
1 Introduction

Simplification of Blockcipher Construction. Designing a cryptographic scheme with minimal components has been a main theme of cryptographic research over the last thirty years. Even and Mansour [8, 9] addressed this problem with respect to blockcipher design in 1991. They were motivated by DESX, proposed by Rivest in 1984. DESX was designed to protect DES against exhaustive search attacks by XORing two independent prewhitening and postwhitening keys to the plaintext and ciphertext, respectively. The Even-Mansour (EM) scheme keeps such whitening keys but eliminates the keyed blockcipher, replacing it with a public random permutation. The constructions of DESX and EM are shown in Fig. 1, where \(E_{K'}:\{0,1\}^n\rightarrow \{0,1\}^n\) is a blockcipher with a key \(K'\), \(P:\{0,1\}^n\rightarrow \{0,1\}^n\) is a permutation, x is the input, and y is the output (hereafter we use these notations).

Fig. 1. Blockciphers: DESX and EM

Dunkelman et al. [7] considered the minimal construction for EM. They showed that the two-key EM is not minimal in the sense that it can be further simplified into a single-key variant, i.e., \(K_1=K_2\), which has exactly the same provable security.

Tweakable Blockcipher Design. The same research direction has been pursued in the area of tweakable blockcipher (TBC) design. TBCs are a generalization of traditional blockciphers, formalized by Liskov et al. [14, 15]. A TBC takes, in addition to the usual inputs (message and key), an extra input for performing rekeying efficiently. This input is called the tweak.

Fig. 2. Tweakable blockciphers: LRW, TEM, XE and our target: XP

Liskov et al. [14, 15] proposed the so-called LRW that is based on a blockcipher and a uniform and almost XOR-universal (AXU) family of functions \(\{h_{K}\}_{K\in \mathcal {K}_h}\) indexed by key set \(\mathcal {K}_h\) from tweak set \(\mathcal {TW}\) to \(\{0,1\}^n\). In this scheme, the underlying blockcipher is sandwiched between two maskings of offset \(h_{K}(tw)\). This construction is shown in the top left part of Fig. 2, where \(tw \in \mathcal {TW}\) is a tweak and \((K,K')\) is a key. They proved that LRW is a secure tweakable SPRP (Strong Pseudo-Random Permutation) up to the birthday bound, i.e., \(2^{n/2}\) adversarial queries, assuming \(E_{K'}\) is a secure SPRP.

Similar to the research direction from DESX to EM, Kurosawa [12, 13] eliminated the keyed blockcipher, replacing it with a permutation. This scheme is called tweakable Even-Mansour (TEM) [6], which is shown in the top right part of Fig. 2. He proved that TEM is a secure tweakable SPRP up to the birthday bound, assuming the underlying permutation is a public random permutation [12, 13]. The research direction from LRW to TEM is shown in Fig. 2, labeled (1).

Eliminating Output Masking. LRW has three components: the input masking, the output masking, and the keyed blockcipher. Therefore, besides the elimination of the keyed blockcipher, it is natural to consider the elimination of the input masking or the output masking. Regarding this research topic, Rogaway [18] showed that if the output masking of LRW is eliminated, the resultant scheme is still a secure tweakable PRP (Pseudo-Random Permutation). This scheme is called XE, which is shown in the bottom left part of Fig. 2. Note that if the input masking of LRW is eliminated instead, the resultant scheme is not a secure tweakable PRP, since the linearity of the offsets appears in the outputs of this scheme. Therefore, regarding the elimination of a masking, XE is the minimal construction with tweakable PRP-security. The research direction from LRW to XE is shown in Fig. 2, labeled (2).

Main Question. From Fig. 2, it is quite natural to consider the research directions (3) and (4), both of which arrive at the scheme shown in the bottom right part. Direction (3) eliminates the keyed blockcipher of XE, replacing it with a permutation, and direction (4) eliminates the output masking of TEM. We call the target scheme XP (Xor-Permutation). However, XP is not a secure tweakable (S)PRP, since the offset can be obtained by inverting the underlying permutation from the output of XP. Therefore the next question naturally arises: can we securely incorporate XP into a cryptographic scheme?

Fig. 3. PMAC using \(\widetilde{E}\)

Fig. 4. PMAC using XP

Our Result. In this paper we consider PMAC [3, 18], which is a TBC-based message authentication code (MAC) and a main application of XE. Indeed, almost all blockcipher-based PMAC-type schemes such as [3, 18, 21] use XE-type schemes. The PMAC construction is shown in Fig. 3, where the tweak space is defined as \(\mathcal {TW}:=\mathbb {N}\times \{0,1,2\}\), \(\widetilde{E}_K:\mathcal {TW}\times \{0,1\}^n\rightarrow \{0,1\}^n\) is a TBC with a key \(K\), \(M_1,M_2,\ldots ,M_l\) are message blocks with \(|M_i|=n~(i=1,\ldots ,l-1)\) and \(|M_l| \le n\), and \((1,0),(2,0), \ldots , (l-1,0), (l-1,1), (l-1,2) \in \mathcal {TW}\) are tweaks. In this construction, if \(|M_l|=n\), then the tweak \((l-1,1)\) is used; else if \(|M_l|<n\), then a 1 bit followed by zeros is appended to \(M_l\) and the tweak \((l-1,2)\) is used.

Note that if XP is incorporated into PMAC directly, the resultant scheme does not become a secure PRF (Pseudo-Random Function), since the offset of XP at the last block can be obtained by inverting the underlying permutation from the output. In order to avoid this attack, we consider PMAC with output truncation. The resultant construction is shown in Fig. 4. We prove that when \(n-t\) bits are truncated (i.e., the tag length is \(t\) bits), it is a secure PRF up to \(\min \{2^{n-t}/t,2^{n/2}\}\) permutation calls made by adversarial queries, assuming the underlying permutation is a public random permutation. As a result, setting \(t= n/2 - \log _2 (n/2)\), it becomes a secure PRF up to the birthday bound.

In addition to the theoretical result, we discuss the practical benefit of the scheme. It should be noted that the advantage of XP over TEM would be similar to that of XE over LRW, but this advantage has not been thoroughly discussed so far. In previous work, Rogaway mentioned that XE is slightly more efficient than LRW because some XOR instructions/gates can be saved [18]. In this paper, we show that the benefit can be even more significant, because the elimination of the output masking relaxes the data dependency and enables further optimization. In particular, an architectural optimization enabled by the relaxed data dependency is discussed in detail for hardware implementation.

Organization. We start by giving notations and security definitions in Sect. 2. In Sect. 3, we give the description of PMAC with XP and its PRF-security bound. In Sect. 4, we give the security proof. Finally, in Sect. 5, we discuss the benefit of PMAC with XP over PMAC with TEM with respect to hardware implementation, and describe future work.

2 Notation and Security Definition

Notation. Let \(\{0,1\}^*\) be the set of all bit strings, for an integer \(n\ge 0\), \(\{0,1\}^n\) the set of \(n\)-bit strings, \(\{0,1\}^{\le n}:=\cup _{i=0}^n\{0,1\}^i\) the set of bit strings whose bit lengths are \(n\) bit or less, \(0^n\) the bit string of \(n\)-bit zeroes, and \(\lambda \) the empty string. For integers \(0 \le i \le n\) and a bit string \(x \in \{0,1\}^n\), we denote by \([x]_i\) the least significant i-bit string of x and by \([x]^i\) the most significant i-bit string of x. For a finite set X, \(x \xleftarrow {\$}X\) means that an element is randomly drawn from X and is set to x. For a set X, let \(\mathsf {Perm}(X)\) be the set of all permutations: \(X \rightarrow X\). For sets X and Y, let \(\mathsf {Func}(X,Y)\) be the set of all functions: \(X \rightarrow Y\). We denote by \(\emptyset \) the empty set. For sets X and Y, \(X \leftarrow Y\) means that Y is assigned to X, and \(X \xleftarrow {\cup }Y\) means \(X \leftarrow X \cup Y\). For a bit string x and a set X, we denote by |x| and |X| the bit length of x and the number of elements in X, respectively. Let \(\mathbb {F}_{2^n}\) be the set \(\{0,1\}^n\) seen as the field with \(2^n\) elements defined by some irreducible polynomial of degree \(n\) over \(\mathbb {F}_2\). \(a \otimes b\) denotes multiplication of two elements \(a,b \in \mathbb {F}_{2^n}\) in the field.

PRF-Security. Through this paper, a distinguisher \(\mathbf {D}\) is a computationally unbounded algorithm. It is given query access to one or more oracles \(\mathcal {O}\), denoted by \(\mathbf {D}^\mathcal {O}\). Its complexity is solely measured by the number of queries made to its oracles. Let \(t\ge 0\) be an integer, \(\mathcal {K}\) a key set, and \(\{\mathcal {F}^P_K\}_{K\in \mathcal {K}}\) a family of functions from \(\{0,1\}^*\) to \(\{0,1\}^t\) indexed by \(\mathcal {K}\) and based on a permutation \(P\in \mathsf {Perm}(\{0,1\}^n)\) for an integer \(n>0\). The security proof will be done in the ideal model, regarding the underlying permutation as a random permutation \(\mathcal {P}\xleftarrow {\$}\mathsf {Perm}(\{0,1\}^n)\). We denote by \(\mathcal {P}^{-1}\) its inverse.

The PRF-security of \(\mathcal {F}\) is defined in terms of indistinguishability between the real world and the ideal world. In the real world, \(\mathbf {D}\) has query access to \(\mathcal {F}_K^\mathcal {P}\), \(\mathcal {P}\), and \(\mathcal {P}^{-1}\) for \(K\xleftarrow {\$}\mathcal {K}\) and \(\mathcal {P}\xleftarrow {\$}\mathsf {Perm}(\{0,1\}^n)\). In the ideal world, it has query access to a random function \(\mathcal {R}\), \(\mathcal {P}\), and \(\mathcal {P}^{-1}\) for \(\mathcal {R}\xleftarrow {\$}\mathsf {Func}(\{0,1\}^*,\{0,1\}^t)\) and \(\mathcal {P}\xleftarrow {\$}\mathsf {Perm}(\{0,1\}^n)\). After interacting with oracles, \(\mathbf {D}\) outputs \(y \in \{0,1\}\). This event is denoted by \(\mathbf {D}\Rightarrow y\). We define the advantage function as

We call queries to \(\mathcal {F}^\mathcal {P}_K/\mathcal {R}\) “online queries” and queries to \((\mathcal {P},\mathcal {P}^{-1})\) “offline queries.” Throughout this paper, without loss of generality, we assume that \(\mathbf {D}\) is deterministic and makes no repeated query; for offline queries this means that once \(\mathbf {D}\) obtains \((X,Y)\) such that \(Y=\mathcal {P}(X)\), it asks neither X to \(\mathcal {P}\) nor Y to \(\mathcal {P}^{-1}\).

3 PMAC with XP and the PRF-Security

In this section, first we give the description of PMAC using XP. This construction is denoted by \(\mathtt {PMAC\_XP}\). Secondly, we define a uniform and almost XOR-universal (AXU) family of hash functions whose properties will be used in the security proof of \(\mathtt {PMAC\_XP}\). Thirdly, we give the PRF-security bound of \(\mathtt {PMAC\_XP}\).

3.1 \(\mathtt {PMAC\_XP}\)

Fix integers \(n\ge 1\) and \(p \ge 0\). Let \(\mathcal {TW}:=\mathbb {Z}_p\times \{0,1,2\}\) be the set of tweaks, and \(\mathcal {K}\) the set of keys. Let \(\mathcal {H}= \{h_K\}_{K\in \mathcal {K}}\) be a family of functions from \(\mathcal {TW}\) to \(\{0,1\}^n\) indexed by \(\mathcal {K}\). By \(\mathtt {PMAC\_XP}^P_K\), we denote the \(\mathtt {PMAC\_XP}\) function that uses a permutation \(P\in \mathsf {Perm}(\{0,1\}^n)\) as the underlying permutation and a key \(K\in \mathcal {K}\). For a message \(M \in \{0,1\}^{\le n\times (p+1)}\), the response \(\mathtt {PMAC\_XP}^P_K(M)=T\) is defined as follows. Here, \(M\Vert 10^*\) means that a single 1 bit is first appended to M, and if the bit length of \(M\Vert 1\) is not a multiple of \(n\), then the minimum number of zeros is appended to \(M\Vert 1\) so that its length becomes a multiple of \(n\) bits.

  1. If \(|M| \mod n= 0\) and \(M \ne \lambda \) then \(M' \leftarrow M\); Else \(M' \leftarrow M\Vert 10^*\)
  2. Partition \(M'\) into \(n\)-bit blocks \(M_1,\ldots ,M_l\)
  3. \(S \leftarrow 0^{n}\); For \(i=1,\ldots ,l-1\) do \(B_i \leftarrow M_i \oplus h_K(i,0)\); \(C_i \leftarrow P(B_i)\); \(S \leftarrow S \oplus C_i\)
  4. If \(|M| \mod n= 0\) and \(M \ne \lambda \) then \(B_l\leftarrow S \oplus M_l\oplus h_K(l-1,1)\); \(C_l\leftarrow P(B_l)\); Else \(B_l\leftarrow S \oplus M_l\oplus h_K(l-1,2)\); \(C_l\leftarrow P(B_l)\)
  5. \(T \leftarrow [C_l]_t\); Return T

3.2 Uniform AXU Hash Function Family

We will need the following property of the family of functions \(\mathcal {H}\).

Definition 1

Let \(\mathcal {H}= \{h_K\}_{K\in \mathcal {K}}\) be a family of functions from (some set) \(\mathcal {TW}\) to \(\{0,1\}^n\) indexed by a set of keys \(\mathcal {K}\). \(\mathcal {H}\) is said to be uniform if for any \(tw \in \mathcal {TW}\) and \(y \in \{0,1\}^n\),

$$\begin{aligned} \mathrm {Pr}[K\xleftarrow {\$}\mathcal {K}: h_K(tw) = y] = 2^{-n} . \end{aligned}$$

\(\mathcal {H}\) is said to be \(\varepsilon \)-almost XOR-universal (\(\varepsilon \)-AXU) if for all distinct \(tw,tw' \in \mathcal {TW}\) and all \(y \in \{0,1\}^n\),

$$\begin{aligned} \mathrm {Pr}[K\xleftarrow {\$}\mathcal {K}: h_K(tw) \oplus h_K(tw') = y] \le \varepsilon . \end{aligned}$$

\(\mathcal {H}\) is simply said to be XOR-universal (XU) if it is \(2^{-n}\)-AXU.

Example 1

Let \(\mathcal {K}:= \mathbb {F}_{2^n}\). For any integer \(\ell \ge 1\), we define a family of functions \(\mathcal {H}= \{h_K\}_{K\in \mathcal {K}}\) from \((\mathbb {F}_{2^n})^\ell \) to \(\mathbb {F}_{2^n}\) as \(h_K(X_1,\ldots ,X_\ell ) = \sum _{i=1}^\ell K^i \otimes X_i\). Then \(\mathcal {H}\) is \(\ell \cdot 2^{-n}\)-AXU [20]. Note, however, that \(\mathcal {H}\) is not uniform since the tweak with \((X_{1},\ldots ,X_{\ell })=(0,\ldots ,0)\) is always mapped to 0 independently of the key. This can be handled by forbidding the all-zero input, in which case the family is not exactly uniform, but rather \(\ell \cdot 2^{-n}\)-almost uniform, i.e., for all \((X_{1},\ldots ,X_{\ell }) \in (\mathbb {F}_{2^n})^\ell \setminus \{(0,\ldots ,0)\}\) and \(y \in \{0,1\}^n\), \(\mathrm {Pr}[K\xleftarrow {\$}\mathcal {K}: h_K(X_{1},\ldots ,X_{\ell }) = y] \le \ell \cdot 2^{-n}\).

Example 2

Rogaway [18] proposed a powering-up method that offers a uniform AXU function family, e.g., \(\mathcal {TW}:= \{1,\ldots ,2^{n/2}\} \times \{0,\ldots ,10\} \times \{0,\ldots ,10\}\), \(\mathcal {K}:= \mathbb {F}_{2^n}\), and the family of functions \(\mathcal {H}= \{h_K\}_{K\in \mathcal {K}}\) is defined as \(h_K(i,j,r) := 2^{i}3^j7^r \otimes K\). The multiplications by 2, 3 and 7 can be calculated by XOR and shift operations. Using this method, the offsets of \(\mathtt {PMAC\_XP}\) can be efficiently calculated, e.g., \(2 \otimes K, 2^2 \otimes K, 2^3 \otimes K,\ldots ,2^{l-1} \otimes K,2^{l-1} 3 \otimes K\), etc.
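The following is an added, self-contained example (not the paper's code) that implements the five steps of \(\mathtt {PMAC\_XP}\) from Sect. 3.1 with the offsets \(h_K(i,j) = 2^i 3^j \otimes K\) of Example 2, computed over \(\mathbb {F}_{2^{128}}\) by shift-and-XOR doubling and tripling. Everything not in the paper is this example's assumption: the field polynomial \(x^{128}+x^7+x^2+x+1\), the tag length \(t = 64 = n/2\), byte-level \(10^*\) padding, and the public permutation \(P\), which is a constructed keyless Feistel stand-in chosen only so the code runs offline, not a recommended primitive.

```python
# Added example (not the paper's code): PMAC_XP from Sect. 3.1 with the
# powering-up offsets h_K(i, j) = 2^i 3^j (x) K of Example 2 over F_{2^128}.
# The permutation P is a constructed keyless stand-in (8-round Feistel with a
# fixed round function); the field polynomial, t = 64 and byte-level padding
# are this example's choices, not the paper's.
import hmac
import os

N = 128                     # block size n in bits
BLOCK = N // 8              # block size in bytes
R_POLY = (1 << 128) | 0x87  # x^128 + x^7 + x^2 + x + 1, irreducible over F_2 (assumed choice)
MASK64 = (1 << 64) - 1


def gf_mul(a: int, b: int) -> int:
    """Multiply a and b in F_{2^128} (the paper's a (x) b) by shift-and-XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # degree reached 128: reduce modulo the field polynomial
            a ^= R_POLY
    return r


def offset(K: int, i: int, j: int) -> int:
    """h_K(i, j) = 2^i 3^j (x) K: the uniform AXU offset of Example 2 for tweak (i, j)."""
    v = K
    for _ in range(i):
        v = gf_mul(v, 2)    # multiplication by 2 (by x): one shift and a conditional XOR
    for _ in range(j):
        v = gf_mul(v, 3)    # multiplication by 3 (by x + 1)
    return v


def _round(x: int, rc: int) -> int:
    """Constructed Feistel round function; any function here still yields a permutation."""
    x = (x + rc) & MASK64
    x = ((x << 13) | (x >> 51)) & MASK64
    x = (x * 0x9E3779B97F4A7C15) & MASK64
    return x ^ (x >> 29)


def perm(x: int) -> int:
    """Constructed public permutation P on {0,1}^128 (toy stand-in, not a real cipher)."""
    left, right = x >> 64, x & MASK64
    for rnd in range(8):
        left, right = right, left ^ _round(right, 0x243F6A8885A308D3 * (rnd + 1) & MASK64)
    return (left << 64) | right


def pmac_xp(K: int, M: bytes, t: int = 64) -> bytes:
    """Tag T = PMAC_XP^P_K(M) = [C_l]_t following steps 1-5 of Sect. 3.1 (t in bits)."""
    assert t % 8 == 0 and 0 < t <= N
    full = len(M) % BLOCK == 0 and len(M) > 0
    if full:
        Mp = M                                      # step 1: |M| mod n = 0 and M != empty
    else:
        # step 1: M || 10*, a single 1 bit then the fewest zeros reaching a multiple of n bits
        Mp = M + b"\x80" + b"\x00" * ((-len(M) - 1) % BLOCK)
    blocks = [int.from_bytes(Mp[k:k + BLOCK], "big")   # step 2: n-bit blocks M_1..M_l
              for k in range(0, len(Mp), BLOCK)]
    l = len(blocks)
    S = 0
    for i in range(1, l):                           # step 3: blocks 1..l-1 use tweak (i, 0)
        S ^= perm(blocks[i - 1] ^ offset(K, i, 0))
    j = 1 if full else 2                            # step 4: tweak (l-1, 1) or (l-1, 2)
    C_last = perm(S ^ blocks[l - 1] ^ offset(K, l - 1, j))
    T = C_last & ((1 << t) - 1)                     # step 5: keep the least significant t bits
    return T.to_bytes(t // 8, "big")


def verify(K: int, M: bytes, T: bytes) -> bool:
    """Receiver-side check (not part of the paper's spec): recompute and compare in constant time."""
    return hmac.compare_digest(pmac_xp(K, M, 8 * len(T)), T)


if __name__ == "__main__":
    K = int.from_bytes(os.urandom(BLOCK), "big")    # K <-$- {0,1}^128
    msg = b"constructed sample message"
    tag = pmac_xp(K, msg)
    print(tag.hex(), verify(K, msg, tag))
```

Only the last block's output ever leaves the function, and only its low \(t\) bits; the untruncated \(C_l\) is never exposed, which is exactly what the truncation in step 5 is for. The offsets for consecutive block indices are obtained incrementally (one doubling per block), matching the sequence \(2 \otimes K, 2^2 \otimes K, \ldots , 2^{l-1} 3 \otimes K\) above.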

Example 3

Several methods for efficiently implementing the uniform AXU function family have been proposed such as Gray-code-based schemes [3, 11] and LFSR-based schemes [4, 10].

3.3 The PRF-Security of \(\mathtt {PMAC\_XP}\)

The PRF-security bound of \(\mathtt {PMAC\_XP}\) is given in the following, where the underlying permutation is modeled as a random permutation. The proof will be provided in the next section.

Theorem 1

Let \(\mathcal {H}\) be a uniform \(\varepsilon \)-AXU family of functions from \(\mathcal {TW}\) to \(\{0,1\}^n\). Let \(\mathbf {D}\) be a distinguisher which makes Q offline queries and q online queries. Let \(\sigma \) be the total number of the blocks in q online queries, namely, \(\sigma = \sum _{i=1}^q l_i\), where \(l_i\) is the number of the blocks l at the i-th online query. Then, we have

where \(e = 2.71828 \cdots \) is Napier’s constant.

Theorem 1 can be interpreted as implying that setting \(t= n/2\), \(\mathtt {PMAC\_XP}\) becomes a secure PRF as long as \(\sigma \) and Q do not exceed roughly \(2^{n/2}\) and \(2^{n/2}/n\), respectively, and setting \(t\le n/2 - \log _2(n/2)\), it becomes a secure PRF as long as both of \(\sigma \) and Q do not exceed roughly \(2^{n/2}\), assuming \(\varepsilon = 2^{-n}\).

Remark 1

The requirement for a secure MAC is unforgeability under chosen-message attacks, i.e., in the \(\mathtt {PMAC\_XP}\) case, for a key \(K\xleftarrow {\$}\mathcal {K}\) and a random permutation \(\mathcal {P}\xleftarrow {\$}\mathsf {Perm}(\{0,1\}^n)\), an attacker \(\mathcal {A}\), given adaptive access to \(\mathtt {PMAC\_XP}^\mathcal {P}_K\), cannot output a valid pair \((M,T)\) such that \(\mathtt {PMAC\_XP}^\mathcal {P}_K(M)=T\) and M was not a query to \(\mathtt {PMAC\_XP}^\mathcal {P}_K\). We note that if the PRF-advantage of any distinguisher \(\mathbf {D}\) making \(q+q_V\) online queries is at most \(\epsilon \), then no attacker making q queries to \(\mathtt {PMAC\_XP}_K^\mathcal {P}\) can output such a valid pair \((M,T)\) within \(q_V\) attempts, except with probability at most \(\epsilon +q_V/2^t\). Combining Theorem 1 with this fact and setting \(t= n/2\), \(\mathtt {PMAC\_XP}\) is secure in the sense of unforgeability as long as \(q_V\), \(\sigma \) and Q do not exceed roughly \(2^{n/2}\), \(2^{n/2}\) and \(2^{n/2}/n\), respectively, and setting \(t= n/2 - \log _2(n/2)\), \(\mathtt {PMAC\_XP}\) is secure in the sense of unforgeability as long as \(q_V\), \(\sigma \) and Q do not exceed roughly \(2^{n/2}/n\), \(2^{n/2}\), and \(2^{n/2}\), respectively.

4 Proof of Theorem 1

We give the PRF-security bound of \(\mathtt {PMAC\_XP}_K^\mathcal {P}\) via three games denoted by Game 1, Game 2, and Game 3. For \(i \in \{1,2,3\}\), let \(G_i := (L_i,\mathcal {P},\mathcal {P}^{-1})\) be oracles to which \(\mathbf {D}\) has query access in Game i. Note that in each game, \(\mathcal {P}\) is independently drawn as \(\mathcal {P}\xleftarrow {\$}\mathsf {Perm}(\{0,1\}^n)\). Let \(L_1:=\mathtt {PMAC\_XP}_K^\mathcal {P}\) and \(L_3 := \mathcal {R}\). \(L_2\) will be defined in Subsect. 4.1. Then,

(1)

Hereafter, we upper-bound \(\Pr [\mathbf {D}^{G_i} \Rightarrow 1]-\Pr [\mathbf {D}^{G_{i+1}} \Rightarrow 1]\) for \(i \in \{1,2\}\). In this evaluation, we use the following notations. For \(\alpha \in \{1,\ldots ,Q\}\), we denote the \(\alpha \)-th offline query by \(X^\alpha \), resp. \(Y^\alpha \), and the response by \(Y^\alpha \), resp. \(X^\alpha \), where \(Y^\alpha = \mathcal {P}(X^\alpha )\), resp. \(X^\alpha = \mathcal {P}^{-1}(Y^\alpha )\). For \(\alpha \in \{1,\ldots ,q\}\), we denote the \(\alpha \)-th online query by \(M^\alpha \) and the response by \(T^\alpha \). We also use superscripts for internal values defined by online queries except for their block length \(l\), e.g., \(B_1^1,C_1^1,S_1^1\), etc. For \(\alpha \in \{1,\ldots ,q\}\), we denote the block length \(l\) at the \(\alpha \)-th online query by \(l_\alpha \).

4.1 Upper-Bound of \(\Pr [\mathbf {D}^{G_1} \Rightarrow 1] - \Pr [\mathbf {D}^{G_2} \Rightarrow 1]\)

We start by defining \(L_2\). Let \(\mathcal {G}\xleftarrow {\$}\mathsf {Func}(\mathcal {TW}\times \{0,1\}^n,\{0,1\}^n)\) be a random function (Note that \(\mathcal {TW}=\mathbb {Z}_p\times \{0,1,2\}\)). For an online query \(M \in \{0,1\}^{\le n\times (p+1)}\), the response \(L_{2}(M) = T\) is defined as follows.

  1. If \(|M| \mod n= 0\) and \(M \ne \lambda \) then \(M' \leftarrow M\); Else \(M' \leftarrow M\Vert 10^*\)
  2. Partition \(M'\) into \(n\)-bit blocks \(M_1,\ldots ,M_l\)
  3. \(S \leftarrow 0^{n}\); For \(i=1,\ldots ,l-1\) do \(C_i \leftarrow \mathcal {G}((i,0),M_i)\); \(S \leftarrow S \oplus C_i\)
  4. If \(|M| \mod n= 0\) and \(M \ne \lambda \) then \(C_l\leftarrow \mathcal {G}((l-1,1), S \oplus M_l)\); Else \(C_l\leftarrow \mathcal {G}((l-1,2), S \oplus M_l)\)
  5. \(T \leftarrow [C_l]_t\); Return T

Independently of the above procedure, a key is defined as \(K\xleftarrow {\$}\mathcal {K}\) before \(\mathbf {D}\) makes the first query. In addition, at the \(\alpha \)-th online query for \(\alpha \in \{1,\ldots ,q\}\), \(B_i^\alpha \) for \(i \in \{1,\ldots ,l_\alpha -1\}\) is defined as \(B_i^\alpha := M_i^\alpha \oplus h_K(i,0)\), and \(B_{l_\alpha }^\alpha \) is defined as \(B_{l_\alpha }^\alpha := S^\alpha \oplus M_{l_\alpha }^\alpha \oplus h_K(l_\alpha -1,1)\) if \(|M^\alpha | \mod n= 0\) and \(M^\alpha \ne \lambda \); \(B_{l_\alpha }^\alpha := S^\alpha \oplus M_{l_\alpha }^\alpha \oplus h_K(l_\alpha -1,2)\) otherwise. These values are defined after \(\mathbf {D}\) ends all queries. Note that these values do not affect the procedure of \(L_2\) but are used in the following proof.

Transcript

Since \(\mathbf {D}\) is deterministic, its output is determined by the transcript, which is a list of values obtained by its queries. Let \(\mathsf {T}_1\) be the transcript in Game 1 obtained by sampling \(K\xleftarrow {\$}\mathcal {K}\) and \(\mathcal {P}\xleftarrow {\$}\mathsf {Perm}(\{0,1\}^n)\). Let \(\mathsf {T}_2\) be the transcript in Game 2 obtained by sampling \(K\xleftarrow {\$}\mathcal {K}\), \(\mathcal {P}\xleftarrow {\$}\mathsf {Perm}(\{0,1\}^n)\) and \(\mathcal {G}\xleftarrow {\$}\mathsf {Func}(\mathcal {TW}\times \{0,1\}^n,\{0,1\}^n)\). We call a transcript \(\tau \) valid if an interaction with the oracles could produce this transcript, namely, \(\Pr [\mathsf {T}_i=\tau ] > 0\) for \(i \in \{1,2\}\). Then \(\Pr [\mathbf {D}^{G_1} \Rightarrow 1] - \Pr [\mathbf {D}^{G_2} \Rightarrow 1]\) is upper bounded by the statistical distance of the transcripts, i.e.,

$$\begin{aligned} \Pr [\mathbf {D}^{G_1} \Rightarrow 1] - \Pr [\mathbf {D}^{G_2} \Rightarrow 1] \le \mathsf {SD}(\mathsf {T}_1,\mathsf {T}_2) = \frac{1}{2} \sum _{\tau }|\Pr [\mathsf {T}_1=\tau ]-\Pr [\mathsf {T}_2=\tau ]|, \end{aligned}$$

where the sum is over all valid transcripts.

Regarding \(\mathbf {D}\)’s transcript, it obtains the following sets of query-response pairs after its queries: \(\tau _L := \left\{ (M^1,T^1),\ldots , (M^q,T^q) \right\} \), the set of query-response pairs defined by online queries; \(\tau _\mathcal {P}:= \left\{ (X^1,Y^1),\ldots ,(X^Q,Y^Q) \right\} \), the set of query-response pairs defined by offline queries. In addition to these sets, we define a set \(\tau _{i,j}\) for \((i,j) \in \mathcal {TW}\), which keeps all pairs \((B_i,C_i)\) defined using the tweak \((i,j)\). Formally, \(\tau _{i,j}:= \cup _{\alpha =1}^q\{(B_{i,j}^\alpha ,C_{i,j}^\alpha )\}\), where \(\{(B_{i,j}^\alpha ,C_{i,j}^\alpha )\}:=\{(B_i^\alpha ,C_i^\alpha )\}\) if \(tw_i^\alpha = (i,j)\), and \(\{(B_{i,j}^\alpha ,C_{i,j}^\alpha )\}:=\emptyset \) otherwise. Here, for \(\alpha \in \{1,\ldots ,q\}\) and \(i \in \{1,\ldots , l_\alpha \}\), \(tw^\alpha _i\) denotes the tweak used at the i-th block of the \(\alpha \)-th online query, i.e., if \(i \ne l_\alpha \), then \(tw^\alpha _i := (i,0)\); if \(i = l_\alpha \wedge |M^\alpha | \mod n= 0 \wedge M^\alpha \ne \lambda \), then \(tw^\alpha _{l_\alpha } := (l_\alpha -1,1)\); if \(i = l_\alpha \wedge (|M^\alpha | \mod n\ne 0 \vee M^\alpha = \lambda )\), then \(tw^\alpha _{l_\alpha } := (l_\alpha -1,2)\). This proof permits \(\mathbf {D}\) to obtain these sets and the secret key \(K\) after \(\mathbf {D}\)’s interaction but before it outputs a result. Let \(\tau _\mathrm {prim} := \bigcup _{(i,j) \in \mathcal {TW}} \tau _{i,j}\). Consequently, \(\mathbf {D}\)’s transcript is summarized as \(\tau := \{\tau _L, \tau _\mathcal {P}, \tau _\mathrm {prim}, K\}\).

Coefficient H Technique

We upper-bound the statistical distance by using the coefficient H technique [5, 17], in which valid transcripts are partitioned into good transcripts \(\mathcal {T}_{\mathrm {good}}\) and bad transcripts \(\mathcal {T}_{\mathrm {bad}}\), and then the following lemma holds.

Lemma 1

(Coefficient H Technique). Let \(0 \le \delta \le 1\) be such that for all \(\tau \in \mathcal {T}_{\mathrm {good}}\), \(\frac{\Pr [\mathsf {T}_1=\tau ]}{\Pr [\mathsf {T}_2=\tau ]} \ge 1-\delta .\) Then, \(\mathsf {SD}(\mathsf {T}_1,\mathsf {T}_2) \le \delta + \Pr [\mathsf {T}_2 \in \mathcal {T}_{\mathrm {bad}}].\)

The proof of the lemma is given in [5]. Hence, we can upper-bound \(\Pr [\mathbf {D}^{G_1} \Rightarrow 1] - \Pr [\mathbf {D}^{G_2} \Rightarrow 1]\) by defining good and bad transcripts and by evaluating \(\delta \) and \(\Pr [\mathsf {T}_2 \in \mathcal {T}_{\mathrm {bad}}]\).

Good and Bad Transcripts

In order to define \(\mathcal {T}_\mathrm {good}\) and \(\mathcal {T}_\mathrm {bad}\), we need to recall the difference between Game 1 and Game 2. In Game 1, the i-th output block at the \(\alpha \)-th query is defined as \(\mathcal {P}(h_K(tw_i^\alpha ) \oplus M^\alpha _i)\) (\(i \ne l_\alpha \)); \(\mathcal {P}(h_K(tw_i^\alpha ) \oplus M^\alpha _i \oplus S^\alpha )\) (\(i = l_\alpha \)). On the other hand, in Game 2, it is defined as \(\mathcal {G}(tw_i^\alpha , M^\alpha _i)\) (\(i \ne l_\alpha \)); \(\mathcal {G}(tw_i^\alpha , M^\alpha _i \oplus S^\alpha )\) (\(i = l_\alpha \)), which implies that in Game 2, (1) the output block is defined independently of all offline queries, since \(\mathcal {G}\) is defined independently of \(\mathcal {P}\), and (2) the output block is also defined independently of the other blocks with distinct inputs. Therefore, if Game 1 and Game 2 are indistinguishable, these independences should also hold in Game 1. Thus we consider four conditions \(\mathsf {hit}_{BB}, \mathsf {hit}_{CC}, \mathsf {hit}_{BX}\), and \(\mathsf {hit}_{CY}\). \(\mathsf {hit}_{BB}\) and \(\mathsf {hit}_{CC}\) come from the independence (2), where \(\mathsf {hit}_{BB}\) considers an input collision by online queries (collision in B-values) and \(\mathsf {hit}_{CC}\) considers an output collision by online queries (collision in C-values). \(\mathsf {hit}_{BX}\) and \(\mathsf {hit}_{CY}\) come from the independence (1), where \(\mathsf {hit}_{BX}\) considers an input collision between online and offline queries (collision between B-values and X-values) and \(\mathsf {hit}_{CY}\) considers an output collision between online and offline queries (collision between C-values and Y-values). Formally, these conditions are defined as follows.

$$\begin{aligned} \mathsf {hit}_{BB}\Leftrightarrow&\exists \alpha , \beta \in \{1,\ldots ,q\}, i \in \{1,\ldots ,l_\alpha \}, j \in \{1,\ldots ,l_\beta \}\\&\text{ s.t. } B_i^\alpha = B_j^\beta \wedge tw_i^\alpha \ne tw_j^\beta \\ \mathsf {hit}_{CC}\Leftrightarrow&\exists \alpha , \beta \in \{1,\ldots ,q\}, i \in \{1,\ldots ,l_\alpha \}, j \in \{1,\ldots ,l_\beta \}\\&\text{ s.t. } C_i^\alpha = C_j^\beta \wedge (tw_i^\alpha ,B_i^\alpha ) \ne (tw_j^\beta ,B_j^\beta ) \\ \mathsf {hit}_{BX}\Leftrightarrow&\exists \alpha \in \{1,\ldots ,q\}, i \in \{1,\ldots ,l_\alpha \}, \beta \in \{1,\ldots ,Q\} \text{ s.t. } B_i^\alpha = X^\beta \\ \mathsf {hit}_{CY}\Leftrightarrow&\exists \alpha \in \{1,\ldots ,q\}, i \in \{1,\ldots ,l_\alpha \}, \beta \in \{1,\ldots ,Q\} \text{ s.t. } C_i^\alpha = Y^\beta \end{aligned}$$

We define \(\mathcal {T}_\mathrm {bad}\) by the set of transcripts which satisfy one of the above conditions, and \(\mathcal {T}_\mathrm {good}\) by the set of transcripts which do not satisfy any of the above conditions.

Upper-Bound of \(\varvec{\Pr [\mathsf {T}_2 \in \mathcal {T}_\mathrm {bad}]}\)

We first note that the following inequality holds.

$$\begin{aligned} \Pr [\mathsf {T}_2 \in \mathcal {T}_{\mathrm {bad}}] \le&\Pr [ \mathsf {hit}_{BB}\vee \mathsf {hit}_{CC}\vee \mathsf {hit}_{BX}\vee \mathsf {hit}_{CY}] \nonumber \\ \le&\Pr [\mathsf {hit}_{BB}] + \Pr [\mathsf {hit}_{CC}] + \Pr [\mathsf {hit}_{BX}] + \Pr [\mathsf {hit}_{CY}]. \end{aligned}$$
(2)

Hereafter, we upper bound \(\Pr [\mathsf {hit}_{BB}]\), \(\Pr [\mathsf {hit}_{CC}]\), \(\Pr [\mathsf {hit}_{BX}]\), and \(\Pr [\mathsf {hit}_{CY}]\). Note that these events are considered within Game 2, and \(L_2\) is independent of \(K\).

Upper-Bound of \(\varvec{\Pr [\mathsf {hit}_{BB}]}\) . First we fix \(\alpha , \beta \in \{1,\ldots ,q\}, i \in \{1,\ldots ,l_\alpha \}, j \in \{1,\ldots ,l_\beta \}\) such that \(tw^\alpha _i \ne tw^\beta _j\), and evaluate the probability that \(\mathsf {hit}_{BB}\) is satisfied due to \(B_i^\alpha \) and \(B_j^\beta \), that is, \(B_i^\alpha = B_j^\beta \). Here, \(B_i^\alpha \) is of the form \(h_K(tw_i^\alpha ) \oplus D_i^\alpha \), and \(B_j^\beta \) is of the form \(h_K(tw_j^\beta ) \oplus D_j^\beta \), where for \(\gamma \in \{\alpha ,\beta \}\), \(D_i^\gamma := M_i^\gamma \) for \(i \in \{1,\ldots ,l_\gamma -1\}\) and \(D_{l_\gamma }^\gamma := M_{l_\gamma }^\gamma \oplus S^\gamma \). Thus,

$$\begin{aligned} B_i^\alpha = B_j^\beta \Leftrightarrow&h_K(tw_i^\alpha ) \oplus D_i^\alpha = h_K(tw_j^\beta ) \oplus D_j^\beta \\ \Leftrightarrow&h_K(tw_i^\alpha ) \oplus h_K(tw_j^\beta ) = D_i^\alpha \oplus D_j^\beta \end{aligned}$$

By the \(\varepsilon \)-AXU property of \(h\), the probability that the above equation holds is at most \(\varepsilon \). Finally, we have \(\Pr [\mathsf {hit}_{BB}] \le \left( {\begin{array}{c}\sigma \\ 2\end{array}}\right) \times \varepsilon \le 0.5 \sigma ^2 \varepsilon \).

Upper-Bound of \(\varvec{\Pr [\mathsf {hit}_{CC}]}\) . First we fix \(\alpha , \beta \in \{1,\ldots ,q\}, i \in \{1,\ldots ,l_\alpha \}, j \in \{1,\ldots ,l_\beta \}\) such that \((tw_i^\alpha ,B_i^\alpha ) \ne (tw_j^\beta ,B_j^\beta )\), and evaluate the probability that \(\mathsf {hit}_{CC}\) is satisfied due to \(C_i^\alpha \) and \(C_j^\beta \), that is, \(C_i^\alpha = C_j^\beta \). By \((tw_i^\alpha ,B_i^\alpha ) \ne (tw_j^\beta ,B_j^\beta )\), \((tw_i^\alpha ,M_i^\alpha ) \ne (tw_j^\beta ,M_j^\beta )\) holds, and thereby, \(C_i^\alpha \) and \(C_j^\beta \) are independently drawn. As a result, the probability that \(C_i^\alpha = C_j^\beta \) is at most \(1/2^n\). Finally, we have \(\Pr [\mathsf {hit}_{CC}] \le \left( {\begin{array}{c}\sigma \\ 2\end{array}}\right) \times \frac{1}{2^n} \le \frac{0.5 \sigma ^2}{2^n}\).

Upper-Bound of \(\varvec{\Pr [\mathsf {hit}_{BX}]}\) . First we fix \(\alpha \in \{1,\ldots ,q\}, i \in \{1,\ldots ,l_\alpha \}\) and \(\beta \in \{1,\ldots ,Q\}\), and evaluate the probability that \(\mathsf {hit}_{BX}\) is satisfied due to \(B_i^\alpha \) and \(X^\beta \), that is, \(B_i^\alpha = X^\beta \). Here, \(B_i^\alpha \) is of the form \(h_K(tw_i^\alpha ) \oplus D_i^\alpha \), where \(D_i^\alpha := M_i^\alpha \) for \(i \in \{1,\ldots ,l_\alpha -1\}\) and \(D_{l_\alpha }^\alpha := M_{l_\alpha }^\alpha \oplus S^\alpha \). Thus,

$$\begin{aligned} B_i^\alpha = X^\beta \Leftrightarrow&h_K(tw_i^\alpha ) \oplus D_i^\alpha = X^\beta \\ \Leftrightarrow&h_K(tw_i^\alpha ) = D_i^\alpha \oplus X^\beta \end{aligned}$$

By the property of uniformity of \(h\), the probability that the above equation holds is at most \(1/2^n\). Finally, we have \(\Pr [\mathsf {hit}_{BX}] \le \frac{\sigma Q}{2^n}\).

Upper-Bound of \(\varvec{\Pr [\mathsf {hit}_{CY}]}\) . Let \(\rho \) be any threshold, and \(\mathcal {C}_\mathsf {last}:= \Big \{C_{l_\alpha }^\alpha : \big (\alpha \in \{1,\ldots ,q\}\big ) \wedge \big (\forall \beta \in \{1,\ldots , \alpha -1\}: (tw^\alpha _{l_\alpha },S^\alpha \oplus M^\alpha _{l_\alpha }) \ne (tw^\beta _{l_\beta },S^\beta \oplus M^\beta _{l_\beta }) \big ) \Big \}\) the set of outputs of \(\mathcal {G}\) at the last block with distinct inputs. Thus, all elements in \(\mathcal {C}_\mathsf {last}\) are independently drawn. Then we define the following condition.

$$\begin{aligned} \mathsf {mcoll}(\rho ) \Leftrightarrow \exists C^{(1)},C^{(2)},\ldots ,C^{(\rho )} \in \mathcal {C}_\mathsf {last} \text{ s.t. } [C^{(1)}]_t= [C^{(2)}]_t= \ldots = [C^{(\rho )}]_t\end{aligned}$$

Then we have

$$\begin{aligned} \Pr [\mathsf {hit}_{CY}] \le \Pr [\mathsf {mcoll}(\rho )] + \Pr [\mathsf {hit}_{CY}| \lnot \mathsf {mcoll}(\rho )]. \end{aligned}$$

Hereafter, we evaluate the probabilities \(\Pr [\mathsf {mcoll}(\rho )]\) and \(\Pr [\mathsf {hit}_{CY}| \lnot \mathsf {mcoll}(\rho )]\).

  • We evaluate \(\Pr [\mathsf {mcoll}(\rho )]\). Fixing \(C \in \mathcal {C}_\mathsf {last}\) and \(C' \in \{0,1\}^t\), since \([C]_t\) is randomly drawn from \(\{0,1\}^t\), the probability that \([C]_t=C'\) holds is at most \(1/2^t\). Since all elements in \(\mathcal {C}_\mathsf {last}\) are independently drawn and \(|\mathcal {C}_\mathsf {last}| \le q\), we have

    $$\begin{aligned} \Pr [\mathsf {mcoll}(\rho )] \le 2^t\cdot \left( {\begin{array}{c}q\\ \rho \end{array}}\right) \cdot \left( \frac{1}{2^t} \right) ^\rho \le 2^t\cdot \left( \frac{eq}{\rho 2^t} \right) ^\rho , \end{aligned}$$

    using Stirling’s approximation (\(x! \ge (x/e)^x\) for any x).

  • We evaluate \(\Pr [\mathsf {hit}_{CY}| \lnot \mathsf {mcoll}(\rho )]\). We assume that \(\mathsf {mcoll}(\rho )\) is not satisfied. First we fix \(\beta \in \{1,\ldots ,Q\}\), and evaluate the probability that \(\mathsf {hit}_{CY}\) is satisfied due to \(Y^\beta \), that is, \(\exists \alpha \in \{1,\ldots ,q\}, i \in \{1,\ldots ,l_\alpha \}\) s.t. \(C_i^\alpha = Y^\beta \).

    • We consider the case where \(\exists \alpha \in \{1,\ldots ,q\}, i \in \{1,\ldots ,l_\alpha -1\}\) s.t. \(C_i^\alpha = Y^\beta \). Since \(C_i^\alpha \) is randomly drawn from \(\{0,1\}^n\), the probability that \(\mathsf {hit}_{CY}\) is satisfied in this case is at most \(\sigma /2^n\).

    • Next we consider the case where \(\exists \alpha \in \{1,\ldots ,q\}\) s.t. \(C_{l_\alpha }^\alpha = Y^\beta \). By \(\lnot \mathsf {mcoll}(\rho )\), the number of outputs at the last block whose inputs are distinct and whose last \(t\) bits equal \([Y^\beta ]_t\) is at most \(\rho \). Thus the probability that \(\mathsf {hit}_{CY}\) is satisfied in this case is at most \(\rho /2^{n-t}\).

    We thus have

    $$\begin{aligned} \Pr [\mathsf {hit}_{CY}| \lnot \mathsf {mcoll}(\rho )] \le \sum _{\beta =1}^Q \left( \frac{\rho }{2^{n-t}} + \frac{\sigma }{2^n} \right) = \frac{\rho Q}{2^{n-t}} + \frac{\sigma Q}{2^n}. \end{aligned}$$

Finally, we have

$$\begin{aligned} \Pr [\mathsf {hit}_{CY}] \le \frac{\rho Q}{2^{n-t}} + \frac{\sigma Q}{2^n} + 2^t\left( \frac{eq}{\rho 2^t} \right) ^\rho , \end{aligned}$$

and then putting \(\rho = \max \left\{ t, \left( \frac{2eq 2^{n-t}}{Q 2^{t}} \right) ^{1/2} \right\} \) gives

$$\begin{aligned} \Pr [\mathsf {hit}_{CY}] \le&\max \left\{ t, \left( \frac{2eq 2^{n-t}}{Q 2^{t}} \right) ^{1/2} \right\} \times \frac{Q}{2^{n-t}} + \frac{\sigma Q}{2^n}\\&+ 2^t\left( \frac{eq}{\max \left\{ t, \left( \frac{2eq 2^{n-t}}{Q 2^{t}} \right) ^{1/2} \right\} 2^t} \right) ^{\max \left\{ t, \left( \frac{2eq 2^{n-t}}{Q 2^{t}} \right) ^{1/2} \right\} } \\ \le&\frac{tQ}{2^{n-t}} + \left( \frac{2eqQ}{ 2^n} \right) ^{1/2} + \frac{\sigma Q}{2^n} + 2^t\left( \frac{eq}{\left( \frac{2eq 2^{n-t}}{Q 2^{t}} \right) ^{1/2} 2^t} \right) ^{t} \\ \le&\frac{tQ}{2^{n-t}} + \left( \frac{2eqQ}{ 2^n} \right) ^{1/2} + \frac{\sigma Q}{2^n} + \left( \frac{2eqQ}{2^n} \right) ^{t/2} \\ \le&\frac{tQ}{2^{n-t}} + \frac{\sigma Q}{2^n} + \left( \frac{8eqQ}{ 2^n} \right) ^{1/2}. \end{aligned}$$
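As an added numerical check of the derivation above (illustration code, not part of the paper), the following Python evaluates the three-term bound on \(\Pr [\mathsf {hit}_{CY}]\) at the chosen threshold \(\rho \) and compares it with the closed-form bound, and confirms the Stirling step \(\left( {\begin{array}{c}q\\ \rho \end{array}}\right) 2^{-t\rho } \le (eq/(\rho 2^t))^\rho \) with exact arithmetic for small parameters. The last simplification step needs \(2eqQ/2^n \le 1\), which the code checks explicitly; all concrete parameter values are constructed for the demonstration.

```python
"""Numerical check of the Pr[hit_CY] bound (added example, not the paper's code).

Symbols follow the paper: n block size, t tag length, q online queries,
Q offline queries, sigma total number of online blocks, rho the
multi-collision threshold.  All concrete parameter values below are
constructed for illustration only.
"""
from fractions import Fraction
from math import comb, e, sqrt


def mcoll_bound_exact(q, t, rho):
    """2^t * C(q, rho) * (1/2^t)^rho, the expression before Stirling's bound."""
    return Fraction(2 ** t) * comb(q, rho) * Fraction(1, 2 ** t) ** rho


def mcoll_bound_stirling(q, t, rho):
    """2^t * (e q / (rho 2^t))^rho, obtained from x! >= (x/e)^x."""
    return 2 ** t * (e * q / (rho * 2 ** t)) ** rho


def hit_cy_bound(n, t, q, Q, sigma, rho):
    """Three-term bound on Pr[hit_CY] for an arbitrary threshold rho."""
    return rho * Q / 2 ** (n - t) + sigma * Q / 2 ** n + mcoll_bound_stirling(q, t, rho)


def chosen_rho(n, t, q, Q):
    """The threshold rho = max{t, (2 e q 2^(n-t) / (Q 2^t))^(1/2)} used in the paper."""
    return max(t, sqrt(2 * e * q * 2 ** (n - t) / (Q * 2 ** t)))


def last_step_applies(n, q, Q):
    """The final simplification needs 2eqQ/2^n <= 1 so that x^(t/2) <= x^(1/2)."""
    return 2 * e * q * Q / 2 ** n <= 1


def final_bound(n, t, q, Q, sigma):
    """Closed-form bound tQ/2^(n-t) + sigma Q/2^n + (8eqQ/2^n)^(1/2)."""
    return t * Q / 2 ** (n - t) + sigma * Q / 2 ** n + sqrt(8 * e * q * Q / 2 ** n)


def derivation_consistent(n, t, q, Q, sigma):
    """True when the closed form dominates the three-term bound at the chosen rho.

    Returns None when 2eqQ/2^n > 1, where the simplification is not claimed.
    """
    if not last_step_applies(n, q, Q):
        return None
    rho = chosen_rho(n, t, q, Q)
    return hit_cy_bound(n, t, q, Q, sigma, rho) <= final_bound(n, t, q, Q, sigma)


def stirling_step_holds(max_q, t):
    """Exact check of 2^t C(q,rho)/2^(t rho) <= 2^t (eq/(rho 2^t))^rho for 1 <= rho <= q <= max_q."""
    return all(
        mcoll_bound_exact(q, t, rho) <= mcoll_bound_stirling(q, t, rho)
        for q in range(1, max_q + 1)
        for rho in range(1, q + 1)
    )


if __name__ == "__main__":
    # constructed parameters: 128-bit permutation, 64-bit tags, 2^20 queries each way
    n, t, q, Q, sigma = 128, 64, 2 ** 20, 2 ** 20, 2 ** 24
    rho = chosen_rho(n, t, q, Q)
    print("chosen rho:", rho)
    print("three-term bound:", hit_cy_bound(n, t, q, Q, sigma, rho))
    print("closed-form bound:", final_bound(n, t, q, Q, sigma))
    print("derivation consistent:", derivation_consistent(n, t, q, Q, sigma))
```

With the constructed 128-bit parameters the square-root branch of \(\rho \) is far below \(t\), so \(\rho = t\) and the multi-collision term underflows to zero; the second test case in the check uses a small \(n\) where \(\rho \) is taken from the square-root branch instead, so both branches of the case analysis are exercised.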

Upper-Bound of \(\varvec{\Pr [\mathsf {T}_2 \in \mathcal {T}_\mathrm {bad}]}\) . Finally, we have

$$\begin{aligned} \Pr [\mathsf {T}_2 \in \mathcal {T}_\mathrm {bad}] \le 0.5 \sigma ^2 \varepsilon + \frac{0.5 \sigma ^2 + 2\sigma Q}{2^n} + \frac{tQ}{2^{n-t}} + \left( \frac{8eqQ}{ 2^n} \right) ^{1/2}. \end{aligned}$$

Upper-Bound of \(\varvec{\delta }\)

Let \(\tau \in \mathcal {T}_{\mathrm {good}}\). Let \(\mathrm {all}_i\) be the set of all oracles in Game i for \(i=1,2\). Let \(\mathrm {comp}_i(\tau )\) be the set of oracles compatible with \(\tau \) in Game i for \(i=1,2\). Then

$$\begin{aligned} \Pr [\mathsf {T}_1=\tau ] = \frac{|\mathrm {comp}_1(\tau )|}{|\mathrm {all}_1|} \text{ and } \Pr [\mathsf {T}_2=\tau ] = \frac{|\mathrm {comp}_2(\tau )|}{|\mathrm {all}_2|}. \end{aligned}$$

Hereafter, we evaluate \(|\mathrm {all}_1|\), \(|\mathrm {all}_2|\), \(|\mathrm {comp}_1(\tau )|\) and \(|\mathrm {comp}_2(\tau )|\). In this evaluation, we use the following notations: \(N_{tw} := |\mathcal {TW}|\), \(N_K:= |\mathcal {K}|\), \(\gamma _{i,j} := |\tau _{i,j}|\) for \((i,j) \in \mathcal {TW}\), \(\gamma _\mathcal {P}:= |\tau _\mathcal {P}|\), and \(\gamma := \gamma _\mathcal {P}+ \sum _{(i,j) \in \mathcal {TW}} \gamma _{i,j}\).

Firstly, we evaluate \(|\mathrm {all}_1|\). By \(K\in \mathcal {K}\) and \(\mathcal {P}\in \mathsf {Perm}(\{0,1\}^n)\), \(|\mathrm {all}_1| = N_K\cdot 2^n!\).

Secondly, we evaluate \(|\mathrm {all}_2|\). By \(K\in \mathcal {K}\), \(\mathcal {P}\in \mathsf {Perm}(\{0,1\}^n)\), and \(\mathcal {G}\in \mathsf {Func}(\mathcal {TW}\times \{0,1\}^n,\{0,1\}^n)\), \(|\mathrm {all}_2| = N_K\cdot 2^n! \cdot \left( 2^n\right) ^{N_{tw} \cdot 2^n}\).

Thirdly, we evaluate \(|\mathrm {comp}_1(\tau )|\). \(\tau _{i,j}\)’s with \((i,j) \in \mathcal {TW}\) and \(\tau _\mathcal {P}\) are defined so that they do not overlap each other. In this case, the number of input-output pairs of \(\mathcal {P}\) defined by online and offline queries is \(\gamma \), and thereby \(|\mathrm {comp}_1(\tau )| = (2^n-\gamma )!\).

Fourthly, we evaluate \(|\mathrm {comp}_2(\tau )|\). In this case, the number of input-output pairs of \(\mathcal {P}\) defined by online queries is \(\gamma _\mathcal {P}\), the number of input-output pairs of \(\mathcal {G}\) with tweak \((i,j)\) defined by offline queries is \(\gamma _{i,j}\), and thereby

$$\begin{aligned} |\mathrm {comp}_2(\tau )| = (2^n-\gamma _\mathcal {P}) ! \cdot \prod _{(i,j) \in \mathcal {TW}}(2^n)^{2^n-\gamma _{i,j}} = (2^n-\gamma _\mathcal {P})! \cdot (2^n)^{N_{tw} \cdot 2^n- \gamma + \gamma _\mathcal {P}}. \end{aligned}$$

Finally, we have

$$\begin{aligned} \frac{\Pr [\mathsf {T}_1=\tau ]}{\Pr [\mathsf {T}_2=\tau ]} =&~ \frac{|\mathrm {comp}_1(\tau )|}{|\mathrm {all}_1|} \times \frac{|\mathrm {all}_2|}{|\mathrm {comp}_2(\tau )|} = \frac{(2^n-\gamma )!}{N_K\cdot 2^n!} \times \frac{N_K\cdot 2^n! \cdot \left( 2^n\right) ^{N_{tw} \cdot 2^n}}{(2^n-\gamma _\mathcal {P})! \cdot (2^n)^{N_{tw} \cdot 2^n- \gamma + \gamma _\mathcal {P}}} \\ =&~ \frac{(2^n)^\gamma \cdot (2^n-\gamma )!}{(2^n)^{\gamma _\mathcal {P}} \cdot (2^n-\gamma _\mathcal {P})!} \ge 1, \end{aligned}$$

and thereby \(\delta =0\).

Upper-Bound of \(\varvec{\Pr [\mathbf {D}^{G_1} \Rightarrow 1] - \Pr [\mathbf {D}^{G_2} \Rightarrow 1]}\)

We apply the above results to Lemma 1, and thereby

$$\begin{aligned} \Pr [\mathbf {D}^{G_1} \Rightarrow 1] - \Pr [\mathbf {D}^{G_2} \Rightarrow 1] \le 0.5 \sigma ^2 \varepsilon + \frac{0.5 \sigma ^2 + 2\sigma Q}{2^n} + \frac{tQ}{2^{n-t}} + \left( \frac{8eqQ}{ 2^n} \right) ^{1/2}. \end{aligned}$$
(3)

4.2 Upper-Bound of \(\Pr [\mathbf {D}^{G_2} \Rightarrow 1] - \Pr [\mathbf {D}^{G_3} \Rightarrow 1]\)

First we prove the following lemma.

Lemma 2

\(G_2\) and \(G_3\) are indistinguishable unless the following condition holds in Game 2.

$$\begin{aligned} \mathsf {coll}\Leftrightarrow \exists \alpha , \beta \in \{1,\ldots ,q\} \text{ s.t. } \alpha \ne \beta \wedge tw^\alpha _{l_\alpha } = tw^\beta _{l_\beta } \wedge M_{l_\alpha }^\alpha \oplus S^\alpha = M_{l_\beta }^\beta \oplus S^\beta . \end{aligned}$$

Proof

We assume that \(\mathsf {coll}\) does not hold. Then for any \(\alpha , \beta \in \{1,\ldots ,q\}\) with \(\alpha \ne \beta \), \((tw^\alpha _{l_\alpha },M_{l_\alpha }^\alpha \oplus S^\alpha ) \ne (tw^\beta _{l_\beta },M_{l_\beta }^\beta \oplus S^\beta )\) holds, where for \(\gamma \in \{\alpha ,\beta \}\), \((tw^\gamma _{l_\gamma },M_{l_\gamma }^\gamma \oplus S^\gamma )\) is the input to \(\mathcal {G}\) at the last block of the \(\gamma \)-th online query. Hence, the outputs \(C^\alpha _{l_\alpha }\) and \(C^\beta _{l_\beta }\) are independently and randomly drawn from \(\{0,1\}^n\). As a result, all outputs of \(L_2\): \(T^1,\ldots ,T^q\) are independently and randomly drawn from \(\{0,1\}^n\), and thereby \(G_2\) and \(G_3\) are indistinguishable.    \(\Box \)

By the above lemma, \(\Pr [\mathbf {D}^{G_2} \Rightarrow 1 | \lnot \mathsf {coll}] = \Pr [\mathbf {D}^{G_3} \Rightarrow 1]\) holds, and thereby

$$\begin{aligned} \Pr [\mathbf {D}^{G_2} \Rightarrow 1] - \Pr [\mathbf {D}^{G_3} \Rightarrow 1] \le \Pr [\mathsf {coll}]. \end{aligned}$$

The details of deriving this upper-bound are given in Appendix A. Hereafter, we upper bound \(\Pr [\mathsf {coll}]\).

First we fix \(\alpha , \beta \in \{1,\ldots ,q\}\) such that \(\alpha \ne \beta \wedge tw^\alpha _{l_\alpha } = tw^\beta _{l_\beta }\), and upper bound the probability that \(M_{l_\alpha }^\alpha \oplus S^\alpha = M_{l_\beta }^\beta \oplus S^\beta \) holds. Note that

$$\begin{aligned} M_{l_\alpha }^\alpha \oplus S^\alpha = M_{l_\beta }^\beta \oplus S^\beta \Leftrightarrow&M_{l_\alpha }^\alpha \oplus \left( \bigoplus _{i=1}^{l_\alpha -1} C^\alpha _i \right) = M_{l_\beta }^\beta \oplus \left( \bigoplus _{i=1}^{l_\beta -1} C^\beta _i \right) \nonumber \\ \Leftrightarrow&M_{l_\alpha }^\alpha \oplus M_{l_\beta }^\beta = \left( \bigoplus _{i=1}^{l_\alpha -1} C^\alpha _i \right) \oplus \left( \bigoplus _{i=1}^{l_\beta -1} C^\beta _i \right) . \end{aligned}$$
(4)

Let \(\mathsf {twM}^{\alpha ,\beta }:= \cup _{\gamma \in \{\alpha ,\beta \}} \cup _{i=1}^{l_\gamma -1} \{(tw_i^\gamma ,M^\gamma _i)\}\) be the set of the inputs to \(\mathcal {G}\) at the \(\alpha \)-th and \(\beta \)-th online queries except for the last blocks (thus \(tw_i^\gamma =(i,0)\)), and \(\mathsf {C}^{\alpha ,\beta }:= \cup _{\gamma \in \{\alpha ,\beta \}} \cup _{i=1}^{l_\gamma -1}\{C_i^\gamma \}\) the set of the corresponding outputs of \(\mathcal {G}\).

  • If \(M^\alpha _{l_\alpha } = M^\beta _{l_\beta }\), then since \(\mathbf {D}\) makes no repeated query, \(M_1^\alpha \Vert \cdots \Vert M^\alpha _{l_\alpha -1} \ne M_1^\beta \Vert \cdots \Vert M^\beta _{l_\beta -1}\) holds. Note that \(l_\alpha = l_\beta \) by \(tw^\alpha _{l_\alpha } = tw^\beta _{l_\beta }\). Then there exist \(\gamma \in \{\alpha ,\beta \}, i \in \{1,\ldots ,l_\gamma -1\}\) such that \((tw_{i}^\gamma ,M^\gamma _i) \not \in \mathsf {twM}^{\alpha ,\beta } \backslash \{(tw_{i}^\gamma ,M^\gamma _i)\}\). Therefore, \(C_i^\gamma \) is drawn independently of \(\mathsf {C}^{\alpha ,\beta }\backslash \{C_i^\gamma \}\). Hence, the probability that the equation of (4) holds is at most \(1/2^n\).

  • If \(M^\alpha _{l_\alpha } \ne M^\beta _{l_\beta }\), then in order to satisfy the equation of (4), \(S^\alpha \ne S^\beta \) should hold. \(S^\alpha \ne S^\beta \) implies that there exist \(\gamma \in \{\alpha ,\beta \}, i \in \{1,\ldots ,l_\gamma -1\}\) such that \(C_i^\gamma \not \in \mathsf {C}^{\alpha ,\beta }\backslash \{C_i^\gamma \}\), namely, \(C_i^\gamma \) is drawn independently of \(\mathsf {C}^{\alpha ,\beta }\backslash \{C_i^\gamma \}\). Hence, the probability that the equation of (4) holds is at most \(1/2^n\).

By the above analysis, we have

$$\begin{aligned} \Pr [\mathbf {D}^{G_2} \Rightarrow 1] - \Pr [\mathbf {D}^{G_3} \Rightarrow 1] \le \Pr [\mathsf {coll}] \le \left( {\begin{array}{c}q\\ 2\end{array}}\right) \times \frac{1}{2^n} \le \frac{0.5q^2}{2^n}. \end{aligned}$$
(5)

4.3 Upper-Bound of

Finally, putting upper-bounds (3) and (5) into (1) gives

5 Discussion

5.1 Benefit in Hardware Implementation

In this section, we discuss the benefits of PMAC with XP over the previous permutation-based PMAC, PMAC with TEM, with respect to hardware implementation. In summary, there are two main advantages. Firstly, and most obviously, some XOR gates can be eliminated. Secondly, architectural optimization is enabled because the data dependency is relaxed.

We first discuss the reduction of XOR gates. Two common architectures shown in Fig. 5 are considered: Fig. 5(a) and (b) are for the TEM- and XP-based schemes, respectively. Both are based on a reference circuit found in the specification document of Minalpher [19]. Note that offsets are assumed to be updated serially for each permutation call (e.g., \(2 \otimes K, 2^2 \otimes K, 2^3 \otimes K, \ldots \) in a field for \(K\in \{0,1\}^n\)) in the component labeled “offset update”. If a single XOR gate is approximated by 2 [GE], then the XP-based scheme saves XOR gates corresponding to 2N [GE], where N is the datapath width. In addition, some accompanying gates can be removed. In the case of Minalpher, the permutation can be called without any masking, and thus there are accompanying AND gates for disabling the XORs (see Fig. 5). These AND gates can also be removed in the XP-based scheme.

Fig. 5.
figure 5

Common circuit architectures for (a) TEM-based and (b) XP-based schemes

Secondly, and more importantly, the data dependency is relaxed by eliminating the output masking. The architectures in Fig. 5 are considered again, and the data dependency is discussed using the concurrency diagrams shown in Fig. 6. In the diagrams, the horizontal axes represent time and a square indicates that the resource is occupied. In the TEM-based scheme in Fig. 6(a), the offset must be maintained until the end of the permutation, and thus “offset update” must be suspended while the permutation is being executed. Similarly, the permutation must be suspended while the offset is being updated. In the XP-based scheme in Fig. 6(b), on the other hand, the permutation and “offset update” can be processed simultaneously because the data dependency is relaxed by eliminating the output masking. This property brings advantages in both throughput and circuit area: (i) throughput is improved because the idling period is removed, and (ii) a smaller implementation can be used for “offset update” because it is no longer the bottleneck for speed.

Fig. 6.
figure 6

Concurrency diagram: occupancy of resources in circuits for (a) TEM-based and (b) XP-based schemes
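To make the concurrency argument concrete, the following is an added cycle-level model (illustration code, not from the paper and not the Minalpher reference design) that schedules the two resources of Fig. 5, the permutation datapath and the “offset update” component, under the two data-dependency rules just described, and prints an ASCII version of the concurrency diagram of Fig. 6. The cycle counts, the number of blocks and the resource names are assumed values chosen for the demonstration.

```python
"""Cycle-level model of the concurrency diagrams of Fig. 6 (added illustration,
not code from the paper).  Two resources are scheduled: "perm" (the
permutation datapath) and "offset" (the offset-update component).  The cycle
counts are assumed parameters, not figures from the paper or from the
Minalpher reference circuit.
"""


def schedule(num_blocks, perm_cycles, offset_cycles, input_mask_only):
    """Return (total_cycles, intervals) for processing num_blocks blocks.

    intervals holds (resource, start, end) tuples, one per occupied square of
    the concurrency diagram.  input_mask_only=False models the TEM-based
    scheme: the offset is needed again for the output masking, so it must be
    held until the permutation finishes and the next update waits for that.
    input_mask_only=True models the XP-based scheme: the offset is consumed at
    the permutation input only, so the next update may start as soon as the
    current permutation call has started.
    """
    intervals = []
    perm_free = 0        # cycle at which the permutation datapath becomes free
    offset_free = 0      # cycle at which the offset updater becomes free
    offset_release = 0   # cycle from which the offset register may be overwritten
    for _ in range(num_blocks):
        start = max(offset_free, offset_release)
        offset_ready = start + offset_cycles
        intervals.append(("offset", start, offset_ready))
        offset_free = offset_ready

        start = max(perm_free, offset_ready)   # needs the datapath and the offset
        perm_free = start + perm_cycles
        intervals.append(("perm", start, perm_free))
        # XP: register free once the input masking has happened (perm start);
        # TEM: register busy until the output masking at the end of the call.
        offset_release = start if input_mask_only else perm_free
    return perm_free, intervals


def tem_cycles(num_blocks, perm_cycles, offset_cycles):
    """Total cycles for the TEM-based scheme (serialised resources)."""
    return schedule(num_blocks, perm_cycles, offset_cycles, False)[0]


def xp_cycles(num_blocks, perm_cycles, offset_cycles):
    """Total cycles for the XP-based scheme (offset update overlaps the permutation)."""
    return schedule(num_blocks, perm_cycles, offset_cycles, True)[0]


def idle_cycles(intervals, resource, total):
    """Cycles within [0, total) during which `resource` is not occupied."""
    busy = sum(end - start for res, start, end in intervals if res == resource)
    return total - busy


def render(intervals, total):
    """ASCII concurrency diagram: one row per resource, '#' = occupied."""
    rows = {}
    for res, start, end in intervals:
        row = rows.setdefault(res, ["."] * total)
        for cyc in range(start, end):
            row[cyc] = "#"
    return "\n".join(f"{res:>6} |{''.join(row)}|" for res, row in rows.items())


if __name__ == "__main__":
    # constructed: 4 blocks, 10-cycle permutation, 2-cycle offset update
    blocks, p, u = 4, 10, 2
    for name, flag in (("TEM-based", False), ("XP-based", True)):
        total, ivs = schedule(blocks, p, u, flag)
        print(f"{name}: {total} cycles, permutation idle for "
              f"{idle_cycles(ivs, 'perm', total)} cycles")
        print(render(ivs, total))
```

In the model the offset-update latency is hidden behind the permutation in the XP case as long as it does not exceed the permutation latency, which is exactly what allows a smaller and slower “offset update” implementation (advantage (ii) above); in the TEM case every update adds directly to the critical path.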

An alternative way to tackle the data dependency issue in the TEM-based scheme is to use a temporal register that stores the offset until the end of the permutation. In that case, the XP-based scheme is advantageous in the sense that the temporal register can be removed. The reduction is effective because registers are relatively expensive (i.e., a 1-bit register is approximated by 5–7 [GE]). The capability to remove temporal registers is even more important in a pipelined implementation. Figure 7 shows a 4-stage pipelined implementation for the TEM-based scheme. In order to carry the offset values to the last stage, multiple temporal registers (i.e., pipeline registers) are needed. These registers can simply be eliminated in the XP-based scheme.

Fig. 7.
figure 7

A 4-stage pipeline architecture and pipeline registers for delaying tweak values

5.2 Open Problem

Recently, Mennink [16] discussed the tweakable SPRP-security (Strong Pseudo-Random Permutation security) of TEM against related-key attacks. He defined a family of functions that calculate an offset from a tweak, and he calls the TEM construction with such a function XPX. He showed sufficient conditions under which these functions yield secure tweakable SPRPs against related-key attacks within the framework of Bellare and Kohno [2] and Albrecht et al. [1]. Note that our result considers only single-key attacks, and proving the PRF-security of \(\mathtt {PMAC\_XP}\) against related-key attacks is an open problem left by this paper. We conjecture that by applying the function of XPX as the offset generating function \(h_K\) of XP, \(\mathtt {PMAC\_XP}\) becomes a secure PRF against related-key attacks.