On the Resilience of Even-Mansour to Invariant Permutations

Symmetric cryptographic primitives are often exposed to invariances: deterministic relations between plaintexts and ciphertexts that propagate through the primitive. Recent invariant subspace attacks have shown that these can be a serious issue. One way to mitigate invariant subspace attacks is at the primitive level, namely by proper use of round constants (Beierle et al., CRYPTO 2017). In this work, we investigate how to thwart invariance exploitation at the mode level, namely by assuring that a mode never evaluates its underlying primitive under any invariance. We first formalize the use of invariant cryptographic permutations from a security perspective, and analyze the Even-Mansour block cipher construction. We further demonstrate how the model composes, and apply it to the keyed sponge construction. The security analyses exactly pinpoint how the presence of linear invariances affects the bounds compared with analyses in the random permutation model. As such, they give an exact indication how invariances can be exploited. From a practical side, we apply the derived security bounds to the case where the Even-Mansour construction is instantiated with the 512-bit ChaCha permutation, and derive a distinguishing attack against Even-Mansour-ChaCha in 2128\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2^{128}$$\end{document} queries, faster than the birthday bound. Comparable results are derived for instantiation using the 200-bit Keccak permutation without round constants (attack in 250\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2^{50}$$\end{document} queries), the 1024-bit CubeHash permutation (attack in 2256\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2^{256}$$\end{document} queries), and the 384-bit Gimli permutation without round constants (attack in 296\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2^{96}$$\end{document} queries). The attacks do not invalidate the security of the permutations themselves, but rather they demonstrate the tightness of our bounds and confirm that care should be taken when employing a cryptographic primitive that has nontrivial linear invariances.


Introduction
The core of symmetric cryptographic primitives and modes alike has been, historically, the block cipher. Its applications range from compression functions to authenticated encryption. For example, the AES block cipher [44] is at the core of AES-GCM [83], AES-CCM [104], AES-CBC [52], OCB [77], AEZ [67], and many other widely used modes.
Block ciphers usually consist of two main components: a (iterated) round function, which deals with input data, and a key schedule, which expands one key to multiple, randomlooking, block-sized keys. Key material is regularly added to the data in-between evaluations of the round function. More recently, tweakable block ciphers [82] added a third input, the tweak, which in existing designs is essentially treated as key material [70].
A different approach has been gaining momentum in the last few years: permutation based cryptography. In this paradigm, there is no key; every part of the input is treated equally. Key material is then added only "at the top", as in the Even-Mansour construction [50,53], or the various keyed sponge modes [2,19,31,41,85]. This arguably makes designs cleaner and easier to analyze, as there are no separate processing lanes for key and data, and enables a clearer mixing of the key and the data.
For most permutation based modes of operation, security is argued in the random permutation model, meaning that the underlying permutation is assumed to be perfect. So as to meet this assumption as close as possible, permutations are often designed to prevent all kinds of structural defects, harmless as they may seem. This is the so-called "hermetic" design strategy. One usually accomplishes this by designing a strong iterated round function resistant to differential, linear, and other standard attacks, and adding round constants in-between evaluations of the round function. These constants achieve two goals: -They make every round distinct, preventing internal differentials [94], slide attacks [22], and a defective cycle structure [86]; -They can prevent invariant subspace attacks, by breaking the symmetries that are preserved across round functions [9,79].
Many permutations follow this design pattern, such as the Keccak permutation [18,56], Ascon [49], PHOTON [66], Prøst [74], Gimli [16], Mixifer [99], or Xoodoo [40]. Other permutations, often single-purpose components of larger modes of operation, decide to omit such round constants, and let the mode of operation ensure that "bad" states are never reached. This is the case of Salsa20 [15] or NORX [4], in which invariance-breaking constants are simply added "at the top". This can result in simpler designs, at the cost of losing the random permutation model as a useful modeling tool.

Invariances
Consider the event that for a permutation P : {0, 1} n → {0, 1} n , there are one or more functions λ : {0, 1} n → {0, 1} n such that λ • P(x) = P • λ(x) (1) for any x ∈ {0, 1} n . We say that P is invariant under λ, and call λ an invariance for P. The identity mapping is always an invariance for P, but ideally, it is the only one, the reason being that non-trivial invariances expose non-random behavior of P and may allow and attacker to distinguish the primitive from random. Various examples of invariances for permutations are given in Sect. 2.

Dealing with Invariances
Basically, there are two ways to resolve the potential weaknesses caused by the presence of invariances: -At the primitive level: avoid the presence of invariances. This is achieved by using more involved key schedules and round constants. Most invariant subspace attacks to date [20,27,64,69,79,80,97,100] exploit weaknesses at the primitive level. Beierle et al. [9] studied the issue of invariances in SPNs, with particular focus on the linear layer, and investigated the effect of round constants on the resistance against invariant subspace attacks; -At the mode level: ensure that invariances are never inspected. In this case, the primitive must be "masked" at the mode level so that it is never evaluated for two values x and λ(x), where λ is any of the non-trivial invariances of P.
The former approach delivers primitives that may function as standalone objects to be used as a black-box by mode designers and implementers. The latter approach allows for simpler, more minimalistic primitives, but mode designers should pay attention to the fact that invariances are avoided. Theorists, however, typically ignore the issue of invariances entirely, simply assuming ideal primitives.

Invariances in Practice
The issue of invariances is not a purely theoretical matter. Invariances are inherent to symmetric cryptography, and some cryptographic permutations, including the ones underlying Salsa20 [15], ChaCha [13], NORX [4], BLAKE2 [5], and CubeHash [14], do have certain invariances that make them easily distinguishable from their ideal counterparts. These invariances are not always attributed to flaws in the scheme: sometimes, the presence of invariances allows to obtain simpler and faster schemes. Yet, there are no available tools to study their behavior when used in permutation based modes. Given the popularity of ChaCha and AESlike building blocks to build new schemes, the case deserves proper formal understanding. We stress that we do not advocate for general purpose primitive designers to design purposefully imperfect cryptographic primitives. Instead, our focus is on combined mode and primitive designers, noting that nowadays many cryptographic modes are designed alongside their single-purpose primitives. We have noticed this pattern in many CAESAR candidates [28], e.g., Prøst, NORX, ICEPOLE, Minalpher, PRIMATEs, and PAEQ. When designing a single-purpose permutation, as in these cases, it seems reasonable to handle properties that simplify or speed up the permutation by relying on the mode to protect against them (as is already the case, in a simpler setting, with Salsa20 and ChaCha).

