The Exact Multi-user Security of (Tweakable) Key Alternating Ciphers with a Single Permutation

Naito, Yusuke; Sasaki, Yu; Sugawara, Takeshi

doi:10.1007/978-3-031-58716-0_4

Yusuke Naito⁹,
Yu Sasaki¹⁰ &
Takeshi Sugawara¹¹

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14651))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

405 Accesses

Abstract

We prove the tight multi-user (mu) security of the (tweakable) key alternating cipher (KAC) for any round r with a single permutation and r-wise independent subkeys, providing a more realistic provable-security foundation for block ciphers. After Chen and Steinberger proved the single-user (su) tight security bound of r-round KAC in 2014, its extension under more realistic conditions has become a new research challenge. The state-of-the-art includes (i) single permutation by Yu et al., (ii) the mu security by Hoang and Tessaro, and (iii) correlated subkeys by Tessaro and Zhang. However, the previous works considered these conditions independently, and the tight security bound of r-round KACs with all of these conditions is an open research problem. We address it by giving the new mu-bound with an n-bit message space, approximately $q \cdot \left( \frac{p + r q}{2^n} \right) ^r$, wherein p and q are the number of primitive and construction queries, respectively. The bound ensures the security up to the $O(2^\frac{rn}{r+1})$ query complexity and is tight, matching the conventional attack bound. Moreover, our result easily extends to the r-round tweakable KAC when its subkeys generated by a tweak function is r-wise independent. The proof is based on the re-sampling method originally proposed for the mu-security analysis of the triple encryption. Its extension to any rounds is the core technique enabling the new bound.

You have full access to this open access chapter, Download conference paper PDF

Keywords

1 Introduction

An r-round key alternating cipher ($\textsf {KAC}$) constructs a block cipher using r permutations $\pi _1,\ldots ,\pi _{r}$ and $r+1$ subkeys $K_0,\ldots ,K_{r}$ as

$$\begin{aligned} K_{r} \oplus \pi _{r}( K_{r-1} \oplus \pi _{r-1}( \cdots \pi _2( K_1 \oplus \pi _1(K_0 \oplus M) \cdots ) ) ). \end{aligned}$$

(1)

The 1-round $\textsf {KAC}$ is also known as the Even-Mansour (EM) cipher, and the r-round $\textsf {KAC}$ is also referred to as the r-round iterated EM. $\textsf {KAC}$ describes the computational structure of block ciphers commonly used in the real world, such as AES and other substitution-permutation networks (SPN) ciphers, and the provable security of $\textsf {KAC}$ is their theoretical foundation. Consequently, obtaining tight security bounds for $\textsf {KAC}$ has been an important challenge in symmetric-key cryptography research. As summarized in Table 1, the tight security bounds of $\textsf {KAC}$ have been studied for different directions, i.e., the number of rounds, correlated subkeys, a reduced number of identical permutations, multi-user (mu) security, and tweakable $\textsf {KAC}$ ($\textsf {TKAC}$).

Table 1. Tight bounds of $\textsf {KAC}$ with different conditions.

Full size table

To prove security, each component of the scheme is often assumed to behave randomly. Several studies assumed that each subkey and each permutation were independent and proved the security for as many rounds as possible. Although the original EM cipher has been known since 1991, Dunkelman et al. [10] finally obtained its tight bound for $r=1$ in 2012, which is $O(2^{n/2})$ queries, including both queries to the construction and the internal permutation, with the message space $\{0, 1\}^n$. In the same year, Bogdanov et al. [3] tackled $r\ge 2$ and proved the lower bound for $r\ge 2$ to be $O(2^{2n/3})$. This is tight for $r=2$, and they further conjectured the one with general r to be $O(2^\frac{rn}{{r+1}})$. Steinberger extended the result to show the lower bound of $O(2^{3n/4})$ for $r\ge 3$, which is tight for $r=3$ [24]. Lampe et al. [16] tackled the problem with any r, proving the security up to $O(2^\frac{rn}{r+2})$ queries. Chen and Steinberger [5] finally resolved the conjecture and proved the $O(2^\frac{rn}{r+1})$-security bound for any r.

Unlike the the above works using independent random permutations for each round [3, 5, 16, 24], practical block ciphers use the same round function iteratively. Consequently, proving security of $\textsf {KAC}$ with a single permutation, i.e., $\pi _1=\pi _2= \cdots =\pi _{r}$, has become a new research challenge [4, 27, 28]. Chen et al. initiated this direction by proving the security bounds for $r=2$ in 2014 [4], and Wu et al. proved for $r=3$ in 2020 [27]. Finally, in 2023, Yu et al. proved the tight bound for any r [28].

Assuming that $r+1$ subkeys $K_0,\ldots ,K_{r}$ are independent is another gap from practical block ciphers that use correlated subkeys generated from a single secret key and a key-schedule algorithm. Addressing the issue, the other researchers tackled the security of $\textsf {KAC}$ with correlated subkeys [4, 10, 25]. Dunkelman et al. [10] addressed the problem for single-key EM cipher, i.e., $r=1$ with $K_0 = K_1$. Chen et al. [4] tackled $r=2$ with an identical permutation and proved the security with 1-wise independent subkeys, i.e., $K_0=K_2$ and $K_1=f(K_0)$ with a linear map f. Finally, Tessaro and Zhang [25] extended to any r with $(r-1)$-wise independent subkeys, i.e., $r-1$ independent and two dependent subkeys.

Yet another extension is $\textsf {KAC}$’s tight security bounds under the mu setting. Unlike the conventional single-user (su) setting, the mu security considers multiple users with independent secret keys. An adversary wins by breaking any of the keys, which better represents the real-world attacks targeting a particular service rather than a particular user. Researchers have studied the mu security of the standard algorithms, including AES-GCM [1, 15, 18], ChaCha20-Poly1305 [9], and TDES [20]. Popular internet protocols determine the AES-GCM’s rekeying frequency based on the mu-security bound [22, 23, 26].

The mu-security bound is generally lower than the su-security bound. In particular, in block ciphers, the key collision attack presented by Biham [2] allows one user’s k-bit key to be recovered with a query of $2^k/u$ when there are u users. In the mu-setting, an adversary can distribute q queries to multiple users as desired. The number of queries each user receives is not fixed in advance. In the most extreme case, a user will be queried q times. Thus, by the naive hybrid argument, the mu-security bound has an additional multiplicative factor u compared to the su-security bound, where u is an upper bound on the number of users, which again is upper bounded by q. Unfortunately, this multiplicative factor q can be significant.

On the other hand, Mouha and Luykx [19] proved the mu-security bound of the Even-Mansour construction, i.e., $r=1$ of $\textsf {KAC}$, in a dedicated manner without using a hybrid argument, showing no security degradation in the mu setting. Hoang and Tessaro [14] further extended the result to r-round $\textsf {KAC}$ with independent subkeys and permutations and showed that the mu-security bound is not degraded from the su-security bound even for any r.

The other researchers studied the security of $\textsf {TKAC}$, also known as the tweakable EM, $\textsf {KAC}$ extended with additional tweak input. Cogliati et al. initiated this direction by proving the tight 2-round bound while giving the asymptotic bound for more general cases [7]. Then, Cogliati and Seurin extended the tight security bound from 2 to 4 [8]. Finally, Dutta showed that the 4-round $\textsf {TKAC}$ achieves the same security using two independent permutations only [11].

1.1 Research Question

The previous works pushed forward $\textsf {KAC}$’s tight security bounds toward different directions, as shown in Table 1. Yu et al. proved the su security of r-round $\textsf {KAC}$ with single permutation and independent subkeys [28]. Tessaro and Zhang gave the su security of the r-round $\textsf {KAC}$ with independent permutations and $(r-1)$-wise independent subkeys [25]. Hoang and Tessaro obtained the mu security of r-round $\textsf {KAC}$ with independent permutations and subkeys [14]. In other words, the tight security bound of $\textsf {KAC}$ with all of these conditions, i.e., getting mu-security of the r-round $\textsf {KAC}$ with identical permutation and correlated subkeys, is still an open research problem. Obtaining tight security bounds of $\textsf {TKAC}$ is another open research problem, but the provable tight bound is limited to four [11] and an r-round bound is unknown even without the above conditions.

1.2 Contributions

We address the above open research problems by proving the mu-security of the r-round (tweakable) $\textsf {KAC}$ with identical permutation and correlated subkeys. Below we summarize the main contributions.

Tight Security Bound. The security bound of the r-round $\textsf {KAC}$ with a single permutation with the message space $\{0, 1\}^n$ and $\epsilon $ $r$-wise independent subkeys, where $\epsilon $ is the probability that one subkey results in some value, is

$$\begin{aligned} \left( \frac{4^rr^4}{12} +r+1 \right) \cdot q\left( (p+ rq) \cdot \max \left\{ \epsilon , \frac{2}{2^n} \right\} \right) ^r+ 2r^2 \cdot \frac{q}{2^n} , \end{aligned}$$

(2)

wherein $p$ and $q$ are the number of the primitive and construction queries, respectively. When using the optimal probability $\epsilon = \frac{1}{2^n}$, the first term becomes $O\left( q\left( \frac{p+ rq}{2^n} \right) ^r\right) $. Then, the adversary’s advantage becomes constant when the number of queries, including both p and q, and reaches $O(2^\frac{rn}{r+1})$, which matches Bogdanov et al.’s conjectured lower bound $O(2^\frac{rn}{r+1})$.

Compared to the tight bound given by Hoang and Tessaro [14] for independent subkeys and independent permutations, which is $2q \bigl (\frac{4(p+ rq)}{2^n} \bigr )^r$, our bound is the same up to the constant, indicating that using an identical permutation for all rounds would not degrade security if all the subkeys are independent.

We next extend our $\textsf {KAC}$ result to $\textsf {TKAC}$ that consists of a tweak function $h_K$ and $\textsf {KAC}$. Given a tweak $tw$ and a plaintext $M$, the tweak function $h_K$ first generates the subkeys $K_0, \ldots , K_r$ using $tw$, and then $\textsf {KAC}$ uses these subkeys to encrypt $M$. With the assumption that each tuple of subkeys defined by $h_K$ are $\epsilon $ $r$-wise independent, the mu-security of $\textsf {TKAC}$ can be reduced to that of $\textsf {KAC}$, and we obtain the same bound given in Eq. (2).

Our result improves the state-of-the-art tight security bounds of $\textsf {KAC}$ in multiple ways, as summarized in Table 1. First, we extend the security of the r-round $\textsf {KAC}$ with identical permutation [28] for the mu-setting with r-wise independent subkeys. Second, compared with the state-of-the-art result on the r-round $\textsf {KAC}$ with correlated subkeys [25], our result supports identical permutation in the mu-setting at the cost of using one additional independent subkey, i.e., r-wise instead of $(r-1)$-wise independence. Third, our result extends the mu security of the r-round $\textsf {KAC}$ [14] with identical permutation and correlated subkeys. Finally, we extend the provable tight security bound of $\textsf {TKAC}$ from four [11] to any under the aforementioned relaxed conditions.

Our Technique. Our proof is based on the re-sampling method for the triple encryption by Naito et al. [20]. However, the re-sampling method in [20] is only for the 3-round scheme, whereas our target scheme $\textsf {KAC}$ is an arbitrary-round one. Hence, we update their re-sampling method to support arbitrary round.

Original Re-sampling Method for a Small r. The re-sampling method [20] was originally proposed as a novel way of defining ideal-world dummy internal values in the proof based on the coefficient-H technique [21]. The dummy internal values, as well as dummy keys, are finally revealed to an adversary at the end of the query stage, which makes good-transcript analysis easier. Without this treatment, the previous proofs [4, 14] suffered from complicated counting of the number of solutions of the internal values with a huge number of cases.^{Footnote 1} The re-sampling method successfully obtained a tight mu-bound with triple encryption [20].

A naive method to define dummy internal values is to perform only the forward sampling that defines the values from the first round to the last round for each construction query-response pair. This method fails if a defined internal value collides with some primitive query-response or an internal value of some previous construction query. The collision probability is $O\left( q\left( \frac{p+q}{2^{k+n}}\right) \right) $ for the triple encryption with a $k$-bit key and an $n$-bit-block block cipher, which was insufficient for getting a tight bound. The original re-sampling method solves the problem by introducing the inverse sampling in addition to the forward sampling. Thus, in the re-sampling method, if the forward sampling fails, i.e., a collision with some construction query-response pair occurs at the i-th round, then the internal values are re-defined from the last round to the i-th round. As the number of chances to define compatible internal values increases, the failure probability of defining the internal values can be improved to $O\left( q\left( \frac{p+q}{2^{k+n}}\right) ^2 \right) $.

Re-sampling Method for any r (Section 4.5). The re-sampling method offers the bound $O\left( q\left( \frac{p+q}{2^{n}} \right) ^2 \right) $ for $\textsf {KAC}$ as $k=0$, but the bound is not tight for $r\ge 3$. To obtain the tight bound for $\textsf {KAC}$, we update the method by taking into account all chains involved in the inverse sampling. Intuitively, the original re-sampling method defines a bad event of the inverse sampling as the collision with some primitive query-response or some previous internal value. However, not all such collisions yield incompatible internal values. Namely, the naive extension of the original re-sampling method to 3-rounds or more will result in a loose evaluation of bad events. That is because a longer-round analysis involves a collision with a long chain, a sequence of primitive query-responses or previous internal values with the user’s key, which could be ignored in the analysis for 2 rounds or less. Hence, we update the inverse sampling by revisiting the bad event such that a collision of such a chain is taken into account. As such a chain includes the user’s key, which is secret and random, we can improve the failure probability of the inverse sampling. Consequently, the updated re-sampling method can define compatible internal values up to the tight bound, offering the tight bound of $\textsf {KAC}$ for any round.

1.3 Organization

This paper is organized as follows. We begin by giving basic notations in Sect. 2. We define $\textsf {KAC}$ with a Single Permutation and their security in Sect. 3. Section 4 summarizes the main results, followed by the formal proofs in Sect. 5. The results are extended to $\textsf {TKAC}$ in Sect. 6. Section 7 is conclusion.

