EME*: extending EME to handle arbitrary-length messages with associated data


EME*: extending EME to handle arbitrary-length messages with associated data (Preliminary Report)

Shai Halevi

May 27, 2004

Abstract

This work describes a mode of operation, EME*, that turns a regular block cipher into a length-preserving enciphering scheme for messages of (almost) arbitrary length. Specifically, the resulting scheme can handle any bit-length, not shorter than the block size of the underlying cipher, and it also handles associated data of arbitrary bit-length. Such a scheme can either be used directly in applications that need encryption but cannot afford length expansion, or serve as a convenient building block for higher-level modes. The mode EME* is a refinement of the EME mode of Halevi and Rogaway, and it inherits the efficiency and parallelism from the original EME.

1 Introduction

Adding secrecy protection to existing (legacy) protocols and applications raises some unique problems. One of these problems is that existing protocols sometimes require that the encryption be transparent, and in particular preclude length-expansion. One example is encryption of storage data at the sector level, where both the higher-level operating system and the lower-level disk expect the data to be stored in blocks of 512 bytes, and so any encryption method would have to accept 512-byte plaintexts and produce 512-byte ciphertexts. Clearly, insisting on a length-preserving (and hence deterministic) transformation has many drawbacks. Indeed, even the weakest acceptable notion of secure encryption (i.e., semantic security [5]) cannot be achieved by deterministic encryption. Still, there may be cases where length-preservation is a hard requirement (due to technical, economical or even political constraints), and in such cases one may want to use some encryption scheme that gives better protection than no encryption at all. The strongest notion of security for a length-preserving transformation is strong pseudo-random permutation (SPRP) as defined by Luby and Rackoff [10], and its extension to tweakable SPRP by Liskov et al. [9].
Footnote: A tweak is an additional input to the enciphering and deciphering procedures that need not be kept secret. This report uses the terms tweak and associated data pretty much interchangeably, except that associated data hints that it can be of arbitrary length, whereas tweak is sometimes thought of as a fixed-length quantity.

IBM T.J. Watson Research Center, P.O. Box 704, Yorktown Heights, NY 10598, USA, shaih@watson.ibm.com

Motivated by the application for sector-level encryption, some efficient modes of operation that implement tweakable SPRP on large blocks were recently described by Halevi and Rogaway [6, 7]. As general purpose modes, however, these modes are somewhat limited, in that they can only be applied to input messages whose size is a multiple of n, the block-size of the underlying cipher. Also, the mode CMC from [6] is inherently sequential (and it was only proven secure against attack models where all the messages are of the same length), and the mode EME from [7] is limited to messages of at most n² bits. The current work is aimed at eliminating these limitations.

The mode EME*, presented below, takes a standard cipher with n-bit blocks and turns it into a tweakable enciphering scheme with message space ℳ = {0,1}^{n+} (i.e., any string of at least n bits) and tweak space 𝒯 = {0,1}*. The key for EME* consists of one key of the underlying cipher and two additional n-bit blocks. The mode EME* has similar structure to the mode EME from [7]. Roughly, it consists of two layers of masked ECB encryption, with a layer of lightweight mixing in between. As a consequence, EME* is highly parallelizable,¹ and also quite work-efficient. Processing an m-block query with l blocks of associated data takes at most l + 2m + ⌈m/n⌉ block encryptions (or decryptions). (We note that another mode for arbitrary-length messages, following the Luby-Rackoff approach, was recently proposed by McGrew and Viega [11].)

1.1 What about very short blocks?

The mode EME* can handle blocks of any bit-length but not less than the block size of the underlying cipher. The underlying structure of EME*, being based on ECB encryption, does not lend itself to handling shorter blocks. In fact, in my opinion there is no good solution today for handling arbitrary short blocks. The solutions that I am aware of are the following:

For blocks that are not too short (say, at least 64 bits), one can simply switch to using a different block cipher.
For example, one could use EME*[AES] to process blocks that are 128 bits or more, and use a separately keyed EME*[3DES] to handle blocks of length between 64 and 127 bits. This solution, however, is quite expensive, as it mandates the implementation of two different ciphers. (Of course, one could use EME*[3DES] also to handle longer messages, but then the security parameter would be much reduced.) Moreover this solution does not address blocks shorter than 64 bits.

For very short blocks (e.g., one byte) it is possible to pre-compute a pseudorandom permutation and store it in a table. This approach, however, clearly runs out of steam for blocks longer than two bytes, and it is extremely wasteful of space even before that. (Also, it is not clear how to incorporate a tweak into this approach.)

Alternatively, one could apply the Luby-Rackoff construction to implement the narrow-block cipher, using the underlying cipher for the pseudorandom function. (Indeed, the ABL mode of McGrew and Viega [11] does just that.) This solution extends to handle messages of any length, but at a price of a severely reduced security-parameter. For example, although 128-bit blocks may enjoy 128 bits of security, 127-bit blocks only enjoy 63 bits of security. Even worse, 64-bit blocks have to make do with a pathetic 32 bits of security.

¹ In EME*, the longest execution path for any input consists of at most five block encryptions. If the input length is a multiple of the block length then the longest path has only four encryptions, and only three if in addition the input is shorter than n blocks.

It is possible to use six or more rounds of the Luby-Rackoff construction to make the security parameter a little less miserable (cf. Patarin's work [12]), but the price is an extremely slow mode for small blocks.

Another approach is to use a parameterizable cipher (e.g., RC5 [13]) as the underlying block cipher. Parameterizable ciphers can be instantiated to handle various block sizes, so in particular they can be used in their narrow-block instantiation to handle the small blocks. However, to the best of my knowledge there is a fairly small number of such ciphers, and they were never seriously analyzed for small blocks. So it is unlikely that they provide very good security, especially in the very small block sizes. Worse still, it is likely that using the same key for different block sizes would have disastrous consequences.

I view the problem of handling arbitrary small blocks as wide open. The two plausible approaches for addressing it are either to design a mode of operation with good security-performance tradeoff for small blocks, or to design an efficient block cipher that can handle small blocks securely. I believe that a good cipher is more likely to be possible than a good mode of operation (but perhaps this is only because I know more about modes of operation than about block ciphers.)

Organization. Section 2 recalls some standard definitions (this section is taken almost verbatim from [7]). Section 3 describes the EME* mode with a brief discussion of the extensions of EME* over EME. The security of EME* is stated in Section 4 and proven in the appendix.

Acknowledgments. I thank John Viega for showing me his ABL mode of operation. I also thank Eli Biham for a discussion about the state of block ciphers for very short blocks.

2 Preliminaries

Basics. A tweakable enciphering scheme is a function E: 𝒦 × 𝒯 × ℳ → ℳ where ℳ = ∪_{i∈I} {0,1}^i is the message space (for some nonempty index set I ⊆ ℕ) and 𝒦 is the key space and 𝒯 is the tweak space. We require that for every K ∈ 𝒦 and T ∈ 𝒯 we have that E(K, T, ·) = E_K^T(·) is a length-preserving permutation on ℳ.
The inverse of an enciphering scheme E is the enciphering scheme D = E^{-1} where X = D_K^T(Y) if and only if E_K^T(X) = Y. A block cipher is the special case of a tweakable enciphering scheme where the message space is ℳ = {0,1}^n (for some n ≥ 1) and the tweak space is 𝒯 = {ε} (the empty string). The number n is called the blocksize. By Perm(n) we mean the set of all permutations on {0,1}^n. By Perm^𝒯(ℳ) we mean the set of all functions π: 𝒯 × ℳ → ℳ where π(T, ·) is a length-preserving permutation.

An adversary A is a (possibly probabilistic) algorithm with access to some oracles. Oracles are written as superscripts. By convention, the running time of an algorithm includes its description size. The notation A ⇒ 1 describes the event that the adversary A outputs the bit one.

Security measures. For a tweakable enciphering scheme E: 𝒦 × 𝒯 × ℳ → ℳ we consider the advantage that the adversary A has in distinguishing E and its inverse from a random tweakable permutation and its inverse:

$$\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{E}(A) = \Pr\left[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot,\cdot)\, E_K^{-1}(\cdot,\cdot)} \Rightarrow 1\right] - \Pr\left[\pi \xleftarrow{\$} \mathrm{Perm}^{\mathcal{T}}(\mathcal{M}) : A^{\pi(\cdot,\cdot)\, \pi^{-1}(\cdot,\cdot)} \Rightarrow 1\right]$$

The notation shows, in the brackets, an experiment to the left of the colon and an event to the right of the colon. We are looking at the probability of the indicated event after performing the specified experiment. By X ←$ 𝒳 we mean to choose X at random from the finite set 𝒳. In writing ±prp̃ the tilde serves as a reminder that the PRP is tweakable and the ± symbol is a reminder that this is the strong (chosen plaintext/ciphertext attack) notion of security. For a block cipher, we omit the tilde.

Without loss of generality we assume that an adversary never repeats an encipher query, never repeats a decipher query, never queries its deciphering oracle with (T, C) if it got C in response to some (T, M) encipher query, and never queries its enciphering oracle with (T, M) if it earlier got M in response to some (T, C) decipher query. We call such queries pointless because the adversary knows the answer that it should receive.

When R is a list of resources and Adv^xxx_Π(A) has been defined, we write Adv^xxx_Π(R) for the maximal value of Adv^xxx_Π(A) over all adversaries A that use resources at most R. Resources of interest are the running time t and the number of oracle queries q and the query complexity σ_n (where n ≥ 1 is a number). The query complexity σ_n is just the total number of n-bit blocks in all the queries that the adversary makes (including both the data and the associated data). Namely, the query complexity of any one call (T, P) is ⌈|T|/n⌉ + ⌈|P|/n⌉, and the query complexity of an attack is the sum of the query complexity of all the calls. The name of an argument (e.g., t, q, or σ_n) will be enough to make clear what resource it refers to.

Finite field. We interchangeably view an n-bit string as: a string; a nonnegative integer less than 2^n (msb first); a formal polynomial over GF(2) (with the coefficient of x^{n−1} first and the free term last); and an abstract point in the finite field GF(2^n).
To do addition on field points, one xors their string representations. To do multiplication on field points, one must fix a degree-n irreducible polynomial. We choose to use the lexicographically first primitive polynomial of minimum weight. For n = 128 this is the polynomial x^128 + x^7 + x^2 + x + 1. See [3] for a list of the indicated polynomials. We note that with this choice of field-point representation, the point x = 0^{n−2}10 = 2 will always have order 2^n − 1 in the multiplicative group of GF(2^n), meaning that 2, 2^2, 2^3, ..., 2^{2^n−1} are all distinct. Finally, we note that given L = L_{n−1} ··· L_1 L_0 ∈ {0,1}^n it is easy to compute 2L. We illustrate the procedure for n = 128, in which case 2L = L<<1 if firstbit(L) = 0, and 2L = (L<<1) ⊕ Const87 if firstbit(L) = 1. Here Const87 = 0^{120}10000111, firstbit(L) means L_{n−1}, and L<<1 means L_{n−2} L_{n−3} ··· L_1 L_0 0.

3 Specification of EME* Mode

Consider a block cipher E: 𝒦 × {0,1}^n → {0,1}^n. Then EME*[E]: (𝒦 × {0,1}^{2n}) × 𝒯 × ℳ → ℳ is an enciphering scheme with associated data, where 𝒦 is the same as the underlying cipher, 𝒯 = {0,1}^{0..n(2^n−3)}, and ℳ = {0,1}^{n..n(2^n−2)}. In words, the key for EME*[E] consists of one key K of the underlying block cipher E and two n-bit blocks, L and R. EME*[E] accepts messages of any bit length greater than or equal to n (but no more than n(2^n − 2)), and associated data of arbitrary bit-length (but no more than n(2^n − 3)). Obviously, in practical terms the upper limits are no limitation at all.

function H_{K,R}(T_1 ··· T_{l−1}, T_l):                   // |T_1| = ··· = |T_{l−1}| = n, 0 < |T_l| ≤ n
01   if T is empty return E_K(R)
10   for i ∈ [1..l−1] do TTT_i ← E_K(2^i R ⊕ T_i) ⊕ 2^i R
11   if |T_l| = n then TTT_l ← E_K(2^l R ⊕ T_l) ⊕ 2^l R
12   else TTT_l ← E_K(2^{l+1} R ⊕ (T_l 10..0)) ⊕ 2^{l+1} R
13   return TTT_1 ⊕ ··· ⊕ TTT_l

Algorithm Ẽ_{K,L,R}(T; P_1 ··· P_m)                       // |P_1| = ··· = |P_{m−1}| = n, 0 < |P_m| ≤ n
101  if |P_m| = n then lastfull ← m
102  else lastfull ← m−1, PPP_m ← P_m padded with 10..0
110  for i ← 1 to lastfull do
111    PP_i ← 2^{i−1} L ⊕ P_i
112    PPP_i ← E_K(PP_i)
120  SP ← PPP_2 ⊕ ··· ⊕ PPP_m
121  MP_1 ← PPP_1 ⊕ SP ⊕ H_{K,R}(T)
122  if |P_m| = n then MC_1 ← E_K(MP_1)
123  else MM ← E_K(MP_1)
124       MC_1 ← E_K(MM)
125       C_m ← P_m ⊕ (MM truncated)
126       CCC_m ← C_m padded with 10..0
127  M_1 ← MP_1 ⊕ MC_1
130  for i = 2 to lastfull do
131    j = ⌈i/n⌉, k = (i−1) mod n
132    if k = 0 then
133      MP_j ← PPP_i ⊕ M_1
134      MC_j ← E_K(MP_j)
135      M_j ← MP_j ⊕ MC_j
136      CCC_i ← MC_j ⊕ M_1
137    else CCC_i ← PPP_i ⊕ 2^k M_j
140  SC ← CCC_2 ⊕ ··· ⊕ CCC_m
141  CCC_1 ← MC_1 ⊕ SC ⊕ H_{K,R}(T)
142  for i ← 1 to lastfull do
143    CC_i ← E_K(CCC_i)
144    C_i ← CC_i ⊕ 2^{i−1} L
150  return C_1 ··· C_m

Algorithm D_{K,L,R}(T; C_1 ··· C_m)                       // |C_1| = ··· = |C_{m−1}| = n, 0 < |C_m| ≤ n
201  if |C_m| = n then lastfull ← m
202  else lastfull ← m−1, CCC_m ← C_m padded with 10..0
210  for i ← 1 to lastfull do
211    CC_i ← 2^{i−1} L ⊕ C_i
212    CCC_i ← E_K^{-1}(CC_i)
220  SC ← CCC_2 ⊕ ··· ⊕ CCC_m
221  MC_1 ← CCC_1 ⊕ SC ⊕ H_{K,R}(T)
222  if |C_m| = n then MP_1 ← E_K^{-1}(MC_1)
223  else MM ← E_K^{-1}(MC_1)
224       MP_1 ← E_K^{-1}(MM)
225       P_m ← C_m ⊕ (MM truncated)
226       PPP_m ← P_m padded with 10..0
227  M_1 ← MP_1 ⊕ MC_1
230  for i = 2 to lastfull do
231    j = ⌈i/n⌉, k = (i−1) mod n
232    if k = 0 then
233      MC_j ← CCC_i ⊕ M_1
234      MP_j ← E_K^{-1}(MC_j)
235      M_j ← MP_j ⊕ MC_j
236      PPP_i ← MP_j ⊕ M_1
237    else PPP_i ← CCC_i ⊕ 2^k M_j
240  SP ← PPP_2 ⊕ ··· ⊕ PPP_m
241  PPP_1 ← MP_1 ⊕ SP ⊕ H_{K,R}(T)
242  for i ← 1 to lastfull do
243    PP_i ← E_K^{-1}(PPP_i)
244    P_i ← PP_i ⊕ 2^{i−1} L
250  return P_1 ··· P_m

Figure 1: Enciphering and deciphering under Ẽ = EME*[E], where E: 𝒦 × {0,1}^n → {0,1}^n is a block cipher. The associated data is T ∈ {0,1}*, the plaintext is P = P_1 ··· P_m and the ciphertext is C = C_1 ··· C_m.
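The following is an added worked example, not code from the paper: a byte-oriented implementation of Figure 1 (the hash H_{K,R}, the two masked-ECB layers, the per-chunk masks M_j of Section 3, and the GF(2^128) doubling of Section 2) that can be run against the pseudocode. It departs from the paper in two assumed simplifications: messages and associated data are whole bytes rather than arbitrary bit strings, and the block cipher E_K is a toy 4-round Feistel network built on SHA-256 (so the example runs offline without AES); that toy cipher is a stand-in with no security of its own. The names `ToyCipher`, `hash_T`, `eme_star` and `NBITS` are this example's, not the paper's. Since deciphering is the same computation with E_K^{-1} in place of E_K (the hash always uses E_K), one routine serves both directions.

```python
# Added example, not from the paper: byte-oriented EME* following Figure 1 over a
# toy cipher. The Feistel "ToyCipher" only stands in for AES; it is NOT secure.
import hashlib

N = 16            # n = 128 bits, expressed in bytes
NBITS = 8 * N     # chunk length in blocks: a fresh mask M_j every n blocks


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def double(x):
    """Multiply a GF(2^128) point by 2 (Section 2): shift left, and if the msb
    was set xor in Const87 = 0^120 10000111 (reduction by x^128+x^7+x^2+x+1)."""
    v = int.from_bytes(x, "big") << 1
    if v >> 128:
        v ^= (1 << 128) | 0x87
    return v.to_bytes(N, "big")


def pad(x):
    """Pad a partial block with 10..0 (byte-granular: 0x80 then zero bytes)."""
    return x + b"\x80" + bytes(N - len(x) - 1)


class ToyCipher:
    """Keyed permutation on 16-byte blocks: 4-round Feistel with a SHA-256 round
    function. Used only as the E_K oracle of this example; not a real cipher."""
    def __init__(self, key):
        self.key = key

    def _f(self, rnd, half):
        return hashlib.sha256(self.key + bytes([rnd]) + half).digest()[:8]

    def enc(self, block):
        l, r = block[:8], block[8:]
        for rnd in range(4):
            l, r = r, xor(l, self._f(rnd, r))
        return l + r

    def dec(self, block):
        l, r = block[:8], block[8:]
        for rnd in reversed(range(4)):
            l, r = xor(r, self._f(rnd, l)), l
        return l + r


def hash_T(E, R, T):
    """H_{K,R} of Figure 1: PMAC-like xor-universal hash of the associated data."""
    if not T:
        return E.enc(R)                                   # line 01
    blocks = [T[i:i + N] for i in range(0, len(T), N)]
    l, out, mask = len(blocks), bytes(N), R
    for i, blk in enumerate(blocks, 1):
        mask = double(mask)                               # mask is now 2^i R
        if i == l and len(blk) < N:                       # partial last block (line 12)
            mask, blk = double(mask), pad(blk)            # 2^{l+1} R and 10..0 padding
        out = xor(out, xor(E.enc(xor(mask, blk)), mask))
    return out


def eme_star(E, L, R, T, data, encrypt=True):
    """One direction of EME*: encrypt=True is Figure 1's Ẽ, False is D (same
    steps with E_K^{-1}). Key is (E, L, R); T is the associated data."""
    assert len(data) >= N, "EME* needs at least one full block"
    f = E.enc if encrypt else E.dec
    blocks = [data[i:i + N] for i in range(0, len(data), N)]
    m = len(blocks)
    lastfull = m if len(blocks[-1]) == N else m - 1
    h = hash_T(E, R, T)
    mid = [None] * (m + 1)                                # PPP (or CCC when deciphering)
    mask = L
    for i in range(1, lastfull + 1):                      # first masked-ECB layer, lines 110-112
        mid[i] = f(xor(mask, blocks[i - 1]))
        mask = double(mask)                               # 2^i L for the next block
    if lastfull < m:
        mid[m] = pad(blocks[-1])
    S = bytes(N)
    for i in range(2, m + 1):
        S = xor(S, mid[i])                                # SP (or SC)
    X1 = xor(xor(mid[1], S), h)                           # MP_1 (or MC_1)
    out = [None] * (m + 1)
    if lastfull == m:
        Y1 = f(X1)                                        # MC_1 (or MP_1)
    else:
        MM = f(X1)                                        # extra block masks the partial block
        Y1 = f(MM)
        last = xor(blocks[-1], MM[:len(blocks[-1])])
        out[m] = pad(last)
    M1 = xor(X1, Y1)
    Mj = M1
    for i in range(2, lastfull + 1):                      # lightweight mixing, lines 130-137
        k = (i - 1) % NBITS
        if k == 0:                                        # new chunk of n blocks: fresh mask M_j
            Xj = xor(mid[i], M1)
            Yj = f(Xj)
            Mj = xor(Xj, Yj)
            out[i] = xor(Yj, M1)
        else:
            Mj = double(Mj)                               # 2^k M_j
            out[i] = xor(mid[i], Mj)
    S = bytes(N)
    for i in range(2, m + 1):
        S = xor(S, out[i])
    out[1] = xor(xor(Y1, S), h)
    result, mask = [], L
    for i in range(1, lastfull + 1):                      # second masked-ECB layer, lines 140-144
        result.append(xor(f(out[i]), mask))
        mask = double(mask)
    if lastfull < m:
        result.append(last)
    return b"".join(result)
```

A round trip such as `eme_star(E, L, R, T, eme_star(E, L, R, T, P), encrypt=False) == P` holds for any byte length of at least 16, including lengths that cross the n-block chunk boundary (where the `k == 0` branch derives M_2), and the ciphertext is always exactly as long as the plaintext. Because the mode is deterministic, equal (T, P) pairs give equal ciphertexts; changing T alone changes the whole output.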

[Figure 2 diagram not reproduced in this transcription; labels recovered from it: associated data T hashed by H; plaintext blocks P_1 ... P_{n+3} masked by L, 2L, ..., 2^{n+1}L and enciphered to PPP_1 ... PPP_{n+3} (the partial block P_{n+3} is padded); mixing masks SP, MP_1, MC_1, M_1, 2M_1, ..., 2^{n−1}M_1, MP_2, MC_2, M_2, 2M_2 and MM; then SC and CCC_1 ... CCC_{n+3}, enciphered and masked with L, 2L, ..., 2^{n+1}L into C_1 ... C_{n+3}.]

Figure 2: Enciphering under EME* a buffer with n + 2 full blocks and one partial block. The boxes represent E_K. We set the masks as SP = PPP_2 ⊕ ··· ⊕ PPP_{n+3}, M_i = MP_i ⊕ MC_i, and SC = CCC_2 ⊕ ··· ⊕ CCC_{n+3}.

The scheme EME*[E] follows the same general principles of the tweakable scheme EME from [7]. Roughly, it consists of two layers of masked ECB encryption, with a layer of lightweight mixing in between. A complete specification of the enciphering scheme EME*[E] is given in Figure 1, and an illustration (for a message of n + 2 full blocks and one partial block) is provided in Figure 2. For those familiar with EME, the differences between EME and EME* are as follows:

Hashing the tweak. The original EME scheme requires that the tweak value be an n-bit string, whereas here we allow associated data of any length. For this purpose, we hash the associated data to an n-bit string. The hash function needs only be xor-universal, yet I chose to implement it using the underlying block cipher in a PMAC-like mode [2].

More than one mask. The EME scheme uses (multiples of) a single mask value M in the lightweight masking layer. It was shown in [7], however, that this masking technique with just one mask cannot be used for messages longer than n² bits. Longer messages are handled in EME* using the approach that was proposed in the appendix of [7]. The message is broken to chunks of at most n² bits each, and a different mask value is used for every chunk. To handle the last partial block (if any), yet another mask is computed and xor-ed into the last partial plaintext block, thus getting the last partial ciphertext block.

We comment that it is possible to derive the two key blocks L, R from the cipher key K, say by setting L = 2E_K(0) and R = 3E_K(0).² The proof below does not prove this variant, since proving it would mean adding a few more pages to a proof that is already way too long.

4 Security of EME*

The following theorem relates the advantage of an adversary in attacking EME*[E] to the advantage of an adversary in attacking the block cipher E.
Theorem 1 [EME* security] Any adversary that tries to distinguish EME*[Perm(n)] from a truly random tweakable length-preserving permutation, using at most q queries totaling at most σ_n blocks (some of which may be partial), has advantage at most (2.5σ_n + 3q)²/2^{n+1}. Using the notation from Section 2, we have

$$\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\mathrm{EME}^*[\mathrm{Perm}(n)]}(q, \sigma_n) \le \frac{(2.5\sigma_n + 3q)^2}{2^{n+1}} \qquad (1)$$

Corollary 1 Fix n, t, q, σ_n ∈ ℕ and a block cipher E: 𝒦 × {0,1}^n → {0,1}^n. Then

$$\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\mathrm{EME}^*[E]}(t, q, \sigma_n) \le \frac{(2.5\sigma_n + 3q)^2}{2^{n}} + 2\,\mathrm{Adv}^{\pm\mathrm{prp}}_{E}\!\left(t',\; 2q + \left(2 + \tfrac{1}{n}\right)\sigma_n\right)$$

where t' = t + O(nσ_n).

Note that the theorem and corollary do not restrict messages to one particular length: proven security is for a variable-input-length (VIL) cipher, not just fixed-input-length (FIL) ones. The proof of Theorem 1 is given in Appendix A. Corollary 1 embodies the standard way to pass from the information-theoretic setting to the complexity-theoretic one.

² The maximum length of messages and associated input would have to be somewhat reduced for this to work. But for n = 128 we can still prove security for messages and associated data as long as, say, … blocks. (The upper bound is actually min(log_2 3, 2^n − 1 − log_2 3). With the representation of GF(2^128) as above, we have log_2 3 = …; see [14].)

References

[1] J. Black and P. Rogaway. CBC MACs for arbitrary-length messages: The three-key constructions. In Advances in Cryptology, CRYPTO 2000, volume 1880 of Lecture Notes in Computer Science. Springer-Verlag.

[2] J. Black and P. Rogaway. A block-cipher mode of operation for parallelizable message authentication. In L. Knudsen, editor, Advances in Cryptology, EUROCRYPT '02, volume 2332 of Lecture Notes in Computer Science. Springer-Verlag.

[3] S. Duplichan. A primitive polynomial search program. Web document. Available at …duplichan/primitivepolynomials/primivitepolynomials.htm.

[4] S. Even and Y. Mansour. A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology, 10(3).

[5] S. Goldwasser and S. Micali. Probabilistic encryption. J. of Computer and System Sciences, 28, April.

[6] S. Halevi and P. Rogaway. A tweakable enciphering mode. In D. Boneh, editor, Advances in Cryptology, CRYPTO '03, volume 2729 of Lecture Notes in Computer Science. Springer-Verlag. Full version available on the eprint archive.

[7] S. Halevi and P. Rogaway. A parallelizable enciphering mode. In The RSA conference, Cryptographer's track, RSA-CT '04, volume 2964 of Lecture Notes in Computer Science. Springer-Verlag. Full version available on the eprint archive.

[8] J. Kilian and P. Rogaway. How to protect DES against exhaustive key search. Journal of Cryptology, 14(1):17–35. Earlier version in CRYPTO. Available from …rogaway.

[9] M. Liskov, R. Rivest, and D. Wagner. Tweakable block ciphers. In Advances in Cryptology, CRYPTO '02, volume 2442 of Lecture Notes in Computer Science. Springer-Verlag. Available from …daw/.

[10] M. Luby and C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. of Computation, 17(2), April.

[11] D. A. McGrew and J. Viega. ABL mode: security without data expansion. Private communication.

[12] J. Patarin. Luby-Rackoff: 7 rounds are enough for 2^{n(1−ε)} security. In Advances in Cryptology, CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science. Springer-Verlag.

[13] R. L. Rivest. The RC5 encryption algorithm. In Fast Software Encryption (FSE '94), volume 1008 of Lecture Notes in Computer Science. Springer.

[14] P. Rogaway. Efficient instantiations of tweakable block ciphers and refinements to modes OCB and PMAC. Available on-line from …rogaway/papers/.

A Proof of Theorem 1: Security of EME*

A personal comment. The proof below spans more than 23 pages, and as much as I tried to simplify and to explain clearly, it is quite a pain to read. Frankly, I don't believe that anyone will ever go through the trouble of reading and verifying it. Assuming this is the case, one can still get some assurance in the correctness of the mode, even from a proof that no one reads: At least it implies that the author went carefully through all the different cases and was convinced that they all work. Indeed, the proof below uses the same mechanism that was used to prove CMC [6] and EME [7], and this mechanism in effect forces one to cover all the cases. Also, the mode EME* is close enough to the original mode EME, so that one who verified the proof for EME (which is shorter) may be able to be convinced of the correctness of EME* just by inspection.

A useful lemma. The proof of security is divided into two parts: in Section A.1 we carry out a game-substitution argument, reducing the analysis of EME* to the analysis of a simpler probabilistic game. In Section A.2 we analyze that simpler game. Before we begin we first recall a little lemma, saying that a (tweakable) truly random permutation looks very much like an oracle that just returns random bits (as long as you never ask pointless queries). So instead of analyzing indistinguishability from a random permutation we can analyze indistinguishability from random bits.

Let E: 𝒦 × 𝒯 × ℳ → ℳ be a tweaked block-cipher and let D be its inverse. Define the advantage of distinguishing E from random bits, Adv^{±rnd}_E, by

$$\mathrm{Adv}^{\pm\mathrm{rnd}}_{E}(A) = \Pr\left[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot,\cdot)\, D_K(\cdot,\cdot)} \Rightarrow 1\right] - \Pr\left[A^{\$(\cdot,\cdot)\, \$(\cdot,\cdot)} \Rightarrow 1\right]$$

where $(T, M) returns a random string of length |M|. We insist that A makes no pointless queries, regardless of oracle responses, and A asks no query (T, M) outside of 𝒯 × ℳ. We extend the definition above in the usual way to its resource-bounded versions. We have the following lemma, whose (standard) proof can be found, for example, in the full version of [6].
Lemma 2 [±prp̃-security ⇐ ±rnd-security] Let E: 𝒦 × 𝒯 × ℳ → ℳ be a tweaked block-cipher and let q ≥ 1 be a number. Then

$$\mathrm{Adv}^{\pm\widetilde{\mathrm{prp}}}_{E}(q) \le \mathrm{Adv}^{\pm\mathrm{rnd}}_{E}(q) + q(q-1)/2^{N+1}$$

where N is the length of a shortest string in the message space ℳ.

A.1 The game-substitution sequence

Fix n, σ_n, and q. Let A be an adversary that asks q oracle queries (none pointless) totaling σ_n blocks (of both data and associated data, potentially some of them partial blocks). Our goal in this part is to tie the advantage Adv^{±rnd}_{EME*[Perm(n)]}(A) to the probability Pr[N2 sets bad], where N2 is some probability space and "N2 sets bad" is an event defined there. Later we bound Pr[N2 sets bad], and, putting that together with Lemma 2, we get Eq. (1) of Theorem 1.

Game N2 is obtained by a game-substitution argument, as carried out in works like [8]. The goal is to simplify the rather complicated setting of A adaptively querying its oracles, and to arrive at a simpler setting where there is no adversary and no interaction, just a program that flips coins and a flag bad that does or does not get set.

Abstracting the function H_{K,R}: The analysis below turns out to be quite complicated. We somewhat simplify it by replacing the function H_{K,R} by an abstract function h: {0,1}* → {0,1}^n, chosen from a pairwise independent family ℋ. The properties of h that we use in the analysis are:

(i) For a fixed T ∈ {0,1}*, h(T) is uniform in {0,1}^n when h is chosen at random from ℋ.

(ii) For fixed T ≠ T' ∈ {0,1}*, h(T) ⊕ h(T') is uniform in {0,1}^n when h ←$ ℋ.

(iii) The choice h ←$ ℋ is independent of all the other random choices in the game.

We can justify these assumptions on h by replacing the computation of E_K(T ⊕ jR) ⊕ jR (with j a constant) in lines 10, 11, and 12 of Figure 1, by the computation f_j(T) where for each j we have an independent random function f_j: {0,1}^n → {0,1}^n. It is known that replacing a masked random permutation by a collection of random functions this way entails only a negligible difference in the view of the adversary. Specifically, one could prove the following:

Fix some integers n, q_p, q_f ∈ ℕ and an adversary with three oracles A^{E(·), D(·), F(·,·)}, and consider the two following experiments. In the first experiment (Expr1), we choose at random a permutation π over {0,1}^n and a string R ∈ {0,1}^n. Then for x, y, j ∈ {0,1}^n with j ≠ 0, an oracle-query E(x) is answered by π(x), an oracle query D(y) is answered by π^{-1}(y), and an oracle query F(j, x) is answered by π(x ⊕ jR) ⊕ jR (where the multiplication jR is over GF(2^n)). In the second experiment (Expr2), we choose at random a permutation π over {0,1}^n, and 2^n functions {f_j: {0,1}^n → {0,1}^n}_{j ∈ {0,1}^n}. Then for x, y, j ∈ {0,1}^n, with j ≠ 0, the oracle-queries E(x) and D(y) are answered as before by π(x) and π^{-1}(y), respectively, but an oracle query F(j, x) is answered by f_j(x).

Lemma 3 Fix some n, q_p, q_f ∈ ℕ.
For any adversary A^{E(·), D(·), F(·,·)} as above that makes at most q_p queries to E and D, and at most q_f queries to F, it holds that

$$\left|\Pr\left[\mathrm{Expr1} : A^{E,D,F} \Rightarrow 1\right] - \Pr\left[\mathrm{Expr2} : A^{E,D,F} \Rightarrow 1\right]\right| \le q_f(q_f + 2q_p)/2^n$$

This lemma is pretty much folklore by now, although I could not find a reference where it is proven. A similar result was proven by Even and Mansour [4] (but the masks there are completely independent, rather than pairwise independent). A proof for a special case of this lemma can be found in [1, Lemma 4], and that proof can easily be extended to prove Lemma 3 itself.

Using Lemma 3, we can replace the function H_{K,R} from Figure 1 by the following function h (that depends on the 2^n random functions f_j). In the code below, the constants 2^i are computed in the finite field GF(2^n).

function h(T_1 ··· T_{l−1}, T_l):                          // |T_1| = ··· = |T_{l−1}| = n, 0 < |T_l| ≤ n
01   if T is empty return f_1(0)
10   for i ∈ [1..l−1] do TTT_i ← f_{2^i}(T_i)
11   if |T_l| = n then TTT_l ← f_{2^l}(T_l)
12   else TTT_l ← f_{2^{l+1}}(T_l 10..0)
13   return TTT_1 ⊕ ··· ⊕ TTT_l

Divide the total number of blocks σ_n in an attack on EME* into σ_n = σ^d_n + σ^a_n where σ^d_n is the number of blocks in the data itself, and σ^a_n is the number of blocks in the associated data. Let N_be

Subroutine Choose-π(X):
010  Y ←$ {0,1}^n; if Y ∈ Range then bad ← true, (shaded:) Y ←$ {0,1}^n \ Range
011  if X ∈ Domain then bad ← true, (shaded:) Y ← π(X)
012  π(X) ← Y, Domain ← Domain ∪ {X}, Range ← Range ∪ {Y}; return Y

Subroutine Choose-π^{-1}(Y):
020  X ←$ {0,1}^n; if X ∈ Domain then bad ← true, (shaded:) X ←$ {0,1}^n \ Domain
021  if Y ∈ Range then bad ← true, (shaded:) X ← π^{-1}(Y)
022  π(X) ← Y, Domain ← Domain ∪ {X}, Range ← Range ∪ {Y}; return X

Figure 3: The procedures that are used in games E1 and R1. The shaded statements are executed in Game E1 but not in Game R1.

denote the total number of block encryptions that are used throughout the attack (not counting the computation of H), and we can bound it by

$$N_{be} < \left(2 + \tfrac{1}{n}\right)\sigma^d_n + 2q \qquad (2)$$

Then from Lemma 3 it follows that the statistical distance in the view of the adversary due to the replacement of H_{K,R} by h is bounded by σ^a_n(σ^a_n + 2N_be)/2^n. Once we made that replacement, it is clear that the choice of h is now independent of all the other random choices in the attack, so we only need to prove the properties (i) and (ii). This is done next:

Claim 2 When 2^n functions {f_j: {0,1}^n → {0,1}^n}_{j ∈ {0,1}^n} are chosen at random and h is defined as above, it holds that:

(i) For any fixed T ∈ {0,1}^{0..n(2^n−3)}, h(T) is uniform in {0,1}^n.

(ii) For any fixed T ≠ T' ∈ {0,1}^{0..n(2^n−3)}, h(T) ⊕ h(T') is uniform in {0,1}^n.

Proof: Property (i) is obvious, since the output of h at any point T depends on at least one application of one of the functions f_j, and these are all random functions. To prove Property (ii), fix some T ≠ T', and denote T = T_1 ... T_l and similarly T' = T'_1 ... T'_{l'}, where l = ⌈|T|/n⌉ and l' = ⌈|T'|/n⌉. (The proof below uses the fact that 2 is a primitive element in GF(2^n) and l ≤ 2^n − 3, so for any i ≠ i' ≤ l + 1 we have 2^i ≠ 2^{i'} in GF(2^n).)

If l = l' then there must be at least one index i ≤ l such that T_i ≠ T'_i. If T_i and T'_i are full blocks then h(T) ⊕ h(T') = something-independent-of-f_{2^i} ⊕ f_{2^i}(T_i) ⊕ f_{2^i}(T'_i), which is uniform since f_{2^i} is a random function.
If they are both partial blocks (so i = l) then we get h(T) ⊕ h(T') = something-independent-of-f_{2^{l+1}} ⊕ f_{2^{l+1}}(T_i 10..0) ⊕ f_{2^{l+1}}(T'_i 10..0), which is again uniform since T_i ≠ T'_i implies that also T_i 10..0 ≠ T'_i 10..0 and f_{2^{l+1}} is a random function. If T_i is a full block and T'_i is partial, then we similarly get h(T) ⊕ h(T') = something-independent-of-f_{2^{l+1}} ⊕ f_{2^{l+1}}(T'_i 10..0).

If l ≠ l', then assume that l > l'. If T_l is a partial block then as before we get h(T) ⊕ h(T') = something-independent-of-f_{2^{l+1}} ⊕ f_{2^{l+1}}(T_l 10..0). Similarly if T_l is a full block and either l > l' + 1 or T'_{l'} is a full block, then h(T) ⊕ h(T') = something-independent-of-f_{2^l} ⊕ f_{2^l}(T_l). The last case is when l = l' + 1 and T_l is a full block and T'_{l'} is a partial block. In this case h(T) includes the term f_{2^{l'}}(T_{l'}) but h(T') is independent of f_{2^{l'}}, so again h(T) ⊕ h(T') is uniform.

Initialization:
050  Domain ← Range ← ∅; for all X ∈ {0,1}^n do π(X) ← undef
051  bad ← false; L ←$ {0,1}^n; h ←$ ℋ

Respond to the s-th adversary query as follows:

An encipher query, Enc(T^s; P^s_1 ··· P^s_m):
102  if |P^s_m| = n then lastfull ← m
103  else lastfull ← m−1, PPP^s_m ← P^s_m padded with 10..0
110  for i ← 1 to lastfull do
111    r = r[s, i] is the 1st index s.t. P^s_i = P^r_i
112    if r < s then PP^s_i ← PP^r_i
113                  PPP^s_i ← PPP^r_i
114    else PP^s_i ← P^s_i ⊕ 2^{i−1} L
115         PPP^s_i ← Choose-π(PP^s_i)
120  MP^s_1 ← PPP^s_1 ⊕ ··· ⊕ PPP^s_m ⊕ h(T^s)
121  if |P^s_m| = n then MC^s_1 ← Choose-π(MP^s_1)
122  else MM^s ← Choose-π(MP^s_1)
123       MC^s_1 ← Choose-π(MM^s)
124       C^s_m ← P^s_m ⊕ (MM^s truncated)
125       CCC^s_m ← C^s_m padded with 10..0
126  M^s_1 ← MP^s_1 ⊕ MC^s_1
130  for i ← 2 to lastfull do
131    j = ⌈i/n⌉, k = (i−1) mod n
132    if k = 0 then
133      MP^s_j ← PPP^s_i ⊕ M^s_1
134      MC^s_j ← Choose-π(MP^s_j)
135      M^s_j ← MP^s_j ⊕ MC^s_j
136      CCC^s_i ← MC^s_j ⊕ M^s_1
137    else CCC^s_i ← PPP^s_i ⊕ 2^k M^s_j
138  CCC^s_1 ← MC^s_1 ⊕ CCC^s_2 ⊕ ··· ⊕ CCC^s_m ⊕ h(T^s)
140  for i ← 1 to lastfull do
141    CC^s_i ← Choose-π(CCC^s_i)
142    C^s_i ← CC^s_i ⊕ 2^{i−1} L
150  return C^s_1 ··· C^s_m

A decipher query, Dec(T^s; C^s_1 ··· C^s_m):
202  if |C^s_m| = n then lastfull ← m
203  else lastfull ← m−1, CCC^s_m ← C^s_m padded with 10..0
210  for i ← 1 to lastfull do
211    r = r[s, i] is the 1st index s.t. C^s_i = C^r_i
212    if r < s then CC^s_i ← CC^r_i
213                  CCC^s_i ← CCC^r_i
214    else CC^s_i ← C^s_i ⊕ 2^{i−1} L
215         CCC^s_i ← Choose-π^{-1}(CC^s_i)
220  MC^s_1 ← CCC^s_1 ⊕ ··· ⊕ CCC^s_m ⊕ h(T^s)
221  if |C^s_m| = n then MP^s_1 ← Choose-π^{-1}(MC^s_1)
222  else MM^s ← Choose-π^{-1}(MC^s_1)
223       MP^s_1 ← Choose-π^{-1}(MM^s)
224       P^s_m ← C^s_m ⊕ (MM^s truncated)
225       PPP^s_m ← P^s_m padded with 10..0
226  M^s_1 ← MP^s_1 ⊕ MC^s_1
230  for i ← 2 to lastfull do
231    j = ⌈i/n⌉, k = (i−1) mod n
232    if k = 0 then
233      MC^s_j ← CCC^s_i ⊕ M^s_1
234      MP^s_j ← Choose-π^{-1}(MC^s_j)
235      M^s_j ← MP^s_j ⊕ MC^s_j
236      PPP^s_i ← MP^s_j ⊕ M^s_1
237    else PPP^s_i ← CCC^s_i ⊕ 2^k M^s_j
238  PPP^s_1 ← MP^s_1 ⊕ PPP^s_2 ⊕ ··· ⊕ PPP^s_m ⊕ h(T^s)
240  for i ← 1 to lastfull do
241    PP^s_i ← Choose-π^{-1}(PPP^s_i)
242    P^s_i ← PP^s_i ⊕ 2^{i−1} L
250  return P^s_1 ··· P^s_m

Figure 4: Game E1 describes the attack of A on EME*[Perm(n)], where the permutation π is chosen on the fly as needed. Game R1 is the same as game E1, except we do not execute the shaded statements in the procedures from Figure 3.

The game E1. We describe the attack scenario of A against EME*[Perm(n)] (with the abstraction of h as above) as a probabilistic game in which the permutation π is chosen on the fly, as needed to answer the queries of A. Initially, the partial function π: {0,1}^n → {0,1}^n is everywhere undefined. When we need π(X) and π isn't yet defined at X we choose this value randomly among the available range values. When we need π^{-1}(Y) and there is no X for which π(X) has been set to Y we likewise choose X at random from the available domain values. As we fill in π its domain and its range thus grow. In the game we keep track of the domain and range of π by maintaining two sets, Domain and Range, that include all the points for which π is already defined. We write {0,1}^n \ Domain and {0,1}^n \ Range for the complements of these sets relative to {0,1}^n. The game, denoted E1, is shown in Figures 3 and 4. Since game E1 accurately represents the attack scenario, we have that

$$\Pr\left[A^{E_\pi\, D_\pi} \Rightarrow 1\right] \le \Pr\left[A^{E1} \Rightarrow 1\right] + \frac{\sigma^a_n(\sigma^a_n + 2N_{be})}{2^n} \qquad (3)$$

(where the additive factor is due to the abstraction of h).

Looking ahead to the game-substitution sequence, we structured the code in Figures 3 and 4 in a way that makes it easier to present the following games. In particular, here are some things to note about this code:

Notation. We denote all the quantities that are encountered during the processing of query s with a superscript s. For example, the number of blocks in the query is denoted m^s, and the plaintext is denoted P^s = P^s_1 ··· P^s_{m^s} (where |P^s_i| = n for i < m^s and |P^s_{m^s}| ≤ n).

The notation r[s, i]. When handling the s-th adversary query, we look for each block of the query to see if it is a "new block": if this is an encipher query P^s = (P^s_1 ··· P^s_{m^s}) we look for an earlier plaintext P^r = (P^r_1 ··· P^r_{m^r}) with the same i-th block, P^s_i = P^r_i. Since we use masked ECB encryption, we only expect to choose a new value for π when there is no such prior plaintext. If this is a decipher query then for any i we likewise look for an earlier ciphertext C^r with the same i-th block, C^s_i = C^r_i.
We define r[s,i] to be the index of the first such plaintext or ciphertext. Namely, we define

$$r[s,i] \stackrel{\text{def}}{=} \begin{cases} \min\{r : P^r_i = P^s_i\} & \text{if query } s \text{ is an encipher query} \\ \min\{r : C^r_i = C^s_i\} & \text{if query } s \text{ is a decipher query} \end{cases}$$

Filling in π and π^{-1} values. When we need to define π on what is likely to be a new domain point X, setting $\pi(X) \leftarrow Y$ for some Y, we do the following: We first sample Y from $\{0,1\}^n$; then re-sample, this time from $\overline{\text{Range}}$, if the initially chosen sample Y was already in the range of π; finally, if π already had a value at X, then we forget about the newly chosen value Y and use the previous value of $\pi(X)$. We behave analogously for $\pi^{-1}(Y)$ values. In Figure 3 we highlight the places where we have to reset a choice we tentatively made. Whenever we do so we set a flag bad. The flag bad is never seen by the adversary A that interacts with the E1 game; it is only present to facilitate the subsequent analysis.

Game R1. We next modify game E1 by omitting the statements that immediately follow the setting of bad to true. (This is the usual trick under the game-substitution approach.) Namely, before we were making some consistency checks after each random choice $\pi(X) = Y \xleftarrow{\$} \{0,1\}^n$ to see if this value of Y was already in use, or if π was already defined at X, and we reset our choice

Initialization:
050 Domain ← Range ← ∅; bad ← false; L ←$ {0,1}^n; h ← H

Respond to the s-th adversary query as follows:

An encipher query, Enc(T^s; P^s_1 ... P^s_m):
101 if |P^s_m| = n then lastfull ← m
102 else lastfull ← m − 1; PPP^s_m ← P^s_m padded with 10..0
110 for i ← 1 to lastfull do
111   r = r[s,i] is the 1st index s.t. P^s_i = P^r_i
112   if r < s then PP^s_i ← PP^r_i; PPP^s_i ← PPP^r_i
113   else PP^s_i ← P^s_i ⊕ 2^{i−1} L; PPP^s_i ←$ {0,1}^n
114     if PP^s_i ∈ Domain or PPP^s_i ∈ Range then bad ← true
115     Domain ← Domain ∪ {PP^s_i}; Range ← Range ∪ {PPP^s_i}
120 MP^s_1 ← PPP^s_1 ⊕ ... ⊕ PPP^s_m ⊕ h(T^s)
121 if |P^s_m| = n then MC^s_1 ←$ {0,1}^n; M^s_1 ← MP^s_1 ⊕ MC^s_1
122   if MP^s_1 ∈ Domain or MC^s_1 ∈ Range then bad ← true
123   Domain ← Domain ∪ {MP^s_1}; Range ← Range ∪ {MC^s_1}
124 else MM^s ←$ {0,1}^n; MC^s_1 ←$ {0,1}^n; M^s_1 ← MP^s_1 ⊕ MC^s_1
125   if MP^s_1 ∈ Domain or MM^s ∈ Range then bad ← true
126   if MM^s ∈ Domain ∪ {MP^s_1} or MC^s_1 ∈ Range ∪ {MM^s} then bad ← true
127   Domain ← Domain ∪ {MP^s_1, MM^s}; Range ← Range ∪ {MM^s, MC^s_1}
128   C^s_m ← P^s_m ⊕ (MM^s truncated); CCC^s_m ← C^s_m padded with 10..0
130 for i ← 2 to lastfull do
131   j = ⌈i/n⌉, k = (i − 1) mod n
132   if k = 0 then
133     MP^s_j ← PPP^s_i ⊕ M^s_1; MC^s_j ←$ {0,1}^n; M^s_j ← MP^s_j ⊕ MC^s_j
134     if MP^s_j ∈ Domain or MC^s_j ∈ Range then bad ← true
135     Domain ← Domain ∪ {MP^s_j}; Range ← Range ∪ {MC^s_j}
136     CCC^s_i ← MC^s_j ⊕ M^s_1
137   else CCC^s_i ← PPP^s_i ⊕ 2^k M^s_j
138 CCC^s_1 ← MC^s_1 ⊕ CCC^s_2 ⊕ ... ⊕ CCC^s_m ⊕ h(T^s)
140 for i ← 1 to lastfull do
141   CC^s_i ←$ {0,1}^n; C^s_i ← CC^s_i ⊕ 2^{i−1} L
142   if CCC^s_i ∈ Domain or CC^s_i ∈ Range then bad ← true
143   Domain ← Domain ∪ {CCC^s_i}; Range ← Range ∪ {CC^s_i}
150 return C^s_1 ... C^s_m

A decipher query, Dec(T^s; C^s_1 ... C^s_m), is treated symmetrically.

Figure 5: Game R1 is similar to E1, but does not reset the random choices.

of Y as needed. Now we still make these checks and set the flag bad, but we do not reset the chosen value of Y. The game R1 is described in Figure 5. (In this figure we omitted the function π from the code, since it is never used anymore.) These changes mean that π may end up not being a permutation, and moreover we may reset its value on previously chosen points. Still, the games E1 and R1 are syntactically identical apart from what happens after the setting of the flag bad to true. Once the flag bad is set to true the subsequent behavior of the game does not impact the probability that an adversary A interacting with the game can set the flag bad to true. This is exactly the setup used in the game-substitution method to conclude that

$$\Pr\big[A^{E1} \Rightarrow 1\big] - \Pr\big[A^{R1} \Rightarrow 1\big] \;\le\; \Pr\big[A^{R1} \text{ sets } bad\big] \qquad (4)$$

Game R2. We now make several changes to the order in which variables are chosen in game R1. Specifically, we make the following changes to the code:

- Instead of choosing $CC^s_i \xleftarrow{\$} \{0,1\}^n$ and then setting $C^s_i \leftarrow CC^s_i \oplus 2^i L$ (in line 141), we choose $C^s_i \xleftarrow{\$} \{0,1\}^n$ and then set $CC^s_i \leftarrow C^s_i \oplus 2^i L$.
- Similarly, instead of choosing $MC^s_j \xleftarrow{\$} \{0,1\}^n$ and setting $M^s_j \leftarrow MP^s_j \oplus MC^s_j$ (lines 121, 124 and 133), we choose $M^s_j \xleftarrow{\$} \{0,1\}^n$ and set $MC^s_j \leftarrow MP^s_j \oplus M^s_j$.
- Instead of choosing $MM^s \xleftarrow{\$} \{0,1\}^n$ and setting $C^s_m \leftarrow P^s_m \oplus (MM^s \text{ truncated})$ (lines 124 and 128) we choose $C^s_\ast \xleftarrow{\$} \{0,1\}^n$ and set $C^s_m \leftarrow (C^s_\ast \text{ truncated})$ and $MM^s \leftarrow (P^s_m 10..0) \oplus C^s_\ast$.
- We replace the assignment $CCC^s_i \leftarrow MC^s_j \oplus M^s_1$ in line 136 by the equivalent assignment $CCC^s_i \leftarrow PPP^s_i \oplus M^s_j$. This is equivalent since $MC^s_j = MP^s_j \oplus M^s_j = PPP^s_i \oplus M^s_1 \oplus M^s_j$.
- We replace the assignment $CCC^s_1 \leftarrow MC^s_1 \oplus CCC^s_2 \oplus \cdots \oplus CCC^s_m \oplus h(T^s)$ in line 138 by the equivalent assignment $CCC^s_1 \leftarrow PPP^s_1 \oplus M^s_1 \oplus (PPP^s_2 \oplus CCC^s_2) \oplus \cdots \oplus (PPP^s_m \oplus CCC^s_m)$. This is indeed equivalent since $MC^s_1 = MP^s_1 \oplus M^s_1 = PPP^s_1 \oplus \cdots \oplus PPP^s_m \oplus h(T^s) \oplus M^s_1$.

Clearly, these changes preserve the distribution of all those variables, and we make the symmetric changes also for decryption queries. In addition to these changes, we also slightly simplify the logic of the game by assigning a value to $MM^s$ and adding it to Domain and Range even in the case that $P^s_m$ is a full block ($|P^s_m| = n$).
This has no effect on the answers that are returned to the adversary, but it may increase the probability of the flag bad being set (since we may introduce collisions that were not present before). The resulting game R2 is described in Figure 6. It is clear that the changes we made have no effect on the probability that A returns one (as they do not change anything in the interaction between A and its oracles), and they can only increase the probability of setting the flag bad. Hence we conclude that

$$\Pr\big[A^{R1} \Rightarrow 1\big] = \Pr\big[A^{R2} \Rightarrow 1\big] \quad\text{and}\quad \Pr\big[A^{R1} \text{ sets } bad\big] \le \Pr\big[A^{R2} \text{ sets } bad\big] \qquad (5)$$

We note that in game R2 we respond to any encipher query $P^s$ by returning $|P^s|$ random bits, and similarly, we respond to any decipher query $C^s$ by returning $|C^s|$ random bits. Thus R2 provides an adversary with an identical view to a pair of random-bit oracles,

$$\Pr\big[A^{R2} \Rightarrow 1\big] = \Pr\big[A^{\pm rnd} \Rightarrow 1\big] \qquad (6)$$
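The Choose-π procedure of game E1, its non-resetting counterpart in game R1, and the deferred multiset check that game R3 uses in its finalization step, as an added Python illustration (this is not code from the paper). Values are n-bit integers, and `coins(k)` is an assumed hook standing in for the game's random choices, so that both games can be driven on the same coins and compared.

```python
import random
from collections import Counter


class GameE1Perm:
    """Game E1: pi on {0,1}^n is filled in lazily and always stays a
    permutation. Domain/Range are the points where pi is defined. A
    tentative choice that has to be reset raises `bad`; the adversary
    never sees the flag, it only exists for the analysis."""

    def __init__(self, n, coins):
        self.size = 1 << n
        self.coins = coins          # assumed hook: coins(k) -> uniform int in [0, k)
        self.pi = {}                # Domain -> Range
        self.pi_inv = {}            # Range -> Domain
        self.bad = False

    def _fresh(self, taken):
        # re-sample from the complement (Domain-bar / Range-bar)
        while True:
            v = self.coins(self.size)
            if v not in taken:
                return v

    def choose_pi(self, x):
        y = self.coins(self.size)   # first sample Y from {0,1}^n
        if y in self.pi_inv:        # Y already in Range: reset the choice
            self.bad = True
            y = self._fresh(self.pi_inv)
        if x in self.pi:            # pi already defined at X: forget Y
            self.bad = True
            return self.pi[x]
        self.pi[x], self.pi_inv[y] = y, x
        return y

    def choose_pi_inv(self, y):
        x = self.coins(self.size)
        if x in self.pi:            # X already in Domain: reset the choice
            self.bad = True
            x = self._fresh(self.pi)
        if y in self.pi_inv:        # pi^-1 already defined at Y: forget X
            self.bad = True
            return self.pi_inv[y]
        self.pi[x], self.pi_inv[y] = y, x
        return x


class GameR1Perm:
    """Game R1: identical checks and `bad` flag, but the fresh choice is
    never reset, so Domain and Range become multisets and pi may stop
    being a permutation."""

    def __init__(self, n, coins):
        self.size, self.coins = 1 << n, coins
        self.domain, self.range = [], []   # multisets, kept as lists
        self.bad = False

    def _record(self, x, y):
        if x in self.domain or y in self.range:
            self.bad = True
        self.domain.append(x)
        self.range.append(y)

    def choose_pi(self, x):
        y = self.coins(self.size)
        self._record(x, y)
        return y

    def choose_pi_inv(self, y):
        x = self.coins(self.size)
        self._record(x, y)
        return x


def finalization_bad(domain, rng):
    """Game R3's deferred line 300: bad iff some value appears more than
    once in the multiset D or more than once in the multiset R."""
    return (any(c > 1 for c in Counter(domain).values())
            or any(c > 1 for c in Counter(rng).values()))


def run_both(n, queries, seed):
    """Drive E1 and R1 on the same queries and the same coin sequence.
    Returns (e1_answers, r1_answers, index of the first query at which
    R1 sets bad, or None). Answers agree on every query before that
    index: the games are identical until bad is set."""
    e1 = GameE1Perm(n, random.Random(seed).randrange)
    r1 = GameR1Perm(n, random.Random(seed).randrange)
    e1_ans, r1_ans, first_bad = [], [], None
    for idx, (direction, v) in enumerate(queries):
        if direction == "pi":
            e1_ans.append(e1.choose_pi(v))
            r1_ans.append(r1.choose_pi(v))
        else:
            e1_ans.append(e1.choose_pi_inv(v))
            r1_ans.append(r1.choose_pi_inv(v))
        if first_bad is None and r1.bad:
            first_bad = idx
    # R3 view: the deferred multiset check agrees with R1's running flag
    assert r1.bad == finalization_bad(r1.domain, r1.range)
    return e1_ans, r1_ans, first_bad
```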

Initialization:
050 Domain ← Range ← ∅; bad ← false; L ←$ {0,1}^n; h ← H

Respond to the s-th adversary query as follows:

An encipher query, Enc(T^s; P^s_1 ... P^s_m):
101 if |P^s_m| = n then lastfull ← m
102 else lastfull ← m − 1; PPP^s_m ← P^s_m padded with 10..0
110 for i ← 1 to lastfull do
111   r = r[s,i] is the 1st index s.t. P^s_i = P^r_i
112   if r < s then PP^s_i ← PP^r_i; PPP^s_i ← PPP^r_i
113   else PP^s_i ← P^s_i ⊕ 2^{i−1} L; PPP^s_i ←$ {0,1}^n
114     if PP^s_i ∈ Domain or PPP^s_i ∈ Range then bad ← true
115     Domain ← Domain ∪ {PP^s_i}; Range ← Range ∪ {PPP^s_i}
120 C^s_* ←$ {0,1}^n; M^s_1 ←$ {0,1}^n
121 MP^s_1 ← PPP^s_1 ⊕ ... ⊕ PPP^s_m ⊕ h(T^s); MC^s_1 ← MP^s_1 ⊕ M^s_1; MM^s ← PPP^s_m ⊕ C^s_*
122 if MP^s_1 ∈ Domain or MM^s ∈ Range then bad ← true
123 if MM^s ∈ Domain ∪ {MP^s_1} or MC^s_1 ∈ Range ∪ {MM^s} then bad ← true
124 Domain ← Domain ∪ {MP^s_1, MM^s}; Range ← Range ∪ {MM^s, MC^s_1}
125 if |P^s_m| ≠ n then
126   C^s_m ← (C^s_* truncated); CCC^s_m ← C^s_m padded with 10..0
130 for i ← 2 to lastfull do
131   j = ⌈i/n⌉, k = (i − 1) mod n
132   if k = 0 then
133     MP^s_j ← PPP^s_i ⊕ M^s_1; M^s_j ←$ {0,1}^n; MC^s_j ← MP^s_j ⊕ M^s_j
134     if MP^s_j ∈ Domain or MC^s_j ∈ Range then bad ← true
135     Domain ← Domain ∪ {MP^s_j}; Range ← Range ∪ {MC^s_j}
136   CCC^s_i ← PPP^s_i ⊕ 2^k M^s_j
137 CCC^s_1 ← PPP^s_1 ⊕ M^s_1 ⊕ (PPP^s_2 ⊕ CCC^s_2) ⊕ ... ⊕ (PPP^s_m ⊕ CCC^s_m)
140 for i ← 1 to lastfull do
141   C^s_i ←$ {0,1}^n; CC^s_i ← C^s_i ⊕ 2^{i−1} L
142   if CCC^s_i ∈ Domain or CC^s_i ∈ Range then bad ← true
143   Domain ← Domain ∪ {CCC^s_i}; Range ← Range ∪ {CC^s_i}
150 return C^s_1 ... C^s_m

A decipher query, Dec(T^s; C^s_1 ... C^s_m), is treated symmetrically.

Figure 6: Game R2 is indistinguishable from Game R1 but chooses some of its variables in a different order.

Combining Equations 3, 4, 5, and 6, we thus have that

$$\begin{aligned}
\mathrm{Adv}^{\pm rnd}_{EME^*[Perm(n)]}(A)
&\le \Pr\big[A^{E1} \Rightarrow 1\big] + \frac{\sigma_a^n(\sigma_a^n + 2N_{be})}{2^n} - \Pr\big[A^{R2} \Rightarrow 1\big] \\
&= \Pr\big[A^{E1} \Rightarrow 1\big] - \Pr\big[A^{R1} \Rightarrow 1\big] + \frac{\sigma_a^n(\sigma_a^n + 2N_{be})}{2^n} \\
&\le \Pr\big[A^{R1} \text{ sets } bad\big] + \frac{\sigma_a^n(\sigma_a^n + 2N_{be})}{2^n} \\
&\le \Pr\big[A^{R2} \text{ sets } bad\big] + \frac{\sigma_a^n(\sigma_a^n + 2N_{be})}{2^n}
\end{aligned} \qquad (7)$$

Our task is thus to bound $\Pr[A^{R2} \text{ sets } bad]$.

Game R3. Next we reorganize game R2 so as to separate out (i) choosing random values to return to the adversary, (ii) defining intermediate variables, and (iii) setting the flag bad. We remarked before that game R2 replies to any z-bit query with z random bits. Now, in game R3, shown in Figure 7, we make that even more clear by choosing the blocks $C^s_1 \cdots C^s_{m-1} C^s_\ast$ or $P^s_1 \cdots P^s_{m-1} P^s_\ast$ just as soon as the s-th query is made. Nothing else is done at that point except for recording whether the adversary made an Enc query or a Dec query, and returning the answer to the adversary. When the adversary finishes all of its oracle queries and halts, we execute the finalization step of game R3. First, we go over all the variables of the game and determine their values, just as we do in game R2. While doing so, we collect all the values in the sets Domain and Range, this time viewing them as multisets D and R, respectively. When we are done setting values to all the variables, we go back and look at D and R. The flag bad is set if (and only if) any of these multisets contains some value more than once. This procedure is designed to set bad under exactly the same conditions as in game R2. The following is thus clear:

$$\Pr\big[A^{R2} \text{ sets } bad\big] = \Pr\big[A^{R3} \text{ sets } bad\big] \qquad (8)$$

Game N1. So far we have not changed the structure of the game at all: it has remained an adversary asking q questions to an oracle, our answering those questions, and the internal variable bad either ending up true or false. The next step, however, actually gets rid of the adversary, as well as all interaction in the game. We want to bound the probability that bad gets set to true in game R3.
We may assume that the adversary is deterministic, and so the probability is over the random choices that are made while answering the queries (in lines 011 and 021), and the random choices in the finalization phase of the game (lines 050, 113, 120, 133, 213, 220, and 233). We will now eliminate the coins associated to lines 011 and 021. Recall that the adversary asks no pointless queries. We would like to make the stronger statement that for any set of values that might be chosen in lines 011 and 021, and for any set of queries (none pointless) associated to them, the finalization step of game R3 rarely sets bad. However, this statement isn't quite true. For example, assume that queries r and s (r < s) are both encipher queries, and that the random choices in line 011 specify that the i-th ciphertext block in the two answers is the same, $C^r_i = C^s_i$. Then the flag bad is sure to be set, since we will have a collision between $CC^r_i$ and $CC^s_i$. Formally, since in line

Respond to the s-th adversary query as follows:

An encipher query, Enc(T^s; P^s_1 ... P^s_m):
010 ty^s ← Enc
011 (C^s_1 ... C^s_{m−1} C^s_*) ←$ {0,1}^{nm}
012 C^s_m ← 1st |P^s_m| bits of C^s_*
013 return C^s = C^s_1 ... C^s_m

A decipher query, Dec(T^s; C^s_1 ... C^s_m):
020 ty^s ← Dec
021 (P^s_1 ... P^s_{m−1} P^s_*) ←$ {0,1}^{nm}
022 P^s_m ← 1st |C^s_m| bits of P^s_*
023 return P^s = P^s_1 ... P^s_m

Finalization:

First phase
050 D ← R ← ∅; L ←$ {0,1}^n; h ←$ H        // D, R are multisets
051 repeat the following for all s ∈ [1..q]:
100 if ty^s = Enc then
101   if |P^s_m| = n then lastfull ← m
102   else lastfull ← m − 1; PPP^s_m ← P^s_m padded with 10..0; CCC^s_m ← C^s_m padded with 10..0
110   for i ← 1 to lastfull do
111     r = r[s,i] is the 1st index s.t. P^s_i = P^r_i
112     if r < s then PP^s_i ← PP^r_i; PPP^s_i ← PPP^r_i
113     else PP^s_i ← P^s_i ⊕ 2^{i−1} L; PPP^s_i ←$ {0,1}^n; D ← D ∪ {PP^s_i}; R ← R ∪ {PPP^s_i}
120   M^s_1 ←$ {0,1}^n
121   MP^s_1 ← PPP^s_1 ⊕ ... ⊕ PPP^s_m ⊕ h(T^s); MC^s_1 ← MP^s_1 ⊕ M^s_1; MM^s ← PPP^s_m ⊕ C^s_*
122   D ← D ∪ {MP^s_1, MM^s}; R ← R ∪ {MM^s, MC^s_1}
130   for i ← 2 to lastfull do
131     j = ⌈i/n⌉, k = (i − 1) mod n
132     if k = 0 then
133       MP^s_j ← PPP^s_i ⊕ M^s_1; M^s_j ←$ {0,1}^n; MC^s_j ← MP^s_j ⊕ M^s_j
134       D ← D ∪ {MP^s_j}; R ← R ∪ {MC^s_j}
135     CCC^s_i ← PPP^s_i ⊕ 2^k M^s_j
136   CCC^s_1 ← PPP^s_1 ⊕ M^s_1 ⊕ (PPP^s_2 ⊕ CCC^s_2) ⊕ ... ⊕ (PPP^s_m ⊕ CCC^s_m)
140   for i ← 1 to lastfull do
141     CC^s_i ← C^s_i ⊕ 2^{i−1} L; D ← D ∪ {CCC^s_i}; R ← R ∪ {CC^s_i}
200 The case ty^s = Dec is treated symmetrically

Second phase
300 bad ← (some value appears more than once in D) or (some value appears more than once in R)

Figure 7: Game R3 is adversarially indistinguishable from game RND2 but defers the setting of bad.

050 D ← R ← ∅; L ←$ {0,1}^n; h ←$ H        // D, R are multisets
051 for s ← 1 to q do
100 if ty^s = Enc then
101   C^s_m ← 1st |P^s_m| bits of C^s_*
102   if |P^s_m| = n then lastfull ← m
103   else lastfull ← m − 1; PPP^s_m ← P^s_m padded with 10..0; CCC^s_m ← C^s_m padded with 10..0
110   for i ← 1 to lastfull do
111     r = r[s,i] is the 1st index s.t. P^s_i = P^r_i
112     if r < s then PP^s_i ← PP^r_i; PPP^s_i ← PPP^r_i
113     else PP^s_i ← P^s_i ⊕ 2^{i−1} L; PPP^s_i ←$ {0,1}^n; D ← D ∪ {PP^s_i}; R ← R ∪ {PPP^s_i}
120   M^s_1 ←$ {0,1}^n
121   MP^s_1 ← PPP^s_1 ⊕ ... ⊕ PPP^s_m ⊕ h(T^s); MC^s_1 ← MP^s_1 ⊕ M^s_1; MM^s ← PPP^s_m ⊕ C^s_*
122   D ← D ∪ {MP^s_1, MM^s}; R ← R ∪ {MM^s, MC^s_1}
130   for i ← 2 to lastfull do
131     j = ⌈i/n⌉, k = (i − 1) mod n
132     if k = 0 then
133       MP^s_j ← PPP^s_i ⊕ M^s_1; M^s_j ←$ {0,1}^n; MC^s_j ← MP^s_j ⊕ M^s_j
134       D ← D ∪ {MP^s_j}; R ← R ∪ {MC^s_j}
135     CCC^s_i ← PPP^s_i ⊕ 2^k M^s_j
136   CCC^s_1 ← PPP^s_1 ⊕ M^s_1 ⊕ (PPP^s_2 ⊕ CCC^s_2) ⊕ ... ⊕ (PPP^s_m ⊕ CCC^s_m)
140   for i ← 1 to lastfull do
141     CC^s_i ← C^s_i ⊕ 2^{i−1} L; D ← D ∪ {CCC^s_i}; R ← R ∪ {CC^s_i}
200 else        // ty^s = Dec
201   P^s_m ← 1st |C^s_m| bits of P^s_*
202   if |C^s_m| = n then lastfull ← m
203   else lastfull ← m − 1; PPP^s_m ← P^s_m padded with 10..0; CCC^s_m ← C^s_m padded with 10..0
210   for i ← 1 to lastfull do
211     r = r[s,i] is the 1st index s.t. C^s_i = C^r_i
212     if r < s then CC^s_i ← CC^r_i; CCC^s_i ← CCC^r_i
213     else CC^s_i ← C^s_i ⊕ 2^{i−1} L; CCC^s_i ←$ {0,1}^n; D ← D ∪ {CCC^s_i}; R ← R ∪ {CC^s_i}
220   M^s_1 ←$ {0,1}^n
221   MC^s_1 ← CCC^s_1 ⊕ ... ⊕ CCC^s_m ⊕ h(T^s); MP^s_1 ← MC^s_1 ⊕ M^s_1; MM^s ← CCC^s_m ⊕ P^s_*
222   D ← D ∪ {MP^s_1, MM^s}; R ← R ∪ {MM^s, MC^s_1}
230   for i ← 2 to lastfull do
231     j = ⌈i/n⌉, k = (i − 1) mod n
232     if k = 0 then
233       MC^s_j ← CCC^s_i ⊕ M^s_1; M^s_j ←$ {0,1}^n; MP^s_j ← MC^s_j ⊕ M^s_j
234       D ← D ∪ {MP^s_j}; R ← R ∪ {MC^s_j}
235     PPP^s_i ← CCC^s_i ⊕ 2^k M^s_j
236   PPP^s_1 ← CCC^s_1 ⊕ M^s_1 ⊕ (PPP^s_2 ⊕ CCC^s_2) ⊕ ... ⊕ (PPP^s_m ⊕ CCC^s_m)
240   for i ← 1 to lastfull do
241     PP^s_i ← P^s_i ⊕ 2^{i−1} L; D ← D ∪ {PP^s_i}; R ← R ∪ {PPP^s_i}
300 bad ← (some value appears more than once in D) or (some value appears more than once in R)

Figure 8: Game N1 is based on game R3 but now τ = ⟨ty, T, P, C⟩ is a fixed, allowed transcript.

141 we set $CC^r_i = C^r_i \oplus 2^{i-1}L = C^s_i \oplus 2^{i-1}L = CC^s_i$, and since both $CC^r_i$ and $CC^s_i$ are added to R we would set bad when we examine their values in line 300. Another example is when encipher queries r, s have last blocks $P^r_{m^r}$, $P^s_m$, respectively, that are partial (namely $|P^r_{m^r}|, |P^s_m| < n$), and the blocks $C^s_\ast$, $C^r_\ast$ that are chosen at random in line 011 satisfy $(P^r_{m^r} 10..0) \oplus C^r_\ast = (P^s_m 10..0) \oplus C^s_\ast$. In this case, we would have $MM^r = MM^s$ and since both are added to D in line 122 we would set bad when we examine their values in line 300. Similar examples can be shown for decipher queries. We call such collisions immediate collisions.

Formally, an immediate collision on encipher happens whenever s is an encipher query and for some r < s we have either $C^s_i = C^r_i$ for some $i \le \text{lastfull}^s$, or $C^s_\ast = (P^s_m 10..0) \oplus (P^r_{m^r} 10..0) \oplus C^r_\ast$ when $|P^r_{m^r}|, |P^s_m| < n$. An immediate collision on decipher happens whenever s is a decipher query and for some r < s we have either $P^s_i = P^r_i$ for some $i \le \text{lastfull}^s$, or $P^s_\ast = (C^s_m 10..0) \oplus (C^r_{m^r} 10..0) \oplus P^r_\ast$ when $|C^r_{m^r}|, |C^s_m| < n$. The probability of an immediate collision (on either encipher or decipher) in game R3 is at most

$$\sum_{s=1}^{q} \frac{m^s (s-1)}{2^n} \;<\; \frac{q}{2^n} \sum_{s=1}^{q} m^s \;=\; \frac{q\,\sigma_d^n}{2^n}$$

We make from the Finalization part of game R3 a new game, game N1 (for "noninteractive"). This game silently depends on a fixed transcript $\tau = \langle ty, T, P, C \rangle$ with $ty^s$ the type of query s ($ty^s \in \{\text{Enc}, \text{Dec}\}$) and $T^s \in \{0,1\}^*$ the associated data to query s. Also for an encipher query s we have $P^s = P^s_1 \cdots P^s_m$ and $C^s = C^s_1 \cdots C^s_{m-1}, C^s_\ast$, and for a decipher query s we have $P^s = P^s_1 \cdots P^s_{m-1} P^s_\ast$ and $C^s = C^s_1 \cdots C^s_m$. Below we let $\text{lastfull}^s$ denote either m if the last block in query s is full or m − 1 if it is partial. Also, for an encipher query s we denote by $\tilde{P}^s$ the padding of $P^s_m$, $\tilde{P}^s = P^s_m 10..0$, and by $C^s_m$ we denote the first $|P^s_m|$ bits of $C^s_\ast$. Similarly, for a decipher query s we denote $\tilde{C}^s = C^s_m 10..0$, and denote by $P^s_m$ the first $|C^s_m|$ bits of $P^s_\ast$. Since the transcript τ is fixed, all these quantities are fixed as well. This fixed transcript τ may not specify any immediate collisions or pointless queries; we call such a transcript allowed.
Thus saying that τ is allowed means that for all r < s we have the following: if $ty^s = \text{Enc}$ then (i) $(T^s, P^s) \ne (T^r, P^r)$, (ii) $C^s_i \ne C^r_i$ for any $i \in [1..\text{lastfull}^s]$, (iii) if $|P^s_m|, |P^r_{m^r}| < n$ then $C^s_\ast \ne (P^s_m 10..0) \oplus (P^r_{m^r} 10..0) \oplus C^r_\ast$; while if $ty^s = \text{Dec}$ then (i) $(T^s, C^s) \ne (T^r, C^r)$, (ii) $P^s_i \ne P^r_i$ for any $i \in [1..\text{lastfull}^s]$, (iii) if $|C^s_m|, |C^r_{m^r}| < n$ then $P^s_\ast \ne (C^s_m 10..0) \oplus (C^r_{m^r} 10..0) \oplus P^r_\ast$. Now fix an allowed transcript τ that maximizes the probability of the flag bad being set. This one transcript τ is hardwired into game N1. We have that

$$\Pr\big[A^{R3} \text{ sets } bad\big] \;\le\; \Pr\big[N1 \text{ sets } bad\big] + \frac{q\,\sigma_d^n}{2^n} \qquad (9)$$

This step can be viewed as conditioning on the absence of an immediate collision, followed by the usual argument that an average of a collection of real numbers is at most the maximum of those numbers. One can also view the transition from game R3 to game N1 as augmenting the adversary, letting it specify not only the queries to the game, but also the answers to these queries

(as long as it does not specify immediate collisions or pointless queries). In terms of game R3, instead of having the oracle choose the answers to the queries at random in lines 011 and 021, we let the adversary supply both the queries and the answers. The oracle just records these queries and answers. When the adversary is done, we execute the finalization step as before to determine the bad flag. Clearly such an augmented adversary does not interact with the oracle at all; it just determines the entire transcript, giving it as input to the oracle. Now maximizing the probability of setting bad over all such augmented adversaries is the same as maximizing this probability over all allowed transcripts.

Game N2. Before we move to analyze the non-interactive game, we make one last change, aimed at reducing the number of cases that we need to handle in the analysis. We observe that due to the complete symmetry between D and R, it is sufficient to analyze the collision probability in just one of them. Specifically, because of this symmetry we can assume w.l.o.g. that in game N1

$$\Pr[\text{some value appears more than once in } D] \;\ge\; \Pr[\text{some value appears more than once in } R]$$

and therefore $\Pr[N1 \text{ sets } bad] \le 2\Pr[\text{some value appears more than once in } D]$. We therefore replace the game N1 by game N2, in which we only set the flag bad if there is a collision in D. We now can drop the code that handles R, as well as anything else that doesn't affect the multiset D. Specifically, we make the following changes in the code of the game N1:

- We drop the multiset R from the code.
- We replace the assignment $MP^s_1 \leftarrow MC^s_1 \oplus M^s_1$ from line 221 in game N1 by the equivalent assignment $MP^s_1 \leftarrow CCC^s_1 \oplus \cdots \oplus CCC^s_m \oplus h(T^s) \oplus M^s_1$. Similarly, we replace the assignment $MP^s_j \leftarrow MC^s_j \oplus M^s_j$ from line 233 by the equivalent assignment $MP^s_j \leftarrow CCC^s_i \oplus M^s_1 \oplus M^s_j$.
- Now the variables $CC^s_i$ and $MC^s_j$ are never used in the code, so we drop them altogether.
The resulting game is described in Figure 9, and we have

$$\Pr\big[N1 \text{ sets } bad\big] \;\le\; 2\Pr\big[N2 \text{ sets } bad\big] \qquad (10)$$

A.2 Analysis of the non-interactive game

We are now ready to analyze the resulting game N2, showing that the event "N2 sets bad" only happens with small probability. In the analysis we view the multiset D as a set of formal variables (rather than a multiset containing the values that these variables assume). Namely, whenever we set $D \leftarrow D \cup \{X\}$ for some variable X we think of it as setting $D \leftarrow D \cup \{\text{"}X\text{"}\}$ where "X" is the name of that formal variable. Viewed in this light, our goal now is to bound the probability that two formal variables in D assume the same value in the execution of N2. We observe that the formal variables in D are uniquely determined by τ: they don't depend on the random choices made in the game N2. Specifically,

$$\begin{aligned}
D = \;& \{MM^s : s \le q\} \;\cup\; \{MP^s_j : s \le q,\ j \le \lceil \text{lastfull}^s / n \rceil\} \\
&\cup\; \{PP^s_i : ty^s = \text{Dec},\ i \le \text{lastfull}^s\} \;\cup\; \{PP^s_i : ty^s = \text{Enc},\ i \le \text{lastfull}^s,\ s = r[s,i]\} \\
&\cup\; \{CCC^s_i : ty^s = \text{Enc},\ i \le \text{lastfull}^s\} \;\cup\; \{CCC^s_i : ty^s = \text{Dec},\ i \le \text{lastfull}^s,\ s = r[s,i]\}
\end{aligned}$$


More information

Control Systems Analysis and Design by the Root-Locus Method

Control Systems Analysis and Design by the Root-Locus Method 6 Control Sytem Analyi and Deign by the Root-Locu Method 6 1 INTRODUCTION The baic characteritic of the tranient repone of a cloed-loop ytem i cloely related to the location of the cloed-loop pole. If

More information

Alternate Dispersion Measures in Replicated Factorial Experiments

Alternate Dispersion Measures in Replicated Factorial Experiments Alternate Diperion Meaure in Replicated Factorial Experiment Neal A. Mackertich The Raytheon Company, Sudbury MA 02421 Jame C. Benneyan Northeatern Univerity, Boton MA 02115 Peter D. Krau The Raytheon

More information

Suggested Answers To Exercises. estimates variability in a sampling distribution of random means. About 68% of means fall

Suggested Answers To Exercises. estimates variability in a sampling distribution of random means. About 68% of means fall Beyond Significance Teting ( nd Edition), Rex B. Kline Suggeted Anwer To Exercie Chapter. The tatitic meaure variability among core at the cae level. In a normal ditribution, about 68% of the core fall

More information

Standard Guide for Conducting Ruggedness Tests 1

Standard Guide for Conducting Ruggedness Tests 1 Deignation: E 69 89 (Reapproved 996) Standard Guide for Conducting Ruggedne Tet AMERICA SOCIETY FOR TESTIG AD MATERIALS 00 Barr Harbor Dr., Wet Conhohocken, PA 948 Reprinted from the Annual Book of ASTM

More information

Comparing Means: t-tests for Two Independent Samples

Comparing Means: t-tests for Two Independent Samples Comparing ean: t-tet for Two Independent Sample Independent-eaure Deign t-tet for Two Independent Sample Allow reearcher to evaluate the mean difference between two population uing data from two eparate

More information

Factor Analysis with Poisson Output

Factor Analysis with Poisson Output Factor Analyi with Poion Output Gopal Santhanam Byron Yu Krihna V. Shenoy, Department of Electrical Engineering, Neurocience Program Stanford Univerity Stanford, CA 94305, USA {gopal,byronyu,henoy}@tanford.edu

More information

5. Fuzzy Optimization

5. Fuzzy Optimization 5. Fuzzy Optimization 1. Fuzzine: An Introduction 135 1.1. Fuzzy Memberhip Function 135 1.2. Memberhip Function Operation 136 2. Optimization in Fuzzy Environment 136 3. Fuzzy Set for Water Allocation

More information

A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation

A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation Debrup Chakraborty and Palash Sarkar Computer Science Department, CINVESTAV-IPN Av. IPN No. 2508 Col. San Pedro Zacatenco

More information

Introduction to Laplace Transform Techniques in Circuit Analysis

Introduction to Laplace Transform Techniques in Circuit Analysis Unit 6 Introduction to Laplace Tranform Technique in Circuit Analyi In thi unit we conider the application of Laplace Tranform to circuit analyi. A relevant dicuion of the one-ided Laplace tranform i found

More information

CHAPTER 8 OBSERVER BASED REDUCED ORDER CONTROLLER DESIGN FOR LARGE SCALE LINEAR DISCRETE-TIME CONTROL SYSTEMS

CHAPTER 8 OBSERVER BASED REDUCED ORDER CONTROLLER DESIGN FOR LARGE SCALE LINEAR DISCRETE-TIME CONTROL SYSTEMS CHAPTER 8 OBSERVER BASED REDUCED ORDER CONTROLLER DESIGN FOR LARGE SCALE LINEAR DISCRETE-TIME CONTROL SYSTEMS 8.1 INTRODUCTION 8.2 REDUCED ORDER MODEL DESIGN FOR LINEAR DISCRETE-TIME CONTROL SYSTEMS 8.3

More information

TRIPLE SOLUTIONS FOR THE ONE-DIMENSIONAL

TRIPLE SOLUTIONS FOR THE ONE-DIMENSIONAL GLASNIK MATEMATIČKI Vol. 38583, 73 84 TRIPLE SOLUTIONS FOR THE ONE-DIMENSIONAL p-laplacian Haihen Lü, Donal O Regan and Ravi P. Agarwal Academy of Mathematic and Sytem Science, Beijing, China, National

More information

CS 170: Midterm Exam II University of California at Berkeley Department of Electrical Engineering and Computer Sciences Computer Science Division

CS 170: Midterm Exam II University of California at Berkeley Department of Electrical Engineering and Computer Sciences Computer Science Division 1 1 April 000 Demmel / Shewchuk CS 170: Midterm Exam II Univerity of California at Berkeley Department of Electrical Engineering and Computer Science Computer Science Diviion hi i a cloed book, cloed calculator,

More information

Design By Emulation (Indirect Method)

Design By Emulation (Indirect Method) Deign By Emulation (Indirect Method he baic trategy here i, that Given a continuou tranfer function, it i required to find the bet dicrete equivalent uch that the ignal produced by paing an input ignal

More information

Improving Upon the TET Mode of Operation

Improving Upon the TET Mode of Operation Improving Upon the TET Mode of Operation Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. Naor and Reingold

More information

Compact finite-difference approximations for anisotropic image smoothing and painting

Compact finite-difference approximations for anisotropic image smoothing and painting CWP-593 Compact finite-difference approximation for aniotropic image moothing and painting Dave Hale Center for Wave Phenomena, Colorado School of Mine, Golden CO 80401, USA ABSTRACT Finite-difference

More information

Electronic Theses and Dissertations

Electronic Theses and Dissertations Eat Tenneee State Univerity Digital Common @ Eat Tenneee State Univerity Electronic Thee and Diertation Student Work 5-208 Vector Partition Jennifer French Eat Tenneee State Univerity Follow thi and additional

More information

Fast explicit formulae for genus 2 hyperelliptic curves using projective coordinates

Fast explicit formulae for genus 2 hyperelliptic curves using projective coordinates Fat explicit formulae for genu hyperelliptic curve uing projective coordinate Thoma Wollinger Ecrypt embedded ecurity GmbH twollinger@ecryptde Abtract Thi contribution propoe a modification of method of

More information

Quantitative Information Leakage. Lecture 9

Quantitative Information Leakage. Lecture 9 Quantitative Information Leakage Lecture 9 1 The baic model: Sytem = Information-Theoretic channel Secret Information Obervable 1 o1... Sytem... m on Input Output 2 Toward a quantitative notion of leakage

More information

What lies between Δx E, which represents the steam valve, and ΔP M, which is the mechanical power into the synchronous machine?

What lies between Δx E, which represents the steam valve, and ΔP M, which is the mechanical power into the synchronous machine? A 2.0 Introduction In the lat et of note, we developed a model of the peed governing mechanim, which i given below: xˆ K ( Pˆ ˆ) E () In thee note, we want to extend thi model o that it relate the actual

More information

Online Parallel Scheduling of Non-uniform Tasks: Trading Failures for Energy

Online Parallel Scheduling of Non-uniform Tasks: Trading Failures for Energy Online Parallel Scheduling of Non-uniform Tak: Trading Failure for Energy Antonio Fernández Anta a, Chryi Georgiou b, Dariuz R. Kowalki c, Elli Zavou a,d,1 a Intitute IMDEA Network b Univerity of Cypru

More information

Bayesian Learning, Randomness and Logic. Marc Snir

Bayesian Learning, Randomness and Logic. Marc Snir Bayeian Learning, Randomne and Logic Marc Snir Background! 25 year old work, far from my current reearch! why preent now?! Becaue it wa done when I wa Eli tudent! Becaue it i about the foundation of epitemology!

More information

Exploiting Transformations of the Galois Configuration to Improve Guess-and-Determine Attacks on NFSRs

Exploiting Transformations of the Galois Configuration to Improve Guess-and-Determine Attacks on NFSRs Exploiting Tranformation of the Galoi Configuration to Improve Gue-and-Determine Attack on NFSR Gefei Li, Yuval Yarom, and Damith C. Ranainghe Univerity of Adelaide, Adelaide, South Autralia, Autralia

More information

Unavoidable Cycles in Polynomial-Based Time-Invariant LDPC Convolutional Codes

Unavoidable Cycles in Polynomial-Based Time-Invariant LDPC Convolutional Codes European Wirele, April 7-9,, Vienna, Autria ISBN 978--87-4-9 VE VERLAG GMBH Unavoidable Cycle in Polynomial-Baed Time-Invariant LPC Convolutional Code Hua Zhou and Norbert Goertz Intitute of Telecommunication

More information

Chapter Landscape of an Optimization Problem. Local Search. Coping With NP-Hardness. Gradient Descent: Vertex Cover

Chapter Landscape of an Optimization Problem. Local Search. Coping With NP-Hardness. Gradient Descent: Vertex Cover Coping With NP-Hardne Chapter 12 Local Search Q Suppoe I need to olve an NP-hard problem What hould I do? A Theory ay you're unlikely to find poly-time algorithm Mut acrifice one of three deired feature

More information

Lecture 4 Topic 3: General linear models (GLMs), the fundamentals of the analysis of variance (ANOVA), and completely randomized designs (CRDs)

Lecture 4 Topic 3: General linear models (GLMs), the fundamentals of the analysis of variance (ANOVA), and completely randomized designs (CRDs) Lecture 4 Topic 3: General linear model (GLM), the fundamental of the analyi of variance (ANOVA), and completely randomized deign (CRD) The general linear model One population: An obervation i explained

More information

Chapter 5 Consistency, Zero Stability, and the Dahlquist Equivalence Theorem

Chapter 5 Consistency, Zero Stability, and the Dahlquist Equivalence Theorem Chapter 5 Conitency, Zero Stability, and the Dahlquit Equivalence Theorem In Chapter 2 we dicued convergence of numerical method and gave an experimental method for finding the rate of convergence (aka,

More information

online learning Unit Workbook 4 RLC Transients

online learning Unit Workbook 4 RLC Transients online learning Pearon BTC Higher National in lectrical and lectronic ngineering (QCF) Unit 5: lectrical & lectronic Principle Unit Workbook 4 in a erie of 4 for thi unit Learning Outcome: RLC Tranient

More information

DYNAMIC MODELS FOR CONTROLLER DESIGN

DYNAMIC MODELS FOR CONTROLLER DESIGN DYNAMIC MODELS FOR CONTROLLER DESIGN M.T. Tham (996,999) Dept. of Chemical and Proce Engineering Newcatle upon Tyne, NE 7RU, UK.. INTRODUCTION The problem of deigning a good control ytem i baically that

More information

SOME RESULTS ON INFINITE POWER TOWERS

SOME RESULTS ON INFINITE POWER TOWERS NNTDM 16 2010) 3, 18-24 SOME RESULTS ON INFINITE POWER TOWERS Mladen Vailev - Miana 5, V. Hugo Str., Sofia 1124, Bulgaria E-mail:miana@abv.bg Abtract To my friend Kratyu Gumnerov In the paper the infinite

More information

GNSS Solutions: What is the carrier phase measurement? How is it generated in GNSS receivers? Simply put, the carrier phase

GNSS Solutions: What is the carrier phase measurement? How is it generated in GNSS receivers? Simply put, the carrier phase GNSS Solution: Carrier phae and it meaurement for GNSS GNSS Solution i a regular column featuring quetion and anwer about technical apect of GNSS. Reader are invited to end their quetion to the columnit,

More information

Topic 6. Digital Signatures and Identity Based Encryption

Topic 6. Digital Signatures and Identity Based Encryption Topic 6. Digital Signature and Identity Baed Encryption. Security of Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital Signature

More information

Computers and Mathematics with Applications. Sharp algebraic periodicity conditions for linear higher order

Computers and Mathematics with Applications. Sharp algebraic periodicity conditions for linear higher order Computer and Mathematic with Application 64 (2012) 2262 2274 Content lit available at SciVere ScienceDirect Computer and Mathematic with Application journal homepage: wwweleviercom/locate/camwa Sharp algebraic

More information

Identity-based Hierarchical Designated Decryption *

Identity-based Hierarchical Designated Decryption * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 26, 243-259 (200) Identity-baed Hierarchical Deignated Decryption * SHU-HUI CHANG, CHUAN-MING LI 2 AND TZONELIH HWANG 3 Center of General Education Southern

More information

A Domain Extender for the Ideal Cipher

A Domain Extender for the Ideal Cipher A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange

More information

CHAPTER 4 DESIGN OF STATE FEEDBACK CONTROLLERS AND STATE OBSERVERS USING REDUCED ORDER MODEL

CHAPTER 4 DESIGN OF STATE FEEDBACK CONTROLLERS AND STATE OBSERVERS USING REDUCED ORDER MODEL 98 CHAPTER DESIGN OF STATE FEEDBACK CONTROLLERS AND STATE OBSERVERS USING REDUCED ORDER MODEL INTRODUCTION The deign of ytem uing tate pace model for the deign i called a modern control deign and it i

More information

Z a>2 s 1n = X L - m. X L = m + Z a>2 s 1n X L = The decision rule for this one-tail test is

Z a>2 s 1n = X L - m. X L = m + Z a>2 s 1n X L = The decision rule for this one-tail test is M09_BERE8380_12_OM_C09.QD 2/21/11 3:44 PM Page 1 9.6 The Power of a Tet 9.6 The Power of a Tet 1 Section 9.1 defined Type I and Type II error and their aociated rik. Recall that a repreent the probability

More information

RaneNote BESSEL FILTER CROSSOVER

RaneNote BESSEL FILTER CROSSOVER RaneNote BESSEL FILTER CROSSOVER A Beel Filter Croover, and It Relation to Other Croover Beel Function Phae Shift Group Delay Beel, 3dB Down Introduction One of the way that a croover may be contructed

More information

Logic, Automata and Games

Logic, Automata and Games Logic, Automata and Game Jacque Duparc EJCIM 27 EJCIM, 23-27 January 27 J. Duparc ( & ) Logic, Automata and Game Lyon, 23-27 January 27 / 97 Reference [] K. R. Apt and E. Grädel. Lecture in game theory

More information

Source slideplayer.com/fundamentals of Analytical Chemistry, F.J. Holler, S.R.Crouch. Chapter 6: Random Errors in Chemical Analysis

Source slideplayer.com/fundamentals of Analytical Chemistry, F.J. Holler, S.R.Crouch. Chapter 6: Random Errors in Chemical Analysis Source lideplayer.com/fundamental of Analytical Chemitry, F.J. Holler, S.R.Crouch Chapter 6: Random Error in Chemical Analyi Random error are preent in every meaurement no matter how careful the experimenter.

More information

Evolutionary Algorithms Based Fixed Order Robust Controller Design and Robustness Performance Analysis

Evolutionary Algorithms Based Fixed Order Robust Controller Design and Robustness Performance Analysis Proceeding of 01 4th International Conference on Machine Learning and Computing IPCSIT vol. 5 (01) (01) IACSIT Pre, Singapore Evolutionary Algorithm Baed Fixed Order Robut Controller Deign and Robutne

More information

The machines in the exercise work as follows:

The machines in the exercise work as follows: Tik-79.148 Spring 2001 Introduction to Theoretical Computer Science Tutorial 9 Solution to Demontration Exercie 4. Contructing a complex Turing machine can be very laboriou. With the help of machine chema

More information

The Hassenpflug Matrix Tensor Notation

The Hassenpflug Matrix Tensor Notation The Haenpflug Matrix Tenor Notation D.N.J. El Dept of Mech Mechatron Eng Univ of Stellenboch, South Africa e-mail: dnjel@un.ac.za 2009/09/01 Abtract Thi i a ample document to illutrate the typeetting of

More information

Math Skills. Scientific Notation. Uncertainty in Measurements. Appendix A5 SKILLS HANDBOOK

Math Skills. Scientific Notation. Uncertainty in Measurements. Appendix A5 SKILLS HANDBOOK ppendix 5 Scientific Notation It i difficult to work with very large or very mall number when they are written in common decimal notation. Uually it i poible to accommodate uch number by changing the SI

More information

The Laplace Transform (Intro)

The Laplace Transform (Intro) 4 The Laplace Tranform (Intro) The Laplace tranform i a mathematical tool baed on integration that ha a number of application It particular, it can implify the olving of many differential equation We will

More information

Gain and Phase Margins Based Delay Dependent Stability Analysis of Two- Area LFC System with Communication Delays

Gain and Phase Margins Based Delay Dependent Stability Analysis of Two- Area LFC System with Communication Delays Gain and Phae Margin Baed Delay Dependent Stability Analyi of Two- Area LFC Sytem with Communication Delay Şahin Sönmez and Saffet Ayaun Department of Electrical Engineering, Niğde Ömer Halidemir Univerity,

More information

Question 1 Equivalent Circuits

Question 1 Equivalent Circuits MAE 40 inear ircuit Fall 2007 Final Intruction ) Thi exam i open book You may ue whatever written material you chooe, including your cla note and textbook You may ue a hand calculator with no communication

More information

Asymptotics of ABC. Paul Fearnhead 1, Correspondence: Abstract

Asymptotics of ABC. Paul Fearnhead 1, Correspondence: Abstract Aymptotic of ABC Paul Fearnhead 1, 1 Department of Mathematic and Statitic, Lancater Univerity Correpondence: p.fearnhead@lancater.ac.uk arxiv:1706.07712v1 [tat.me] 23 Jun 2017 Abtract Thi document i due

More information

Fermi Distribution Function. n(e) T = 0 T > 0 E F

Fermi Distribution Function. n(e) T = 0 T > 0 E F LECTURE 3 Maxwell{Boltzmann, Fermi, and Boe Statitic Suppoe we have a ga of N identical point particle in a box ofvolume V. When we ay \ga", we mean that the particle are not interacting with one another.

More information

Efficient Methods of Doppler Processing for Coexisting Land and Weather Clutter

Efficient Methods of Doppler Processing for Coexisting Land and Weather Clutter Efficient Method of Doppler Proceing for Coexiting Land and Weather Clutter Ça gatay Candan and A Özgür Yılmaz Middle Eat Technical Univerity METU) Ankara, Turkey ccandan@metuedutr, aoyilmaz@metuedutr

More information

Lecture 3. January 9, 2018

Lecture 3. January 9, 2018 Lecture 3 January 9, 208 Some complex analyi Although you might have never taken a complex analyi coure, you perhap till know what a complex number i. It i a number of the form z = x + iy, where x and

More information

EE 4443/5329. LAB 3: Control of Industrial Systems. Simulation and Hardware Control (PID Design) The Inverted Pendulum. (ECP Systems-Model: 505)

EE 4443/5329. LAB 3: Control of Industrial Systems. Simulation and Hardware Control (PID Design) The Inverted Pendulum. (ECP Systems-Model: 505) EE 4443/5329 LAB 3: Control of Indutrial Sytem Simulation and Hardware Control (PID Deign) The Inverted Pendulum (ECP Sytem-Model: 505) Compiled by: Nitin Swamy Email: nwamy@lakehore.uta.edu Email: okuljaca@lakehore.uta.edu

More information

Flag-transitive non-symmetric 2-designs with (r, λ) = 1 and alternating socle

Flag-transitive non-symmetric 2-designs with (r, λ) = 1 and alternating socle Flag-tranitive non-ymmetric -deign with (r, λ = 1 and alternating ocle Shenglin Zhou, Yajie Wang School of Mathematic South China Univerity of Technology Guangzhou, Guangdong 510640, P. R. China lzhou@cut.edu.cn

More information

Approximating discrete probability distributions with Bayesian networks

Approximating discrete probability distributions with Bayesian networks Approximating dicrete probability ditribution with Bayeian network Jon Williamon Department of Philoophy King College, Str and, London, WC2R 2LS, UK Abtract I generalie the argument of [Chow & Liu 1968]

More information

Stochastic Neoclassical Growth Model

Stochastic Neoclassical Growth Model Stochatic Neoclaical Growth Model Michael Bar May 22, 28 Content Introduction 2 2 Stochatic NGM 2 3 Productivity Proce 4 3. Mean........................................ 5 3.2 Variance......................................

More information