Our Contribution
We present a structural analysis of how to handle the problem of invariant primitives at the mode level. Whereas Beierle et al. specify conditions on the use of round constants so as to avoid invariances, we describe how the security of masked primitive modes behaves in the presence of invariances. The work consists of a theoretical part (settling the model and deriving security bounds) and a practical part (translating the security bounds to attacks on concrete cryptographic permutations), as we will detail below.

Invariant Random Permutation Model
We first formalize a model for the use of invariant permutations in cryptographic modes. The model is fairly straightforward: instead of randomly drawing an n-bit permutation from the set of all n-bit permutations, one fixes a set of linear invariances Λ and draws the permutation from the set of all n-bit permutations that satisfy (1) for all λ ∈ Λ. The model is given in Sect. 3.1. Note that the model is general; in fact, it covers more than the typical invariances we observe in Salsa20, ChaCha, NORX, and so on. We also point out that this practice is riskier than the hermetic design approach, as one needs to be sure that every allowed invariance is adequately covered by the analysis.

Analysis of Even-Mansour
Then, in Sect. 3.2 we analyze the plain single-key Even-Mansour construction [53] in the invariant permutation model. The tight security bound derived for this construction exactly pinpoints how the original (i.e., the random permutation model based) security bound deteriorates in the presence of invariances. Quite surprisingly: the loss is less trivial and more significant than initially thought. The reason for this is that a strong security bound can be derived only if for any input x to the primitive P, the value λ(x) should never be evaluated by P, for any λ ∈ Λ.
In detail, the analysis leads to a security bound in the invariant permutation model that is at most |Λ| times the bound in the random permutation model plus |Λ| − 1 times a technical term P * that bounds the probability of collisions over the invariances.

Analysis of Keyed Sponge
The analysis of the Even-Mansour construction is particularly useful as it appears as building block in many security proofs. For example, security of the keyed sponge [2,19,31,41,59,85,90] and other MAC designs [87,89] can be reduced to the security of the Even-Mansour construction. In Sect. 3.4, we show how the security analysis of the Even-Mansour construction generalizes to a security analysis of the keyed sponge in the invariant permutation model.

Instantiation
The term P * is involved, and can be described as a combinatorial property of the invariances (refer to Theorem 1 for precise statement of the bound). Further derivation of the bound is then tied to the specific primitive and invariances associated with it. This, so far, leaves us with only a partial solution. In Sect. 4 we look at the remaining term in more detail for specific cryptographic primitives and invariances.
In Sect. 4.1 we consider additive invariances for the Salsa20 permutation. This permutation satisfies that it is invariant under parallel addition of 16 times the value Δ = 2 31 . We present a simple attack on Even-Mansour-Salsa20 in a constant number of construction queries that matches our security bound. The attack does not invalidate the security strength of Salsa20; it just confirms that its permutation should not be used in the Even-Mansour construction.
In Sect. 4.2 we consider linear invariances, noting that for a linear invariance λ, the probability term P * can in turn be related with the rank of id ⊕ λ. This rank can be easily computed, and attacks can be mounted on the Even-Mansour construction based on the cryptographic permutations exhibiting that invariance. For the 512-bit Chacha [13] permutation, we obtain a distinguishing attack with a complexity of 2 128 queries. For the 1600-bit Keccak permutation without round constants [18], a distinguishing attack in complexity 2 400 queries is derived, and this attack scales down to smaller versions of Keccak, up to an attack in 2 50 construction queries for 200-bit Keccak. We likewise derive a distinguishing attack for 1024-bit Cube-Hash [14] in 2 256 construction queries, and for 384-bit Gimli without round constants [16] in 2 96 construction queries. Again, none of these attacks invalidate the security claims of the primitives themselves. They rather demonstrate that one must be careful when using a cryptographic primitive that has invariances, and exemplify decisions that designers could conceivably make when designing a particular scheme.
The framework is likewise able to capture the attacks on NORXv2 [21,30], as well as the BLAKE2 [65] attacks with chosen IV. It can furthermore readily be extended to match the invariant subspaces found on Simpira v1 [97], or the attacks that rely on a block cipher hitting a particular set of bad keys.

Discussion
The attacks on Even-Mansour instantiated with ChaCha, Keccak without round constants, CubeHash, and Gimli without round constants are well below the birthday bound on the corresponding state sizes. In Sect. 5.1, we consider different avenues to salvaging Even-Mansour. One approach is to consider tweakable variants of Even-Mansour, such as a generalization of the Masked Even-Mansour construction [62] that masks the key before it is added to the message. Details on this construction are given in Appendix A. In this appendix, we also explain how the results subsequently extend to the Offset Public Permutation (OPP) authenticated encryption scheme by Granger et al. [62]. Another approach is to consider 2-round Even-Mansour. In the random permutation model, this construction has received solid investigation lately [23,32]. The attacks of Sect. 4 rely on the fact that an attacker may observe the structure of the inputs to and outputs of the cryptographic permutation, and by masking the input and output, or by adding an extra round, the attacker cannot observe this structure anymore, and the attack fails. Note that a minimal construction of 2-round Even-Mansour would take a single key, and add "round constants" to derive mutually slightly different round keys. Stretching the idea to multiple round Even-Mansour, this idea resembles the current practice of primitive level invariant subspace attack mitigation.
In Sect. 5.2, we discuss how our security analysis can be translated to multi-key security, where the attacker can query multiple instances of the constructions simultaneously. It appears that in this case, the attacker does not get any significant gain over the single-key setting. Finally, in Sect. 5.3, we informally discuss how our analyses may generalize to invariances that do not necessarily apply to the entire domain.

Notation
Throughout, parameters κ, τ, n ∈ N denote key size, tweak size, and state size. The set of n-bit permutations is denoted perm(n). We denote by tperm(T , n) the set of all families of n-bit permutations indexed by t ∈ T . For m ∈ N such that m ≤ n, we denote the falling factorial as (n) m = n(n − 1) · · · (n − m + 1) = n!/(n − m)!. For a finite set X , we denote by x $ ← − X the uniformly random sampling of x from X .

