1 Introduction

Different tools from probability and statistics are now heavily used in different areas in cryptography. In this paper, we focus on a statistical tool, termed χ2 method, which has been introduced by Dai, Hoang, and Tessaro in CRYPTO 2017 [7]. Although a method which is essentially similar to the χ2 method is known in statistics (since 1978), we believe that the χ2 method is new in the context of cryptography. In [7], this method has been used to show pseudorandom function security (PRF-security) of two well known constructions, namely sum of random permutations [1, 17, 21, 22] and encrypted Davis-Meyer (EDM) [5, 19]. Further, we feel that this method may help us to obtain tight (and simplified) proofs for certain constructions where proofs so far have evaded more classical methods, such as the H-coefficient method [20].

χ2Method. The distinguishing advantage of a family of keyed functions is bounded by the total variation (also known as statistical distance) between the output distribution of the family and the output distribution of a random function. Total variation between two probability distributions P 0 and P 1 over a sample space Ω, denoted dTV(P 0 ,P 1 ), is defined as the half of L1-norm \(\| \mathbf {P}_{\mathbf {0}}- \mathbf {P}_{\mathbf {1}}\|_{1} := \sum _{x \in \mathrm {\Omega }} |\mathbf {P}_{\mathbf {0}}(x) - \mathbf {P}_{\mathbf {1}}(x)|\). In [7], the authors have revisited a variation of the additivity property of the KL divergence between two joint distributions. The authors have termed it χ2 method. When P 0 and P 1 are joint distributions, this method provides an upper bound on ∥P 0 P 1 1 based on the χ2 distances between the conditional distributions of P 0 and P 1 . Next, we recall the definition of χ2 distance. In what follows, we use the convention that 0/0 = 0.

Definition 1

The χ2 distance between distributions P 0 and P 1 (over a sample space Ω) with P 0 P 1 (i.e., the support of P 0 is contained in the support of P 1 ) is defined as

$$d_{\chi^{2}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}}) := \sum\limits_{x \in \Omega} \frac{(\mathbf{P}_{\mathbf{0}}(x) - \mathbf{P}_{\mathbf{1}}(x))^{2}}{\mathbf{P}_{\mathbf{1}}(x)}.$$

χ2 distance has its origin in mathematical statistics dating back to Pearson (see [18] for some history). It can be seen that χ2 distance is not symmetric and hence it is not a metric. However, this is useful for bounding other metrics, e.g., total variation. In the following, we briefly describe the χ2 method (see Section Appendix A for details and proof).

Let X = (X1,…,X q ) and Y = (Y1,…,Y q ) be two multivariate random variables taking values from Ωq. In order to simplify the notation, we denote by Xi− 1 the joint random variable (X1,…,Xi− 1). Let \(\mathbf {P}_{{0}_{x_{1}, \ldots , x_{i-1}}} \) denote the conditional probability distribution of X i given X1 = x1, …, Xi− 1 = xi− 1. We similarly write \(\mathbf {P}_{{1}_{x_{1},\ldots , x_{i-1}}}\) for the distribution of Y i given \(\mathsf {Y}_{1} = x_{1}\), …, Yi− 1 = xi− 1. Then the χ2 method says

$$ d_{\text{TV}}(\mathsf{X}, \mathsf{Y}) \leq \left( {1\over 2} \sum\limits_{i = 1}^{q} \mathbf{Ex}[{\chi}^{2}(\mathsf{X}_{1}, \ldots, \mathsf{X}_{i-1})]\right)^{1\over 2}, $$
(1)

where \(\chi ^{2}(x_{1}, \ldots , x_{i-1}) = d_{\chi ^{2}}(\mathbf {P}_{{0}_{x_{1},\ldots , x_{i-1}}}, \mathbf {P}_{{1}_{x_{1}, \ldots , x_{i-1}}})\) and for all x1,…,xi− 1, \(\mathbf {P}_{{0}_{x_{1},\ldots , x_{i-1}}}\ll \mathbf {P}_{{1}_{x_{1}, \ldots , x_{i-1}}}\). Note that we need this condition to define \(d_{\chi ^{2}}\).

XOR of Two Random Permutations. XOR or sum of two random permutations is a well known construction, proposed and studied by Hall et al. in [13], for conversion of pseudorandom permutations (PRPs) into pseudorandom functions (PRFs).Footnote 1 Given a permutation π : {0,1}n↦{0,1}n, the construction creates a function f : {0,1}n− 1↦{0,1}n, defined as f(x) = π(0||x) ⊕ π(1||x). When π is chosen uniformly at random from Perm n , the set of all permutations of {0,1}n, how well does f resemble (in a certain well defined sense) a random function with the same domain and range (a function chosen uniformly from the set of all functions from the domain to the range)? A satisfactory answer to this question remained elusive for over two decades. There have been attempts [1, 17, 21, 22] to prove information-theoretic security of the construction. However, the proofs either fell short of proving full security (to be made precise in the next section) of the construction [17] or were sketchy ([1]) or contained non-trivial gaps and were difficult to follow [21, 22] as has also been observed by the authors of [7].Footnote 2 Also, as a related problem, Cogliati, Lampe, and Patarin [4] gave weaker bounds for the case of the sum of at least three permutations. The XOR construction is important since it has been used to obtain some constructions achieving beyond birthday (or sometimes almost full) security (e.g., CENC [15], PMAC_Plus [3] and ZMAC [14]).

1.1 Main results in the paper

In [7], Dai et al. have used the χ2 method to prove full security of the XOR construction (XOR of two random permutations). In this paper, we have a closer inspection of the proof and we find a non-trivial gap in it. The gap is due to incorrect equalities involving conditional expectations. We have also made an attempt to fix the proof and we have shown that the proof can be fixed under Asssumption 1 (stated in Section 4). We have proved the assumption for two special cases and left the general case as an open problem.

In this note, we communicate the above observation formally. This serves two purposes: (a) to motivate a flawless proof of this problem, especially owing to its importance and a two-decades old legacy, (b) to prevent these types of loopholes from creeping into the proofs involving the χ2 method, especially since the method seems to have potential for application to similar problems.

Truncation of Random Permutation. Although the application (in [7]) of the χ2 method to the XOR construction contains gap, this technique can be powerful for bounding PRF-security of other constructions. In fact, in [7], the authors applied this method to bound the PRF-security of the EDM (or encrypted Davis-Meyer) construction. In this note, we apply this technique to the truncated random permutation construction and obtain a very simple proof of the known tight bound on the PRF-security of the construction. This has been studied by Stam (in a statistical context) in 1978 [25] and later by many others (e.g., [1, 8,9,10, 13]). Stam’s proof technique is very close to the χ2 method. However, the other proofs are very different and produce different results. The difference between the proof methods of the relevant results from [1, 8, 13] and [25] is discussed in [10]. Our proof approach is more modular and uses the χ2 method explicitly. We discuss these very briefly in Remark 1 and Remark 2.

The PRF property of the truncated random permutation construction has recently been used in the key derivation for the AES-GCM, Counter based authenticated encryption constructions [11].

1.2 Organization of the paper

The rest of the paper is organized as follows. In the next section, we provide a brief overview of relevant security notions and the χ2 method. There we also discuss the two constructions: XOR of two random permuations construction and trucated random permutation construction. Section 3 is devoted to the proof of Theorem 2. In Section 4, we discuss the proof, by Dai et al., of the full security of the XOR of two random permutation construction, where we also point out the gap in it. In Section 5, we provide the proofs of Assumption A1 for two specific cases. We conclude in Section 6 by remarking on an identical gap in the proof of full security of a related construction, termed XOR of two independent random permutations. Finally, in Appendix A, we provide a self-contained proof of the χ2 method; essential ingredients of the proof is same as that of [7], however, we also cover the finer details (such as the proof of the Pinsker’s inequality).

2 Preliminaries

Notation and Convention

We use the short-hand notation Xt to denote a tuple (X1,…,X t ). We also write \({\mathcal {S}}^{t}\) to denote the t-fold Cartesian product of the set \(\mathcal {S}\) with itself. It will be clear from the context whether Xt means a t-tuple (when X is a tuple) or product set (when X is a set).

We use notations X,Y,Z etc. (possibly with suffix) to represent random variables over some sets. Following the above notational convention, Xt would represent a t-tuple of random variables or random vector (X1,…,X t ). We use \(\mathcal {E}, \mathcal {S}, \mathcal {T}\) etc. (possibly with suffix) to denote sets. \(\mathcal {A}\) will always represent an adversary.

In this paper, we fix a positive integer n, and we denote 2n by N.

