In CRYPTO’03, Patarin conjectured a lower bound on the number of distinct solutions $(P_1,\ldots,P_q)\in(\{0,1\}^n)^q$ to a system of equations of the form $X_i\oplus X_j=\lambda_{i,j}$ such that $P_1,P_2,\ldots,P_q$ are pairwise distinct. This result is known as the “$P_i\oplus P_j$ theorem for any $\xi_{\max}$”, or alternatively as mirror theory for general $\xi_{\max}$, and was later proved by Patarin in ICISC’05. Mirror theory for general $\xi_{\max}$ is a powerful tool for establishing high security guarantees for many blockcipher-based (or even ideal-permutation-based) designs. Unfortunately, the proof of the result contains gaps that are non-trivial to fix. In this work, we present the first complete proof of the $P_i\oplus P_j$ theorem for a wide range of $\xi_{\max}$, typically up to order $O(2^{n/4}/n)$. Furthermore, our proof is simplified by a new type of equation, dubbed the link-deletion equation, which roughly corresponds to half of the so-called orange equations of earlier works. As an illustration of our result, we also revisit the security proofs of two optimally secure blockcipher-based pseudorandom functions and the $n$-bit security proof of the six-round Feistel cipher, and provide updated security bounds.
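To make the objects in the abstract concrete, the following is an added example, not code from the paper or its authors. It models a system $X_i\oplus X_j=\lambda_{i,j}$ as a graph on the unknowns, rejects the two cases mirror theory excludes (a cycle, or two unknowns forced equal by a zero path sum), reads off $\xi_{\max}$ as the largest component size, counts the pairwise distinct solutions of a constructed toy system by brute force, and compares the count with the classical lower bound $(2^n)_{q'}/2^{nq}$ ($q'$ unknowns, $q$ equations, falling factorial in the numerator). That bound is the form in which the $P_i\oplus P_j$ theorem is usually stated in the literature; the abstract itself does not spell it out, and the toy system, its parameters and the function names are this example's own choices.

```python
from fractions import Fraction
from itertools import product
from math import prod


def components(num_unknowns, equations):
    """Build the graph whose vertices are the unknowns P_0..P_{q'-1} and whose
    edges are the equations P_i ^ P_j = lam.  Each component is returned as a
    dict vertex -> XOR of the lambdas on the path from the component's root,
    so fixing the root's value fixes every other value in the component.
    Raises if the system has a cycle or forces two unknowns to be equal; the
    second case has no pairwise distinct solution at all."""
    adj = {v: [] for v in range(num_unknowns)}
    for eid, (i, j, lam) in enumerate(equations):
        adj[i].append((j, lam, eid))
        adj[j].append((i, lam, eid))
    seen, comps = set(), []
    for root in range(num_unknowns):
        if root in seen:
            continue
        label = {root: 0}
        stack = [(root, None)]
        while stack:
            v, via = stack.pop()
            for w, lam, eid in adj[v]:
                if eid == via:          # do not walk back along the edge we came from
                    continue
                if w in label:          # reached an already-labelled vertex: a cycle
                    raise ValueError("cyclic system: mirror theory assumes a forest")
                label[w] = label[v] ^ lam
                stack.append((w, eid))
        if len(set(label.values())) != len(label):
            raise ValueError("degenerate system: two unknowns are forced equal")
        seen.update(label)
        comps.append(label)
    return comps


def is_admissible(num_unknowns, equations):
    """True iff the system is a forest in which no two unknowns are forced equal."""
    try:
        components(num_unknowns, equations)
        return True
    except ValueError:
        return False


def xi_max(comps):
    """xi_max is the size of the largest component, the parameter the theorem is stated in."""
    return max(len(c) for c in comps)


def count_distinct_solutions(n, comps):
    """Exact count of assignments of n-bit values to all unknowns that satisfy
    every equation and are pairwise distinct.  One free root value per
    component, so this enumerates (2^n)^alpha candidates; fine for toy n."""
    N = 1 << n
    total = 0
    for roots in product(range(N), repeat=len(comps)):
        values = [r ^ x for r, comp in zip(roots, comps) for x in comp.values()]
        if len(set(values)) == len(values):
            total += 1
    return total


def mirror_lower_bound(n, num_unknowns, num_equations):
    """Classical mirror-theory lower bound (2^n)_{q'} / 2^{n q}: falling
    factorial over q' unknowns divided by 2^n per equation (assumed form)."""
    N = 1 << n
    return Fraction(prod(N - k for k in range(num_unknowns)), N ** num_equations)


# Constructed toy system (not from the paper), n = 4: a 3-star {P0, P1, P2},
# which gives xi_max = 3, plus a 2-path {P3, P4}.  q' = 5 unknowns, q = 3
# equations, alpha = 2 components.
TOY_N = 4
TOY_UNKNOWNS = 5
TOY_EQUATIONS = [(0, 1, 0x1), (0, 2, 0x2), (3, 4, 0x5)]


def toy_demo():
    """Return (xi_max, exact solution count, lower bound) for the toy system."""
    comps = components(TOY_UNKNOWNS, TOY_EQUATIONS)
    count = count_distinct_solutions(TOY_N, comps)
    bound = mirror_lower_bound(TOY_N, TOY_UNKNOWNS, len(TOY_EQUATIONS))
    return xi_max(comps), count, bound


if __name__ == "__main__":
    xm, count, bound = toy_demo()
    print(f"xi_max={xm} solutions={count} bound={float(bound):.2f}")
```

For the toy system the brute-force count is 160 against a bound of about 127.97, so the bound holds with room to spare; the point of the theorem is that the same inequality survives as $n$, $q$ and $\xi_{\max}$ grow far beyond anything that can be enumerated, which is exactly where the proof gaps mattered.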
Cogliati, B., Dutta, A., Nandi, M., Patarin, J., & Saha, A. (2023). Proof of Mirror Theory for a Wide Range of ξmax. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 14007 LNCS, pp. 470–501). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-30634-1_16