A Proof of Security in O(2n) for the Xor of Two Random

Permutations
– Proof with the “Hσ technique”–
Jacques Patarin
Université de Versailles
45 avenue des Etats-Unis
78035 Versailles Cedex - France

Abstract
Xoring two permutations is a very simple way to construct pseudorandom functions from pseudo-
random permutations. The aim of this paper is to get precise security results for this construction. Since
such construction has many applications in cryptography (see [2, 3, 4, 6] for example), this problem is
interesting both from a theoretical and from a practical point of view. In [6], it was proved that Xoring
2n
two random permutations gives a secure pseudorandom function if m  2 3 . By “secure” we mean
here that the scheme will resist all adaptive chosen plaintext attacks limited to m queries (even with un-
limited computing power). More generally in [6] it is also proved that with k Xor, instead of 2, we have
kn
security when m  2 k+1 . In this paper we will prove that for k = 2, we have in fact already security
when m  O(2n ). Therefore we will obtain a proof of a similar result claimed in [2] (security when
m  O(2n /n2/3 )). Moreover our proof is very different from the proof strategy suggested in [2] (we
do not use Azuma inequality and Chernoff bounds for example, but we will use the “Hσ technique” as
we will explain), and we will get precise and explicit O functions. Another interesting point of our proof
is that we will show that this (cryptographic) problem of security is directly related to a very simple to
describe and purely combinatorial problem.

Key words: Pseudorandom functions, pseudorandom permutations, security beyond the birthday bound,
Luby-Rackoff backwards,Hσ technique, introduction to Mirror Theory.

This paper is the extended version of the paper [14] with the same title published at ICITS 2008 pp.
232-248. It can be seen as an introduction to “Mirror Theory”, i.e. evaluation of the number of solutions of
linear equalities (=) and linear non equalities (6=) in finite groups.

1 Introduction
The problem of converting pseudorandom permutations (PRP) into pseudorandom functions (PRF) named
“Luby-Rackoff backwards” was first considered in [3]. This problem is obvious if we are interested in an
asymptotic polynomial versus non polynomial security model (since a PRP is then a PRF), but not if we are
interested in achieving more optimal and concrete security bounds. More precisely, the loss of security when
regarding a PRP as a PRF comes from the “birthday attack” which can distinguish a random permutation
n n
from a random function of n bits to n bits, in 2 2 operations and 2 2 queries. Therefore different ways to build

1
 n
PRF from PRP with a security above 2 2 and by performing very few computations have been suggested
(see [2, 3, 4, 6]). One of the simplest way is simply to Xor k independent pseudorandom permutations, for
example with k = 2. In [6] (Theorem 2 p.474), it has been proved, with a simple proof, that the Xor of k
k 2
independent PRP gives a PRF with security at least in O(2 k+1 n ). (For k = 2 this gives O(2 3 n )). In [2], a
much more complex strategy (based on Azuma inequality and Chernoff bounds) is presented. It is claimed
2
that with this strategy we may prove that the Xor of two PRP gives a PRF with security at least in O(2n /n 3 )
n
and at most in O(2n ), which is much better than the birthday bound in O(2 2 ). However the authors of [2]
present a very general framework of proof and they do not give every details for this result. For example,
page 9 they wrote “we give only a very brief summary of how this works”, and page 10 they introduce
O functions that are not easy to express explicitly. In this paper we will use a completely different proof
strategy, based on the “Hσ technique” (this is part of the general “coefficient H technique”, see Section 3
below), simple counting arguments and induction. We will need a few pages, but we will get like this a self
contained proof of security in O(2n ) for the Xor of two permutations with a precise O function. In fact,
this paper can be seen as a good introduction to this “Hσ technique”. (This technique can also be used for
the proof of many other secret key schemes). Since building PRF from PRP has many applications (see
[2, 3, 4]), we think that these results are really interesting both from theoretical and from practical point of
view.
It may be also interesting to notice that there are many similarities between this problem and the security
of Feistel schemes built with random round functions (also called Luby-Rackoff constructions). In [8], it
was proved that for L-R constructions with k rounds functions we have security that tends to O(2n ) when
the number k of rounds tends to infinity. Then in [11], it was proved that security in O(2n ) was obtained
not only for k → +∞, but already for k = 7 (Later similar proofs for k = 6 and k = 5 were obtained).
Similarly, we have seen that in [6] it was proved that for the Xor of k PRP we have security that tends O(2n )
when k → +∞. In this paper, we show that security in O(2n ) is not only for k → +∞, but already for
k = 2.
Related Problems. In [15] the best know attacks on the Xor of k random permutations are studied in
various scenarios. For k = 2 the bound obtained are near our security bounds. In [7] attacks on the Xor of
two public permutations are studied (i.e. indifferentiability instead of indistinguishibility).
In [10], the same problem is analyzed with the “standard” H technique instead of the Hσ technique.

Part I
From the Xor of Two Permutations to the λi values
2 Our notation
• m and n are two integers. In = {0, 1}n . (from a cryptographic point of view, m will be the number
of queries, and n is the number of bits of the inputs and outputs of each query).

• Fn is the set of all applications from In to In .

• Bn is the set of all permutations from In to In .

• Hm (cf section 3) denotes the number of (f, g) ∈ Bn2 such that ∀i, 1 ≤ i ≤ m, (f ⊕ g)(ai ) = bi .
Hm is a compact notation for Hm (b1 , b2 , . . . , bm ).

2
 • hm (cf section 3) denotes the number of (P1 , P2 , . . . , Pm , Q1 , Q2 , . . . , Qm ) ∈ In2m such that: the
Pi are pairwise distinct, the Qi are pairwise distinct, and: ∀i, 1 ≤ i ≤ m, Pi ⊕ Qi = bi . hm is
a compact notation for hm (b1 , b2 , . . . , bm ). (Hm and hm are equal up to a multiplicative constant:
|Bn |2
Hm = hm . (2n (2n −1)...(2 n −m+1))2 , cf formula (3.2) of section 3).

• λm (cf section 5) denotes the number of sequences (fi , gi , hi ), 1 ≤ i ≤ m, fi , gi , hi ∈ In such that:

the fi are pairwise distinct, the gi are pairwise distinct, the hi are pairwise distinct, and the fi ⊕ gi ⊕ hi
are pairwise distinct, 1 ≤ i ≤ m.
(2n (2n −1)...(2n −m+1))4
• Um denotes 2nm .

• “Conditions λα ” (cf. section 5) means that the fi are pairwise distinct, the gi are pairwise distinct,
the hi are pairwise distinct, and the fi ⊕ gi ⊕ hi are pairwise distinct, 1 ≤ i ≤ α. Therefore we have
2α(α − 1) non (linear) equalities: (f1 6= f2 , f1 6= f3 , etc.).

• “Conditions βi ” (cf section 6) denotes the 4 equalities that should not be satisfied in λα+1 (in addition
of conditions λα : β1 : fα+1 = f1 , β2 : fα+1 = f2 , . . . , β4α : fα+1 ⊕ gα+1 ⊕ hα+1 = fα ⊕ gα ⊕ hα .

• Let X be an independent with a constant Ψ (Ψ = 0 or ψ 6= 0) affine equation in the fi , gi , hi variables.

(for example X is f1 ⊕ g1 = f2 ⊕ g2 ⊕ ψ where Ψ a constant). Then (cf section 7) λ0α (X) denotes
the number of fa , gb , hc with a, b, c ∈ {1, . . . , α} that satisfy the conditions λα plus the equation X.
When is fixed, we denote by (λ0α (Ψ) any value λ0α (X), and λ0α any value λ0α (0).

• Let X1 , X2 , . . . , Xd be d independent and compatible affine equations in the variables fi , gi , hi , 1 ≤

i ≤ α. Here by “compatible”, we mean that by linearity from X1 , X2 , . . . , Xd we cannot obtain an
equation fi = fj or gi = hj or hi = hj , or fi ⊕ gi ⊕ hi = fj ⊕ gj ⊕ hj , or Ψ = 0 or with Ψ a
constant 6= 0 with i 6= j. Then (cf Section 15) denotes the number of fa , gb , hc with a, b, c{1, . . . , α}
that satisfy the λα conditions plus the equations X1 , . . . , Xd .

• Let Ψ1 , . . . , Ψd be the constant of X1 , . . . , Xd . For simplicity we denote by λda (Ψ1 , . . . , Ψd ) the

values λda (X1 , . . . , Xd ) and just by λda the values λda (0, . . . , 0) (i.e. with Ψ1 = Ψ2 = . . . = 0).

• λ00α (X, Y ) denotes λ2α (X, Y ), and λ00α denotes λ2α .

<
• ∼ means ≤ or ∼.
0 (4)
• λα is a value λ0α with this equation x : fα+1 ⊕ gα+1 ⊕ hα+1 = f1 ⊕ g1 ⊕ h1 ⊕ Ψ.

3 Our general proof strategy

Aim of this paper

In all this paper we will denote In = {0, 1}n . Fn will be the set of all applications from In to In , and
n
Bn will be the set of all permutations from In to In . Therefore |In | = 2n , |Fn | = 2n·2 and |Bn | = (2n )!.
x ∈R A means that x is randomly chosen in A with a uniform distribution.
The aim of this paper is to prove the theorem below, with an explicit O function (to be determined).

3
Theorem 1 For all CPA-2 (Adaptive chosen plaintext attack) φ on a function G of Fn with m chosen
plaintext, we have: AdvPRF
φ ≤ O( 2mn ) where AdvPRF
φ denotes the advantage to distinguish f ⊕ g, with
f, g ∈R Bn from h ∈R Fn .

This theorem says that there is no way (with an adaptive chosen plaintext attack) to distinguish with a
good probability f ⊕ g when f, g ∈R Bn from h ∈R Fn when m  2n (and this even if we have access
to infinite computing power, as long as we have access to only m queries). Therefore, it implies that the
number λ of computations to distinguish f ⊕ g with f, g ∈R Bn from h ∈R Fn satisfies: λ ≥ O(2n ). We
say also that there is no generic CPA-2 attack with less than O(2n ) computations for this problem, or that
the security obtained is greater than or equal to O(2n ). Since we know (for example from [2] or Attack 1
of Appendix F) that there is an attack in O(2n ), Theorem 1 also says that O(2n ) is the exact security bound
for this problem.
Proof strategy and organization of the paper
To prove Theorem 1, we will proceed like this:

1. First we will see in section 4, that, for the Xor of two random permutations, security in CPA-2 is the
same as security in KPA.

2. We will see in section 4 and in section 5 (using “Hσ technique) our security result can be written in
term of Hm coefficients, then in term of hm coefficients, and then in term of λm coefficients. More
<
precisely, Theorem 1 can be proven for λm ∼ Um when m  2n (cf section 2 for the definitions of
<
Hm , hm , λn , Um ). We will see in section 8 (from “Orange Equations”) that λm ∼ Um when m  2n
can be proven from
0 λm 1 m
λm(4) ≤ n (1 + 0( n ) + O( 2n ))
2 2 2
0 (4) < λm
and lore generally that each better evaluation of λm ∼ 2n gives a better evaluation for our security
bound.

3. To evaluate values λ0m we will use “purple equations”. In fact, we have here two strategies: a “direct”
strategy (“Hσ with Ψ = 0, using only equations with Ψ = 0) and a “difference” strategy (Hσ δ
strategy) comparing solutions with Ψ = 0 and Ψ 6= 0. With the “difference strategy”, our aim is
0 (4) > 0 (4) >
finally to prove that λm (Ψ) ∼ λm . (the better ∼ and the better the proven security result will be).
Both strategy are successful, but the “difference” strategy gives more simple calculations. Appendix
D illustrates these difficulties when we use the “direct” strategy.

In parallel to our general proof (in m  2n ), we will

• present many examples on small values in Appendix A (with Ψ = 0) and in Appendix B (with Ψ 6= 0).
n
• Give 3 partial results to illustrate quickly the efficiency of the technique: security when m  2 2 in
5n 8n
section 7, security when m  2 6 in section 8, security when m  2 9 in section 11.

4 “Hσ technique” and the computation of E(h)

We will use this general Theorem:

4
Theorem 2 ( “Coefficient H technique”) Let α and β be real numbers, α > 0 and β > 0. Let E be a subset
of Inm such that |E| ≥ (1 − β) · 2nm . If:

1. For all sequences ai , 1 ≤ i ≤ m, of pairwise distinct elements of In and for all sequences bi ,
1 ≤ i ≤ m, of E we have:
|Bn |2
H ≥ nm (1 − α)
2
where H denotes the number of (f, g) ∈ Bn2 such that ∀i, 1 ≤ i ≤ m, (f ⊕ g)(ai ) = bi .
Then

2. For every CPA-2 with m chosen plaintexts we have: p ≤ α + β where p = AdvPRF

φ denotes the
2
advantage to distinguish f ⊕ g when (f, g) ∈R Bn from a function h ∈R Fn .

Remark. H is a simplified notation for H(a, b), or for H(b) since we can easily prove that H(a, b) does
not depend of the a = (ai , 1 ≤ i ≤ m) values (but in general depends of the b = (bi , 1 ≤ i ≤ m) values).
Since the choice of the ai values has no influence, we see that here the security in KPA and CPA-2 are
equivalent.
Proof: Let a0i , 1 ≤ i ≤ m be a sequence of pairwise distinct elements of In and let ϕ be a bijection such
that ∀i, 1 ≤ i ≤ m, ϕ(a0i ) = ai . Then: f ◦ ϕ(a0i ) ⊕ g ◦ ϕ(a0i ) = bi ⇔ f (ai ) ⊕ g(ai ) = bi . Thus we see that
H(a0i , bi ) ≥ H(ai , bi ) and similarly H(ai , bi ) ≤ H(a0i , bi ).

Proof of Theorem 2
It is not very difficult to prove Theorem 2 with classical counting arguments. This proof technique is
sometimes called the “Coefficient H technique”. A complete proof of Theorem 2 can also be found in [13]
page 27 and a similar Theorem was used in [11] p.517. In order to have all the proofs in this paper, Theorem
2 is also proved in Appendix H.

How to get Theorem 1 from Theorem 2(“Hσ technique”)

In order to get Theorem 1 from Theorem 2, a sufficient condition is to prove that for “ most” (most since
we need β small) sequences of values bi , 1 ≤ i ≤ m, bi ∈ In , we have: the number H of (f, g) ∈ Bn2 such
|Bn |2
that ∀i, 1 ≤ i ≤ m, f (ai ) ⊕ g(ai ) = bi satisfies: H ≥ nm (1 − α) for a small value α (more precisely
2
with α  O( 2mn )). For this, in this paper, we will evaluate E(H) the mean value of H when the bi values
are randomly chosen in Inm , and σ(H) the standard deviation of H when the bi values are randomly chosen
in Inm . (Therefore we can call our general proof strategy the “Hσ technique”, since we use the coefficient
H technique plus the evaluation of σ(H)). In [10], we use a different technique; we evaluate H directly
without using σ(H), i.e. “standard H technique”.
Remark. Hσ technique in an efficient technique in KPA and CPA-1 but not in CPA-2 since in Theorem 2,
the set E do not depend on the ai values. However, here, H does not depend on the values ai and CPA-2 is
equivalent to KPA, so we can use Hσ here for CPA-2 security.

Theorem 3 (Hσ technique)

For all CPA-2, we have
 σ(H) 2/3
P RF
AdvΦ ≤2
E(H)

5
 Proof of Theorem 3
From Bienayme-Tchebichev Theorem, we have

V (H)
∀ > 0, P r(|H − E(H)| ≤ ) ≥ 1 −
2
So with  = αE(H), we get:

σ 2 (H)
∀α > 0, P r |H − E(H)| ≤ αE(H) ≥ 1 − 2 2
α E (H)

So
  σ 2 (H)
∀α > 0, P r H ≥ E(H)(1 − α) ≥ 1 − 2 2
α E (H)
Therefore with E = {bi , H(bi ) ≥ E(H)(1 − α)} from Theorem 2 we will have for all α > 0:

σ 2 (H)
AdvPRF
φ ≤α+
α2 E 2 (H)
σ(H)
2/3
With α = E(H) , this gives

σ(H)
2/3 V (H)
1/3

AdvPRF
φ ≤2 =2 2 (3.1)
E(H) E (H)
|Bn |2 |Bn |2 m 32
We will prove that E(H) = 2nm and that σ(H) = 2nm O( 2n ) , with an explicit O function, i.e. that
2
σ(H)  E(H) when m  σ(H)
2n . So if E(H) = O( 2mn )3/2 , and E(H) = |B n|
2nm , Theorem 1 comes from
Theorem 3.

Introducing h instead of H
H is (by definition) the number of (f, g) ∈ Bn2 such that ∀i, 1 ≤ i ≤ m, f (ai ) ⊕ g(ai ) = bi .
∀i, 1 ≤ i ≤ m, let xi = f (ai ). We will denote h(b), or simply by h, for simplicity (but h depends on b), be
the number of sequences xi , 1 ≤ i ≤ m, xi ∈ In , such that:

1. The xi are pairwise distinct, 1 ≤ i ≤ m.

2. The xi ⊕ bi are pairwise distinct, 1 ≤ i ≤ m.

Remark. h is also the number of P1 , P2 , . . . , Pm , Q1 , Q2 , . . . , Qm ∈ In such that the Pi are pairwise
distinct, the Qi are pairwise distinct, and ∀i, 1 ≤ i ≤ m, Pi ⊕ Qi = bi .
|Bn |2
We see that H = h ·
2 (3.2). (Since when xi is fixed, f and g are fixed on
2n (2n −1)...(2n −m+1)
exactly m pairwise distinct points by ∀i, 1 ≤ i ≤ m, f (ai ) = xi and g(ai ) = bi ⊕ xi ). (3.2) gives
another proof that H(a, b) does P not depend on the ai values). n
We also have: ∀b1 , . . . , bm , 2
bm+1 ∈In h(b1 , . . . , bm+1 ) = (2 − m) h(b1 , . . . , bm ) (3.3) since for
Pm+1 and Qm+1 we have (2n − m)2 possibilities.

