The Indistinguishability of the XOR of $$k$$ Permutations

Cogliati, Benoit; Lampe, Rodolphe; Patarin, Jacques

doi:10.1007/978-3-662-46706-0_15

Benoit Cogliati¹⁵,
Rodolphe Lampe¹⁵ &
Jacques Patarin¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8540))

Included in the following conference series:

International Workshop on Fast Software Encryption

1807 Accesses
18 Citations

Abstract

Given $k$ independent pseudorandom permutations $f_1,\ldots ,f_k$ over $\{0,1\}^n$, it is natural to define a pseudorandom function by XORing the permutations: $f_1\oplus \ldots \oplus f_k$. In [9] Stefan Lucks studied the security of this PRF. In this paper we improve the security bounds of [9] by using different proof techniques.

You have full access to this open access chapter, Download conference paper PDF

On the XOR of Multiple Random Permutations

Full Indifferentiable Security of the Xor of Two or More Random Permutations Using the $$\chi ^2$$ Method

XLS is Not a Strong Pseudorandom Permutation

Keywords

1 Introduction

Much research dealt with constructing cryptographic operations from other ones: Levin [6] got “pseudorandom bit generators” from “one-way functions”, then Goldreich, Goldwasser and Micali [4] constructed pseudorandom functions (PRFs) from “pseudorandom bit generators”. In [1], Aiello and Venkatesan studied how to construct PRFs from smaller PRFs. Luby and Rackoff [7] dealt with the problem of getting pseudorandom permutations (PRPs) from PRFs; further work about their construction can be found in [8, 11]. Our article focuses on the reverse problem of converting PRPs into PRFs named “Luby-Rackoff backwards” which was first considered in [3]. This problem is obvious if we are interested in an asymptotical polynomial versus non polynomial security model (since a PRP is then a PRF), but not if we are interested in achieving more optimal and concrete security bounds. More precisely, the loss of security when regarding a PRP as a PRF comes from the “birthday attack” which can distinguish a random permutation from a random function of $n$ bits to $n$ bits in $2^{\frac{n}{2}}$ operations and $2^{\frac{n}{2}}$ queries. Therefore different ways to build PRF from PRP with a security above $2^\frac{n}{2}$ and by performing very few computations have been suggested (see [2, 3, 5, 9]). One of the simplest way is to XOR $k$ independent pseudorandom permutations with $k \ge 2$. In [9] (Theorem 2, p.474) Stefan Lucks proved, with a simple proof, that the XOR of $k$ independant PRPs gives a PRF with security at least in $\mathcal {O}\left( 2^{\frac{k}{k+1}} n\right) $. In [2, 12] difficult analyses of $k=2$ are given, with proofs that the security is good when the number of queries is lower than $\mathcal {O}\left( \frac{2^n}{n^{2/3}}\right) $ or $\mathcal {O}\left( 2^n\right) $. For $k\ge 3$ there is a significant gap between the proven security of [9] and the best attacks of [13].

In this paper we reduce this gap by improving the proven security for the XOR of $k$ permutations, $k \ge 3$. Constructions with $k \ge 3$ instead of $k=2$ are interesting for various reasons. First, our proofs are much simpler than the proofs of [2, 12]. Second, in many cryptographic applications the size $n$ of the blocks cannot be chosen by the designer of the algorithm since it is imposed by the application. Then it is interesting to have another parameter to decrease the proven advantage of any adversary to a value as small as wanted with a simple construction. Our proof technique is based on the “coefficient $H$ technique” of Patarin (cf [14]). However we only use the first steps (and not all the refinements) in order to keep very simple proofs with still better security results than previously known; we could achieve tighter bounds by using the full technique, but it would require more computations (such as [15]).

Related Problems. In [10] the security of the XOR of two public permutations are studied (i.e. indifferentiability instead of indistinguishability).

Organisation of the Paper. Section. 2 presents the notations and basic definitions that are used in this paper. In Sects. 3 and 4, two security bounds are shown with different techniques (respectively the “$H_\sigma $ coefficient” technique and the “$H$ coefficient” technique). Then both these results are compared to the one from [9] in the last section.

2 Preliminaries

We denote $I_n$ the set of $n-$bits strings and $J_n^q$ the subset of $I_n^q$ of values $(x_i)_{1\le i\le q}$ satisfying $x_i\ne x_j, \forall i\ne j$. We denote $F_n$ the set of functions from $I_n$ to $I_n$ and $B_n$ the set of permutations of $I_n$. The notation $x \in _R E$ stands for “$x$ is chosen randomly with a uniform distribution in $E$”.

An adversary $A$ trying to distinguish between $f_1\oplus \ldots \oplus f_k$, where $f_i \in _R B_n$ for each $i \in \{1,\ldots ,k\}$, from a random function $F \in _R F_n$ is considered to have access to an oracle $Q$. This oracle either simulates $F$ or $f_1 \oplus \ldots \oplus f_k$. $A$ chooses inputs $x \in \{0,1\}^n$; then $Q$ responds $Q(x) \in \{0,1\}^n$. After at most $q$ queries, $A$ outputs $A(Q) \in \{0,1\}$. $A(Q)$ is then seen as a random variable over $\{0,1\}$. This is an adaptative chosen plaintext attack (${\mathrm {cpa}}$). To measure the pseudorandomness of the XOR of $k$ permutations one must evaluate the advantage $ {\mathbf{Adv }}_{A,f_1 \oplus \ldots \oplus f_k}^{\mathrm {cpa}}$ of an adversary $A$ which is defined as

$$\begin{aligned} {\mathbf{Adv }}_{A,f_1 \oplus \ldots \oplus f_k}^{\mathrm {cpa}}= |Pr[A(f_1 \oplus \ldots \oplus f_k)=1]-Pr[A(F)=1]|. \end{aligned}$$

We write $ {\mathbf{Adv }}_{f_1 \oplus \ldots \oplus f_k}^{\mathrm {cpa}}$ for the maximal advantage any adversary can get when trying to distinguish the XOR of $k$ random permutations from a random function.

3 Security Bound from the $H_\sigma $ Technique

3.1 Linking the Advantage to a Combinatorial Problem

Let $k \ge 2$. We use Theorem 3 from [14]:

Theorem 1

Let $\alpha ,\beta \in \mathbb {R}^+$ and $q \in \mathbb {N}\setminus \{0\}$. Let $E$ be a subset of $I_n^q$ such that $|E| \ge (1-\beta )2^{nq}$. Suppose that, for each sequence $(a_i)_{1\le i \le q}, (b_i)_{1\le i \le q}\in J_n^q$, with $(b_i)_{1\le i \le q} \in E$:

$$\begin{aligned} H(a,b) \ge (1-\alpha )\frac{|B_n|^k}{2^{nq}}, \end{aligned}$$

with $H(a,b)$ the number of $(f_1,\ldots ,f_k)\in B_n^k$ such that:

$$\begin{aligned} \forall i, 1\le i \le q, (f_1\oplus \ldots \oplus f_k)(a_i)=b_i. \end{aligned}$$

Then:

$$\begin{aligned} {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le \alpha + \beta . \end{aligned}$$

For every $b\in J_n^q$, let $h_{q}(b)$ be the number of sequences $x^1,x^2,\ldots ,x^{k-1}\in J_n^q$ such that $x^1\oplus \ldots \oplus x^{k-1}\oplus b\in J_n^q$ then

Lemma 1

For all $a,b\in J_n^q$:

$$\begin{aligned} H(a,b)=h_{q}(b) \frac{|B_n|^k}{\big (2^n\times \cdots \times (2^n-q+1) \big )^k}. \end{aligned}$$

