Tight Indistinguishability Bounds for the XOR of Independent Random Permutations by Fourier Analysis

Dinur, Itai

doi:10.1007/978-3-031-58716-0_2

Itai Dinur⁹

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14651))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

87 Accesses
1 Citations

Abstract

The XOR of two independent permutations (XoP) is a well-known construction for achieving security beyond the birthday bound when implementing a pseudorandom function using a block cipher (i.e., a pseudorandom permutation). The idealized construction (where the permutations are uniformly chosen and independent) and its variants have been extensively analyzed over nearly 25 years.

The best-known asymptotic information-theoretic indistinguishability bound for the XoP construction is $O(q/2^{1.5n})$, derived by Eberhard in 2017.

A generalization of the XoP construction outputs the XOR of $r \ge 2$ independent permutations, and has also received significant attention in both the single-user and multi-user settings. In particular, for $r = 3$, the best-known bound (obtained by Choi et al. [ASIACRYPT’22]) is about $q^2/2^{2.5 n}$ in the single-user setting and $\sqrt{u} q_{\max }^2/2^{2.5 n}$ in the multi-user setting (where u is the number of users and $q_{\max }$ is the number of queries per user).

In this paper, we prove an indistinguishability bound of $q/2^{(r - 0.5)n}$ for the (generalized) XoP construction in the single-user setting, and a bound of $\sqrt{u} q_{\max }/2^{(r - 0.5)n}$ in the multi-user setting. In particular, for $r=2$, we obtain the bounds $q/2^{1.5n}$ and $\sqrt{u} q_{\max }/2^{1.5n}$ in single-user and multi-user settings, respectively. For $r=3$ the corresponding bounds are $q/2^{2.5n}$ and $\sqrt{u} q_{\max }/2^{2.5n}$. All of these bounds hold assuming $q < 2^{n}/2$ (or $q_{\max } < 2^{n}/2$).

Compared to previous works, we improve all the best-known bounds for the (generalized) XoP construction in the multi-user setting, and the best-known bounds for the generalized XoP construction for $r \ge 3$ in the single-user setting (assuming $q \ge 2^{n/2}$). For the basic two-permutation XoP construction in the single-user setting, our concrete bound of $q/2^{1.5n}$ stands in contrast to the asymptotic bound of $O(q/2^{1.5n})$ by Eberhard.

Since all of our bounds are matched (up to constant factors) for $q > 2^{n/2}$ by attacks published by Patarin in 2008 (and their generalizations to the multi-user setting), they are all tight.

We obtain our results by Fourier analysis of Boolean functions. Most of our technical work involves bounding (sums of) Fourier coefficients of the density function associated with sampling without replacement. While the proof of Eberhard relies on similar bounds, our proof is elementary and significantly simpler.

You have full access to this open access chapter, Download conference paper PDF

1 Introduction

Many cryptosystems such as encryption modes, MAC algorithms and authenticated encryption schemes require pseudorandom functions to achieve security. However, in practice, pseudorandom functions are typically implemented by block ciphers, which are pseudorandom permutations that are only secure up to the birthday bound of $q = 2^{n/2}$ queries (where n is the block length). In order to overcome this limitation, achieving security beyond the birthday bound has become a prominent research area, initiated by the seminal papers by Bellare, Krovetz, and Rogaway [2], and by Hall, Wagner, Kelsey, and Schneier [18].

1.1 The XoP Construction

One of the main constructions analyzed in the literature for achieving security beyond the birthday bound is the XOR of permutations (XoP) construction, which has two main variants. One variant uses two permutations $\pi _1,\pi _2:\{0,1\}^n \mapsto \{0,1\}^n$ to define $f_{\pi _1,\pi _2}:\{0,1\}^n \mapsto \{0,1\}^n$ by $f(x) = \pi _1(x) \oplus \pi _2(x)$. In practice, $\pi _1$ and $\pi _2$ are implemented using a block cipher, instantiated with independent keys. In the following, we simply refer to this variant as the XoP construction. Another variant uses a single permutation $\pi :\{0,1\}^n \mapsto \{0,1\}^n$ to define $f_{\pi }:\{0,1\}^{n-1} \mapsto \{0,1\}^n$ by $f(x) = \pi (0 \Vert x) \oplus \pi (1 \Vert x)$ (where $\Vert $ denotes concatenation). We refer to this construction as a single-permutation XoP construction. Similarly to the two-permutation variant, $\pi $ is implemented using a block cipher. However, in information-theoretic security proofs, the block ciphers in both variants are replaced by idealized random permutations.

We note that there are other variants of the XoP construction defined in the literature that we do not deal with in this paper. For example, the recent result [16] by Gunsing et al. analyzes a variant where the underlying permutations are public and the adversary is allowed to query them. Previous works that analyze additional variants include [3, 4, 7, 17].

Previous Results. There have been several works on the security of the (idealized) XoP construction [1, 20, 24, 26], analyzing one or both of its variants. Yet, a simple and verifiable proof that the XoP construction variants achieve security up to $q = O(2^n)$ queries was only published in 2017 in a paper by Dai, Hoang, and Tessaro [10]. Specifically, [10] proved that any adversary that makes q queries to the (two-permutation) XoP construction can distinguish it from a truly random function with advantage of at most (about) $\frac{q^{1.5}}{2^{1.5n}}$.

Independently, in [13, Thm. 1.5] Eberhard proved a substantially better indistinguishability bound of $O(\frac{q}{2^{1.5n}})$, relying and extending results of [14] in additive combinatorics. The bound was given in asymptotic form with an unspecified constant. An additional paper that analyzed the XoP construction is [12].

For the single-permutation XoP variant, the distinguishing advantage was bounded in [10, 12] by about $\frac{q}{2^n}$. The works of [8, 12], essentially confirm (and improve) the results obtained earlier by Patarin [24, 26] (using the so-called mirror theory technique).

The indistinguishability bound $\frac{q}{2^n}$ for the single permutation XoP construction variant is essentially tight. Indeed, it is matched by a simple attack based on the observation that since $\pi $ is a permutation, for all $x \in \{0,1\}^{n-1}$, $f(x) = \pi (0 \Vert x) \oplus \pi (1 \Vert x) \ne \vec {0}$, while for a random function, $\vec {0}$ is output with probability $2^{-n}$ for each query.

The attack above does not work for the variant where the permutations are independent, and indeed the bound $O(\frac{q}{2^{1.5n}})$ of [13] for this variant is much better (particularly when q is large). This bound is matched by an attack published by Patarin [25, 27], which obtains distinguishing advantage of about $\frac{q}{2^{1.5n}}$, assuming $q = O(2^n)$. Note that if $q = 2^n$, then the distinguishing advantage is close to 1 since the XOR of the outputs of all inputs to $f(x) = \pi _1(x) \oplus \pi _2(x)$ is $\vec {0}$.

Multi-user Setting. The XoP construction also recently received attention in the multi-user setting in [6, 7]. A trivial extension of the result in [13] gives a bound of $O(\frac{u \cdot q_{\max }}{2^{1.5n}})$ in the multi-user setting, where u is the number of users and $q_{\max }$ is the allowed number of queries to each user.

In terms of attacks, one can generically extend the attacks by Patarin [25, 27] to the multi-user setting by independently applying the single-user attacker to each user, and then taking the majority of answers (which attempt to deduce whether the oracle is the XoP construction or a random function). Applying a standard Chernoff bound, the attack achieves a distinguishing advantage of about $\frac{\sqrt{u} q_{\max }}{2^{1.5n}}$.

Generalized XoP Construction. A natural generalization of the XOR construction defines f by XORing together $r \ge 2$ permutations, where r is a (small) parameter. As in the case of $r = 2$, the generalized construction also has two variants, but we focus on the case where all permutations are independent.

Previous Results. This construction was first analyzed by Lucks [20] and this analysis was improved by Cogliati, Lampe, and Patarin [9], who proved security up to roughly $2^{rn/(r+1)}$ queries (also see [22]). More recently, this analysis has been improved in [10], which obtained an indistinguishability bound to about $(\frac{q}{2^n})^{1.5 \lfloor r/2 \rfloor }$ using the generic amplification technique of Maurer, Pietrzak, and Renner [21]. The specific case of $k = 3$ was analyzed in [7] by Choi et al., who proved an indistinguishability bound of about $\frac{\sqrt{u} q_{\max }^2}{2^{2.5 n}}$ in the multi-user setting.

On the other hand, the best known attacks on the generalized XoP construction, published in [25, 27], obtained distinguishing advantage of about $\frac{q}{2^{(r - 0.5)n}}$. One can also consider attacks on the generalized XoP construction in the multi-user setting. Similarly to the case of $r= 2$, the best known attack is the generic extension of the single-user attack by Patarin [25, 27] to the multi-user setting, which achieves advantage of about $\frac{\sqrt{u} \cdot q_{\max }}{2^{(r - 0.5)n}}$.

1.2 Our Contribution

Our Results. In this paper, we prove an indistinguishability bound of $\frac{q}{2^{(r - 0.5)n}}$ for the (generalized) XoP construction in the single-user setting, and a bound of $\frac{\sqrt{u} q_{\max }}{2^{(r - 0.5)n}}$ in the multi-user setting. Specifically, for the basic two-permutation XoP construction, we obtain a bound of $\frac{q}{2^{1.5n}}$ in the single-user setting and $\frac{\sqrt{u} q_{\max }}{2^{1.5n}}$ in the multi-user settings. All of these bounds have no hidden constants. They hold as long as $q < 2^{n}/2$ (or $q_{\max } < 2^{n}/2$ in the multi-user setting), assuming $2^n \ge 1000$.

Compared to previous results, we improve all the best-known bounds for the (generalized) XoP construction in the multi-user setting, and the best-known bounds for the generalized XoP construction for $r \ge 3$ in the single-user setting (assuming $q \ge 2^{n/2}$). For the basic XoP construction (with $r=2$), our concrete bound of $q/2^{1.5n}$ in the single-user setting stands in contrast to the asymptotic bound of $O(q/2^{1.5n})$, derived in [13].

All of our bounds are tight assuming $q \le 2^{n/2}$, as they match (up to constant factors) the single-user attacks published by Patarin in [25, 27], as well as their trivial generalization to the multi-user setting.

Our Techniques. Similarly to [13, 14], the main framework that we use to obtain our results is Fourier analysis (of Boolean functions). This is a standard tool for analyzing probability distributions in mathematics, yet it is not commonly used as a main framework in information-theoretic security proofs in symmetric-key cryptography. For example, [5] used Fourier analysis as an auxiliary tool in order to prove an internal lemma, but not as the main framework. The application of Fourier analysis in the more recent work [19] is somewhat more related to ours. We summarize the main ideas of our proof below.

First, the distinguishing advantage of the adversary is bounded by the statistical distance between the distribution generated by the XoP construction and the uniform distribution. Consider a sample in $\mathbb {F}_2^{q \times n}$ composed of q elements in $\{0,1\}^n$, generated by the XoP construction. We can bound the statistical distance of this distribution from the uniform distribution in the “Fourier domain” by bounding the bias (i.e., Fourier coefficient) of each of the $2^{q \cdot n}$ possible masks (i.e., linear equations over $\mathbb {F}_2$) applied to the bits of the sample. To gain intuition, note that for the uniform distribution over $\mathbb {F}_2^{q \times n}$, all non-empty linear equations have 0 bias (i.e., hold with probability 1/2), and thus a distribution that is close to uniform has biases (Fourier coefficients) that are very close to 0.

Our task is thus to bound the Fourier coefficients for the distribution function generated by the XoP construction.^{Footnote 1} Next, we use standard techniques to reduce this task to the task of bounding the Fourier coefficients for the distribution generated by the underlying primitive, namely, a random permutation. Specifically, we consider k elements (for any $1 \le k \le q$) drawn uniformly without replacement. Our goal is reduced to bounding two quantities of Fourier coefficients on masks that involve all of these k elements (called level-k coefficients).

1.
The maximal level-k Fourier coefficient in absolute value.
2.
The level-k Fourier weight, which is equal to the sum of squares of all Fourier coefficients of level k.

Intuitively, level-k (Fourier) weight is a measure of dependence between k elements drawn from the distribution. For example, the level-k Fourier weight of a q-wise uniform distribution is 0 for any $1 \le k \le q$. We remark that calculating the above two Fourier quantities for various levels has the additional advantage of hinting at the best attack strategy. In particular, we show that for the XoP construction, level-2 Fourier coefficients are dominant. This suggests that the best attack strategy should consider pairwise relations, and indeed, the optimal attacks by Patarin [25, 27] count pairwise collisions.

Most of our technical work involves bounding the two quantities above, which is non-trivial due to intricate dependencies among the bits of the sample. This analysis does not directly deal with the XoP construction, but rather derives fundamental Fourier properties of the sampling without replacement distribution.

Bounding the Quantities. We briefly summarize the main ideas used to bound each of the above quantities. Fix a mask involving bits from exactly k elements. In order to bound the associated bias of the linear equation (in absolute value), we devise an algorithm that allows to partition a subset of the sample space into sample couples with opposite signs (i.e., one satisfies the linear equation and one does not). Thus, the bias (in absolute value) is bounded by the fraction of samples that are not coupled. This fraction is bounded by probabilistic analysis of the algorithm. We note that our analysis does more than merely bound the maximal level-k Fourier coefficients. It actually classifies them into types (or groups) and obtains a refined bound for each type.

Our bound on the maximal level-k Fourier coefficient is tight, yet by itself, it is not sufficient in order to derive tight indistinguishability bounds for the XoP construction. For this purpose, we bound the level-k Fourier weight of the sampling without replacement distribution. While an exact expression for the weight is relatively easy to derive, this expression is a complex sum of terms, and therefore not immediately useful. Hence, we manipulate this expression in two main steps. First, we show how to compute the level-k Fourier weight via a recursive formula, and then we bound this weight by induction. Overall, although the weight is bounded by elementary analysis, it requires insight which is somewhat non-trivial.