2.1 PRF-security definition

Pseudorandom function (PRF) is a very popular security notion in cryptography. While analyzing a message authentication code (MAC), we mostly study its PRF-security as it is a stronger notion than MAC. It has also been used to define encryption schemes, authenticated encryptions, and other cryptographic algorithms.

Now we formally define the PRF-advantage of an algorithm or a keyed function. By \(\mathsf {X} \leftarrow _{\$} \mathcal {S}\) we mean that X is sampled uniformly from a finite set \(\mathcal {S}\). Let m and p be positive integers. Let RP m denote the random permutation chosen uniformly from Perm m , the set of all permutations on {0,1}m, i.e., RP m $ Perm m . Similarly, let RFmp $ Funcmp (the set of all functions from {0,1}m to {0,1}p). Let \(\mathcal {K}\) be a finite set (it is the key space of the construction). Given a function \(f : \mathcal {K} \times \{0,1\}^{m} \to \{0,1\}^{p}\) and for every \(k \in \mathcal {K}\), we denote f k to represent the function (also called keyed function) f(k,⋅) ∈Funcmp. We now define the PRF-advantage of an oracle adversary \(\mathcal {A}\) against f as follows.

Definition 2 (PRF-advantage)

Let \(\mathcal {A}\) be a distinguisher (oracle algorithm) and \(f : {\mathcal {K}} \times \{0,1\}^{m} \to \{0,1\}^{p}\). Then, the PRF-advantage of \(\mathcal {A}\) against f is defined as

$$\mathbf{Adv}^{\text{prf}}_{f}(\mathcal{A}) = | \textbf{P}[\mathcal{A}^{f_{\textit{\textsf{K}}}} \rightarrow 1 : \textit{\textsf{K}} \leftarrow_{\$} \mathcal{K}] - \textbf{P}[\mathcal{A}^{\textsf{RF}_{m \to p}} \rightarrow 1]|.$$

As we restrict to only deterministic keyed functions (i.e., functions which give same output on same input) we can assume, without loss of generality, that the adversary does not repeat its queries. In other words, if Q1,…,Q q are all queries then these are distinct. We can also assume that \(\mathcal {A}\) is deterministic as it can always run with the best random coins which maximize the advantage. Suppose \(\mathcal {A}\) makes q distinct queries adaptively, denoted Q1,…,Q q , and obtains responses U1,…,U q . So, when \(\mathcal {A}\) in interacting with RFmp, the outputs are uniformly and independently distributed over {0,1}p which we denote as U1,…,U q $ {0,1}p.

Similarly, let X1,…,X q denote the outputs of fK where \(\textsf {K} \leftarrow _{\$} {\mathcal {K}}\). We denote the probability distributions associated with U1,…,U q and X1,…,X q by P 1 and P 0 respectively. Thus,

$$ {{\mathbf{Adv}}^{\text{prf}}_{f}}(\mathcal{A}) = |\mathbf{P}_{\mathbf{1}}({\mathcal{E}}) - \mathbf{P}_{\mathbf{0}}({\mathcal{E}})| $$
(2)

where \({\mathcal {E}}\) is the set of all q-tuple of responses xq := (x1,…,x q ) ∈ ({0,1}n)q for which \(\mathcal {A}\) returns 1. From the definition the total variation (also known as the statistical distance) between P 0 and P 1 is

$$ d_{\text{TV}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}}) \overset{\text{def}}{=} \frac{1}{2}\sum\limits_{x^{q} \in (\{0,1\}^{n})^{q}}|\mathbf{P}_{\mathbf{0}}(x^{q}) - \mathbf{P}_{\mathbf{1}}(x^{q})| = \max_{{\mathcal{E}} \subseteq \mathrm{\Omega}} (\mathbf{P}_{\mathbf{0}}({\mathcal{E}}) - \mathbf{P}_{\mathbf{1}}({\mathcal{E}})). $$
(3)

Hence,

$${{\mathbf{Adv}}^{\text{prf}}_{f}}(\mathcal{A}) \leq d_{\text{TV}}(\mathbf{P}_{\mathbf{1}}, \mathbf{P}_{\mathbf{0}}). $$

Footnote 3 Thus, the main cryptographic objective (that of determining the PRF-advantage \({{\mathbf {Adv}}^{\text {prf}}_{f}}(\mathcal {A})\)) turns out to be a purely probability or statistical problem. Next, we discuss the χ2 method which provides an upper bound of total variation between two joint distributions.

2.2 χ 2 method

Let \(\mathsf {X} := (\mathsf {X}_{1}, \ldots , \mathsf {X}_{q})\) and Z := (Z1,…,Z q ) are two random vectors of size q distributed over Ωq. Let us denote the probability distributions of X and Z as P 0 and P 1 respectively. We denote the conditional probability distributions as follows.

$$\begin{array}{@{}rcl@{}} \mathbf{P}_{\mathbf{0}|x^{i-1}}(x_{i}) & =& \mathbf{P}(\mathsf{X}_{i}= x_{i}| \mathsf{X}_{1} = x_{1}, \ldots, \mathsf{X}_{i-1} = x_{i-1}) \\ \mathbf{P}_{\mathbf{1}|x^{i-1}}(x_{i}) & =& \mathbf{P}(\mathsf{Z}_{i}= x_{i}| \mathsf{Z}_{1} = x_{1}, \ldots, \mathsf{Z}_{i-1} = x_{i-1}) \end{array} $$

When i = 1, \(\mathbf {P}_{\mathbf {0}|x^{i-1}}(x_{1})\) represents \(\mathbf {P}(\mathsf {X}_{1} = x_{1})\). Similarly, for \(\mathbf {P}_{\mathbf {1}|x^{i-1}}(x_{1})\). Let \(x^{i-1} \in \mathrm {\Omega }^{i-1}\), i ≥ 1. Let us denote the χ2 distance between \(\mathbf {P}_{\mathbf {0}|x^{i-1}}\) and \(\mathbf {P}_{\mathbf {1}|x^{i-1}}\) as \(\chi ^{2}(x^{i-1})\), i.e.,

$$\chi^{2}(x^{i-1}):= d_{\chi^{2}}(\mathbf{P}_{\mathbf{0}|x^{i-1}}, \mathbf{P}_{\mathbf{1}|x^{i-1}}). $$

Thus, χ2 is a real valued function. The next theorem is the crux of the χ2 method; it bounds the total variation between two joint distributions in terms of the χ2 distance between the corresponding conditional distributions.

Theorem 1 ([7])

Suppose P 0 and P 1 denote probabilitydistributions ofX := (X1,…,X q )and\(\mathsf {Z} := (\mathsf {Z}_{1}, \ldots , \mathsf {Z}_{q})\)andfor all\(x_{1}, \ldots , x_{i-1}\),we have\(\mathbf {P}_{\mathbf {0}|x^{i-1}}\ll \mathbf {P}_{\mathbf {1}|x^{i-1}}\).Then

$$d_{\text{TV}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}}) \leq \left( {1\over 2} \sum\limits_{i = 1}^{q} \mathbf{Ex}[{\chi}^{2}(\mathsf{X}^{i-1})]\right)^{1\over 2}. $$

For the sake of completeness, we provide a complete proof of this theorem in Appendix A. In our setup, note that \(\mathsf {Z}_{1}, \ldots , \mathsf {Z}_{q} \leftarrow _{\$} {\{0,1\}}^{p}\) for some p and hence \(\mathbf {P}_{\mathbf {1}|x^{i-1}}(x_{i}) = \frac {1}{2^{p}}\) for all xi. So,

$$\mathbf{Ex}[{\chi}^{2}(\mathsf{X}^{i-1})] = 2^{p}\sum\limits_{x_{i}} \mathbf{Ex}_{\mathsf{X}^{i-1}}\left[\left( \mathbf{P}(\mathsf{X}_{i}= x_{i}| \mathsf{X}_{1},\ldots, \mathsf{X}_{i-1}) - \frac{1}{2^{p}}\right)^{2}\right]. $$

In the following subsection, we describe two constructions for which this method was applied.

