1 Introduction

Background An elementary way to construct a block cipher with message space \(\{0,1\}^n\) from r fixed and public n-bit permutations \(P_1,\ldots ,P_r\) is to encrypt a plaintext x by computing

$$\begin{aligned} y=k_r\oplus P_r(k_{r-1}\oplus P_{r-1}(\cdots P_2(k_1\oplus P_1(k_0\oplus x))\cdots )), \end{aligned}$$

where \((k_0,\ldots ,k_r)\) is a sequence of n-bit round keys which are usually derived from some master key K. This construction, which captures the high-level structure of (most) block cipher designs known as substitution-permutation networks (SPNs), such as \(\mathsf {AES}\) [13], \(\mathsf {PRESENT}\) [4], or \(\mathsf {LED}\) [18] to name a few, was coined a key-alternating cipher by Daemen and Rijmen [14].

For concrete designs, where permutations \(P_1,\ldots ,P_r\) are fixed, the current state of the art in provable security only allows one to upper bound the success probability of very specific attacks such as differential or linear attacks. On the other hand, it is possible to obtain broader provable security results by working in the random permutation model for \(P_1,\ldots ,P_r\), i.e., by viewing permutations \(P_1,\ldots ,P_r\) as public random permutation oracles, to which the adversary can only make black-box queries (both in the forward and backward direction). This is a very strong model, but it allows one to upper bound the advantage of any (even computationally unbounded) adversary as a function of the number of queries it makes. It also heuristically indicates that any adversary willing to beat the proven security bound cannot be “generic” and must somehow take advantage of some particular property of the permutations used in any concrete block cipher.

Such results in the random permutation model were first obtained for \(r=1\) round by Even and Mansour [15], who showed that the block cipher encrypting x into \(k_1\oplus P_1(k_0\oplus x)\), where \(k_0\) and \(k_1\) are independent n-bit keys, and \(P_1\) is a random permutation oracle, is secure up to \(\mathcal {O}(2^{n/2})\) queries of the adversary. For this reason, this construction is often referred to as the Even–Mansour cipher, though this is somewhat of a misnomer since this is rather a framework in which one can conveniently analyze the security of the family of one-round key-alternating ciphers. In the following, we will perpetuate this unfortunate terminology and use the naming r-round iterated Even–Mansour cipher to designate the “ideal” r-round key-alternating cipher where \(P_1,\ldots ,P_r\) are public and perfectly random permutation oracles. Curiously, the general construction with \(r>1\) remained unstudied for a long while until a paper by Bogdanov et al. [5], who showed that for \(r\ge 2\), security is guaranteed up to \(\mathcal {O}(2^{2n/3})\) queries of the adversary. They also conjectured that the security should be \(\mathcal {O}(2^{\frac{rn}{r+1}})\) for general r, which matches a simple distinguishing attack. Progress toward solving this conjecture was rather quick: Steinberger [31] proved security up to \(\mathcal {O}(2^{3n/4})\) queries for \(r\ge 3\), Lampe et al. [26] proved security up to \(\mathcal {O}(2^{\frac{rn}{r+2}})\) queries for any even r, and finally Chen and Steinberger [8] resolved the conjecture and proved the \(\mathcal {O}(2^{\frac{rn}{r+1}})\)-security bound for any r. We stress that all these results only hold assuming that the \(r+1\) round keys and the r permutations are independent.

Actually, this is not perfectly accurate: One only needs the \(r+1\) round keys \((k_0,\ldots ,k_r)\) to be r-wise independent [8], which can be obtained from only an rn-bit long master key; the simplest example being round keys of the form \((k'_1,k'_1\oplus k'_2,k'_2\oplus k'_3,\ldots ,k'_{r-1}\oplus k'_r,k'_r)\), in which case the resulting iterated Even–Mansour cipher is exactly the cascade of r single-key one-round Even–Mansour ciphers \(x\mapsto k'_i\oplus P_i(k'_i\oplus x)\).

Our Problem Let us quickly recapitulate existing provable security results on the Even–Mansour cipher for a low number of rounds. For \(r=1\), we know that the single-key Even–Mansour cipher \(x\mapsto k\oplus P(k\oplus x)\) ensures security up to \(\mathcal {O}(2^{n/2})\) queries of the adversary. As pointed out by Dunkelman et al. [12], this construction is “minimal” in the sense that if one removes any component (either the addition of one of the keys, or the permutation P), the construction becomes trivially breakable. For the two-round Even–Mansour cipher, the best provable security result we have so far requires two independent n-bit permutations \(P_1\) and \(P_2\), and two independent n-bit keys \((k,k')\) to construct three pairwise independent round keys, for example \((k,k'\oplus k,k')\). Concretely, the block cipher \(x\mapsto k'\oplus P_2((k'\oplus k)\oplus P_1(k\oplus x))\) ensures security up to \(\mathcal {O}(2^{2n/3})\) queries of the adversary. In this paper, we tackle the following question:

Can we obtain a \(\mathcal {O}(2^{2n/3})\)-security bound similar to the one proven for the two-round Even–Mansour cipher with (pairwise) independent round keys and independent permutations, from just one n-bit key k and one n-bit random permutation P?

This question is natural since in most (if not all) SPN block ciphers, round keys are derived from an n-bit master key (or more generally an \(\ell \)-bit master key, where \(\ell \in [n,2n]\) is small compared with the total length of the round keys), and the same permutation, or very similar ones, are used at each round. It is therefore fundamental to determine whether security can actually benefit from the iterative structure and increase beyond the birthday bound, even though one does not use more key material nor more permutations than in the single-key one-round Even–Mansour cipher.

Our Results We answer the question above positively. Our main theorem states sufficient conditions on the way to derive three n-bit round keys \((k_0,k_1,k_2)\) from one n-bit master key k so that the two-round Even–Mansour cipher defined from a single permutation

$$\begin{aligned} x\mapsto k_2\oplus P(k_1\oplus P(k_0\oplus x)) \end{aligned}$$

is secure up to \(\widetilde{\mathcal {O}}(2^{2n/3})\) queries of the adversary, where the \(\widetilde{\mathcal {O}}(\cdot )\) notation hides logarithmic (in \(N=2^n\)) factors. In particular, such a good key-schedule \(k\mapsto (k_0,k_1,k_2)\) can be constructed from any (fixed) linear orthomorphism of \(\mathbb {F}_2^n\). A permutation \(\pi \) of \(\{0,1\}^n\) is called an orthomorphism if \(x\mapsto x\oplus \pi (x)\) is also a permutation. The good cryptographic properties of orthomorphisms have already been noticed in a number of papers [17, 28] and are in particular used in Lai-Massey schemes [25, 33] such as the block ciphers \(\mathsf {IDEA}\) [25] and \(\mathsf {FOX}\) [21]. Our main theorem is as follows.

Fig. 1: Two constructions of “minimal” two-round Even–Mansour ciphers provably secure up to \(\widetilde{\mathcal {O}}(2^{\frac{2n}{3}})\) queries of any (adaptive) adversary. Top: \(\pi \) is a (fixed) linear orthomorphism of \(\mathbb {F}_2^n\), and P is a public random permutation oracle. Bottom: \(P_1\) and \(P_2\) are two independent public random permutation oracles.

Theorem

(Informal) Let \(\pi \) be any (fixed) linear orthomorphism of \(\mathbb {F}_2^n\), and let P be a public random n-bit permutation oracle. Then, the block cipher with message space and key space \(\{0,1\}^n\) defined as (see Fig. 1, top)

$$\begin{aligned} \mathsf {EM}^P_k(x)=k\oplus P(\pi (k)\oplus P(k\oplus x)) \qquad (\star ) \end{aligned}$$

is secure against any adversary making up to \(\widetilde{\mathcal {O}}(2^{\frac{2n}{3}})\) queries to \(\mathsf {EM}^P_k\) and P. (Queries can be adaptive and are allowed in both directions for \(\mathsf {EM}^P_k\) and P).

We remark that if one omits \(\pi \) in construction (\(\star \)), i.e., if one adds the same round key k each time, security drops back to \(\mathcal {O}(2^{n/2})\) queries. More generally, if round keys are all equal and the same permutation P is used at each round of the iterated Even–Mansour cipher, security caps at \(\mathcal {O}(2^{n/2})\) queries of the adversary, independently of the number r of rounds. This seems to be known as a folklore result about slide attacks [6, 7], but since we could not find a detailed exposition in the literature, we precisely describe and analyze this attack (as well as a simple extension for two rounds when the key-schedule simply consists in xoring constants to the master key) in this paper. Hence, construction (\(\star \)) can be regarded as a “minimal” two-round Even–Mansour cipher delivering security beyond the birthday bound, since removing any component causes security to drop back to \(\mathcal {O}(2^{n/2})\) queries at best (for \(\pi \) this follows from the slide attack just mentioned, while removing any instance of permutation P brings us back to a one-round Even–Mansour cipher). Additionally, we show that when using two independent public random permutations \(P_1\) and \(P_2\), the trivial key-schedule is sufficient: adding the same round key k at each round (see Fig. 1, bottom) also yields a \(\widetilde{\mathcal {O}}(2^{2n/3})\)-security bound.

To the best of our knowledge, these are the first results proving “beyond the birthday bound” security for key-alternating ciphers such as \(\mathsf {AES}\) that do not rely on the assumption that round keys are independent. This sheds some light on which exact properties are required from the key-schedule in order to lift the round keys independence assumption in provable security results. In particular, this seems to point out that a pseudorandom key-schedule is not needed (we remind the reader that our results come with the usual caveat that they are only proved in the very strong random permutation model, and hence can only be taken as a heuristic security insurance once the inner permutation(s) are instantiated).

More Details on Our Security Bounds In order to ease the previous discussion, we have been mixing two distinct types of queries of the adversary, the queries to the Even–Mansour cipher and the queries to the internal permutation(s), only discussing a global upper bound on the total number q of queries. Actually, we make a distinction between these two types of queries in our security bounds, so that they lend themselves to a more fine-grained analysis: for each possible value of the number \(q_e\) of queries to the Even–Mansour cipher, we can derive an upper bound on the number \(q_p\) of queries to the inner permutation(s) that the construction can tolerate while still ensuring security (in our previous discussion, we were only considering the very specific case where \(q_e=q_p\)). The results of this analysis are captured in Fig. 2, both for the case of a single inner permutation and for independent inner permutations. One point to notice is that when \(q_e\ge 2^{\frac{2n}{3}}\), we still prove security up to \(q_p=\mathcal {O}(2^{n/2})\) queries to the inner permutations when they are independent, whereas our security bound becomes vacuous in the single-permutation case.

Regarding the tightness of our security bounds, we remark that a generic attack with complexity \(q_p \sim 2^{n-\frac{1}{2}\log _2 q_e}\) for any \(q_e\) has been described by Gaži [16] (this is represented by the dotted line in Fig. 2). We note that this matches our security bound (outside uninteresting extremal points) only in the specific case \((q_e,q_p)=(2^{\frac{2n}{3}},2^{\frac{2n}{3}})\).

Fig. 2: Our security bounds for the two-round Even–Mansour construction as a function of \((q_e,q_p)\). When the two inner permutations are independent and the round keys are identical (construction \(\mathsf {EMIP}[n,2]\)), all parameters below the solid line are secure by Theorem 4. In the case of a single inner permutation (construction \(\mathsf {EMSP}[n,2]\)), all parameters below the dashed line (which merges with the solid line for \(q_e\le 2^{\frac{n}{4}}\)) are secure by Theorem 5. In both cases, all parameters above the dotted line are insecure by the generic attack of [16]. The status of the parameters in the light and dark gray region (resp. dark gray region) remains open in the single-permutation case (resp. in the independent permutation case).

Overview of Our Techniques In order to prove our results, we use the indistinguishability framework, namely we consider a distinguisher which must tell apart two worlds: the “real” world where it interacts with \((\mathsf {EM}^{P}_k,P)\), where \(\mathsf {EM}^P_k\) is the Even–Mansour cipher instantiated with permutation P and a random key k, and the “ideal” world where it interacts with \((E,P)\) where E is a random permutation independent from P. The distinguisher can make at most \(q_e\) queries to \(\mathsf {EM}^P_k/E\) and at most \(q_p\) queries to P (all queries are adaptive and can be forward or backward, and we work in the information-theoretic setting, i.e., the adversary is computationally unbounded). In order to upper bound the distinguishing advantage of this attacker, we use, as already done in [8], the H-coefficient method of Patarin [30]. In a nutshell, this technique consists in partitioning the set of all possible transcripts of the interaction between the distinguisher and the tuple of permutations into a set \(\mathcal {T}_1\) of “good” transcripts and a set \(\mathcal {T}_2\) of “bad” transcripts. Good transcripts \(\tau \in \mathcal {T}_1\) have the property that the ratio of the probabilities to obtain \(\tau \) in the real and in the ideal world is greater than \(1-\varepsilon _1\) for some small \(\varepsilon _1>0\), while the probability to obtain any bad transcript \(\tau \in \mathcal {T}_2\) (in the ideal world) is less than some small \(\varepsilon _2>0\). Then, the advantage of the distinguisher can be upper bounded by \(\varepsilon _1+\varepsilon _2\).

In order to get intuition about what hides behind good and bad transcripts, it helps to first look at an example of how an adversary might “get lucky” during an attack. Specifically, we focus on the following attack scenario (we assume that \(q_e=q_p=q\) for simplicity). The distinguisher (adversary) \(\mathcal {D}\) starts by making q arbitrary queries to \(\mathsf {EM}_k^P/E\), resulting in a set of q pairs \(\mathcal {Q}_E = \{(x_1,y_1),\ldots ,(x_q,y_q)\}\); then \(\mathcal {D}\) determines the pair of sets \((U,V)\) with \(|U| = |V| = q\) and \(U, V \subseteq \{0,1\}^n\), that maximizes the size of the set

$$\begin{aligned} \mathcal {K}(\mathcal {Q}_E, U, V) {\mathrel {\mathop =^{\mathrm{def}}}}\{ k' \in \{0,1\}^n : \exists (x_i, y_i) \in \mathcal {Q}_E \text { s.t. } x_i \oplus k' \in U, y_i \oplus k' \in V\} \subseteq \{0,1\}^n, \end{aligned}$$
(1)

and \(\mathcal {D}\) queries P(u), \(P^{-1}(v)\) for all \(u \in U\), \(v \in V\). (This makes 2q queries to P instead of q, but this small constant factor is unimportant for the sake of intuition.) Note that if \(\mathcal {D}\) is in the real world and if the real key k is in the set \(\mathcal {K}(\mathcal {Q}_E, U, V)\) defined in (1), then \(\mathcal {D}\) can see that one of its \(\mathsf {EM}_k^P/E\)-queries is compatible with two of its P-queries with respect to k (in more detail, there exists a value i and queries \((u,v)\), \((u',v')\) to P such that \(x_i \oplus k = u\), \(v \oplus \pi (k) = u'\), and \(v' \oplus k = y_i\)). Elementary probabilistic considerations show that such a “complete cycle” will occur for at most a handful of keys in \(\mathcal {K}(\mathcal {Q}_E, U, V)\), so that “false alerts” can be quickly weeded out and the correct key k validated in a few extra queries, all assuming \(k \in \mathcal {K}(\mathcal {Q}_E, U, V)\). Moreover, heuristic considerations indicate that k will be in \(\mathcal {K}(\mathcal {Q}_E, U, V)\) with probability \(|\mathcal {K}(\mathcal {Q}_E, U, V)|/2^n\). In particular, thus, it becomes necessary to show that \(|\mathcal {K}(\mathcal {Q}_E, U, V)|\) is significantly smaller than \(2^n\) with high probability over \(\mathcal {Q}_E\), i.e., that

$$\begin{aligned} \max _{\begin{array}{c} U,V \subseteq \{0,1\}^n\\ |U|=|V|= q \end{array}} |\{ k' \in \{0,1\}^n : \exists (x_i, y_i) \in \mathcal {Q}_E \text { s.t. } x_i \oplus k' \in U, y_i \oplus k' \in V\}| \end{aligned}$$
(2)

is significantly smaller than \(2^n\) with high probability over \(\mathcal {Q}_E\), in order to show that \(\mathcal {D}\) has small advantage at q queries. One of the criteria that can make a transcript “bad” in our proof happens to be, precisely, if the set of queries \(\mathcal {Q}_E\) to \(\mathsf {EM}_k^P/E\) contained within the transcript is such that (2) is larger than desirable. (Jumping ahead, \(\mathcal {K}(\mathcal {Q}_E, U, V)\) will be re-baptized \(\mathsf {BadK}_1\) in Definitions 1 and 3 of a bad transcript.)

To elaborate a little more on this, note that

$$\begin{aligned} |\mathcal {K}(\mathcal {Q}_E, U, V)| &\le |\{(k', u, v) \in \{0,1\}^n \times U \times V : k' \oplus u = x_i,\ k' \oplus v = y_i \text { for some } 1\le i\le q\}|\\ &= |\{(i,u,v) \in \{1, \ldots , q\} \times U \times V : x_i \oplus y_i = u \oplus v\}|. \end{aligned}$$

Also note that the set of values \(\{x_i \oplus y_i : (x_i, y_i) \in \mathcal {Q}_E\}\) is essentially a random set since if the i-th query to \(\mathsf {EM}_k^P/E\) is forward then \(y_i\) comes at random from a large set, whereas otherwise \(x_i\) comes at random from a large set. Moreover, as a matter of fact, the problem of upper bounding

$$\begin{aligned} \mu (A) {\mathrel {\mathop =^{\mathrm{def}}}}\max _{\begin{array}{c} U,V\subseteq \{0,1\}^n\\ |U|=|V|=q \end{array}} |\{(a,u,v) \in A \times U \times V : a = u \oplus v\}| \end{aligned}$$

for a truly random set \(A \subseteq \{0,1\}^n\) of size q has already been studied before [2, 3, 20, 22, 32], being dubbed the sum-capture problem in [32]. One of the main known results [3, 32] on the sum-capture problem is that \(\mu (A)\) is upper bounded by roughly \(q^{3/2}\) for \(q \le 2^{2n/3}\). Surprisingly enough, this bound is exactly sufficient for our application, since \(q^{3/2} \ll 2^n\) for \(q \ll 2^{2n/3}\). (Implying, thus, that (2) is far from \(2^n\) as long as q remains beneath \(2^{2n/3}\), as desired.) Our own setting is, of course, slightly different, since the set \(\{x_i \oplus y_i : (x_i, y_i) \in \mathcal {Q}_E\}\) isn’t, unlike A, a purely random set of size q. Other complications also arise: in the general case where the three round keys \((k_0,k_1,k_2)\) are derived from the n-bit master key k using non-trivial (bijective) key derivation functions \(\gamma _i:k\mapsto k_i\), \(\mathcal {K}(\mathcal {Q}_E,U,V)\) takes the more complicated form

$$\begin{aligned} \{ k' \in \{0,1\}^n : \exists (x_i, y_i) \in \mathcal {Q}_E \text { s.t. } x_i \oplus \gamma _0(k') \in U, y_i \oplus \gamma _2(k') \in V\}, \end{aligned}$$

so that we have to upper bound

$$\begin{aligned} |\{(i,u,v)\in \{1,\ldots ,q\}\times U\times V:x_i\oplus u=\gamma _0\circ \gamma _2^{-1}(y_i\oplus v)\}|. \end{aligned}$$

All this means that we have to carefully adapt (and to some degree significantly extend) the Fourier-analytic techniques used in [3, 32].
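To make the quantities above concrete, here is an added example (not from the paper) that, for a toy block size, enumerates the set \(\mathcal {K}(\mathcal {Q}_E,U,V)\) of (1) on a constructed ideal-world transcript and checks it against the triple count that upper bounds it, including the generalized form with key derivation functions \(\gamma _0\) and \(\gamma _2\). The choices \(n=8\), \(\gamma _2\) a bit rotation, and the random sets U and V are assumptions of the example, not the paper's.

```python
# Added example (not the paper's code): the bad-key set K(Q_E, U, V) of Eq. (1),
# its generalization to key-derivation functions gamma_0, gamma_2, and the
# triple count that upper-bounds it. Toy n so exhaustive loops over 2^n keys are cheap.
import random
from typing import Callable, Dict, List, Set, Tuple

N_BITS = 8                  # toy n (an assumption of this example)
SIZE = 1 << N_BITS
Pair = Tuple[int, int]
KeyFn = Callable[[int], int]

identity: KeyFn = lambda k: k                                            # noqa: E731
# A linear bijection of F_2^n and its inverse, standing in for gamma_2 / gamma_2^{-1}.
rotl1: KeyFn = lambda k: ((k << 1) | (k >> (N_BITS - 1))) & (SIZE - 1)  # noqa: E731
rotr1: KeyFn = lambda k: ((k >> 1) | (k << (N_BITS - 1))) & (SIZE - 1)  # noqa: E731


def sample_transcript(rng: random.Random, q: int) -> List[Pair]:
    """Q_E in the ideal world: q distinct forward queries to a random permutation E."""
    e = rng.sample(range(SIZE), SIZE)            # random permutation as a lookup table
    return [(x, e[x]) for x in rng.sample(range(SIZE), q)]


def bad_keys(qe: List[Pair], U: Set[int], V: Set[int],
             g0: KeyFn = identity, g2: KeyFn = identity) -> Set[int]:
    """{k' : exists (x_i, y_i) in Q_E with x_i ^ g0(k') in U and y_i ^ g2(k') in V}.
    With g0 = g2 = identity this is exactly K(Q_E, U, V) of Eq. (1)."""
    return {k for k in range(SIZE)
            if any((x ^ g0(k)) in U and (y ^ g2(k)) in V for x, y in qe)}


def triple_count(qe: List[Pair], U: Set[int], V: Set[int],
                 g0: KeyFn = identity, g2_inv: KeyFn = identity) -> int:
    """|{(i, u, v) : x_i ^ u = g0(g2^{-1}(y_i ^ v))}|, which upper-bounds |bad_keys|:
    each bad key k' yields the triple (i, x_i ^ g0(k'), y_i ^ g2(k')), and distinct
    keys yield distinct triples. For identity g's the condition reads x_i ^ y_i = u ^ v."""
    return sum(1 for x, y in qe for u in U for v in V if x ^ u == g0(g2_inv(y ^ v)))


def demo(seed: int = 3, q: int = 16) -> Dict[str, int]:
    """Constructed instance: random Q_E of size q and random U, V of size q (q_e = q_p = q)."""
    rng = random.Random(seed)
    qe = sample_transcript(rng, q)
    U = set(rng.sample(range(SIZE), q))
    V = set(rng.sample(range(SIZE), q))
    return {
        "bad_keys": len(bad_keys(qe, U, V)),
        "triples": triple_count(qe, U, V),
        "bad_keys_general": len(bad_keys(qe, U, V, identity, rotl1)),   # gamma_2 = rotl1
        "triples_general": triple_count(qe, U, V, identity, rotr1),     # gamma_2^{-1} = rotr1
        "q_pow_3_2": int(q ** 1.5),   # the sum-capture scale q^{3/2} quoted in Sect. 1
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>18}: {value}")
```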

Once the probability to obtain a bad transcript has been upper bounded, the second part of the proof is to show that the ratio between the probabilities to obtain any good transcript in the real and the ideal world is close to 1. This part is in essence a permutation counting argument. When the two permutations are independent (Fig. 1, bottom), the counting argument is not overly complicated. While we could, in principle, re-use the general results of [8], we expose it in Sect. 5 (see Lemma 8) since it constitutes a good warm-up for the reader before the more complicated counting in the subsequent section. For the single-permutation case, things become much more involved: first, we need to consider more conditions defining bad transcripts; and second, the permutation counting itself becomes much more intricate. Interestingly, this part is related to the following simple to state (yet to the best of our knowledge unexplored) problem: how many queries are needed to distinguish a random squared permutation \(P\circ P\) (where P is uniformly random) from a uniformly random permutation E?

Related Work Two recent papers analyzed a stronger security property of the iterated Even–Mansour cipher than mere pseudorandomness, namely indifferentiability from an ideal cipher [1, 27]. Aside from the provable security results already mentioned, a number of papers explored attacks on the (iterated) Even–Mansour cipher for one round [7, 9, 12], two rounds [29], three rounds [10], and four rounds [11].

A distinct yet related line of work considers the security of the so-called “Xor-Cascade” construction [16, 24], a key-length extension method which generalizes the DESX construction [23] in the same way the generalized Even–Mansour construction generalizes the original (one-round) Even–Mansour cipher. Given a block cipher E with message space \(\{0,1\}^n\) and key space \(\{0,1\}^{\kappa }\), the r-round Xor-Cascade construction \(\mathsf {XC}^E\) defines a new block cipher with message space \(\{0,1\}^n\) and key space \(\{0,1\}^{\kappa +(r+1)n}\) as follows: given a plaintext \(x\in \{0,1\}^n\) and a key \((z,k_0,\ldots ,k_r)\in \{0,1\}^{\kappa +(r+1)n}\), the ciphertext y is computed as

$$\begin{aligned} y=k_r\oplus E_{z_r}(k_{r-1}\oplus E_{z_{r-1}}(\cdots E_{z_2}(k_1\oplus E_{z_1}(k_0\oplus x))\cdots )), \end{aligned}$$

where \((z_1,\ldots ,z_r)\) is a sequence of sub-keys deterministically derived from z in a way such that for any z, the \(z_i\)’s are pairwise distinct (note that this imposes \(r\le 2^{\kappa }\)). Some authors considered minor variants of this construction where the last whitening key \(k_r\) is omitted [16] or where the sub-keys \((z_1,\ldots ,z_r)\) are drawn uniformly at random [24]. Directly relevant to our work, Gazi and Tessaro [19] considered a construction they named \(\mathsf {2XOR}\), which is the two-round variant of Xor-Cascade where the whitening keys are identical (and the last whitening key is omitted), namely

$$\begin{aligned} \mathsf {2XOR}^{E}_{z,k}(x)=E_{z_2}(k\oplus E_{z_1}(k\oplus x)), \end{aligned}$$

where \((z_1,z_2)\) are pairwise distinct sub-keys derived from z. They showed that, when the underlying block cipher E is modeled as an ideal cipher, this construction is secure up to \(\mathcal {O}(2^{\kappa +n/2})\) queries to E, even when the adversary can make all possible \(2^n\) queries to the permutation oracle (which, in the indistinguishability experiment, is either \(\mathsf {2XOR}^E_{z,k}\) or an independent random permutation). Considering a block cipher E with key-length \(\kappa =1\), one obtains a construction which is similar to the two-round Even–Mansour cipher of Fig. 1, bottom, where the last key addition would be omitted. Hence, the Gazi-Tessaro result says that this construction is secure for \(q_e=2^n\) and \(q_p=\mathcal {O}(2^{n/2})\). Our own results are incomparable with the one of [19]. First, the third key addition is omitted in the \(\mathsf {2XOR}\) construction. Second, our bounds are more general: they hold for any value of \(q_e\) and \(q_p\) as long as \(q_e<2^{2n/3}\) and \(q_p<2^{2n/3}\). Though our bounds become meaningless for \(q_e=2^n\), they show that when \(q_e<2^{2n/3}\) (an interesting case in practice since an attacker will not always have access to the entire codebook), security is ensured up to \(\widetilde{\mathcal {O}}(2^{2n/3})\) queries to the internal permutations (something that cannot be derived from the result of [19]).

Open Questions Currently, our results only apply when the key derivation functions mapping the master key to the round keys are linear bijective functions of \(\mathbb {F}_2^n\). This is due to the fact that the proof of our sum-capture theorem in Sect. 3 requires linear mappings. It is an open question whether this theorem can be extended to nonlinear (bijective) mappings as well. A second tantalizing yet challenging open problem is of course to generalize our results to larger numbers of rounds. Namely, for \(r>2\), can we find sufficient conditions on the key-schedule such that the r-round single-permutation Even–Mansour cipher ensures security up to \(\widetilde{\mathcal {O}}(2^{\frac{rn}{r+1}})\) queries of the adversary? We stress that even the simpler case where permutations are independent and round keys are identical seems hard to tackle for \(r>2\): we currently have no idea of how to extend our sum-capture result in order to upper bound the probability of bad transcripts even in the case \(r=3\).

It would also be interesting to reduce the time complexity of attacks against the two-round Even–Mansour cipher (potentially down to \(\mathcal {O}(2^{2n/3})\)). Currently, the best known attack (for the case of independent permutations and identical round keys) has time complexity \(\mathcal {O}(2^{n-\log _2n})\) [12]. Since our focus in this paper is on query complexity, we have not investigated whether this attack applies to the single-permutation variant (\(\star \)) as well.

Organization We start in Sect. 2 by setting the notation, giving the necessary background on the H-coefficient technique, and proving some helpful lemmas. In Sect. 3, which is self-contained, we prove our new sum-capture result, which might be of independent interest. In Sect. 4, we detail slide attacks against the iterated Even–Mansour cipher. Sections 5 and 6 contain our two provable security results for the two “minimized” variants of the two-round Even–Mansour cipher of Fig. 1. In Sect. 5, we first deal with the case where the two permutations are independent and the three round keys are identical. The permutation counting argument in this section (Lemma 8) serves as a good exercise before the corresponding one of the subsequent section (Lemma 10). Section 6, which contains our main theorem, deals with the case of a single permutation.

2 Preliminaries

2.1 Notation

Permutations In all the following, we fix an integer \(n\ge 1\), and we write \(N=2^n\). The set of all permutations on \(\{0,1\}^n\) will be denoted \(\mathcal {P}_n\). For integers \(1\le s\le t\), we will write \((t)_s=t(t-1)\cdots (t-s+1)\) and \((t)_0=1\) by convention. Given \(\mathcal {Q}=((x_1,y_1),\ldots ,(x_q,y_q))\), where the \(x_i\)’s are pairwise distinct n-bit strings and the \(y_i\)’s are pairwise distinct n-bit strings, and a permutation \(P\in \mathcal {P}_n\), we say that P extends \(\mathcal {Q}\), denoted \(P\vdash \mathcal {Q}\), if \(P(x_i)=y_i\) for \(i=1,\ldots ,q\). Let \(X=\{x\in \{0,1\}^n:(x,y)\in \mathcal {Q}\}\) and \(Y=\{y\in \{0,1\}^n:(x,y)\in \mathcal {Q}\}\). We call X and Y, respectively, the domain and the range of \(\mathcal {Q}\). By an abuse of notation, we will sometimes denote \(\mathcal {Q}\) the bijection from X to Y such that \(\mathcal {Q}(x_i)=y_i\) for \(i=1,\ldots ,q\). Thus, for any \(X'\subseteq X\) we have \(\mathcal {Q}(X')=\{y\in \{0,1\}^n:(x,y)\in \mathcal {Q}\wedge x\in X'\}\), and for any \(Y'\subseteq Y\) we have \(\mathcal {Q}^{-1}(Y')=\{x\in \{0,1\}^n:(x,y)\in \mathcal {Q}\wedge y\in Y'\}\). We will often use the following simple fact: given \(\mathcal {Q}\) of size q and \(\mathcal {Q}'\) of size \(q'\) whose respective domains X and \(X'\) and respective ranges Y and \(Y'\) satisfy \(X\cap X'=\emptyset \) and \(Y\cap Y'=\emptyset \), one has

When two sets A and B are disjoint, we denote \(A\sqcup B\) their (disjoint) union.

Vector Space \(\mathbb {F}_2^n\). We denote \(\mathbb {F}_2\simeq \{0,1\}\) the field with two elements, and \(\mathbb {F}_2^n\) the vector space of dimension n over \(\mathbb {F}_2\). Given two vectors \(x=(x_1,\ldots ,x_n)\) and \(y=(y_1,\ldots ,y_n)\) in \(\mathbb {F}_2^n\), we denote \(x\cdot y=\sum _{i=1}^n x_iy_i\bmod 2\) the inner product of x and y. The general linear group of degree n over \(\mathbb {F}_2\), i.e., the set of all automorphisms (linear bijective mappings) of \(\mathbb {F}_2^n\), will be denoted \(\mathsf {GL}(n)\). Given \(\varGamma \in \mathsf {GL}(n)\), we denote \(\varGamma ^*\) the adjoint of \(\varGamma \), i.e., the unique automorphism satisfying \(x\cdot \varGamma (y)=\varGamma ^*(x)\cdot y\) for all \(x,y\in \mathbb {F}_2^n\).

2.2 The Generalized Even–Mansour Cipher

Fix integers \(n,r,m,\ell \ge 1\). Let \(\phi :\{1,\ldots ,r\}\rightarrow \{1,\ldots ,m\}\) be an arbitrary function, and \(\varvec{\gamma }=(\gamma _0,\ldots ,\gamma _r)\) be an \((r+1)\)-tuple of functions from \(\{0,1\}^{\ell }\) to \(\{0,1\}^n\). The r-round generalized Even–Mansour construction \(\mathsf {EM}[n,r,m,\ell ,\phi ,\varvec{\gamma }]\) specifies, from any m-tuple \(\mathbf {P}=(P_1,\ldots ,P_m)\) of permutations on \(\{0,1\}^n\), a block cipher with message space \(\{0,1\}^n\) and key space \(\{0,1\}^{\ell }\), simply denoted \(\mathsf {EM}^{\mathbf {P}}\) in the following (parameters \([n,r,m,\ell ,\phi ,\varvec{\gamma }]\) are implicit and will always be clear from the context), which maps a plaintext \(x\in \{0,1\}^n\) and a key \(K\in \{0,1\}^{\ell }\) to the ciphertext defined by (see Fig. 3):

$$\begin{aligned} \mathsf {EM}^{\mathbf {P}}(K,x)=\gamma _r(K)\oplus P_{\phi (r)}(\gamma _{r-1}(K)\oplus P_{\phi (r-1)}(\cdots P_{\phi (2)}(\gamma _1(K)\oplus P_{\phi (1)}(\gamma _0(K)\oplus x))\cdots )). \end{aligned}$$

We denote \(\mathsf {EM}^{\mathbf {P}}_K:x\mapsto \mathsf {EM}^{\mathbf {P}}(K,x)\) the Even–Mansour cipher instantiated with key K (hence, syntactically, \(\mathsf {EM}^{\mathbf {P}}_K\) is a permutation on \(\{0,1\}^n\)).

Fig. 3: The r-round generalized Even–Mansour cipher.

For example, \(\mathsf {AES}\)-128 is a generalized Even–Mansour cipher where \(n=128\), \(r=10\), \(m=2\), \(\ell =128\), the function \(\phi \) is defined by \(\phi (i)=1\) for \(i=1,\ldots ,9\) and \(\phi (10)=2\), each key derivation function \(\gamma _i\) is a 128-bit (nonlinear for \(i\ge 1\)) permutation, and the two permutations \(P_1\) and \(P_2\) are defined as:

$$\begin{aligned} P_1&=\mathsf {MixColumns}\circ \mathsf {ShiftRows}\circ \mathsf {SubBytes}\\ P_2&=\mathsf {ShiftRows}\circ \mathsf {SubBytes} . \end{aligned}$$

All previous work about the indistinguishability of the Even–Mansour cipher [5, 8, 26, 31] considered the case where all permutations and all round keys are independent, namely \(m=r\), \(\phi \) is the identity function, \(\ell =(r+1)n\), and \(\gamma _i\) simply selects the i-th n-bit string of \(K=(k_0,\ldots ,k_r)\).

In the following, we will focus in particular on two special cases:

  • the case where permutations are independent and the same n-bit key k is used at each round, namely \(m=r\), \(\phi \) is the identity function, \(\ell =n\), and all \(\gamma _i\)’s are the identity function, in which case we will simply denote \(\mathsf {EMIP}[n,r]\) the resulting construction. Hence, for an r-tuple of permutations \(\mathbf {P}=(P_1,\ldots ,P_r)\), the block cipher \(\mathsf {EMIP}^{\mathbf {P}}\) maps a plaintext \(x\in \{0,1\}^n\) and a key \(k\in \{0,1\}^n\) to the ciphertext defined by:

    $$\begin{aligned} \mathsf {EMIP}^{\mathbf {P}}(k,x)=k \oplus P_r(k\oplus P_{r-1}(\cdots P_2(k \oplus P_1(k\oplus x))\cdots )). \end{aligned}$$
  • the case where a single permutation P is used at each round, namely \(m=1\) and \(\phi (i)=1\) for \(i=1,\ldots ,r\), in which case we will simply denote \(\mathsf {EMSP}[n,r,\ell ,\varvec{\gamma }]\) the resulting construction. Hence, for a permutation P, the block cipher \(\mathsf {EMSP}^P\) maps a plaintext \(x\in \{0,1\}^n\) and a key \(K\in \{0,1\}^{\ell }\) to the ciphertext defined by:

    $$\begin{aligned} \mathsf {EMSP}^{P}(K,x)=\gamma _r(K)\oplus P(\gamma _{r-1}(K)\oplus P(\cdots P(\gamma _1(K)\oplus P(\gamma _0(K)\oplus x))\cdots )). \end{aligned}$$

    When additionally \(\ell =n\) (namely the master key-length is equal to the block length), we overload the notation and simply denote \(\mathsf {EMSP}[n,r,\varvec{\gamma }]\) the resulting construction.

2.3 Security Definition

To study the indistinguishability of the generalized Even–Mansour cipher (in the random permutation model), we consider a distinguisher \(\mathcal {D}\) which interacts with a set of \(m+1\) permutation oracles on n bits that we denote generically \((P_0,P_1,\ldots ,P_m)=(P_0,\mathbf {P})\). The goal of \(\mathcal {D}\) is to distinguish whether it is interacting with \((\mathsf {EM}^{\mathbf {P}}_K,\mathbf {P})\), where \(\mathbf {P}=(P_1,\ldots ,P_m)\) are random and independent permutations and K is randomly chosen from \(\{0,1\}^{\ell }\) (we will informally refer to this case as the “real” world), or with \((E,\mathbf {P})\), where E is a random n-bit permutation independent from \(\mathbf {P}\) (the “ideal” world). Note that in the latter case the distinguisher is simply interacting with \(m+1\) independent random permutations. We sometimes refer to the first permutation \(P_0\) as the outer permutation, and to permutations \(P_1,\ldots ,P_m\) as the inner permutations. The distinguisher is adaptive, and can make both forward and backward queries to each permutation oracle, which corresponds to the notion of adaptive chosen-plaintext and ciphertext security (CCA). We consider computationally unbounded distinguishers, and we assume wlog that the distinguisher is deterministic and never makes useless queries (which means that it never repeats a query, nor makes a query \(P_i^{-1}(y)\) if it received y as the answer to a previous query \(P_i(x)\), or vice-versa).

The distinguishing advantage of \(\mathcal {D}\) is defined as

$$\begin{aligned} \mathbf{Adv }(\mathcal {D})=\left| \Pr \left[ {\mathcal {D}^{\mathsf {EM}^{\mathbf {P}}_K,\mathbf {P}}=1}\right] -\Pr \left[ {\mathcal {D}^{E,\mathbf {P}}=1}\right] \right| , \end{aligned}$$

where the first probability is taken over the random choice of K and \(\mathbf {P}\), and the second probability is taken over the random choice of E and \(\mathbf {P}\). We recall that, even though this is not apparent from the notation, the distinguisher can make both forward and backward queries to each permutation oracle.

For \(q_e,q_p\) nonnegative integers, we define the insecurity of the ideal generalized Even–Mansour cipher with parameters \((n,r,m,\ell ,\phi ,\varvec{\gamma })\) as:

$$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EM}[n,r,m,\ell ,\phi ,\varvec{\gamma }]}(q_e,q_p)=\max _{\mathcal {D}} \mathbf{Adv }(\mathcal {D}), \end{aligned}$$

where the maximum is taken over all distinguishers \(\mathcal {D}\) making exactly \(q_e\) queries to the outer permutation and exactly \(q_p\) queries to each inner permutation. The notation is adapted naturally for the two special cases \(\mathsf {EMIP}\) and \(\mathsf {EMSP}\) defined in Sect. 2.2.

2.4 The H-Coefficient Technique

We give here all the necessary background on the H-coefficient technique [8, 30] that we will use throughout this paper.

Transcript All the information gathered by the distinguisher when interacting with the system of \(m+1\) permutations can be summarized in what we call the transcript of the interaction, which is the ordered list of queries and answers received from the system \((i,b,z,z')\), where \(i\in \{0,\ldots ,m\}\) names the permutation being queried, b is a bit indicating whether this is a forward or backward query, \(z\in \{0,1\}^n\) is the actual value queried and \(z'\) the answer. We say that a transcript is attainable (with respect to some fixed distinguisher \(\mathcal {D}\)) if there exists a tuple of permutations \((P_0,\ldots ,P_m)\in (\mathcal {P}_n)^{m+1}\) such that the interaction of \(\mathcal {D}\) with \((P_0,\ldots ,P_m)\) yields this transcript (said otherwise, the probability to obtain this transcript in the “ideal” world is nonzero). In fact, an attainable transcript can be represented in a more convenient way that we will use in all the following. Namely, from the transcript we can build \(m+1\) lists of directionless queries

$$\begin{aligned} \mathcal {Q}_E&=((x_1,y_1),\ldots ,(x_{q_e},y_{q_e})),\\ \mathcal {Q}_{P_1}&=((u_{1,1},v_{1,1}),\ldots ,(u_{1,q_p},v_{1,q_p})),\\&\ \vdots \\ \mathcal {Q}_{P_m}&=((u_{m,1},v_{m,1}),\ldots ,(u_{m,q_p},v_{m,q_p})) \end{aligned}$$

as follows. For \(j=1,\ldots ,q_e\), let \((0,b,z,z')\) be the j-th query to \(P_0\) in the transcript: if this was a forward query then we set \(x_j=z\) and \(y_j=z'\), otherwise we set \(x_j=z'\) and \(y_j=z\). Similarly, for each \(i=1,\ldots ,m\), and \(j=1,\ldots ,q_p\), let \((i,b,z,z')\) be the j-th query to \(P_i\) in the transcript: if this was a forward query then we set \(u_{i,j}=z\) and \(v_{i,j}=z'\), otherwise we set \(u_{i,j}=z'\) and \(v_{i,j}=z\). A moment of thought should make it clear that for attainable transcripts there is a one-to-one mapping between these two representations. (Essentially this follows from the fact that the distinguisher is deterministic.) Moreover, though we defined \(\mathcal {Q}_E,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_m}\) as ordered lists, the order is unimportant (our formalization keeps the natural order induced by the distinguisher).

For convenience, and following [8], we will be generous with the distinguisher by providing it, at the end of its interaction, with the actual key K when it is interacting with \((\mathsf {EM}^{\mathbf {P}}_K,\mathbf {P})\), or with a dummy key K selected uniformly at random when it is interacting with \((E,\mathbf {P})\). This is without loss of generality since the distinguisher is free to ignore this additional information. Hence, all in all a transcript \(\tau \) is a tuple \((\mathcal {Q}_E,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_m},K)\). We refer to \((\mathcal {Q}_E,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_m})\) (without the key) as the permutation transcript, and we say that a transcript \(\tau \) is attainable if the corresponding permutation transcript is attainable. We denote \(\mathcal {T}\) the set of attainable transcripts. (Thus \(\mathcal {T}\) depends on \(\mathcal {D}\), as the notion of attainability depends on \(\mathcal {D}\).) In all the following, we denote \(T_{\mathrm{re}}\), resp. \(T_{\mathrm{id}}\), the probability distribution of the transcript \(\tau \) induced by the real world, resp. the ideal world (note that these two probability distributions depend on the distinguisher). By extension, we use the same notation to denote a random variable distributed according to each distribution.

Main Lemma In order to upper bound the advantage of the distinguisher, we will repeatedly use the following strategy: we will partition the set of attainable transcripts \(\mathcal {T}\) into a set of “good” transcripts \(\mathcal {T}_1\) such that the probabilities to obtain some transcript \(\tau \in \mathcal {T}_1\) are close in the real and in the ideal world, and a set \(\mathcal {T}_2\) of “bad” transcripts such that the probability to obtain any \(\tau \in \mathcal {T}_2\) is small in the ideal world. More precisely, we will use the following result.

Lemma 1

Fix a distinguisher \(\mathcal {D}\). Let \(\mathcal {T}=\mathcal {T}_1\sqcup \mathcal {T}_2\) be a partition of the set of attainable transcripts. Assume that there exists \(\varepsilon _1\) such that for any \(\tau \in \mathcal {T}_1\), one has

$$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}\ge 1-\varepsilon _1, \end{aligned}$$

and that there exists \(\varepsilon _2\) such that

$$\begin{aligned} \Pr [T_{\mathrm{id}}\in \mathcal {T}_2]\le \varepsilon _2. \end{aligned}$$

Then, \( \mathbf{Adv }(\mathcal {D})\le \varepsilon _1+\varepsilon _2\).

Proof

The proof is standard, but we sketch it here for completeness. Since the distinguisher’s output is a (deterministic) function of the transcript, its distinguishing advantage is upper bounded by the statistical distance between \(T_{\mathrm{id}}\) and \(T_{\mathrm{re}}\), namely

$$\begin{aligned} \mathbf{Adv }(\mathcal {D})\le \Vert T_{\mathrm{re}}-T_{\mathrm{id}}\Vert {\mathrel {\mathop =^{\mathrm{def}}}}\frac{1}{2}\sum _{\tau \in \mathcal {T}} \left| \Pr [T_{\mathrm{re}}=\tau ]-\Pr [T_{\mathrm{id}}=\tau ] \right| . \end{aligned}$$

Moreover, we have:

$$\begin{aligned} \Vert T_{\mathrm{re}}-T_{\mathrm{id}}\Vert&=\sum _{\begin{array}{c} \tau \in \mathcal {T}\\ \Pr [T_{\mathrm{id}}=\tau ]> \Pr [T_{\mathrm{re}}=\tau ] \end{array}} (\Pr [T_{\mathrm{id}}=\tau ]-\Pr [T_{\mathrm{re}}=\tau ])\\&= \sum _{\begin{array}{c} \tau \in \mathcal {T}\\ \Pr [T_{\mathrm{id}}=\tau ]> \Pr [T_{\mathrm{re}}=\tau ] \end{array}} \Pr [T_{\mathrm{id}}=\tau ]\left( 1-\frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}\right) \\&\le \sum _{\tau \in \mathcal {T}_1}\Pr [T_{\mathrm{id}}=\tau ]\varepsilon _1+\sum _{\tau \in \mathcal {T}_2}\Pr [T_{\mathrm{id}}=\tau ]\\&\le \varepsilon _1+\varepsilon _2. \end{aligned}$$

\(\square \)

The ratio \(\Pr [T_{\mathrm{re}}=\tau ]/\Pr [T_{\mathrm{id}}=\tau ]\) takes a particularly simple form for the Even–Mansour cipher. (This is one of the reasons why we append the key K at the end of the transcript; otherwise, the ratio would take a more cumbersome form.)

Lemma 2

Let \(\tau =(\mathcal {Q}_E,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_m},K)\in \mathcal {T}\) be an attainable transcript. Let

Then

$$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}=(N)_{q_e}\cdot \mathsf {p}(\tau ). \end{aligned}$$

Proof

One can easily check that the interaction of the distinguisher with any set of permutations \((P_0,P_1,\ldots , P_m)\) produces permutation transcript \((\mathcal {Q}_E,\mathcal {Q}_{P_1},\ldots ,\mathcal {Q}_{P_m})\) iff

$$\begin{aligned} (P_0\vdash \mathcal {Q}_E) \wedge (P_1\vdash \mathcal {Q}_{P_1}) \wedge \cdots \wedge (P_m \vdash \mathcal {Q}_{P_m}). \end{aligned}$$

In the ideal world, the distinguisher interacts with \((E,P_1,\ldots ,P_m)\) where E is independent from \(P_1,\ldots P_m\), and the (dummy) key K is uniformly random and independent from the permutations. It follows easily that

$$\begin{aligned} \Pr [T_{\mathrm{id}}=\tau ]=\frac{1}{2^{\ell }}\times \frac{1}{(N)_{q_e}}\times \left( \frac{1}{(N)_{q_p}}\right) ^m. \end{aligned}$$

In the real world, the distinguisher interacts with \((\mathsf {EM}^{P_1,\ldots ,P_m}_K,P_1,\ldots ,P_m)\), where the key K is uniformly random and independent from \((P_1,\ldots ,P_m)\). It easily follows that

hence the result. \(\square \)

2.5 A Useful Lemma

We prove a lemma that will be useful throughout the paper.

Lemma 3

Let \(N, a, b, c, d\) be positive integers such that \(c+d=2b\) and \(2a+2b\le N\). Then

$$\begin{aligned} \frac{(N)_a(N-2b)_a}{(N-c)_a(N-d)_a}\ge 1-\frac{4ab^2}{N^2}. \end{aligned}$$

Proof

Assume wlog that \(c\ge d\). Note that this implies \(c\ge b\). Then:

$$\begin{aligned} \frac{(N)_a(N-2b)_a}{(N-c)_a(N-d)_a}&=\frac{(N)_a(N-2b)_a}{((N-b)_a)^2}\times \frac{((N-b)_a)^2}{(N-c)_a(N-d)_a} \\&= \prod _{i=N-a-b+1}^{N-b}\frac{(i+b)(i-b)}{i^2} \times \prod _{i=N-a-b+1}^{N-b}\frac{i^2}{(i-c+b)(i-d+b)}\\&= \prod _{i=N-a-b+1}^{N-b}\left( 1-\frac{b^2}{i^2}\right) \times \underbrace{\prod _{i=N-a-b+1}^{N-b}\frac{i^2}{(i-(c-b))(i+(c-b))}}_{\ge 1}\\&\ge \left( 1-\frac{b^2}{(N-a-b+1)^2}\right) ^a\\&\ge 1-\frac{4ab^2}{N^2}, \end{aligned}$$

where for the last inequality we used \(a+b\le N/2\). \(\square \)

3 A Sum-Capture Theorem

In this section, we prove a variant of previous “sum-capture” results [3, 22, 32]. Informally, such results typically state that when choosing a random subset A of \(\mathbb {Z}_2^n\) (or more generally any abelian group) of size q, the value

$$\begin{aligned} \mu (A)=\max _{\begin{array}{c} U,V\subseteq \mathbb {Z}_2^n\\ |U|=|V|=q \end{array}}\left| \{(a,u,v)\in A\times U\times V : a=u\oplus v\} \right| \end{aligned}$$

is close to its expected value \(q^3/N\) (if A, U, V were chosen at random), except with negligible probability. Here, we prove a result of this type for the setting where A arises from the interaction of an adversary with a random permutation P, namely \(A=\{x\oplus y:(x,y)\in \mathcal {Q}\}\), where \(\mathcal {Q}\) is the transcript of the interaction between the adversary and P. In fact our result is even more general, the special case just mentioned corresponding to \(\varGamma \) being the identity in the theorem below.

Theorem 1

Fix an automorphism \(\varGamma \in \mathsf {GL}(n)\). Let P be a uniformly random permutation of \(\{0,1\}^n\), and let \(\mathcal {A}\) be some probabilistic algorithm making exactly q (two-sided) adaptive queries to P. Let \(\mathcal {Q}=((x_1,y_1),\ldots ,(x_q,y_q))\) denote the transcript of the interaction of \(\mathcal {A}\) with P. For any two subsets U and V of \(\{0,1\}^n\), let

$$\begin{aligned} \mu (\mathcal {Q},U,V)=|\{((x,y),u,v)\in \mathcal {Q}\times U\times V : x\oplus u=\varGamma (y\oplus v)\}|. \end{aligned}$$

Then, assuming \(25n\le q\le N/2\), one has

$$\begin{aligned} \Pr _{P,\omega }\left[ \exists U,V\subseteq \{0,1\}^n : \mu (\mathcal {Q},U,V){\ge } \frac{q |U| |V|}{N} {+}\frac{2q^2\sqrt{|U| |V|}}{N} {+}5\sqrt{n q |U| |V|} \right] \le \frac{2}{N}, \end{aligned}$$

where the probability is taken over the random choice of P and the random coins \(\omega \) of \(\mathcal {A}\).

Proof

The theorem follows directly from Lemmas 4 and 6 that are proven below. \(\square \)

A Reminder on Fourier Analysis We start by introducing some notation and recalling some classical results on Fourier analysis over the abelian group \(\mathbb {Z}_2^n\). In the following, given a subset \(S\subset \{0,1\}^n\), we denote \(1_S:\{0,1\}^n\rightarrow \{0,1\}\) the characteristic function of S, namely \(1_S(x)=1\) if \(x\in S\) and \(1_S(x)=0\) if \(x\notin S\). Given two functions \(f,g:\{0,1\}^n\rightarrow \mathbb {R}\), we denote

$$\begin{aligned} \langle f,g\rangle =\mathbb {E}[fg]=\frac{1}{N}\sum _{x\in \{0,1\}^n}f(x)g(x) \end{aligned}$$

the inner product of f and g, and, for all \(x\in \{0,1\}^n\), we denote

$$\begin{aligned} (f *g)(x)=\sum _{y\in \{0,1\}^n}f(y)g(x\oplus y) \end{aligned}$$

the convolution of f and g. Given \(\alpha \in \{0,1\}^n\), we denote \(\chi _{\alpha }:\{0,1\}^n \rightarrow \{\pm 1\}\) the character associated with \(\alpha \) defined as

$$\begin{aligned} \chi _{\alpha }(x)=(-1)^{\alpha \cdot x}. \end{aligned}$$

The all-one character \(\chi _0\) is called the principal character. All other characters \(\chi \ne 1\) corresponding to \(\alpha \ne 0\) are called non-principal characters. The set of all characters forms a group for the pointwise product operation \((\chi _{\alpha }\chi _{\beta })(x)=\chi _{\alpha }(x)\chi _{\beta }(x)\) and one has \(\chi _{\alpha }\chi _{\beta }=\chi _{\alpha \oplus \beta }\).

Given a function \(f:\{0,1\}^n\rightarrow \mathbb {R}\) and \(\alpha \in \{0,1\}^n\), the Fourier coefficient of f corresponding to \(\alpha \) is

$$\begin{aligned} \widehat{f}(\alpha ){\mathrel {\mathop =^{\mathrm{def}}}}\langle f,\chi _{\alpha } \rangle =\frac{1}{N}\sum _{x\in \{0,1\}^n}f(x)(-1)^{\alpha \cdot x}. \end{aligned}$$

The coefficient corresponding to \(\alpha =0\) is called the principal Fourier coefficient, all the other ones are called non-principal Fourier coefficients. Note that for a set \(S\subseteq \{0,1\}^n\) one has

$$\begin{aligned} \widehat{1_S}(0)=\frac{|S|}{N}, \end{aligned}$$

namely the principal Fourier coefficient of \(1_S\) is equal to the relative size of the set. We will also use the following three classical results, holding for any functions \(f,g:\{0,1\}^n\rightarrow \mathbb {R}\), any \(\alpha \in \{0,1\}^n\), and any \(S\subseteq \{0,1\}^n\):

$$\begin{aligned} \sum _{x\in \{0,1\}^n}f(x)g(x)&=N\sum _{\alpha \in \{0,1\}^n}\widehat{f}(\alpha )\widehat{g}(\alpha ) \end{aligned}$$
(3)
$$\begin{aligned} \widehat{(f*g)}(\alpha )&=N\widehat{f}(\alpha )\widehat{g}(\alpha )\end{aligned}$$
(4)
$$\begin{aligned} \sum _{\alpha \in \{0,1\}^n}|\widehat{1_S}(\alpha )|^2&=\frac{|S|}{N}. \end{aligned}$$
(5)

First Step: the Cauchy–Schwarz Trick As a preliminary step toward proving Theorem 1, we start by relating the quantity \(\mu (\mathcal {Q},U,V)\) with the maximal amplitude of (a subset of) non-principal Fourier coefficients of the characteristic function \(1_{\mathcal {Q}}\) of the set \(\mathcal {Q}=((x_1,y_1),\ldots ,(x_q,y_q))\) seen as a subset of \(\{0,1\}^{2n}\). This part is adapted from Babai [3, Section 4] and Steinberger [32], but in our setting we have to work over the product group \(\mathbb {Z}_2^n\times \mathbb {Z}_2^n\) (in particular, Lemma 4 is the analogue of Theorem 4.1 in [3], which was independently rediscovered by Steinberger [32]). In the following, we let, for any \(\alpha ,\beta \in \{0,1\}^n\), \(\alpha \ne 0\), \(\beta \ne 0\),

$$\begin{aligned} \varPhi _{\alpha ,\beta }(\mathcal {Q})&{\mathrel {\mathop =^{\mathrm{def}}}}N^2\left| \widehat{1_{\mathcal {Q}}}(\alpha ,\beta ) \right| =\left| \sum _{(x,y)\in \mathcal {Q}}(-1)^{\alpha \cdot x \oplus \beta \cdot y}\right| \\ \varPhi (\mathcal {Q})&{\mathrel {\mathop =^{\mathrm{def}}}}\max _{\alpha \ne 0,\beta \ne 0} \varPhi _{\alpha ,\beta }(\mathcal {Q}). \end{aligned}$$

Lemma 4

For any subsets U and V of \(\{0,1\}^n\), one has

$$\begin{aligned} \mu (\mathcal {Q},U,V)\le \frac{q|U||V|}{N} +\varPhi (\mathcal {Q})\sqrt{|U||V|}. \end{aligned}$$

Proof

In the following, we denote

$$\begin{aligned} W&=U\times V =\{(u,v): u\in U,v\in V\}\\ K&=\{(\varGamma (k),k): k\in \{0,1\}^n\}. \end{aligned}$$

Since \(((x,y),u,v)\in \mathcal {Q}\times U\times V\) satisfies \(x\oplus u=\varGamma (y\oplus v)\) iff there exists \(k\in \{0,1\}^n\) such that

$$\begin{aligned} (x,y)\oplus (u,v)=(\varGamma (k),k), \end{aligned}$$

it follows that we have

$$\begin{aligned} \mu (\mathcal {Q},U,V)&=\sum _{\begin{array}{c} (x,y)\in (\{0,1\}^n)^2\\ (u,v)\in (\{0,1\}^n)^2 \end{array}}1_{\mathcal {Q}}(x,y)1_{W}(u,v)1_K(x\oplus u,y\oplus v)\\&= \sum _{(x,y)\in (\{0,1\}^n)^2}1_{\mathcal {Q}}(x,y)\sum _{(u,v)\in (\{0,1\}^n)^2}1_{W}(u,v)1_{K}(x\oplus u,y\oplus v)\\&=\sum _{(x,y)\in (\{0,1\}^n)^2}1_{\mathcal {Q}}(x,y) (1_W*1_K)(x,y)\\&= N^2 \sum _{(\alpha ,\beta )\in (\{0,1\}^n)^2}\widehat{1_{\mathcal {Q}}} (\alpha ,\beta )\widehat{(1_W*1_K)}(\alpha ,\beta ) \qquad \text {(by (3))}\\&=N^4\sum _{(\alpha ,\beta )\in (\{0,1\}^n)^2}\widehat{1_{\mathcal {Q}}} (\alpha ,\beta )\widehat{1_W}(\alpha ,\beta )\widehat{1_K}(\alpha ,\beta ) \qquad \text {(by (4))}. \end{aligned}$$

Separating the principal Fourier coefficient from non-principal ones in the last equality above, we get

$$\begin{aligned} \mu (\mathcal {Q},U,V)&=N^4\frac{|\mathcal {Q}|}{N^2}\frac{|W|}{N^2}\frac{|K|}{N^2}+N^4 \sum _{(\alpha ,\beta )\ne (0,0)}\widehat{1_{\mathcal {Q}}}(\alpha ,\beta ) \widehat{1_W}(\alpha ,\beta )\widehat{1_K}(\alpha ,\beta )\nonumber \\&= \frac{q|U||V|}{N} +N^4\sum _{(\alpha ,\beta )\ne (0,0)}\widehat{1_{\mathcal {Q}}} (\alpha ,\beta )\widehat{1_W}(\alpha ,\beta )\widehat{1_K}(\alpha ,\beta ). \end{aligned}$$
(6)

[We note that equality (6) holds in fact for any abelian group G and any fixed, not necessarily linear, permutation \(\varGamma :G\rightarrow G\), replacing the summation over \((\alpha ,\beta )\ne (0,0)\) by the summation over all non-principal characters of the product group \(G\times G\).] Moreover, we have

$$\begin{aligned} \widehat{1_W}(\alpha ,\beta )&=\frac{1}{N^2}\sum _{(u,v)\in (\{0,1\}^n)^2}1_W(u,v)(-1)^{\alpha \cdot u\oplus \beta \cdot v}\\&=\frac{1}{N^2}\sum _{(u,v)\in (\{0,1\}^n)^2}1_U(u)1_V(v)(-1)^{\alpha \cdot u\oplus \beta \cdot v}\\&= \frac{1}{N^2}\left( \sum _{u\in \{0,1\}^n}1_U(u)(-1)^{\alpha \cdot u}\right) \left( \sum _{v\in \{0,1\}^n}1_V(v)(-1)^{\beta \cdot v}\right) \\&= \widehat{1_U}(\alpha )\widehat{1_V}(\beta ), \end{aligned}$$

and, denoting \(\varGamma ^*\) the adjoint of \(\varGamma \) (so that \(\alpha \cdot \varGamma (y)=\varGamma ^*(\alpha )\cdot y\) for all \(\alpha ,y\in \{0,1\}^n\)),

$$\begin{aligned} \widehat{1_K}(\alpha ,\beta )&=\frac{1}{N^2}\sum _{(x,y)\in (\{0,1\}^n)^2}1_K(x,y)(-1)^{\alpha \cdot x \oplus \beta \cdot y}\\&=\frac{1}{N^2}\sum _{y\in \{0,1\}^n}(-1)^{\alpha \cdot \varGamma (y)\oplus \beta \cdot y}\\&=\frac{1}{N^2}\sum _{y\in \{0,1\}^n}(-1)^{\varGamma ^*(\alpha )\cdot y\oplus \beta \cdot y}\\&= \begin{cases} 0 &\text {if } \beta \ne \varGamma ^*(\alpha ),\\ \dfrac{1}{N} &\text {if } \beta =\varGamma ^*(\alpha ). \end{cases} \end{aligned}$$

Then, injecting the two observations in (6), we obtain

$$\begin{aligned} \mu (\mathcal {Q},U,V)&=\frac{q|U||V|}{N} +N^3\sum _{\alpha \ne 0}\widehat{1_{\mathcal {Q}}}(\alpha ,\varGamma ^*(\alpha ))\widehat{1_U}(\alpha )\widehat{1_V}(\varGamma ^*(\alpha ))\\&\le \frac{q|U||V|}{N} +N^3\sum _{\alpha \ne 0}\left| \widehat{1_{\mathcal {Q}}}(\alpha ,\varGamma ^*(\alpha ))\right| \cdot \left| \widehat{1_U}(\alpha )\right| \cdot \left| \widehat{1_V}(\varGamma ^*(\alpha ))\right| \\&\le \frac{q|U||V|}{N} +N\varPhi (\mathcal {Q})\sum _{\alpha \ne 0}\left| \widehat{1_U}(\alpha )\right| \cdot \left| \widehat{1_V}(\varGamma ^*(\alpha ))\right| , \end{aligned}$$

where the last inequality follows by noting that \(|\widehat{1_{\mathcal {Q}}}(\alpha ,\varGamma ^*(\alpha ))|\le \varPhi (\mathcal {Q})/N^2\) for any \(\alpha \ne 0\) (by definition of \(\varPhi (\mathcal {Q})\)). By Cauchy–Schwarz,

$$\begin{aligned} \sum _{\alpha \ne 0}\left| \widehat{1_U}(\alpha )\right| \cdot \left| \widehat{1_V}(\varGamma ^*(\alpha ))\right| \le \sqrt{\sum _{\alpha \in \{0,1\}^n}|\widehat{1_U}(\alpha )|^2}\sqrt{\sum _{\alpha \in \{0,1\}^n}|\widehat{1_V}(\varGamma ^*(\alpha ))|^2}= \frac{1}{N}\sqrt{|U||V|}, \end{aligned}$$

where the last equality follows from (5), so that we finally obtain

$$\begin{aligned} \mu (\mathcal {Q},U,V)\le \frac{q|U||V|}{N} +\varPhi (\mathcal {Q})\sqrt{|U||V|}. \end{aligned}$$

\(\square \)
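As an added toy-scale check (example code written for this page, not from the paper), the following Python computes \(\varPhi (\mathcal {Q})\) and \(\mu (\mathcal {Q},U,V)\) by brute force over \(\mathbb {Z}_2^8\) with \(\varGamma \) the identity, verifies identity (5) exactly in integer arithmetic, and confirms the inequality of Lemma 4 for one transcript against both random and query-derived sets U, V. The block size \(n=8\), the query count and the seed are constructed choices; at this size the hypothesis \(25n\le q\le N/2\) of Lemma 6 cannot hold, so only the unconditional Lemma 4 is checked.

```python
"""Toy-scale check of the sum-capture quantities of Sect. 3 over Z_2^n, n = 8,
with Gamma = identity (example code written for this page, not from the paper)."""
import math
import random
from typing import Callable, Iterable, Sequence, Set, Tuple

N_BITS = 8                                            # toy block size n (constructed)
N = 1 << N_BITS                                       # N = 2^n
PARITY = [bin(v).count("1") & 1 for v in range(N)]    # alpha . x over GF(2)


def character(alpha: int, x: int) -> int:
    """chi_alpha(x) = (-1)^(alpha . x)."""
    return 1 - 2 * PARITY[alpha & x]


def fourier_sum(S: Iterable[int], alpha: int) -> int:
    """N * hat{1_S}(alpha) = sum_{x in S} chi_alpha(x), kept as an exact integer."""
    return sum(character(alpha, x) for x in S)


def parseval_lhs(S: Set[int]) -> int:
    """N^2 * sum_alpha |hat{1_S}(alpha)|^2; identity (5) says this equals N * |S|."""
    return sum(fourier_sum(S, alpha) ** 2 for alpha in range(N))


def phi(Q: Sequence[Tuple[int, int]]) -> int:
    """Phi(Q) = max_{alpha != 0, beta != 0} |sum_{(x,y) in Q} (-1)^(alpha.x xor beta.y)|,
    i.e. N^2 times the largest non-principal Fourier coefficient of 1_Q on {0,1}^{2n}."""
    best = 0
    for alpha in range(1, N):
        for beta in range(1, N):
            s = sum(character(alpha, x) * character(beta, y) for x, y in Q)
            best = max(best, abs(s))
    return best


def mu(Q: Sequence[Tuple[int, int]], U: Set[int], V: Set[int],
       gamma: Callable[[int], int] = lambda z: z) -> int:
    """mu(Q,U,V) = #{((x,y),u,v) in Q x U x V : x xor u = Gamma(y xor v)}, brute force."""
    return sum(1 for x, y in Q for u in U for v in V if x ^ u == gamma(y ^ v))


def lemma4_rhs(q: int, phi_q: int, U: Set[int], V: Set[int]) -> float:
    """Right-hand side of Lemma 4: q|U||V|/N + Phi(Q) sqrt(|U||V|)."""
    return q * len(U) * len(V) / N + phi_q * math.sqrt(len(U) * len(V))


def check_lemma4(seed: int = 7, q: int = 24, size: int = 16) -> Tuple[float, float]:
    """Slack (rhs - mu) of Lemma 4 for one transcript of q forward queries to a random
    permutation, against (a) random U, V and (b) U = queried inputs, V = their answers.
    Lemma 4 has no hypothesis, so both values must be >= 0 for every seed."""
    rng = random.Random(seed)
    P = rng.sample(range(N), N)           # random permutation as a lookup table (constructed)
    xs = rng.sample(range(N), q)          # q distinct forward queries
    Q = [(x, P[x]) for x in xs]           # transcript Q of the interaction
    phi_q = phi(Q)
    U_rand = set(rng.sample(range(N), size))
    V_rand = set(rng.sample(range(N), size))
    U_str = {x for x, _ in Q[:size]}
    V_str = {y for _, y in Q[:size]}
    return (lemma4_rhs(q, phi_q, U_rand, V_rand) - mu(Q, U_rand, V_rand),
            lemma4_rhs(q, phi_q, U_str, V_str) - mu(Q, U_str, V_str))


if __name__ == "__main__":
    slack_rand, slack_str = check_lemma4()
    print(f"Lemma 4 slack: random U,V = {slack_rand:.2f}, query-derived U,V = {slack_str:.2f}")
    print("identity (5) for S = {1,2,3}:", parseval_lhs({1, 2, 3}) == N * 3)
```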

Upper Bounding Non-Principal Fourier Coefficients Having established Lemma 4, it remains to find an upper bound on \(\varPhi (\mathcal {Q})\) holding with high probability over the random choice of P and the random coins of the adversary. For this, we will need the following extension of the Chernoff bound to “moderately dependent” random variables.

Lemma 5

Let \(0\le \varepsilon \le 1/2\), and let \(\varvec{A}=(A_i)_{1\le i\le q}\) be a sequence of random variables taking values in \(\{\pm 1\}\). Assume that for any \(1\le i\le q\) and any sequence \((a_1,\ldots ,a_{i-1})\in \{\pm 1\}^{i-1}\), one has

$$\begin{aligned} \Pr \left[ A_i=1\,|\, (A_1,\ldots ,A_{i-1})=(a_1,\ldots ,a_{i-1})\right] \le \frac{1}{2}+\varepsilon . \end{aligned}$$

Then, for any \(\delta \in [0,1]\), one has

$$\begin{aligned} \Pr \left[ \sum _{i=1}^q A_i \ge q(2\varepsilon +\delta ) \right] \le e^{-\frac{q\delta ^2}{12}}. \end{aligned}$$

Proof

Let \(\varvec{B}=(B_i)_{1\le i\le q}\) be independent and identically distributed random variables such that

$$\begin{aligned} \Pr [B_{i}=1]=\frac{1}{2}+\varepsilon \quad \text {and} \quad \Pr [B_{i}=-1]=\frac{1}{2}-\varepsilon . \end{aligned}$$

We first show that for any r, we have

$$\begin{aligned} \Pr \left[ \sum _{i=1}^{q}A_{i}\ge r\right] \le \Pr \left[ \sum _{i=1}^{q}B_{i}\ge r\right] . \end{aligned}$$
(7)

We prove this with a coupling-like argument. Let \(\mathsf {Ber}_p\) denote the \(\pm 1\) Bernoulli distribution of parameter p (which takes value 1 with probability p and \(-1\) with probability \(1-p\)). Consider the following sampling process (we assume \(\varepsilon <1/2\) here, but this is wlog since the lemma trivially holds for \(\varepsilon =1/2\)):

[Figure: the sampling process]

Then clearly \((u_1,\ldots ,u_q)\sim \varvec{A}\). Moreover, \((v_1,\ldots ,v_q)\sim \varvec{B}\). Indeed, for any \(i=1,\ldots ,q\), and any sequence \((v_1,\ldots ,v_{i-1})\in \{\pm 1\}^{i-1}\), one has

$$\begin{aligned} \Pr [v_i=1| (v_1,\ldots ,v_{i-1})]=p+p'(1-p)=\frac{1}{2}+\varepsilon . \end{aligned}$$

Note that during the sampling process, \(u_i=1\) implies \(v_i=1\), so that for any r,

$$\begin{aligned} \sum _{i=1}^q u_i \ge r \Longrightarrow \sum _{i=1}^q v_i\ge r, \end{aligned}$$

which implies (7).

Fix now \(\delta \in [0,1]\), and let \((B'_i)_{1\le i\le q}\) be defined as

$$\begin{aligned} B'_i=\frac{1+B_i}{2}, \end{aligned}$$

so that

$$\begin{aligned} \Pr [B'_{i}=1]=\frac{1}{2}+\varepsilon \quad \text {and} \quad \Pr [B'_{i}=0]=\frac{1}{2}-\varepsilon . \end{aligned}$$

Let \(m=\mathbb {E}(\sum _{i=1}^q B'_i)=q(1/2+\varepsilon )\). Then, the Chernoff bound asserts that for any \(0\le \delta '\le 1\), one has

$$\begin{aligned} \Pr \left[ \sum _{i=1}^q B'_i\ge (1+\delta ')m \right] \le e^{\frac{-m\delta '^2}{3}}. \end{aligned}$$

Substituting \(\delta '=\frac{q\delta }{2m}=\frac{\delta }{1+2\varepsilon }\) in the inequality above yields (note that \(\delta \in [0,1]\Rightarrow \delta '\in [0,1]\))

$$\begin{aligned} \Pr \left[ \sum _{i=1}^q B_i\ge q(2\varepsilon +\delta ) \right] =\Pr \left[ \sum _{i=1}^q B'_i\ge \left( 1+\frac{q\delta }{2m}\right) m \right] \le e^{-\frac{q^2\delta ^2}{12m}}\le e^{-\frac{q\delta ^2}{12}}, \end{aligned}$$

which combined with (7) concludes the proof. \(\square \)

We are now ready to prove an adequate upper bound on \(\varPhi (\mathcal {Q})\).

Lemma 6

Assume that \(25n\le q\le N/2\). Fix an adversary \(\mathcal {A}\) making q queries to a random permutation P. Let \(\mathcal {Q}\) denote the transcript of the interaction of \(\mathcal {A}\) with P. Then

$$\begin{aligned} \Pr _{P,\omega }\left[ \varPhi (\mathcal {Q})\ge \frac{2q^2}{N}+5\sqrt{nq}\right] \le \frac{2}{N}, \end{aligned}$$

where the probability is taken over the random choice of P and the random coins \(\omega \) of \(\mathcal {A}\).

Proof

Throughout this proof, \(\Pr [\cdot ]\) denotes \(\Pr _{P,\omega }[\cdot ]\). Fix \(\alpha ,\beta \in \{0,1\}^n\), \(\alpha \ne 0\) and \(\beta \ne 0\). Letting \(\mathcal {Q}=((x_1,y_1),\ldots ,(x_q,y_q))\) following the natural ordering of the queries of \(\mathcal {A}\), we define the sequence of random variables \((A_i)_{1\le i\le q}\) where \(A_i=(-1)^{\alpha \cdot x_i\oplus \beta \cdot y_i}\). Then \(\varPhi _{\alpha ,\beta }(\mathcal {Q})=|\sum _{i=1}^q A_i|\). In order to apply Lemma 5, we will show that for \(1\le i\le q\), and any sequence \((a_1,\ldots ,a_{i-1})\in \{\pm 1\}^{i-1}\), we have

$$\begin{aligned} p_i{\mathrel {\mathop =^{\mathrm{def}}}}\Pr \left[ A_i=1\,|\, (A_1,\ldots ,A_{i-1})=(a_1,\ldots ,a_{i-1})\right] \le \frac{1}{2}+\frac{q}{N}. \end{aligned}$$
(8)

Assume that the i-th query of the adversary to P is a forward query \(x_i\). Note that the answer \(y_i\) is distributed uniformly at random on a set of size \(N-i+1\). Also notice that, once \(x_i\) is fixed, there are exactly N/2 values \(y_i\) such that \(A_i=(-1)^{\alpha \cdot x_i\oplus \beta \cdot y_i}=1\), since \(\beta \ne 0\). Similarly, if the i-th query is a backward query \(y_i\), then the answer \(x_i\) is distributed uniformly at random on a set of size \(N-i+1\), and once \(y_i\) is fixed, there are exactly N/2 values \(x_i\) such that \(A_i=(-1)^{\alpha \cdot x_i\oplus \beta \cdot y_i}=1\), since \(\alpha \ne 0\). Hence, we have that

$$\begin{aligned} p_i\le \frac{N/2}{N-i+1} \le \frac{N}{2(N-q)} = \frac{1}{2}+\frac{q}{2(N-q)}\le \frac{1}{2}+\frac{q}{N}. \end{aligned}$$

We can now apply Lemma 5 with \(\varepsilon =q/N\) and we obtain, for any \(\delta \in [0,1]\),

$$\begin{aligned} \Pr \left[ \sum _{i=1}^q A_i \ge \frac{2q^2}{N}+q\delta \right] \le e^{-\frac{q\delta ^2}{12}}. \end{aligned}$$

Defining \(A'_i=-A_i\), and applying exactly the same reasoning, we obtain

$$\begin{aligned} \Pr \left[ \sum _{i=1}^q A_i \le -\left( \frac{2q^2}{N}+q\delta \right) \right] \le e^{-\frac{q\delta ^2}{12}}. \end{aligned}$$

Since \(\varPhi _{\alpha ,\beta }(\mathcal {Q})=|\sum _{i=1}^q A_i|\), by a union bound we obtain

$$\begin{aligned} \Pr \left[ \varPhi _{\alpha ,\beta }(\mathcal {Q}) \ge \frac{2q^2}{N}+q\delta \right] \le 2e^{-\frac{q\delta ^2}{12}}. \end{aligned}$$

Note that this holds for any \(\alpha \ne 0\) and \(\beta \ne 0\). Hence, by a union bound over all pairs \((\alpha ,\beta )\) and choosing \(\delta =\sqrt{(36\ln N)/q}\) (which, assuming \(q\ge 25n\), implies \(\delta \le 1\)), we finally obtain, using \(\sqrt{36\ln 2}\le 5\),

$$\begin{aligned} \Pr _{P,\omega }\left[ \varPhi (\mathcal {Q})\ge \frac{2q^2}{N}+5\sqrt{nq}\right] \le 2N^2e^{-\frac{q\delta ^2}{12}} \le \frac{2}{N}. \end{aligned}$$

\(\square \)

4 Slide Attacks Against the Even–Mansour Cipher

4.1 Slide Attack for Identical Round Keys and Identical Permutations

Consider the r-round Even–Mansour cipher with a single permutation P and identical round keys, which we simply denote \(\mathsf {EM}^P_k\) here. We show that there is a slide attack against this cipher with query and time complexity \(\mathcal {O}(2^{n/2})\), independently of the number r of rounds. This attack works as follows (we describe a distinguishing attack where the adversary \(\mathcal {D}\) interacts with a pair of permutations (E, P), and must distinguish whether E is truly random, or whether this is \(\mathsf {EM}^P_k\) for a random key k):

  1. Fix a nonzero \(c\in \{0,1\}^n\) and two subsets X, \(U\subset \{0,1\}^n\) such that \(|X|=|U|=2^{\frac{n}{2}}\) and

    $$\begin{aligned} X\oplus U=\{x\oplus u:x\in X, u\in U\}=\{0,1\}^n. \end{aligned}$$

    (For example, X consists of all strings whose last n/2 bits are zero, and U consists of all strings whose first n/2 bits are zero.)

  2. \(\mathcal {D}\) makes the queries

    • E(x) and \(E(x\oplus c)\) for \(x\in X\)

    • P(u) and \(P(u\oplus c)\) for \(u\in U\)

  3. Using the responses to the above queries, \(\mathcal {D}\) further makes the queries

    • E(P(u)) and \(E(P(u\oplus c))\) for \(u\in U\)

    • P(E(x)) and \(P(E(x\oplus c))\) for \(x\in X\)

  4. If there are \(x^*\in X\) and \(u^*\in U\) such that

    $$\begin{aligned} P(E(x^*))\oplus E(P(u^*))=P(E(x^*\oplus c))\oplus E(P(u^*\oplus c))=x^*\oplus u^* \end{aligned}$$
    (9)

    then \(\mathcal {D}\) outputs 1. Otherwise, \(\mathcal {D}\) outputs 0.

The numbers of E-queries and P-queries required for this attack are both at most \(2^{2+\frac{n}{2}}\) (there might be redundant queries). Moreover, this attack can easily be turned into a key-recovery attack, the key guess of the adversary being \(k=x^*\oplus u^*\) for \((x^*,u^*)\) satisfying Eq. (9).

Let us analyze the success probability of this attack. When \(\mathcal {D}\) is interacting with the real world \((\mathsf {EM}^P_k,P)\), then it always outputs 1 since the pair \((x^*,u^*)\) such that \(x^*\oplus u^*=k\), where k is the secret key, necessarily satisfies Eq. (9). This can easily be seen for example from the following “commutativity” property, holding for all \(x\in \{0,1\}^n\):

$$\begin{aligned} k\oplus P(\mathsf {EM}^P_k(x))=\mathsf {EM}^P_k(P(k\oplus x)). \end{aligned}$$

On the other hand, suppose that E is a random permutation that is independent of P. We will show that the probability of finding \((x^*,u^*)\) satisfying (9) is small. Fix any pair \((x,u)\in X\times U\). For any tuple \((y,y',v,v')\) of n-bit values such that \(y\ne y'\) and \(v\ne v'\), we define

$$\begin{aligned}&\mathsf {p}(y,y',v,v'){\mathrel {\mathop =^{\mathrm{def}}}}\Pr \left[ (x,u) \text { satisfies (9)} \,|\, \begin{array}{l} E(x)=y \wedge E(x\oplus c)=y'\\ P(u)=v \wedge P(u\oplus c)=v' \end{array}\right] \\&\quad = \Pr \left[ P(y)\oplus E(v)=P(y')\oplus E(v')=x\oplus u \,|\, \begin{array}{l} E(x)=y \wedge E(x\oplus c)=y'\\ P(u)=v \wedge P(u\oplus c)=v' \end{array}\right] . \end{aligned}$$

In order to upper bound \(\mathsf {p}(y,y',v,v')\), we distinguish the following four cases:

  1. If (\(y\notin \{u,u\oplus c\}\) or \(v\notin \{x,x\oplus c\}\)) and (\(y'\notin \{u,u\oplus c\}\) or \(v'\notin \{x,x\oplus c\}\)), then

    $$\begin{aligned} \mathsf {p}(y,y',v,v')\le \frac{1}{(N-2)(N-3)}. \end{aligned}$$

  2. If (\(y\in \{u,u\oplus c\}\) and \(v\in \{x,x\oplus c\}\)) and (\(y'\notin \{u,u\oplus c\}\) or \(v'\notin \{x,x\oplus c\}\)), then

    $$\begin{aligned} \mathsf {p}(y,y',v,v')\le \frac{1}{(N-2)}. \end{aligned}$$

  3. If (\(y\notin \{u,u\oplus c\}\) or \(v\notin \{x,x\oplus c\}\)) and (\(y'\in \{u,u\oplus c\}\) and \(v'\in \{x,x\oplus c\}\)), then

    $$\begin{aligned} \mathsf {p}(y,y',v,v')\le \frac{1}{(N-2)}. \end{aligned}$$

  4. If \(y\in \{u,u\oplus c\}\), \(v\in \{x,x\oplus c\}\), \(y'\in \{u,u\oplus c\}\), and \(v'\in \{x,x\oplus c\}\), then

    $$\begin{aligned} \mathsf {p}(y,y',v,v')\le 1. \end{aligned}$$

It remains to upper bound the number of tuples \((y,y',v,v')\) for each case, and we obtain:

Summing over \((x,u)\in X\times U\), we finally obtain

$$\begin{aligned} \Pr [\exists (x,u) \text { satisfying (9)}]{\le }\frac{N}{(N-2)(N-3)} +\frac{8}{N(N-2)}+\frac{4}{N(N-1)^2}{=}\mathcal {O}\left( \frac{1}{N}\right) . \end{aligned}$$

Hence, when interacting with the ideal world, \(\mathcal {D}\) outputs 1 with probability close to zero for large N. Thus, we just proved the following theorem.

Theorem 2

Consider the r-round iterated Even–Mansour construction with a single permutation and identical round keys \(\mathsf {EMSP}[n,r,\ell =n,\varvec{\gamma }=\mathbf{Id}]\). Then, there exists a distinguishing attack against this cipher which makes at most \(2^{2+\frac{n}{2}}\) queries both to the outer and to the inner permutation, and which has a distinguishing advantage \(1-\mathcal {O}(\frac{1}{N})\).

4.2 Extension to Key-Schedules Based on Xoring Constants for Two Rounds

We show that the slide attack of the previous section can be extended to the single-permutation two-round Even–Mansour cipher with a very basic key-schedule, namely when the three round keys are derived as \(k_i=k\oplus t_i\), where k is the n-bit master key and \((t_0,t_1,t_2)\) are three (public) n-bit constants. The distinguisher, interacting with a pair of permutations (E, P), proceeds as follows:

  1. Fix a nonzero \(c\in \{0,1\}^n\) and two subsets X, \(U\subset \{0,1\}^n\) such that \(|X|=|U|=2^{\frac{n}{2}}\) and

     $$\begin{aligned} X\oplus U=\{x\oplus u:x\in X, u\in U\}=\{0,1\}^n. \end{aligned}$$

     (For example, X consists of all strings whose last n/2 bits are zero, and U consists of all strings whose first n/2 bits are zero.)

  2. \(\mathcal {D}\) makes queries

     • E(x) and \(E(x\oplus c)\) for \(x\in X\)

     • P(u) and \(P(u\oplus c)\) for \(u\in U\)

  3. Using the responses to the above queries, \(\mathcal {D}\) further makes queries

     • \(E(t_0\oplus t_1\oplus P(u))\) and \(E(t_0\oplus t_1 \oplus P(u\oplus c))\) for \(u\in U\)

     • \(P(t_1\oplus t_2\oplus E(x))\) and \(P(t_1\oplus t_2\oplus E(x\oplus c))\) for \(x\in X\)

  4. If there are \(x^*\in X\) and \(u^*\in U\) such that

     $$\begin{aligned} \left\{ \begin{array}{l} P(t_1\oplus t_2\oplus E(x^*))\oplus E(t_0\oplus t_1\oplus P(u^*))=t_0\oplus t_2\oplus x^*\oplus u^* \\ P(t_1\oplus t_2\oplus E(x^*\oplus c))\oplus E(t_0\oplus t_1\oplus P(u^*\oplus c))=t_0\oplus t_2\oplus x^*\oplus u^* \end{array}\right. \end{aligned}$$
     (10)

     then \(\mathcal {D}\) outputs 1. Otherwise, \(\mathcal {D}\) outputs 0.

The numbers of E-queries and P-queries required for this attack are both at most \(2^{2+\frac{n}{2}}\) (there might be redundant queries). Moreover, this attack can easily be turned into a key-recovery attack, the key guess of the adversary being \(k=t_0\oplus x^*\oplus u^*\) for \((x^*,u^*)\) satisfying conditions (10).

Let us analyze the success probability of this attack. When \(\mathcal {D}\) is interacting with the real world \((\mathsf {EM}^P_k,P)\), then it always outputs 1 since the pair \((x^*,u^*)\) such that \(x^*\oplus u^*=k\oplus t_0\), where k is the secret master key, necessarily satisfies conditions (10). This can easily be seen for example from the following “commutativity” property, holding for all \(x\in \{0,1\}^n\):

$$\begin{aligned} k\oplus t_2\oplus P(t_1\oplus t_2\oplus \mathsf {EM}^P_k(x))=\mathsf {EM}^P_k(t_0\oplus t_1\oplus P(k\oplus t_0\oplus x)). \end{aligned}$$

When the distinguisher is interacting with the ideal world (E, P), where E is a random permutation that is independent from P, then if we set \(P'=t_0 \oplus t_1 \oplus P\) and \(E'=t_1 \oplus t_2 \oplus E\), Eq. (10) simplifies into Eq. (9) with E and P replaced by \(E'\) and \(P'\) (which are still independent random permutations), so that we can use exactly the same analysis as for the original attack of Sect. 4.1. Hence \(\mathcal {D}\) outputs 1 with probability \(\mathcal {O}(\frac{1}{N})\). Thus, we have the following theorem.

Theorem 3

Consider the two-round Even–Mansour construction \(\mathsf {EMSP}[n,2,\ell =n,\varvec{\gamma }]\) with a single permutation and round keys \(k_i\) derived from the n-bit master key k as \(\gamma _i(k)=k\oplus t_i\), for publicly specified constants \((t_0,t_1,t_2)\). Then, there exists a distinguishing attack against this cipher which makes at most \(2^{2+\frac{n}{2}}\) queries both to the outer and to the inner permutation, and which has a distinguishing advantage \(1-\mathcal {O}(\frac{1}{N})\).
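As an added, runnable illustration (not part of the original paper), the following Python code implements the single-permutation two-round cipher with round keys \(k\oplus t_i\) on a small block size, runs steps 1–4 above as a key-recovery attack against it, and runs the same procedure against an independent random permutation E (the ideal world). Setting t = (0, 0, 0) gives the attack of Sect. 4.1 for r = 2. The block size n = 20, the seed, the choice c = 1 and the hash-table matching of the two sides of (10) are implementation choices of this example; the random permutations are sampled as lookup tables, which is exactly the random permutation model at this size.

```python
import random


class Oracle:
    """Black-box forward access to a permutation, recording the set of distinct inputs queried."""

    def __init__(self, f):
        self._f = f
        self.queries = set()

    def __call__(self, x):
        self.queries.add(x)
        return self._f(x)


def random_permutation(n, rng):
    """Uniformly random permutation of {0,1}^n as a lookup table (random permutation model)."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


def em2(P, k, t, x):
    """EMSP with a single permutation table P and round keys k_i = k ^ t_i (Sect. 4.2);
    t = (0, 0, 0) gives the identical-round-key cipher of Sect. 4.1 for r = 2."""
    return P[P[x ^ k ^ t[0]] ^ k ^ t[1]] ^ k ^ t[2]


def commutativity_holds(P, k, t, x):
    """The sliding identity used to show the real world always outputs 1:
    k ^ t2 ^ P(t1 ^ t2 ^ EM(x)) == EM(t0 ^ t1 ^ P(k ^ t0 ^ x))."""
    lhs = k ^ t[2] ^ P[t[1] ^ t[2] ^ em2(P, k, t, x)]
    rhs = em2(P, k, t, t[0] ^ t[1] ^ P[k ^ t[0] ^ x])
    return lhs == rhs


def slide_attack(n, E, P, t, c=1):
    """Steps 1-4 of Sect. 4.2. E and P are oracles; t = (t0, t1, t2) are the public constants.
    Returns the set of key guesses t0 ^ x ^ u over all (x, u) in X x U satisfying (10):
    in the real world it contains the secret key, in the ideal world it is empty except
    with probability O(1/N)."""
    assert n % 2 == 0 and c != 0
    h = n // 2
    X = [x << h for x in range(1 << h)]  # last n/2 bits zero
    U = list(range(1 << h))              # first n/2 bits zero, so X ^ U = {0,1}^n
    t01, t12, t02 = t[0] ^ t[1], t[1] ^ t[2], t[0] ^ t[2]
    # Both lines of (10) read  P(t12 ^ E(x)) ^ x ^ t02 == E(t01 ^ P(u)) ^ u  (with (x, u)
    # or (x ^ c, u ^ c)), so the 2^{n/2} x 2^{n/2} candidate pairs are matched through a
    # hash table keyed on the right-hand sides instead of scanning all N pairs.
    table = {}
    for u in U:
        tag = (E(t01 ^ P(u)) ^ u, E(t01 ^ P(u ^ c)) ^ u)
        table.setdefault(tag, []).append(u)
    guesses = set()
    for x in X:
        tag = (P(t12 ^ E(x)) ^ x ^ t02, P(t12 ^ E(x ^ c)) ^ x ^ t02)
        for u in table.get(tag, ()):
            guesses.add(t[0] ^ x ^ u)
    return guesses


def run_experiment(n=20, seed=7):
    """Real world (EM^P_k, P) versus ideal world (E, P) with E independent of P."""
    rng = random.Random(seed)
    P_table = random_permutation(n, rng)
    t = tuple(rng.randrange(1 << n) for _ in range(3))  # public constants t0, t1, t2
    k = rng.randrange(1 << n)                           # secret master key
    P = Oracle(P_table.__getitem__)
    E_real = Oracle(lambda x: em2(P_table, k, t, x))
    real_guesses = slide_attack(n, E_real, P, t)

    E_table = random_permutation(n, rng)                # ideal world: E independent of P
    ideal_guesses = slide_attack(n, Oracle(E_table.__getitem__), Oracle(P_table.__getitem__), t)

    return {
        "key": k,
        "real_guesses": real_guesses,
        "ideal_guesses": ideal_guesses,
        "commutes": all(commutativity_holds(P_table, k, t, rng.randrange(1 << n)) for _ in range(64)),
        "e_queries": len(E_real.queries),
        "p_queries": len(P.queries),
        "query_budget": 1 << (2 + n // 2),  # 2^{2 + n/2} distinct queries per oracle
    }


if __name__ == "__main__":
    r = run_experiment()
    print("secret key       :", hex(r["key"]))
    print("real-world guess :", {hex(g) for g in r["real_guesses"]})
    print("ideal-world      :", r["ideal_guesses"] or "no pair satisfies (10)")
    print("queries E / P    :", r["e_queries"], r["p_queries"], "<=", r["query_budget"])
```

The query counter confirms the bound of \(2^{2+\frac{n}{2}}\) distinct queries per oracle stated after step 4, and the `commutes` flag checks the sliding identity on random inputs, which is the reason the real world always yields the true key among the guesses.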

Fig. 4

The two-round Even–Mansour cipher with independent permutations and identical round keys

5 Security Proof for Independent Permutations and Identical Round Keys

5.1 Statement of the Result and Discussion

In this section, we study the security of the two-round Even–Mansour construction with two independent permutations and identical round keys \(\mathsf {EMIP}[n,2]\) (depicted in Fig. 4). More precisely, we prove the following theorem.

Theorem 4

(Independent permutations and identical round keys) Consider the two-round Even–Mansour cipher with independent permutations and identical round keys \(\mathsf {EMIP}[n,2]\). Assume that \(n\ge 11\), \(q_e\ge 25n\), \(q_p\ge 25n\), and \(2q_e+2q_p\le N\). Then, the following upper bounds hold:

  (i) When \(q_e\le 2^{\frac{n}{4}}\), one has

     $$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMIP}[n,2]}(q_e,q_p)\le \frac{6q_eq_p}{N}. \end{aligned}$$
     (11)

  (ii) When \(2^{\frac{n}{4}}\le q_e\le 2^{\frac{2n}{3}}\), one has

     $$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMIP}[n,2]}(q_e,q_p)\le \frac{6}{N} +(13+15\sqrt{n})\left( \frac{q_e q_p^5}{N^4}\right) ^{\frac{1}{5}} . \end{aligned}$$
     (12)

  (iii) When \(2^{\frac{2n}{3}}\le q_e\le 2^{\frac{3n}{4}}\), one has

     $$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMIP}[n,2]}(q_e,q_p)\le \frac{6}{N} +(13+15\sqrt{n})\frac{q_e^2 q_p}{N^2} . \end{aligned}$$
     (13)

  (iv) When \(q_e\ge 2^{\frac{3n}{4}}\), one has

     $$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMIP}[n,2]}(q_e,q_p)\le \frac{1}{eN} + \frac{nq_p^2}{N}. \end{aligned}$$
     (14)

Discussion Before proceeding to the proof, we discuss Theorem 4. As is clear from the form of the theorem, we can identify four “regimes” for the security bound depending on \(q_e\). The “low \(q_e\)” regime corresponds to \(q_e\le 2^{\frac{n}{4}}\), where the security bound is given by (11), which is, up to constant terms, exactly the same bound as for the one-round Even–Mansour cipher [12, 15]. There are two “medium \(q_e\)” regimes, derived with the same analysis but where two different terms dominate the security bound, which correspond, respectively, to \(2^{\frac{n}{4}}\le q_e \le 2^{\frac{2n}{3}}\), where the security bound is given by (12), and \(2^{\frac{2n}{3}}\le q_e \le 2^{\frac{3n}{4}}\) where the security bound is given by (13). Finally, the “large \(q_e\)” regime corresponds to \(q_e \ge 2^{\frac{3n}{4}}\), where the security bound is given by (14) and caps at \(q_p=2^{\frac{n}{2}}\). See Fig. 2 in Sect. 1 where the security bound is plotted in the \((q_e,q_p)\) plane.

If we put a global upper bound on the total number of queries of the adversary by letting \(q=\max (q_e,q_p)\), then, assuming \(q\le 2^{\frac{2n}{3}}\), the second upper bound of Theorem 4 simplifies into

$$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMIP}[n,2]}(q,q)\le \frac{6}{N} +(13+15\sqrt{n})\left( \frac{q^6}{N^4}\right) ^{\frac{1}{5}}\le \frac{6}{2^n}+\frac{13q}{2^{\frac{2n}{3}}}+\frac{15q}{2^{\frac{2n}{3}-\frac{1}{2}\log _2n}} . \end{aligned}$$

Hence, security is ensured up to \(\mathcal {O}(2^{\frac{2n}{3}-\frac{1}{2}\log _2 n})= \widetilde{\mathcal {O}}(2^{\frac{2n}{3}})\) total queries of the adversary.

The remainder of this section is devoted to the proof of Theorem 4.

5.2 Definition and Probability of Bad Transcripts

Following the general methodology outlined in Sect. 2.4, our first task will be to define the set \(\mathcal {T}_2\) of bad transcripts \(\tau =(\mathcal {Q}_E,\mathcal {Q}_{P_1},\mathcal {Q}_{P_2},k)\), with \(|\mathcal {Q}_E|=q_e\) and \(|\mathcal {Q}_{P_1}|=|\mathcal {Q}_{P_2}|=q_p\). Informally, a transcript is bad if the key creates “chains” in the permutation transcript. The formal definition follows.

Definition 1

(Bad transcript, independent permutations case) We say that a transcript \(\tau =(\mathcal {Q}_E,\mathcal {Q}_{P_1},\mathcal {Q}_{P_2},k)\in \mathcal {T}\) is bad if

$$\begin{aligned} k\in \mathsf {BadK}=\bigcup _{1\le i\le 3} \mathsf {BadK}_i \end{aligned}$$

where:

$$\begin{aligned} k\in \mathsf {BadK}_1&\Leftrightarrow k=x\oplus u_1=v_2\oplus y \text { for some }(x,y)\in \mathcal {Q}_E, (u_1,v_1)\in \mathcal {Q}_{P_1}, (u_2,v_2)\in \mathcal {Q}_{P_2}\\ k\in \mathsf {BadK}_2&\Leftrightarrow k=x\oplus u_1=v_1\oplus u_2 \text { for some }(x,y)\in \mathcal {Q}_E, (u_1,v_1)\in \mathcal {Q}_{P_1}, (u_2,v_2)\in \mathcal {Q}_{P_2}\\ k\in \mathsf {BadK}_3&\Leftrightarrow k=v_1\oplus u_2=v_2\oplus y \text { for some }(x,y)\in \mathcal {Q}_E, (u_1,v_1)\in \mathcal {Q}_{P_1}, (u_2,v_2)\in \mathcal {Q}_{P_2}. \end{aligned}$$

Otherwise, \(\tau \) is said good. We denote \(\mathcal {T}_2\) the set of bad transcripts, and \(\mathcal {T}_1=\mathcal {T}\setminus \mathcal {T}_2\) the set of good transcripts.

We first upper bound the probability of obtaining a bad transcript in the ideal world.

Lemma 7

Depending on \((q_e,q_p)\), the following upper bounds hold:

  (i) For any integers \(q_e\) and \(q_p\), one has

     $$\begin{aligned} \Pr [T_{\mathrm{id}}\in \mathcal {T}_2]\le \frac{2q_eq_p}{N}. \end{aligned}$$

  (ii) When \(25n\le q_e\le N/2\) and \(25n\le q_p\le N/2\), one has

     $$\begin{aligned} \Pr [T_{\mathrm{id}}\in \mathcal {T}_2]\le \frac{6}{N}+\frac{2q_e^2q_p+3q_eq_p^2+4q_p^2\sqrt{q_eq_p}}{N^2}+\frac{15q_p\sqrt{nq_e}}{N}. \end{aligned}$$

  (iii) For \(q_e=N\) and any integer \(q_p\), one has, assuming \(n\ge 11\),

     $$\begin{aligned} \Pr [T_{\mathrm{id}}\in \mathcal {T}_2]\le \frac{1}{eN} + \frac{nq_p^2}{N}. \end{aligned}$$

Proof

Note that in the ideal world, sets \(\mathsf {BadK}_1\), \(\mathsf {BadK}_2\) and \(\mathsf {BadK}_3\) only depend on the random permutations E, \(P_1\), and \(P_2\), and not on the key k, which is drawn uniformly at random at the end of the interaction of the distinguisher with \((E,P_1,P_2)\). Hence, for any \(C>0\), we can write

(15)

With this observation at hand, we first prove (i). Note that one always has, independently of E, \(P_1\), and \(P_2\),

$$\begin{aligned} |\mathsf {BadK}|&\le |\{x\oplus u_1:(x,y)\in \mathcal {Q}_E,(u_1,v_1)\in \mathcal {Q}_{P_1}\}|\\&\quad +|\{v_2\oplus y:(x,y)\in \mathcal {Q}_E,(u_2,v_2)\in \mathcal {Q}_{P_2}\}|\\&\le 2q_eq_p. \end{aligned}$$

The first upper bound follows by (15) with \(C=2q_eq_p\).

We then prove the more complex upper bound of (ii), using the sum-capture theorem of Sect. 3. Given a permutation transcript \((\mathcal {Q}_E,\mathcal {Q}_{P_1},\mathcal {Q}_{P_2})\), let:

$$\begin{aligned} X&=\{x\in \{0,1\}^n : (x,y)\in \mathcal {Q}_E\},&Y&=\{y\in \{0,1\}^n : (x,y)\in \mathcal {Q}_E\},\\ U_1&=\{u_1\in \{0,1\}^n : (u_1,v_1)\in \mathcal {Q}_{P_1}\},&V_1&=\{v_1\in \{0,1\}^n : (u_1,v_1)\in \mathcal {Q}_{P_1}\},\\ U_2&=\{u_2\in \{0,1\}^n : (u_2,v_2)\in \mathcal {Q}_{P_2}\},&V_2&=\{v_2\in \{0,1\}^n : (u_2,v_2)\in \mathcal {Q}_{P_2}\} \end{aligned}$$

denote the domains and ranges of \(\mathcal {Q}_E\), \(\mathcal {Q}_{P_1}\), and \(\mathcal {Q}_{P_2}\), respectively. Then, one has

$$\begin{aligned} |\mathsf {BadK}_1|&\le \mu (\mathcal {Q}_E,U_1,V_2){\mathrel {\mathop =^{\mathrm{def}}}}|\{((x,y),u_1,v_2)\in \mathcal {Q}_E\times U_1\times V_2: x\oplus u_1=v_2\oplus y\}|\\ |\mathsf {BadK}_2|&\le \mu (\mathcal {Q}_{P_1},X,U_2){\mathrel {\mathop =^{\mathrm{def}}}}|\{((u_1,v_1),x,u_2)\in \mathcal {Q}_{P_1}\times X\times U_2: x\oplus u_1=v_1\oplus u_2\}|\\ |\mathsf {BadK}_3|&\le \mu (\mathcal {Q}_{P_2},V_1,Y){\mathrel {\mathop =^{\mathrm{def}}}}|\{((u_2,v_2),v_1,y)\in \mathcal {Q}_{P_2}\times V_1\times Y: v_1\oplus u_2=v_2\oplus y\}|. \end{aligned}$$

We can now use Theorem 1 (with \(\varGamma \) the identity mapping) to upper bound \(|\mathsf {BadK}_i|\) for \(i=1,2,3\), with high probability (note that in order to apply this theorem to upper bound, say, \(|\mathsf {BadK}_1|\), we consider the combination of the distinguisher \(\mathcal {D}\) and permutations \(P_1\) and \(P_2\) as a probabilistic adversary \(\mathcal {A}\) interacting with permutation E, resulting in transcript \(\mathcal {Q}_E\)). We obtain that for

$$\begin{aligned} C_1&=\frac{q_eq_p^2}{N}+\frac{2q_e^2q_p}{N} +5q_p\sqrt{n q_e}\\ C_2&=C_3=\frac{q_eq_p^2}{N}+\frac{2q_p^2\sqrt{q_eq_p}}{N}+5q_p\sqrt{nq_e}, \end{aligned}$$

one has for each \(i=1,2,3\). Applying (15) with \(C=C_1+C_2+C_3\) completes the proof of (ii).

It remains to prove (iii). Hence, we assume now that \(q_e=N\), so that \(\mathcal {Q}_E\) simply consists of all pairs (x, E(x)) for \(x\in \{0,1\}^n\). It is easy to see that one always has, independently of E, \(P_1\), and \(P_2\),

$$\begin{aligned} |\mathsf {BadK}_2\cup \mathsf {BadK}_3| \le |\{v_1\oplus u_2: (u_1,v_1)\in \mathcal {Q}_{P_1},(u_2,v_2)\in \mathcal {Q}_{P_2}\}|\le q_p^2. \end{aligned}$$

In order to upper bound \(|\mathsf {BadK}_1|\), we consider the maximum multiplicity of the multiset

$$\begin{aligned} W=\{x\oplus E(x):x\in \{0,1\}^n\}. \end{aligned}$$

For any integer \(d\ge 1\), the probability that one finds an element of multiplicity at least d in W over the random choice of \(E\in \mathcal {P}_n\) is upper bounded by

$$\begin{aligned} N\left( {\begin{array}{c}N\\ d\end{array}}\right) \frac{(N-d)!}{N!}= \frac{N}{d!}\le \frac{N}{e}\left( \frac{e}{d}\right) ^d. \end{aligned}$$

If there is no element of multiplicity d or more in W, then the size of \(\mathsf {BadK}_1\) is upper bounded by \((d-1)q_p^2\). Hence, if we set \(d=n\) and \(C=q_p^2+(n-1)q_p^2=nq_p^2\), we obtain that

where for the last inequality we used that \(n\ge 11\ge 4e\). By (15), this completes the proof of (iii). \(\square \)
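As an added illustration (not part of the original paper), the following Python code computes the three sets of Definition 1 from a transcript, exhibits a real-world transcript in which the key "creates a chain" through the three queries and therefore lands in every \(\mathsf {BadK}_i\), and estimates \(\Pr [T_{\mathrm{id}}\in \mathcal {T}_2]\) in the ideal world by sampling the permutations lazily on the queried points and drawing the key afterwards, as in the proof above. The block size n = 12, the query counts and the seeds are parameters of this example; the counting bound \(|\mathsf {BadK}|\le 2q_eq_p\) used for (i) is asserted on every sampled transcript.

```python
import random


def bad_keys(QE, QP1, QP2):
    """BadK_1, BadK_2, BadK_3 of Definition 1 for transcripts given as lists of (input, output) pairs.
    Each set is computed in O(q_e q_p) time: solve the two equalities for the third value and test
    membership in the relevant domain or range (note that x and y come from the same pair of Q_E,
    and likewise for (u_1, v_1) and (u_2, v_2))."""
    V1 = {v1 for _, v1 in QP1}
    U2 = {u2 for u2, _ in QP2}
    V2 = {v2 for _, v2 in QP2}
    bad1 = {x ^ u1 for x, y in QE for u1, _ in QP1 if (x ^ u1 ^ y) in V2}     # x^u1 = v2^y
    bad2 = {x ^ u1 for x, _ in QE for u1, v1 in QP1 if (x ^ u1 ^ v1) in U2}   # x^u1 = v1^u2
    bad3 = {v2 ^ y for _, y in QE for u2, v2 in QP2 if (v2 ^ y ^ u2) in V1}   # v1^u2 = v2^y
    return bad1, bad2, bad3


def random_permutation(n, rng):
    """Uniformly random permutation of {0,1}^n as a lookup table."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


def emip2(P1, P2, k, x):
    """EMIP[n,2]: y = P2(P1(x ^ k) ^ k) ^ k with independent permutation tables P1, P2 (Fig. 4)."""
    return P2[P1[x ^ k] ^ k] ^ k


def chained_transcript(n, k, seed=0):
    """A real-world transcript whose three queries form a chain x -> u1 -> u2 -> y through k:
    u1 = x ^ k, u2 = P1(u1) ^ k, and P2(u2) ^ k = E(x). Such a k lies in all three BadK_i."""
    rng = random.Random(seed)
    P1, P2 = random_permutation(n, rng), random_permutation(n, rng)
    x = rng.randrange(1 << n)
    y = emip2(P1, P2, k, x)
    u1 = x ^ k
    v1 = P1[u1]
    u2 = v1 ^ k
    v2 = P2[u2]
    return [(x, y)], [(u1, v1)], [(u2, v2)]


def ideal_bad_fraction(n, qe, qp, trials, seed=0):
    """Estimate Pr[T_id in T_2]: E, P1, P2 are sampled lazily on the queried points (distinct
    inputs paired with distinct outputs, i.e. a random injection, which is how a random
    permutation looks on q points) and k is drawn uniformly after the interaction, as in the
    proof of Lemma 7. Returns (empirical fraction, bound 2 q_e q_p / N of part (i))."""
    rng = random.Random(seed)
    N = 1 << n
    hits = 0
    for _ in range(trials):
        QE = list(zip(rng.sample(range(N), qe), rng.sample(range(N), qe)))
        QP1 = list(zip(rng.sample(range(N), qp), rng.sample(range(N), qp)))
        QP2 = list(zip(rng.sample(range(N), qp), rng.sample(range(N), qp)))
        b1, b2, b3 = bad_keys(QE, QP1, QP2)
        badk = b1 | b2 | b3
        assert len(badk) <= 2 * qe * qp  # the counting bound used for Lemma 7 (i)
        k = rng.randrange(N)
        hits += k in badk
    return hits / trials, 2 * qe * qp / N


if __name__ == "__main__":
    n, k = 12, 0xABC
    b1, b2, b3 = bad_keys(*chained_transcript(n, k, seed=1))
    print("chained key in BadK_1/2/3:", k in b1, k in b2, k in b3)
    frac, bound = ideal_bad_fraction(n, qe=16, qp=16, trials=200, seed=2)
    print(f"ideal world: empirical Pr[bad] = {frac:.4f}, bound 2 q_e q_p / N = {bound:.4f}")
```

The empirical fraction is far below \(2q_eq_p/N\): the bound of part (i) only counts candidate keys, whereas a typical transcript has \(|\mathsf {BadK}_1|\approx q_eq_p^2/N\), which is what the sum-capture analysis of part (ii) exploits.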

5.3 Good Transcripts and Their Properties

In the second stage of the proof, we show that for any good transcript \(\tau \), the ratio between the probabilities to obtain \(\tau \) in the ideal world and the real world is close to 1.

Lemma 8

Fix any good transcript \(\tau \in \mathcal {T}_1\). Then, depending on \(q_e\) and \(q_p\), the following lower bounds hold:

  (i) For any integers \(q_e\) and \(q_p\) such that \(2q_e+2q_p\le N\), one has

     $$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}\ge 1-\frac{4q_eq_p^2}{N^2}. \end{aligned}$$

  (ii) For \(q_e=N\) and any integer \(q_p\), one has

     $$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}\ge 1 . \end{aligned}$$

Proof

Fix a good transcript \(\tau =(\mathcal {Q}_E,\mathcal {Q}_{P_1},\mathcal {Q}_{P_2},k)\in \mathcal {T}_1\). In the following, we let:

so that, by Lemma 2,

$$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}=(N)_{q_e}\cdot \mathsf {p}(\tau ). \end{aligned}$$
(16)

Hence, we now have to lower bound \(\mathsf {p}(\tau )\). First, we modify the inner permutations \(P_1,P_2\) and the transcript in order to “get rid” of the key k. For this, we define:

$$\begin{aligned} P'_1&=P_1\oplus k\\ P'_2&=P_2\oplus k\\ \mathcal {Q}'_E&=\{(x\oplus k,y): (x,y)\in \mathcal {Q}_E\}\\ \mathcal {Q}'_{P_1}&=\{(u_1,v_1\oplus k):(u_1,v_1)\in \mathcal {Q}_{P_1}\}\\ \mathcal {Q}'_{P_2}&=\{(u_2,v_2\oplus k):(u_2,v_2)\in \mathcal {Q}_{P_2}\}. \end{aligned}$$

Then, one clearly has:

Let:

$$\begin{aligned} X&=\{x'\in \{0,1\}^n : (x',y')\in \mathcal {Q}'_E\},&Y&=\{y'\in \{0,1\}^n : (x',y')\in \mathcal {Q}'_E\},\\ U_1&=\{u'_1\in \{0,1\}^n : (u'_1,v'_1)\in \mathcal {Q}'_{P_1}\},&V_1&=\{v'_1\in \{0,1\}^n : (u'_1,v'_1)\in \mathcal {Q}'_{P_1}\},\\ U_2&=\{u'_2\in \{0,1\}^n : (u'_2,v'_2)\in \mathcal {Q}'_{P_2}\},&V_2&=\{v'_2\in \{0,1\}^n : (u'_2,v'_2)\in \mathcal {Q}'_{P_2}\} \end{aligned}$$

denote the domains and ranges of \(\mathcal {Q}'_E\), \(\mathcal {Q}'_{P_1}\), and \(\mathcal {Q}'_{P_2}\), respectively. We also define \(\alpha _1=|V_2\cap Y|\) and \(\alpha _2=|X\cap U_1|\). We can now rewrite the fact that \(\tau \) is good as follows (see Fig. 5):

$$\begin{aligned} k\notin \mathsf {BadK}_1&\Leftrightarrow \mathcal {Q}'_E(X\cap U_1) \text { is disjoint from } V_2 {\Leftrightarrow } (\mathcal {Q}'_E)^{-1}(V_2\cap Y) \text { is disjoint from } U_1\\ k\notin \mathsf {BadK}_2&\Leftrightarrow \mathcal {Q}'_{P_1}(X\cap U_1) \text { is disjoint from } U_2\\ k\notin \mathsf {BadK}_3&\Leftrightarrow (\mathcal {Q}'_{P_2})^{-1}(V_2\cap Y) \text { is disjoint from } V_1. \end{aligned}$$

To see why the first equivalence holds, note that:

$$\begin{aligned}&\mathcal {Q}'_E(X\cap U_1) \cap V_2 \ne \emptyset \\&\quad \Leftrightarrow \, x'{=}u'_1 \text { and } y'{=}v'_2 \text { for some } (x',y')\in \mathcal {Q}'_E, (u'_1,v'_1)\in \mathcal {Q}'_{P_1}, \text { and } (u'_2,v'_2)\in \mathcal {Q}'_{P_2}\\&\quad \Leftrightarrow \, k{=}x\oplus u_1 \text { and } k{=}v_2\oplus y \text { for some } (x,y){\in }\mathcal {Q}_E, (u_1,v_1){\in }\mathcal {Q}_{P_1}, \text { and } (u_2,v_2){\in }\mathcal {Q}_{P_2}\\&\quad \Leftrightarrow \, k\in \mathsf {BadK}_1. \end{aligned}$$

The other cases are proved similarly.

Fig. 5

Graphical help for the proof of Lemma 8. X and Y are of size \(q_e\), while \(U_1\), \(V_1\), \(U_2\), and \(V_2\) are of size \(q_p\). The red zones are of size \(\alpha _1\) and the green zones of size \(\alpha _2\)

This allows us to lower bound \(\mathsf {p}(\tau )\) as follows. Let \(\mathsf {E}_1\) denote the event that \(P'_1(x')=u'_2\) for each of the \(\alpha _1\) pairs of queries \(\left( (x',y'),(u'_2,v'_2)\right) \in \mathcal {Q}'_E\times \mathcal {Q}'_{P_2}\) such that \(y'=v'_2\) (red arrow in Fig. 5). Similarly, let \(\mathsf {E}_2\) be the event that \(P'_2(v'_1)=y'\) for each of the \(\alpha _2\) pairs of queries \(\left( (x',y'),(u'_1,v'_1)\right) \in \mathcal {Q}'_E\times \mathcal {Q}'_{P_1}\) such that \(x'=u'_1\) (green arrow in Fig. 5). Since \(P'_2\circ P'_1\vdash \mathcal {Q}'_E\) implies \(\mathsf {E}_1\) and \(\mathsf {E}_2\), we have

(17)

Moreover, since \((\mathcal {Q}'_E)^{-1}(V_2\cap Y)\) is disjoint from \(U_1\) and \((\mathcal {Q}'_{P_2})^{-1}(V_2\cap Y)\) is disjoint from \(V_1\), we have

Similarly, since \(\mathcal {Q}'_{P_1}(X\cap U_1)\) is disjoint from \(U_2\) and \(\mathcal {Q}'_E(X\cap U_1)\) is disjoint from \(V_2\), we have

Hence,

(18)

Let \(\alpha =\alpha _1+\alpha _2\). Conditioned on event \((P'_1\vdash \mathcal {Q}'_{P_1})\wedge (P'_2\vdash \mathcal {Q}'_{P_2})\wedge \mathsf {E}_1\wedge \mathsf {E}_2\), \(P'_1\) is fixed on \(q_p+\alpha _1\) points, \(P'_2\) is fixed on \(q_p+\alpha _2\) points, and \(P'_2\circ P'_1\) agrees with \(\mathcal {Q}'_E\) on \(\alpha \) pairs \((x',y')\). It remains to lower bound the probability \(\mathsf {p}^*\) that \(P'_2\circ P'_1\) completes the remaining \(q_e-\alpha \) evaluations needed to extend \(\mathcal {Q}'_E\), namely

Let \(S_1\), resp. \(T_1\), be the set of points for which \(P'_1\), resp. \((P'_1)^{-1}\), has not been determined. More formally:

$$\begin{aligned} S_1&=\{0,1\}^n\setminus (U_1\sqcup (\mathcal {Q}'_E)^{-1}(V_2\cap Y))\\ T_1&=\{0,1\}^n\setminus (V_1\sqcup (\mathcal {Q}'_{P_2})^{-1}(V_2\cap Y)). \end{aligned}$$

Similarly, let \(S_2\), resp. \(T_2\), be the set of points for which \(P'_2\), resp. \((P'_2)^{-1}\), has not been determined. More formally:

$$\begin{aligned} S_2&=\{0,1\}^n\setminus (U_2\sqcup \mathcal {Q}'_{P_1}(X\cap U_1))\\ T_2&=\{0,1\}^n\setminus (V_2\sqcup \mathcal {Q}'_E(X\cap U_1)). \end{aligned}$$

Let also

$$\begin{aligned} X'&=X\cap S_1=X\setminus (U_1\sqcup (\mathcal {Q}'_E)^{-1}(V_2\cap Y))\\ Y'&=Y\cap T_2=Y\setminus (V_2\sqcup \mathcal {Q}'_E(X\cap U_1)). \end{aligned}$$

Then, \(\mathsf {p}^*\) is exactly the probability, over the choice of two random bijections \(\overline{P'_1}:S_1\rightarrow T_1\) and \(\overline{P'_2}:S_2\rightarrow T_2\), that \(\overline{P'_2}\circ \overline{P'_1}(x')=y'\) for each \((x',y')\in \mathcal {Q}'_E\) such that \(x'\in X'\) and \(y'\in Y'\). We now lower bound \(\mathsf {p}^*\).

Note that \(|X'|=|Y'|=q_e-\alpha \). Choose a set \(W\subseteq \{0,1\}^n\setminus (V_1\cup U_2)\) of size \(q_e-\alpha \) (note that \(N-2q_p\ge q_e-\alpha \) by the assumption that \(2q_e+2q_p\le N\)) and a bijection \(F:X'\rightarrow W\). The number of possibilities for the pair (W, F) is at least

$$\begin{aligned} \left( {\begin{array}{c}N-2q_p\\ q_e-\alpha \end{array}}\right) (q_e-\alpha )!=(N-2q_p)_{q_e-\alpha }. \end{aligned}$$

For each choice of (W, F), the probability that random bijections \(\overline{P'_1}:S_1\rightarrow T_1\) and \(\overline{P'_2}:S_2\rightarrow T_2\) satisfy:

  (1) \(\overline{P'_1}(x')=F(x')\) for each \(x'\in X'\),

  (2) \(\overline{P'_2}\circ \overline{P'_1}(x')=y'\) for each \((x',y')\in \mathcal {Q}'_E\) such that \(x'\in X'\) and \(y'\in Y'\)

is exactly

$$\begin{aligned} \frac{1}{(N-q_p-\alpha _1)_{q_e-\alpha }(N-q_p-\alpha _2)_{q_e-\alpha }}, \end{aligned}$$

since condition (1) fixes \(q_e-\alpha \) distinct equations on \(\overline{P'_1}\) and condition (2) fixes \(q_e-\alpha \) distinct equations on \(\overline{P'_2}\). Hence, summing over all the possibilities for the pair (W, F), we obtain

$$\begin{aligned} \mathsf {p}^*\ge \frac{(N-2q_p)_{q_e-\alpha }}{(N-q_p-\alpha _1)_{q_e-\alpha }(N-q_p-\alpha _2)_{q_e-\alpha }}. \end{aligned}$$
(19)

Gathering (16), (17), (18), and (19) finally yields:

$$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}&\ge \frac{(N)_{q_e}(N-2q_p)_{q_e-\alpha }}{(N-q_p)_{\alpha _1}(N-q_p-\alpha _1)_{q_e-\alpha }(N-q_p)_{\alpha _2}(N-q_p-\alpha _2)_{q_e-\alpha }} \nonumber \\&=\frac{(N)_{q_e}(N-2q_p)_{q_e-\alpha }}{(N-q_p)_{q_e-\alpha _2}(N-q_p)_{q_e-\alpha _1}}. \end{aligned}$$
(20)

Note that we did not use any assumptions on \(q_e\) and \(q_p\) until now, so that (20) holds for any parameters (assuming good transcripts exist at all). We now complete the proof by considering two cases. We first prove (i), under the assumption that \(2q_e+2q_p\le N\). From (20), we have

$$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}&\ge \frac{(N)_{q_e}(N-2q_p)_{q_e}}{(N-q_p)_{q_e}(N-q_p)_{q_e}}\times \underbrace{\frac{(N-q_p-q_e+\alpha _2)_{\alpha _2}(N-q_p-q_e+\alpha _1)_{\alpha _1}}{(N-2q_p-q_e+\alpha )_{\alpha }}}_{\ge 1}\\&\ge \frac{(N)_{q_e}(N-2q_p)_{q_e}}{((N-q_p)_{q_e})^2}\\&\ge 1-\frac{4q_eq_p^2}{N^2}, \end{aligned}$$

where for the last inequality we used Lemma 3 with \(a=q_e\) and \(b=c=d=q_p\), and the assumption that \(2q_e+2q_p\le N\).

We then consider the case where \(q_e=N\). Clearly, \(U_1\subseteq X\) and \(V_2\subseteq Y\) since \(X=Y=\{0,1\}^n\) in that case, so that \(\alpha _1=\alpha _2=q_p\) and \(\alpha =2q_p\). Hence, (20) now becomes

$$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}\ge \frac{N!(N-2q_p)!}{((N-q_p)!)^2}\ge 1. \end{aligned}$$

This shows (ii) and concludes the proof. \(\square \)

5.4 Concluding the Proof of Theorem 4

We are now ready to complete the proof of Theorem 4.

Proof (of Theorem 4)

The theorem directly follows by combining the H-coefficient Lemma (Lemma 1) with the adequate parts of Lemmas 7 and 8. First, if we combine Lemma 7 (i) and Lemma 8 (i), we obtain

$$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMIP}[n,2]}(q_e,q_p)\le \frac{2q_eq_p}{N}+\frac{4q_eq_p^2}{N^2}\le \frac{6q_eq_p}{N}, \end{aligned}$$

which proves (i).

If we now combine Lemma 7 (ii) (noting that the assumption \(2q_e+2q_p\le N\) implies that \(q_e\le N/2\) and \(q_p\le N/2\), as needed) and Lemma 8 (i), we obtain

$$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMIP}[n,2]}(q_e,q_p)\le \frac{6}{N}+\frac{2q_e^2q_p+7q_eq_p^2+4q_p^2\sqrt{q_eq_p}}{N^2}+\frac{15q_p\sqrt{nq_e}}{N}. \end{aligned}$$

Letting \(\alpha =\log _2 q_e\), this upper bound can be rewritten

$$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMIP}[n,2]}(q_e,q_p)\le \frac{6}{N}+\frac{2q_p}{2^{2n-2\alpha }} +7\left( \frac{q_p}{2^{n-\frac{\alpha }{2}}}\right) ^2+4\left( \frac{q_p}{2^{\frac{4n-\alpha }{5}}}\right) ^{\frac{5}{2}}+15\sqrt{n}\frac{q_p}{2^{n-\frac{\alpha }{2}}}. \end{aligned}$$

From this inequality, we prove (ii) and (iii). We start with (ii). Since (12) trivially holds when \(q_eq_p^5>N^4\), we can assume \(q_eq_p^5\le N^4\). One can easily check that when \(\frac{n}{4}\le \alpha \le \frac{2n}{3}\), \(\frac{4n-\alpha }{5}\le n-\frac{\alpha }{2} \le 2n-2\alpha \). Hence, when \(2^{\frac{n}{4}} \le q_e \le 2^{\frac{2n}{3}}\) and \(q_e q_p^5\le N^4\), one has

$$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMIP}[n,2]}(q_e,q_p)&\le \frac{6}{N}+\frac{2q_p}{2^{\frac{4n-\alpha }{5}}} +7\left( \frac{q_p}{2^{\frac{4n-\alpha }{5}}}\right) ^2+4\left( \frac{q_p}{2^{\frac{4n-\alpha }{5}}}\right) ^{\frac{5}{2}}+15\sqrt{n}\frac{q_p}{2^{\frac{4n-\alpha }{5}}}\\&\le \frac{6}{N} +(13+15\sqrt{n})\left( \frac{q_e q_p^5}{N^4}\right) ^{\frac{1}{5}}, \end{aligned}$$

completing the proof of (ii). We then prove (iii). Since (13) trivially holds when \(q_e^2q_p>N^2\), we can assume \(q_e^2q_p\le N^2\). One can check that when \(\frac{2n}{3}\le \alpha \le \frac{3n}{4}\), \(2n-2\alpha \le n-\frac{\alpha }{2}\le \frac{4n-\alpha }{5}\). Hence, when \(2^{\frac{2n}{3}} \le q_e \le 2^{\frac{3n}{4}}\) and \(q_e^2 q_p\le N^2\), one has

$$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMIP}[n,2]}(q_e,q_p)&\le \frac{6}{N}+\frac{2q_p}{2^{2n-2\alpha }} +7\left( \frac{q_p}{2^{2n-2\alpha }}\right) ^2+4\left( \frac{q_p}{2^{2n-2\alpha }}\right) ^{\frac{5}{2}}+15\sqrt{n}\frac{q_p}{2^{2n-2\alpha }}\\&\le \frac{6}{N} +(13+15\sqrt{n})\frac{q_e^2 q_p}{N^2}, \end{aligned}$$

proving (iii).

Finally, (iv) directly follows from combining Lemma 7 (iii) and Lemma 8 (ii). Lemma 7 (iii) was proved for \(q_e=N\), but the resulting upper bound holds in fact for any \(q_e\) since the advantage can obviously only increase with \(q_e\). \(\square \)

6 Security Proof for the Single-Permutation Case

6.1 Statement of the Result and Discussion

Fig. 6

The two-round Even–Mansour cipher with a single permutation and an arbitrary key-schedule

In this section, we study the security of the two-round Even–Mansour construction where a single permutation P is used instead of two independent permutations, namely \(\mathsf {EMSP}[n,2,\ell ,\varvec{\gamma }]\) (depicted in Fig. 6). By the results of Sect. 4, we know that we cannot simply use the same n-bit key k at each round if we aim at proving security beyond the birthday bound, so that some non-trivial key-schedule \(\varvec{\gamma }=(\gamma _0,\gamma _1,\gamma _2)\), with \(\gamma _i:\{0,1\}^{\ell }\rightarrow \{0,1\}^n\), is needed (we remain as general as possible when we can, and we only specify the key-length and the key-schedule when needed). Given a key \(K\in \{0,1\}^{\ell }\), we denote \(k_0=\gamma _0(K)\), \(k_1=\gamma _1(K)\), and \(k_2=\gamma _2(K)\), so that:

$$\begin{aligned} \mathsf {EMSP}^P_K(x)=P(P(x\oplus k_0)\oplus k_1)\oplus k_2. \end{aligned}$$

Our main result deals with the case where \(\ell =n\), namely the master key-length is equal to the block length (and hence to the round keys length). We treat the (simpler) cases where the three round keys are independent, or derived from two independent n-bit keys, respectively, in Appendices A and B. First, we specify conditions on the key-schedule that will allow us to upper bound the probability to obtain a bad transcript in the ideal world (the definition of bad transcripts will be given later).

Definition 2

(Good key-schedule) For \(\ell =n\), we say that a key-schedule \(\varvec{\gamma }=(\gamma _0,\gamma _1,\gamma _2)\), where \(\gamma _i:\{0,1\}^n\rightarrow \{0,1\}^n\), is good if it satisfies the following conditions:

  (i) \(\gamma _0,\gamma _1,\gamma _2\in \mathsf {GL}(n)\) (i.e., each \(\gamma _i\) is a linear bijective map of \(\mathbb {F}_2^n\));

  (ii) \(\gamma _0\oplus \gamma _1 \in \mathsf {GL}(n)\) and \(\gamma _1\oplus \gamma _2\in \mathsf {GL}(n)\);

  (iii) \(\gamma _0\oplus \gamma _1\oplus \gamma _2\) is a permutation over \(\{0,1\}^n\) (not necessarily linear over \(\mathbb {F}_2^n\)).

A simple way to build a good key-schedule is to take for \(\gamma _0\) and \(\gamma _2\) the identity, and \(\gamma _1=\pi \), where \(\pi \) is a linear orthomorphism of \(\mathbb {F}_2^n\) (recall that a permutation \(\pi \) of \(\{0,1\}^n\) is an orthomorphism if \(x\mapsto x\oplus \pi (x)\) is also a permutation), so that the sequence of round keys is \((k,\pi (k),k)\). We give two simple examples of linear orthomorphisms which are attractive from an implementation point of view:

  • When n is even, and \(k=(k_L,k_R)\) where \(k_L\) and \(k_R\) are, respectively, the left and right halves of k, then

    $$\begin{aligned} \pi :(k_L,k_R)\mapsto (k_R,k_L\oplus k_R) \end{aligned}$$

    is a linear orthomorphism.

  • Fix an irreducible polynomial p of degree n over \(\mathbb {F}_2\) and identify \(\mathbb {F}_2^n\) and the extension field \(\mathbb {F}_{2^n}\) defined by p in the canonical way. Then, for any \(c\in \mathbb {F}_{2^n}\setminus \{0,1\}\), \(k\mapsto c\odot k\) (where \(\odot \) denotes the extension field multiplication) is a linear orthomorphism.
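As an added, runnable check (not part of the original paper), the following Python code tests conditions (i)–(iii) of Definition 2 by brute force on a small block size and applies the test to the two orthomorphism-based schedules above as well as to the two schedules broken in Sect. 4 (identical round keys, and \(k\oplus t_i\)). The block size n = 8, the AES polynomial \(x^8+x^4+x^3+x+1\) used to define \(\mathbb {F}_{2^8}\), and the sample constants are choices of this example.

```python
import functools
import operator


def is_permutation(f, n):
    """Brute-force bijectivity test of f on {0,1}^n (intended for small n)."""
    N = 1 << n
    return len({f(x) for x in range(N)}) == N


def is_linear(f, n):
    """F_2-linearity: f(0) = 0 and f agrees everywhere with the map fixed by its values on unit vectors."""
    if f(0) != 0:
        return False
    basis = [f(1 << i) for i in range(n)]
    for x in range(1 << n):
        image = 0
        for i in range(n):
            if (x >> i) & 1:
                image ^= basis[i]
        if image != f(x):
            return False
    return True


def xor_of(*fs):
    """Pointwise XOR of functions, i.e. gamma_i ^ gamma_j as a map on {0,1}^n."""
    return lambda x: functools.reduce(operator.xor, (f(x) for f in fs), 0)


def is_good_key_schedule(gammas, n):
    """Conditions (i)-(iii) of Definition 2 for gammas = (gamma_0, gamma_1, gamma_2)."""
    g0, g1, g2 = gammas

    def in_GL(f):
        return is_linear(f, n) and is_permutation(f, n)

    return (all(in_GL(g) for g in gammas)                          # (i)
            and in_GL(xor_of(g0, g1)) and in_GL(xor_of(g1, g2))    # (ii)
            and is_permutation(xor_of(g0, g1, g2), n))             # (iii)


def identity(k):
    return k


def feistel_like_orthomorphism(n):
    """pi : (k_L, k_R) -> (k_R, k_L ^ k_R) from the first bullet (n even)."""
    h = n // 2
    mask = (1 << h) - 1

    def pi(k):
        k_left, k_right = k >> h, k & mask
        return (k_right << h) | (k_left ^ k_right)

    return pi


def gf_mul(a, b, n, poly):
    """Multiplication in F_{2^n} defined by the irreducible polynomial poly (given with its x^n term)."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= poly
    return r


def field_mul_orthomorphism(c, n, poly):
    """k -> c * k in F_{2^n}, a linear orthomorphism for c not in {0, 1} (second bullet)."""
    return lambda k: gf_mul(c, k, n, poly)


def xor_constant_schedule(t):
    """gamma_i(k) = k ^ t_i, the key-schedule attacked in Sect. 4.2 (affine, not linear)."""
    return tuple((lambda k, ti=ti: k ^ ti) for ti in t)


if __name__ == "__main__":
    n = 8
    AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1
    for name, sched in [
        ("(k, pi(k), k), Feistel-like pi", (identity, feistel_like_orthomorphism(n), identity)),
        ("(k, 2*k, k) in GF(2^8)", (identity, field_mul_orthomorphism(2, n, AES_POLY), identity)),
        ("(k, k, k), Sect. 4.1", (identity, identity, identity)),
        ("(k^t0, k^t1, k^t2), Sect. 4.2", xor_constant_schedule((0x01, 0x23, 0x45))),
    ]:
        print(f"{name:36s} good: {is_good_key_schedule(sched, n)}")
```

Identical round keys fail (ii) because \(\gamma _0\oplus \gamma _1\) is the zero map, and the \(k\oplus t_i\) schedule already fails (i) since it is affine rather than linear, which matches the fact that both are broken by the slide attacks of Sect. 4. Brute force is only feasible for toy n; for a real block size one checks (i) and (ii) by rank computations on the matrices of the \(\gamma _i\).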

The main result of this paper is the following security bound for the two-round Even–Mansour construction with a single permutation and an n-bit master key.

Theorem 5

(Single permutation and non-independent round keys) Consider the single-permutation two-round Even–Mansour cipher \(\mathsf {EMSP}[n,2,\varvec{\gamma }]\) with n-bit master key-length and a good key-schedule \(\varvec{\gamma }\) (see Definition 2). Assume that \(n\ge 9\), \(q_e\ge 25n\), \(q_p\ge 25n\), and \(4q_e+2q_p\le N\). Then, the following upper bounds hold:

  (i) When \(q_e\le 2^{\frac{n}{3}}\), one has

     $$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMSP}[n,2,\varvec{\gamma }]}(q_e,q_p)\le \frac{23}{N^{\frac{1}{3}}} + \frac{16q_e q_p}{N}. \end{aligned}$$
     (21)

  (ii) When \(q_e\ge 2^{\frac{n}{3}}\), one has

     $$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMSP}[n,2,\varvec{\gamma }]}(q_e,q_p)\le \frac{10}{N} + (23+10\sqrt{n})\frac{q_e}{N^{\frac{2}{3}}}+(39+15\sqrt{n})\frac{q_p}{N^{\frac{2}{3}}}. \end{aligned}$$
     (22)

Discussion Before giving the proof, we discuss Theorem 5. There are two “regimes”. The “low \(q_e\)” regime corresponds to \(q_e\le 2^{\frac{n}{3}}\), where the security bound is given by (21), which is, up to constant terms, exactly the same bound as for the one-round Even–Mansour cipher [12, 15] and the two-round Even–Mansour cipher with independent permutations [see Theorem 4, Eq. (11)]. The “medium \(q_e\)” regime corresponds to \(2^{\frac{n}{3}}\le q_e\le 2^{\frac{2n}{3}}\), where the security bound is given by (22), which caps at \(q_p=2^{\frac{2n}{3}}\). Note that, contrary to Theorem 4 for the case of independent permutations, the bound becomes vacuous for \(q_e>2^{\frac{2n}{3}}\). Inspection of the proof shows that the problematic terms appear when analyzing good transcripts (Lemma 10), and we currently do not know how to extend the bound when \(q_e>2^{\frac{2n}{3}}\). See Fig. 2 in Sect. 1 where the security bound is plotted in the \((q_e,q_p)\) plane.

Letting \(q=\max (q_e,q_p)\), and assuming \(q\le N^{\frac{2}{3}}\), the second upper bound of Theorem 5 simplifies into

$$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMSP}[n,2,\varvec{\gamma }]}(q,q)\le \frac{10}{N} + \frac{62q}{N^{\frac{2}{3}}} + 25\sqrt{n}\frac{q}{N^{\frac{2}{3}}}=\frac{10}{2^n}+\frac{62q}{2^{\frac{2n}{3}}}+\frac{25q}{2^{\frac{2n}{3}-\frac{1}{2}\log _2 n}}. \end{aligned}$$

Hence, security is ensured up to \(\mathcal {O}(2^{\frac{2n}{3}-\frac{1}{2}\log _2n})=\widetilde{\mathcal {O}}(2^{\frac{2n}{3}})\) total queries of the adversary.

The remaining subsections are devoted to the proof of Theorem 5.

6.2 Definition and Probability of Bad Transcripts

Let \(\tau =(\mathcal {Q}_E,\mathcal {Q}_P,K)\), with \(|\mathcal {Q}_E|=q_e\), \(|\mathcal {Q}_P|=q_p\), and \(K\in \{0,1\}^{\ell }\) be an attainable transcript. As previously, we start by defining the set of bad transcripts. (The definition holds independently of the master key-length \(\ell \).) In all the following, we let

$$\begin{aligned} M= \frac{q_e}{N^{\frac{1}{3}}}. \end{aligned}$$

Definition 3

(Bad transcript, single-permutation case) We say that a transcript \(\tau =(\mathcal {Q}_E,\mathcal {Q}_P,K)\in \mathcal {T}\) is bad if

$$\begin{aligned} K\in \mathsf {BadK}=\bigcup _{1\le i\le 10}\mathsf {BadK}_i \end{aligned}$$

where

$$\begin{aligned} K\in \mathsf {BadK}_1&\Leftrightarrow k_0=x\oplus u\text { and }k_2=v'\oplus y\text { for some }(x,y)\in \mathcal {Q}_E\text { and }(u,v),(u',v')\in \mathcal {Q}_P\\ K\in \mathsf {BadK}_2&\Leftrightarrow k_0=x\oplus u\text { and }k_1=v\oplus u'\text { for some }(x,y)\in \mathcal {Q}_E\text { and }(u,v),(u',v')\in \mathcal {Q}_P\\ K\in \mathsf {BadK}_3&\Leftrightarrow k_1=v\oplus u'\text { and }k_2=v'\oplus y\text { for some }(x,y)\in \mathcal {Q}_E\text { and }(u,v),(u',v')\in \mathcal {Q}_P\\ K\in \mathsf {BadK}_4&\Leftrightarrow k_0=x\oplus u\text { and }k_0\oplus k_1=v\oplus x'\text { for some }(x,y),(x',y')\in \mathcal {Q}_E,(u,v)\in \mathcal {Q}_P\\ K\in \mathsf {BadK}_5&\Leftrightarrow k_1\oplus k_2=y'\oplus u\text { and }k_2=v\oplus y\text { for some }(x,y),(x',y')\in \mathcal {Q}_E,(u,v)\in \mathcal {Q}_P\\ K\in \mathsf {BadK}_6&\Leftrightarrow \left| \left\{ \left( (x,y),(u,v)\right) \in \mathcal {Q}_E\times \mathcal {Q}_P:x\oplus u=k_0\right\} \right|> \frac{M}{3}\\ K\in \mathsf {BadK}_7&\Leftrightarrow \left| \left\{ \left( (x,y),(u,v)\right) \in \mathcal {Q}_E\times \mathcal {Q}_P:v\oplus y=k_2\right\} \right|> \frac{M}{3}\\ K\in \mathsf {BadK}_8&\Leftrightarrow \left| \left\{ \left( (x,y),(u,v)\right) \in \mathcal {Q}_E\times \mathcal {Q}_P:x\oplus v=k_0\oplus k_1\right\} \right|> \frac{M}{3}\\ K\in \mathsf {BadK}_9&\Leftrightarrow \left| \left\{ \left( (x,y),(u,v)\right) \in \mathcal {Q}_E\times \mathcal {Q}_P:u\oplus y=k_1\oplus k_2\right\} \right|> \frac{M}{3}\\ K\in \mathsf {BadK}_{10}&\Leftrightarrow \left| \left\{ \left( (x,y),(x',y')\right) \in \mathcal {Q}_E\times \mathcal {Q}_E:x\oplus y'=k_0\oplus k_1\oplus k_2\right\} \right| > M. \end{aligned}$$

Otherwise \(\tau \) is said good. We denote \(\mathcal {T}_2\) the set of bad transcripts, and \(\mathcal {T}_1=\mathcal {T}\setminus \mathcal {T}_2\) the set of good transcripts.

We start by upper bounding the probability to obtain a bad transcript in the ideal world when the master key-length is n and the key-schedule is good. We treat the (simpler) cases where the three round keys are independent, or derived from two independent n-bit keys, respectively, in “Appendices A and B”.

Lemma 9

Let \(\ell =n\) and \(\varvec{\gamma }=(\gamma _0,\gamma _1,\gamma _2)\) be a good key-schedule. The following upper bounds hold:

  1. (i)

    For any integers \(q_e\) and \(q_p\), one has

    $$\begin{aligned} \Pr [T_{\mathrm{id}}\in \mathcal {T}_2]\le \frac{q_e^2+4q_eq_p}{N}. \end{aligned}$$
  2. (ii)

    When \(25n\le q_e\le N/2\) and \(25n\le q_p\le N/2\), one has

    $$\begin{aligned} \Pr [T_{\mathrm{id}}\in \mathcal {T}_2]\le & {} \frac{10}{N}+\frac{4q_e^2q_p+7q_eq_p^2+4q_p^2 \sqrt{q_eq_p}}{N^2}\\&+\frac{15q_p\sqrt{nq_e}+10q_e\sqrt{nq_p}}{N}+\frac{q_e+12q_p}{N^{\frac{2}{3}}}. \end{aligned}$$

Proof

In the ideal world, the sets \(\mathsf {BadK}_i\) depend only on the random permutations E and P, and not on the key K, which is drawn uniformly at random at the end of the interaction of the distinguisher with (E, P). Hence, for any \(C>0\), we can write

(23)

With this observation at hand, we first prove (i). Note that

$$\begin{aligned}&K\in \bigcup _{i=1}^7\mathsf {BadK}_i \Rightarrow k_0=x\oplus u \text { for some }(x,y)\in \mathcal {Q}_E\text { and }(u,v)\in \mathcal {Q}_P\\&\quad \text {or } k_2=v\oplus y \text { for some }(x,y)\in \mathcal {Q}_E\text { and }(u,v)\in \mathcal {Q}_P. \end{aligned}$$

Hence, since \(\gamma _0\), \(\gamma _1\), and \(\gamma _2\) are permutations of \(\{0,1\}^n\), one always has, independently of E and P,

$$\begin{aligned} \left| \bigcup _{i=1}^7\mathsf {BadK}_i \right|&\le \left| \{x\oplus u: (x,y)\in \mathcal {Q}_E, (u,v)\in \mathcal {Q}_P\} \right| +\left| \{v\oplus y: (x,y)\in \mathcal {Q}_E, (u,v)\in \mathcal {Q}_P\} \right| \\&\le 2q_eq_p. \end{aligned}$$

Similarly,

$$\begin{aligned} K \in \mathsf {BadK}_8&\Rightarrow k_0\oplus k_1 = x\oplus v \text { for some } (x,y)\in \mathcal {Q}_E \text { and } (u,v)\in \mathcal {Q}_P,\\ K \in \mathsf {BadK}_9&\Rightarrow k_1\oplus k_2 = u\oplus y \text { for some } (x,y)\in \mathcal {Q}_E \text { and } (u,v)\in \mathcal {Q}_P,\\ K \in \mathsf {BadK}_{10}&\Rightarrow k_0\oplus k_1\oplus k_2 = x\oplus y' \text { for some } (x,y),(x',y')\in \mathcal {Q}_E . \end{aligned}$$

Hence, since \(\gamma _0 \oplus \gamma _1\), \(\gamma _1 \oplus \gamma _2\), and \(\gamma _0\oplus \gamma _1 \oplus \gamma _2\) are permutations of \(\{0,1\}^n\), one always has

$$\begin{aligned} \left| \mathsf {BadK}_8 \right|&\le \left| \{x\oplus v: (x,y)\in \mathcal {Q}_E, (u,v)\in \mathcal {Q}_P\} \right| \le q_e q_p,\\ \left| \mathsf {BadK}_9 \right|&\le \left| \{u\oplus y: (x,y)\in \mathcal {Q}_E, (u,v)\in \mathcal {Q}_P\} \right| \le q_e q_p,\\ \left| \mathsf {BadK}_{10} \right|&\le \left| \{x\oplus y': (x,y),(x',y')\in \mathcal {Q}_E\} \right| \le q_e^2. \end{aligned}$$

The first bound follows by (23) with \(C=4q_eq_p+q_e^2\).

We then prove the more complex upper bound of (ii). Again, the size of \(\mathsf {BadK}_i\) for \(i=6\) to 10 can be upper bounded independently of E and P. Indeed, each pair \(((x,y),(u,v))\in \mathcal {Q}_E\times \mathcal {Q}_P\) contributes to exactly one value of \(x\oplus u\), so fewer than \(3q_eq_p/M\) values of \(k_0\) can each be hit by more than M / 3 pairs, and the same counting applies to the four other sums. Since \(\gamma _0\), \(\gamma _2\), \(\gamma _0\oplus \gamma _1\), \(\gamma _1\oplus \gamma _2\), and \(\gamma _0\oplus \gamma _1\oplus \gamma _2\) are all permutations of \(\{0,1\}^n\), each such value corresponds to exactly one master key, and one always has

$$\begin{aligned} |\mathsf {BadK}_6|,|\mathsf {BadK}_7|,|\mathsf {BadK}_8|,|\mathsf {BadK}_9|&\le \frac{3q_eq_p}{M},\\ |\mathsf {BadK}_{10}|&\le \frac{q_e^2}{M}. \end{aligned}$$

On the other hand, in order to upper bound \(|\mathsf {BadK}_i|\) for \(i=1\) to 5, we now appeal to the sum-capture theorem of Sect. 3. For a permutation transcript \((\mathcal {Q}_E,\mathcal {Q}_P)\), let

$$\begin{aligned} X&=\{x\in \{0,1\}^n:(x,y)\in \mathcal {Q}_E\},&Y&=\{y\in \{0,1\}^n:(x,y)\in \mathcal {Q}_E\},\\ U&=\{u\in \{0,1\}^n:(u,v)\in \mathcal {Q}_P\},&V&=\{v\in \{0,1\}^n:(u,v)\in \mathcal {Q}_P\} \end{aligned}$$

denote the domains and the ranges of \(\mathcal {Q}_E\) and \(\mathcal {Q}_P\), respectively. Then, one has

$$\begin{aligned} |\mathsf {BadK}_1|&\le \mu (\mathcal {Q}_E,U,V){\mathrel {\mathop =^{\mathrm{def}}}}|\{((x,y),u,v)\in \mathcal {Q}_E\times U\times V:x\oplus u=\gamma _0\circ \gamma _2^{-1}(y\oplus v)\}|\\ |\mathsf {BadK}_2|&\le \mu (\mathcal {Q}_P,X,U){\mathrel {\mathop =^{\mathrm{def}}}}|\{((u,v),x,u')\in \mathcal {Q}_P\times X\times U:x\oplus u=\gamma _0\circ \gamma _1^{-1}(v\oplus u')\}|\\ |\mathsf {BadK}_3|&\le \mu (\mathcal {Q}_P,V,Y){\mathrel {\mathop =^{\mathrm{def}}}}|\{((u',v'),v,y)\in \mathcal {Q}_P\times V\times Y:v\oplus u'=\gamma _1\circ \gamma _2^{-1}(v'\oplus y)\}|\\ |\mathsf {BadK}_4|&\le \mu (\mathcal {Q}_P,X,X){\mathrel {\mathop =^{\mathrm{def}}}}|\{((u,v),x,x')\in \mathcal {Q}_P\times X\times X:x\oplus u\\&=\gamma _0\circ (\gamma _0\oplus \gamma _1)^{-1}(v\oplus x')\}|\\ |\mathsf {BadK}_5|&\le \mu (\mathcal {Q}_P,Y,Y){\mathrel {\mathop =^{\mathrm{def}}}}|\{((u,v),y,y')\in \mathcal {Q}_P\times Y\times Y:y'\oplus u\\&=(\gamma _1\oplus \gamma _2)\circ \gamma _2^{-1}(v\oplus y)\}|. \end{aligned}$$

By our assumption that the key-schedule is good, we have that \(\gamma _0\circ \gamma _2^{-1}\), \(\gamma _0\circ \gamma _1^{-1}\), \(\gamma _1\circ \gamma _2^{-1}\), \(\gamma _0\circ (\gamma _0\oplus \gamma _1)^{-1}\), and \((\gamma _1\oplus \gamma _2)\circ \gamma _2^{-1}\) are all automorphisms of \(\mathbb {F}_2^n\). Hence, we can apply Theorem 1 (note that in order to apply this theorem to upper bound, say, \(|\mathsf {BadK}_1|\), we consider the combination of the distinguisher \(\mathcal {D}\) and permutation P as a probabilistic adversary \(\mathcal {A}\) interacting with permutation E, resulting in transcript \(\mathcal {Q}_E\)). Thus, if we set

$$\begin{aligned} C_1&= \frac{q_eq_p^2}{N}+\frac{2q_e^2q_p}{N}+5q_p\sqrt{nq_e}\\ C_2&=C_3= \frac{q_eq_p^2}{N}+\frac{2q_p^2\sqrt{q_eq_p}}{N}+5q_p\sqrt{nq_e}\\ C_4&=C_5= \frac{q_e^2q_p}{N}+\frac{2q_eq_p^2}{N}+5q_e\sqrt{nq_p}, \end{aligned}$$

one has for each \(i=1\) to 5. Applying (23) with

$$\begin{aligned} C&=\sum _{i=1}^5 C_i +\frac{q_e^2+12q_eq_p}{M}\\&= \frac{4q_e^2q_p+7q_eq_p^2+4q_p^2\sqrt{q_eq_p}}{N}+15q_p\sqrt{nq_e}+10q_e\sqrt{nq_p}+N^{\frac{1}{3}}(q_e+12q_p) \end{aligned}$$

completes the proof of (ii). \(\square \)

6.3 Good Transcripts and Their Properties

It remains to show that for any good transcript \(\tau \), the ratio between the probabilities to obtain \(\tau \) in the ideal world and the real world is close to 1. The following lemma holds independently of the master key-length \(\ell \).

Lemma 10

Assume that \(n\ge 9\) and \(4q_e+2q_p\le N\). Let \(\tau =(\mathcal {Q}_E,\mathcal {Q}_P,K)\in \mathcal {T}_1\) be a good transcript. Then

$$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}\ge 1-\varepsilon _1, \end{aligned}$$

where

$$\begin{aligned} \varepsilon _1= \frac{4q_e(q_e+q_p)^2}{N^2}+\frac{2q_e^2}{N^{\frac{4}{3}}}+\frac{16q_e}{N^{\frac{2}{3}}}. \end{aligned}$$

Proof

Fix a good transcript \(\tau =(\mathcal {Q}_E,\mathcal {Q}_P,K)\in \mathcal {T}_1\). In the following, we let:

so that, by Lemma 2,

$$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}=(N)_{q_e}\cdot \mathsf {p}(\tau ). \end{aligned}$$
(24)

Our goal is now to lower bound \(\mathsf {p}(\tau )\). First, we modify the inner permutation P and the transcript in order to get rid of the round keys as follows:

$$\begin{aligned} P'&=P\oplus k_1,\\ \mathcal {Q}'_E&=\left\{ (x\oplus k_0,y\oplus k_1\oplus k_2):(x,y)\in \mathcal {Q}_E\right\} ,\\ \mathcal {Q}'_P&=\left\{ (u,v\oplus k_1):(u,v)\in \mathcal {Q}_P\right\} . \end{aligned}$$

Then, we have

Let

$$\begin{aligned} X&=\{x'\in \{0,1\}^n:(x',y')\in \mathcal {Q}'_E\},&Y&=\{y'\in \{0,1\}^n:(x',y')\in \mathcal {Q}'_E\},\\ U&=\{u'\in \{0,1\}^n:(u',v')\in \mathcal {Q}'_P\},&V&=\{v'\in \{0,1\}^n:(u',v')\in \mathcal {Q}'_P\} \end{aligned}$$

denote the domains and the ranges of \(\mathcal {Q}'_E\) and \(\mathcal {Q}'_P\), respectively. We also denote \(\alpha _1=|Y\cap V|\) and \(\alpha _2=|X\cap U|\). We can now rewrite the fact that the transcript is good as follows (see Fig. 7):

$$\begin{aligned} K\notin \mathsf {BadK}_1&\Leftrightarrow \mathcal {Q}'_E(X\cap U) \text { is disjoint from } V \Leftrightarrow (\mathcal {Q}'_E)^{-1}(Y\cap V) \text { is disjoint from } U \end{aligned}$$
(B.1)
$$\begin{aligned} K\notin \mathsf {BadK}_2&\Leftrightarrow \mathcal {Q}'_P(X\cap U) \text { is disjoint from } U \end{aligned}$$
(B.2)
$$\begin{aligned} K\notin \mathsf {BadK}_3&\Leftrightarrow (\mathcal {Q}'_P)^{-1}(Y\cap V) \text { is disjoint from } V \end{aligned}$$
(B.3)
$$\begin{aligned} K\notin \mathsf {BadK}_4&\Leftrightarrow \mathcal {Q}'_P(X\cap U) \text { is disjoint from } X \end{aligned}$$
(B.4)
$$\begin{aligned} K\notin \mathsf {BadK}_5&\Leftrightarrow (\mathcal {Q}'_P)^{-1} (Y\cap V) \text { is disjoint from } Y \end{aligned}$$
(B.5)
$$\begin{aligned} K\notin \mathsf {BadK}_6&\Leftrightarrow \alpha _2=\left| X\cap U\right| \le \frac{M}{3} \end{aligned}$$
(B.6)
$$\begin{aligned} K\notin \mathsf {BadK}_7&\Leftrightarrow \alpha _1=\left| Y\cap V\right| \le \frac{M}{3} \end{aligned}$$
(B.7)
$$\begin{aligned} K\notin \mathsf {BadK}_8&\Leftrightarrow \left| X\cap V\right| \le \frac{M}{3} \end{aligned}$$
(B.8)
$$\begin{aligned} K\notin \mathsf {BadK}_9&\Leftrightarrow \left| Y\cap U\right| \le \frac{M}{3} \end{aligned}$$
(B.9)
$$\begin{aligned} K\notin \mathsf {BadK}_{10}&\Leftrightarrow \left| X\cap Y\right| \le M . \end{aligned}$$
(B.10)
Fig. 7

Graphical help for the proof of Lemma 10. X and Y are of size \(q_e\), while U and V are of size \(q_p\). The red zones are of size \(\alpha _1\), and the green zones of size \(\alpha _2\). Conditioning on \((P'\vdash \mathcal {Q}'_P)\wedge \mathsf {E}_1\wedge \mathsf {E}_2\), \(P'\) is defined on the zones which are colored on the left, while \((P')^{-1}\) is defined on the zones which are colored on the right
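As an added worked check, not part of the original proof, one can verify the change of variables directly from the definition of the cipher and see how the first bad condition becomes (B.1). Fix \((x,y)\in \mathcal {Q}_E\) and \((u,v)\in \mathcal {Q}_P\), and write \(x'=x\oplus k_0\) and \(y'=y\oplus k_1\oplus k_2\) for the corresponding entry of \(\mathcal {Q}'_E\); the corresponding entry of \(\mathcal {Q}'_P\) is \((u,v\oplus k_1)\). Then

$$\begin{aligned} P'(u)=v\oplus k_1 \quad &\Leftrightarrow \quad P(u)\oplus k_1=v\oplus k_1 \quad \Leftrightarrow \quad P(u)=v,\\ P'\circ P'(x')=y' \quad &\Leftrightarrow \quad P\bigl (P(x\oplus k_0)\oplus k_1\bigr )\oplus k_1=y\oplus k_1\oplus k_2\\ &\Leftrightarrow \quad k_2\oplus P\bigl (k_1\oplus P(k_0\oplus x)\bigr )=y, \end{aligned}$$

i.e., \(P'\) extends \(\mathcal {Q}'_P\) exactly when P extends \(\mathcal {Q}_P\), and \(P'\circ P'\) extends \(\mathcal {Q}'_E\) exactly when the two-round cipher with inner permutation P and round keys \((k_0,k_1,k_2)\) extends \(\mathcal {Q}_E\). For (B.1), take a second permutation query \((\tilde{u},\tilde{v})\in \mathcal {Q}_P\); then

$$\begin{aligned} k_0=x\oplus u\ \text { and }\ k_2=\tilde{v}\oplus y \quad &\Leftrightarrow \quad x'=u\in U\ \text { and }\ y'=\tilde{v}\oplus k_1\in V\\ &\Leftrightarrow \quad x'\in X\cap U\ \text { and }\ \mathcal {Q}'_E(x')\in V, \end{aligned}$$

so \(K\in \mathsf {BadK}_1\) iff \(\mathcal {Q}'_E(X\cap U)\) meets V, which is the negation of (B.1). The other conditions follow the same pattern; for instance, \(x\oplus u=k_0\) iff \(x'=u\), and since x determines \((x,y)\) and u determines \((u,v)\), the number of pairs counted in \(\mathsf {BadK}_6\) is exactly \(|X\cap U|=\alpha _2\), which gives (B.6).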

Let \(\mathsf {E}_1\) denote the event that \(P'(x')=u'\) for each of the \(\alpha _1\) pairs of queries \(\left( (x',y'),(u',v')\right) \in \mathcal {Q}'_E\times \mathcal {Q}'_P\) such that \(y'=v'\) (red arrows in Fig. 7). Similarly, let \(\mathsf {E}_2\) be the event that \(P'(v')=y'\) for each of the \(\alpha _2\) pairs of queries \(\left( (x',y'),(u',v')\right) \in \mathcal {Q}'_E\times \mathcal {Q}'_P\) such that \(x'=u'\) (green arrows in Fig. 7). Since \(P'\circ P'\vdash \mathcal {Q}'_E\) implies \(\mathsf {E}_1\) and \(\mathsf {E}_2\), we have

(25)

Note that:

  1. 1.

    U, \(\mathcal {Q}'_P(X\cap U)\), and \((\mathcal {Q}'_E)^{-1}(Y\cap V)\) are pairwise disjoint since:

    • U and \((\mathcal {Q}'_E)^{-1}(Y\cap V)\) are disjoint by (B.1),

    • U and \(\mathcal {Q}'_P(X\cap U)\) are disjoint by (B.2),

    • \((\mathcal {Q}'_E)^{-1}(Y\cap V)\) is contained in X, and X and \(\mathcal {Q}'_P(X\cap U)\) are disjoint by (B.4);

  2. 2.

    V, \(\mathcal {Q}'_E(X\cap U)\), and \((\mathcal {Q}'_P)^{-1}(Y\cap V)\) are pairwise disjoint since:

    • V and \(\mathcal {Q}'_E(X\cap U)\) are disjoint by (B.1),

    • V and \((\mathcal {Q}'_P)^{-1}(Y\cap V)\) are disjoint by (B.3),

    • \(\mathcal {Q}'_E(X\cap U)\) is contained in Y, and Y and \((\mathcal {Q}'_P)^{-1}(Y\cap V)\) are disjoint by (B.5).

Therefore we have

(26)

Let \(\alpha =\alpha _1+\alpha _2\). Conditioned on event \((P'\vdash \mathcal {Q}'_P)\wedge \mathsf {E}_1\wedge \mathsf {E}_2\), \(P'\) is fixed on \(q_p+\alpha \) points, and \(P'\circ P'\) agrees with \(\mathcal {Q}'_E\) on \(\alpha \) pairs \((x',y')\). It remains to lower bound the probability \(\mathsf {p}^*\) that \(P'\circ P'\) completes the remaining \(q_e-\alpha \) evaluations needed to extend \(\mathcal {Q}'_E\), namely

Let \(S\subseteq \{0,1\}^n\) denote the set of points for which \(P'\) has not been determined, more formally

$$\begin{aligned} S=\{0,1\}^n\setminus (U \sqcup \mathcal {Q}'_P(X\cap U) \sqcup (\mathcal {Q}'_E)^{-1}(Y\cap V)), \end{aligned}$$

and let \(T\subseteq \{0,1\}^n\) be the set of points for which \((P')^{-1}\) has not been determined, more formally

$$\begin{aligned} T=\{0,1\}^n \setminus (V\sqcup \mathcal {Q}'_E(X\cap U) \sqcup (\mathcal {Q}'_P)^{-1}(Y\cap V)). \end{aligned}$$

Let also

$$\begin{aligned} X'&=X\cap S=X\setminus (U \sqcup (\mathcal {Q}'_E)^{-1}(Y\cap V))\\ Y'&=Y\cap T=Y\setminus (V\sqcup \mathcal {Q}'_E(X\cap U)). \end{aligned}$$

(Note that \(\mathcal {Q}'_E(X')=Y'\).) Then, \(\mathsf {p}^*\) is exactly the probability that \(\overline{P'}\circ \overline{P'}(x')=y'\) for each \((x',y')\in \mathcal {Q}'_E\) such that \(x'\in X'\) and \(y'\in Y'\), over the random choice of bijection \(\overline{P'}:S\rightarrow T\). Note that

  1. 1.

    \(|S|=|T|=N-q_p-\alpha \);

  2. 2.

    \(|X'|=|Y'|=q_e-\alpha \);

  3. 3.

    \(|X'\cap Y'|\le |X\cap Y|\le M\) by (B.10);

  4. 4.

    \(|X'\setminus T|\le M\) since

    $$\begin{aligned} X'\setminus T\subseteq X\setminus T&=X\cap \overline{T}\\&=(X\cap V)\sqcup (X\cap \mathcal {Q}'_E(X\cap U)) \sqcup (X\cap (\mathcal {Q}'_P)^{-1}(Y\cap V))\\&\subseteq (X\cap V)\sqcup \mathcal {Q}'_E(X\cap U) \sqcup (\mathcal {Q}'_P)^{-1}(Y\cap V), \end{aligned}$$

    and \(|X\cap V|\), \(|X\cap U|\), and \(|Y\cap V|\) are at most M / 3 by (B.8), (B.6), and (B.7), respectively;

  5. 5.

    \(|Y'\setminus S|\le M\) since

    $$\begin{aligned} Y'\setminus S\subseteq Y\setminus S&=Y\cap \overline{S}\\&=(Y\cap U) \sqcup (Y\cap \mathcal {Q}'_P(X\cap U)) \sqcup (Y\cap (\mathcal {Q}'_E)^{-1}(Y\cap V)) \\&\subseteq (Y\cap U) \sqcup \mathcal {Q}'_P(X\cap U) \sqcup (\mathcal {Q}'_E)^{-1}(Y\cap V) , \end{aligned}$$

    and \(|Y\cap U|\), \(|X\cap U|\), and \(|Y\cap V|\) are at most M / 3 by (B.9), (B.6), and (B.7), respectively.

At this point, let us recapitulate the problem of lower bounding \(\mathsf {p}^*\). We denote \(q=q_e-\alpha \) and \(q'=q_p+\alpha \).

Problem 1

Let \(N,q,q'\) be positive integers and \(M>0\). Let S, \(T\subseteq \{0,1\}^n\), where \(|S|=|T|=N-q'\). Let also \(X'=\{x_1,\ldots ,x_q\}\subseteq S\) and \(Y'=\{y_1,\ldots ,y_q\}\subseteq T\) be sets of size q. Assume that

$$\begin{aligned}&|X'\cap Y'|,|X'\setminus T|,\text { and } |Y'\setminus S|\le M,\end{aligned}$$
(A.1)
$$\begin{aligned}&6M\le q,\end{aligned}$$
(A.2)
$$\begin{aligned}&4q+2q'\le N. \end{aligned}$$
(A.3)

Find a lower bound on the probability \(\mathsf {p}^*\) that a random bijection P from S to T satisfies \(P(P(x_i))=y_i\) for every \(i=1,\ldots ,q\).\(\diamond \)

We will prove in Lemma 11 the lower bound

$$\begin{aligned} \mathsf {p}^*\ge \frac{1}{(N)_q}\left( 1-\frac{12M^2}{q} -\frac{2q^2}{MN}-\frac{4q(q+q')^2}{N^2}\right) . \end{aligned}$$
(27)

Before proving (27), let us finish the proof of Lemma 10. Note that assumptions (A.1), (A.2), and (A.3) needed to apply (27) are satisfied:

  • assumption (A.1) is satisfied since we assume that \(\tau \) is good;

  • \(\alpha \le M\) by (B.6) and (B.7) since \(\tau \) is good, and by our original assumption that \(n\ge 9\), which implies \(N=2^n\ge 7^3\), we have \(7M\le q_e\), so that \(6M\le q_e-M\le q_e-\alpha =q\), and hence assumption (A.2) is satisfied;

  • by our original assumption that \(4q_e+2q_p\le N\), assumption (A.3) is satisfied.

Therefore, combining (24), (25), (26), and (27), we have:

$$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}{\ge } \frac{(N)_{q_e}}{(N)_{q_e-\alpha }(N-q_p)_{\alpha }} \left( 1{-}\frac{12M^2}{q_e-\alpha } {-}\frac{2(q_e-\alpha )^2}{MN}{-}\frac{4(q_e-\alpha )(q_e+q_p)^2}{N^2}\right) . \end{aligned}$$

Since

$$\begin{aligned} \frac{(N)_{q_e}}{(N)_{q_e-\alpha }(N-q_p)_{\alpha }}{=}\frac{(N-q_e{+}\alpha )_{\alpha }}{(N-q_p)_{\alpha }}{\ge } \frac{(N-q_e)_{\alpha }}{(N)_{\alpha }}\ge 1-\frac{q_e\alpha }{N-\alpha +1}\ge 1-\frac{Mq_e}{N-M}, \end{aligned}$$

we obtain

$$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}\ge 1-\frac{Mq_e}{N-M}-\frac{12M^2}{q_e-M}-\frac{2q_e^2}{MN}-\frac{4q_e(q_e+q_p)^2}{N^2}. \end{aligned}$$

Substituting \(M= q_e/N^{\frac{1}{3}}\), and noting that \(N-M\ge N/2\) and \(q_e-M\ge 6q_e/7\), we finally obtain

$$\begin{aligned} \frac{\Pr [T_{\mathrm{re}}=\tau ]}{\Pr [T_{\mathrm{id}}=\tau ]}\ge 1-\frac{2q_e^2}{N^{\frac{4}{3}}}-\frac{7\times 12q_e}{6\times N^{\frac{2}{3}}}-\frac{2q_e}{N^{\frac{2}{3}}}-\frac{4q_e(q_e+q_p)^2}{N^2} = 1-\varepsilon _1 \end{aligned}$$

where

$$\begin{aligned} \varepsilon _1= \frac{4q_e(q_e+q_p)^2}{N^2}+\frac{2q_e^2}{N^{\frac{4}{3}}}+\frac{16q_e}{N^{\frac{2}{3}}}. \end{aligned}$$

This concludes the proof. \(\square \)

It remains to solve Problem 1, which we do in the following lemma.

Fig. 8

Graphical help for the proof of Lemma 11. S and T are of size \(N-q'\), while \(X'\) and \(Y'\) are of size q. The gray zones \(X'\cap Y'\), \(X'\setminus T\), and \(Y'\setminus S\) are of size at most M. Sets \(X_1,X_2,Y_1,Y_2\) are each of size k. The set W is of size \(q-2k\)

Lemma 11

Let \(N,q,q'\) be positive integers and \(M>0\). Let S, \(T\subseteq \{0,1\}^n\), where \(|S|=|T|=N-q'\). Let also \(X'=\{x_1,\ldots ,x_q\}\subseteq S\) and \(Y'=\{y_1,\ldots ,y_q\}\subseteq T\) be sets of size q. Assume that

$$\begin{aligned}&|X'\cap Y'|,|X'\setminus T|,\text { and } |Y'\setminus S|\le M, \end{aligned}$$
(A.1)
$$\begin{aligned}&6M\le q,\end{aligned}$$
(A.2)
$$\begin{aligned}&4q+2q'\le N. \end{aligned}$$
(A.3)

Let \(\mathsf {p}^*\) be the probability that a random bijection P from S to T satisfies \(P(P(x_i))=y_i\) for every \(i=1,\ldots ,q\).Footnote 9 Then

$$\begin{aligned} \mathsf {p}^*\ge \frac{1}{(N)_q}\left( 1-\frac{12M^2}{q} -\frac{2q^2}{MN}-\frac{4q(q+q')^2}{N^2}\right) . \end{aligned}$$

Proof

The reader might find it helpful to refer to Fig. 8 throughout the proof. A simple way to lower bound \(\mathsf {p}^*\) would be to count only bijections P such that \(P(X')\cap X'=\emptyset \). However, this is not good enough for our purpose since it only yields a \(q^2/N\) bound. Hence, we also need to count bijections P such that \(|P(X')\cap X'|=k\) for k in a sufficiently large range. (Jumping ahead, \(P(X')\cap X'\) will be \(X_2\) in the proof below.)

Let \(Z\subseteq X'\) be defined as

$$\begin{aligned} Z&=\{x_i\in X':x_i\in T \wedge x_i\notin Y' \wedge y_i\in S \wedge y_i\notin X'\}\\&=X'\setminus (\overline{T}\cup Y'\cup \{x_i\in X': y_i\in Y'\setminus S\} \cup \{x_i\in X':y_i\in X'\cap Y'\})\\&=X'\setminus ((X'\setminus T)\cup (X'\cap Y')\cup \{x_i\in X': y_i\in Y'\setminus S\} \cup \{x_i\in X':y_i\in X'\cap Y'\}). \end{aligned}$$

Let \(q''=|Z|\). Since by assumption (A.1) we have \(|X'\cap Y'|\), \(|X'\setminus T|\), and \(|Y'\setminus S|\le M\), it follows that \(q''\ge q-4\lfloor M\rfloor \ge 2\lfloor M \rfloor \), where the last inequality follows from assumption (A.2) which implies that \(6\lfloor M \rfloor \le q\).

For each \(0\le k\le M\), choose two disjoint subsets \(X_1\), \(X_2\subset Z\) of size k. We will write

$$\begin{aligned} X_1&=\{x_{i_1},\ldots ,x_{i_k}\}\\ X_2&=\{x_{i_{k+1}},\ldots ,x_{i_{2k}}\}\\ X'\setminus (X_1\cup X_2)&=\{x_{i_{2k+1}},\ldots ,x_{i_{q}}\} \end{aligned}$$

where \(i_1< \cdots <i_k\), \(i_{k+1}<\cdots <i_{2k}\), and \(i_{2k+1}<\cdots <i_{q}\). Given \((X_1,X_2)\), choose a bijection \(F:X_1\rightarrow X_2\). The number of possibilities for \((X_1,X_2,F)\) is

$$\begin{aligned} \left( {\begin{array}{c}q''\\ k\end{array}}\right) \left( {\begin{array}{c}q''-k\\ k\end{array}}\right) k!=\frac{(q'')_{2k}}{k!}. \end{aligned}$$
(28)

For each pair of sets \((X_1,X_2)\), let \(Y_1=\{y_{i_1},\ldots ,y_{i_k}\}\) and \(Y_2=\{y_{i_{k+1}},\ldots ,y_{i_{2k}}\}\). For a fixed pair of sets \((X_1,X_2)\), we also choose

$$\begin{aligned} W\subset (S\cap T)\setminus (X'\cup Y') \end{aligned}$$

such that \(|W|=q-2k\). This is possible (i.e., \((S\cap T)\setminus (X'\cup Y')\) is large enough) since assumption (A.3) implies \(N\ge 3q+2q'\), so that for \(0\le k\le M\) we have

$$\begin{aligned} |(S\cap T)\setminus (X'\cup Y')|\ge |S\cap T|-|X'\cup Y'|\ge (N-2q')-2q\ge q-2k. \end{aligned}$$

For each choice of W, we also choose a bijection \(G:X'\setminus (X_1\cup X_2)\rightarrow W\). Then, the number of possibilities for the pair (W, G) is at least

$$\begin{aligned} \left( {\begin{array}{c}N-2q-2q'\\ q-2k\end{array}}\right) \times (q-2k)!=(N-2q-2q')_{q-2k}. \end{aligned}$$
(29)

For each choice of \((X_1,X_2,F,W,G)\), the probability that a random bijection \(P:S\rightarrow T\) satisfies

  1. (1)

    \(P(x)=F(x)\) for each \(x\in X_1\),

  2. (2)

    \(P(x)=G(x)\) for each \(x\in X'\setminus (X_1\cup X_2)\),

  3. (3)

    \(P(P(x_i))=y_i\) for every \(i=1,\ldots ,q\)

is exactly

$$\begin{aligned} \frac{1}{(N-q')_{2q-k}}. \end{aligned}$$
(30)

To see why this last claim holds, let \(\varPi :X'\rightarrow Y'\) denote the bijection such that \(\varPi (x_i)=y_i\) for \(i=1,\ldots ,q\). Then, a bijection \(P:S\rightarrow T\) satisfies (1), (2) and (3) above iff (see also Fig. 8):

  1. (i)

    \(P(x)=F(x)\) for each \(x\in X_1\), which yields k equations;

  2. (ii)

    \(P(x)=G(x)\) for each \(x\in X'\setminus (X_1\cup X_2)\), which yields \(q-2k\) additional equations;

  3. (iii)

    \(P(z)=\varPi (F^{-1}(z))\) for each \(z\in X_2\) (note that \(X_2\subseteq S\)), so that \(P(P(x))=\varPi (x)\) for each \(x\in X_1\); this yields k additional equations;

  4. (iv)

    \(P(z)=\varPi (F(\varPi ^{-1}(z)))\) for each \(z\in Y_1\) (note that \(Y_1\subseteq S\)), so that \(P(P(x))=\varPi (x)\) for each \(x\in X_2\); this yields k additional equations since \(Y_1\cap X'=\emptyset \);

  5. (v)

    \(P(z)=\varPi (G^{-1}(z))\) for each \(z\in W\), so that \(P(P(x))=\varPi (x)\) for each \(x\in X'\setminus (X_1\cup X_2)\); this yields \(q-2k\) additional equations since W is disjoint from \(X'\cup Y_1\).

In total this amounts to \((2q-k)\) equations, hence the claim. Gathering (28), (29), and (30), we have

$$\begin{aligned} \mathsf {p}^*\ge \sum _{0\le k\le M} \frac{(q'')_{2k}(N-2q-2q')_{q-2k}}{k!(N-q')_{2q-k}}. \end{aligned}$$

To study the summation appearing on the right-hand side, we take advantage of the fact that the summand “looks like” (but is not exactly) the hypergeometric distribution. The hypergeometric distribution typically applies to sampling without replacement from a finite population whose elements can be classified into two mutually exclusive categories. The random variable, parameterized by N, a, and b, counts the number of elements selected from a certain subset of b “good” elements when a elements are selected from the universe of N elements without replacement. The probability that exactly k elements are selected from the subset of b “good” elements is

$$\begin{aligned} \mathsf {Hyp}_{N,a,b}(k)=\frac{\left( {\begin{array}{c}b\\ k\end{array}}\right) \left( {\begin{array}{c}N-b\\ a-k\end{array}}\right) }{\left( {\begin{array}{c}N\\ a\end{array}}\right) }=\frac{(a)_k(b)_k(N-b)_{a-k}}{k!(N)_a}, \end{aligned}$$

and the mean of this variable is ab / N. Hence, we write

$$\begin{aligned} \mathsf {p}^*&\ge \frac{1}{(N)_q}\sum _{0\le k\le M} \frac{(q'')_{2k}(N)_q(N-2q-2q')_{q-2k}}{k!(N-q')_{2q-k}} \times \frac{k!(N-q')_q}{(q)_k(q)_k(N-q'-q)_{q-k}}\\&\quad \times \mathsf {Hyp}_{N-q',q,q}(k)\\&= \frac{1}{(N)_q}\sum _{0\le k\le M} \underbrace{\frac{(q'')_{2k}}{(q)_k(q)_k}}_{A} \times \underbrace{\frac{(N)_q(N-2q-2q')_{q-2k}}{(N-q-q')_{q-k}(N-q-q')_{q-k}}}_{B} \times \mathsf {Hyp}_{N-q',q,q}(k). \end{aligned}$$

We now lower bound A and B independently of k. For any \(0\le k\le M\), we have, since \(q''\ge q-4\lfloor M \rfloor \),

$$\begin{aligned} A\ge & {} \frac{(q-4\lfloor M \rfloor )_{2k}}{q^{2k}} = \prod _{i=0}^{2k-1}\frac{q-4\lfloor M \rfloor -i}{q}\ge \left( 1-\frac{6\lfloor M \rfloor }{q}\right) ^{2k}\\\ge & {} 1-\frac{12\lfloor M \rfloor ^2}{q}\ge 1-\frac{12M^2}{q}, \end{aligned}$$

and

$$\begin{aligned} B=\frac{(N)_q(N-2q-2q')_{q}}{(N-q-q')_{q}(N-q-q')_{q}}\times \underbrace{\frac{((N-2q-q'+k)_k)^2}{(N-3q-2q'+2k)_{2k}}}_{\ge 1}\ge 1-\frac{4q(q+q')^2}{N^2}, \end{aligned}$$

where we applied Lemma 3 with \(a=q\), \(b=q+q'\), \(c=d=q+q'\) (note that \(2a+2b\le N\) by assumption (A.3)). Hence, we obtain
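Both rewriting steps above (the passage to the \(A\cdot B\cdot \mathsf {Hyp}\) form and the factorization of B) rest on the falling-factorial identity \((a)_{m+r}=(a)_m\,(a-m)_r\). Written out as an added check, not part of the original text, the first step is

$$\begin{aligned} (N-q')_{2q-k}&=(N-q')_q\,(N-q'-q)_{q-k},\\ \frac{(q'')_{2k}(N-2q-2q')_{q-2k}}{k!\,(N-q')_{2q-k}} &=\frac{(q'')_{2k}}{(q)_k(q)_k}\cdot \frac{(N-2q-2q')_{q-2k}}{\bigl ((N-q-q')_{q-k}\bigr )^2}\cdot \frac{(q)_k(q)_k(N-q'-q)_{q-k}}{k!\,(N-q')_q}\\ &=\frac{A\,B}{(N)_q}\cdot \mathsf {Hyp}_{N-q',q,q}(k), \end{aligned}$$

and the second uses

$$\begin{aligned} (N-2q-2q')_{q}&=(N-2q-2q')_{q-2k}\,(N-3q-2q'+2k)_{2k},\\ (N-q-q')_{q}&=(N-q-q')_{q-k}\,(N-2q-q'+k)_{k}, \end{aligned}$$

which, substituted into B, gives exactly the displayed product. The last factor of that product is at least 1 because its denominator \((N-3q-2q'+2k)_{2k}\) is a product of 2k integers each at most \(N-3q-2q'+2k\), while its numerator \(((N-2q-q'+k)_k)^2\) is a product of 2k integers each at least \(N-2q-q'+1\), and \(N-3q-2q'+2k\le N-2q-q'+1\) holds since \(2k\le 2M\le q/3<q+q'+1\).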

$$\begin{aligned} \mathsf {p}^*\ge \frac{1}{(N)_q}\left( 1-\frac{12 M^2}{q}-\frac{4q(q+q')^2}{N^2}\right) \sum _{0\le k\le M}\mathsf {Hyp}_{N-q',q,q}(k). \end{aligned}$$

It remains to lower bound the sum on the right-hand side. Since the mean of the hypergeometric distribution \(\mathsf {Hyp}_{N-q',q,q}\) is \(\frac{q^2}{N-q'}\), we have

$$\begin{aligned} \sum _{k>M}\mathsf {Hyp}_{N-q',q,q}(k)\le \frac{q^2}{M(N-q')}\le \frac{2q^2}{MN} \end{aligned}$$

by Markov’s inequality and using the fact that \(q'\le N/2\) by assumption (A.3). So it follows that

$$\begin{aligned} \sum _{0\le k\le M}\mathsf {Hyp}_{N-q',q,q}(k)\ge 1-\frac{2q^2}{MN}, \end{aligned}$$

which completes the proof. \(\square \)

6.4 Concluding the Proof of Theorem 5

We are now ready to complete the proof of Theorem 5.

Proof (of Theorem 5)

We first prove (i). Combining the H-coefficient Lemma (Lemma 1) with Lemma 9 (i) and Lemma 10, we obtain, under the assumption that \(q_e\le N^{\frac{1}{3}}\),

$$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMSP}[n,2,\varvec{\gamma }]}(q_e,q_p)&\le \frac{4q_e^3+8q_e^2q_p+4q_eq_p^2}{N^2}+\frac{2q_e^2}{N^{\frac{4}{3}}}+\frac{16q_e}{N^{\frac{2}{3}}}+\frac{q_e^2+4q_eq_p}{N}\\&\le \left( \frac{4q_e^3}{N^2}{+}\frac{2q_e^2}{N^{\frac{4}{3}}}{+}\frac{16q_e}{N^{\frac{2}{3}}}{+}\frac{q_e^2}{N}\right) {+} \left( \frac{8q_e^2q_p+4q_eq_p^2}{N^2}+ \frac{4q_eq_p}{N}\right) \\&\le \frac{23}{N^{\frac{1}{3}}} + \frac{16q_e q_p}{N}. \end{aligned}$$

To prove (ii), note that it trivially holds when \(q_e> 2^{\frac{2n}{3}}\) or \(q_p> 2^{\frac{2n}{3}}\). Hence, we can assume that \(q_e\le 2^{\frac{2n}{3}}\) and \(q_p\le 2^{\frac{2n}{3}}\). We now use Lemma 9 (ii) (note that the assumption \(4q_e+2q_p\le N\) implies that \(q_e\le N/2\) and \(q_p\le N/2\)) to get

$$\begin{aligned} \mathbf{Adv }^{\mathrm {cca}}_{\mathsf {EMSP}[n,2,\varvec{\gamma }]}(q_e,q_p)&\le \frac{10}{N}+\frac{4q_e^3+12q_e^2q_p+11q_eq_p^2 +4q_p^2\sqrt{q_eq_p}}{N^2}+\frac{2q_e^2}{N^{\frac{4}{3}}}\\&\quad +\frac{15q_p\sqrt{nq_e}+10q_e\sqrt{nq_p}}{N}+\frac{17q_e+12q_p}{N^{\frac{2}{3}}}\\&\le \frac{10}{N} +\left( \frac{4q_e^3}{N^2} +\frac{2q_e^2}{N^{\frac{4}{3}}}+\frac{17q_e}{N^{\frac{2}{3}}} +\frac{10q_e\sqrt{nq_p}}{N}\right) \\&\quad +\left( \frac{12q_p}{N^{\frac{2}{3}}} +\frac{12q_e^2q_p+11q_eq_p^2+4q_p^\frac{5}{2}\sqrt{q_e}}{N^2} + \frac{15q_p\sqrt{nq_e}}{N}\right) \\&\le \frac{10}{N} + (23+10\sqrt{n})\frac{q_e}{N^{\frac{2}{3}}} +(39+15\sqrt{n})\frac{q_p}{N^{\frac{2}{3}}}. \end{aligned}$$

\(\square \)