(1) Background.

A Feistel structure is one of the widely used structures of a block cipher, and its security proof was given by Luby and Rackoff [2]. It is shown that the 3-round Feistel structure instantiated with 3 independent pseudorandom functions (PRFs), which we call the Feistel cipher, is a pseudorandom permutation (PRP), a block cipher that is indistinguishable from a random permutation against adversaries in a chosen plaintext attack (CPA) setting. Similarly, the 4-round Feistel cipher is a strong PRP (SPRP), where the adversary is in a chosen ciphertext attack (CCA) setting.

A question of whether one can securely reduce the number of independent PRFs has been studied, as reducing the number of PRFs implies the reduction of the key length, and hence it reduces the cost of maintaining, exchanging, and updating the secret key. Let \(\mathrm{\Phi}[F_1, F_2, \ldots, F_r]\) be the \(r\)-round Feistel cipher, where the PRF \(F_i\) is used in the \(i\)-th round. The structure that simply replaces all the PRFs with a single-keyed PRF \(F\), i.e., \(\mathrm{\Phi}[F, F, \ldots, F]\), is easily distinguishable from a random permutation regardless of the number of rounds [3]. Pieprzyk showed that \(\mathrm{\Phi}[F_1, F_1, F_1, F_2]\) and \(\mathrm{\Phi}[F_1, F_1, F_1, F_1 \circ F_1]\) are PRPs [4]. Patarin showed that \(\mathrm{\Phi}[F_1, F_2, F_1, F_2]\) is an SPRP [5]. Additionally, Patarin pointed out that \(\mathrm{\Phi}[F, F, F, F \circ \zeta \circ F]\) is an SPRP, where it uses 1-bit cyclic rotation \(\zeta\). Nandi proved that \(\mathrm{\Phi}[\zeta \circ F, F, F, F]\) is an SPRP and has the optimal number of PRF calls [6]. See also [7] for a related result that uses a mask.

A tweakable block cipher (TBC), formalized by Liskov et al. [8], is the generalization of a block cipher to take an additional input called a tweak. Minematsu pointed out that TBCs can be used as a primitive for constructing block ciphers, and instantiated a concrete structure by combining TBCs and universal hash functions [9]. By replacing the PRFs and XORs in the Feistel cipher with TBCs, Coron et al. formalized a TBC-based Feistel cipher and proved its indistinguishability security [10].

Indifferentiability, formalized by Maurer et al. [11], is one of the security definitions for cryptographic permutations, a key-less permutation. This definition captures the hardness to distinguish a cryptographic permutation from a random permutations, where the cryptographic permutation makes oracle calls to an ideal primitive. Some instances of random oracle (RO) based Feistel ciphers are analyzed with the indifferentiability notion. See [12]-[14] for the results on this line of research. The TBC-based Feistel cipher [10] can be seen as a cryptographic permutation by regarding the TBC as the ideal cipher (IC), which models an ideally secure block cipher, and its indifferentiability analysis is presented in [10], where independent ICs are used in the construction. Bhaumik et al. later improved the security bound [15].

Contracting Feistel structures are derivations of the Feistel structure, and we consider the TBC-based counterpart [16]. These structures have \(d\) lines, where \(d \ge 2\), and \(d-1\) lines are used as the tweak of the TBC to update the remaining line. See Fig. 1 for the structure. The security of the structure is known in the indistinguishability notion [16], [17], and in the indifferentiability notion [18], [19], where we consider the IC with key length of \(d-1\) lines instead of a TBC.

Fig. 1  (a) \(\mathrm{\phi}[\widetilde{E}_K](X^{[1..d]}) = X^{[2..d]} \mathbin{\|}Y\), where \(Y = \widetilde{E}_K(X^{[2..d]}, X^1)\), (b) \(\mathrm{\phi}[{\widehat{E}}](X^{[1..d]}) = X^{[2..d]} \mathbin{\|}Y\), where \(Y = {\widehat{E}}(X^{[2..d]}, X^1)\), and (c) \(\mathrm{\phi}_i[{\widehat{E}}](X^{[1..d]}) = X^{[2..d]} \mathbin{\|}Y\), where \(Y = {\widehat{E}}(X^{[2..d]} \oplus c_i^{[2..d]}, X^1)\).

(2) Our Contributions.

The indistinguishability results on the TBC-based Feistel ciphers [10] and on the TBC-based contracting Feistel ciphers [16], [17] assume independent TBCs, and the indifferentiability results on the IC-based Feistel ciphers [10], [15] and on the IC-based contracting Feistel ciphers [18], [19] assume independent ICs. In this paper, we investigate the security of the single primitive-based counter parts, which replace the TBCs or the ICs with a single primitive, i.e., a single-keyed TBC or a single IC. Our target is the \(n\)-bit block and \((d-1)n\)-bit tweak single-keyed TBC-based Feistel cipher for indistinguishability, and the \(n\)-bit block, \((d-1)n\)-bit key single IC-based Feistel cipher for indifferentiability. We remark that by setting \(d=2\), our results cover the case of regular Feistel ciphers of \(2\) lines. We present the following results:

(3) Indistinguishability Results.

