Encryption Modes
Bishwajit Chakraborty, Ashwin Jha and Mridul Nandi
Indian Statistical Institute, Kolkata, India
{bishu.math.ynwa,ashwin.jha1991,mridul.nandi}@gmail.com
Abstract. The spongeduplexis a popular mode of operation for constructing authenticated encryption schemes. In fact, one can assess the popularity of this mode from the fact that around 25 out of the 56 round 1 submissions to the ongoing NIST lightweight cryptography (LwC) standardization process are based on this mode. Among these, 14 spongetype constructions are selected for the second round consisting of 32 submissions. In this paper, we generalize the duplexing interface of theduplexmode, which we call TransformthenPermute. It encompasses Beetle as well as a new spongetype modeSpoC(both are round 2 submissions to NIST LwC). We show a tight security bound forTransformthenPermutebased on bbit permutation, which reduces to finding an exact estimation of the expected number of multichains (defined in this paper). As a corollary of our general result, authenticated encryption advantage ofBeetleandSpoCis aboutT(D+r2r)
2b whereT,Dandrdenotes the number of offline queries (related to time complexity of the attack), number of construction queries (related to data complexity) and rate of the construction (related to efficiency). Previously the same bound has been proved forBeetleunder the limitation thatT min{2r,2b/2}(that compels to choose larger permutation with higher rate). In the context of NIST LwC requirement,SpoCbased on 192bit permutation achieves the desired security with 64bit rate, which is not achieved by eitherduplexorBeetle(as per the previous analysis).
Keywords: Sponge·duplex·Beetle·SpoC·lightweight·AEAD·tight bound
1
Introduction
TheSpongefunction was first proposed by Bertoni et al. at the ECRYPT Hash Workshop [BDPA07], as a mode of operation for variable output length hash functions. It received instant attention due to NIST’s SHA3 competition, which had several candidates based on the Spongeparadigm. Most notably, JH [Wu11] andKeccak [BDPA13] were among the five finalists, and Keccak became the eventual winner. In time, theSponge
mode found applications in message authentication [BDPA07,BDPA11b], pseudorandom sequence generation [BDPA10], and theduplexmode [BDPA11a] for authenticated encryption. In particular, the recently concluded CAESAR competition for the development of authenticated encryption with associated data (AEAD) schemes had received a dozen
Spongebased submissions. Ascon[DEMS16], a winner in lightweight applications (resource constrained environments) usecase of the CAESAR competition, also uses the duplex
mode of authenticated encryption.
of the submissions to the ongoing NIST lightweight cryptography (LwC) standardization process are inspired by theSpongeparadigm.
At a very high level,Spongetype constructions consist of abbit state, which is split into acbit inner state, called the capacity, and anrbit outer state, called the rate, where
b =c+r. Traditionally, in Sponge like modes, data absorption and squeezing is done via the rate part, i.e. r bits at a time. SpoC[AGH+19], a round 2 submission to NIST LwC standardization process, is a notable exception, where the absorption is done via the capacity part and the squeezing is done via the rate part. In [BDPA08], Bertoni et al. proved that the Spongeconstruction is indifferentiable from a random oracle with a birthdaytype bound in the capacity. While it is wellknown that this bound is tight for hashing, for keyed applications of theSponge, especially authenticated encryption schemes, such asduplex mode, it seems that the security could be significantly higher.
1.1
Existing Security Bounds for Spongetype AEAD Schemes
Spongetype authenticated encryption is mostly done via theduplexconstruction [BDPA11a]. Theduplex mode is a stateful construction that consists of an initialization interface and a duplexing interface. Initialization creates an initial state using the underlying permutation
π, and each duplexing call to π absorbs and squeezes r bits of data. The security of
Spongetype AEAD modes can be represented and understood in terms of two parameters, namely the data complexityD (total number of initialization and duplexing calls toπ), and the time complexity T (total number of direct calls toπ). Initially, Bertoni et al. [BDPA11a] proved thatduplexis as strong asSponge, i.e. secure up toDT 2c_{. Mennink}
et al. [MRV15] introduced the fullstateduplexand proved that this variant is secure up toDT 2κ,D2c/2, where κis the key size. Jovanovic et al. [JLM14] proved privacy up to D min{2b/2,2κ}, T min{2b/2,2c−log2r_{,}_{2}κ}_{, and integrity up to} _{DT} _{2}c_{,}
D min{2c/2,2κ,2τ},T min{2b/2,2c−log2r_{,}_{2}κ}_{, where}_{τ} _{denotes the tag size. Note} that integrity has an additional restriction that D 2c/2, where D is dominated by the decryption data complexity. Daemen et al. [DMA17] gave a generalization of duplex
that has builtin multiuser security. Very recently, a tight privacy analysis [JLM+_{19}_{] is}
provided. However, one of the dominating restrictions present in all of the existing integrity analysis of duplex authenticated encryption isDT 2c_{. Moreover, no forgery attack with}
a matching bound is known. A recent variant of duplexmode, called theBeetlemode of operation [CDNY18], modifies the duplexing phase by introducing a combined feedback based absorption/squeezing, similar to the feedback paradigm of CoFB[CIMN17]. In [CDNY18], Chakraborti et al. showed that feedback based duplexing actually helps in improving the security bound, mainly to get rid of the conditionDT 2c_{. They showed privacy}
up to DT 2b_{,} _{D} _{} _{2}b/2_{,} _{T} _{} _{2}c_{, and integrity up to} _{D} _{} _{min}_{{}_{2}b/2_{,}_{2}c−log2r_{,}_{2}r}_{,}
T min{2c−log2r_{,}_{2}r_{,}_{2}b/2}_{, with the assumptions that}_{κ}_{=}_{c}_{and}_{τ} _{=}_{r}_{.}
1.1.1 Security of Spongetype AEAD in Light of NIST LwC Requirement
In the call for submissions of NIST LwC standardization process, it is mentioned that the primary version of any AEAD submission should have at least 128bit key, at least 96bit nonce, at least 64bit tag, data complexity 250_{−}_{1 bytes, and time complexity 2}112_{. In}
1.2
Our Contributions
In this paper, inspired by the NIST LwC requirements, we extend a long line of research on the security of Spongetype AEAD schemes. We studySpongetype AEAD construction with a generalization of the feedback function used in the duplexing interface, that encompasses the feedback used in duplex, Beetle, SpoC etc. We show that for a class of feedback function, containing the BeetleandSpoCmodes, optimal AEAD security is achieved. To be specific, we show that the AEAD security of this generalized construction is bounded by adversary’s ability of constructing a special data structure, called the
multichains. We also show a matching attack exploiting the multichains. As a corollary of this we give
1. a security proof validating the security claims of SpoC, and
2. an improved and tight bound forBeetle.
We also derive improved security bounds for a variant of Beetle, calledPHOTONBeetle
[BCD+19], which is a round 2 candidate in ongoing NIST LwC standardization process. In particular, our analysis shows that both the primary and secondary recommendations of PHOTONBeetleachieve security as per NIST requirements.