Proof

The number $H(a,b)$ can be seen as the sum, over the sequences $x^1,x^2,\ldots ,$ $x^{k-1}\in J_n^q$ such that $x^1\oplus \ldots \oplus x^{k-1}\oplus b\in J_n^q$, of the number of $f_1,\ldots ,f_k\in B_n$ satisfying the equations $f_j(a_i)=x_i^j$ for all $j\le k-1, i\le q$ and $f_k(a_i)=x_i^1\oplus \ldots \oplus x_i^{k-1}\oplus b_i, \forall i\le q$. Then, for each choices of $x^1,\ldots ,x^{k-1}$, each $f_j$ is a uniformly random permutation fixed on $q$ points so $H(a,b)=h_{q}(b) \left( \frac{|B_n|}{ 2^n\times \cdots \times (2^n-q+1)}\right) ^k$, which also shows that $H(a,b)$ does not depend of $a$. $\square $

We now see $h_q$ as a random variable over $b\in _R I^q_n$. The security of the XOR of $k$ permutations is closely related to the variance and the expectancy of this random variable:

Lemma 2

The advantage satisfies:

$$\begin{aligned} {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le 2\ \left( \frac{{{\mathbb {V}}\left[ h_q\right] }}{{{\mathbb {E}}\left[ h_q\right] }^2} \right) ^{1/3}. \end{aligned}$$

(1)

Proof

For all $a$, we define $H(a)$ the random variable over $b$ equal to $H(a,b)$. The Bienayme-Chebyshev’s inequality yields:

$$\begin{aligned} \forall \epsilon > 0, \Pr \left[ {|H(a)-{{\mathbb {E}}\left[ H(a)\right] }|\le \epsilon }\right] \ge 1-\frac{{{\mathbb {V}}\left[ H(a)\right] }}{\epsilon ^2}. \end{aligned}$$

Taking $\epsilon =\alpha {{\mathbb {E}}\left[ H(a)\right] }$:

$$\begin{aligned} \forall \alpha > 0, \Pr \left[ {|H(a)-{{\mathbb {E}}\left[ H(a)\right] }|\le \alpha {{\mathbb {E}}\left[ H(a)\right] }}\right] \ge 1-\frac{{{\mathbb {V}}\left[ H(a)\right] }}{\alpha ^2 {{\mathbb {E}}\left[ H(a)\right] }^2}. \end{aligned}$$

Then

$$\begin{aligned} \forall \alpha > 0, \Pr \left[ {H(a)\ge (1-\alpha ) {{\mathbb {E}}\left[ H(a)\right] }}\right] \ge 1-\frac{{{\mathbb {V}}\left[ H(a)\right] }}{\alpha ^2 {{\mathbb {E}}\left[ H(a)\right] }^2}. \end{aligned}$$

Thus, defining $E=\{ (b_i)_{1\le i \le q} | H(a,b)\ge (1-\alpha ) {{\mathbb {E}}\left[ H(a)\right] }\}$, Theorem 1 yields:

$$\begin{aligned} \forall \alpha > 0, {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le \alpha + \frac{{{\mathbb {V}}\left[ H(a)\right] }}{\alpha ^2 {{\mathbb {E}}\left[ H(a)\right] }^2}. \end{aligned}$$

Then, with $\alpha =\left( \frac{{{\mathbb {V}}\left[ H(a)\right] }}{{{\mathbb {E}}\left[ H(a)\right] }^2} \right) ^{1/3}$:

$$\begin{aligned} {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le 2\ \left( \frac{{{\mathbb {V}}\left[ H(a)\right] }}{{{\mathbb {E}}\left[ H(a)\right] }^2}\right) ^{1/3}=2\ \left( \frac{{{\mathbb {V}}\left[ h_q\right] }}{{{\mathbb {E}}\left[ h_q\right] }^2}\right) ^{1/3}. \end{aligned}$$

$\square $

Lemma 3

The mean of $h_q$ satisfies:

$$\begin{aligned} {{\mathbb {E}}\left[ h_q\right] }=\frac{\big [2^n(2^n-1)\ldots (2^n-q+1)\big ]^k}{2^{nq}}. \end{aligned}$$

Proof

This result generalizes a theorem found in [12]. We define $\delta _x$, with $x=(x^1,\ldots ,x^{k-1})\in (J_n^q)^{k-1}$, a random variable over $b$ such that $\delta _x=1$ if $x^1,\ldots ,$ $x^{k-1}, b\oplus x^1\oplus \cdots \oplus x^{k-1}\in J_n^q$ and $\delta _x=0$ otherwise. It’s clear that $h_q=\sum \limits _{x \in (J_n^q)^{k-1}}\delta _x$, then

$$\begin{aligned} {{\mathbb {E}}\left[ h_q\right] }= & {} \sum \limits _{x \in (J_n^q)^{k-1}}{{\mathbb {E}}\left[ \delta _x\right] }\\= & {} \sum \limits _{x \in (J_n^q)^{k-1}}\Pr \left[ {\text {the } b_i\oplus x_i^1\oplus \ldots \oplus x_i^{k-1} \text { are pairwise distinct}}\right] \\= & {} \sum \limits _{x \in (J_n^q)^{k-1}} \frac{2^n(2^n-1)\ldots (2^n-q+1)}{2^{nq}}\\= & {} \left| J_n^q\right| ^{k-1} \times \frac{2^n(2^n-1)\ldots (2^n-q+1)}{2^{nq}}\\= & {} \frac{\big [2^n(2^n-1)\ldots (2^n-q+1)\big ]^k}{2^{nq}}. \end{aligned}$$

$\square $

We now focus on the variance of $h_q$.

3.2 Study of ${{\mathbb {V}}\left[ h_q\right] }$

We denote $\lambda _q$ the number of sequences $g^1,\ldots ,g^{2k}\,{\in }\, J_n^q$ such that $g^1\oplus \cdots \oplus g^{2k}\,{=}\,0$. These conditions will be referred to as the $\lambda _q$ conditions. This is $2k$ sequences of $q$ pairwise distinct elements and $q$ equations so, we could expect $\lambda _q$ to be close to

$$ U_q:=\frac{\left( 2^n(2^n-1)(2^n-q+1)\right) ^{2k}}{2^{2nq}}. $$

We see in the next lemma that the problem of knowing how close $\lambda _q$ is from $U_q$ is at the core of the computation of the advantage.

Lemma 4

The advantage satisfies:

$$ {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le 2 \left( \frac{\lambda _q}{U_q}-1\right) ^{1/3}. $$

Proof

We know that $h_q=\sum _x \delta _x$ with the sum being over $x\in (J_n^q)^{k-1}$, so the linearity of the expected value operator yields:

$$\begin{aligned} {{\mathbb {V}}\left[ h_q\right] }= & {} {{\mathbb {E}}\left[ \left( \sum _x \delta _x - {{\mathbb {E}}\left[ h_q\right] }\right) ^2\right] }\\= & {} {{\mathbb {E}}\left[ \left( \sum _x \delta _x\right) ^2-2\left( \sum _x \delta _x\right) {{\mathbb {E}}\left[ h_q\right] }+{{\mathbb {E}}\left[ h_q\right] }^2\right] }\\= & {} {{\mathbb {E}}\left[ \left( \sum _x \delta _x\right) \left( \sum _{x'} \delta _{x'}\right) \right] }-2{{\mathbb {E}}\left[ \sum _x \delta _x\right] }{{\mathbb {E}}\left[ h_q\right] }+{{\mathbb {E}}\left[ h_q\right] }^2\\= & {} {{\mathbb {E}}\left[ \sum _{x,x'}\delta _x\delta _{x'}\right] }-{{\mathbb {E}}\left[ h_q\right] }^2, \end{aligned}$$

the sum being over $x,x'\in (J_n^q)^{k-1}$. Then:

$$ {{\mathbb {E}}\left[ \sum _{x,x'}\delta _x\delta _{x'}\right] }=\frac{1}{2^{nq}}\sum _{b,x, x'}\delta _x(b)\delta _{x'}(b). $$