Let \(\mathrm{\Phi}_r\) be the \(r\)-round single-keyed TBC-based Feistel cipher with \(d\) lines. We show that for any \(r\le d\), \(\mathrm{\Phi}_r\) can be distinguished from a random permutation with \(O(1)\) queries. We then show that \(\mathrm{\Phi}_{d+1}\) is secure in the indistinguishability notion, where the security bound is \(O(q^2/2^n)\) for adversaries making \(q\) queries. This makes a sharp difference to the PRF-based Feistel cipher, which is insecure regardless of the number of rounds. Next, for any \(r\ge d+1\), we show that \(\mathrm{\Phi}_r\) can be distinguished from a random permutation with \(O(2^{n/2})\) queries, with a type of slide attack [20]. On one hand, this shows the tightness of the security bound of the case \(r=d+1\), i.e., it is impossible to show a better security bound for this case. This also shows that, even if we increase the number of rounds beyond \(d+1\) rounds, the security of \(\mathrm{\Phi}_r\) does not improve, showing an impossibility of improving the security by increasing the number of rounds.

These results show that the \((d+1)\)-round structure can be practically used in applications that are sufficient with \(O(2^{n/2})\) security, however, it cannot be used if higher security is needed, regardless of the number of rounds.

(4) Indifferentiability Results.

Let \(\mathrm{\widehat{\Phi}}_r\) be the \(r\)-round single IC-based Feistel cipher with \(d\) lines. We show that for any \(r\), \(\mathrm{\widehat{\Phi}}_r\) is not secure in the indifferentiability notion. The attack is the straightforward application of the attacks against \(\mathrm{\Phi}_r\), and they work with \(O(1)\) queries. The attack can be seen as a type of slide attack [20]. Using a round constant is a well-known countermeasure, and one may hope that a round constant can prevent the attack. We consider a variant of \(\mathrm{\widehat{\Phi}}_r\) that uses a round constant, and demonstrate that the round constant cannot prevent the indifferentiability attack for the case \(r=2d-1\).

These results show that single IC based structures should not be used in practice.

Table 1 and Table 2 summarize the previous results and our results. Table 1 shows the results for \(d=2\) and Table 2 shows the results for \(d\ge 2\).

Table 1  Summary of previous results and our results (\(d=2\)) on Feistel ciphers.

Table 2  Summary of previous results and our results on contracting Feistel ciphers. \(d\) denotes the number of lines, \(l\) is a constant value s.t. \(1 \le l \le d-1\). In “Security”, the maximum number of queries is additionally noted if exists.

(5) Further Related Works.

A problem of whether one can securely reduce the number of independent keys/primitives has been studied in various other constructions. See, e.g., [21]-[26]. With respect to slide attacks, key-reduced Feistel ciphers have been actively analyzed. See, e.g., [27]-[31]. Compared to these results, our attacks follow a fundamentally similar approach, while our targets employ stronger primitives, TBCs/ICs, instead of PRFs/ROs.

2.1  Notation

For a positive integer \(n\), let \(\{0, 1\}^n\) be the set of all \(n\)-bit strings. For two strings \(X\) and \(Y\), let \(X \mathbin{\|}Y\) denote their concatenation. For \(d\) string \(X^1,X^2,\ldots,X^d\), we denote their concatenation \(X^1 \mathbin{\|}X^2 \mathbin{\|}\dots \mathbin{\|}X^d\) by \(X^{[1..d]}\). For a finite set \(S\), \(s \xleftarrow{＄}S\) is the operation of uniformly sampling an element from \(S\) and assigning it to \(s\).

2.2  (Tweakable) Block Cipher

A block cipher \(E: \mathcal{K} \times \mathcal{M} \rightarrow \mathcal{M}\) is a keyed permutation. For key \(K \in \mathcal{K}\), plaintext \(M \in \mathcal{M}\), and ciphertext \(C \in \mathcal{M}\), we write the encryption as \(C = E_K(M)\) and the decryption as \(M = E_K^{-1}(C)\). If \(\mathcal{M} = \{0, 1\}^n\), we say that it is an \(n\)-bit block cipher. Let \(\mathrm{Perm}(n)\) be the set of all \(n\)-bit permutations, and a random permutation is an element selected from \(\mathrm{Perm}(n)\) uniformly at random.

