1 Introduction

The development of large-scale quantum computers would have a significant impact on cryptography. For symmetric-key cryptosystems—even ideal ciphers—one must at least double the key length in order to achieve the same security against quantum attackers as is enjoyed against classical adversaries, due to the possibility of using Grover’s search algorithm [8] to carry out a key-recovery attack. In general, however, doubling the key length may not be sufficient [4, 13, 14], and it is therefore critical to understand the security of various symmetric-key constructions against quantum attackers.

One can consider two models of quantum attacks [3]. In the so-called Q2 model, the attacker is given quantum access to any underlying public primitives (e.g., a block cipher) as well as the secretly keyed construction itself. In contrast, the Q1 model assumes the adversary has quantum access to all public primitives but only classical access to the secretly keyed scheme. The distinction between Q1 and Q2 is significant: for many symmetric-key constructions, polynomial-query attacks are known in the Q2 model but not in the Q1 model [12, 13, 14]. At the same time, the Q2 model appears to be highly unrealistic, particularly for real-world applications where the honest parties only run the construction on classical inputs, and do not expose any quantum interface to an attacker (which is necessarily the case when the honest devices implementing the construction are entirely classical). The Q1 model is thus a much better fit for realistic quantum attacks, and several recent works [1, 4, 11] have focused on that model. From here on, by “post-quantum security” we will mean the Q1 model by default.

Proving security in the Q1 model is challenging since it requires reasoning about a combination of (related) classical and quantum oracles. Additional complications arise when reasoning about permutations (rather than functions), particularly when their inverse may also be queried, as in the random-permutation and ideal-cipher models. Indeed, most results in a “hybrid” classical-/quantum-query setting (e.g., [5, 9, 16]) deal with oracles for functions, and there are only a few existing results in the Q1 model that deal with random permutations. Jaeger et al. [11] gave positive results for security of the FX construction (a mechanism for key-length extension of an ideal cipher); their work also implies security for the Even-Mansour construction either for non-adaptive adversaries or for a variant of the construction based on a public random function. Subsequent work by Alagic et al. [1] showed post-quantum security of the full Even-Mansour construction (i.e., based on a random permutation) against adaptive adversaries.

1.1 Our Results

We show post-quantum security of the tweakable Even-Mansour construction, a tweakable block cipher constructed from a public random permutation. We then use this result to establish post-quantum security of several symmetric-key schemes. We stress that post-quantum security of tweakable Even-Mansour does not follow from post-quantum security of Even-Mansour. Indeed, the tweak must be incorporated in a way that satisfies several technical conditions; in addition, incorporating both tweaks and possible key expansion introduces dependencies and requires significant technical work to analyze. In all of our results, adversaries can make adaptive queries to any permutations to which they have access (whether quantum or classical, as appropriate) in both the forward and inverse directions. We now summarize our results.

Tweakable Even-Mansour. Let \(P:\{0,1\}^n\rightarrow \{0,1\}^n\) be a permutation. The tweakable Even-Mansour scheme \(\textsf{TEM} ^{f_1,f_2}[P]: \{0,1\}^n \times \mathcal {T}\times \{0,1\}^n \rightarrow \{0,1\}^n\) is defined as

$$\begin{aligned} \textsf{TEM} _k^{f_1, f_2}[P](t, x) = P(x \oplus f_1(t, k)) \oplus f_2(t, k), \end{aligned}$$

where the key k is of length n, the set \(\mathcal {T}\) is a tweak space, and \(f_1, f_2\) are functions satisfying some technical conditions we omit here. We also consider a variant \(\textsf{TEM}\text {-}\textsf{KX} ^{f_1, f_2}[P]:\{0,1\}^\kappa \times \mathcal {T}\times \{0,1\}^n \rightarrow \{0,1\}^n\) (where \(\kappa \le n\)) that combines tweakable Even-Mansour with key expansion, and is defined as

$$\begin{aligned} \textsf{TEM}\text {-}\textsf{KX} _{k}^{f_1, f_2}[P] (t, x) = P(x \oplus f_1(t, P(k\Vert 0^{n-\kappa }))) \oplus f_2(t, P(k\Vert 0^{n-\kappa })) . \end{aligned}$$

Our main result is that both the above are secure (post-quantum) tweakable block ciphers when P is modeled as a random permutation.

Theorem 1

(informal). An adaptive adversary making \(q_C\) classical queries to \(\textsf{TEM}\text {-}\textsf{KX} _k^{f_1, f_2}[P]\) (for uniform \(k \in \{0,1\}^\kappa \)) and \(q_Q\) quantum queries to a random permutation P can distinguish the former from a uniform tweakable block cipher with probability at most \(\mathcal O\!\left( 2^{{-\kappa }/2} \cdot (q_C \sqrt{q_Q} + q_Q \sqrt{q_C})\right) \).

(The above is stated formally as Theorem 3 and proved in Sect. 4.1.) Setting \(\kappa =n\) implies security of \(\textsf{TEM} \) as a corollary (since P(k) is uniform when \(k \in \{0,1\}^n\) is uniform, for any permutation P). It follows that any post-quantum attack against TEM requires \(q^2_C\cdot q_Q+q^2_Q\cdot q_C \approx 2^n\); hence \(\varOmega (2^{n/3})\) queries are necessary for constant success probability, matching known attacks [3, 10].

We also consider an alternative method of performing key expansion in which a key \(k \in \{0,1\}^\kappa \) is expanded to an “effective key” of length n by computing \(F_P(k) = P(k\Vert 0^{n-\kappa }) \oplus k\Vert 0^{n-\kappa }\). This gives rise to another variant of tweakable Even-Mansour, defined as

$$\begin{aligned} \textsf{TEM}\text {-}\textsf{KX1} _{k}^{f_1, f_2}[P] (t, x) = P(x \oplus f_1(t, F_P(k))) \oplus f_2(t, F_P(k)). \end{aligned}$$

We show that the key-expansion function \(F_P\) is a pseudorandom generator (even for adversaries having quantum access to P). Using this fact, we are able to prove a tighter security bound for TEM-KX1 than what we show for TEM-KX (see Theorem 5 in Sect. 4.2 for a formal statement):

Theorem 2

(informal). An adaptive adversary making \(q_C\) classical queries to \(\textsf{TEM}\text {-}\textsf{KX1} _k^{f_1, f_2}[P]\) (for uniform \(k \in \{0,1\}^\kappa \)) and \(q_Q\) quantum queries to a random permutation P can distinguish the former from a uniform tweakable block cipher with probability at most \(\mathcal O\!\left( 2^{-\kappa /2} \cdot (q_C + q_Q) + 2^{-n/2} \cdot (q_C \sqrt{q_Q} + q_Q \sqrt{q_C})\right) \).

A New Resampling Lemma. As a key technical tool used in our results, we prove a generalization of existing “resampling lemmas” [1, 7] sufficient to handle tweakable block ciphers, something we believe to be of independent interest. A resampling lemma controls the success probability of a quantum-query adversary \(\mathcal D\) in an experiment of the following form:

  1. \(\mathcal D\) receives quantum oracle access to a random permutation P;

  2. two inputs \(s_0, s_1\) are sampled from some distribution;

  3. \(\mathcal D\) receives quantum oracle access to either P, or P with inputs \(s_0\) and \(s_1\) “swapped”; it succeeds if it can correctly guess which is the case.

Prior work considered only the uniform distribution on \(s_0, s_1\). We give a new resampling lemma that handles a wider class of (adversarially influenced) distributions, and even allows the distribution to depend on information \(\mathcal {D}\) learns about P during step 1 of the above experiment (cf. Lemma 3 in Sect. 3):

Lemma 1

(informal). In the above experiment, for any \(\mathcal {D}\) making at most q quantum queries to P in step 1, \(\Pr [\mathcal {D}\,\, succeeds] \le 1/2 + \mathcal {O}(\sqrt{q\varepsilon })\), where \(\varepsilon \) is the min-entropy of \(s_0, s_1\).

To prove the lemma, we develop a novel permutation variant of the stateful simulation technique for quantum-accessible random oracles [19] (i.e., the superposition oracle technique). In this context, some information about the input-output pairs learned by the adversary via quantum queries can be read directly from the oracle’s internal quantum register. In the original superposition oracle technique [19], this useful feature is a consequence of the statistical independence of the function values of a random oracle. Existing generalizations to invertible random permutations [1] lack this feature.

Applications. In Sect. 5 we use our results to derive corollaries regarding the post-quantum security of various symmetric-key schemes when modeling the underlying permutations on which they are based as ideal permutations. In each case, security is established in two stages. First, we choose the tweak space \(\mathcal {T}\) and the tweak functions \(f_1\) and \(f_2\) appropriately, and apply our theorems above to prove security for a certain block cipher construction. Then, we invoke existing results to reduce security of the overall cryptographic scheme (in the appropriate sense) to security of this cipher. Specifically:

  1. We show how to specialize TEM so it captures the three pseudorandom permutations used by Chaskey [15], an ISO-standardized lightweight MAC. We can thus prove post-quantum security of Chaskey using Theorem 1.

  2. We show how to specialize TEM-KX to the tweakable block cipher at the core of Elephant [2], an authenticated encryption scheme that was a finalist of NIST’s lightweight standardization effort [18]. Theorem 1 then implies post-quantum security for Elephant. Using Theorem 2, we can prove a tighter security bound for a variant of Elephant that uses a slightly different key-expansion step.

  3. We show how to specialize TEM-KX1 to the tweakable block cipher used by (a variant of) Minalpher [17], an authenticated encryption scheme that was a second-round candidate of the CAESAR competition. Theorem 2 then implies post-quantum security for this variant.

To our knowledge, these are the first proofs of post-quantum security for any versions of Chaskey, Elephant, or Minalpher.

2 Preliminaries

Notation and Basic Definitions. We let \(\mathcal{P}(n)\) denote the set of all permutations on \(\{0,1\}^n\). In the public-permutation model (or random-permutation model), a uniform permutation \(P \leftarrow \mathcal{P}(n)\) is sampled and then provided as an oracle (in both the forward and inverse directions) to all parties.

A block cipher \(E: \{0,1\}^\kappa \times \{0,1\}^n \rightarrow \{0,1\}^n\) is a keyed permutation, i.e., \(E_k(\cdot ) = E(k, \cdot )\) is a permutation of \(\{0,1\}^n\) for all \(k \in \{0,1\}^\kappa \). We say E is a pseudorandom permutation if \(E_k\) (for uniform \(k \in \{0,1\}^\kappa \)) is indistinguishable from a uniform permutation in \(\mathcal{P}(n)\) even for adversaries who may query their oracle in both the forward and inverse directions.

For a set \(\mathcal {T}\), let \(\mathcal E(\mathcal {T},n)\) be the set of all functions \(E: \mathcal {T}\times \{0,1\}^n \rightarrow \{0,1\}^n\) such that \(E(t,\cdot )\) is a permutation on \(\{0,1\}^n\) for all \(t \in \mathcal {T}\). A tweakable block cipher \(\tilde{E} : \{0,1\}^\kappa \times \mathcal {T}\times \{0,1\}^n \rightarrow \{0,1\}^n\) is a family of permutations indexed by both a key \(k \in \{0,1\}^\kappa \) and a tweak \(t \in \mathcal {T}\), i.e., we now require that \(\tilde{E}_k(t, \cdot ) = \tilde{E}(k, t, \cdot )\) is a permutation of \(\{0,1\}^n\) for all \(k \in \{0,1\}^\kappa \) and \(t \in \mathcal {T}\). Tweakable block cipher \(\tilde{E}_k\) is secure if \(\tilde{E}_k\) (for uniform choice of \(k \in \{0,1\}^\kappa \)) is indistinguishable from a uniform \(\tilde{E} \leftarrow \mathcal E(\mathcal {T},n)\).

In all the security notions mentioned above we consider algorithms having only classical access to secretly keyed primitives. When we consider constructions of keyed primitives (e.g., a tweakable block cipher) from public primitives (e.g., a random permutation), however, we provide the distinguisher with quantum oracle access to the public primitive. Thus, for example, a quantum distinguisher in the public-permutation model can apply the unitary operators

$$\begin{aligned} |x\rangle |y\rangle & \mapsto |x\rangle |y\oplus P(x)\rangle \\ |x\rangle |y\rangle & \mapsto |x\rangle |y\oplus P^{-1}(x)\rangle \end{aligned}$$

to quantum registers of the adversary’s choice. (We emphasize that this includes evaluating \(P/P^{-1}\) on arbitrary superpositions of inputs.) This is well-motivated, as in practice P would be instantiated by a publicly known permutation; adversaries with quantum computers would thus be able to coherently execute the reversible circuit for computing \(P/P^{-1}\). On the other hand, secretly keyed primitives would be implemented by honest parties; if honest parties only evaluate the primitive on classical inputs then the attacker has no way to obtain quantum access to that keyed primitive.

A Reprogramming Lemma. We recall here a reprogramming lemma from prior work [1] that applies to the following experiment. A distinguisher \(\mathcal {D}\) chooses an arbitrary function F along with a randomized process \(\mathcal B\) for determining a set of points B at which F should (potentially) be reprogrammed to some known value. \(\mathcal {D}\) is then given quantum access to either F or a reprogrammed version of F; when it is done making its oracle queries, \(\mathcal {D}\) is given B. Roughly, the lemma says that \(\mathcal {D}\) cannot determine whether it was interacting with F or the reprogrammed version of F as long as no point is reprogrammed with high probability.

Formally, for a function \(F:\{0,1\}^m \rightarrow \{0,1\}^n\) and a set \(B \subset \{0,1\}^m \times \{0,1\}^n\) such that each \(x \in \{0,1\}^m\) is the first element of at most one tuple in B, define

$$\begin{aligned} F^{(B)}(x) := {\left\{ \begin{array}{ll} y &{}\text {if } (x, y) \in B\\ F(x) &{}\text {otherwise.} \end{array}\right. } \end{aligned}$$

The following is taken verbatim from [1, Lemma 3]:

Lemma 2

Let \(\mathcal {D}\) be a quantum distinguisher in the following experiment:

  • Phase 1: \(\mathcal {D}\) outputs descriptions of a function \(F_0=F: \{0,1\}^m \rightarrow \{0,1\}^n\) and a randomized algorithm \(\mathcal B\) whose output is a set \(B \subset \{0,1\}^m \times \{0,1\}^n\) where each \(x \in \{0,1\}^m\) is the first element of at most one tuple in B. Let \(B_1 = \{x \mid \exists y: (x, y) \in B\}\) and \( \varepsilon = \max _{x \in \{0,1\}^m}\left\{ \Pr _{B \leftarrow \mathcal {B}}[x \in B_1]\right\} .\)

  • Phase 2: \(\mathcal {B}\) is run to obtain B. Let \(F_1=F^{(B)}\). A uniform bit b is chosen, and \(\mathcal {D}\) is given quantum access to \(F_b\).

  • Phase 3: \(\mathcal {D}\) loses access to \(F_b\), and receives the randomness r used to invoke \(\mathcal B\) in phase 2. Then \(\mathcal {D}\) outputs a guess \(b'\).

For any \(\mathcal {D}\) making q queries in expectation when its oracle is \(F_0\), it holds that

$$\begin{aligned} \left| \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=1] - \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=0]\right| \le 2q \cdot \sqrt{\varepsilon } \,. \end{aligned}$$

3 A New Resampling Lemma

In this section, we describe a new resampling lemma for random permutations that generalizes earlier results [1, 7]. We consider a two-phase experiment in which a distinguisher \(\mathcal {D}\) is first given quantum oracle access to a uniform permutation \(P:\{0,1\}^n \rightarrow \{0,1\}^n\). Then, a point \(s_0 \in \{0,1\}^n\) is chosen in a manner specified by the distinguisher and a uniform point \(s_1 \in \{0,1\}^n\) is also chosen; in a second phase \(\mathcal {D}\) is given access either to the original permutation \(P^{(0)}=P\) or a modified permutation \(P^{(1)}\) that is the same as P except that the values of \(P(s_0)\) and \(P(s_1)\) are swapped. (See below for details.) We show, roughly speaking, that so long as the distribution of \(s_0\) has high min-entropy and \(\mathcal {D}\) makes only a bounded number of queries in the first phase of the experiment, \(\mathcal {D}\) cannot distinguish those possibilities.

Compared to prior work of Alagic et al. [1], our result is more general in the following ways:

  • it allows for more general distributions of \(s_0\);

  • it allows for the distribution of \(s_0\) to be adaptively chosen by \(\mathcal {D}\), after \(\mathcal {D}\) makes queries to P in the first phase;

  • it furthermore allows \(\mathcal {D}\) to select a sampling algorithm for \(s_0\) that will itself make a query to P.

In order to achieve these improvements, we use a different proof technique from that of Alagic et al. [1]. Our approach is closer in spirit to an earlier technique of Grilo et al. [7], which was previously only applied to random functions.

We now state our new resampling lemma. For \(s_0, s_1 \in \{0,1\}^n\), define

$$\begin{aligned} \textsf{swap}_{s_0,\,s_1} (x) = {\left\{ \begin{array}{ll} s_1 &{}\text {if } x=s_0\\ s_0 &{} \text {if } x=s_1\\ x &{}\text {otherwise.} \end{array}\right. } \end{aligned}$$

Lemma 3

Let \(F\subset \mathcal {P}(n)\). Consider the following experiment involving a quantum distinguisher \(\mathcal {D}\):

  • Phase 1: Choose uniform \(P \in \mathcal {P}(n)\), and give \(\mathcal {D}\) quantum access to P. \(\mathcal {D}\) outputs \((D,\tau )\), where D is a distribution on \(\{0,1\}^n\) and \(\tau \in F\).

  • Phase 2: Sample \(\hat{s}\leftarrow D\), set \(s_0=\tau \circ P(\hat{s})\), and choose \(s_1 \leftarrow \{0,1\}^n\). Let \(P^{(0)}=P\) and define \(P^{(1)} = P \circ \textsf{swap}_{s_0,\,s_1} \). A uniform bit \(b \in \{0,1\}\) is chosen, and \(\mathcal {D}\) is given \(\hat{s}\) and quantum access to \(P^{(b)}\). Then \(\mathcal {D}\) outputs a guess \(b'\).

Let \(\varepsilon =2 \cdot \mathbb E_{(D,\tau )\leftarrow \mathcal D^P}\left[ \max _{x \in \{0,1\}^n} \Pr _{x' \leftarrow D}[x'=x]\right] \). For any \(\mathcal {D}\) making at most q queries to P in phase 1,

$$\begin{aligned} {} & {} {\left| \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=1] - \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=0]\right| } \\ {} & {} \qquad \qquad \qquad \le \sqrt{\varepsilon }\cdot \left( 1+\sqrt{q+\log \left( \frac{11\cdot |F|}{\sqrt{\varepsilon }}\right) }\right) . \end{aligned}$$

The proof of Lemma 3 is given in Appendix A.

4 Post-quantum Security of Tweakable Even-Mansour

We use the result of the previous section to prove the post-quantum security of three different variants of the tweakable Even-Mansour construction. In Sect. 4.1, we prove security of \(\textsf{TEM}\text {-}\textsf{KX} \); we then prove security of \(\textsf{TEM} \) as a corollary. In Sect. 4.2, we prove security of \(\textsf{TEM}\text {-}\textsf{KX1} \) by showing that its key-expansion function is a pseudorandom generator.

4.1 Security of \(\textsf{TEM}\text {-}\textsf{KX} \) and \(\textsf{TEM} \)

Let \(P \in \mathcal {P}(n)\) be a permutation and \(\mathcal {T}\) a finite set, and fix two functions \(f_1,f_2 :\mathcal {T}\times \{0,1\}^n \rightarrow \{0,1\}^n\). We consider a key-expanding version of the tweakable Even-Mansour scheme \(\textsf{TEM}\text {-}\textsf{KX} ^{f_1,f_2}[P] : \{0,1\}^{\kappa } \times \mathcal {T}\times \{0,1\}^n \rightarrow \{0,1\}^n\) defined as

$$ \textsf{TEM}\text {-}\textsf{KX} _{k}^{f_1, f_2}[P] (t, x) = P(x \oplus f_1(t, P(k || 0^{n-\kappa }))) \oplus f_2(t, P(k || 0^{n-\kappa }))\,. $$

We assume the tweak functions \(f_1, f_2\) satisfy some structural properties.

Definition 1

A function \(f: \mathcal {T}\times \{0,1\}^n \rightarrow \{0,1\}^n\) is proper (with respect to \(\mathcal {T}\)) if it satisfies the following two properties:

  • Uniformity: For all \(t \in \mathcal {T}\), the function \(f(t, \cdot )\) is a permutation.

  • XOR-universality: For all distinct \(t, t' \in \mathcal {T}\) and all \(y \in \{0,1\}^n\),

    $$\begin{aligned} {\textstyle \Pr _{k \leftarrow \{0,1\}^n}[f(t,k) \oplus f(t',k) = y]} \le 2^{-n} \,. \end{aligned}$$
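As an added illustration (not code from the paper), the following Python exhaustively checks both conditions of Definition 1 for a small block size, comparing a tweak function that merely XORs the tweak into the key (uniform, but not XOR-universal) against multiplication by a nonzero tweak in GF(2^8); the block size n = 8, the tweak space, and both candidate functions are assumptions chosen for the demonstration.

```python
from fractions import Fraction
from itertools import combinations


def gf_mul(a, b, n=8, poly=0x11B):
    """Multiply in GF(2^n); the default is GF(2^8) with x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # reduce as soon as the degree reaches n
            a ^= poly
    return r


def proper_report(f, tweaks, n):
    """Exhaustively check Definition 1 for f: T x {0,1}^n -> {0,1}^n.

    uniform:      f(t, .) is a permutation of {0,1}^n for every t in `tweaks`
    max_xu_prob:  max over distinct t, t' and all y of Pr_k[f(t,k) xor f(t',k) = y]
    proper:       both hold, i.e. max_xu_prob <= 2^-n
    """
    keys = range(1 << n)
    uniform = all(len({f(t, k) for k in keys}) == 1 << n for t in tweaks)
    worst = 0
    for t, t2 in combinations(tweaks, 2):
        counts = {}
        for k in keys:
            y = f(t, k) ^ f(t2, k)
            counts[y] = counts.get(y, 0) + 1
        worst = max(worst, max(counts.values()))
    return {
        "uniform": uniform,
        "max_xu_prob": Fraction(worst, 1 << n),
        "proper": uniform and worst <= 1,
    }


# Candidate 1 (constructed for illustration): XOR the tweak into the key.
# Uniform, but f(t,k) xor f(t',k) = t xor t' for every k, so one y has probability 1.
def f_xor(t, k):
    return t ^ k


# Candidate 2 (constructed for illustration): multiply the key by a nonzero tweak.
# f(t,k) xor f(t',k) = (t xor t') * k is a bijection of k, so each y has one preimage.
def f_mul(t, k):
    return gf_mul(t, k)


N = 8
TWEAKS = range(1, 16)     # nonzero tweaks only: f_mul(0, .) would be constant

if __name__ == "__main__":
    for name, f in (("xor", f_xor), ("gf-mul", f_mul)):
        print(name, proper_report(f, TWEAKS, N))
```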

Theorem 3

Let \(\textsf{TEM}\text {-}\textsf{KX} \) be as above, and let \({\mathcal A}\) be an adversary making \(q_C\) classical queries to its first oracle and \(q_Q \ge \max \{n,\log \left( 11\cdot |\mathcal {T}|\right) \}\) quantum queries to its second oracle. If \(f_1, f_2\) are proper with respect to \(\mathcal {T}\), then

$$\begin{aligned} {} & {} {\left| \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k \leftarrow \{0,1\}^{\kappa }; \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\textsf{TEM}\text {-}\textsf{KX} ^{f_1,f_2}_{k}[P], P} = 1\right] - \mathop {\textrm{Pr}}\limits _{\begin{array}{c} \tilde{E}\leftarrow \mathcal E(\mathcal {T},n); \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\tilde{E}, P} = 1\right] \right| } \\ {} & {} \qquad \qquad \qquad \qquad \qquad \quad \le 7\cdot 2^{-\kappa /2}\left( q_C\sqrt{q_Q}+q_Q \sqrt{q_C}\right) . \end{aligned}$$

Proof

The high-level structure of our proof is similar to the proof of security for the Even-Mansour construction by Alagic et al. [1], though here relying heavily on our new resampling lemma. For that reason, we copy some portions of their proof (with appropriate updates for our setting).

Without loss of generality, we assume \({\mathcal A}\) never makes a redundant classical query; that is, once it learns a triple (t, x, y) of tweak, input, and output by making a query to its classical oracle, it never again submits a query (t, x) (resp., (t, y)) to that oracle in the forward (resp., inverse) direction. We divide an execution of \({\mathcal A}\) into \(q_C+1\) stages \(0, \ldots , q_C\), where the jth stage corresponds to the time between the jth and \((j+1)\)st classical queries of \({\mathcal A}\). (The 0th stage is the period of time before \({\mathcal A}\) makes its first classical query, and the \(q_C\)th stage is the period of time after \({\mathcal A}\) makes its last classical query.) \({\mathcal A}\) may adaptively distribute its \(q_Q\) quantum queries between these stages arbitrarily, and we let \(q_{Q,j}\) be the expected number of quantum queries that \({\mathcal A}^{\tilde{E},P}\) makes in the jth stage, where the expectation is taken over \(\tilde{E}\leftarrow \mathcal E(\mathcal {T},n)\) and \(P\leftarrow \mathcal{P}(n)\) and any internal randomness/measurements of \({\mathcal A}\). Note that \(\sum _{j=0}^{q_C} q_{Q,j} = q_Q\).

Fixing \(f_1, f_2\), we write \(\textsf{TEM}\text {-}\textsf{KX} _{k}\) for \(\textsf{TEM}\text {-}\textsf{KX} _{k}^{f_1, f_2}\). In a given execution of \({\mathcal A}\), we denote its jth classical query by \((t_j,x_j,y_j,b_j)\), where \(t_j \in \mathcal {T}\) is a tweak, \((x_j,y_j) \in \{0,1\}^n \times \{0,1\}^n\) is an input/output pair, and \(b_j\in \{0,1\}\) indicates the query direction, i.e., \(b_j=0\) (resp., \(b_j=1\)) means that the jth classical query was in the forward (resp., inverse) direction. We let \(T_j = \big ((t_1,x_1, y_1, b_1)\), \(\dots , (t_j,x_j, y_j, b_j)\big )\) be the ordered list of the first j classical queries of \({\mathcal A}\).

Our proof involves a sequence of experiments in which \({\mathcal A}\)’s oracles are modified based on the classical queries made by \({\mathcal A}\) thus far. We first establish the appropriate notation. We use the product symbol \(\prod \) to denote sequential composition of operations, i.e., \(\prod _{i=1}^{n}f_i=f_1\circ \cdots \circ f_n\). Note that order matters, since function composition is not commutative in general. We use the notation \(\prod _{i=n}^{1}f_i=f_n\circ \cdots \circ f_1\) to denote the composition in reverse order. For a permutation P, a key k, and a list \(T_j = \big ((t_1,x_1, y_1, b_1), \dots , (t_j,x_j, y_j, b_j)\big )\) as above, define the operators

$$\begin{aligned} \overrightarrow{S}_{T_j,P,k} = & {} \prod _{i=1}^j\textsf{swap}_{P(x_i \oplus f_1(t_i,P(k||0^{n-\kappa }))),\,y_i\oplus f_2(t_i,P(k||0^{n-\kappa }))} ^{1-b_i} \\ \overrightarrow{Q}_{T_j,P,k} = & {} \prod _{i=1}^j\textsf{swap}_{x_i \oplus f_1(t_i,P(k||0^{n-\kappa })),\,P^{-1}(y_i\oplus f_2(t_i,P(k||0^{n-\kappa })))} ^{1-b_i} \\ \overleftarrow{S}_{T_j,P,k} = & {} \prod _{i=j}^1\textsf{swap}_{P(x_i \oplus f_1(t_i,P(k||0^{n-\kappa }))),\,y_i\oplus f_2(t_i,P(k||0^{n-\kappa }))} ^{b_i} \\ \overleftarrow{Q}_{T_j,P,k} = & {} \prod _{i=j}^1\textsf{swap}_{x_i \oplus f_1(t_i,P(k||0^{n-\kappa })),\,P^{-1}(y_i\oplus f_2(t_i,P(k||0^{n-\kappa })))} ^{b_i} \end{aligned}$$

where, as usual, \(f^0\) is the identity map and \(f^1=f\) for any function f. We define the modified permutation \(P^{T_j,k}\) as

$$\begin{aligned} P^{T_j, k}(x) = \overleftarrow{S}_{T_j,P,k}\circ \overrightarrow{S}_{T_j,P,k}\circ P(x) . \end{aligned}$$

Since \(P \circ \textsf{swap}_{x,\,y} =\textsf{swap}_{P(x),\,P(y)} \circ P\) for all x, y, we have

$$\begin{aligned} \overleftarrow{S}_{T_j,P,k}\circ \overrightarrow{S}_{T_j,P,k}\circ P = \overleftarrow{S}_{T_j,P,k}\circ P \circ \overrightarrow{Q}_{T_j,P,k} = P \circ \overleftarrow{Q}_{T_j,P,k}\circ \overrightarrow{Q}_{T_j,P,k} . \end{aligned}$$

Roughly speaking, \(P^{T_j, k}\) is the minimal modification of P that is consistent with the forward (\(\rightarrow \)) and inverse (\(\leftarrow \)) queries from the transcript \(T_j\) when post-composed (S) or pre-composed (Q) with P. For compactness we occasionally write \(P^j\) in place of \(P^{T_j, k}\) when \(T_j\) and k are understood from the context.
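As an added worked example (not code from the paper), the following Python builds \(P^{T_j,k}\) from a constructed transcript of forward and inverse classical queries, once in the post-composed form \(\overleftarrow{S}\circ \overrightarrow{S}\circ P\) and once in the pre-composed form \(P \circ \overleftarrow{Q}\circ \overrightarrow{Q}\), and checks that the two coincide, that the result is still a permutation differing from P in at most 2j points, and that \(\textsf{TEM}\text {-}\textsf{KX} _k[P^{T_j,k}]\) reproduces every transcript entry; the block size n = 16, key length \(\kappa = 12\), and the tweak functions f1, f2 are assumptions chosen for the demonstration.

```python
import random

N = 16                       # block length n (small enough to tabulate P)
KAPPA = 12                   # key length kappa; key is padded as k || 0^{n-kappa}
SIZE = 1 << N


def swap(a, b):
    """swap_{a,b}: exchanges a and b and fixes every other point."""
    return lambda x: b if x == a else a if x == b else x


def compose(*fs):
    """f_1 o f_2 o ... o f_m (rightmost applied first); compose() is the identity."""
    def g(x):
        for f in reversed(fs):
            x = f(x)
        return x
    return g


# Illustrative tweak functions (an assumption of this example). The identities checked
# below hold for arbitrary f_1, f_2; properness in the sense of Definition 1 is not needed.
def f1(t, K):
    return t ^ K


def f2(t, K):
    return (((t << 1) | (t >> (N - 1))) & (SIZE - 1)) ^ K


def tem_kx(P, k, t, x):
    """TEM-KX_k^{f1,f2}[P](t, x), with the permutation P given as a lookup table."""
    K = P[k << (N - KAPPA)]                      # expanded key P(k || 0^{n-kappa})
    return P[x ^ f1(t, K)] ^ f2(t, K)


def modified_perm_s(P, k, T):
    """P^{T_j,k} = S_left o S_right o P: the transcript swaps post-composed with P."""
    K = P[k << (N - KAPPA)]
    # swap_i exchanges P(u_i) = P(x_i xor f1(t_i, K)) and v_i = y_i xor f2(t_i, K)
    sw = [swap(P[x ^ f1(t, K)], y ^ f2(t, K)) for (t, x, y, b) in T]
    fwd = [s for s, q in zip(sw, T) if q[3] == 0]    # forward queries, b_i = 0
    inv = [s for s, q in zip(sw, T) if q[3] == 1]    # inverse queries, b_i = 1
    S_right = compose(*fwd)                          # prod_{i=1}^{j}: swap_1 o ... o swap_j
    S_left = compose(*reversed(inv))                 # prod_{i=j}^{1}: swap_j o ... o swap_1
    Pp = compose(S_left, S_right, lambda x: P[x])
    return [Pp(x) for x in range(SIZE)]


def modified_perm_q(P, k, T):
    """The same permutation as P o Q_left o Q_right (swaps pre-composed with P),
    obtained from P o swap_{a,b} = swap_{P(a),P(b)} o P."""
    Pinv = [0] * SIZE
    for x, y in enumerate(P):
        Pinv[y] = x
    K = P[k << (N - KAPPA)]
    # swap_i now exchanges u_i = x_i xor f1(t_i, K) and P^{-1}(v_i)
    sw = [swap(x ^ f1(t, K), Pinv[y ^ f2(t, K)]) for (t, x, y, b) in T]
    fwd = [s for s, q in zip(sw, T) if q[3] == 0]
    inv = [s for s, q in zip(sw, T) if q[3] == 1]
    Pp = compose(lambda x: P[x], compose(*reversed(inv)), compose(*fwd))
    return [Pp(x) for x in range(SIZE)]


def inconsistent_queries(Pp, k, T):
    """Transcript indices that TEM-KX_k[P^{T,k}] fails to reproduce. Empty unless the
    2j swapped points (or the key-expansion input) collide, the bad events the proof
    accounts for separately."""
    return [i for i, (t, x, y, b) in enumerate(T) if tem_kx(Pp, k, t, x) != y]


def demo(seed=1, j=4):
    rng = random.Random(seed)
    P = list(range(SIZE))
    rng.shuffle(P)                                   # stands in for a uniform P
    k = rng.randrange(1 << KAPPA)
    # Constructed ideal-world transcript: the first j classical queries are answered by
    # an independent uniform tweakable permutation, so y_i (forward) or x_i (inverse) is
    # a fresh uniform value. Directions alternate; with n = 16, collisions among the few
    # sampled points occur only with negligible probability.
    T = [(rng.randrange(SIZE), rng.randrange(SIZE), rng.randrange(SIZE), i % 2)
         for i in range(j)]
    Ps = modified_perm_s(P, k, T)
    Pq = modified_perm_q(P, k, T)
    return {
        "s_form_equals_q_form": Ps == Pq,
        "still_a_permutation": sorted(Ps) == list(range(SIZE)),
        "inconsistent": inconsistent_queries(Ps, k, T),
        "points_changed": sum(1 for x in range(SIZE) if Ps[x] != P[x]),
    }


if __name__ == "__main__":
    print(demo())
```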

We now define a sequence of hybrid experiments \({\textbf{H}}_j\), for \(j=0, \ldots , q_C\).

Experiment \({\textbf{H}}_j\) . Sample uniform \(\tilde{E}\in \mathcal{E}(\mathcal {T},n)\) and \(P\in \mathcal{P}(n)\), and a uniform key \(k \in \{0,1\}^{\kappa }\). Then:

  1. Run \({\mathcal A}\), answering its classical queries using \(\tilde{E}\) and its quantum queries using P, stopping immediately before its \((j+1)\)st classical query. Let \(T_j = \big ((t_1,x_1, y_1,b_1), \dots , (t_j,x_j, y_j,b_j)\big )\) be the list of classical queries so far.

  2. For the remainder of the execution of \({\mathcal A}\), answer its classical queries using \(\textsf{TEM}\text {-}\textsf{KX} _k[P^{T_j, k}]\) and its quantum queries using \(P^{T_j, k}\).

We can compactly represent \({\textbf{H}}_j\) as the experiment in which \({\mathcal A}\)’s queries are answered using the oracle sequence

$$\begin{aligned} \underbrace{P, \tilde{E}, P, \cdots , \tilde{E}, P,}_ {j\,\,\text{ classical } \text{ queries }} \, \underbrace{\textsf{TEM}\text {-}\textsf{KX} _k[P^j], P^j, \cdots , \textsf{TEM}\text {-}\textsf{KX} _k[P^j], P^j}_{ q_C\,-\,j\,\,\text{ classical } \text{ queries }}. \end{aligned}$$

Each instance of \(\tilde{E}\) or \(\textsf{TEM}\text {-}\textsf{KX} _k[P^{j}]\) represents a single classical query, while each instance of P or \(P^j\) represents a stage during which \({\mathcal A}\) makes multiple quantum queries to that oracle but no queries to its classical oracle. Observe that \({\textbf{H}}_0\) corresponds to the execution of \({\mathcal A}\) in the real world, i.e., \({\mathcal A}^{\textsf{TEM}\text {-}\textsf{KX} _k[P], P}\), and \({\textbf{H}}_{q_C}\) is the execution of \({\mathcal A}\) in the ideal world, i.e., \({\mathcal A}^{\tilde{E}, P}\).

For \(j=0, \ldots , q_C-1\), we introduce additional experiments \({\textbf{H}}_j'\):

Experiment \({\textbf{H}}_j'\). Sample uniform \(\tilde{E}\in \mathcal{E}(\mathcal {T},n)\) and \(P\in \mathcal{P}(n)\), and uniform \(k \in \{0,1\}^{\kappa }\). Then:

  1. Run \({\mathcal A}\), answering its classical queries using \(\tilde{E}\) and its quantum queries using P, stopping immediately after its \((j+1)\)st classical query. Let \(T_{j+1} = \big ((t_1,x_1, y_1,b_1), \dots , (t_{j+1},x_{j+1}, y_{j+1},b_{j+1})\big )\) be the classical queries so far.

  2. For the remainder of the execution of \({\mathcal A}\), answer its classical queries using \(\textsf{TEM}\text {-}\textsf{KX} _k[P^{T_{j+1},k}]\) and its quantum queries using \(P^{T_{j+1},k}\).

Thus, \({\textbf{H}}'_j\) corresponds to running \({\mathcal A}\) using the oracle sequence

$$\begin{aligned} \underbrace{P, \tilde{E}, P, \cdots , \tilde{E}, P,}_{ j\,\,\text{ classical } \text{ queries }}\,\tilde{E}, P^{j+1},\, \underbrace{\textsf{TEM}\text {-}\textsf{KX} _k[P^{j+1}], P^{j+1} \cdots , \textsf{TEM}\text {-}\textsf{KX} _k[P^{j+1}], P^{j+1}}_{q_C\,\,-\,\,j\,-\,1\,\,\text{ classical } \text{ queries }} . \end{aligned}$$

In Lemma 4 and Lemma 5, we establish the following bounds on the distinguishability of \({\textbf{H}}_j'\) and \({\textbf{H}}_{j+1}\), as well as \({\textbf{H}}_j\) and \({\textbf{H}}_j'\), for \(0 \le j < q_C\):

$$\begin{aligned} &\left| \Pr [{\mathcal A}({\textbf{H}}_j') = 1] - \Pr [{\mathcal A}({\textbf{H}}_{j+1})=1]\right| \le 2^{-\kappa /2} \cdot 2\cdot q_{Q,j+1} \sqrt{2\cdot (j+1)} \end{aligned}$$

and

$$\begin{aligned} &\left| \Pr [{\mathcal A}({\textbf{H}}_j) = 1] - \Pr [{\mathcal A}({\textbf{H}}'_j)=1]\right| \\ &\le 2^{-\kappa /2}\left( 1+\sqrt{q_Q+\log (11\, |\mathcal {T}|)+n+\kappa /2}\right) +\frac{4j}{2^\kappa } \,. \end{aligned}$$

Using the above, we have

$$\begin{aligned} {} & {} {\left| \Pr [{\mathcal A}({\textbf{H}}_0) = 1] - \Pr [{\mathcal A}({\textbf{H}}_{q_C})=1]\right| } \\ {} & {} \,\,\, \le \sum _{j=0}^{q_C-1} \left( 2^{-\kappa /2} \left( 1+\sqrt{q_Q+\log (11\, |\mathcal {T}|)+n+\kappa /2}+2 q_{Q,j+1} \sqrt{2 (j+1)}\right) +\frac{4j}{2^\kappa }\right) \\ {} & {} \,\,\,\le \frac{4q_C^2}{2^\kappa }+ \sum _{j=0}^{q_C-1}2^{-\kappa /2} \left( 1+\sqrt{q_Q+\log (11\, |\mathcal {T}|)+n+\kappa /2}+2\cdot q_{Q,j+1} \sqrt{2q_C}\right) \\ {} & {} \,\,\,\le \frac{4q_C^2}{2^\kappa }+ {2^{-\kappa /2}} \left( q_C+ q_C\sqrt{q_Q+\log (11\, |\mathcal {T}|)+n+\kappa /2}+ 2\sqrt{2} q_Q \sqrt{q_C}\right) . \end{aligned}$$

The above bound can be simplified. By assumption, \(q_Q \ge \log (11\cdot |\mathcal {T}|)\) and \(q_Q\ge n\ge \kappa \). So \(\sqrt{q_Q+\log (11\cdot |\mathcal {T}|)+n+\kappa /2} \le \sqrt{7q_Q/2}\). We may also assume \(q_C\le 2^{\kappa /2}\) since otherwise the bound is larger than 1. Under these assumptions, we have \(4q_C^2\cdot 2^{-\kappa }\le 4q_C\cdot 2^{-\kappa /2}\le 4q_C\sqrt{q_Q}\cdot 2^{-\kappa /2}\) and so

$$\begin{aligned} &\frac{4q_C^2}{2^\kappa }+ 2^{-\kappa /2}\cdot \left( q_C+ q_C\sqrt{q_Q+\log (11\cdot |\mathcal {T}|)+n+\kappa /2}+ 2\sqrt{2}q_Q \sqrt{q_C}\right) \\ &\le 2^{-\kappa /2}\cdot \left( 5q_C+q_C \sqrt{7q_Q/2}+ 2\sqrt{2}q_Q \sqrt{q_C}\right) \\ & \le 2^{-\kappa /2}\cdot \left( \left( 5+\sqrt{\frac{7}{2}}\right) q_C\sqrt{q_Q}+ 2\sqrt{2}q_Q \sqrt{q_C}\right) \\ & \le 2^{-\kappa /2}\cdot \left( 7q_C\sqrt{q_Q}+ 2\sqrt{2}q_Q \sqrt{q_C}\right) \le 7\cdot 2^{-\kappa /2}\cdot \left( q_C\sqrt{q_Q}+ q_Q \sqrt{q_C}\right) , \end{aligned}$$

as claimed.

We now prove Lemma 4 and Lemma 5.

Lemma 4

For \(j=0, \ldots , q_C-1\),

$$\begin{aligned} \left| \Pr [{\mathcal A}({\textbf{H}}_j') = 1] - \Pr [{\mathcal A}({\textbf{H}}_{j+1})=1]\right| \le 2 \cdot q_{Q,j+1} \sqrt{2\cdot (j+1)/2^{\kappa }} \,, \end{aligned}$$

where \(q_{Q,j+1}\) is the expected number of queries \({\mathcal A}\) makes to P in the \((j+1)\)st stage in the ideal world (i.e., in \({\textbf{H}}_{q_C}\)).

Proof

Let \({\mathcal A}\) be a distinguisher between \({\textbf{H}}'_j\) and \({\textbf{H}}_{j+1}\). We construct a distinguisher \(\mathcal {D}\) for the experiment from Lemma 2:

  • Phase 1: \(\mathcal {D}\) samples uniform \(\tilde{E}\in \mathcal{E}(\mathcal {T},n)\) and \(P \in \mathcal{P}(n)\). It then runs \({\mathcal A}\), answering its quantum queries using P and its classical queries using \(\tilde{E}\), until after it responds to \({\mathcal A}\)’s \((j+1)\)st classical query. Let \(T_{j+1} = \big ((t_1,x_1, y_1,b_1), \dots , (t_{j+1},x_{j+1}, y_{j+1},b_{j+1})\big )\) be the list of classical queries by \({\mathcal A}\) thus far. \(\mathcal {D}\) defines \(F(a,x) {:}{=}P^{a}(x)\) for \(a \in \{1, -1\}\). It also defines the following randomized algorithm \(\mathcal {B}\): sample \(k \leftarrow \{0,1\}^{\kappa }\) and then compute the set B of input/output pairs to be reprogrammed so that \(F^{(B)}(a, x)={(P^{T_{j+1},k})}^{a}(x)\) for all a, x. Finally, \(\mathcal {D}\) outputs \((F, \mathcal {B})\).

  • Phase 2: \(\mathcal {B}\) is run to generate B, and \(\mathcal {D}\) is given quantum access to an oracle \(F_b\). \(\mathcal {D}\) resumes running \({\mathcal A}\), answering its quantum queries using \(F_b\). Phase 2 ends before \({\mathcal A}\) makes its next (i.e., \((j+2)\)nd) classical query.

  • Phase 3: \(\mathcal {D}\) is given k. It resumes running \({\mathcal A}\), answering its classical queries using \(\textsf{TEM}\text {-}\textsf{KX} _k[P^{T_{j+1},k}]\) and its quantum queries using \(P^{T_{j+1},k}\). Finally, it outputs whatever \({\mathcal A}\) outputs.

It is immediate that if \(b=0\) (i.e., \(\mathcal {D}\)’s oracle in phase 2 is \(F_0=F\)), then \({\mathcal A}\)’s output is identically distributed to its output in \({\textbf{H}}_{j+1}\), whereas if \(b=1\) (i.e., \(\mathcal {D}\)’s oracle in phase 2 is \(F_1=F^{(B)}\)), then \({\mathcal A}\)’s output is identically distributed to its output in \({\textbf{H}}'_j\). It follows that \(|\Pr [{\mathcal A}({\textbf{H}}_j') = 1] - \Pr [{\mathcal A}({\textbf{H}}_{j+1})=1]|\) is equal to the distinguishing advantage of \(\mathcal {D}\) in the reprogramming experiment of Lemma 2. To bound this quantity, we bound the parameter \(\varepsilon \) and the expected number of queries made by \(\mathcal {D}\) in phase 2 (when \(F = F_0\)).

The value of \(\varepsilon \) can be bounded using the definition of \(P^{T_{j+1},k}\) and the fact that \(F^{(B)}(a,x) = {(P^{T_{j+1},k})}^{a}(x)\). Fixing P and \(T_{j+1}\), the probability that any particular input \((a, x)\) is reprogrammed is at most the probability (over k) that it lies in the set

$$\begin{aligned} \left\{ \begin{array}{c}(1, x_i \oplus f_1(t_i, P(k||0^{n-\kappa }))), \; (1, P^{-1}(y_i \oplus f_2(t_i, P(k||0^{n-\kappa })))), \\ (-1, P(x_i \oplus f_1(t_i, P(k||0^{n-\kappa })))), \;(-1, y_i \oplus f_2(t_i, P(k||0^{n-\kappa }))) \end{array} \right\} _{i=1}^{j+1} . \end{aligned}$$

We compute the probability that \((a, x)=(1, x_i \oplus f_1(t_i, P(k||0^{n-\kappa })))\) for some fixed i. P is a permutation, and so is \(f_1(t_i, \cdot )\). As k is uniform,

$$\begin{aligned} {\textstyle \mathop {\textrm{Pr}}\limits _k[(a, x)=(1, x_i \oplus f_1(t_i, P(k||0^{n-\kappa })))]} = {\left\{ \begin{array}{ll} 2^{-\kappa }&{}a=1\\ 0&{}a=-1 \end{array}\right. }\,. \end{aligned}$$

A similar bound holds for the other possibilities. By distinguishing the cases \(a=1\) and \(a=-1\) and applying a union bound, we get \(\varepsilon \le 2 (j+1) / 2^{\kappa }\).

The expected number of queries made by \(\mathcal {D}\) in phase 2 when \(F=F_0\) is equal to the expected number of queries made by \({\mathcal A}\) in its \((j+1)\)st stage in \({\textbf{H}}_{j+1}\). Since \({\textbf{H}}_{j+1}\) and \({\textbf{H}}_{q_C}\) are identical until after the \((j+1)\)st stage is complete, this is precisely \(q_{Q,j+1}\).    \(\square \)

Lemma 5

For \(j=0, \ldots , q_C\),

$$\begin{aligned} &\left| \Pr [{\mathcal A}({\textbf{H}}_j) = 1] - \Pr [{\mathcal A}({\textbf{H}}'_j)=1]\right| \\ &\le \frac{1}{2^{\kappa /2}}\left( 1+\sqrt{q_Q+\log (11\, |\mathcal {T}|)+n+\kappa /2}\right) +\frac{4j}{2^\kappa } . \end{aligned}$$

Proof

We introduce additional experiments \({\textbf{H}}_j^{*}\) and \({\textbf{H}}_j^{**}\).

Experiment \({\textbf{H}}_j^{*}\) . Sample uniform \(\tilde{E}\in \mathcal{E}(\mathcal {T},n)\), \(P \in \mathcal{P}(n)\), and \(k \in \{0,1\}^{\kappa }\). Then

  1. Run \({\mathcal A}\), answering its classical queries using \(\tilde{E}\) and its quantum queries using P, until \({\mathcal A}\) makes its \((j+1)\)st classical query \((t_{j+1},x_{j+1},b_{j+1}=0)\), which we assume for concreteness to be in the forward direction.

  2. Define \(s_0= f_1(t_{j+1},P(k||0^{n-\kappa }))\oplus x_{j+1}\) and sample uniform \(s_1 \in \{0,1\}^n\). Define \(P^{(1)}\) as \( P^{(1)}(x)= (P \circ \textsf{swap}_{s_0,\,s_1})(x). \) Then continue running \({\mathcal A}\), answering its remaining classical queries (including the \((j+1)\)st) using \(\textsf{TEM}\text {-}\textsf{KX} _k[(P^{(1)})^{T_j,k}]\), and its quantum queries using \((P^{(1)})^{T_j,k}\).

Experiment \({\textbf{H}}_j^{**}\) is the same as \({\textbf{H}}_j^{*}\), except that the \((j+1)\)st query is answered using \(\tilde{E}\) to obtain \(y_{j+1}= \tilde{E}(t_{j+1}, x_{j+1})\), and then we define \(s_1 = (P^{T_j,k})^{-1}( y_{j+1} \oplus f_2(t_{j+1},P(k||0^{n-\kappa })))\). We have

$$\begin{aligned} \left| \Pr [{\mathcal A}({\textbf{H}}_j) = 1] - \Pr [{\mathcal A}({\textbf{H}}'_j) = 1]\right| &\le \left| \Pr [{\mathcal A}({\textbf{H}}_j) = 1] - \Pr [{\mathcal A}({\textbf{H}}_j^{*}) = 1]\right| \\ & + \left| \Pr [{\mathcal A}({\textbf{H}}_j^{*}) = 1] - \Pr [{\mathcal A}({\textbf{H}}_j^{**}) = 1]\right| \\ & + \left| \Pr [{\mathcal A}({\textbf{H}}_j^{**}) = 1] - \Pr [{\mathcal A}({\textbf{H}}'_j) = 1]\right| . \end{aligned}$$

We now bound the three differences on the right-hand side.

Let \({\mathcal A}\) be a distinguisher between \({\textbf{H}}_j\) and \({\textbf{H}}_j^*\). We construct a distinguisher \(\mathcal {D}\) for the experiment of Lemma 3, where \(F=\{f_1(t,\cdot ) \oplus x\}_{ t\in \mathcal {T},x\in \{0,1\}^n}\).

  • Phase 1: \(\mathcal {D}\) is given quantum access to a uniform permutation P. It samples uniform \(\tilde{E}\leftarrow \mathcal{E}(\mathcal {T},n)\) and then runs \({\mathcal A}\), answering its quantum queries using P and its classical queries using \(\tilde{E}\) (in the appropriate directions), until \({\mathcal A}\) submits its \((j+1)\)st classical query \((t_{j+1},x_{j+1},b_{j+1}=0)\). At that point, \(\mathcal {D}\) has a list \(T_j=\big ((t_1,x_1, y_1,b_1), \ldots , (t_j,x_j, y_j,b_j)\big )\) of the queries \({\mathcal A}\) has made to its classical oracle thus far. \(\mathcal {D}\) lets \(\tau \in F\) be such that \(\tau (\cdot )=f_1(t_{j+1}, \cdot )\oplus x_{j+1}\), and defines the distribution D on \(\{0,1\}^{n}\) that chooses uniform \(k \in \{0,1\}^\kappa \) and outputs \(k\Vert 0^{n-\kappa }\). Finally, \(\mathcal {D}\) outputs \((D,\tau )\).

  • Phase 2: The challenger samples \(\hat{s} \leftarrow D\) with \(\hat{s}= k\Vert 0^{n-\kappa }\). Then \(\mathcal {D}\) is given \(\hat{s}\) and quantum oracle access to the permutation \(P^{(b)}\). It continues running \({\mathcal A}\), answering its remaining classical queries—including the \((j+1)\)st—using \(\textsf{TEM}\text {-}\textsf{KX} _k[(P^{(b)})^{T_j,k}]\), and its remaining quantum queries using \((P^{(b)})^{T_j,k}\). \(\mathcal {D}\) outputs whatever \({\mathcal A}\) does.

In phase 1, distinguisher \(\mathcal {D}\) perfectly simulates experiments \({\textbf{H}}_j\) and \({\textbf{H}}_j^{*}\) for \({\mathcal A}\) until the point where \({\mathcal A}\) makes its \((j+1)\)st classical query. If \(b=0\), \(\mathcal {D}\) gets access to \(P^{(0)} = P\) in phase 2. Since \(\mathcal {D}\) answers all quantum queries using \((P^{(0)})^{T_j,k}\) and all classical queries using \(\textsf{TEM}\text {-}\textsf{KX} _k[(P^{(0)})^{T_j,k}]\), we see that \(\mathcal {D}\) perfectly simulates \({\textbf{H}}_j\) for \({\mathcal A}\) in that case. If, on the other hand, \(b=1\) in phase 2, then \(\mathcal {D}\) gets access to \(P^{(1)}\), where \(P^{(1)}(x)=P \circ \textsf{swap}_{s_0,\,s_1} (x)\). In this case \(\mathcal {D}\) perfectly simulates \({\textbf{H}}_j^{*}\) for \({\mathcal A}\). Applying Lemma 3 thus gives

$$\begin{aligned} \left| \Pr [{\mathcal A}({\textbf{H}}_j) = 1] - \Pr [{\mathcal A}({\textbf{H}}_j^*)=1]\right| &\le \sqrt{\varepsilon }\left( 1+\sqrt{q_Q+\log \left( \frac{11\, |F|}{\sqrt{\varepsilon }}\right) }\right) \nonumber \\ &= \frac{1}{2^{\kappa /2}} \left( 1+\sqrt{q_Q+\log \left( \frac{11\, |\mathcal {T}|\, 2^{n}}{2^{-\kappa /2}}\right) }\right) . \end{aligned}$$
(1)

Next, we bound the distinguishability of \({\textbf{H}}_j^{*}\) and \({\textbf{H}}_j^{**}\). Recall that in \({\textbf{H}}_j^{*}\) the answer to the \((j+1)\)st classical query is \(y_{j+1}=\textsf{TEM}\text {-}\textsf{KX} _k[(P^{(1)})^{T_j,k}](t_{j+1},x_{j+1})\), whereas in \({\textbf{H}}_j^{**}\) the response is \(y_{j+1}=\tilde{E}_{t_{j+1}}(x_{j+1})\). In \({\textbf{H}}_j^{*}\), we have

$$\begin{aligned} y_{j+1} & {\mathop {=}\limits ^\textrm{def}} \textsf{TEM}\text {-}\textsf{KX} _k[(P^{(1)})^{T_j,k}](t_{j+1}, x_{j+1}) \\ &= (P^{(1)})^{T_j,k}(s_0) \oplus f_2(t_{j+1},P(k||0^{n-\kappa }))\\ &= P^{T_j,k}(s_1) \oplus f_2(t_{j+1},P(k||0^{n-\kappa })) . \end{aligned}$$

Since \(s_1\) is uniform and \(P^{T_j,k}(\cdot ) \oplus f_2(t_{j+1},P(k||0^{n-\kappa }))\) is a permutation, we conclude that \(y_{j+1}\) is uniform. This is not identical to the distribution of \(y_{j+1}\) in \({\textbf{H}}_j^{**}\), which is uniform subject to the constraint that \(\tilde{E}_{t_{j+1}}\) is a permutation. Define the set \(\mathcal {Y}_{j+1} = \{y_i \mid t_i = t_{j+1}\}\), i.e., these are the outputs of \(\tilde{E}\) that \({\mathcal A}\) learned from queries with the same tweak \(t_{j+1}\) used in the \((j+1)\)st query. Bounding the probability that \(y_{j+1} \in \mathcal {Y}_{j+1}\) when \(y_{j+1}\) is uniform gives an upper bound on the probability that \({\mathcal A}\) can distinguish \({\textbf{H}}_j^*\) and \({\textbf{H}}_j^{**}\). Thus,

$$\begin{aligned} \left| \Pr [{\mathcal A}({\textbf{H}}_j^*) = 1] - \Pr [{\mathcal A}({\textbf{H}}_j^{**})=1]\right| \le \frac{|\mathcal {Y}_{j+1}|}{2^{n}} \le \frac{j}{2^{n}}\le \frac{j}{2^{\kappa }} . \end{aligned}$$
(2)

Finally, we bound the distinguishability of \({\textbf{H}}_j^{**}\) and \({\textbf{H}}'_j\). Recall that the difference between these experiments is that from the \((j+1)\)st query onward the former uses \((P^{(1)})^{T_j,k}\) while the latter uses \(P^{T_{j+1},k}\) (both for the quantum queries of \({\mathcal A}\) and to instantiate TEM-KX for the classical queries of \({\mathcal A}\)). Thus, the two experiments are identical if \((P^{(1)})^{T_j,k}\) and \(P^{T_{j+1},k}\) are equal. In what follows we upper bound the probability that they are not equal.

Both \((P^{(1)})^{T_j,k}\) and \(P^{T_{j+1},k}\) involve \(j+1\) swaps: \((P^{(1)})^{T_j,k}\) involves j swaps from the first j queries plus the extra swap by the definition of \(P^{(1)}\), whereas \(P^{T_{j+1},k}\) involves \(j+1\) swaps from the first \(j+1\) queries. Since the \((j+1)\)st query is a forward query, we have

$$\begin{aligned} {(P^{(1)})}^{T_j,k}(x) = \overleftarrow{S}_{T_j,P^{(1)},k}\circ \overrightarrow{S}_{T_j,P^{(1)},k}\circ P^{(1)}(x) \end{aligned}$$

and

$$\begin{aligned} (P)^{T_{j+1},k}(x) = \overleftarrow{S}_{T_{j+1},P,k}\circ \overrightarrow{S}_{T_{j+1},P,k}\circ P(x) . \end{aligned}$$

Let \(\mathcal {X}=\{x_1\oplus f_1(t_{1},P(k||0^{n-\kappa })),\dots , x_j \oplus f_1(t_{j},P(k||0^{n-\kappa }))\}\), i.e., \(\mathcal {X}\) contains the inputs to P from the first j classical queries of \({\mathcal A}\). Let \(\textsf{Bad}_0\) be the event that \(x_{j+1} \oplus f_1(t_{j+1},P(k||0^{n-\kappa })) \in \mathcal {X}\) and \(\textsf{Bad}_1\) be the event that \(s_1 \in \mathcal {X}\). We upper bound the probabilities of \(\textsf{Bad}_0\), \(\textsf{Bad}_1\), and then show that \((P^{(1)})^{T_j,k}=P^{T_{j+1},k}\) when neither \(\textsf{Bad}_0\) nor \(\textsf{Bad}_1\) occurs.

Since \(s_1\) is \(\frac{j}{2^n}\)-close to uniform by (2), \(\Pr [\textsf{Bad}_1]\le \frac{2j}{2^n}\). Bounding the probability of \(\textsf{Bad}_{0}\) is more complex since we have to consider the tweaks from the first j queries of \({\mathcal A}\). Intuitively, for queries whose tweak was the same as \(t_{j+1}\), we rely on the assumption that \({\mathcal A}\) does not repeat queries; for queries where the tweaks are different, we use the XOR-universality of \(f_1, f_2\). Define

$$\begin{aligned} \mathcal {X}^{=} &= \{x_i \oplus f_1(t_i,P(k||0^{n-\kappa })) \mid 1 \le i \le j, \; t_i = t_{j+1}\} \\ \mathcal {X}^{\ne } & = \{x_i \oplus f_1(t_i,P(k||0^{n-\kappa })) \mid 1 \le i \le j, \; t_i \ne t_{j+1}\}. \end{aligned}$$

These sets partition \(\mathcal {X}\) into those inputs using the same tweak as in the \((j+1)\)st query (\(\mathcal {X}^{=}\)) and those using different tweaks (\(\mathcal {X}^{\ne }\)). Hence, by a union bound,

$$\begin{aligned} \Pr [\textsf{Bad}_{0}] \le \Pr [\textsf{Bad}_{0}^{=}] + \Pr [\textsf{Bad}_{0}^{\ne }] , \end{aligned}$$

where \(\textsf{Bad}_{0}^{=}\) is the event that \(x_{j+1} \oplus f_1(t_{j+1},P(k||0^{n-\kappa })) \in \mathcal {X}^{=}\) and \(\textsf{Bad}_{0}^{\ne }\) is the event that \(x_{j+1} \oplus f_1(t_{j+1},P(k||0^{n-\kappa })) \in \mathcal {X}^{\ne }\). For \(\textsf{Bad}_{0}^{=}\), we have

$$\begin{aligned} &x_{j+1} \oplus f_1(t_{j+1},P(k||0^{n-\kappa })) \in \{ x_i \oplus f_1(t_{i},P(k||0^{n-\kappa })) \mid t_{i} = t_{j+1} \} \\ &\qquad \Leftrightarrow \; x_{j+1} \in \{ x_i \mid t_{i} = t_{j+1} \} . \end{aligned}$$

Since \({\mathcal A}\) does not repeat queries, this means \(\Pr [\textsf{Bad}_{0}^{=}] = 0\).

For \(\textsf{Bad}_{0}^{\ne }\), rewriting yields

$$\begin{aligned} &x_{j+1} \oplus f_1(t_{j+1},P(k||0^{n-\kappa })) \in \{ x_i \oplus f_1(t_{i},P(k||0^{n-\kappa })) \mid t_{i} \ne t_{j+1} \} \\ &\qquad \Leftrightarrow \; x_{j+1} \in \{ x_i \oplus f_1(t_{i},P(k||0^{n-\kappa })) \oplus f_1(t_{j+1},P(k||0^{n-\kappa })) \mid t_{i} \ne t_{j+1} \} . \end{aligned}$$

XOR-universality of \(f_1\), together with the fact that \(f_1(t,\cdot )\) is a permutation for all t, implies that the mapping \(g_{t,t'}:x\mapsto f_1(t,x) \oplus f_1(t',x)\) is a permutation whenever \(t\ne t'\). Thus \(g_{t_i,t_{j+1}}\circ P\) preserves the min-entropy of \(k\Vert 0^{n-\kappa }\) and \(\Pr [\textsf{Bad}_{0}^{\ne }] \le |\mathcal {X}^{\ne }|/2^{\kappa } \le j/2^\kappa \). Summarizing,

$$\begin{aligned} \Pr [\textsf{Bad}_{0}] \le \Pr [\textsf{Bad}_{0}^{=}] + \Pr [\textsf{Bad}_{0}^{\ne }] \le 0 + \frac{|\mathcal {X}^{\ne }|}{2^{\kappa }} \le \frac{j}{2^{\kappa }} \,. \end{aligned}$$

If neither \(\textsf{Bad}_0\) nor \(\textsf{Bad}_1\) happens, we have \(P^{(1)}(x_i \oplus f_1(t_i,P(k||0^{n-\kappa })))=P(x_i \oplus f_1(t_i,P(k||0^{n-\kappa })))\) for all \(1 \le i \le j\); furthermore, \(P^{T_j,k}(s_1)=P(s_1)\) or, in other words, \(P(s_1)= y_{j+1} \oplus f_2(t_{j+1},P(k||0^{n-\kappa }))\). Therefore,

$$\begin{aligned} \overrightarrow{S}_{T_j,P^{(1)},k} &= \prod _{i=1}^j\textsf{swap}_{P^{(1)}(x_i \oplus f_1(t_i,P(k||0^{n-\kappa }))),\,y_i\oplus f_2(t_i,P(k||0^{n-\kappa }))} ^{1-b_i} \\ &= \prod _{i=1}^j\textsf{swap}_{P(x_i \oplus f_1(t_i,P(k||0^{n-\kappa }))),\,y_i\oplus f_2(t_i,P(k||0^{n-\kappa }))} ^{1-b_i} \;=\; \overrightarrow{S}_{T_j,P,k} \end{aligned}$$

and

$$\begin{aligned} \overleftarrow{S}_{T_j,P^{(1)},k}&= \prod _{i=j}^1\textsf{swap}_{P^{(1)}(x_i \oplus f_1(t_i,P(k||0^{n-\kappa }))),\,y_i\oplus f_2(t_i,P(k||0^{n-\kappa }))} ^{b_i} \\ &= \prod _{i=j}^1\textsf{swap}_{P(x_i \oplus f_1(t_i,P(k||0^{n-\kappa }))),\,y_i\oplus f_2(t_i,P(k||0^{n-\kappa }))} ^{b_i} \; = \; \overleftarrow{S}_{T_j,P,k}, \end{aligned}$$

and so, using \(P \circ \textsf{swap}_{s_0,\,s_1} = \textsf{swap}_{P(s_0),\,P(s_1)} \circ P\) together with \(P(s_1)= y_{j+1} \oplus f_2(t_{j+1},P(k||0^{n-\kappa }))\),

$$\begin{aligned} (P^{(1)})^{T_j,k}(x) &= \overleftarrow{S}_{T_j,P^{(1)},k}\circ \overrightarrow{S}_{T_j,P^{(1)},k}\circ P^{(1)}(x) \\ &= \overleftarrow{S}_{T_j,P,k}\circ \overrightarrow{S}_{T_j,P,k} \circ \textsf{swap}_{P(f_1(t_{j+1},P(k||0^{n-\kappa })) \oplus x_{j+1}),\,y_{j+1}\oplus f_2(t_{j+1},P(k||0^{n-\kappa }))} \circ P(x) \\ &= \overleftarrow{S}_{T_{j+1},P,k}\circ \overrightarrow{S}_{T_{j+1},P,k}\circ P(x) \;=\; P^{T_{j+1},k}(x). \end{aligned}$$

Putting everything together, we conclude that

$$\begin{aligned} \left| \Pr [{\mathcal A}({\textbf{H}}_j^{**}) = 1] - \Pr [{\mathcal A}({\textbf{H}}'_j) = 1]\right| \le \Pr [\textsf{Bad}_{0}] + \Pr [\textsf{Bad}_{1}] \le \frac{3j}{2^\kappa } \,. \end{aligned}$$

Combining the above with (1) and (2) concludes the proof of Lemma 5, and hence the proof of Theorem 3.    \(\square \)
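The reprogramming machinery used in Lemma 4 and Lemma 5 is easy to lose track of in the notation, so here is an added worked example (our own Python toy model, not code from the paper). It instantiates a swap-based \(P^{T,k}\) for \(n=8\), \(\kappa =4\) and Elephant-style tweak functions \(f_1=f_2=f\) with \(f(t,K)=t\cdot K\) in \(GF(2^8)\); it then enumerates all \(2^\kappa \) keys to compute the reprogramming parameter \(\varepsilon \) of Lemma 2 (the largest probability, over a fixed input, of being reprogrammed) and compares it with the bound \(2(j+1)/2^\kappa \) from the proof of Lemma 4, checks that every reprogrammed point lies in the candidate set displayed there, and checks the identity \(P\circ \textsf{swap}_{a,b}=\textsf{swap}_{P(a),P(b)}\circ P\) that moves the swap of \(P^{(1)}\) across P in the proof of Lemma 5. The composition order of the swaps, the tweak functions, the permutation (a fixed-seed shuffle) and the three-query transcript are all assumptions and constructed inputs of this example.

```python
"""Toy model of the swap-based reprogramming behind Lemmas 4 and 5 (added
example, not code from the paper).  n = 8, kappa = 4: P permutes bytes and a
key k is padded as k || 0^4.  Tweak functions are Elephant-style, f_1 = f_2 = f
with f(t, K) = t * K in GF(2^8), t != 0: a permutation for every tweak and
XOR-universal across distinct tweaks."""
import random

N_BITS, KAPPA = 8, 4
SIZE, KEYS = 1 << N_BITS, 1 << KAPPA

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def f(t, eff_key):
    """Mask for both whitening layers (f_1 = f_2 = f); tweak 0 is excluded."""
    assert t != 0
    return gf_mul(t, eff_key)

def pad(k):
    return k << (N_BITS - KAPPA)  # k || 0^{n-kappa}

def inverse(P):
    return sorted(range(SIZE), key=P.__getitem__)  # inverse[y] = x with P[x] = y

def swap_out(Q, a, b):
    """swap_{a,b} o Q: exchange the two output values a and b."""
    return [b if v == a else a if v == b else v for v in Q]

def swap_in(Q, a, b):
    """Q o swap_{a,b}: exchange the images of the two inputs a and b."""
    R = list(Q)
    R[a], R[b] = Q[b], Q[a]
    return R

def tem_kx(Q, eff_key, t, x):
    """TEM-KX with permutation Q and effective key K = P(k || 0^{n-kappa})."""
    return Q[x ^ f(t, eff_key)] ^ f(t, eff_key)

def reprogram(P, transcript, k):
    """P^{T,k}: one output swap per classical query (t, x, y), so that
    TEM-KX_k[P^{T,k}](t, x) = y.  Assumption (ours, not the paper's S->/S<-
    ordering): swaps are applied in query order and the i-th swap moves the
    current image of u_i = x_i xor f(t_i, K) onto v_i = y_i xor f(t_i, K)."""
    K, Q = P[pad(k)], list(P)
    for t, x, y in transcript:
        Q = swap_out(Q, Q[x ^ f(t, K)], y ^ f(t, K))
    return Q

def reprogrammed_points(P, Q):
    """Inputs (forward) and outputs (inverse) on which Q disagrees with P."""
    Pinv, Qinv = inverse(P), inverse(Q)
    return ({x for x in range(SIZE) if Q[x] != P[x]},
            {y for y in range(SIZE) if Qinv[y] != Pinv[y]})

def candidate_points(P, transcript, k):
    """Proof of Lemma 4: {u_i, P^{-1}(v_i)} forward and {P(u_i), v_i} inverse."""
    K, Pinv, fwd, inv = P[pad(k)], inverse(P), set(), set()
    for t, x, y in transcript:
        u, v = x ^ f(t, K), y ^ f(t, K)
        fwd |= {u, Pinv[v]}
        inv |= {P[u], v}
    return fwd, inv

def consistent(P, transcript, k):
    """Does P^{T,k} reproduce the transcript?  Guaranteed when collision_free."""
    K, Q = P[pad(k)], reprogram(P, transcript, k)
    return all(tem_kx(Q, K, t, x) == y for t, x, y in transcript)

def collision_free(P, transcript, k):
    """All P-inputs u_i pairwise distinct and all P-outputs v_i pairwise distinct."""
    K = P[pad(k)]
    us = {x ^ f(t, K) for t, x, _ in transcript}
    vs = {y ^ f(t, K) for t, _, y in transcript}
    return len(us) == len(transcript) == len(vs)

def epsilon(P, transcript):
    """max over (a, x) of Pr_k[(a, x) reprogrammed], all 2^kappa keys enumerated;
    the proof of Lemma 4 bounds this by 2 (j+1) / 2^kappa for j+1 queries."""
    fwd_hits, inv_hits = [0] * SIZE, [0] * SIZE
    for k in range(KEYS):
        fwd, inv = reprogrammed_points(P, reprogram(P, transcript, k))
        for x in fwd:
            fwd_hits[x] += 1
        for y in inv:
            inv_hits[y] += 1
    return max(fwd_hits + inv_hits) / KEYS

# Constructed sample data: a fixed-seed toy permutation and three classical
# queries (tweak, input, output), two of them under the same tweak.
P_TOY = list(range(SIZE))
random.Random(2024).shuffle(P_TOY)
TRANSCRIPT = [(0x03, 0x41, 0x9C), (0x03, 0x7E, 0x10), (0x1D, 0x41, 0x55)]
```

Because every swap only touches the outputs \(P(u_i)\) and \(v_i\), the set of reprogrammed points is contained in the candidate set from the proof of Lemma 4 for any composition order, which is why the \(\varepsilon \) bound does not depend on the ordering convention chosen here. Transcript consistency, by contrast, does depend on collisions among the \(u_i\) and \(v_i\) (the events the proof of Lemma 5 calls \(\textsf{Bad}_0\) and \(\textsf{Bad}_1\)), and the example only guarantees it in the collision-free case.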

Tweakable Even-Mansour. Recall that the tweakable Even-Mansour construction TEM is defined as

$$\begin{aligned} \textsf{TEM} _{k}^{f_1, f_2}[P] (t, x) = P(x \oplus f_1(t, k)) \oplus f_2(t, k) . \end{aligned}$$

Setting \(\kappa =n\) and noting that P(k) is uniform when k is uniform (since P is a permutation), Theorem 3 yields the following as an easy corollary:

Theorem 4

Let \({\mathcal A}\) be an adversary making \(q_C\) classical queries to its first oracle and \(q_Q\ge 1\) quantum queries to its second oracle. If \(f_1, f_2\) are proper with respect to \(\mathcal {T}\), then

$$\begin{aligned} &\left| \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k\leftarrow \{0,1\}^n;\\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\textsf{TEM} _{k}^{f_1, f_2}[P], P} = 1\right] - \mathop {\textrm{Pr}}\limits _{\begin{array}{c} \tilde{E}\leftarrow \mathcal E(\mathcal {T},n); \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\tilde{E}, P} = 1\right] \right| \\ &\qquad \le 7\cdot 2^{-n/2}\cdot \left( q_C\sqrt{q_Q}+q_Q\sqrt{q_C}\right) . \end{aligned}$$

(Note: Theorem 4 is a corollary of Theorem 3 only for \(q_Q\ge \max \{n,\log (11\cdot |\mathcal T|)\}\). While small values of \(q_Q\) are not particularly interesting, Theorem 4 can be shown to hold for \(q_Q\ge 1\) by a dedicated analysis that we omit here).

4.2 Security of \(\textsf{TEM}\text {-}\textsf{KX1} \)

We also consider an alternate method of expanding a key \(k \in \{0,1\}^\kappa \) to an effective key of length n, in which we compute \(F_P(k) = P(k\Vert 0^{n-\kappa }) \oplus k\Vert 0^{n-\kappa }\). This gives rise to \(\textsf{TEM}\text {-}\textsf{KX1} \), a variant of tweakable Even-Mansour defined as

$$\begin{aligned} \textsf{TEM}\text {-}\textsf{KX1} _{k}^{f_1, f_2}[P] (t, x) = P(x \oplus f_1(t, F_P(k))) \oplus f_2(t, F_P(k)) . \end{aligned}$$

We obtain a tighter security bound for this variant than for \(\textsf{TEM}\text {-}\textsf{KX} \); this allows us to give a tighter bound for Elephant in Sect. 5.2.

We first show that \(F_P\) is a pseudorandom generator, even against adversaries with quantum oracle access to P and \(P^{-1}\).

Lemma 6

For any quantum algorithm \(\mathcal A\) making \(q_Q\) quantum queries,

$$\begin{aligned} \left| \mathop {\textrm{Pr}}\limits _{\begin{array}{c} r \leftarrow \{0,1\}^n\\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{P}(r) = 1\right] - \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k \leftarrow \{0,1\}^{\kappa }\\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{P}(P(k||0^{n-\kappa }) \oplus k||0^{n-\kappa }) = 1\right] \right| \le \frac{4\cdot q_Q}{2^{\kappa /2}} . \end{aligned}$$

Proof

Given an adversary \({\mathcal A}\), we construct a distinguisher \(\mathcal {D}\) for the reprogramming experiment from Lemma 2:

  • Phase 1: \(\mathcal {D}\) samples uniform \(P \in \mathcal{P}(n)\) and \(r\in \{0,1\}^n\), and defines a randomized algorithm \(\mathcal B\) that proceeds as follows:

    1. sample uniform \(k\in \{0,1\}^{\kappa }\);

    2. output a set of reprogramming pairs B so that P reprogrammed with B is \(P^{(B)}(x)= (P \circ \textsf{swap}_{P^{-1}((k||0^{n-\kappa }) \oplus r),\,k||0^{n-\kappa }})(x)\).

    Then \(\mathcal {D}\) outputs P and \(\mathcal B\).

  • Phase 2: \(\mathcal B\) is run with a uniform \(k\in \{0,1\}^{\kappa }\) to compute B. Let \(P_0=P\) and \(P_1=P^{(B)}\). A uniform \(b\in \{0,1\}\) is chosen and \(\mathcal {D}\) is given access to \(P_b\) (in the forward and inverse directions). \(\mathcal {D}\) runs \({\mathcal A}\) with input r and oracle \(P_b\). This phase ends when \({\mathcal A}\) has made its last query and outputs its guess.

  • Phase 3: \(\mathcal {D}\) outputs what \({\mathcal A}\) outputs.

Note that at most four points are reprogrammed: the two inputs \(P^{-1}((k||0^{n-\kappa })\oplus r)\) and \(k||0^{n-\kappa }\) in the forward direction, and the two outputs \(P(k||0^{n-\kappa })\) and \((k||0^{n-\kappa })\oplus r\) in the inverse direction. Each of these four points takes any fixed value with probability at most \(2^{-\kappa }\) over the choice of k, so by a union bound any fixed point is reprogrammed with probability at most \(4 \cdot 2^{-\kappa }\); that is, \(\varepsilon \le 4\cdot 2^{-\kappa }\). By Lemma 2,

$$\begin{aligned} \left| \Pr [\mathcal {D}\text { outputs } 1 \mid b=0] - \Pr [\mathcal {D}\text { outputs } 1 \mid b=1]\right| \le 4q_Q\cdot 2^{-\kappa /2} . \end{aligned}$$
(3)

When \(b=0\), \(\mathcal {D}\) runs \({\mathcal A}^P(r)\) for uniform and independent \(P\) and \(r\). When \(b=1\), \(\mathcal {D}\) runs \({\mathcal A}^{P_1}(r)\) where \(P_1\) and r are each uniform but are not independent. Indeed,

$$\begin{aligned} P_1(k||0^{n-\kappa }) \oplus k||0^{n-\kappa } = & {} P(P^{-1}((k||0^{n-\kappa }) \oplus r)) \oplus k||0^{n-\kappa } \\ = & {} k||0^{n-\kappa } \oplus r \oplus k||0^{n-\kappa } = r . \end{aligned}$$

We prove that \(P_1\) is uniform subject to that constraint. Let \(\ell =2^n-1\), and let \(x_1,\ldots ,x_\ell \) and \(y_1,\ldots ,y_\ell \) be arbitrary enumerations of \(X=\{0,1\}^n \setminus \{k||0^{n-\kappa }\}\) and \(Y=\{0,1\}^n \setminus \{r \oplus k||0^{n-\kappa }\}\), respectively. We show that

$$\begin{aligned} \Pr [\forall i=1,\ldots ,\ell : P_1(x_i)=y_i]=\frac{1}{(2^n-1)!} . \end{aligned}$$

Letting

$$\begin{aligned} {\textbf{A}} &= \Pr [P^{-1}((k||0^{n-\kappa })\oplus r) \notin X] \cdot \Pr [\forall i=1,\ldots ,\ell : P_1(x_i)=y_i\mid P^{-1}((k||0^{n-\kappa })\oplus r) \notin X] \\ &= 2^{-n} \cdot \frac{1}{(2^n-1)!} \; = \; \frac{1}{2^n!} \end{aligned}$$

and

$$\begin{aligned} {\textbf{B}} &= \sum _{j=1}^\ell \Pr [P^{-1}((k||0^{n-\kappa })\oplus r) =x_j] \cdot \Pr [P(k||0^{n-\kappa })=y_j \wedge \forall i\ne j: P_1(x_i)=y_i \mid P^{-1}((k||0^{n-\kappa })\oplus r) =x_j ] \\ &= \sum _{j=1}^\ell 2^{-n}\cdot \frac{1}{(2^n-1)!} = \frac{\ell }{2^n!} = \frac{2^n-1}{2^n!} , \end{aligned}$$

we have

$$\begin{aligned} \Pr [\forall i=1,\ldots ,\ell : P_1(x_i)=y_i]= {\textbf{A}}+{\textbf{B}}= \frac{1}{(2^n-1)!} , \end{aligned}$$

as desired. The claimed result thus follows from (3).    \(\square \)
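The counting argument above can be checked exhaustively for a permutation small enough to enumerate. The following added example (our own Python, not code from the paper) takes \(n=3\) and \(\kappa =2\), builds \(P_1 = P\circ \textsf{swap}_{P^{-1}((k||0^{n-\kappa })\oplus r),\,k||0^{n-\kappa }}\) for every one of the \(8!\) permutations P, and verifies that \(P_1(k||0^{n-\kappa })\oplus k||0^{n-\kappa }=r\) always holds, that at most four points are reprogrammed, and that every permutation satisfying the constraint arises from exactly \(2^n\) choices of P, which is the statement \(\Pr [P_1 = Q] = 1/(2^n-1)!\) proved above. The parameters and the sample inputs are this example's own choices.

```python
"""Exhaustive check of the two-point reprogramming in the proof of Lemma 6
(added example, not the paper's code).  n = 3 and kappa = 2, so every one of
the 8! permutations of {0,1}^3 can be enumerated; a 2-bit key k is padded to
k || 0^{n-kappa}."""
import itertools
import math
from collections import Counter

N, KAPPA = 3, 2
SIZE = 1 << N

def pad(k):
    return k << (N - KAPPA)  # k || 0^{n-kappa}

def inverse(P):
    return sorted(range(SIZE), key=P.__getitem__)  # inverse[y] = x with P[x] = y

def F(P, k):
    """F_P(k) = P(k || 0) xor (k || 0): the key expansion of TEM-KX1 / ELE-KX1."""
    return P[pad(k)] ^ pad(k)

def reprogram(P, k, r):
    """P_1 = P o swap_{P^{-1}((k||0) xor r), k||0}; afterwards F_{P_1}(k) = r."""
    a, b = inverse(P)[pad(k) ^ r], pad(k)
    Q = list(P)
    Q[a], Q[b] = P[b], P[a]
    return tuple(Q)

def num_reprogrammed(P, Q):
    """Points on which P and Q disagree, in the forward and inverse directions."""
    Pinv, Qinv = inverse(P), inverse(Q)
    return (sum(P[x] != Q[x] for x in range(SIZE))
            + sum(Pinv[y] != Qinv[y] for y in range(SIZE)))

def all_permutations():
    return itertools.permutations(range(SIZE))

def distribution(k, r):
    """Multiset of P_1 over every permutation P, for fixed k and r."""
    return Counter(reprogram(P, k, r) for P in all_permutations())

def uniform_given_constraint(k, r):
    """Every Q with Q(k||0) = (k||0) xor r arises from exactly 2^n = SIZE
    permutations P (probability 1/(2^n - 1)!), and no other Q arises at all."""
    dist = distribution(k, r)
    return (all(F(Q, k) == r for Q in dist)
            and len(dist) == math.factorial(SIZE - 1)
            and set(dist.values()) == {SIZE})

def max_reprogrammed(k, r):
    """Largest number of reprogrammed points over all P (the proof says at most 4)."""
    return max(num_reprogrammed(P, reprogram(P, k, r)) for P in all_permutations())
```

For the identity permutation with \(k=1\) and \(r=5\) the swap exchanges the images of inputs 2 and 7, so that \(F_{P_1}(1)=P_1(2)\oplus 2=7\oplus 2=5=r\); running `uniform_given_constraint` over all \(8!\) permutations confirms that each admissible \(P_1\) is hit exactly \(2^3=8\) times.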

The following is an immediate corollary of Theorem 4 and Lemma 6.

Theorem 5

Let \({\mathcal A}\) be an adversary making \(q_C\) classical queries to its first oracle and \(q_Q\ge 1\) quantum queries to its second oracle. If \(f_1, f_2\) are proper with respect to \(\mathcal {T}\), then

$$\begin{aligned} &\left| \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k \leftarrow \{0,1\}^{\kappa }; \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\textsf{TEM}\text {-}\textsf{KX1} ^{f_1,f_2}_{k}[P], P} = 1\right] - \mathop {\textrm{Pr}}\limits _{\begin{array}{c} \tilde{E}\leftarrow \mathcal E(\mathcal {T},n); \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\tilde{E}, P} = 1\right] \right| \\ &\qquad \le 4 \cdot q_Q\, 2^{-\kappa /2} +7\cdot 2^{-n/2}\left( q_C\sqrt{q_Q}+q_Q\sqrt{q_C}\right) . \end{aligned}$$

5 Applications

In this section we use our results of Sect. 4 to show post-quantum security of the lightweight symmetric-key schemes Chaskey [15], Elephant [2], and a variant of Minalpher [17]. Note that our proofs of security hold when some public permutation at the core of each scheme is modeled as a random permutation; we do not analyze the public permutations themselves.

5.1 Chaskey

Chaskey [15] is an ISO-standardized lightweight MAC whose construction is based on a specific permutation P that we model as a random permutation. Define \(\textsf{F}^P_{k, k'}(x) = P(x \oplus k) \oplus k'\), i.e., the Even-Mansour cipher based on P. Evaluating Chaskey using key k involves evaluating \(\textsf{F}^P_{k,k}\), \(\textsf{F}^P_{k\oplus k_1,k_1}\), and \(\textsf{F}^P_{k\oplus k_2,k_2}\), where \(k_1=2k\), \(k_2=4k\), and multiplication is in the field \(GF(2^n)\) with respect to a particular representation of field elements as n-bit strings. Prior work [15] shows that Chaskey is a secure MAC if these three instances of \(\textsf{F}^P\) are indistinguishable from three independent random permutations—a notion called 3PRP security—and also proves 3PRP security of \(\textsf{F}\) when P is modeled as a public random permutation. Although this prior work considered classical adversaries only, it is not hard to verify that the proofs carry through to imply security of Chaskey against quantum adversaries making classical MAC queries, so long as 3PRP security of \(\textsf{F}\) holds against adversaries making classical queries to the secretly keyed ciphers and quantum queries to P.

As we now show, Theorem 4 readily implies 3PRP security of \(\textsf{F}\) in the post-quantum setting.

Theorem 6

Let \({\mathcal A}\) be a quantum algorithm making \(q_C\) classical queries to its first three oracles and \(q_Q\ge 1\) quantum queries to its fourth oracle. Then

$$\begin{aligned} &\left| \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k\leftarrow \{0,1\}^n ,\\ P\leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\textsf{F}^P_{k,k}, \textsf{F}^P_{k\oplus k_1,k_1}, \textsf{F}^P_{k\oplus k_2,k_2}, P} = 1\right] - \mathop {\textrm{Pr}}\limits _{R_1, R_2, R_3,P\leftarrow \mathcal{P}(n)} \left[ {\mathcal A}^{R_1, R_2, R_3, P } = 1\right] \right| \\ &\qquad \le 7 \cdot 2^{-n/2}\left( q_C\sqrt{q_Q}+q_Q\sqrt{q_C}\right) , \end{aligned}$$

where \(k_1=2k\) and \(k_2=4k\).

Proof

Letting \(\mathcal {T}= \{0,1,2\}\subset GF(2^n)\) and defining \(f_1(t, k) = k \oplus (2t k)\) and \(f_2(t, k) = 2^t \cdot k\), we see that

$$\begin{aligned} & \textsf{TEM} _{k}^{f_1,f_2}[P](0, x) = P(x \oplus k) \oplus k = \textsf{F}_{k,k}(x) & \\ & \textsf{TEM} _{k}^{f_1,f_2}[P](1, x) = P(x \oplus k \oplus 2k) \oplus 2k = \textsf{F}_{k \oplus k_1, k_1}(x) & \\ & \textsf{TEM} _{k}^{f_1,f_2}[P](2, x) = P(x \oplus k \oplus 4k) \oplus 4k = \textsf{F}_{k \oplus k_2,k_2}(x)\,. & \end{aligned}$$

The theorem thus follows from Theorem 4 once we verify that \(f_1, f_2\) are proper. Uniformity of \(f_1\) and \(f_2\) follows readily from invertibility of non-zero elements in \(GF(2^n)\). Finally, note that

$$\begin{aligned} f_1(t, k) \oplus f_1(t', k) = 2\cdot (t\oplus t') \cdot k \text{ and } f_2(t, k) \oplus f_2(t',k) = (2^t\oplus 2^{t'}) \cdot k \,, \end{aligned}$$

with \(t \oplus t'\) and \(2^t\oplus 2^{t'}\) non-zero for distinct \(t, t'\); XOR-universality follows. This concludes the proof of the theorem.    \(\square \)
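To make the reduction in the proof of Theorem 6 concrete, the following added example (our own Python, not code from the paper or from the Chaskey reference implementation) implements the Chaskey subkey derivation \(k_1=2k\), \(k_2=4k\) as doubling in \(GF(2^n)\), the tweak functions \(f_1(t,k)=k\oplus (2t)k\) and \(f_2(t,k)=2^t k\) for \(t\in \{0,1,2\}\), and checks both the three identities displayed above and the "proper" conditions (uniformity and XOR-universality). Chaskey itself uses \(n=128\) with the reduction polynomial \(x^{128}+x^7+x^2+x+1\); the exhaustive checks run at a toy \(n=8\) with the AES polynomial and a fixed-seed stand-in for the permutation P, all of which are this example's own choices.

```python
"""Chaskey's three Even-Mansour instances as one tweakable Even-Mansour cipher
(added example, not code from the paper or from Chaskey).  The subkeys
k_1 = 2k, k_2 = 4k are GF(2^n) doublings; Chaskey uses n = 128 with the
polynomial x^128 + x^7 + x^2 + x + 1.  Exhaustive checks use a toy n = 8."""
import random

CHASKEY_N, CHASKEY_POLY = 128, 0x87  # low bits of x^128 + x^7 + x^2 + x + 1
TOY_N, TOY_POLY = 8, 0x1B            # low bits of x^8 + x^4 + x^3 + x + 1

def xtime(a, n, poly):
    """Multiply a by 2 (the field element x) in GF(2^n)."""
    a <<= 1
    if a >> n:
        a ^= poly
    return a & ((1 << n) - 1)

def pow2_mul(t, k, n, poly):
    """2^t * k, i.e. k doubled t times."""
    for _ in range(t):
        k = xtime(k, n, poly)
    return k

def chaskey_subkeys(k, n=CHASKEY_N, poly=CHASKEY_POLY):
    """(k_1, k_2) = (2k, 4k) as in Chaskey."""
    k1 = xtime(k, n, poly)
    return k1, xtime(k1, n, poly)

def f1(t, k, n, poly):
    """f_1(t, k) = k xor (2t)k for t in {0, 1, 2}, where 2t is 0, 2 or 4."""
    assert t in (0, 1, 2)
    return k if t == 0 else k ^ pow2_mul(t, k, n, poly)

def f2(t, k, n, poly):
    """f_2(t, k) = 2^t k for t in {0, 1, 2}."""
    assert t in (0, 1, 2)
    return pow2_mul(t, k, n, poly)

def even_mansour(P, k_in, k_out, x):
    """F^P_{k_in, k_out}(x) = P(x xor k_in) xor k_out."""
    return P[x ^ k_in] ^ k_out

def tem(P, k, t, x, n, poly):
    """TEM_k^{f_1, f_2}[P](t, x) with the tweak functions above."""
    return P[x ^ f1(t, k, n, poly)] ^ f2(t, k, n, poly)

def matches_chaskey_instances(P, k, n=TOY_N, poly=TOY_POLY):
    """For every x: tweak 0 gives F_{k,k}, tweak 1 gives F_{k xor k_1, k_1},
    tweak 2 gives F_{k xor k_2, k_2} (the identities in the proof of Theorem 6)."""
    k1, k2 = chaskey_subkeys(k, n, poly)
    instances = [(0, k, k), (1, k ^ k1, k1), (2, k ^ k2, k2)]
    return all(tem(P, k, t, x, n, poly) == even_mansour(P, kin, kout, x)
               for t, kin, kout in instances for x in range(1 << n))

def is_proper(n=TOY_N, poly=TOY_POLY, tweaks=(0, 1, 2)):
    """'Proper', checked over all keys: each f_i(t, .) is a bijection
    (uniformity), and for t != t' the map k -> f_i(t,k) xor f_i(t',k) is a
    bijection (XOR-universality)."""
    keys = range(1 << n)
    for fi in (f1, f2):
        for t in tweaks:
            if len({fi(t, k, n, poly) for k in keys}) != 1 << n:
                return False
            for t2 in tweaks:
                if t2 != t and len({fi(t, k, n, poly) ^ fi(t2, k, n, poly)
                                    for k in keys}) != 1 << n:
                    return False
    return True

# Constructed stand-in for the public permutation (not Chaskey's permutation).
P_TOY = list(range(1 << TOY_N))
random.Random(7).shuffle(P_TOY)
```

The proof's remark that uniformity "follows from invertibility of non-zero elements" is what `is_proper` checks mechanically: \(f_1(t,\cdot )\) is multiplication by the constant \(1\oplus 2t\in \{1,3,5\}\), \(f_2(t,\cdot )\) by \(2^t\), and the XOR differences are multiplications by \(2(t\oplus t')\) and \(2^t\oplus 2^{t'}\), all non-zero field elements and hence bijections on keys.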

As discussed earlier, the above theorem in combination with prior results [15] implies post-quantum security (in the random-permutation model) of Chaskey. Below we state a simple version of the theorem, leaving out some details and parameters. We formulate MAC unforgeability in terms of a distinguishing experiment in which the adversary is equipped with the \(\textsf{Mac} _k\) oracle, and must distinguish the oracle implementing \(\textsf{Ver} _k\) from the oracle (denoted by \(\perp \)) that always rejects. (To exclude trivial attacks, the adversary cannot forward a message/tag pair obtained from the first oracle to the second oracle).

Theorem 7

Let \((\textsf{Mac}, \textsf{Ver})\) be the Chaskey MAC, and let \({\mathcal A}\) be a quantum algorithm making \(q_C\) classical queries to its first two oracles and \(q_Q\) quantum queries to its third oracle. Then

$$\begin{aligned} &\left| \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k \leftarrow \{0,1\}^n; \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\textsf{Mac} _k,\textsf{Ver} _k, P} = 1\right] - \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k \leftarrow \{0,1\}^n\\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\textsf{Mac} _k,\bot , P} = 1\right] \right| \\ &\qquad \le \mathcal {O}(2^{-n} \cdot q_C) + 7 \cdot 2^{-n/2}\left( q_C\sqrt{q_Q}+q_Q\sqrt{q_C}\right) . \end{aligned}$$

5.2 Elephant

Elephant [2] is a lightweight authenticated encryption scheme with associated data (AEAD) that was a finalist in the NIST lightweight cryptography standardization effort [18]. It is based on a tweakable block cipher we call \(\textsf{ELE} \), which is constructed from a specific permutation P. Prior work [2] proves—in the purely classical setting—that Elephant is secure if \(\textsf{ELE} \) is a secure tweakable block cipher, and that \(\textsf{ELE} \) is a secure tweakable block cipher if P is modeled as a public random permutation. As with Chaskey, it is straightforward to verify that the former result carries over to the setting of quantum adversaries with classical access to Elephant if \(\textsf{ELE} \) is post-quantum secure.

The tweakable block cipher \(\textsf{ELE} [P]: \{0,1\}^{n-s} \times \mathcal {T}\times \{0,1\}^n \rightarrow \{0,1\}^n\) used by Elephant is defined as

$$\begin{aligned} \textsf{ELE} [P]_k(t, x) = P(x \oplus f(t, P(k\Vert 0^{s}))) \oplus f(t, P(k\Vert 0^{s})) , \end{aligned}$$
(4)

where \(f : \mathcal {T}\times \{0,1\}^n \rightarrow \{0,1\}^n\) is a function that is proper with respect to \(\mathcal {T}\). (The particular structure of f and \(\mathcal {T}\) is not relevant here.) Since \(\textsf{ELE} \) is a special case of \(\textsf{TEM}\text {-}\textsf{KX} \) with key length \(\kappa = n-s\) and \(f_1=f_2=f\), post-quantum security of \(\textsf{ELE} \) follows directly from Theorem 3.

Theorem 8

Let \(\textsf{ELE} \) be as above and let \({\mathcal A}\) be an adversary making \(q_C\) classical queries to its first oracle and \(q_Q\ge \max \{n,\log \left( 11\cdot |\mathcal {T}|\right) \}\) quantum queries to its second oracle. Then

$$\begin{aligned} &\left| \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k \leftarrow \{0,1\}^{n-s}; \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\textsf{ELE} [P]_{k}, P} = 1\right] - \mathop {\textrm{Pr}}\limits _{\begin{array}{c} \tilde{E}\leftarrow \mathcal E(\mathcal {T},n); \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\tilde{E}, P} = 1\right] \right| \\ &\qquad \le 7\cdot 2^{-(n-s)/2}\left( q_C\sqrt{q_Q}+q_Q\sqrt{q_C}\right) . \end{aligned}$$

As discussed earlier, the above theorem in combination with [2, Theorem B.3] implies post-quantum security (in the random-permutation model) of Elephant. Recall that in the authenticated encryption security experiment the adversary is tasked with distinguishing the oracles \((\textsf{Enc} _k, \textsf{Dec} _k)\) from the pair of oracles in which the first (denoted \(\$\)) outputs random ciphertexts and the second (denoted \(\perp \)) always rejects. (Typical restrictions have to be imposed on the adversary to avoid trivial attacks; we do not state these here explicitly.) A fully flexible security theorem for Elephant involves many parameters; for simplicity, we record only a simple version below.

Theorem 9

Let \((\textsf{Enc},\textsf{Dec})\) be the Elephant AEAD scheme, and let \({\mathcal A}\) be a quantum adversary making a total of \(q_C\) classical queries to its first two oracles and \(q_Q \ge \max \{n,\log \left( 11\cdot |\mathcal {T}|\right) \} \) quantum queries to its third oracle. Then

$$\begin{aligned} &\left| \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k \leftarrow \{0,1\}^{n-s}; \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\textsf{Enc} _k,\textsf{Dec} _k, P} = 1\right] - \mathop {\textrm{Pr}}\limits _{\begin{array}{c} P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\$,\bot , P} = 1\right] \right| \\ &\qquad \le \mathcal {O}(2^{-n}\cdot q_C)+ 7\cdot 2^{-(n-s)/2}\left( q_C\sqrt{q_Q}+q_Q\sqrt{q_C}\right) . \end{aligned}$$

A Variant with a Tighter Security Bound. Next, we consider a slight variant of Elephant for which we can give a tighter security bound. Recall that ELE expands the key via \(k\Vert 0^s \mapsto P(k\Vert 0^s)\). Here we instead expand the key via \(k \mapsto k||0^s \oplus P(k||0^s).\) The tweakable block cipher then becomes

$$\begin{aligned} \textsf{ELE}\text {-}\textsf{KX1} [P]_k(t, x) = P(x \oplus f(t, P(k\Vert 0^{s})\oplus k||0^{s})) \oplus f(t, P(k\Vert 0^{s})\oplus k||0^{s}) . \end{aligned}$$
(5)

Security of the above is then a direct consequence of Theorem 5.

Theorem 10

Let \(\textsf{ELE}\text {-}\textsf{KX1} \) be as above and let \({\mathcal A}\) be an adversary making \(q_C\) classical queries to its first oracle and \(q_Q\ge 1\) quantum queries to its second oracle. Then

$$\begin{aligned} {} & {} {\left| \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k \leftarrow \{0,1\}^{n-s}; \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\textsf{ELE}\text {-}\textsf{KX1} [P]_{k}, P} = 1\right] - \mathop {\textrm{Pr}}\limits _{\begin{array}{c} \tilde{E}\leftarrow \mathcal E(\mathcal {T},n); \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\tilde{E}, P} = 1\right] \right| } \\ {} & {} \qquad \,\,\, \le 2(q_Q+q_C)\cdot \sqrt{2/2^{n-s}} + 7\cdot 2^{-n/2}\left( q_C\sqrt{q_Q}+q_Q\sqrt{q_C}\right) . \end{aligned}$$

The above implies post-quantum security of the variant of Elephant constructed from the cipher in (5) (in place of the cipher from (4)).

5.3 (A Variant of) Minalpher

Minalpher [17] is an AEAD scheme that was a second-round candidate in the CAESAR competition. Minalpher is based on a single-round tweakable Even-Mansour cipher that we call \(\textsf{MA} \), which is constructed from a specific permutation P. Prior work in the purely classical setting [17] first proves that \(\textsf{MA} \) is a secure tweakable block cipher when P is modeled as a random permutation and then proves, as a consequence, that Minalpher is a secure AEAD scheme. Just as with Elephant and Chaskey, the latter step easily translates to the post-quantum setting if \(\textsf{MA} \) is secure in that setting.

We specify \(\textsf{MA} \) in more detail. The tweak space \(\mathcal {T}\) contains tweaks of the form \((\textsf{flag}, N, i, j)\), where \(\textsf{flag}\) is an s-bit string that takes two possible values, \(N \in \{0,1\}^{n/2-s}\), and \(i, j\) are non-negative integers with \(i<2^\ell \) (where \(2^\ell\) is an upper bound on the message length) and \(j \in \{0, 1, 2\}\). The tweakable block cipher \(\textsf{MA}: \{0,1\}^{n/2} \times \mathcal {T}\times \{0,1\}^n \rightarrow \{0,1\}^n\) used by Minalpher is then given by

$$\begin{aligned} \textsf{MA} _k(t, x) = P(x \oplus L(t,k)) \oplus L(t,k) , \end{aligned}$$

where

$$\begin{aligned} L((\textsf{flag}, N, i, j), k)= y^i(y+1)^j \cdot \left( P(k|| \textsf {flag}||N) \oplus (k||\textsf {flag}||N) \right) \end{aligned}$$

with y some fixed element of \(GF(2^n)\). Note that Minalpher pads the key with part of the tweak (in contrast to Elephant which just pads the key with 0s), which prevents us from using Theorem 3 to analyze \(\textsf{MA} \). We thus consider a variant of Minalpher based on a different tweakable block cipher \(\textsf{MA} '\) in which the key is padded with 0s. Specifically, we set \(s=1\) so that \(\textsf{flag}\) is simply a bit, encode j using two bits, and then fix the lengths of N and i so their combined length is \(n-3\) bits. We then define

$$\begin{aligned} \textsf{MA} '_k(t, x) = P(x \oplus f(t,k)) \oplus f(t,k) , \end{aligned}$$

where

$$\begin{aligned} f(t,k)=(\textsf{flag}||N||i||j)\cdot \left( P(k||0^{n/2}) \oplus (k||0^{n/2}) \right) . \end{aligned}$$
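Both \(\textsf{ELE}\text {-}\textsf{KX1}\) in (5) and \(\textsf{MA} '\) above share one skeleton: a single-round tweakable Even-Mansour cipher \(P(x \oplus \textsf{mask}) \oplus \textsf{mask}\) whose mask is derived from the expanded key \(\varDelta = P(k\Vert 0^s) \oplus (k\Vert 0^s)\) and the tweak. The following Python is an added example, not code from the paper or from the Minalpher or Elephant submissions. It instantiates \(\textsf{MA} '\) with toy parameters that are assumptions of the example: \(n = 8\) (so the key is 4 bits and \(s = n/2 = 4\)), a seeded shuffle of \(\{0,1\}^8\) standing in for the random permutation P, the AES polynomial \(x^8+x^4+x^3+x+1\) for \(GF(2^8)\), and a split of the \(n-3\) free tweak bits into a 3-bit N and a 2-bit i. \(\textsf{ELE}\text {-}\textsf{KX1}\) has the same shape with Elephant's own mask function f in place of the field multiplication; since this page does not spell that f out, only \(\textsf{MA} '\) is instantiated.

```python
import random

# Toy parameters (assumption of this example): n = 8, so P is a 256-entry table.
N = 8
S = N // 2                      # MA' pads the n/2-bit key with 0^{n/2}
GF_POLY = 0x11B                 # x^8 + x^4 + x^3 + x + 1, irreducible (AES field)


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo GF_POLY (shift-and-add, no tables)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= GF_POLY
    return r


def make_public_permutation(seed: int = 2024):
    """Stand-in for the random permutation P: a seeded shuffle of {0,1}^n,
    returned together with its inverse table (needed only for decryption)."""
    rng = random.Random(seed)
    table = list(range(1 << N))
    rng.shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


def kx1_delta(P, k: int, s: int) -> int:
    """Key expansion shared by ELE-KX1 and MA': Delta = P(k||0^s) xor (k||0^s)."""
    padded = k << s             # k || 0^s
    return P[padded] ^ padded


def encode_tweak(flag: int, nonce: int, i: int, j: int) -> int:
    """flag||N||i||j as an n-bit string: flag is 1 bit, j is 2 bits, and
    N and i share the remaining n-3 bits (3 + 2 here, an assumed split)."""
    assert flag in (0, 1) and j in (0, 1, 2)
    assert 0 <= nonce < 8 and 0 <= i < 4
    return (flag << 7) | (nonce << 4) | (i << 2) | j


def ma_prime_mask(P, k: int, t) -> int:
    """f(t,k) = (flag||N||i||j) . (P(k||0^{n/2}) xor (k||0^{n/2})) in GF(2^n)."""
    return gf_mul(encode_tweak(*t), kx1_delta(P, k, S))


def tem_encrypt(P, mask: int, x: int) -> int:
    """Single-round tweakable Even-Mansour: P(x xor mask) xor mask."""
    return P[x ^ mask] ^ mask


def tem_decrypt(P_inv, mask: int, y: int) -> int:
    """Inverse direction: P^{-1}(y xor mask) xor mask."""
    return P_inv[y ^ mask] ^ mask


def ma_prime_encrypt(P, k: int, t, x: int) -> int:
    return tem_encrypt(P, ma_prime_mask(P, k, t), x)


def ma_prime_decrypt(P, P_inv, k: int, t, y: int) -> int:
    return tem_decrypt(P_inv, ma_prime_mask(P, k, t), y)


def all_tweaks():
    return [(f, nn, i, j) for f in (0, 1) for nn in range(8)
            for i in range(4) for j in range(3)]


def roundtrip_ok(P, P_inv, k: int) -> bool:
    """Every (tweak, block) pair must decrypt back to its plaintext."""
    return all(ma_prime_decrypt(P, P_inv, k, t, ma_prime_encrypt(P, k, t, x)) == x
               for t in all_tweaks() for x in range(1 << N))


def masks_distinct(P, k: int) -> bool:
    """With Delta != 0, distinct tweak encodings give distinct masks, since
    multiplication by a nonzero element is a bijection of GF(2^n)."""
    masks = {ma_prime_mask(P, k, t) for t in all_tweaks()}
    return len(masks) == len(all_tweaks())


if __name__ == "__main__":
    P, P_inv = make_public_permutation()
    k = 0b0101                  # a 4-bit MA' key in the toy instance
    print("roundtrip:", roundtrip_ok(P, P_inv, k))
    print("Delta =", kx1_delta(P, k, S), "masks distinct:", masks_distinct(P, k))
```

The distinctness check is the concrete reason the tweak encoding is multiplied by \(\varDelta\) rather than XORed with it: every tweak that differs in any bit yields a different mask (unless \(\varDelta = 0\), which for a random permutation happens only when P fixes the padded key, i.e. with probability about \(2^{-n}\)).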

Since f is proper, Theorem 5 implies:

Theorem 11

Let \(\textsf{MA} '\) be as above and let \({\mathcal A}\) be an adversary making \(q_C\) classical queries to its first oracle and \(q_Q\) quantum queries to its second oracle. Then

$$\begin{aligned} {} & {} {\left| \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k \leftarrow \{0,1\}^{n/2}; \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\textsf{MA} '_{k}, P} = 1\right] - \mathop {\textrm{Pr}}\limits _{\begin{array}{c} \tilde{E}\leftarrow \mathcal E(\mathcal {T},n); \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\tilde{E}, P} = 1\right] \right| } \\ {} & {} \qquad \quad \,\, \le 2(q_Q+q_C)\cdot \sqrt{2/2^{n/2}} +7\cdot 2^{-n/2}\left( q_C\sqrt{q_Q}+q_Q\sqrt{q_C}\right) . \end{aligned}$$

Let \(\textsf{Minalpher} '\) be the variant of Minalpher constructed by using \(\textsf{MA} '\) in place of \(\textsf{MA} \). We can combine the above with classical results about the security of Minalpher [17] to prove post-quantum security of \(\textsf{Minalpher} '\).

Theorem 12

Let \((\textsf{Enc}, \textsf{Dec})\) be the \(\textsf{Minalpher} '\) AEAD scheme, and let \({\mathcal A}\) be a quantum adversary making a total of \(q_C\) classical queries to its first two oracles and \(q_Q\) quantum queries to its third oracle. Then

$$\begin{aligned} {} & {} {\left| \mathop {\textrm{Pr}}\limits _{\begin{array}{c} k \leftarrow \{0,1\}^{n/2}; \\ P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\textsf{Enc} _k,\textsf{Dec} _k, P} = 1\right] - \mathop {\textrm{Pr}}\limits _{\begin{array}{c} P \leftarrow \mathcal{P}(n) \end{array}} \left[ {\mathcal A}^{\$,\bot , P} = 1\right] \right| } \\ {} & {} \,\, \le \mathcal {O}(2^{-n/2} \cdot q_C) + 2(q_Q+q_C)\cdot \sqrt{2/2^{n/2}} +7\cdot 2^{-n/2}\left( q_C\sqrt{q_Q}+q_Q\sqrt{q_C}\right) . \end{aligned}$$