1.3
Organization of the Paper
In section2, we define different notations used in the paper. We give a brief description of the design and security models of AEAD. We also give a brief description of coefficient H technique [Pat91, Pat08]. In section3, we propose aSpongetype AEAD construction calledTransformthenPermute(orTtP) with a generalization of the feedback function used in the duplexing interface. In section4, we state some multicollision results with proofs which are used in the paper. In section5, we define what we call the multichain structure and give an upper bound on the expected number of multichains that can be formed by an adversary in a special case. In section 6, using the multichain security game from section 5we give a complete AEAD security proof forTtP(see Theorem4) in the special case when the feedback function is invertible. In section7, we show that the TtPgeneralization encompasses the feedback functions used in SpongeAE,Beetle, SpoCetc. Particularly,
BeetleandSpoCmodes fall under the class where the feedback functions are invertible and hence for those modes optimal AEAD security is achieved. Finally in section8, we give some attack strategies to justify the tightness of our bound.
2
Preliminaries
Notational Setup: For n∈N, (n] denotes the set {1,2, . . . , n}and [n] denotes the set
{0} ∪(n],{0,1}n _{denotes the set of bit strings of length}_{n}_{,} _{{}_{0}_{,}_{1}_{}}+_{:=}S
n≥0{0,1}
n _{and}
Perm(n) denotes the set of all permutations over{0,1}n_{.}
For any bit string x with x ≥ n, dxen (res. bxcn) denotes the most (res. least)
significant n bits of x. For n, k ∈ N, such thatn ≥ k, we define the falling factorial
(n)k :=n!/(n−k)! =n(n−1)· · ·(n−k+ 1).
Forq∈N,xqdenotes theqtuple (x1, x2, . . . , xq). Forq∈N, for any setX, (X)qdenotes
the set of allqtuples with distinct elements fromX. Two distinct stringsa=a1. . . am
andb=b1. . . bm0, are said to have a common prefix of lengthn≤min{m, m0}, ifa_{i}=b_{i}
for alli∈(n], andan+16=bn+1. For a finite setX,X←$X denotes the uniform sampling of X from X which is independent to all other previously sampled random variables. (X1, . . . ,Xt)
wor
← X denotes uniform sampling of t random variables X1, . . . ,Xt from X
2.1
Authenticated Encryption: Definition and Security Model
Authentication Encryption with Associated Data: An authenticated encryption
scheme with associated data functionality, or AEAD in short, is a tuple of deterministic algorithms AE = (E,D), defined over thekey space K, nonce space N, associated data space A,message spaceM,ciphertext spaceC, andtag space T, where:
E:K × N × A × M → C × T and D:K × N × A × C × T → M ∪ {⊥}.
Here, E and D are called the encryption and decryption algorithms, respectively, of
AE. Further, it is required that D(K, N, A,E(K, N, A, M)) =M for any (K, N, A, M)∈ K × N × A × M. For all keyK ∈ K, we writeEK(·) andDK(·) to denoteE(K,·) and
D(K,·), respectively. In this paper, we haveK,N,A,M,T ⊆ {0,1}+ _{and}_{C}_{=}_{M}_{, so we}
useMinstead ofCwherever necessary.
AEAD Security in the Random Permutation Model: LetΠ←$Perm(b) ,Func denote the set of all functions fromN × A × MtoM × T such that for any input (∗,∗, M) the output is of lengthM+tfor some predefined constanttandΓ←$Func. Let⊥denote the degenerate function from (N,A,M,T) to {⊥}. For brevity, we denote the oracle corresponding to a function (like E,Πetc.) by that function itself. A bidirectional access to Πis denoted by the superscript±.
Definition 1. LetAEΠbe an AEAD scheme, based on the random permutationΠ, defined
over (K,N,A,M,T). The AEAD advantage of any nonce respecting adversaryA against
AEΠis defined as,
AdvaeadAEΠ(A) :=
Pr
K←$K
Π±
h
AEK,DK,Π±_{= 1}i_{−} _{Pr}
Γ,Π±
h
AΓ,⊥,Π±
= 1i
. (1)
Here AEK,DK,Π± _{denotes} A_{’s response after its interaction with} _{E}
K, DK, and Π±,
respectively. Similarly,AΓ,⊥,Π± _{denotes}_{A}_{’s response after its interaction with}_{Γ}_{,}_{⊥}_{, and}
Π±.
In this paper, we assume that the adversary is noncerespecting, i.e. it never makes more than one encryption queries with same nonce. We further assume that the adversary is nontrivial, i.e. it never makes a duplicate query, and it never makes a query for which the response is already known due to some previous query. We use the following notations to parameterize the adversary’s resources:
• qe and qd denote the number of queries to EK and DK, respectively. σe and σd
denote the total number of blocks of input (associated data and message) across all encryption and decryption queries, respectively. The number of blocks per query is determined by the total number of primitive calls required to process the input (see Section 3.1 for formal definition). We sometime also write q = qe+qd and
σ = σe+σd to denote the combined construction query resources which can be
interpreted as theonline or data complexityD from section1.
• qf andqb denote the number of queries toΠ+ andΠ−, respectively. We sometime
also useqp=qf+qb, to denote the combined primitive query resources which can
be interpreted as theoffline or time complexityT from section1.
Any adversary that adheres to the above mentioned resource constraints is called a
2.2
Coefficient H Technique
Consider a computationally unbounded and deterministic adversary A that tries to distinguish between two oracles O0 andO1via black box interaction with one of them.
We denote the queryresponse tuple ofA’s interaction with its oracle by a transcriptω. Sometimes, this may also include any additional information that the oracle chooses to reveal to the distinguisher at the end of the queryresponse phase of the game. We will consider this extended definition of transcript. We denote by Θ1 (res. Θ0) the random
transcript variable when A interacts with O1 (res. O0). The probability of realizing a
given transcript ω in the security game with an oracle O is known as theinterpolation probability of ω with respect to O. Since A is deterministic, this probability depends only on the oracle O and the transcript ω. A transcript ω is said to be attainable if Pr [Θ0=ω]>0. In this paper,O1= (EK,DK,Π±),O0= (Γ,⊥,Π±), and the adversary is
trying to distinguishO1 fromO0in AEAD sense. Now we state a simple yet powerful tool
due to Patarin [Pat91], known as the coefficient H technique (or simply the Htechnique). A proof of this theorem is available in multiple papers including [Pat08, CS14,MN17].
Theorem 1(Htechnique [Pat91,Pat08]). LetΩ be the set of all attainable transcripts. For some bad, ratio>0, suppose there is a setΩbad⊆Ωsatisfying the following:
• Pr [Θ0∈Ωbad]≤bad;
• For anyω /∈Ωbad,ω is attainable and
Pr [Θ1=ω]
Pr [Θ0=ω]
≥1−ratio.
Then for any adversary A, we have the following bound on its AEAD distinguishing advantage:
Advaead_{O}_{1} (A)≤bad+ratio.
3
TransformthenPermute Construction
In this section we describe TransformthenPermute(orTtPin short), which generalizes duplexing method used in sponge AEAD encompassing many other constructions such as
Beetle,SpoC etc.
