Improved Security Analyses for CBC MACs

Transcription

1 prelmnary veron of th paper appear n dvance n Cryptology CRYPTO 05, Lecture Note n Computer Scence Vol., V. Shoup ed., Sprnger-Verlag, Th the full veron. Improved Securty nalye for CC MC M. ellare K. Petrzak P. Rogaway July 2005 btract We preent an mproved bound on the advantage of any q-query adverary at dtnguhng between the CC MC over a random n-bt permutaton and a random functon outputtng n bt. The reult aume that no meage quered a prefx of any other, a the cae when all meage to be MCed have the ame length. We go on to gve an mproved analy of the encrypted CC MC, where there no retrcton on quered meage. Lettng l be the block length of the longet query, our bound are about lq 2 /2 n for the bac CC MC and l o(1) q 2 /2 n for the encrypted CC MC, mprovng pror bound of l 2 q 2 /2 n. The new bound tranlate nto mproved guarantee on the probablty of forgng thee MC. Keyword: CC MC, meage authentcaton, provable ecurty. Dept. of Computer Scence & Engneerng, Unverty of Calforna at San Dego, 9500 Glman Drve, La Jolla, Calforna US. E-mal: mhr@c.ucd.edu; WWW: Supported by NSF grant NR and CCR , and by an IM Faculty Partnerhp Development ward. Dept. of Computer Scence, ETH Zürch, CH-8092 Zürch Swtzerland, E-mal: petrzak@nf.ethz.ch Dept. of Computer Scence, Unverty of Calforna, Dav, Calforna, 95616, US; and Dept. of Computer Scence, Faculty of Scence, Chang Ma Unverty, Chang Ma 50200, Thaland. E-mal: rogaway@c.ucdav.edu; WWW: rogaway/. Mot of th work carred out whle hoted by the Department of Computer Scence, Faculty of Scence, Chang Ma Unverty, Thaland. Currently hoted by the School of Informaton Technology, Mae Fah Luang Unverty, Thaland. Supported n part by NSF grant CCR and a gft from Intel Corp. 1

2 Content 1 Introducton 3 2 Defnton 5 3 Reult on the CC MC 6 4 Reult on the Encrypted CC MC 7 5 oundng FCP ound CC (Proof of Lemma??) 7 6 Graph-aed Repreentaton of CC 10 7 oundng CP any n,m (Proof of Lemma??) 14 8 oundng FCP pf (Proof of Lemma??) 16 Reference 20 Proof of Lemma?? 21 Proof of Lemma?? 21 2

3 Contruct atk Prevou bound Our bound CC pf l 2 q 2 /2 n [2, 13, 15] lq 2 /2 n ( l 3 /2 n ) ECC any 2.5 l 2 q 2 /2 n [7] q 2 /2 n (d (l) + 32l 4 /2 n ) Fgure 1: ound on dv pf CC (q, n, l) and dvany ECC (q, n, l). 1 Introducton Some defnton. The CC functon CC π aocated to a key π: {0, 1} n {0, 1} n take a nput a meage M = M 1 M m that a equence of n-bt block and return the n-bt trng C m computed by ettng C = π(c 1 M ) for each [1..m], where C 0 = 0 n. Conder three type of attack for an adverary gven an oracle: atk = eq mean all quere are exactly l block long; atk = pf mean they have at mot l block and no query a prefx of any another; atk = any mean the quere are arbtrary dtnct trng of at mot l block. Let dv atk CC (q, n, l) denote the maxmum advantage attanable by any q-query adverary, mountng an atk attack, n dtnguhng whether t oracle CC π n for a random permutaton π on n bt, or a random functon that output n bt. We am to upper bound th quantty a a functon of n, l, q. Pat work and our reult on CC. ellare, Klan and Rogaway [2] howed that dv eq CC (q, n, l) 2l 2 q 2 /2 n. Maurer reduced the contant 2 to 1 and provded a ubtantally dfferent proof [13]. Petrank and Rackoff [15] howed that the ame bound hold (up to a contant) for dv pf CC (q, n, l). In th paper we how that dv pf CC (q, n, l) 20lq2 /2 n for l 2 n/3. (The reult actually a lttle tronger. See Fgure 1.) Th mple the ame bound hold for dv eq CC (q, n, l). Context and dcuon. When π = E(K, ), where K K a random key for blockcpher E: K {0, 1} n {0, 1} n, the functon CC π a popular meage authentcaton code (MC). umng E a good peudorandom permutaton (PRP), the domnant term n a bound on the probablty of forgery n an atk-type choen-meage attack dv atk CC (q, n, l), where q the um of the number of MC-generaton and MC-verfcaton quere made by the adverary (cf. [1]). Thu the qualty of guarantee we get on the ecurty of the MC a functon of how good an upper bound we can prove on dv atk CC (q, n, l). It well known that the CC MC necure when the meage MCed have varyng length (pecfcally, t forgeable under an any-attack that ue jut one MC-generaton and one MCverfcaton query, each of at mot two block) o the cae atk = any not of nteret for CC. The cae where all meage MCed have the ame length (atk = eq) the mot bac one, and where potve reult were frt obtaned [2]. The cae atk = pf nteretng becaue one way to get a ecure MC for varyng-length nput to apply a prefx-free encodng to the data before MCng t. The mot common uch encodng to nclude n the frt block of each meage an encodng of t length. We emphaze that our reult are about CC π for a random permutaton π: {0, 1} n {0, 1} n, and not about CC ρ for a random functon ρ: {0, 1} n {0, 1} n. Snce our bound are better than the cot to convert between a random n-bt functon and a random n-bt permutaton ung the wtchng lemma [2], the dtncton gnfcant. Indeed for the prefx-free cae, applyng CC over a random functon on n bt known to admt an attack more effectve than that whch ruled out by our bound [6]. Encrypted CC. The ECC functon ECC π1,π 2 aocated to permutaton π 1, π 2 on n bt 3

4 take a meage M that a multple of n bt and return π 2 (CC π1 (M)). Defne dv atk ECC (q, n, l) analogouly to the CC cae above (atk {any, eq, pf}). Petrank and Rackoff [15] howed that dv any ECC (q, n, l) 2.5 l2 q 2 /2 n. better bound, dv eq ECC (q, n, l) q2 /2 n (1 + cl 2 /2 n + cl 6 /2 2n ) for ome contant c, poble for the atk = eq cae baed on a lemma of Dod et al. [9], but the pont of the ECC contructon to acheve any-ecurty. We mprove on the reult of Petrank and Rackoff to how that dv any ECC (q, n, l) q2 /2 n (d (l) + 4l 4 /2 n ) where d (l) the maxmum, over all l l, of the number of dvor of l. (Once agan ee Fgure 1.) Note that the functon d (l) l 1/ ln ln(l) grow lowly. The MC correpondng to ECC (namely ECC π1,π 2 when π 1 = E(K 1, ) and π 2 = E(K 2, ) for random key K 1, K 2 K of a blockcpher E: K {0, 1} n {0, 1} n ) wa developed by the RCE project [5]. Th MC nteretng a a natural and practcal varant of the CC MC that correctly handle meage of varyng length. varant of ECC called CMC wa recently adopted a a NIST-recommended mode of operaton [14]. wth the CC MC, our reult mply mproved guarantee on the forgery probablty of the ECC MC under a choen-meage attack, but th tme of type any rather than merely pf, and wth the mprovement beng numercally more ubtantal. More defnton. The collon-probablty CP atk of the CC MC the maxmum, over all par of meage (M 1, M 2 ) n an approprate atk-dependent range, of the probablty, over random π, that CC π (M 1 ) = CC π (M 2 ). For atk = any the range any par of dtnct trng of length a potve multple of n but at mot ln; for atk = pf t any uch par where nether trng a prefx of the other; and for atk = eq t any par of dtnct trng of exactly ln bt. The full collon probablty FCP atk mlar except that the probablty of the event C m 2 2 {C1 1,..., Cm 1 1, C2 1,..., Cm } where, for each b {1, 2}, we have Cb = π(c 1 b Mb ) for m b = M b /n and [1..m b ] and Cb 0 = 0n. Note that thee defnton do not nvolve an adverary and n th ene are mpler than the advantage functon condered above. Reducton to FCP and CP. y vewng ECC a an ntance of the Carter-Wegman paradgm [18], one can reduce boundng dv atk ECC (q, n, l) (for atk {any, eq, pf}) to boundng CPatk (ee [7], tated here a Lemma 4). Th mplfe the analy becaue one now faced wth a combnatoral problem rather than conderaton of a dynamc, adaptve adverary. The frt tep n our analy of the CC MC to provde an analogou reducton (Lemma 1) that reduce boundng dv pf CC (q, n, l) to boundng FCPpf. Unlke the cae of ECC, the reducton not mmedate and doe not rely on the Carter-Wegman paradgm. Rather t proved drectly ung the game-playng approach [4, 16]. ound on FCP and CP. lack and Rogaway [7] how that CP any 2(l 2 + l)/2 n. Dod, Gennaro, Håtad, Krawczyk, and Rabn [9] how that CP eq 2 n + cl 2 /2 2n + cl 3 /2 3n for ome abolute contant c. (The above-mentoned bound on dv eq ECC (q, n, l) obtaned va th.) We buld on ther technque to how (cf. Lemma 5) that CP any 2d (l)/2 n + 64l 4 /2 2n. Our bound on dv any ECC (q, n, l) then follow. We alo how that FCPpf 8l/2n + 64l 4 /2 2n. Our bound on dv pf CC (q, n, l) then follow. We remark that the ecurty proof of RMC [11] had tated and ued a clam that mple CP any 12l/2n, but the publhed proof wa wrong. Our Lemma 5 both fxe and mprove that reult. Further related work. Other approache to the analy of the CC MC and the encrypted CC MC nclude thoe of Maurer [13] and Vaudenay [17], but they only obtan bound of l 2 q 2 /2 n. 4