2.3 Two random permutation based constructions

In this paper, we mainly deal with two constructions based on a random permutation RP n . Similar to a random function, if all queries to a random permutation RP n are distinct and depends only on the previous responses (which is the case for an adversary), the outputs V1,…,V q behave like a random sample without replacement (WOR) from {0,1}n. We write \(\mathsf {V}_{1}, \ldots , \mathsf {V}_{q} \gets _{\text {wor}} \{0,1\}^{n}\) to denote this. More formally, for all distinct\(x_{1}, \ldots , x_{q} \in \{0,1\}^{n}\), \(\textbf {P}(\mathsf {V}_{1} = x_{1}, \ldots \mathsf {V}_{q} = x_{q}) = \frac {1}{(N)_{q}}\), where (N) q = N(N − 1)⋯(Nq + 1). Now, we briefly describe the constructions.(1) XORConstruction. Define XOR π : {0,1}n− 1 →{0,1}n to be the construction that takes a permutation πPerm n x ∈{0,1}n− 1 it returns π(x∥0) ⊕ π(x∥1). Thus, XOR construction based on a random permutation RP n returns X1,…,X q where X1 :=V1V2, …, X q :=V2q− 1V2q and V1,…,V2qwor{0,1}n.(2) trRPConstruction. Let mn and trunc m denotes the truncation function which returns the first m bits of x ∈{0,1}n. Truncated random permutation is a composition of random permutation followed by a truncation function. More formally, we define for every x ∈{0,1}n,

$$\mathsf{trRP}_{m}(x) = \mathsf{trunc}_{m}(\textsf{RP}_{n}(x)).$$

Note that it is a function family, keyed by random permutation, mapping the set of all n-bit sequences to the set of all m-bit sequences. Let X1,…,X q denote the q outputs of trRP m . Then X i =trunc m (V i ) for all i.

PRF-security of this construction has been studied by Stam in 1978, though in a much broader context (see [25] for details), and later by others (e.g., [1, 8,9,10, 13]). In particular, Stam proved the following statement.

Theorem 2 ([25])

LetV1,…,V q wor{0,1}n,U1,…,U q $ {0,1}mandX i =trunc m (V i )foralli.Then

$$d_{\text{TV}}(\mathsf{X}, \mathsf{U}) \leq {1\over 2}\left( \sum\limits_{i = 1}^{q} \frac{(M-1)q(q-1)}{(N-1)(N-q + 1)}\right)^{1\over 2} $$

whereX = (X1,…,X q )andU = (U1,…,U q ).

The following corollary (though not proved by Stam) is immediate from the relationship between PRF-advantage and total variation.

Corollary 1

LetM = 2m,N = 2nandmn. For anyadversary\(\mathcal {A}\)makingqqueries wehave

$${{\mathbf{Adv}}^{\text{prf}}_{{\mathsf{trRP}}_{m}}}(\mathcal{A}) \leq {1\over 2}\left( \sum\limits_{i = 1}^{q} \frac{(M-1)q(q-1)}{(N-1)(N-q + 1)}\right)^{1\over 2}.$$

Remark 1

The upper bounds on the PRF-advantage of the trRP Construction given in [8, 13] are different (and weaker) than the one obtained by Stam. Although the bounds are similar for some choices of parameters. In [10], all these results are mentioned, and the proofs are briefly surveyed. In [10], a general tight lower bound on the PRF-advantage has been proved (improving on the lower bound declared in [13]).

3 Proof of theorem 2 using the χ 2 method

Now we provide an alternative proof of Theorem 2 using the χ2 method. We briefly recall the setup. Here V1,…,V q wor{0,1}n and X i =trunc m (V i ). Let x ∈{0,1}m, i ≥ 1 be an integer, and K = N/M. Also, let H denote the number of j < i, for which trunc m (V j ) = x. The probability distribution of H is well known as the hypergeometric distribution HG(N,K,i − 1). For every max(0,s + KN) ≤ a ≤ min(K,s) we have

$$\mathbf{P}(\mathsf{H} = a) = \frac{{K \choose a} \times {N-K \choose s -a}}{{N \choose s}}.$$

The following fact states the expectation and variance formula of a hypergeometric distribution. Its proof can be found in standard probability theory text books and hence we skip it.

Fact 1

Let H follow hypergeometric distribution HG(N,K,s) and let p denote \(\frac {K}{N}\). Then,

$$\begin{array}{@{}rcl@{}} \mathbf{Ex}[\mathsf{H}] &= & sp. \end{array} $$
(4)
$$\begin{array}{@{}rcl@{}} \mathbf{Var}[\mathsf{H}] := \mathbf{Ex}[\mathsf{H} - \mathbf{Ex}[\mathsf{H}]]^{2} &= & sp(1-p) \times \frac{N - s}{N-1}. \end{array} $$
(5)

As an aside, we mention that the factor \(\frac {N-s}{N-1}\) is also known as the finite sampling correction factor. Up to this factor, the expression of variance is same as that of the binomial distribution.

Now, we apply the χ2 method to bound the total variation dTV(X,U), where U1,…,U q $ {0,1}m. Let P 0 and P 1 denote the probability distributions of X and U respectively. Note that

$$\begin{array}{@{}rcl@{}} \mathbf{P}_{\mathbf{0}|x^{i-1}}(x) & =& \mathbf{P} (\mathsf{X}_{i} =x | \mathsf{X}_{1} = x_{1}, \ldots, \mathsf{X}_{i-1} = x_{i-1}) \\ & =& \mathbf{P} (\mathsf{V}_{i} \not\in {\mathcal{S}}), \text{where} \ {\mathcal{S}}_{i,x}(x^{i-1}) = \{v \in {\{0,1\}}^{n}: \exists j <i \mathsf{\ trunc}_{m}(v) = x_{j} \}\\ & =& \frac{{N \over M} - |{\mathcal{S}}_{i,x}(x^{i-1})|}{N - i + 1}. \end{array} $$

Let \(N_{i,x}(x^{i-1}) := |{\mathcal {S}}_{i,x}(x^{i-1})|\) and Hi,x = Ni,x(Xi− 1). Then it is easy to see from the definition of the heypergeometric distribution that Hi,x follows HG(N,N/M,(i − 1)). Now, we compute the χ2 function evaluated at xi− 1.

$$\begin{array}{@{}rcl@{}} \chi^{2}(x^{i-1}) & = &\sum\limits_{x \in [M]} M\left( \frac{{N \over M} - N_{i,x}(x^{i-1})}{N - i + 1} - \frac{1}{M}\right)^{2} \\ & = &\sum\limits_{x \in [M]} \frac{M}{(N-i + 1)^{2}} \times \left( N_{i,x}(x^{i-1}) - \frac{i-1}{M}\right)^{2}. \end{array} $$

Hence,

$$\begin{array}{@{}rcl@{}} \mathbf{Ex}[\chi^{2}(\mathsf{X}^{i-1})] & = &\mathbf{Ex}\left[\sum\limits_{x \in [M]} \frac{M}{(N-i + 1)^{2}} \times \left( \mathsf{H}_{i,x} - \frac{i-1}{M}\right)^{2} \right] \\ & =& \sum\limits_{x \in [M]} \frac{M}{(N-i + 1)^{2}} \times \mathbf{Var}[\mathsf{H}_{i,x}]. \end{array} $$
(6)

This follows from the linearity of the expectation and the fact that Ex[Hi,x] = (i − 1)/M. By substituting the value of Var[N x ] as described in the Fact 1, we obtain

$$\begin{array}{@{}rcl@{}} \mathbf{Ex}[\chi^{2}(\mathsf{X}^{i-1})] & = &\frac{M^{2}}{(N-i + 1)^{2}} \times \frac{i-1}{M} \times \left( 1 - {1 \over M}\right) \times \frac{N-i + 1}{N-1} \\ & =& \frac{(M-1)(i-1)}{(N-1)(N-i + 1)}. \end{array} $$

Now by using Theorem 1 we have

$$\begin{array}{@{}rcl@{}} d_{\text{TV}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}}) & \leq &\left( {1\over 2} \sum\limits_{i = 1}^{q} \mathbf{Ex}[{\chi}^{2}(\mathsf{X}^{i-1})]\right)^{1\over 2} \\ & =& \left( {1\over 2}\sum\limits_{i = 1}^{q} \frac{(M-1)(i-1)}{(N-1)(N-i + 1)}\right)^{1\over 2} \\ &\leq& \left( {1\over 2}\sum\limits_{i = 1}^{q} \frac{(M-1)(i-1)}{(N-1)(N-q + 1)}\right)^{1\over 2} \\ &=& {1\over 2}\left( \sum\limits_{i = 1}^{q} \frac{(M-1)q(q-1)}{(N-1)(N-q + 1)}\right)^{1\over 2}. \end{array} $$

Remark 2

In order to draw comparison between our proof (using the χ2 method) of Theorem 2 and the proof due to Stam, we remark that the main ideas of both the proofs are same; namely both use the chain rule of the KL divergence, concavity of the logarithm function, and also the hypergeometric distribution. However, unlike in our case (in (6)) Stam did not make explicit use of variance of the hypergeometric distribution. Instead, he used Jensen’s inequality. Moreover, our proof is simpler and modular compared to Stam’s proof with a more direct approach.