Remark 1

Our bounds on the level-k Fourier weight can be formulated in terms of the so-called Efron-Stein orthogonal decomposition [23, Ch. 8] of the density function of sampling without replacement. This decomposition is independent of a specific Fourier basis, and thus these bounds apply more generally to the density function of sampling without replacement from an arbitrary set.

Technical Comparison to Previous Works. Below, we compare our techniques to those of [13, 14]. Comparison to additional proof techniques is given in the full version of this paper [11].

Comparison to [13, 14]. The papers [13, 14] obtained several results in additive combinatorics. One of them is [13, Thm. 1.5], which gives an asymptotic indistinguishability bound of $O(\frac{q}{2^{1.5n}})$ for the two-permutation XoP construction. We compare our techniques to the ones of [13, 14], focusing on the aforementioned result.

Both our proof and the one of [13, 14] use Fourier analysis and (in our language) bound the (sums of) Fourier coefficients of the density function of sampling without replacement. However, the proof of [13, Thm. 1.5] is significantly more complicated. In particular, it relies on several bounds which are not required to obtain our result. Moreover, it uses complex analysis, whereas our proof is completely elementary.

The two bounds that we use (mentioned above) have comparable bounds in [13, 14]. The analog of our first bound (the maximal level-k Fourier coefficient in absolute value) is [13, Lem. 4.1]. After normalization, our bound is identical for even k and slightly better for odd k. It is proved using a completely different technique. The analog of our second bound (the level-k Fourier weight) is [13, Thm 2.3] ([14, Thm. 5.1]). After normalization, our bound is somewhat inferior for small k (e.g., for $k \le 2^{n/3}$), and becomes better for large k (e.g., denoting $N=2^n$, it is better by a factor of $2^{\varOmega (N)}$ for $k \ge \varOmega (N)$). However, such an improvement seems insignificant to the asymptotic results of [13, 14]. Our proof of the second bound begins by deriving an exact expression for the weight, as the proof of [14, Thm. 5.1]. On the other hand, our analysis of this expression is elementary, while the one of [14] is based on complex analysis.

In terms of generality of results, [13, Thm. 1.5] was proved for a (generalized variant of the) XoP construction defined over an arbitrary additive abelian group. While our results only apply to the original XoP construction, it is not difficult to extend them to the variant defined over an arbitrary abelian group. In fact, our second bound is already independent of the actual group (see Remark 1), and it only remains to modify the proof of the first bound. However, we leave this to future work.

1.3 Paper Structure

The rest of this paper is organized as follows. We describe preliminaries in Sect. 2. In Sect. 3, we summarize our bounds on the two Fourier properties of sampling without replacement, and use them to prove indistinguishability bounds for the XoP construction. Finally, we prove these bounds in Sect. 4 and Sect. 5. Specifically, in Sect. 4 we bound the maximal (absolute value of the) level-k Fourier coefficient of the sampling without replacement density function, while in Sect. 5, we bound its level-k Fourier weight.

2 Preliminaries

For a natural number m, denote $[m] = \{1,2,\ldots ,m\}$. For natural numbers $m_1$ and $m_2$ such that $m_1 \le m_2$, denote $[m_1,m_2] = \{m_1,m_1+1, \ldots , m_2\}$. For a set $\mathcal {A}$, denote its size by $|\mathcal {A}|$. For any integer $k > 0$ and a real number t, define the falling factorial as $(t)_k = t(t-1)\ldots (t - (k-1))$. Further define $(t)_0 = 1$.

Let $\mathbb {F}$ be a field and $v \in \mathbb {F}^{k_1 \times k_2}$ a matrix of elements in $\mathbb {F}$. We index the elements of v in a natural way, namely, for $i \in [k_1]$, $v_i \in \mathbb {F}^{k_2}$ is the i’th row of v and for $j \in [k_2]$, $v_{i,j} \in \mathbb {F}$ is its j’th entry.

For two vectors $v,u \in \mathbb {F}^k$, we denote by $\langle u, v \rangle _{\mathbb {F}} = \sum _{i \in [k]} u_i v_i$ their inner product. Similarly, for matrices $v,u \in \mathbb {F}^{k_1 \times k_2}$, $\langle u, v \rangle _{\mathbb {F}} = \sum _{(i,j) \in [k_1] \times [k_2]} u_{i,j} v_{i,j}$.

In this paper, we typically deal with matrices $x \in \mathbb {F}_2^{k \times n}$, where n is considered a parameter and k may vary. We denote $N = 2^n$. We further denote by $(e_1,e_2,\ldots ,e_n)$ the standard basis vectors of $\mathbb {F}_2^{n}$.

2.1 Probability

Definition 1

(Density function). A (probability) density function on $\mathbb {F}_2^{q \times n}$ is a nonnegative function $\varphi :\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}^{\ge 0}$ satisfying $\mathop {\textrm{E}}\nolimits _{x \in \mathbb {F}_2^{q \times n}}[\varphi (x)] = 1$, where $x \in \mathbb {F}_2^{q \times n}$ is uniformly chosen.

We write $x \sim \varphi $ to denote that x is a random string drawn from the associated probability distribution, defined by

$$\mathop {\textrm{Pr}}\limits _{x \sim \varphi }[x = y] = \varphi (y)/2^{n \cdot q} \text { for every } y \in \mathbb {F}_2^{q \times n}.$$

In particular, the uniform probability density function over $\mathbb {F}_2^{q \times n}$ is the constant function 1, and we denote it by $\textbf{1}_{q \cdot n}$.

Let $\mathcal {A} \subseteq \mathbb {F}_2^{q \times n}$. We write $x \sim \mathcal {A}$ to denote that x is selected uniformly at random from $\mathcal {A}$.

Definition 2

(Collision probability). The collision probability of a density function $\varphi :\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}^{\ge 0}$ is

$$\text {Col}[\varphi ] = \mathop {\textrm{Pr}}\limits _{\begin{array}{c} x,x' \sim \varphi \\ independently \end{array}}[x = x'].$$

Definition 3

(Convolution). Let $f,g:\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}$. Their convolution is the function $f *g:\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}$ defined by

$$(f *g)(x) = \mathop {\textrm{E}}\limits _{y \sim \mathbb {F}_2^{q \times n}}[f(y)g(x \oplus y)].$$

For a function $f:\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}$ and a natural number $r \ge 2$, we denote the r-fold convolution of f with itself by $f^{(*r)} = f *f *\ldots *f$ (in particular $f^{(*2)} = f *f $).

Proposition 1

([23], Proposition 1.26). If $\varphi ,\psi :\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}^{\ge 0}$ are density functions, then so is $\varphi *\psi $. It represents the distribution over $\mathbb {F}_2^{q \times n}$ given by choosing $y \sim \varphi $ and $z \sim \psi $ independently and setting $x = y \oplus z$.

Definition 4

(Statistical distance). The statistical distance between two probability density functions $\varphi ,\psi :\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}^{\ge 0}$ is

$${\text {SD}}(\varphi ,\psi ) = 1/2 \cdot \mathop {\textrm{E}}\limits _{x \sim \mathbb {F}_2^{q \times n}} |\varphi (x) - \psi (x)|.$$

2.2 Fourier Analysis

We define the Fourier-Walsh expansion of functions on the Boolean cube, adapted to our setting, and state the basic results that we will use. These results are taken from [23].

Definition 5

(Fourier expansion). Given $\alpha \in \mathbb {F}_2^{q \times n}$, define $\chi _{\alpha }:\mathbb {F}_2^{q \times n} \mapsto \{-1,1\}$ by

$$\chi _{\alpha }(x) = (-1)^{ \langle \alpha , x \rangle _{\mathbb {F}_2} } = \prod _{i \in [q]} (-1)^{ \langle \alpha _i, x_i \rangle _{\mathbb {F}_2} } = \prod _{i \in [q], j \in [n]} (-1)^{ \alpha _{i,j} \cdot x_{i,j} }.$$

The set $\{\chi _\alpha \}_{\alpha \in \mathbb {F}_2^{q \times n}}$ is an orthonormal basis for the set of functions $\{f \mid f:\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}\}$, with respect to the normalized inner product $\frac{1}{|\mathbb {F}_2^{q \times n}|} \langle f,g \rangle _{\mathbb {R}} = \mathop {\textrm{E}}\nolimits _{x \sim \mathbb {F}_2^{q \times n} }[f(x)g(x)]$. Hence each $\{f \mid f:\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}\}$ can be decomposed to

$$\begin{aligned} f = \sum _{\alpha \in \mathbb {F}_2^{q \times n}} \widehat{f}(\alpha ) \chi _\alpha , \end{aligned}$$

where $\widehat{f}(\alpha ) = \mathop {\textrm{E}}\limits [\chi _\alpha f]$, and in particular, $\widehat{f}(0) = \mathop {\textrm{E}}\limits [f]$.

Each element in $\{\chi _\alpha \}_{\alpha \in \mathbb {F}_2^{q \times n}}$ is called a character. We refer to $\alpha $ as a mask, and to $\widehat{f}(\alpha )$ as the Fourier coefficient of f on $\alpha $. To distinguish the domain of characters from the input domain we write it as $\widehat{\mathbb {F}}_{\mathbb {F}_2^{q \times n}}$, and thus

$$f(x) = \sum _{\alpha \in \widehat{\mathbb {F}}_2^{q \times n}} \widehat{f}(\alpha ) \chi _\alpha (x).$$

For a mask $\alpha \in \widehat{\mathbb {F}}_2^{q \times n}$, we write

$$\text {supp}(\alpha ) = \{i \mid \alpha _i \ne 0 \} \text { and } \# \alpha = |\text {supp}(\alpha )|.$$

We call $\# \alpha $ the level of $\alpha $, and $\widehat{f}(\alpha )$ is a Fourier coefficient of level $\# \alpha $.

Definition 6

(Fourier weight and maximal magnitude). For a function $f:\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}$, we define the Fourier weight of f at level k to be

$$\text {W}^{=k}[f] = \sum _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \# \alpha = k \end{array}} \widehat{f}(\alpha )^2.$$

The Fourier weight of f up to level k is $\text {W}^{\le k}[f] = \sum _{i = 0}^{k} \text {W}^{=i}[f]$.

The maximal magnitude of a level-k Fourier coefficient of f is

$$\text {M}^{=k}[f] = \max _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \# \alpha = k \end{array}} \{ |\widehat{f}(\alpha )|\}.$$

Finally, let $\text {M}^{\ge 1}[f] = \max _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \alpha \ne 0 \end{array}} \{ |\widehat{f}(\alpha )|\}$ denote the maximal magnitude of a Fourier coefficient on a non-zero mask.

Proposition 2

([23], Fact 1.21). If $\varphi :\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}^{\ge 0}$ is a density function and $f:\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}$, then

$$\mathop {\textrm{E}}\limits _{x \sim \varphi }[f(x)] = \mathop {\textrm{E}}\limits _{x \sim \mathbb {F}_2^{q \times n}}[\varphi (x)f(x)].$$

Proposition 3

([23], Theorem 1.27 – Fourier coefficients of convolution). Let $f,g:\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}$. Then for all $\alpha \in \widehat{\mathbb {F}}_2^{q \times n}$, $\widehat{f *g}(\alpha ) = \widehat{f}(\alpha )\widehat{g}(\alpha )$.

Proposition 4

([23], Exercise 1.23 – relation between Fourier weight and collision probability). For a density function $\varphi :\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}^{\ge 0}$,

$$\text {W}^{\le q}[\varphi ] = \text {Col}[\varphi ] \cdot 2^{q \cdot n}.$$

Proposition 5

([23], Proposition 1.13 – variance). The variance of $f:\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}$ is

$$\mathop {\textrm{Var}}\limits [f] = \mathop {\textrm{E}}\limits [f^2] - \mathop {\textrm{E}}\limits [f]^2 = \sum _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \alpha \ne 0 \end{array}} \widehat{f}(\alpha )^2 = \sum _{k = 1}^{q}\text {W}^{=k}[f].$$

Proposition 6

([23], Exercise 1.23 – bound on statistical distance from uniform). Let $\varphi :\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}^{\ge 0}$ be a density function. Then

$${\text {SD}}(\varphi , \textbf{1}_{q \cdot n})\le \frac{1}{2} \sqrt{\mathop {\textrm{Var}}\limits [\varphi ]}.$$

We prove two additional basic results regarding variance.