A tweakable block cipher \(\widetilde{E}: \mathcal{K} \times \mathcal{T} \times \mathcal{M} \rightarrow \mathcal{M}\) is a keyed permutation that takes an additional input called a tweak [8]. For key \(K \in \mathcal{K}\), tweak \(T \in \mathcal{T}\), plaintext \(M \in \mathcal{M}\), and ciphertext \(C \in \mathcal{M}\), we write the encryption as \(C = \widetilde{E}_K(T, M)\) and the decryption as \(M = \widetilde{E}_K^{-1}(T, C)\). If \(\mathcal{T} = \{0, 1\}^t\) and \(\mathcal{M} = \{0, 1\}^n\), we say that it is an \((t, n)\)-bit TBC. Let \(\widetilde{\mathrm{Perm}}(t, n)\) be the set of all the functions \(\widetilde{P}: \{0, 1\}^t \times \{0, 1\}^n \rightarrow \{0, 1\}^n\) s.t. for any \(T \in \{0, 1\}^t\), \(\widetilde{P}(T, \cdot) \in \mathrm{Perm}(n)\), and a tweakable random permutation (TRP) is an element selected from \(\widetilde{\mathrm{Perm}}(t, n)\) uniformly at random, which we call an \((t, n)\)-bit TRP.

The ideal cipher \({\widehat{E}}: \mathcal{K} \times \mathcal{M} \rightarrow \mathcal{M}\) is the set of random permutations that idealizes a block cipher. For each \(K\), \({\widehat{E}}(K,\cdot)\) is a random permutation over \(\mathcal{M}\). For key \(K \in \mathcal{K}\), plaintext \(M \in \mathcal{M}\), and ciphertext \(C \in \mathcal{M}\), we write the encryption as \(C = {\widehat{E}}(K,M)\) and the decryption as \(M = {\widehat{E}}^{-1}(K,C)\). If \(\mathcal{K} = \{0, 1\}^k\) and \(\mathcal{M} = \{0, 1\}^n\), we say that it is an \((k, n)\)-bit IC.

2.3  Security Definitions

We consider the security of block cipher \(E\) as a keyed primitive and as a cryptographic permutation. As a keyed primitive, we consider the indistinguishability notion [2], i.e., the notion of a pseudorandom permutation (PRP) and a strong pseudorandom permutation (SPRP). A PRP-adversary has oracle access to a cryptographic permutation oracle \(E_K\) in the real world, and random permutation \(\pi\) in the ideal world. For an adversary \(\mathcal{A}\) that makes a maximum of \(q\) oracle queries, we define the PRP-advantage and SPRP-advantage as follows:

Next, as a cryptographic permutation, we consider the indifferentiability notion [11]. Let \(C\) be a cryptographic permutation that is built on the ideal cipher \({\widehat{E}}\), i.e., \(C\) makes oracle calls to \({\widehat{E}}\) to compute its output, and we write \(C^{\widehat{E}}\) for this. In the real world, an adversary \(\mathcal{A}\) has oracle access to \({\widehat{E}}\) and \(C^{\widehat{E}}\). In the ideal world, \(\mathcal{A}\) makes queries to a random permutation \(\pi\) and a simulator \(\mathrm{Sim}^\pi\), where the simulator \(\mathrm{Sim}\) has oracle access to \(\pi\). We call a query to \(C^{\widehat{E}}\) or \(\pi\) as a construction query, and a query to \(E\) or \(\mathrm{Sim}^\pi\) as a primitive query. For an adversary \(\mathcal{A}\) that makes a maximum of \(q\) oracle queries in total, we define the advantage as follows:

2.4  Coefficient-H Technique [32], [33]

Our security proof is based on the coefficient-H technique. Let \(\mathcal{R}\) and \(\mathcal{R}^{-1}\) be the real world oracles that internally call a block cipher \(E_K\) and its inverse \(E^{-1}_K\). Similarly, let \(\mathcal{I}\) and \(\mathcal{I}^{-1}\) be the ideal world oracles that internally call a random permutation \(\pi\) and its inverse \(\pi^{-1}\). For an adversary \(\mathcal{A}\) that makes a maximum of \(q\) oracle queries, a transcript \(\theta\) denotes a tuple that records all the interactions between \(\mathcal{A}\) and the oracles. Let \(\Theta_\mathcal{R}\) be the random variable of \(\theta\) when \(\mathcal{A}\) interacts with \(\mathcal{R}\) and \(\mathcal{R}^{-1}\), and \(\Theta_\mathcal{I}\) be the random variable of \(\theta\) when \(\mathcal{A}\) interacts with \(\mathcal{I}\) and \(\mathcal{I}^{-1}\). An attainable transcript is a transcript \(\theta\) such that \(\Pr[\Theta_\mathcal{I}= \theta] > 0\). Then, the coefficient-H technique states the following result:

Lemma 1: Consider a deterministic adversary \(\mathcal{A}\). Partition all the attainable transcripts into two disjoint sets \(\mathcal{T}_\mathrm{good}\) and \(\mathcal{T}_\mathrm{bad}\). Suppose that there exists \(\epsilon_1\) such that \(\Pr[\Theta_\mathcal{I}\in \mathcal{T}_\mathrm{bad}] \le \epsilon_1\), and there exists \(\epsilon_2\) such that, for all \(\theta \in \mathcal{T}_\mathrm{good}\), \(\Pr[\Theta_\mathcal{R}= \theta]/\Pr[\Theta_\mathcal{I}= \theta] \ge 1 - \epsilon_2\). Then we have \(\mathbf{Adv}^\mathrm{sprp}_E(\mathcal{A}) \le \epsilon_1 + \epsilon_2\).