4 Overview of the proof by Dai et al. and its flaw

In this section, we provide a brief overview of the proof by Dai et al. to precisely point out the gap in their proof. In order to better emphasize, we provide a brief sketch of the proof due to Dai et al. We mostly follow the notation by the authors along with our notational convention. For example, we mostly use N instead of 2n. Moreover, for simplicity we write the set {0,1}n ∖{0n} as [N].

Theorem 3 ([7])

Fix an integern ≥ 8and letN = 2n. Forany adversary\(\mathcal {A}\)that makes\(q \leq \frac {N}{32}\)queries we have

$$\mathbf{Adv}^{\text{prf}}_{\mathsf{XOR}}(\mathcal{A}) \leq \frac{1.5q + 3 \sqrt{q}}{N}.$$

Proof due to Dai et al. in [7]

Let \(\mathcal {A}\) be an adversary making exactly q distinct queries adaptively. As we have observed before, the output distributions of random function and XOR function do not depend on \(\mathcal {A}\). In fact, \(\mathsf {U}^{\prime }_{1}, \ldots , \mathsf {U}^{\prime }_{q} \leftarrow _{\$} \{0,1\}^{n}\) and X1 :=V1V2,…,X q :=V2q− 1V2q are the outputs of random function and XOR construction respectively, where V1,…,V2qwor{0,1}n. Let P 1 and P2 denote the output distributions of X := (X1,…,X q ) and \(\mathsf {U}^{\prime } := (\mathsf {U}^{\prime }_{1}, \ldots , \mathsf {U}^{\prime }_{q})\) respectively. Thus,

$${{\mathbf{Adv}}^{\text{prf}}}_{\mathsf{XOR}}(\mathcal{A}) \leq d_{\text{TV}}(\mathbf{P}_{\mathbf{1}}, \mathbf{P}_{{2}}).$$

Now, we note that X i ’s cannot take 0n and hence it is natural to consider the q-tuple of random variables U1,…,U q $ [N] := {0,1}n ∖{0n}. Let us denote by P 0 the probability distribution of U1,…,U q . By simple algebra, we have dTV(P 0 ,P2) ≤ q/2n. Also, using triangle inequalityFootnote 4, we have

$$\mathbf{Adv}^{\text{prf}}_{\mathsf{XOR}}(\mathcal{A}) \leq d_{\text{TV}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}}) + q/2^{n}.$$

At this point, the χ2 method (i.e., Theorem 1) gives an upper bound on dTV(P 0 ,P 1 ). The rest of the proof is devoted to show \(d_{\text {TV}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}}) \leq \frac {0.5q + 3 \sqrt {q}}{2^{n}}\).

For every non-zero x1,…,x i , we clearly have \(\mathbf {P}_{\mathbf {0}|x^{i-1}}(x_{i}) = 1/(N-1)\). For simplicity, let us denote by Yi,x the conditional probability \(\mathbf {P}_{\mathbf {1}}(x)\) which is also a function over xi− 1. When xi− 1 is chosen following the distribution of Xi− 1, we denote Yi,x as Yi,x. From the definition of χ2 function corresponding to (V1,…,V q ) and (U1,…,U q ), we have

$$ \chi^{2}(x^{i-1}) = \sum\limits_{x \neq 0^{n}} (N-1)\left( Y_{i,x} - \frac{ 1}{N-1}\right)^{2}. $$
(7)

Now, we give a brief description of the rest but critical part of the proof where the authors provided an upper bound on Ex[χ2(Xi− 1)]. We keep the authors’ flow (suppressing some calculation which will be denoted as ∗∗∗) and wordings. However, we change some of their notations in order to make them consistent with our notation. Authors complete the proof as described below.

We now expand Yi,x into a more expressive and convenient formula to work with. ∗∗∗ Let S = {V1,V2,…,V2i− 2}. Let Di,x be the number of pairs (u,ux) such that both u and ux belongs to S. Note that S and Di,x are both random variables, and in fact functions of the random variables V1,V2,…,V2i− 2. ∗∗∗ Hence,

$$ \mathsf{Y}_{i,x} = \frac{N- 4(i-1)+ \mathsf{D}_{i,x}}{(N- 2i + 1)(N- 2i)}.\\ $$
(8)
$$\begin{array}{cc} ***\\ \left( \mathsf{Y}_{i,x} - \frac{ 1}{N-1}\right)^{2} \leq \frac{3(\mathsf{D}_{i,x}- 4(i-1)^{2}/N)^{2} + 18}{N^{4}}. \end{array} $$

From (7),

$$\begin{array}{@{}rcl@{}} \mathbf{Ex}[\chi^{2}(\mathsf{X}^{i-1})] & \leq &\sum\limits_{x \neq 0^{n}} N \cdot \mathbf{Ex}\left[\left( \mathsf{Y}_{i,x} - \frac{ 1}{N-1}\right)^{2}\right] \end{array} $$
(9)
$$\begin{array}{@{}rcl@{}} & \leq &\sum\limits_{x \neq 0^{n}} \frac{18}{N^{3}} + \frac{3}{N^{3}} \cdot \mathbf{Ex}\left[\left( \mathsf{D}_{i,x} - \frac{4(i-1)^{2}}{N}\right)^{2}\right] \end{array} $$
(10)

In the last formula, it is helpful to think of each Di,x as a function of V1,V2,…,V2i− 2, and the expectation is taken over the choices of V1,V2,…,V2i− 2 sampled uniformly without replacement from {0,1}n. We will show thatFootnote 5 for any x ∈{0,1}n ∖{0n},

$$ \mathbf{Ex}\left[\left( \mathsf{D}_{i,x} - \frac{4(i-1)^{2}}{N}\right)^{2}\right] \leq \frac{4(i-1)^{2}}{N} $$
(11)

and thus

$$\mathbf{Ex}[\chi^{2}(\mathsf{X}^{i-1})] \leq \frac{18}{N^{2}} + \frac{12(i-1)^{2}}{N^{3}}.$$

Summing up, from χ2-method

$$\begin{array}{@{}rcl@{}} d_{\text{TV}}(\mathbf{P}_{\mathbf{0}}, \mathbf{P}_{\mathbf{1}}) & \leq \left( {1\over 2} \sum\limits_{i = 1}^{q} \mathbf{Ex}[{\chi}^{2}(\mathsf{X}^{i-1})]\right)^{1\over 2} \\ & \leq \frac{3\sqrt{q}+ .5q}{N}. \end{array} $$

4.1 Flaw in the above proof and its repair under an assumption

Let us revisit (8). Let us fix distinct v1,…,v2i− 2 and define the set \({\mathcal {S}} = \{v_{1}, \ldots , v_{2i-2} \}\). Let Di,x denote the number of pairs (u,ux) such that both u and ux belong to \(\mathcal {S}\). Let x1 = v1v2,…,xi− 1 = v2i− 3v2i− 2. Now, it is easy to see that

$$ \mathbf{P}(\mathsf{X}_{i} = x|\mathsf{V}_{1} = v_{1}, \ldots, \mathsf{V}_{2i-2} = v_{2i-2}) = \frac{N- 4(i-1)+ D_{i,x}}{(N- 2i + 1)(N- 2i)} $$
(12)

which appeared in the right hand side of (8). Whereas the left hand side of the equation is P(X i = x|X1 = x1,…,Xi− 1 = xi− 1). Note that in general,

$$ \mathbf{P}(\mathsf{X}_{i} = x|\mathsf{V}_{1} = v_{1}, \ldots, \mathsf{V}_{2i-2} = v_{2i-2}) = \mathbf{P}(\mathsf{X}_{i} = x|\mathsf{X}_{1} = x_{1}, \ldots, \mathsf{X}_{i-1} = x_{i-1}) $$
(13)

does not hold for everyv 1 ,…,v2i− 2. Hence (8) is incorrect.