6
From (3.1) and (3.2) we have

σ(H)
2/3 σ(h)
2/3

AdvPRF
φ ≤2 =2 (3.4)
E(H) E(h)

Therefore, instead of evaluating E(H) and σ(H), we can evaluate E(h) and σ(h), and our aim is to prove
that
(2n (2n − 1) . . . (2n − m + 1))2 |Bn |2
E(h) = (this means thatE(h) = from (3.2))
2nm 2nm
and that
σ(h)  E(h) when m  2n
As we will see, the most difficult part will be the evaluation of σ(h). (We will see in Section 5 that this
evaluation of σ(h) leads us to a purely combinatorial problem: the evaluation of values that we will call
λα ).
Remark: We will not do it, nor need it, in this paper, but it is possible to improve slightly the bounds by
using a more precise evaluation than the Bienayme-Tchebichev Theorem: instead of
1
P r(|h − E(h)| ≥ tσ(h)) ≤ ,
t2
it is possible to prove that for our variables h, and for t >> 1, we have something like this:
1
P r(|h − E(h)| ≥ tσ(h)) ≤
et
(For this we would have to analyze more precisely the law of distribution of h: it follows almost a Gaussian
and this gives a better evaluation than just the general t12 ).
Computation of E(h)
Let b = (b1 , . . . , bn ), and x = (x1 , . . . , xn ). For x ∈ Inm , let

The xi are pairwise distinct, 1≤i≤m
δx = 1 ⇔
The xi ⊕ bi are pairwise distinct, 1 ≤ i ≤ m

and δx = 0 ⇔ δx 6= 1. Let Jnm be the set of all sequences P Pdistinct, 1 ≤

xi such that all the xi are pairwise
m n n n
i ≤ m. Then |Jn | = 2 (2 − 1) . . . (2 − m + 1) and h = x∈Jnm δx . So we have E(h) = x∈Jnm E(δx ).
For x ∈ Jnm ,

2n (2n − 1) . . . (2n − m + 1)
E(δx ) = P rb∈R Inm (All the xi ⊕ bi are pairwise distinct) =
2nm
Therefore
2n (2n − 1) . . . (2n − m + 1) (2n (2n − 1) . . . (2n − m + 1))2
E(h) = |Jnm | · =
2nm 2nm
as expected.

7
5 First results on V (h)
We denote by V (h) the variance of h when b ∈R Inm . We have seen that our aim (cf(3.1)) is to prove that
n n n −m+1))4
V (h)  E 2 (h) whenPm  2n (with E 2 (h) = (2 (2 −1)...(222nm
). With the same notations as in
Section 4 above, h = x∈Jnm δx . Since the variance of a sum is the sum of the variances plus the sum of all
covariances we have: X  
V (h) = E(δx δx0 ) − E(δx ) E(δx0 ) (5.1)
x,x0 ∈Jnm

We will now study the 2 terms in (5.1), i.e. the terms in E(δx δx0 ) and the terms in E(δx ) E(δx0 ).

Terms in E(δx ) E(δx0 )

(2n (2n − 1) . . . (2n − m + 1))2

E(δx ) E(δx0 ) =
22nm
X (2n (2n − 1) . . . (2n − m + 1))4
So E(δx )E(δx0 ) = = E 2 (N ) (5.3)
22nm
x,x0 ∈Jnm

Terms in E(δx δx0 )

Therefore the last term Am that we have to evaluate in (5.1) is
X

Am =def E(δx δx0 =
x,x0 ∈Jnm

 The xi are pairwise distinct, 1≤i≤m !
The x0i are pairwise distinct,

1≤i≤m
X 
P rb∈R Inm
 The xi ⊕ bi are pairwise distinct, 1≤i≤m
x,x0 ∈Jnm 
The x0i ⊕ bi are pairwise distinct, 1≤i≤m


Let λm =def the number of sequences (xi , x0i , bi ), 1 ≤ i ≤ m such that

1. The xi are pairwise distinct, 1 ≤ i ≤ m.

2. The x0i are pairwise distinct, 1 ≤ i ≤ m.

3. The xi ⊕ bi are pairwise distinct, 1 ≤ i ≤ m.

4. The x0i ⊕ bi are pairwise distinct, 1 ≤ i ≤ m.

λm
We have Am = 2nm (5.4). We also have
X
λm = [ Number of sequences xi , 1 ≤ i ≤ m, such that the xi are pairwise distinct,
b∈Inm

and the xi ⊕ bi are pairwise distinct ]2

n n n 4
Let Um = (2 (2 −1)...(2
2nm
−m+1))
= E 2 (h) · 2nm .
From (5.1), (5.2), (5.3), (5.4), we have obtained:
λm λm − Um
V (h) = − E 2 (h) = (5.5)
2nm 2nm

8
Moreover, from (3.4), we have
λm
AdvφP RF ≤ 2( − 1)1/3 (5.6)
Um
<
Therefore, our aim is to prove that λm ∼ Um

< (2n (2n − 1) . . . (2n − m + 1))4

i.e. λm ∼ 2nm · E 2 (h) = (5.7)
2nm
<
where a ∼ b means a ≤ b or a ' b.
Remark. Since V (h) ≥ 0, we necessarily have from (5.5):

λm ≥ Um , i.e. λm ≥ E 2 (h) · 2nm (5.8)

<
Unfortunately our aim is to prove the other direction: λm ∼ E 2 (h)·2nm (it is more difficult). However since
<
we have (5.8) we can notice that proving λm ∼ Um is in fact equivalent to prove λm ' Um . It is interesting
to notice that the cryptographic property that we want to prove is “just” equivalent to λm ' E 2 (h) · 2nm
where the λm values do not depend on a or b but only on m. It is also interesting to notice that in
“standard ” coefficients H theorems we usually want to prove that H ≥ something, while here we want to
prove that λm ≤ something (by using σ(H) instead of H).

Change of variables
Let fi = xi and gi = x0i , hi = xi ⊕ bi . We see that λm is also the number of sequences (fi , gi , hi ),
1 ≤ i ≤ m, fi ∈ In , gi ∈ In , hi ∈ In , such that
1. The fi are pairwise distinct, 1 ≤ i ≤ m.
2. The gi are pairwise distinct, 1 ≤ i ≤ m.
3. The hi are pairwise distinct, 1 ≤ i ≤ m.
4. The fi ⊕ gi ⊕ hi are pairwise distinct, 1 ≤ i ≤ m.
(With this representation we can express λm without introducing the bi values).
We will call these conditions 1.2.3.4. the “conditions λm ”. Examples of λm values are given in Appendix
A. In order to get (5.7), we see that a sufficient condition is finally to prove that
(2n (2n − 1) . . . (2n − m + 1))4 m

λm ≤ nm
1 + O( n ) (5.9)
2 2
(or = instead of ≤ here) with an explicit O function. So we have transformed our security proof against all
CPA-2 for f ⊕ g, f, g ∈R Bn , to this purely combinatorial problem (5.9) on the λm values. (We can notice
that in E(h) and σ(h) we evaluate the values when the bi values are randomly chosen, while here, on the
λm values, we do not have such bi values anymore). The proof of this combinatorial property is given below
and in the Appendices. (Unfortunately the proof of this combinatorial property (5.9) is not obvious: we will
need a few pages. However, fortunately, the mathematics that we will use are simple).
Notation. We will sometime use the notation: zi = fi ⊕ gi ⊕ hi . Then we can notice that in all our systems
the variables fi , gi , hi and zi are symmetrical, i.e. they have the same properties. Moreover, we can notice
that if we remove the equation zi = fi ⊕ gi ⊕ hi but keep the fact that zi 6= zj if i 6= j, then we get exactly
(2n (2n − 1) . . . (2n − m + 1))4 solutions.

9
 √
6 First Approximation in λα : security when m  2n
The values λα have been introduced in Section 5. Our aim is to prove (5.9), (or something similar, for
k+1
example with O( m2nk ) for any integer k) with explicit O functions. For this, we will proceed like this: in
this Section 6 we will give a first evaluation of the values λα . Then, in Section 7, we will prove an induction
formula (7.2) on λα . Finally, we will use this induction formula (7.2) to get our property on λα .
[2n (2n − 1) . . . (2n − α + 1)]4 n 4
We have defined above: Uα = nα
. We have Uα+1 = (2 2−α)
n Uα .
2
4α 6α2 4α3 α4

Uα+1 = 23n 1 − + − + Uα (6.1)
2n 22n 23n 24n
λα+1
Similarly, we want to obtain an induction formula on λα , i.e. we want to evaluate λα . More precisely our
aim is to prove something like this:

λα+1 Uα+1 1 α

= 1 + O( n ) + O( 2n ) (6.2)
λα Uα 2 2
Notice that here we have O( 2α2n ) and not O( 2αn ). Therefore we want something like this:

λα+1 4α 6α2 4α3 α4
1 α

3n
= 1 − n
+ 2n
− 3n
+ 4n
1 + O( n ) + O( 2n ) (6.3)
2 · λα 2 2 2 2 2 2

(with some specific O functions)

Then, from (6.2) used for all 1 ≤ i ≤ α and since λ1 = U1 = 23n , we will get

λα
λα−1
λ2
1 α
α
λα = ... λ1 = Uα 1 + O( n ) + O( 2n )
λα−1 λα−2 λ1 2 2

From this we will get:

α

λα = Uα 1 + O( )
2n
and therefore we will get property (5.9):
α
λα ≤ Uα (1 + O( ))
2n
as wanted. Notice that to get here O( 2αn ) we have used O( 2α2n ) in (6.2).
By definition λα+1 is the number of sequences (fi , gi , hi ), 1 ≤ i ≤ α + 1 such that we have:

1. The conditions λα

2. fα+1 ∈
/ {f1 , . . . , fα }

3. gα+1 ∈
/ {g1 , . . . , gα }

4. hα+1 ∈
/ {h1 , . . . , hα }

5. fα+1 ⊕ gα+1 ⊕ hα+1 ∈

/ {f1 ⊕ g1 ⊕ h1 , . . . , fα ⊕ gα ⊕ hα }

10
We will denote by β1 , . . . , β4α the 4α equalities that should not be satisfied here: β1 : fα+1 = f1 , β2 :
fα+1 = f2 , . . ., β4α : fα+1 ⊕ gα+1 ⊕ hα+1 = fα ⊕ gα ⊕ hα .
First evaluation
When fi , gi , hi values are fixed, 1 ≤ i ≤ α, such that they satisfy conditions λα , for fα+1 that satisfy
2), we have 2n − α solutions and for gα+1 that satisfy 3) we have 2n − α solutions. Now when fi , gi , hi ,
1 ≤ i ≤ α, and fα+1 , gα+1 are fixed such that they satisfy 1), 2), 3), for hα+1 that satisfy 4) and 5) we have
between 2n − α and 2n − 2α possibilities. Therefore (first evaluation for λλα+1 α
) we have:

λα (2n − α)2 (2n − 2α) ≤ λα+1 ≤ λα (2n − α)2 (2n − α)

Therefore :
4α 5α2 2α3 λα+1 3α 3α2 α3
1− + − ≤ ≤ 1 − + − ≤1 (6.4)
2n 22n 23n 23n · λα 2n 22n 23n
or simply
4α λα+1
1− ≤ 3n ≤1
2n 2 λα
This is an approximation in O( 2αn ). From (6.1) we have found:

Uα+1 4α 6α2 4α3 α4

= 1 − + − +
23n Uα 2n 22n 23n 24n
λα
Let µα = Uα . From (6.1) and (6.4), we get:
2 3
µα+1 1 − 3α 3α
2n + 22n − 23n
α
≤ 6α2 4α3 α4
µα 1 − 4α
2n + 22n − 23n + 24n
µα µα−1
Now, since µ1 = 1 and µα = µα−1 . µα−2 . . . µµ12 .µ1 , we get

3α 3α2 α3
 1− 2n + 22n
− 23n
α
λ α ≤ Uα 4α 6α2 4α3 α4
1− 2n + 22n
− 23n
+ 24n

2n
If we assume α < 4 , we get
α 3α2 3α3 α4

2n − 22n
+ 23n
− 24n
α α α
λα ≤ Uα 1 + 4α ≤ Uα (1 + 4α )
1− 2n 2n (1 − 2n )
 α3 
In the other direction, we get similarly: λα ≥ Uα 1 − 4α , or from (5.8): λα ≥ Uα (but we
2n (1 − 2n )
do not need this direction).
 α α
Uα ≤ λα ≤ Uα 1 + 4α (6.5) (“First Approximation of λ00α )
2n (1 − 2n )

Now from (5.6):

h α α i1/3
Advα ≤ 2 1 + 4α −1 “First Approximation of Advα00 )
2n (1 − 2n )

11
 α < 2
When α2  2n this shows that Advα ∼ 2( 2n (1− 4α )
)
1/3 . We have proved here security when α2  2n ,
√ 2n √
i.e. when α  2n . However we want security until α  2n and not only α  2n , so we want a better
evaluation for 2λ3n
α+1
λα
(i.e. we want something like (6.3) instead of (6.4)).
Remark. We do not really need it, but there are various simple explicit expressions that show that (1+x)m '
1 + xm when mx  1.
For example:

Lemma 1 For all integer m and for all x > 0 we have:

m2 x2
(1 + x)m ≤ 1 + mx +
2(1 − mx)
<
This shows that when mx  1, (1 + x)m − 1 ∼ mx. Moreover, if mx ≤ 32 , we have: (1 + x)m ≤ 1 + 2mx.

Proof.
(1 + x)m = 1 + m m 2 m m




1 x + 2 x + ... + m x
≤ 1 + mx + 21 (m2 x2 + m3 x3 + . . .)
m 2 x2
≤ 1 + mx + 2(1−mx)
as claimed.
m 2 x2
Moreover 2(1−mx) ≤ mx if mx ≤ 23 .

Part II
Orange Equations and First Purple Equations on λα
and λ0α
7 An induction formula on λα (“Orange Equations”)
A more precise evaluation
For each i, 1 ≤ i ≤ 4α, we will denote by Bi the set of (f1 , . . . , fα+1 , g1 , . . . , gα+1 , h1 , . . . , hα+1 ), that
satisfy the condition λα and the condition βi . Therefore we have:

λα+1 = 23n λα − | ∪4α

i=1 Bi |

We know that for any set Ai and any integer µ, we have:

µ
| ∪µi=1
X X X
Ai | = |Ai | − |Ai1 ∩ Ai2 | + |Ai1 ∩ Ai2 ∩ Ai3 | + . . . + (−1)µ+1 |A1 ∩ A2 ∩ . . . ∩ Aµ |
i=1 i1 <i2 i1 <i2 <i3

Moreover, each set of 5 (or more) equations βi is in contradiction with the conditions λα because we will
have at least two equations in f , or two in g, or two in h, or two in f ⊕ g ⊕ h (and fα+1 = fi and fα+1 = fj
gives fi = fj with i 6= j and 1 ≤ α, j ≤ α, in contradiction with λα ).