3.1
Parameters and Components
We first describe some parameters of our wide family of AEAD algorithms.
1. Statesize: The underlying primitive of the construction is abbit public permutation. We callbstate size of the permutation.
2. Keysize: Letκdenote the keysize. Here we assumeκ < b.
3. Noncesize: In this paper we consider fixed size nonce. Letν denote the size of nonce.
4. Rate: Letr, r0≤b denote the rate of processing message and associate data respectively. The capacity is defined asc:=b−r.
LetN0 be the set of all nonnegative integers andθ:=b−κ−ν. Forx∈N0, we define
a(x) :=
(
0 ifx≤θ,
dx−θ
Note that, we allow θto be negative as well. This happens whenν > b−κ. For instance, this is the case for SpoC 64[AGH+_{19}_{], where}_{b}_{= 192,}_{κ}_{= 128 and}_{ν} _{= 128.}
Parsing Function: LetD=NkAwhere N∈ {0,1}ν _{and}_{A}_{∈ {}_{0}_{,}_{1}_{}}∗ _{with}_{a}_{:=}_{a}_{(}_{}_{A}_{}_{).}
– CaseA ≤θ: parse(N, A) =D k0θ−A_{.}
– CaseA> θ: parse(N, A) := (IV, A1, . . . , Aa) where D=IVkD0, IV ∈ {0,1}b−κ
and (A1, . . . , Aa) r0
←D0. Note thatD0=A −θand so when we parseD0to blocks of sizer0_{, we get}_{a}_{(}_{}_{A}_{}_{) =}_{d}A−θ
r0 emany blocks.
In addition to parsingNkA, we also parse a message or ciphertextZ as (Z1, . . . , Zm) r
←Z
into m blocks of size rwherem=dZ/re.
We definet:=a+m to be the total number of blocks corresponding to a input query of the form (N, A, Z).
Domain Separation: To every pair of nonnegative integers (A,Z) witha=a(A),
m=dZ/re, and for every 0≤i≤a+m, we associate a small integerδi where
δi=
0 if i6∈ {a} ∪ {t}
1 if (i=a∧r0 _{ }_{A}_{ −}_{θ}_{)}_{∨}_{(}_{i}_{=}_{t}_{∧}_{r}_{ }_{M}_{}_{)}
2 otherwise.
We collect all theseδvalues through the following functionDS(A,Z) = (δ0, δ1, . . . , δa+m).
Encoding Function: LetDDS :={0,1}2× {0,1,2} andrmax= max{r, r0}. Let
encode:{0,1}≤rmax_{× D}
DS → {0,1}b
be an injective function such that for any D, D0 ∈ {0,1}x_{, 1} _{≤} _{x} _{≤} _{r}
max and for all
∆∈ DDS, we haveencode(D,∆)⊕encode(D0,∆) = 0b−xk(D⊕D0). Actual description of
thisencode function is determined by the construction.
Format Function: We define a formatting functionFmt which maps a triple (N, A, M)
to (D0, . . . , Da+m) ∈ ({0,1}b)a+m+1 where a := a(A) and m = dZ/re. The exact
description of format function is described in Algorithm1.
Algorithm 1Description of the format function (Fmt) functionFmt(N, A, Z)
a←a(A),m← dZ/re (A0, A1, . . . , Aa)←Parse(N, A)
(Z1, . . . , Zm) r
←Z
(δ0, . . . , δt)←DS(A,Z)
fori= 0 toado
ifi=aandm= 0then
Di←encode(Ai,(0,1, δi))
else
Di←encode(Ai,(0,0, δi))
fori= 1 tomdo
Da+i←encode(Zi,(1,0, δi+m))
Π
Xold
⊕ M
C
Le ⊕
encode(M,∆)
Π
−
r
−
c

b Xnew
Ynew
Figure 1: Illustration of the feedback process for a message block M of M bits. Here encode(M,∆) represents some encoding ofMbits string to abbit string as described above and Leis a linear transformation applied onbbit strings.
Π
KkN L0_{ad}
encode(A1,∆1)
L0_{ad}
encode(Aa,∆a)
Π L0_{e}
encode(M1,∆a+1)
C1
L0_{e}
encode(Mm,∆a+l)
Cm
Π  T
d·eτ
Figure 2: Schematic of theTransformthenPermuteAEAD mode. Here we assumeN=b−κ, L0ad(Y, A) =Lad(Y)⊕A. Lad, L0e,encodefunctions and ∆ values are as described before.
Feedback functions: We also need some linear functionsLad, Le :{0,1}b → {0,1}b
which are used to process associate data and message respectively in an encryption algorithm.
Now, given a linear functionL:{0,1}b_{→ {}_{0}_{,}_{1}_{}}b_{, 1}_{≤}_{x}_{≤}_{r}_{, the following function}
L0 _{:}_{{}_{0}_{,}_{1}_{}}b_{× {}_{0}_{,}_{1}_{}}x_{× D}
DS → {0,1}b× {0,1}x, is used to process thejth blockZ (either
a plaintext or a ciphertext) using the outputY of the previous invocation of the random permutation:
L0(Y, Z,∆) = (X :=L(Y) ⊕encode(Z,∆), Z0:=dYeZ ⊕Z)
For 1≤i≤r, letLd,i(x) to denote the linear functionLe(x)⊕0b−ikdxei. Then, it is easy
to see from the property of encoding function thatL0
d,C(Y, C,∆) = (X, M) if and only if
L0e(Y, M,∆) = (X, C). Figure1 provides an illustration how a message block is processed.
3.2
Description of the TransformthenPermute AEAD
We describe theTransformthenPermuteconstruction in Algorithm 2which generalizes duplexing method used in spongetype AEADs. Figure2illustrates a simple case when
N=b−κ.
Lemma 1. Given any two tuples(N, A, Z)6= (N0, A0, Z0)andFmt(N, A, Z) = (D0, . . . , Dt)
andFmt(N0, A0, Z0) = (D_{0}0, . . . , D_{a}00_{+}_{m}0), we have
1. (D0_{0}, . . . , D_{a}0)6= (D0, . . . , Da)whenever(N, A)6= (N0, A0)anda≤a0.
2. (D0a, . . . , D0t)6= (Da, . . . , Dt)whenever(N, A) = (N0, A0)andm≤m0.
Proof. We writeparse(N, A) = (A0, A1, . . . , Aa) andparse(N0, A0) = (A00, A01, . . . , A0a0).
1. Let (N, A) 6= (N0, A0). Then we have (A0, A1, . . . , Aa) 6= (A00, A01, . . . , A0a0). Now
if, a < a0 then we have Da = encode(Aa,0, δ) where δ ∈ {1,2} and Da0 =
encode(A0a,0,0). Hence by injectivity of encode we have Da 6= D0a. If a = a0
Algorithm 2 Description of Encryption/Decryption algorithms of the TransformthenPermute mode with Associated data. X= (x=?y:p, q) meansX =pifx=y andX =q
otherwise.