We know that $\delta _x(b)\delta _{x'}(b)$, with $x,x'\in (J_n^q)^{k-1}$, equals $1$ if and only if $b\oplus x^1\oplus \cdots \oplus x^{k-1}\in J_n^q$ and $b\oplus x'^1\oplus \cdots \oplus x'^{k-1}\in J_n^q$. If we change variables like this: $g^i:=x^i$ and $g^{i+k-1}:=x'^i$ for all $1\le i\le k-1$ and $g^{2k-1}:=b\oplus x^1\oplus \cdots \oplus x^{k-1}, g^{2k}:=b\oplus x'^1\oplus \cdots \oplus x'^{k-1}$, we see that $\sum _{b,x,x'}\delta _x(b)\delta _{x'}(b)$ is equal to $\lambda _q$. Then:

$$\begin{aligned} {{\mathbb {V}}\left[ h_q\right] }= & {} \frac{\lambda _q}{2^{nq}}-{{\mathbb {E}}\left[ h_q\right] }^2\\= & {} \frac{\lambda _q-U_q}{2^{nq}}\text { since }{{\mathbb {E}}\left[ h_q\right] }^2=\frac{U_q}{2^{nq}}. \end{aligned}$$

Moreover, using Lemma 2:

$$\begin{aligned} {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le & {} 2\ \left( \frac{{{\mathbb {V}}\left[ h_q\right] }}{{{\mathbb {E}}\left[ h_q\right] }^2} \right) ^{1/3}\\\le & {} 2\ \left( \frac{\lambda _q-U_q}{U_q}\right) ^{1/3}\\\le & {} 2\ \left( \frac{\lambda _q}{U_q}-1\right) ^{1/3}. \end{aligned}$$

$\square $

The strategy we follow is to evaluate recursively, more and more accurately, the coefficients $\lambda _\alpha $ for $1 \le \alpha \le q$.

3.3 First Evaluation of $\lambda _\alpha $

By definition, $\lambda _{\alpha +1}$ is the number of tuples $g^1,\ldots ,g^{2k}\in J_n^{\alpha +1}$ such that:

1.
the $\lambda _\alpha $ conditions hold,
2.
for all $1 \le j \le 2k$, $g^j_{\alpha +1} \not \in \{g^j_i, 1 \le i \le \alpha \}$,
3.
$g_{\alpha +1}^1\oplus \cdots \oplus g_{\alpha +1}^{2k}=0.\quad (E_{\alpha +1})$

Hence there are $2k\alpha $ equations that should not be verified. For $1\le i \le 2k\alpha $, we denote $\beta _i$ the i-th such equation. Let $B_i$ be the set of tuples $(g^1,\ldots ,g^{2k})$ which satisfy the $\lambda _\alpha $ conditions, the equation $(E_{\alpha +1})$ and the equation $\beta _i$, for $1\le i \le 2k\alpha $. Then:

$$\begin{aligned} \lambda _{\alpha +1}=2^{(2k-1)n}\lambda _\alpha - \left| \bigcup _{i=1}^{2k\alpha } B_i\right| . \end{aligned}$$

Using the inclusion-exclusion principle:

$$\begin{aligned} \lambda _{\alpha +1}=2^{(2k-1)n}\lambda _\alpha + \sum \limits _{l=1}^{2k \alpha }(-1)^{l}\sum \limits _{i_1<\ldots <i_l}|B_{i_1}\cap \ldots \cap B_{i_l}|. \end{aligned}$$

When more than $2k+1$ equations $\beta _i$ are considered, at least two of them use the same variable, for example $g^1_{\alpha +1}=g^1_1$ and $g^1_{\alpha +1}=g^1_2$, which is impossible according to the $\lambda _{\alpha }$ conditions. Thus:

$$\begin{aligned} \lambda _{\alpha +1}=2^{(2k-1)n}\lambda _\alpha + \sum \limits _{l=1}^{2 k}(-1)^{l}\sum \limits _{i_1<\ldots <i_l}|B_{i_1}\cap \ldots \cap B_{i_l}|. \end{aligned}$$

(2)

Now, we study every kind of intersection.

$1$ equation:

The $\beta _i$ equation fixes the value of one new variable, whereas the others are free, so:

$$\begin{aligned} |B_i|=2^{(2k-2)n}\lambda _\alpha \end{aligned}$$

and there exists $2k\alpha $ such sets.

$l$ equations ($2\le l \le 2k-1$):

Such an intersection is non-empty if every equation $\beta _i$ uses a different new variable. In this case, $l$ new variables are fixed and the others remain free. Thus,

$$ |B_{i_1}\cap \ldots \cap B_{i_l}|=2^{(2k-1-l)n}\lambda _\alpha $$

and there are $\left( \begin{array}{c} 2k \\ \ell \end{array}\right) \alpha ^k$ such non-empty intersections.

$2k$ equations:

Like before, such a set is non-empty if every equation $\beta _i$ uses a different new variable. In this case, the set $B_{i_1}\cap \ldots \cap B_{i_{2k}}$ is composed of tuples such that $g_{\alpha +1}^1=g_{i_1}^1,\ldots ,g_{\alpha +1}^{2k}=g_{i_{2k}}^{2k}$ and the equation $(E_{\alpha +1})$ implies that:

$$ g_{i_1}^1\oplus \cdots \oplus g_{i_{2k}}^{2k}=0. $$

We denote $X$ this equation and $\lambda '_\alpha (X)$ the size of $|B_{i_1}\cap \ldots \cap B_{i_{2k}}|$. There are 3 possible cases:

If the $2k$ indexes in $X$ are equal then $X$ is always true. There are $\alpha $ possibilities and $\lambda '_{\alpha }(X)=\lambda _\alpha $.
If $2k-1$ indexes are equal and the last is different, then $\lambda '_{\alpha }(X)=0$ since $X$ is in contradiction with $\lambda _\alpha $. There are $2k\alpha (\alpha -1)$ possibilities.
We denote $S$ the set of equations $X$ that are not of the previous types. We denote $\lambda '_\alpha =\max _S \lambda '_\alpha (X)$.

Hence, thanks to (2), one has:

$$\begin{aligned} \lambda _{\alpha +1}= & {} 2^{(2k-1)n}\lambda _\alpha - 2k\alpha \lambda _\alpha + \sum _{\ell =2}^{2k-1} \left( \begin{array}{c} 2k \\ \ell \end{array}\right) (-1)^{l}\alpha ^l 2^{(2k-1-\ell )n}\lambda _\alpha + \sum _X \lambda '_\alpha (X)\\= & {} \left( 2^{2kn}-2k\alpha 2^n+\sum _{\ell =2}^{2k-1} \left( \begin{array}{c} 2k \\ \ell \end{array}\right) (-1)^{l}\alpha ^l 2^{(2k-\ell )n}\right) \frac{\lambda _\alpha }{2^n}+\alpha \lambda _\alpha + \sum _{X\in S} \lambda '_\alpha (X)\\\le & {} \frac{\left( (2^n-\alpha )^{2k}-\alpha ^{2k}+2^n\alpha \right) \lambda _\alpha }{2^n}+\left( \alpha ^{2k}-\alpha -2k\alpha (\alpha -1)\right) \lambda '_\alpha \end{aligned}$$