We remark that although Lemma 1 is modified specifically for an SPRP adversary, the coefficient-H technique can be applied to general security definitions. See e.g., [32], [33].

3.1  Block Ciphers

Fix \(d\ge 2\). Let \(\widetilde{E}\) be a \(((d-1)n, n)\)-bit TBC and \(K\) be a key of \(\widetilde{E}\). First, we define an encryption round function \(\mathrm{\phi}\) as

where \(X^{[1..d]} \in \{0, 1\}^{dn}\) is the input. See Fig. 1(a). Then, the \(r\)-round single-keyed TBC-based Feistel cipher \(\mathrm{\Phi}_r\) is defined by iterating the round function \(\mathrm{\phi}\) for \(r\) times as follows:

It takes \(M^{[1..d]} \in \{0, 1\}^{dn}\) as input.

Likewise, we define a decryption round function \(\mathrm{\phi}^{-1}\) as

where \(X^{[1..d]} \in \{0, 1\}^{dn}\) is the input. Next, the decryption of \(\mathrm{\Phi}_r\), which we write \(\mathrm{\Phi}^{-1}_r\), is defined by repeating \(\mathrm{\phi}^{-1}\) for \(r\) times as follows:

It takes \(C^{[1..d]} \in \{0, 1\}^{dn}\) as input.

3.2  Cryptographic Permutations

Let \({\widehat{E}}\) be a \(((d-1)n, n)\)-bit IC. Cryptographic permutations can be defined from an ideal cipher similarly to block ciphers.

With round functions \(\mathrm{\phi}[{\widehat{E}}]\) and \(\mathrm{\phi}^{-1}[{\widehat{E}}]\) shown in Fig. 1(b), where the key of \({\widehat{E}}\) is regarded as a tweak of \(\widetilde{E}_K\) in \(\mathrm{\phi}[\widetilde{E}_K]\), the \(r\)-round single IC-based Feistel cipher, which we write \(\mathrm{\widehat{\Phi}}_r\), is defined as follows:

Cryptographic permutations with round constants are defined by introducing round constants to the key of \(\mathrm{\phi}\). We define an encryption round function \(\mathrm{\phi}_i\) and a decryption round function \(\mathrm{\phi}^{-1}_i\) as follows:

where \(c_i^2, \dots, c_i^d\) is an \(n\)-bit constant. See Fig. 1(c). Then the \(r\)-round single IC-based Feistel cipher with round constants \(\mathrm{\widehat{\Phi}}'_r\) is defined as follows:

4.1  Attack on \(\mathrm{\Phi}_r\) for \(r \le d\)

We have the following theorem for \(\mathrm{\Phi}_r\) for \(r \le d\).

Theorem 1: Fix \(d \ge 2\). Let \(\widetilde{E}\) be the \(((d-1)n, n)\)-bit TRP, and \(\mathrm{\Phi}_r = \mathrm{\Phi}_r[\widetilde{E}]\) be the \(r\)-round single-keyed TBC-based Feistel cipher. Then there exists an adversary \(\mathcal{A}\) against \(\mathrm{\Phi}_r\) with \(r \le d\) such that \(\mathbf{Adv}^\mathrm{prp}_{\mathrm{\Phi}_r}(\mathcal{A})=O(1)\), where \(\mathcal{A}\) makes \(O(1)\) queries.

Proof: Let \(O\) be the oracle, which is either the block cipher \(\mathrm{\Phi}_r\) or the random permutation \(\pi\).

(1) The Attack on \(\mathrm{\Phi}_r\) for \(r \le d-1\).

We first introduce \(\mathcal{A}\) on \(\mathrm{\Phi}_r\) for \(r \le d-1\).

\(\mathcal{A}\) makes an encryption query using an arbitrary message \(M^{[1..d]}\in \{0, 1\}^{dn}\) to obtain the corresponding ciphertext \(C^{[1..d]}\in \{0, 1\}^{dn}\), and returns \(1\) iff \(C^{d-r}=M^d\). In \(\mathrm{\Phi}_r\), \(M^d\) never goes through \(\widetilde{E}\), and it directly appears as \(C^{d-r}\). In \(\pi\), \(C^{d-r}\) is a part of a uniformly random output of \(\pi\), thus \(\mathcal{A}\) outputs \(0\) except for a negligible probability of an \(n\)-bit collision. Therefore \(\mathcal{A}\) can distinguish \(\mathrm{\Phi}_r\) from \(\pi\) with \(1\) query.