1: functionEnc(K, N, A, M)
2: a←a(A),m← dM/re
3: (D0, D1, . . . , Da+m)←Fmt(N, A, M)
4: (M1, . . . , Mm) r
←M
5: X0←Kk0b−κ⊕D0
6: Y0←Π(X0)
7: fori= 1 toado
8: Xi←Lad(Yi−1)⊕Di
9: Yi←Π(Xi)
10: forj= 1 tomdo
11: i=a+j
12: Xi←Le(Yi−1)⊕Di
13: Cj←Mj⊕ dYi−1eMj 14: Yi←Π(Xi)
15: T ← dYa+meτ
16: return(C1k. . .kCm, T)
1: functionDec(K, N, A, C, T)
2: a←a(A),m← dC/re
3: (D0, D1, . . . , Da+m)←Fmt(N, A, C)
4: (C1, . . . , Cm) r
←C
5: X0←Kk0b−κ⊕D0
6: Y0←Π(X0)
7: fori= 1 toado
8: Xi←Lad(Yi−1)⊕Di
9: Yi←Π(Xi)
10: forj= 1 tomdo
11: i=a+j
12: Xi←Ld,Ci(Yi−1)⊕Di 13: Mj←Cj⊕ dYi−1eCj 14: Yi←Π(Xi)
15: T← dYa+meτ
16: returnT0_{=}
?T:M1k. . .kMm,⊥
2. Let (N, A) = (N, A0). Then we have (A0, Ai, . . . , Aa) = (A00, A0i, . . . , A0a). Note that
m, m0 both cannot be 0. So ifm = 0, thenm0 >0 =⇒ Da = encode(Aa,0, δ)
for some δ ∈ {1,2} andD_{a}0 = encode(Aa,0,0). HenceDa 6=D0a. Let m, m0 >0
then if, m < m0 then we have Dt=encode(Mm,1, δ) where δ∈ {1,2} andDa0 =
encode(M_{m}0 ,1,0). Else if m = m0, then there exists positive i ≤ m such that
Mi6=Mi0. Hence Da+i6=D0a+i.
We analyze the security of TransformthenPermutein section6. In this paper, our main focus is the analysis of TtPwith invertible Le andLd. However, we also present some
results when the invertibility condition onLd is relaxed.
4
Some Results on Multicollision
In this section, we briefly revisit some useful results on the expected value of maximum multicollision in a random sample. This problem has seen a lot of interest (see for instance [Gon81,BYG91,SF96,RS98]) in context of the complexity of hash table1_{probing. However,}
most of the results available in the literature are given in asymptotic forms. We state some relevant results in a more concrete form, following similar proof strategies and probability calculations as before. Moreover, we also extend these results for samples which, although are not uniform, have high entropy, almost close to uniform.
4.1
Expected Maximum Multicollision in a Uniform Random Sample
LetX1, . . . ,Xq←$DwhereD=N andN ≥2. We denote the maximum multicollision random variable for the sample as mcq,N. More precisely, mcq,N = maxa{i: Xi =a}.
For any integerρ≥2,
Pr[mcq,N ≥ρ]≤
X
a∈D
Pr[{i:Xi=a} ≥ρ]
≤N·
q ρ
Nρ
≤N· q
ρ
Nρ_{ρ}_{!}
≤N·
_{qe}
ρN
ρ
.
We justify the inequalities in the following way: The first inequality is due to the union bound. If there are at leastρindices for whichXi takes valuea, we can choose the firstρ
indices in q_{ρ}
ways. This justifies the second inequality. The last inequality follows from
the simple observation thateρ_{=}X
i≥0
ρi/i!≥ρρ/ρ!. Thus, we have
Pr[mcq,N ≥ρ]≤N·
qe ρN
ρ
. (2)
For any positive integer valued random variable Ybounded above byq, we define another random variableY0 as
Y0=
(
ρ−1 ifY< ρ q otherwise.
Clearly,Y≤Y0 and
Ex[Y]≤(ρ−1) +q·Pr[Y≥ρ].
Using Eq. (2), and the above relation we can prove the following results for the expected value of maximum multicollision. We writemcoll(q, N) to denoteEx[mcq,N]. So from the
above relation,
mcoll(q, N)≤(ρ−1) +qN ·
_{qe}
ρN
ρ
(3)
for all positiveρ. We use this relation to prove an upper bound ofmcoll(q, N) by plugging in some suitable value forρ.
Proposition 1. ForN ≥4, n= log_{2}N,
mcoll(q, N)≤
( _{4 log}
2q
log2log2q if4≤q≤N 5n q
nN
ifN < q
Proof. We first prove the result when q = N. A simple algebra shows that for n ≥2,
_{e}_{log}
2n
4n
≤n−12. In other words,
e ρ
ρ
≤N−2_{where} _{ρ}_{= 4}_{n/}_{log} 2n. So
mcoll(q, N)≤ρ−1 +N2·
_{e}
ρ
ρ
≤ρ.
Whenq < N, we can simply boundEx[mcq,N]≤Ex[mcq,q]≤ _{log}4 log2q 2log2q. ForN < q≤N n, we chooseρ= 4n. Now,
mcoll(q, N)≤4n−1 +nN2×e
4
4n
≤4n−1 +nN2/4n≤5n.
Remark 1. Note that, similar bound as in Proposition1can be achieved in the case of nonuniform sampling. For example, when we sampleX1, . . . ,Xq
wor
← {0,1}b_{and then define}
Yi=dXierfor some r < b. In this case, we have
Pr(Yi1=a,· · ·,Yiρ =a)≤
(2b−r)ρ
(2b_{)} ρ
≤ 1
2rρ.
This can be easily justified as we have to choose the remaining b−r bits distinct (as
X1, . . . ,Xq must be distinct). So, same bound as given in Proposition1 can be applied for
this distribution.
4.2
A Special Example of NonUniform Random Sample
In this paper we consider the following nonuniform random samples. Let x1, . . . xq be
distinct andy1, . . . , yq be distinctbbits. LetΠdenote the random permutation overbbits,
Π2:=Π◦Πdenotes the composition ofΠwith itself. We defineZi,j =Π(xi)⊕Π−1(yj).
Now, for all distinct i1, . . . , iρ, distinct j1, . . . , jρ and a ∈ {0,1}b, we want to bound
Pr
Zi1,j1 =a,· · · ,Ziρ,jρ =a
. By abuse of notations we write bothik andjk ask.
LetN := 2b. We can assumea= 0b. Since otherwise, we considerΠ0(x) =Π(x)⊕a
which is also a random permutation and considery_{i}0 =yi⊕ainstead of yi, ∀1≤i≤ρ.
Note thaty_{i}0’s are clearly distinct. So the problem reduces to bounding
θ:= Pr
Π2(x1) =y1,· · · ,Π2(xρ) =yρ
=X
cρ
Pr [Π(x1) =c1,Π(c1) =y1,· · ·,Π(xρ) =cρ,Π(cρ) =yρ]
We say that cρ valid if ci = xj if and only if cj = yi. The set of all such valid
tuples is denoted asV. For any valid cρ, define S :={x1, . . . , xρ} ∪ {c1, . . . , cρ}. Then,
Pr [Π(x1) =c1,Π(c1) =y1,· · ·,Π(xρ) =cρ,Π(cρ) =yρ] = _{(}_{N}1_{)}
S. On the other hand, ifc
ρ
is not valid then the above probability is zero. Let Vsbe the set of all valid tuples for
whichS=s.
