y_i[\alpha ]\) is independent of \(\Delta _1\) and \(\Delta _2\) whether \(i \in [q_e]\) or not. Since \((\Delta _1, \Delta _2)\) is chosen uniformly at random from \((\{0,1\}^n {\setminus } \left\{ {\Delta _3, \Delta _4} \right\} )^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {g_3(i, \alpha ) = g_4(j, \beta )} \right] \le \frac{1}{(2^n - 2)(2^n - 3)} \le \frac{4}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{3, 4}} \right] \le \sum _{(j, \beta ) \in {\mathcal {I}}_4} \sum _{(i, \alpha ) \in {\mathcal {I}}_3} \frac{4}{2^{2n}} \le \frac{4\left| {{\mathcal {I}}_3} \right| \left| {{\mathcal {I}}_4} \right| }{2^{2n}}. \end{aligned}$$
  12.

    Let \((i, \alpha ) \in {\mathcal {I}}_3\) and \(j \in [q_e]\). We distinguish two sub-cases.

    (a)

      Let \(i \in [q_e]\). Then \(g_3(i, \alpha ) = (V_j, T_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _4 = M_{i, R}[\alpha ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_i + \alpha } X_i[\beta ] \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_j + m_j} X_j[\beta ]; \\ T_j \mathbin {\oplus } 2^{\alpha - 1}\Delta _4 = C_{i, R}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _2. \end{array}\right. } \end{aligned}$$

      Since \(\Delta _4\) is chosen uniformly at random from \(\{0,1\}^n {\setminus } \left\{ {\Delta _2} \right\} \) and \(T_j\) is chosen uniformly at random from \(\{0,1\}^n\), one has

      $$\begin{aligned} \Pr \left[ {g_3(i, \alpha ) = (V_j, T_j)} \right] \le \frac{1}{2^n(2^n - 1)} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Let \(i \notin [q_e]\). If there exists \(i' \in [q_e]\) such that \(C_i[\alpha ] = C_{i'}[\alpha ]\), this case is the same as the case \(i \in [q_e]\). Otherwise, \(g_3(i, \alpha ) = (V_j, T_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} Y_i[\alpha ] = \mathop {\bigoplus }\nolimits _{\beta = 1}^{a_j + m_j} X_j[\beta ]; \\ T_j = C_{i, R}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _2 \mathbin {\oplus } 2^{\alpha - 1}\Delta _4. \end{array}\right. } \end{aligned}$$

      Since \(T_j\) is chosen uniformly at random from \(\{0,1\}^n\) and \(Y_i[\alpha ]\) is chosen uniformly at random from the set of size at least \(2^n - q\), one has

      $$\begin{aligned} \Pr \left[ {g_3(i, \alpha ) = (V_j, T_j)} \right] \le \frac{1}{2^n(2^n - q)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    To sum up, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{3, 5}} \right] \le \sum _{j \in [q_e]} \sum _{(i, \alpha ) \in {\mathcal {I}}_3} \frac{2}{2^{2n}} \le \frac{2q_e\left| {{\mathcal {I}}_3} \right| }{2^{2n}}. \end{aligned}$$
  13.

    Let \(((i, \alpha ), (j, \beta )) \in {\mathcal {I}}_4^{*2}\). If \(\alpha = \beta \), then \(C_i[\alpha ] \ne C_j[\beta ]\) so \(g_4(i, \alpha ) \ne g_4(j, \beta )\). Now assume \(\alpha \ne \beta \). Then \(g_4(i, \alpha ) = g_4(j, \beta )\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _1 = C_{i, L}[\alpha ] \mathbin {\oplus } C_{j, L}[\beta ] \mathbin {\oplus } (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _3; \\ (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _2 = C_{i, R}[\alpha ] \mathbin {\oplus } C_{j, R}[\beta ] \mathbin {\oplus } (2^{\alpha - 1} \mathbin {\oplus } 2^{\beta - 1})\Delta _4. \end{array}\right. } \end{aligned}$$

    Since \((\Delta _1, \Delta _2)\) is chosen uniformly at random from \((\{0,1\}^n \setminus \left\{ {\Delta _3, \Delta _4} \right\} )^{*2}\), one has

    $$\begin{aligned} \Pr \left[ {g_4(i, \alpha ) = g_4(j, \beta )} \right] \le \frac{1}{(2^n - 2)(2^n - 3)} \le \frac{4}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{4, 4}} \right] \le \frac{4\left| {{\mathcal {I}}_4} \right| ^2}{2^{2n}}. \end{aligned}$$
  14.

    Let \((i, \alpha ) \in {\mathcal {I}}_4\) and \(j \in [q_e]\). Then \(g_4(i, \alpha ) = (V_j, T_j)\) if and only if

    $$\begin{aligned} {\left\{ \begin{array}{ll} 2^{\alpha - 1}\Delta _2 = C_{i, R}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _4 \mathbin {\oplus } V_j; \\ T_j = C_{i, L}[\alpha ] \mathbin {\oplus } 2^{\alpha - 1}\Delta _1 \mathbin {\oplus } 2^{\alpha - 1}\Delta _3. \end{array}\right. } \end{aligned}$$

    Note that \(V_j\) is independent of \(\Delta _2\). Since \(\Delta _2\) is chosen uniformly at random from \(\{0,1\}^n {\setminus } \left\{ {\Delta _1, \Delta _3, \Delta _4} \right\} \) and \(T_j\) is chosen uniformly at random from \(\{0,1\}^n\), one has

    $$\begin{aligned} \Pr \left[ {g_4(i, \alpha ) = (V_j, T_j)} \right] \le \frac{2}{2^{2n}}. \end{aligned}$$

    Therefore, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{4, 5}} \right] \le \sum _{j \in [q_e]} \sum _{(i, \alpha ) \in {\mathcal {I}}_4} \frac{2}{2^{2n}} \le \frac{2q_e\left| {{\mathcal {I}}_4} \right| }{2^{2n}}. \end{aligned}$$
  15.

    Let \((i, j) \in [q_e]^{*2}\). We distinguish two sub-cases.

    (a)

      First, assume \(m_i \ne m_j\). Without loss of generality, we can assume that \(m_i < m_j\). In this case, \((V_i, T_i) = (V_j, T_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_j[a_j + m_j] = V_i \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\alpha = 1}^{a_j + m_j - 1} X_j[\alpha ]; \\ T_j = T_i. \end{array}\right. } \end{aligned}$$

      Since \(X_j[a_j + m_j]\) is chosen uniformly at random from the set of size at least \(2^n - q_e\) and \(T_j\) is chosen uniformly at random from \(\{0,1\}^n\), one has

      $$\begin{aligned} \Pr \left[ {(V_i, T_i) = (V_j, T_j)} \right] \le \frac{1}{2^n(2^n - q_e)} \le \frac{2}{2^{2n}}. \end{aligned}$$
    (b)

      Now assume that \(m_i = m_j\). Since there is no redundant query, there exists at least one index \(h\) such that \(M_i[h] \ne M_j[h]\). In this case, \((V_i, T_i) = (V_j, T_j)\) if and only if

      $$\begin{aligned} {\left\{ \begin{array}{ll} X_j[a_j + h] = V_i \mathbin {\oplus } \mathop {\bigoplus }\nolimits _{\alpha \ne a_j + h} X_j[\alpha ]; \\ T_j = T_i. \end{array}\right. } \end{aligned}$$

      Since \(X_j[a_j + h]\) is chosen uniformly at random from the set of size at least \(2^n - q_e\) and \(T_j\) is chosen uniformly at random from \(\{0,1\}^n\), one has

      $$\begin{aligned} \Pr \left[ {(V_i, T_i) = (V_j, T_j)} \right] \le \frac{1}{2^n(2^n - q_e)} \le \frac{2}{2^{2n}}. \end{aligned}$$

    To sum up, we have

    $$\begin{aligned} \Pr \left[ {\textsf{OC}_{5, 5}} \right] \le \sum _{(i, j) \in [q_e]^{*2}} \frac{2}{2^{2n}} \le \frac{2q_e^2}{2^{2n}}. \end{aligned}$$

Now using \(\left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_2} \right| \le \sigma \), \(\left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_3} \right| \le \sigma \), and \(\left| {{\mathcal {I}}_i} \right| \le \sigma \) for \(1 \le i \le 4\), we conclude the lemma. \(\square \)
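As an added check on the summation step that the proof leaves to the reader (this computation is not part of the paper's own text), collecting the bounds obtained in the cases shown above, that is, \(\textsf{OC}_{r, s}\) for \(1 \le r \le s \le 5\) with \((r, s) \ne (1, 1)\) (the case \(\textsf{OC}_{1, 1}\) and the \(\textsf{TwColl}\) and \(\textsf{IC}\) cases are bounded earlier and are not included here), and using only \(\left| {{\mathcal {I}}_r} \right| \le \sigma \) for \(r \in [4]\), gives

$$\begin{aligned} \sum _{(r, s)} \Pr \left[ {\textsf{OC}_{r, s}} \right] &\le \frac{4\left| {{\mathcal {I}}_1} \right| \left| {{\mathcal {I}}_2} \right| + 2\left| {{\mathcal {I}}_1} \right| \left| {{\mathcal {I}}_3} \right| + 4\left| {{\mathcal {I}}_1} \right| \left| {{\mathcal {I}}_4} \right| + 2\left| {{\mathcal {I}}_2} \right| ^2 + 4\left| {{\mathcal {I}}_2} \right| \left| {{\mathcal {I}}_3} \right| + 4\left| {{\mathcal {I}}_2} \right| \left| {{\mathcal {I}}_4} \right| + 4\left| {{\mathcal {I}}_3} \right| \left| {{\mathcal {I}}_4} \right| + 8\left| {{\mathcal {I}}_4} \right| ^2}{2^{2n}} \\ &\quad + \frac{q_e \left( \left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_2} \right| + 2\left| {{\mathcal {I}}_3} \right| + 2\left| {{\mathcal {I}}_4} \right| \right) + 2q_e^2}{2^{2n}} \\ &\le \frac{32\sigma ^2 + 6q_e\sigma + 2q_e^2}{2^{2n}}, \end{aligned}$$

where the coefficient \(8\left| {{\mathcal {I}}_4} \right| ^2\) collects \(\textsf{OC}_{3, 3}\) (bounded via \(\textsf{IC}_{4, 4}\)) and \(\textsf{OC}_{4, 4}\). The additional constraint \(\left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_2} \right| \le \sigma \) is what sharpens this crude count: it gives \(4\left| {{\mathcal {I}}_4} \right| (\left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_2} \right| ) \le 4\sigma ^2\) and \(q_e(\left| {{\mathcal {I}}_1} \right| + \left| {{\mathcal {I}}_2} \right| ) \le q_e\sigma \), lowering the right-hand side to \((28\sigma ^2 + 5q_e\sigma + 2q_e^2)/2^{2n}\).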

We distinguish 35 cases, which are denoted by \(\textsf{TwColl}\), \(\textsf{IC}\), or \(\textsf{OC}\).

All in all, since \(|{\mathcal {I}}_r| \le \sigma \) for \(r \in [4]\), one gets

$$\begin{aligned} \Pr \left[ {\textsf{bad}_2 \wedge \lnot \textsf{bad}_1} \right] \le \frac{48\sigma ^2 + 18q\sigma + 6q^2}{2^{2n}} + \frac{6\sigma + 2q}{2^n}. \end{aligned}$$

6 Conclusion

In this paper, we proposed two tweakable block cipher-based online authenticated encryption schemes, ZLR and DS-ZLR, following the Encrypt-Mix-Encrypt paradigm. Both schemes provide n-bit OAE security and support pipelined computation as well as online nonce-misuse resistance. We believe that our AE schemes will be useful in protocols that require high security and efficiency at the same time, in particular where latency is critical and online processing is required, for example in VoIP, teleconferencing and Car2X communications. It remains open whether the provable security bounds of ZLR and DS-ZLR are tight, and whether the schemes also satisfy more advanced security notions such as Release of Unverified Plaintext (RUP) security. We leave these as interesting topics for further research.