Invariances
A permutation P ∈ perm(n) is invariant under bijection λ ∈ perm(n) if for any x ∈ {0, 1} n , We call λ an invariance for P. Note that the identity function id is always an invariance for P (regardless of P), and if P is invariant under λ, λ , it is also invariant under λ −1 and λ • λ . In particular, the set of invariances for P forms a group (Λ, •). For a group of invariances Λ, we write perm[Λ](n) as the set of all permutations that are invariant under Λ. In our work, we restrict our focus to linear invariances. We refer to Courtois [37,38] for research on nonlinear invariances.
In the remainder of this section, we discuss invariances for various theoretical and practical functions.

Random Permutation
If P : {0, 1} n → {0, 1} n is a random permutation, i.e., a function that generates each response uniformly at random without replacement from {0, 1} n , with high probability Λ = {id}. Stated differently: with high probability, this function has no invariances except for the trivial one.

Iterated Random Permutation
In the case P : {0, 1} n → {0, 1} n is the repeated composition of the same round function f r (·), we have the invariant In the case of an unknown round function, as in the case of block ciphers, finding pairs of inputs of the form (x, f (x)), i.e., slid pairs, is a core step of slide attacks [7,22]. Since (x, f (x)) implies (P(x), f (P(x)) at the output, recovering the key from such a slid pair is often efficiently achievable (e.g., KeeLoq [1]).

Salsa Family of Permutations
Salsa20 [15] is part of the eSTREAM portfolio of stream ciphers. Its core primitive is a permutation operating on a 16-word state, usually treated as a 4 × 4 matrix ⎛ The Salsa20 round consists of four parallel "quarter-round" operations, as follows: followed by a transposition of the state. In other words, Salsa20 consists of the composition of "column rounds" followed by "row rounds". The transposition is omitted after the last round.
Determining the invariances of Salsa20 is straightforward. The column rounds, when treating G as a random permutation, are invariant under any permutation of the diagonals. Furthermore, the transposition forces the admissible invariant permutations to be restricted to rotations.
Besides this set of rotational invariances, Salsa20's G has itself some invariant properties. In particular, G is invariant with respect to addition (or xor) by {2 31 } 4 , as observed by Wagner [103], Robshaw, and Castro et al. [29].
It is interesting to note that Salsa20's predecessor, Salsa10 [12, §5], did not have any simple invariances, owing to its different quarter-round and the addition of a constant every two rounds. Salsa20's invariances were an explicit design choice.

ChaCha, BLAKE2, and NORX
ChaCha [13] is a variant of Salsa20. It operates on the same 4 × 4 state as Salsa20, but the linear layer is slightly different. The ChaCha round first applies four parallel "quarter rounds" 13 ) , followed by a "shift rows" operation The next round uses the same quarter-round, followed by the inverse of the "shift rows" operation.
The invariances here are similar to Salsa20. The quarter-round layer is invariant under any permutation of state columns. The linear layer, however, is only invariant under rotations of columns. Thus, ChaCha is invariant under rotations of columns.
Several other permutations based on the ChaCha, such as the ones in BLAKE2 [5] and NORX [4], share the same property. The rotational invariance of this round structure was implicitly used in the "chosen-IV" BLAKE2 attacks of Guo et al. [65], as well as explicitly described in the cryptanalysis of NORXv2 [21,30].
These invariances, or "symmetric states", were first identified by Aumasson et al. [3] and later further classified by Ferguson et al. [55]. One of these invariances will be considered in detail in Sect. 4.2.3.
In the particular case of Keccak, whose state consists of a 5 × 5 matrix of {1, 2, 4, 8, 16, 32, 64}-bit words, the round function χ • π • ρ • θ is invariant under the rotation of every word by the same amount. Comparable invariances occur for the other primitives.

Gimli
Gimli [16] is a recently proposed permutation operating on a 3 × 4 matrix of 32-bit words. Its round functions, without the constant additions, lead to invariance under the following permutations of state columns:

Secure Usage of Invariant Random Permutations
We consider the security of constructions reminiscent of the Even-Mansour construction [53]. The security model is outlined in Sect. 3.1, and Even-Mansour and its security in the invariant permutation model are stated in Sect. 3.2. The security proof is given in Sect. 3.3. This Even-Mansour construction and analysis is particularly useful as it appears as building block in many security proofs. In particular, by considering that the keyed sponge can be seen as a composition of the Even-Mansour construction, we demonstrate in Sect. 3.4 how the analysis of Even-Mansour in the invariant permutation model carries over to the keyed sponge.
We remark that the ideas generalize to other permutation based constructions, including multiple-round Even-Mansour [23] and generalizations of the Masked Even-Mansour construction [62]. See also Sect. 5.1.

Security Model
A distinguisher D is an algorithm that is given access to an oracle O, written as D O , and outputs a bit b ∈ {0, 1}. Its complexity is measured (solely) by the number of calls to its oracle. As such, we can consider it to be deterministic (as for any probabilistic distinguisher there is a deterministic one with at least the same success probability). The security of a construction C based on a primitive P is measured by the advantage of distinguishing C P from a random function R with the same interface and functionality as C: where the randomness is taken over the distributions of C, P, and R. The security distance of (4) is depicted in Fig. 1. In our work, P is always an invariant permutation from perm[Λ](n), unless explicitly stated otherwise. Note that if Λ = {id}, we retrieve indistinguishability in the random permutation model. Any caution that must be paid in the random permutation model must be paid in the invariant permutation model as well. For example, if a construction C is proven secure in the invariant permutation model, and it is subsequently instantiated using a concrete permutation, security may differ from the promised security statement and one must re-assess security of the scheme in combination with the permutation.
We will use the H-coefficient technique [33,92,93]. Consider any two oracles O 1 or O 2 and an information-theoretic deterministic distinguisher D trying to distinguish both. It can make a finite amount of queries, gathered in a view ν. Denote by X 1 (resp. X 2 ) the probability distribution of views in interaction with O 1 (resp. O 2 ). Denote by V the set of "attainable views", i.e., views ν such that Pr (X 2 = ν) > 0.