5 2 Defnton Notaton. The empty trng denoted ε. If x a trng then x denote t length. We let n = {0, 1} n. If x n then x n = x /n denote the number of n-bt block n t. If X {0, 1} then X m denote the et of all non-empty trng formed by concatenatng m or fewer trng from X and X + denote the et of all trng formed by concatenatng one or more trng from X. If M n then M denote t -th n-bt block and M j denote the trng M M j, for 1 j M n. If S a et equpped wth ome probablty dtrbuton then $ S denote the operaton of pckng from S accordng to th dtrbuton. If no dtrbuton explctly pecfed, t undertood to be unform. We denote by Perm(n) the et of all permutaton over {0, 1} n, and by Func(n) the et of all functon mappng {0, 1} to {0, 1} n. (oth thee et are vewed a equpped wth the unform dtrbuton.) blockcpher E (wth blocklength n and key-pace K) dentfed wth the et of permutaton {E K : K K} where E K : {0, 1} n {0, 1} n denote the map pecfed by key K K. The dtrbuton that nduced by a random choce of K from K, o f $ E the ame a K $ K, f E K. Securty. n adverary a randomzed algorthm that alway halt. Let atk q, denote the cla of adverare that make at mot q oracle quere, where f atk = eq, then each query n n; l f atk = pf, then each query n n l and no query a prefx of another; and f atk = any then each query n n l. We remark that the adverare condered here are computatonally unbounded. In th paper we alway conder determntc, tatele oracle and thu we wll aume that an adverary never repeat an oracle query. We alo aume that an adverary never ak a query outde of the mplctly undertood doman of nteret. Let F : D {0, 1} n be a et of functon and let atk q, be an adverary, where atk {eq, pf, any}. y f 1 we denote the event that output 1 wth oracle f. The advantage of (n dtnguhng an ntance of F from a random functon outputtng n bt) and the advantage of F are defned, repectvely, a dv F () = Pr[f $ F : f 1] Pr[f $ Func(n) : f 1] and dv atk F (q, n, l) = max { dv F () }. atk q, Note that nce eq q, pf q, any q,, we have dv eq F (q, n, l) dvpf F (q, n, l) dvany F (q, n, l). (1) Cbc and Ecbc. Fx n 1. For M n m and π: n n then defne CC M π [] nductvely for [0..m] va CC M π [0] = 0 n and CC M π [] = π(cc M π M ) for [1..m]. We aocate to π the CC MC functon CC π : n + n defned by CC π (M) = CC M π [m] where m = M n. We let CC = {CC π : π Perm(n)}. Th et of functon ha the dtrbuton nduced by pckng π unformly from Perm(n). To functon π 1, π 2 : n n we aocate the encrypted CC MC functon ECC π1,π 2 : n + n defned by ECC π1,π 2 (M) = π 2 (CC π1 (M)) for all M + n. We let ECC = {ECC π1,π 2 : π 1, π 2 Perm(n)}. Th et of functon ha the dtrbuton nduced by pckng π 1, π 2 ndependently and unformly at random from Perm(n). Collon. For M 1, M 2 n we defne the prefx predcate pf(m 1, M 2 ) to be true f ether M 1 a prefx of M 2 or M 2 a prefx of M 1, and fale otherwe. Note that pf(m, M) = true for any 5

6 M n. Let M eq = {(M 1, M 2 ) l n l n : M 1 M 2 }, M pf = {(M 1, M 2 ) n l n l : pf(m 1, M 2 ) = fale}, and M any = {(M 1, M 2 ) n l n l : M 1 M 2 }. For M 1, M 2 + n and atk {eq, pf, any} we then let CP n (M 1, M 2 ) = Pr[π $ Perm(n) : CC π (M 1 ) = CC π (M 2 )] CP atk = max { CP n (M 1, M 2 ) }. (M 1,M 2 ) M atk For M 1, M 2 n + we let FCP n (M 1, M 2 ) (the full collon probablty) be the probablty, over π $ Perm(n), that CC π (M 2 ) n the et {CC M 1 π [1],..., CC M 1 π [m 1 ], CC M 2 π [1],..., CC M 2 π [m 2 1]} where m b = M b n for b = 1, 2. For atk {eq, pf, any} we then let 3 Reult on the CC MC FCP atk = max { FCP n (M 1, M 2 ) }. (M 1,M 2 ) M atk We tate reult only for the atk = pf cae; reult for atk = eq follow due to (1). To bound dv pf CC (q, n, l) we mut conder a dynamc adverary that adaptvely quere t oracle. Our frt lemma reduce th problem to that of boundng a more tatc quantty whoe defnton doe not nvolve an adverary, namely the full collon probablty of the CC MC. The proof n Secton 5. Lemma 1 For any n, l, q dv pf CC (q, n, l) q2 FCP pf + 4lq2 2 n. The next lemma bound the full collon probablty of the CC MC. The proof gven n Secton 8. Lemma 2 For any n, l FCP pf 8l 2 n + 64l4 2 2n. Combnng the above two lemma we bound dv pf CC (q, n, l): Theorem 3 For any n, l, q dv pf lq2 CC (q, n, l) 2 n ) ( l3 2 n. 6

7 4 Reult on the Encrypted CC MC Followng [7], we vew ECC a an ntance of the Carter-Wegman paradgm [18]. Th enable u to reduce the problem of boundng dv atk ECC (q, n, l) to boundng the collon probablty of the CC MC, a tated n the next lemma. proof of the followng provded n ppendx. Lemma 4 For any n, l, q and any atk {eq, pf, any}, dv atk ECC(q, n, l) Petrank and Rackoff [15] how that q(q 1) 2 ( CP atk + 1 ) 2 n dv any ECC (q, n, l) 2.5 l2 q 2 /2 n. (2) Dod et al. [9] how that CP eq 2 n + cl 2 2 2n + cl 6 2 3n for ome abolute contant c. Combnng th wth Lemma 4 lead to dv eq q2 ECC (q, n, l) 2 n ) (1 + cl2 2 n + cl6 2 2n However, the cae of atk = eq not nteretng here, nce the pont of ECC to gan ecurty even for atk = any. To obtan an mprovement for th, we how the followng, whoe proof n Secton 7: Lemma 5 For any n, l CP any 2d (l) 2 n + 64l4 2 2n where d (l) the maxmum, over all l l, of the number of potve number that dvde l. The functon d (l) grow lowly; n partcular, d (l) < l 0.7/ln ln(l) for all uffcently large l [10, Theorem 317]. We have verfed that d (l) l 1.07/ ln ln l for all l 2 64 (and we aume for all l), and alo that d (l) lg 2 l for all l Combnng the above wth Lemma 4 lead to the followng: Theorem 6 For any n, l, q dv any q2 ECC (q, n, l) 2 n ) (d (l) + 32l4 2 n 5 oundng FCP ound CC (Proof of Lemma 1) The proof by the game-playng technque [2, 4]. Let be an adverary that ak exactly q quere, M 1,..., M q n l, where no quere M r and M, for r, hare a prefx n n +. We mut how that dv CC () q 2 FCP pf + 4lq2 /2 n. Refer to game D0 D7 a defned n Fgure 2. Set Dom(π) and Ran(π) tart off a empty and automatcally grow a pont are added to the doman and range of the partal functon π. Set Dom(π) and Ran(π) are the complement of thee et relatve to {0, 1} n. They automatcally hrnk a pont jon the doman and range of π. We wrte boolean value a 0 (fale) and 1 (true),... 7