2 Basic Notation

Let $\varepsilon $ be an empty string and $\emptyset $ an empty set. For an integer $i \ge 0$, let $\{0,1\}^i$ be the set of all i-bit strings and $\{0,1\}^0 := \{\varepsilon \}$. For integers $0 \le i \le j$, let $[i,j]: = \{i,i+1,\ldots ,j\}$ and $[j] := [1,j]$. If $j<i$ then $[i,j]:= \emptyset $. For a value or a set X, $Y \leftarrow X$ means that X is assigned to Y. For a non-empty set $\mathcal {T}$, $T \xleftarrow {\$}\mathcal {T}$ means that an element is chosen uniformly at random from $\mathcal {T}$ and assigned to T. For two sets $\mathcal {T}_1$ and $\mathcal {T}_2$, $\mathcal {T}_1 \xleftarrow {\cup }\mathcal {T}_2$ means that $\mathcal {T}_1 \leftarrow \mathcal {T}\cup \mathcal {T}_2$. For integers s and t, “$i \in \overrightarrow{[s,t]}$ (resp. $i \in \overleftarrow{[s,t]}$)” means that in a for statement, i is chosen from [s, t] in ascending (resp. descending) order from s (resp. from t). If $s>t$, then there is no choice for i. Note that if $s=1$, then s is omitted such as $\overrightarrow{[t]}$.

3 KACs: Specification and Security Definition

We show the specification of $\textsf {KAC}$ with a single permutation. We then define an mu-PRP security notion with $\textsf {KAC}$.

3.1 KACs with a Single Permutation

Let $n$ be the bit-length of plaintext and ciphertext blocks of $\textsf {KAC}$. Let $r$ be the number of rounds of $\textsf {KAC}$. Let $K= (K_0, K_1,\ldots ,K_{r})$ be $n$-bit subkeys of $\textsf {KAC}$ and $\pi $ the underlying $n$-bit permutation of $\textsf {KAC}$. The inverse of $\pi $ is denoted by $\pi ^{-1}$. Let $\pi ^{\pm }:= (\pi , \pi ^{-1})$. Let $\mathcal {K}$ be the key space of $\textsf {KAC}$. Then, the encryption of $\textsf {KAC}$ with $K$ and $\pi ^{\pm }$ is defined as follows. For a plaintext block $M\in \{0,1\}^n$, the ciphertext block is defined as

$$\begin{aligned} \textsf {KAC}_{r}[K,\pi ](M) = K_{r} \oplus \pi ( K_{r-1} \oplus \pi ( \cdots \pi ( K_1 \oplus \pi (K_0 \oplus M) \cdots ) ) ) . \end{aligned}$$

The decryption of $\textsf {KAC}_{r}[K,\pi ]$ is denoted by $\textsf {KAC}^{-1}_{r}[K,\pi ^{-1}]$. For a ciphertext block $C\in \{0,1\}^n$, the plaintext block is defined as

$$\begin{aligned} \textsf {KAC}^{-1}_{r}[K,\pi ^{-1}](C) = K_{0} \oplus \pi ^{-1}( K_{1} \oplus \pi ^{-1}( \cdots \pi ^{-1}( K_{r-1} \oplus \pi ^{-1}(K_r\oplus C) \cdots ) ) ) . \end{aligned}$$

Let $\textsf {KAC}_{r}^{\pm }[K,\pi ^{\pm }] := (\textsf {KAC}_{r}[K,\pi ],\textsf {KAC}^{-1}_{r}[K,\pi ^{-1}])$.

3.2 Definition of Mu-SPRP Security of KACs

We consider multi-user (mu) strong-pseudo-random-permutation (SPRP) security of $\textsf {KAC}$ in the random permutation (RP) model. Let $u$ be the number of users. Let $\textsf{Perm}$ be the set of all $n$-bit permutations. In the security game, an adversary $\textbf{A}$ tries to distinguish between the real and ideal worlds, and has oracle access to the following oracles.

Real-world oracles:
- $u$ instantiations of $\textsf {KAC}$: $\textsf {KAC}_{r}^{\pm }[K^{(1)},\pi ^{\pm }], \ldots , \textsf {KAC}_{r}^{\pm }[K^{(u)},\pi ^{\pm }]$, and
- a RP: $\pi ^{\pm }$,
where $\pi \xleftarrow {\$}\textsf{Perm}$, and for each $\nu \in [u]$, $K^{(\nu )} \xleftarrow {\$}\mathcal {K}$.
Ideal-world oracles:
- $u$ RPs: $\varPi ^{\pm }_1,\ldots ,\varPi ^{\pm }_u$, and
- a RP: $\pi ^{\pm }$,
where $\pi \xleftarrow {\$}\textsf{Perm}$, and for each $\nu \in [u]$, $\varPi _\nu \xleftarrow {\$}\textsf{Perm}$ and $\varPi ^{\pm }_\nu := (\varPi _\nu , \varPi ^{-1}_\nu )$.

At the end of the game, $\textbf{A}$ returns a decision bit. Let $\textbf{A}^{\mathcal {O}} \in \{0,1\}$ denotes an output of $\textbf{A}$ with oracle access to the set of oracles $\mathcal {O}$. Then, the advantage function of $\textbf{A}$ is defined as

$$\begin{aligned} & \textbf{Adv}^{\textsf{mu}\textsf {-}\textsf{sprp}}_{\textsf {KAC}}(\textbf{A}) := \\ & \textrm{Pr}[\textbf{A}^{\textsf {KAC}_{r}^{\pm }[K^{(1)},\pi ^{\pm }], \ldots , \textsf {KAC}_{r}^{\pm }[K^{(u)},\pi ^{\pm }],\pi ^{\pm }} = 1] - \textrm{Pr}[\textbf{A}^{\varPi ^{\pm }_1,\ldots ,\varPi ^{\pm }_u,\pi ^{\pm }} = 1] , \end{aligned}$$

where the real (resp. ideal)-world probability is taken over $K^{(1)},\ldots ,K^{(u)}$ (resp. $\varPi _1,\ldots ,\varPi _u$), $\pi $, and $\textbf{A}$. We refer the particular queries to as follows:

Primitive queries: queries to $\pi ^{\pm }$;
Forward (resp. Inverse) queries: queries to $\pi $ (resp. $\pi ^{-1}$);
Construction queries (to the $\nu $-th user): queries to $\textsf {KAC}_{r}^{\pm }[K^{(\nu )},\pi ^{\pm }]$ or $\varPi ^{\pm }_\nu $;
Encryption (resp. decryption) queries (to the $\nu $-th user): construction queries to $\textsf {KAC}_{r}[K^{(\nu )},\pi ]$ or $\varPi _\nu $ (resp. $\textsf {KAC}^{-1}_{r}[K^{(\nu )},\pi ^{-1}]$ or $\varPi ^{-1}_\nu $).

4 Mu-Security of KACs with a Single Permutation

We first define $r$-wise independence which is a requirement for the subkeys of $\textsf {KAC}$. We then show an upper-bound for the mu-SPRP security of $\textsf {KAC}$ followed by the tools to prove the mu-SPRP security. Our proof is based on the re-sampling method [20] originally introduced for triple encryption. We briefly recall the original method, and show our extension to arbitrary round schemes.

4.1 r-Wise Independent Subkeys

We prove the mu-SPRP security of $\textsf {KAC}$ with $r$-wise independent subkeys. The definition of $r$-wise independent keys is given below.

Definition 1

Subkeys $K_0^{(\nu )}, K_1^{(\nu )},\ldots $, and $K_{r}^{(\nu )}$ are $\epsilon $ $r$-wise independent if for any subset $S \subseteq [0,r]$ and |S| values $V_j \in \{0,1\}^n$ for $j \in S$ that are defined independently of the subkeys, we have $\textrm{Pr}[\forall j \in S: K_j^{(\nu )} = V_j] \le \epsilon ^{\min \{ |S|, r\}}$.

We show examples of $r$-wise independent subkeys.

Example 1

($r$-wise independent subkeys). Let $i \in [0,r-1]$. For each $j \in [0,r-1]$, $R_j$ is chosen uniformly at random from $\{0,1\}^n$. Then, the following subkeys are $r$-wise independent, since the ranks are both $r$ regarding the subkeys.

$K_j = R_{j}$ for each $j \in [0,r] \backslash \{i\}$, and $K_i = \bigoplus _{j \in [0,r] \backslash \{i\}} K_j$.
$K_0 = R_{1}$, $K_i = R_{i-1} \oplus R_{i}$ for each $i \in [r-1]$, and $K_r= R_r$.

4.2 Mu-SPRP Security Bounds of KACs

The following theorem shows the upper-bound of the mu-SPRP security of $\textsf {KAC}$. The proof is given in Sect. 5.

Theorem 1

Assume that for each user the subkeys are $\epsilon $ $r$-wise independent. Let $\delta = \max \left\{ \epsilon , \frac{2}{2^n} \right\} $. Let $\textbf{A}$ be an adversary that makes at most $p$ primitive queries and $q$ construction queries. Let $\sigma := p+ rq$. Then, we have

$$\begin{aligned} \textbf{Adv}^{\textsf{mu}\textsf {-}\textsf{sprp}}_{\textsf {KAC}}(\textbf{A}) \le \left( \frac{4^rr^4}{12} +r+1 \right) \cdot q(\sigma \delta )^r+ 2r^2 \cdot \frac{q}{2^n} . \end{aligned}$$

When $\epsilon $ is optimal, i.e., $\epsilon =\frac{1}{2^n}$, the above bound becomes

$$8^r\cdot \left( \frac{r^4}{12} +r+1 \right) \cdot q\left( \frac{\sigma }{2^n} \right) ^r+ 2r^2 \cdot \frac{q}{2^n} .$$

The second term becomes a constant only when making full code-book queries. Ignoring the term, i.e., $q\ll O(\frac{2^n}{r^2})$, the bound becomes $O\left( q\left( \frac{\sigma }{2^{n}} \right) ^r\right) $ and is tight.

4.3 Tools for the Mu-SPRP Security Proof

Coefficient-H Technique. In this paper, we refer to the set of responses that an adversary obtains in a security game as a “transcript.” Let $\textsf{T}_R$ be a transcript obtained by sampling in the real world, i.e., sampling of $K^{(1)},\ldots ,K^{(u)}$ and $\pi $. Let $\textsf{T}_I$ be a transcript obtained by sampling in the ideal world, i.e., sampling of $\varPi _1,\ldots ,\varPi _u$ and $\pi $. We call a transcript $\tau $ valid if $\Pr [\textsf{T}_I=\tau ] > 0$. Let $\mathcal {T}$ be the set of all valid transcripts such that $\forall \tau \in \mathcal {T}: \Pr [\textsf{T}_R=\tau ]\le \Pr [\textsf{T}_I=\tau ]$. Then, we have $\textbf{Adv}^{\textsf{mu}\textsf {-}\textsf{sprp}}_{\textsf {KAC}}(\textbf{A}) \le \textsf{SD}(\textsf{T}_R,\textsf{T}_I) := \sum _{\tau \in \mathcal {T}} (\Pr [\textsf{T}_I=\tau ]-\Pr [\textsf{T}_R=\tau ])$.

We derive the mu-SPRP bound using the coefficient-H technique [21].

Lemma 1

Let $\mathcal {T}_{\textsf{good}}$ and $\mathcal {T}_{\textsf{bad}}$ be good and bad transcripts into which $\mathcal {T}$ is partitioned. If $\forall \tau \in \mathcal {T}_{\textsf{good}}:\frac{\Pr [\textsf{T}_R=\tau ]}{\Pr [\textsf{T}_I=\tau ]} \ge 1-\varepsilon $ s.t. $0 \le \varepsilon \le 1$, then $\textsf{SD}(\textsf{T}_R,\textsf{T}_I) \le \textrm{Pr}[\textsf{T}_I \in \mathcal {T}_\textsf{bad}] + \varepsilon $.

We thus show the following three points: (1) define good and bad transcripts; (2) upper-bound $\Pr [\textsf{T}_I \in \mathcal {T}_{\textsf{bad}}]$; (3) lower-bound $\frac{\Pr [\textsf{T}_R=\tau ]}{\Pr [\textsf{T}_I=\tau ]}$. Then, putting these bounds into the above lemma, we obtain an upper-bound of $\textbf{Adv}^{\textsf{mu}\textsf {-}\textsf{sprp}}_{\textsf {KAC}}(\textbf{A})$.

Lazy Sampled Random Permutations. Our proof makes use of lazy sampled RPs for $\pi ^{\pm }$ and $\varPi ^{\pm }_\nu $ ($\nu \in [u]$). The lazy sampled RPs use the following tables.

$\mathcal {L}_0$ (resp. $\mathcal {L}_{\nu }$): a table that is initially empty and keeps query-response pairs of $\pi ^{\pm }$ (resp. $\varPi ^{\pm }_\nu $).
$\mathcal {L}^1_{0}$ (resp. $\mathcal {L}^2_{0}$): a table that keeps the first (resp. second) elements of pairs defined in $\mathcal {L}_0$.
$\mathcal {L}^1_{\nu }$ (resp. $\mathcal {L}^2_{\nu }$): a table that keeps the first (resp. second) elements of pairs defined in $\mathcal {L}_{\nu }$.
$\mathcal {L}^2_{0}[X] := Y$ and $\mathcal {L}^1_{0}[Y] := X$ if $(X,Y) \in \mathcal {L}_0$, and $\mathcal {L}^2_{0}[X]=\varepsilon $ (resp. $\mathcal {L}^1_{0}[Y]=\varepsilon $) if $X\not \in \mathcal {L}^1_{0}$ (resp. $Y\not \in \mathcal {L}^2_{0}$).
$\mathcal {L}^2_{\nu }[M] := C$ and $\mathcal {L}^1_{\nu }[C] := M$ if $(M,C) \in \mathcal {L}_{\nu }$, and $\mathcal {L}^2_{\nu }[M]=\varepsilon $ (resp. $\mathcal {L}^1_{\nu }[C]=\varepsilon $) if $M\not \in \mathcal {L}^1_{\nu }$ (resp. $C\not \in \mathcal {L}^2_{\nu }$).