Even-Mansour
We consider the plain single-key Even-Mansour construction EM : : (here, the number of appended zeros is, obviously, n − κ). In the random permutation model, where P $ ← − perm(n), the Even-Mansour construction is known to be indistinguishable from a random permutation π $ ← − perm(n) up to 2qp/2 κ , where the distinguisher makes q construction and p primitive queries [2,35,50,53,54,84,89]. We perform an analysis if EM is instantiated with a random invariant permutation P $ ← − perm[Λ](n), for a fixed Λ.
Consider any distinguisher D making at most q construction queries and p primitive queries. We have, We stress that in the summation, indeed, the case z = z is included. Unlike intuition, the proof is more complicated than the ideal permutation based one, and contains various hurdles to be overcome. The proof is given in Sect. 3.3. In Sect. 4, the second part of the bound of Theorem 1 will be considered for specific invariant permutations, including the 512-bit ChaCha permutation [13], the {200, 400, 800, 1600}-bit Keccak permutation [18] with omitted round constants, the 1024-bit permutation of CubeHash [14], and the 384-bit permutation Gimli [16] with omitted round constants.

Proof of Theorem 1
After D's interaction with its oracle but before it outputs its decision bit b, we reveal the random key k (this simplifies the probability analysis in the H-coefficient technique later on). The complete view is denoted We assume that D never repeats any query, hence ν c and ν p do not contain duplicate queries. We particularly assume that D never repeats any primitive query transformed over any λ.
A view ν is called bad if it satisfies one of the following conditions: In the real world O 1 , any construction query (m, c) ∈ ν c corresponds to a primitive evaluation (m ⊕ k0 * , c ⊕ k0 * ) of P . Events BAD cc and BAD cp resemble much of what is typically considered in simple Even-Mansour proofs: they capture the event of collisions among construction queries (the former) or between a construction query and a primitive query (the latter). In current proof, however, they cover the event of a collision even if transformed over any invariance λ ∈ Λ. 1 New compared to classical Even-Mansour proofs is BAD c . This event considers the case that a single query collides with itself non-trivially under a transformation of a λ ∈ Λ\{id}. Note that, by attainability of transcripts, we do not have to take into account collisions among primitive queries, not even under a transformation by any λ ∈ Λ.
In below two lemmas, we will derive an upper bound on Pr (X 2 ∈ V bad ) (in Lemma 2), and show that for any good view, Pr (X 1 = ν) ≥ Pr (X 2 = ν) (in Lemma 3). This completes the proof using Lemma 1 on the H-coefficient technique.

Lemma 2 We have
Proof The probability Pr (X 2 ∈ V bad ) equals the probability that BAD := BAD c ∨ BAD cc ∨ BAD cp holds in the ideal world. By basic probability theory, where we recall that in the ideal world, k BAD c . Consider any query (m, c) ∈ ν c and any λ ∈ Λ\{id}. As k Taking the sum over all queries and all choices of λ, the bad event is set with probability at most Note that the second bound is pretty tight. For each of the construction queries, the distinguisher either chooses m and receives randomly generated c or it chooses c and receives randomly generated m. For bounding the bad event, we simply give it the power to choose both m and c for every query. As the distinguisher achieves highest advantage if it chooses all m's at its own discretion, the sum over the # k | m ⊕ k0 * = λ m ⊕ k0 * 's will dominate and the sum over the # k | c ⊕ k0 * = λ c ⊕ k0 * 's will disappear. Our bound is at most a factor 2 larger. BAD cc . Consider any distinct queries (m, c), (m , c ) ∈ ν c and any λ ∈ Λ. If λ = id the event happens with probability 0; we consider λ ∈ Λ\{id}. As k $ ← − {0, 1} κ , the bad event is set with probability at most Taking the sum over all distinct queries and all choices of λ, the bad event is set with probability at most BAD cp . Consider any queries (m, c) ∈ ν c , (x, y) ∈ ν p , and any λ ∈ Λ. The bad event is set if As k $ ← − {0, 1} κ , Eq. (8) holds with probability at most 2/2 κ . Taking the sum over all queries and all choices of λ, the bad event is set with probability at most Adding the separate bounds in accordance with (7) gives where in the summation the values z, z may be identical.

Lemma 3 For any good view
Proof In the real world O 1 , every tuple in (ν c , ν p ) defines exactly one input-output tuple of P $ ← − perm[Λ](n). Therefore, we derive c) ∈ ν c }, and whereν c ∪ ν p contains a total amount of q + p tuples among which there are no input or output collisions even when the tuples are transformed over any λ ∈ Λ.
In the ideal world O 2 , we have where ν p represents a list of p tuples for which there are no input or outputs collisions even when transformed over any λ ∈ Λ.
We obtain that where for the approximation we use that the list of tuples inν c ∪ ν p do not collide even when transformed over any λ ∈ Λ.

Keyed Sponge
The sponge hash function construction [17] consists of a sequential application of a permutation on a state, where the permutation evaluations are interleaved with absorption of data into the outer part of the state or extraction of data from that part of the state. Security is determined by the capacity, the size of the state that is not involved in the absorption or extraction. The construction has led to various MAC designs based on a permutation [2,19,31,41,59,85,87,89,90], that also consist of a sequential application of a permutation, but with the initial state masked using a key. For the sake of exemplification, we will consider the full-state keyed sponge of Mennink et al. [85]. We remark that follow-up work considered a more general scheme with a more accurate bound [41], but the scheme of the former is easier to describe concisely. We will drop the adjective "full-state" for simplicity.
The keyed sponge (KS) is a message authentication code. On input of a message M ∈ {0, 1} * and a parameter ∈ N, it outputs a tag T ∈ {0, 1} . For identical messages but different parameters , , the shortest response is a prefix of the longer one. Internally, it uses a permutation on an n-bit state split in an inner part of c bits and an outer part of r bits, in such a way that c + r = n. We furthermore assume that κ = c (but see the proof of Theorem 2). The function is depicted in Fig. 2.
Security of the keyed sponge is measured by its "PRF security", a distance to a variable output length random oracle R [10], i.e., (4) with R as random function: Mennink et al. [85] proved the following security bound for KS.
Theorem 2 (Mennink et al. [85]) Let k $ ← − {0, 1} κ , P $ ← − perm(n), and R be a random oracle as described above. For any distinguisher D making at most σ construction query blocks and Fig. 2 The keyed sponge (KS) of [85] p primitive queries, Proof (sketch) Consider any fixed deterministic distinguisher D that makes a total amount of σ construction query blocks and p primitive queries. Consider EM P k of (6). By xoring the key k twice in-between each two consecutive evaluations of P, 2 we can observe that where the subscripts denote the key input. Therefore, where π $ ← − perm(n) is a random permutation, and D is some distinguisher that makes at most σ construction queries and p primitive queries. For the first term of (10), Mennink et al. proved that (simplified) The second term of (10) is at most 2σ p/2 κ (see the introductory text of Sect. 3.2). 3 We demonstrate how a security bound for KS based on an invariant permutation P' $ ← − perm[Λ](n) is easily derived. (n), and R be a random oracle as described above. For any distinguisher D making at most σ construction query blocks and p primitive queries,