12
 Therefore, we have:
4α
X X X X
λα+1 = 23n λα − |Bi | + |Bi ∩ Bj | − |Bi ∩ Bj ∩ Bk | + |Bi ∩ Bj ∩ Bk ∩ Bl |
i=1 i<j i<j<k i<j<k<l

• 1 equation.
In Bi , we have the conditions λα plus the equation βi , and βi will fix fα+1 , or gα+1 , or hα+1 from the
other values. Therefore:
4α
X
2n
|Bi | = 2 λα and − |Bi | = −4α · 22n λα
i=1

• 2 equations.
First Case: βi and βj are two equations in f (or two in g, or two in h, or two in f ⊕ g ⊕ h. ( For
example: fα+1 = f1 and fα+2 = f2 ). Then these equations are not compatible with the conditions λα ,
therefore |Bi ∩ Bj | = 0.
Second Case: we are not in the first case.PThen two variables (for example fα and
gα ) are fixed from
the others. Therefore: |Bi ∩ Bj | = 2n λα and i<j |Bi ∩ Bj | = 6α2 · 2n λα . (6 = 42 is here the choice of
2 variables between f , g, h and f ⊕ g ⊕ h).
• 3 equations.
If we have two equations in f , or in g, or in h, or in f ⊕ g ⊕ h, we have |Bi ∩ Bj ∩ Bk | = 0. If we are
not in these cases, then fα+1 , gα+1 and hα+1 P are fixed by the three equations from the other variables, and
then |Bi ∩ Bj ∩ Bk | = λα . Therefore: − i<j<k |Bi ∩ Bj ∩ Bk | = −4α3 λα . (4 comes from the fact we
do not have an equation in f , g, h or in f ⊕ g ⊕ h).
• 4 equations.
This value is different from 0 only if we have one equation fα+1 = fi , one equation gα+1 = gj , one
equation hα+1 = hk and one equation fα+1 ⊕gα+1 ⊕hα+1 = fl ⊕gl ⊕hl . Then |Bi ∩Bj ∩Bk ∩Bl | = number
of fa , gb , hc , with a, b, c ∈ {1, . . . , α}, that satisfy the conditions λα plus the equation X: fi ⊕ gj ⊕ hk =
fl ⊕ gl ⊕ hl . We will denote by λ0α (X) this number, and by λ0α any value λ0α (X) when X is linearly
independent with the 4α conditions βi .
Case 1. i, j, k, l are pairwise distinct. Here we have α(α − 1)(α − 2)(α − 3) = α4 − 6α3 + 11α2 − 6α
possibilities for i, j, k, l and from the symmetries of all indexes in the conditions λα , all the λ0α (X) of this
0 (4)
case 1 are equal. We denote by λα this value of λ0α (X). (The (4) here is to remember that we have exactly
4 indexes i, j, k, l). Typical equation X: f1 ⊕ g2 ⊕ h3 = f4 ⊕ g4 ⊕ h4 .
Case 2. In {i, j, k, l}, we have exactly 3 indexes. Here we have 6α(α − 1)(α − 2) = 6α3 − 18α2 + 12α
possibilities for i, j, k, l (since there are 6 possibilities to choose an equality). From the symmetries in the
0 (3)
conditions λα , all the λ0α (X) of this case 2 are equal. We denote by λα this value of λ0α (X). Typical
equation X: f1 ⊕ g1 = f2 ⊕ g3 or f1 ⊕ g1 ⊕ h2 = f3 ⊕ g3 ⊕ h3 .
Case 3. In {i, j, k, l}, 3 indexes have the same value (example i = j = k) and the other one has a
different value. Then X is not compatible with the conditions λα .
Case 4. In i, j, k, l, we have 2 indexes and we are not in the Case 3 (for example i = j and k = l).
Here we have 3α(α − 1) = 3α2 − 3α possibilities for i, j, k, l. From the symmetries in the conditions
0 (2)
λα all the λ0α (X) of this case 4 are equal. We denote by λα this value of λ0α (X). Typical equation X:
f1 ⊕ g1 = f2 ⊕ g2 .

13
 Case 5. We have i = j = k = l. Here we have α possibilities for i, j, k, l. Here X is always true, and
λ0α (X) = λα .
From these 5 cases we get:
0 0 0
X
|Bi ∩ Bj ∩ Bk ∩ Bl | = α(α − 1)(α − 2)(α − 3)λα(4) + 6α(α − 1)(α − 2)λα(3) + 3α(α − 1)λα(2) + αλα
i<j<k<l

Therefore (Exact “Orange Equations”):

0
λα+1 = (23n − 4α · 22n + 6α2 · 2n − 4α3 + α)λα + (α4 − 6α3 + 11α2 − 6α)λα(4) +
0 0
(6α3 − 18α2 + 12α)λα(3) + (3α2 − 3α)λα(2) (7.1)
As said above, we denote by λ0α any value of λ0α (X) such that X is linearly independent with the 4α
conditions βi . Then, from (7.1) we write (“Orange Equations”):

λα+1 = (23n − 4α · 22n + 6α2 · 2n − 4α3 + α)λα + (α4 − 4α2 + 3α)λ0α (7.2)

where A · λ0α is just a notation to mean that we have A terms λ0α but each of these λ0α may have different
values. It is interesting to compare (6.1) on Uα+1 with (7.2) on λα+1 . Our aim is to get (6.3) from (7.2).
For this we see that we have to prove that

λα 1 α
λ0α = (1 + O( n ) + O( 2n )) (7.3)
2n 2 2
0 (4)
for “most” values λ0α or for the values λα . This is what we will do.
Remark.

1. In fact, in (7.3), we only need

λα 1 α
λ0α ≤ n
(1 + O( n ) + O( 2n ))
2 2 2
for our results.

2. The terms “Orange Equations” or “Purple Equations” are here to remember these equations easily,
and also to point out analogies of these equations with similar equations used in Mirror Theory in
other papers (such [10] or [12] for example).

Strong λ0α

Definition 1 We will say that an equation X is “strong”, when X is not the Xor of a constant and of one or
two equations of this type:

fi = fj , gi = gj , hi = hj , or fi ⊕ gi ⊕ hi = fj ⊕ gj ⊕ hj

Similarly we will say that a coefficient λ0α is “strong”, and we denote it by Λ0α when the equation X of λ0α
is strong.

14
 0 (4) 0 (3)
For example here, λα (with typical X : f1 ⊕ g2 ⊕ h3 = f4 ⊕ g4 ⊕ h4 ) is “strong”, but λα (with typical
0 (2)
X : f1 ⊕ g1 = f2 ⊕ g3 or f1 ⊕ g1 ⊕ h2 = f3 ⊕ g3 ⊕ h3 ) and λα (with typical X : f1 ⊕ g1 = f2 ⊕ g2 ) are
not strong since when f1 = f2 , from f1 ⊕ g1 = f2 ⊕ g3 , we get g1 = g3 .
Therefore we can write (“Orange Equations” with strong λ0α ):

λα+1 = (23n − 4α · 22n + 6α2 · 2n − 4α3 + α)λα

+(α4 − 6α3 + 11α2 − 6α)Λ0α + (6α3 − 15α2 + 9α)λ0α (7.4)

5n
8 From the values α to Advα and security when m  2 6
(4) (3) (2)
Theorem 4 Let α , α and α be real values positive or negative) such that
0 (4) (4)
λα
λα ≤ 2n (1 + α )
0 (3) (3)
λα
λα ≤ 2n (1 + α )
0 (2) (2)
λα
λα ≤ 2n (1 + α )
Then
Advm ≤
(−4α2 +3α) 4 3 2 −6α (4) 6α3 −18α2 +12α (3) 3α2 −3α (2)
α
+ + α −6α +11α α + α + α
2[ m−1 23n 24n 24n 24n 24n
] − 1]1/3
Q
α=1 [1 + (1− 2αn )4

Proof From (7.1) we have:

h α4 − 4α2 + 3α α4 − 6α3 + 11α2 − 6α (4)
λα+1 ≤ λα 23n − 4α22n + 6α2 2n − 4α3 + α + + α
2n 2n
6α3 − 18α2 + 12α (3) 3α2 − 3α (2) i
+ α + α
2n 2n
From (6.1) we have:
Uα+1 α
3n
= Uα (1 − n )4
2 2
Therefore:
(−4α2 +3α) α4 −6α3 +11α2 −6α (4) 3 2 +12α (3) 3α2 −3α (2) i
λα+1 λα h α
23n
+ 24n
+ 24n
α + 6α −18α
24n
α + 24n
α
≤ 1+ α 4 (1)
Uα+1 Uα (1 − 2n )

From (5.6), we have: Advm ≤ 2( Uλm

m
− 1)1/3 (2)
λα
Let µα = Uα . From
µα µα−1 µ2
µα = . . . . .µ1
µα−1 µα−2 µ1
and µ1 = 1, we get:
m−1
Y µα+1 m−1
λm Y λα+1 .Uα
= = (3)
Um µα Uα+1 .λα
α=1 α=1
Now from (1), (2) and (3), we get Theorem 4 as claimed.

15
 (4)
Theorem 5 If α is a positive value such that
0 λα
λα(4) ≤ (1 + (4)
α )
2n
then "" !#α #1/3
(4)
1 α 48α4 α4 α
Advα ≤ 2 1+ + + −1
1 − 4α
2n
23n 25n (1 − 8α
2n )
24n
Therefore when α  2n , we have
!1/3
(4)
< α2 48α5 α5 α
Advα ∼ 2 + + 4n
23n 25n 2

Remark. This Theorem 5 shows that in order to prove that Advα  1 when α  2n , we just have to
(4)
evaluate α . However Theorem 4 will give us a better evaluation of Advα .

8α (4) (3)
Proof From Theorem 12 (Appendix E), we have to show that α ≤ (1− 28α n where α can be α , α or
n ).2
(2)
α . Therefore Theorem 5 comes from Theorem 4.
Theorem 6 (Second Approximation for Advα , Security when m  25n/6 )
h 1 α 8α5 α i1/3
Advα ≤ 2 1+ ( + ) −1
1 − 4α
2n
23n 25n (1 − 8α
2n )
< 2 8α6 1/3
Therefore when α6  25n we have: Advα ∼ 2( 2α3n + 25n
) .

(4) 8α
Proof From Theorem 12 (Appendix E), we know that we can take α ≤ (1− 28α n. From this, Theorem
n )2
5 gives immediately Theorem 6.
5n
Theorem 6 shows that Advα is small when α6  25n , i.e. we have proved security when α  2 6 .

8n
9 Proof of security when m  2 9 from Appendix D (with Ψ = 0 and Ψ 6= 0)
We present here our step 3 evaluations, method 2. (Later in next section 13, we will see how to avoid most
of the computations done in Appendix D).
From the end of Appendix D we know that
0 (4) 0 (4) 0 0
λα+1 − λα+1 (ψ) = δα + tα(4) + tα(6) + t0α + t00α (12.1)

with
0 ∗(2) 0 (4) 0 (3) 00
δα = −λα + (3α − 3)λα (ψ) + (α − 3)λα + 3λα − (3α2 − 3α − 6)λα∗ (ψ)
0 (4) 0 (4) 0 (4)
tα = (−α.22n + 3.22n + 3α2 .2n − 9α.2n − 3α3 + 9α2 − 3α + 9)(λα − λα (ψ))
0 (6) 0 (6) 0 (6)
tα = (−α3 + 12α2 − 47α + 60)(λα − λα (ψ))
t0α = (−3.22n + 9α.2n − 21α2 + 54α − 71)(λ0α − λ0α (ψ))
t00α = (α4 − 7α2 + 5α)(λ00α − λ00α (ψ))

16
From Theorem 3 of section 8 (first approximation) we know that when α  2n :

8α 2n λ0α (ψ) < 8α

1− n
≤ ∼1+ n
2 λα 2
(valid when ψ = 0 and ψ 6= 0) and
< λα 16α
λ00α (ψ) ∼ 2n
(1 + n )
2 2
(valid when ψ = 0 and ψ 6= 0)
λα+1
From (7.1) (orange equation) and Theorem 3 of section 8 we know that when α  2n : 2n ' λα .22n .
Therefore
< 3α2
|δα | ∼ λα+1 1 4α
2n ( 22n − 33n + 24n )
0 (4) < 8α2
|tα | ∼ λα+12n ( 22n )
0 (6) < 8α4
|tα | ∼ λα+12n ( 24n )
<
|t0α | ∼ λα+1 24α
2n ( 22n )
< 16α5
|t00α | ∼ λα+1
2n ( 25n )

then from (12.1) we get:

0 (4) 0 (4) < λα+1 1 8α2 8α4 24α 16α5

|λα+1 − λα+1 (ψ)| ∼ ( + + 4n + 2n + 5n )
2n 22n 22n 2 2 2
0 (4) λα+1 8α2
0 (4) <
|λα+1 − λα+1 (ψ)| ∼ ( ) (12.2)
2n 22n
Now from Theorem 4 (Stabilization formula in λ0α (ψ)) and (12.2) we get:

0 (4) < λα+1 8α2

λα+1 ∼ (1 + ) (12.3)
2n 22n
0 (4) 2
We have obtained here an evaluation of λα+1 in O( 2α2n ) instead of O( 2αn ) before.
Moreover if we re-inject (12.2), we obtain:

0 < λα 8α2 2n < λα+1 8α

3
tα(4) ∼ ( )(α.2 ) ∼ ( )
2n 22n 2n 23n
0 (4) 0 (4) < λα+1 8α3
|λα+1 − λα+1 (ψ)| ∼ ( ) (12.4)
2n 23n
0 (4) < λα+1 8α3
λα+1 ∼ (1 + ) (12.5)
2n 23n
If we re-inject again, we obtain:
0 < λα+1 8α4
tα(4) ∼ ( )
2n 24n
0 (4) 0 (4) < λα+1 8α4
|λα+1 − λα+1 (ψ)| ∼ ( ) (12.6)
2n 24n
0 (4) < λα+1 8α4
λα+1 ∼ (1 + ) (12.7)
2n 24n

17
 (4) < 8α4
Here since |α+1 | ∼ 24n
, we get from (10.3):

< α2 48α5 8α9 1/3

Advα ∼ 2( + + 8n )
23n 25n 2
8n
i.e. we have obtained security when α  2 9 . If we want even better evaluation we need a better evaluation
0 (6) 9n
of the λα (it gives security when α  2 10 ) and a better evaluation of the λ00α : this what we will do in
part III.

8n
10 Simplified proof of security when m  2 9 (without Appendix D)
We can notice that in section 9 most of the term obtained from Appendix D are not used. In fact, the most
important thing is the evaluation of δα , in order to show that this term will be sufficiently small. We will
show in this section how this term δα can be directly computed in order to avoid Appendix D.
Here the equation X is: fα+1 ⊕ gα+1 ⊕ hα+1 = f1 ⊕ g2 ⊕ h3 ⊕ ψ and here the term in δα will be also
(4) 0 (4) 0 (4)
denoted as δα , or δ(hα+1 − hα+1 (ψ)). In δα we look for the cases where when we combine X with 1, 2,
3 or 4 equations βi we obtain an impossibility or a dependency when ψ = 0 and not when ψ 6= 0, or when
ψ 6= 0 and not when ψ = 0. More precisely, this means that we will obtain ψ = 0 or an equation of type
fi = fj ⊕ ψ (this means fi = fj ⊕ ψ or gi = gj ⊕ ψ or hi = hj ⊕ ψ or fi ⊕ gi ⊕ hi = fj ⊕ gj ⊕ hj ⊕ ψ)
with i 6= j, i 6= α + 1 and j 6= α + 1. (13.1)
In order to obtain this, an equation in fα+1 ⊕ gα+1 ⊕ hα+1 = fl ⊕ gl ⊕ hl is not useful since we obtain
Y : fl ⊕ gl ⊕ hl = f1 ⊕ g2 ⊕ h3 ⊕ ψ and this is not of type (13.1) and other equations βi (with variables in
α + 1) cannot change Y .
Therefore, if we want to obtain one of the equations (13.1) we will need at least 3 equations βi .
• X + 3 equations.

• Type 0 = ψ
Here the 3 equations βi must be fα+1 = f1 , gα+1 = g2 , hα+1 = h3 and we obtain λα solutions if
ψ = 0, and 0 solutions if ψ 6= 0. Therefore, in δα we have a term (−1)3 .(λα − 0) = −λα .

• Type fi = fj ⊕ ψ with i 6= j, i 6= α + 1 and j 6= α + 1

Here the 3 equations βi must be gα+1 = g2 , hα+1 = h3 and fα+1 = fi with i ≤ α and i = 6 1. If
0 ∗(2)
0
ψ = 0 we obtain 0 solutions, and if ψ 6= 0 we obtain λα (ψ) solutions (i.e.the term λα with an
equation of type fi = fj ⊕ ψ).
Similarly for type gi = gj ⊕ ψ or hi = hj ⊕ ψ.
0 ∗(2) 0 ∗(2)
Therefore, in δα we have here a term (−1)3 .3.(α − 1)(0 − λα (ψ)) = 3(α − 1)λα (ψ)

• X + 4 equations.
With X + 4 equations we just add an equation fα+1 ⊕ ⊕gα+1 ⊕ hα+1 = fl ⊕ gl ⊕ hl to what we have
obtained with X + 3 equations.

• Type 0 = ψ
We have here ψ = 0 = fl ⊕ gl ⊕ hl ⊕ f1 ⊕ g2 ⊕ h3 . If ψ 6= 0, we have 0 solutions. If ψ = 0 and
0 (4) 0 (3)
l∈/ {1, 2, 3} we have λα solutions. If ψ = 0 and l ∈ {1, 2, 3} we have λα solutions. Therefore, in
0 (4) 0 (3)
δα , we have here a term (−1)4 .[(α − 3)λα + 3λα ].

18
 • Type fi = fj ⊕ ψ with i 6= j, i 6= α + 1 and j 6= α + 1
We have here: ψ = fi ⊕ f1 = fl ⊕ gl ⊕ hl ⊕ f1 ⊕ g2 ⊕ h3 (with i 6= 1). If ψ = 0 we have
00
no solutions. If ψ 6= 0 we have here a term λα∗ (ψ) (with different terms like this) except when
fi ⊕ fl ⊕ g2 ⊕ gl ⊕ h3 ⊕ hl = 0 creates g2 = gl (when i = l = 3) or h3 = hl (when i = l = 2).
00
Therefore, in δα , we have here a term −(−1)4 .3.[(α − 1)α − 2]λα∗ (ψ). Finally we have obtained
0 ∗(2) 0 (4) 0 (3) 00
δα = −λα + 3(α − 1)λα (ψ) + (α − 3)λα + 3λα − (3α2 − 3α − 6)λα∗ (ψ) and we can proceed
as in section 9 without the need of Appendix D.