We denote $\epsilon _\alpha =\frac{2^n \lambda '_\alpha }{\lambda _\alpha }-1$, so:

$$\begin{aligned} \frac{2^n\lambda _{\alpha +1}}{\lambda _\alpha }\le & {} (2^n-\alpha )^{2k}- \alpha ^{2k}+2^n\alpha +\frac{2^n\lambda '_\alpha }{\lambda _\alpha } \times (\alpha ^{2k}-\alpha -2k\alpha (\alpha -1))\\\le & {} (2^n-\alpha )^{2k}+2^n\alpha -\alpha -2k\alpha (\alpha -1)+\epsilon _\alpha \times (\alpha ^{2k}-\alpha -2k\alpha (\alpha -1))\\\le & {} (2^n-\alpha )^{2k}-2k\alpha ^2+\alpha (2^n+2k-1)+\epsilon _\alpha \times (\alpha ^{2k}-2k\alpha ^2+\alpha (2k-1)) \end{aligned}$$

3.4 Relation Between the Advantage and $\epsilon _\alpha $

Lemma 5

For every $m\ge 1$, the advantage satisfies:

$$ {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le 2\left( \prod _{\alpha =1}^{m -1}\left( 1+\frac{-2k\alpha ^2+\alpha (2^n+2k-1)+\epsilon _\alpha \times (\alpha ^{2k}-2k\alpha ^2+\alpha (2k-1))}{(2^n-\alpha )^{2k}}\right) - 1\right) ^{1/3}. $$

Proof

We know that

$$ \frac{2^nU_{\alpha +1}}{U_\alpha }=(2^n-\alpha )^{2k}, $$

and the result of the previous section yields:

$$\begin{aligned} \frac{\lambda _{\alpha +1}}{U_{\alpha +1}}\le & {} \frac{\lambda _{\alpha }}{U_{\alpha }}\left( \frac{(2^n-\alpha )^{2k}-2k\alpha ^2+\alpha (2^n+2k -1)+\epsilon _\alpha \times (\alpha ^{2k}-2k\alpha ^2+\alpha (2k-1))}{(2^n -\alpha )^{2k}}\right) \\\le & {} \frac{\lambda _{\alpha }}{U_{\alpha }}\left( 1+\frac{-2k\alpha ^2 +\alpha (2^n+2k-1)+\epsilon _\alpha \times (\alpha ^{2k}-2k\alpha ^2+ \alpha (2k-1))}{(2^n-\alpha )^{2k}}\right) \end{aligned}$$

Since $U_1=\lambda _1=2^{(2k-1)n}$:

$$ \frac{\lambda _{m}}{U_{m}}\le \prod _{\alpha =1}^{m-1}\left( 1+\frac{-2k \alpha ^2+\alpha (2^n+2k-1)+\epsilon _\alpha \times (\alpha ^{2k}-2k \alpha ^2+\alpha (2k-1))}{(2^n-\alpha )^{2k}}\right) $$

And Lemma 4 ends the proof. $\square $

3.5 First Approximation of $\epsilon _\alpha $

Before evaluating $\epsilon _\alpha $, we need a technical lemma:

Lemma 6

For every $\alpha \in \{2,\ldots ,m\}$, one has:

$$\begin{aligned} 1-\frac{2k\alpha }{2^n} \le \frac{\lambda _{\alpha }}{2^{(2k-1) n}\lambda _{\alpha -1}} \le 1. \end{aligned}$$

(3)

Proof

We consider $g^1,\ldots ,g^{2k}\in J_n^{\alpha }$ satisfying the conditions $\lambda _{\alpha -1}$. To satisfy the conditions $\lambda _{\alpha }$, there are $(2^n-(\alpha -1))$ possibilities for each $g^1_{\alpha },\ldots ,g^{2k-2}_{\alpha }$ and there are $2(\alpha -1)$ non-equalities left: $g^{2k-1}_{\alpha }\ne g^{2k-1}_i$ and $g^{2k}_{\alpha }\ne g^{2k}_i$ for all $i\le \alpha -1$. Since $g^{2k}_{\alpha }=g^1_{\alpha }\oplus \cdots \oplus g^{2k-1}_{\alpha }$, one sees these $2(\alpha -1)$ non-equalities as equations on $g^{2k-1}_{\alpha }$. So, there are between $2^n-2(\alpha -1)$ and $2^n-(\alpha -1)$ possible choices for $g^{2k-1}_{\alpha }$ and $1$ choice for $g^{2k}_{\alpha }$. Then:

$$\begin{aligned} \lambda _{\alpha -1}(2^n-(\alpha -1))^{2k-2}(2^n-2(\alpha -1))\le \lambda _{\alpha }\le \lambda _{\alpha -1}(2^n-(\alpha -1))^{2k-1} \end{aligned}$$

which is equivalent to:

$$ \left( 1-\frac{\alpha -1}{2^n}\right) ^{2k-2}\left( 1-\frac{2(\alpha -1)}{2^n} \right) \le \frac{\lambda _{\alpha }}{2^{(2k-1)n}\lambda _{\alpha -1}} \le \left( 1-\frac{\alpha -1}{2^n}\right) ^{2k-1}. $$

Since the left term is bigger than $1-\frac{2k\alpha }{2^n}$ and the right term is inferior to $1$, it ends the proof. $\square $

Lemma 7

Every value $\lambda '_{\alpha }(X)$ with $X\in S$ satisfies:

$$ \frac{2^n\lambda '_{\alpha }(X)}{\lambda _\alpha }\le 1+\frac{2k\alpha }{\left( 1-\frac{2k\alpha }{2^n} \right) 2^n}. $$

Proof

We now express $\lambda '_{\alpha }$ in terms of $\lambda _{\alpha -1}$. Without loss of generality, we suppose that $X$ involves $g^1_{\alpha }$, otherwise we can just reorder the variables. Let $i$ be any index such that $g^i_{\alpha }$ is not involved in $X$ (this is possible since $X\in S$). Let $g^1,\ldots ,g^{2k}\in J_n^{\alpha }$ such that the $\lambda _{\alpha -1}$ conditions are satisfied. We now count $\lambda '_\alpha (X)$. There are at most $2^n-(\alpha -1)$ possible choices for each $g^j_\alpha , j\ne 1,i$. After we made these choices, there are two variables left: $g^1_\alpha $ and $g^i_\alpha $. Since $g^i_\alpha $ is not involved in $X$, there is only, at most, one possible choice for $g^1_\alpha $ and there is, at most, one possible choice for $g^i_\alpha $ using the equation $g^1_\alpha \oplus \cdots \oplus g^{2k}_\alpha =0$. Then:

$$ \lambda '_\alpha (X)\le (2^n-(\alpha -1))^{2k-2}\lambda _{\alpha -1}. $$

Applying Lemma 6, one finds that:

$$ \lambda '_\alpha (X)\le (2^n-(\alpha -1))^{2k-2}\ \left( \frac{1}{1- \frac{2k\alpha }{2^n}}\right) \frac{\lambda _\alpha }{2^{(2k-1)n}} $$

Since $2^n-\alpha -1\le 2^n$ and $\frac{1}{1-\frac{2k\alpha }{2^n}}= 1+\frac{2k\alpha }{\left( 1-\frac{2k\alpha }{2^n}\right) 2^n}$, this ends the proof. $\square $

Remark: These two technical lemmas formalize the intuition that, when one equation is added to the system, one degree of freedom is lost and this divides the number of possible solutions by around $2^n$.