Theorem 3 Consider any fixed Λ. Let k
where BOUND Thm.1 (σ, p) is the bound of Theorem 1 for distinguisher's parameters σ and p.
Proof Consider any fixed deterministic distinguisher D that makes a total amount of σ construction query blocks and p primitive queries. Consider EM P' k of (6). By xoring the key k twice in-between each two consecutive evaluations of P', we can observe that where the subscripts denote the key input. Therefore, where π $ ← − perm(n) is a random permutation, and D is some distinguisher that makes at most σ construction queries and p primitive queries. The first term is bounded as (11) as before, and for the second term of (13) we rely on Theorem 1.

Understanding Invariance Loss
The bound of Theorem 1 precisely demonstrates what aspect of the invariant permutation must be exploited in order to break the Even-Mansour construction: further analysis boils down to upper bounding the sizes of the sets #{k | . . . }. Focus on Even-Mansour with key size κ = n, and consider the task of upper bounding max z={z 1 ,...,z q }⊆{0,1} n z,z ∈z for any invariance λ = id. In the specific case that λ satisfies λ(x ⊕ y) = λ(x) ⊕ λ(y), which always holds in our work as we consider linear invariances, we will resort to a rewritten version of (14) that will be easier to work with: Bounding this quantity seems to relate to upper bounding the set of weak keys k, but the goal is not quite the same. Rather, the current issue boils down to quantifying the image of k → k ⊕ λ(k) and the ability of an adversary in selecting z = {z 1 , . . . , z q } so as to maximize the number of "hits": choices z, z ∈ z such that z ⊕ λ(z ) has many preimages over (id ⊕ λ) −1 . We will consider the problem of bounding (14) for the case of additive invariances in Sect. 4.1, and derive a practical attack on Even-Mansour based on Salsa20. Then, in Sect. 4.2, we will consider linear invariances (that satisfy λ(x ⊕ y) = λ(x) ⊕ λ(y)), and restrict our focus to bounding (15). We will investigate how to maximize this set, and subsequently show how the analysis applies to the 512-bit ChaCha permutation [13] (distinguishing attack in 2 128 construction queries), the n-bit Keccak permutation without round constants [18] (distinguishing attack in 2 n/4 construction queries), CubeHash [14] (distinguishing attack in 2 256 construction queries), and Gimli without round constants [16] (distinguishing attack in 2 96 construction queries).

Additive Invariances
As mentioned in Sect. 2.3, the Salsa20 permutation P is invariant under addition of the constant Δ = 2 31 to each of the 16 words. Call this invariance λ add : It is easy to verify that Based on this observation, we can describe a simple distinguishing attack on Even-Mansour-Salsa20 that succeeds in constant time. 16 . Query m and m to the construction oracle to obtain the corresponding c and c ; 2. For the real world EM P , we necessarily have

Fix any m, m that satisfy m ⊕ m = {Δ}
3. If, indeed, c ⊕ c = {Δ} 16 , D is with high probability interacting with EM P k ; otherwise, it is interacting with π.
The attentive reader will recognize this as an elementary differential distinguisher.
Concretely, the attack means the following for the second term of Theorem 1. Assume that Λ = {λ add }. Above attack shows that there exists an adversary that makes q = 2 construction queries, and that can in this way select 2 values z = {z 1 , z 2 } such that In other words, the bound of Theorem 1 becomes void, and as q = 2, this can be considered a practical attack.

Linear Invariances
For linear λ, quantifying the image of k → k ⊕ λ(k) is easy: if the rank of id ⊕ λ is r , its image has size 2 r . Consequently, the lower the rank of id ⊕ λ, the higher (15) can get. On the other hand, if λ is a linear orthomorphism 4 there is no image size reduction.
The second challenge is to choose z in such a way as to hit as many elements of the image of id ⊕ λ as possible. One way this can be accomplished is by random sampling z ∈ z from linear combinations of a basis of id ⊕ λ. Query both z and λ −1 (z) if they are distinct. Given q (not necessarily distinct) queries we have up to q 2 values, and the expected number of queries until every element of id ⊕ λ is covered is a variant of the coupon collector's problem [57], and is given by √ 8 · 2 r · H 2 r + 1 + 1 /2, where H n is the nth harmonic number. We can approximate it by 8 · (log(2 r ) + 0.5772156649 . . .) · 2 r or, more loosely, √ 8r · 2 r /2 . In some cases a basis of id⊕λ can be generated quite easily. For example, in the invariances covered below, it suffices to find the smallest set z ⊂ F r 2 such that {z ⊕ z : z, z ∈ z} = F r 2 . This is equivalent to a well-studied problem in coding theory: finding a minimal length code [n, n − r ] of co-dimension r and covering radius 2 [36]. Explicit constructions of these codes are given in, e.g., [26,47,58]. Such sets are also known, in Galois geometry, as "1-saturating sets" [48,61], "saturated sets" [47,101], "dense sets" [24], or "spanning sets" [26]. Clark and Pedersen [34] give a particularly simple solution, described in Algorithm 1, for r ≥ 4, of length 2 · 2 r /2 − 2 for even r , and 3 · 2 r /2 − 2 for odd r .