Part III
General Security results with purple equations
11 The dominant term in the “purple equations”
In Part I (sections 3,4,5), by the analysis of E(H) and σ(H) (i.e. “Hσ technique”) we have proved that for
all CPA-2 attacks φ with m queries:

λm
AdvφP RF ≤ 2( − 1)1/3 cf (5.6)
Um
Therefore, the general proof strategy used in this paper was to study the λm values and to show that: when
m  2n , λm ' Um (C1). (In [10]; a slightly different proof strategy called “standard H technique” is
used, with similar, but slightly different results).
In order to prove (C1), we proceed in this paper with what we call the “usual proof strategy in Mirror
Theory” or the “colored proof strategy”. (“Mirror Theory” is the theory that analyses the number of solutions
of sets of affine equalities (=) and affine non equalities (6=) in finite fields). Essentially the main ideas of
this “colored proof strategy” are:
λα+1 Uα+1
1. To compare λα with Uα and to use

λα λα−1 λα−2 λ2
λα = . . . . . λ1
λα−1 λα−2 λα−3 λ1

instead of studying λα globally.

λα+1
2. To look carefully if the affine equations that will appear in the analysis of λα are independent,
consequences, or in contradiction with the linear equalities in λα .

More precisely, here, with λα values, this “colored proof strategy” is this one:

1. We get an equation (called the “orange equation”) that evaluates λα+1 from λα and λ0α (where λ0α (X)
denotes the number of solutions that satisfy the conditions λα plus one equality X: fi ⊕ gj ⊕ hk =
fl ⊕ gl ⊕ hl , and where λ0α denotes any value of λ0α (X) when this equality X is linearly independent
with the non equalities of λα ). This was done in section 7 of this paper (cf “Orange equations” (7.1)
and (7.2)).

19
 Figure 1: General view of the “colored proof strategy” used in this paper
λα+1 λα λα−1 λα−2 λα−3 : orange equations

λ0α λ0α−1 λ0α−2 λ0α−3 : first purple equations

λ00α−1 λ00α−2 λ00α−3 : general purple equations

(3) (3)
λα−2 λα−3 : general purple equations

(4)
λα−3

2. We get an equation (called the “first purple equation”) that evaluates λ0α from λα−1 , λ0α−1 and λ00α−1
(where in λ00α−1 we have introduced two extra and independent affine equations from the λα−1 condi-
tions). It is sometimes interesting (since it sometimes simplifies the analysis) to introduce a constant
ψ in the affine equations X.
(d) (d−1) (d) (d+1)
3. We get the equations (called “all purple equations”) that evaluate λα from λα−1 , λα−1 , and λα−1 ,
(d)
(where in λα−1 , we have introduced d extra and independent affine equations from the λα−1 equa-
tions).

4. Now, from these evaluations we are able to compare λλα+1

α
with UUα+1
α
and therefore λα from Uα . This
can be done either with the constant ψ (by looking for the possible deviation) or with ψ = 0 (by
evaluating λα ).

We have seen that in order to evaluate precisely λα+1 from λα we need to evaluate λ0α from λα . More
0 (4)
precisely, we have seen that only one term in λ0α was dominant: the term that we denoted λα with 4 indices
(typical X : f1 ⊕ g2 ⊕ h3 = f4 ⊕ g4 ⊕ h4 ).
Similarly, when we want to evaluate precisely λ0α , we have seen a formula (“first purple equation”) that
gives λ0α from λα−1 , λ0α−1 and λ00α−1 . In this formula 2 terms in λ0α−1 will be dominant (with X with 4 or 6
indices) and one term in λ00α−1 will be dominant (with XY with 7 indices). This process will continue, with
more precise evaluation at each level. The process, and the dominant terms that appear are shown in the array
below. The generalization of the “first purple equation” is the “general purple equation” that evaluate(for
any integer d) λd+1 d
α+1 from λα , λα
d+1 and λd+2 . (This shown for example with the arrow in Table 1 for λ00
α α−2 ).
In this figure we see that for the term λdα−i we need at most (3i + 4) − (i + 1 − d) indices = 2i + d + 3
indices, and that we need only values d such that d ≤ i + 1. Therefore, if we denote by χ the number of
indices in the equation (i.e. in X or XY or XY Z etc) of these terms, we always have: χ ≤ 3i + 4. We can
also notice that all these dominant terms λdα−i are strong.

20
 Table 1: Array of dominant terms
λα+1 λα λα−1 λα−2 λα−3 ...
λ0α λ0α−1 λ0α−2 λ0α−3 ...
X: 4 indices X: 4 or 6 indices X: 4,6 or 8 indices X: 4,6,8 or 10 indices ...
00
λα−1 00
λα−2 λ00α−3 ...
XY : 7 indices XY : 7 or 9 indices XY : 7,9 or 11 indices ...
λ000
α−2 λ000
α−3 ...
XY Z: 10 indices XY Z: 10 or 12 indices ...
λ4α−3 ...
XY ZT : 13 indices ...

12 The first purple equations on general equation X

0 (4)
The first purple for λα (i.e. with equation X : fα+1 ⊕ gα+1 ⊕ hα+1 = f1 ⊕ g2 ⊕ h3 ⊕ Ψ, with 4 indices)
was studied in Appendix D and have seen in Section 10 how to simplify the analysis done. Here, in section
12, we will study the first purple equations on more general equations X. In fact, in section 11, we have
seen that in order to prove security when m  2n , first purple equations with 4 indices, 6 indices, 8 indices,
10 indices etc. will appear. Therefore we will need this section 12. Essentially, the analysis with these more
0 (4)
general equation X will be the same as for λα . Let X be an affine equation in fi , gi , hi such that X is not
one of the βi equations. (As before we denote by β1 , . . . , β4α , the 4α equations not compatible with λα+1 ,
i.e. β1 is fα+1 = f1 . . ., β4α is fα+1 ⊕ gα+1 ⊕ hα+1 = fα ⊕ gα ⊕ hα .
Without loosing generality (just by changing the name of the indices) we can assume that X use fα+1
or gα+1 or hα+1 . λ0α is the number of sequences (fi , gi , hi ), 1 ≤ i ≤ α, that satisfy the condition λα plus
the equation X.
Let Bi0 be the set of solutions that satisfy the conditions λ0α plus the equation X and condition βi . We
have
λ0α+1 = 22n λα − | ∪4α 0
i=1 Bi | (1)

Since (as before) 5 equations in βi cannot be compatible with the conditions λα , we obtain from (1):
4α
X X
λ0α+1 = 22n λα − |Bi0 | + |Bi0 ∩ Bj0 |
i=1 i<j
X X
− |Bi0 ∩ Bj0 ∩ Bk0 | + |Bi0 ∩ Bj0 ∩ Bk0 ∩ Bl0 | (2)
i<j<k i<j<k<l

To analyze (2) in order to get our “first purple equations”, we can proceed directly (as in Appendix D) or by
differences between X and equations X ⊕ Ψ where Ψ is constant.

12.1 Method 1: we proceed directly

Let χ be the number of indices i used in the equation X in the variables fi ,gi , hi .

Theorem 7 (First purple equations)

There is a value δ1 , δ1 = 0 or δ1 = 1 depending of the equation X, and there are real values 1 , 2 , 3 , 4 , 5 , 6

21
such that: ∀i, 1 ≤ i ≤ 6, 0 ≤ i ≤ 1 and

λ0α+1 = 22n + (−3 − δ1 )α.2n + (3 + δ1 )α2 + 2.2n 2 + (8 − 2δ1 5 )α − 5 λα

 

+[(−1 + δ1 )α22n + (3 − δ1 )α2 2n − 4α3 + (2α2 + 2α)7

+1 χ22n − 4αχ3 2n + 12(χ + 2)4 α2 ]λ0α
+ α4 + (−4χ − 12)6 α3 λ00α
 

Proof Theorem 7 can be proved from (2) in a similar way as we did in Appendix D (i.e. by looking for
X + 1 equations βi , X + 2 equations βi , X + 3 equations βi , and X + 4 equations βi ). We do not give the
details here since we can avoid Theorem 7 by looking only for differences between Ψ 6= 0 and Ψ = 0.

12.2 Method 2: Looking for differences between Equation X and Equation X + Ψ (“Hσδ
method”)
We want to prove that all the values λ0α (or all the “dominant” values λ0α as seen in section 11) are very near
λα
2n . For this we can imagine:

1. To evaluate all this values λ0α (X) directly: this is what was done with Method 1.

2. To evaluate |λ0α (X) − λ0α (Y )| for any two (dominant) equations X and Y .

3. To evaluate only |λ0α (X) − λ0α (X ⊕ Ψ)|: this is what will be done here.

From 3) we will get 2) easily thanks to the “stabilization formula in λ0α (Ψ)”: for all equation X we have:
X
λ0α (X ⊕ Ψ) = λα
Ψ∈In

(If Ψ 6= 0, this also gives: (2n − 1)λ0α (Ψ) + λ0α = λα , since all the values λ0α (Ψ) with Ψ 6= 0 are equal).
So we just have to analyze |λ0α (X) − λ0α (X ⊕ Ψ)|, i.e. |λ0α − λ0α (Ψ)| with simplified notation where X is
fixed. As in section 10 (or Appendix D, equation D6), from (2) we will obtain:

λ0α+1 − λ0α+1 (Ψ) = δα (X) + A + B

where δα (X) is the only term not in (λ0α − λ0α (Ψ)) or (λ00 α − λ00 α (Ψ)), A is the terms in (λ0α − λ0α (Ψ))
and B is the terms in (λ00 α − λ00 α (Ψ)). Since α  2n , the coefficients in A are decreasing (i.e. “the part
is quickly vanishing”). The term in B will be analyzed in the next section (in a similar way). Finally, when
0 (4)
α  2n , the terms in δα (X) will be quickly dominant (if δα (X) 6= 0). For λα we have seen (cf section
10 or Appendix D) that
0 0 0 0 00
δα (λα(4) ) = −λα + 3(α − 1)λα∗(2) (Ψ) + (α − 3)λα(4) + 3λα(3) − (3α2 − 3α − 6)λα∗ (Ψ).

Let evaluate the other main δα in the same way. For all dominant equation X (cf section 10) with ≥ 6
variables, we have: δα (X) = 0 (since with 1,2,3 or 4 equations in βi we cannot obtain 0 = Ψ or an equation
incompatible with the βi ).

22
13 The second purple equations
Let X and Y be two independent and compatible affine equations in fi , gi , hi , 1 ≤ i ≤ α. Here by
“compatible” we mean that from X, Y or X ⊕ Y we cannot obtain an equation fi = fj , or gi = gj , or
hi = hj , or fi ⊕ gi ⊕ hi = fj ⊕ gj ⊕ hk , or 0 = Ψ with Ψ a constant 6= 0 with i 6= j.
λ00α is the number of sequences (fi , gi , hi ), 1 ≤ i ≤ α, fi ∈ In , gi ∈ In , hi ∈ In that satisfy the conditions
λα plus the equations X and Y . We will proceed in a way similar to section 12 in order to get an induction
formula that gives λ00α+1 from λ00α , λ0α and λ000 000 3
α (we will also denote λα = λα ). As before, we denote by
0
β1 , β2 , . . . , β4α , the 4α equations not compatible with λα+1 . Let Bi be the set of solutions that satisfy the
conditions λ00α plus the equations X and Y and the condition βi . Without losing generality (by the symmetry
of the hypotheses in f, g, h and f ⊕ g ⊕ h) we can assume that X is of this type:
X : gα+1 = ⊕ of terms of indices ≤ α in fi , gi , hi .
We have:
λ00α+1 = 22n λ0α − | ∪4α 0
i=1 Bi | (1)

Since (as before) 5 equations in βi cannot be compatible, we obtain from (1):

4α
X X
λ00α = 22n λ0α − |Bi0 | + |Bi0 ∩ Bj0 |
i=1 i<j
X X
− |Bi0 ∩ Bj0 ∩ Bk0 | + |Bi0 ∩ Bj0 ∩ Bk0 ∩ Bl0 | (2)
i<j<k i<j<k<l

We want to prove that all the values λ00α (or all the “dominant” values λ00α as seen in section 11) are very near
λα
22n
.
For this we can imagine:

1. To evaluate λ00α (X, Y ) directly. This can be obtained from Theorem 8 or Theorem 9 of next section
14, but we can avoid these theorems as we will see now.

2. To evaluate |λ00α (X, Y ) − λ00α (Z, T )| for any two couples of (dominant) equations (X, Y ) and (Z, T ).

3. To evaluate |λ00α (X, Y ) − λ00α (X, T )| and to use |λ00α (X, Y ) − λ00α (Z, T )| ≤ |λ00α (X, Y ) − λ00α (X, T )| +
|λ00α (X, T ) − λ00α (Z, T )|.

4. To evaluate only |λ00α (X, Y ) − λ00α (X ⊕ Ψ, Y )|, where Ψ is a constant: this is what we will do here.

From 4) weP will get 3) (and then 2)) easily thanks to the “Stabilization formula in λ00α (Ψ)”: for all equation
X we have Ψ∈In λ00α (X ⊕ Ψ, Y ) = λ0α (Y ), and from section 12 we know that λ0α (Y ) is near λ2nα . So if we
can prove that for given equations X and Y , we have: ∀Ψ ∈ In , |λ00α (X, Y ) − λ00α (X ⊕ Ψ, Y )| is small, then
we get λ00α (X, Y ) is near λ0α (Y ), i.e. near 2λ2n
α
. As in section 12, from (2), we will obtain:

λ00α+1 (X, Y ) − λ00α+1 (X ⊕ Ψ, Y ) = δα (X, Y ) + A + B

where A is the term in (λ00α − λ00α (Ψ)), B is the term in (λ000 000
α − λα (Ψ)), and δα (X, Y ) are the terms not
n
in A or B. When α  2 , from (2) we will get that the terms in δα (X, Y ) will be quickly dominant (if
δα (X, Y ) 6= 0).

23
14 The general purple equations
Notations
Let α and β be two integers. We write λdα (X1 , X − 2, . . . , Xd ), or simply λdα for simplicity, the number of
sequences (fi , gi , hi ), 1 ≤ i ≤ α, fi ∈ In , gi ∈ In , hi ∈ In such that:

1. The fi are pairwise distinct, 1 ≤ i ≤ α.

2. The gi are pairwise distinct, 1 ≤ i ≤ α.

3. The hi are pairwise distinct, 1 ≤ i ≤ α.

4. The fi ⊕ gi ⊕ hi are pairwise distinct, 1 ≤ i ≤ α.

5. We have d independent and compatible affine equations X1 , X2 , . . . , Xd in the variables fi , gi , hi ,

1 ≤ i ≤ α. Here by “compatible” we mean that by linearity from X1 , X2 , . . . , Xd , we cannot obtain
an equation fi = fj , or gi = gj , or hi = hj , or fi ⊕ gi ⊕ hi = fj ⊕ gj ⊕ hj , or 0 = ψ with ψ a
constant 6= 0, with i 6= j.

Therefore λdα is the number of sequences that satisfy the conditions λα plus the d equations X1 , X2 , . . . , Xd .
By definition, we will say that λdα is “strong” when all these equations Xk , 1 ≤ k ≤ d can be written like
this:
fk (or gk or hk or fk ⊕ gk ⊕ hk ) = ⊕ of terms of indices ≤ k − 1 in fi , gi , hi ⊕ ψ, where ψ is a constant
of In . (We need ψ = 0 for our final results, but it is sometimes useful in some proofs to obtain some results
with ψ 6= 0 as well).
Remark.
λdα is a simple notation for λdα (X1 , X2 , . . . , Xd ), i.e. the values λdα generally depend on X1 , X2 , . . . , Xd .
However, as we will see, all these values λdα are often very near.
Notation: χ
We will denote by χ the number of indices i used in the d equations X1 , X2 , . . . , Xd in the variables fi , gi ,
hi .
Remark.
This value χ will help us to evaluate the number of new indices in new equations. Often in our systems
we will have χ  α (typically we can have α  2n and χ  n). This value will help us to evaluate the
number of new indices in new equations, and therefore when the new systems will be strong.