8 On the th query F (M ) 100 m M n, C 0 0 n Game D1 101 for 1 to m 1 do 102 X C 1 M 103 f X Dom(π) then C π(x) 104 ele π(x) C Ran(π) 105 X m C m 1 M m 106 C b m C m $ {0, 1} n Ran(π): bad 1, C m $ 107 f C m 108 f X m 109 π(x m Ran(π) Dom(π): bad 1, C m π(x m ) C m 110 f bad then return C m 111 return b C m On the th query F (M ) 300 m M n, C 0 0 n $ ) Game D3 301 for 1 to m 1 do 302 X C 1 M 303 f ( r < )(X = Xr mr ): bad f X Dom(π) then C π(x) 305 ele π(x) C Ran(π), 306 f ( r <)(C =Cr mr ): bad 1 C m 1 M m 307 X m 308 C m 309 f X m $ {0, 1} n 310 ( r <)(X m 311 then bad return C m Dom(π) C m =X mr r $ Ran(π) C m =Cr mr ) 500 for 1 to q do Game D5 501 C 0 0 n 502 for 1 to m 1 do 503 X C 1 M 504 f ( r < )(X = Xr mr ): bad f X Dom(π) then C π(x) 506 ele π(x) C C m 1 M m 507 X m 508 f ( r < ) (X m = X mr 509 X m $ Ran(π) Dom(π) r ) then bad 1 On the th query F (M ) 200 m M n, C 0 0 n Game D2 201 for 1 to m 1 do 202 X C 1 M 203 f X Dom(π) then C π(x) 204 ele π(x) C Ran(π) 205 X m C m 1 M m 206 C m $ {0, 1} n Dom(π) C m 207 f X m 208 then bad π(x m ) C m 210 return C m On the th query F (M ) 400 m M n, C 0 0 n $ Ran(π) Game D4 401 for 1 to m 1 do 402 X C 1 M 403 f ( r <)(X = Xr mr ): bad f X Dom(π) then C π(x) 405 ele π(x) C Ran(π) 406 X m C m 1 M m 407 f X m Dom(π) 408 ( r <)(X m =Xr mr ) then bad C m $ {0, 1} n 410 return C m 600 π $ Perm(n) Game D6 601 for [1.. q] do 602 C 0 0 n 603 for 1 to m 1 do 604 X C 1 M 605 C π(x) 606 X m C m 1 M m 607 bad ( (r, ) (, m )) [Xr = X m $ ] 700 π $ Perm(n) Game D7 701 C 0 1 C n 702 for 1 to m 1 do 703 X1 C 1 1 M 1, C1 π(x1) 704 for 1 to m 2 do 705 X2 C 1 2 M 2, C2 π(x2) 706 bad X m 2 2 {X1 1,..., X m 1 1, 707 X2 1,..., X m } Fgure 2: Game D0 D7 ued n the proof of Lemma 1. 8

9 and we ometme wrte then a a colon. The flag bad ntalzed to 0 and the map π ntalzed a everywhere undefned. We now brefly explan the equence. D1: Game D1 fathfully mulate the CC MC contructon. Intead of choong a random permutaton π up front, we fll n t value a-needed, o a to not to create a conflct. Oberve that f bad = 0 followng lne then Ĉm = C m and o game D1 alway return C m, regardle of bad. Th make clear that Pr[ D1 1] = Pr[π $ Perm(n) : CCπ 1]. D0: Game D0 obtaned from game D1 by omttng lne 110 and the tatement that mmedately follow the ettng of bad at lne 107 and 108. Thu th game return the random n-bt trng C m n repone = Ĉm to each query M, o Pr[ D0 1] = Pr[ρ $ Func(n) : ρ 1]. Now game D1 and D0 have been defned o a to be yntactcally dentcal except on tatement that mmedately follow the ettng of bad to true or the checkng f bad true, o the fundamental lemma of game-playng [4] ay u that Pr[ D1 1] Pr[ D0 1] Pr[ D0 et bad ]. dv CC () = Pr[ CCπ 1] Pr[ ρ 1] = Pr[ D1 1] Pr[ D0 1], the ret of the proof bound dv CC () by boundng Pr[ D0 et bad ]. D0 D2: We rewrte game D0 a game D2 by droppng the varable Ĉm and ung varable C m n t place, a thee are alway equal. We have that Pr[ D0 et bad ] = Pr[ D2 et bad ]. D2 D3: Next we elmnate lne 209 and then, to compenate, we et bad any tme the value X m or C m would have been acceed. Th account for the new lne 303 and the new djunct on lne 310. To compenate for the removal of lne 209 we mut alo et bad whenever C, choen at lne 204, happen to be a pror value Cr mr. Th done at lne 306. We have that Pr[ D2 et bad ] Pr[ D3 et bad ]. D3 D4: Next we remove the tet ( r < )(C = Cr mr ) at lne 306, the tet f C m Ran(π) at lne 309, and the tet for C m = Cr mr at lne 310, boundng the probablty that bad get et due to any of thee three tet. To bound the probablty of bad gettng et at lne 306: total of at mot lq tme we elect at lne 305 a random ample C from a et of ze at leat 2 n lq 2 n 1. (We may aume that lq 2 n 1 nce the probablty bound gven by our lemma exceed 1 f lq > 2 n 1.) The chance that one of thee pont equal to any of the at mot q pont Cr mr thu at mot 2lq 2 /2 n. To bound the probablty of bad gettng et by the C m Ran(π) tet at lne 309: ealy een to be at mot lq 2 /2 n. To bound the probablty of bad gettng et by the C m = Cr mr tet at lne 310: ealy een to be at mot q 2 /2 n. Overall then, Pr[ D3 et bad ] Pr[ D4 et bad ] + 4lq 2 /2 n. D4 D5: The value C m returned to the adverary n repone to a query n game D4 never referred to agan n the code and ha no nfluence on the game and the ettng of bad. ccordngly, we may thnk of thee value a beng choen up-front by the adverary who, correpondngly, make an optmal choce of meage quere M 1,..., M q o a to maxmze the probablty that bad get et n game D4. Quere M 1,..., M q n m are prefx-free (meanng that no two trng from th lt hare a prefx P n + ) and the trng have block length of m 1,..., m q, repectvely, where each m m. We fx uch an optmal vector of meage and meage length n pang to game D5, o that Pr[ D4 et bad ] Pr[D5 et bad ]. The adverary ha effectvely been elmnated at th pont. D5 D6: Next we potpone the evaluaton of bad and undo the lazy defnng of π to arrve at game D6. We have Pr[D5 et bad ] Pr[D6 et bad ]. D6 D7: Next we oberve that n game D6, ome par r, mut contrbute at leat an average amount to the probablty that bad get et. Namely, for any r, [1.. q] where r defne bad r, a (X m = X r for ome [1.. m r ]) (X m = X for ome [1.. m 1]) and note that bad et at lne 607 ff bad r, = 1 for ome r, and o there mut be an r uch that Pr[D6 et bad r, ] (1/q(q 1)) Pr[D6 et bad ]. Fxng uch an r, and renamng M 1 = M r, 9