Finally

$$ \epsilon _\alpha \le \frac{2k\alpha }{\left( 1-\frac{2k\alpha }{2^n}\right) 2^n}. $$

First notice that if $q \le \frac{2^n}{2k}$, $-2k \alpha ^2+\alpha (2^n)\ge 0$. Then, from Lemma 5,

$$\begin{aligned} {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le & {} 2\ \left( \prod _{\alpha = 1}^{q-1}\left( 1+\frac{-2k\alpha ^2+\alpha (2^n+2k-1)+\epsilon _\alpha \times (\alpha ^{2k}-2k\alpha ^2+\alpha (2k-1))}{(2^n-\alpha )^{2k}}\right) -1\right) ^{1/3}. \end{aligned}$$

If $q \le \frac{2^n}{2k}$, all the terms of the product are greater than 1 and

$$\begin{aligned} {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le & {} 2\ \left( \prod _{\alpha = 1}^{q-1}\left( 1+\frac{-2k\alpha ^2+\alpha (2^n+2k-1)}{(2^n-\alpha )^{2 k}}+\frac{2k\alpha \times (\alpha ^{2k}-2k\alpha ^2+\alpha (2k-1))}{\left( 1-\frac{2k\alpha }{2^n} \right) 2^n\times (2^n-\alpha )^{2k}}\right) -1\right) ^{1/3}\\\le & {} 2\ \left( \prod _{\alpha =1}^{q-1}\left( 1+\frac{\alpha 2^n}{(2^n- \alpha )^{2k}}+\frac{2k\alpha ^{2k+1}}{\left( 1-\frac{2k\alpha }{2^n} \right) 2^n(2^n-\alpha )^{2k}}\right) -1\right) ^{1/3}\\\le & {} 2\ \left( \left( 1+\frac{q2^n}{(2^n-q)^{2k}}+\frac{2kq^{2k+1}}{\left( 1-\frac{2kq}{2^n}\right) 2^n(2^n-q)^{2k}}\right) ^q-1\right) ^{1/3}. \end{aligned}$$

Thus we have proven that:

Theorem 2

(Upper Bound of the Advantage Using $H_\sigma $ ). The maximal advantage an adversary can get using $q$ queries, with $q \le \frac{2^n}{2k}$ verifies:

$$ {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le 2\ \left( \left( 1+\frac{q2^n}{(2^n-q)^{2k}}+\frac{2kq^{2k+1}}{\left( 1-\frac{2kq}{2^n} \right) 2^n (2^n-q)^{2k}}\right) ^q-1\right) ^{1/3}. $$

Notice that

$$ {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{{\mathrm {cpa}}} \lesssim 2\ \left( \frac{q^2}{2^{(2k-1)n}(1-\frac{q}{2^n})^{2k}} + \frac{2kq^{2k+2}}{2^{(2k+1)n}(1-\frac{6kq}{2^n})} \right) ^{1/3}. $$

Since $k \ge 3$ and $q \le 2^n$, the first term is negligible in front of 1. Moreover, when $q^{2k+2} \ll 2^{(2k+1)n}$, $ {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\ll 1$. Hence we have proven that the XOR of $k$ permutations is safe as long as $q\ll 2^{\frac{2k+1}{2k+2}n}$ with this first technique.

4 Security Bound from the Standard $H$ Technique

We now use the “standard $H$ technique”, i.e. proofs from the general result (the Corollary 8) below. In this section, $\mathbb {E}[h_q]$ is noted $\tilde{h}_q$ to lighten the notations.

Corollary 8

Let $\alpha >0$. If, for every sequence $b=(b_i)_{1 \le i \le q} \in I_n^q$

$$ h_q(b)\ge (1-\alpha )\tilde{h}_q, $$

then

$$\begin{aligned} {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le \alpha . \end{aligned}$$

Proof

This result comes immediately from Theorem 1 with $\beta =0$ and Lemmas 1 and 3. $\square $

4.1 First Approximation

Let us study $\frac{h_{\alpha }}{\tilde{h}_\alpha }$.

One has:

$$\begin{aligned} \tilde{h}_{\alpha +1}=\tilde{h}_{\alpha }\frac{(2^n-\alpha )^k}{2^n}. \end{aligned}$$

We now evaluate $h_{\alpha +1}$ from $h_\alpha $. From the definition of $h_\alpha $ (see Sect. 3.1), we see that $h_{\alpha +1}$ is the number of sequence $(P_i^j)_{1\le i \le m, 1 \le j \le k}$ such that:

the $h_\alpha $ conditions hold;
$P^1_{\alpha +1} \oplus \ldots \oplus P^k_{\alpha +1} = b_{\alpha +1}$, this equation will be called $X$;
$P^j_{\alpha +1}\ne P^j_{i}$ for every $1\le i \le \alpha $, $1 \le j \le k$.

Let $\beta _i$, $1 \le k\alpha $ be the $k\alpha $ equations which should be false. Let, for $1\le i \le k\alpha $, $B_i$ be the set of the $\left( P^j_i\right) _{1\le i \le \alpha +1, 1\le j \le k}$ for which the $h_\alpha $ conditions and the equation $\beta _i$ hold.

From the inclusion-exclusion principle, we get:

$$\begin{aligned} h_{\alpha +1}= & {} 2^{(k-1)n}h_{\alpha }-|\cup _{i=1}^{k\alpha }B_i|\\= & {} 2^{(k-1)n}h_\alpha + \sum \limits _{1\le l \le k\alpha }(-1)^l\sum \limits _{i_1<\ldots <i_l}|B_{i_1}\cap \ldots \cap B_{i_l}|. \end{aligned}$$

When $k+1$ sets are intersected, at least two equations will use the same $P^j_{\alpha +1}$ variable, which is in contradiction with $h_\alpha $. Thus,

$$\begin{aligned} h_{\alpha +1}=2^{(k-1)n}h_\alpha + \sum \limits _{1\le l \le k}(-1)^l\sum \limits _{i_1<\ldots <i_l}|B_{i_1}\cap \ldots \cap B_{i_l}|. \end{aligned}$$

(4)

We study the number of possible messages in function of the number of sets in the intersection.

$l$ equations, $1\le l \le k-1$ :

If we want $|B_{i_1}\cap \ldots \cap B_{i_l}| \ne 0$, every new $\beta _i$ equation should bring a new variable $P^j_{\alpha +1}$. In this case, $X$ and $\beta _i$ fix $l+1$ variables, the remaining ones are free, so $|B_{i_1}\cap \ldots \cap B_{i_l}|=2^{(k-l-1)n}h_{\alpha }$ and

$$ \sum \limits _{i_1<\ldots <i_l}|B_{i_1}\cap \ldots \cap B_{i_l}|= \left( \begin{array}{c} k \\ l \end{array} \right) \alpha ^l 2^{ (k-l-1)n}h_{\alpha } $$

$k$ equations:

As well as above, in order to have $|B_{i_1}\cap \ldots \cap B_{i_k}| \ne 0$, there must be an equation in every new variable:

$$ P^j_{\alpha +1}=P^j_{i_j}, \, 1 \le j \le k. $$

So the condition $P^1_{\alpha +1} \oplus \ldots \oplus P^k_{\alpha +1} = b_{\alpha +1}$ becomes:

$$ P^1_{i_1} \oplus \ldots \oplus P^k_{i_k} = b_{\alpha +1}. $$

Let $h'_{\alpha }(b_1,\ldots ,b_{\alpha +1})(i_1,\ldots ,i_k)$ or $h'_{\alpha }(i_1,\ldots ,i_k)$ the number of $(P^j_i)_{1 \le i \le \alpha , 1 \le j \le k} \in I_n^{k\alpha }$ such that:

the conditions $h_{\alpha }$ hold,
$P^1_{i_1} \oplus \ldots \oplus P^k_{i_k} = b_{\alpha +1}.$

Let $Y(i_1,\ldots ,i_k)$ be this equality. Thus

$$ \sum \limits _{i_1<\ldots <i_k}|B_{i_1}\cap \ldots \cap B_{i_k}| = \sum \limits _{1\le i_1,\ldots ,i_k \le \alpha }h'_{\alpha }(i_1,\ldots ,i_k). $$

From (4), we have:

$$\begin{aligned} h_{\alpha +1}=\frac{(2^n-\alpha )^k-(-1)^k\alpha ^k}{2^n}h_\alpha +(-1)^k \sum \limits _{1\le i_1,\ldots ,i_k \le \alpha }h'_{\alpha }(i_1,\ldots ,i_k). \end{aligned}$$

(5)

Remark: if $k$ is even, one has:

$$ h_{\alpha +1}\ge h_\alpha \left( \frac{(2^n-\alpha )^k-\alpha ^k}{2^n}\right) . $$

So

$$ \frac{h_{\alpha +1}}{\tilde{h}_{\alpha +1}} \ge \frac{h_{\alpha }}{\tilde{h}_{\alpha }}\ \left( 1-\frac{\alpha ^k}{(2^n-\alpha )^k}\right) . $$

As $h_1=\tilde{h}_1=2^{(k-1)n}$,

$$\begin{aligned} h_q\ge & {} \tilde{h}_q\ \left( 1- \frac{q^k}{(2^n-q)^k}\right) ^q\\\ge & {} \tilde{h}_q\ \left( 1- \frac{q^{k+1}}{(2^n-q)^k}\right) \end{aligned}$$

Then, using Corollary 8,

$$ {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le \frac{q^{k+1}}{(2^n -q)^k}. $$

The upper bound we get in this case is in the same order of magnitude as the one from [9]. If we study more closely $h'_{\alpha }$, we will get a better inequality.