We will proceed like in section 12 in order to get an induction formula that gives λd+1 d
α+1 from λα , λα
d+1

and λd+2
α As before, we denote by β1 , β2 , . . . , β4α , the 4α equations not compatible with λα+1 : i.e. β1 :
fα+1 = f1 , β2 : fα+1 = f2 , . . . , β4α : fα+1 ⊕ gα+1 ⊕ hα+1 = fα ⊕ gα ⊕ hα . Let Bi0 be the set of solutions
that satisfy the conditions λdα plus the equations X1 , X2 , . . . , Xd+1 and the condition βi . We denote by X
the equation Xd+1 . Without losing generality (by the symmetry of the hypotheses in f, g, h and f ⊕ g ⊕ h)
we can assume that X is of this type:
X : gα+1 = ⊕ of terms of indices ≤ α in fi , gi , hi .
We have:
0
λd+1 2n d 4α
α+1 = 2 λα − | ∪i=1 Bi | (1)

24
Since (as before) 5 equations in βi cannot be compatible (because then at least 2 comes from f, g, h or
f ⊕ g ⊕ h and therefore are not compatible with the conditions λα ), we obtain from (1):
4α
X X
λd+1
α = 22n λdα − |Bi0 | + |Bi0 ∩ Bj0 |
i=1 i<j
X X
− |Bi0 ∩ Bj0 ∩ Bk0 | + |Bi0 ∩ Bj0 ∩ Bk0 ∩ Bl0 | (2)
i<j<k i<j<k<l

Theorem 8 (“General purple equations on strong” λdα ; i.e. on Λdα )

There are some real values 1 , 2 , 3 , 4 , such that ∀i ∈ {1, 2, 3, 4}, 0 ≤ i ≤ 1, and:
Λd+1 2n d n d 2n d+1
α+1 = 2 Λα − 3α.2 Λα − 2 (α − χ)Λα − 22n χλd+1
α

+3α2 Λdα + 2α(α − χ)2n Λd+1

α + (3αχ).2n λd+1
α
−4(α − χ − 2)3 Λd+1
α − (4α3 − 4(α − χ − 2)3 − 1 χ3 )λd+1
α
−1 χ3 λdα + 2 (12αχ2 )λd+1
α
+(α − χ − 3)4 Λd+2
α + (α4 − (α − χ − 3)4 − 3 α(χ3 + 1) − α(χ3 + 5))λd+2
α
+3 α(χ3 + 1)λd+1
α − 4 (4χ2 α2 + 4α)λd+2
α

Proof Theorem 8 can be proven in a similar way as we did in Appendix D. However, we do not give the
details here since we can avoid this Theorem 8 by using constants Ψ 6= 0 and looking for differences.
Theorem 9 (“General purple equations on usual λdα ”)
There are some real values 1 , 2 , 3 , 4 , 5 , 6 , such that ∀i ∈ {1, 2, 3, 4, 5, 6}, 0 ≤ i ≤ 1, and:
λd+1 2n d
α+1 = 2 λα

−3α · 2n λdα − 22n αλd+1

α + 1 · χ · 22n λd+1
α
+3α2 λdα + 3α2 · 2n λd+1
α − 2 · 3χα · 2n λd+1
α
−(4α3 − 3 χ3 )λd+1
α − 3 χ3 λdα + 4 (12αχ2 )λd+1
α
+(α4 − 5 · α(χ3 + 1))λd+2
α
+5 · α · (χ3 + 1)λd+1
α − 6 (6χ2 α2 + α3 χ + 4α)λd+2
α

Proof of Theorem 9 Theorem 9 can be proven in a similar way as we did in Appendix D. However, we do
not give the give the details here since we can avoid this Theorem 9 by using constants Ψ 6= 0 and looking
for differences.

15 Our security results

Theorem 10
hm−1
Y α(1 + σ(1)) i1/3
Advm ≤ 2 [1 + ] − 1
23n (1 − 2αn )4
α=1
m
with σ(1) → 0 when 2n → 0.

25
Proof This comes immediately from Theorem 4 and the fact that we have seen in Part III. that
−1
(4)
α ≤ (1 + σ(1)) (1)
22n
(3) (2)
and that the term in α3 α and α2 α , even if they are ≥ 0 are in absolute value smaller than the absolute
(4) 4 (4)
value of the term in α4 α . Moreover, 2α3n + 2α4n α = 2α3n (1 + σ(1)) from (1).

Theorem 11 If m  2n , then
m2/3 m2/3
Advm ≤ 2 + σ( )
2n 2n

Proof When m  2n Theorem 15.1 gives

h m(1 + σ(1)) m i1/3
Advm ≤ 2 (1 + ) − 1
23n
 m2 (1 + σ(1)) 1/3
Advm ≤ 2 )m
23n
m2/3 m2/3
Advm ≤ 2 + σ( )
2n 2n

Part IV
Variants and Conclusion
16 A simple variant of the schemes with only one permutation
Instead of G = f1 ⊕f2 , f1 , f2 ∈R Bn , we can study G0 (x) = f (xk0)⊕f (xk1), with f ∈R Bn and x ∈ In−1 .

3/2
This variant was already introduced in [2] and it is for this that in [2] p.9 the security in 2mn + O(n) 2mn
is presented. In fact, from a theoretical point of view, this variant G0 is very similar to G, and it is possible
to prove that our analysis can be modified to obtain a similar proof of security for G0 . In [12], I also studied
this problem (with standard coefficient H technique, not Hσ techniques).

17 A simple property about the Xor of two permutations and a new conjec-
ture
I have conjectured this property:
M
∀f ∈ Fn , if f (x) = 0, then ∃(g, h) ∈ Bn2 , such that f = g ⊕ h.
x∈In

Just one day after this paper was put on eprint, J.F. Dillon pointed to us that in fact this was proved in
1952 in [5]. We thank him a lot for this information. (This property was proved again independently in 1979
in [17]).

26
 A new conjecture. However I conjecture a stronger property. Conjecture:
M
∀f ∈ Fn , if f (x) = 0, then the number H of (g, h) ∈ Bn2 ,
x∈In

|Bn |2
such that f = g ⊕ h satisfies H ≥ .
2n2n
Variant: I also conjecture that this property is true in any group, not only with Xor.
In [16] and [10], we give some results about this conjecture.
Remark: in this paper, I have proved weaker results involving m equations with m  O(2n ) (or
3n
m ≤ 2n − 2 7 ) instead of all the 2n equations. These weaker results were sufficient for the cryptographic
security wanted.

18 Conclusion
The results in this paper improve our understanding of the PRF-security of the Xor of two random permu-
tations. More precisely in this paper we have proved that the Adaptive Chosen Plaintext security for this
problem is in O(2n ), and we have obtained an explicit O function. These results belong to the field of
finding security proofs for cryptographic designs above the “birthday bound”. (In [1, 8, 11], some results
“above the birthday bound” on completely different cryptographic designs are also given). Since building
PRF from PRP has many practical applications,we believe that these results are of real interest both from
a theoretical point of view and a practical point of view. Our proofs need a few pages, so are a bit hard
to read, but the results obtained are very easy to use and the mathematics used are elementary (essentially
combinatorial and induction arguments). Moreover, we have proved (in Section 5) that this cryptographic
problem of security is directly related to a very simple to describe and purely combinatorial problem. We
have obtained this transformation by using the “Hσ technique”, i.e. combining the “coefficient H technique”
of [13, 11] and a specific computation of the standard deviation of H. (In a way, from a cryptographic point
of view, this is maybe the most important result, and all the analysis after Section 5 can be seen as combina-
torial mathematics and not cryptography anymore). It is also interesting to notice that in our proof with have
proceeded with “necessary and sufficient” conditions, i.e. that the Hσ property that we proved is exactly
equivalent to the cryptographic property that we wanted. Moreover, as we have seen, less strong results of
security are quickly obtained.

References
[1] William Aiello and Ramarathnam Venkatesan. Foiling Birthday Attacks in Length-Doubling Trans-
formations - Benes: A Non-Reversible Alternative to Feistel. In Ueli M. Maurer, editor, Advances in
Cryptology – EUROCRYPT ’96, volume 1070 of Lecture Notes in Computer Science, pages 307–320.
Springer-Verlag, 1996.

[2] Mihir Bellare and Russell Impagliazzo. A Tool for Obtaining Tighter Security Analyses of Pseudo-
random Function Based Constructions, with Applications to PRP to PRF Conversion. ePrint Archive
1999/024: Listing for 1999.

27
 [3] Mihir Bellare, Ted Krovetz, and Phillip Rogaway. Luby-Rackoff Backwards: Increasing Security by
Making Block Ciphers Non-invertible. In Kaisa Nyberg, editor, Advances in cryptology – EURO-
CRYPT 1998, volume 1403 of Lecture Notes in Computer Science, pages 266–280. Springer-Verlag,
1998.

[4] Chris Hall, David Wagner, John Kelsey, and Bruce Schneier. Building PRFs from PRPs. In Hugo
Krawczyk, editor, Advances in Cryptology – CRYPTO 1998, volume 1462 of Lecture Notes in Com-
puter Science, pages 370–389. Springer-Verlag, 1998.

[5] Marshall Hall Jr. A Combinatorial Problem on Abelian Groups. Proceedings of the Americal Mathe-
matical Society, 3(4):584–587, 1952.

[6] Stefan Lucks. The Sum of PRPs Is a Secure PRF. In Bart Preneel, editor, Advances in Cryptology –
EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 470–487. Springer-
Verlag, 2000.

[7] Avradip Mandal, Jacques Patarin, and Valérie Nachef. Indifferentiability beyond the Birthday Bound
for the Xor of Two Public Random Permutations. In Guang Gong and Kishan Chand Gupta, editors,
Progress in Cryptology – INDOCRYPT 2010, volume 6948 of Lecture Notes in Computer Science,
pages 69–81. Springer-Verlag, 2010.

[8] Ueli Maurer and Krzysztof Pietrzak. The Security of Many-Round Luby-Rackoff Pseudo-Random
Permutations. In Eli Biham, editor, Advances in Cryptology – EUROCRYPT 2003, volume 2656 of
Lecture Notes in Computer Science, pages 544–561. Springer-Verlag, 2003.

[9] Jacques Patarin. Introduction to Mirror Theory: Analysis of Systems of Linear Equalities and Linear
Non Equalitites for Cryptography. Cryptology ePrint archive: 2010/287: Listing for 2010.

[10] Jacques Patarin. Security in 0(2n ) for the Xor of Two Random Permutations - Proof with the standard
H technique. Cryptology ePrint archive: 2013/368: Listing for 2013.

[11] Jacques Patarin. Luby-Rackoff: 7 Rounds are Enough for 2n(1−) Security. In Dan Boneh, editor,
Advances in Cryptology – CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages
513–529. Springer-Verlag, 2003.

[12] Jacques Patarin. On linear systems of equations with distinct variables and Small block size. In
Dongho Wan and Seungjoo Kim, editors, ICISC 2005, volume 3935 of Lecture Notes in Computer
Science, pages 299–321. Springer-Verlag, 2006.

[13] Jacques Patarin. The ”Coefficients H” Technique. In Roberto Maria Avanzi, Liam Keliher, and
Francesco Sica, editors, Selected Areas in Cryptography, volume 5381 of Lecture Notes in Computer
Science, pages 328–345. Springer, 2008.

[14] Jacques Patarin. A Proof of Security in O(2n ) for the Xor of Two Random Permutations . In Reihaneh
Safavi-Naini, editor, ICITS 2008, volume 5155 of Lecture Notes in Computer Science, pages 232–248.
Springer-Verlag, 2008. An extended version is also on eprint.

[15] Jacques Patarin. Generic Attacks for the Xor of k Random Permutations. In Michael J. Jacobson Jr.,
Michael E. Locasto, Payman Mohassel, and Reihaneh Safavi-Naini, editors, ACNS, volume 7954 of
Lecture Notes in Computer Science, pages 154–169–529. Springer-Verlag, 2013.

28
 Table 2: Summary of the results on λm for m = 1, 2, 3
λ1 = 23n λ2 = 23n (2n − 1)(22n − 3.2n + 3) λ3 = 23n .(2n − 1)(2n − 2)
.(2 − 9.23n + 33.22n − 60.2n + 48)
4n

↓
0 (3)
λ1
U1 = 1 and λ3 = 23n (2n − 1)(2n − 2)(2n − 3)
Adv1 = 0 .(22n − 5.2n + 8)
0 (2) 0 (2)
λ2 = λ02 = 23n .(2n − 1)2 λ3 = 23n (2n − 1)(2n − 2)
.(23n − 7.22n + 18.2n − 16)
00 (2) 00 00
λ2 = λ2 = 23n .(2n − 1) various λ3 values
↓ ↓
λ2 1 λ3 3 16
U2 = 1 + (2n −1) 3 and U3 = 1 + (2n −1) 3 + (2n −1)3 (2n −2)3
and
2 2[3.23n −18.22n +36.2n −8]1/3
Adv2 ≤ 2n −1 Adv3 ≤ (2n −1)(2n −2)
<
Adv3 ∼ 2,88 2n

[16] Jacques Patarin, Emmanuel Volte, and Valérie Nachef. Mirror Theory: Theorems and Conjectures,
Applications to Cryptography. Available from the authors.

[17] F. Salzborn and G. Szekeres. A Problem in Combinatorial Group Theory. Ars Combinatoria, 7:3–5,
1979.

Appendices
0
(2)
A Examples with ψ = 0: λ1 , λ2 , λ3 , λ2
As examples, we present here the exact values for λ1 , λ2 , λ3 . We will see that they follow the values given
in table 3. From λm we get a majoration for Advm by using the inequality (5.6): Advm ≤ 2( Uλm m
− 1)1/3 ,
with Um = (2n (2n − 1) . . . (2n − m + 1))4 /2nm .

A.1 Computation of λ1
λ1 =def Number of (f1 , g1 , h1 ) with f1 , g1 , h1 ∈ In
λ1
Therefore λ1 = 23n . Here U1 = 1 and from (5.6): Avdm = 0.

A.2 Computation of λ2
Computation of λ2 from (7.2)

λ2 =def Number of (f1 , g1 , h1 ), (f2 , g2 , h2 ) such that f2 6= f1 , g2 6= g1 , h2 6= h1 , f2 ⊕g2 ⊕h2 6= f1 ⊕g1 ⊕h1

From the general formula (7.1) or (7.2) of Section 7, we have (with α = 1):

λ2 = [23n − 4 · 22n + 6 · 2n − 3]λ1 + 0

29
(here [λ01 ] = 0 since we have only one indice and in X we must have at least two indices).

λ2 = [23n − 4 · 22n + 6 · 2n − 3] · 23n (= 23n .(2n − 1)(22n − 3.2n + 3))

λ2 1 2
Here U2 =1+ (2n −1)3
and from (5.6): Adv2 ≤ 2n −1

Computations of λ2 from the βi equations

4
X X X X
3n
λ2 = 2 λ1 − |Bi | + |Bi ∩ Bj | − |Bi ∩ Bj ∩ Bk | + |Bi ∩ Bj ∩ Bk ∩ Bl |
i=1 i<j i<j<k i<j<k<l

1 equation: P4i=1 |Bi | = 4 · 22n λ1 .

P
2 equations: Pi<j |Bi ∩ Bj | = 6 · 2n λ1 .
3 equations: Pi<j<k |Bi ∩ Bj ∩ Bk | = 4λ1 .
4 equations: i<j<k<l |Bi ∩ Bj ∩ Bk ∩ Bl | = λ1 .
Therefore λ2 = (23n − 4 · 22n + 6 · 2n − 3)λ1 (as expected we obtain the same result as above).

0 (2)
A.3 Computation of λ3 and λ2
Computation of λ3 from (7.2)
From the general formulas (7.1) and (7.2) (Orange Equations), we have (with α = 2):
0 (2)
λ3 = (23n − 8 · 22n + 24 · 2n − 30)λ2 + 6λ2
0 (3) 0 (4) 0 (2)
(here λ2 = 0 and λ2 = 0 since we have here only 2 indices) where λ2 is the number of (f1 , g1 , h1 ), (f2 , g2 , h2 )
such that f2 6= f1 , g2 6= g1 , h2 6= h1 , f2 ⊕ g2 ⊕ h2 6= f1 ⊕ g1 ⊕ h1 and f1 ⊕ g1 = f2 ⊕ g2 (all the
0 (2) 0 (2)
other equations X of the type λ2 give the same value λ2 ). When f1 , g1 , h1 are fixed (we have 23n
possibilities) then we will choose f2 6= f1 , h2 6= h1 , and g2 = f1 ⊕ f2 ⊕ g1 (so we have g2 6= g1 and
0 (2)
f2 ⊕ g2 ⊕ h2 6= f1 ⊕ g1 ⊕ h1 ). Therefore λ2 = 23n · (2n − 1)2 and the exact value of λ3 is:

λ3 = (23n − 8 · 22n + 24 · 2n − 30)λ2 + 6 · 23n · (2n − 1)2

(with λ2 = (23n − 4 · 22n + 6 · 2n − 3) · 23n as seen above).

This gives

λ3 = 29n − 12 · 28n + 62 · 27n − 177 · 26n + 294 · 25n − 264 · 24n + 96 · 23n

Therefore λ3 = 23n .(2n − 1)(2n − 2)(24n − 9.23n + 33.22n − 60.2n + 48). Here

λ3 3.23n − 18.22n + 36.2n − 8 3 16

=1+ n 3 n 3
=1+ n 3
+ n
U3 (2 − 1) (2 − 2) (2 − 1) (2 − 1)3 (2n − 2)3

2
 16
1/3 2,88
and from (5.6): Adv3 ≤ 2n −1 3+ (2n −2)3
' 2n .
0 (2) 0 (2)
Computation of λ2 from the βi equations (“First purple equations” on λ2 )
0 (2)
The βi equations have been defined in section 6. (We proceed here as in Appendix D but on λ2 instead of

30
 0 (4)
λα+1 ).
Here we have only 4 equations βi : β1 : f1 = f2 , β2 : g1 = g2 , β3 : h1 = h2 and β4 : f1 ⊕ g1 ⊕ h1 =
f2 ⊕ g2 ⊕ h2 . Bi0 is the set of (f1 , f2 , g1 , g2 , h1 , h2 ) that satisfy (the condition λ1 ) the equation βi and the
equation X.
4
X X X X
λ02 2n
= 2 λ1 − |Bi0 | + |Bi0 ∩ Bj0 | − |Bi0 ∩ Bj0 ∩ Bk0 | + |Bi0 ∩ Bj0 ∩ Bk0 ∩ Bl0 |
i=1 i<j i<j<k i<j<k<l

Here X is: f1 ⊕ f2 = g1 ⊕ g2
• X + 1 equation.
4
X
|Bi0 | = 4 · 2n λ1
i=1
• X + 2 equations. If the 2 equations βi are (f1 = f2 and g1 = g2 ), or (h1 = h2 and f1 ⊕ g1 ⊕ h1 =
f2 ⊕ g2 ⊕ h2 ), then X is the Xor of these equations. Therefore
X
|Bi0 ∩ Bj0 | = 4 · λ1 + 2 · 2n λ1
i<j

X is always a consequence of the 3 equations, i<j<k |Bi0 ∩ Bj0 ∩ Bk0 | = 4λ1 .