If S = 2ρ−k, then we must have exactly k many pairs (i1, j1), . . . ,(ik, jk) such
that ci = xj. Now the number of ways this kmany pairs can be chosen is bounded
by ρ2k_{. The remaining} _{ρ}_{−}_{k} _{many} _{c}
i’s can be chosen in (N −k)ρ−k ways. Hence,
V2ρ−k ≤ρ2k(N−k)ρ−k.
PrΠ2(xi) =yi ∀1≤i≤ρ
=
2ρ
X
s=ρ
X
cρ_{∈}_{V}_{s}
Pr [Π(xi) =ci,Π(ci) =yi ∀1≤i≤ρ]
≤ 2ρ
X
s=ρ
Vs
(N)s
≤
ρ
X
k=0
V2ρ−k
(N)2ρ−k
≤
ρ
X
k=0
ρ2k_{(}_{N}_{−}_{k}_{)} ρ−k
(N)2ρ−k
≤
ρ
X
k=0
ρ2(ρ−k)
(N−2ρ)ρ
≤
ρ
X
k=0
1
ρ2k
!
·
ρ2 N−2ρ
ρ
≤2·
ρ2 N−2ρ
ρ
Since the sample space{(xi, yj)}i,j∈[q] is of sizeq2, we denote the maximum multicollision
random variable for the sample asmc0_{q}2_{,N}. Then we have by a similar analysis as in the previous section,
Pr
mc0_{q}2_{,N} ≥ρ
≤2N·
_{q}2
ρ
·
_{ρ}2
N−2ρ
ρ
≤2N
_{q}2_{eρ}
N−2ρ
ρ
We writemcoll0(q2, N) to denoteExhmc0_{q}2,N
i
. So from the above relation,
mcoll0(q2, N)≤(ρ−1) + 2q2N·
_{q}2_{eρ}
N−2ρ
ρ
Proposition 2. Forb >16,
mcoll0(q2, N)≤ 4b
log_{2}b
_{b}2_{q}2
N
.
Proof. Let b2_{q}2 _{≤} _{N}_{. Since} _{N >} _{2}16_{,} _{ρ} _{=} 4b
log_{2}b =⇒ q
2 _{≤} N−2ρ
ρ2 . Hence, 2q
2_{N} _{·}
_{q}2_{eρ} N−2ρ
ρ
≤N2_{·}e ρ
ρ
. Now,e_{ρ}
ρ
≤ e
4
4b
≤ 1
N2 =⇒ N2·
e ρ
ρ
≤1.
Now forq2_{≥} N
b2 we can group theq2samples into
l_{b}2_{q}2 N
m
groups each of size exactly
N
b2 (we can add more samples if required). This would prove the bounds.
4.2.1 A Generalization of the NonUniform Random Sample
Here, we study a generalization of of the above problem, which will be useful when a noninvertible linear function is sandwiched between two random permutation calls. For example, this happens in case of PHOTONBeetle[BCD+19] and duplex[BDPA11a].
Let x1, . . . xq be distinct and y1, . . . , yq be distinct bbit strings. Let Π denote the
random permutation overbbits,L:{0,1}b _{→ {}_{0}_{,}_{1}_{}}b_{be a linear function with rank}_{rank}_{(}_{L}_{),}
andϕ:=Π◦L◦Π. We defineZi,j=L(Π(xi))⊕Π−1(yj). Now, for all distincti1, . . . , iρ,
distinctj1, . . . , jρ anda∈ {0,1}b, we want to bound Pr
Zi1,j1 =a,· · ·,Ziρ,jρ =a
. By a slight abuse of notations we write bothik andjk as k.
LetN := 2b. We can assume a= 0b. Since otherwise, we consider Π0(x) =Π(x⊕a) which is also a random permutation and considerx0
i =xi⊕ainstead of xi, ∀1≤i≤ρ.
Note thatx0_{i}’s are clearly distinct. So the problem reduces to bounding
θ:= Pr [ϕ(x1) =y1,· · · , ϕ(xρ) =yρ]
=X
cρ
Pr [Π(x1) =c1,Π(L(c1)) =y1,· · ·,Π(xρ) =cρ,Π(L(cρ)) =yρ]
For all 1≤i≤ρ, letdi=L(ci). We say thatcρvalid ifdi=xj if and only ifcj=yi. The
set of all such valid tuples is denoted as V. For any validcρ_{, define} _{S}_{:=}_{{}_{x}
1, . . . , xρ} ∪
{d1, . . . , dρ}. Then, Pr [Π(x1) =c1,Π(d1) =y1,· · ·,Π(xρ) =cρ,Π(dρ) =yρ] = _{(}_{N}1_{)}
S. On
the other hand, ifcρ is not valid then the above probability is zero. LetVsbe the set of
all valid tuples for whichS=s.
We say thatdi is old if di =xj for 1≤i, j≤ρ. If S= 2ρ−k, then we must have
exactly k many pairs (i1, j1), . . . ,(ik, jk) such that di =xj. Now, the number of ways
thesekmany pairs can be chosen is bounded byρ2k_{. This fixes all old} _{d}
i values. Then,
the number ofcivalues corresponding to olddivalues is bounded by at mostρ2kN˜k where
˜
N = 2b−rank(L), as once we fix theb−rank(L) bits there is a unique solution forL(ci) =di.
manyci’s can be chosen in (N−k)ρ−kN˜ρ−k ways. Hence,V2ρ−k ≤ρ2k(N−k)ρ−kN˜ρ.
Pr [ϕ(xi) =yi ∀1≤i≤ρ] =
2ρ
X
s=ρ
X
cρ_{∈}_{V}_{s}
Pr [Π(xi) =ci,Π(di) =yi, ∀1≤i≤ρ]
≤ 2ρ
X
s=ρ
Vs
(N)s
≤
ρ
X
k=0
V2ρ−k
(N)2ρ−k
≤
ρ
X
k=0
ρ2k_{(}_{N}_{−}_{k}_{)} ρ−kN˜ρ
(N)2ρ−k
≤
ρ
X
k=0
ρ2(ρ−k)_{N}_{˜}ρ
(N−2ρ)ρ
≤
ρ
X
k=0
1
ρ2k
!
·
_{ρ}2_{N}˜
N−2ρ
ρ
≤2·
_{ρ}2_{N}˜
N−2ρ
ρ
Since the sample space{(xi, yj)}i,j∈[q] is of sizeq2, we denote the maximum multicollision
random variable for the sample asmc_{f}q2_{,N,}_{rank}_{(}_{L}_{)}. Then, we have by a similar analysis as in the previous section,
Pr f
mcq2_{,N,}_{rank}_{(}_{L}_{)}≥ρ≤2N·
_{q}2 ρ · _{ρ}2 e N N−2ρ
ρ
≤2N
_{q}2_{eρ}
e
N N−2ρ
ρ
.