10 M 2 = M, m 1 = m r, and m 2 = m, we arrve at game D7 knowng that Pr[D6 et bad ] q 2 Pr[D7 et bad ]. (3) Now Pr[D7 et bad ] = FCP n (M 1, M 2 ) FCP pf n,m by the defnton of FCP and the fact that π a permutaton. Puttng all the above together we are done. 6 Graph-aed Repreentaton of CC In th ecton we decrbe a graph-baed vew of CC computaton and provde ome lemma that wll then allow u to reduce the problem of upper boundng the collon probablte CP any and FCP pf to combnatoral countng problem. We fx for the ret of th ecton a blocklength n 1, the number of meage t 1 and t dtnct meage M 1,..., M t, where for 1 t we denote wth m 1 the length (n block) of the th meage M = M 1 M m m n. 1 Let M = {M 1,..., M t } be the ordered et of all meage, for 1 j t let m j = j =1 m be the length of the frt j meage. It convenent to et m 0 = 0 and m = m t to be the total length. Let M = M 1 M 2 M t = M 1 M m denote the concatenaton of all meage. Structure graph. To M and any π Perm(n) we aocate the tructure graph G M π, whch a drected graph (V, E) where V {0,..., m} together wth a edge labellng functon L : E {M 1,..., M m }. The tructure graph G M π = 1,..., m we defne = G = (V, E, L) defned a follow: We et C 0 = 0 n and for { π(c 1 M C = ) f / {m 0 + 1,..., m t 1 + 1} π(m ) otherwe From th C we defne the mappng [.] G : {0,..., m} {0,..., m} a [] G = mn{j : C j = C }. It convenent to defne a mappng [.] G a [] G = [] G f / {m 0,..., m t 1 } and [] G = 0 otherwe. Now the tructure graph GM π = G = (V, E, L) gven by V = {[] G : 1 m} E = {([ 1] G, [] G ) : 1 m} L(([ 1] G, [] G )) = M From th defnton t clear that the mappng [.] G defne G unquely and vce vera. Throughout we wll refer to ([ 1] G, [] G) a the th edge of G. If the C are all dtnct, then G mply a tree wth t path leavng the root 0, the th path beng 0 m 1 m m 1 + m = m. In general G the graph one get by tartng wth the tree jut decrbed and dong the followng whle poble: f there are two vertce, j where j and C = C j then collape and j nto one vertex and label t mn{, j}. Let G(M) = {G π : π Perm(n)} denote the et of all tructure graph aocated to meage M. Th et ha the probablty dtrbuton nduced by pckng π at random from Perm(n). For G G(M), G = (V, E, L) we denote wth G = (V, E, L ) the ubgraph of G gven by the frt edge,.e. V = {v V : v }, E = {(u, v) E : u, v V } and L L wth the doman retrcted to E. Collon. Suppoe a tructure graph G = G M π G(M) expoed edge by edge (.e. n tep the value [] G hown to u). We ay that G ha a collon tep f the edge expoed n tep 1 To bound CP any and FCPpf t uffcent to only conder the cae t = 2, but a th retrcton doe not mplfy thng we prove all our lemma for general t. 10

11 pont to a vertex whch already n the graph. Wth Col(G) we denote all collon,.e. all par (, j) where n tep there wa a collon whch ht the vertex computed n tep j < : or equvalently for G 1 = (V 1, E 1, L 1 ) Col(G) = {(, [] G ) : [] G } Col(G) = {(, [] G ) : [] G V 1 } (4) We dtnguh two type of collon, nduced collon and accdent. Informally, an nduced collon n tep a collon whch mpled by the collon n the frt 1 tep, wherea an accdent a urprng collon. Induced Collon. ume that after tep 1 we ee that for ome a < the a th edge ([a 1] G, [a] G) ha the ame label (M a = M ) and the ame tal ([a 1] G = [ 1] G ) a the next ( th) edge to be expoed. Then we know that the head of the th edge mut alo be [a] G a [a 1] G = [ 1] G mean C [a 1]G = C [ 1]G, and a π mut produce the ame output on the ame nput alo C [a]g = π(c [a 1] G M a ) = π(c [ 1] G M ) = C []G. More generally one can how that G ha an nduced collon tep f the edge added n tep (or, that would be added f t wa not already there) cloe a cycle wth alternatng edge drecton, moreover then the label of all the edge of that cycle XOR to 0 n (note that two parallel edge a condered before are exactly uch a cycle of length two and of coure the label M, M a of the edge on that cycle XOR to 0 n = M M a a we aw that M = M a ). It not eay to ee that ndeed all nduced collon are of h type, th wll follow from the proof of Lemma 8. To make that more formal, we defne a functon ltcyc, whch take a nput a partal tructure graph G = (V, E, L ), a vertex v and a label X a follow j = v 2k ltcyc(g = (V, E, L ), v, X) = f k 1, {v 1,..., v 2k } V, {e 1,..., e 2k } E where e = (v, v +1 ) for odd, and e = (v, v +1 ) for even, and v 1 = v, and X L ((u 1, v 1 ))... L ((u 2k, v 2k )) = 0 n. otherwe Now the nduced collon are are the collon (, j) where the th edge ([ 1] G, j) can (and thu mut) be added to G 1 uch that we cloe a cycle wth alternatng edge drecton where the label on the cycle XOR to 0 n,.e. IndCol(G) = {(, j) : 1 m, j = ltcyc(g 1, [ 1] G, M ) and j } ccdent. The accdent are all the non-nduced collon: cc(g) = Col(G) \ IndCol(G) (5) Lemma 7 G G(M) unquely determned by cc(g) and M alone. Proof: We leave the reader to verfy that the algorthm gven n fgure 6 output G = (V, E, L) on nput cc(g) and M. The labellng functon L gven by a et of par where (e, j) L mean L(e) = j. 11

12 algorthm cc2graph(, M) // = {( 1, j 1),..., ( t, j t)} V {0},E, L, tal 0 for 1 to m do f {m 1,..., m t 1 } then tal 0 //potcondton: tal = [ 1] G,.e. the tal of the th edge. f j.t. (, j) then e (tal, j), tal j //ccdent ele f ltcyc((v, E, L), M ) = j then e (tal, j), tal j //Induced Collon ele V V, e (tal, ), tal // No collon, add vertex E E e, L L (e, M ) //dd edge e and defne label for e. return G (V, E, L) Fgure 3: Let G a (M) = {G : G G(M), cc(g) = a) denote all tructure graph wth exactly a accdent. y the prevou lemma every G G a (M) determned by t accdent,.e. a tuple (, j) where 0 j < m, thu ( ) (m + 1)m a G a (M) (6) 2 The followng lemma tate that the probablty that a randomly ampled tructure graph wll be ome partcular graph H exponentally mall n cc(h). Lemma 8 Let n 1, t 1,M = {M 1,..., M t } where M m n for any tructure graph H G(M): Pr[G $ G(M) : G = H] (2 n m) cc(h) and m = m m t. Then The lemma buld on an unpublhed technque from [8, 9]. proof gven n ppendx. Lemma 9 Wth M, m a n the prevou lemma Pr[G $ G(M) : cc(g) 2] 4m4 2 2n Proof: Pr[G $ G(M) : cc(g) 2] = Pr[G $ G(M) : cc(g) = ] =2 =2 H G (M) =2 Pr[G $ G(M) : G = H] G (M) (2 n m) (7) =2 ( ) (m + 1)m 2(2 n (8) m) 4m4 2 2n (9) 12