4.2 Second Approximation

In this section, we suppose that $k\ge 3$.

Let $M=\{i,\, 1 \le i \le \alpha , \, b_i = b_{\alpha +1}\}$. If $i\in M$, we have $h'_{\alpha }(i,\ldots ,i)=h_\alpha $ and if $i\not \in M$, $h'_{\alpha }(i,\ldots ,i)=0$. Furthermore, in order to be compatible with $h_\alpha $, if $i\in M$, for each $1 \le j \le \alpha $, $i \ne j$, $h'_\alpha (j,i,\ldots ,i)=h'_\alpha (i,j,\ldots ,i)=\ldots = h'_\alpha (i,\ldots ,i,j)=0$. Let $I$ be the set of the tuples that do not satisfy these requirements. Then $|I|=\alpha ^{k}-\alpha - k|M|(\alpha -1)$. By applying (5), one gets:

$$\begin{aligned} h_{\alpha +1}=\frac{(2^n-\alpha )^k-(-1)^k\alpha ^k +(-1)^k 2^n|M|}{2^n}h_\alpha +(-1)^k \sum \limits _{(i_1,\ldots ,i_k)\in I}h'_{\alpha }(i_1,\ldots ,i_k). \end{aligned}$$

(6)

We now need a technical lemma:

Lemma 9

If $i=(i_1,\ldots ,i_k)\in I$,

$$ 1- \frac{3\alpha }{(2^n-\alpha )(1-\frac{\alpha }{2^n})} \le \frac{2^n h'_{\alpha }(i_1,\ldots ,i_k)}{h_\alpha } \le \frac{1}{1- \frac{3\alpha }{2^n}}. $$

Proof

Without loss of generality, we can suppose that $i_1=\alpha $ and $i_2=\alpha -1$ (because we can reorder the queries). Let us evaluate $h'_\alpha $ and $h_\alpha $ from $h_{\alpha -2}$. To get $h_{\alpha }$ from $h_{\alpha -2}$, we have $2k$ new variables $P^j_{\alpha -1}$ and $P^j_{\alpha }$, $1\le j \le k$, such that:

$P^1_{\alpha } \oplus \ldots \oplus P^k_{\alpha } = b_{\alpha }$,
$P^1_{\alpha -1} \oplus \ldots \oplus P^k_{\alpha -1} = b_{\alpha -1}$,
$\forall j,\, 1\le j \le k,\, \forall i,\, 1 \le i \le \alpha -2,\, P^j_{\alpha -1}\ne P^j_i,$
$\forall j,\, 1\le j \le k,\, \forall i,\, 1 \le i \le \alpha -1,\, P^j_{\alpha }\ne P^j_i.$

We decide that the first equation will fix $P^1_{\alpha -1}$ and the next one $P^1_{\alpha }$. For $j\ge 3$, we have respectively $2^n-(\alpha -2)$ and $2^n-(\alpha -1)$ possibilities for $P^j_{\alpha -1}$ and $P^j_{\alpha }$. When these messages have been chosen, only $P^2_{\alpha -1}$ and $P^2_{\alpha }$ remain, and they must satisfy:

$P^2_{\alpha -1} \ne P^2_i,\, 1\le i \le \alpha -2$,
$P^2_{\alpha -1} \ne P^1_{i}\oplus b_{\alpha -1}\oplus P^3_{\alpha -1} \oplus \ldots \oplus P^k_{\alpha -1},\, 1\le i \le \alpha -2$,
$P^2_{\alpha } \ne P^2_i,\, 1\le i \le \alpha -1$,
$P^2_{\alpha } \ne P^1_{i}\oplus b_{\alpha }\oplus P^3_{\alpha } \oplus \ldots \oplus P^k_{\alpha },\, 1\le i \le \alpha -1$.

There are for $P^2_{\alpha -1}$ between $2^n-2(\alpha -2)$ and $2^n-(\alpha -2)$ choices and for $P^2_{\alpha -1}$ between $2^n-2(\alpha -1)$ and $2^n-(\alpha -1)$. Thus

$$\begin{aligned}&(2^n-(\alpha -2))^{k-2}(2^n-(\alpha -1))^{k-2}(2^n-2(\alpha -2))(2^n -2(\alpha -1))\le \frac{h_{\alpha }}{h_{\alpha -2}},\quad \end{aligned}$$

(7)

$$\begin{aligned}&\frac{h_{\alpha }}{h_{\alpha -2}} \le (2^n-(\alpha -2))^{k-1}(2^n-(\alpha -1))^{k-1}. \end{aligned}$$

(8)

In order to go from $h_{\alpha -2}$ to $h'_{\alpha }$, we also have $2k$ new variables $P^j_{\alpha -1}$ and $P^j_{\alpha }$, $1\le j \le k$, such that:

$P^1_{\alpha -1} \oplus \ldots \oplus P^k_{\alpha -1} = b_{\alpha -1}$,
$P^1_\alpha =b_{\alpha +1} \oplus P^2_{\alpha -1}\oplus P^3_{i_3} \oplus \ldots \oplus P^k_{i_k},$
$P^1_{\alpha } \oplus \ldots \oplus P^k_{\alpha } = b_{\alpha }$,
$\forall j,\, 1\le j \le k,\, \forall i,\, 1 \le i \le \alpha -2,\, P^j_{\alpha -1}\ne P^j_i,$
$\forall j,\, 1\le j \le k,\, \forall i,\, 1 \le i \le \alpha -1,\, P^j_{\alpha }\ne P^j_i.$

We have, for $j \ge 4$, respectively $2^n-(\alpha -2)$ and $2^n-(\alpha -1)$ possibilities for $P^j_{\alpha -1}$ and $P^j_{\alpha }$. From these 3 equalities, we can fix the following variables:

1.
$P^1_{\alpha -1}=b_{\alpha -1} \oplus P^2_{\alpha -1}\oplus \ldots \oplus P^k_{\alpha -1}$,
2.
$P^1_\alpha =b_{\alpha +1} \oplus P^2_{\alpha -1} \oplus P^3_{i_3} \oplus \ldots \oplus P^k_{i_k},$
3.
$P^2_{\alpha }=(b_{\alpha +1}\oplus b_\alpha )\oplus P^2_{\alpha -1} \oplus (P^3_{i_3}\oplus P^3_\alpha )\oplus \ldots \oplus (P^k_{i_k}\oplus P^k_\alpha )$.

