Efficient parallelizable hashing using small non-compressing primitives

  • Regular Contribution
  • International Journal of Information Security

Abstract

A well-established method of constructing hash functions is to base them on non-compressing primitives, such as one-way functions or permutations. In this work, we present \(S^r\), an \(rn\)-to-\(n\)-bit compression function (for \(r\ge 1\)) making \(2r-1\) calls to \(n\)-to-\(n\)-bit primitives (random functions or permutations). \(S^r\) compresses its inputs at a rate (the amount of message blocks per primitive call) up to almost 1/2, and it outperforms all existing schemes with respect to rate and/or the size of underlying primitives. For instance, instantiated with the \(1600\)-bit permutation of NIST’s SHA-3 hash function standard, it offers about \(800\)-bit security at a rate of almost 1/2, while SHA-3-512 itself achieves only \(512\)-bit security at a rate of about \(1/3\). We prove that \(S^r\) achieves asymptotically optimal collision security against semi-adaptive adversaries up to almost \(2^{n/2}\) queries and that it can be made preimage secure up to \(2^n\) queries using a simple tweak.

Figs. 1–6 (figure images not reproduced here)

Notes

  1. The authors originally refer to \(m\) as the “rate,” but in our terminology “rate” has a different meaning.

  2. \(S^r\) makes use of \(p:=2\lceil \log _2r\rceil +1\) distinct primitives, so \(\lceil \log _2p\rceil \) bits of the input to \(\pi \) are reserved for domain separation.

  3. These findings seem to violate the preimage bound of Rogaway and Steinberger [41], but note that their bound does not apply: The construction \(\mathcal {H}\) has a high preimage degeneracy.

  4. In more detail, in \(S^r\) of Fig. 3, the feed-forward \((y\,\oplus \,z)_{j-1,2i}\) in round \(({j,i})\) would be replaced by \((y\,\oplus \,z)_{j-1,2i+1}\).

References

  1. Alizadeh, J., Aref, M., Bagheri, N.: Artemia v1, submission to CAESAR competition (2014)

  2. Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mendel, F., Mennink, B., Mouha, N., Wang, Q., Yasuda, K.: PRIMATEs v1, submission to CAESAR competition (2014)

  3. Andreeva, E., Mennink, B., Preneel, B.: Security reductions of the second round SHA-3 candidates. In: ISC 2010. Lecture Notes in Computer Science, vol. 6531, pp. 39–53. Springer, Heidelberg (2010)

  4. Andreeva, E., Mennink, B., Preneel, B.: The parazoa family: generalizing the sponge hash functions. Int. J. Inf. Secur. 11(3), 149–165 (2012)

  5. Aumasson, J., Jovanovic, P., Neves, S.: NORX v1, submission to CAESAR competition (2014)

  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965, pp. 181–197. Springer, Heidelberg (2008)

  7. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sufficient conditions for sound tree and sequential hashing modes. Cryptology ePrint Archive, Report 2009/210 (2009)

  8. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The KECCAK sponge function family, submission to NIST’s SHA-3 competition (2011)

  9. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions (ECRYPT Hash Function Workshop 2007)

  10. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Ketje v1, submission to CAESAR competition (2014)

  11. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keyak v1, submission to CAESAR competition (2014)

  12. Black, J., Cochran, M., Shrimpton, T.: On the impossibility of highly-efficient blockcipher-based hash functions. In: EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 526–541. Springer, Heidelberg (2005)

  13. Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442, pp. 320–335. Springer, Heidelberg (2002)

  14. Black, J., Rogaway, P., Shrimpton, T., Stam, M.: An analysis of the blockcipher-based hash functions from PGV. J. Cryptol. 23(4), 519–545 (2010)

  15. CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness, April 2014. http://competitions.cr.yp.to/caesar.html

  16. Damgård, I.: A design principle for hash functions. In: CRYPTO ’89. Lecture Notes in Computer Science, vol. 435, pp. 416–427. Springer, Heidelberg (1990)

  17. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1, submission to CAESAR competition (2014)

  18. Dodis, Y., Reyzin, L., Rivest, R., Shen, E.: Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6. In: FSE 2009. Lecture Notes in Computer Science, vol. 5665, pp. 104–121. Springer, Heidelberg (2009)

  19. Dodis, Y., Steinberger, J.P.: Domain extension for MACs beyond the birthday barrier. In: EUROCRYPT 2011. Lecture Notes in Computer Science, vol. 6632, pp. 323–342. Springer, Heidelberg (2011)

  20. Duo, L., Li, C.: Improved collision and preimage resistance bounds on PGV schemes. Cryptology ePrint Archive, Report 2006/462 (2006)

  21. Gauravaram, P., Knudsen, L., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.: Grøstl—a SHA-3 candidate, submission to NIST’s SHA-3 competition (2011)

  22. Gligoroski, D., Mihajloska, H., Samardjiska, S., Jacobsen, H., El-Hadedy, M., Jensen, R.: \(\pi \)-Cipher v1, submission to CAESAR competition (2014)

  23. Hirose, S.: Some plausible constructions of double-block-length hash functions. In: FSE 2006. Lecture Notes in Computer Science, vol. 4047, pp. 210–225. Springer, Heidelberg (2006)

  24. Jetchev, D., Özen, O., Stam, M.: Collisions are not incidental: a compression function exploiting discrete geometry. In: TCC 2012. Lecture Notes in Computer Science, vol. 7194, pp. 303–320. Springer, Heidelberg (2012)

  25. Kavun, E., Lauridsen, M., Leander, G., Rechberger, C., Schwabe, P., Yalçın, T.: Prøst v1, submission to CAESAR competition (2014)

  26. Knudsen, L., Lai, X., Preneel, B.: Attacks on fast double block length hash functions. J. Cryptol. 11(1), 59–72 (1998)

  27. Knudsen, L., Rechberger, C., Thomsen, S.: The Grindahl hash functions. In: FSE 2007. Lecture Notes in Computer Science, vol. 4593, pp. 39–57. Springer, Heidelberg (2007)

  28. Lai, X., Massey, J.: Hash function based on block ciphers. In: EUROCRYPT ’92. Lecture Notes in Computer Science, vol. 658, pp. 55–70. Springer, Heidelberg (1992)

  29. Lee, J., Kwon, D.: Security of single-permutation-based compression functions. Cryptology ePrint Archive, Report 2009/145 (2009)

  30. Maurer, U.M., Tessaro, S.: Domain extension of public random functions: beyond the birthday barrier. In: CRYPTO 2007. Lecture Notes in Computer Science, vol. 4622, pp. 187–204. Springer, Heidelberg (2007)

  31. Mennink, B., Preneel, B.: Hash functions based on three permutations: a generic security analysis. In: CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417, pp. 330–347. Springer, Heidelberg (2012)

  32. Merkle, R.: Protocols for public key cryptosystems. In: IEEE Symposium on Security and Privacy, pp. 122–134. IEEE Computer Society Press (1980)

  33. Merkle, R.: One way hash functions and DES. In: CRYPTO ’89. Lecture Notes in Computer Science, vol. 435, pp. 428–446. Springer, Heidelberg (1990)

  34. Meyer, C., Schilling, M.: Secure program load with manipulation detection code. In: Proceedings of Securicom, pp. 111–130 (1988)

  35. Morawiecki, P., Gaj, K., Homsirikamol, E., Matusiewicz, K., Pieprzyk, J., Rogawski, M., Srebrny, M., Wójcik, M.: ICEPOLE v1, submission to CAESAR competition (2014)

  36. National Institute for Standards and Technology: Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA3) family, November 2007

  37. Peyrin, T., Gilbert, H., Muller, F., Robshaw, M.: Combining compression functions and block cipher-based hash functions. In: ASIACRYPT 2006. Lecture Notes in Computer Science, vol. 4284, pp. 315–331. Springer, Heidelberg (2006)

  38. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: CRYPTO ’93. Lecture Notes in Computer Science, vol. 773, pp. 368–378. Springer, Heidelberg (1993)

  39. Rivest, R., Agre, B., Bailey, D.V., Crutchfield, C., Dodis, Y., Fleming, K.E., Khan, A., Krishnamurthy, J., Lin, Y., Reyzin, L., Shen, E., Sukha, J., Sutherland, D., Tromer, E., Yin, Y.L.: The MD6 hash function—a proposal to NIST for SHA-3, submission to NIST’s SHA-3 competition (2008)

  40. Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: FSE 2004. Lecture Notes in Computer Science, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)

  41. Rogaway, P., Steinberger, J.: Security/efficiency tradeoffs for permutation-based hashing. In: EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965, pp. 220–236. Springer, Heidelberg (2008)

  42. Rogaway, P., Steinberger, J.P.: Constructing cryptographic hash functions from fixed-key blockciphers. In: CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157, pp. 433–450. Springer, Heidelberg (2008)

  43. Saarinen, M.: CBEAM r1, submission to CAESAR competition (2014)

  44. Saarinen, M.: STRIBOB r1, submission to CAESAR competition (2014)

  45. Shrimpton, T., Stam, M.: Building a collision-resistant compression function from non-compressing primitives. In: ICALP (2) 2008. Lecture Notes in Computer Science, vol. 5126, pp. 643–654. Springer, Heidelberg (2008)

  46. Stam, M.: Beyond uniformity: better security/efficiency tradeoffs for compression functions. In: CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157, pp. 397–412. Springer, Heidelberg (2008)

  47. Stam, M.: Blockcipher-based hashing revisited. In: FSE 2009. Lecture Notes in Computer Science, vol. 5665, pp. 67–83. Springer, Heidelberg (2009)

  48. Steinberger, J.: Stam’s collision resistance conjecture. In: EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110, pp. 597–615. Springer, Heidelberg (2010)

  49. Steinberger, J., Sun, X., Yang, Z.: Stam’s conjecture and threshold phenomena in collision resistance. In: CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417, pp. 384–405. Springer, Heidelberg (2012)

  50. Wu, H.: The hash function JH, submission to NIST’s SHA-3 competition (2011)

Acknowledgments

This work was supported in part by the Research Fund KU Leuven, OT/13/071, and in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007). Bart Mennink is a Postdoctoral Fellow of the Research Foundation—Flanders (FWO).

Corresponding author

Correspondence to Bart Mennink.

Appendices

Appendix 1: Comparison of \(S^r\) with known permutation-based hash functions

We present technical support for Table 1 of Sect. 1. In more detail, we compute the rates and primitive sizes of sponge functions, Grøstl, and MD6, and of \(S^r\) when in a Merkle–Damgård mode of operation or in a Merkle tree. As these functions are all defined for different modes of operation and different parameters, separate treatments are required. In our comparison, we target hash functions \(\mathcal {H}{:}\;\{0,1\}^{*}\rightarrow \{0,1\}^{n}\) with \(n/2\)-bit security; we adopt the parameters of each specific design accordingly and derive the rates and the primitive sizes.

Note that for \(\mathcal {H}\), we can define the rate similarly as in Sect. 1, namely as \(\frac{M}{ds}\), where \(M\) denotes the total length of the message in bits, and \(d\) denotes the number of calls to the underlying \(s\)-bit non-compressing primitive \(f\). We simplify the analysis by assuming that the message is always of full length (ignoring additional primitive calls due to padding, length strengthening, and final transformations). In the remainder of this section, we derive the rates and primitive sizes for the above-mentioned functions. A further comparison is given in Sect. 1.

Sponge functions. Sponge functions [9] have a state of \(c+m\) bits, where \(c\) is the capacity and \(m\) the message block size (see footnote 1). Sponge functions are collision resistant up to \(2^{c/2}\) queries [6]. Hence, \(n/2\)-bit security means that we take \(c=n\). The sponge compression function \(F{:}\;\{0,1\}^{n+2m}\rightarrow \{0,1\}^{n+m}\) makes one primitive call to an \((n+m)\)-bit permutation. On input of a message of \(M\) blocks of \(m\) bits, it makes \(M\) primitive calls and thus has rate \(\frac{m}{n+m}\) using primitives on \(n+m\) bits. The same reasoning applies to Keccak (as it is a sponge function) [8], Grindahl [27], JH [50], and parazoa functions [4].

Grøstl. Grøstl [21] is a Merkle–Damgård function. It has a state size of \(l\) bits, and collision security is proven up to \(2^{l/4}\) queries [3] (hence, we consider \(l=2n\)). It employs a compression function \(F{:}\;\{0,1\}^{2l}\rightarrow \{0,1\}^{l}\) making two primitive calls to two distinct \(l\)-bit permutations. On input of a message of \(M\) blocks of \(l\) bits, it makes \(2M\) primitive calls and thus has a rate of 1/2 using primitives on \(2n\) bits.

MD6. MD6 [39] is a tree-based hash function with output size \(16\) words of \(w=64\) bits (we write the output size as \(n=16w\)). Collision security is proven up to \(2^{n/2}\) queries [18]. It employs a compression function \(F{:}\;\{0,1\}^{4n}\rightarrow \{0,1\}^{n}\) making one primitive call to a \(4n\)-bit permutation. (In fact, \(F\) and its underlying permutation get \(25\) additional words of input, but these are ignored for the sake of simplicity. Taking these into account leads to a worse rate.) On input of a message of \(M\) blocks of \(n\) bits (w.l.o.g. \(M=4^\alpha \) for some \(\alpha \)), it makes \(\frac{M-1}{3}\) primitive calls and thus has a rate of \(\frac{3}{4}\cdot \frac{M}{M-1}\) using primitives on \(4n\) bits.

\(S^r\) in MD or MT. For the comparison with sponge functions and Grøstl, we consider \(S^r\) in a Merkle–Damgård mode of operation (MD-\(S^r\)) [16, 33], and for the comparison with MD6 we consider it in a Merkle tree (MT-\(S^r\)) [32]. Both MD-\(S^r\) and MT-\(S^r\) preserve collision resistance [7, 16, 18, 33] when correctly padded and have about \(2^{n/2}\) collision resistance. First consider MD-\(S^r\). On input of a message of \(M\) blocks of \(n\) bits [w.l.o.g. \(M=(r-1)\alpha \) for some \(\alpha \)], each call to \(S^r\) absorbs \(r-1\) message blocks and the chaining value, so it makes \(\frac{(2r-1)M}{r-1}\) primitive calls and thus has a rate of \(\frac{r-1}{2r-1}\) using primitives on \(n\) bits. Next consider MT-\(S^r\). On input of a message of \(M\) blocks of \(n\) bits (w.l.o.g. \(M=r^\alpha \) for some \(\alpha \)), it makes \(\frac{M-1}{r-1}\) calls to \(S^r\), hence \(\frac{(2r-1)(M-1)}{r-1}\) primitive calls, and thus has a rate of \(\frac{r-1}{2r-1}\cdot \frac{M}{M-1}\) using primitives on \(n\) bits.

Appendix 2: Proof of Theorem 5

We consider the security of \(S^r{:}\;\{0,1\}^{rn}\rightarrow \{0,1\}^{n}\), for \(r=2^\ell \) with \(\ell \ge 0\), based on \(2\ell +1\) functions \(\big \{ \pi _{j,b}\;\mid \;(j,b)\in (\{0,\ldots ,\ell -1\}\times \{0,1\})\cup \{(\ell ,0)\}\big \}\) randomly drawn from \(\mathsf {Perm}(n)\). See Fig. 6. In the proof, we consider adversaries that make all queries to \(\pi _{j-1,b}\) before all queries to \(\pi _{j,b'}\).

The proof is similar to the proof of Theorem 1 but more technical. As before, we associate with each query \((x_{j,b},y_{j,b})\) a multiset \(\mathcal {Z}_{j,b}\) of all possible feed-forward values \(z_{j,b}\) occurring for this query. The only difference is that now for queries \((x_{0,b},y_{0,b})\), we have \(\mathcal {Z}_{0,b}=\{x_{0,b}\}\). We recall that \((x_{j,b},y_{j,b},\mathcal {Z}_{j,b})=(x,y,\mathcal {Z})_{j,b}\) and again write \((y\,\oplus \,z)_{j,b}=y_{j,b}\,\oplus \,z_{j,b}\) and similarly \((x\,\oplus \,y)_{j,b}=x_{j,b}\,\oplus \,y_{j,b}\).
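The tree structure of \(S^r\) that this proof reasons about, and the rate formulas of Appendix 1, can both be checked by actually running the construction. The Python below is an added example, not code from the paper: it wires \(S^r\) for \(r=2^\ell\) as a binary tree of \(n\)-bit permutations following the relations \(x_{j,b}=(y\oplus z)_{j-1,0}\oplus (y\oplus z)_{j-1,1}\) and \(z_{j,b}=(y\oplus z)_{j-1,0}\) used in this appendix together with the \((j,i)\) node indexing of footnote 4 (this wiring is my reading of those equations, not a transcription of Fig. 6), then iterates it in Merkle–Damgård and Merkle-tree mode and counts primitive calls. Assumptions: a 12-bit toy word size so that ideal permutations can be tabulated, independent permutation tables in place of the domain-separation bits of footnote 2, no padding or length strengthening (as in Appendix 1), and all names (`Sr`, `md_hash`, `mt_hash`, `measured_rate`, `predicted_rate`, `sponge_rate`) are mine.

```python
import random
from fractions import Fraction
from typing import Callable, Dict, List, Tuple

# Toy word size: ideal permutations are tabulated, so this is a structural model
# of S^r for checking call counts and rates, not a usable hash function.
N_BITS = 12
MASK = (1 << N_BITS) - 1


def make_permutation(seed: int) -> Tuple[Callable[[int], int], Callable[[int], int]]:
    """Seeded random permutation on N_BITS bits plus its inverse (constructed
    stand-in for an ideal permutation; forward and inverse queries both exist)."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return (lambda x: table[x]), (lambda y: inverse[y])


class Sr:
    """rn-to-n-bit compression function S^r for r = 2**ell, built from the
    2*ell + 1 permutations pi_{j,b}: two per level j < ell, one at the root."""

    def __init__(self, ell: int, seed: int = 1) -> None:
        self.ell, self.r = ell, 1 << ell
        self.perms: Dict[Tuple[int, int], Tuple[Callable, Callable]] = {}
        for j in range(ell):
            for b in (0, 1):
                self.perms[(j, b)] = make_permutation(seed * 1000 + 2 * j + b)
        self.perms[(ell, 0)] = make_permutation(seed * 1000 + 2 * ell)
        self.calls = 0  # primitive-call counter used for the rate checks below

    def pi(self, j: int, b: int, x: int) -> int:
        self.calls += 1
        return self.perms[(j, b)][0](x)

    def compress(self, blocks: List[int]) -> int:
        if len(blocks) != self.r:
            raise ValueError(f"S^r takes exactly r = {self.r} blocks")
        # Level 0: x_{0,i} = m_i and the feed-forward is the input itself (Z_{0,b} = {x_{0,b}}).
        w = [self.pi(0, i % 2, m & MASK) ^ (m & MASK) for i, m in enumerate(blocks)]
        for j in range(1, self.ell + 1):
            nxt = []
            for i in range(len(w) // 2):
                left, right = w[2 * i], w[2 * i + 1]
                x = left ^ right          # x_{j,i} = (y^z)_{j-1,2i} ^ (y^z)_{j-1,2i+1}
                y = self.pi(j, i % 2, x)  # pi_{j,b} with b = i mod 2 (only b = 0 at the root)
                nxt.append(y ^ left)      # feed-forward z_{j,i} = (y^z)_{j-1,2i}
            w = nxt
        return w[0]


def md_hash(sr: Sr, message: List[int], iv: int = 0) -> int:
    """MD-S^r: every call takes the chaining value plus r-1 message blocks."""
    k = sr.r - 1
    if len(message) % k:
        raise ValueError(f"message length must be a multiple of r-1 = {k}")
    h = iv
    for off in range(0, len(message), k):
        h = sr.compress([h] + message[off:off + k])
    return h


def mt_hash(sr: Sr, message: List[int]) -> int:
    """MT-S^r: an r-ary Merkle tree whose leaves are the M = r**alpha message blocks."""
    level = list(message)
    while len(level) > 1:
        if len(level) % sr.r:
            raise ValueError("number of blocks must be a power of r")
        level = [sr.compress(level[i:i + sr.r]) for i in range(0, len(level), sr.r)]
    return level[0]


def measured_rate(mode: Callable, ell: int, num_blocks: int) -> Fraction:
    """Rate M*n / (d*n) = M/d with d the number of primitive calls actually made."""
    sr = Sr(ell)
    mode(sr, [(i * 2654435761) & MASK for i in range(num_blocks)])  # constructed input
    return Fraction(num_blocks, sr.calls)


def predicted_rate(mode_name: str, r: int, M: int) -> Fraction:
    """Closed forms for MD-S^r and MT-S^r from Appendix 1."""
    if mode_name == "md":
        return Fraction(r - 1, 2 * r - 1)
    if mode_name == "mt":
        return Fraction(r - 1, 2 * r - 1) * Fraction(M, M - 1)
    raise ValueError(mode_name)


def sponge_rate(c: int, m: int) -> Fraction:
    """Sponge rate m/(c+m); SHA-3-512 uses c = 1024, m = 576 (the abstract's 'about 1/3')."""
    return Fraction(m, c + m)


if __name__ == "__main__":
    for ell, M_md, M_mt in ((1, 4, 8), (2, 6, 16), (3, 14, 64)):
        r = 1 << ell
        print(f"r={r}: MD rate {measured_rate(md_hash, ell, M_md)} "
              f"(formula {predicted_rate('md', r, M_md)}), "
              f"MT rate {measured_rate(mt_hash, ell, M_mt)} "
              f"(formula {predicted_rate('mt', r, M_mt)})")
    print(f"SHA-3-512 sponge rate: {float(sponge_rate(1024, 576)):.3f}")
```

Counting calls rather than trusting the formula makes the accounting of Appendix 1 concrete: a single \(S^r\) call costs \(2r-1\) primitive calls, MT-\(S^r\) on \(M=r^\alpha\) blocks performs \((M-1)/(r-1)\) such calls, and the resulting \(M/d\) equals \(\frac{r-1}{2r-1}\frac{M}{M-1}\). The same harness exposes both directions of every permutation, which is what the forward/inverse query case split in the proof relies on.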

In the proof, we employ four helping events. Here, let \(\tau \ge 3\) be any integer value.

$$\begin{aligned}
&\mathsf {eA}(\mathcal {Q})_{j,b}{:}\; \exists \;(x,y,\mathcal {Z})_{j,b},(x',y',\mathcal {Z}')_{j,b}\in \mathcal {Q}_q\;\text {such that}\; x_{j,b}\ne x_{j,b}' \wedge y_{j,b}\,\oplus \,y_{j,b}' \in \mathcal {Z}_{j,b}\,\oplus \,\mathcal {Z}_{j,b}'; \\
&\mathsf {eB}(\mathcal {Q})_{j,b}{:}\; \max _{z\in \{0,1\}^{n}} \Big |\Big \{ (x,y,\mathcal {Z})_{j-1,0},(x,y,\mathcal {Z})_{j,b}\in \mathcal {Q}_q \;\Big |\; y_{j,b}\ne z \wedge y_{j,b}\,\oplus \,y_{j-1,0}\,\oplus \,z \in \mathcal {Z}_{j,b}\,\oplus \,\mathcal {Z}_{j-1,0} \Big \} \Big | > \tau ^{j+1/2}; \\
&\mathsf {eC}(\mathcal {Q})_j {:}\; \max _{z\in \{0,1\}^{n}\backslash \{0\}} \Big |\Big \{ (x,y,\mathcal {Z})_{j-1,0},(x',y',\mathcal {Z}')_{j-1,0}\in \mathcal {Q}_q \;\Big |\; y_{j-1,0} \,\oplus \,y_{j-1,0}'\,\oplus \,z \in \mathcal {Z}_{j-1,0} \,\oplus \,\mathcal {Z}_{j-1,0}' \Big \} \Big | > \tau ^j; \\
&\mathsf {eD}(\mathcal {Q})_j {:}\; \max _{z\in \{0,1\}^{n}} \Big |\Big \{ (x,y,\mathcal {Z})_{j-1,0},(x,y,\mathcal {Z})_{j-1,1}\in \mathcal {Q}_q \;\Big |\; y_{j-1,0} \,\oplus \,y_{j-1,1}\,\oplus \,z \in \mathcal {Z}_{j-1,0} \,\oplus \,\mathcal {Z}_{j-1,1} \Big \} \Big | > \tau ^j.
\end{aligned}$$

For \(\mathsf {X},\mathsf {Y}\in \{\mathsf {A},\ldots ,\mathsf {D}\}\), we simply write \(\mathsf {eX}(\mathcal {Q})_j=\mathsf {eX}(\mathcal {Q})_{j,0}\cup \mathsf {eX}(\mathcal {Q})_{j,1}\), \(\mathsf {eX}(\mathcal {Q})=\bigcup _j\mathsf {eX}(\mathcal {Q})_j\), and \(\mathsf {eXY}(\mathcal {Q})=\mathsf {eX}(\mathcal {Q})\cup \mathsf {eY}(\mathcal {Q})\). We furthermore write \(\mathsf {e}(\mathcal {Q})=\mathsf {eA\cdots D}(\mathcal {Q})\). Note that \(\mathsf {eA}(\mathcal {Q})_{j,b}\) is as in Theorem 1, and \(\mathsf {eD}(\mathcal {Q})_j\) replaces \(\mathsf {eB}(\mathcal {Q})_j\).

The threshold values for \(\mathsf {eB}(\mathcal {Q})_{j,b}\) on one hand and \(\mathsf {eCD}(\mathcal {Q})_j\) on the other hand differ. This has a technical origin, and we present a brief and informal explanation. Write the two bounds as \(\tau \mathsf {B}_j\) and \(\tau \mathsf {CD}_j\). As will become clear in the proof of Lemma 7, any adversarial query adds at most \(\tau \mathsf {B}_{j-1}\) solutions to \(\mathsf {eC}(\mathcal {Q})_j\) and \(\mathsf {eD}(\mathcal {Q})_j\) and at most \(\tau \mathsf {CD}_j\) solutions to \(\mathsf {eB}(\mathcal {Q})_{j,b}\). Hence, in order for our proof to make sense, we require \(\tau \mathsf {B}_j>\tau \mathsf {CD}_j>\tau \mathsf {B}_{j-1}\), which justifies the choice of \(\tau \mathsf {B}_j=\tau ^{j+1/2}\) and \(\tau \mathsf {CD}_j=\tau ^j\).

The definition \(\mathsf {col}{S^r}(\mathcal {Q}_{q})\) of the proof of Theorem 1 carries over to the permutation-based setting, as well as Lemma 2. We obtain:

$$\begin{aligned} \mathsf {Adv}_{S^r}^{\mathsf {col}}[A] = \mathbb {P}\left[ \mathsf {col}{S^r}(\mathcal {Q}_{q})\right] \le \mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})\right] \le \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right] . \end{aligned}$$

A bound on this probability is derived in Lemma 7.

Lemma 7

\(\displaystyle \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right] \le \frac{4(\tau ^\ell q)^2}{N-q} + 8N\left( \frac{e(\tau ^\ell q)^2}{N-q}\right) ^{\tau ^{1/2}-1}\).

Proof

By basic probability theory:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right] \le \sum _{j=0}^\ell \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] , \end{aligned}$$
(6)

where \(\lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}=\lnot \mathsf {e}(\mathcal {Q}_q)_{j-2}\cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-1}\), and \(\mathsf {eBCD}(\mathcal {Q}_{q})_0\) is false by construction. We further split up this probability as follows:

$$\begin{aligned}
&\mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] \\
&\quad \le \;\mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {eBCD}(\mathcal {Q}_q)_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] + \mathbb {P}\left[ \mathsf {eBCD}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] \\
&\quad \le \;\mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {eBCD}(\mathcal {Q}_q)_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] + \mathbb {P}\left[ \mathsf {eB}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {eCD}(\mathcal {Q}_q)_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] \\
&\quad \quad + \;\mathbb {P}\left[ \mathsf {eCD}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] \\
&\quad \le \;\mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {eBD}(\mathcal {Q}_q)_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] + \mathbb {P}\left[ \mathsf {eB}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {eCD}(\mathcal {Q}_q)_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] \\
&\quad \quad + \;\mathbb {P}\left[ \mathsf {eC}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] + \mathbb {P}\left[ \mathsf {eD}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] .
\end{aligned}$$
(7)

We consider these probabilities separately. Recall that \(A\) makes all queries to \(\pi _{j-1,b}\) before all queries to \(\pi _{j,b'}\) (for \(j=1,\ldots ,\ell \) and \(b,b'\) arbitrary). Throughout the proof, by “for any \((x,y,z)_{j,b}\)”, we mean “for any \((x,y,\mathcal {Z})_{j,b}\) and any \(z_{j,b}\in \mathcal {Z}_{j,b}\).” Hence, any tuple \((x,y,\mathcal {Z})_{j,b}\) corresponds to \(|\mathcal {Z}_{j,b}|\) tuples \((x,y,z)_{j,b}\).

\(\mathsf {eA}(\mathcal {Q}_{q})_j\). Assume \(\lnot \mathsf {eBD}(\mathcal {Q}_q)_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\) holds. Consider any \(b\). The analysis depends on whether the query is forward or inverse. First, consider a forward query \(y_{j,b}\leftarrow \pi _{j,b}(x_{j,b})\). We say that it renders a solution if it makes \(y_{j,b}\,\oplus \,y_{j,b}' \in \mathcal {Z}_{j,b}\,\oplus \,\mathcal {Z}_{j,b}'\) satisfied for any existing query \((x',y',\mathcal {Z}')_{j,b}\). By \(\lnot \mathsf {eD}(\mathcal {Q}_q)_j\), we have \(|\mathcal {Z}_{j,b}|,|\mathcal {Z}_{j,b}'|\le \tau ^j\) (these sets are fixed once \(x_{j,b}\) is fixed). Consequently, the query completes a collision with probability at most \(\frac{\tau ^{2j}q}{N-q}\). Next, consider an inverse query \(x_{j,b}\leftarrow \pi _{j,b}^{-1}(y_{j,b})\). It renders a solution if for some \((x,y,z)_{j-1,0}\), \((x,y,z)_{j-1,1}\), and \((x',y',z')_{j,b}\):

$$\begin{aligned} x_{j,b}&= (y\,\oplus \,z)_{j-1,0} \,\oplus \,(y\,\oplus \,z)_{j-1,1},\\ y_{j,b}&= (y\,\oplus \,z)_{j-1,0} \,\oplus \,(y\,\oplus \,z)_{j,b}'. \end{aligned}$$

(Indeed, in this case \(z_{j,b}=(y\,\oplus \,z)_{j-1,0}\).) By \(\lnot \mathsf {eB}(\mathcal {Q}_q)_j\) for \(z:=y_{j,b}\) (by condition, we have \(y_{j,b}'\ne y_{j,b}\)), there are at most \(\tau ^{j+1/2}\) solutions \((x,y,z)_{j-1,0}\) and \((x',y',z')_{j,b}\) to the second equation (using \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-1}\)). By \(\lnot \mathsf {eD}(\mathcal {Q}_q)_{j-1}\), there are also at most \(\tau ^{j-1}q\) solutions for \((x,y,z)_{j-1,1}\), and a collision is thus triggered with probability at most \(\frac{\tau ^{2j-1/2}q}{N-q}\). Summing over all forward and inverse queries to \(\pi _{j,b}\), and both choices of \(b\), we obtain:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {eBD}(\mathcal {Q}_q)_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] \le \frac{2(\tau ^jq)^2}{N-q}. \end{aligned}$$

\(\mathsf {eB}(\mathcal {Q}_{q})_j\). Assume \(\lnot \mathsf {eCD}(\mathcal {Q}_q)_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\) holds. Consider any \(z\in \{0,1\}^{n}\) and any \(b\). By the layer-wise character of \(A\), \(\mathsf {eB}(\mathcal {Q}_{q})_{j,b}\) can only be satisfied by queries to \(\pi _{j,b}\). The analysis depends on whether the query is forward or inverse. First, consider a forward query \(y_{j,b}\leftarrow \pi _{j,b}(x_{j,b})\). There exist at most \(q\) queries \((x,y,\mathcal {Z})_{j-1,0}\). By \(\lnot \mathsf {eD}(\mathcal {Q}_q)_{j-1}\), we have \(|\mathcal {Z}_{j-1,0}|\le \tau ^{j-1}\). Additionally, by \(\lnot \mathsf {eD}(\mathcal {Q}_q)_j\), we have \(|\mathcal {Z}_{j,b}|\le \tau ^j\) (this set is fixed once \(x_{j,b}\) is fixed). Therefore, the query adds a solution to \(\mathsf {eB}(\mathcal {Q}_{q})_{j,b}\) with probability at most \(\frac{\tau ^{2j-1}q}{N-q}\), and any hit adds at most \(\tau ^j\) values (by \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-1}\)). Next, consider an inverse query \(x_{j,b}\leftarrow \pi _{j,b}^{-1}(y_{j,b})\) (and assume \(y_{j,b}\ne z\)). It renders a solution if for some \((x,y,z)_{j-1,0}\), \((x,y,z)_{j-1,1}\), and \((x',y',z')_{j-1,0}\):

$$\begin{aligned} x_{j,b}&= (y\,\oplus \,z)_{j-1,0} \,\oplus \,(y\,\oplus \,z)_{j-1,1},\\ y_{j,b}&= (y\,\oplus \,z)_{j-1,0} \,\oplus \,(y'\,\oplus \,z')_{j-1,0} \,\oplus \,z. \end{aligned}$$

(Indeed, in this case \(z_{j,b}=(y\,\oplus \,z)_{j-1,0}\).) By \(\lnot \mathsf {eC}(\mathcal {Q}_q)_j\) for \(\overline{z}:=y_{j,b}\,\oplus \,z\ne 0\), there are at most \(\tau ^j\) solutions \((x,y,z)_{j-1,0}\) and \((x',y',z')_{j-1,0}\) to the second equation (using \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-2}\)). By \(\lnot \mathsf {eD}(\mathcal {Q}_q)_{j-1}\), there are also at most \(\tau ^{j-1}q\) solutions for \((x,y,z)_{j-1,1}\), and a solution is thus obtained with probability at most \(\frac{\tau ^{2j-1}q}{N-q}\). Any hit adds at most \(\tau ^j\) values (by \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-1}\)).

More than \(\tau ^{j+1/2}\) solutions are added with probability at most

$$\begin{aligned} {q\atopwithdelims ()\tau ^{j+1/2}/\tau ^j } \left( \frac{\tau ^{2j-1}q}{N-q} \right) ^{\tau ^{j+1/2}/\tau ^j} \le \left( \frac{e(\tau ^jq)^2}{N-q} \right) ^{\tau ^{1/2}}. \end{aligned}$$

Summing over all \(N\) choices of \(z\), and both choices of \(b\), we obtain:

$$\begin{aligned}&\mathbb {P}\left[ \mathsf {eB}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {eCD}(\mathcal {Q}_q)_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] \\&\quad \le 2N \left( \frac{e(\tau ^jq)^2}{N-q} \right) ^{\tau ^{1/2}}. \end{aligned}$$

\(\mathsf {eC}(\mathcal {Q}_{q})_j\). Assume \(\lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\) holds. Consider any \(z\in \{0,1\}^{n}\backslash \{0\}\). Note that, by \(\mathsf {eC}(\mathcal {Q}_{q})_{j-1}\), there exist at most \(\tau ^{j-1}\) solutions in case of \(y_{j-1,0}=y'_{j-1,0}\). Hence, in order to find more than \(\tau ^j\) solutions, the adversary needs to find more than \(\tau ^j-\tau ^{j-1}\) solutions with \(y_{j-1,0}\ne y'_{j-1,0}\), and we focus on this problem. The analysis depends on whether the query is forward or inverse. First, consider a forward query \(y_{j-1,0}\leftarrow \pi _{j-1,0}(x_{j-1,0})\). There exist at most \(q\) other tuples \((x',y',\mathcal {Z}')_{j-1,0}\), and by \(\lnot \mathsf {eD}(\mathcal {Q}_q)_{j-1}\) we have \(|\mathcal {Z}_{j-1,0}|,|\mathcal {Z}'_{j-1,0}|\le \tau ^{j-1}\) (these sets are fixed once \(x_{j-1,0}\) is fixed). Therefore, the query adds a solution to \(\mathsf {eC}(\mathcal {Q}_{q})_j\) with probability at most \(\frac{\tau ^{2(j-1)}q}{N-q}\), and any hit adds at most \(\tau ^{j-1}\) values (by \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-1}\)). Next, consider an inverse query \(x_{j-1,0}\leftarrow \pi _{j-1,0}^{-1}(y_{j-1,0})\). It renders a solution if for some \((x,y,z)_{j-2,0}\), \((x,y,z)_{j-2,1}\), and \((x',y',z')_{j-1,0}\):

$$\begin{aligned} x_{j-1,0}&= (y\,\oplus \,z)_{j-2,0} \,\oplus \,(y\,\oplus \,z)_{j-2,1},\\ y_{j-1,0}&= (y\,\oplus \,z)_{j-2,0} \,\oplus \,(y'\,\oplus \,z')_{j-1,0} \,\oplus \,z. \end{aligned}$$

(Indeed, in this case \(z_{j-1,0}=(y\,\oplus \,z)_{j-2,0}\).) We make a distinction between the cases \(y_{j-1,0}\,\oplus \,z=y'_{j-1,0}\) and \(y_{j-1,0}\,\oplus \,z\ne y'_{j-1,0}\); an adversary may succeed in both cases. In the former case, the values \(y_{j-1,0}\) and \(z\) fix \(y'_{j-1,0}\) (recall \(y_{j-1,0}\ne y'_{j-1,0}\)), and by \(\lnot \mathsf {eD}(\mathcal {Q}_q)_{j-1}\), we have \(|\mathcal {Z}'_{j-1,0}|\le \tau ^{j-1}\). By \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-2}\), there is one solution \((x,y,z)_{j-2,0}\) to the second equation. By \(\lnot \mathsf {eD}(\mathcal {Q}_q)_{j-2}\), there are also at most \(\tau ^{j-2}q\) solutions for \((x,y,z)_{j-2,1}\), and a solution is thus obtained with probability at most \(\frac{\tau ^{2j-3}q}{N-q}\). Any hit adds at most \(\tau ^{j-1}\) values (by \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-2}\)). Next, we consider the general case of \(y_{j-1,0}\,\oplus \,z\ne y'_{j-1,0}\). By \(\lnot \mathsf {eB}(\mathcal {Q}_q)_{j-1}\) for \(\overline{z}:=y_{j-1,0}\,\oplus \,z\) (for which we thus have \(y'_{j-1,0}\ne y_{j-1,0}\,\oplus \,z\)), there are at most \(\tau ^{j-1/2}\) solutions \((x,y,z)_{j-2,0}\) and \((x',y',z')_{j-1,0}\) to the second equation (using \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-2\cap j-1}\)). By \(\lnot \mathsf {eD}(\mathcal {Q}_q)_{j-2}\), there are also at most \(\tau ^{j-2}q\) solutions for \((x,y,z)_{j-2,1}\), and a solution is thus obtained with probability at most \(\frac{\tau ^{2j-5/2}q}{N-q}\). Any hit adds at most \(\tau ^{j-1/2}\) values (by \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-2}\)). Concluding the inverse case, a hit is found with probability at most \(\frac{\tau ^{2j-3}q}{N-q} + \frac{\tau ^{2j-5/2}q}{N-q}\le \frac{\tau ^{2(j-1)}q}{N-q}\) (where inequality holds as \(1+\tau ^{1/2}\le \tau \) for \(\tau \ge 3\)) and any hit adds at most \(\tau ^{j-1}+\tau ^{j-1/2}\) values.

More than \(\tau ^j-\tau ^{j-1}\) solutions are added with probability at most

$$\begin{aligned}&{q\atopwithdelims ()(\tau ^j-\tau ^{j-1})/(\tau ^{j-1}+\tau ^{j-1/2}) } \left( \frac{\tau ^{2(j-1)}q}{N-q} \right) ^{(\tau ^j-\tau ^{j-1})/(\tau ^{j-1}+\tau ^{j-1/2})} \\&\quad \le \left( \frac{e(\tau ^jq)^2}{N-q} \right) ^{\tau ^{1/2}-1}. \end{aligned}$$

Here, we again use that \(1+\tau ^{1/2}\le \tau \) and that \(\tau ^j-\tau ^{j-1} \ge \tau ^{j-1}\). Summing over all \(N-1\le N\) choices of \(z\), we obtain:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {eC}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] \le N \left( \frac{e(\tau ^jq)^2}{N-q} \right) ^{\tau ^{1/2}-1}. \end{aligned}$$

\(\mathsf {eD}(\mathcal {Q}_{q})_j\). Assume \(\lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\) holds. Consider any \(z\in \{0,1\}^{n}\). Without loss of generality (by symmetry) consider a new query \((x,y,\mathcal {Z})_{j-1,0}\). The analysis depends on whether the query is forward or inverse. First, consider a forward query \(y_{j-1,0}\leftarrow \pi _{j-1,0}(x_{j-1,0})\). There exist at most \(q\) other tuples \((x,y,\mathcal {Z})_{j-1,1}\), and by \(\lnot \mathsf {eD}(\mathcal {Q}_q)_{j-1}\) we have \(|\mathcal {Z}_{j-1,0}|,|\mathcal {Z}_{j-1,1}|\le \tau ^{j-1}\) (these sets are fixed once \(x_{j-1,0}\) is fixed). Therefore, the query adds a solution to \(\mathsf {eD}(\mathcal {Q}_{q})_j\) with probability at most \(\frac{\tau ^{2(j-1)}q}{N-q}\), and any hit adds at most \(\tau ^{j-1}\) values (by \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-1}\)). Next, consider an inverse query \(x_{j-1,0}\leftarrow \pi _{j-1,0}^{-1}(y_{j-1,0})\). It renders a solution if for some \((x,y,z)_{j-2,0}\), \((x,y,z)_{j-2,1}\), and \((x,y,z)_{j-1,1}\):

$$\begin{aligned} x_{j-1,0}&= (y\,\oplus \,z)_{j-2,0} \,\oplus \,(y\,\oplus \,z)_{j-2,1},\\ y_{j-1,0}&= (y\,\oplus \,z)_{j-2,0} \,\oplus \,(y\,\oplus \,z)_{j-1,1} \,\oplus \,z. \end{aligned}$$

(Indeed, in this case \(z_{j-1,0}=(y\,\oplus \,z)_{j-2,0}\).) We make a distinction between the cases \(y_{j-1,0}\,\oplus \,z=y_{j-1,1}\) and \(y_{j-1,0}\,\oplus \,z\ne y_{j-1,1}\); an adversary may succeed in both cases. In the former case, the values \(y_{j-1,0}\) and \(z\) fix \(y_{j-1,1}\), and by \(\lnot \mathsf {eD}(\mathcal {Q}_q)_{j-1}\), we have \(|\mathcal {Z}_{j-1,1}|\le \tau ^{j-1}\). By \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-2}\), there is one solution \((x,y,z)_{j-2,0}\) to the second equation. By \(\lnot \mathsf {eD}(\mathcal {Q}_q)_{j-2}\), there are also at most \(\tau ^{j-2}q\) solutions for \((x,y,z)_{j-2,1}\), and a solution is thus obtained with probability at most \(\frac{\tau ^{2j-3}q}{N-q}\). Any hit adds at most \(\tau ^{j-1}\) values (by \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-2}\)). Next, we consider the general case of \(y_{j-1,0}\,\oplus \,z\ne y_{j-1,1}\). By \(\lnot \mathsf {eB}(\mathcal {Q}_q)_{j-1}\) for \(\overline{z}:=y_{j-1,0}\,\oplus \,z\) (for which we thus have \(y_{j-1,1}\ne y_{j-1,0}\,\oplus \,z\)), there are at most \(\tau ^{j-1/2}\) solutions \((x,y,z)_{j-2,0}\) and \((x,y,z)_{j-1,1}\) to the second equation (using \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-2\cap j-1}\)). By \(\lnot \mathsf {eD}(\mathcal {Q}_q)_{j-2}\), there are also at most \(\tau ^{j-2}q\) solutions for \((x,y,z)_{j-2,1}\), and a solution is thus obtained with probability at most \(\frac{\tau ^{2j-5/2}q}{N-q}\). Any hit adds at most \(\tau ^{j-1/2}\) values (by \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-2}\)). Concluding the inverse case, a hit is found with probability at most \(\frac{\tau ^{2j-3}q}{N-q} + \frac{\tau ^{2j-5/2}q}{N-q}\le \frac{\tau ^{2(j-1)}q}{N-q}\) and any hit adds at most \(\tau ^{j-1}+\tau ^{j-1/2}\) values.

More than \(\tau ^j\) solutions are added with probability at most

$$\begin{aligned}&{q\atopwithdelims ()\tau ^j/(\tau ^{j-1}+\tau ^{j-1/2}) } \left( \frac{\tau ^{2(j-1)}q}{N-q} \right) ^{\tau ^j/(\tau ^{j-1}+\tau ^{j-1/2})} \\&\quad \le \left( \frac{e(\tau ^jq)^2}{N-q} \right) ^{\tau ^{1/2}-1}. \end{aligned}$$

Summing over all \(N\) choices of \(z\), we obtain:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {eD}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-2\cap j-1}\right] \le N \left( \frac{e(\tau ^jq)^2}{N-q} \right) ^{\tau ^{1/2}-1}. \end{aligned}$$
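The two binomial estimates above (the one for \(\mathsf {eC}(\mathcal {Q}_{q})_j\) and the one for \(\mathsf {eD}(\mathcal {Q}_{q})_j\)) rest on the same two facts. The following is an added expansion of that step and is not part of the original proof; \(k_{\mathsf C}\), \(k_{\mathsf D}\) (the two exponents) and \(p:=\tau ^{2(j-1)}q/(N-q)\) (the per-query hit probability) are shorthand introduced here only. The exponents are

$$\begin{aligned} k_{\mathsf C}&= \frac{\tau ^j-\tau ^{j-1}}{\tau ^{j-1}+\tau ^{j-1/2}} = \frac{\tau -1}{1+\tau ^{1/2}} = \frac{(\tau ^{1/2}-1)(\tau ^{1/2}+1)}{1+\tau ^{1/2}} = \tau ^{1/2}-1,\\ k_{\mathsf D}&= \frac{\tau ^j}{\tau ^{j-1}+\tau ^{j-1/2}} = \frac{\tau }{1+\tau ^{1/2}} \ge \frac{\tau -1}{1+\tau ^{1/2}} = \tau ^{1/2}-1. \end{aligned}$$

For an exponent \(k\) with \(k\ge \tau ^{-2}\) (both \(k_{\mathsf C}\) and \(k_{\mathsf D}\) satisfy this for \(\tau \ge 3\), since already \(\sqrt{3}-1>1/9\)), the standard estimate \({q\atopwithdelims ()k}\le q^k/k!\le (eq/k)^k\) (from \(k!\ge (k/e)^k\), with \(k\) treated as an integer as the proof does) gives

$$\begin{aligned} {q\atopwithdelims ()k}\,p^k \le \left( \frac{eq}{k}\cdot \frac{\tau ^{2(j-1)}q}{N-q}\right) ^k = \left( \frac{e\,q^2\,\tau ^{2(j-1)}}{k\,(N-q)}\right) ^k \le \left( \frac{e(\tau ^jq)^2}{N-q}\right) ^k, \end{aligned}$$

where the last step uses \(\tau ^{2(j-1)}/k\le \tau ^{2j}\), which holds exactly when \(k\ge \tau ^{-2}\). For \(\mathsf {eC}\) the exponent is \(k_{\mathsf C}=\tau ^{1/2}-1\) on the nose. For \(\mathsf {eD}\) the exponent \(k_{\mathsf D}\) is at least \(\tau ^{1/2}-1\); the bound is only non-trivial when the base \(e(\tau ^jq)^2/(N-q)\) is below \(1\), and in that regime raising it to a larger exponent can only decrease it, so the exponent \(\tau ^{1/2}-1\) is valid in both cases.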

Conclusion of proof. From (6) and (7), and simplifying the above bounds, we obtain:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right]&\le \sum _{j=0}^\ell \frac{2(\tau ^jq)^2}{N-q} + \sum _{j=1}^\ell 4N \left( \frac{e(\tau ^jq)^2}{N-q} \right) ^{\tau ^{1/2}-1} \\&= \frac{2q^2}{N-q}\sum _{j=0}^\ell \tau ^{2j} \nonumber \\&\quad + 4N\left( \frac{eq^2}{N-q}\right) ^{\tau ^{1/2}-1}\sum _{j=1}^\ell \tau ^{2(\tau ^{1/2}-1)j}\\&\le \frac{4(\tau ^\ell q)^2}{N-q} + 8N\left( \frac{e(\tau ^\ell q)^2}{N-q}\right) ^{\tau ^{1/2}-1}. \end{aligned}$$

Here, we use that \(\sum _{j=0}^{\ell } x^j = \frac{x^{\ell +1}-1}{x-1}\le \frac{x}{x-1}x^\ell \le 2x^\ell \) for \(x\ge 2\). \(\square \)

Mennink, B., Preneel, B. Efficient parallelizable hashing using small non-compressing primitives. Int. J. Inf. Secur. 15, 285–300 (2016). https://doi.org/10.1007/s10207-015-0288-7