The procedures of the lazy sampled RPs are given in Algorithm 1.

4.4 Re-Sampling Method for Triple Encryption [20]

Our proof makes use of the re-sampling method for the triple encryption by Naito et al. [20]. It was originally proposed only for a 3-round scheme, and we update it to arbitrary rounds for $\textsf {KAC}$.

We first recall the previous method. Let $E$ be a $k$-bit key and $n$-bit block ideal cipher. The structure of the triple encryption is given in Fig. 1(a). The security proof is given in the ideal cipher model, and uses the coefficient-H technique.

The re-sampling method is a novel way of defining dummy internal values in the ideal world, and the dummy internal values and dummy keys are revealed to an adversary after finishing all queries. This method makes good-transcript analysis easier than the existing proofs for the triple encryption. The previous proofs, such as [5, 14], do not reveal internal values to the adversary, which makes the analysis of good transcripts complicated since one needs to count the number of solutions of the internal values with a huge number of cases.

A naive method for defining dummy internal values is to define all internal values only by the forward sampling, as shown in Fig. 1(b). This method can avoid such a heavy counting step but cannot offer a tight bound. The bad event for this method is that some internal value is connected with some primitive query-response tuple with the user’s key, which yields duplication of the internal value at the next round (See Fig. 1(c)).^{Footnote 2} If the forward sampling fails, then we cannot obtain compatible internal values anymore. Let $p$ (resp. $q$) be the number of primitive (resp. construction) queries. Then, the probability that the naive method fails is roughly $O(\frac{p}{2^{k+n}})$, since the key (resp. the internal value) is chosen uniformly at random from $2^k$ (resp. about $2^n$) elements. As the number of dummy internal values is at most $3q$, the probability that the naive method fails is at most $O(\frac{qp}{2^{k+n}})$. When making a full codebook construction queries, i.e., $q=O(2^n)$, the naive method yields the $O(2^k)$ security regarding primitive queries, which is not tight for the triple encryption.

The re-sampling method improves the bound by introducing the inverse sampling. This method first tries the forward sampling as described above using $E$ for each construction query-response pair $(M,C)$. If the forward sampling fails, then the remaining internal values, including the (incompatible) internal value, are (re)defined by $E^{-1}$ (the inverse of $E$) from the last round. This step is called the inverse sampling. Figure 1(d) exemplifies the procedure of the inverse sampling after the failure of the forward sampling in Fig. 1(c). In this example, the internal value $Z_2$ is (re)defined by the inverse sampling. By the re-sampling method, internal values that are compatible with construction query-response pairs and primitive ones can be defined up to the tight bound.

The inverse sampling fails if some internal value is connected with some primitive query-response tuple with the user’s key, which is the bad event of the re-sampling method. Figure 1(e) exemplifies the bad event: if the value $Z_2$ connects with some primitive query-response tuple with the user’s key $K_2$, then the internal value $Z_1$ is duplicately defined, and the re-sampling method fails. The probability that the bad event occurs is upper-bounded by the probability that forward and inverse samplings fail within the same construction query-response pair. For each construction query, the probability that an internal value by the forward (resp. inverse) sampling is connected with some primitive query-response tuple with the user’s key is roughly $\frac{p}{2^{n+k}}$ (resp. $\frac{p}{2^{n+k}}$). Hence, the probability that the bad event occurs is at most roughly $q(\frac{p}{2^{n+k}})^2$. The bound is tight as long as $q\le 2^n$ (the bound becomes $\frac{p^2}{2^{2k+n}}$).

For good transcripts $\tau $, we need to evaluate $\frac{\Pr [\textsf{T}_R=\tau ]}{\Pr [\textsf{T}_I=\tau ]}$, the ratio of the real-world and ideal-world probabilities. As transcripts include all internal values, we can avoid the heavy counting step. On the other hand, the re-sampling method increases the number of chances to satisfy the target good transcript, i.e., $\Pr [\textsf{T}_I=\tau ]$ is increased. In the real world, all input-output tuples are defined by an ideal cipher $E$. In the ideal world, responses to construction queries are defined by a random permutation, and those to primitive queries are defined by an ideal cipher $E$, which is independent of the random permutation. Hence, the output space of the ideal world is larger than that of the real world. Naito et al. [20] proved that regarding the triple encryption, the influence of the increase can be canceled out by using the budget of the output space of the ideal world, and the ratio can be greater than or equal to 1.

4.5 Updating the Re-Sampling Method for Arbitrary Round $\textsf {KAC}$s

We explain our updated re-sampling method that supports arbitrary round $\textsf {KAC}$s and offers the tight bound of $\textsf {KAC}$s $O \left( q\left( \frac{p+rq}{2^n}\right) ^r\right) $. The procedure of defining dummy internal values in the ideal world is similar to the one for the triple encryption. For each construction query-response pair, firstly, the internal values are defined by the forward sampling, and if the forward sampling fails, then the remaining internal values are defined by the inverse sampling.

The failure probability is essential in updating the re-sampling method to longer rounds. The original method in [20] provides the bound $O\left( q\left( \frac{p}{2^{n+k}} \right) ^2 \right) $ for the triple encryption. This evaluation offers the bound $O\left( q\left( \frac{p}{2^{n}} \right) ^2 \right) $ for $\textsf {KAC}$s as $k=0$, which is not tight for $r\ge 3$. To obtain the tight bound for $\textsf {KAC}$s, the updated method takes into account all chains involved in the inverse sampling. Here, a chain is a sequence of input-output pairs $(V_1,W_1),\ldots ,(V_\ell ,W_\ell )$ defined by previous queries. The key of the $\ell $-chain is defined as $((W_1 \oplus V_2) \Vert (W_2 \oplus V_3) \Vert \cdots \Vert (W_{\ell -1} \oplus V_\ell ))$.

In our updated method, even if some internal values are duplicately defined, i.e., in the inverse sampling some internal value connects with some long chain, the duplication is avoided by replacing the internal values defined by the forward sampling with those defined by the inverse sampling. We explain the method by using Fig. 2 that considers the 5-round $\textsf {KAC}$.

Firstly, as the original method, the forward sampling is performed. Figure 2(a) shows a successful case of the forward sampling, where the forward sampling starts from the first round^{Footnote 3} and ends with the fourth round. The input-output pair of the fifth round, which is called MITM round, is defined by $(W_5 \oplus K_4, C\oplus K_5)$. However, the forward sampling fails if an output of some round connects with a chain that offers an incompatible internal value. Then, the inverse sampling is performed. Figure 2(b) shows the failure event, where after the third round, the result $V_4 ~ (=K_3 \oplus W_3)$ connects with a 2-chain with the key $K_4$, and by the output of the 2-chain and $K_5 \oplus C$, the internal value $W_5$ is duplicately defined. In this case, the forward sampling defines the internal values up to the second round, and the inverse sampling defines the remaining internal values. Figure 2(c) shows a successful case of the inverse sampling. The inverse sampling is performed until the fourth round. The third round is the MITM round, i.e., the input-output pair is defined by using the results of the forward and inverse samplings, i.e., $(V_3, W_3) = (K_2\oplus W_2, K_3 \oplus V_4)$.

As the original re-sampling method, the inverse sampling fails if some internal value connects with a chain that offers duplication of some internal value. Figure 2(d) shows the failure case: the internal value $W_4$ defined by the inverse sampling connects with a 4-chain with keys $K_1,K_2,K_3$. Regarding the connection with some chain, the original re-sampling method can define compatible internal values even when in the inverse sample some internal value connects with some chain. The chain must not reach the last round in the forward sampling. Figure 2(e) exemplifies the cases: even if $W_4$ connects with a 1-chain, we can define compatible internal values as the chain does not reach the second round. However, the original method gives up on cases for connections with longer chains (the lengths are two or longer for the example in Fig. 2(e)).

We update the inverse sampling to salvage the cases by introducing a new procedure that updates internal values defined by the forward sampling with new values defined by the inverse sampling. Figures 2(f)(g) show examples of the updated method. In Fig. 2(f), the 2-chain reaches the second round that has been defined by the forward sampling, and the updated method replaces the previous internal value $W_2$ with the new one in the 2-chain. Then, the MITM round is also updated from the third round to the second one, and the new method succeeds in defining compatible internal values. Figure 2(g) is similar to Fig. 2(f), but the types of the second round are different. In Fig. 2(g), the input-output pair at the second round was defined by some previous query, and the 2-chain in the inverse sampling reaches the second round, i.e., the values $V_3$ from the forward sampling and from the inverse one were both fixed by some previous queries. Unlike Fig. 2(f), the value $V_3$ cannot be directly updated. The updated method salvages the case by going back to the round at which the input-output pair is defined by the forward sampling and is not fixed by previous queries (the first round in Fig. 2(g)). By performing the inverse sampling up to the round, the duplications can be eluded.

Regarding the bad event, as explained before, the updated inverse sampling fails if some internal value connects with a chain that reaches the first round in Fig. 2. The bad event requires avoidance of the updating procedure or connections with long chains. Our proof shows that the probability of the bad event is bounded by the tight one $O\left( q\left( \frac{(p+rq)}{2^n} \right) ^r\right) $, assuming the optimal probability $\epsilon = O\left( \frac{1}{2^n} \right) $.

4.6 Evaluation for Good Transcript

Our updated re-sampling method can define dummy internal values up to the tight bound. Thus, we can avoid the heavy counting step, which is required for the ideal-world analysis for a good transcript without dummy internal values. On the other hand, as mentioned in Sect. 4.4, the inverse sampling could increase the ideal-world probability of a good transcript. We thus need to carefully evaluate the ideal-world probability so that the inverse sampling does not cause a dominant term. As the original inverse sampling, the influence of the increase can be canceled out by using the budget of the output space of the ideal world, and the ratio $\frac{\Pr [\textsf{T}_R=\tau ]}{\Pr [\textsf{T}_I=\tau ]}$ can be greater than or equal to 1.

5 Proof of Theorem 1

Without loss of generality, we assume that an adversary is deterministic, makes no repeated construction query to the same user, and makes no repeated primitive query.

5.1 Notations and Definitions

We use the following notations and definitions.

$q_\nu $: the number of construction queries to the $\nu $-th user.
$K^{(\nu )} = K_0^{(\nu )} \Vert K_1^{(\nu )} \Vert \cdots \Vert K_{r}^{(\nu )}$: the key of the $\nu $-th user.
$K^{(\nu )}_{i,j} := K_i^{(\nu )} \Vert \cdots \Vert K_j^{(\nu )}$ where $i,j \in [0,r]$. If $i=j$ then $K^{(\nu )}_{i,j}:=K^{(\nu )}_{i}$, and if $i>j$ then $K^{(\nu )}_{i,j}:=\varepsilon $.
$(X^{(\alpha )}, Y^{(\alpha )})$: the $\alpha $-th primitive query-response pair, where $Y^{(\alpha )} = \pi (X^{(\alpha )})$, and $X^{(\alpha )} = \pi ^{-1}(Y^{(\alpha )})$.
$(M^{(\nu ,\alpha )}, C^{(\nu ,\alpha )})$: the $\alpha $-th construction query-response pair to the $\nu $-th user.
$W^{(\nu ,\alpha )}_0:=M^{(\nu ,\alpha )}$ and $V^{(\nu ,\alpha )}_{r+1}:=C^{(\nu ,\alpha )}$.
$V_i^{(\nu ,\alpha )}: = K^{(\nu )}_{i-1} \oplus W_{i-1}^{(\nu ,\alpha )}$ and $W_i^{(\nu ,\alpha )}:=\pi (V_i^{(\nu ,\alpha )})$: the input and output of $\pi $ at the i-th round of $\textsf {KAC}_{r}[K^{(\nu )}, \pi ](M^{(\nu ,\alpha )})$.^{Footnote 4}
$\mathcal {L}_{K}:= \{K^{(\nu )} \mid \nu \in [u]\}$: the set of user’s keys.
$\mathcal {L}_{X,Y}:= \{(X^{(\alpha )}, Y^{(\alpha )}) \mid \alpha \in [p] \}$: the set of primitive query-response pairs.
$\mathcal {L}_{V,W}:= \{(V_{i}^{(\nu ,\alpha )}, W_i^{(\nu ,\alpha )} ) \mid \nu \in [u], \alpha \in [q_\nu ], i \in [r]\}$: the set of all input-output pairs defined by construction queries.
$\mathcal {L}^{(< \nu ,\alpha )}$: the set of primitive query-responses, input-output pairs from the first to $(\nu -1)$-th users, and input-output pairs up to the $(\alpha -1)$-th construction query to the $\nu $-th user.
$\mathcal {L}^{(< \nu )} := \mathcal {L}^{(< \nu ,1)}$: the set of primitive query-responses and input-output pairs defined by construction queries from the first to $(\nu -1)$-th users.
$\mathcal {L}_{V,W}^{(\nu , \alpha )} := \{(V_{i}^{(\nu ,\alpha )}, W_i^{(\nu ,\alpha )} ) \mid \alpha \in [q_\nu ], i \in [r], (V_{i}^{(\nu ,\alpha )}, W_i^{(\nu ,\alpha )} ) \not \in \mathcal {L}^{(< \nu ,\alpha )}\}$.^{Footnote 5}
$\mathcal {L}_{V,W}^{(\nu , < \alpha )} := \bigcup _{\beta \in [\alpha -1]} \mathcal {L}_{V,W}^{(\nu , \beta )}$: the set of fresh input-output pairs defined from the first to $(\alpha -1)$-th construction queries to the $\nu $-th user.
Query stage: the stage that an adversary makes queries.
Decision stage: the stage after the query stage.

Diagrams of primitive query-response pairs, internal values for construction queries, the sets $\mathcal {L}_{X,Y}$, $\mathcal {L}_{V,W}^{(\nu , \alpha )}$, $\mathcal {L}_{V,W}^{(\nu , < \alpha )}$, $\mathcal {L}^{(< \nu )}$, and $\mathcal {L}^{(< \nu ,\alpha )}$ are given in Fig. 3.