13 We ued Lemma 8 for (7) and eq.(6) for (8). For (9) we aumed that n > 1 and m < 2 n/2. We can do o a f ether n = 1 or m 2 n/2 the lemma trvally hold a then the 4m4 1 and 1 a 2 2n trval bound for any probablty. Conventon for Secton 7 and 8. In the next two ecton we wll only conder the two accdent cae M = {M 1, M 2 }. G G(M 1, M 2 ) cont of two path, the M 1 -path whch pae through the vertce 0, [1] G,..., [m 1 ] G and the M 2 -path 0, [m 1 + 1] G,..., [m 1 + m 2 ] G. Wth Vj (G) we denote the th vertex on the M j-path,.e. for 1 m 1 : V1 def (G) = [] G, for 1 m 2 : V2 def (G) = [ + m 1 ] G and V1 0(G) = V 2 0(G) = 0. l m 1, m 2 wll alway denote an upper bound on the meage length. Further f P a predcate on tructure graph. Then φ M1,M 2 [P ] wll denote the et of tructure graph G havng exactly one accdent and atfyng the predcate P : φ M1,M 2 [P ] = {G G 1 (M 1, M 2 ) : G atfe P }. For example, predcate P mght be V m 1 1 ( ) = V m 2 2 ( ) and n that cae φ M1,M 2 [V m 1 2 ] {G G 1 (M 1, M 2 ) : V m 1 1 (G) = V m 2 2 (G)}. Recall that n our graph vew an accdent correpond to a collon whch doe not cloe a cycle wth alternatng edge drecton. Th not a very convenent defnton to work wth. ut a n the followng two ecton we wll only conder the two meage cae and tructure graph wth at mot one accdent we can take on a mpler vew, for th we defne truecol(g) to denote all collon n G except thoe whch are due to parallel edge. Or equvalently, the true collon are the collon whch ncreae the ndegree of ome vertex. For G 1 = (V 1, E 1, L 1 ) (compare th to eq. (4)) the true collon are truecol(g) = {(, [] G ) : [] G V 1 ([ 1] G, [] G ) E 1 } Clearly truecol(g) Col(G) and acc(g) truecol(g), but what make th concept ueful for u that n the two meage cae the frt two true collon are alway accdent Lemma 10 For G G(M 1, M 2 ) f truecol(g ) 2 then cc(g ) = truecol(g ) corollare we get that the G G(M 1, M 2 ) wth exactly one accdent alo have exactly one true collon cc(g) = 1 truecol(g) = 1 and further that whenever we have two or more true collon we alo have at leat tow accdent truecol(g) 2 cc(g) 2. So to exclude tructure graph whch have two or more accdent t uffcent to exclude thoe graph whch have more that two true collon. To ee that the lemma hold t enough to how that there no way to draw two path, both tartng at the ame pont uch that the reultng graph ha only one true collon and a cycle wth alternatng edge drecton of length at leat four, we leave the verfcaton of that to the reader. Lemma 10 tght n the ene that we can t replace the 2 wth a 3 there. In fgure 4 a tructure graph G G G( C, D E F ) hown wth three true collon (4, 3), (5, 2), (6, 1) (the edge D, E, F account for thoe collon) but only two 13

14 PSfrag replacement C 2 E F C C 1 D C 3 C 0 Fgure 4: G G G( C, D E F ) wth three true collon but only two accdent. accdent a the collon (6, 1) nduced: the F -edge cloe a cycle C 0 C1 F C2 C C3 D C0 wth alternatng edge drecton. Lke on every cycle wth alternatng edge drecton the label of the edge mut XOR to 0 n, o here F C D = 0 n mut hold. Th can be derved from the followng equalte mpled by the graph: C 0 = C 2 F, C 0 D = C 2 C. 7 oundng CP any n,m (Proof of Lemma 5) In th ecton we prove Lemma 5, howng that CP any 2d (l)/2 n + 64l 4 /2 2n for any n, l, thereby provng Lemma 5. Lemma 11 Let n 1 and 1 m 1, m 2 l. Let M 1 m 1 n and M 2 m 2 n Then CP any (M 1, M 2 ) 2 φ M 1,M 2 [V m 1 2 ] 2 n + 64l4 2 2n. Proof: Wth the probablty over G $ G(M 1, M 2 ), we have: CP n (M 1, M 2 ) be dtnct meage. = Pr [ V m 1 2 ] = Pr [ V m 1 2 cc(g) = 1 ] + Pr [ V m 1 2 cc(g) 2 ] (10) φ M 1,M 2 [V m 1 2 ] 2 n m 1 m 2 + 4(m 1 + m 2 ) 4 2 2n (11) φ M 1,M 2 [V m 1 2 ] 2 n + 64l4 2l 2 2n 2 φ M 1,M 2 [V m 1 2 ] 2 n + 64l4. (12) 22n In (10) above we ued that Pr [ V m 1 2 cc(g) = 0 ] = 0 a V m 1 2 wth M 1 M 2 mple that there at leat one accdent. In (11) we frt ued Lemma 8, and then ued Lemma 9. In (12) we aumed that l 2 n/2 1.5, whch we can do a otherwe 64l 4 /2 2n 1. Next we bound the ze of the et that are above: Lemma 12 Let n, l 1 and 1 m 2 m 1 l. Let M 1 m 1 n and M 2 m 2 n meage. Then φ M1,M 2 [V m 1 2 ] d (l). 14 be dtnct

15 Puttng together Lemma 11 and 12 complete the proof of Lemma 5. Proof of Lemma 12: Let k 0 be the larget nteger uch that M 1, M 2 have a common uffx of k block. Note that V m 1 2 ff V m 1 k k 2. Thu, we may conder M 1 to be replaced by M 1 m 1 k 1 and M 2 to be replaced by M 1 m 2 k 2, wth m 1, m 2 correpondngly replaced by m 1 k, m 2 k repectvely. We now have dtnct meage M 1, M 2 of at mot l block each uch that ether m 2 = 0 or M m 1 1 M m 2 2. (Note that now m 2 could be 0, whch wa not true before our tranformaton.) Now conder three cae. The frt that m 2 1 and M 2 a prefx of M 1. Th cae covered by Lemma 13. (Note n th cae t mut be that m 1 > m 2 nce M 1, M 2 are dtnct and ther lat block are dfferent.) The econd cae that m 2 = 0 and covered by Lemma 14. (In th cae, m 1 1 nce M 1, M 2 are dtnct.) The thrd cae that m 2 1 and M 2 not a prefx of M 1. Th cae covered by Lemma 15. Lemma 13 Let n 1 and 1 m 2 < m 1 l. Let M 1 m 1 n, M 2 m 2 n. ume M 2 a prefx of M 1 and M m 1 1 M m 2 2. Then φ M1,M 2 [V m 1 2 ] d (l). Proof: ecaue M 2 a prefx of M 1 we have that V m 2 2 = V m 2 1, and thu φ M1,M 2 [V m 1 2 ] = φ M1,M 2 [V m 2 1 = V m 1 1 ]. We now bound the latter. Let G G 1 (M 1, M 2 ). Then we clam that V m 1 1 (G) = V m 2 1 (G) mple that there ext a t > m 2 uch that 1. The (only) accdent n G a (t, V m 2 1 )-accdent. 2. t m 2 dvde m 1 m 2. efore we prove the two pont we ll how why they mply the lemma. Frt note that here V m 2 1 [m 2 ] G = m 2 a the frt accdent happen after tep m 2 and thu [m 2 ] G = m 2. Further, by Lemma 7 every G φ M1,M 2 [V m 2 1 = V m 1 1 ] correpond to a par (t, V m 2 1 ) = (t, m 2 ) where t atfe the econd pont. Now there are exactly d(m 1 m 2 ) d (l) dfferent t whch atfy the econd pont. To ee the frt pont we oberve that n G (V m 2 1 (G)) = 2 a by V m 1 1 (G) = V m 2 1 (G) the vertex V m 2 1 (G) ha ngong edge wth dtnct label M m 1 1 M m 2 1 and edge wth dtnct label cannot be parallel. 2 So there wa an accdent (t, V m 2 1 (G)) for ome t m 2. We now prove the econd pont. We jut aw that G t (the ubgraph of G buld by the t frt edge) a ρ-haped graph where the cycle ha length t m 2. Now ether t = m 1 (then the econd pont atfed), or the remanng m 1 t > 0 edge of the M 1 path mut be drawn uch that we come back to the vertex m 2. we already ued up or only accdent, the only poblty to go along the cycle (note that f we leave the ρ then there no way to come back wthout a econd accdent 3 ). ut then we ll only end up n m 2 (and thu atfy V m 1 1 (G) = V m 2 1 (G)) f the remanng m 1 m 2 edge are a multple of the cycle length t m 2. def = Lemma 14 Let n 1 and 1 m 1 l. Let M 1 m 1 n, let M 2 = ε and let m 2 = 0. Then φ M1,M 2 [V m 1 2 ] d (l). 2 th would mean that the permutaton whch generated the tructure-graph produce the ame output on dfferent nput. Th one of the argument where t crucal that we only conder permutaton and not general functon. 3 Recall that here accdent are equvalent to true collon. 15