Proposition 7

(Variance reduction by convolution). Let $\varphi :\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}^{\ge 0}$ be a density function. Let $r_1,r_2$ be integers such that $0 < r_2 < r_1$. Then,

$$\mathop {\textrm{Var}}\limits [\varphi ^{(*r_1)}] \le (\text {M}^{\ge 1}[\varphi ])^{2(r_1 - r_2)} \mathop {\textrm{Var}}\limits [\varphi ^{(*r_2)}].$$

Proof

By Proposition 5 and Proposition 3,

$$\begin{aligned} &\, \mathop {\textrm{Var}}\limits [\varphi ^{(*r_1)} ] = \sum _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \alpha \ne 0 \end{array}} \widehat{\varphi ^{(*r_1)} }(\alpha )^2 = \sum _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \alpha \ne 0 \end{array}} \widehat{\varphi }(\alpha )^{2r_1} \\ \le &\, (\text {M}^{\ge 1}[\varphi ])^{2(r_1 - r_2)} \sum _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \alpha \ne 0 \end{array}} \widehat{\varphi }(\alpha )^{2r_2} = (\text {M}^{\ge 1}[\varphi ])^{2(r_1 - r_2)} \mathop {\textrm{Var}}\limits [\varphi ^{(*r_2)}]. \end{aligned}$$

$\blacksquare $

Proposition 8

(Variance of independent samples). Let $\varphi :\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}^{\ge 0}$ be a density function. Let u be a natural number and let $\varphi ^{\times u}:\mathbb {F}_2^{(q \cdot u) \times n} \mapsto \mathbb {R}^{\ge 0}$ be the density function obtained by concatenating u independent samples drawn from $\varphi $. Then,

$$\mathop {\textrm{Var}}\limits [\varphi ^{\times u}] \le 2u \cdot \mathop {\textrm{Var}}\limits [\varphi ], \text{ assuming } u \cdot \mathop {\textrm{Var}}\limits [\varphi ] \le 1/2.$$

Proof

By independence of the u samples, we have $\text {Col}[\varphi ^{\times u}] = \text {Col}[\varphi ]^u$. Applying Proposition 4 and Proposition 5,

$$\begin{aligned} &\, \text {W}^{\le q \cdot u}[\varphi ^{\times u}] = \text {Col}[\varphi ^{\times u}] \cdot 2^{q \cdot n \cdot u} = (\text {Col}[\varphi ] \cdot 2^{q \cdot n})^u = (\text {W}^{\le q}[\varphi ])^u = \left( \widehat{\varphi }(0)^2 + \mathop {\textrm{Var}}\limits [\varphi ] \right) ^u. \end{aligned}$$

Writing $z = \mathop {\textrm{Var}}\limits [\varphi ]$ and noting that $\widehat{\varphi }(0)^2 = 1$ since $\varphi $ is a density function, we have $ \text {W}^{\le q \cdot u}[\varphi ^{\times u}] = (1 + z)^u = 1 + \sum _{i = 1}^{u} \left( {\begin{array}{c}u\\ i\end{array}}\right) z^i $. The ratio between two consecutive terms in the sum $\sum _{i = 1}^{u} \left( {\begin{array}{c}u\\ i\end{array}}\right) z^i$ is upper bounded by $u \cdot z \le 1/2$ (by the assumption). Thus, the sum is upper bounded by a geometric series with ratio 1/2 (i.e., twice the first term). We conclude that

$$\begin{aligned} \text {W}^{\le q \cdot u}[\varphi ^{\times u}] \le 1 + 2u \cdot z = \widehat{\varphi ^{\times u}}(0)^2 + 2u \cdot z. \end{aligned}$$

Hence, by Proposition 5, $ \mathop {\textrm{Var}}\limits [\varphi ^{\times u}] = \sum _{k = 1}^{q \cdot u}\text {W}^{=k}[\varphi ^{\times u}] \le 2u \cdot z $.

$\blacksquare $

2.3 Cryptographic Preliminaries and Sampling Without Replacement

We use the standard notion of PRF security, as defined below. Let $H:\mathcal {K} \times \{0,1\}^{m_1} \mapsto \{0,1\}^{m_2}$ be a family of functions and $\text {Func}(m_1,m_2)$ be the set of all functions $g:\{0,1\}^{m_1} \mapsto \{0,1\}^{m_2}$. Let A be an algorithm with oracle access to a function $f:\{0,1\}^{m_1} \mapsto \{0,1\}^{m_2}$. The PRF advantage of A against H is

$$\text {Adv}_{H}^{\text {prf}}(A) = \left| \mathop {\textrm{Pr}}\limits _{K \sim \mathcal {K}}[A^{H_K(\cdot )} \Rightarrow 1] - \mathop {\textrm{Pr}}\limits _{f \sim \text {Func}(m_1,m_2)}[A^{f(\cdot )} \Rightarrow 1] \right| .$$

We also define the optimal advantage

$$\text {Opt}_{H}^{\text {prf}}(q) = \max \{\text {Adv}_{H}^{\text {prf}}(A) \mid A \text { makes } q \text { queries} \}.$$

In this paper we also consider the multi-user setting, where we have u users, each with an independent instantiation of the cryptosystem. The adversary can issue (up to) $q_{\max }$ queries to each user with the goal of distinguishing the u instantiations of the cryptosystem from u instantiations of a random function. Extending the single-user definitions, we define the PRF advantage of A against H in the multi-user setting as

$$\begin{aligned} \text {Adv}_{H,u}^{\text {mu-prf}}(A) = &\, \big | \mathop {\textrm{Pr}}\limits _{K_1,\ldots ,K_u \sim \mathcal {K}}[A^{H_{K_1}(\cdot ),\ldots ,H_{K_u}(\cdot )} \Rightarrow 1] \\ - &\, \mathop {\textrm{Pr}}\limits _{f_1,\ldots ,f_u \sim \text {Func}(m_1,m_2)}[A^{f_1(\cdot ),\ldots ,f_u(\cdot )} \Rightarrow 1] \big | \end{aligned}$$

We further define the optimal advantage

$$\text {Opt}_{H,u}^{\text {mu-prf}}(q_{\max }) = \max \{\text {Adv}_{H,u}^{\text {mu-prf}}(A) \mid A \text { makes } q_{\max } \text { queries to each user} \}.$$

The $\boldsymbol{\text {XoP}[r,n]}$ Construction and Sampling Without Replacement. Let $\text {Perm}(n)$ be the set of all permutations on $\{0,1\}^n$ (i.e., the set of all $\pi :\{0,1\}^n \mapsto \{0,1\}^n$). For natural numbers r, n such that $r \ge 2$, define the family of functions XoP$[r,n]:(\text {Perm}(n))^r \times \{0,1\}^n \mapsto \{0,1\}^n$ by

$$\text {XoP}[r,n](\pi _1,\ldots ,\pi _r,i) = \pi _1(i) \oplus \pi _2(i) \oplus \ldots \oplus \pi _r(i).$$

The main goal of this paper is to bound $\text {Opt}_{\text {XoP}[r,n]}^{\text {prf}}(q)$ as a function of the parameters r, n, q. By symmetry of the randomly chosen permutations $\pi _1,\ldots ,\pi _r$, an adversary against $\text {XoP}[r,n]$ obtains the XOR of r independent samples, each containing q elements of $\{0,1\}^n$, chosen uniformly without replacement (regardless of the actual queries). Below, we formalize this statement.

Definition 7

(Density function of sampling without replacement). For natural numbers n, q such that $1 \le q \le 2^n$, let $\mu _{n,q}:\mathbb {F}_2^{q \times n} \mapsto \mathbb {R}^{\ge 0}$ be the density function associated with the process of uniformly sampling q elements from $\mathbb {F}_2^n$ without replacement. Specifically, for $x \in \mathbb {F}_2^{q \times n}$,

$$\begin{aligned} \mu _{n,q}(x) = {\left\{ \begin{array}{ll} \frac{(N-q)!}{N!} \cdot N^q &{} \text {if } x_i \ne x_j \text { for all } i,j \in [q] \,\, (i \ne j), \\ 0 &{} \text {otherwise.} \end{array}\right. } \end{aligned}$$

Furthermore, define $\mu _{n,0}$ to be the constant 1.

Then, by Proposition 1 an adversary against $\text {XoP}[r,n]$ that makes q distinct queries obtains a sample from $\mu _{n,q}^{(*r)}$. By well-known properties of statistical distance,

$$\begin{aligned} \text {Opt}_{\text {XoP}[r,n]}^{\text {prf}}(q) \le {\text {SD}}(\mu _{n,q}^{(*r)}, \textbf{1}_{q \cdot n}). \end{aligned}$$

(1)

Therefore, our task reduces to upper bounding ${\text {SD}}(\mu _{n,q}^{(*r)}, \textbf{1}_{q \cdot n})$.

We further consider the multi-user setting. Observe that in this setting, an adversary against XoP[r, n] obtains a sample of $(\mu _{n,q_{\max }}^{(*r)})^{\times u}: \mathbb {F}_2^{(q_{\max } \cdot u) \times n} \mapsto \mathbb {R}^{\ge 0}$, where $(\mu _{n,q_{\max }}^{(*r)})^{\times u}$ is the density function obtained by concatenating u independent samples drawn from $\mu _{n,q_{\max }}^{(*r)}$. Similarly to the single-user setting,

$$\begin{aligned} \text {Opt}_{\text {XoP}[r,n],u}^{\text {mu-prf}}(q_{max}) \le {\text {SD}}( (\mu _{n,q_{\max }}^{(*r)})^{\times u} , \textbf{1}_{u \cdot q_{\max } \cdot n}). \end{aligned}$$

(2)

Therefore, in this setting our task reduces to upper bounding ${\text {SD}}( (\mu _{n,q_{\max }}^{(*r)})^{\times u}, \textbf{1}_{u \cdot q_{\max } \cdot n} )$.

3 Indistinguishability Bounds for XoP[r, n] Using Fourier Properties of Sampling Without Replacement

In this section we derive tight indistinguishability bounds for XoP[r, n] and then extend them to the multi-user setting. For this purpose, we start by stating the fundamental Fourier properties of $\mu _{n,k}$ that we prove in this paper.

3.1 Basic Properties of $\mu _{n,k}$

We will obtain bounds for the maximal magnitude of Fourier coefficients by level, namely $\text {M}^{=k}[\mu _{n,q}]$, and Fourier weight by level, namely $\text {W}^{=k}[\mu _{n,q}]$. First, note that if $x \sim \mu _{n,q}$, then for every set of k distinct indices $\{i_1,i_2, \ldots ,i_k\} \subseteq [q]$, $(x_{i_1},\ldots ,x_{i_k})$ are k elements that are marginally sampled without replacement from $\mathbb {F}_2^{k \times n}$, namely, $(x_{i_1},\ldots ,x_{i_k}) \sim \mu _{n,k}$. Therefore, for $1 \le k \le q$, we have $\text {M}^{=k}[\mu _{n,q}] = \text {M}^{=k}[\mu _{n,k}]$ and

$$\begin{aligned} \text {W}^{=k}[\mu _{n,q}] = \sum _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \# \alpha = k \end{array}} \widehat{\mu _{n,q}}(\alpha )^2 = &\,\sum _{\{i_1,\ldots ,i_k\} \subseteq [q] \text { distinct}} \sum _{\begin{array}{c} \beta \in \widehat{\mathbb {F}}_2^{k \times n} \\ \text {supp}(\beta ) = \{i_1,\ldots ,i_k\} \end{array}} \widehat{\mu _{n,k}}(\beta )^2 \\ = &\, \sum _{\{i_1,\ldots ,i_k\} \subseteq [q] \text { distinct}} \text {W}^{=k}[\mu _{n,k}] = \left( {\begin{array}{c}q\\ k\end{array}}\right) \text {W}^{=k}[\mu _{n,k}]. \end{aligned}$$

Consequently, our main results bound $\text {M}^{=k}[\mu _{n,k}]$ and $\text {W}^{=k}[\mu _{n,k}]$. Lemma 1 below is proved in Sect. 4, while Lemma 2 is proved in Sect. 5.

Lemma 1

(Bounds on magnitude of level-k Fourier coefficients). We have $\text {M}^{=2}[\mu _{n,2}] \le \frac{1}{N-1}$. Generally,

$$\begin{aligned} \text {M}^{=k}[\mu _{n,k}]^2 \le {\left\{ \begin{array}{ll} \frac{1}{\left( {\begin{array}{c}N\\ k\end{array}}\right) } &{} \text {if } k < N/2 \text { is even,} \\ \frac{1}{\left( {\begin{array}{c}N\\ k\end{array}}\right) } \cdot \frac{k + 1}{N - k} < \frac{1}{\left( {\begin{array}{c}N\\ k\end{array}}\right) } & \text {if } k < N/2 \text { is odd.} \end{array}\right. } \end{aligned}$$

Note that the bound $\text {M}^{=2}[\mu _{n,2}] \le \frac{1}{N-1}$ is slightly better (by a factor of about $\sqrt{2}$) than the generic bound for $k=2$. The quantity $\text {M}^{=2}[\mu _{n,2}]$ plays a significant role in our analysis, as it is the maximal magnitude of a Fourier coefficient with a non-zero mask ($\text {M}^{=1}[\mu _{n,1}] = 0$ can be deduced from Lemma 2 below).

Lemma 2

(Bounds on weight of level-k Fourier coefficients). We have

$$\text {W}^{=1}[\mu _{n,1}] = 0, \text {W}^{=2}[\mu _{n,2}] = \frac{1}{N-1}, \text { and } \text {W}^{=3}[\mu _{n,3}] = \frac{4}{(N-1)(N-2)}.$$

Generally,

$$\begin{aligned} \text {W}^{=k}[\mu _{n,k}] \le {\left\{ \begin{array}{ll} \frac{(N(k-1))^{k/2}}{(N)_k} \le \varPsi _N(k) &{} \text {if } k \ge 2 \text { is even,} \\ \frac{(N(k-1))^{(k+1)/2}}{(N)_{k+1}} \le \varPsi _N(k+1) &{} \text {if } k \ge 3 \text { is odd,} \end{array}\right. } \end{aligned}$$

where

$$\varPsi _N(k) = \left( \frac{k}{N-k} \right) ^{k/2} \exp \left( -\frac{k(k - 2)}{8N(N-k) + 2 \cdot k^2} \right) ^{k/2}.$$

Remark 2

The fact that $\text {W}^{=1}[\mu _{n,1}] = 0$ is obvious since $\mu _{n,1}$ is the uniform distribution over $\{0,1\}^n$, and thus all non-empty linear equations on these bits are unbiased.