Algorithm 1 Clark-Pedersen saturating set
The above reasoning immediately translates to a distinguisher for the single-key Even-Mansour block cipher when used with a permutation carrying a linear invariance λ: 1. Query the oracle with z such that as much-or all-possible values of k ⊕ λ(k) are covered by z ⊕ λ(z ), with z, z ∈ z. This can be accomplished by random sampling or by an appropriate covering code as described above; 2. If there are two queries such that k ⊕ λ(k) = m i ⊕ λ(m j ), then we also have whence m i ⊕ λ(m j ) = c i ⊕ λ(c j ) and m i ⊕ c i = λ(m j ⊕ c j ); 3. Such a pair will be found in approximately 2 r /2 queries, where r is the rank of id ⊕ λ. If r is significantly smaller than n, this leads to a distinguisher that also yields the value of (id ⊕ λ)(k).
In terms of Theorem 1, above attack rather aims at recovering (id ⊕ λ)(k), which can possibly be done faster than recovering k as the id ⊕ λ has rank r ≤ κ. Nevertheless, every image of id ⊕ λ has 2 κ−r preimages, and after q ≈ 2 r /2 queries, above attack maximizes to approximately 2 κ . For the second term of Theorem 1, this implies that As in Sect. 4.1, the bound of Theorem 1 becomes void. In this case, however, more construction queries are needed, namely q ≈ 2 r /2 . It depends on the construction and on the invariance whether r is low enough for this attack to be considered practical.

ChaCha
The invariance λ : {0, 1} 512 → {0, 1} 512 present in ChaCha [13] for which id ⊕ λ has the lowest rank is the rotation of each 128-bit column by 2 positions (see also Sect. 2.3.1). The rank of id ⊕ λ is thus 256, and the image of k ⊕ λ(k) can be given by two copies of F 256 2 side by side. Using Algorithm 1, the attack succeeds in at most 2 129 − 2 queries.

Keccak
We may consider the n-bit Keccak permutation [18], with n ∈ {200, 400, 800, 1600}, modified to omit the constant addition ι. In this case, we have 25 parallel operations that swap one half of each word with the other half. The rank of this operation is n/2 and, as above, the attack would succeed in approximately 2 n/4 queries.

CubeHash
The 1024-bit state of CubeHash [14] is split into 32 words of 32 bits. The state can then be decomposed into 32 independent 32-bit vectors, corresponding to each bit of each word, and an invariance reminiscent of those in Sect. 2.4 is applied. In this case, we can consider the invariance corresponding to "swap each adjacent word", which has rank 512. The attack succeeds in approximately 2 256 queries.

Gimli
For Gimli [16], assuming omission of the round constants, one can decompose its 384-bit state into 96 independent 4-bit vectors, corresponding to each bit of each column, after which a permutation matrix π is applied. From Sect. 2.6, we can conclude that this permutation π is either of ⎛ ⎜ ⎜ ⎝ For each of these, the rank of id ⊕ π equals 2, meaning that the rank of id ⊕ λ is 192. The attack succeeds in approximately 2 96 queries.

Salvaging Use of Even-Mansour
One way to mitigate the attacks on Even-Mansour of Sect. 4 is to consider a tweakable variant of Even-Mansour, such as a generalization of the Masked Even-Mansour construction [62]. This construction uses a tweak to mask the key before it is added to the message. In detail, it does not simply add k0 * to the message (as in (6)), but rather it adds where s is a tweak and u is a subkey derived from the key using the permutation P. This masking function can be assumed to eliminate any structure in We elaborate on this generalization of the Masked Even-Mansour construction, and prove security in the invariant permutation model, in Appendix A.1. In Appendix A.2, we subsequently explain how the analysis extends to security of the Offset Public Permutation (OPP) authenticated encryption scheme by Granger et al. [62]. For these constructions, it particularly becomes clear that exploiting invariances becomes significantly harder, if not impossible. On the downside, the security analysis becomes much more technically involved. A less (conceptually) costly way of salvaging Even-Mansour is to add the key using, say, F 2 n multiplication instead of xor, after which the typical invariance is no longer linear. Another way to mitigate the attacks on Even-Mansour is to consider 2-round Even-Mansour [23,32]: where ι is an orthomorphism (i.e., both ι and ι ⊕ id are a permutation). An attacker that has oracle access to 2EM P' for an invariant permutation P' ∈ perm[Λ](n) is unable to observe the input-output pattern of P' and cannot mount attacks comparable to those of Sect. 4. The attack could be slowed down as well by preventing the adversary to have full control over the input of the construction. For example, in the keyed sponge of Sect. 3.4, the data is absorbed over the entire state, but the original keyed sponge [2,19] maintains an inner part on which no data is absorbed. The adversary has to run the algorithm and wait for the inner part to fall into a symmetric state.

Multi-Key Security
In the random permutation model, the Even-Mansour construction is known to admit only a small loss: it is proven to be secure up to (q 2 +2qp)/2 κ [88]. The loss is caused by the possible presence of cross-collisions between construction queries for different keys. A similar loss occurs in analyses in the random invariant permutation model: the adversary succeeds if two evaluations for different keys, say (m, c) for key k and (m , c ) for key k , collide under a transformation of any invariance λ: The extra loss is marginal as for each query m (or, in inverse direction, c) that the distinguisher makes, it has to tie itself to a specific key instance. As noted by Lee et al. [81], one may consider this extra choice as a tweak, transforming the scheme into a specific form of tweaked Even-Mansour [35].

Extension to Different Primitives and Invariances
The treatment of Sect. 2 can be generalized to cover invariances that only apply to a subset S ⊂ {0, 1} n of potential inputs. Or perhaps this subset is not known, but only the probability of randomly hitting it. Midori [6] is an interesting example of that kind. The high number of fixed points (3,7,8,9) of its S-box, combined with a simple binary diffusion matrix and poor choice of key schedule constants, results in a weak set of 2 32 keys {0, 1} 16×2 for which the cipher is entirely linear-and invariant-for inputs of the form {8, 9} 16 [64].
For example, one may consider NOEKEON without round constants [43], for which We stress that this condition does not apply to NOEKEON due to the presence of round constants. Related to invariance subspace attacks are weak key attacks on block ciphers. An example of such a similarity is the complementation property of DES [46]: for Δ = 11 . . . 11.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

A Extension to Masked Even-Mansour
We will demonstrate how the results of Sect. 3 extend to more involved modes. We will do so by considering the Masked Even-Mansour construction in Appendix A.1, and the Offset Public Permutation authenticated encryption scheme in Appendix A.2.