5.2 Definition of Chain

We define bad events by using chains which are sequences of input-output pairs of $\pi $. For each $\alpha $-th construction query to the $\nu $-th user, the chain is defined from $\mathcal {L}^{(< \nu , \alpha )}$. The definition is given below.

Definition 2

(Chains for the $\alpha $-th construction query to the $\nu $-th user). A sequence of $\ell $ pairs in $\mathcal {L}^{(< \nu , \alpha )}$, $\big ((X_1, Y_1)$, $\ldots ,$ $(X_\ell , Y_\ell )\big )$, is called an $\ell $-chain from $\mathcal {L}^{(< \nu , \alpha )}$. $(Y_1\oplus X_2) \Vert (Y_2\oplus X_3) \Vert \cdots \Vert (Y_{\ell -1}\oplus X_\ell )$ is called a key of the chain. If $\ell =1$, then the key is $\varepsilon $. $X_1$ is called a head of the chain, and $Y_\ell $ is called a tail of the chain. Let $\ell \text{- }\textbf{Chain}[\mathcal {L}^{(< \nu , \alpha )},K^*]$ be the set of all $\ell $-chains from $\mathcal {L}^{(< \nu , \alpha )}$ whose keys are equal to $K^*\in \{0,1\}^{(\ell -1)n}$. Let $\ell \text{- }\textrm{Chain}^H[\mathcal {L}^{(< \nu , \alpha )},K^*]$ be an $\ell $-chain from $\mathcal {L}^{(< \nu , \alpha )}$ whose key and head are respectively equal to $K^*$ and H. If there does not exist such chain or $\ell \le 0$, then $\ell \text{- }\textrm{Chain}^H[\mathcal {L}^{(< \nu , \alpha )},K^*] := \varepsilon $. Let $\ell \text{- }\textrm{Chain}_T[\mathcal {L}^{(< \nu , \alpha )},K^*]$ be an $\ell $-chain from $\mathcal {L}^{(< \nu , \alpha )}$ whose key and tail are respectively equal to $K^*$ and T. If there does not exist such chain or $\ell \le 0$, then $\ell \text{- }\textrm{Chain}_T[\mathcal {L}^{(< \nu , \alpha )},K^*] := \varepsilon $.

5.3 Dummy Internal Values in the Ideal World

In our poof, by using Algorithm 2, dummy keys and dummy internal input-output pairs of the ideal world are defined in the decision stage. $K^{(\nu )}$ is a dummy key of the $\nu $-th user and $(V_i^{(\nu ,\alpha )},W_i^{(\nu ,\alpha )})$ is an internal input-output pair at the i-th round of the $\alpha $-th construction query to the $\nu $-th user. Note that for the sake of simplicity, the superscript symbol $\nu $ on the values defined in the algorithm is omitted, i.e., $M^{(\alpha )}$, $C^{(\alpha )}$, $K_i$, $V_i^{(\alpha )}$, and $W_i^{(\alpha )}$ in the algorithm respectively represent $M^{(\nu ,\alpha )}$, $C^{(\nu ,\alpha )}$, $K_i^{(\nu )}$, $V_i^{(\nu ,\alpha )}$, and $W_i^{(\nu ,\alpha )}$. Figure 4 illustrates the algorithm.

In this algorithm, dummy internal input-output pairs $(V_i^{(\alpha )},W_i^{(\alpha )})$ are defined in the order of user numbers from 1 to $u$. $r_1$ (resp. $r_2$) is the round number such that input-output pairs up to the $r_1$-th (resp. from the $r_2$-th) round have been defined before the $\alpha $-th loop. The remaining input-output pairs are defined by the updated re-sampling method. The forward sampling is from the steps 11 to 17 (Fig. 4(a)), and the inverse one is from the steps 18 to 31 (Fig. 4(b)(c)(d)).

In the forward sampling, input-output pairs are defined up to the $(r_2-1)$-th round and are kept as temporary pairs $(V_i^\prime , W_i^\prime )$. If the forward sampling fails, i.e., the condition on Step 14 is satisfied ($V^\prime _{i+1}$ connects with some chain with the user’s subkey that influences the $r_2$-th round; see Fig. 4(a)^{Footnote 6}), then the round number where the sampling fails is recorded on $r_\textsf{m}$. Then, the inverse sampling is performed. Note that if the forward sampling succeeds, then the inverse one is not performed.

In the inverse sampling, input-output pairs are defined from the $(r_2-1)$-th round down to the $(r_\textsf{m}+1)$-th one, and are kept as temporary pairs $(V_i^*, W_i^*)$. The step 21 searches a chain with the tail $W_{i-1}^*$ that reaches the $r_\textsf{m}$-th round. If there is no such chain, then the round number is defined as $\rho :=r+1$. Throughout the inverse sampling, if there is no such chain, then input-output pairs from the $(r_2-1)$-th round down to the $(r_\textsf{m}+1)$-th one are defined, and a pair at the $r_\textsf{m}$-th round, called “meet-in-the-middle (or MITM)” one, is defined by using the results of the forward and inverse samplings (See Fig. 4(b)). If the condition on Step 22 is satisfied, i.e., $W^*_{i-1}$ connects with some chain with the user’s subkeys that influences the $r_1$-th round (See Fig. 4(d) and the footnote 6), then the internal value $W_{r_1}$ is duplicately defined, and the inverse sampling fails. On the other hand, if the condition is not satisfied, then we can continue the inverse sampling. After the condition on Step 23 is satisfied, i.e., $W^*_{i-1}$ connects with some chain that reaches some round defined in the forward sampling but does not influence the $r_1$-th round, the input-output pairs in the chain are kept as temporary pairs $(V_i^*, W_i^*)$, and $r_\textsf{m}$ is updated to $\rho -1$ in Step 29. If the condition on Step 25 is satisfied, i.e., the internal value $V_\rho $ is duplicately defined, then to avoid the duplication, the algorithm updates $r_\textsf{m}$ to the round number whose pair is not in $\mathcal {L}^{(< \nu , \alpha )}$, and continues the inverse sampling until all pairs are defined or the sampling fails (See Fig. 4(c)).

Finally, the internal input-output pairs are defined by using the temporary values $(V_i^\prime , W_i^\prime )$ for $i \in [r_1+1,r_\textsf{m}-1]$ and $(V_i^*, W_i^*)$ for $i \in [r_\textsf{m}+1, r_2-1]$, and the input-output pair $(V_{r_\textsf{m}}^{(\alpha )}, W_{r_\textsf{m}}^{(\alpha )})$ at the $r_\textsf{m}$-th round is defined by using the results of the forward and inverse sampling. Then, these pairs are added to the RP’s table $\mathcal {L}_0$.^{Footnote 7}

5.4 Adversary’s View

In the decision stage, all user’s keys and all internal input-output pairs are revealed to an adversary $\textbf{A}$. Hence, before outputting a decision bit, $\textbf{A}$ obtains a transcript $\tau $ which consists of

(dummy) user’s keys $\mathcal {L}_{K}$,
primitive query-response tuples $\mathcal {L}_{X,Y}$, and
(dummy) internal input-output pairs $\mathcal {L}_{V,W}$.

Note that construction query-response pairs can be obtained by combining $\mathcal {L}_{V,W}$ with $\mathcal {L}_{K}$, and thus are omitted.

5.5 Bad Events and Definitions of Good and Bad Transcripts

We define bad events below.

$\textsf{Chain}_0$: $\exists \nu \in [u], \alpha \in [q_\nu ]$ s.t. $r\text{- }\textrm{Chain}^{K^{(\nu )}_0 \oplus M^{(\nu ,\alpha )}}[\mathcal {L}^{(<\nu ,\alpha )},K^{(\nu )}_{1,r-1}] \ne \varepsilon $.
$\textsf{Chain}_i$ ($i \in [r-1]$): $\exists \nu \in [u], \alpha \in [q_\nu ]$ s.t.
- $(r-i)\text{- }\textrm{Chain}^{K^{(\nu )}_0 \oplus M^{(\nu ,\alpha )}}[\mathcal {L}^{(< \nu , \alpha )},K^{(\nu )}_{1,r-i-1}] \ne \varepsilon $ and
- $i\text{- }\textrm{Chain}_{K^{(\nu )}_r\oplus C^{(\nu ,\alpha )}}[\mathcal {L}^{(< \nu , \alpha )},K^{(\nu )}_{r-i+1,r-1}] \ne \varepsilon $
$\textsf{Chain}_r$: $\exists \nu \in [u], \alpha \in [q_\nu ]$ s.t. $r\text{- }\textrm{Chain}_{K^{(\nu )}_r\oplus C^{(\nu ,\alpha )}}[\mathcal {L}^{(< \nu ,\alpha )},K^{(\nu )}_{1,r-1}] \ne \varepsilon $.
$\textsf{Coll}_{V,W}$: $\exists \nu \in [u], \alpha \in [q_\nu ], i, j \in [r]$ s.t. $i \ne j$, $(V^{(\nu ,\alpha )}_{i}, W^{(\nu ,\alpha )}_{i}) \in \mathcal {L}_{V,W}^{(\nu , \alpha )}$, $(V^{(\nu ,\alpha )}_{j}, W^{(\nu ,\alpha )}_{j}) \in \mathcal {L}_{V,W}^{(\nu , \alpha )}$, and $\left( V^{(\nu ,\alpha )}_{i} = V^{(\nu ,\alpha )}_{j} \vee W^{(\nu ,\alpha )}_{i} = W^{(\nu ,\alpha )}_{j} \right) $.
$\textsf{Fail}_\pi $: $\exists \nu _1, \nu _2 \in [u], \alpha _1 \in [q_{\nu _1}], \alpha _2 \in [q_{\nu _2}], i_1, i_2 \in [r]$ s.t. $\Big ( V_{i_1}^{(\nu _1, \alpha _1)} = V_{i_2}^{(\nu _2, \alpha _2)} \wedge $ $W_{i_1}^{(\nu _1, \alpha _1)} \ne W_{i_2}^{(\nu _2, \alpha _2)} \Big )$ or $\left( V_{i_1}^{(\nu _1, \alpha _1)} \ne V_{i_2}^{(\nu _2, \alpha _2)} \wedge W_{i_1}^{(\nu _1, \alpha _1)} = W_{i_2}^{(\nu _2, \alpha _2)} \right) $

Let $\textsf{bad}= \textsf{Chain}_0 \vee \textsf{Chain}_1 \vee \cdots \vee \textsf{Chain}_r\vee \textsf{Coll}_{V,W}\vee \textsf{Fail}_\pi $. Note that the condition for the event $\textsf{fail}_\textsf{sample}$ is satisfied in only the ideal world. Then, $\mathcal {T}_{\textsf{bad}}$ is a set of transcripts that satisfy $\textsf{bad}$, and $\mathcal {T}_{\textsf{good}} := \mathcal {T}\backslash \mathcal {T}_{\textsf{bad}}$.

The bad events $\textsf{Chain}_i$ for $i \in [0,r]$ consider the case that for some $\nu \in [u]$ and $\alpha \in [q_\nu ]$, all the internal values of the $\alpha $-th construction query to the $\nu $-th user have been defined before the construction query. Under the events, there is no randomness for the $\alpha $-th construction query and thus the difference between the real and ideal worlds arises. The event $\textsf{Coll}_{V,W}$ considers a collision in internal inputs or outputs defined in the same construction query. The bad event $\textsf{Fail}_\pi $ is an event that breaks the property of a permutation. Note that the event never occurs in the real world.

5.6 Deriving the Upper-Bound in Theorem 1

In Sect. 5.7, we evaluate the probability for the bad transcripts in the ideal world $\Pr [\textsf{T}_I \in \mathcal {T}_{\textsf{bad}}]$, and show the upper-bound in Eq. (3). In Sect. 5.8, we evaluate the ratio of the real-world and ideal-word probabilities for the good transcripts, and prove that for any good transcript $\tau $, $\frac{\Pr [\textsf{T}_R=\tau ]}{\Pr [\textsf{T}_I=\tau ]} \ge 1$. Using these bounds, we obtain the upper-bound in Theorem 1.

5.7 Upper-Bounding $\Pr [\textsf{T}_I \in \mathcal {T}_{\textsf{bad}}]$

For $\textsf{E} \in \textbf{E}:=\{\textsf{Chain}_0,\ldots ,\textsf{Chain}_r,\textsf{Coll}_{V,W}, \textsf{Fail}_\pi \}$, let $\textrm{Pr}[\textsf{E}]$ be the probability that $\textsf{E}$ occurs before the other bad events $\textbf{E}\backslash \{\textsf{E}\}$. We then have

$$\begin{aligned} \Pr [\textsf{T}_I \in \mathcal {T}_{\textsf{bad}}] = \textrm{Pr}[\textsf{bad}] \le \left( \sum _{i \in (r]} \textrm{Pr}[\textsf{Chain}_i] \right) + \textrm{Pr}[\textsf{Coll}_{V,W}]+ \textrm{Pr}[\textsf{Fail}_\pi ] , \end{aligned}$$

and evaluate these probabilities below.^{Footnote 8} The upper-bounds are given in Eqs. (8), (9), (10), (11) and (12). Using the bounds, we have

$$\begin{aligned} \Pr [\textsf{T}_I \in \mathcal {T}_{\textsf{bad}}] \le \left( \frac{4^rr^4}{12} +r+1 \right) \cdot q(\sigma \delta )^r+ 2r^2 \cdot \frac{q}{2^n} . \end{aligned}$$

(3)

Upper-Bounding Collision Probabilities for ${\boldsymbol{\mathcal {L}}}^{\mathbf{(}<{\boldsymbol{\nu ,}}{\boldsymbol{\alpha )}}}$. Before evaluating the probabilities of the bad events, we show upper-bounds of collision probabilities involving $\mathcal {L}^{(<\nu ,\alpha )}$, subkeys, $M^{(\nu ,\alpha )}$, and $C^{(\nu ,\alpha )}$. These upper-bounds are used to evaluate the probability of constructing a chain with user’s subkeys considered in the bad events.