P
• X + 3 equations. P
• X + 4 equations. i<j<k<l |Bi0 ∩ Bj0 ∩ Bk0 ∩ Bl0 | = λ1 .
Therefore 0 (2)
λ2 = (22n − 4 · 2n + 4 − 2 · 2n − 4 + 1)λ1
0 (2)
λ2 = (22n − 2 · 2n + 1)λ1
(as expected we obtain the same result as above).
Remark. Here
0 (2)
2 1
2n λ 2 1− 2n + 22n 2 3 1
= 4 6 3 =1+ + + O( 3n )
λ2 1− 2n + 22n
− 23n
2n 22n 2

2 3 1 2n λ0α
and here 2 = 2n + 22n
+ O( 23n , we have sometimes a term in O( 21n ).
). Therefore we see that in
λα
However this is exceptional: here f1 ⊕ g1 = f2 ⊕ g2 is the Xor of the conditions f1 6= f2 and g1 6= g2 , or
of the conditions h1 6= h2 and f2 ⊕ g2 ⊕ h2 6= f1 ⊕ g1 ⊕ h1 . (or, this equation X is not strong, with the
definition of “strong” given in section 7). Moreover here we have only 2 indices.

B Examples with ψ 6= 0
B.1 First Computation of λ0α (ψ)
Let ψ ∈ In , ψ 6= 0. From Theorem 4 of section 8 (i.e. the “Stabilization formula in λ0α (ψ)), we have:
(2n − 1)λ0α (ψ) + λ0α = λα . Therefore the value λ0α (ψ) can be directly obtained from λ0α and λα . However
in this paper we proceed generally differently: we evaluate |λ0α (ψ) − λ0α | and then from the “stabilization
formula” we can evaluate |λ0α − λ2nα |.
Remark. With a group law different from ⊕, our proof (based on the evaluation of |λ0α (ψ) − λ0α |) will still
hold, but different values λ0α (ψ) may exist when ψ 6= 0.

31
 0 (2)
B.2 Computation of λ2 (ψ)
0 (2)
Let ψ ∈ In , λ2 (ψ) is by definition the number of (f1 , g1 , h1 ), (f2 , g2 , h2 ) such that f2 6= f1 , g2 6=
g1 , h1 6= h2 , f2 ⊕ g2 ⊕ h2 6= f1 ⊕ g1 ⊕ h1 , and this equation X is satisfied:
X : f1 ⊕ g1 = f2 ⊕ g2 ⊕ ψ.
0 (2) 0 (2)
When ψ = 0, λ2 (ψ) is simply denoted λ2 and this value is given above (in A.3). We will assume here
that ψ 6= 0.
First Computation
0 (2)
From the “Stabilization formula” (i.e. Theorem 5 of section 8) we have: (2n − 1)λ2 (ψ) + λ02 = λ2 .
0 (2)
Therefore, from Appendix A: (2n − 1)λ2 (ψ) + 23n (2n − 2)2 = 23n (2n − 1)(22n − 3.2n + 3).
0 (2)
λ2 (ψ) = 23n (22n − 4.2n + 4)

Second Computation
For f1 , g1 , h1 we have 23n possibilities. Now from X, f1 6= f2 and g1 6= g2 , we see that f2 ∈
/ {f1 , f1 ⊕ ψ}
0 (2)
and g2 ∈ 3n n
/ {g1 , g1 ⊕ ψ}. Therefore, if ψ 6= 0, we have: λ2 (ψ) = 2 · (2 − 2) . 2

Third Computation
With the same notations as in (A.3) we have:
4
X X X
λ02 (ψ) 2n
= 2 λ1 − |Bi0 | + |Bi0 ∩ Bj0 | − |Bi0 ∩ Bj0 ∩ Bk0 |
i=1 i<j i<j<k
X
+ |Bi0 ∩ Bj0 ∩ Bk0 ∩ Bl0 |
i<j<k<l
P4 0 n
• X + 1 equation: P i=1 |Bi | = 4 · 2 λ1 since 2 variables (among f2 , g2 , h2 ) are fixed.
0 0
• X + 2 equations: i<j |Bi ∩ Bj | = 4 · λ1 if ψ 6= 0 since among the 6 possibilities, 4 fix the variables
and 2 are impossible (they give ψ = 0).
• X + 3 equations and X + 4 equations: 0 solutions, since by Xoring we get ψ = 0.
0 (2)
Therefore: if ψ 6= 0, we have: λ2 (ψ) = (22n − 4 · 2n + 4)λ1 . As expected, we obtain the same value with
the first, the second and the third computations. We see that
0 (2) λ2 2 3
λ2 ' n
(1 + n + 2n )
2 2 2
0 (2)
λ2 2
and if ψ 6= 0, λ2 (ψ) ' 2n (1 − 22n
) (no term in O( 21n )).

C λα as a polynomial in 2n
We have seen above that λ1 , λ2 and λ3 are polynomials in 2n . We will see now that this is the case for any
λα .
λα is by definition the number of (f1 , g1 , h1 , . . . , fα , gα , hα ) ∈ In3α such that

∀i, j, 1 ≤ i < j ≤ α : fi 6= fj , gi 6= gj hi 6= hj , fi ⊕ gi ⊕ hi 6= fj ⊕ gj ⊕ hj
α(α−1)
We have here 4 · 2 = 2α2 − 2α conditions. Let β1 , β2 , . . . , β2α2 −2α be these equalities (for example
β1 is f1 = f2 ).

32
 Table 3: Summary of the results with ψ 6= 0 for m = 1, 2, 3
λ1 = 23n λ2 = 23n (2n − 1)(22n − 3.2n + 3) λ3 = 23n .(2n − 1)(2n − 2)
(2 − 9.23n + 33.22n − 60.2n + 48)
4n
0 (3)
λ3 (ψ) = 23n (2n − 2)
[24n − 10.23n + 41.22n − 83.2n + 72]
0 (2) 0 (2)
λ2 (ψ) = λ02 (ψ) = 23n .(2n − 2)2 λ3 (ψ) = 23n (2n − 2)
[24n − 10.23n + 40.22n − 78.2n + 64]
↓ ↓
0 (2) 0 (3)
λ2 (0) 2 1 λ3 (0) 1 5
λ02 (ψ)
=1+ 2n −2 + (2n −2)2 0 (3) '1+ 2n − 23n
λ3 (ψ)
0 (2)
λ3 (0) 2 5
0 (2) '1+ 2n + 22n
λ3 (ψ)

∀i, 1 ≤ i ≤ 2α2 − 2α, let Bi = the set of all (f1 , g1 , h1 , . . . , fα , gα , hα ) ∈ In3α such that the equation βi is
2 −2α
satisfied. Then λα = 23αn − | ∪2α
i=1 Bi | (1).
For any sets we have:
k
X X X
| ∪ki=1 Bi | = |Bi | − |Bi ∩ Bj | + |Bi ∩ Bj ∩ Bk | + . . . + (−1)k+1 |Bi ∩ B2 ∩ . . . ∩ Bk | (2)
i=1 i<j i<j<k

Moreover |Bi1 ∩ Bi2 ∩ . . . ∩ Bil | is the number of (f1 , g1 , h1 , . . . , fα , gα , hα ) ∈ In3α such that l linear equal-
ities are satisfied. If these equalities are not compatible, then |Bi1 ∩ Bi2 ∩ . . . ∩ Bil | = 0. If these equalities
are compatible, and if at most µ of them are independent, then |Bi1 ∩ Bi2 ∩ . . . ∩ Bil | = 2(3α−µ)n (3).
(Since µ variables are fixed and the other are independent here). Therefore, from (1), (2) and (3) we see
that λα is a polynomial in 2n . We also see that this polynomial is of degree 3α, and that it has alternatively
the sign + and the sign − when the monomials are ordered with decreasing degrees.
6

0 -

Figure 2: Representation of λα as a polynomial in 2n .

33
 0 0
(4) (4)
D An induction formula on λα and λα (ψ) (“First purple equations on
0
(4)
λα ”)
This Appendix D is both very important and not at all important for our proofs. Not at all important because
with the “Hσ method” that we will use (section 10 and Part III) we can avoid completely this Appendix D.
Very important (and equation (D6) is particularly very important) since this Appendix illustrates what we
will do: we need something like (D6) but we will be able to obtain something like (D6) more easily just by
analyzing differences between Ψ = 0 and Ψ 6= 0.
0 (4) 0 (4) 0 (4)
The values λα and λα have been introduced in section 7 and section 8. By definition, λα+1 (ψ) is the
number of sequences (fi , gi , hi ), 1 ≤ i ≤ α + 1, such that

1. The conditions λα+1 (ψ) are satisfied.

2. This equation X is satisfied:

X : fα+1 ⊕ gα+1 ⊕ hα+1 = f1 ⊕ g2 ⊕ h3 ⊕ ψ

(there we have chosen the indices α + 1, 1, 2, 3 but all other choices of 4 distinct indices give the
0 (4)
same result λα+1 (ψ) due to the symmetries of the conditions λα+1 . For example with X : hα+1 =
0 (4) 0 (4)
f1 ⊕ g1 ⊕ h1 ⊕ f2 ⊕ g3 ⊕ ψ, we would get exactly the same value λα+1 (ψ)). When ψ = 0, λα+1 (ψ)
0 (4)
is simply λα+1
0 (4)
In this section, we will compute λα+1 (ψ) from λα and other values with indices less than or equal to α.
For each i, 1 ≤ i ≤ 4α, we will denote by Bi0 the set of

(f1 , . . . , fα+1 , g1 , . . . , gα+1 , h1 , . . . , hα+1 )

that satisfy the conditions λα and that satisfy the equation βi , and the equation X. The βi equations have
been defined in Section 6. We have 4α such equations βi They are:

β1 : f1 = fα+1 , β2 : f2 = fα+1 , . . . , βα : fα = fα+1

βα+1 : g1 = gα+1 , . . . , β2α : gα = gα+1

β2α+1 : h1 = hα+1 , . . . , β3α : hα = hα+1
β3α+1 : f1 ⊕ g1 ⊕ h1 = fα+1 ⊕ gα+1 ⊕ hα+1 , . . .
β4α : fα ⊕ gα ⊕ hα = fα+1 ⊕ gα+1 ⊕ hα+1
Therefore we have: 0 (4)
0
λα+1 (ψ) = 22n λα − | ∪4α
i=1 Bi |

We will proceed here exactly as in section 6, but with the sets Bi0 instead of the sets Bi . Since 5 equations
βi are always incompatible with the conditions λα , we have (with Ψ = 0 or Ψ 6= 0):
4α
0 (4) X X X X
λα+1 (Ψ) = 22n λα − |Bi0 | + |Bi0 ∩ Bj0 | − |Bi0 ∩ Bj0 ∩ Bk0 | + |Bi0 ∩ Bj0 ∩ Bk0 ∩ Bl0 |
i=1 i<j i<j<k i<j<k<l

34
 • X + 1 equation.
Case 1: βi is not an equation in fα+1 ⊕ gα+1 ⊕ hα+1 (we have 3α such equations βi ). Then X and βi
will fix two variables among fα+1 , gα+1 , hα+1 from the other variables fi , gi , hi . Therefore:

|Bi0 | = 2n λα

Case 2: βi is fα+1 ⊕ gα+1 ⊕ hα+1 = fl ⊕ gl ⊕ hl , for a value l ≤ α. Then |Bi0 | = 22n λ0α (ψ), where
λ0α (ψ) denotes the number of (fi , gi , hi ), 1 ≤ i ≤ α, that satisfy the conditions λα plus the equation Y :
0 (4)
fl ⊕ gl ⊕ hl = f1 ⊕ g2 ⊕ h3 ⊕ ψ. When l ∈ / {1, 2, 3}, λ0α (ψ) is λα (ψ), and if l ∈ {1, 2, 3}, we will denote
0 (3)
λ0α (ψ) = λα (ψ). From Cases 1 and 2, we get:
4α
0 0
X
− |Bi0 | = −3α · 2n λα − (α − 3) · 22n λα(4) (ψ) − 3 · 22n λα(3) (ψ)
i=1

• X + 2 equations.
Let βi and βj be these two equations.
Case 1: βi and βj are two equations in f , or in g, or in h, or in f ⊕ g ⊕ h. Then |Bi0 ∩ Bj0 | = 0.
Remark. This value is not a problem since in the analog term for Uα , we get also 0 here.
Case 2: βi and βj are not in f ⊕ g ⊕ h and we are not in Case 1. Then |Bi0 ∩ Bj0 | = λα and here we have
3α2 possibilities for the indices. (Remark: we can sometimes obtain here fα+1 = f1 ⊕ ψ, or gα+1 = g2 ⊕ ψ,
or hα+1 = h3 ⊕ ψ by Xoring X, βi and βj ).
Case 3: βi is in f ⊕ g ⊕ h, but not βj (or the opposite). (Here we have 3α2 possibilities for the indices).
For example βi is
fα+1 ⊕ gα+1 ⊕ hα+1 = fl ⊕ gl ⊕ hl
for a value l ≤ α. Then X ⊕ βi is: fl ⊕ gl ⊕ hl = f1 ⊕ g2 ⊕ h3 ⊕ ψ. With the same notation as above for
0 (4) 0 (3)
X + 1 equations, |Bi0 ∩ Bj0 | = 2n λ0α (ψ), where λ0α (ψ) = λα (ψ) if l ∈
/ {1, 2, 3} and λ0α (ψ) = λα (ψ) if
l ∈ {1, 2, 3}. (Remark: if l = 1 for example, we get g1 ⊕ h1 = g2 ⊕ h3 ⊕ ψ and from βj we cannot get here
g1 = g2 or h1 = h3 since in βj we have the index α + 1). Then from Cases 1, 2, 3, we get:
0 0
X
|Bi0 ∩ Bj0 | = 3α2 λα + (3α2 − 9α)2n λα(4) (ψ) + 9α · 2n λα(3) (ψ)
i<j
.
• X + 3 equations.
Let βi , βj and βk be these three equations.
Case 1: If we have with βi , βj , βk , two conditions in f , or two conditions in g, or two conditions in h,
or two conditions in f ⊕ g ⊕ h, then |Bi0 ∩ Bj0 ∩ Bk0 | = 0.
Case 2: X, or X ⊕ ψ is a linear dependency of βi , βj , βk . Then βi , βj , βk are: [fα+1 = f1 , gα+1 = g2 ,
hα+1 = h3 ] and we have here if Ψ = 0: |Bi0 ∩ Bj0 ∩ Bk0 | = λα and if ψ 6= 0 : |Bi0 ∩ Bj0 ∩ Bk0 | = 0. (Remark:
here [fα+1 ⊕ gα+1 ⊕ hα+1 = f1 ⊕ g1 ⊕ h1 , g1 = g2 , and h1 = h3 ] is not a solution since g1 = g2 and
h1 = h3 are not equations in βi , i.e. they do not have the index α + 1).
Case 3: X, or X ⊕ ψ, with βi , βj , βk create an impossibility (for example fi = fj or fi = fj ⊕ ψ with
0 ∗(2)
i 6= j). Here we have: if ψ = 0, |Bi0 ∩ Bj0 ∩ Bk0 | = 0 and if ψ 6= 0 : |Bi0 ∩ Bj0 ∩ Bk0 | = λα (ψ) where
0 ∗(2) 0 ∗(2)
λα (ψ) denotes a term λ0α where X is of type: X : hi = hj ⊕ ψ with i 6= j. This type λα (ψ) never
appears when ψ 6= 0. We have 3(α − 1) possibilities for the indices. (Here it is easy to check that in βi , βj ,
βk we have no equation in f ⊕ g ⊕ h since in the equations βi we always have the index α + 1).