An example of \(\mathrm{\Phi}_4\) with \(d=5\) is shown in Fig. 2.

Fig. 2  Structure of \(\mathrm{\Phi}_4\) for \(d = 5\). \(M^5\) directly appears as \(C^1\).

(2) The Attack on \(\mathrm{\Phi}_d\).

We introduce our adversary \(\mathcal{A}\) on \(\mathrm{\Phi}_d\).

\(\mathcal{A}\) first makes an encryption query \(M\) to obtain \(C\), and then makes an encryption query \(M'\) to obtain \(C'\), where \(M'=M^{[1..d-1]}\mathbin{\|}C'^1\). Then \(\mathcal{A}\) outputs \(1\) iff \(C^{[2..d]}=C'^{[1..d-1]}\). In \(\mathrm{\Phi}_d\), the first round of the second query reproduces the second round of the first query. This state collision continues in the subsequent rounds, and eventually, \(C^{[2..d]} = C'^{[1..d-1]}\) always holds. In \(\pi\), \(C^{[2..d]}\) and \(C'^{[1..d-1]}\) are the outputs of random permutation \(\pi\), and hence \(\mathcal{A}\) outputs \(0\) except for a negligible probability of a \((d-1)n\)-bit collision. Therefore, \(\mathcal{A}\) can distinguish \(\mathrm{\Phi}_d\) from \(\pi\) with \(O(1)\) queries.

An example of \(\mathrm{\Phi}_5\) with \(d=5\) is shown in Fig. 3. \(\tag*{◻}\)

Fig. 3  Structure of \(\mathrm{\Phi}_5\) for \(d = 5\). (a) step 1, (b) step 2.

4.2  Security of \(\mathrm{\Phi}_{d+1}\)

We have the following theorem for \(\mathrm{\Phi}_{d+1}\).

Theorem 2: Fix \(d \ge 2\). Let \(\widetilde{E}\) be the \((n, (d-1)n)\)-bit TRP, and \(\mathrm{\Phi}_{d+1} = \mathrm{\Phi}_{d+1}[\widetilde{E}]\) be the \(r\)-round single-keyed TBC-based Feistel cipher, where \(r=d+1\). Then for any adversary \(\mathcal{A}\) that makes at most \(q\) queries, we have

We present the outline of the proof. The detailed proof is given in Appendix.

Outline of Proof 1: In \(\mathrm{\Phi}_{d+1} = \mathrm{\Phi}_{d+1}[\widetilde{E}]\), we use a single TRP \(\widetilde{E}\), and we write \(\widetilde{E}^i\) to indicate \(\widetilde{E}\) in the \(i\)-th round. Note that \(\widetilde{E}^i = \widetilde{E}\) for all \(i\).

Let \(S=\widetilde{E}^1(M^{[2..d]}, M^1)\), an output of the TRP in the 1st round. We regard \(S\) as the internal state, and we see that, for each of the TRP calls, \(S\) appears as the output block of the TRP (as \(\widetilde{E}^1\)), or as a tweak (as \(\widetilde{E}^2,\ldots,\widetilde{E}^{d}\)), or as the input block (as \(\widetilde{E}^{d+1}\)). See Fig. 4 for an example of \(\mathrm{\Phi}_6\) for \(d=5\).

Fig. 4  Structure of \(\mathrm{\Phi}_6\) for \(d = 5\). \(S\) appears in all the tweaks from \(\widetilde{E}^2\) to \(\widetilde{E}^5\), and is used as an output in \(\widetilde{E}^1\) and an input in \(\widetilde{E}^6\).

Our proof is based on the coefficient-H technique. Let \(M_i^{[1..d]}\), \(S_i\), and \(C_i^{[1..d]}\) be the message, internal state, and the ciphertext of the \(i\)-th query, respectively. We define the bad conditions as follows:

Namely, if any of the \(S_i\) collides with other variables, then the transcript is bad.

If \(S_i\) is a unique value, then all the tweaks of \(\widetilde{E}^2, \dots, \widetilde{E}^d\) in the \(i\)-th query are unique. For example, in \(\widetilde{E}^2\) in Fig. 4, \(S_i\) appears in the 4th line of the tweak. It never appears on the same line in other TRPs. Because of this, if \(S_i\) is unique, the tweak of \(\widetilde{E}^2\) never collides with other tweaks. Furthermore, an output of \(\widetilde{E}^1\) and an input of \(\widetilde{E}^{d+1}\) are clearly unique.

Intuitively, without the bad conditions and with an assumption that the adversary does not make redundant queries, we can show that every TRP has at least one unique element in the output block, tweak, or in the input block. This is sufficient to show that all the TRPs, which is actually a single TRP, can interpolate them with a non-zero probability.