Remark 3

For $k < N/2$, $\frac{k}{N-k} < 1$. Therefore, the lemma shows that the Fourier weight of $\mu _{n,k}$ at level k is exponentially small in k up to $k < N/2$. In particular, in the extreme case of $k \approx N/2$, we have

$$\begin{aligned} \exp \left( -\frac{k(k - 2)}{8N(N-k) + 2 \cdot k^2} \right) ^{k/2} \approx \exp \left( -\frac{N^2/4}{4N^2 + N^2/2} \right) ^{N/4} = e^{-N/72} \approx e^{-k/36}. \end{aligned}$$

Nevertheless, we will only use a simpler bound of the form $\text {W}^{=k}[\mu _{n,k}] \le \left( \frac{k}{N-k} \right) ^{k/2}$ in our application. Furthermore, since $\text {W}^{=k}[\mu _{n,q}] = \left( {\begin{array}{c}q\\ k\end{array}}\right) \text {W}^{=k}[\mu _{n,k}]$, the number of queries q obviously also plays a significant role in the analysis.

3.2 Application to Indistinguishability Bounds for XoP[r, n]

We now use the results about $\mu _{n,k}$ in our main application to derive indistinguishability bounds for XoP[r, n], starting with $r=2$.

Theorem 1

For $N \ge 1000$ and $q < N/2$,

$$ \text {Opt}_{\text {XoP}[2,n]}^{\text {prf}}(q) \le \frac{q}{2 \cdot (N-1)^{3/2}} < \frac{q}{N^{3/2}}. $$

Proof

Using (1), and applying Proposition 6,

$$\begin{aligned} \text {Opt}_{\text {XoP}[2,n]}^{\text {prf}}(q) \le {\text {SD}}(\mu _{n,q} *\mu _{n,q}, \textbf{1}_{q \cdot n}) \le \frac{1}{2} \sqrt{\mathop {\textrm{Var}}\limits [\mu _{n,q} *\mu _{n,q}]}. \end{aligned}$$

Thus, it remains to prove that

$$\begin{aligned} \mathop {\textrm{Var}}\limits [\mu _{n,q} *\mu _{n,q}] \le \frac{q^2}{(N-1)^3}. \end{aligned}$$

(3)

Applying Proposition 5, and then Proposition 3, we have

$$\begin{aligned} &\, \mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*2)}] = \sum _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \alpha \ne 0 \end{array}} \widehat{ \mu _{n,q} *\mu _{n,q} }(\alpha )^2 = \sum _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \alpha \ne 0 \end{array}} \widehat{ \mu _{n,q} }(\alpha )^4 = \sum _{k = 1}^q \sum _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \#\alpha = k \end{array}} \widehat{ \mu _{n,q} } (\alpha )^4 \\ \le &\, \sum _{k = 1}^q \text {M}^{=k}[\mu _{n,q}]^2 \sum _{\begin{array}{c} \alpha \in \widehat{\mathbb {F}}_2^{q \times n} \\ \#\alpha = k \end{array}} \widehat{ \mu _{n,q} } (\alpha )^2 = \sum _{k = 1}^q \text {M}^{=k}[\mu _{n,q}]^2 \cdot \text {W}^{=k}[\mu _{n,q}] \\ = &\ \sum _{k = 1}^q \text {M}^{=k}[\mu _{n,k}]^2 \cdot \left( {\begin{array}{c}q\\ k\end{array}}\right) \text {W}^{=k}[\mu _{n,k}], \end{aligned}$$

where the final equality exploits the symmetry of $\mu _{n,q}$. Next, applying Lemma 1, and using the fact that $\text {W}^{=1}[\mu _{n,1}] = 0$ (by Lemma 2),

$$\begin{aligned} &\, \mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*2)}] \le \frac{1}{(N-1)^2} \cdot \left( {\begin{array}{c}q\\ 2\end{array}}\right) \cdot \text {W}^{=2}[\mu _{n,2}] + \sum _{k = 3}^q \frac{\left( {\begin{array}{c}q\\ k\end{array}}\right) }{\left( {\begin{array}{c}N\\ k\end{array}}\right) } \text {W}^{=k}[\mu _{n,k}] \\ \le &\, \frac{q^2}{(N-1)^2} \cdot (1/2) \cdot \text {W}^{=2}[\mu _{n,2}] + \sum _{k = 3}^q \frac{(q)(q-1) \ldots (q - (k-1))}{(N)(N-1) \ldots (N - (k - 1))} \text {W}^{=k}[\mu _{n,k}] \\ \le &\, \frac{q^2}{(N-1)^2} \cdot (1/2) \cdot \text {W}^{=2}[\mu _{n,2}] + \sum _{k = 3}^q (q/N)^{k} \cdot \text {W}^{=k}[\mu _{n,k}] \\ \le &\, \frac{q^2}{(N-1)^2} \left( (1/2) \cdot \text {W}^{=2}[\mu _{n,2}] + \sum _{k = 3}^q (q/N)^{k - 2} \cdot \text {W}^{=k}[\mu _{n,k}] \right) \end{aligned}$$

We now apply Lemma 2. We will also separate the term $\text {W}^{=3}[\mu _{n,3}] = \frac{4}{(N-1)(N-2)}$ from the sum of terms for $k \ge 4$. For these we use a simple bound

$$\begin{aligned} \text {W}^{=k}[\mu _{n,k}] \le \left( \frac{k+1}{N-k-1} \right) ^{k/2} \le \left( \frac{2(k+1)}{N} \right) ^{k/2}, \end{aligned}$$

which holds both for even and odd k, and uses the fact that $k \le q < N/2$. We will further split the remaining sum at $k = 4n$ and use once again the fact that $q/N < 1/2$. Thus, $\mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*2)}]$ is upper bounded by

$$\begin{aligned} &\,\frac{q^2}{(N-1)^2} \cdot \left( (1/2) \cdot \text {W}^{=2}[\mu _{n,2}] + (q/N) \cdot \text {W}^{=3}[\mu _{n,3}] + \sum _{k = 4}^{4 n} (q/N)^{k - 2} \cdot \text {W}^{=k}[\mu _{n,k}] \right) \\ + &\, \sum _{k = 4 n + 1}^{q} (q/N)^{k} \cdot \text {W}^{=k}[\mu _{n,k}] \\ \le &\, \frac{q^2}{(N-1)^2} \cdot \left( \frac{1}{2(N-1)} + \frac{2}{(N-1)(N-2)} + 4 \sum _{k = 4}^{4 n} 2^{-k} \cdot \left( \frac{2(k+1)}{N} \right) ^{k/2} \right) + \sum _{k = 4 n + 1}^{q} 2^{-k} \\ \le &\, \frac{q^2}{(N-1)^2} \cdot \left( \frac{1}{2(N-1)} + \frac{2}{(N-1)(N-2)} + 4 \sum _{k = 4}^{4 n}\left( \frac{k+1}{2N} \right) ^{k/2} \right) + N^{-4}. \end{aligned}$$

We now upper bound $\sum _{k = 4}^{4 n} \left( \frac{k+1}{2N} \right) ^{k/2}$. The (inverse) squared ratio between two consecutive terms is

$$\begin{aligned} \frac{ ((k+1)/2N)^{k}}{((k+2)/2N)^{k+1}} = &\,\left( \frac{k+1}{k+2}\right) ^k \cdot \frac{2N}{k+2} = \left( 1 - \frac{1}{k+2}\right) ^k \cdot \frac{2N}{k+2} \\ \ge &\, e^{-2k/(k+2)} \frac{2N}{k+2} \ge e^{-2} \frac{2N}{k+2} \ge \frac{2N}{(4n + 2)e^2}. \end{aligned}$$

where we have used the inequality $1 - (x/2) > e^{-x}$, which holds for $0 < x \le 1$, as well as the fact that $k \le 4n$ in the analyzed sum. Since $\frac{2N}{(4n + 2)e^2} \ge 4$ holds for $N \ge 1000$, the sum is upper bounded by the sum of a geometric series with ratio at most 1/2. Hence, $\sum _{k = 4}^{4 n} \left( \frac{k+1}{2N} \right) ^{k/2} \le 2 \left( \frac{5}{2N} \right) ^{2} = \frac{25}{2N^2}.$ Also, noting that $N^{-4} \le (q^2/(N-1)^2) \cdot 1/N^2$, we plug these into the above bound and obtain

$$\begin{aligned} \mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*2)}] \le \frac{q^2}{(N-1)^2} \cdot \left( \frac{1}{2(N-1)} + \frac{2}{(N-1)(N-2)} + \frac{50}{N^2} + \frac{1}{N^2} \right) . \end{aligned}$$

As each one of the last three summands is bounded by $\frac{1}{8(N-1)}$ assuming $N \ge 1000$, we conclude that $\mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*2)}] \le \frac{q^2}{(N-1)^3}$ as in (3).

$\blacksquare $

Next, we generalize Theorem 1 to derive indistinguishability bounds for XoP[r, n] for arbitrary $r \ge 2$.

Theorem 2

For $N \ge 1000$, $q < N/2$ and $r \ge 2$,

$$ \text {Opt}_{\text {XoP}[r,n]}^{\text {prf}}(q) \le \frac{q}{2 \cdot (N-1)^{r - (1/2)}} < \frac{q}{N^{r - (1/2)}}, $$

where the last inequality assumes $r \le N/2$.

Proof

By (1) and Proposition 6, $\text {Opt}_{\text {XoP}[r,n]}^{\text {prf}}(q) \le {\text {SD}}(\mu _{n,q}^{(*r)}, \textbf{1}_{q \cdot n}) \le \frac{1}{2} \sqrt{\mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*r)}]} $, and thus it remains to prove that

$$\begin{aligned} \mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*r)}] \le \frac{q^2}{(N-1)^{2r - 1}}. \end{aligned}$$

(4)

Applying Proposition 6 and then Proposition 7 (with $r_2 = 2$),

$$\begin{aligned} \mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*r)}] \le (\text {M}^{\ge 1}[\mu _{n,q}])^{2r - 4} \cdot \mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*2)}] = (\max _{0 < k \le q}\{ \text {M}^{=k}[\mu _{n,k}]\})^{2r - 4} \cdot \mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*2)}], \end{aligned}$$

where the final equality is by symmetry of $\mu _{n,q}$. Next, note from Lemma 1 that (the bound on) $\text {M}^{=k}[\mu _{n,k}]$ is maximized for $k=2$ assuming $q < N/2$, and $\text {M}^{=2}[\mu _{n,2}] \le \frac{1}{N-1}$. Moreover $\mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*2)}] \le \frac{q^2}{(N-1)^3}$ by (3). Hence,

$$\begin{aligned} \mathop {\textrm{Var}}\limits [\mu _{n,q}^{(*r)}] \le \frac{1}{(N-1)^{2r - 4}} \frac{q^2}{(N-1)^3} = \frac{q^2}{(N-1)^{2r - 1}}. \end{aligned}$$

$\blacksquare $

The Multi-user Setting. We extend Theorem 2 to derive indistinguishability bounds for XoP[r, n] in the multi-user setting.

Theorem 3

For $N \ge 1000$, $q < N/2$ and $r \ge 2$,

$$ \text {Opt}_{\text {XoP}[r,n],u}^{\text {mu-prf}}(q_{max}) \le \frac{\sqrt{u/2} \cdot q_{\max }}{(N-1)^{r - (1/2)}} \le \frac{\sqrt{u} \cdot q_{\max }}{N^{r - (1/2)}}, $$

assuming $\frac{\sqrt{u/2} \cdot q_{\max }}{(N-1)^{r - (1/2)} } \le 1/2$ (and $r \le N/3$ for the last inequality).

Proof

By (2) and Proposition 6,

$$\text {Opt}_{\text {XoP}[r,n],u}^{\text {mu-prf}}(q_{max}) \le {\text {SD}}( (\mu _{n,q_{\max }}^{(*r)})^{\times u} , \textbf{1}_{u \cdot q_{\max } \cdot n}) \le \frac{1}{2}\sqrt{\mathop {\textrm{Var}}\limits [(\mu _{n,q_{\max }}^{(*r)})^{\times u}]},$$

and thus is remains to prove that $\mathop {\textrm{Var}}\limits [(\mu _{n,q_{\max }}^{(*r)})^{\times u}] \le \frac{2u \cdot q_{\max }^2}{(N-1)^{2r - 1}}$.

Applying Proposition 8 (assuming $u \cdot \mathop {\textrm{Var}}\limits [\mu _{n,q_{\max }}^{(*r)}] \le 1/2$), we have

$$\begin{aligned} \mathop {\textrm{Var}}\limits [(\mu _{n,q_{\max }}^{(*r)})^{\times u}] \le 2u \cdot \mathop {\textrm{Var}}\limits [\mu _{n,q_{\max }}^{(*r)}] \le \frac{2u \cdot q_{\max }^2}{(N-1)^{2r - 1}}, \end{aligned}$$

where the final inequality is by (4). Finally, note that by (4), $u \cdot \mathop {\textrm{Var}}\limits [\mu _{n,q_{\max }}^{(*r)}] \le \frac{u \cdot q_{\max }^2}{(N-1)^{2r - 1}}$, so the condition for applying Proposition 8 is assured if $\frac{u \cdot q_{\max }^2}{(N-1)^{2r - 1}} \le 1/2$, namely $\frac{\sqrt{u/2} \cdot q_{\max }}{(N-1)^{r - (1/2)} } \le 1/2$.

$\blacksquare $

4 Bounding $\text {M}^{=k}[\mu _{n,k}]$ (Proof of Lemma 1)

The goal of this section is to prove Lemma 1. We first bound the Fourier coefficients on a specific subset of masks (called masks of type $K = (k)$). We will later generalize these results to all mask.

4.1 Bounding $|\widehat{\mu _{n,k}}(\alpha )|$ for $\alpha $ of Type $K = (k)$

Definition 8

(Mask of type $K = (k)$). Let $\alpha \in \widehat{\mathbb {F}}_2^{k \times n}$ be a non-zero mask such that $\# \alpha = k$ (i.e., $\alpha _i \ne 0$ for all $i \in [k]$). We define the type of $\alpha $ to be $K = (k)$, if for every $i \in [k]$, $\alpha _{i,1} = 1$.

