Abstract
In an early version of CRYPTO’17, Mennink and Neves proposed EWCDMD, a dual of EWCDM, and showed n-bit security, where n is the block size of the underlying block cipher. In CRYPTO’19, Chen et al. proposed the permutation-based design SoKAC21 and showed 2n/3-bit security, where n is the input size of the underlying permutation. In this paper we show birthday bound attacks on EWCDMD and SoKAC21, invalidating their security claims. Both attacks exploit an inherent composition structure present in the constructions. Motivated by these two attacks, we consider some generic composition-based constructions of ideal primitives (possibly in the ideal permutation and random oracle model) and present birthday bound distinguishers for them. In particular, we demonstrate a birthday bound distinguisher against (1) a secret random permutation followed by a public random function and (2) the composition of two secret random functions. Our distinguishers for SoKAC21 and EWCDMD are direct consequences of (1) and (2) respectively.
Keywords
 PRF
 Birthday bound
 SoKAC21
 EWCDMD
1 Introduction
Motivated by the DES block cipher design, Luby and Rackoff [LR88] formally analyzed a paradigm for constructing a pseudorandom permutation (PRP) from a pseudorandom function (PRF). However, the opposite direction is more popular due to the wide availability of block ciphers (modeled as pseudorandom permutations), so pseudorandom functions are traditionally built upon block ciphers. A straightforward application of the classical PRP-PRF switch [Sho04] gives security up to the birthday bound. However, in view of lightweight block ciphers [BPP+17, BKL+07] this bound may not be sufficient. For example, a birthday bound secure PRF construction based on DES (a 64-bit block cipher) may be broken with approximately \(2^{32}\) bits of data. In fact, Bhargavan and Leurent [BL16] performed practical attacks on TLS and OpenVPN when a 64-bit block cipher is used. To resist such attacks, several beyond birthday bound secure constructions have been proposed. These include popular constructions such as the sum of permutations (SoP in short) [HWKS98, Pat08, DHT17, BN18b], truncation of a permutation [HWKS98, BN18a], EDM type constructions [CS16, CS18], Sum-ECBC [Yas10], Pmac_Plus [Yas11], 3Kf9 [ZWSW12], DbHtS [DDNP18] and 1kPmac_Plus [DDN+17a].
Apart from block ciphers, the recent trend of using ideal (unkeyed) permutations has also motivated several pseudorandom functions built from ideal permutations. Sponge-based PRFs [BDPVA11b, CDH+12, BDPVA11a, ADMVA15] and Farfalle [BDH+17] are two such examples. Recently, Chen et al. in Crypto 2019 [CLM19] considered permutation versions of SoP and EDM-dual. Depending on the choice of the keys and the permutations, some of the constructions provide birthday bound security, while some achieve beyond the birthday bound. They also claimed tight security by showing matching attacks.
1.1 Some Beyond Birthday Bound Constructions
Most of the constructions mentioned above are sequential in nature, and some of them can be viewed as the composition of two simpler constructions. For a permutation \(\pi \), we denote \(\pi (x) \oplus x\) as \(\pi ^{\oplus }(x)\) (this is known as the Davies-Meyer function, which has been used to define hash functions from public permutations). Let \(\pi _1\) and \(\pi _2\) be two independent keyed random permutations over \(\{0,1\}^n\).
EDM and Its Dual. For a message \(m \in \{0,1\}^n\), we define
In other words, EDM (encrypted Davies-Meyer) is the composition function \(\pi _2 \circ \pi _1^{\oplus }\). Here \(\pi _1\) and \(\pi _2\) are two independently keyed block ciphers (or random permutations). The dual version of EDM (denoted EDMD) is defined as the composition in the other direction:
In [CS16, CS18] it has been proved that EDM is PRF secure up to \(2^{2n/3}\) queries (i.e. 2n/3-bit secure). Later, in Crypto 2017 [DHT17], the security of EDM was shown to be at least 3n/4-bit using the \(\chi ^2\)-method. Independently, Mennink and Neves in [MN17] proved that EDM and EDMD have n-bit PRF security using a generalized version of Patarin’s mirror theory [Pat08]. However, the proofs of mirror theory are extremely sketchy and contain several unverified gaps.
EWCDM and Its Dual. The previous constructions can only process n-bit messages. With the help of a universal hash \(\mathcal {H}\), one can extend the message space using the Wegman-Carter paradigm [WC81]. We now recall the construction EWCDM [CS16] and its dual version EWCDMD [MN17] (see Fig. 1). For a nonce \(\nu \in \{0,1\}^n\) (which should be fresh for every execution of the MAC) and a message \(m \in \mathcal {M}\), we define
In [CS16], Cogliati and Seurin proved 2n/3-bit PRF (pseudorandom function) and MAC (message authentication) security for EWCDM in the nonce-respecting model.
SoKAC21. So far we have considered constructions based on secret keyed primitives. Very recently, Chen et al. in CRYPTO 2019 [CLM19] proposed a pseudorandom function, called SoKAC21 (see Fig. 2), based on ideal public permutations. It is designed for a small message space and is claimed to achieve beyond birthday bound security. For an n-bit message m, two ideal permutations \(\pi ^{\textsf {pub}}_1, \pi ^{\textsf {pub}}_2\), and an n-bit secret key K, we define
This construction can be viewed as the composition of Even-Mansour followed by Davies-Meyer. We note that an equivalent view (due to which it is named sum of key alternating ciphers) of the above construction is \(\pi _2(v \oplus K) \oplus \pi _1(m \oplus K) \oplus K\) where \(v =\pi _1(m \oplus K)\).
1.2 Composition Constructions and Our Contribution
All the constructions mentioned in the previous subsection can be viewed as composition of ideal primitives or some functions derived from ideal primitives.
Public and Secret Ideal Primitives. Let and denote an n-bit random function and random permutation respectively. A random function or permutation is called public if the adversary has direct access to these primitives (and to their inverses whenever they exist), in addition to the constructions based on them. In this case we call the adversarial model the ideal function or ideal permutation model. We denote the public random function and permutation as \(\gamma ^{\textsf {pub}}\) and \(\pi ^{\textsf {pub}}\) respectively.
When the ideal primitives are secret (i.e. cannot be accessed directly by an adversary), we denote them as \(\gamma ^{\textsf {sec}}\) and \(\pi ^{\textsf {sec}}\). Note that secret primitives appear when a keyed function (e.g. a keyed compression function) or a keyed permutation (e.g., a block cipher) is replaced by its ideal counterpart through a hybrid argument.
We use subscript notation to denote independent copies of the primitives. For example, \(\pi _1, \pi _2\) are two independent random permutations (either secret or public which would be understood from the superscript notation).
Our Contribution. In this paper, we first analyze the PRF or PRP constructions \(g \circ f\) where
Due to a trivial reason^{Footnote 1} we exclude \(\pi ^{\textsf {pub}}\). Moreover, we must assume that at least one of the functions is secret. In this paper, we show birthday bound PRF attacks on (1) \(\gamma ^{\textsf {sec}}_2 \circ \gamma ^{\textsf {sec}}_1\) and (2) \(\gamma ^{\textsf {pub}}\circ \pi ^{\textsf {sec}}\). The idea behind the attacks on these constructions is simple. For \(\gamma ^{\textsf {sec}}_2 \circ \gamma ^{\textsf {sec}}_1\) we expect more collisions than for a perfect random function. In other words, the probability of a collision on \(\gamma ^{\textsf {sec}}_2 \circ \gamma ^{\textsf {sec}}_1\) is higher than that on \(\gamma ^{\textsf {sec}}\). For the second construction, we observe the outputs of the public function \(\gamma ^{\textsf {pub}}\) and the outputs of \(\gamma ^{\textsf {pub}}\circ \pi ^{\textsf {sec}}\) (or of \(\gamma ^{\textsf {sec}}\) in the case of the ideal oracle). We show that the probability of a collision between these two lists is higher in the real world than in the ideal world. In the real construction, a collision can happen in two ways: (1) an output of \(\pi ^{\textsf {sec}}\) collides with an input of a public function call to \(\gamma ^{\textsf {pub}}\), or (2) an accidental collision occurs (the final outputs collide without any collision among the inputs).
Birthday Attack on EWCDMD. We exploit the attack idea for \(\gamma ^{\textsf {sec}}_2 \circ \gamma ^{\textsf {sec}}_1\) to describe a PRF attack against EWCDMD with query complexity \(2^{n/2}\). In an early version of CRYPTO 2017^{Footnote 2}, Mennink and Neves [MN17] showed almost n-bit PRF security for EWCDMD. So our result invalidates the initial claim for the construction.
The main idea of the attack is simple. EWCDMD can be viewed as a composition of two keyed non-injective functions (and so it is subject to the birthday paradox), namely \(\pi ^{\oplus }_2\) and a function f mapping \((\nu , m)\) to \(\pi _1(\nu ) \oplus \mathcal {H}(m)\). Thus, we expect the collision probability of the composition \(\pi _2^{\oplus } \circ f\) to be almost double the collision probability of a random function. So, by observing a collision we can distinguish EWCDMD from a random function. Note that EWCDM is a composition of a permutation and a non-injective keyed function. Hence our observation is not applicable to it.
Birthday Attack on SoKAC21. Similarly, we exploit the attack idea for \(\gamma ^{\textsf {pub}}\circ \pi ^{\textsf {sec}}\) to obtain a birthday bound PRF attack on SoKAC21. In this construction we have \(\pi _2^{\oplus }\) instead of a public random function. However, with a careful analysis (and using the recent result on the sum of permutations) we obtain a birthday attack on SoKAC21. This again violates the beyond birthday security claimed in [CLM19].
2 Preliminaries
Notation. For \( n \in \mathbb {N}\), [n] denotes the set \( \{1,2,\ldots ,n\} \). For \( n,k \in \mathbb {N}\) such that \( n \ge k \), we define the falling factorial \( (n)_k := n!/(n-k)! = n(n-1)\cdots (n-k+1)\). For \( a \in \mathbb {N}\), an a-tuple \( (x_1,x_2,\ldots ,x_a) \) and also a multiset \(\{x_1, \ldots , x_a\} \) is simply denoted as \(x^a\) (this should be clear from the context). For any set \( \mathcal {X}\), \( (\mathcal {X})_a \) denotes the set of all \(x^a\) such that \(x_1, \ldots , x_a\) are distinct. We call all such \(x^a\) element-wise distinct. Note that \(|(\mathcal {X})_q| =(|\mathcal {X}|)_q\).
The set of all functions from \(\mathcal {X}\) to \(\mathcal {Y}\) is denoted as \(\textsf {Func}(\mathcal {X}, \mathcal {Y})\) and the set of all permutations over \(\mathcal {X}\) is denoted as \(\textsf {Perm}(\mathcal {X})\). We use shorthand notations \( \mathsf {Perm}(n) \) (or \(\mathsf {Func}(n)\)) to denote the set of all permutations (or functions respectively) from \( \{0,1\}^n \) to itself.
For a finite set \( \mathcal {X}\), denotes the uniform random sampling of \( \textsf {X}\) from \( \mathcal {X}\). We write when the \(\textsf {X}_i\)’s are chosen uniformly and independently from the set \(\mathcal {D}\). In other words, \(\textsf {X}_1, \ldots , \textsf {X}_a\) is a random with-replacement sample. We write when the \(\textsf {X}_i\)’s are chosen randomly from \(\mathcal {D}\) in a without-replacement manner. More precisely, for all element-wise distinct \(x^a \in (\mathcal {D})_a\),
2.1 Statistical Distance
Let \(\textsf {X}, \textsf {Y}\) be two random variables over a sample space \(\mathcal {S}\). Then the statistical distance between \(\textsf {X}\) and \(\textsf {Y}\) is defined as
An equivalent definition of statistical distance is the following:
To see why it is an equivalent definition, we first note that the maximum is attained at \(E_1 =\{a \in \mathcal {S}: \textsf {Pr}(\textsf {X}=a) > \textsf {Pr}(\textsf {Y}=a) \}\). From the definition of \(E_1\), we can write the sum \(\sum _{a \in \mathcal {S}} |\textsf {Pr}(\textsf {X}=a) - \textsf {Pr}(\textsf {Y}=a)|\) (after splitting it over \(E_1\) and \(E^c_1\)) as
Thus we have established the equivalence.
Lemma 1
(replacement lemma). Let \(\textsf {X}, \textsf {Y}\) be two random variables over a sample space \(\mathcal {S}\), and let \(\textsf {Z}\), sampled from \(\mathcal {T}\), be independent of \(\textsf {X}\) and \(\textsf {Y}\). Let \(E \subseteq \mathcal {S}\times \mathcal {T}\). Then
Proof
For every z, let \(E_z =\{ s \in \mathcal {S}: (s,z) \in E \}\). Then by independence, we have
1. \(p_1 :=\textsf {Pr}((\textsf {X}, \textsf {Z}) \in E) =\sum _z \textsf {Pr}(\textsf {Z}=z) \cdot \textsf {Pr}(\textsf {X}\in E_z)\) and similarly,
2. \(p_2 :=\textsf {Pr}((\textsf {Y}, \textsf {Z}) \in E) =\sum _z \textsf {Pr}(\textsf {Z}=z) \cdot \textsf {Pr}(\textsf {Y}\in E_z)\).
Hence,
2.2 Sum of Without Replacement Samples
Let \(\mathcal {D}\) be a set of size N. In [DHT17] it has been proved that the sum of two independent without-replacement samples behaves almost like a with-replacement sample. More precisely, let , , and let \(\textsf {X}^a\), \(\textsf {Y}^a\) be independent. Define \(\textsf {W}_i =\textsf {X}_i \oplus \textsf {Y}_i\) for all \(i \in [a]\). Then, in [DHT17] it is shown^{Footnote 3} that
Due to Lemma 1, we can simply replace a sum of without-replacement samples appearing in an event by a with-replacement sample at the cost of an additive probability 4a/N. We use this replacement idea when we analyze the SoKAC21 construction.
2.3 Security Definitions
Random Function and Random Permutation. is said to be the random function from the set \(\mathcal {X}\) to \(\mathcal {Y}\). Similarly, is said to be the random permutation over the set \(\mathcal {Y}\). In this paper we mostly use the set \(\mathcal {X}=\mathcal {Y}=\{0,1\}^n\).
Keyed Function and Permutation. A keyed function with key space \(\mathcal {K}\), domain \(\mathcal {X}\) and range \(\mathcal {Y}\) is a function \(\textsf {F} : \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {Y}\) and we denote \(\textsf {F}(K, X)\) by \(\textsf {F}_{K}(X)\). Similarly, a keyed permutation with key space \(\mathcal {K}\) and domain \(\mathcal {X}\) is a mapping \(\textsf {E} : \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {X}\) such that for all key \(K \in \mathcal {K}\), \(X \mapsto \textsf {E}(K, X)\) is a permutation over \(\mathcal {X}\) and we denote \(\textsf {E}_{K}(X)\) for \(\textsf {E}(K, X)\).
PRF. Given an oracle algorithm \(\mathsf {A}\) with oracle access to a function from \(\mathcal {X}\) to \(\mathcal {Y}\), making at most q queries, running time at most t and outputting a single bit, we define the prfadvantage of \(\mathsf {A}\) against the family of keyed functions \(\textsf {F}\) as
PRP. Given an oracle algorithm \(\mathsf {A}\) with oracle access to a permutation of \(\mathcal {X}\), making at most q queries, running time at most t and outputting a single bit, we define the prpadvantage of \(\mathsf {A}\) against the family of keyed permutations \(\textsf {E}\) as
PRF and PRP in the Ideal Model. Some keyed constructions use ideal public primitives such as a random function or a random permutation. Let \(P_1, \ldots , P_r\) be all such primitives used by a keyed construction \(\textsf {F}_K :=\textsf {F}^{P_1,\ldots , P_r}_K\). Let \(P_i^{\pm }\) denote both \(P_i\) and its inverse \(P_i^{-1}\). We define the PRF- and PRP-advantage in the public primitive model as follows.
In the above two probabilities, \(K, \gamma , P_1, \ldots , P_r\) are all drawn independently. Similarly, we define the PRP-advantage in the public model as
Almost XOR Universal Hash Function. A keyed hash function \(\mathcal {H}_K: \mathcal {D}\rightarrow \mathcal {R}\) is called \(\epsilon \)-AXU (almost xor universal) if \(\textsf {Pr}(\mathcal {H}_K(m) \oplus \mathcal {H}_K(m') =\delta ) \le \epsilon \) for all \(m \ne m'\) and for all \(\delta \). Here the probability is computed over the randomness of the key, chosen uniformly from the key space.
3 Collision Probability
Let \(\mathcal {D}\) be a set of size N. We quickly recall the collision probability for a uniform random sample . For any positive integer \(a \le N\), we write \( \textsf {dp}_N(a) :=\frac{(N)_a}{N^a}\) and \(\textsf {cp}_N(a) :=1 - \textsf {dp}_N(a)\). When N is understood from the context, we drop the subscript N. If a is very small compared to N (i.e. \(a/N \approx 0\)), a precise estimate of \(\textsf {dp}_N(a)\) is \(e^{-a(a-1)/2N}\). This follows from the approximation \(1 - \epsilon \approx e^{-\epsilon }\) for very small positive \(\epsilon \). In fact the error term \(e^{-\epsilon } - (1 - \epsilon )\) is of order \(O(\epsilon ^2)\).
Given a list \(\mathcal {L}\) of elements \(x_1, \ldots , x_a\), we write \(\textsf {Dist}(\mathcal {L})\) if \(x_i\)’s are distinct. Otherwise, we write \(\textsf {Coll}(\mathcal {L})\).
Lemma 2
(collision probability). Let \(\mathcal {D}\) be a set of size N. Let and let \(\mathcal {L}\) denote the list containing the \(\textsf {X}_i\)’s, \(1 \le i \le a\). Then,
1. \(\textsf {Pr}(\textsf {Dist}(\mathcal {L})) =\textsf {dp}_N(a)\).
2. \(\textsf {Pr}(\textsf {Coll}(\mathcal {L})) =\textsf {cp}_N(a) \le a^2/2N\).
We skip the proof as it is a straightforward consequence of the definition. The second statement follows from the union bound.
Now we compute probability for having a collision between two lists. We say that there is a collision between two lists, denoted as \(\textsf {LColl}(\mathcal {L}_1, \mathcal {L}_2)\) if the lists are not disjoint.
Lemma 3
(list-collision probability for without-replacement samples). Let and such that \(\textsf {X}^p\) and \(\textsf {Y}^q\) are independent. Then,
Proof
We compute the complement event, i.e., \(\textsf {X}^p\) and \(\textsf {Y}^q\) are disjoint. The conditional probability of the complement event conditioned on \(\textsf {X}^p =x^p\) is \(\frac{(N-p)_q}{(N)_q}\). This can be easily seen as the number of choices of \(\textsf {Y}^q\) is exactly \((N-p)_q\). As the conditional probability is independent of the choice of \(x^p\), the unconditional probability is also \(\frac{(N-p)_q}{(N)_q}\). This completes the proof. \(\square \)
We denote the probability \(1 - \frac{(N-p)_q}{(N)_q}\) as \(\textsf {lcp}_N^{wor}(p, q)\) (or simply \(\textsf {lcp}^{wor}(p,q)\) whenever N is understood from the context).
When \(\mathcal {L}_1 :=\textsf {X}^p\) and \(\mathcal {L}_2 :=\textsf {Y}^q\), where , we denote the list-collision probability \(\textsf {Pr}(\textsf {LColl}(\mathcal {L}_1, \mathcal {L}_2))\) as \(\textsf {lcp}_N^{\$}(p, q)\) (or simply \(\textsf {lcp}^{\$}(p,q)\) whenever N is understood from the context). Here \(\mathcal {D}\) is a set of size N.
Lemma 4
(list-collision probability for random samples). For all positive integers p, q, we have
(When p is small compared to \(\sqrt{N}\), the collision probability \(\textsf {cp}_N(p)\) is almost zero, and in that case the above result says that \(1 - \big (1 - \frac{p}{N}\big )^q\) is a very good approximation of \(\textsf {lcp}^{\$}_N(p, q)\).)
Proof
Let and let E denote the event \(\textsf {Dist}(\textsf {X}^p)\). So \(\textsf {Pr}(E) =\textsf {dp}_N(p)\). Fix any distinct \(x^p\). Then, the list collision \(\textsf {LColl}(x^p, \textsf {Y}^q)\) holds with probability \(1 - (1 - \frac{p}{N})^q\). Now,
Note that in our notation, \(\textsf {Pr}(\textsf {LColl}(\textsf {X}^p, \textsf {Y}^q)) =\textsf {lcp}^{\$}_N(p, q)\). Hence,
The lemma follows from the definition that \(\textsf {Pr}(E^c) =\textsf {cp}_N(p)\). \(\square \)
4 Birthday Attack on Composition of Ideal Primitives
In this section, we analyze compositions of ideal primitives. We recall that and denote an n-bit random function and random permutation respectively. We follow the notation described in Sect. 1.2. Here \(\equiv \) is used to mean that two systems are equivalent (i.e. the probabilistic behavior of the interaction is the same for any adversary).
1. It is easy to verify that \(\pi ^{\textsf {sec}}\circ \gamma ^{\textsf {sec}}\equiv \gamma ^{\textsf {sec}}\circ \pi ^{\textsf {sec}}\equiv \gamma \) and \(\pi ^{\textsf {sec}}_1 \circ \pi ^{\textsf {sec}}_2 \equiv \pi \). In [MS15] \(\pi ^{\textsf {sec}}\circ \pi ^{\textsf {sec}}\) (iterated random permutation) has been analyzed and it almost behaves as \(\pi ^{\textsf {sec}}\), with a maximum distinguishing advantage \(O(q/2^n)\) where q is the number of queries. The authors of [MS15, Nan15] have actually analyzed the more general construction \(\pi ^{\textsf {sec}}\circ \cdots \circ \pi ^{\textsf {sec}}\) (applied r times).
2. In [BDD+17], \(\gamma ^{\textsf {sec}}\circ \gamma ^{\textsf {sec}}\) (iterated random function) has also been analyzed. This is equivalent to \(\gamma ^{\textsf {sec}}\) with a maximum distinguishing advantage \(O(q^2/2^n)\). The authors of [BDD+17] actually analyzed the more general construction \(\gamma ^{\textsf {sec}}\circ \cdots \circ \gamma ^{\textsf {sec}}\) (applied r times). The main idea behind the distinguishing attack is that the collision probability of an iterated random function is higher than that of a random function.
Using a similar argument, we can show that \(\gamma ^{\textsf {sec}}_2 \circ \gamma ^{\textsf {sec}}_1\) can be distinguished from \(\gamma ^{\textsf {sec}}\) by making \(2^{n/2}\) queries. Let \(x_1, \ldots , x_q\) be q queries and let \(y_1, \ldots , y_q\) be the responses. In case of the real world, \(y_i =\gamma ^{\textsf {sec}}_2(z_i)\) where \(z_i =\gamma ^{\textsf {sec}}_1(x_i)\). Let \(\mu :=\textsf {cp}_{2^n}(q)\). Now,
$$\begin{aligned} \textsf {Pr}(\textsf {Coll}(y^q))&=\textsf {Pr}(\textsf {Coll}(z^q)) +\textsf {Pr}(\textsf {Coll}(y^q)\ |\ \textsf {Dist}(z^q)) \times \textsf {Pr}(\textsf {Dist}(z^q))\\&=\mu +\mu (1-\mu ) \end{aligned}$$
Let \(\mathcal {A}\) return 1 if it observes a collision among outputs. Thus, the distinguishing advantage of the adversary is at least \(\mu (1-\mu )\). When \(q =2^{n/2}\), \(\textsf {cp}(q) \approx 1 - \frac{1}{\sqrt{e}}\) and hence the advantage is \(\frac{1}{\sqrt{e}} \times (1 - \frac{1}{\sqrt{e}})\), which is at least 0.2. One can also choose q (which should again be \(O(2^{n/2})\)) such that \(\mu \approx 1/2\), and hence the advantage would be about 0.25.
The same attack can be applied to \(\gamma ^{\textsf {sec}}\circ \gamma ^{\textsf {pub}}\) and \(\gamma ^{\textsf {pub}}\circ \gamma ^{\textsf {sec}}\), since the adversary does not need to take advantage of its access to the public random function \(\gamma ^{\textsf {pub}}\).
3. Let us consider the construction \(\pi ^{\textsf {sec}}\circ \gamma ^{\textsf {pub}}\). An adversary \(\mathcal {A}\) first finds a collision pair \((m, m')\) of \(\gamma ^{\textsf {pub}}\) by making \(2^{n/2}\) queries to it. Then, \(\pi ^{\textsf {sec}}\circ \gamma ^{\textsf {pub}}(m) =\pi ^{\textsf {sec}}\circ \gamma ^{\textsf {pub}}(m')\). Clearly, in the ideal world, \(\gamma (m) =\gamma (m')\) holds with probability \(2^{-n}\). So \(\mathcal {A}\) is a PRF-distinguisher against \(\pi ^{\textsf {sec}}\circ \gamma ^{\textsf {pub}}\) making about \(2^{n/2}\) queries to the public random function. The same attack also applies to \(\gamma ^{\textsf {sec}}\circ \gamma ^{\textsf {pub}}\).
4. Although \(\gamma ^{\textsf {sec}}\circ \pi ^{\textsf {sec}}\) is equivalent to a random function, we have the following birthday bound complexity PRF-attack on \(\gamma ^{\textsf {pub}}\circ \pi ^{\textsf {sec}}\) (replacing the outer layer of secret random function by a public random function). Here we exploit the public access to \(\gamma ^{\textsf {pub}}\) (since otherwise it is equivalent to a random function) (Fig. 3).
Let E denote the event that there are i, j such that \(y_i =c_j\).
Ideal World: In the ideal world we have . So
$$\textsf {Pr}(E) =\textsf {lcp}^{\$}(p,q) =\mu \ \text{(say)}.$$
Real World: In the real world, let \(z_i =\pi ^{\textsf {sec}}(i)\). So \(c_i =\gamma ^{\textsf {pub}}(z_i)\). Thus, independent of \(x^p\). Now, we write the event E as the disjoint union (denoted as \(\sqcup \))
$$\textsf {LColl}(z^q, x^p) \ \sqcup \ \big (\lnot \textsf {LColl}(z^q, x^p) \wedge \textsf {LColl}(c^q, y^p)\big ).$$
Given that \(z^q\) is distinct from \(x^p\), we have . Now, \(\textsf {Pr}(\textsf {LColl}(z^q, x^p) ) =\textsf {lcp}^{wor}(p,q) :=\mu _1\) (say). Then,
$$\begin{aligned} \textsf {Pr}(E)&=\mu _1 +(1 - \mu _1) \mu . \end{aligned}$$
So, the distinguishing advantage of our adversary is \(\mu _1(1 - \mu )\). By Lemma 3 and Lemma 4, the distinguishing advantage is at least
$$\begin{aligned} \Big (1 - \frac{(2^n-p)_q}{(2^n)_q}\Big ) \times \Big ( \big (1 - \frac{p}{2^n}\big )^q - 2\,\textsf {cp}_{2^n}(q) \Big ). \end{aligned} \qquad (8)$$
Further, we have
$$\begin{aligned} \frac{(2^n-p)_q}{(2^n)_q}&=\prod _{i =0}^{q-1} \Big (1 - \frac{p}{2^n-i}\Big ) \\&\le \Big (1 - \frac{p}{2^n}\Big )^q \\&\le 1 - \frac{pq}{2^n} +\frac{pq^2}{2^{2n +1}}. \end{aligned}$$
The last inequality follows from the following fact:
$$(1 - x)^q \le 1 - \binom{q}{1}x +\binom{q}{2} x^2,\ \ 0 \le x \le 1.$$
We also have \((1 - \frac{p}{2^n})^q \ge 1 - \frac{pq}{2^n}\). By substituting the above inequalities in Eq. 8, the distinguishing advantage is at least
$$\Big (1 - \frac{pq}{2^n} - \frac{q^2}{2^n}\Big ) \times \frac{pq}{2^n}\times \Big (1 - \frac{q}{2^{n +1}}\Big ).$$
Now if we choose \(p =q =\sqrt{2^n/3}\) then the advantage is at least \(\frac{1}{9}\big (1 - \frac{1}{3 \times 2^{n/2}}\big )\). This value is almost 1/9 for a reasonably large n.
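The two generic distinguishers of this section (item 2, \(\gamma ^{\textsf {sec}}_2 \circ \gamma ^{\textsf {sec}}_1\), and item 4, \(\gamma ^{\textsf {pub}}\circ \pi ^{\textsf {sec}}\)) can be checked numerically. The Python script below is an added example, not code from the paper: it evaluates the collision probabilities predicted by the formulas above and runs both adversaries against lazily sampled random functions and permutations at a toy block size n = 16; the query counts, trial counts and seeds are our choices.

```python
import random


def falling(N, k):
    """Falling factorial (N)_k = N (N-1) ... (N-k+1)."""
    r = 1
    for i in range(k):
        r *= N - i
    return r


def cp(N, a):
    """cp_N(a) = 1 - (N)_a / N^a: collision probability of a uniform sample of size a."""
    return 1 - falling(N, a) / N ** a


def lcp_wor(N, p, q):
    """Lemma 3: list-collision probability of two independent WOR samples of sizes p and q."""
    return 1 - falling(N - p, q) / falling(N, q)


def lcp_rand_approx(N, p, q):
    """Lemma 4 approximation 1 - (1 - p/N)^q, valid when p is small compared to sqrt(N)."""
    return 1 - (1 - p / N) ** q


def predicted_two_functions(N, q):
    """(real, ideal) collision probabilities for gamma2 o gamma1 vs gamma: mu + mu(1-mu) vs mu."""
    mu = cp(N, q)
    return mu + mu * (1 - mu), mu


def predicted_pub_after_perm(N, p, q):
    """(real, ideal) list-collision probabilities for gamma_pub o pi_sec vs gamma_sec."""
    mu1, mu = lcp_wor(N, p, q), lcp_rand_approx(N, p, q)
    return mu1 + (1 - mu1) * mu, mu


def lazy_function(rng, n):
    """n-bit random function, sampled lazily (outputs drawn with replacement)."""
    table = {}

    def f(x):
        if x not in table:
            table[x] = rng.getrandbits(n)
        return table[x]
    return f


def lazy_permutation(rng, n):
    """n-bit random permutation, sampled lazily without replacement."""
    table, used = {}, set()

    def p(x):
        if x not in table:
            y = rng.getrandbits(n)
            while y in used:
                y = rng.getrandbits(n)
            table[x] = y
            used.add(y)
        return table[x]
    return p


def two_functions_trial(rng, n, q):
    """Item 2: q distinct queries; return (real collision?, ideal collision?)."""
    g1, g2, g = lazy_function(rng, n), lazy_function(rng, n), lazy_function(rng, n)
    real = [g2(g1(x)) for x in range(q)]   # y_i = gamma2(gamma1(x_i))
    ideal = [g(x) for x in range(q)]       # y_i = gamma(x_i)
    return len(set(real)) < q, len(set(ideal)) < q


def pub_after_perm_trial(rng, n, p, q):
    """Item 4: p public queries y_j = gamma_pub(x_j), q construction queries c_i; do the lists meet?"""
    gpub, pisec, gsec = lazy_function(rng, n), lazy_permutation(rng, n), lazy_function(rng, n)
    ys = {gpub(x) for x in range(p)}                       # public list y^p
    real = any(gpub(pisec(i)) in ys for i in range(q))     # c_i = gamma_pub(pi_sec(i))
    ideal = any(gsec(i) in ys for i in range(q))           # c_i = gamma_sec(i)
    return real, ideal


def estimate(trial, trials, seed, **params):
    """Average the real-world and ideal-world collision frequencies over independent trials."""
    rng = random.Random(seed)
    real_hits = ideal_hits = 0
    for _ in range(trials):
        r, i = trial(rng, **params)
        real_hits += r
        ideal_hits += i
    return real_hits / trials, ideal_hits / trials


if __name__ == "__main__":
    n, N = 16, 1 << 16
    print("gamma2 o gamma1, q = 2^(n/2): predicted", predicted_two_functions(N, 256),
          "empirical", estimate(two_functions_trial, 400, 1, n=n, q=256))
    print("gamma_pub o pi_sec, p = q = 148: predicted", predicted_pub_after_perm(N, 148, 148),
          "empirical", estimate(pub_after_perm_trial, 400, 2, n=n, p=148, q=148))
```

With p = q = 148 (about \(\sqrt{2^{16}/3}\)) the predicted gap is around 0.2, comfortably above the 1/9 bound derived above.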
5 Birthday Attack on SoKAC21
In the previous section we have shown the basic attacks on compositions of ideal primitives. A similar idea can be used for compositions of constructions which are not ideal. However, a more dedicated analysis of the advantage is required. In this section we show a birthday attack on the recent proposal SoKAC21. In the following section we show a birthday attack on Dual-EWCDM.
We first recall the definition of SoKAC21 (see Fig. 2 and Eq. 4 for details). It uses two public n-bit random permutations \(\pi ^{\textsf {pub}}_1\) and \(\pi ^{\textsf {pub}}_2\). Given an n-bit key K and an n-bit input m, we define the SoKAC21 output as
Our attack does not exploit public queries to \(\pi ^{\textsf {pub}}_1\), and hence \(\pi ^{\textsf {pub}}_1(m \oplus K) \oplus K\) behaves identically to a secret random permutation \(\pi ^{\textsf {sec}}(m)\). Let \(\textsf {DM}(x) :=\pi ^{\textsf {pub}}_2(x) \oplus x\) (the Davies-Meyer construction based on a public random permutation). So SoKAC21 is actually the composition \(\textsf {DM}\circ \pi ^{\textsf {sec}}\). However, \(\textsf {DM}\) is not a perfect random function. But if we choose the inputs of \(\textsf {DM}\) in a without-replacement manner, the output of \(\textsf {DM}\) can be viewed as the sum of two WOR samples and hence it is very close to the uniform distribution. We use this principle along with the attack strategy described in the previous section for the composition construction \(\gamma ^{\textsf {pub}}\circ \pi ^{\textsf {sec}}\). We simply write \(\pi ^{\textsf {pub}}\) instead of \(\pi ^{\textsf {pub}}_2\) and \(\pi ^{\textsf {sec}}\) instead of the Even-Mansour construction on \(\pi ^{\textsf {pub}}_1\) (Fig. 4).
We define the event \(E :=\textsf {LColl}(c^q, y^p)\) (i.e. there exists i, j such that \(y_i =c_j\)).
Ideal World: In the ideal world . Moreover, \(y_i\) is defined as the sum of two without-replacement samples. By Eq. 6, the \(y_i\)’s are close to a with-replacement sample \(y'_1, \ldots , y'_p\) with statistical distance at most \(4p/2^n\). Moreover, the \(y'_i\)’s are independent of \(c^q\). Let \(\mu :=\textsf {Pr}(\textsf {LColl}(c^q, (y')^p)) =\textsf {lcp}^{\$}(p,q)\). So by using Lemma 1,
Real World: In the real world, let \(z_i =\pi ^{\textsf {sec}}(i)\). So \(c_i =\pi ^{\textsf {pub}}(z_i) \oplus z_i\) for all i, independent of \(x^p\). Now, the event E can be written as a disjoint union \(E_1 \sqcup E_2\) where
1. \(E_1\) is \(\textsf {LColl}(z^q, x^p)\) and
2. \(E_2\) is \(\lnot \textsf {LColl}(z^q, x^p) \wedge \textsf {LColl}(c^q, y^p)\).
Let \(\textsf {Pr}(E_1) =\textsf {lcp}^{wor}(p,q) =\mu _1\) (say).
Now, we compute the probability of the event \(E_2\), which is the same as \(E_1^c \wedge \textsf {LColl}(c^q, y^p)\). Given that \(z^q\) is distinct from \(x^p\) (i.e. \(E_1^c\) holds) we have
As \(c_i =\textsf {DM}(z_i)\) and \(y_i =\textsf {DM}(x_i)\), \(c_i\)’s and \(y_i\)’s are almost uniformly distributed. More precisely, for ,
So by Lemma 1, \(\textsf {Pr}(E_2) \ge (1 - \mu _1)\times (\mu - 4(p +q)/2^n)\) where \(\mu =\textsf {lcp}^{\$}(p,q)\). Now,
So, subtracting the probability \(\textsf {Pr}(E)\) of the ideal world from that of the real world, the distinguishing advantage is at least
We have already shown that \(\mu _1(1 - \mu )\) is at least \(\frac{1}{9} - \frac{1}{27 \cdot 2^{n/2}}\) when \(p =q =\sqrt{2^n/3}\) (see the last paragraph of our analysis of \(\gamma ^{\textsf {pub}}\circ \pi ^{\textsf {sec}}\)). Hence the advantage is at least \(\frac{1}{9} - \frac{1}{2^{n/2-1}}\).
6 Birthday Attack on Dual-EWCDM
In this section we provide the details of a nonce-respecting distinguishing attack on EWCDMD. For better understanding we consider a specific hash function \(\mathcal {H}(m) = K \cdot m\) where K is a non-zero random key chosen uniformly from \(\{0,1\}^n \setminus \{0\}\) and \(m \in \mathcal {M}:= \{0,1\}^n\). Here \(K \cdot m\) means field multiplication with respect to a fixed primitive polynomial. Clearly, \(\mathcal {H}\) is a \(\frac{1}{2^n-1}\)-AXU hash. Moreover, it is an injective hash: for distinct messages \(m_1, \ldots , m_q\), the values \(\mathcal {H}(m_1), \ldots , \mathcal {H}(m_q)\) are distinct.
Distinguishing Attack. \(\mathcal {A}\) chooses \((\nu _1, m_1), \ldots , (\nu _q, m_q) \in \{0,1\}^ n \times \mathcal {M}\) where all \(\nu _i\)’s are distinct and all \(m_i\)’s are distinct. Suppose \(T_1, \ldots , T_q\) are the responses. \(\mathcal {A}\) returns 1 if there is a collision among the \(T_i\) values, otherwise it returns zero.
When \(\mathcal {A}\) is interacting with a random function, \(\textsf {Pr}[\mathcal {A}\rightarrow 1] \le q(q-1)/2^{n+1}\) (by the union bound). Now we provide a lower bound on \(\textsf {Pr}[\mathcal {A}\rightarrow 1]\) when \(\mathcal {A}\) is interacting with EWCDMD in which \(\pi _1, \pi _2\) are two independent random permutations and \(\mathcal {H}\) is the above hash function whose key is chosen independently. To obtain the lower bound we first prove the following lemma. Let \(N= 2^n\).
Lemma 5
Let \(x_1, \ldots , x_q \in \{0,1\}^n\) be q distinct values and let \(\pi \) be a random permutation. For distinct \(\nu _1, \ldots , \nu _q\), let C denote the event that there is a collision among the values \(\pi (\nu _i) \oplus x_i\), \(1 \le i \le q\). Then,
where \(\alpha = \frac{q(q-1)}{2(N-1)}\) and \(\beta = \frac{(q-2)(q+1)}{4(N-3)}\). In particular, for distinct \(x_i\)’s, a collision among the values \(\pi (x_i) \oplus x_i\) occurs with probability at least \(\alpha (1 - \beta )\).
Proof. Let \(E_{i,j}\) denote the event that \(\pi (\nu _i) \oplus \pi (\nu _j) = x_i \oplus x_j\). So for all \(i \ne j\), \(\textsf {Pr}[E_{i,j}] = 1/(N-1)\). Let \(C = \cup _{i \ne j} E_{i,j}\) denote the collision event. By the union bound we can easily upper bound
Now, we show the lower bound. For this, we apply Boole’s inequality and we obtain lower bound of collision probability as
where the sum is taken over all possible choices of \(\{\{i,j \}, \{k, l\}\}\), and the number of such choices is at most \(\binom{q(q-1)/2}{2} =q(q-1)(q+1)(q-2)/8 \). Note that for each such choice of i, j, k, l,
Hence,
This completes the proof. \(\square \)
Advantage Computation. Using the above Lemma we now show that the probability that \(\mathcal {A}\) returns 1 while interacting with EWCDMD is significant when \(q = O(2^{n/2})\).
Let \(C_1\) denote the event that there is a collision among the values \(z_i := \pi _1(\nu _i) \oplus \mathcal {H}(m_i)\). We can apply our lemma as the \(\mathcal {H}(m_i)\)’s are distinct due to our choice of the hash function. Thus, \(\textsf {Pr}[C_1] \ge \alpha (1 - \beta )\). Moreover, \(\textsf {Pr}[\lnot C_1] \ge (1 - \alpha )\). Given \(\lnot C_1\), the T values are outputs of Davies-Meyer based on the random permutation \(\pi _2\) on distinct inputs. So by using the previous lemma,
Hence,
Thus, the advantage of the adversary is at least \(\alpha - 2\alpha \beta - \alpha ^2\). It is easy to see that when \(2q^2 \ge N\), we have \(1 - 2 \beta - \alpha \le 1/2\) and hence the advantage is at least \(\alpha /2 = q(q-1)/(4(N-1))\).
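The inequality chains that Lemma 5 and the advantage computation above rely on, written out here as an added worked derivation in the paper's own symbols (an editorial reconstruction of the steps stated in prose, not the paper's displayed equations; \(C_2\) is a label introduced here for the collision event among the T values).

For Lemma 5, with \(E_{i,j}\) and C as in the proof,
$$\begin{aligned} \textsf {Pr}[C] &\le \sum _{i<j} \textsf {Pr}[E_{i,j}] = \frac{q(q-1)}{2} \cdot \frac{1}{N-1} = \alpha , \\ \textsf {Pr}[C] &\ge \sum _{i<j} \textsf {Pr}[E_{i,j}] - \sum _{\{\{i,j\},\{k,l\}\}} \textsf {Pr}[E_{i,j} \cap E_{k,l}] \\ &\ge \alpha - \binom{q(q-1)/2}{2} \cdot \frac{1}{(N-1)(N-3)} = \alpha - \frac{q(q-1)(q+1)(q-2)}{8(N-1)(N-3)} = \alpha (1-\beta ). \end{aligned}$$
The bound on each intersection holds because \(E_{i,j}\) requires \(\pi (\nu _j)\) to hit one prescribed value among the \(N-1\) values other than \(\pi (\nu _i)\), and, conditioned on that, \(E_{k,l}\) requires \(\pi (\nu _l)\) to hit one prescribed value while at least \(N-3\) values are still unassigned.

For the advantage, a collision among the \(z_i\) forces a collision among the T values, so
$$\begin{aligned} \textsf {Pr}_{\textsf {real}}[\mathcal {A}\rightarrow 1] &= \textsf {Pr}[C_1] + \textsf {Pr}[\lnot C_1] \cdot \textsf {Pr}[C_2 \mid \lnot C_1] \\ &\ge \alpha (1-\beta ) + (1-\alpha )\, \alpha (1-\beta ) = \alpha (1-\beta )(2-\alpha ) \\ &= 2\alpha - 2\alpha \beta - \alpha ^2 + \alpha ^2 \beta . \end{aligned}$$
Since \(q(q-1)/2^{n+1} = q(q-1)/(2N) \le \alpha \), subtracting the ideal-world probability gives \(\textsf {Adv} \ge \alpha - 2\alpha \beta - \alpha ^2 + \alpha ^2 \beta \ge \alpha - 2\alpha \beta - \alpha ^2\), which is the bound stated above.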
Remark 1
We would like to note that the distinguishing advantages for both constructions can be brought close to one by repeating the whole process independently O(n) times.
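As an added numerical companion to Lemma 5 and the advantage computation above (an editorial example, not code from the paper), the following Python computes \(\alpha \), \(\beta \), the ideal-world bound and the advantage bound exactly as rationals, and checks the lemma against an exhaustive enumeration for a toy block size. All inputs are constructed toy values and every function name is this example's own.

```python
"""Numerical check of Lemma 5 and the EWCDMD advantage bound for toy block sizes.

Added illustration (not code from the paper): alpha, beta and the advantage
bound are computed exactly as rationals, and the lemma is confirmed by
exhaustive enumeration for tiny n.  All inputs below are constructed toy values.
"""
from fractions import Fraction
from itertools import permutations


def alpha(q, N):
    """alpha = q(q-1) / (2(N-1)): the union-bound estimate of Pr[C]."""
    return Fraction(q * (q - 1), 2 * (N - 1))


def beta(q, N):
    """beta = (q-2)(q+1) / (4(N-3)): the second-order correction term."""
    return Fraction((q - 2) * (q + 1), 4 * (N - 3))


def lemma5_bounds(q, N):
    """(lower, upper) = (alpha(1-beta), alpha) for the collision event C."""
    a, b = alpha(q, N), beta(q, N)
    return a * (1 - b), a


def exact_collision_probability(xs, n):
    """Exact Pr[C] for the values pi(x_i) xor x_i under a uniform random
    permutation pi of {0,1}^n (the nu_i = x_i case of Lemma 5).

    Under a uniform permutation the image tuple (pi(x_1), ..., pi(x_q)) is
    uniform over ordered q-tuples of distinct n-bit values, so enumerating
    those tuples gives the exact probability without touching all N!
    permutations.
    """
    N = 1 << n
    if len(set(xs)) != len(xs) or any(not 0 <= x < N for x in xs):
        raise ValueError("inputs must be distinct n-bit values")
    hits = total = 0
    for images in permutations(range(N), len(xs)):
        total += 1
        dm = [y ^ x for y, x in zip(images, xs)]  # Davies-Meyer style values
        if len(set(dm)) < len(dm):                # a collision occurred
            hits += 1
    return Fraction(hits, total)


def ideal_collision_probability(q, n):
    """Exact Pr[collision among q outputs of a random function into {0,1}^n]."""
    N = 1 << n
    no_collision = Fraction(1)
    for i in range(q):
        no_collision *= Fraction(N - i, N)
    return 1 - no_collision


def ideal_collision_bound(q, n):
    """The union bound q(q-1)/2^(n+1) used for the ideal world."""
    return Fraction(q * (q - 1), 1 << (n + 1))


def advantage_lower_bound(q, N):
    """alpha - 2*alpha*beta - alpha^2: the paper's lower bound on the advantage."""
    a, b = alpha(q, N), beta(q, N)
    return a - 2 * a * b - a * a


if __name__ == "__main__":
    n, xs = 3, [1, 2, 5]  # constructed toy inputs, N = 8
    lo, hi = lemma5_bounds(len(xs), 1 << n)
    p = exact_collision_probability(xs, n)
    print(f"Lemma 5 (n={n}, q={len(xs)}): {lo} <= {p} <= {hi}")
    print("ideal-world collision probability:", ideal_collision_probability(3, n),
          "<= union bound", ideal_collision_bound(3, n))
    print("advantage lower bound:", advantage_lower_bound(3, 1 << n))
```

The enumeration runs over ordered q-tuples of distinct images rather than over all N! permutations, which is what makes an exact check feasible for n up to about 5 with small q; for the real block sizes the bounds themselves, not enumeration, are the tool.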
6.1 Issues in the Previous Proofs
Now we briefly describe the issues in the proofs of [CLM19, MN17]. Both proofs use the H-technique and hence are broadly divided into two parts: bounding the probability of bad events, and finding a good lower bound on the probability of realizing any fixed good transcript in the real world. The flaws in their proofs lie in the good transcript analysis.
Suppose \(\pi _1\) and \(\pi _2\) are two random permutations. In both proofs, the good transcript analysis amounts to computing the probability distribution of the sum of two random permutations. More precisely, for fixed \(\lambda _1, x_1, y_1, \ldots, x_q, y_q, \lambda _q \in \{0,1\}^n\), we want a lower bound on the probability of the event \(\pi _1(x_i) \oplus \pi _2(y_i) =\lambda _i\) for all i. This is also known as mirror theory and has been studied in several papers [Pat10, Pat13, DDN+17a, DDNY19, DDNY18]. The desired lower bounds are known if the equality patterns of the \(x_i\)’s and \(y_i\)’s satisfy certain conditions. In the proofs of [CLM19, MN17], the equality pattern of the \(y_i\)’s depends on the values of \(\pi _1(x_i)\) for all i. So, clearly, the mirror theory based lower bound cannot be used. This is the main flaw of the proofs.
7 Concluding Discussion
We have demonstrated a distinguishing attack on EWCDMD. We would like to note that this attack does not work for EDM, EWCDM and EDMD, as we cannot write them as a composition of two non-injective functions. We also demonstrate a birthday attack on SoKAC21. Our attack also does not work if we mask the final output by a key (which is another variant of the sum of key alternating ciphers). However, at the same time, we do not know how to prove its beyond birthday security.
7.1 Some Open Problems
The following are some open problems that may be of interest to the cryptographic community.
1. We would like to note that our attack against EWCDMD is a PRF attack, and it is not easy to extend it to a forging attack in the nonce-respecting setting. Thus, proving MAC security would be an interesting research problem.
2. One can consider the following dual variant:
$$\begin{aligned} \pi _2(\pi _1(\nu ) \oplus \mathcal {H}(m)) \oplus \pi _1(\nu ). \end{aligned}$$(11)
This is very close to the sum of permutations. However, the presence of \(\mathcal {H}(m)\) makes it very difficult to prove (without using Patarin’s claim or conjecture on the interpolation probability of the sum of random permutations). Moreover, it cannot be expressed as a composition of functions with n-bit outputs. Hence it is a potential dual candidate of EWCDM.
3. Another possibility is to use three independent random permutations. As mentioned in [CS16], we can consider
$$\begin{aligned} \pi _3\big ( \pi _1(\nu ) \oplus \pi _2(\nu ) \oplus \mathcal {H}(m) \big ). \end{aligned}$$
This will give \(2^n\) security in the nonce-respecting model, assuming that the sum of permutations gives n-bit PRF security. However, we don’t know the trade-off between the number of allowed nonce repetitions and the security bound.
4. Proving beyond birthday security (or demonstrating birthday attacks) for some other variants of SoKAC21 would be an interesting open problem.
Notes
1. Note that if the outer function g is \(\pi ^{\textsf {pub}}\) or the inner function f is \(\pi ^{\textsf {pub}}\) then the composition essentially reduces to a single primitive. An adversary can always uncover \(\pi ^{\textsf {pub}}\) by making calls to \(\pi ^{\textsf {pub}}\) and \((\pi ^{\textsf {pub}})^{-1}\).
2. The early version can be accessed as ePrint 2017/473, posted on 28 May 2017. This paper was initially accepted at CRYPTO 2017. Later, after finding the flaw in the analysis, the authors removed this analysis from the final proceedings version.
3. The original bound is \(\frac{1.5a}{N} +\frac{3 \sqrt{a}}{N}\), which is less than the bound we consider here for all \(a \ge 3\). For \(a =2\), one can easily establish the bound.
References
Andreeva, E., Daemen, J., Mennink, B., Van Assche, G.: Security of keyed sponge constructions using a modular proof approach. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 364–384. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_18
Bhaumik, R., Datta, N., Dutta, A., Mouha, N., Nandi, M.: The iterated random function problem. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 667–697. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_23
Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017, 1–38 (2017)
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed sponge construction. In: Symmetric Key Encryption Workshop, vol. 2011 (2011)
Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31
Bhargavan, K., Leurent, G.: On the practical (in)security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 456–467. ACM (2016)
Bhattacharya, S., Nandi, M.: A note on the chi-square method: a tool for proving cryptographic security. Cryptogr. Commun. 10(5), 935–957 (2018). https://doi.org/10.1007/s12095-017-0276-z
Bhattacharya, S., Nandi, M.: Revisiting variable output length XOR pseudorandom function. IACR Trans. Symmetric Cryptol. 2018(1), 314–335 (2018)
Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Y., Sim, S.M., Todo, Y.: GIFT: a small present. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 321–345. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_16
Chang, D., Dworkin, M., Hong, S., Kelsey, J., Nandi, M.: A keyed sponge construction with pseudorandomness in the standard model. In: The Third SHA-3 Candidate Conference, March 2012, vol. 3, p. 7 (2012)
Chen, Y.L., Lambooij, E., Mennink, B.: How to build pseudorandom functions from public random permutations. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 266–293. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_10
Cogliati, B., Seurin, Y.: EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 121–149. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_5
Cogliati, B., Seurin, Y.: Analysis of the single-permutation encrypted Davies-Meyer construction. Des. Codes Cryptogr. 86(12), 2703–2723 (2018). https://doi.org/10.1007/s10623-018-0470-9
Datta, N., Dutta, A., Nandi, M., Paul, G., Zhang, L.: Single key variant of PMAC_Plus. IACR Trans. Symmetric Cryptol. 2017(4), 268–305 (2017)
Datta, N., Dutta, A., Nandi, M., Paul, G.: Double-block hash-then-sum: a paradigm for constructing BBB secure PRF. IACR Trans. Symmetric Cryptol. 2018, 36–92 (2018)
Datta, N., Dutta, A., Nandi, M., Yasuda, K.: Encrypt or decrypt? To make a single-key beyond birthday secure nonce-based MAC. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 631–661. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_21
Datta, N., Dutta, A., Nandi, M., Yasuda, K.: DWCDM+: a BBB secure nonce based MAC. Adv. Math. Comm. 13(4), 705–732 (2019)
Dai, W., Hoang, V.T., Tessaro, S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 497–523. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_17
Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 370–389. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055742
Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
Mennink, B., Neves, S.: Encrypted Davies-Meyer and its dual: towards optimal security using mirror theory. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 556–583. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_19
Minaud, B., Seurin, Y.: The iterated random permutation problem with applications to cascade encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 351–367. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_17
Nandi, M.: A simple proof of a distinguishing bound of iterated uniform random permutation. IACR Cryptol. ePrint Arch. 2015, 579 (2015)
Patarin, J.: A proof of security in \(O(2^{n})\) for the XOR of two random permutations. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 232–248. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85093-9_22
Patarin, J.: Introduction to mirror theory: analysis of systems of linear equalities and linear non equalities for cryptography. IACR Cryptol. ePrint Arch. 2010, 287 (2010)
Patarin, J.: Security in \(O(2^{n})\) for the XOR of two random permutations: proof with the standard H technique. IACR Cryptol. ePrint Arch. 2013, 368 (2013)
Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. IACR Cryptol. ePrint Arch. 2004, 332 (2004)
Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
Yasuda, K.: The sum of CBC MACs is a secure PRF. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 366–381. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5_25
Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_34
Zhang, L., Wu, W., Sui, H., Wang, P.: 3kf9: enhancing 3GPP-MAC beyond the birthday bound. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 296–312. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_19
Acknowledgment
This work is supported by the project “Study and Analysis of IoT Security” under Government of India at R. C. Bose Centre for Cryptology and Security, Indian Statistical Institute, Kolkata.
© 2020 International Association for Cryptologic Research
Cite this paper
Nandi, M. (2020). Mind the Composition: Birthday Bound Attacks on EWCDMD and SoKAC21. In: Canteaut, A., Ishai, Y. (eds) Advances in Cryptology – EUROCRYPT 2020. EUROCRYPT 2020. Lecture Notes in Computer Science, vol 12105. Springer, Cham. https://doi.org/10.1007/978-3-030-45721-1_8
DOI: https://doi.org/10.1007/978-3-030-45721-1_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-45720-4
Online ISBN: 978-3-030-45721-1