The good probabilities are almost the same in \(\mathrm{\Phi}_{d+1}\) and \(\pi\), and from the coefficient-H technique, we obtain the upper bound of the distinguishing advantage.

4.3  Attack on \(\mathrm{\Phi}_r\) for \(r \ge d+1\)

We have the following theorem for \(\mathrm{\Phi}_r\) for \(r \ge d+1\).

Theorem 3: Fix \(d \ge 2\). Let \(\widetilde{E}\) be the \(((d-1)n, n)\)-bit TRP, and \(\mathrm{\Phi}_r = \mathrm{\Phi}_r[\widetilde{E}]\) be the \(r\)-round single-keyed TBC-based Feistel cipher. Then there exists an adversary \(\mathcal{A}\) against \(\mathrm{\Phi}_r\) with \(r \ge d+1\) such that \(\mathbf{Adv}^\mathrm{prp}_{\mathrm{\Phi}_r}(\mathcal{A})=O(1)\), where \(\mathcal{A}\) makes \(O(2^{n/2})\) queries.

Proof: We present our adversary \(\mathcal{A}\) for \(d \ge 3\) and \(r \ge d+1\). We later cover the case \(d=2\).

This algorithm adopts the same approach as the one for \(\mathrm{\Phi}_d\). However, the internal states \(S_i = \widetilde{E}(M^{[2..d]}, M_i)\) cannot be directly observed. We make \(O(2^{n/2})\) queries so that we have the \(dn\)-bit state collision with a high probability. Let \(q=2^{n/2}\). The collision probability among the \(q\) values of \(S_i\) and \(q\) values of \(S'_j\) can be evaluated as follows:

Here, \(e\) is the base of the natural logarithm and the last approximation follows from \(q = 2^{n/2}\).

As for the random permutation, the probability of the collision among \(C^{[2..d]}_i\) and \(C'^{[1..d-1]}_j\) can be evaluated in a similar way by regarding them as \((d-1)n\)-bit random values. We obtain

where we used \(q = 2^{n/2}\) for the last equality.

From the discussion above, we obtain the lower bound of the distinguishing advantage as

An example of \(\mathrm{\Phi}_6\) for \(d=5\) is shown in Fig. 5.

Fig. 5  Structure of \(\mathrm{\Phi}_6\) for \(d = 5\). (a): \(i\)-th query, (b) \(j\)-th query satisfying \(S'_j = S_i\).

If \(d=2\), this algorithm does not work because in \(\pi\), we have an \(n\)-bit output collision in step 4 with a high probability. To deal with this problem, we modify the algorithm as follows:

Steps with a prime symbol are modified or added for \(d=2\). In both \(\mathrm{\Phi}_r\) and \(\pi\), this algorithm aborts in step 4 with almost the same probability, and we see that the algorithm proceeds to steps \(5'\) and \(6'\) with a high probability.

Extra steps (steps \(5'\) and \(6'\)) are based on the distinguisher on \(\mathrm{\Phi}_d\). If \(S_i = S'_j\) holds for some (\(i, j\)) in \(\mathrm{\Phi}_r\), then we see that \(C_i^{[1..2]}\) and \(C'^{[1..2]}_j\) in step \(5'\) are the input and output of the \(r\)-th round of the encryption of \((M^2,S_j')\). Therefore, this algorithm outputs 1 with a high probability in \(\mathrm{\Phi}_r\) and outputs 0 in \(\pi\) with a similar discussion for \(\mathrm{\Phi}_d\). \(\tag*{◻}\)

1. Fix \(S^1_1 = \dots = S^{d-1}_1 = C^1_1 = 0^n\).

2. Obtain \(M^d_1\) by a primitive query of \(\phi_d^{-1}\) with \(S^1_1, \dots, S^{d-1}_1, C^1_1\).

3. Obtain \(C^2_1, \dots, C^d_1\) by primitive queries of \(\phi_{d+1}, \dots, \phi_{2d-1}\) with \(S^1_1, \dots, S^{d-1}_1, C^1_1\).

4. Fix \(S^1_2 = M^d_1 \oplus c^2_{d-1} \oplus c^2_d, S^2_2 = c^3_{d-1} \oplus c^3_d, \dots, S^{d-1}_2 = c^d_{d-1} \oplus c^d_d\), and \(C^1_2 = 0^n\).

5. Obtain \(C^2_2, \dots, C^d_2\) by primitive queries of \(\phi_{d+1}, \dots, \phi_{2d-1}\) with \(S^1_2, \dots, S^{d-1}_2, C^1_2\).