In other words, $\alpha $ is of type $K = (k)$ if the first bit of all of its k elements is 1. The bounds on the Fourier coefficients are formulated using the following function.

Definition 9

For natural numbers a, b such that b is even and $a \ge b$ let

$$\varGamma (a, b) = \prod _{i = 1,3,\ldots ,b-1} \frac{b - i}{a - i}.$$

The main result of this section is as follows.

Proposition 9

Let $\alpha \in \widehat{\mathbb {F}}_2^{k \times n}$ be of type $K = (k)$. Then,

$$|\widehat{\mu _{n,k}}(\alpha )| \le \varGamma (N, k) = \prod _{i = 1,3,\ldots ,k-1} \frac{k - i}{N - i}$$

if k is even and 0 otherwise.

In particular,

$$|\widehat{\mu _{n,1}}(\alpha )| = 0, |\widehat{\mu _{n,2}}(\alpha )| \le \frac{1}{N - 1}, |\widehat{\mu _{n,3}}(\alpha )|= 0, |\widehat{\mu _{n,4}}(\alpha )| \le \frac{3}{(N-1)(N-3)}, $$

etc. We need the following definitions.

Definition 10

(Pairing of two elements). Two elements $a,b \in \mathbb {F}_2^n$ are paired on bit $j \in [n]$ if $a \oplus b = e_j$ (where $e_j \in \mathbb {F}_2^n$ is the j’th vector of the standard basis).

Definition 11

(Pairing of a sequence of elements). Let $x = (x_1,\ldots ,x_k) \in \mathbb {F}_2^{k \times n}$. Then, x is self-paired on bit $j \in [n]$ if $(x_1,\ldots ,x_k)$ are distinct (i.e., $x_{i_1} \ne x_{i_2}$ for $i_1 \ne i_2$), and for every $i_1 \in [k]$, there exists $i_2 \in [k]$ such that $(x_{i_1},x_{i_2})$ are paired on bit j.

Note that since $(x_1,\ldots ,x_k)$ are distinct, each element $x_i$ cannot be paired to more than one other element on bit j, and thus if x is self-paired (on any $j \in [n]$), then k is even.

In order to prove Proposition 9, we define the following algorithm.

Define the random variable T(x) for the output of the algorithm.

We will prove the following two claims, whose combination immediately implies Proposition 9.

Proposition 10

(Magnitude of Fourier coefficient bounded by success probability).$|\widehat{\mu _{n,k}}(\alpha )| \le \Pr _{x \sim \mu _{n,k}}[T(x) = 1]$.

Proposition 11

(Bound on success probability).

$$\begin{aligned} \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 1] = {\left\{ \begin{array}{ll} \varGamma (N,k) &{} \text {if } k \text { is even,} \\ 0 &{} \text {if } k \text { is odd.} \end{array}\right. } \end{aligned}$$

Proof

(of Proposition 10). By Proposition 2,

$$\begin{aligned} \begin{aligned} & |\widehat{\mu _{n,k}}(\alpha )| = |\mathop {\textrm{E}}\limits _{x \sim \mathbb {F}_2^n} [\mu _{n,k}(x) \chi _{\alpha }(x)] | = |\mathop {\textrm{E}}\limits _{x \sim \mu _{n,k}}[\chi _{\alpha }(x)] | \\ = &\, | \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 1] \mathop {\textrm{E}}\limits _{x \sim \mu _{n,k}}[\chi _{\alpha }(x) \mid T(x) = 1] \\ + &\, \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 0] \mathop {\textrm{E}}\limits _{x \sim \mu _{n,k}}[\chi _{\alpha }(x) \mid T(x) = 0] | \\ \le &\, | \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 1] \mathop {\textrm{E}}\limits _{x \sim \mu _{n,k}}[\chi _{\alpha }(x) \mid T(x) = 1] | \\ + &\, | \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 0] \mathop {\textrm{E}}\limits _{x \sim \mu _{n,k}}[\chi _{\alpha }(x) \mid T(x) = 0] | \\ \le &\, | \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 1] \mathop {\textrm{E}}\limits _{x \sim \mu _{n,k}}[|\chi _{\alpha }(x)| \mid T(x) = 1] | \\ + &\, | \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 0] \mathop {\textrm{E}}\limits _{x \sim \mu _{n,k}}[\chi _{\alpha }(x) \mid T(x) = 0] | \\ = &\, \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 1] + | \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 0] \mathop {\textrm{E}}\limits _{x \sim \mu _{n,k}}[\chi _{\alpha }(x) \mid T(x) = 0] |. \end{aligned} \end{aligned}$$

(5)

Next, we prove that $\mathop {\textrm{E}}\nolimits _{x \sim \mu _{n,k}}[\chi _{\alpha }(x) \mid T(x) = 0] = 0$, which concludes the proof. This is proved by partitioning the sample space of the algorithm conditioned on $T(x) = 0$ into couples of the form $(x,x')$ such that $\chi _{\alpha }(x) = - \chi _{\alpha }(x')$. Since all samples in the space (conditioned on $T(x) = 0$) have identical probability, the total contribution of each couple to the expectation is $\chi _{\alpha }(x) + \chi _{\alpha }(x') = 0$, which proves that $\mathop {\textrm{E}}\nolimits _{x \sim \mu _{n,k}}[\chi _{\alpha }(x) \mid T(x) = 0] = 0$.

We now define how to couple the samples. Assume that $T(x) = 0$. Then, there exists an element of x that is not paired. Define $in(x) \in [k]$ to be the index of the first unpaired element in [k]. Then, $x' = (x_1,\ldots ,x_{in(x)-1}, x_{in(x)} \oplus e_1,x_{in(x)+1},\ldots ,x_k)$ is a valid sample from the space (conditioned on $T(x) = 0$). We couple together $(x,x')$. Note that we need to prove that this is a valid coupling, i.e., if x is coupled to $x'$, then $x'$ is coupled to x. This indeed holds since $in(x') = in(x)$, as x and $x'$ only differ on the element with index in(x).

Finally, we prove that $\chi _{\alpha }(x) = - \chi _{\alpha }(x')$ or $\chi _{\alpha }(x) \chi _{\alpha }(x') = -1$. As $\alpha \in \widehat{\mathbb {F}}_2^{k \times n}$ is of type $K = (k)$, then $\alpha _{i,1} = 1$ for any $i \in [k]$. Therefore,

$$\begin{aligned} \chi _{\alpha }(x) \chi _{\alpha }(x') = &\, (-1)^{ \langle \alpha , x \rangle _{\mathbb {F}_2} } (-1)^{ \langle \alpha , x' \rangle _{\mathbb {F}_2} } = (-1)^{ \langle \alpha , x \oplus x' \rangle _{\mathbb {F}_2} } \\ = &\, (-1)^{ \langle \alpha _{in(x)} , e_1 \rangle _{\mathbb {F}_2} } = (-1)^{ 1 \cdot 1 } = -1. \end{aligned}$$

$\blacksquare $

Proof

(of Proposition 11). First, if k is odd, then x cannot be self-paired. Hence, $\Pr _{x \sim \mu _{n,k}}[T(x) = 0] = 1$ and $\Pr _{x \sim \mu _{n,k}}[T(x) = 1] = 0$.

Next, assume that k is even and consider $x_1$. There is a single element it can be paired to on bit 1, which is $x_{1} \oplus e_1$. The probability that $x_{1} \oplus e_1$ appears among $x_{2},\ldots ,x_k$ is $\frac{k-1}{N-1}$. Next, assuming $x_1$ is paired, continue by induction after removing the pair from the set of available elements. We obtain

$$\mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 1] = \frac{k-1}{N-1} \frac{k-3}{N-3} \ldots \frac{1}{N - k + 1} = \varGamma (N, k),$$

as claimed. $\blacksquare $

4.2 Classification of Masks

Towards proving bounds on the magnitude of Fourier coefficients on general masks, we define two basic operations on masks and prove that they preserve Fourier coefficients. These operations will allow us to focus on a subset of masks whose associated Fourier coefficient is easier to bound. Bounds on the magnitude of Fourier coefficients on the remaining masks will follow by preservation of Fourier coefficients.

Proposition 12

(Permuting elements preserves Fourier coefficients). Let $\alpha \in \widehat{\mathbb {F}}_2^{k \times n}$. Let $\pi :[k] \mapsto [k]$ be a permutation and define the mask $\alpha ^{\pi } \in \widehat{\mathbb {F}}_2^{k \times n}$ by $\alpha ^{\pi }_i = \alpha _{\pi (i)}$ for $i \in [k]$. Then, $\widehat{\mu _{n,k}} (\alpha ^{\pi }) = \widehat{\mu _{n,k}} (\alpha )$.

Proof

Similarly to the definition of $\alpha ^{\pi }$, for $x \in \mathbb {F}_2^{k \times n}$, define $x^{\pi } \in \mathbb {F}_2^{k \times n}$ by $x^{\pi }_i = x_{\pi (i)}$ for $i \in [k]$. Observe that since $\pi $ merely permutes the elements of x, it preserves equality and inequality among elements, and thus $\mu _{n,k}(x) = \mu _{n,k}(x^{\pi })$. Furthermore $\chi _{\alpha }(x) = \chi _{\alpha ^{\pi }}(x^{\pi })$ as inner product in invariant under permutation of elements of $\alpha $ and x. Combining these observations,

$$\begin{aligned} \widehat{\mu _{n,k}} (\alpha ) = &\, \mathop {\textrm{E}}\limits _{x \sim \mathbb {F}_2^{k \times n} }[\mu _{n,k}(x) \chi _{\alpha }(x)] = \mathop {\textrm{E}}\limits _{x \sim \mathbb {F}_2^{k \times n} }[\mu _{n,k}(x^{\pi }) \chi _{\alpha ^{\pi }}(x^{\pi }) ] \\ = &\, \mathop {\textrm{E}}\limits _{y \sim \mathbb {F}_2^{k \times n} }[\mu _{n,k}(y) \chi _{\alpha ^{\pi }}(y) ] = \widehat{\mu _{n,k}} (\alpha ^{\pi }). \end{aligned}$$

$\blacksquare $

Proposition 13

(Invertible element-wise linear operations preserve Fourier coefficients). Let $\alpha \in \widehat{\mathbb {F}}_2^{k \times n}$. Let $L:\mathbb {F}_2^{n \times n} \mapsto \mathbb {F}_2^{n \times n}$ be an invertible matrix and define the mask $\alpha ^{L} \in \widehat{\mathbb {F}}_2^{k \times n}$ by $\alpha ^{L}_i = \alpha _{i} \cdot L$ for $i \in [k]$ (where we view $\alpha _{i}$ as a row vector in $\mathbb {F}_2^n$, multiplied with L). Then, $\widehat{\mu _{n,k}} (\alpha ^{L}) = \widehat{\mu _{n,k}} (\alpha )$.

Proof

For $x \in \mathbb {F}_2^{k \times n}$, define $x^{L} \in \mathbb {F}_2^{k \times n}$ similarly to the definition of $\alpha ^{L}$. By the properties of the inner product, for any $a,b \in \mathbb {F}_2^n$,

$$\langle a , b \rangle _{\mathbb {F}_2} = \langle a \cdot L \cdot L^{-1} , b \rangle _{\mathbb {F}_2} = \langle a \cdot L , b \cdot L^{-T} \rangle _{\mathbb {F}_2}, $$

where $L^{T}$ is the transpose of L and $L^{-T}$ is the inverse of $L^{T}$. Hence, $\chi _{\alpha }(x) = \chi _{\alpha ^{L}}(x^{L^{-T}})$. Furthermore, since $L^{-T}$ is an invertible transformation on the elements of x, it preserves equality and inequality among elements, and thus $\mu _{n,k}(x) = \mu _{n,k}(x^{L^{-T}})$. Therefore,

$$\begin{aligned} \widehat{\mu _{n,k}} (\alpha ) = &\, \mathop {\textrm{E}}\limits _{x \sim \mathbb {F}_2^{k \times n} }[\mu _{n,k}(x) \chi _{\alpha }(x)] = \mathop {\textrm{E}}\limits _{x \sim \mathbb {F}_2^{k \times n} }[\mu _{n,k}(x^{L^{-T}}) \chi _{\alpha ^{L}}(x^{L^{-T}})] \\ = &\, \mathop {\textrm{E}}\limits _{y \sim \mathbb {F}_2^{k \times n} }[\mu _{n,k}(y) \chi _{\alpha ^{L}}(y) ] = \widehat{\mu _{n,k}} (\alpha ^{L}). \end{aligned}$$

$\blacksquare $

These two propositions motivate the following definition.

Definition 12

(Equivalence of masks). Masks $\alpha ,\beta \in \widehat{\mathbb {F}}_2^{k \times n}$ are called equivalent (with respect to $\mu _{n,k}$) if $\beta $ can be obtained from $\alpha $ by permuting its elements and performing invertible element-wise linear operations.

By invertibility of the basic operations, equivalence of masks is a well-defined equivalence relation. By the above propositions, if $\alpha $ and $\beta $ are equivalent, then $\widehat{\mu _{n,k}} (\alpha ) = \widehat{\mu _{n,k}} (\beta )$ (and obviously $\# \alpha = \# \beta $).

We now define a classification of masks that will later be used to bound their associated Fourier coefficients.

Definition 13

(Rank of mask). Let $\alpha \in \widehat{\mathbb {F}}_2^{k \times n}$ be a non-zero mask. We define the rank of $\alpha $ as its rank when viewed as a $k \times n$ matrix over $\mathbb {F}_2$.

