
1 Introduction

SPRPs. Strong Pseudo-Random Permutations (SPRPs, or wide-block ciphers) are important symmetric-key schemes for protecting the privacy of variable-length messages. Their tweakable variants (STPRPs) are useful for building strong authenticated encryption [12, 31] or onion AE [30]. During the previous two decades, the symmetric-key community proposed a considerable corpus of SPRPs. From a high-level point of view, existing constructions can be categorized into (1) Generalized Feistel networks, (2) Encrypt-Mix-Encrypt, (3) Hash-ECB-Hash, (4) Hash-Counter-Hash, and (5) miscellaneous designs.

Optimization Goals. The primary goals for optimizations in cryptographic schemes are, in general, low implementation costs, high provable security guarantees, and high performance. For the first criterion, it is desirable to construct higher-level schemes from a single well-analyzed primitive without large internal state and with a single key.

High security is essential in many domains that have to process large amounts of data without the ability of frequent re-keying. In most constructions, however, it comes at the cost of decreased performance. Unsurprisingly, the challenges of combining high security guarantees with high performance have been identified among the hot topics of symmetric-key cryptography at the ESC 2017 workshop [5]. Often, high security is associated with security beyond the birthday bound. In the areas of authentication (e.g., [19, 32, 33]), encryption, as well as authenticated encryption (e.g., [13, 14, 28]), beyond-birthday security has undergone a long line of research. In the area of SPRPs, however, the security of the vast majority of existing constructions is still limited by the birthday bound of n / 2 bits, where n is the state size of the underlying primitive. So, the privacy guarantees are lost if \(q \simeq 2^{n/2}\) message blocks have been encrypted under the same key. Assuming the AES as primitive, this would imply that significantly fewer than \(2^{64}\) blocks could safely be encrypted under a single key.

Security of SPRPs: State of the Art. Among the earlier proposals, the LargeBlock1 and LargeBlock2 constructions by Minematsu and Iwata [23] as well as \(\textsc {TCT}_{2}\) by Shrimpton and Terashima [31] are exceptional for their security guarantees. The LargeBlock designs can achieve optimal n-bit security, whereas \(\textsc {TCT}_{2}\) is limited to 2n / 3 bits. Both share similarities with the \(\varPsi _2\) and \(\varPsi _3\) constructions from Coron et al. [9], which use two and three calls to a tweakable block cipher, respectively. Both LargeBlock2 and \(\textsc {TCT}_{2}\) possess a sandwich structure, where an encryption layer is wrapped by two layers of hashing. In the former, the encryption layer is an application of \(\varPsi _2\) in ECB mode; the hashing layers employ two calls to a polynomial hash of \(2(\ell -1)\) multiplications each. \(\textsc {TCT}_{2}\) can be seen as an unbalanced version of \(\varPsi _3\), where also \(2(\ell -1)\) of \(\ell \) input blocks are hashed in each hashing layer. Both constructions were remarkable for their time. To be comparably efficient, however, they required two primitives, a block cipher and a universal hash function.

A different direction is followed by HHFHFH [2] and its instantiations (e.g., [3]): a four-round unbalanced Feistel network built on a large-state primitive. Instead of providing beyond-birthday security, it possesses large security margins due to the larger birthday bound of its internal primitive. However, the large state size limits its efficiency.

The only approach we are aware of that almost combines both the security and the performance desiderata is Simpira (v2) [10], a family of Feistel-like constructions built upon the AES round function. Its authors claim 128-bit security and high performance on current processors with support for AES native instructions. However, Simpira’s security claim stems purely from heuristics and will demand intensive further cryptanalysis to increase trust in it.

Tweakable Block Ciphers. One established approach for achieving higher security without considerably sacrificing performance is to use a tweakable block cipher (TBC) [18] as the underlying primitive. At the core, tweakable block ciphers employ an additional public input called tweak, which allows one to efficiently separate the domains of different calls to the primitive. This fact can reduce the impact of internal collisions on the security of the scheme built around them. For message authentication codes (MACs), a series of recent works pushed the security bounds further [8, 15, 24], but a similar trend is also observable in the domain of encryption modes and authenticated encryption schemes [14, 17, 21, 28, 29]. This approach has also been used earlier for SPRPs [9, 20, 22, 23, 31] – those proposals, however, originate from at least half a decade ago, when TBCs used to be constructed in cumbersome fashion from classical block ciphers. Nowadays, we have the option of using efficient dedicated TBCs, such as Deoxys-BC, Joltik-BC [16], or Skinny [1].

The application of TBCs can also boost the efficiency of constructions, as has been demonstrated recently for MACs. At CRYPTO’17, Iwata et al. [15] introduced ZMAC, a TBC-based parallelizable, single-key single-primitive MAC whose internal hash function ZHash processed the message in both the tweak and plaintext simultaneously. The additional message bits per primitive call render ZMAC more efficient than previous MACs and suggest the adoption of the approach to other domains.

Open Research Questions. When abstracting away the details of the primitive, the number of calls to it per input block becomes the main efficiency metric. From Encrypt-Mix-Encrypt-based constructions, it is well-known that the bound is at most two calls per block (plus some minor overhead), assuming all further operations are linear. Thus, it is an interesting question if SPRPs can be built from fewer calls to a single-keyed primitive. Moreover, a strongly related question is that for the minimal number of calls necessary for SPRP security.

From a theoretical perspective, Nandi [26] showed that constructions built from a classical single-keyed block cipher require \(2\ell \) calls for \(\ell \)-block messages for SPRP security. However, it seems that this bound is reducible if one uses a TBC instead as the underlying primitive. For Hash-Counter-Hash-based constructions, the most efficient (T)BC-based hash function we are aware of is ZHash. For a TBC with n-bit state and \(\tau \)-bit tweak length, it would yield a construction of about \(\ell + 2\left\lceil {\sigma /(n+\tau )}\right\rceil \) calls for messages of \(\sigma \) bits. For dedicated TBCs, such as Deoxys-BC-128-384 or Skinny-128-384, this figure still implies that approximately \(5\ell /3\) calls are necessary. Regarding the other design principles, it is unclear if similar results are applicable to constructions based on the Encrypt-Mix-Encrypt or Hash-ECB-Hash paradigms. We estimate that Hash-ECB-Hash constructions would need about \(\ell \) primitive calls in each hashing layer, plus \(\ell \) calls in the encryption layer. An instantiation of LargeBlock2 with ZHash instead of multiplications would yield \(2 \lceil (\ell -1)/2 \rceil \) calls in each hashing layer, plus \(\ell \) calls in the middle, or \(3\ell \) calls in sum. \(\textsc {TCT}_{2}\) could use one ZHash layer each for the top and the bottom hashing layer. While further modifications could make it more efficient, its proposal employed \(2\ell -2\) calls in the middle. We compare the approaches in Table 1. Altogether, three interesting research questions remain: (1) to which extent can the number of primitive calls be reduced when employing a tweakable block cipher, (2) how can a specific construction be realized, and (3) can it be built with high provable security guarantees.

Table 1. Asymptotic #primitive calls for SPRP paradigms. We assume that hash functions and encryption layers use a single-keyed (tweakable) block cipher with n-bit state and \(\tau \)-bit tweak size to encrypt an \(\ell \)-block message of \(\sigma \) bits in total. We assume the hashing layers use ZHash (as the most efficient blockcipher-based hash function we are aware of).

Contribution. This work tries to answer all three questions above: for the theoretical interest, (1) we show that \(1.5\ell \) primitive calls per message block is close to minimal by a generic distinguisher on any construction that employs fewer than \((3\ell -1)/2\) calls to a single-keyed primitive per message block, where all further operations are linear. For the practitioner’s interest, (2) we propose ZCZ (ZHash-Counter-ZHash), an almost fully parallelizable variable-input-length SPRP based on a single-keyed TBC with n-bit state and n-bit tweak size. ZCZ matches approximately the optimal number of \(1.5\ell \) calls to the primitive for an \(\ell \)-block message, plus a small overhead. Finally, we show (3) that ZCZ achieves optimal n-bit security, i.e., the SPRP advantage of any adversary that asks at most q queries of \(\sigma \) blocks in total is in \(O(\sigma ^2/2^{2n})\).

We note that for instantiations of Hash-Counter-Hash with ZHash and a TBC with large tweaks of \(\tau = 3n\), the number of primitive calls could become equal to that of ZCZ. However, such primitives would introduce a significant slowdown, be it due to the need for more rounds in a TWEAKEY-like cipher or due to the need to call an additional universal hash function for compressing the tweak. For practical tweak sizes \(\tau < 3n\), the number of calls is significantly lower for our construction.

Yet Another Encryption Scheme? It may appear that ZCZ is yet another encryption scheme after all, and with hundreds of encryption schemes already being present in the literature, it is difficult to get excited about another one, notwithstanding small improvements in performance and security. We beg to differ on this point primarily for two reasons: (1) very few existing encryption schemes built upon a primitive with an n-bit output provide n-bit security — most in fact are only secure up to the birthday bound. As such, the improvement by ZCZ in terms of security is not a small step, but rather a leap. Since there is a considerable interest in the (still) small group of constructions that achieve this security, we believe that our encryption scheme is an exciting addition to this group. (2) Even more significant is the way that ZCZ exploits the randomness generated by a tweakable blockcipher. While most previous approaches were based on generic replacements of two or more blockcipher calls by a single call to a tweakable block cipher, the approach used by ZCZ is not a corollary of any previous work. Given its efficiency, we believe it can lead to exciting new directions in research on tweakable-blockcipher modes.

Outline. The remainder is structured as follows: first, Sect. 2 briefly summarizes the necessary preliminaries. Given a primitive with an effective tweak size \(\tau = n\), Sect. 3 illustrates that every PRP with fewer than \(3\ell - 1\) primitive calls for \(2\ell \)-block messages is insecure, which was the core motivation for our search for constructions with about \(1.5\ell \) calls. Subsequently, Sect. 4 defines our basic construction, which is first described for messages whose length is a positive multiple of 2n bits. Thereupon, Sect. 5 extends our definition to messages of more general lengths. Section 6 provides the details of our security analysis.

We provide further insights on the starting point of our research in the full version of this work [4]. Therein, we also discuss attacks on insecure preliminary variants that motivated our studies towards the final design of ZCZ.

2 Preliminaries

General Notation. We use lowercase letters x for indices and integers, uppercase letters X, Y for binary strings and functions, and calligraphic uppercase letters \(\mathcal {X}, \mathcal {Y} \) for sets. We denote the concatenation of binary strings X and Y by \(X \,\Vert \, Y\); we mostly treat bit strings as representations of elements in the finite field \(\mathbb {F} _{2^n}\), which is the Galois Field \(\mathbb {GF} (2^n)\) with a fixed irreducible polynomial \(p(\mathtt {x})\). There, we interpret a bit string \((x_{n-1} \ldots x_1 x_0)\) as the polynomial \(\sum _{i=0}^{n-1} a_i \cdot \mathtt {x}^{i}\) in \(\mathbb {F} _{2^n}\). Bit \(x_i\) represents the coefficient \(a_i \in \{0,1\}\), for \(0 \le i \le n-1\); the most significant bit is the leftmost, and the least significant bit is the rightmost bit. We denote the result of the addition of two elements as \(X + Y\), which is equivalent to the XOR of X and Y. For tuples of bit strings \((X_1, \ldots , X_x)\), \((Y_1, \ldots , Y_x)\) of equal domain, we denote by \((X_1, \ldots , X_x) + (Y_1, \ldots , Y_x)\) the element-wise XOR, i.e., \((X_1 + Y_1, \ldots , X_x + Y_x)\). Unless stated otherwise, we consider all additions of n-bit values to be in \(\mathbb {F} _{2}^n\). Moreover, we will use \(\oplus \) for the XOR of bit strings in illustrations. However, all additions and subtractions in sub- and superscripts that denote indices represent integer additions. We indicate the length of a bit string X in bits by |X|, and write \(X_i\) for the i-th block. Moreover, we denote by \(X \twoheadleftarrow \mathcal {X} \) that X is chosen independently uniformly at random from the set \(\mathcal {X} \). 
We define three sets of particular interest: let \(\mathsf {Func} (\mathcal {X}, \mathcal {Y})\) be the set of all functions \(F: \mathcal {X} \rightarrow \mathcal {Y} \), \(\mathsf {Perm} (\mathcal {X})\) the set of all permutations over \(\mathcal {X} \), and \(\mathsf {\widetilde{Perm}} (\mathcal {T}, \mathcal {X})\) the set of tweaked permutations over \(\mathcal {X} \) with associated tweak space \(\mathcal {T} \).

\((X_1, \ldots , X_x) \xleftarrow {n} X\) denotes that X is split into the minimal number of n-bit blocks possible, i.e., \(X_1 \,\Vert \, \ldots \,\Vert \, X_{x} = X\), and \(|X_i| = n\) for \(1 \le i \le {x-1}\), and \(|X_x| \le n\). So, when \(|X| > 0\), then \(|X_x| > 0\). If \(|X| = 0\), \(Y \xleftarrow {x} X\) sets Y to the empty string. \(\langle X \rangle _{n} \) denotes an encoding of an integer \(X \in \mathbb {Z}_n\) as an n-bit string. For two sets \(\mathcal {X} \) and \(\mathcal {Y} \), a uniform random function \(\rho : \mathcal {X} \rightarrow \mathcal {Y} \) maps inputs \(X \in \mathcal {X} \) independently and uniformly at random to outputs \(Y \in \mathcal {Y} \). For an event E, we denote by \(\Pr [E]\) the probability of E; \(\varepsilon \) is the empty string. For a given set \(\mathcal {X} \) and integer x, we define \(\mathcal {X} ^{\le x} = \bigcup _{i = 1}^{x} {\mathcal {X}}^i\) and \(\mathcal {X} ^{+} = \bigcup _{j = 1}^{\infty }{\mathcal {X}}^j\). For two integers n, k with \(n \ge k \ge 1\), we denote the falling factorial as \(\left( n\right) _{k} = \prod _{i = 0}^{k-1} (n - i)\).

Adversaries. An adversary \(\mathbf {A} \) is an efficient Turing machine that interacts with a given set of oracles that appear as black boxes to \(\mathbf {A}\). We denote by \(\mathbf {A} ^{\mathcal {O}}\) the output of \(\mathbf {A}\) after interacting with some oracle \(\mathcal {O}\). We write for the advantage of \(\mathbf {A}\) to distinguish between oracles \(\mathcal {O} ^1\) and \(\mathcal {O} ^2\). All probabilities are defined over the random coins of the oracles and those of \(\mathbf {A}\), if any. W.l.o.g., we assume that \(\mathbf {A}\) never asks queries to which it already knows the answer.

A block cipher E with associated key space \(\mathcal {K} \) and message space \(\mathcal {M} \) is a mapping \(E: \mathcal {K} \times \mathcal {M} \rightarrow \mathcal {M} \) such that for every key \(K \in \mathcal {K} \), it holds that \(E(K, \cdot )\) is a permutation over \(\mathcal {M} \). A tweakable block cipher \(\widetilde{E} \) with additional tweak space \(\mathcal {T} \) is a mapping \(\widetilde{E}: \mathcal {K} \times \mathcal {T} \times \mathcal {M} \rightarrow \mathcal {M} \) such that for every key \(K \in \mathcal {K} \) and tweak \(T \in \mathcal {T} \), it holds that \(\widetilde{E} (K, T, \cdot )\) is a permutation over \(\mathcal {M} \). We also write \(\widetilde{E} _K^T(\cdot )\) as short form. In this work, we assume that SPRPs allow variable-length inputs, i.e., there is no single fixed length, but the length of the ciphertext always equals that of the plaintext and vice versa; moreover, over all inputs of equal length, the construction is a permutation. The advantage is defined as follows.

Definition 1

( Advantage). Let \(\mathcal {K} \) be a non-empty set and \(\mathcal {M} \subset \{0,1\}^{*}\). Let \(\varPi : \mathcal {K} \times \mathcal {M} \rightarrow \mathcal {M} \) be a length-preserving permutation. Let \(\pi \twoheadleftarrow \mathsf {Perm} (\mathcal {M})\) be sampled from the set of all length-preserving permutations of \(\mathcal {M} \), and \(K \twoheadleftarrow \mathcal {K} \). Then, the SPRP advantage of \(\mathbf {A}\) with respect to \(\varPi \) is defined as .

Definition 2

( Advantage). Let \(\mathcal {K} \) and \(\mathcal {T} \) be non-empty sets and let \(\widetilde{E}: \mathcal {K} \times \mathcal {T} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) denote a tweakable block cipher. Let \(\widetilde{\pi } \twoheadleftarrow \mathsf {\widetilde{Perm}} (\mathcal {T}, \{0,1\}^{n})\) and \(K \twoheadleftarrow \mathcal {K} \). Then, the STPRP advantage of \(\mathbf {A}\) w.r.t. \(\widetilde{E} \) is defined as .

Definition 3

(Almost-XOR-Universal Hash Function). Let \(\mathcal {K} \), \(\mathcal {X} \), and \(\mathcal {Y} \subseteq \{0,1\}^{*}\) be non-empty sets. Let \(H: \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {Y} \) be a function keyed by \(K \in \mathcal {K} \). We call H \(\epsilon \)-almost-XOR-universal (\(\epsilon \)-AXU) if, for all distinct \(X, X' \in \mathcal {X} \) and any \(\varDelta \in \mathcal {Y} \), it holds that \(\Pr _{K \twoheadleftarrow \mathcal {K}}\left[ H_K(X) - H_K(X') = \varDelta \right] \le \epsilon \), where subtraction is in \(\mathbb {F} _{2^n}\).

The H-Coefficient Technique. The H-coefficient technique is a proof method by Patarin [27]. It assumes that the results of the interaction of an adversary \(\mathbf {A}\) with its oracles are collected in a transcript \(\tau \) of the attack: \(\tau = \langle (M_1, C_1, d_1)\), ..., \((M_q, C_q, d_q) \rangle \). \((M_i, C_i)\) denotes the in- and output of the i-th query of \(\mathbf {A}\); a Boolean variable \(d_i\) denotes the query direction: \(d_i = 1\) indicates that \(C_i\) was the result of an encryption query, and \(d_i = 0\) that \(M_i\) was the result of a decryption query. The task of \(\mathbf {A}\) is to distinguish the real world \(\mathcal {O}_{\text {real}} \) from the ideal world \(\mathcal {O}_{\text {ideal}} \). A transcript \(\tau \) is called attainable if the probability to obtain \(\tau \) in the ideal world is non-zero. We denote by \(\varTheta _{\text {real}} \) and \(\varTheta _{\text {ideal}} \) the distribution of transcripts in the real and the ideal world, respectively. Then, the fundamental Lemma of the H-coefficient technique, whose proof is given in [6, 27], states:

Lemma 1

(Fundamental Lemma of the H-coefficient Technique [27]). Assume that the set of attainable transcripts is partitioned into two disjoint sets GoodT and BadT. Further assume that there exist \(\epsilon _1, \epsilon _2 \ge 0\) such that for any transcript \(\tau \in \textsc {GoodT} \), it holds that

$$\begin{aligned} \frac{\Pr \left[ \varTheta _{\text {real}} = \tau \right] }{\Pr \left[ \varTheta _{\text {ideal}} = \tau \right] }&\ge 1 - \epsilon _1, \quad \text { and } \quad \Pr \left[ \varTheta _{\text {ideal}} \in \textsc {BadT} \right] \le \epsilon _2. \end{aligned}$$

Then, for all adversaries \(\mathbf {A}\), it holds that .

3 On the Minimal Number of Required Primitive Calls

This section shows that any PRP with fewer than \(3\ell -1\) calls for messages of \(2\ell \) blocks to a primitive with n-bit tweak size and n-bit state size is insecure. We follow the approach by [26], who proved that an SPRP based on a single-keyed classical block cipher needs at least \(2\ell \) calls to the primitive for \(\ell \)-block messages.

3.1 Generic Construction

Define positive integers n, \(\tau \), and \(\ell \), and let \(\mathcal {M} \subseteq \{0,1\}^{*}\) denote a space for which \((\{0,1\}^{n})^{2\ell } \subseteq \mathcal {M} \). Let \(r \le 3\ell -2\) and let \(\widetilde{\pi } _i: \{0,1\}^{\tau } \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\), for all \(1 \le i \le r\), denote tweakable permutations with tweak space \(\{0,1\}^{\tau }\) and state size n. Let \(\varPi [\widetilde{\pi } _1, \ldots , \widetilde{\pi } _r]: \mathcal {M} \rightarrow \mathcal {M} \) be a length-preserving cipher that employs as its only non-linear functions in total r calls to the permutations \(\widetilde{\pi } _1\), ..., \(\widetilde{\pi } _r\). For simplicity, we also write \(\varPi \) as short form, hereafter. All further components of \(\varPi \) are linear over \(\mathbb {F} _{2^n}\). For any such construction, we can formulate this as follows. Let \(X_i\) denote the input to \(\widetilde{\pi } _i\), \(T_i\) the tweak to \(\widetilde{\pi } _i\), and let \(Y_i \leftarrow \widetilde{\pi } _i^{T_i}(X_i)\) denote its output. The linear operations in \(\varPi \) must be describable as non-zero linear functions \(L_i: \mathcal {M} \times (\{0,1\}^{n})^{i-1} \rightarrow \{0,1\}^{n} \times \{0,1\}^{\tau }\), for \(1 \le i \le r\), and an additional non-zero linear function \(L_{r+1}: \mathcal {M} \times (\{0,1\}^{n})^r \rightarrow \mathcal {M} \) that, for all given inputs \((M, Y_1, \ldots , Y_r) \in \mathcal {M} \times (\{0,1\}^{n})^r\), outputs C s.t. it holds that \(|C| = |M|\). Then, we can describe the encryption with \(\varPi (M)\) as

$$\begin{aligned} (X_i, T_i)&\leftarrow L_i\left( M, Y_1, \ldots , Y_{i-1}\right) ,&\quad \text { for all } 1 \le i \le r, \\ Y_i&\leftarrow \widetilde{\pi } _i^{T_i}(X_i),&\quad \text { for all } 1 \le i \le r, \text { and} \\ C&\leftarrow L_{r+1}(M, Y_1, \ldots , Y_r). \end{aligned}$$

\(\varPi \) must be correct for all inputs, i.e., for all \(M, C \in \mathcal {M} \), it must hold that \(\varPi ^{-1}(\varPi (M)) = M\) and \(\varPi (\varPi ^{-1}(C)) = C\). Figure 1 gives an illustration.

Fig. 1. Generic model of a PRP that consists of at most \(r \le 3\ell -2\) calls to tweakable block ciphers \(\widetilde{\pi } _i\) for messages of \(2\ell \) blocks.

Remark 1

It may not be instantaneously clear why the generic construction above covers all considered schemes. Note that it computes the values \(X_i\) and \(T_i\) by a non-zero linear function of M, \(Y_1\), \(Y_2\), ..., \(Y_{i-1}\). So, the previous values \(Y_i\) can also be used to generate \(X_i\). Indeed, it is generic enough to include all such constructions where the only non-linear components are the permutation calls.

For simplicity, we consider independent permutations with tweak domain \(\mathbb {F} _2^{\tau }\) in this section. For efficiency, our proposal later in this work will employ only a single tweakable primitive with a composite tweak domain \(\mathcal {T} _D = \mathcal {D} \times \mathbb {F} _{2}^{\tau }\), where \(\mathcal {D} \) is a non-empty set of domains. So, this approach achieves the same goal of having independent permutations. We consider that \(\tau \) is the effectively usable size of the tweaks without domains.

3.2 A PRP Attack on Constructions with at Most \(3\ell -2\) Calls

Case \(\tau = n\). Let \(\mathbf {A}\) be an adversary with the goal to distinguish the outputs of a variable-input-length PRP \(\varPi \) under a secret key as above from an ideal PRP. First, \(\mathbf {A}\) chooses two messages M and \(M'\) of \(2\ell \) blocks each, i.e., \(M = (M_1\), \(\ldots \), \(M_{2\ell })\) and \(M' = (M'_1\), \(\ldots \), \(M'_{2\ell })\). We define the differences \(\varDelta M = M - M'\), and analogously the differences \(\varDelta X_i\), \(\varDelta Y_i\), and \(\varDelta C\) in the obvious manner. Choose M and \(M'\) such that it holds that \(\varDelta X_i = 0\) and \(\varDelta T_i = 0\), for \(1 \le i \le \ell -1\). Note that such a choice of M and \(M'\) must be possible since these variables correspond to \(2\ell - 2\) equations (\(\ell - 1\) equations for adjusting the values \(\varDelta X_i\) and \(\ell - 1\) equations for adjusting the values \(\varDelta T_i\)) and there exist \(2\ell \) blocks \(\varDelta M_i\). For instance, the adversary can efficiently derive an element N from the null space of \(L_1, \ldots , L_{2(\ell -1)}\). It chooses M arbitrarily and derives \(M' = M + N\).

From \(\varDelta X_i = 0^n\) and \(\varDelta T_i = 0^{\tau }\) for \(1 \le i \le \ell -1\), it follows that \(\varDelta Y_i = \widetilde{\pi } ^{T_i}(X_i) \oplus \widetilde{\pi } ^{T'_i}(X'_i) = 0^n\), for all \(1 \le i \le \ell -1\). The non-linear layer of calls to the tweakable block cipher maps \((\varDelta X_1, \ldots , \varDelta X_r)\) to \((\varDelta Y_1, \ldots , \varDelta Y_r)\). We obtain

$$\begin{aligned} L_{r+1}( \varDelta M, \underbrace{\varDelta Y_1, \ldots , \varDelta Y_{\ell -1}}_{=\,(0,\,\ldots ,\,0)}, \varDelta Y_\ell , \ldots , \varDelta Y_r ) = \varDelta C. \end{aligned}$$

Since \(\mathbf {A}\) fixed \(\varDelta M\) and chose M and \(M'\) so that \(\varDelta X_1 = \ldots = \varDelta X_{\ell -1} = 0^n\) and \(\varDelta T_1 = \ldots = \varDelta T_{\ell -1} = 0^{\tau }\), we obtain \(\varDelta Y_1, \ldots , \varDelta Y_{\ell -1} = 0^n\). So, there are at most \(2\ell -1\) free variables \(\varDelta Y_{\ell }, \ldots , \varDelta Y_r\), and \(2\ell \) equations for \(\varDelta C_1, \ldots , \varDelta C_{2\ell }\), which implies that the \(2\ell \) blocks of \(\varDelta C\) are a linear combination of the \(2\ell -1\) values \(\varDelta Y_{\ell }, \ldots , \varDelta Y_r\). So, in the real construction, \(L_{r+1}\) defines a map from \(2\ell -1\) to \(2\ell \) n-bit variables, and \(\mathbf {A} \) can efficiently derive a solution \(\varDelta Y_{\ell }, \ldots , \varDelta Y_r\) from the null space of the equation system. This becomes a distinguishing event that happens with probability one in the real construction and with probability \(1/2^n\) in the ideal world for this example. The distinguishing advantage is hence \(1 - 1/2^n\). \(\mathbf {A}\) can query it with two messages as above and output real if such a non-zero linear function L exists and random otherwise, as summarized in Algorithm 1.
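As an added illustration that is not part of the paper, the following Python code runs the distinguisher just described (case \(\tau = n\)) against a toy instance of the generic construction of Sect. 3.1: n = 8, \(\ell = 3\) and \(r = 3\ell - 2 = 7\) calls, with random linear layers \(L_1, \ldots, L_{r+1}\) over \(\mathbb{F}_2\) and lazily sampled random tweakable permutations. All names, the toy parameters and the seeded randomness are constructed for the example; the toy construction is not invertible, which the forward-query distinguisher does not need.

```python
import random

N_BITS = 8               # n = tau: block and tweak size of the toy primitive
ELL = 3                  # ell: a message consists of 2*ell blocks
R = 3 * ELL - 2          # r: number of primitive calls, the bound of Sect. 3.2
MSG_BITS = 2 * ELL * N_BITS

def matvec(rows, v):
    """Apply an F_2 matrix (list of row bit-masks) to v; output bit i is row_i . v."""
    return sum((bin(row & v).count("1") & 1) << i for i, row in enumerate(rows))

def column(rows, j):
    """Column j of a row-mask matrix as a bit-vector indexed by row."""
    return sum(((row >> j) & 1) << i for i, row in enumerate(rows))

def reduce_vec(v, basis):
    """Reduce v against a basis (dict: lowest set bit -> vector); return the remainder."""
    while v and (v & -v) in basis:
        v ^= basis[v & -v]
    return v

def kernel_vector(rows, ncols):
    """A non-zero N with row . N = 0 for every row, or None. Tracker bits above the row
    range record which columns were combined, so the first column that reduces to zero
    hands back a linear dependency between columns, i.e. a kernel vector."""
    nrows, basis = len(rows), {}
    for j in range(ncols):
        v = reduce_vec(column(rows, j) | (1 << (nrows + j)), basis)
        if v & ((1 << nrows) - 1) == 0:
            return v >> nrows
        basis[v & -v] = v
    return None

def in_span(cols, target):
    """Does target lie in the F_2-span of the given column vectors?"""
    basis = {}
    for c in cols:
        r = reduce_vec(c, basis)
        if r:
            basis[r & -r] = r
    return reduce_vec(target, basis) == 0

class ToyConstruction:
    """Pi[pi_1, ..., pi_r] of Sect. 3.1 with random linear layers over F_2 (constructed,
    not a real cipher) around lazily sampled random tweakable permutations.
    State vector: M || Y_1 || ... || Y_r."""
    def __init__(self, seed):
        self.rng = random.Random(seed)
        # L_i reads M and Y_1..Y_{i-1}; its first n rows yield X_i, the next n rows T_i
        self.layers = [[self.rng.getrandbits(MSG_BITS + (i - 1) * N_BITS)
                        for _ in range(2 * N_BITS)] for i in range(1, R + 1)]
        self.final = [self.rng.getrandbits(MSG_BITS + R * N_BITS)   # L_{r+1}
                      for _ in range(MSG_BITS)]
        self.perms = {}   # (i, tweak) -> {X: Y}

    def tweakable_perm(self, i, tweak, x):
        table = self.perms.setdefault((i, tweak), {})
        while x not in table:
            y = self.rng.getrandbits(N_BITS)
            if y not in table.values():
                table[x] = y
        return table[x]

    def encrypt(self, m):
        state = m
        for i in range(1, R + 1):
            xt = matvec(self.layers[i - 1], state)
            y = self.tweakable_perm(i, xt >> N_BITS, xt & ((1 << N_BITS) - 1))
            state |= y << (MSG_BITS + (i - 1) * N_BITS)
        return matvec(self.final, state)

def ideal_oracle(rng):
    """The ideal world: a lazily sampled random permutation on 2*ell*n-bit strings."""
    table = {}
    def enc(m):
        while m not in table:
            c = rng.getrandbits(MSG_BITS)
            if c not in table.values():
                table[m] = c
        return table[m]
    return enc

def find_delta_m(layers):
    """Delta M in the null space of the M-parts of L_1..L_{ell-1}: it forces
    Delta X_i = Delta T_i = 0, hence Delta Y_i = 0, for 1 <= i <= ell-1. With 2(ell-1)n
    equations in 2*ell*n unknowns such a non-zero Delta M always exists."""
    rows = [row & ((1 << MSG_BITS) - 1) for i in range(ELL - 1) for row in layers[i]]
    return kernel_vector(rows, MSG_BITS)

def distinguish(layers, final, oracle, rng):
    """Two queries, then test whether Delta C + L_{r+1}(Delta M, 0, ..., 0) lies in the
    span of the (2*ell-1)n columns of L_{r+1} that belong to the free Y_ell..Y_r.
    Always true in the real world; probability at most 2^-n for a random permutation."""
    delta_m = find_delta_m(layers)
    m = rng.getrandbits(MSG_BITS)
    target = oracle(m) ^ oracle(m ^ delta_m) ^ matvec(final, delta_m)
    lo = MSG_BITS + (ELL - 1) * N_BITS
    return in_span([column(final, k) for k in range(lo, MSG_BITS + R * N_BITS)], target)

def experiment(trials, seed=1):
    """Count "real" verdicts against the toy construction and against the ideal world."""
    rng = random.Random(seed)
    real = ideal = 0
    for t in range(trials):
        c = ToyConstruction(seed * 1000 + t)
        real += distinguish(c.layers, c.final, c.encrypt, rng)
        ideal += distinguish(c.layers, c.final, ideal_oracle(rng), rng)
    return real, ideal
```

`experiment(20)` reports a "real" verdict for every toy instance and (almost) never for the random permutation, matching the \(1 - 1/2^n\) advantage derived above; with \(r \ge 3\ell - 1\) calls the free columns could span all of \(\varDelta C\) and the counting argument no longer applies.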

For general values of \(\tau \). A similar attack is applicable for general values of \(\tau \). However, we then have to consider linearity over \(\mathbb {F} _{2}\). Define

$$\begin{aligned} s = \left\lfloor \frac{2\ell n}{n + \tau } \right\rfloor - 1. \end{aligned}$$

The adversary chooses \(M \in (\mathbb {F} _{2}^{n})^{2\ell }\) arbitrarily, and \(M' \in (\mathbb {F} _{2}^{n})^{2\ell }\) with \(M \ne M'\) s.t. \(\varDelta X_{1} = \ldots = \varDelta X_{s} = 0^n\) and \(\varDelta T_1 = \ldots = \varDelta T_{s} = 0^{\tau }\). Note that we consider the inputs \(X_i \in \mathbb {F} _{2}^n\) and the tweaks \(T_i \in \mathbb {F} _{2}^{\tau }\) as blocks. Again, such a choice of \(M'\) exists for the same reason as above and can be found efficiently from the null space of the linear functions \(L_1\), \(L_2\), ... that are involved in the computation of \(\varDelta X_1, \ldots , \varDelta X_{s}\) and \(\varDelta T_1, \ldots , \varDelta T_{s}\). Again, we obtain \(\varDelta Y_i = 0^n\), for \(1 \le i \le s\), for the real construction. We obtain the equation

$$\begin{aligned} L_{r+1}( \varDelta M, \underbrace{\varDelta Y_1, \ldots , \varDelta Y_{s}}_{=\,(0,\,\ldots ,\,0)}, \varDelta Y_{s+1}, \ldots , \varDelta Y_r ) = \varDelta C. \end{aligned}$$

The blocks \(\varDelta Y_{s+1}, \ldots , \varDelta Y_r\) contain \((r - s)n\) bits that are mapped through \(L_{r+1}\) to the \(2\ell n\) bits of \(\varDelta C\). For all schemes \(\varPi \) that use r calls to the primitive with

$$\begin{aligned} (r - s) \cdot n&< 2 \ell n, \qquad \text {which leads to}\qquad r < 2\ell \left( 1 + \frac{n}{n+\tau }\right) - 1, \end{aligned}$$

we obtain a compressing mapping. Then, there are more equations than variables, and the distinguisher from before applies. However, the advantage may be smaller and depends on the values of r, n, and \(\tau \).

Algorithm 1: the PRP distinguisher of Sect. 3.2.

4 Definition of the Basic ZCZ Construction

This section defines the basic ZCZ scheme. First, we consider messages that consist of at most 2n blocks, and then extend it to all messages whose length is a multiple of 2n bits. The subsequent section will then further define it for messages whose lengths are not necessarily multiples of 2n bits.

Parameters. Let \(n, \tau , k, d \ge 1\) be integers with \(d \ll n\) and \(n = \tau \); we define as an alias. Let \(\mathcal {B} = \{0,1\}^{2n}\) define a di-block (or dual block, double block), i.e., 2n bits. We define non-empty sets of tweaks \(\mathcal {T} = \{0,1\}^{\tau }\), keys \(\mathcal {K} = \{0,1\}^{k}\), domains \(\mathcal {D} = \{\mathsf {t}, \mathsf {s}, \mathsf {c}, \mathsf {b}, \mathsf {t\$}, \mathsf {s\$}, \mathsf {c\$}, \mathsf {b\$}, \mathsf {xl}, \mathsf {xr}, \mathsf {yl}, \mathsf {yr}, \mathsf {p}, \mathsf {kd}\} \subseteq \{0,1\}^{d}\), and a set of indices \(\mathcal {I} \subseteq \{1, \ldots , 2^n - 1\}\). The purpose of domains and indices is to define an extended tweak set \(\mathcal {T} _{D,I} = \mathcal {D} \times \mathcal {I} \times \mathcal {T} \) for a tweakable block cipher \(\widetilde{E}: \mathcal {K} \times \mathcal {T} _{D,I} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\).

Fig. 2. Encryption of a message with \(\ell \) complete di-blocks with \(\textsc {ZCZ} [\widetilde{E} _K]\).

Overview. The basic \(\textsc {ZCZ} [\widetilde{E} _K]\) construction takes as input a secret key \(K \in \mathcal {K} \) and a plaintext \(M \in \mathcal {B} ^{\le n} \) that is split into \(\ell \in [1..n]\) di-blocks. The design can be split into a top, a middle, and a bottom layer. In the top layer, the first \(\ell -1\) complete di-blocks \((L_i, R_i)\) are processed similarly to the \(\mathbb {ZHASH}\) construction by Iwata et al. [15]. The TBC outputs \(X_i\) are accumulated by an MDS code to two values \(X_L^*\) and \(X_R^*\) using the Horner rule, which are finally encrypted in a butterfly-like structure [24] to \(X_L \leftarrow \widetilde{E} _K^{\mathsf {xl}, \ell , X_R^*}(X_L^*)\) and \(X_R \leftarrow \widetilde{E} _K^{\mathsf {xr}, \ell , X_L^*}(X_R^*)\). \(X_L\) and \(X_R\) are used to mask the branches of the final di-block, \(L_{\ell }\) and \(R_{\ell }\). The final di-block is processed by a four-round Feistel-like network of four TBC calls in the spirit of the constructions by Coron et al. [9].

This four-round network generates two intermediate values S and T after the first and the second call to \(\widetilde{E} \). The middle layer derives from S and T a value \(S_1 \leftarrow \widetilde{E} ^{\mathsf {s},0,1}_K(S)\) and a series of \(\ell -1\) chaining values \(Z_{1,j} \leftarrow \widetilde{E} ^{\mathsf {c}, j, T}_K(S_1)\). For the j-th di-block, the chaining value \(Z_{1,j}\) is added to both branches of the j-th di-block. Moreover, \(S_{1}\) is also added to the right branch of each di-block: \(L'_j \leftarrow X_j + Z_{1,j}\) and \(Y_j \leftarrow R_j + Z_{1,j} + S_1\). So, this middle layer ensures that each di-block depends on all others. Finally, the middle layer generates from the blocks \(Y_j\) and \(L'_j\) two values \(Y_L\) and \(Y_R\), symmetrically to \(X_L\) and \(X_R\).

The bottom layer is then a symmetric version of the top layer. The \(\ell -1\) di-blocks are processed by another \(\mathbb {ZHASH}\) layer to compute the ciphertext blocks: \(L'_j \leftarrow X_j\) and \(R'_j \leftarrow \widetilde{E} _K^{\mathsf {b}, i, L'_j}(Y_j)\). The final complete di-block is processed by two further Feistel rounds before \(Y_L\) is added to the left branch, and \(Y_R\) is added to the right branch of the \(\ell \)-th di-block. The resulting values \(L'_i, R'_i\), for \(1 \le i \le \ell \), are concatenated and returned as the ciphertext. The details of the encryption with \(\textsc {ZCZ} [\widetilde{E} _K]\) are given in Algorithm 2, and are illustrated in parts in Fig. 2, already for more than n complete di-blocks.

Rationale. The structure is inspired by ZHash [15] and AEZ [12]. The use of \(\alpha \) and \(\alpha ^2\) prevents that a collision in \(X_L\) automatically leads to a collision in \(X_R\) and vice versa; considering also the tweak values \(R_i\) for \(X_R\) renders birthday collisions in \(X_i\) from separate tweaks ineffective. Encrypting \(X_L^*\), \(X_R^*\), \(Y_L^*\), and \(Y_R^*\) avoids that differences in the masks cancel differences in the final di-block. Finally, adding \(S_i\) and \(Z_{i,j}\) prevents adversaries from observing differences \(\varDelta Z_{1,j}\). Using the masks \(X_L\), \(X_R\), \(Y_L\), and \(Y_R\) in the final di-block makes its outputs depend on all blocks; using S and T for the counter mode in the middle layer creates a dependency of each di-block on all others. We elaborate on attacks on preliminary versions of ZCZ in the full version of this work. We employ pairwise distinct domains for all calls to \(\widetilde{E} \) to prevent dependencies between the calls.
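The top-layer accumulation and the role of the two weights \(\alpha \) and \(\alpha ^2\), as an added Python example that is not code from the ZCZ authors. The field \(GF(2^{128})\) is instantiated with the GCM polynomial and \(\alpha = x\); the page fixes neither, so both are assumptions, as is the reading \(X_L^* = \sum _j \alpha ^{\ell -1-j} X_j\) and \(X_R^* = \sum _j (\alpha ^2)^{\ell -1-j} (X_j + R_j)\) taken from the rationale above and from the collision equations of the \(\mathsf {badE}\) analysis in Sect. 6. The example builds two sequences of TBC outputs that collide in \(X_L^*\), shows that \(X_R^*\) then differs, and checks the non-singularity condition on the weights that the \(\mathsf {badE}\) analysis relies on.

```python
"""Added example: ZCZ top-layer accumulation in GF(2^128) with weights alpha and alpha^2."""

N_BITS = 128
MASK = (1 << N_BITS) - 1
# Assumption: GF(2^128) = GF(2)[x] / (x^128 + x^7 + x^2 + x + 1), the GCM polynomial.
# The page does not fix the field, only that alpha and alpha^2 are used as weights.
POLY_LOW = (1 << 7) | (1 << 2) | (1 << 1) | 1   # x^128 is congruent to x^7 + x^2 + x + 1
ALPHA = 2                                        # the element x
ALPHA2 = 4                                       # x^2


def gf_mul(a, b):
    """Schoolbook carry-less multiplication modulo the field polynomial (not constant-time)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:                      # reduce as soon as the degree reaches 128
            a = (a ^ POLY_LOW) & MASK
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def horner(weight, values):
    """sum_{j=1}^{m} weight^(m-j) * values[j-1], evaluated with the Horner rule.
    With m = l-1 these are the weights alpha_j(.) resp. alpha^2_j(.) of Sect. 6."""
    acc = 0
    for v in values:
        acc = gf_mul(acc, weight) ^ v
    return acc


def accumulate(xs, rs):
    """(X_L^*, X_R^*) from the l-1 TBC outputs X_j and the tweak values R_j (assumed form):
    X_L^* sums alpha^(l-1-j) X_j, X_R^* sums (alpha^2)^(l-1-j) (X_j + R_j)."""
    assert len(xs) == len(rs)
    x_l = horner(ALPHA, xs)
    x_r = horner(ALPHA2, [x ^ r for x, r in zip(xs, rs)])
    return x_l, x_r


def collide_left(xs, j1, delta):
    """A second sequence of TBC outputs with the same X_L^*: flip position j1 (1-based,
    j1 < l-1) by delta and repair the last block, whose weight is alpha^0 = 1."""
    m = len(xs)
    assert 1 <= j1 < m and delta != 0
    ys = list(xs)
    ys[j1 - 1] ^= delta
    ys[-1] ^= gf_mul(gf_pow(ALPHA, m - j1), delta)
    return ys


def weights_independent(m, j0, j1):
    """The condition used for badE: alpha^(l-1-j0) (alpha^2)^(l-1-j1) differs from
    alpha^(l-1-j1) (alpha^2)^(l-1-j0), so two basis elements at positions j0 != j1
    cannot make both accumulations collide at once."""
    e0, e1 = m - j0, m - j1
    lhs = gf_mul(gf_pow(ALPHA, e0), gf_pow(ALPHA2, e1))
    rhs = gf_mul(gf_pow(ALPHA, e1), gf_pow(ALPHA2, e0))
    return lhs != rhs


if __name__ == "__main__":
    # Constructed sample values (not from the paper): 7 full di-blocks, i.e. l = 8.
    xs = [(j * 0x9E3779B97F4A7C15) & MASK for j in range(1, 8)]
    rs = [(j * 0xC2B2AE3D27D4EB4F) & MASK for j in range(1, 8)]
    ys = collide_left(xs, 3, 0x5A5A)
    (xl, xr), (yl, yr) = accumulate(xs, rs), accumulate(ys, rs)
    print("X_L^* collides:", xl == yl, " X_R^* collides:", xr == yr)
    print("weights independent for (j0, j1) = (7, 3):", weights_independent(7, 7, 3))
```

The repaired collision only needs the last weight to be 1, which is why one free block suffices to cancel any difference in \(X_L^*\); the same difference then contributes \(\alpha ^{k}(\alpha ^{k}+1)\delta \) to \(X_R^*\), which is non-zero as long as \(\alpha ^{k} \ne 1\) for \(1 \le k \le \ell -2\), i.e., as long as the order of \(\alpha \) exceeds the number of di-blocks.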


Extension to Longer Messages. Messages with more than n di-blocks are partitioned into chunks. The i-th (complete) chunk consists of the n consecutive di-blocks \((L_{(i-1)n+1}, R_{(i-1)n+1}, \ldots, L_{i \cdot n}, R_{i \cdot n})\) and employs the chaining values \(S_i\) and \(Z_{i,j}\). We derive all chaining values under distinct domains as before; in total, \(\ell -1\) chaining values \(Z_{i,j}\) are derived by one TBC call each. For the i-th chunk, \(S_i\) is computed as \(S_i \leftarrow \widetilde{E} _K^{\mathsf {s},0,i}(S)\). Then, for \(j \in [1..n]\), the chaining value \(Z_{i,j}\) for the j-th di-block of the i-th chunk is generated from \(S_i\) as \(Z_{i, j} \leftarrow \widetilde{E} _K^{\mathsf {c},0,n(i-1)+j}(S_i)\). \(Y_{n(i-1) + j}\) is then computed as \(Y_{n(i-1) + j} \leftarrow R_{n(i-1) + j} + S_i + Z_{n(i-1) + j}\). The rest of the computations remains unchanged. Letting j take any value in \([1..\ell ]\), we can rewrite this as

$$\begin{aligned} Y_j \leftarrow R_j + S_{\left\lceil {j/n}\right\rceil } + Z_j. \qquad \qquad (2\text {'}) \end{aligned}$$

The encryption of \(\textsc {ZCZ} [\widetilde{E} _K]\) is defined in Algorithm 2, and illustrated in parts in Fig. 2, already for more than n complete di-blocks. The figure employs bold bars in the blocks of \(\widetilde{E} \) to indicate the parts of the tweaks that stem from \(\mathcal {T} \). The decryption is defined in the obvious way.
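The middle-layer mask schedule described above, including the chunking for \(\ell > n\) di-blocks, as an added Python example that is not the authors' code. The TBC is replaced by an HMAC-SHA256 stand-in, since only the forward direction is needed for \(S_i\) and \(Z_j\). The page gives the tweak of the \(Z\) call in two forms (with T as tweak in the basic description, with the global block index in the extension paragraph); this example assumes the triple \((\mathsf {c}, j, T)\) with j counted over the whole message, and \((\mathsf {s}, 0, i)\) for \(S_i\). It derives the masks, applies equation (2'), records every tweak triple so that their pairwise distinctness can be checked, and counts the TBC calls against a rate-1 counter mode over \(2(\ell -1)\) blocks; all key and sample values are constructed.

```python
"""Added example: ZCZ middle-layer mask schedule with chunking for l > n di-blocks."""
import hmac
import hashlib

N = 128                 # n: block size in bits, and also the number of di-blocks per chunk
BLOCK = N // 8


def tbc(key, domain, index, tweak, x):
    """Stand-in for E_K^{domain, index, tweak}(x): HMAC-SHA256 over the length-prefixed tweak
    triple and the input, truncated to n bits (assumption of this example; ZCZ uses an n-bit
    TBC). Only the forward direction is needed for S_i and Z_j, so a PRF suffices here."""
    msg = domain + index.to_bytes(4, "big") + len(tweak).to_bytes(1, "big") + tweak + x
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def chunk_of(j, n=N):
    """Chunk index ceil(j/n) of di-block j (0 for j = 0)."""
    return -(-j // n)


def mask_schedule(key, S, T, ell, n=N):
    """S_i <- E^{s,0,i}(S) for each chunk i and Z_j <- E^{c,j,T}(S_{ceil(j/n)}) for
    j = 1..ell-1. Returns (S_list, Z_list, triples); triples records every tweak triple."""
    chunks = chunk_of(ell - 1, n)          # 0 when ell == 1: no chaining values needed
    S_list, Z_list, triples = [], [], []
    for i in range(1, chunks + 1):
        tw = i.to_bytes(BLOCK, "big")      # the integer i as n-bit tweak
        triples.append((b"s", 0, tw))
        S_list.append(tbc(key, b"s", 0, tw, S))
    for j in range(1, ell):
        triples.append((b"c", j, T))
        Z_list.append(tbc(key, b"c", j, T, S_list[chunk_of(j, n) - 1]))
    return S_list, Z_list, triples


def apply_masks(key, S, T, xs, rs, n=N):
    """Equation (2') and its left-branch counterpart for j = 1..ell-1:
    L'_j <- X_j + Z_j and Y_j <- R_j + S_{ceil(j/n)} + Z_j."""
    ell = len(xs) + 1
    S_list, Z_list, _ = mask_schedule(key, S, T, ell, n)
    lps, ys = [], []
    for j, (x, r, z) in enumerate(zip(xs, rs, Z_list), start=1):
        s_i = S_list[chunk_of(j, n) - 1]
        lps.append(xor(x, z))
        ys.append(xor(xor(r, s_i), z))
    return lps, ys


def tbc_call_count(ell, n=N):
    """(calls of this schedule, calls of a rate-1 counter mode) to mask 2(ell-1) branches:
    ell-1 chaining values plus one S_i per chunk, versus one call per masked block."""
    return (ell - 1) + chunk_of(ell - 1, n), 2 * (ell - 1)


if __name__ == "__main__":
    key, S, T = b"\x2a" * 16, bytes(range(16)), bytes(range(16, 32))   # constructed values
    S_list, Z_list, triples = mask_schedule(key, S, T, 300)
    print(len(S_list), "chunk values,", len(Z_list), "chaining values, distinct tweaks:",
          len(set(triples)) == len(triples))
    print("TBC calls (ZCZ middle layer, rate-1 CTR):", tbc_call_count(300))
```

Because every \(Z_j\) is a function of \((S, T)\) only, two queries that agree in \((S, T)\) receive the same mask stream; this is exactly the collision that the bad event \(\mathsf {badB}\) in Sect. 6 excludes.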

5 \(\textsc {ZCZ}^*\) for Messages with Partial Final Di-block

We extend the definition of ZCZ to messages whose length is not a multiple of 2n bits. We denote the last \(r \leftarrow |M| \bmod 2n\) bits as partial di-block. Our approach for \(\textsc {ZCZ}^*\) is inspired by the DE domain extender from [25]. Therefore, we briefly recap it.


The Domain Extender \(\textsc {DE} [\varPi , F, H]: \{0,1\}^{\ge n} \rightarrow \{0,1\}^{\ge n}\) [25] takes a blockwise-operating length-preserving permutation \(\varPi : (\{0,1\}^{n})^+ \rightarrow (\{0,1\}^{n})^+\), a PRF \(F: \{0,1\}^{n} \rightarrow \{0,1\}^{n}\), and an XOR-universal hash function \(H: \{0,1\}^{n} \times \{0,1\}^{2n} \rightarrow \{0,1\}^{n}\). It produces a length-preserving permutation over bit strings of any length \(\ge n\) bits. A message \(M \in \{0,1\}^{\ge n}\) is split into blocks \((M_1, \ldots , M_\ell )\); \(\textsc {DE} [\varPi , F, H]\) computes the corresponding ciphertext \(C = (C_1, \ldots , C_\ell )\) as: (1) \(M^*_{\ell -1} \leftarrow H(M_{\ell -1}, M_\ell )\), (2) \((C_1, \ldots , C_{\ell -2}, C^*_{\ell -1}) \leftarrow \varPi (M_1, \ldots , M_{\ell -2}, M^*_{\ell -1})\), (3) \(C_{\ell } \leftarrow F(M^*_{\ell -1} + C^*_{\ell -1}) +_{|M_\ell |} M_\ell \), and (4) \(C_{\ell -1} \leftarrow H(C^*_{\ell -1}, C_\ell )\). Where

for any \(x,y \in \{0,1\}^{*}\) and integer n. For DE to be a permutation, the hash function H must satisfy \(H(H(M_{\ell -1}, M_\ell ), M_\ell ) = M_{\ell -1}\) for any allowed input \(M_{\ell -1}\), \(M_\ell \) (see [25, Remark 2]).

Overview of \(\textsc {ZCZ}^*\). Our extension \(\textsc {ZCZ}^*\) still requires that the message length is at least 2n bits. Let \(M_* = (L_*, R_*)\) be the partial message di-block that follows after \(\ell \) complete di-blocks. Assume first that the partial di-block consists of \(\ge n\) bits that are split into \(|L_*| = n\) and \(|R_*| < n\). The right part is padded to n bits by a single 1 and as many zero bits as necessary: \(\overline{R}_* \leftarrow \mathsf {pad}_n(R_*)\). The values are given as inputs to a hash function \(\mathcal {H} [\widetilde{E} _K, i]\), with \(i = 0\), that is illustrated on the right side of Fig. 3. \(\mathcal {H}\) uses one of the two n-bit values as state and the other one as tweak input for two calls to \(\widetilde{E} _K\) under distinct tweaks: \(U' \leftarrow \widetilde{E} _K^{\mathsf {p}, i, V}(U)\) and \(V' \leftarrow \widetilde{E} _K^{\mathsf {p}, i+1, V}(U)\). The 2n-bit output \((U', V')\) is added to the final complete di-block. The resulting final di-block \((L_{\ell }, R_{\ell })\) is then processed by \(\textsc {ZCZ} [\widetilde{E} _K]\). The sum \((L_{\ell }, R_{\ell }) + (L'_{\ell }, R'_{\ell })\) is then given again to \(\mathcal {H} [\widetilde{E} _K, i]\), with \(i = 2\), to produce a 2n-bit value \((P'_{\ell }, Q'_{\ell })\). Its most significant r bits are added to the final partial di-block to obtain the partial ciphertext di-block \(M'_*\). \(M'_*\) is again padded to 2n bits and given as input to a third call to \(\mathcal {H} [\widetilde{E} _K, i]\), with \(i = 4\). The hash output is added to the final ciphertext di-block to produce \(M'_{\ell }\). If the partial di-block consists of less than n bits, it is also padded to 2n bits and processed analogously. So, the hash function H from the original definition of \(\textsc {DE} [\varPi , F, H]\) adds the output of \(\mathcal {H} [\widetilde{E} _K, i]\) on the padded partial di-block to the complete di-block. Since the partial di-block enters only through \(\mathcal {H}\), one can see that the requirement from above holds for arbitrary \(M_{\ell }\) and \(M_*\): \(H\left( H\left( M_{\ell }, M_*\right) , M_*\right) = M_{\ell }\).
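The DE domain extender, steps (1)–(4), together with a hash of the shape used by \(\textsc {ZCZ}^*\) (\(H(a, b) = a + G(\mathsf {pad}(b))\)), as an added Python example that is not code from [25] or from the ZCZ authors. The blockwise permutation \(\varPi \), the PRF F and the hash G are toy stand-ins built from HMAC-SHA256 (\(\varPi \) is invertible but not a secure SPRP; in \(\textsc {ZCZ}^*\) that role is taken by ZCZ), the unit is one 2n-bit di-block handled at byte granularity, and the operator \(+_{|M_\ell |}\), whose definition is not reproduced on this page, is taken to mean truncating the PRF output to \(|M_\ell |\) bits and XORing. The decryption shows where the requirement \(H(H(a, b), b) = a\) is used; all keys and messages are constructed.

```python
"""Added example: the DE domain extender with toy stand-ins for Pi, F and H."""
import hmac
import hashlib

BLOCK = 32      # one 2n-bit di-block for n = 128, in bytes


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def prf(key, label, data, outlen):
    """HMAC-SHA256 in counter mode; used for F, for G and inside Pi under distinct labels."""
    out, ctr = b"", 0
    while len(out) < outlen:
        out += hmac.new(key, label + ctr.to_bytes(4, "big") + data, hashlib.sha256).digest()
        ctr += 1
    return out[:outlen]


def pad(x):
    """10* padding of a partial di-block to BLOCK bytes (byte-granular version of pad_n)."""
    assert 0 < len(x) < BLOCK
    return x + b"\x80" + b"\x00" * (BLOCK - len(x) - 1)


def hash_h(key, a, b):
    """H(a, b) = a + G(pad(b)). The partial block enters only through G, hence
    H(H(a, b), b) = a, the requirement of [25, Remark 2]."""
    return xor(a, prf(key, b"G", pad(b), BLOCK))


def pi_encrypt(key, blocks):
    """Toy blockwise-operating bijection (CFB-style chaining with a per-position PRF).
    Invertible and length-preserving, but NOT a secure SPRP; ZCZ takes this role."""
    out, prev = [], bytes(BLOCK)
    for k, m in enumerate(blocks):
        c = xor(m, prf(key, b"P" + k.to_bytes(4, "big"), prev, BLOCK))
        out.append(c)
        prev = c
    return out


def pi_decrypt(key, blocks):
    out, prev = [], bytes(BLOCK)
    for k, c in enumerate(blocks):
        out.append(xor(c, prf(key, b"P" + k.to_bytes(4, "big"), prev, BLOCK)))
        prev = c
    return out


def split(msg):
    r = len(msg) % BLOCK
    full = [msg[i:i + BLOCK] for i in range(0, len(msg) - r, BLOCK)]
    return full, (msg[len(msg) - r:] if r else b"")


def de_encrypt(key, msg):
    assert len(msg) >= BLOCK, "DE needs at least one complete block"
    full, m_last = split(msg)
    if not m_last:
        return b"".join(pi_encrypt(key, full))
    m_star = hash_h(key, full[-1], m_last)                    # (1) M*_{l-1} = H(M_{l-1}, M_l)
    c = pi_encrypt(key, full[:-1] + [m_star])                 # (2) (C_1, .., C_{l-2}, C*_{l-1})
    c_star = c[-1]
    f_out = prf(key, b"F", xor(m_star, c_star), len(m_last))  # (3) F(M* + C*), truncated to
    c_last = xor(m_last, f_out)                               #     |M_l| bits (assumed +_{|M_l|})
    c[-1] = hash_h(key, c_star, c_last)                       # (4) C_{l-1} = H(C*_{l-1}, C_l)
    return b"".join(c) + c_last


def de_decrypt(key, ct):
    full, c_last = split(ct)
    if not c_last:
        return b"".join(pi_decrypt(key, full))
    c_star = hash_h(key, full[-1], c_last)                    # undo (4): H(H(C*, C_l), C_l) = C*
    m = pi_decrypt(key, full[:-1] + [c_star])                 # undo (2)
    m_star = m[-1]
    f_out = prf(key, b"F", xor(m_star, c_star), len(c_last))
    m_last = xor(c_last, f_out)                               # undo (3)
    m[-1] = hash_h(key, m_star, m_last)                       # undo (1): H(H(M, M_l), M_l) = M
    return b"".join(m) + m_last


def roundtrip_ok(key, msg):
    ct = de_encrypt(key, msg)
    return len(ct) == len(msg) and de_decrypt(key, ct) == msg
```

Step (3) is the only place where the partial block is encrypted, and its PRF input \(M^*_{\ell -1} + C^*_{\ell -1}\) is recoverable by the decryptor only because step (4) can be undone without knowing \(M_\ell \); that is what the involution property of H buys.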

Fig. 3. Encryption of a partial message \(M_1, \ldots , M_{\ell }, M^*\) whose length is not a multiple of 2n bits with \(\textsc {ZCZ}^* [\widetilde{E} _K]\). All preceding di-blocks \(M_1, \ldots , M_{\ell }\) are processed with \(\textsc {ZCZ} [\widetilde{E} _K]\) as before.

Remark 2

Note that \(\textsc {ZCZ}^*\) still requires messages of at least 2n bits. A further minor improvement in future work could be the integration of smaller messages. For instance, the use of the very recent length-doubling construction LDT [7] could reduce the minimal message length to \(n+1\) bits. However, this step would require an appropriate integration, and \(\textsc {ZCZ}^*\) is already a variable-input-length SPRP for lengths \(\ge 2n\) bits.

6 Security Analysis of ZCZ and \(\textsc {ZCZ}^*\)

This section studies the SPRP security of ZCZ and \(\textsc {ZCZ}^*\). Figure 4 provides a high-level overview of ZCZ. A given message M is split into \((M_L, M_R)\), where \(M_R\) consists of one 2n-bit di-block and \(M_L\) of the remaining di-blocks; the major part \(M_L\) is then processed by a variant of ZHash that is denoted \(\textsc {ZHash} ^*\) here. It differs from ZHash in two aspects: \(\textsc {ZHash} ^*\) omits the XOR of the TBC output to the tweak input blocks. More prominently, \(\textsc {ZHash} ^*\) does not compress the input to two hash values, but is a permutation over \((n+\tau )^*\). So, the top layer returns the TBC outputs and the tweaks. \(\widetilde{V}_1\) and \(\widetilde{V}_2\) represent tweakable permutations. Internally, they can use the same primitive as \(\textsc {ZHash} ^*\) and as the tweakable variant of counter mode, \(\textsc {CTR} ^*\). H symbolizes an error-correcting code that sums up the inputs to 2n bits.

This high-level view allows us to give a rationale for a dedicated analysis. A straightforward use of a rate-1 counter mode would allow us to apply a standard generic proof as for HCTR. However, such an approach would require \(2\ell \) calls to the primitive for the counter mode alone. In combination with \(\textsc {ZHash} ^*\), it would need \(4\ell \) calls to the primitive for messages of \(2\ell \) blocks. ZCZ uses a special variant of counter mode that needs only \(\ell \) blocks of entropy to mask \(2\ell \) blocks, similar to what has been used in AEZ since version 2 [12]. However, this counter mode does not allow us to simply adopt the analysis of HCTR-like constructions when the goal is to show n-bit security. So, a dedicated analysis is needed, which is a major contribution of the present work. In the following, we study the security of the basic construction before we consider the extension for inputs whose length is not necessarily a multiple of 2n bits, but at least 2n bits. We show the security of the extension \(\textsc {ZCZ}^*\) at the end of this section.

Fig. 4. High-level view on our proposal of ZCZ.

6.1 Security of the Basic Construction

Theorem 1

Let \(\widetilde{\pi } \twoheadleftarrow \mathsf {\widetilde{Perm}} (\mathcal {T} _{D,I}, \{0,1\}^{n})\). Let \(\mathbf {A}\) be an SPRP adversary on \(\textsc {ZCZ} [\widetilde{\pi } ]\), s.t. \(\mathbf {A}\) asks at most q queries of domain \(\mathcal {B} ^{\le n} \), that sum up to at most \(\sigma \) di-blocks in total. Then

$$\begin{aligned} \mathbf {{Adv}}^{\textsc {SPRP}}_{\textsc {ZCZ} [\widetilde{\pi } ]}(\mathbf {A})&\le \frac{3\sigma ^2 + 9q^2}{2N^2}. \end{aligned}$$

Proof

The queries 1 through q by \(\mathbf {A}\) are collected in a transcript \(\tau \), where we define two disjoint sets of indices E and D s.t. \([1..q] = E \sqcup D\); E consists of exactly those indices i s.t. the i-th query of \(\mathbf {A}\) is an encryption query, and D consists of exactly those indices i s.t. the i-th query of \(\mathbf {A}\) is a decryption query. We define \(\ell ^i\) to be the number of di-blocks in the i-th query, where \(\ell ^i \le n\).

In both worlds, the adversary’s queries are answered immediately with the corresponding outputs; certain internal parts of the transcript will be revealed to the adversary after it made all its queries, but before it outputs its decision bit that represents its guess of which world it interacted with. The internal parts consist of \(S^i, T^i, S_1^i, X^i_L, X^i_R, Y^i_L, Y^i_R\) for \(i\in [1..q]\) and \(Z^i_{1,j}\) for \(i\in [1..q],j\in [1..\ell ^i-1]\); for ease of notation, we write \(Z^i_j\) to refer to \(Z^i_{1,j}\).

We will subsequently define certain transcripts to be good. More specifically, we describe a mechanism for the ideal oracle to sample the internal values to be given to the adversary at the end of the query phase, and define the event \(\textsf {bad} \) as the union of five events \(\mathsf {badA},\mathsf {badB},\mathsf {badC},\mathsf {badD}\) and \(\mathsf {badE}\). We call a transcript good if it can be obtained by the ideal oracle without encountering the event \(\textsf {bad} \). Now we state two lemmas.

Lemma 2

\(\displaystyle \Pr \left[ \textsf {bad} \right] \le \frac{3\sigma ^2 + 8q^2}{N^2}.\)

Lemma 3

For any good transcript \(\tau \),

$$\begin{aligned} \frac{\Pr \left[ \varTheta _{\text {real}} = \tau \right] }{\Pr \left[ \varTheta _{\text {ideal}} = \tau \right] }&\ge 1 - \frac{q^2}{N^2}. \end{aligned}$$

Then, the proof follows from Lemmas 1, 2, and 3.    \(\square \)

For proving Lemmas 2 and 3, we first define the sampling mechanism of the ideal oracle and the bad events.

Equations. First, we write the internal variables \(X^i_j, Y^i_j\) for \(i \in [1..q], j \in [1..\ell ^i]\) and \(U^i_L, U^i_R, V^i_L, V^i_R\) for \(i \in [1..q]\) in terms of \(S^i, T^i, S^i_1, X^i_L, X^i_R, Y^i_L, Y^i_R, Z^i_j\):

$$\begin{aligned} X^i_j&= L'^i_j + Z^i_j, \end{aligned}$$
(1)
$$\begin{aligned} Y^i_j&= R^i_j + Z^i_j + S^i_1. \end{aligned}$$
(2)

Moreover, we define four auxiliary variables for easier reference:

$$\begin{aligned} U^i_L&= L^i_\ell + X^i_L, \end{aligned}$$
(3)
$$\begin{aligned} U^i_R&= R^i_\ell + X^i_R, \end{aligned}$$
(4)
$$\begin{aligned} V^i_L&= L'^i_\ell + Y^i_L, \end{aligned}$$
(5)
$$\begin{aligned} V^i_R&= R'^i_\ell + Y^i_R. \end{aligned}$$
(6)

Identifying A Basis. A basis is a set of variables (internal to the construction) which can be sampled uniformly and independently in the ideal oracle after fixing the inputs and outputs that are known to the adversary. By looking at the construction and eliminating the relationships between the internal variables, plaintexts, and ciphertexts, some internal variables can be chosen almost freely, and still the real construction will be indistinguishable from the ideal world for the adversary even after observing the plain- and ciphertexts. We call those variables a basis. For \(i \in [1..q], j \in [1..\ell ^i]\), we define \((i, j)\) to be fresh if either of the following is true:

  • \(i \in E\), and for all \(i' \in [1..i-1]\): \((L^{i'}_j,R^{i'}_j) \ne (L^i_j,R^i_j)\);

  • \(i \in D\), and for all \(i' \in [1..i-1]\): \((L'^{i'}_j,R'^{i'}_j) \ne (L'^i_j,R'^i_j)\).

For \(i \in [2..q], i' \in [1..i-1]\), we say i is akin to \(i'\) if either of the following holds:

  • \(\ell ^i = \ell ^{i'}\), \(i \in E\), and for all \(j \in [1..\ell ^i - 1]\): \((L^{i'}_j,R^{i'}_j) = (L^i_j,R^i_j)\);

  • \(\ell ^i = \ell ^{i'}\), \(i \in D\), and for all \(j \in [1..\ell ^i - 1]\): \((L'^{i'}_j,R'^{i'}_j) = (L'^i_j,R'^i_j)\).

We say i is new if it is not akin to any \(i' \in [1..i-1]\). Now we define the basis as follows: for \(i \in [1..q]\),

  • For \(j \in [1..\ell ^i-1]\), \(Z^i_j\) is in the basis if \((i, j)\) is fresh;

  • \(X^i_L\) and \(X^i_R\) are in the basis if \(i \in D\), or if \(i \in E\) and i is new;

  • \(Y^i_L\) and \(Y^i_R\) are in the basis if \(i \in E\), or if \(i \in D\) and i is new;

  • \(S^i, T^i,\) and \(S^i_1\) are in the basis.

Let \(\sigma _F\) represent the total number of fresh pairs in the set \(\{(i,j) \mid i \in [q], j \in [\ell ^i-1]\}\). Moreover, let \(q_\nu \) be the total number of new queries in [1..q]. Then, the size of the basis is \(\sigma _F + 2q_\nu + 5q\).

Extension from Basis. Now we show how all the internal variables \(X^i_j, Y^i_j\) for \(i \in [1..q], j \in [1..\ell ^i]\) and \(U^i_L, U^i_R, V^i_L, V^i_R\) for \(i \in [1..q]\) can be written in terms of basis variables. Since we have already seen how to write them in terms of \(S^i, T^i, S_1^i, X^i_L, X^i_R, Y^i_L, Y^i_R\) for \(i\in [1..q]\) and \(Z^i_j\) for \(i\in [1..q],j\in [1..\ell ^i-1]\), and \(S^i, T^i, S_1^i\) for \(i\in [1..q]\) are already in the basis, it suffices to show that \(Z^i_j\) for \(i\in [1..q],j\in [1..\ell ^i-1]\) and \(X^i_L, X^i_R, Y^i_L, Y^i_R\) for \(i \in [1..q]\) can be written in terms of basis variables. An expression of an internal variable in terms of basis variables and the oracle inputs and outputs will be called the extension expression of that internal variable. Thus, whenever we sample all the basis elements, we can extend this through these equations to assign values to all the internal variables.

For \(i\in E,j\in [1..\ell ^i]\), let \(i'\) be such that \((i',j)\) is fresh, and \((L^{i'}_{j}, R^{i'}_{j}) = (L^i_j, R^i_j)\). Then, \(i'\) is called the j-predecessor of i, denoted i : j. Similarly, for \(i\in D,j\in [1..\ell ^i]\), if for some \(i'\) we have \((i',j)\) fresh and \((L'^{i'}_{j},R'^{i'}_{j}) = (L'^i_j,R'^i_j)\), we set \(i:j=i'\). (Thus, when \((i, j)\) is fresh, i : j is i itself.) For \(i\in E,j\in [1..\ell ^i]\) we have from (1) that \(X^i_j = X^{i:j}_{j} = L'^{i:j}_{j} + Z^{i:j}_{j}\), so

$$\begin{aligned} Z^i_j = L'^{i:j}_{j} + L'^i_j + Z^{i:j}_{j}; \end{aligned}$$
(7)

and for \(i\in D,j\in [1..\ell ^i]\) we have from (2)

$$\begin{aligned} Y^i_j=Y^{i:j}_{j}=R^{i:j}_{j}+Z^{i:j}_{j} +S^{i:j}_1, \end{aligned}$$

so

$$\begin{aligned} Z^i_j = R^{i:j}_{j} + R^i_j + Z^{i:j}_{j} + S^{i:j}_1 + S^i_1. \end{aligned}$$
(8)

Now if i and i : j are both in E or both in D, \(Z^{i:j}_{j}\) is a basis element. (In particular, when \(i:j=i\), \(Z^{i}_{j}\) is a basis element.) Otherwise, we can go back one step further to (i : j) : j, the j-predecessor of i : j, denoted \(i:j^2\). We call (1) and (2) the extension equations. They will serve useful in the later proofs. Note that it does not hold in general that \((i:j):j = i:j\). This holds only if i : j and i are both in E or both in D, or when i : j points to a fresh input block.

For \(i \in [2..q]\), the smallest query index in \([1..i-1]\) which i is akin to is called the origin of i, denoted \(\overline{i}\). We also define the origin of 1 to be 1 itself. Thus, for \(i \in E\),

$$\begin{aligned} X^i_L&= X^{\overline{i}}_L, \end{aligned}$$
(9)
$$\begin{aligned} X^i_R&= X^{\overline{i}}_R; \end{aligned}$$
(10)

and for \(i \in D\),

$$\begin{aligned} Y^i_L&= Y^{\overline{i}}_L, \end{aligned}$$
(11)
$$\begin{aligned} Y^i_R&= Y^{\overline{i}}_R. \end{aligned}$$
(12)

Since for \(i \in E\), \(X^{\overline{i}}_L\) and \(X^{\overline{i}}_R\) are in the basis, and for \(i \in D\), \(Y^{\overline{i}}_L\) and \(Y^{\overline{i}}_R\) are in the basis, this completes the extensions.

Oracles and Bad Events. The real oracle employs \(\textsc {ZCZ} [\widetilde{\pi } ]\) to answer the queries of \(\mathbf {A}\). In the ideal world, the encryption oracle samples and returns \(L'^{i}_{j}, R'^{i}_{j}\) for \(i \in E, j \in [1..\ell ^i]\) uniformly at random; the decryption oracle samples and returns \(L^{i}_{j}, R^{i}_{j}\) for \(i \in D\), \(j \in [1..\ell ^i]\) uniformly at random. Once the interaction phase is over, the ideal world oracle samples and returns each basis element uniformly at random from \(\{0,1\}^{n}\), with two exceptions:

  • For \(i \in E\), \(S^i\) is drawn uniformly from the set

    \(\{0,1\}^{n} \setminus \left\{ S^{i'} \mid i \text { is akin to } i', R^i = R^{i'}\right\} \);

  • For \(i \in D\), \(T^i\) is drawn uniformly from the set

    \(\{0,1\}^{n} \setminus \left\{ T^{i'} \mid i \text { is akin to } i', L'^i = L'^{i'}\right\} \).

Both worlds release the values of the basis variables to the adversary. (Thus, from the extension equations, \(\mathbf {A}\) can calculate the values of the inputs, tweaks, and outputs of all internal TBC calls.) \(\mathbf {A}\) shall distinguish the real world \(\mathcal {O}_{\text {real}}\) from the ideal world \(\mathcal {O}_{\text {ideal}}\), given a transcript \(\tau \) of its interaction with the available oracles. We say that the event \(\textsf {bad} \) occurs when one of the following occurs:

  • \(\mathsf {badA}\) occurs when one of the following holds:

    • For some \(i \in E,j \in [1..\ell ^i]\), there exists \(i' \in [1..i-1]\) with \(\ell ^{i'} \ge j\) such that \((L'^{i'}_j,R'^{i'}_j) = (L'^i_j,R'^i_j)\);

    • For some \(i \in D,j \in [1..\ell ^i]\), there exists \(i' \in [1..i-1]\) with \(\ell ^{i'} \ge j\) such that \((L^{i'}_j,R^{i'}_j) = (L^i_j,R^i_j)\);

  • \(\mathsf {badB}\) occurs when for some \(i \in [2..q]\) there exists \(i' \in [1..i-1]\) with \(\ell ^i = \ell ^{i'}\) such that one of the following holds:

    • \((U^i_L, U^i_R)=(U^{i'}_L, U^{i'}_R)\);

    • \((S^i, U^i_R)=(S^{i'}, U^{i'}_R)\);

    • \((S^i, T^i)=(S^{i'}, T^{i'})\);

    • \((V^i_L, T^i)=(V^{i'}_L, T^{i'})\);

    • \((V^i_L, V^i_R)=(V^{i'}_L, V^{i'}_R)\);

  • \(\mathsf {badC}\) occurs when one of the following holds:

    • For some \(i \in [1..q]\), there exists \(i' \in [1..i-1]\) such that \((S^i_1, T^i)=(S^{i'}_1, T^{i'})\);

    • For some \(i \in [1..q],j \in [1..\ell ^i-1]\), there exists \(i' \in [1..i-1]\) with \(\ell ^{i'} \ge j+1\) such that \((Z^i_j, T^i)=(Z^{i'}_j, T^{i'})\);

  • \(\mathsf {badD}\) occurs when one of the following holds:

    • For some \(i \in E,j \in [1..\ell ^i-1]\), there exists \(i' \in [1..i-1]\) with \(\ell ^{i'} \ge j+1\) such that \((L'^i_j,Y^i_j) = (L'^{i'}_j,Y^{i'}_j)\);

    • For some \(i \in D,j \in [1..\ell ^i-1]\), there exists \(i' \in [1..i-1]\) with \(\ell ^{i'} \ge j+1\) such that \((R^i_j,X^i_j) = (R^{i'}_j,X^{i'}_j)\);

  • \(\mathsf {badE}\) occurs when for some \(i \in [2..q]\), there exists \(i' \in [1..i-1]\) such that i is not akin to \(i'\) and yet one of the following holds:

    • \((X^{*i}_L,X^{*i}_R)=(X^{*i'}_L,X^{*i'}_R)\);

    • \((Y^{*i}_L,Y^{*i}_R)=(Y^{*i'}_L,Y^{*i'}_R)\);

Thus, \(\textsf {bad} = \mathsf {badA} \cup \mathsf {badB} \cup \mathsf {badC} \cup \mathsf {badD} \cup \mathsf {badE}\). Clearly,

$$\begin{aligned} \Pr \left[ \textsf {bad} \right] \le \Pr \left[ \mathsf {badA}\right] + \Pr \left[ \mathsf {badB}\right] + \Pr \left[ \mathsf {badC}\right] + \Pr \left[ \mathsf {badD}\right] + \Pr \left[ \mathsf {badE}\right] . \end{aligned}$$
(13)

Now, we are in a position to prove Lemmas 2 and 3.

Proof of Lemma 2. Below, we show that each of the collision pairs that would result in one of the bad events has a joint probability of at most \(1/N^2\). For this, we use that all basis elements are sampled uniformly from \(\{0,1\}^{n}\). The values \(S^i\) and \(T^i\) are sampled without replacement under certain circumstances; then their collision probability is at most \(1/(N(N-1))\), which can be upper bounded by \(2/N^2\). Thus, for bounding the bad events, we only need to bound the number of candidate collision pairs.

For \(\mathsf {badA}\), there can be:

  • at most \(\sigma _E^2/2\) collision events of the form \((L'^{i'}_j,R'^{i'}_j) = (L'^i_j,R'^i_j)\);

  • at most \(\sigma _D^2/2\) collision events of the form \((L^{i'}_j,R^{i'}_j) = (L^i_j,R^i_j)\);

where \(\sigma _E\) is the total number of encryption query blocks and \(\sigma _D\) is the total number of decryption query blocks, so that \(\sigma _E^2+\sigma _D^2 \le \sigma ^2\). Thus

$$\begin{aligned} \Pr \left[ \mathsf {badA}\right] \le \frac{\sigma ^2}{N^2}. \end{aligned}$$
(14)

For \(\mathsf {badB}\), there can be:

  • at most \(q^2/2\) collision events of the form \((U^i_L, U^i_R) = (U^{i'}_L, U^{i'}_R)\);

  • at most \(q^2/2\) collision events of the form \((S^i, U^i_R) = (S^{i'}, U^{i'}_R)\);

  • at most \(q^2/2\) collision events of the form \((S^i, T^i) = (S^{i'}, T^{i'})\);

  • at most \(q^2/2\) collision events of the form \((V^i_L, T^i) = (V^{i'}_L, T^{i'})\);

  • at most \(q^2/2\) collision events of the form \((V^i_L, V^i_R) = (V^{i'}_L, V^{i'}_R)\);

Thus

$$\begin{aligned} \Pr \left[ \mathsf {badB}\right] \le \frac{5q^2}{N^2}. \end{aligned}$$
(15)

For \(\mathsf {badC}\), there can be:

  • at most \(q^2/2\) collision events of the form \((S^i_1, T^i) = (S^{i'}_1, T^{i'})\);

  • at most \(\sigma ^2/2\) collision events of the form \((Z^i_j, T^i) = (Z^{i'}_j, T^{i'})\).

Thus

$$\begin{aligned} \Pr \left[ \mathsf {badC}\right] \le \frac{q^2+\sigma ^2}{N^2}. \end{aligned}$$
(16)

For \(\mathsf {badD}\), there can be:

  • at most \(\sigma _E^2/2\) collision events of the form \((L'^i_j,Y^i_j) = (L'^{i'}_j,Y^{i'}_j)\);

  • at most \(\sigma _D^2/2\) collision events of the form \((R^i_j,X^i_j) = (R^{i'}_j,X^{i'}_j)\).

Thus

$$\begin{aligned} \Pr \left[ \mathsf {badD}\right] \le \frac{\sigma ^2}{N^2}. \end{aligned}$$
(17)

For \(\mathsf {badE}\), there can be:

  • at most \(q^2/2\) collision events of the form \((X^{*i}_L,X^{*i}_R) = (X^{*i'}_L,X^{*i'}_R)\);

  • at most \(q^2/2\) collision events of the form \((Y^{*i}_L,Y^{*i}_R) = (Y^{*i'}_L,Y^{*i'}_R)\).

Thus

$$\begin{aligned} \Pr \left[ \mathsf {badE}\right] \le \frac{2q^2}{N^2}. \end{aligned}$$
(18)

The lemma follows from (13)–(18).

Now, all that is left to do is to establish our claim that each of the collision-pairs that would result in one of the bad events has a joint probability \(\le 1/N^2\). This is to be done by examining each bad event separately. \(\mathsf {badA}\), \(\mathsf {badB}\) and \(\mathsf {badC}\) are fairly straightforward, and we leave out the proofs. \(\mathsf {badD}\) is more interesting; we provide below a complete analysis of it. The trickiest case is \(\mathsf {badE}\); here, due to space constraints, we only examine two of its main subcases in detail. The complete case-by-case analysis, along with a short analysis of \(\mathsf {badA}\), \(\mathsf {badB}\) and \(\mathsf {badC}\), can be found in the Appendix of the full version [4].

Full Analysis of \(\mathsf {badD}\). We consider the two cases separately:

  • \((L'^i_j,Y^i_j) = (L'^{i'}_j,Y^{i'}_j)\), \(i \in E\), \(i' < i\): We will show that \(Y^i_j = Y^{i'}_j\) always leads to an equation containing at least one basis variable that cannot get canceled out. The required bound follows since the basis variable and \(L'^i_j\) are independently sampled. From (2) we have

    $$\begin{aligned} R^i_j + Z^i_j + S^i_1 = R^{i'}_j + Z^{i'}_j + S^{i'}_1. \end{aligned}$$
    (19)

    Note that \(S^i_1\) cannot occur in the expansion of \(Z^{i:j}_j\), since \(i\in E\). Now we have two options of \(i'\):

    • \(i' \in E\): From (7) and (19) we have

      $$\begin{aligned} R^i_j + L'^{i:j}_j + L'^i_j + Z^{i:j}_j + S^i_1&= R^{i'}_j + L'^{i':j}_j + L'^{i'}_j + Z^{i':j}_j + S^{i'}_1. \end{aligned}$$

      Here the basis element \(S^i_1\) cannot be canceled out, since \(i'<i\).

    • \(i' \in D\): From (7), (8) and (19), we have

      $$\begin{aligned} R^i_j + L'^{i:j}_j + L'^i_j + Z^{i:j}_j + S^i_1&= R^{i'}_j + R^{i':j}_j + R^{i'}_j + Z^{i':j}_j + S^{i':j}_1. \end{aligned}$$

      Again, the basis element \(S^i_1\) cannot be canceled out since \(i':j \le i' < i\).

  • \((R^i_j,X^i_j) = (R^{i'}_j,X^{i'}_j)\), \(i \in D\), \(i' < i\): As above, we show that \(X^i_j = X^{i'}_j\) always leads to an equation containing at least one basis variable that cannot get canceled out, and the required bound follows since the basis variable and \(R^i_j\) are independently sampled. From (1), we have

    $$\begin{aligned} L'^i_j + Z^i_j = L'^{i'}_j + Z^{i'}_j. \end{aligned}$$
    (20)

    Now, we have two options of \(i'\):

    • \(i'\in E\): From (8), (7) and (20), we have

      $$\begin{aligned} L'^i_j + R^{i:j}_j + R^i_j + Z^{i:j}_j + S^{i:j}_1 + S^i_1&= L'^{i':j}_j + Z^{i':j}_j. \end{aligned}$$

      When \(i:j<i\), the basis element \(S^i_1\) cannot be canceled out, and when \(i = i:j\), we have \(i':j \le i'<i = i:j\), so the basis element \(Z^{i:j}_j = Z^i_j\) cannot be canceled out.

    • \(i' \in D\): From (8) and (20), we have

      $$\begin{aligned} L'^i_j + R^{i:j}_j + R^i_j + Z^{i:j}_j + S^{i:j}_1 + S^i_1&= L'^{i'}_j + R^{i':j}_j+R^{i'}_j+Z^{i':j}_j +S^{i':j}_1+S^{i'}_1. \end{aligned}$$

      Here again, either \(S^i_1\) or the basis element \(Z^i_j\) cannot be canceled out, and the argument is identical to the above.

Partial Analysis of \(\mathsf {badE}\). This is trickier than the other bad events and requires some careful case analysis. We examine the two most difficult sub-cases here. Let \(i' < i\) be two queries of the same length \(\ell \), and let \(\alpha _j(\cdot )\) and \(\alpha ^2_j(\cdot )\) be the linear functions \(\alpha _j(x) = \alpha ^{\ell -1-j} \cdot x\) and \(\alpha ^2_j(x) = (\alpha ^2)^{\ell -1-j} \cdot x\), i.e., the Horner-rule weights of the accumulations (their explicit form is used in the last sub-case below).

Both the sub-cases we examine here fall under the case of \((X^{*i}_L,X^{*i}_R)=(X^{*i'}_L,X^{*i'}_R)\). We can write this collision as

$$\begin{aligned} \sum _{j=1}^{\ell -1} \alpha _j(X^i_j+X^{i'}_j)&= 0 \quad \text {and}\quad \sum _{j=1}^{\ell -1} \alpha ^2_j(X^i_j+X^{i'}_j) = \sum _{j=1}^{\ell -1} \alpha ^2_j(R^i_j+R^{i'}_j). \end{aligned}$$

Using (1) we can rewrite these as

$$\begin{aligned} \sum _{j=1}^{\ell -1} \alpha _j(Z^i_j+Z^{i'}_j)&= \sum _{j=1}^{\ell -1} \alpha _j(L'^i_j+L'^{i'}_j), \end{aligned}$$
(21)
$$\begin{aligned} \sum _{j=1}^{\ell -1} \alpha ^2_j(Z^i_j+Z^{i'}_j)&= \sum _{j=1}^{\ell -1} \alpha ^2_j(L'^i_j+L'^{i'}_j+R^i_j+R^{i'}_j). \end{aligned}$$
(22)

We first observe that since i is not akin to \(i'\), \(X^i_j+X^{i'}_j\) cannot trivially disappear for all \(j \in [1..\ell - 1]\). Also, since the \(\alpha _j(X^i_j+X^{i'}_j)\) sum to 0, there must be at least two indices in \([1..\ell - 1]\) where \(X^i_j+X^{i'}_j\) does not trivially disappear; let \(j_0\) and \(j_1\) be the two largest such indices, with \(j_0 > j_1\). Now, we first consider the sub-case \(i \in E, i' \in E\). From (7), (21) and (22) we have

$$\begin{aligned} \sum _{j=1}^{\ell -1} \alpha _j (Z^{i:j}_j + Z^{i':j}_j)&= \sum _{j=1}^{\ell -1} \alpha _j (L'^{i:j}_j + L'^{i':j}_j), \end{aligned}$$
(23)
$$\begin{aligned} \sum _{j=1}^{\ell -1} \alpha ^2_j (Z^{i:j}_j + Z^{i':j}_j)&= \sum _{j=1}^{\ell -1} \alpha ^2_j (L'^{i:j}_j + L'^{i':j}_j + R^{i:j}_j + R^{i':j}_j). \end{aligned}$$
(24)

By choice of \(j_0\), \(i:j_0 \ne i':j_0\). Suppose \(i:j_0 > i':j_0\). If \(i:j_0 \in D\), using (8), we replace \(Z^{i:j_0}_{j_0}\) by \(R^{i:j_0^2}_{j_0} + R^{i:j_0}_{j_0} + Z^{i:j_0^2}_{j_0} + S^{i:j_0^2}_1 + S^{i:j_0}_1\). The basis element \(S^{i:j_0}_1\) does not get canceled out; moreover, \(R^{i:j_0}_{j_0}\) remains only in the top equation, while it gets canceled out in the bottom equation. Since \(i:j = i':j\) for all \(j > j_0\), none of the adversary-queried blocks remaining in either equation came after \(R^{i:j_0}_{j_0}\), so it is independent of the rest of the equation; along with the basis element \(S^{i:j_0}_1\) (which appears in both equations), this makes the two collisions independent, thus occurring jointly with a probability \(1/N^2\).

If \(i:j_0 \in E\), \(Z^{i:j_0}_{j_0}\) is in the basis and does not cancel out. On the right-hand side of both equations, \(L'^{i:j_0}_{j_0}\) remains uncanceled as well, while all later adversary queries get canceled. Thus, the two equations can become dependent with probability at most 1 / N; then, the common collision can occur with probability at most 1 / N. Hence, in either case, the joint collision occurs with a probability of at most \(1/N^2\). The analysis is similar when \(i:j_0 < i':j_0\); then we focus on the latter instead.

The other sub-case we consider is \(i \in E, i' \in D\). From (7), (8), (21) and (22) we have

$$\begin{aligned} \sum _{j=1}^{\ell -1} \alpha _j(Z^{i:j}_j+Z^{i':j}_j+S^{i'}_1+S^{i':j}_1)&= \sum _{j=1}^{\ell -1} \alpha _j(L'^{i:j}_j+L'^{i':j}_j+R^{i'}_j+R^{i':j}_j), \end{aligned}$$
(25)
$$\begin{aligned} \sum _{j=1}^{\ell -1} \alpha ^2_j(Z^{i:j}_j+Z^{i':j}_j+S^{i'}_1+S^{i':j}_1)&= \sum _{j=1}^{\ell -1} \alpha ^2_j(L'^{i:j}_j+L'^{i':j}_j+R^{i:j}_j+R^{i':j}_j). \end{aligned}$$
(26)

By choice of \(j_0\) and \(j_1\), \(i:j_0 \ne i'\) and \(i:j_1 \ne i'\). Suppose \(i:j_0 < i'\). Then \(S^{i'}_1\) and \(R^{i'}_{j_0}\) remain uncanceled in (25), and no adversary query block queried after \(R^{i'}_{j_0}\) remains uncanceled; in (26), \(S^{i'}_1\) remains uncanceled again, but there is no \(R^{i'}_{j_0}\) and no adversary query block queried after it. Thus these two can occur jointly with a probability at most \(1/N^2\).

A symmetric argument can be used when \(i:j_0 > i'\) and \(i:j_0 \in D\): we replace \(Z^{i:j_0}_{j_0}\) by \(R^{i:j_0^2}_{j_0} + R^{i:j_0}_{j_0} + Z^{i:j_0^2}_{j_0} + S^{i:j_0^2}_1 + S^{i:j_0}_1\) using (8), and observe that \(S^{i:j_0}_1\) remains uncanceled in either equation, while \(R^{i:j_0}_{j_0}\) remains uncanceled in (25), but gets canceled out in (26), and no adversary query block queried after it remains in either equation.

When \(i:j_0 > i'\) and \(i:j_0 \in E\), but \(i:j_1\) satisfies one of the above two conditions, we can argue as above using \(i:j_1\) instead. If we also have \(i:j_1 > i'\) and \(i:j_1 \in E\), we observe that \(Z^{i:j_0}_{j_0}\) and \(Z^{i:j_1}_{j_1}\) are basis elements that do not get canceled out in either equation. Their combined contribution to the left-hand side of (25) is \(\alpha ^{\ell -1-j_0} \cdot Z^{i:j_0}_{j_0} + \alpha ^{\ell -1-j_1} \cdot Z^{i:j_1}_{j_1}\) and to the left-hand side of (26) is \((\alpha ^2)^{\ell -1-j_0} \cdot Z^{i:j_0}_{j_0} + (\alpha ^2)^{\ell -1-j_1} \cdot Z^{i:j_1}_{j_1}\). These two collisions are independent since \(\alpha ^{\ell -1-j_0} \cdot (\alpha ^2)^{\ell -1-j_1} \ne \alpha ^{\ell -1-j_1} \cdot (\alpha ^2)^{\ell -1-j_0}\) (the two sides differ by the factor \(\alpha ^{j_0 - j_1} \ne 1\)), and thus can occur jointly with a probability at most \(1/N^2\). The rest of the sub-cases can be analysed similarly. This completes the proof of Lemma 2.   \(\square \)

Proof of Lemma 3

Let \(\tau \) be a good transcript, i.e., none of the events \(\mathsf {badA}\), \(\mathsf {badB}\), \(\mathsf {badC}\), \(\mathsf {badD}\), or \(\mathsf {badE}\) occurred. Then, in the ideal world, there are \(2\sigma \) samplings for generating the query responses and \(\sigma _F + 2q_{\nu } + 5q\) for generating the basis elements. In the ideal world, the basis elements are sampled uniformly at random and independently from each other. Hence, the probability for those is given by \(1/N^{\sigma _F + 2q_{\nu } + 5q}\). The situation differs for the outputs of the scheme. The ideal world is an ideal SPRP; hence, the outputs are sampled without replacement. Since all queries are from the domain \(\mathcal {B} ^{\le n}\), we can group encryption and decryption queries into disjoint sets \(\mathcal {L} ^1, \ldots , \mathcal {L} ^{n}\) s.t. their union contains all queries, and the set \(\mathcal {L} ^i\) contains exactly the queries of length i di-blocks. We define by \(\textsc {Load}\left( \mathcal {L} ^i\right) \) the number of queries in the set \(\mathcal {L} ^i\), for all \(1 \le i \le n\). The probability for ciphertext outputs from encryption queries and plaintext outputs from decryption queries is

$$\begin{aligned} \prod _{i = 1}^{n} \frac{1}{ \left( N^{2i} \right) _{\textsc {Load}\left( \mathcal {L} ^i\right) } }. \end{aligned}$$

Since each query has at least 2n bits, we can lower bound the probability by

$$\begin{aligned} \prod _{i = 1}^{n} \frac{1}{ \left( N^{2i} \right) _{\textsc {Load}\left( \mathcal {L} ^i\right) } }&\le \frac{1}{ \left( N^2\right) _{2q} } \cdot \frac{1}{N^{2\sigma - 2q}}. \end{aligned}$$

We obtain that

$$\begin{aligned} \Pr \left[ \varTheta _{\text {ideal}} = \tau \right] \le \frac{1}{N^{\sigma _F+2q_{\nu }+3q+2\sigma }} \cdot \frac{1}{ \left( N^2\right) _{q} }. \end{aligned}$$
(27)

In the real world, the construction employs a permutation \(\widetilde{\pi } ^{\mathsf {T}}(\cdot )\) for each tweak \(\mathsf {T} \in \mathcal {T} _{\mathcal {D} \times \mathcal {I}}\) that was used in the transcript. We denote the set of all tweaks that occurred over all di-blocks of all queries in the transcript by \(\left\{ \mathsf {T}^{1}, \ldots , \mathsf {T}^{\theta } \right\} \). We further define by \(\textsc {Load}\left( \mathsf {T}\right) \) the load of a tweak \(\mathsf {T}\), i.e., the number of distinct inputs used for it over all queries and di-blocks of the transcript. It holds that \(\sum _{i = 1}^{\theta } \textsc {Load}\left( \mathsf {T}^i\right) = \sigma _F+2\sigma +2q_{\nu }+5q\). We adopt the notion of transcript-compatible permutations from [6]. We call \(\widetilde{\pi } \) compatible with \(\tau \) if for all queries, \(\widetilde{\pi } \) produced all intermediate variables as well as all outputs in \(\tau \). Let \(\textsf {Comp} (\tau )\) denote the set of tweakable permutations \(\widetilde{\pi } \) that are compatible with \(\tau \). Thus

$$\begin{aligned} \Pr \left[ \varTheta _{\text {real}} = \tau \right]&= \Pr \left[ \widetilde{\pi } \twoheadleftarrow \mathsf {\widetilde{Perm}} \left( \mathcal {T} _{D, I}, \{0,1\}^{n}\right) : \widetilde{\pi } \in \textsf {Comp} (\tau ) \right] . \end{aligned}$$

For a fixed tweak \(\mathsf {T}\), the fraction of compatible permutations is

$$\begin{aligned} \prod _{i = 0}^{\textsc {Load}\left( \mathsf {T}\right) -1} \frac{1}{N - i}&= \frac{1}{\left( N\right) _{\textsc {Load}\left( \mathsf {T}\right) }}. \end{aligned}$$

Over all tweaks \(\mathsf {T}^i\), for \(1 \le i \le \theta \), the fraction of compatible permutations is given by

$$\begin{aligned} \prod _{i = 1}^{\theta } \frac{1}{\left( N\right) _{\textsc {Load}\left( \mathsf {T^i}\right) }}. \end{aligned}$$

It is hard to work with this probability directly. Instead, since we are interested in a bound for the real-world probability of transcripts, we can lower bound the probability of all \(\sigma _F + 2q_{\nu } + 5q\) basis variables by the naive probability that they are all computed from fresh tweaks: \(1/N^{\sigma _F + 2q_{\nu } + 5q}\). For the ciphertext and plaintext outputs, we can employ similar sets \(\mathcal {L} ^i\), for \(1 \le i \le n\), as we had for the ideal world, where Set \(\mathcal {L} ^i\) again consists of all queries of length i di-blocks. The probability of outputs in the real world can then be lower bounded by

$$\begin{aligned} \prod _{i = 1}^{n} \frac{1}{ \left( N^{2i}\right) _{\textsc {Load}\left( \mathcal {L} ^i\right) } }. \end{aligned}$$

Now, we can lower bound the ratio of the real-world to the ideal-world probability of our transcripts by

$$\begin{aligned} \frac{\Pr \left[ \varTheta _{\text {real}} = \tau \right] }{\Pr \left[ \varTheta _{\text {ideal}} = \tau \right] }&\ge \frac{ \frac{1}{N^{\sigma _F + 2q_{\nu } + 5q }} \cdot \prod _{i = 1}^{n} \frac{1}{ \left( N^{2i}\right) _{\textsc {Load}\left( \mathcal {L} ^i\right) } } }{ \frac{1}{N^{\sigma _F+2q_{\nu }+5q}} \cdot \frac{1}{N^{2\sigma - 2q}} \cdot \frac{1}{ \left( N^2\right) _{q}} } \\&\ge \frac{ \prod _{i = 1}^{n} \frac{1}{ \left( N^{2i} \right) _{ \textsc {Load}\left( \mathcal {L} ^i\right) } } }{ \frac{1}{ \left( N^2\right) _{q} } \cdot \frac{1}{ N^{2\sigma - 2q} } } \ge \frac{ \left( N^2\right) _{q} \cdot N^{2\sigma - 2q} }{ N^{2\sigma } } = \frac{ \left( N^2\right) _{q} }{ (N^2)^q } \\&= \frac{ (N^2)(N^2 - 1) \cdot \cdots \cdot (N^2 - q + 1) }{ (N^2)^q } \ge \left( \frac{ N^2 - q + 1 }{N^2} \right) ^q \\&\ge \left( \frac{ N^2 - q }{N^2} \right) ^q = \left( 1 - \frac{q}{N^2} \right) ^q \ge 1 - \frac{q^2}{N^2}, \end{aligned}$$

where the last inequality is Bernoulli’s. So, we obtain our claim in Lemma 3.    \(\square \)

6.2 Proof Sketch for Messages with Arbitrary Number of Complete Di-blocks

Theorem 2

Let \(\widetilde{\pi } \twoheadleftarrow \mathsf {\widetilde{Perm}} (\mathcal {T} _{D,I}, \{0,1\}^{n})\). Let \(\mathbf {A}\) be an SPRP adversary on \(\textsc {ZCZ} [\widetilde{\pi } ]\) that asks at most q queries of domain \(\mathcal {B} ^+\), whose lengths sum up to at most \(\sigma \) di-blocks in total, and \(\mathbf {A}\) runs in time at most \(\textsc {time} \). Then

$$\begin{aligned} \mathbf {{Adv}}^{\textsc {SPRP}}_{\textsc {ZCZ} [\widetilde{\pi } ]}(\mathbf {A})&\le \frac{4\sigma ^2 + 8q^2}{N^2}. \end{aligned}$$

Proof Sketch

The proof follows a similar strategy as that of Theorem 1. So, we only consider the equations in the analysis of bad events that differ. We add each \(S^{i}_{k}\), \(i \in [1..q]\), \(k \in \left[ 1..\left\lceil {\ell ^i/n}\right\rceil \right] \) to the basis. The ideal oracle samples the additional basis elements along with the original basis elements in the second step, and the definitions of the bad cases do not change. From the Eqs. (1)–(6) that we began with, only (2) is now replaced by

$$\begin{aligned} Y^i_j = R^i_j + Z^i_j + S^i_{\left\lceil {j/n}\right\rceil }. \end{aligned}$$
(2')

In the extension equations, this changes only (8), which is replaced by

$$\begin{aligned} Z^i_j = R^{i:j}_{j} + R^i_j + Z^{i:j}_{j} + S^{i:j}_{\left\lceil {j/n}\right\rceil } + S^i_{\left\lceil {j/n}\right\rceil }. \end{aligned}$$
(8')

The definitions of the bad cases remain the same except \(\mathsf {badC}\), which now occurs when:

  • For some \(i \in [1..q], k \in \left[ 1..\left\lceil {\ell ^i/n}\right\rceil \right] \), there exists \(i' \in [1..i-1]\) with \(\ell ^{i'} \ge n(k-1)\) s.t. \((S^i_k, T^i)=(S^{i'}_k, T^{i'})\);

  • For some \(i \in [1..q],j \in [1..\ell ^i-1]\), there exists \(i' \in [1..i-1]\) with \(\ell ^{i'} \ge j+1\) s.t. \((Z^i_{k,c}, T^i)=(Z^{i'}_{k,c}, T^{i'})\), where \(k = \left\lceil {j/n}\right\rceil , c = j - n(k-1)\).

Of these, the counting does not change for the latter; for the former, there are now at most \(c_{\text {max}}q^2/2\) possible collision pairs, where \(c_{\text {max}}\) is the maximum number of chunks in one query; we generously bound this by \(\sigma ^2/2\). This adds \((\sigma ^2-q^2)/2N\) to our earlier bound, which yields the new bound for the extended version. To ensure that the counting argument for \(\mathsf {badE}\) still goes through, we only note that for \(k \in \left[ 1..\left\lceil {\ell /n}\right\rceil \right] \), \(S^i_k\) can only occur in any of the collision equations from \(\mathsf {badE}\) with coefficients \(\beta ^{\ell -1-j}\) for \(j \in \left[ n(k-1)+1..nk\right] \), where \(\beta \) is either \(\alpha \) or \(\alpha ^2\), and for any choice of k, a non-empty subset of these coefficients cannot add to 0.
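The coefficient claim at the end of this sketch can be checked exhaustively for a small field. The following is an added example, not code from the paper: it assumes \(\mathrm{GF}(2^8)\) with the AES polynomial (a constructed choice, standing in for the paper's n-bit field), \(\alpha = x\), and the windows of n consecutive exponents \(\ell - 1 - j\) named above; it also shows, for contrast, that a window one wider than n is dependent.

```python
# Added example (not from the paper). Checks that no non-empty subset of the
# coefficients beta^(ell-1-j), j in [n(k-1)+1 .. nk], sums to 0 in GF(2^n),
# for beta in {alpha, alpha^2}. Assumed small field: n = 8, AES polynomial.

N_BITS = 8
POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1 (assumed field polynomial)
ALPHA = 0x02          # alpha = x, the usual doubling element


def gf_mul(a, b):
    """Carry-less multiplication modulo POLY in GF(2^N_BITS)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N_BITS):
            a ^= POLY
    return r


def gf_pow(base, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, base)
    return r


def window_coefficients(beta, ell, k):
    """Coefficients beta^(ell-1-j) for the j in chunk k that exist, i.e.
    j in [n(k-1)+1 .. min(nk, ell-1)] (the text only uses j <= ell-1)."""
    lo, hi = N_BITS * (k - 1) + 1, min(N_BITS * k, ell - 1)
    return [gf_pow(beta, ell - 1 - j) for j in range(lo, hi + 1)]


def has_zero_subset_sum(coeffs):
    """Exhaustive check: does some non-empty subset XOR (add in GF(2^n)) to 0?"""
    for mask in range(1, 1 << len(coeffs)):
        acc = 0
        for i, c in enumerate(coeffs):
            if mask >> i & 1:
                acc ^= c
        if acc == 0:
            return True
    return False


def claim_holds(ell, beta):
    """True iff every chunk k of an ell-block query has an independent window."""
    k_max = -(-ell // N_BITS)  # ceil(ell / n)
    return all(not has_zero_subset_sum(window_coefficients(beta, ell, k))
               for k in range(1, k_max + 1))
```

Each window is \(\beta^m\) times the basis \(1, \beta, \ldots, \beta^{n-1}\), so independence holds exactly because the minimal polynomial of \(\beta\) has degree n; the wider window fails since \(\alpha^8\) is a GF(2)-combination of lower powers.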

6.3 Proof Sketch for the Security of \(\textsc {ZCZ}^*\)

Theorem 3

Let \(\widetilde{\pi } \twoheadleftarrow \mathsf {\widetilde{Perm}} (\mathcal {T} _{D,I}, \{0,1\}^{n})\). Let \(\mathbf {A}\) be an SPRP adversary on \(\textsc {ZCZ}^* [\widetilde{\pi } ]\) that asks at most q queries of domain \(\{0,1\}^{\ge 2n}\), whose lengths sum up to at most \(\sigma \) di-blocks in total, \(q'\) of which contain an incomplete di-block at the end. Then

$$\begin{aligned} \mathbf {{Adv}}^{\textsc {SPRP}}_{\textsc {ZCZ}^* [\widetilde{\pi } ]}(\mathbf {A})&\le \frac{4\sigma ^2 + 8q^2 + 9q'^2}{N^2}. \end{aligned}$$

Proof Sketch

The ideal oracle’s sampling mechanism for the tweakable blockcipher outputs for the partial di-block messages is slightly trickier. Let \(\mathcal {I}\) denote the indices of the queries with incomplete di-blocks. Instead of simulating an ideal permutation, the ideal oracle simulates what [11] calls a \(\pm \tilde{\mathbf {rnd}}\) oracle, which always returns random bits, as long as no pointless queries are asked. (It is easy to argue for our construction why forbidding pointless queries does not diminish the adversary’s power, so we can confine our attention to the no-pointless-query scenario.)

We use the notation \((U,V), (U_m,V_m), (U',V')\) for outputs of the blockcipher calls in the top, middle, and bottom layers respectively. \(M_j\) denotes \((L_j,R_j)\), and \(*\) denotes the index of the incomplete di-block.

  • For the smallest \(i \in \mathcal {I}\), \(U^i_*,V^i_*,U'^i_*,V'^i_*\) are sampled uniformly from \(\{0,1\}^{n}\);

  • For each i in \(\mathcal {I}\) such that for no \(i'\) in \(\mathcal {I}\) with \(i' < i\) we have \((L^i_*,R^i_*) \ne (L^{i'}_*,R^{i'}_*)\):

    • \(U^i_*\) is sampled uniformly from \(\{0,1\}^{n} \setminus \left\{ U^{i'}_* \mid i' \in \mathcal {I}, i' < i\right\} \);

    • \(V^i_*\) is sampled uniformly from \(\{0,1\}^{n} \setminus \left\{ V^{i'}_* \mid i' \in \mathcal {I}, i' < i\right\} \);

  • For each i in \(\mathcal {I}\) such that for no \(i'\) in \(\mathcal {I}\) with \(i' < i\) we have \((L'^i_*,R'^i_*) \ne (L'^{i'}_*,R'^{i'}_*)\):

    • \(U'^i_*\) is sampled uniformly from \(\{0,1\}^{n} \setminus \left\{ U'^{i'}_* \mid i' \in \mathcal {I}, i' < i\right\} \);

    • \(V'^i_*\) is sampled uniformly from \(\{0,1\}^{n} \setminus \left\{ V'^{i'}_* \mid i' \in \mathcal {I}, i' < i\right\} \);

  • For each \(i\in \mathcal {I}\) the \((2n-s)\)-bit suffix \(R^i\) of \((U^i_{m*},V^i_{m*})\) is sampled uniformly from \(\{0,1\}^{2n-s}\), and \((U^i_{m*},V^i_{m*})\) is set to \((M^i_* + M'^i_*)||R^i\).

The new bad cases are:

  • For some distinct \(i,i'\) in \(\mathcal {I}\) with \(\ell ^i=\ell ^{i'}=\ell \) we have

    $$\begin{aligned} (M^i_{1..\ell -1},M^i_\ell + (U^i_*,V^i_*)) = (M^{i'}_{1..\ell -1},M^{i'}_\ell + (U^{i'}_*,V^{i'}_*)); \end{aligned}$$
  • For some distinct \(i,i'\) in \(\mathcal {I}\) with \(\ell ^i=\ell ^{i'}=\ell \) we have

    $$\begin{aligned} (M'^i_{1..\ell -1},M'^i_\ell + (U'^i_*,V'^i_*)) = (M'^{i'}_{1..\ell -1},M'^{i'}_\ell + (U'^{i'}_*,V'^{i'}_*)); \end{aligned}$$
  • For some distinct \(i,i'\) in \(\mathcal {I}\) with \(\ell ^i=\ell ^{i'}=\ell \) we have

    $$\begin{aligned}&\quad \,\, (L^i_\ell + L'^i_\ell + U^i_* + U'^i_*, R^i_\ell + R'^i_\ell + V^i_* + V'^i_*) \\&= (L^{i'}_\ell + L'^{i'}_\ell + U^{i'}_* + U'^{i'}_*, R^{i'}_\ell + R'^{i'}_\ell + V^{i'}_* + V'^{i'}_*); \end{aligned}$$
  • For some distinct \(i,i'\) in \(\mathcal {I}\) with \(\ell ^i=\ell ^{i'}=\ell \) we have

    $$\begin{aligned} (R^i_\ell + R'^i_\ell + V^i_* + V'^i_*, U^i_{m*}) = (R^{i'}_\ell + R'^{i'}_\ell + V^{i'}_* + V'^{i'}_*, U^{i'}_{m*}); \end{aligned}$$
  • For some distinct \(i,i'\) in \(\mathcal {I}\) with \(\ell ^i=\ell ^{i'}=\ell \) we have

    $$\begin{aligned} (R^i_\ell + R'^i_\ell + V^i_* + V'^i_*, V^i_{m*}) = (R^{i'}_\ell + R'^{i'}_\ell + V^{i'}_* + V'^{i'}_*, V^{i'}_{m*}). \end{aligned}$$

The probabilities of these bad cases can be bounded by \(q'^2/2N'^2\), \(q'^2/2N'^2\), \(q'^2/2N'^2\), \(q'^2/2NN'\), \(q'^2/2NN'\) in that order, where \(N' = N - q'\). With the reasonable assumption that \(q' \le N/2\), we can replace \(N'\) with N / 2 in these bounds and have them sum to \(8q'^2/N^2\), which is our bound for the combined probability of the new bad cases. The theorem follows from Theorem 2 and Lemma 6 of [11].

Our results in Theorems 1 and 3 considered the instantiation with an ideal random tweaked permutation \(\widetilde{\pi } \twoheadleftarrow \mathsf {\widetilde{Perm}} (\mathcal {T} _{I, D}, \{0,1\}^{n})\). Corollaries 1 and 2 yield the resulting security bounds when ZCZ and \(\textsc {ZCZ}^*\) are instantiated with a given tweakable block cipher \(\widetilde{E} _K: \mathcal {K} \times \mathcal {T} _{I, D} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) with \(K \twoheadleftarrow \mathcal {K} \).

Corollary 1

Let \(\mathbf {A}\) be an SPRP adversary on \(\textsc {ZCZ} [\widetilde{E} _K]\), s.t. \(\mathbf {A}\) asks at most q queries of domain \(\mathcal {B} ^{\le n} \), that sum up to at most \(\sigma \) di-blocks in total, and \(\mathbf {A}\) runs in time at most \(\textsc {time} \). Then

$$\begin{aligned} \mathbf {{Adv}}^{\textsc {SPRP}}_{\textsc {ZCZ} [\widetilde{E} _K]}(\mathbf {A})&\le \frac{3\sigma ^2 + 10q^2}{2N^2} + \mathbf {{Adv}}^{\textsc {STPRP}}_{\widetilde{E} _K, \widetilde{E} ^{-1}_K}(\mathbf {A} '), \end{aligned}$$

where \(\mathbf {A} '\) is an STPRP adversary against \(\widetilde{E} _K\) that asks at most \(a' = 3\sigma + \lceil \sigma / n \rceil + 6q\) queries and runs in time at most \(\textsc {time} + O(a')\).

Corollary 2

Let \(\mathbf {A}\) be an SPRP adversary on \(\textsc {ZCZ}^* [\widetilde{E} _K]\) that asks at most q queries of domain \(\{0,1\}^{\ge 2n}\), whose lengths sum up to at most \(\sigma \) di-blocks in total, \(q'\) of which contain an incomplete di-block at the end, and \(\mathbf {A}\) runs in time at most \(\textsc {time} \). Then

$$\begin{aligned} \mathbf {{Adv}}^{\textsc {SPRP}}_{\textsc {ZCZ}^* [\widetilde{E} _K]}(\mathbf {A})&\le \frac{4\sigma ^2 + 8q^2 + 9q'^2}{N^2} + \mathbf {{Adv}}^{\textsc {STPRP}}_{\widetilde{E} _K, \widetilde{E} ^{-1}_K}(\mathbf {A} '), \end{aligned}$$

where \(\mathbf {A} '\) is an STPRP adversary against \(\widetilde{E} _K\) that asks at most \(a' = 3\sigma + \lceil \sigma / n \rceil + 6q + 6q'\) queries and runs in time at most \(\textsc {time} + O(a')\).