35
 Case 4: In βi , βj , βk , we have one equation in f , one equation in g and one equation in h (none in
f ⊕ g ⊕ h) and we are not in Case 2 or Case 3 (we have here α3 − 3α + 2 possibilities for the indices). Then
0 (6)
|Bi0 ∩ Bj0 ∩ Bk0 | = λ0α (ψ), and in most of the cases, we have λ0α (ψ) = λα (ψ) (i.e. 6 different indices).
Remark. We will not need it for the main results , but we give more details here. Let us consider that βi , βj , βk are
fα+1 = fi , gα+1 = gj , hα+1 = hk , so with X we get:

f1 ⊕ g2 ⊕ h3 ⊕ ψ = fi ⊕ gj ⊕ hk (∗) with 1 ≤ i ≤ α, 1 ≤ j ≤ α, 1 ≤ k ≤ α

We have α3 possibilities for i, j, k. If we look what kind of equation (∗) all these α3 possibilities give, we can show
that we will obtain:
0
(6)
• With 6 indices: (α − 3)(α − 4)(α − 5) = α3 − 12α2 + 47α − 60 equations denoted λα (ψ) of Type:
f1 ⊕ f2 ⊕ g3 ⊕ g4 ⊕ h5 ⊕ h6 = ψ (the Type f1 ⊕ g1 ⊕ h1 ⊕ f2 ⊕ g2 ⊕ h2 ⊕ g3 ⊕ g4 ⊕ h5 ⊕ h6 = ψ gives the
0
[6]
same λα (ψ)).
0
[5]
• With 5 indices: 9(α − 3)(α − 4) = 9α2 − 63α + 108 equations noted λα (ψ) of Type: f1 ⊕ f2 ⊕ g1 ⊕ g3 ⊕
h4 ⊕ h5 = ψ.
• With 4 indices: we will have here 4 families of equations:
0 0
[4,a] [4,a]
- (3α2 − 15α + 18) equations λα (ψ) of Type: f1 ⊕ f2 ⊕ g3 ⊕ g4 = ψ (we also obtain the same λα (ψ)
value for the Type: f1 ⊕ f2 ⊕ g1 ⊕ g2 ⊕ g3 ⊕ g4 ⊕ h1 ⊕ h2 = ψ).
0
[4,b]
- (12α − 36) equations λα (ψ) of Type: f1 ⊕ f2 ⊕ g1 ⊕ g3 ⊕ h2 ⊕ h4 = ψ.
0 0
[4,c] [4,c]
- (3α−9) equations λα (ψ) of Type: f1 ⊕f2 ⊕g1 ⊕g2 ⊕h3 ⊕h4 = ψ (we also obtain the same value λα (ψ)
for the Type: f1 ⊕f2 ⊕h1 ⊕h2 ⊕h3 ⊕h4 = ψ or for the Type: f1 ⊕f2 ⊕f3 ⊕f4 ⊕g1 ⊕g2 ⊕g3 ⊕g4 ⊕h3 ⊕h4 = ψ).
0 0
[4,d] [4,d]
- (4α − 12) equations λα (ψ) of Type f1 ⊕ g1 ⊕ h1 ⊕ f2 ⊕ g3 ⊕ h4 = ψ. (This case is simply λα (ψ) =
0
(4)
λα (ψ) as before).
• With 3 indices: We will have here 2 families of equations:
0
[3,a]
- (9α − 12) equations λα (ψ) of Type: f1 ⊕ f2 ⊕ g1 ⊕ g3 = ψ, or of Type f1 ⊕ f2 ⊕ g1 ⊕ g2 ⊕ h1 ⊕ h3 = ψ
(same value as we can see by using the fact that f and f ⊕ g ⊕ h play the same properties). This case is simply
0 0
[3,a] (3)
λα (ψ) = λα (ψ) as before.
0
[3,b]
- 2 equations λα (ψ) of Type: f1 ⊕ f2 ⊕ g1 ⊕ g3 ⊕ h2 ⊕ h3 = ψ.
0
[2]
• With 2 indices: 3 equations λα (ψ) of Type: f1 ⊕ f2 = g1 ⊕ g2 ⊕ ψ
• Special cases
- (3α − 3) impossibility of Type: f1 = f2 ⊕ ψ (impossible if ψ = 0).
- 1 equation of Type: 0 = ψ (impossible if ψ 6= 0).
If we add all these terms, we obtain α3 terms as expected.
Case 5: In βi , βj , βk , we have one f ⊕ g ⊕ h and we are not in Case 1. (We have here 3α3 possibilities for
the indices and we cannot be in Case 2 or Case 3). Then |Bi0 ∩ Bj0 ∩ Bk0 | = λ0α (ψ), and in most of the cases,
0 (4)
we have here λ0α (ψ) = λα (ψ) (i.e. 4 different indices).
Remark. Similarly, we can give more details here. Let us consider all the equations

fl ⊕ gl ⊕ hl = f1 ⊕ g2 ⊕ h3

We also have the equations fα+1 = fi and gα+1 = gj , but they just fix fα+1 and gα+1 . We have 1 ≤ i ≤ α,
1 ≤ j ≤ α and 1 ≤ l ≤ α. If we look all the 3α3 possibilities for these equations (the coefficient 3 comes here from
no hα+1 = hk , no fα+1 = fi , or no gα+1 = gj ), we obtain:
0 0
[4,d] (4)
• With 4 indices: 3(α − 3)α2 = 3α3 − 9α2 equations λα (ψ)(= λα (ψ))

36
 0 0
[3,a] (3)
• With 3 indices: 9α2 equations λα (ψ)(= λα (ψ))
Then from cases 1, 2, 3, 4, 5 we get:
X
If ψ = 0 : − |Bi0 ∩ Bj0 ∩ Bk0 | = −λα − (4α3 − 3α + 2)λ0α
i<j<k

0
X
If ψ 6= 0 : − |Bi0 ∩ Bj0 ∩ Bk0 | = −(4α3 − 3α + 2)λ0α (ψ) − (3α − 3)λα∗(2) (ψ)
i<j<k
0 (6) 0 (4)
where most of the λ0α (ψ) are λα (ψ) or λα (ψ). More precisely, the term in −(4α3 − 3α + 2)λ0α (ψ),
with ψ = 0 or ψ 6= 0, is here:
0 0 0
−(3α3 − 9α2 + 4α − 12)λα(4) (ψ) − (α3 − 12α2 + 47α − 60)λα(6) (ψ) − (9α2 − 63α + 108)λα[5] (ψ)
0 0 0
−(3α2 − 15α + 18)λα[4,a] (ψ) − (12α − 36)λα[4,b] (ψ) − (3α − 9)λα[4,c] (ψ)
0 0 0
−(9α2 + 9α − 12)λα(3) (ψ) − 2λα[3,b] (ψ) − 3λα(2 (ψ)
• X + 4 equations.
If |Bi0 ∩ Bj0 ∩ Bk0 ∩ Bl0 | 6= 0, we need to have one equation fα+1 = fi , one gα+1 = gj , one hα+1 = hk
and one fα+1 ⊕ gα+1 ⊕ hα+1 = fl ⊕ gl ⊕ hl . Then, with X, we obtain:

Y and Z : fl ⊕ gl ⊕ hl = fi ⊕ gj ⊕ hk = f1 ⊕ g2 ⊕ h3 ⊕ ψ

Case 1: i = 1, j = 2 and k = 3.
If ψ 6= 0, we have 0 solution.
0 (4) 0 (3)
If ψ = 0, then Y and Z: fl ⊕ gl ⊕ hl = f1 ⊕ g2 ⊕ h3 and here we have (α − 3)λα + 3λα solutions.
Case 2: i = l, j = l and k = l

Y and Z : fl ⊕ gl ⊕ hl == f1 ⊕ g2 ⊕ h3 ⊕ ψ
0 (4) 0 (3) 0 (4) 0 (3)
If ψ = 0, we have (α − 3)λα + 3λα solutions. If ψ 6= 0, we have (α − 3)λα (ψ) + 3λα (ψ) solutions.
Case 3: (i = l, j = l, k 6= l) or (j = l, k = l, i 6= l) or (i = l, k = l, j 6= l)
Here Y is hl = hk (k 6= l), or fl = fi (l 6= i), or gl = gj (l 6= j) and therefore there is no solution.
Case 4: (j = 2, k = 3, i 6= 1) or (i = 1, k = 3, j 6= 2) or (i = 1, j = 2, k 6= 3)
Let assume for example: (j = 2, k = 3, i 6= 1).
Then Y and Z give:
fl ⊕ gl ⊕ hl = fi ⊕ g2 ⊕ h3
ψ = f1 ⊕ fi
If ψ = 0, we have 0 solution.
If ψ 6= 0, we have here a term λ00α (ψ) solutions except when fi ⊕ fl ⊕ g2 ⊕ gl ⊕ h3 ⊕ hl = 0 creates g2 = gl
(when i = l = 3) or h3 = hl (when i = l = 2).
00
We will also denote here by λα∗ (ψ) the terms λ00α (ψ): where the symbol ∗ means that we have here equations
Y and Z that give a value λ00α (ψ) only when ψ 6= 0.
h cases (i = 1,i k00= 3, j 6= 2) and (i = 1, j = 2, k 6= 3) are similar by symmetry. Therefore we
The two other
have here 3 (α − 1)α − 2 λα∗ (ψ) solutions.
Case 5: (i = j = k 6= l)

37
 Here we have 0 solution.
Case 6: we are not in Cases 1,2,3,4,5
Then |Bi0 ∩Bj0 ∩Bk0 ∩Bl0 | = λ00α (ψ) where λ00α (ψ) denotes the number the number of (fi , gi , hi ), 1 ≤ i ≤ α
that satisfy the conditions λα plus the equations Y and Z. We have here (α4 − 7α(α − 1) − 2α)λ00α (ψ)
solutions (since for the indices (i, j, k, l), α possibilities are in Case 1, α in case 2, 3α(α − 1) in Case 3,
3α(α − 1) in Case 4, α(α − 1) in Case 5).
Then from Cases 1, 2, 3, 4, 5, 6, we get:
0 0 00
X
If ψ = 0 : |Bi0 ∩ Bj0 ∩ Bk0 ∩ Bl0 | = (2α − 6)λα(4) + 6λα(3) + (α4 − 7α2 + 5α)λα
i<j<k<l

If ψ 6= 0 :
0 0 00 00
X
|Bi0 ∩Bj0 ∩Bk0 ∩Bl0 | = (α−3)λα(4) (ψ)+3λα(3) (ψ)+(3α2 −3α−6)λα∗ (ψ)+(α4 −7α2 +5α)λα (ψ)
i<j<k<l

0 (4) 0 (4)
Finally, when ψ = 0, the induction formula for λα+1 gives (“First purple equation on λα ) :
0 (4)
λα+1 = (22n − 3α · 2n + 3α2 − 1)λα + (−α · 22n + 3α2 · 2n − 4α3 + 5α − 2)λ0α

+(α4 − 7α2 + 5α)λ00α (C1)

In this formula: 00 (7)
• The only term in O(α4 ) in λ00α is λα , i.e. is for i, j, k, l, 1, 2, 3 pairwise distinct with equations:
fl ⊕ gl ⊕ hl = fi ⊕ gj ⊕ hk = f1 ⊕ g2 ⊕ h3 .
0 (4) 0 (6)
• The terms in O(α · 22n ) or O(α2 · 2n ) or O(α3 ) in λ0α are λα or λα . (From X + 3 equations we
have two kinds of dominant terms).
00 (7) 0 (4) 0 (6) 0 (6)
So λα , λα and λα are needed. (We want something like: λα = λ2nα (1 + O( 21n ) + O( 2α2n )) and
00 (7) 0 (4)
λα
λα = 2n (1 + O( 21n ) + O( 2α2n )). Now by induction from these terms, more general terms will appears.
0 (4)
This is why we will establish properties on more general equations than λα and λα . When ψ 6= 0, we
have:
0
λα(4) = (22n − 3α.2n + 3α2 )λα + (−α.22n + 3α2 .2n − 4α3 + α + 1)λ0α (ψ)
00
+(α4 − 4α2 + 2α − 6)λα (ψ) (D2)
0 (4) 0 (4) 00
λα (ψ) − λα = λα + (−4α + 3)λ0α + (3α2 − 3α − 6)λα (ψ)
00 00
+(−α.22n + 3α2 .2n − 4α3 + α + 1)(λ0α (ψ) − λ0α ) + (α4 − 7α2 + 5α)[λα (ψ) − λα ] (D3)
From the details given in this Appendix D in the proof of (D1) we can also specify the various values λ0α of
(D1). This gives:
0 (4)
λα+1 = (22n − 3α.2n + 3α2 − 1)λα
0 (4)
+(−α.22n + 3.22n + 3α2 .2n − 9α.2n − 3α3 + 9α2 − 2α + 6)λα
0 (6) 0 (5)
+(−α3 + 12α2 − 47α + 60)λα + (−9α2 + 63α − 108)λα
0 [4,a] 0 [4,b] 0 [4,c]
+(−3α2 + 15α − 18)λα + (−12α + 36)λα + (−3α + 9)λα
0 (3)
+(−3.22n + 9α.2n − 9α2 − 9α + 18)λα
0 [3,b] 0 (2)
−2λα − 3λα + (α4 − 7α2 + 5α)λ00α (D4)

38
 0 (6) 0 (4)
In this formula, as mentioned above, the main terms in λ0α are in λα or λα .
When ψ 6= 0 we have:
0 (4)
λα+1 (ψ) = (22n − 3α.2n + 3α2 )λα
0 (4)
+(−α.22n + 3.22n + 3α2 .2n − 9α.2n − 3α3 + 9α2 − 3α + 9)λα (ψ)
0 (6) 0 (5)
+(−α3 + 12α2 − 47α + 60)λα (ψ) + (−9α2 + 63α − 108)λα (ψ)
0 [4,a] 0 [4,b] 0 [4,c]
+(−3α2 + 15α − 18)λα (ψ) + (−12α + 36)λα (ψ) + (−3α + 9)λα (ψ)
0 (3)
+(−3.22n + 9α.2n − 9α2 − 9α + 15)λα (ψ)
0 [3,b] 0 (2) 0 ∗(2)
−2λα (ψ) − 3λα (ψ) + (−3α + 3)λα (ψ) + (α4 − 4α2 + 2α − 6)λ00α (ψ) (D5)

From (D4) and (D5) we have:

0 (4) 0 (4)
λα+1 − λα+1 (ψ) = δα + A + B + C (D6)

with
0 0 0
δα = −λα + (α − 3)λα(4) + 3λα(3) + (3α − 3)λα∗(2) (ψ)
00
−(3α2 − 3α − 6)λα∗ (ψ)

0 0
A = [λα(4) − λα(4) (ψ)](−α.22n + 3.22n + 3α2 .2n − 9α.2n − 3α3 + 9α2 − 3α + 9)
0 0
+[λα(6) − λα(6) (ψ)](−α3 + 12α2 − 47α + 60)
0 0 0 0
B = [λα(5) − λα(5) (ψ)](−9α2 + 63α − 108) + [λα[4,a] − λα[4,a] (ψ)](−3α2 + 15α − 18)
0 0 0 0
+[λα[4,b] − λα[4,b] (ψ)](−12α + 36) + [λα[4,c] − λα[4,c] (ψ)](−3α + 9)
0 0
+[λα(3) − λα(3) (ψ)](−3.22n + 9α.2n − 9α2 − 9α + 15)
0 0 0
−2[λ0α − λα[3,b] (ψ)] − 3[λα(2) − λα(2) (ψ)]
00 00
C = (λα − λα (ψ))(α4 − 7α2 + 5α)
δα is the “difference term”. The analysis of such terms (for various X, Y, . . . equations) will be the main
0 (4) 0 (6)
subject of the end of this paper. A is the term for the “dominant terms” λα and λα (cf Table 1 of section
14). B is the “non dominant terms” in (λ0α − λ0α (ψ) and C is the term in (λ00 α − λ00 α (ψ)).

0 (4) 0 (4)
λα+1 (4) (4)
2n (α+1 − α+1 (ψ)) = λα+1 − λα+1 (ψ)
0 ∗(2) 0 (4) 0 (3) 00
−λα + (3α − 3)λα (ψ) + (α − 3)λα (ψ) + 3λα − (3α2 − 3α − 6)λα∗ (ψ)
0 (4) 0 (4)
+(−α.22n + 3.22n + 3α2 .2n − 9α.2n − 3α3 + +9α2 − 2α + 6)(λα − λα (ψ))
0 (6) 0 (6)
+(−α3 + 12α2 − 47α + 60)(λα − λα (ψ))
+(−3.22n + 9α.2n − 21α2 + 54α − 74)(λ0α − λ0α (ψ))
+(α4 − 7α2 + 5α)(λ00α − λ00α (ψ)) (D7)
8n
From (D4) in section 11 we obtain security when m  2 9 . From (D6) in section 12, we obtain also
8n 00 000
security when m  2 9 . Moreover this method can be extended to m  2n (by analyzing λα , λα , . . .) as
we will see in this paper.

39
E First Approximation of λ0α : Evaluations of λ0α /λα in O( 2αn )
This Appendix is useful to obtain quickly an evaluation of Advm when m  25n/6 or m  28n/9 . For
m  2n , it possible to avoid it as we wee in this paper. Let ψ ∈ In . We will denote by λ0α (X, ψ), or simply
by λ0α (ψ) the number of
(f1 , . . . , fα , g1 , . . . , gα , h1 , . . . , hα ) of In3α
that satisfy the conditions λα plus an equation X of the type:

fj ⊕ gj ⊕ hj = fk ⊕ gl ⊕ hi ⊕ ψ

with i, j, k, l ∈ {1, . . . , α} such that X is compatible with the conditions λα and such that X is not 0 = 0
(i.e. we do not have i = j = k = l). When ψ = 0, we have λ0α (ψ) = λ0α (i.e. the value λ0α defined in
0 (4)
section 7). We have seen in Section 7 that λ0α is not a fixed value: it can be λα (by symmetries of the
0 (3)
hypothesis for this case we can assume X to be: fα ⊕ gα ⊕ hα = hα−1 ⊕ gα−2 ⊕ fα−3 ) or λα (for this
0 (2)
case we can assume X to be: fα ⊕ gα = fα−1 ⊕ gα−2 ) or λα (for this case we can assume X to be:
fα ⊕ gα = fα−1 ⊕ gα−1 ). However, as we will see all these three values λ0α are very near, and they are very
near λ2nα .
Remarks:
0 (4)
λα
1. We are mainly interested in λα very near 2n since in formula (7.1) of Section 7 we have a term in
0 (4)
α4 λ α .