16 ??? Fgure 5: Some hape where the M 1 -path (old lne) make a loop. In the frt three cae the M 1 -path pae only once through V p 1 (the dot), and we ee that we cannot draw the M 2-path uch that V m 2 2 {V p+1 1 } wthout a econd accdent n any of thoe cae. In the lat graph V m 2 2 {V p+1 1 }, but there alo V p 1 {V 1 0,..., V p 1 1, V p+1 1 }. Proof: Ue an argument mlar to that of Lemma 13, notng that Vm 0 1 (G) = V1 0 (G) mple that n G (V1 0 (G)) 1. Lemma 15 Let n 1 and 1 m 2 m 1 l. Let M 1 m 1 n, M 2 m 2 n. ume M 2 not a prefx of M 1 and M m 1 1 M m 2 2. Then φ M1,M 2 [V m 1 2 ] 1. Proof: Let p [0..m 2 1] be the larget nteger uch that M1 1 = M2 1 for all [1..p]. Then V1 = V 2 p+1 for [1..p] and V1 V p+1 2. Now to have V m 1 2 we need an accdent. Snce M m 1 1 M m 2 2 and there only one accdent, the only poblty that th a (m 1, m 1 + m 2 )- accdent. Thu, there only one way to draw the graph. 8 oundng FCP pf (Proof of Lemma 2) In th ecton we how that FCP pf 8l/2n + 64l 4 /2 2n thereby provng Lemma 2. Recall that pf(m 1, M 2 ) = fale ff M 1 not a prefx of M 2 and M 2 not a prefx of M 1. The proof of the followng mlar to the proof of Lemma 11 and omtted. Lemma 16 Let n 1 and 1 m 1, m 2 l. Let M 1 m 1 n, M 2 m 2 n Then FCP pf (M 1, M 2 ) Next we bound the ze of the et that are above: 2 φ M1,M 2 [V m 2 2 {V1 1,..., V m 1 1, V2 1,..., V m }] wth pf(m 1, M 2 ) = fale. 2 n + 64l4 2 2n. Lemma 17 Let n, l 1 and 1 m 1, m 2 l. Let M 1 m 1 n, M 2 m 2 n wth pf(m 1, M 2 ) = fale. Then φ M1,M 2 [V m 2 2 {V1 1, V2 1,..., V m }] 4l. Puttng together Lemma 16 and 17 complete the proof of Lemma 2. We denote by cpl(m 1, M 2 ) the number of block n the longet common block-prefx of M 1, M 2. That, cpl(m 1, M 2 ) the larget nteger p uch that M1 = M 2 for all [1..p]. Defne the predcate NoLoop(G) to be true for tructure graph G G2 1(M 1, M 2 ) ff V1 0(G),..., V m 1 1 (G) are all dtnct and alo V2 0(G),..., V m 2 2 (G) are all dtnct. Let Loop be the negaton of NoLoop. Proof of Lemma 17: Let p = cpl(m 1, M 2 ). Snce pf(m 1, M 2 ) = fale, t mut be that p < m 1, m 2 and M p+1 1 M p+1 2. Note then that V1 = V 2 p+1 for all [0..p] but V1 V p+1 2. Now we break up 16

17 Fgure 6: n example for the proof of Lemma 18 wth m 1 = 5 and M 1 = for dtnct, {0, 1} n. Here we have N 5 = 5 µ 1 (M1 5) + 1 = 5 µ 1() + 1 = = 3 and N 4 = µ 1 (M1 5) µ 1(M1 4 5 ) = µ 1 () µ 1 ( ) = 3 2 = 1 and N 3 = µ 1 (M1 4 5 ) µ 1 (M1 3 5 ) = µ 1 ( ) µ 1 ( ) = 2 1 = 1 and N 2 = N 1 = 0. The frt three graph how the N 5 cae, the fourth and the ffth graph how the ngle cae for N 4 and N 3. the et n whch we are ntereted a φ M1,M 2 [V m 2 2 {V 1 1, V 1 2,..., V m }] = φ M1,M 2 [V m 2 2 {V 1 2,..., V m }] φ M1,M 2 [V m 2 2 {V p+1 1 }]. Lemma 18 mple that φ M1,M 2 [V m 2 2 {V2 1,..., V m }] m 2 and Lemma 20 ay that φ M1,M 2 [V m 2 {V p+1 1 } NoLoop] m 1. It reman to bound φ M1,M 2 [V m 2 2 {V p+1 1 } Loop]. We ue a cae analy, whch llutrated n Fgure 5. The condton Loop mean that ether the M 1 - or the M 2 -path (or both) mut make a loop. If the M 1 -path make a loop then we can only draw the M 2 -path uch that V m 2 2 {V p+1 1 } f the loop goe twce through V p 1. The ame argument work f only the M 2 -path make a loop. Thu φ M1,M 2 [V m 2 2 {V p+1 1 } Loop] S 1 S 2 where S 1 = φ M1,M 2 [V p 1 {V 0 1,..., V p 1 1, V p+1 1 }] S 2 = φ M1,M 2 [V p 2 {V 0 2,..., V p 1 2, V p+1 2,..., V m 2 2 }]. Lemma 19 ay that S 1 m 1 and S 2 m 2. Puttng everythng together, the lemma follow a 2(m 1 + m 2 ) 4l. Lemma 18 Let n, m 1, m 2 1. Let M 1 m 1 n, M 2 m 2 n then for b {1, 2}, φ M1,M 2 [V m b b {Vb 0, V b 1,..., V m b 1 b }] = m b Proof: We prove only the clam for b = 1, and then brefly dcu how to extend the proof to b = 2. If V m 1 1 {V1 0,..., V m } then there mut be a (j, V1 )-accdent for ome [0..m 1 1] and j [ + 1..m 1 ] and then nduced collon n tep j + 1 to m 1. Thu V j+k 1 = V1 +k for all k [0..m 1 j]. For j [1..m 1 ] let N j be the number of tructure graph G G 1 (M 1, M 2 ) uch that V m 1 1 (G) {V1 0(G),..., V m (G)} and there a (V1 (G), j)-accdent for ome [0..j 1]. Then φ M1,M 2 [V m 1 1 {V1 0,..., V m 1 1 m 1 1 }] = N j. 17 j=1 2