We writemcoll](q2_{, N,}_{rank}_{(}_{L}_{)) to denote}_{Ex} f
mcq2_{,N,}_{rank}_{(}_{L}_{)}. So from the above relation,
]
mcoll(q2, N,rank(L))≤(ρ−1) + 2q2N· q 2_{eρ}
e
N N−2ρ
!ρ
.
Finally, we have the following upper bound onmcoll](q2, N,rank(L)).
Proposition 3. Forb >16,
]
mcoll(q2, N,rank(L))≤ 4b
log_{2}b
_{b}2_{q}2
2rank(L)
.
Proof. Let b2_{q}2 _{≤}_{2}rank(L)_{. Since} _{N >}_{2}16_{,} _{ρ}_{=} 4b
log2b =⇒ q
2 _{≤} N−2ρ ρ2
e
N . Hence, 2q
2_{N}_{·}
_{q}2_{eρ} N−2ρ
ρ
≤N2_{·}e ρ
ρ
. Now,e_{ρ}
ρ
≤ e
4
4b
≤ 1
N2 =⇒ N
2_{·}e ρ
ρ
≤1.
Now, forb2_{q}2_{>}_{2}rank(L) _{we can group the}_{q}2 _{samples into}l b2_{q}2
2rank(L)
m
groups each of size
exactly 2rank_{b}2(L) (we can add more samples if required). This would prove the bounds.
Remark 2. Note that, forrank(L) =b,mcoll](q2_{, N,}_{rank}_{(}_{L}_{)) =}_{mcoll}0_{(}_{q}2_{, N}_{).}
4.3
Multicollisions in Context of the Analysis of Spongetype AEAD
In later sections, we will use the bound on the expected number of multicollisions to give a tight security bound for TransformthenPermuteand some of its instantiations.
Here, we note that multicollisions have been previously studied in context with the
duplex mode, most notably in [DMA17] and [JLM+_{19}_{]. However, there is a fundamental}
difference between our approach and the previously used strategies in [DMA17,JLM+_{19}_{].}
In the following,r,c andbhave their usual meaning in context of Sponge, i.e.,b=r+c. In [DMA17], the authors try to upper bound a parameter called the multicollision limiting functionνr,cq . Assume we distributeq balls into 2rbins, one at a time, where the
νq
r,c is defined as the smallest natural numberxsuch that Pr [mcq,2r > x]< x/2c. On a
closer inspection of the proof, one can see that theνq
r,c is dependent uponbandλ=q2−r.
The authors derive bounds forνq
r,c, for three cases, viz. λ <1,λ= 1, and λ >1.
In [JLM+_{19}_{], the authors upper bound Pr [}_{mc}
q,2r > ρ] toq/S, whereS= min{2b/2,2c}
andρis viewed as a function ofrandc. Basically, based on the value ofrandc, they derive choices forρ, such that the desired probability is bounded byq/S. To derive sharp bounds on ρ for various choices of r andc, they employ a detailed analysis involving Sterling’s approximation and Lambert W function.
In contrast to the above strategies, we are interested in good estimates for the expectation of mcq,2r depending upon the relationship betweenqand 2r. Further, our analysis is
much more straightforward.
5
Multichain Security Game
In this section we consider a new security game which we call multichain security game. In this game, adversary A interacts with a random permutation and its inverse. It’s goal is to construct multiple walks having same labels. We first need to describe some notations which would be required to define the security game.
5.1
MultiChain Structure
Labeled Walk: LetL= ((u1, v1), . . . ,(ut, vt)) be a list of pairs of bbit elements such
thatu1, . . . utare distinct andv1, . . . , vtare distinct. For any such list of pairs, we write
domain(L) ={u1, . . . , ut} andrange(L) ={v1, . . . , vt}.
LetLbe a linear function overbbits. Given such a list we define a labeled directed graphGL
L over the set of verticesrange(L)⊆ {0,1}b as follows: A directed edgevi→vj
with labelx(also denoted asvi x
→vj) is in the graph ifL(vi)⊕x=uj. We can similarly
extend this to a label walk W from a nodew0 towk as
W:w0
x1
→w1
x2
→w2· · ·
xk →wk.
We simply denote it as w0
x
−→ wk where x= (x1, . . . , xk). Here k is the length of the
walk. We simply denote the directed graphGL
L byGL wherever the linear functionLis
understood from the context.
Definition 2. LetLbe a fixed linear function overbbits. Letr, τ≤bbe some parameters. We say that a set of labeled walks{W1, . . . ,Wp} forms amultichain with a label x:=
(x1, . . . , xk) in the graphGL if for all 1≤i≤p, Wi:v0i
x
−→v_{k}i anddu10er=· · ·=du p
0er
anddv1
keτ =· · ·=dv p
keτ. We also say that the multichain is of length k. The labeled
walksWi are also called chains in this context.
Note that if{W1, . . . ,Wp}is a multichain then so is any subset of it. Also there can
be different set of multichains depending on the starting and ending vertices and different
x= (x1, . . . , xk). LetWk denote the maximum order of all such multichains of length
k. For a fixed linear function L, Wk is completely determined by L. Now we describe
how the listLis being generated through an interaction of an adversaryAand a random permutation.
5.2
MultiChain Advantage
Consider an adversary A interacting with a bbit random permutation Π±. Suppose, the adversaryA makes at most t interactions withΠ±. Let (xi,diri) denote ith query
diri = +, it gets response yi as Π(xi), else the response yi is set as Π−1(xi). After t
interactions, we define a list L of pairs (ui, vi)i where (ui, vi) = (xi, yi) if diri = +, and
(ui, vi) = (yi, xi) otherwise. So we haveΠ(ui) =vi for alli. We call the tuple of triples
θ := ((u1, v1,dir1), . . . ,(ut, vt,dirt)) the transcript of the adversary A interacting with
Π±. We also write θ0 = ((u1, v1), . . . ,(ut, vt)) which only stores the information about
the random permutation. For the sake of simplicity we assume that adversary makes no redundant queries and so allu1, . . . ut are distinct andv1, . . . , vt are distinct. For a linear
function Lconsider the directed graphGθ0. For anyk, we have already definedW_{k}. Now
we define the maximum multichain advantage as
µt= max
A maxk Ex
_{W}
k
k
.
5.2.1 Bounding µt for InvertibleLFunctions
In this section, we derive concrete bounds for µt under a special assumption that the
underlying linear function is invertible.
Theorem 2. If the linear functionL is invertible, then we have
µt≤mcoll(t,2τ) +mcoll(t,2r) +mcoll0(t2,2b). (4)
Proof of Theorem 2: We first make the following observation which is straightforward as Lis invertible.
Observation 1: Ifvi x
→vk andvj x
→vk thenvi=vj.
We now describe some more notations related to multichains:
1. Let Wfwd,a denote the size of the set {i: diri = +,dvieτ =a} and maxaWfwd,a is
denoted asWfwd. This denotes the maximum multicollision amongτmost significant bits of forward query responses.