Then

the condition $\forall i, 1\le i \le \alpha -2, P^1_{\alpha -1} \ne P^1_i$ becomes:
$$ \forall i, 1\le i \le \alpha -2, P^2_{\alpha -1}\ne P^1_i \oplus b_{\alpha -1} \oplus P^3_{\alpha -1}\oplus \ldots \oplus P^k_{\alpha -1}, $$
$\forall i, 1\le i \le \alpha -1, P^1_{\alpha }\ne P^1_i$ becomes:
$$ \forall i, 1\le i \le \alpha -1, P^2_{\alpha -1}\ne b_{\alpha +1} \oplus P^1_i \oplus P^3_{i_3} \oplus \ldots \oplus P^k_{i_k}, $$
$\forall i, 1\le i \le \alpha -2, P^2_{\alpha }\ne P^1_i$ becomes:
$$\begin{aligned}&\forall i, 1\le i \le \alpha -2,\, P^2_{\alpha -1} \ne (b_{\alpha +1} \oplus b_\alpha )\oplus P^2_{i}\oplus (P^3_{i_3}\oplus P^3_\alpha )\oplus \ldots \oplus (P^k_{i_k}\oplus P^k_\alpha ) \end{aligned}$$

For $P^2_\alpha \ne P^2_{\alpha -1}$, there are two cases. If $i_3=\ldots =i_k=\alpha $, since $(i_1,\ldots ,i_k)\in I$, we have $b_{\alpha +1}\ne b_\alpha $ and this non-equality is automatically verified. Else, this means that there is an index $3 \le j \le k$ such that $i_j \ne \alpha $, e.g. $j=3$. Then $P^2_\alpha \ne P^2_{\alpha -1}$ becomes:

$$ P^3_\alpha \ne (b_{\alpha +1}\oplus b_\alpha ) \oplus P^3_{i_3}\oplus \ldots \oplus (P^k_{i_k}\oplus P^k_\alpha ). $$

Thus, after the other messages have been chosen, there are between $2^n-\alpha $ and $2^n-(\alpha -1)$ possibilities for $P^3_\alpha $, $2^n-(\alpha -2)$ possibilities for $P^3_{\alpha -1}$ and finally between $2^n-(4\alpha -7)$ and $2^n-(\alpha -2)$ possibilities for $P^2_{\alpha -1}$. Then

$$\begin{aligned} (2^n-(\alpha -2))^{k-2}(2^n-(\alpha -1))^{k-3}(2^n-\alpha )(2^n-(4\alpha -7))\le & {} \frac{h'_\alpha }{h_{\alpha -2}}\end{aligned}$$

(9)

$$\begin{aligned} (2^n-(\alpha -2))^{k-1}(2^n-(\alpha -1))^{k-2}\ge & {} \frac{h'_\alpha }{h_{\alpha -2}}. \end{aligned}$$

(10)

From 7 and 9 we can deduce the following inequalities that allow us to get the result we want:

$$\begin{aligned}&\frac{2^n h'_{\alpha }}{h_{\alpha -2}}\ge 2^n\frac{(2^n-4\alpha +7)(2^n-\alpha )}{(2^n-(\alpha -2))(2^n-(\alpha -1))^2},\\&\frac{2^n h'_{\alpha }}{h_{\alpha -2}}\le 2^n \frac{2^n-(\alpha -2)}{(2^n-2(\alpha -2))(2^n-2(\alpha -1)).} \end{aligned}$$

$\square $

Remark: if we suppose $\alpha < \frac{2^n}{12}$, we get

$$\begin{aligned} 0 < 1- \frac{12\alpha }{2^n} \le \frac{2^n h'_{\alpha } (i_1,\ldots ,i_k)}{h_\alpha } \le 1+\frac{3\alpha }{2^n- 3\alpha }. \end{aligned}$$

(11)

One has:

$$\begin{aligned} \frac{h_{\alpha +1}}{\tilde{h}_{\alpha +1}}= & {} \frac{h_{\alpha }}{\tilde{h}_{\alpha }}\left( 1+\frac{(-1)^{k+1}\alpha ^k}{(2^n- \alpha )^k}+(-1)^k\frac{2^n|M|}{(2^n-\alpha )^k}+(-1)^k \frac{\sum \frac{2^nh'_{\alpha }}{h_\alpha }}{(2^n-\alpha )^k}\right) \end{aligned}$$

(12)

$$\begin{aligned}= & {} \frac{h_{\alpha }}{\tilde{h}_{\alpha }}(1-A_\alpha ) \end{aligned}$$

(13)

where

$$ A_\alpha :=\frac{(-1)^{k}\alpha ^k}{(2^n-\alpha )^k}-(-1)^k \frac{2^n|M|}{(2^n-\alpha )^k}-(-1)^k \frac{\sum \frac{2^nh'_{\alpha }}{h_\alpha }}{(2^n-\alpha )^k}. $$

Lemma 10

If $q < \frac{2^n}{12}$,

$$\begin{aligned} A_\alpha \le \frac{k.2^{n}\alpha }{(2^n-\alpha )^k}+12\frac{\alpha ^{k +1}}{(2^n-3\alpha )(2^n-\alpha )^k}. \end{aligned}$$

Proof

We have to study $A_\alpha $ according to the parity of $k$.

$k$ even:

$$\begin{aligned} A_\alpha\le & {} \frac{\alpha ^k}{(2^n-\alpha )^k}-\frac{2^n|M|}{(2^n- \alpha )^k}-\frac{(\alpha ^k-\alpha -k|M|(\alpha -1))(1-\frac{12\alpha }{2^n})}{(2^n-\alpha )^k}\\\le & {} -\frac{2^n|M|}{(2^n-\alpha )^k}+\frac{(\alpha +k|M|(\alpha -1)) (1-\frac{12\alpha }{2^n})}{(2^n-\alpha )^k}+12\frac{\alpha ^{k+1}}{2^n(2^n-\alpha )^k}\\\le & {} \frac{k.\alpha ^2}{(2^n-\alpha )^k}+12\frac{\alpha ^{k+1}}{2^n (2^n-\alpha )^k} \end{aligned}$$

$k$ odd:

$$\begin{aligned} A_\alpha\le & {} -\frac{\alpha ^k}{(2^n-\alpha )^k}+\frac{2^n|M|}{(2^n- \alpha )^k}+\frac{(\alpha ^k-\alpha -k|M|(\alpha -1))(1+\frac{3\alpha }{2^n- 3\alpha })}{(2^n-\alpha )^k}\\\le & {} \frac{2^n|M|}{(2^n-\alpha )^k}-\frac{(\alpha +k|M|(\alpha -1)) (1+\frac{3\alpha }{2^n-3\alpha })}{(2^n-\alpha )^k}+\frac{3\alpha ^{k+1}}{(2^n-\alpha )^k(2^n-3\alpha )}\\\le & {} \frac{2^{n}\alpha }{(2^n-\alpha )^k}+\frac{3\alpha ^{k+1}}{(2^n- \alpha )^k(2^n-3\alpha )} \end{aligned}$$

So, in both cases,

$$\begin{aligned} A_\alpha \le \frac{k.2^{n}\alpha }{(2^n-\alpha )^k}+12\frac{\alpha ^{k+1}}{(2^n-3\alpha )(2^n-\alpha )^k}, \end{aligned}$$

$\square $

From this lemma and 12,

$$\begin{aligned} \frac{h_{\alpha +1}}{\tilde{h}_{\alpha +1}}\ge \frac{h_{\alpha }}{\tilde{h}_{\alpha }}\left( 1-\frac{k.2^{n}\alpha }{(2^n-\alpha )^k} -12\frac{\alpha ^{k+1}}{(2^n-3\alpha )(2^n-\alpha )^k}\right) . \end{aligned}$$

Since $h_1=\tilde{h}_1$, we get:

$$\begin{aligned} \frac{h_{q}}{\tilde{h}_{q}}\ge & {} \left( 1-\frac{k2^{n}q}{(2^n-q)^k}- 12\frac{q^{k+1}}{(2^n-3q)(2^n-q)^k}\right) ^q\\\ge & {} 1-\frac{kq^2.2^{n}}{(2^n-q)^k}-12\frac{q^{k+2}}{(2^n-3q)(2^n-q)^k}. \end{aligned}$$