18 D D D D Fgure 7: n example for the proof of Lemma 19 wth m 1 = 5, M 1 = D and r = 1, where,, D {0, 1} n are dtnct. (The large dot V1 r = V 1 1.) Here we have N r = m r = µ 2 (M1 1) = N 1 = m 1 1 µ 2 (M1 1) = 5 1 µ 2() = = 3. Thoe cae correpond to the frt three graph n the fgure. The fourth graph correpond to N r 1 = N 0 = µ 2 ( M1 1 r ) = µ 2 ( ) = 1. Let µ 1 (S) denote the number of block-algned occurrence of the ubtrng S n M 1. (For example, µ 1 ( ) = 2 f M 1 = for ome dtnct, {0, 1} n.) It poble to have a (m 1, V1 )-accdent for any [0..m 1 1] for whch M1 M m 1 1 (cf. Fgure 6) and thu N m1 = m 1 µ 1 (M m 1 1 ) + 1. It poble to have a (V1, m 1 1)-accdent and alo have V m {V 0 and thu N m1 1 = µ 1 (M m 1 1 ) µ 1 (M m 1 1 m 1 µ 1 (M j+1 m 1 1 ) µ 1 (M j m 1 1 } for any [0..m 1 2] for whch M1 M m and M1 +1 = M m ). In general for j [1..m 1 1] we have N j = 1 ). Ung cancellaton of term n the um we have m 1 N j = m µ 1 (M 1 m 1 1 ) = m 1 j=1 whch prove the lemma for the cae b = 1. The cae for b = 2 follow by ymmetry, more precely φ M1,M 2 [V m b b {Vb 0, V b 1,..., V m b 1 b }] nvarant under exchangng M 1 wth M 2 and changng b (from 1 to 2 or 2 to 1) multaneouly. In fact, all predcate whch do not make ue of the repreentaton of the vertce have th property (o for example V1 5 = 5 not ymmetrc n the above ene but V 5 1 {V 1 0,..., V 1 4} ). Next we have a generalzaton of Lemma 18. Lemma 19 Let n, m 1, m 2 1. Let M 1 m 1 n, M 2 m 2 n then for b {1, 2} and any r [0..m b ], φ M1,M 2 [Vb r {V b 0,..., V r 1 b, V r+1 b,..., V m b b }] m b. Proof: We prove t for the cae b = 1. (The cae b = 2 analogou.) y Lemma 18 we have φ M1,M 2 [V1 r {V 1 0,..., V 1 r 1 }) = r. It reman to how that φ M1,M 2 [V1 r {V1 r+ 1 } V1 r {V1 0,..., V1 r }] m 1 r. We may aume that V1 V j 1 for all 0 < j r 1, a otherwe we have already ued up our accdent and there no way to get V1 r r+1 {V 1 } any more. If Vr {V1 r+ 1 } then there a (, V j 1 )-accdent for ome 0 j r <. For j [0..r] let N j be the number of tructure graph G G 1 (M 1, M 2 ) uch that V1 r r+1 (G) {V1 (G),..., V m 1 1 (G)}, V1 r (G) {V 0 1 (G),..., V 1 r(g)} and there a (, V j 1 )-accdent for ome [r + 1..m 1]. Then φ M1,M 2 [V1 r {V1 r+ 1 } V1 r {V1 0,..., V1 r }] r = N j. j=0 18

19 Fgure 8: n example for the proof of Lemma 20 wth M 1 = and M 2 =, thu m 1 = 5, m 2 = 6, p = 1. Here µ 3 (S) the number of block-algned occurrence of S n M p+1 m 1 =. The old lne correpond to M 1 and the dotted lne to M 2. We get N m2 = N 6 = m 1 p µ 3 (M m 2 2 ) = 5 1 µ 3 () = = 3, the three cae correpond to the frt three graph n the fgure. Furthermore, N 5 = µ 3 ( ) µ 3 ( ) = 1 1 = 0 and N 4 = µ 3 ( ) µ 3 ( ) = 1 0 = 1, th lat cae correpondng to the lat graph n the fgure. Let µ 2 (S) be the number of block-algned occurrence of the ubtrng S n M r+1 m 1 1, and adopt the conventon that µ 2 (M1 0) = 0. Snce we can only have an (j, V r 1 )-accdent when M j 1 M 1 r we have N r = m r µ 2 (M1 r ). For > r, a (, V r 1 )-accdent poble and wll reult n V r 1 {V1 r+ 1 } only f M1 +1 = X M r for ome X M1 r 1. Now wth beng a wldcard tandng for an arbtrary block we have N r 1 = µ 2 ( M1 r) µ 2(M1 r 1 r ). In general, for j [1..r 1] we have N j = µ 2 ( M j+1 r 1 ) µ 2 (M j r 1 ) and N 0 = µ 2 ( M1 1 r ). Now, a µ 2 ( S) µ 2 (S) for any S, we get r N j m 1 r. j=0 Lemma 20 Let n, m 1, m 2 1. Let M 1 m 1 n, M 2 m 2 n wth pf(m 1, M 2 ) = fale. Let p = cpl(m 1, M 2 ). Then φ M1,M 2 [V m 2 2 {V p+1 1 } NoLoop] m 1. Proof of Lemma 20: The condton that NoLoop true mean that the nether the M 1 - nor the M 2 -path make a loop. Thu the only poblty to get V m 2 2 {V p+1 1 } here to have an (j, )-accdent for ome p < m 1 and m 1 + p < j where M +m j 1 = X M j+1 m 2 2 for an X M j 2. Let N j denote the number of thoe cae. Let µ 3 (S) denote the number of block-algned occurrence of the ubtrng S n M p+1 m 1. Then for j = m 2 we have and for j = m 2 1 we get and n general for p + 1 j < m 2 N m2 = m p µ 3 (M m 2 2 ) N m 1 = µ 3 ( M m 2 2 ) µ 3 (M m 2 1 m 2 2 ) N j = µ 3 ( M j+1 m 2 2 ) µ 3 (M j m 2 2 ) 19

20 Now a µ 3 ( S) µ 3 (S), we get φ M1,M 2 (V m 2 2 {V p+1 1 } NoLoop) = m 2 j=p+1 N j m p. cknowledgment art Preneel wa the frt we heard to ak, back n 1994, f the m 2 term can be mproved n the CC MC bound of m 2 q 2 /2 n. Reference [1] M. ellare, O. Goldrech, and. Mtyagn. The power of verfcaton quere n meage authentcaton and authentcated encrypton. Cryptology eprnt rchve: Report 2004/309. [2] M. ellare, J. Klan, and P. Rogaway. The ecurty of the cpher block channg meage authentcaton code. Journal of Computer and Sytem Scence (JCSS), vol. 61, no. 3, pp , Earler veron n Crypto 94. [3] M. ellare, K. Petrzak, and P. Rogaway. Improved ecurty analye for CC MC. Prelmnary veron of th paper, dvance n Cryptology CRYPTO 05, Lecture Note n Computer Scence Vol., V. Shoup ed., Sprnger-Verlag, [4] M. ellare and P. Rogaway. The game-playng technque. Cryptology eprnt rchve: Report 2004/331. [5]. erendchot,. den oer, J. oly,. oelaer, J. randt, D. Chaum, I. Damgård, M. Dchtl, W. Fumy, M. van der Ham, C. Janen, P. Landrock,. Preneel, G. Roelofen, P. de Rooj, and J. Vandewalle. Fnal Report of Race Integrty Prmtve. Lecture Note n Computer Scence, vol. 1007, Sprnger-Verlag, 1995 [6] R. erke. On the ecurty of terated MC. Dploma The, ETH Zürch, ugut [7] J. lack and P. Rogaway. CC MC for arbtrary-length meage: the three-key contructon. dvance n Cryptology CRYPTO 00, Lecture Note n Computer Scence Vol. 1880, M. ellare ed., Sprnger-Verlag, [8] Y. Dod. Peronal communcaton to K. Petrzak [9] Y. Dod, R. Gennaro, J. Håtad, H. Krawczyk, and T. Rabn. Randomne extracton and key dervaton ung the CC, Cacade, and HMC mode. dvance n Cryptology CRYPTO 04, Lecture Note n Computer Scence Vol. 3152, M. Frankln ed., Sprnger-Verlag, [10] G. Hardy and E. Wrght. n Introducton to the Theory of Number. Oxford Unverty Pre, [11] E. Jaulme,. Joux, and F. Valette. On the ecurty of randomzed CC-MC beyond the brthday paradox lmt: a new contructon. Fat Software Encrypton 02, Lecture Note n Computer Scence Vol. 2365, J. Daemen, V. Rjmen ed., Sprnger-Verlag,