2. Here we introduce λ0α (ψ) because as we will see in Part III, these values ψ can simplify some calcu-
lations, and the proof of Theorem 12 below is the same for all ψ.

3. In fact, we can notice that when X is fixed then all values λ0 (ψ) with ψ 6= 0 are equal. This comes
from the fact that in ψ, ψ ⊕ ψ, ψ ⊕ ψ ⊕ ψ etc. we have only two possible values: 0 and ψ However
we will not need this result, but the analysis of |λ0α (ψ) − λ0α (0)| will be very useful.

Theorem 12 For all values λ0α we have:

8α 2n λ0α 8α
1− ≤ ≤1+
2 n λα (1 − 8α
2n )2
n

Similarly, for all values ψ ∈ In :

8α 2n λ0α (ψ) 8α
1− ≤ ≤1+
2 n λα (1 − 8α
2n )2
n

n
Remark. As we can see this theorem can be useful only if α < 28 . When we assume α  2n , this is
n
not a problem. However, in this paper, we will also obtain security results for 28 ≤ α < 2n without using
this Appendix.

40
Proof of Theorem 12
We will present here the proof with X : fα ⊕ gα ⊕ hα = hα−1 ⊕ gα−2 ⊕ fα−3 ⊕ ψ. The proof is exactly
similar for all the other cases. From (6.4), we have:

4(α − 1) λα
1− n
≤ 3n ≤1
2 2 λα−1

and
4(α − 2) λα−1
1− ≤ 3n ≤1
2n 2 λα−2
Therefore
4(α − 1)
2
26n λα−2 1 − ≤ λα ≤ 26n λα−2 (B1)
2n
We will now evaluate λ0α (ψ) from λα−2 .
Remark: we evaluate here from λα−2 and not from λα−1 in order to have a variable hα−1 not fixed when
we will combine the conditions 8 and 9 below.
In λ0α (ψ), we have the condition λα−2 plus

1. fα−1 ∈
/ {f1 , . . . , fα−2 }

2. gα−1 ∈
/ {g1 , . . . , gα−2 }

3. hα−1 ∈
/ {h1 , . . . , hα−2 }

4. fα−1 ⊕ gα−1 ⊕ hα−1 ∈

/ {f1 ⊕ g1 ⊕ h1 , . . . , fα−2 ⊕ gα−2 ⊕ hα−2 }

5. fα ∈
/ {f1 , . . . , fα−1 }

6. gα ∈
/ {g1 , . . . , gα−1 }

7. hα ∈
/ {h1 , . . . , hα−1 }

8. fα ⊕ gα ⊕ hα ∈
/ {f1 ⊕ g1 ⊕ h1 , . . . , fα−1 ⊕ gα−1 ⊕ hα−1 }

9. (Equation X): fα ⊕ gα ⊕ hα = fα−3 ⊕ gα−2 ⊕ hα−1 ⊕ ψ

We can decide that X will fix hα from the other values: hα = fα ⊕ gα ⊕ fα−3 ⊕ gα−2 ⊕ hα−1 ⊕ ψ, and we
can decide that conditions 3., 4. and 8. (except the last 8) will be written in hα−1 and conditions 2 and the
last 8 will be written in gα−1 : 
hα−1 ∈/ h1 , . . . , hα−2 ,
f1 ⊕ g1 ⊕ h1 ⊕ fα−1 ⊕ gα−1 , . . . , fα−2 ⊕ gα−2 ⊕ hα−2 ⊕ fα−1 ⊕ gα−1 ,

f1 ⊕ g1 ⊕ h1 ⊕ fα−3 ⊕ gα−2 ⊕ ψ, . . . , fα−2 ⊕ hα−2 ⊕ fα−3 ⊕ ψ
In this set we have between α − 2 and 3(α − 2) elements when h1 , . . . , hα−2 are pairwise distinct.

gα−1 ∈/ g1 , . . . , gα−2 , fα−1 ⊕ fα−3 ⊕ gα−2 ⊕ ψ

In this set we have between α − 2 and α − 1 elements when g1 , . . . , gα−2 are pairwise distinct (gα−1 6=
fα−1 ⊕ fα−3 ⊕ gα−2 comes from the last condition 8).

41
 Similarly, we can write conditions 6 and 7 in gα :

gα ∈
/ g1 , . . . , gα−1 , h1 ⊕ fα ⊕ fα−3 ⊕ gα−2 ⊕ hα−1 ⊕ ψ, . . . , hα−1 ⊕ fα ⊕ fα−3 ⊕ gα−2 ⊕ hα−1 ⊕ ψ

In this set we have between α − 1 and 2(α − 1) elements when g1 , . . . , gα−1 are pairwise distinct. Therefore
we get:

λ0α (ψ) ≥ λα−2 (2n − (α − 2)) (2n − (α − 1)) (2n − 3(α − 2)) (2n − (α − 1)) (2n − 2(α − 1))
| {z }| {z }| {z }| {z }| {z }
fα−1 gα−1 hα−1 fα gα

and

λ0α (ψ) ≤ λα−2 (2n − (α − 2)) (2n − (α − 2)) (2n − (α − 2)) (2n − (α − 1)) (2n − (α − 1))
| {z }| {z }| {z }| {z }| {z }
fα−1 gα−1 hα−1 fα gα

So
(α − 2)
(α − 1)
2 3(α − 2)
2(α − 1)
λ0α (ψ) (α − 2)
3 (α − 1)
2
1− 1− 1− 1− ≤ ≤ 1− 1−
2n 2n 2n 2n 25n λα−2 2n 2n

So we have:
8α λ0α (ψ)
1− ≤ ≤1
2n 25n λα−2
and with (B1) this gives:

25n λα 8α
0 25n λα λα
6n
1 − n
≤ λα (ψ) ≤ 4(α−1)
≤ n 8α
2 2 26n (1 − 2n )2 2 (1 − 2n )

So
8α 2n λ0α (ψ) 8α
1− n
≤ ≤1+ n 8α (First Approximation of λ0α and λ0α (ψ))
2 λα 2 (1 − 2n )
as claimed.

Theorem 13 (“Stabilization formula in λ0α (ψ)”).

For all equation X we have: X
λ0α (ψ) = λα
ψ∈In

i.e. if ψ 6= 0: (2n − 1)λ0α (ψ) + λ0α = λα since all the values λ0α (ψ) with ψ 6= 0 are equal.

Proof of Theorem 13
This comes immediately from from the definition of λ0α (ψ) since each solution in λα goes with exactly
one value of ψ.

42
 8n
F Security in m  2 9 : proof from Appendix D with only ψ = 0
We present here our step 3 evaluations, method 1. (Later we will see how to avoid most of the computations
done in Appendix D).
0 (4)
From the “first purple equation in λα ” (cf. Appendix D, equation (D4)) and the orange equation (7.1) of
section 7, we have:
0 (4)
2n λα+1 A
=
λα+1 B
with
3α 3α2 − 1 3α 3α2 − 9α −3α3 + 9α2 − 2α + 12 0 (4)
A = (1 − + )λα + (−α + 3 + + + )λα
2n 22n 2n 2n 22n
9α −α3 − 9α2 + 7α − 14 0 α4 − 7α2 + 5α 00
+(−3 + + )λ α + λα
2n 22n 22n
and
4α 6α2 −4α3 + α α4 − 6α3 + 11α2 − 6α 0 (4) 6α3 − 15α2 + 9α 0
B = (1 − + + )λ α + λα + λα
2n 22n 23n 33n 23n
λ0α and λ00α have different values but we know from Theorem 3 that they always satisfy:

8α 2n λ0α 8α
1− ≤ ≤1+
2n λα (1 − 8α
2n )2
n

and similarly
8α 2 22n λ00α 8α
(1 − ) ≤ ≤ (1 + )2
2n λα (1 − 8α
2n )2n

So λ0α ≥ λα (1 − 8α
2n ) and
λα 8α
λ00α ≤ (1 + 8α n )
2
22n (1 − 2n )2
< λα
λ00α ∼ 22n
(1 + 16α
2n ) From (11.1) we obtain
0 (4)
2n λα+1 < A0
∼ 0
λα+1 B

with
3α 3α2 − 1 α 3α2 −4α3 + 5α − 3 α4 − 7α2 + 5α
A0 = 1 − + − + + +
2n 22n 2n 22n 23n 24n
−8α 3α2 −4α3 + 5α − 3 16α
+ 2n
(−α + n
+ 2n
) + (α4 − 7α2 + 5α). 5n
2 2 2 2
and
4α 6α2 −4α3 + α α4 − 4α2 + 3α 8α5 − 4α3 + 3α2
B0 = 1 − + 2n + + −
2n 2 23n 24n 25n

43
Therefore: 0 (4)
2n λα+1 < 8α2 16α5
∼ 1 + 2n + 5n
λα+1 2 2
0 (4)
2n λα+1 2
We have obtained here an evaluation of λα+1 in O( 2α2n ) instead of O( 2αn ) before. Moreover, if we re-inject
0 (4)
2n λα+1 3
this evaluation in (11.1), we get an evaluation of λα+1 in O( 2α3n ), and if we re-inject this one more time,
4 0 (6)
we get an evaluation in O( 2α4n ). If we want even better evaluations, we need a better evaluation of λα and
(4) < 4
of the λ00α : this is what we will do in part III. Here since |α+1 | ∼ O( 2α4n ) we get from (10.3) security when
8n
α2 9 .

G A Simplified Example
Let xn be a sequence of values such that:
∀n ∈ N, xn+1 = xxn + b, with, |a| < 1 and a < 0
We can prove easily that
b b
xn = an (x0 + )−
a−1 a−1
b <
Therefore, when n is large, if b 6= 0, xn ' − a−1 , and moreover since a < 0, if b 6= 0, |xn | ∼ |b|.
Equation (D6) of Appendix D, and its generalizations are a lot more complex than this small example.
However there are many similarities when the coefficient a becomes − 2αn , and b becomes δα (X): the is
vanishing fast and δα (X) becomes dominant of it is 6= 0.

H Proof of a “coefficients H” Theorem

We present here a proof in English of a Theorem published in French in 1991 in my PhD Thesis p.27. This
theorem can be found in [13], “The Coefficient H technique”. We present again a proof of this theorem
here, in order to have all the proofs in this paper.

Theorem 14 Let k be an integer. Let K be a set of k-uples of functions (f1 , . . . , fk ). Let G be an application
of K → Fn (Therefore G is a way to design a function of Fn from k-uples (f1 , . . . , fk ) of K). Let α and β
be real numbers, α ≥ 0 and β ≥ 0. Let E be a subset of Inm such that |E| ≥ (1 − β) · 2nm .
If:
1) For all sequences ai , 1 ≤ i ≤ m, of pairwise distinct elements of In and for all sequences bi ,
1 ≤ i ≤ m, of E we have:
|K|
|H| ≥ nm (1 − α)
2
where H denotes the number of (f1 , . . . , fk ) ∈ K such that
∀i, 1 ≤ i ≤ m, G(f1 , . . . fk )(ai ) = bi (1)
Then
2) For every CPA-2 with m chosen plaintexts we have: p ≤ α + β where p = AdvφP RF denotes the
advantage to distinguish G(f1 , . . . , fk ) when (f1 , . . . , fk ) ∈R K from a function f ∈R Fn (2).

44
 Proof of Theorem 5

(We follow here a proof, in French, of this Theorem in J.Patarin, PhD Thesis, 1991, Page 27).
Let φ be a (deterministic) algorithm which is used to test a function f of Fn . (φ can test any function
f from In → In ). φ can use f at most m times, that is to say that φ can ask for the values of some f (Ci ),
Ci ∈ In , 1 ≤ i ≤ m. (The value C1 is chosen by φ, then φ receive f (C1 ), then φ can choose any C2 6= C1 ,
then φ receive f (C2 ) etc). (Here we have adaptive chosen plaintexts). (If i 6= j, Ci is always different from
Cj ). After a finite but unbounded amount of time, φ gives an output of “1” or “0”. This output (1 or 0) is
noted φ(f ).
We will denote by P1∗ , the probability that φ gives the output 1 when f is chosen randomly in Fn .
Therefore
Number of functions f such that φ(f ) = 1
P1∗ =
|Fn |
n
where |Fn | = 2n·2 .
We will denote by P1 , the probability that φ gives the output 1 when (f1 , . . . , fk ) ∈R K and f =
G(f1 , . . . , fk ). Therefore

Number of (f1 , . . . , fk ) ∈ K such that φ(G(f1 , . . . , fk )) = 1

P1 =
|K|
We will prove:
(“Main Lemma”): For all such algorithms φ,

|P1 − P1∗ | ≤ α + β

Then Theorem 1 will be an immediate corollary of this “Main Lemma” since AdvφP RF is the best |P1 − P1∗ |
that we can get with such φ algorithms.
Proof of the “Main Lemma”
Evaluation of P1∗
Let f be a fixed function, and let C1 , . . . , Cm be the successive values that the program φ will ask for the
values of f (when φ tests the function f ). We will note σ1 = f (C1 ), . . . , σm = f (Cm ). φ(f ) depends
only of the outputs σ1 , . . . , σm . That is to say that if f 0 is another function of Fn such that ∀i, 1 ≤ i ≤ m,
f 0 (Ci ) = σi , then φ(f ) = φ(f 0 ). (Since for i < m, the choice of Ci+1 depends only of σ1 , . . . , σi . Also the
algorithm φ cannot distinguish f from f 0 , because φ will ask for f and f 0 exactly the same inputs, and will
obtain exactly the same outputs). Conversely, let σ1 , . . . , σn be m elements of In . Let C1 be the first value
that φ choose to know f (C1 ), C2 the value that φ choose when φ has obtained the answer σ1 for f (C1 ), . . .,
and Cm the mth value that φ presents to f , when φ has obtained σ1 , . . . , σm−1 for f (C1 ), . . . , f (Cm−1 ).
Let φ(σ1 , . . . , σm ) be the output of φ (0 or 1). Then
X Number of functions f such that ∀i, 1 ≤ i ≤ m, f (Ci ) = σi
P1∗ =
σ1 ,...,σn 2n·2n
φ(σ1 ,...σm )=1

Since the Ci are all distinct the number of functions f such that ∀i, 1 ≤ i ≤ m, f (Ci ) = σi is exactly
|Fn |/2nm . Therefore

Number of outputs (σ1 , . . . , σm ) such that φ(σ1 , . . . σm ) = 1

P1∗ =
2nm

45
Let N be the number of outputs σ1 , . . . , σm such that φ(σ1 , . . . σm ) = 1. Then P1∗ = N
2nm .
Evaluation of P1

With the same notation σ1 , . . . , σn , and C1 , . . . Cm :

X Number of (f1 , . . . , fk ) ∈ K such that ∀i, 1 ≤ i ≤ m, G(f1 , . . . , fk )(Ci ) = σi
P1 = (3)
σ1 ,...,σn |K|
φ(σ1 ,...σm )=1

Now (by definition of β) we have at most β·2nm sequences (σ1 , . . . , σm ) such that (σ1 , . . . , σm ) ∈
/ E. There-
nm
fore, we have at least N − β · 2 sequences (σ1 , . . . , σm ) such that φ(σ1 , . . . σm ) = 1 and (σ1 , . . . , σm ) ∈
E (4). Therefore, from (1), (3) and (4), we have
|K|
(N − β · 2nm ) · 2nm (1 − α)
P1 ≥
|K|
Therefore
N

P1 ≥ nm
− β (1 − α)
2
P1 ≥ (P1∗ − β)(1 − α)
Thus P1 ≥ P1∗ − α − β (5), as claimed.
We now have to prove the inequality in the other side. For this, let P0∗ be the probability that φ(f ) = 0
when f ∈R Fn . P0∗ = 1 − P1∗ . Similarly, let P0 be the probability that φ(f ) = 0 when (f1 , . . . , fk ) ∈R K
and f = G(f1 , . . . , fk ). P0 = 1 − P1 . We will have P0 ≥ P0∗ − α − β (since the outputs 0 and 1
have symmetrical hypothesis. Or, alternatively since we can always consider an algorithm φ0 such that
φ0 (f ) = 0 ⇔ φ(f ) = 1 and apply (5) to this algorithm φ0 ).
Therefore, 1 − P1 ≥ 1 − P1∗ − α − β, i.e. P1∗ ≥ P1 − α − β (6). Finally, from (5) and (6), we have:
|P1 − P1∗ | ≤ α + β, as claimed.

Example of Application: Xor of two permutations

With k = 2, K = |Bn |2 and G(f1 , . . . , fk ) = f1 ⊕ f2 we obtain immediately:

Theorem 15 Let α and β be real numbers, α ≥ 0 and β ≥ 0. Let E be a subset of Inm such that |E| ≥
(1 − β) · 2nm .
If:
1) For all sequences ai , 1 ≤ i ≤ m, of pairwise distinct elements of In and for all sequences bi ,
1 ≤ i ≤ m, of E we have:
|Bn |2
|H| ≥ nm (1 − α)
2
2
where H denotes the number of (f, g) ∈ Bn such that
∀i, 1 ≤ i ≤ m, f ⊕ g(ai ) = bi
Then
2) For every CPA-2 with m chosen plaintexts we have: p ≤ α + β where p = AdvφP RF denotes the
advantage to distinguish f ⊕ g when (f, g) ∈R Bn2 from a function h ∈R Fn .

46