Thus, with Corollary 8, we have proven that, when $q < \frac{2^n}{12}$:

$$\begin{aligned} {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le & {} \frac{kq^2.2^{n}}{ (2^n-q)^k}+12\frac{q^{k+2}}{(2^n-3q)(2^n-q)^k}\end{aligned}$$

(14)

$$\begin{aligned}\le & {} \frac{kq^2}{2^{(k-1)n}(1-k\frac{q}{2^n})}+12\frac{q^{k+2}}{2^{(k+1)n}(1-(k+3)\frac{q}{2^n})}. \end{aligned}$$

(15)

Hence we get the following result:

Table 1. Comparison of the bounds on the advantage from 3 techniques

Full size table

Table 2. Upper bound plotted versus the logarithm of $q$

Full size table

Table 3. Upper bound plotted versus the logarithm of $q$: comparison between $H$ and $H_\sigma $

Full size table

Theorem 3

(Upper Bound for the Advantage with the Standard $H$ Technique). Let $k\ge 3$ and $q < \frac{2^n}{12}$. The advantage to distinguish, with $q$ queries, the XOR of $k$ bijections from a function $f \in _R F_n$ satisfies:

$$ {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\le \frac{kq^2}{2^{(k-1)n} (1-k\frac{q}{2^n})}+12\frac{q^{k+2}}{2^{(k+1)n}(1-(k+3)\frac{q}{2^n})}. $$

Since $k\ge 3$, the first term is negligible when $q \ll 2^n$. This theorem shows that the XOR of $k$ bijections is indistinguishable when $q \ll 2^{\frac{k+1}{k+2}n}$. This upper bound on $q$ is worse than the previous one, but if $q \ll 2^{\frac{k+2}{k+4}n}$ (i.e. for small values of $q$) this new upper bound on the advantage is actually better.

5 Conclusion

This table regroups our results and the previous one from S. Lucks in [9], with order of magnitudes for these bounds beyond the birthday bound (Tables 1, 2 and 3):

The upper bound we got with the coefficients $H$ technique is smaller than the one from [9] by a factor $\frac{q}{2^n}$. The one we proved with the coefficients $H_\sigma $ technique allows us to have $ {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\ll 1$ when $q \ll 2^{\frac{2k+1}{2k+2}n}$ instead of $q \ll 2^{\frac{k}{k+1}n}$ for [9]. For example with $k=3$ we have proven that $ {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\ll 1$ when $q \ll 2^{\frac{7}{8}n}$ instead of $q \ll 2^{\frac{3}{4}n}$. However, when $q$ is fixed and $k$ increases, the upper bound from the $H$ technique becomes better than the one from $H_\sigma $. This graph shows the evolution of the order of magnitude of these three upper bounds in function of the logarithm of $q$, with $k=5$ and $n=40$:

Here is a more accurate view of the region where the curves from $H$ and $H_\sigma $ intersect:

This illustrates that, depending on the value of $q$, our best bound can be the one from Sect. 3 or the one from Sect. 4. Moreover, the curve from [9] does not appear in this second graph because its values were much higher than ours (around $6\cdot 10^{-4}$ whereas the bounds from this article are around $4\cdot 10^{-7}$ in this graph). This shows why the two techniques studied in this paper are both useful.

References

Aiello, W., Venkatesan, R.: Foiling birthday attacks in length-doubling transformations. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 307–320. Springer, Heidelberg (1996)
Google Scholar
Bellare, M., Impagliazzo, R.: A Tool for Obtaining Tighter Security Analyses of Pseudorandom Function Based Constructions, with Applications to PRP to PRF Conversion. ePrint Archive 1999/024: Listing for 1999 (1999)
Google Scholar
Bellare, M., Krovetz, T., Rogaway, P.: Luby-rackoff backwards: increasing security by making block ciphers non-invertible. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 266–280. Springer, Heidelberg (1998)
Chapter Google Scholar
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
Article MathSciNet Google Scholar
Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 370. Springer, Heidelberg (1998)
Google Scholar
Levin, L.: One way functions and pseudorandom generators. Combinatorica 7(4), 357–363 (1987)
Article MATH MathSciNet Google Scholar
Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
Article MATH MathSciNet Google Scholar
Lucks, S.: Faster Luby-Rackoff ciphers. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 189–203. Springer, Heidelberg (1996)
Chapter Google Scholar
Lucks, S.: The sum of PRPs is a secure PRF. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 470–484. Springer, Heidelberg (2000)
Chapter Google Scholar
Mandal, A., Patarin, J., Nachef, V.: Indifferentiability beyond the birthday bound for the XOR of two public random permutations. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 69–81. Springer, Heidelberg (2010)
Chapter Google Scholar
Naor, M., Reingold, O.: On the construction of pseudo-random permutations: Luby-Rackoff revisited. J. Cryptol. 12(1), 29–66 (1999)
Article MATH MathSciNet Google Scholar
Patarin, J.: A proof of security in $O(2^n)$ for the XOR of two random permutation. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 232–248. Springer, Heidelberg (2008)
Google Scholar
Patarin, J.: Generic Attacks for the XOR of $k$ Random Permutations. Available on eprint (2008)
Google Scholar
Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009)
Chapter Google Scholar
Patarin, J.: Security in $O(2^n)$ for the XOR of Two Random Permutations - Proof with the standard $H$ technique - Available on eprint (2013)
Google Scholar

Download references

Author information

Authors and Affiliations

University of Versailles, Paris, France
Benoit Cogliati, Rodolphe Lampe & Jacques Patarin

Authors

Benoit Cogliati
View author publications
You can also search for this author in PubMed Google Scholar
Rodolphe Lampe
View author publications
You can also search for this author in PubMed Google Scholar
Jacques Patarin
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Benoit Cogliati .

Editor information

Editors and Affiliations

Royal Holloway, University of London, Egham, United Kingdom
Carlos Cid
Technical University of Denmark, Lyngby, Denmark
Christian Rechberger

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Cogliati, B., Lampe, R., Patarin, J. (2015). The Indistinguishability of the XOR of $k$ Permutations. In: Cid, C., Rechberger, C. (eds) Fast Software Encryption. FSE 2014. Lecture Notes in Computer Science(), vol 8540. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-46706-0_15

Download citation

DOI: https://doi.org/10.1007/978-3-662-46706-0_15
Published: 19 April 2015
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-46705-3
Online ISBN: 978-3-662-46706-0
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

The Indistinguishability of the XOR of \(k\) Permutations

Abstract

Similar content being viewed by others

On the XOR of Multiple Random Permutations

Full Indifferentiable Security of the Xor of Two or More Random Permutations Using the $$\chi ^2$$ Method

XLS is Not a Strong Pseudorandom Permutation

Keywords

1 Introduction

2 Preliminaries

3 Security Bound from the \(H_\sigma \) Technique

3.1 Linking the Advantage to a Combinatorial Problem

Theorem 1

Lemma 1

Proof

Lemma 2

Proof

Lemma 3

Proof

3.2 Study of \({{\mathbb {V}}\left[ h_q\right] }\)

Lemma 4

Proof

3.3 First Evaluation of \(\lambda _\alpha \)

3.4 Relation Between the Advantage and \(\epsilon _\alpha \)

Lemma 5

Proof

3.5 First Approximation of \(\epsilon _\alpha \)

Lemma 6

Proof

Lemma 7

Proof

Theorem 2

4 Security Bound from the Standard \(H\) Technique

Corollary 8

Proof

4.1 First Approximation

4.2 Second Approximation

Lemma 9

Proof

Lemma 10

Proof

Theorem 3

5 Conclusion

References

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Search

Navigation