The following definition generalizes Definition 8.

Definition 14

(Type of mask). Let $\alpha \in \widehat{\mathbb {F}}_2^{k \times n}$ be a mask such that $\# \alpha = k > 0$. Let $K = (k_1,k_2,\ldots ,k_t)$ be a t-tuple of natural positive indices such that $k_j < k_{j+1}$ for all $j \in [t-1]$ and $k_t = k$. Define $k_0 = 0$. We define the type of $\alpha $ to be K, if for every $j \in [t]$, the following two conditions hold:

1.
For every $i \in [k_{j-1} + 1 , k_{j}]$, $\alpha _{i,j} = 1$.
2.
For every $i \in [k_{j}+1 , k]$, $\alpha _{i,j} = 0$.

If $\alpha $ is not of type K for any tuple K, then we define its type to be NULL.

In other words, $\alpha $ is of type $K = (k_1,k_2,\ldots ,k_t)$ if the first bit of its first $k_1$ elements is 1, and the first bits of elements $x_{k_1 + 1},\ldots ,x_k$ is 0. Next, bit 2 of elements $x_{k_1 + 1},\ldots ,x_{k_2}$ is 1, while bit 2 of elements $x_{k_2 + 1},\ldots ,x_{k}$ is 0, and so forth.

Example 1

Let $n = 4$ and $k = 3$ and assume the leftmost bit is the first bit. Then, the mask (1011, 1101, 1001) is of type (3), (1011, 0110, 0101) is of type (1, 3), (1011, 0110, 0011) is of type (1, 2, 3), while (1011, 0101, 1001), (1011, 0010, 0101) and (1011, 0110, 0001) are all of type NULL.

While many non-zero masks have type NULL, they can be easily transformed to a non-NULL type by basic operations. More specifically, the following holds.

Proposition 14

(Every non-zero mask is equivalent to a mask of non-NULL type). Let $\alpha \in \widehat{\mathbb {F}}_2^{k \times n}$ have $\# \alpha = k > 0$ and rank r. Then, $\alpha $ is equivalent to some $\beta \in \widehat{\mathbb {F}}_2^{k \times n}$ of type $K = (k_1,\ldots ,k_t)$, such that $k_t = k$ and $t=r$.

Proposition 14 thus allows us to focus on bounding the Fourier coefficients on masks of non-NULL type.

Proof

We transform $\alpha $ to $\beta $ by basic operations as follows. First, since the rank of $\alpha $ is r, it contains r linearly independent elements. Define and apply to $\alpha $ an invertible linear transformation that maps the first r linearly independent elements (in lexicographical order) to the first r vectors of the standard basis of $\mathbb {F}_2^n$, $e_1,\ldots ,e_r$. Denote the outcome by $\alpha '$.

Next, permute the elements of $\alpha '$ by moving all elements $\alpha '_i$ such that $\alpha '_{i,1} = 1$ to be first, and elements with $\alpha '_{i,1} = 0$ to be last. Let $k_1$ be the index such that $\alpha '_{i,1} = 1$ if $i \le k_1$ and $\alpha '_{i,1} = 0$ if $i > k_1$. Note that $k_1 \ge 1$ since the first bit of $e_1$ is 1 and $k_1 \le k - r + 1$, as the first bit of all the elements $e_2,\ldots ,e_r$ is 0. If $r = 1$, then since $\# \alpha = k$ we must have $k_1 = k$ (otherwise, $\alpha $ has two linearly independent elements). Thus, define $\beta = \alpha '$, which is of type (k), and we are done after 1 step. If $r > 1$, define $k_2$ after permuting the elements $\alpha '_{k_1 + 1},\ldots ,\alpha '_{k}$ according to their second bit and continue inductively. After the process terminates, define $\beta = \alpha '$.

Denote by t the total number of steps in the process. The process cannot end with $t < r$ as the first bit set to j in $e_j$ has index j, and thus $e_j$ will be among the elements $\alpha '_{k_{j-1} + 1},\ldots ,\alpha '_{k_{j}}$. On the other hand, the process cannot end with $t > r$ steps, since vectors $\alpha '_{k_1},\ldots ,\alpha '_{k_t}$ are linearly independent. Therefore, $t =r$. Furthermore, $k_t = k$ since $\# \alpha = k$. We conclude that $\alpha $ is equivalent to $\beta = \alpha '$ of type $K = (k_1,\ldots ,k_t)$ such that $k_t = k$ and $t=r$. $\blacksquare $

4.3 Bounding $|\widehat{\mu _{n,k}}(\alpha )|$ for General $\alpha $

In this section we prove bounds on the magnitude of Fourier coefficients on general masks. The main result of this section is the following.

Proposition 15

(Bounds on Fourier magnitude for general masks). We have

$$\begin{aligned} \text {M}^{=k}[\mu _{n,k}] \le {\left\{ \begin{array}{ll} \varGamma (N,k) &{} \text {if } k < N/2 \text { is even,} \\ \varGamma (N,k-1) \cdot \frac{k}{N - k} &{} \text {if } k < N/2 \text { is odd.} \end{array}\right. } \end{aligned}$$

Equivalently, let $\alpha \in \widehat{\mathbb {F}}_2^{k \times n}$ have $\# \alpha = k$. Then,

$$\begin{aligned} |\widehat{\mu _{n,k}}(\alpha )| \le {\left\{ \begin{array}{ll} \varGamma (N,k) &{} \text {if } k < N/2 \text { is even,} \\ \varGamma (N,k-1) \cdot \frac{k}{N - k} &{} \text {if } k < N/2 \text { is odd.} \end{array}\right. } \end{aligned}$$

Lemma 1 (stated in Sect. 3) is proved in Appendix A based on this proposition by a straightforward bound on $\varGamma (N,k)$.

Proposition 15 is a consequence of the following proposition.

Proposition 16

(Bounds on Fourier magnitude for masks of non-NULL type). Let $\alpha \in \widehat{\mathbb {F}}_2^{k \times n}$ be of type $K = (k_1,\ldots ,k_t)$ where $k_t = k$. Then,

$$\begin{aligned} |\widehat{\mu _{n,k}}(\alpha )| \le {\left\{ \begin{array}{ll} \varGamma (N,k) &{} \text {if } k < N/2 \text { is even,} \\ \varGamma (N,k-1) \cdot \frac{k}{N - k} &{} \text {if } k < N/2 \text { is odd.} \end{array}\right. } \end{aligned}$$

Proof

(of Proposition 15). Let $\alpha \in \widehat{\mathbb {F}}_2^{k \times n}$ have $\# \alpha = k$. Then, by Proposition 14, it is equivalent to some $\beta \in \widehat{\mathbb {F}}_2^{k \times n}$ of type $K = (k_1,\ldots ,k_t)$ where $k_t = k$ (with the same rank as $\alpha $). This proposition follows by applying Proposition 16 to $\beta $.

$\blacksquare $

It remains to prove Proposition 16. We need the following additional definition.

Definition 15

(Pairing of a subsequence of elements). Let $x = (x_1,\ldots ,x_k) \in \mathbb {F}_2^{k \times n}$. Let $k' \in [k]$. Define $(x_{k'},\ldots ,x_k)$ as paired within $x = (x_1,\ldots ,x_k)$ on bit $j \in [n]$ if $(x_1,\ldots ,x_k)$ are distinct (i.e., $x_{i_1} \ne x_{i_2}$ for $i_1 \ne i_2$), and for every $i_1 \in [k',k]$, there exists $i_2 \in [k]$ such that $(x_{i_1},x_{i_2})$ are paired on bit j.

We define the following algorithm that generalizes the algorithm of Sect. 4.1 to handle a mask with arbitrary non-NULL type. It takes as input the tuple $K = (k_1,\ldots ,k_t)$ (recall the $k_0 = 0$ by definition).

For $j \in [t]$, define the random variable $T_j(x)$ to be equal to 1 if the algorithm has not returned 0 in iterations $1,\ldots ,j$, and let $T_j(x) = 0$ otherwise. Furthermore, define $T(x) = T_t(x)$ to be the output of the algorithm.

We need the following definition.

Definition 16

For integers $a,b \ge 0,c \ge 1$ such that $a \ge b + c$ ($a > b + c$ if c is odd), define

$$\begin{aligned} \varLambda (a, b, c) = {\left\{ \begin{array}{ll} \prod _{i = 1,3 \ldots , c-1} \frac{b + c - i}{a - b - i} = \frac{b + c - 1}{a - b - 1} \frac{b + c - 3}{a - b - 3} \ldots \frac{b + 1}{a - b - c + 1} &{} \text {if } c \text { is even,} \\ \prod _{i = 1,3 \ldots , c} \frac{b + c - i}{a - b - i} \,\,\,\,\,\, = \frac{b + c - 1}{a - b - 1} \frac{b + c - 3}{a - b - 3} \ldots \frac{b}{a - b - c} &{} \text {if } c \text { is odd.} \end{array}\right. } \end{aligned}$$

Note that for even k, $\varGamma (N,k) = \varLambda (N, 0, k)$.

Proposition 16 immediately follows from the three propositions below (that refer to the type of $\alpha $, namely $K = (k_1,\ldots ,k_t)$).

Proposition 17

(Magnitude of Fourier coefficient bounded by success probability).$|\widehat{\mu _{n,k}}(\alpha )| \le \Pr _{x \sim \mu _{n,k}}[T(x) = 1]$.

Proposition 18

(Bound on success probability). If $k_1$ is even, then

$$\mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 1] \le \varGamma (N, k_1) \cdot \prod _{j = 2}^{t} \varLambda (N, k_{j-1}, k_{j} - k_{j-1}),$$

while if $k_1$ is odd then, $\Pr _{x \sim \mu _{n,k}}[T(x) = 1] = 0$.

Proposition 19

For even $k_1$, we have

$$\begin{aligned} \varGamma (N, k_1) \cdot \prod _{j = 2}^{t} \varLambda (N, k_{j-1}, k_{j} - k_{j-1}) \le {\left\{ \begin{array}{ll} \varGamma (N,k) &{} \text {if } k = k_t < N/2 \text { is even,} \\ \varGamma (N,k-1) \cdot \frac{k}{N - k} &{} \text {if } k = k_t < N/2 \text { is odd.} \end{array}\right. } \end{aligned}$$

In the rest of this section we will prove Proposition 17 and Proposition 18. Proposition 19 is proved in the full version of this paper [11] by elementary analysis.

Proof

(of Proposition 17). The proof is a generalization of the proof of Proposition 10, and we focus on the differences. As in (5),

$$|\widehat{\mu _{n,k}}(\alpha )| \le \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 1] + | \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T(x) = 0] \mathop {\textrm{E}}\limits _{x \sim \mu _{n,k}}[\chi _{\alpha }(x) \mid T(x) = 0] |,$$

and it remains to prove that $\mathop {\textrm{E}}\nolimits _{x \sim \mu _{n,k}}[\chi _{\alpha }(x) \mid T(x) = 0] = 0$. Once again this is proved by partitioning the sample space conditioned on $T(x) = 0$ into couples $(x,x')$ that satisfy $\chi _{\alpha }(x) = - \chi _{\alpha }(x')$. However, this time the coupling depends on the iteration $j \in [t]$ which the algorithm executed and returned 0, namely, $T_\ell (x) = 1$ for $\ell \in [j-1]$ and $T_j(x) = 0$. Fix this iteration $j \in [t]$, let $in(x) \in [k_{j-1}+1,k_j]$ be the index of the first unpaired element among $(x_{k_{j-1}+1},\ldots ,x_{k_j})$.

We now consider two cases depending on whether $x_{in(x)} \oplus e_j$ appears among $x_{k_j + 1},\ldots ,x_k$ (note that it does not appear among $(x_1,\ldots ,x_{k_j})$ since $x_{in(x)}$ is not paired to any of these elements).

If $x_{in(x)} \oplus e_j$ does not appear among $(x_{k_j + 1},\ldots ,x_k)$, then it does not appear among $(x_1,\ldots ,x_k)$, and thus we couple x and $x' = (x_1,\ldots ,x_{in(x)-1},x_{in(x)} \oplus e_j,x_{in(x)+1}, \ldots , x_k)$, as in the proof of Proposition 10. Specifically, in this case we have $in(x) = in(x')$. Moreover, since $\alpha $ is of type K, then $\alpha _{i,j} = 1$ for all $i \in [k_{j-1}+1,k_j]$, and in particular, $\alpha _{in(x),j} = 1$. Since $x_{in(x),j} \ne x'_{in(x),j}$ and they are they equal otherwise, $\chi _{\alpha }(x) = - \chi _{\alpha }(x')$. The proof of this case is thus essentially the same as the one of Proposition 10.

We remain with the case that there exists $i \in [k_j + 1,k]$ such that $x_i = x_{in(x)} \oplus e_j$. In this case, we couple $(x,x')$, where $x'$ is defined by exchanging the positions of elements $x_{in(x)}$ and $x_i$ in x, namely, $x'_{in(x)} = x_i$, $x'_{i} = x_{in(x)}$ and $x'_{\ell } = x_{\ell }$ for all $\ell \notin \{in(x),i\}$.

This is indeed a valid coupling since the execution of the algorithm on $x'$ returns 0 for the same iteration j and $in(x) = in(x')$. Moreover, since $\alpha $ is of type K, then $\alpha _{in(x),j} = 1$, but $\alpha _{i,j} = 0$ (as $i \in [k_j + 1,k]$). Thus,

$$\chi _{\alpha }(x) \chi _{\alpha }(x') = (-1)^{ \langle \alpha , x \oplus x' \rangle _{\mathbb {F}_2} } = (-1)^{ \langle \alpha _{in(x)}, e_j \rangle _{\mathbb {F}_2} } (-1)^{ \langle \alpha _{i}, e_j \rangle _{\mathbb {F}_2} } = -1 \cdot 1 = -1, $$

i.e., $\chi _{\alpha }(x) = - \chi _{\alpha }(x')$. This concludes the proof. $\blacksquare $

Proof

(of Proposition 18). First, if $k_1$ is odd then already $T_1(x) = 0$ and $\Pr _{x \sim \mu _{n,k}}[T(x) = 1] = 0$.