After observing this flaw in the proof, let us see how we can fix it. If we can prove (10) in some other way, we can still continue with the rest of the proof. This can be proved if we can prove a variant of the (8) as follows:

$$\begin{array}{@{}rcl@{}} \sum\limits_{x} \mathbf{Ex}[(\mathsf{Y}_{i,x} - c)^{2}] = \sum\limits_{x} \mathbf{Ex}\left[\left( \frac{N- 4(i-1)+ \mathsf{D}_{i,x}}{(N- 2i + 1)(N- 2i)} -c\right)^{2}\right], \end{array} $$

where c = 1/(N − 1). In other words,

$$\begin{array}{@{}rcl@{}}\ \sum\limits_{x} \mathbf{Ex}\left[(\mathbf{P}(\mathsf{X}_{i} = x|\mathsf{X}^{i-1}) - c)^{2}\right] = \sum\limits_{x} \mathbf{Ex}\left[(\mathbf{P}(\mathsf{X}_{i} = x|\mathsf{V}^{2i-2}) -c)^{2}\right]. \end{array} $$

The above equation is equivalent to

$$\begin{array}{@{}rcl@{}} \underset{\mathsf{V}^{2i-2}}{\mathbf{Ex}}\left[\sum\limits_{x \in [N]^*}\mathbf{P}(\mathsf{X}_{i} = x|\mathsf{V}^{2i-2})^{2}\right] = \underset{\mathsf{X}^{i-1}}{\mathbf{Ex}}\left[\sum\limits_{x \in [N]^*}\mathbf{P}(\mathsf{X}_{i} = x|\mathsf{X}^{i-1})^{2}\right] \end{array} $$
(14)

We will show in the subsequent section that (14) is not actually true. This in fact shows that the (13) is actually an inequality for certain choices of v i ’s. However, the proof can still survive if we have the following weaker statement which we place here as an assumption.

Assumption 1

$$\begin{array}{@{}rcl@{}} \underset{\mathsf{V}^{2i-2}}{\mathbf{Ex}}\left[\sum\limits_{x \in [N]^*}\mathbf{P}(\mathsf{X}_{i} = x|\mathsf{V}^{2i-2})^{2}\right] \geq \underset{\mathsf{X}^{i-1}}{\mathbf{Ex}}\left[\sum\limits_{x \in [N]^*}\mathbf{P}(\mathsf{X}_{i} = x|\mathsf{X}^{i-1})^{2}\right] \end{array} $$
(15)

Under this assumption, we can justify the inequalities appearing in (9) and (10). Hence, we can complete the proof of PRF-security of XOR construction under the above assumption. In the following section, we study the assumption for i = 2 and i = 3.

5 On the correctness of Assumption 1

In this section, we study the correctness of our assumption stated in the previous section for some small choices of i, namely for i = 2 and 3.

Theorem 4

$$\begin{array}{@{}rcl@{}} \underset{\mathsf{X}_{1}}{\mathbf{Ex}}\left[\sum\limits_{x_2 \in [N]^*}\mathbf{P}(\mathsf{X}_{2} = x_2| \mathsf{X}_{1})^{2}\right] = \underset{\mathsf{V}^{2}}{\mathbf{Ex}}\left[\sum\limits_{x_2 \in [N]^*}\mathbf{P}(\mathsf{X}_{2} = x_2|\mathsf{V}^{2})^{2}\right]. \end{array} $$
(16)

Proof

For notational simplicity we will write [N] to represent the set {1,2,…,N − 1}. Now, we evaluate the two sides of (16).

L.H.S. of (16): Expanding the l.h.s. of (16) we get

$$\begin{array}{@{}rcl@{}} \underset{\mathsf{X}_{1}}{\mathbf{Ex}}\left[\sum\limits_{x_2 \in [N]^*}\mathbf{P}(\mathsf{X}_{2}=x_2| \mathsf{X}_{1})^{2}\right] = \sum\limits_{x_1} \sum\limits_{x_2 \in [N]^*} {\mathbf{P}(\mathsf{X}_{2}=x_2, \mathsf{X}_{1}=x_1)^{2} \over \textbf{P}(\mathsf{X}_{1}=x_{1})}. \end{array} $$
(17)

Now, it follows that

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{X}_{1}=x_1) &=& \mathbf{P}(\mathsf{V}^{2}=v^{2}| \mathsf{V}_{1}+\mathsf{V}_{2}=x_1)\\ &=& {N \over N(N-1)}\\ &=& {1 \over N-1}. \end{array} $$

Next, we split the sum in (17) into the following two subcases: (i) Case 1.1, where we consider the condition x2 = x1, and (ii) Case 1.2, where we consider the condition x2x1. In each of the subcases, we determine the number of tuples (x2,x1) and probability P(X2 = x2,X1 = x1) of a particular tuple satisfying the conditions of the subcase.

Case 1.1: (x2 = x1).

$$\begin{array}{@{}rcl@{}}\lvert\{(x_2, x_1)| x_2 = x_1 \}\rvert = N-1.\\ \end{array} $$

Next, we have

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{X}_{2}=x_2, \mathsf{X}_{1}=x_1) &=& \mathbf{P}(\mathsf{V}^{4}| \mathsf{V}_{1}+\mathsf{V}_{2} = x_1 =x_2= \mathsf{V}_{3} +\mathsf{V}_{4})\\ &=& {N(N-2)\over N(N-1)(N-2)(N-3)} \\ &=& {1 \over (N-1)(N-3)}. \end{array} $$

Therefore,

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \sum\limits_{{x_1, x_2 \in [N]^* \atop x_2 = x_1}}{\mathbf{P}(\mathsf{X}_{2}=x_2, \mathsf{V}^{2}=v^{2})^{2} \over \mathbf{P}(\mathsf{V}^{2}=v^{2})}&= {1 \over (N-3)^{2}}. \end{array} \end{array} $$
(18)

Case 1.2: (x2x1).

$$\begin{array}{@{}rcl@{}}\lvert\{(x_2, x_1)| x_2 \neq x_1 \}\rvert = (N-2)(N-3). \end{array} $$

Now,

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{X}_{2}=x_2, \mathsf{X}_{1}=x_1) &=& \mathbf{P}(\mathsf{V}^{4}| \mathsf{V}_{1}+\mathsf{V}_{2} = x_1 \neq x_2= \mathsf{V}_{3} +\mathsf{V}_{4})\\ &=&{N(N-4)\over N(N-1)(N-2)(N-3)} \\ &=& {N-4 \over (N-1)(N-2)(N-3)}. \end{array} $$

Hence,

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \sum\limits_{{x_1, x_2 \in [N]^* \atop x_2 \neq x_1}}{\mathbf{P}(\mathsf{X}_{2}=x_2, \mathsf{X}_{1}=x_1)^{2} \over \mathbf{P}(\mathsf{X}_{1}=x_1)}&= {(N-4)^{2} \over (N-2)(N-3)^{2}}. \end{array} \end{array} $$
(19)

From (18) and (19) we get

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \underset{\mathsf{X}_{1}}{\mathbf{Ex}}[\sum\limits_{x_2 \in [N]^*}\mathbf{P}(\mathsf{X}_{2}=x_2| \mathsf{X}_{1})^{2}] &= {1 \over (N-3)^{2}}+{(N-4)^{2} \over (N-2)(N-3)^{2}}. \end{array} \end{array} $$
(20)

R.H.S. of (16): Expanding the r.h.s. of (16) we get

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \underset{\mathsf{V}^{2}}{\mathbf{Ex}}[\sum\limits_{x_2 \in [N]^*}\mathbf{P}(\mathsf{X}_{2}=x_2| \mathsf{V}^{2})^{2}] &= \sum\limits_{v^{2}} \sum\limits_{x_2 \in [N]^*}{\mathbf{P}(\mathsf{X}_{2}=x_2, \mathsf{V}^{2}=v^{2})^{2} \over \mathbf{P}(\mathsf{V}^{2}=v^{2})}. \end{array} \end{array} $$
(21)

Next, it follows that

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{V}^{2}= v^{2}) &= {1 \over N(N-1)}. \end{array} $$

Similar to the l.h.s., we split the sum in the r.h.s of (21) depending on the conditions (i) (Case 2.1), and (ii) x2 = v1 + v2 (iii) x2v1 + v2 (Case 2.2). In each of the subcases, we determine the number of tuples (x2,v2) and probability P(X2 = x2,V2 = v2) of a particular tuple satisfying the conditions of the subcase.