2. Similarly, we define the multicollision for backward query responses as follows: Let
Wbck,a _{denote the size of the set}_{{}_{i}_{:}_{dir}
i=−,duier=a}and maxaWbck,a is denoted
asWbck_{.}
3. In addition to the multicollisions in forward only and backward only queries, we consider multicollisions due to both forward and backward queries. Let Wmitm,a
denote size of the set{(i, j) :diri= +, dirj=−, L(vi)⊕uj=a}and maxaWmitm,a
is denoted asWmitm_{.}
Now, we state an intermediate result which is the main step of the proof.
Lemma 2. For all possible interactions, we have
Wk≤Wfwd+Wbck+k·Wmitm.
Proof. We can divide the set of multichains into three sets:
Forwardonly chains: Each chain is constructed byΠqueries only. By definition, the size of such multichain is at mostWfwd.
Backwardonly chains: Each chain is constructed byΠ− queries only. By definition, the size of such multichain is at mostWbck.
Then, we must have
Wk≤Wfwd+Wbck+Wfwdbckk .
Now, we claim thatWfwdbck
k ≤k·W
mitm_{. Suppose}_{W}fwdbck
k =w. Then, it is sufficient to
show that there exist an indexj ∈[k], such that the size of the set {i : (diri_{j}_{−}_{1},diri_{j})∈ {(+,−),(−,+)}, L(vi
j−1)⊕uij=xj} ≥ dw/ke. This can be easily argued by pigeonhole
principle, givenObservation 1. The argument works as follows:
For each of the individual chain Wi, we have at least one index j ∈ [k] such that
(diri_{j}_{−}_{1},dir_{j}i)∈ {(+,−),(−,+)}. We put theith chain in a bucket labeledj, if (dir_{j}i_{−}_{1},diri_{j})∈ {(+,−),(−,+)}. Note that, it is possible that the ith chain can coexist in multiple buckets. But more importantly, it will exist in at least one bucket. As there are kbuckets andwchains, by pigeonhole principle, we must have one bucketj∈[k], such that it holds at leastdw/kechains.
Now we complete the proof of Theorem2. Observe thatWfwd_{and}_{W}bck _{are the random}
variables corresponding to the maximum multicollision in a truncated random permutation sample of sizet, and corresponds to Remark1of subsection4.1. Further, if we denote
xi:=ui andyi:=L(vi)∀i∈[t] then usingObservation 1,Wmitm is the random variable
corresponding to the maximum multicollision in a sum of random permutation sample of sizet2_{, i.e., the distribution of subsection}_{4.2}_{. Now, using linearity of expectation, we have}
µt≤Ex
Wfwd
+Ex
Wbck
+Ex
Wmitm
≤mcoll(t,2τ) +mcoll(t,2r) +mcoll0(t2,2b).
5.2.2 Bounding µt for NoninvertibleL Functions
In case of invertible functions, Observation 1 facilitates a fairly simple argument in favor of an upper bound onµtin terms of some multicollision sizes. However, the same observation
is not applicable to noninvertible functions. Specifically, Lemma2is not guaranteed to hold. For example, now the adversary can try to create a binary tree like structure using forward queries only. Clearly, we have to accommodate such attack strategies in order to upper boundµt.
LetCollapsedenote the event that there exists distinctiandj, such thatdiri=dirj=
+, andL(yi) =L(yj). We say that a transcriptLiscollapsefree if the event¬Collapse
holds. The following result is a variant of lemma2for collapsefree transcripts.
Lemma 3. For all possible collapsefree transcripts, we have
Wk≤Wfwd+Wbck+k·Wmitm.
Proof. We can again divide the set of multichains into three sets:
Forwardonly chains: Each chain is constructed byΠqueries only. We collect all such chains into listFWD.
Backwardonly chains: Each chain is constructed byΠ− queries only. We collect all such chains into listBCK.
Forwardbackward chains: Each chain is constructed by using bothΠandΠ−queries.
For the set of forwardbackward chains, consider the smallest indexj such that for two2
distinct chains Wi and W1i0 we have vji = vi
0
j, i.e. the two chains merge. Since, the
transcript is collapsefree, we must havedirij−1=−ordir
i0
j−1=−, or both. Now, we may
have two cases:
2_{We may have more than two distinct chains merging at the same index. For brevity we consider only}
1. Without loss of generality assume that onlydiri_{j}_{−}_{1}=−. Now, if we traverse back along the walkWifrom vertexvij, then either we get all backward edges (i.e. dir
i j0=−
for allj0 < j), or there exists aj0 < j such thatdir_{j}i0 = + anddiri_{j}0_{+1}=−. In the
first case we insertWi in BCK, and in the second case we collectWi in list MITM.
2. Supposedirij−1=−anddir
i0
j−1=−. In this case, we traverse bothWi andWi0 and
collect them in eitherBCKorMITM using the preceding argumentation.
We follow similar approach for all indices (in increasing order) where two or more chains merge collecting chains in either BCKor MITM. Once, we have exhausted all merging indices, we are left with some uncollected chains. We claim that these chains are disjoint of each other. This is easy to argue as for any pair of merged chains the chains with backward edge are already collected before. So all that is remaining is a collection of disjoint chains. Further, each of these chains must contain an index j such that (dirj,dirj+1)∈ {(+,−),(−,+)}. We collect all these remaining chains in the list MITM0.
Thus, we have
Wk=FWD+BCK+MITM+MITM0.
By using the collapsefree property of L we get FWD ≤ Wfwd_{, and} _{BCK ≤}_{W}bck _{by}
definition. Further, by using the Pigeonhole argument used in the proof of Lemma2, we getMITM+MITM0 ≤k·Wmitm_{.}
Finally, we get the following upper bound onµt for noninvertibleLfunctions.
Theorem 3. If the linear function Lis noninvertible andLis collapsefree, then we have
µt≤mcoll(t,2τ) +mcoll(t,2r) +mcoll](t2,2b,rank(L)). (5)
Proof. As beforeExWfwd≤mcoll(t,2r),ExWbck≤mcoll(t,2τ). Further,Wmitm is the multicollision random variablemc_{f}t2_{,}_{2}b_{,}_{rank}_{(}_{L}_{)}defined in section4.2.1. Thus, ExWmitm≤
]
mcoll(t2_{,}_{2}b_{,}_{rank}_{(}_{L}_{)). The result follows from linearity of expectation.}
Remark 3. Theorem 3has a limited applicability. Specifically, it holds only when Lis collapsefree. A straightforward upper bound on Pr [Collapse] is t2_{/}_{2}rank(L)_{, where} _{t}
denotes the size of L andrank(L) denotes the rank of linear function L. At times this bound is weaker than the bound achievable from a more straightforward approach of using the loose upper bound ofµt≤t. See section6.4.1for further details.
5.3
Related Work
In [Men18] Mennink analyzed the Keyprediction security of KeyedSpongeusing a special type of data structure which is close to but different from our multichain structure. Here we give a brief overview of Mennink’s work in our notations and describe how our structure is different from the structure considered by him.