Lemma 2

Let $\delta = \max \left\{ \epsilon , \frac{2}{2^n} \right\} $. Consider $\nu \in [u]$, $\alpha \in [q_\nu ]$, $2j+2$ pairs (S, T), $(S^\prime ,T^\prime )$, $(S_1,T_1)$, $\ldots $, $(S_{2j},T_{2j}) \in \mathcal {L}^{(<\nu ,\alpha )}$, and $a_1,\ldots ,a_j \in [r-1]$ such that $0 \le j \le r-1$ and $a_1,\ldots ,a_j$ are all distinct. Then, we have

$$\begin{aligned} & \textrm{Pr}\left[ \left( \forall i \in [j]: T_{2i-1} \oplus S_{2i}=K_{a_i}^{(\nu )} \right) \right] \le \delta ^{j} , \end{aligned}$$

(4)

$$\begin{aligned} & \textrm{Pr}\left[ \left( \forall i \in [j]: T_{2i-1} \oplus S_{2i}=K_{a_i}^{(\nu )} \right) \wedge \left( M^{(\nu ,\alpha )} \oplus S =K_0^{(\nu )} \right) \right] \le \delta ^{j+1} , \end{aligned}$$

(5)

$$\begin{aligned} & \textrm{Pr}\left[ \left( \forall i \in [j]: T_{2i-1} \oplus S_{2i}=K_{a_i}^{(\nu )} \right) \wedge \left( C^{(\nu ,\alpha )} \oplus T^\prime =K_r^{(\nu )} \right) \right] \le \delta ^{j+1} , \end{aligned}$$

(6)

$$\begin{aligned} & \textrm{Pr}\Big [ \left( \forall i \in [j]: T_{2i-1} \oplus S_{2i}=K_{a_i}^{(\nu )} \right) \wedge \left( M^{(\nu ,\alpha )} \oplus S =K_0^{(\nu )} \right) \nonumber \\ & \wedge \left( C^{(\nu ,\alpha )} \oplus T^\prime =K_r^{(\nu )} \right) \Big ]\le \delta ^{\min \{j+2, r\}} . \end{aligned}$$

(7)

In the above equations, we take into account the cases that several pairs are the same, as we consider $\textsf {KAC}$ with a single permutation. Since the equations include $r$-wise independent subkeys, we can ensure that the exponents of the bounds are equal to the number of equations that are less than or equal to $r$. Note that $\mathcal {L}^{(< \nu ,\alpha )} = \mathcal {L}^{(< \nu )} \cup \mathcal {L}_{V,W}^{(\nu , < \alpha )}$ is satisfied, and $\mathcal {L}_{V,W}^{(\nu , < \alpha )}$ is defined after the key $K^{(\nu )}$ is defined. Hence, for each equation, if there is a pair in $\mathcal {L}_{V,W}^{(\nu , < \alpha )}$, then instead of the subkey, the randomness of the pair is used, which is chosen uniformly at random from at least $2^n-\sigma \ge 2^{n-1}$ elements in $\{0,1\}^n$. The detailed proof is given in Subsect. 5.9.

Upper-Bounding ${\boldsymbol{\textrm{Pr}}}[$ Chain$_\textbf{0}]$. The number of $r$-chains from $\mathcal {L}^{(< \nu ,\alpha )}$ is at most $\sigma ^r$. For each $r$-chain, the probability that the key and the head are respectively equal to $K_{1,r-1}^{(\nu )}$ and $K^{(\nu )}_0 \oplus M^{(\nu ,\alpha )}$ is at most $\delta ^{r}$ by Eq. (5) in Lemma 2. Hence, for each $\nu , \alpha $, we have $p_{0,\nu , \alpha }:=\textrm{Pr}\left[ r\text{- }\textrm{Chain}^{K^{(\nu )}_0 \oplus M^{(\nu ,\alpha )}}[\mathcal {L}^{(<\nu ,\alpha )},K^{(\nu )}_{1,r-1}] \ne \varepsilon \right] \le \left( \sigma \delta \right) ^r$. Using the bound, we have

$$\begin{aligned} \textrm{Pr}[\textsf{Chain}_0] \le \sum _{\nu \in [u]} \sum _{\alpha \in [q_\nu ]} p_{0,\nu , \alpha } \le \sum _{\nu \in [u]} \sum _{\alpha \in [q_\nu ]} \left( \sigma \delta \right) ^r= q\left( \sigma \delta \right) ^r. \end{aligned}$$

(8)

Upper-Bounding ${\boldsymbol{\textrm{Pr}}}[$ Chain$_{{\boldsymbol{r}}}]$. The evaluation of $\textrm{Pr}[\textsf{Chain}_{r}]$ is the same as that of $\textrm{Pr}[\textsf{Chain}_0]$. In this evaluation, a tail collision (a collision with $K_{r}^{(\nu )} \oplus C^{(\nu ,\alpha )}$) is considered instead of the head collision in $\textsf{Chain}_0$ (the collision with $K_0^{(\nu )} \oplus M^{(\nu ,\alpha )})$. Using Eq. (6) in Lemma 2, we have

$$\begin{aligned} \textrm{Pr}[\textsf{Chain}_r] \le q\left( \sigma \delta \right) ^r. \end{aligned}$$

(9)

Upper-Bounding ${\boldsymbol{\textrm{Pr}}}[$ Chain$_{{\boldsymbol{i}}}]$ (${\boldsymbol{i}} \in [{\boldsymbol{r}}{} \mathbf{-1}]$). We fix $i \in [r-1]$ and evaluate $\textrm{Pr}[\textsf{Chain}_i]$.

We fix $\nu \in [u]$ and $\alpha \in [q_\nu ]$. The number of $(r-i)$-chains from $\mathcal {L}^{(< \nu ,\alpha )}$ is at most $\sigma ^{r-i}$, and the number of i-chains from $\mathcal {L}^{(< \nu ,\alpha )}$ is at most $\sigma ^{i}$. For each pair of $(r-i)$-chain and i-chain, the probability that the key and the head of the $(r-i)$-chain are respectively equal to $K^{(\nu )}_{1,i-1}$ and $K_0^{(\nu )} \oplus M^{(\nu ,\alpha )}$; and the key and the tail of i-chain are respectively equal to $K^{(\nu )}_{i+1,r-1}$ and $K_r^{(\nu )} \oplus C^{(\nu ,\alpha )}$ is at most $\left( \sigma \delta \right) ^r$, by using Eq. (7) in Lemma 2. Hence, we have

$$\begin{aligned} p_{i,\nu , \alpha } & := \textrm{Pr}\Big [ (r-i)\text{- }\textrm{Chain}^{K^{(\nu )}_0 \oplus M^{(\nu ,\alpha )}}[\mathcal {L}^{(< \nu , \alpha )},K^{(\nu )}_{1,r-i-1}] \ne \varepsilon \\ & \qquad \qquad \wedge i\text{- }\textrm{Chain}_{K^{(\nu )}_r\oplus C^{(\nu ,\alpha )}}[\mathcal {L}^{(< \nu , \alpha )},K^{(\nu )}_{r-i+1,r-1}] \ne \varepsilon \Big ] \le \left( \sigma \delta \right) ^r. \end{aligned}$$

Using the bound, we have

$$\begin{aligned} \textrm{Pr}[\textsf{Chain}_i] \le \sum _{\nu \in [u]} \sum _{\alpha \in [q_\nu ]} p_{i,\nu , \alpha } \le q\left( \sigma \delta \right) ^r \end{aligned}$$

(10)

Upper-Bounding ${\boldsymbol{\textrm{Pr}}}[$ Coll$_{{\boldsymbol{V}}{} \textbf{,}{\boldsymbol{W}}}]$. Fix $\nu \in [u], \alpha \in [q_\nu ], i, j \in [r]$ s.t. $(V^{(\nu ,\alpha )}_{i}, W^{(\nu ,\alpha )}_{i}) \in \mathcal {L}_{V,W}^{(\nu , \alpha )}$ and $(V^{(\nu ,\alpha )}_{j}, W^{(\nu ,\alpha )}_{j}) \in \mathcal {L}_{V,W}^{(\nu , \alpha )}$.

We first evaluate $\textrm{Pr}[V^{(\nu ,\alpha )}_{i} = V^{(\nu ,\alpha )}_{j}]$. Without loss of generality, we assume that $V^{(\nu ,\alpha )}_{j}$ is defined after $V^{(\nu ,\alpha )}_{i}$ is defined. Then, $j \ne 1$ is satisfied, since $V^{(\nu ,\alpha )}_{j} = M^{(\nu ,\alpha )} \oplus K_{j}^{(\nu )}$. Since $V^{(\nu ,\alpha )}_{j} = W^{(\nu ,\alpha )}_{j-1} \oplus K_{j-1}^{(\nu )}$ and $V^{(\nu ,\alpha )}_{j}$ or $W^{(\nu ,\alpha )}_{j-1}$ is chosen uniformly at random from at least $2^n- \sigma \ge 2^{n-1}$ elements in $\{0,1\}^n$, we have $\textrm{Pr}[V^{(\nu ,\alpha )}_{i} = V^{(\nu ,\alpha )}_{j}] \le \frac{2}{2^n}$.

We next evaluate $\textrm{Pr}[W^{(\nu ,\alpha )}_{i} = W^{(\nu ,\alpha )}_{j}]$. Without loss of generality, we assume that $W^{(\nu ,\alpha )}_{j}$ is defined after $W^{(\nu ,\alpha )}_{i}$ is defined. Then, $j \ne r$ is satisfied, since $W^{(\nu ,\alpha )}_{j} = C^{(\nu ,\alpha )} \oplus K_{j}^{(\nu )}$. $W^{(\nu ,\alpha )}_{j} = V^{(\nu ,\alpha )}_{j+1} \oplus K_{j}^{(\nu )}$ is satisfied and $W^{(\nu ,\alpha )}_{j}$ or $V^{(\nu ,\alpha )}_{j+1}$ is chosen uniformly at random from at least $2^{n-1}$ elements in $\{0,1\}^n$. Using the randomness of $W^{(\nu ,\alpha )}_{j}$, we have $\textrm{Pr}[W^{(\nu ,\alpha )}_{i} = W^{(\nu ,\alpha )}_{j}] \le \frac{2}{2^n}$.

Using these bounds, we have

$$\begin{aligned} \textrm{Pr}[\textsf{Coll}_{V,W}] \le \sum _{\nu \in [u]} \sum _{\alpha \in [q_\nu ]} 2\cdot \left( {\begin{array}{c}r\\ 2\end{array}}\right) \cdot \frac{2}{2^{n}} \le 2r^2 \cdot \frac{q}{2^n} . \end{aligned}$$

(11)

Upper-Bounding ${\boldsymbol{\textrm{Pr}}}[$ Fail$_{\boldsymbol{\pi }}]$. In this proof, we use the following lemma. The proof is given in Subsect. 5.10.

Lemma 3

Assume that $\textsf{Chain}_0,\ldots ,\textsf{Chain}_r$, and $\textsf{Coll}_{V,W}$ do not occur. $\textsf{Fail}_\pi $ occurs if and only if $\textsf{fail}_\textsf{sample}$ becomes $\textsf{true}$.

Hence, we evaluate $\textrm{Pr}[\textsf{fail}_\textsf{sample}]$, the probability that $\textsf{fail}_\textsf{sample}$ becomes $\textsf{true}$ under the assumption that $\textsf{Chain}_0,\ldots ,\textsf{Chain}_r$, and $\textsf{Coll}_{V,W}$ do not occur.

For $\nu \in [u]$ and $\alpha \in [q_\nu ]$, let $\textsf{fail}_\textsf{sample}{(\nu ,\alpha )}$ be an event that $\textsf{fail}_\textsf{sample}$ occurs for the $\alpha $-th loop of the $\nu $-th user in Algorithm 2. The upper-bound of $\textrm{Pr}[\textsf{fail}_\textsf{sample}{(\nu ,\alpha )}]$ is given in Eq. (13), which gives

$$\begin{aligned} \textrm{Pr}[\textsf{Fail}_\pi ] \le \textrm{Pr}[\textsf{fail}_\textsf{sample}] & \le \sum _{\nu \in [u]} \sum _{\alpha \in [q_\nu ]} \textrm{Pr}[\textsf{fail}_\textsf{sample}{(\nu ,\alpha )}] \nonumber \\ & \le \sum _{\nu \in [u]} \sum _{\alpha \in [q_\nu ]} \frac{4^rr^4}{12} \cdot \left( \sigma \delta \right) ^r= \frac{4^rr^4 }{12} \cdot q\left( \sigma \delta \right) ^r. \end{aligned}$$

(12)

Fix $\nu \in [u]$ and $\alpha \in [q_\nu ]$, and evaluate the probability $\textrm{Pr}[\textsf{fail}_\textsf{sample}{(\nu ,\alpha )}]$. In this evaluation, we first fix round numbers $r_1$, $r_2$, and $r_\textsf{f}$, and sets of round numbers $\mathcal {R}_\textsf{f}$ and $\mathcal {R}_\textsf{i}$ such that $\mathcal {R}_\textsf{f}\cup \mathcal {R}_\textsf{i}= [r_1+1,r_\textsf{f}]$. $r_1$ and $r_2$ are the (target) round numbers defined on the $\alpha $-th loop of the $\nu $-th user in Algorithm 2. $r_\textsf{f}$ is the (target) round number at which forward sampling fails, i.e., the condition on Step 14 is satisfied of Algorithm 2. $\mathcal {R}_\textsf{f}$ and $\mathcal {R}_\textsf{i}$ are respectively (target) non-fresh round numbers defined by the forward and inverse samplings, i.e., for each $i \in \mathcal {R}_\textsf{f}$ (resp. $i \in \mathcal {R}_\textsf{i}$), the sampling satisfies $(V_i^\prime , W_i^\prime ) \in \mathcal {L}^{(<\nu ,\alpha )}$ (resp. $(V_i^*, W_i^*) \in \mathcal {L}^{(<\nu ,\alpha )}$). We then consider the following conditions $\textsf{C1}$-$\textsf{C4}$. If $\textsf{fail}_\textsf{sample}{(\nu ,\alpha )}$ occurs, then for some $r_1$, $r_2$, $r_\textsf{f}$, $\mathcal {R}_\textsf{f}$, and $\mathcal {R}_\textsf{i}$ such that $\mathcal {R}_\textsf{f}\cup \mathcal {R}_\textsf{i}= [r_1+1,r_\textsf{f}]$, these conditions are satisfied. The condition $\textsf{C1}$ (resp. $\textsf{C2}$) implies that internal input-output pairs up to the $r_1$-th round (resp. from the $r_2$-th round) have been defined before the $\alpha $-th loop. The condition $\textsf{C3}$ implies that the forward sampling fails at the $r_\textsf{f}$-th round. The conditions $\textsf{C4}$ and $\textsf{C5}$ imply that the inverse sampling fails. If $\textsf{fail}_\textsf{sample}{(\nu ,\alpha )}$ occurs, then there is no MITM round, and thus we have $\mathcal {R}_\textsf{f}\cup \mathcal {R}_\textsf{i}= [r_1+1,r_\textsf{f}]$. See Fig. 5 for these conditions. Note that in the following evaluation, the superscript symbol $\nu $ is omitted except for the set $\mathcal {L}^{(< \nu , \alpha )}$.