6. Make a construction query \(M^{[1..d]}_1 \leftarrow O^{-1}(C^{[1..d]}_1)\).

7. Make a construction query \(M^{[1..d]}_2 \leftarrow O^{-1}(C^{[1..d]}_2)\).

8. If \(M^{d-1}_1 = M^d_2\) holds, then output 1, else output 0.

A.1 Transcripts

The adversary \(\mathcal{A}\) is given access to the encryption and decryption oracles. If the \(i\)-th query is an encryption query \(M_i^{[1..d]}\), then \(\mathcal{A}\) obtains the corresponding ciphertext \(C_i^{[1..d]}\). If the \(i\)-th query is a decryption query \(C_i^{[1..d]}\), then \(\mathcal{A}\) obtains \(M_i^{[1..d]}\). Without loss of generality, we assume that \(\mathcal{A}\) makes exactly \(q\) queries, does not repeat a query, and does not make a redundant query, i.e., if \(\mathcal{A}\) obtains \(C_i^{[1..d]}\) for an encryption query \(M_i^{[1..d]}\), then it does not use \(C_i^{[1..d]}\) in the subsequent decryption queries, and vice versa. As we detail below, after making \(q\) queries and before returning the decision bit, \(\mathcal{A}\) is given all the internal state values \(S_1,\ldots,S_q\). Since it is only beneficial to \(\mathcal{A}\), there is no loss of generality of giving the additional input to \(\mathcal{A}\). Then the transcript is defined as follows:

A.2 Definition of the Oracles

The real world oracles \(\mathcal{R}, \mathcal{R}^{-1}\) internally make use of the block cipher \(\mathrm{\Phi}_{d+1}\) and its inverse \(\mathrm{\Phi}_{d+1}^{-1}\). After making \(q\) queries, the oracles \(\mathcal{R}, \mathcal{R}^{-1}\) give \(\mathcal{A}\) all the internal states \(S_1, \dots, S_q\). Fig.A⋅1 shows the algorithms of \(\mathcal{R}, \mathcal{R}^{-1}\).

Fig. A⋅1  Algorithm of \(\mathcal{R}\) and \(\mathcal{R}^{-1}\).

The ideal world oracles \(\mathcal{I}, \mathcal{I}^{-1}\) internally make use of the random permutation \(\pi\) and its inverse \(\pi^{-1}\). After \(q\) queries, \(\mathcal{I}, \mathcal{I}^{-1}\) generate dummy internal states \(S_1, \dots, S_q\) with the same probability distribution as TRP \(\widetilde{E}\). For this, for an encryption query, the oracle simulates the 1st round TRP. For a decryption query, the oracle simulates the \((d+1)\)-st round TRP. After completing the simulation, \(S_1, \dots, S_q\) are given to \(\mathcal{A}\). Fig. A⋅2 shows the algorithms of \(\mathcal{I}, \mathcal{I}^{-1}\).

Fig. A⋅2  Algorithm of \(\mathcal{I}\) and \(\mathcal{I}^{-1}\), where \(\mathrm{Dom}(T)\) and \(\mathrm{Ran}(T)\) are defined as \(\mathrm{Dom}(T) = \{x \mid \widetilde{E}(T, x) = y \mbox{ is defined for some } y\}\) and \(\mathrm{Ran}(T) = \{y \mid \widetilde{E}(T, x) = y \mbox{ is defined for some } x\}\).

A.3 Bad Conditions

For the TRP \(\widetilde{E}\) in the real world, the tweak determines the permutation between the input and output of the TRP. Accordingly, if the tweaks are the same, the TRP does not output distinct outputs from the same inputs or distinct inputs from the same outputs. By applying this to all the combinations of the TRPs in \(\mathrm{\Phi}_{d+1}\), we obtain the bad conditions of the whole structure of \(\mathrm{\Phi}_{d+1}\) as follows:

Recall that a transcript is defined as (A\(\cdot\)1), and let \(\mathcal{T}_\mathrm{bad}\) be the set of all the transcripts that satisfy at least one of the conditions above. Let \(\mathcal{T}_\mathrm{good}\) be the set of all the transcripts that does not satisfy any of the conditions above.

In what follows, we discuss the correctness of the above bad conditions, i.e., without the bad conditions, we show that the underlying TRP \(\widetilde{E}\) can interpolate all the relevant inputs, tweaks, and the outputs with a non-zero probability. See Fig. 4 for an example of \(\mathrm{\Phi}_6\).

First, observe that the absence of the above three conditions guarantees that all the tweaks in \(\widetilde{E}^2\), …, \(\widetilde{E}^d\) are distinct. That is, there are \(q\) tweaks for each of \(\widetilde{E}^2, \dots, \widetilde{E}^d\), and we thus have \(q(d-1)\) values of the tweak in total for \(\widetilde{E}^2, \dots, \widetilde{E}^d\). It can be verified that all these \(q(d-1)\) values are distinct, and they are also different from the \(q\) tweaks of \(\widetilde{E}^1\) and the \(q\) tweaks of \(\widetilde{E}^{d+1}\).