A.1 Generalized Masked Even-Mansour
We will consider an abstraction, formally a generalization, of the Masked Even-Mansour construction of Granger et al. [62]. The tweak space is now composed of {0, 1} τ × T for some space T . Formally, we consider the tweakable block cipher genMEM : {0, 1} κ × ({0, 1} τ × T ) × {0, 1} n → {0, 1} n based on a permutation P : {0, 1} n → {0, 1} n , where κ + τ ≤ n: for some masking function Φ : {0, 1} n × T → {0, 1} n . We assume that Φ(u, s) = u for any u ∈ {0, 1} n if and only if s = 0. The original construction MEM of Granger et al. [62] can be retained by fixing v ∈ N, fixing v LFSRs ϕ 0 , . . . , ϕ v−1 , setting T = N v , and defining where s = (s 0 , . . . , s v−1 ) ∈ T . In this construction, indeed, Φ(u, s) = u for s = (0, . . . , 0), and the space T is further restricted in such a way that this is the only element (see [62]). The choice of MEM as our starting primitive is arbitrary, arguably better choices for the sake of generality would have been Tweakable Even-Mansour (TEM) [35] or XPX [84]. However, TEM is general in the sense that it takes an arbitrary mask based on a universal hash function independent of the permutation P, and XPX considers masks of the form δ 1 k ⊕ δ 2 P(k) which suits generality but makes the proof more technical. Application-wise, as we will see in Appendix A.2, starting from MEM is more convenient. The security of genMEM is highly dependent on restrictions put on the masking function. This was also the case for the original MEM, which for example becomes insecure if an adversary manages to find two distinct s, s such that Our abstraction of the masking function allows us to discard these peculiarities. Inspired by [62], we define -properness of the masking function Φ as follows: is -universal and -xor-universal, respectively: where the randomness is taken over u.
We are ready to prove security of genMEM in the random invariant permutation model.

Theorem 4 Consider any fixed
Let Φ be an -proper masking function. Consider any distinguisher D making at most q construction queries and p primitive queries, that never queries its construction oracle in inverse direction for any tweak of the form (t, 0) ∈ {0, 1} τ × T . Among the q construction queries, assume that there are at most q different tweaks t ∈ {0, 1} τ , and each of these occurs at most times. We have, The proof is very similar to those in [62,84], and included in Appendix B. Again, for Λ = {id} the theorem gives security of genMEM P in the random permutation model, for P $ ← − perm(n).
In this case, it matches the security bound derived by Granger et al. [62] on MEM P : 4.5q 2 +3qp 2 + p 2 κ , where the authors used that n ≥ and simplified their bound accordingly. The analysis is more involved than that of Even-Mansour in Theorem 1 due to the fact that (i) the masking consists of evaluations of P and (ii) the distinguisher can influence the masking by the use of tweaks. These differences result in additional bad events in the analysis. The last two terms of the bound have a form of q times a maximum taken over values. If the number of choices of t is evenly distributed, q · ≈ q and the bound is pretty tight. If there are outliers, for example, q − tweaks occur 1 time and 1 tweak occurs times, a slightly more accurate bound can be derived straightforwardly from the proof. In typical applications of genMEM, t represents a nonce, and each nonce is used an approximately equal amount of times.

A.2 Offset Public Permutation
Offset Public Permutation (OPP) is an authenticated encryption scheme by Granger et al. [62]. It is designed on top of the MEM tweakable block cipher, with the specific masking function of (21) for cleverly chosen LFSRs. It takes nonces of size n − κ bits, and outputs tags of size t ≤ n. The encryption function E k of OPP gets as input a nonce N , associated data A, and a message M, and outputs a ciphertext C and tag T . The function E k for integral data is depicted in Fig. 3; we refer to [62] for the full version. Associated with E k is a decryption function D k : it should satisfy the property that for any input tuple (N , A, M) to E k , If D k does not receive a valid input, it outputs a dedicated ⊥ symbol.
Security of the authenticated encryption scheme is slightly more advanced. The distinguisher has access to both E k and D k , with the restriction that it never relays the response of an encryption query to the decryption oracle. The encryption oracle should never be queried  (s 0 , s 1 , s 2 )) with the function Φ of (21) twice on the same nonce (there is no such restriction for couples of queries involving a decryption query). Security is measured by a distance to a random oracle R that for each input M responds with a random string of size |M| + t, and a function that outputs a bot sign ⊥ for each decryption query: where for simplicity we now assume the distinguisher can make one forgery attempt. Granger et al. [62] proved the following security bound for OPP based on a random permutation P $ ← − perm(n): where q is the number of construction query blocks, and with = n (the masking of (21) is optimal). The proof idea is related to that of Theorem 2 but more advanced as a tweakable block cipher is involved. We demonstrate how a security bound for OPP based on an invariant permutation P' , and R be a random oracle as described above. Consider any distinguisher D making at most q construction queries, each of length at most blocks and in total at most q blocks, and p primitive queries. We have, where BOUND Thm.4 (q, q , , p) is the bound of Theorem 4 for distinguisher's parameters (q, q , , p), and with = n.
We can observe that where ΘCB is a tweakable block cipher based authenticated encryption scheme of Krovetz and Rogaway [77] (see [62] for details). Denote, for brevity, the encryption and decryption functions of ΘCB by ΘE and ΘD. We have: whereπ $ ← − tperm({0, 1} τ × T , n) is a random tweakable permutation, and D is some distinguisher that makes at most q construction query blocks, for q distinct tweaks t and each tweak occurring at most times, and p primitive queries. For the first term of (24), Krovetz and Rogaway [77] proved: For the second term of (24) we rely on Theorem 4.