$\textsf{C1}$: $r_1\text{- }\textrm{Chain}^{M^{(\alpha )} \oplus K_0}[\mathcal {L}^{(< \nu , \alpha )},K_{1,r_1-1}] \ne \varepsilon $
$\textsf{C2}$: $(r-r_2+1)\text{- }\textrm{Chain}_{C^{(\alpha )} \oplus K_{r}}[\mathcal {L}^{(< \nu , \alpha )},K_{r_2,r-1}] \ne \varepsilon $
$\textsf{C3}$: $(r_2- r_\textsf{f}- 1)\text{- }\textrm{Chain}^{K_{r_\textsf{f}} \oplus W^\prime _{r_\textsf{f}}}[\mathcal {L}^{(<\nu ,\alpha )}, K_{r_\textsf{f}+1,r_2-2}]\ne \varepsilon $
$\textsf{C4}$: $\forall i \in \mathcal {R}_\textsf{f}: (V^{\prime }_{i}, W^{\prime }_{i}) \in \mathcal {L}^{(< \nu ,\alpha )}$
$\textsf{C5}$: $\forall i \in \mathcal {R}_\textsf{i}: (V^{*}_{i}, W^{*}_{i}) \in \mathcal {L}^{(< \nu ,\alpha )}$.

Regarding the condition $\textsf{C1}$, each $r_1$-chain has $r_1$ equations (2 equations in Fig. 5). Using Eq. (5) in Lemma 2, we have $\textrm{Pr}[\textsf{C1}] \le (\sigma \delta )^{r_1}$.

Regarding the condition $\textsf{C2}$, each $(r-r_2+1)$-chain has $r- r_2+ 1$ equations (1 equation in Fig. 5). Using Eq. (6) in Lemma 2, we have $\textrm{Pr}[\textsf{C2}] \le (\sigma \delta )^{r- r_2+ 1}$.

Regarding the condition $\textsf{C3}$, each $(r_2- r_\textsf{f}- 1)$-chain has $(r_2- r_\textsf{f}- 2)$ equations (1 equation in Fig. 5). As $W^{\prime }_{r_\textsf{f}}$ is chosen uniformly at random from at least $2^n-\sigma \ge 2^{n-1}$ elements in $\{0,1\}^n$, for each $(r_2- r_\textsf{f}- 1)$-chain, the probability that $W^{\prime }_{r_\textsf{f}}$ is equal to the head of the $(r_2- r_\textsf{f}- 1)$-chain is at most $\frac{2}{2^n}$. Using Eq. (4) in Lemma 2, we have $\textrm{Pr}[\textsf{C3}] \le \sigma ^{r_2- r_\textsf{f}- 1} \cdot \delta ^{r_2- r_\textsf{f}- 2} \cdot \frac{2}{2^n} \le (\sigma \delta )^{r_2- r_\textsf{f}- 1}$.

We consider the condition $\textsf{C4}$. We split $\mathcal {R}_\textsf{f}$ into sequences of consecutive round numbers. Let $n_\textsf{f}$ be the number of the sequences in $\mathcal {R}_\textsf{f}$. For $i \in [n_\textsf{f}]$, let $\mathcal {R}_\textsf{f}[i]$ be the i-th sequence, $n_{\textsf{f},i}=|\mathcal {R}_\textsf{f}[i]|$, $r_{\textsf{max},i} = \max \left( \mathcal {R}_\textsf{f}[i] \right) $, and $r_{\textsf{min},i} = \min \left( \mathcal {R}_\textsf{f}[i] \right) $, i.e., $\mathcal {R}_\textsf{f}= \bigcup _{i \in [n_\textsf{f}]}\mathcal {R}_\textsf{f}[i]$, $n_\textsf{f}= \sum _{i \in [n_\textsf{f}]} n_{\textsf{f},i}$, and $\forall i < j \in [n_\textsf{f}]: r_{\textsf{max},i} < r_{\textsf{min},j} + 1$. For example, in Fig. 5, $n_{\textsf{f}}=2$, $\mathcal {R}_\textsf{f}[1] = \{4,5\}$, and $\mathcal {R}_\textsf{f}[2] = \{7,8\}$. The first condition on $\textsf{C4}$ implies that $\forall i \in [n_\textsf{f}] : n_{\textsf{f},i}\text{- }\textrm{Chain}^{K_{r_{\textsf{min},i}-1} \oplus W^\prime _{r_{\textsf{min},i}-1} }[\mathcal {L}^{(<\nu ,\alpha )}, K_{r_{\textsf{min},i},r_{\textsf{max},i}-1}]\ne \varepsilon $. Similar to the evaluation of the condition $\textsf{C3}$, we have

$$\begin{aligned} \textrm{Pr}[\textsf{C4}] & \le \textrm{Pr}\left[ \forall i \in [n_\textsf{f}] : n_{\textsf{f},i}\text{- }\textrm{Chain}^{K_{r_{\textsf{min},i}-1} \oplus W^\prime _{r_{\textsf{min},i}-1} }[\mathcal {L}^{(<\nu ,\alpha )}, K_{r_{\textsf{min},i},r_{\textsf{max},i}-1}]\ne \varepsilon \right] \\ & \le \prod _{i \in [n_\textsf{f}]} (\sigma \delta )^{n_{\textsf{f},i}} = (\sigma \delta )^{|\mathcal {R}_\textsf{f}|} . \end{aligned}$$

Regarding the condition $\textsf{C5}$, the evaluation is the same as that of the condition $\textsf{C4}$, and we have $\textrm{Pr}[\textsf{C4}] \le (\sigma \delta )^{|\mathcal {R}_\textsf{i}|} $.

By the above bounds, for each $r_1$, $r_2$, $r_\textsf{f}$, $\mathcal {R}_\textsf{f}$, and $\mathcal {R}_\textsf{i}$, we have

$$\begin{aligned} \textrm{Pr}\left[ \wedge _{i\in [5]} \textsf{C}i \right] \le \left( \sigma \delta \right) ^{r_1+ (r- r_2+ 1) + (r_2- r_\textsf{f}- 1) + |\mathcal {R}_\textsf{f}| + |\mathcal {R}_\textsf{i}|} \le \left( \sigma \delta \right) ^r, \end{aligned}$$

where the last inequality is due to the relation $\mathcal {R}_\textsf{f}\cup \mathcal {R}_\textsf{i}= [r_1+1,r_\textsf{f}]$.

Since $0 \le r_1< r_\textsf{f}< r_\textsf{i}< r_2\le r$ and the numbers of choices of $\mathcal {R}_\textsf{f}$ and of $\mathcal {R}_\textsf{i}$ are respectively at most $2^r$ (for each round the pair is either fresh or non-fresh), we have

$$\begin{aligned} \textrm{Pr}[\textsf{fail}_\textsf{sample}{(\nu ,\alpha )}] & \le 2^r\cdot 2^r\cdot \sum _{0 \le r_1< r_\textsf{f}< r_\textsf{i}< r_2\le r} \textrm{Pr}\left[ \wedge _{i\in [5]} \textsf{C}i \right] \nonumber \\ & \le 4^r\cdot \left( {\begin{array}{c}r+1\\ 4\end{array}}\right) \left( \sigma \delta \right) ^r\le \frac{4^rr^4}{12} \cdot \left( \sigma \delta \right) ^r. \end{aligned}$$

(13)

5.8 Lower-Bounding $\frac{\Pr [\textsf{T}_R=\tau ]}{\Pr [\textsf{T}_I=\tau ]}$

The following analysis shows that $\frac{\Pr [\textsf{T}_R=\tau ]}{\Pr [\textsf{T}_I=\tau ]} \ge 1$.

Fix a good transcript $\tau $ which consists of user’s keys $\mathcal {L}_{K}$, primitive query-response pairs $\mathcal {L}_{X,Y}$, and internal input-output pairs $\mathcal {L}_{V,W}$. For a set $\mathcal {L}^\prime $, let $\textsf{T}_R \vdash \mathcal {L}^\prime $ (resp. $\textsf{T}_I \vdash \mathcal {L}^\prime $) be an event that $\textsf{T}_R$ (resp. $\textsf{T}_I$) satisfies elements in $\mathcal {L}^\prime $.

Evaluating ${\boldsymbol{\textrm{Pr}}}[{\boldsymbol{\textsf{T}}}_{{\boldsymbol{R}}}\, {\boldsymbol{\vdash }}\, {\boldsymbol{\mathcal {L}_{X,Y}}}]$ and ${\boldsymbol{\textrm{Pr}}}[{\boldsymbol{\textsf{T}}}_{\boldsymbol{I}}\, {\boldsymbol{\vdash }}\, {\boldsymbol{\mathcal {L}_{X,Y}}}]$. Firstly, we define responses to primitive queries. As there is no difference between the real-world sampling and the ideal-world one, we have $\textrm{Pr}[\textsf{T}_R \vdash \mathcal {L}_{X,Y}] = \textrm{Pr}[\textsf{T}_I \vdash \mathcal {L}_{X,Y}]$. Hereafter, we assume that $\textsf{T}_R \vdash \mathcal {L}_{X,Y}$ and $\textsf{T}_I \vdash \mathcal {L}_{X,Y}$ are satisfied.

Evaluating ${\boldsymbol{\textrm{Pr}}}[{\boldsymbol{\textsf{T}}}_{\boldsymbol{R}}\, {\boldsymbol{\vdash }}\, {\boldsymbol{\mathcal {L}_{K}}}]$ and ${\boldsymbol{\textrm{Pr}}}[{\boldsymbol{\textsf{T}}}_{\boldsymbol{I}}\, {\boldsymbol{\vdash }}\, {\boldsymbol{\mathcal {L}_{K}}}]$. Next, we define user’s keys. In both worlds, for each $\nu \in [u]$, the key $K^{(\nu )}$ is chosen uniformly at random from $\mathcal {K}$, we have $\textrm{Pr}[\textsf{T}_R \vdash \mathcal {L}_{K}] = \textrm{Pr}[\textsf{T}_I \vdash \mathcal {L}_{K}]$. Hereafter, we assume that $\textsf{T}_R \vdash \mathcal {L}_{K}$ and $\textsf{T}_I \vdash \mathcal {L}_{K}$ are satisfied.

Evaluating ${\boldsymbol{\textrm{Pr}}}[{\boldsymbol{\textsf{T}}}_{\boldsymbol{R}}\, {\boldsymbol{\vdash }}\, {\boldsymbol{\mathcal {L}_{V,W}}}]$ and ${\boldsymbol{\textrm{Pr}}}[{\boldsymbol{\textsf{T}}}_{\boldsymbol{I}}\, {\boldsymbol{\vdash }}\, {\boldsymbol{\mathcal {L}_{V,W}}}]$. Finally, we define internal input-output pairs $(V_{i}^{(\nu ,\alpha )}, W_i^{(\nu ,\alpha )} )$ for $\nu \in [u]$ and $\alpha \in [q_\nu ]$.

For $\nu \in [u]$ and $\alpha \in [q_\nu ]$, we show $\frac{\textrm{Pr}[\textsf{T}_R \vdash \mathcal {L}_{V,W}^{(\nu ,\alpha )}]}{\textrm{Pr}[\textsf{T}_I \vdash \mathcal {L}_{V,W}^{(\nu ,\alpha )}]} \ge 1$ under the condition $\forall U \in \{R,I\}: \textsf{T}_U \vdash \mathcal {L}^{(< \nu , \alpha )}$, ensuring $\frac{\textrm{Pr}[\textsf{T}_R \vdash \mathcal {L}_{V,W}]}{\textrm{Pr}[\textsf{T}_I \vdash \mathcal {L}_{V,W}]} \ge 1$.