21 [12] J. Klan and P. Rogaway. How to protect DES agant exhautve key earch (an analy of DESX). Journal of Cryptology, vol. 14, no. 1, pp , Earler veron n Crypto 96. [13] U. Maurer. Indtnguhablty of random ytem. dvance n Cryptology EUROCRYPT 02, Lecture Note n Computer Scence Vol. 2332, L. Knuden ed., Sprnger-Verlag, [14] Natonal Inttute of Standard and Technology, U.S. Department of Commerce, M Dworkn, author. Recommendaton for block cpher mode of operaton: the CMC mode for authentcaton. NIST Specal Publcaton , May [15] E. Petrank and C. Rackoff. CC MC for real-tme data ource. Journal of Cryptology, vol. 13, no. 3, pp , [16] V. Shoup. Sequence of game: a tool for tamng complexty n ecurty proof. Cryptology eprnt report 2004/332, [17] S. Vaudenay. Decorrelaton over nfnte doman: the encrypted CC-MC cae. Communcaton n Informaton and Sytem (CIS), vol. 1, pp , [18] M. Wegman and L. Carter. New clae and applcaton of hah functon. Sympoum on Foundaton of Computer Scence (FOCS), pp , Proof of Lemma 4 Let atk q,n,m. We wh to bound dv ECC () = Pr[ ECCπ 1,π 2 1] Pr[ f 1] where $ π 1, π 2 Perm(n) and f $ Func(n). We realze ECC by the game W1 that follow th paragraph: Pr[ ECCπ 1,π 2 1] = Pr[ W1 1]. Defne game W0 from game W1 by droppng the (haded) tatement that mmedate follow the ettng of bad at lne 12 and 13. Oberve that Pr[ f 1] = Pr[ W0 1]. Thu dv ECC () = Pr[ W1 1] Pr[ W0 0] and, by the fundamental lemma of game playng, dv ECC () Pr[ W0 et bad ]. We now bound th quantty. Intalze Game W1 (a wrtten) and W0 (omt haded tatement) $ 00 π 1 Perm(n), π 2 (X) undefned for all X {0, 1} n, bad fale On query M 10 X CC π1 (M) 11 Y $ {0, 1} n 12 f Y Ran(π 2 ) then bad true, Y $ Ran(π 2 ) 13 f X Dom(π 2 ) then bad true, Y π 2 (X) 14 return π 2 (X) Y The probablty that bad get et at lne 12 of game W0 at mot ( (q 1))/2 n = 0.5q(q 1)/2 n. The probablty that bad get et at lne 13 of game W0 at mot ( q 2) δ where δ the maxmum of the probablty that ome two quere M and M collde under CC π1. Note that game W0 provde to the adverary no nformaton about π 1, and o δ CP atk n,m. Concludng, we have that Pr[ W2 et bad ] 0.5q(q 1)/2 n + 0.5q(q 1) CP atk n,m and the lemma follow. Proof of Lemma 8 Lke n ecton 6 we let n 1, t 1, M = {M 1,..., M t }, each M = M 1 M m m n. For 1 j t : m j = j =1 m and m = m t. The defnton of tructure graph G(M) and accdent 21

22 V l 3 V h 3 M 1 M 2 M 3 M 4 H V 0 V 1 V M 2 V 4 V 5 6 V0 h V1 h V2 h M 4 M 2 Ĥ V0 l V1 l V2 l V4 h V5 h M 5 M 6 V4 l V5 l Fgure 9: tructure graph H G(M 1 M 2 M 6, M 7 M 8 ) and the correpondng Ĥ (the econd meage M 7 M 8 drawn by the dotted lne). To llutrate the proof of the lemma, note that here we have I H = {0, 1, 2, 4, 5} and CoCo(Ĥ) = 3. Thoe component are gven by the ubgraph nduced by the vertex et {V0 h }, {V0 l, V1 h, V2 l, V5 h, V4 l } and {V1 l, V2 h, V5 l, V4 h }. Let P 1 and P 2 denote the latter two component repectvely, then I 1 = {0, 2, 4}, I 2 = {1, 5} and I1 = {2, 4}, I 2 = {5}, o I = {2, 4, 5}. For example n tep 5 I (ndcated by the thnk lne) the value C 5 (correpondng to the vertex V5 l ) revealed to u, and there only one poblty for C 5 to tay content wth Ĥ (.e. t mut atfy C 1 M 4 = C 5 M 6 ). acc are n ecton 6. We need ome new defnton for th ecton. From G G(M) we get the undrected bpartte graph Ĝ by plttng each V (G) nto two vertce V l and V h uch that the vertex V l keep the outgong edge and V h keep the ngong edge (cf. fgure ). So the drected edge (V, V j ) E(G) map to the undrected edge (V l, V j h) E(Ĝ). For a graph G we denote wth CoCo(G) the number of connected component of G. The number of accdent of a graph G G(M), denoted acc(g), We ll later how that th ndeed the number of accden.e. acc(g) = V (G) CoCo(Ĝ) + 1 (13) Clam 21 For any G G(M), acc a defned above and cc a defned n eq.(5) Wth the above Clam we can tate Lemma 8 a Proof of Lemma 8: of the bpartte graph Ĥ. acc(g) = cc(g) Pr[G $ G(M) : G = H] (2 n m) acc(h) (14) Let V l = {V l : I H } and V h = {V h : I H } denote the two partton 22

23 The vertex V 0 V (H) omewhat pecal, and we mut conder the two cae where n H (V 0 ), the ndegree of V 0, 0 and when t > 0 eparately. We frt prove the cae where n H (V 0 ) = 0. t the end of the proof we wll decrbe how to adapt the proof for H where n H (V 0 ) > 0. Let c = CoCo(Ĥ) 1 and P 1,..., P c denote the connected component of Ĥ wthout the component buld by the olated vertex V0 h (V 0 h olated a n H(V 0 ) = 0). Let I = {j : Vj l P } (o the I 1,..., I c are a partton of I H ) and I = I \ mn{, I }. We now upper bound the probablty that Pr[G $ G(M) : G = H], or equvalently Pr[π $ Perm(n) : G M π = H] whch agan equvalent to Pr[π $ Perm(n) : Ĝ M π = Ĥ]. ume a π $ Perm(n) ampled (but not hown to u). Now n m tep the value C 1,..., C m are revealed to u, we ay that we are content after tep f Pr[ĜM π = Ĥ C 0,..., C ] > 0.e. gven the value C 0,..., C there a non-zero probablty that fnally ĜM 1,...,M t π = Ĥ. Now we clam the followng, for each I the followng true: the probablty that we are content after tep, condtoned on beng content after tep 1, at mot (2 n m) 1. The lemma then follow a I = I1 I c = I H c = V (H) (CoCo(Ĥ) 1) = acc(h). (15) We prove the above clam. Conder any Ij I and C 0,..., C 1 whch are content wth Ĥ. ume that π ndeed uch that ĜM π = Ĥ, then ĜM π ha a connected component P j lke Ĥ. In tep at leat one C k where k I j (namely {k} = I j \ Ij ) already determned, and th C k unquely determne all other C x where x I j (and n partcular = x). So we know the value C = π(c 1 M ) whch wll be expoed to u n th th tep, let X denote th value. ut wthout the aumpton that ĜM π = Ĥ we have two poblte 1. If C 1 M = C j 1 M j for ome j < then alo C = C j. ut th mean that [] bg M π = [j] bg M π but a a I H we have [] H = > j [j] H and thu ĜM π Ĥ. 2. If for all j < we have C 1 M C j 1 M j then the value π(c 1 M ) jut unformly random over {0, 1} n \{C 1,..., C 1 }, and the probablty that C = π(c 1 M ) = X, whch a we jut howed the only poblty not to become ncontent, at mot (2 n ) 1. Th conclude the proof for the cae n H (V 0 ) = 0, we now decrbe how to adapt the proof for the cae n H (V 0 ) > 0. Now let c = CoCo(Ĥ) (not CoCo(Ĥ) 1 a before) and P 1,..., P c denote all the connected component of Ĥ. Let the I, I and I be defned a before except that we add a value z to I where z = mn{j : j > 0, V j = V 0 } the frt tep n whch we come back to the vertex V 0 (note that (15),.e. I = acc(h), tll atfed). We now how that lke for all other value n I alo for z t true that aumng that we are content after tep z 1, we wll be content after tep z (whch hold ff π(c z 1 M z) = C 0 = 0 n ) wth probablty at mot (2 n z) 1. The reaon for th that although after the tep z 1 the vertex V 0 (whch ha alway the value C 0 = 0 n ) already there, t ha no ngong edge, o π 1 (C 0 ) not determned (.e. t unformly random over {0, 1} n \ {π 1 (C 1 ),..., π 1 (C z 1 )}), thu Pr[π(C z 1 M z) = 0 n ] < (2 n z) 1. Proof of Clam 21: Recall that for G G(M) we denote by G the ubgraph of G contanng the frt edge. We how acc(g) = cc(g) by nducton on for acc(g ) = cc(g ) (recall that G m = G). We leave t to the reader to verfy the anchor acc(g 1 ) = cc(g 1 ). Now aume acc(g 1 ) = cc(g 1 ) and recall that acc(g ) = V (G ) CoCo(Ĝ)