Case 2.1: (x2 = v1 + v2).

$$\begin{array}{@{}rcl@{}}\lvert\{(x_2,v^{2}) | x_2 =v_1+v_2 \}\rvert = N(N-1).\\ \end{array} $$
$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{X}_{2}=x_2, \mathsf{V}^{2}=v^{2}) &=& \mathbf{P}(\mathsf{V}^{4}=v^{4}| \mathsf{V}_{1}+\mathsf{V}_{2} = \mathsf{V}_{3} +\mathsf{V}_{4}= x_2)\\ &=&{(N-2)\over N(N-1)(N-2)(N-3)} \\ &=& {1 \over N(N-1)(N-3)}. \end{array} $$

So,

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \sum\limits_{v^{2}} \sum\limits_{{x_2 \in [N]^* \atop x_2 = v_1+v_2}} {\mathbf{P}(\mathsf{X}_{2}=x_2, \mathsf{V}^{2}=v^{2})^{2} \over \mathbf{P}(\mathsf{V}^{2}=v^{2})} &={1 \over (N-3)^{2}}. \end{array} \end{array} $$
(22)

Case 2.2: (x2v1 + v2).

$$\begin{array}{@{}rcl@{}}\lvert\{(x_2,v^{2}) | x_2 \neq v_1+v_2 \}\rvert = N(N-1)(N-2). \end{array} $$
$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{X}_{2}=x_2, \mathsf{V}^{2}=v^{2}) &&= \mathbf{P}(\mathsf{V}^{4}=v^{4}| \mathsf{V}_{1}+\mathsf{V}_{2} \neq x_2= \mathsf{V}_{3} +\mathsf{V}_{4})\\ &&= {N(N-4)\over N(N-1)(N-2)(N-3)} \\ &&= {N-4 \over (N-1)(N-2)(N-3)}. \end{array} $$

Therefore,

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \sum\limits_{{v^{2}}} \sum\limits_{{x_2 \in [N]^* \atop x_2 \neq v_1+v_2}} {\mathbf{P}(\mathsf{X}_{2}=x_2, \mathsf{V}^{2}=v^{2})^{2} \over \mathbf{P}(\mathsf{V}^{2}=v^{2})} &={(N-4)^{2} \over (N-2)(N-3)^{2}}. \end{array} \end{array} $$
(23)

From (22) and (23) we get

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \underset{\mathsf{V}^{2}}{\mathbf{Ex}}[\sum\limits_{x_2 \in [N]^*}\mathbf{P}(\mathsf{X}_{2}= x_2| \mathsf{V}^{2})^{2}] &= {1 \over (N-3)^{2}}+{(N-4)^{2} \over (N-2)(N-3)^{2}}. \end{array} \end{array} $$
(24)

The theorem follows by comparing (20) and (24).

So we have shown that our assumption is valid for i = 2 (in fact these are equal). Now we show that the assumption is still valid for i = 3. Here we have strict inequality.

Theorem 5

$$\begin{array}{@{}rcl@{}} \underset{\mathsf{X}^{2}}{\mathbf{Ex}}[\sum\limits_{x_3 \in [N]^*}\mathbf{P}(\mathsf{X}_{3}=x_3|\mathsf{X}^{2})^{2}] < \underset{\mathsf{V}^{4}}{\mathbf{Ex}}[\sum\limits_{x_3 \in [N]^*}\mathbf{P}(\mathsf{X}_{3}=x_3| \mathsf{V}^{4})^{2}]. \end{array} $$
(25)

Proof

As in the proof of the previous theorem, we consider the two sides of (25) separately. However, in this proof, the calculations are more involved. In order to help the reader follow the steps of the proof, we show the proof structure in Fig. 1. In the figure, the root node corresponds to (25), and its two children correspond to calculation of the two sides of (25). In the remaining nodes, we show the conditions corresponding to the subcases.

Fig. 1
figure 1

Proof structure of Theorem 5

Full size image

L.H.S. of (25): Expanding the l.h.s. of (25) we get

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \underset{\mathsf{X}^{2}}{\mathbf{Ex}}[\sum\limits_{x_3 \in [N]^*}\mathbf{P}(\mathsf{X}_{3}=x_3|\mathsf{X}^{2})^{2}] &= \sum\limits_{x^{2}} \sum\limits_{x_3 \in [N]^*} {\textbf{P}(\mathsf{X}_{3}=x_{3},\mathsf{X}^{2}=x^{2})^{2} \over \textbf{P}(\mathsf{X}^{2}=x^{2})}. \end{array} \end{array} $$
(26)

We split the outer sum in the r.h.s. of (26) depending on the conditions (i) x1 = x2 (Case 1.1), and (ii) x1x2 (Case 1.2). For each of these subcases and subcases of these subcases, we determine the number of tuples (x3,x2) and the probability P(X3 = x3,X2 = x2) of a particular tuple satisfying the conditions of the subcase.

Case 1.1: (x1 = x2).

In this case, we have

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \mathbf{P}(\mathsf{X}^{2}=x^{2}) &= \mathbf{P}(\mathsf{V}^{4}=v^{4}| \mathsf{V}_{1}+ \mathsf{V}_{2} =x_1 =x_2= \mathsf{V}_{3}+ \mathsf{V}_{4} )\\ &= {N(N-2)\over N(N-1)(N-2)(N-3)}\\ &= {1 \over (N-1)(N-3)}. \end{array} \end{array} $$

Next, we consider the following two subcases of this case: (i) Case 1.1.1, where we consider the condition x3 = x1, and (ii) Case 1.1.2, where we consider the condition x3x1.

Case 1.1.1: (x3 = x1 = x2).

$$\begin{array}{@{}rcl@{}}\lvert\{(x_3, x_1, x_2)| x_3 = x_1 =x_2 \}\rvert = N-1. \end{array} $$
$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \mathbf{P}(\mathsf{X}_{3}=x_3,\mathsf{X}_{1}=x_1, \mathsf{X}_{2}=x_2) &= \mathbf{P}(\mathsf{V}^{6}=v^{6}|\mathsf{V}_{1}+ \mathsf{V}_{2} =\mathsf{V}_{3}+ \mathsf{V}_{4} = \mathsf{V}_{5}+\mathsf{V}_{6}=x_3)\\ &= {N(N-2)(N-4)\over N(N-1)(N-2)(N-3)(N-4)(N-5)}\\ &= {1 \over (N-1)(N-3)(N-5)}. \end{array} \end{array} $$

Case 1.1.2:(x3x1 = x2)

$$\begin{array}{@{}rcl@{}}\lvert\{(x_3,x^{2})| x_3 \neq x_1 =x_2 \}\rvert = (N-1)(N-2). \end{array} $$
$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \mathbf{P}(\mathsf{X}_{3}=x_3,\mathsf{X}^{2}=x^{2}) = \mathbf{P}(&\mathsf{V}^{6}=v^{6}|x_1=\mathsf{V}_{1}+ \mathsf{V}_{2} =\mathsf{V}_{3}+ \mathsf{V}_{4}=x_2 \neq x_3= \mathsf{V}_{5}+\\ &\mathsf{V}_{6} ). \end{array} \end{array} $$
(27)

In order to calculate the probability on the r.h.s. of (112), we first observe that for fixed x1, number of possible choices for (v1,v2) = N. Since v3,v4∉{v1,v2}, so, number of possible choices for (v3,v4) = N − 2. Further, we also require v5,v6∉{v1,v2,v3,v4}. This is equivalent to the condition that v5S = {v1,v2,v3,v4}∪{v1 + x3,v2 + x3,v3 + x3,v4 + x3}. Therefore, in order to determine the number of possible choices of (v5,v6) we need to calculate the cardinality of the set S.

Here, we observe that in order to calculate the cardinality of S, it is enough to determine |{v1}∩{v1 + x3,v2 + x3,v3 + x3,v4 + x3}|. It is clear that v1∉{v1 + x3,v2 + x3}. Hence, we are left with the following two subcases: Case 1.1.2.a and Case 1.1.2.b.

  • Case 1.1.2.a:(v1 ∈{v3 + x3,v4 + x3}). We have the following two possibilities.

    1. 1.

      v1 = v3 + x3: In this case,it also follows that v2 = v4 + x3. So, |S| = 4.

    2. 2.

      v1 = v4 + x3: Similar to the above subcase. Hence, |S| = 4.

  • Case 1.1.2.b:(v1∉{v3 + x3,v4 + x3}). In this case, |S| = 8.