For $\nu \in [u]$ and $\alpha \in [q_\nu ]$, let $\omega _{\nu ,\alpha } := \left| \mathcal {L}_{V,W}^{(\nu ,\alpha )} \right| $ and $\omega _{<\nu ,\alpha } := \left| \mathcal {L}^{(< \nu ,\alpha )} \right| $. Thus, before the $\alpha $-th construction query to the $\nu $-th user, $\omega _{<\nu ,\alpha }$ input-output pairs have been defined, and at the $\alpha $-th construction query, $\omega _{\nu ,\alpha }$ input-output ones are freshly defined. Since $\forall i \in [0,r]: \lnot \textsf{Chain}_{i}$, $\omega _{\nu ,\alpha } \ge 1$ must be satisfied. Let $\gamma _1, \ldots ,\gamma _{\omega _{\nu ,\alpha }}$ be the round numbers at which the input-output pairs are not defined before the $\alpha $-th construction query such that $\gamma _1< \cdots <\gamma _{\omega _{\nu ,\alpha }}$, i.e., $\Big ( \forall i \in \{\gamma _1, \ldots ,\gamma _{\omega _{\nu ,\alpha }}\}: (V_{i}^{(\nu ,\alpha )}, W_{i}^{(\nu ,\alpha )}) \not \in \mathcal {L}^{(< \nu ,\alpha )} \Big ) \wedge \Big ( \forall i \in [r] \backslash \{\gamma _1, \ldots ,\gamma _{\omega _{\nu ,\alpha }}\}: (V_{i}^{(\nu ,\alpha )}, W_{i}^{(\nu ,\alpha )}) \in \mathcal {L}^{(< \nu ,\alpha )} \Big ) \wedge \Big ( \gamma _1< \cdots <\gamma _{\omega _{\nu ,\alpha }} \Big ) $.

$\bullet $ Real-World Probability. In the real world, we define the internal input-output pairs $(V_i^{(\nu ,\alpha )}, W_i^{(\nu ,\alpha )})$ ($i \in [r]$) by forward queries to $\pi $. Then, we have $\textrm{Pr}[\textsf{T}_R \vdash \mathcal {L}_{V,W}^{(\nu ,\alpha )}] = \prod _{i \in [\omega _{\nu ,\alpha }]} \frac{1}{2^n- (\omega _{<\nu ,\alpha } + (i-1))}$.

$\bullet $ Ideal-World Probability. In the ideal world, we first define $C^{(\nu ,\alpha )}$ by the encryption query $\varPi _\nu (M^{(\nu ,\alpha )})$, and define $V_{r+1}^{(\nu ,\alpha )}:=C^{(\nu ,\alpha )} \oplus K^{(\nu )}_r$. Then, we have $\textrm{Pr}[\textsf{T}_I \vdash \{V_{r+1}^{(\nu ,\alpha )*} \}] = \frac{1}{2^n- (\alpha -1)}$, where $V_{r+1}^{(\nu ,\alpha )*}$ is the value in $\mathcal {L}_{V,W}^{(\nu ,\alpha )}$ corresponding with $V_{r+1}^{(\nu ,\alpha )}$.

We next evaluate the probability that $\textsf{T}_I$ satisfies the remaining $(\omega _{\nu ,\alpha }-1)$ internal values in $\mathcal {L}_{V,W}^{(\nu ,\alpha )}$. For $\eta \in [\omega _{\nu ,\alpha }]$, let $\textsf{Fail}_\textsf{fwd}[\eta ]$ be an event that the forward sampling fails at the $\gamma _{\eta }$-th round, i.e., $(V_{\gamma _\eta }^{(\nu ,\alpha )}, W_{\gamma _\eta }^{(\nu ,\alpha )})$ is defined in Step 12 of Algorithm 2 and satisfies the condition on Step 14. For the sake of convenience, let $\textsf{Fail}_\textsf{fwd}[\omega _{\nu ,\alpha }]$ be an event that the forward sampling does not fail. Let $\mathcal {R}_{\eta ,\textsf{f}}$ (resp. $\mathcal {R}_{\eta ,\textsf{i}}$) be the set of target round numbers at which the input-output pairs are defined by the forward (resp. inverse) sampling under the condition that $\textsf{Fail}_\textsf{fwd}[\eta ]$ occurs. Hence, for each $i \in \mathcal {R}_{\eta ,\textsf{f}}$ (resp. $i \in \mathcal {R}_{\eta ,\textsf{i}}$), $W_{i}^{(\nu ,\alpha )}$ (resp. $V_{i}^{(\nu ,\alpha )}$) is defined by the forward (resp. inverse) sampling. Let $\mathcal {R}_{\eta } := \left\{ \mathcal {R}_{\eta ,\textsf{f}}, \mathcal {R}_{\eta ,\textsf{i}} \right\} $. We abuse the notation $\vdash $ for these sets, i.e., $\textsf{T}_I \vdash \mathcal {R}_{\eta }$ denotes an event that input-output pairs from $\textsf{T}_I$ at the rounds in $\mathcal {R}_{\textsf{f},\eta }$ and in $\mathcal {R}_{\textsf{f},\eta }$ are respectively defined by the forward sampling and the inverse one. Assuming that $\textsf{Fail}_\textsf{fwd}[\eta ]$ occurs, each fresh internal value is chosen uniformly at random from $(2^n- \omega _{<\nu ,\alpha })$ elements in $\{0,1\}^n$ by Algorithm 2, and thus the probability that $\textsf{T}_I$ satisfies the remaining $(\omega _{\nu ,\alpha }-1)$ internal values in $\mathcal {L}_{V,W}^{(\nu ,\alpha )}$ is $\left( \frac{1}{2^n- \omega _{<\nu ,\alpha }}\right) ^{\omega _{\nu ,\alpha }-1}$. Then, we have

$$\begin{aligned} & \textrm{Pr}\left[ \textsf{T}_I \vdash \mathcal {L}_{V,W}^{(\nu ,\alpha )}\right] = \sum _{\eta \in [\omega _{\nu ,\alpha }]} \sum _{\mathcal {R}_{\textsf{f},\eta },\mathcal {R}_{\textsf{i},\eta }} \Big ( \textrm{Pr}\left[ \textsf{T}_I \vdash \mathcal {L}_{V,W}^{(\nu ,\alpha )} \mid \textsf{T}_I \vdash \mathcal {R}_{\eta } \wedge \textsf{Fail}_\textsf{fwd}[\eta ] \right] \\ & \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \times \textrm{Pr}\left[ \textsf{T}_I \vdash \mathcal {R}_{\eta } \right] \cdot \textrm{Pr}[\textsf{Fail}_\textsf{fwd}[\eta ]] \Big ) \\ & \le \frac{1}{2^n- (\alpha -1)} \cdot \left( \frac{1}{2^n- \omega _{<\nu ,\alpha }}\right) ^{\omega _{\nu ,\alpha }-1} \cdot \textrm{Pr}[\textsf{Fail}_\textsf{fwd}[\omega _{\nu ,\alpha }]] \\ & \quad + \frac{1}{2^n- (\alpha -1)} \cdot \left( \frac{1}{2^n- \omega _{<\nu ,\alpha }}\right) ^{\omega _{\nu ,\alpha }-1} \cdot \underbrace{ \left( \sum _{\eta \in [\omega _{\nu ,\alpha }-1]} \textrm{Pr}[\textsf{Fail}_\textsf{fwd}[\eta ]] \right) }_{=:p_{\nu ,\alpha }} . \end{aligned}$$

We next evaluate the probability $p_{\nu ,\alpha } := \sum _{\eta \in [\omega _{\nu ,\alpha }-1]} \textrm{Pr}[\textsf{Fail}_\textsf{fwd}[\eta ]]$, where

$$\begin{aligned} \textrm{Pr}[\textsf{Fail}_\textsf{fwd}[\eta ]] \le \textrm{Pr}\Big [ (r_2- \gamma _\eta - 1)\text{- }\textrm{Chain}^{K^{(\nu )}_{\gamma _\eta } \oplus W^\prime _{\gamma _\eta }} [\mathcal {L}_{V,W}^{(<\nu ,\alpha )}, K^{(\nu )}_{\gamma _\eta +1,r_2-2}] \ne \varepsilon \Big ] . \end{aligned}$$

Let

$$\begin{aligned} c_{\eta } := \left| (r_2- \gamma _\eta - 1)\text{- }\textbf{Chain}[\mathcal {L}_{V,W}^{(<\nu ,\alpha )}, K^{(\nu )}_{\gamma _\eta +1,r_2-2}] \right| \text{ and } c_0:=(\alpha -1). \end{aligned}$$

Note that $c_0$ is the number of (trivial) chains with (a part of) the user’s key $K^{(\nu )}$ that are defined from the first to $(\alpha -1)$-th loops for the $\nu $-th user. Since $(r_2- \gamma _\eta - 1)\text{- }\textbf{Chain}[\mathcal {L}_{V,W}^{(<\nu ,\alpha )}, K^{(\nu )}_{\gamma _\eta +1,r_2-2}]$ include all chains in $(r_2- \gamma _{\eta -1} - 1)\text{- }\textbf{Chain}[\mathcal {L}_{V,W}^{(<\nu ,\alpha )}, K^{(\nu )}_{\gamma _{\eta -1}+1,r_2-2}]$ where the first $(\gamma _{\eta -1} - \gamma _{\eta })$ rounds are removed, we have $\textrm{Pr}[\textsf{Fail}_\textsf{fwd}[\eta ]] \le \frac{c_{\eta } - c_{\eta -1}}{2^n- \omega _{<\nu ,\alpha }}$, and

$$\begin{aligned} p_{\nu ,\alpha } & \le \sum _{\eta \in [\omega _{\nu ,\alpha }-1]} \frac{c_{\eta } - c_{\eta -1}}{2^n- \omega _{<\nu ,\alpha }} = \frac{c_{\omega _{\nu ,\alpha }-1} - (\alpha -1)}{2^n- \omega _{<\nu ,\alpha }} \le \frac{\omega _{<\nu ,\alpha } - (\alpha -1)}{2^n- \omega _{<\nu ,\alpha }} . \end{aligned}$$

Using the bound, we have

$$\begin{aligned} \textrm{Pr}[\textsf{T}_I \vdash \mathcal {L}_{V,W}^{(\nu ,\alpha )}] \le \frac{1}{2^n- (\alpha -1)} \cdot \left( \frac{1}{2^n- \omega _{<\nu ,\alpha }}\right) ^{\omega _{\nu ,\alpha }-1} \cdot \left( 1 + \frac{\omega _{<\nu ,\alpha } - (\alpha -1)}{2^n- \omega _{<\nu ,\alpha }} \right) . \end{aligned}$$

$\bullet $ Conclusion of the Evaluation. Using the above probabilities, we have

$$\begin{aligned} \frac{\textrm{Pr}[\textsf{T}_R \vdash \mathcal {L}_{V,W}]}{\textrm{Pr}[\textsf{T}_I \vdash \mathcal {L}_{V,W}]} & \ge \prod _{\nu \in [u], \alpha \in [q_\nu ]} \frac{\prod _{i \in [\omega _{\nu ,\alpha }]} \frac{1}{2^n- (\omega _{<\nu ,\alpha } + (i-1))}}{\frac{1}{2^n- (\alpha -1)} \cdot \left( \frac{1}{2^n- \omega _{<\nu ,\alpha }}\right) ^{\omega _{\nu ,\alpha }-1} \cdot \left( 1 + \frac{\omega _{<\nu ,\alpha } - (\alpha -1)}{2^n- \omega _{<\nu ,\alpha }} \right) } \\ & \ge \prod _{\nu \in [u], \alpha \in [q_\nu ]} \left( \frac{2^n- \omega _{<\nu ,\alpha }}{2^n- (\alpha -1)} \cdot \left( 1 + \frac{\omega _{<\nu ,\alpha } - (\alpha -1)}{2^n- \omega _{<\nu ,\alpha }} \right) \right) ^{-1} = 1 . \end{aligned}$$

5.9 Proof of Lemma 2

We fix $\nu \in [u]$, $\alpha \in [q_\nu ]$, and $a_1,\ldots ,a_j \in [r-1]$ such that $a_1,\ldots ,a_j$ are all distinct. We consider $2j+2$ pairs (S, T), $(S^\prime ,T^\prime )$, $(S_1,T_1)$, $\ldots $, $(S_{2j},T_{2j}) \in \mathcal {L}^{(<\nu ,\alpha )}$.

We first evaluate the probability in Eq. (7): $\textrm{Pr}\Big [\left( \forall i \in [j]: T_{2i-1} \oplus S_{2i}=K_{a_i}^{(\nu )} \right) $ $\wedge \left( M^{(\nu ,\alpha )} \oplus S =K_0^{(\nu )} \right) \wedge \left( C^{(\nu ,\alpha )} \oplus T^\prime =K_r^{(\nu )} \right) \Big ]$, where the subkeys are $r$-wise independent. Hence, there are $\min \{j+2, r\}$ independent random variables in these equations. For an equation $T_{2i-1} \oplus S_{2i}=K_{a_i}^{(\nu )}$, by Algorithm 2, if $(S_{2i-1},T_{2i-1}) \in \mathcal {L}_{V,W}^{(\nu , < \alpha )}$ (resp. $(S_{2i},T_{2i}) \in \mathcal {L}_{V,W}^{(\nu , < \alpha )}$), then $T_{2i-1}$ (resp. $S_{2i}$) is defined after the subkey $K_{a_i}^{(\nu )}$ is defined. Hence, the randomness is used to evaluate the probability, instead of the subkey. For each $Z \in \{0,1\}^n$ and $(S^*,T^*) \in \mathcal {L}_{V,W}^{(\nu , < \alpha )}$, since $S^*$ (resp. $T^*$) is defined by using $\pi ^{\pm }$ or by XORing a sub-key with the previous output (resp. following input) of $\pi $, the probability that $S^*=Z$ is at most $\max \left\{ \epsilon , \frac{1}{2^n-\sigma } \right\} \le \max \left\{ \epsilon , \frac{2}{2^n} \right\} =: \delta $, and the one that $T^*=Z$ is at most $\delta $, assuming $\sigma \le 2^{n-1}$. The evaluation holds for the equations $T_{2i-1} \oplus S_{2i}=K_{a_i}^{(\nu )}$, $M^{(\nu ,\alpha )} \oplus S =K_0^{(\nu )}$ and $C^{(\nu ,\alpha )} \oplus T^\prime =K_r^{(\nu )}$. Using the randomnesses of the subkeys and of $\mathcal {L}_{V,W}^{(\nu , < \alpha )}$, we have

$$\begin{aligned} \textrm{Pr}\Big [\left( \forall i \in [j]: T_{2i-1} \oplus S_{2i}=K_{a_i}^{(\nu )} \right) & \wedge \left( M^{(\nu ,\alpha )} \oplus S =K_0^{(\nu )} \right) \\ & \wedge \left( C^{(\nu ,\alpha )} \oplus T^\prime =K_r^{(\nu )} \right) \Big ] \le \delta ^{\min \{j+2, r\}} . \end{aligned}$$

Regarding Eqs. (4), (5) and (6), as the above evaluation, using the randomnesses of the subkeys and of $\mathcal {L}_{V,W}^{(\nu , < \alpha )}$, we obtain the bounds.