LetL = ((u1, v1), . . . ,(ut, vt)) be a list of pairs of bbit elements such thatu1, . . . ut
are distinct andv1, . . . , vtare distinct. Letc < b be any positive integer. For any such
list of pairs, we writedomain(L) ={u1, . . . , ut}andrange(L) ={v1, . . . , vt}. Given such a
list we define a labeled directed graph GL over the set of vertices range(L)⊆ {0,1}b as
follows: A directed edgevi→vj with labelx(also denoted asvi x
→vj) is in the graph if
vi⊕xk0c=uj. We can similarly extend this to a label walkW from a nodew0 towk as
W:w0
x1
→w1
x2
→w2· · ·
xk →wk.
We simply denote it asw0
x
−→wk wherex= (x1, . . . , xk). Herekis the length of the walk.
The setyieldc,k(L) consists of all possible labelsxsuch that there exists aklength walk
Consider the graph,GL. The configuration of a walk fromw0towkis defined as a tuple
C= (C1, . . . , Ck)∈ {0,1}k where Ci = 0 ifwi−1
xi
−→wi comes from a forward primitive
query andCi= 1 if it corresponds to an inverse primitive query.
Mennink provided an upper bound ofyieldc,k(L) by bounding the maximum number
of possible labeled walks from 0b _{to any given} _{w}
k ∈ {0,1}b with a given configurationC.
The use of tools like multicollision and the similarity in the data structure of [Men18] with our multichain structure can be misleading. Here we try to discuss the difference between them and show that the underlying motivation behind both the problems are philosophically as different as possible.
Note that using multichain structure, we try to bound the number of different walks with the same label and distinct starting points whereas yieldc,k(L) is the number of
different walks with same starting point namely 0b _{and distinct labels. Hence the }
multichain structure deals with a different problem thanyieldc,k(L). A notable change in our
work is to deal with multicollision of sum of two permutation calls (we call it meet in the middle multicollision, see definition ofWmitm_{). This computation is not straightforward}
like usual computation of expectation of multicollision (see subsection 4.2).
6
Security Analysis of TransformthenPermute
In Theorem 4, we prove the main technical result of this paper on the AEAD security of TransformthenPermute when the linear functions Le and Ld,i are invertible for all
1≤i ≤r. Towards the end of this section we also give a result when the invertibility condition on Ld,i is relaxed.
Recall the notations qp,qe,qd,σeandσd from section2.1. Let
common:=
qp
2κ +
2qd
2τ +
2σ(2σ+qp)
2b +
6σeqp
2b +
2qpmcoll(σe,2r)
2c
+qpmcoll(σe,2
τ_{)}
2b−τ +
σe+qp
2b +
qpσdmcoll(σe,2r)
22c . (6)
Theorem 4 (Main Theorem). Let Le and Ld,i be invertible for all i ∈ [r]. For any
(qp, qe, qd, σe, σd)adversary A, we have
Advaead_{inv}TtP(A)≤invmBAD+common,
whereinvmBAD:=
σdmcoll(qp,2τ)
2c +
σdmcoll(qp,2r)
2c +
σdmcoll0(qp2,2b)
2c .
The proof employs coefficient Htechnique of Theorem1. To apply this method we need to first describe the ideal world. The real world behaves same as the construction and would be described later. For the sake of notational simplicity we assume size of the nonce is at mostb−κ. Later we mention how one can extend the proof when nonce size is more thanb−κ. We also assume that the adversary makes exactlyqp,qeandqd many
primitive, encryption and decryption queries respectively.
6.1
Ideal World and Real World
Online Phase of Ideal World. The ideal world responds three oracles, namely
encryption queries, decryption queries and primitive queries in the online phase.
The ideal world simulates Π± _{query honestly.}3 _{In particular, if} _{dir}
i = 1, it sets
Ui←Wi and returns Vi=Π(Ui). Similarly, whendiri =−1, it setsVi←Wi and
returnsUi=Π−1(Vi).
(2)On Encryption QueryQi:= (Ni,Ai,Mi):
It samples Yi,0, . . . ,Yi,ti←${0,1}
b _{where} _{t}
i = ai +mi, ai = a(Ai) and mi =
dM_{r}ie. Then, it returns (Ci,1k · · · kCi,mi,Ti) where (Mi,1, . . . ,Mi,mi)
r
←Mi ,Ci,j=
dYi,ai+j−1eMi,j⊕Mi,j for allj∈[mi] andTi← dYi,tieτ.
(3)On Decryption QueryQi:= (N∗i,A∗i,C∗i,T∗i):
According to our convention we assume that the decryption query is always nontrivial. So the ideal world returns abort symbolM∗_{i} :=⊥.
Offline Phase of Ideal World. After completion of oracle interaction (the above three types of queries possibly in an interleaved manner), the ideal oracle setsE, ,D,P to denote the set of all query indices corresponding to encryption, decryption and primitive queries respectively. SoE t D t P = [qe+qd+qp] andE=qe, D=qd,P=qp. Let
the primitive transcriptωp = (Ui,Vi,diri)i∈P and letωp0 := (Ui,Vi)i∈P. The decryption
transcriptωd:= (M∗i)i∈D whereM∗i is always⊥.
Now we describe some extended transcript (releasing additional information) for encryption queries. It samplesK←${0,1}κ. For alli, letFmt(Ni,Ai,Mi) = (Di,0, . . . , Di,ti)
and for every 0≤j≤ti, the intermediate input (Xvalue) is defined as
Xi,j=
(
Di,0⊕Kk0b−κ if j= 0
Le(Yi,j−1)⊕Di,j if 1≤j≤ti
The encryption transcriptωe= (Xi,jYi,j)i∈E,j∈[0..ti]. So, the transcript of the adversary
consists ofω:= (Q, ωp, ωe, ωd) whereQ:= (Qi)i∈E∪D.
Real World. In the online phase, the AE encryption and decryption queries and
direct primitive queries are faithfully responded based onΠ±. Like the ideal world, after completion of interaction, the real world returns allXvalues andYvalues corresponding to the encryption queries only. Note that a decryption query may returnMi which is not
⊥.
6.2
Bad Transcripts
We define the bad transcripts into two main parts. We first define bad events due to encryption and primitive transcript. The following bad events says that (i) there is a collision among inputs/outputs ofωp andωe (ii) there is a collision among input/outputs
ofωe. So, given that there are no such collision, all inputs and outputs are distinct and
henceωe∪ωp is permutation compatible (can be realized by random permutation). More
formally, we define the following bad events:
B1: For some (U,V)∈ωp,K=bUcκ.
B2: For somei∈ E,j∈[ti],Yi,j ∈range(ωp), (in other words,range(ωe)∩range(ωp)6=∅)
B3: For some i ∈ E, j ∈ [ti], Xi,j ∈ domain(ωp), (in other words, domain(ωe) ∩
domain(ωp)6=∅)
B4: For some (i∈ E, j∈[ti])6= (i0∈ E, j0∈[ti0]),Y_{i,j}=Y_{i}0_{,j}0,