Therefore, out of total N(N − 2) choices of v4, for 2N choices , we have that v1 ∈{v3 + x3,v4 + x3}. For these 2N choices of v4, number of possible choices of (v5,v6) = N − 4. For the remaining N(N − 4) choices of v4, number of possible choices of (v5,v6) = N − 8. Hence,

$$\begin{array}{@{}rcl@{}}\begin{array}{ll} \mathbf{P}(\mathsf{X}_{3}=x_3,\mathsf{X}^{2}=x^{2}) &= {2N(N-4)+N(N-4)(N-8) \over N(N-1)(N-2)(N-3)(N-4)(N-5)}\\ &= {N-6\over (N-1)(N-2)(N-3)(N-5)}. \end{array} \end{array} $$

Summing up the cases 1.1.1 and 1.1.2, we get

$$\begin{array}{@{}rcl@{}} \sum\limits_{{x^{2}\atop{x_1 = x_2}}} \sum\limits_{x_3 \in [N]^*} {\mathbf{P}(\mathsf{X}_{3}=x_3,\mathsf{X}^{2}=x^{2})^{2} \over \mathbf{P}(\mathsf{X}^{2}=x^{2})} &=&{(N-1)^{2}(N-3) \over ((N-1)(N-3)(N-5))^{2}} \\ &&+{(N-1)^{2}(N-2)(N-3)(N-6)^{2}\over ((N-1)(N-2)(N-3)(N-5))^{2}} \\ &=&{1 \over (N-3)(N-5)^{2}} \\ &&+{(N-6)^{2} \over (N-2)(N-3)(N-5)^{2}}. \end{array} $$
(28)

Case 1.2:(x1x2).

$$\begin{array}{@{}rcl@{}}\begin{array}{ll} \mathbf{P}(\mathsf{X}^{2}=x^{2}) &= \mathbf{P}(\mathsf{V}^{4}=v^{4}|\mathsf{V}_{1}+ \mathsf{V}_{2}= x_1 \neq x_2= \mathsf{V}_{3}+ \mathsf{V}_{4}). \end{array} \end{array} $$

Here, we have that for fixed x1 the number of possible choices of (v1,v2) = N. Now, v3∉{v1,v2}∪{v1 + x2,v2 + x2}. Also, {v1,v2}∩{v1 + x2,v2 + x2} = . Therefore, the number of possible choices of (v3,v4) is N − 4. So,

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \mathbf{P}(\mathsf{X}^{2}=x^{2}) &= {N-4 \over (N-1)(N-2)(N-3)}. \end{array} \end{array} $$

Next, we consider the following three subcases depending on (i) x3 = x1 (Case 1.2.1), (ii) x3 = x2 (Case 1.2.2), and (iii) x3∉{x1,x2} (Case 1.2.3).

Case 1.2.1: (x3 = x1)

$$\begin{array}{@{}rcl@{}}\lvert\{(x_3,x^{2}) | x_3 = x_1 \neq x_2 \}\rvert = (N-1)(N-2). \end{array} $$

By following the same argument as in Case 1.1.2, we get

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{X}_{3}=x_3,\mathsf{X}^{2}=x^{2}) &= {N-6\over (N-1)(N-2)(N-3)(N-5)}. \end{array} $$

Case 1.2.2:(x3 = x2) This subcase is same as the previous case, i.e., the Case 1.2.1.Case 1.2.3: (x3∉{x1,x2}) Here, we have the following subcases to consider depending on (i) x3 = x1 + x2 (Case 1.2.3.a) and (ii) x3x1 + x2 (Case 1.2.3.b).

Case 1.2.3.a:(x3 = x1 + x2).

$$\begin{array}{@{}rcl@{}}\lvert\{(x_3,x^{2})| x_3 , x_1, x_2 \ \text{unequal}, x_3 = x_1+x_2 \}\rvert = (N-1)(N-2). \end{array} $$
$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \mathbf{P}(\mathsf{X}_{3}=x_3,\mathsf{X}^{2}=x^{2}) = &\mathbf{P}(\mathsf{V}^{6}=v^{6}|\mathsf{V}_{1}+ \mathsf{V}_{2} = x_1,\mathsf{V}_{3}+ \mathsf{V}_{4} = x_2, \mathsf{V}_{5}+\mathsf{V}_{6}=x_1+\\ &x_2). \end{array} \end{array} $$

Following an analysis similar to Case 1.1.2 we obtain

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{X}_{3}=x_3,\mathsf{X}^{2}=x^{2}) &= {N-8\over (N-1)(N-2)(N-3)(N-5)}. \end{array} $$

Case 1.2.3.b:(x3x1 + x2).

$$ \begin{array}{@{}rcl@{}}\lvert\{(x_3,x^{2})| x_3 , x_1, x_2 \ \text{unequal}, x_3 \neq x_1+x_2 \}\rvert = (N-1)(N-2)(N-4). \end{array} $$
$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \mathbf{P}(\mathsf{X}_{3}=x_3,\mathsf{X}^{2}=x^{2}) = &\mathbf{P}(\mathsf{V}^{6}=v^{6}|\mathsf{V}_{1}+ \mathsf{V}_{2} = x_1,\mathsf{V}_{3}+ \mathsf{V}_{4} = x_2, \mathsf{V}_{5}+\mathsf{V}_{6}\neq x_1+\\ &x_2). \end{array} \end{array} $$

In this case also, we follow an analysis similar to Case 1.1.2 to obtain

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \mathbf{P}(\mathsf{X}_{3}=x_3,\mathsf{X}^{2}=x^{2}) &= {N(N-8)(N-8)+ 4N(N-6) \over N(N-1)(N-2)(N-3)(N-4)(N-5)}\\ & = {N^{2}-12N + 40 \over (N-1)(N-2)(N-3)(N-4)(N-5)}. \end{array} \end{array} $$

By adding the cases 1.2.1, 1.2.2, 1.2.3.a, and 1.2.3.b, we obtain

$$\begin{array}{@{}rcl@{}} \sum\limits_{{x^{2}\atop{x_1 \neq x_2}}} \sum\limits_{x_3 \in [N]^*} {\mathbf{P}(\mathsf{X}_{3}=x_3,\mathsf{X}^{2}=x^{2})^{2} \over \mathbf{P}(\mathsf{X}^{2}=x^{2})} &= &{2(N-6)^{2}\over (N-3)(N-4)(N-5)^{2}} \\ &&+ {(N-8)^{2} \over (N-3)(N-4)(N-5)^{2}}\\ &&+{(N^{2}-12N + 40)^{2}\over (N-3)(N-4)^{2}(N-5)^{2}}. \end{array} $$
(29)

Finally, by adding (211) and (212), we get the following expression for the l.h.s. of (25).

$$\begin{array}{@{}rcl@{}} \underset{\mathsf{X}^{2}}{\mathbf{Ex}}\left[\sum\limits_{x_3 \in [N]^*}\mathbf{P}(\mathsf{X}_{3}=x_3|\mathsf{X}^{2}=x^{2})^{2}\right] &=& {1 \over (N-3)(N-5)^{2}}\\&&+ {(N-6)^{2} \over (N-2)(N-3)(N-5)^{2}}\\&&+ {2(N-6)^{2}\over (N-3)(N-4)(N-5)^{2}}\\&&+ {(N-8)^{2} \over (N-3)(N-4)(N-5)^{2}}\\&&+ {(N^{2}-12N + 40)^{2}\over (N-3)(N-4)^{2}(N-5)^{2}}\\ &=& {\texttt{NUM} \over \texttt{DEN}}, \end{array} $$
(30)

where = N5 − 22N4 + 195N3 − 870N2 + 1936N − 1568 and = N6 − 23N5 + 217N4 − 1073N3 + 2926N2 − 4160N + 2400.

R.H.S. of (16): Next, we obtain the expression for the r.h.s. of (25). As in the case of l.h.s., we expand the sum under expectation as follows.

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \underset{\mathsf{V}^{4}}{\mathbf{Ex}}\left[\sum\limits_{x_3 \in [N]^*}\mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3 | \mathsf{V}^{4})^{2}\right] &=\sum\limits_{{v^{4}}}\sum\limits_{x_3 \in [N]^*}{\mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3 | \mathsf{V}^{4})^{2} \over \mathbf{P}(\mathsf{V}^{4}=v^{4})} \end{array} \end{array} $$
(31)

Clearly, we have

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{V}^{4}= v^{4}) = {1 \over N(N-1)(N-2)(N-3)}. \end{array} $$

Similar to Case 1, we split the outer sum in the r.h.s. of (31) in two subcases: (i) in case 2.1 we consider the condition v1 + v2 = v3 + v4, and (ii) in Case 2.2, we consider the condition v1 + v2v3 + v4. For each of these subcases and subcases of these subcases we determine the number of tuples (x3,v4) and the probability P(V5 +V6 = x3,V4 = v4) of a particular tuple satisfying the conditions of the subcase.Case 2.1:(v1 + v2 = v3 + v4). We further divide this subcase according to the conditions (i) x3 = v1 + v2 = v3 + v4 (Case 2.1.1), and (ii) x3v1 + v2 = v3 + v4 (Case 2.1.2).