5.10 Proof of Lemma 3

Fix $\nu \in [u]$ and $\alpha \in [q_\nu ]$. Assume that $\textsf{Chain}_0,\ldots ,\textsf{Chain}_r$, and $\textsf{Coll}_{V,W}$ do not occur. Also assume that $\textsf{Fail}_\pi $ does not occur before the $\alpha $-th loop of the $\nu $-th user. In Algorithm 2, the internal input-output pairs of the $\alpha $-th loop except for the pair of the MITM round, $(V_i^{(\alpha )}, W_i^{(\alpha )})$ ($i \in [r]\backslash \{r_\textsf{m}\}$), are defined at Steps 8, 9, 12 or 19. The sampling method and the assumption ensure that $\textsf{Fail}_\pi $ does not occur due to these pairs. Hence, $\textsf{Fail}_\pi $ occurs if and only if $(V_{r_\textsf{m}}^{(\alpha )}, W_{r_\textsf{m}}^{(\alpha )})$ breaks the property of the permutation, i.e., $\textsf{fail}_\textsf{sample}$ becomes $\textsf{true}$ (See Fig. 4(d), wherein $r_\textsf{m}=4$ and the value $V_4$ is duplicately defined).

6 The Exact Mu-Security of Tweakable KACs

We drive the mu-security bound of the single-permutation-based tweakable KAC $\textsf {TKAC}$, a.k.a tweakable Even-Mansour, from the mu-security of $\textsf {KAC}$ in Theorem 1. Let $\mathcal{T}\mathcal{W}$ be a set of tweaks. Let $h_K: [0,r] \times \mathcal{T}\mathcal{W}\rightarrow \{0,1\}^n$ be a tweak function with a hash key $K$ that takes a round number $i \in [0,r]$ and a tweak $tw\in \mathcal{T}\mathcal{W}$, and returns the i-th round subkey $K_i$. Then, $\textsf {TKAC}$ is defined as

$$\begin{aligned} & \textsf {TKAC}[h_K,\pi ](tw, M) = \textsf {KAC}_{r}[h_K(0,tw)\Vert h_K(1,tw)\Vert \cdots \Vert h_K(r,tw),\pi ](M) . \end{aligned}$$

Assume that the tweak function $h$ is an $\epsilon $ $r$-wise independent function, that is, for each key $K$ and tweak $tw\in \mathcal{T}\mathcal{W}$, the subkeys $h_K(0,tw), h_K(1,tw), \ldots , h_K(r,tw)$ are $\epsilon $ $r$-wise independent and for each pair of distinct tweaks the subkeys are independent. Then, one can apply the bound of Theorem 1 to the mu-security of $\textsf {TKAC}$ with respect to multi-user strong tweakable PRP (mu-STPRP). Hence, we have the following tight bound.

Theorem 2

Assume that $h$ is an $\epsilon $ $r$-wise independent function. Let $\delta = \max \left\{ \epsilon , \frac{2}{2^n} \right\} $. Let $\textbf{A}$ be an adversary that makes at most $p$ primitive queries and $q$ construction queries. Let $\sigma := p+ rq$. Then, we have

$$\begin{aligned} \textbf{Adv}^{\textsf{mu}\text{- }\textsf{stprp}}_{\textsf{TKAC}}(\textbf{A}) \le \left( \frac{4^rr^4}{12} +r+1 \right) \cdot q(\sigma \delta )^r+ 2r^2 \cdot \frac{q}{2^n} . \end{aligned}$$

Remark 1

When the permutation $\pi $ is secret, $\textsf {TKAC}$ is $r\text{- }\textsf{CLRW2}$ that is the $r$-round cascading LRW2 (with a single-key block cipher). Hence, putting $p= 0$ into the bound of Theorem 2, we have the $\frac{r}{r+1} n$-bit mu-bound of $r\text{- }\textsf{CLRW2}$ that is better than the existing bounds [7, 17].

7 Conclusion

We proved the tight security bound of the r-round $\textsf {KAC}$ with a single permutation and correlated subkeys under the mu setting. The new bound $q\cdot \left( \frac{p+rq}{2^{n}} \right) ^r$ matches with the conventional attack bound [3] and is tight both in the su and mu settings. Based on the previous works separately proved the r-round $\textsf {KAC}$’s tight security bounds either with (i) a single permutation, (ii) correlated subkeys, or (iii) the mu setting, this work pushes one step further by proving the security with all three conditions combined. Moreover, our result easily supports the tweakable $\textsf {KAC}$, extending its provable tight security bound from 4 to any even with the aforementioned relaxed conditions. The key technique is the updated re-sampling method; the original method was limited to 3 rounds, i.e., triple encryption, and we extend it to any round. This result gives a more realistic provable-security foundation for practical block ciphers, including AES.

There are several future research directions. The updated re-sampling method can be applied to other block-cipher constructions, such as the Feistel networks [13] and substitution-permutation networks [6]. Also, further reducing the number of independent subkeys, e.g., $(r-1)$-wise independence [25] is another important open problem.

Notes

1.
Yu et al. recently simplified the proof technique, and derived the tight su-bound for $\textsf {KAC}$. The proof is limited to the su-setting, and proving the mu-security is still open.
2.
This is because in the ideal world, a random permutation and the underlying ideal cipher are independently defined.
3.
Note that if first some internal values have been defined by previous queries, the forward sampling starts from the round at which the internal value is not defined.
4.
For a pair $(M^{(\nu ,\alpha )},C^{(\nu ,\alpha )})$ of plaintext and ciphertext defined by $\textsf {KAC}^{-1}_{r}[K^{(\nu )}, \pi ^{-1}](C^{(\nu ,\alpha )})$, the input-output pairs of $\pi ^{-1}$ can be written by the definition with $\textsf {KAC}_{r}[K^{(\nu )}, \pi ](M^{(\nu ,\alpha )})$ since $\textsf {KAC}^{-1}_{r}[K^{(\nu )}, \pi ^{-1}](C^{(\nu ,\alpha )})$ is the inverse of $\textsf {KAC}_{r}[K^{(\nu )}, \pi ](M^{(\nu ,\alpha )})$.
5.
In the ideal world, the pairs are freshly defined at the $\alpha $-th construction query by our algorithm defined in Sect. 5.3.
6.
In the forward (resp. inverse) sampling, the internal value after the 4th (before the 5th) round connects with the 2-chain (resp. 4-chain) with the user’s subkeys that influences the 7th (resp. 1st) round. Since the pair at the 7th (resp. 1st) round is fixed by some previous query, the duplication of the internal value cannot be fixed. .
7.
Note that in a loop of Algorithm 2, each fresh value is sampled from a set including values defined in the same loop. Hence, the sampling method probabilistically yields a collision within the same loop. The collision event is handled in the bad transcript analysis. On the other hand, the sampling method contributes to obtaining a nice ratio for a good transcript.
8.
The bound comes from the fact that if $\textsf{bad}$ occurs, then one of $\textbf{E}$ occurs before the other bad events occur.

References

Bellare, M., Tackmann, B.: The multi-user security of authenticated encryption: AES-GCM in TLS 1.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 247–276. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_10
Chapter Google Scholar
Biham, E.: How to decrypt or even substitute DES-encrypted messages in $2^{28}$ steps. Inf. Process. Lett. 84(3), 117–124 (2002)
Article MathSciNet Google Scholar
Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_5
Chapter Google Scholar
Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.: Minimizing the two-round even-mansour cipher. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, pp. 39–56. Springer Berlin Heidelberg, Berlin, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_3
Chapter Google Scholar
Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014, pp. 327–350. Springer Berlin Heidelberg, Berlin, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19
Chapter Google Scholar
Cogliati, B., et al.: Provable security of (tweakable) block ciphers based on substitution-permutation networks. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018: 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2018, Proceedings, Part I, pp. 722–753. Springer International Publishing, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_24
Chapter Google Scholar
Cogliati, B., Lampe, R., Seurin, Y.: Tweaking even-mansour ciphers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015: 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, pp. 189–208. Springer Berlin Heidelberg, Berlin, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_9
Chapter Google Scholar
Cogliati, B., Seurin, Y.: Beyond-birthday-bound security for tweakable even-mansour ciphers with linear tweak and key mixing. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015: 21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29 – December 3, 2015, Proceedings, Part II, pp. 134–158. Springer Berlin Heidelberg, Berlin, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_6
Chapter Google Scholar
Degabriele, J.P., Govinden, J., Günther, F., Paterson, K.G.: The Security of ChaCha20-Poly1305 in the Multi-User Setting. In: CCS ’21, pp. 1981–2003. ACM (2021)
Google Scholar
Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the even-mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012, pp. 336–354. Springer Berlin Heidelberg, Berlin, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_21
Chapter Google Scholar
Dutta, A.: Minimizing the two-round tweakable even-mansour cipher. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020: 26th International Conference on the Theory and Application of Cryptology and Information Security, Daejeon, South Korea, December 7–11, 2020, Proceedings, Part I, pp. 601–629. Springer International Publishing, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_20
Chapter Google Scholar
Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)
Article MathSciNet Google Scholar
Guo, C., Wang, L.: Revisiting key-alternating Feistel ciphers for shorter keys and multi-user security. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018: 24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2–6, 2018, Proceedings, Part I, pp. 213–243. Springer International Publishing, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_8
Chapter Google Scholar
Hoang, V.T., Tessaro, S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016: 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part I, pp. 3–32. Springer Berlin Heidelberg, Berlin, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_1
Chapter Google Scholar
Hoang, V.T., Tessaro, S., Thiruvengadam, A.: The multi-user security of GCM, revisited: tight bounds for nonce randomization. In: CCS 2018, pp. 1429–1440. ACM (2018)
Google Scholar
Lampe, R., Patarin, J., Seurin, Y.: An asymptotically tight security analysis of the iterated even-mansour cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012, pp. 278–295. Springer Berlin Heidelberg, Berlin, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_18
Chapter Google Scholar
Lampe, R., Seurin, Y.: Tweakable blockciphers with asymptotically optimal security. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 133–151. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_8
Chapter Google Scholar
Luykx, A., Mennink, B., Paterson, K.G.: Analyzing multi-key security degradation. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 575–605. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_20
Chapter Google Scholar
Mouha, N., Luykx, A.: Multi-key security: the even-mansour construction revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015: 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, pp. 209–223. Springer Berlin Heidelberg, Berlin, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_10
Chapter Google Scholar
Naito, Y., Sasaki, Y., Sugawara, T., Yasuda, K.: The multi-user security of triple encryption, revisited: exact security, strengthening, and application to TDES. In: CCS 2022, ACM (2022)
Google Scholar
Patarin, J.: The “Coefficients H’’ Technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
Chapter Google Scholar
Rescorla, E.: RFC 8446: The transport layer security (TLS) protocol version 1.3. https://doi.org/10.17487/RFC8446 (2018)
Rescorla, E., Tschofenig, H., Modadugu, N.: The datagram transport layer security (DTLS) protocol version 1.3 - draft-ietf-tls-dtls13-43. https://tools.ietf.org/html/draft-ietf-tls-dtls13-43 (2021)
Steinberger, J.P.: Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. IACR Cryptol. ePrint Arch., p. 481 (2012). http://eprint.iacr.org/2012/481
Tessaro, S., Zhang, X.: Tight Security for Key-Alternating Ciphers with Correlated Sub-keys. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021: 27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 6–10, 2021, Proceedings, Part III, pp. 435–464. Springer International Publishing, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_15
Chapter Google Scholar
Thomson, M., Turner, S.: Using TLS to secure QUIC. RFC 9001, 1–52 (2021). https://doi.org/10.17487/RFC9001
Wu, Y., Yu, L., Cao, Z., Dong, X.: Tight security analysis of 3-round key-alternating cipher with a single permutation. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020: 26th International Conference on the Theory and Application of Cryptology and Information Security, Daejeon, South Korea, December 7–11, 2020, Proceedings, Part I, pp. 662–693. Springer International Publishing, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_22
Chapter Google Scholar
Yu, L., Wu, Y., Yu, Yu., Cao, Z., Dong, X.: Security proofs for key-alternating ciphers with non-independent round permutations. In: Rothblum, G., Wee, H. (eds.) Theory of Cryptography: 21st International Conference, TCC 2023, Taipei, Taiwan, November 29 – December 2, 2023, Proceedings, Part I, pp. 238–267. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-48615-9_9
Chapter Google Scholar

Download references

Acknowledgement

We thank anonymous reviewers for useful comments.

Author information

Authors and Affiliations

Mitsubishi Electric Corporation, Kanagawa, Japan
Yusuke Naito
NTT Social Informatics Laboratories, Tokyo, Japan
Yu Sasaki
The University of Electro-Communications, Tokyo, Japan
Takeshi Sugawara

Authors

Yusuke Naito
View author publications
You can also search for this author in PubMed Google Scholar
Yu Sasaki
View author publications
You can also search for this author in PubMed Google Scholar
Takeshi Sugawara
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yusuke Naito .

Editor information

Editors and Affiliations

Zama, Paris, France
Marc Joye
Ruhr University Bochum, Bochum, Germany
Gregor Leander

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Naito, Y., Sasaki, Y., Sugawara, T. (2024). The Exact Multi-user Security of (Tweakable) Key Alternating Ciphers with a Single Permutation. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14651. Springer, Cham. https://doi.org/10.1007/978-3-031-58716-0_4

Download citation

DOI: https://doi.org/10.1007/978-3-031-58716-0_4
Published: 29 April 2024
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58715-3
Online ISBN: 978-3-031-58716-0
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

The Exact Multi-user Security of (Tweakable) Key Alternating Ciphers with a Single Permutation