Next, assume that $k_1$ is even. We prove by induction on $j \in [t]$ that

$$\mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T_j(x) = 1] \le \varGamma (N, k_1) \cdot \prod _{\ell = 2}^{j} \varLambda (N, k_{\ell -1}, k_{\ell } - k_{\ell -1}).$$

The result then follows since $T(x) = T_t(x)$.

For the base case of $j =1$, we have $\Pr _{x \sim \mu _{n,k}}[T_1(x) = 1] \le \varGamma (N, k_1)$ as in the proof of Proposition 11. For the induction step, we have

$$\mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T_{j}(x) = 1] = \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T_{j-1}(x) = 1] \cdot \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T_{j}(x) = 1 \mid T_{j-1}(x) = 1].$$

Thus, we need to prove that

$$\mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T_{j}(x) = 1 \mid T_{j-1}(x) = 1] \le \varLambda (N, k_{j-1}, k_{j} - k_{j-1}).$$

Fix any values for $x_1,\ldots ,x_{k_{j-1}}$ which have positive probability. We prove the above inequality by taking the probability only over the selection of $x_{k_{j-1} + 1},\ldots ,x_{k_j}$ (which we may assume are only selected in iteration j of the algorithm).

We show that $\varLambda (N, k_{j-1}, k_{j} - k_{j-1})$ is an upper bound on the probability to pair $(x_{k_{j-1} + 1}, \ldots , x_{k_{j}})$ within $(x_1,\ldots ,x_{k_{j}})$ on bit j. For this purpose, we assume that all $x_1,\ldots ,x_{k_{j-1}}$ are available for pairing on bit j, namely, they are not paired among themselves on bit j (this assumption can only increase the success probability of the algorithm, i.e., its pairing probability).

We upper bound $\Pr _{x \sim \mu _{n,k}}[T_{j}(x) = 1 \mid T_{j-1}(x) = 1]$ as follows: the probability that the first element in $(x_{k_{j-1} + 1}, \ldots , x_{k_{j}})$ is paired with one of the $k_{j} - 1$ other elements in $x_1,\ldots ,x_{k_{j}}$ is (at most) $\frac{k_{j} - 1}{N - k_{j-1} - 1}$. Assuming this occurs, we remove both of these elements and then the probability that the next element in $(x_{k_{j-1} + 1}, \ldots , x_{k_{j} })$ is paired is either $\frac{k_{j} - 3}{N - k_{j-1} - 3}$ (if the first element was paired among $(x_{k_{j-1} + 1}, \ldots , x_{k_{j} })$ or $\frac{k_{j} - 3}{N - k_{j-1} - 2}$ (if the first element was paired among $(x_1, \ldots , x_{k_{j-1}})$. In any case, this probability is at most $\frac{k_{j} - 3}{N - k_{j-1} - 3}$. Continue this way until all elements in $(x_{k_{j-1} + 1}, \ldots , x_{k_{j} })$ are paired. Clearly, if $k_{j} - k_{j-1}$ is even, then at least $(k_{j} - k_{j-1})/2$ pairings are required (which occurs if $(x_{k_{j-1} + 1}, \ldots , x_{k_{j} })$ are only paired among themselves).

Taking the product of the corresponding $(k_{j} - k_{j-1})/2$ terms,

$$\begin{aligned} &\, \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T_{j}(x) = 1 \mid T_{j-1}(x) = 1] \\ &\, \le \frac{k_{j} - 1}{N - k_{j-1} - 1} \frac{k_{j} - 3}{N - k_{j-1} - 3} \ldots \frac{k_{j - 1} + 1}{N - k_{j} + 1} = \varLambda (N, k_{j-1}, k_{j} - k_{j-1}), \end{aligned}$$

as claimed. If $k_{j} - k_{j-1}$ is odd, then at least $(k_{j} - k_{j-1} + 1)/2$ pairing are required. Similarly,

$$\begin{aligned} &\, \mathop {\textrm{Pr}}\limits _{x \sim \mu _{n,k}}[T_{j}(x) = 1 \mid T_{j-1}(x) = 1] \\ &\, \le \frac{k_{j} - 1}{N - k_{j-1} - 1} \frac{k_{j} - 3}{N - k_{j-1} - 3} \ldots \frac{k_{j - 1}}{N - k_{j}} = \varLambda (N, k_{j-1}, k_{j} - k_{j-1}). \end{aligned}$$

$\blacksquare $

5 Bounding $\text {W}^{=k}[\mu _{n,k}]$ (Proof of Lemma 2)

The goal of this section is to prove Lemma 2. We start by deriving an exact (but unwieldy) expression for $\text {W}^{=k}[\mu _{n,k}]$.

Proposition 20

$$\text {For } 0 \le k \le 2^n,\,\, \text {W}^{=k}[\mu _{n,k}] = \sum _{i = 0}^{k} (-1)^{k - i} \left( {\begin{array}{c}k\\ i\end{array}}\right) \frac{N^i}{(N)_i}.$$

Proof

For any integer $0 \le i \le k$, $\text {Col}[\mu _{n,i}] = \Pr _{x,x' \sim \mu _{n,i}}[x = x'] = \frac{(N - i)!}{N!} = \frac{1}{(N)_i}.$ Hence, by Proposition 4,

$$\begin{aligned} \text {W}^{\le i}[\mu _{n,i}] = \text {Col}[\mu _{n,i}] \cdot N^i = \frac{N^i}{(N)_i}. \end{aligned}$$

(6)

For a subset $\mathcal {S} \subseteq [k]$ of size $|\mathcal {S}|$, define the functions $h(\mathcal {S}) = \text {W}^{=|\mathcal {S}|}[\mu _{n,|\mathcal {S}|}]$ and $g(\mathcal {S}) = \text {W}^{\le |\mathcal {S}|}[\mu _{n,|\mathcal {S}|}]$. Then, $g(\mathcal {S}) = \sum _{\mathcal {R} \subseteq \mathcal {S}} h(\mathcal {R})$, and by the inclusion-exclusion principle [15, Pg. 1049], $h(\mathcal {S}) = \sum _{\mathcal {R} \subseteq \mathcal {S}} (-1)^{|\mathcal {S}| - |\mathcal {R}|} g(\mathcal {R}) = \sum _{\mathcal {R} \subseteq \mathcal {S}} (-1)^{|\mathcal {S}| - |\mathcal {R}|} \text {W}^{\le |\mathcal {R}|}[\mu _{n,|\mathcal {R}|}]$. Therefore,

$$\begin{aligned} \text {W}^{=k}[\mu _{n,k}] &\, = h([k]) = \sum _{\mathcal {S} \subseteq [k]} (-1)^{k - |\mathcal {S}|} \text {W}^{\le |\mathcal {S}|}[\mu _{n,|\mathcal {S}|}] = \sum _{i = 0}^{k} (-1)^{k - i} \left( {\begin{array}{c}k\\ i\end{array}}\right) \text {W}^{\le i}[\mu _{n,i}] \\ &\, = \sum _{i = 0}^{k} (-1)^{k - i} \left( {\begin{array}{c}k\\ i\end{array}}\right) \frac{N^i}{(N)_i}, \end{aligned}$$

where the third equality is by the symmetry of $\mu _{n,k}$, and the final equality is by (6). $\blacksquare $

The following definition will be useful in deriving a useful bound on $\text {W}^{=k}[\mu _{n,k}]$ for all k.

Definition 17

For a positive integer N and non-negative integers k, a such that $N \ge k+a$, let

$$F_N(k,a) = \sum _{i = 0}^{k} (-1)^{k - i} \left( {\begin{array}{c}k\\ i\end{array}}\right) \frac{N^i}{(N - a)_i}.$$

Note that by Proposition 20, $\text {W}^{=k}[\mu _{n,k}] = F_N(k,0)$. We now derive a recursive formula which will allow to analyze $\text {W}^{=k}[\mu _{n,k}]$.

Proposition 21

(Recursive formula for level-k weight). For $k \ge 2$, $F_N(k,a)$ satisfies the recurrence relation

$$\begin{aligned} F_N(k,a) = \frac{a}{N-a} \cdot F_N(k-1,a+1) + \frac{(k-1)N}{(N-a)(N- a - 1)} \cdot F_N(k-2,a+2), \end{aligned}$$

with the starting conditions $F_N(0,a) = 1$ and $F_N(1,a) = \frac{N}{N-a} -1 = \frac{a}{N-a}$.

Proof

The starting conditions are easily checked by plugging in the parameters into the explicit formula for $F_N(k,a)$. We now prove the recurrence relation holds assuming $k \ge 2$.

To simplify notation, denote $G_i = \frac{N^i}{(N - a)_i}$ and write $F_N(k,a) = \sum _{i = 0}^{k} (-1)^{k - i} \left( {\begin{array}{c}k\\ i\end{array}}\right) G_i$. For $1 \le i \le k-1$, substitute $\left( {\begin{array}{c}k\\ i\end{array}}\right) = \left( {\begin{array}{c}k-1\\ i\end{array}}\right) + \left( {\begin{array}{c}k-1\\ i-1\end{array}}\right) $ and $\left( {\begin{array}{c}k\\ 0\end{array}}\right) = \left( {\begin{array}{c}k-1\\ 0\end{array}}\right) , \left( {\begin{array}{c}k\\ k\end{array}}\right) = \left( {\begin{array}{c}k-1\\ k - 1\end{array}}\right) $ into the expression, which divides each term into a pair of terms. We obtain

$$\begin{aligned} &\, F_N(k,a) = \sum _{i = 0}^{k} (-1)^{k - i} \left( {\begin{array}{c}k\\ i\end{array}}\right) G_i \\ = &\, \left( (-1)^k \left( {\begin{array}{c}k-1\\ 0\end{array}}\right) \cdot G_0 + (-1)^{k - 1} \left( {\begin{array}{c}k-1\\ 0\end{array}}\right) G_1 \right) \\ + &\, \left( (-1)^{k - 1} \left( {\begin{array}{c}k-1\\ 1\end{array}}\right) G_1 + (-1)^{k - 2} \left( {\begin{array}{c}k-1\\ 1\end{array}}\right) G_2 \right) \\ + \ldots + &\, \left( (-1)^{k - (k-1)} \left( {\begin{array}{c}k-1\\ k-1\end{array}}\right) G_{k-1} + (-1)^{k - k} \left( {\begin{array}{c}k-1\\ k-1\end{array}}\right) G_k \right) \\ = &\, \sum _{i = 1}^{k} (-1)^{k- i} \left( {\begin{array}{c}k-1\\ i-1\end{array}}\right) \left( G_i - G_{i-1} \right) . \end{aligned}$$

We have $G_i = G_{i-1} \cdot \frac{N}{N - a - (i - 1)}$, so $G_i - G_{i-1} = G_{i-1} \cdot (\frac{N}{N - a - (i - 1)} - 1) = G_{i-1} \cdot \frac{a + (i - 1)}{N - a - (i - 1)}$. Therefore, the above expression is equal to

$$\begin{aligned} &\, \sum _{i = 1}^{k} (-1)^{k- i} \left( {\begin{array}{c}k-1\\ i-1\end{array}}\right) G_{i-1} \cdot \frac{a + (i - 1)}{N - a - (i - 1)} \\ = &\, \sum _{i = 1}^{k} (-1)^{k- i} \left( {\begin{array}{c}k-1\\ i-1\end{array}}\right) \frac{(a + (i - 1)) N^{i-1}}{(N-a)(N - a - 1) \ldots (N - a - (i - 1))} \\ = &\, \frac{1}{N-a} \cdot \sum _{i = 1}^{k}(-1)^{k- i} \left( {\begin{array}{c}k-1\\ i-1\end{array}}\right) \frac{(a + (i - 1)) N^{i-1}}{(N- a -1)_{i-1}} \\ = &\, \frac{1}{N-a} \cdot \sum _{i = 0}^{k-1}(-1)^{k - 1 - i} \left( {\begin{array}{c}k-1\\ i\end{array}}\right) \frac{(a + i) N^{i}}{(N- a -1)_{i}} \\ = &\, \frac{a}{N-a} \cdot \sum _{i = 0}^{k-1}(-1)^{k - 1 - i} \left( {\begin{array}{c}k-1\\ i\end{array}}\right) \frac{N^{i}}{(N- a - 1)_{i}} \\ + &\,\frac{1}{N-a} \cdot \sum _{i = 1}^{k-1}(-1)^{k - 1 - i} \left( {\begin{array}{c}k-1\\ i\end{array}}\right) \frac{i \cdot N^{i}}{(N- a - 1)_{i}} \\ = &\, \frac{a}{N-a} \cdot F_N(k-1,a+1) \\ + &\, \frac{N}{(N- a - 1)(N-a)} \cdot \sum _{i = 1}^{k-1}(-1)^{k - 1 - i} \left( {\begin{array}{c}k-1\\ i\end{array}}\right) \frac{i \cdot N^{i-1}}{(N- a - 1)_{i-1}}. \end{aligned}$$

To complete the proof, it remains to show that

$$\sum _{i = 1}^{k-1}(-1)^{k - 1 - i} \left( {\begin{array}{c}k-1\\ i\end{array}}\right) \frac{i \cdot N^{i-1}}{(N- a - 1)_{i-1}} = (k-1) \cdot F_N(k-2,a+2).$$

Observe that $i \cdot \left( {\begin{array}{c}k-1\\ i\end{array}}\right) = (k-1) \cdot \left( {\begin{array}{c}k-2\\ i-1\end{array}}\right) $. Therefore,

$$\begin{aligned} &\, \sum _{i = 1}^{k-1}(-1)^{k - 1 - i} \left( {\begin{array}{c}k-1\\ i\end{array}}\right) \frac{i \cdot N^{i-1}}{(N- a - 1)_{i-1}} \\ = &\, (k-1) \cdot \sum _{i = 1}^{k-1}(-1)^{k - 1 - i} \left( {\begin{array}{c}k-2\\ i - 1\end{array}}\right) \frac{N^{i-1}}{(N- a - 1)_{i-1}} \\ = &\, (k-1) \cdot \sum _{i = 0}^{k-2}(-1)^{k - i} \left( {\begin{array}{c}k-2\\ i\end{array}}\right) \frac{N^{i}}{(N- a - 2)_{i}} \\ = &\, (k-1) \cdot F_N(k-2,a+2). \end{aligned}$$

This completes the proof. $\blacksquare $

Next, we use the recurrence relation to bound $F_N(k,a)$.