B Proof of Theorem 4
The proof follows [84] almost verbatim, but extends it in the presence of the invariances Λ.
Consider any fixed deterministic distinguisher D that has access to either O 1 = (genMEM P , P ) or O 2 = (π, P ). Gather its q constructions queries in a view ν c = {(t 1 , s 1 , m 1 , c 1 ), . . . , (t q , s q , m q , c q )} and its p primitive queries in a view ν p = {(x 1 , y 1 ), . . . , (x p , y p )}. Let q be the number of unique values t i in ν c , and denote these unique values by {t 1 , . . . , t q }. We recall that any construction query of the form (t, 0, m, c) must have been made in forward direction.
After D's interaction with its oracle but before it outputs its decision bit b, we reveal the random key k and a tuple ν m = {(w 1 , u 1 ), . . . , (w q , u q )}. In the real world, this tuple is generated as w i = kt i 0 * and u i = P(w i ). In the ideal world the w i 's are unchanged but the values u 1 , . . . , u q $ ← − {0, 1} n are uniformly randomly drawn. The complete view is denoted We assume that D never repeats any query, hence ν c and ν p do not contain duplicate queries. We particularly assume that D never repeats any primitive query transformed over any λ. For ν m , two tuples never have colliding inputs (by definition of the values t i ) but they may have colliding outputs. Also, ν c satisfies the property that for any two tuples with (t i , s i ) = (t i , s i ), we have m i = m i and c i = c i .
For any t ∈ {t 1 , . . . , t q }, write ν m (t) = u as shortcut notation for the unique u such that (kt0 * , u) ∈ ν m . A view ν is called bad if it satisfies one of the following conditions: The bad events look technically involved, but in fact are not. Restricted to the case that λ = id, the events capture that ν does not include any two evaluations of P with identical input or identical output. Stretching the analysis to arbitrary λ, we want that there are no collisions transformed over λ. This explains all bad events, except for the presence of BAD c and BAD m : these are included as for λ = id, a query may non-trivially collide with itself.
In below two lemmas, we will derive an upper bound on Pr (X 2 ∈ V bad ) (Lemma 4), and show that for any good view, Pr (X 1 = ν) ≥ Pr (X 2 = ν) (Lemma 5). This completes the proof using Lemma 1 on the H-coefficient technique.

Lemma 4 We have
Proof The probability Pr (X 2 ∈ V bad ) equals the probability that BAD := BAD c ∨ BAD cc ∨ BAD cm ∨ BAD cp ∨ BAD m ∨ BAD mm ∨ BAD mp holds in the ideal world. By basic probability theory, where we recall that in the ideal world, k $ ← − {0, 1} κ and u 1 , . . . , u q $ ← − {0, 1} n . In addition, for any construction query of the form (t, 0, m, c), c is randomly drawn from a set of size at least 2 n − q elements. BAD c . Consider any query (t, s, m, c) ∈ ν c and any λ ∈ Λ\{id}. As ν m (t) = u $ ← − {0, 1} n is a randomly generated n-bit value, the bad event is set with probability at most Taking the sum over all queries and all choices of λ, the bad event is set with probability at most Here, we made a similar simplification as in the proof of Lemma 2. BAD cc . Consider any distinct queries (t, s, m, c), (t , s , m , c ) ∈ ν c and any λ ∈ Λ.
-If t = t , then ν m (t) and ν m (t ) are two independent randomly generated n-bit values and we argue based on the former. The bad event is set if As Φ is -proper, it is -universal (Definition 1), and the bad event is set with probability 2/2 ; -If t = t , then ν m (t) = ν m (t ) is a single randomly generated n-bit value. In this case, either s = s or (m = m and c = c ).
-If λ = id, the bad event is set if As Φ is -proper, it is -xor-universal (Definition 1), and (26) holds with probability at most 2/2 ; -If λ = id, as ν m (t) = u $ ← − {0, 1} n is a randomly generated n-bit value, the bad event is set with probability at most Taking the sum over all distinct queries and all choices of λ, the bad event is set with probability at most Here, we made a similar simplification as before. We stress that in the summation, we have to include the case that z = z (but necessarily s = s ) and s = s (but necessarily z = z ). BAD cm . Consider any queries (t, s, m, c) ∈ ν c , (w, u) ∈ ν m , and any λ ∈ Λ. For the first part of the bad event, m ⊕ Φ(ν m (t), s) = λ w , we can observe that ν m (t) $ ← − {0, 1} n is independently generated from w. As Φ is -proper, it is -universal (Definition 1), and the bad event is set with probability 1/2 . Taking the sum over all queries and all choices of λ, the first part of the bad event is set with probability at most |Λ|qq 2 .
For the second part of the bad event, c ⊕ Φ(ν m (t), s) = λ u , the analysis is more complicated. Let w = kt 0 * , such that u = ν m (t ). The bad event is set if or equivalently -If t = t , then ν m (t) and ν m (t ) are two independent randomly generated n-bit values and we argue based on the former. As Φ is -proper, it is -xor-universal (Definition 1), and Eq. (28) holds with probability at most 1/2 ; -If t = t , then ν m (t) = ν m (t ) is a single randomly generated n-bit value.
-If s = 0, we have the following two cases: • If λ = id, as Φ is -proper, it is -universal (Definition 1), and (28)  -If s = 0, we have Φ(ν m (t), s) = Φ(ν m (t), 0) = ν m (t), and we cannot rely on the randomness of ν m (t). Instead, we use that in this case c is randomly drawn from a set of size at least 2 n − q ≥ 2 n−1 , and hence (28) holds with probability at most 2/2 n .
As Φ is -proper, it is -universal (Definition 1), and the bad event is set with probability 2/2 . Taking the sum over all queries and all choices of λ, the bad event is set with probability at most BAD m . Consider any query (w, u) ∈ ν m and any λ ∈ Λ\{id}. Recall that w = kt0 * for some t. The first part of the bad event, w = λ w , is set if k0 * ⊕ 0 κ t0 * = λ k0 * ⊕ 0 κ t0 * .
where in fact the w's are parsed as kt0 * , and we made a similar simplification as before. BAD mm . Consider any distinct queries (w, u), (w , u ) ∈ ν m and any λ ∈ Λ. The second part of the bad event, u = λ(u ), happens with probability 1/2 n . The first part of the bad event, w = λ(w ), happens with non-zero probability only if λ = id; we consider λ ∈ Λ\{id}.
Recall that w = kt0 * for some t, and similarly for w . The bad event is set if k0 * ⊕ 0 κ t0 * = λ k0 * ⊕ 0 κ t 0 * . where ν p represents a list of p tuples for which there are no input or outputs collisions even when transformed over any λ ∈ Λ.
We obtain that where for the second approximation we use that the list of tuples inν c ∪ ν p do not collide even when transformed over any λ ∈ Λ.