Next, let \(\mathcal{T}^1=\{M_1^{[2..d]},\ldots,M_q^{[2..d]}\}\) be the set of the \(q\) tweaks of \(\widetilde{E}^1\) and \(\mathcal{T}^{d+1}=\{C_1^{[1..d-1]},\ldots,C_q^{[1..d-1]}\}\) be the set of the \(q\) tweaks of \(\widetilde{E}^{d+1}\). From the discussion above, all these \(2q\) tweaks are different from those of \(\widetilde{E}^2\), …, \(\widetilde{E}^d\), while we may have \(|\mathcal{T}^1|<q\), \(\mathcal{T}^1\cap\mathcal{T}^{d+1}\neq\emptyset\), or \(|\mathcal{T}^{d+1}|<q\).

Therefore, the absence of the bad conditions implies that the TRP \(\widetilde{E}\) can interpolate all the relevant inputs, tweaks, and the outputs with a non-zero probability. We next compute the probability of the bad conditions and the ratio of the good probabilities to use the coefficient-H Technique.

A.4 Probability of the Bad Conditions

We have the following lemma.

Lemma 2: We have \(\Pr[\Theta_\mathcal{I}\in \mathcal{T}_\mathrm{bad}] \le \dfrac{(4d+1)q^2}{2^n}\).

Proof: We compute the probability of the bad conditions based on the randomness of \(S_1,\dots,S_q\). Assume that \(\mathcal{A}\) has completed making \(q\) queries to the oracles, and hence \((M_1^{[1..d]},C_1^{[1..d]}),\ldots,(M_q^{[1..d]},C_q^{[1..d]})\) are fixed. We further assume that we do not have the bad conditions for \(S_1,\ldots,S_{i-1}\), and we compute the probability that \(S_i\) causes one of the bad conditions, which we write “\(S_i\) is bad.” We then have

The term \(2q\) of the denominator indicates the maximum value of \(|\mathrm{Ran}(M_i^{[2..d]})|\) or \(|\mathrm{Dom}(C_i^{[1..d-1]})|\). Due to the uniqueness of \(S_1, \dots, S_{i-1}\), the tweaks of TRPs other than \(\widetilde{E}^1\) and \(\widetilde{E}^{d+1}\) also have unique values. Therefore, \(|\mathrm{Ran}(M_i^{[2..d]})|\) or \(|\mathrm{Dom}(C_i^{[1..d-1]})|\) takes the maximum value of \(2q\) when \(M_j^{[2..d]}\) and \(C_j^{[1..d-1]}\) take the same value for all \(j = 1, \dots, i-1\). Besides, from the uniqueness of \(S_1, \dots, S_{i-1}\) and the assumption that no queries are repeated, it is guaranteed that the corresponding entry, i.e., \((M_i^{[2..d]},M_i^{1})\) for encryption or \((C_i^{[1..d-1]},C_i^{d})\) for decryption, does not exist at the generation of \(S_i\). That is, \(S_i\) has randomness when generating it.

Now, by taking the summation of \(\Pr[\mbox{$S_i$ is bad}]\), we have

where the third inequality follows from \(2q < 2^{n-1}\).

A.5 Ratio of the Good Probabilities

We have the following lemma.

Lemma 3: For any \(\theta \in \mathcal{T}_\mathrm{good}\), we have \(\dfrac{\Pr[\Theta_\mathcal{R}= \theta]}{\Pr[\Theta_\mathcal{I}= \theta]} \ge 1 - \dfrac{0.5q^2}{2^{dn}}\).

Proof: First, we define the following two sets:

In the real world, we additionally define two sets as follows:

Intuitively, \(S^{\mathrm{enc},x}_i\) is the set of \((j,k)\) that shares the same tweak as the \(i\)-th tweak of \(\widetilde{E}^x\) when the \(i\)-th query is encryption, and \(S^{\mathrm{dec},x}_i\) is that when the \(i\)-th query is decryption. That is, for the \(i\)-th tweak of \(\widetilde{E}^x\), these sets indicate the indices that share the same tweak in the previous TRP calls. Then, the probability can be evaluated as follows:

The last inequality is obtained by assuming \(|S^{\mathrm{enc},x}_i| = |S^{\mathrm{dec},x}_i| = 0\) except for \(|S^{\mathrm{enc},1}_i|\) and \(|S^{\mathrm{dec},d+1}_i|\).

In the ideal world, as with the real world, we define two sets as follows:

Here, in the definitions above, we abuse the notation to write \(\widetilde{E}^k\) for the TRP \(\widetilde{E}\) used in the \(k\)-th round in Algorithm 5. Then, the probability can be evaluated as follows:

Finally, we compute the ratio of the two possibilities. We have

where the last inequality follows since \(S^{\mathrm{enc},x}_i = T^{\mathrm{enc},x}_i\) and \(S^{\mathrm{dec},x}_i = T^{\mathrm{dec},x}_i\) are always satisfied from the definitions of the oracles.

From Lemma 2, Lemma 3, and the coefficient-H technique, we obtain Theorem 2.