Proposition 22

$$\begin{aligned} F_N(k,a) \le {\left\{ \begin{array}{ll} \frac{(N(a+k-1))^{k/2}}{(N - a)_{k}} &{} \text {if } k \text { is even,} \\ \frac{(N(a+k-1))^{(k-1)/2} \cdot (a+k-1)}{(N - a)_{k}} &{} \text {if } k \text { is odd.} \end{array}\right. } \end{aligned}$$

Proof

We prove the result using Proposition 21 by induction on k. It is easy to verify that it holds for $k=0$ and $k=1$ by the starting conditions. We prove the induction step.

If k is odd, then by the assumption

$$\begin{aligned} &\, F_N(k,a) = \frac{a}{N-a} \cdot F_N(k-1,a+1) + \frac{(k-1)N}{(N-a)(N- a - 1)} \cdot F_N(k-2,a+2) \\ \le &\, \frac{a}{N-a} \cdot \frac{(N(a+k-1))^{(k-1)/2}}{(N - a - 1)_{k-1}} \\ + &\, \frac{(k-1)N}{(N-a)(N- a - 1)} \cdot \frac{(N(a+k-1))^{(k-3)/2}(a + k - 1)}{(N - a - 2)_{k-2}} \\ = &\, a \cdot \frac{(N(a+k-1))^{(k-1)/2}}{(N - a)_{k}} + (k-1) \cdot \frac{(N(a+k-1))^{(k-1)/2}}{(N - a)_{k}} \\ = &\, \frac{(N(a+k-1))^{(k-1)/2} \cdot (a+k-1)}{(N - a)_{k}}, \end{aligned}$$

as desired. If k is even, then

$$\begin{aligned} &\, F_N(k,a) \le \frac{a}{N-a} \cdot \frac{(N(a+k-1))^{(k-2)/2} \cdot (a+k-1)}{(N - a - 1)_{k - 1}} \\ + &\, \frac{(k-1)N}{(N-a)(N- a - 1)} \cdot \frac{(N(a+k-1))^{(k-2)/2}}{(N - a - 2)_{k-2}} \\ = &\, a \cdot \frac{(N(a+k-1))^{(k-2)/2} \cdot (a+k-1)}{(N - a)_{k}} + (k-1)N \cdot \frac{(N(a+k-1))^{(k-2)/2}}{(N - a)_{k}} \\ = &\, \frac{(N(a+k-1))^{(k-2)/2}}{(N - a)_{k}} \cdot (a(a+k-1) + (k-1)N ). \end{aligned}$$

It remains to prove that $a(a+k-1) + (k-1)N \le N(a+k-1)$ or $a+k-1 \le N$, which indeed holds (as the quantity $a+k$ is preserved throughout the recursive calls).

$\blacksquare $

Finally, Lemma 2 is proved in the full version of this paper [11] by straightforward manipulation of the bound on $F_N(k,a)$ of Proposition 22, and based on the fact that by Proposition 20, $\text {W}^{=k}[\mu _{n,k}] = F_N(k,0)$.

Notes

1.
More accurately, the task is to bound the Fourier coefficients for the normalized distribution function (i.e., density function) generated by the XoP construction.

References

Bellare, M., Impagliazzo, R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. IACR Cryptol. ePrint Arch, p. 24 (1999). http://eprint.iacr.org/1999/024
Bellare, M., Krovetz, T., Rogaway, P.: Luby-Rackoff backwards: increasing security by making block ciphers non-invertible. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 266–280. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054132
Chapter Google Scholar
Bhattacharya, S., Nandi, M.: Revisiting variable output length XOR pseudorandom function. IACR Trans. Symmetric Cryptol. 2018(1), 314–335 (2018). https://doi.org/10.13154/tosc.v2018.i1.314-335
Bhattacharya, S., Nandi, M.: Luby-Rackoff backwards with more users and more security. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021, Part III. LNCS, vol. 13092, pp. 345–375. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92078-4_12
Chapter Google Scholar
Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.P.: Minimizing the two-round even-Mansour cipher. J. Cryptol. 31(4), 1064–1119 (2018). https://doi.org/10.1007/s00145-018-9295-y
Article MathSciNet Google Scholar
Chen, Y.L., Choi, W., Lee, C.: Improved multi-user security using the squared-ratio method. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14082, pp. 694–724. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38545-2_23
Chapter Google Scholar
Choi, W., Kim, H., Lee, J., Lee, Y.: Multi-user security of the sum of truncated random permutations. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13792, pp. 682–710. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22966-4_23
Chapter Google Scholar
Cogliati, B., Dutta, A., Nandi, M., Patarin, J., Saha, A.: Proof of mirror theory for a wide range of $\xi _{\rm max}$. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. Lecture Notes in Computer Science, vol. 14007, pp. 470–501. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30634-1_16
Cogliati, B., Lampe, R., Patarin, J.: The indistinguishability of the XOR of $k$ permutations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 285–302. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_15
Chapter Google Scholar
Dai, W., Hoang, V.T., Tessaro, S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 497–523. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_17
Chapter Google Scholar
Dinur, I.: Tight indistinguishability bounds for the XOR of independent random permutations by Fourier analysis. IACR Cryptol. ePrint Arch. (2024). http://eprint.iacr.org/2024/338
Dutta, A., Nandi, M., Saha, A.: Proof of mirror theory for $\xi _{\rm max}$ = 2. IEEE Trans. Inf. Theory 68(9), 6218–6232 (2022). https://doi.org/10.1109/TIT.2022.3171178
Eberhard, S.: More on additive triples of bijections (2017). https://arxiv.org/abs/1704.02407
Eberhard, S., Manners, F., Mrazović, R.: Additive triples of bijections, or the toroidal semiqueens problem. J. Eur. Math. Soc. 21(2), 441–463 (2018). https://doi.org/10.4171/JEMS/841
Article MathSciNet Google Scholar
Gessel, I.M., Stanley, R.P.: Algebraic enumeration. In: Handbook of Combinatorics, vol. 2, pp. 1021–1061. MIT Press, Cambridge (1996)
Google Scholar
Gunsing, A., Bhaumik, R., Jha, A., Mennink, B., Shen, Y.: Revisiting the indifferentiability of the sum of permutations. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. NCS, vol. 14083, pp. 628–660. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38548-3_21
Chapter Google Scholar
Gunsing, A., Mennink, B.: The summation-truncation hybrid: reusing discarded bits for free. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 187–217. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_7
Chapter Google Scholar
Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 370–389. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055742
Chapter Google Scholar
Liu, T., Tessaro, S., Vaikuntanathan, V.: The t-wise independence of substitution-permutation networks. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 454–483. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_16
Chapter Google Scholar
Lucks, S.: The sum of PRPs is a secure PRF. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 470–484. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_34
Chapter Google Scholar
Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_8
Chapter Google Scholar
Mennink, B., Preneel, B.: On the XOR of multiple random permutations. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 619–634. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_30
Chapter Google Scholar
O’Donnell, R.: Analysis of Boolean Functions. Cambridge University Press, New York (2014)
Book Google Scholar
Patarin, J.: A proof of security in O(2ⁿ) for the Xor of Two Random Permutations. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 232–248. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85093-9_22
Chapter Google Scholar
Patarin, J.: Generic attacks for the XOR of K random permutations. IACR Cryptol. ePrint Arch. p. 9 (2008). http://eprint.iacr.org/2008/009
Patarin, J.: Introduction to mirror theory: analysis of systems of linear equalities and linear non equalities for cryptography. IACR Cryptol. ePrint Arch., p. 287 (2010). http://eprint.iacr.org/2010/287
Patarin, J.: Generic attacks for the Xor of k random permutations. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 154–169. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38980-1_10
Chapter Google Scholar

Download references

Acknowledgements

The author was supported by the Israel Science Foundation through grant no. 1903/20. The author would like to thank Samuel Neves for pointing him to the prior works [13, 14].

Author information

Authors and Affiliations

Department of Computer Science, Ben-Gurion University, Beersheba, Israel
Itai Dinur

Authors

Itai Dinur
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Itai Dinur .

Editor information

Editors and Affiliations

Zama, Paris, France
Marc Joye
Ruhr University Bochum, Bochum, Germany
Gregor Leander

A Missing Proofs from Section 4

Proof

(of Lemma 1). We use Proposition 15 to bound $\text {M}^{=k}[\mu _{n,k}]$. First we have $\text {M}^{=2}[\mu _{n,2}] \le \varGamma (N,2) = \frac{1}{N-1}$.

Next, for even k, by Proposition 15,

$$\begin{aligned} &\, \text {M}^{=k}[\mu _{n,k}]^2 \le \varGamma (N,k)^2 = \left( \frac{k-1}{N-1} \right) ^2 \left( \frac{k-3}{N-3} \right) ^2 \ldots \left( \frac{1}{N - (k - 1)} \right) ^2 \\ \le &\, \frac{k}{N} \frac{k-1}{N-1} \frac{k-2}{N-2} \frac{k-3}{N-3} \ldots \frac{2}{N - (k - 2)} \frac{1}{N -( k - 1)} = \frac{1}{\left( {\begin{array}{c}N\\ k\end{array}}\right) }. \end{aligned}$$

Similarly, for odd k,

$$\begin{aligned} &\, \text {M}^{=k}[\mu _{n,k}]^2 \le \varGamma (N,k-1)^2 \cdot \left( \frac{k}{N - k} \right) ^2 \le \frac{1}{\left( {\begin{array}{c}N\\ k-1\end{array}}\right) }\cdot \left( \frac{k}{N - k} \right) ^2 \\ = &\, \frac{1}{\left( {\begin{array}{c}N\\ k\end{array}}\right) }\cdot \frac{N - (k - 1)}{k} \left( \frac{k}{N - k} \right) ^2 = \frac{1}{\left( {\begin{array}{c}N\\ k\end{array}}\right) }\cdot \frac{N - (k - 1)}{N - k} \frac{k}{N - k} \\ < &\, \frac{1}{\left( {\begin{array}{c}N\\ k\end{array}}\right) }\cdot \frac{N - (k - 1)}{N - k} \frac{k + 1}{N - (k - 1)} = \frac{1}{\left( {\begin{array}{c}N\\ k\end{array}}\right) } \cdot \frac{k + 1}{N - k}. \end{aligned}$$

$\blacksquare $

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Dinur, I. (2024). Tight Indistinguishability Bounds for the XOR of Independent Random Permutations by Fourier Analysis. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14651. Springer, Cham. https://doi.org/10.1007/978-3-031-58716-0_2

Download citation

DOI: https://doi.org/10.1007/978-3-031-58716-0_2
Published: 29 April 2024
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58715-3
Online ISBN: 978-3-031-58716-0
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Tight Indistinguishability Bounds for the XOR of Independent Random Permutations by Fourier Analysis

Abstract

1 Introduction

1.1 The XoP Construction

1.2 Our Contribution

Remark 1

1.3 Paper Structure

2 Preliminaries

2.1 Probability

Definition 1

Definition 2

Definition 3

Proposition 1

Definition 4

2.2 Fourier Analysis

Definition 5

Definition 6

Proposition 2

Proposition 3

Proposition 4

Proposition 5

Proposition 6

Proposition 7

Proof

Proposition 8

Proof

2.3 Cryptographic Preliminaries and Sampling Without Replacement

Definition 7

3 Indistinguishability Bounds for XoP[r, n] Using Fourier Properties of Sampling Without Replacement

3.1 Basic Properties of \(\mu _{n,k}\)

Lemma 1

Lemma 2

Remark 2

Remark 3

3.2 Application to Indistinguishability Bounds for XoP[r, n]

Theorem 1

Proof

Theorem 2

Proof

Theorem 3

Proof

4 Bounding \(\text {M}^{=k}[\mu _{n,k}]\) (Proof of Lemma 1)

4.1 Bounding \(|\widehat{\mu _{n,k}}(\alpha )|\) for \(\alpha \) of Type \(K = (k)\)

Definition 8

Definition 9

Proposition 9

Definition 10

Definition 11

Proposition 10

Proposition 11

Proof

Proof

4.2 Classification of Masks

Proposition 12

Proof

Proposition 13

Proof

Definition 12

Definition 13

Definition 14

Example 1

Proposition 14

Proof

4.3 Bounding \(|\widehat{\mu _{n,k}}(\alpha )|\) for General \(\alpha \)

Proposition 15

Proposition 16

Proof

Definition 15

Definition 16

Proposition 17

Proposition 18

Proposition 19

Proof

Proof

5 Bounding \(\text {W}^{=k}[\mu _{n,k}]\) (Proof of Lemma 2)

Proposition 20

Proof

Definition 17

Proposition 21

Proof