Case 2.1.1:(x3 = v1 + v2 = v3 + v4).

$$\begin{array}{@{}rcl@{}}\lvert\{(x_3, v^{4})| x_3 = v_1+v_2=v_3+v_4 \}\rvert = N(N-1)(N-2). \end{array} $$
$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3, \mathsf{V}^{4} = v^{4}) &=& \sum\limits_{{(v_5, v_6),v_5 \neq v_6, v_5+ v_6 =x_3 \atop \{v_5, v_6\} \cap \{v_1,v_2, v_3,v_4\} = \emptyset}} (\mathbf{P}(\mathsf{V}_{5}=v_5, \mathsf{V}_{6}=v_6| \mathsf{V}^{4}=v^{4})\\ &&\times \mathbf{P}(\mathsf{V}^{4}=v^{4}))\\ &=& \sum\limits_{{(v_5, v_6),v_5 \neq v_6, v_5+ v_6 =x_3 \atop \{v_5, v_6\} \cap \{v_1,v_2, v_3, v_4\} = \emptyset}} {\mathbf{P}(\mathsf{V}_{5}=v_5, \mathsf{V}_{6}=v_6| \mathsf{V}^{4}=v^{4})\over N(N-1)(N-2)(N-3)}. \end{array} $$

Clearly, we have

$$\begin{array}{@{}rcl@{}} \lvert \{(v_5, v_6)|v_5 \neq v_6, v_5+ v_6 =x_3, \{v_5, v_6\} \cap \{v_1,v_2, v_3, v_4\} = \emptyset\} \rvert = N-4. \end{array} $$

And for fixed (v5,v6) and v4,

$$\begin{array}{@{}rcl@{}} \mathbf{P}((\mathsf{V}_{5}=v_5, \mathsf{V}_{6}=v_6)| \mathsf{V}^{4}=v^{4})& = {1 \over (N-4)(N-5)}. \end{array} $$

So,

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3, \mathsf{V}^{4} = v^{4}) & = {1 \over N(N-1)(N-2)(N-3)(N-5)}. \end{array} $$

Case 2.1.2:(x3v1 + v2 = v3 + v4). By following an argument similar to the Case 1.1.2 we arrive at the following two subcases depending on the conditions (i) v1 ∈{v3 + x3,v4 + x3} (Case 2.1.2.a), and (ii) v1∉{v3 + x3,v4 + x3} (Case 2.1.2.b).Case 2.1.2.a:(v1 ∈{v3 + x3,v4 + x3}).

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \lvert \{(x_3, v^{4})|x_3\neq v_1+v_2, x_3\in \{v_1+v_3 , v_1+v_4\}\}\rvert &= 2N(N-1)(N-2). \end{array} \end{array} $$

The number of possible choices of the pair (v5,v6) is N − 4. Therefore,

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3, \mathsf{V}^{4} = v^{4}) &= {1\over N(N-1)(N-2)(N-3)(N-5)}. \end{array} $$

Case 2.1.2.b:(v1∉{v3 + x3,v4 + x3}).

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \lvert \{(x_3, v^{4})|x_3\notin \{v_1+v_2, v_1+v_3, v_1+v_4\}\}\rvert &=N(N-1)(N-2)(N-4). \end{array} \end{array} $$

Also, the number of possible choices of the pair (v5,v6) is N − 8. So, in this case we have

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3, \mathsf{V}^{4} = v^{4}) = {(N-8)\over N(N-1)(N-2)(N-3)(N-4)(N-5)}. \end{array} $$

So, summing up the cases 2.1.1, 2.1.2.a and 2.1.2.b, we get

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \sum\limits_{{v^{4} \atop v_1+v_2=v_3+v_4}}\sum\limits_{x_3 \in [N]^*}{\mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3, \mathsf{V}^{4} = v^{4})^{2} \over \mathbf{P}(\mathsf{V}^{4} = v^{4})} =&{1\over (N-3)(N-5)^{2}}\\ &+{2\over (N-3)(N-5)^{2}}\\ &+{(N-8)^{2}\over (N-3)(N-4)(N-5)^{2}}. \end{array} \end{array} $$
(32)

Case 2.2:(v1 + v2v3 + v4) We split this case according to the conditions (i) x3 ∈{v1 + v2,v3 + v4} (Case 2.2.1), (ii) x i i = v1 + v2 + v3 + v4 (Case 2.2.2), and (iii) x3∉{v1 + v2,v3 + v4,v1 + v2 + v3 + v4} (Case 2.2.3).Case 2.2.1:(x3 ∈{v1 + v2,v3 + v4})

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \lvert \{(x_3, v^{4})|x_3 \in \{v_1+v_2, v_3+v_4\}\}\rvert &= 2N(N-1)(N-2)(N-4). \end{array} \end{array} $$

In this case, possible number of choices for the pair (v5,v6) is N − 6. So, we have

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3, \mathsf{V}^{4} = v^{4}) &= {N-6\over N(N-1)(N-2)(N-3)(N-4)(N-5)}. \end{array} $$

Case 2.2.2:(x3 = v1 + v2 + v3 + v4)

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \lvert \{(x_3, v^{4})|x_3 = v_1+v_2 +v_3+v_4\}\}\rvert &=N(N-1)(N-2)(N-4). \end{array} \end{array} $$

The number of possible choices for the pair (v5,v6) is N − 8. Hence,

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3, \mathsf{V}^{4} = v^{4}) &= {N-8\over N(N-1)(N-2)(N-3)(N-4)(N-5)}. \end{array} $$

Case 2.2.3:(x3∉{v1 + v2,v3 + v4,v1 + v2 + v3 + v4}) We further divide this case into the following two subcases depending on (i) v1 ∈{v2 + x3,v4 + x3} (Case 2.2.3.a), and (ii) v1∉{v3 + x3,v4 + x3} (Case 2.2.3.b).Case 2.2.3.a:(v1 ∈{v3 + x3,v4 + x3}).

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \lvert \{(x_3, v^{4})|x_3 \in \{v_3+v_1, v_4+v_1\}\}\}\rvert &= 4N(N-1)(N-2)(N-4). \end{array} \end{array} $$

Possible number of choices for the pair (v4,v5) is N − 6. Therefore,

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3, \mathsf{V}^{4} = v^{4}) &= {N-6\over N(N-1)(N-2)(N-3)(N-5)}. \end{array} $$

Case 2.2.3.b: (v1∉{v3 + x3,v4 + x3}).

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \lvert \{(x_3, v^{4})|x_3 \notin \{v_3+v_1, v_4+v_1\}\}\}\rvert &=N(N-1)(N-2)(N-4)(N-8). \end{array} \end{array} $$

The number of possible choices of the pair (v5,v6) is N − 8. So, in this case, we have

$$\begin{array}{@{}rcl@{}} \mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3, \mathsf{V}^{4} = v^{4}) &= {N-8\over N(N-1)(N-2)(N-3)(N-4)(N-5)}. \end{array} $$

So, summing up the subcases 2.2.1, 2.2.2, 2.2.3.a, and 2.2.3.b, we get

$$\begin{array}{@{}rcl@{}} \begin{array}{ll} \sum\limits_{{v^{4}\atop v_1+v_2 \neq v_3+v_4}}\sum\limits_{x_3 \in [N]^*}{\mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3, \mathsf{V}^{4} = v^{4})^{2} \over \mathbf{P}(\mathsf{V}^{4} = v^{4})} =&{2(N-6)^{2} \over (N-3)(N-4)(N-5)^{2}}\\ &+{(N-8)^{2}\over (N-3)(N-4)(N-5)^{2}}\\ &+{4(N-6)^{2} \over (N-3)(N-4)(N-5)^{2}}\\ &+{(N-8)^{3}\over (N-3)(N-4)(N-5)^{2}}. \end{array} \end{array} $$
(33)

Finally, adding (32) and (33) we get

$$\begin{array}{@{}rcl@{}} \underset{\mathsf{V}^{4}}{\mathbf{Ex}}[\sum\limits_{x_3 \in [N]^*}\mathbf{P}(\mathsf{V}_{5}+\mathsf{V}_{6}=x_3 | \mathsf{V}^{4})^{2}]= {(N^{2} - 11N + 36)\over (N-3)(N-4)(N-5)}. \end{array} $$
(34)

The theorem follows by comparing (21) and (22) (difference between the two being \(16(N^{2} - 8N + 8)\over (N-2)(N-3)(N-4)^{2}(N-5)^{2}\) which is > 0 for N ≥ 8).

6 Concluding remarks

In the concluding part of their paper [7], the authors consider XOR of two independent random permutations construction which is a variant of the XOR of two random permutations construction. Given two independent random permutations π1,π2 of {0,1}n, the construction creates a function g : {0,1}n↦{0,1}n as g(x) = π1(x) ⊕ π2(x). The authors show full security of the construction as well. Steps of the proof are quite similar to the previous one. We mention that the same gap exists (in the same step as (8) in this paper) in this proof as well, which can be demonstrated in similar manner as our proofs in this note. To avoid repetition we do not show this part.