Tight Multi-User Security Bound of DbHtS

Abstract. In CRYPTO'21, Shen et al. proved that the Two-Keyed-DbHtS construction is secure up to 2^{2n/3} queries in the multi-user setting, independent of the number of users. Here the underlying double-block hash function H of the construction is realized as the concatenation of two independent n-bit keyed hash functions (H_{K_h,1}, H_{K_h,2}), and the security holds under the assumption that each of the n-bit keyed hash functions is universal and regular. The authors also demonstrated the applicability of their result to the key-reduced variants of DbHtS MACs, including 2K-SUM-ECBC, 2K-PMAC_Plus and 2K-LightMAC_Plus, without requiring a domain separation technique, and proved 2n/3-bit multi-user security of these constructions in the ideal-cipher model. Recently, Guo and Wang invalidated the security claim of Shen et al.'s result by exhibiting three constructions, each an instantiation of the Two-Keyed-DbHtS framework, such that each of their n-bit keyed hash functions is O(2^{-n})-universal and regular, while the constructions themselves are secure only up to the birthday bound. In this work, we show a sufficient condition on the underlying double-block hash (DbH) function under which we prove an improved 3n/4-bit multi-user security of the Two-Keyed-DbHtS construction in the ideal-cipher model. More precisely, we show that if each of the n-bit keyed hash functions is universal, regular, and cross-collision resistant, then the construction achieves the desired security. As an instantiation, we show that the two-keyed Polyhash-based DbHtS construction is multi-user secure up to 2^{3n/4} queries in the ideal-cipher model. Furthermore, due to the generic attack on DbHtS constructions by Leurent et al. in CRYPTO'18, our derived bound for the construction is tight.


Introduction
Hash-then-PRF [34] (or HtP) is a well-known paradigm for designing variable input-length PRFs, in which an input message of arbitrary length is hashed and the hash value is encrypted through a PRF to obtain a short tag. Most popular MACs, including CBC-MAC [3], PMAC [10], OMAC [20] and LightMAC [24], are designed using the HtP paradigm. Although the method is simple, in particular being deterministic and stateless, the security of MACs following the HtP paradigm is capped at the birthday bound due to the collision probability of the hash function. Birthday bound-secure constructions are acceptable in practice when any of these MACs is instantiated with a block cipher of moderately large block size. For example, instantiating PMAC with AES-128 permits roughly 2^48 queries (using the 5q^2/2^n bound of [31]) when the longest message size is 2^16 blocks, and the success probability of breaking the scheme is restricted to 2^{-10}. However, the same construction becomes vulnerable if instantiated with some lightweight (smaller block size) block cipher, whose number has grown tremendously in recent years, e.g. PRESENT [11], GIFT [1], LED [16], etc. For example, PMAC, when instantiated with the PRESENT block cipher (a 64-bit block cipher), permits only about 2^16 queries when the longest message size is 2^16 blocks and the probability of breaking the scheme is 2^{-10}. Therefore, it becomes risky to use birthday bound-secure constructions instantiated with lightweight block ciphers. In fact, in a large number of financial sectors, web browsers still widely use the 64-bit block cipher 3-DES instead of AES in their legacy applications for backward compatibility, as using the latter in corporate mainframe computers is more expensive. However, this does not give adequate security if the mode in which 3-DES is used provides only birthday bound security, and hence a beyond-birthday-bound secure mode solves the issue.
Although many secure practical applications use the standard AES-128, which provides 64-bit security in a birthday bound-secure mode, and this is adequate for current technology, it may not remain so in the near future. In such a situation, using a mode with beyond-birthday-bound security, instead of replacing the cipher with one of a larger block size, is a better option.

Double-Block Hash-then-Sum. Many studies have tried to tweak the HtP design paradigm to obtain beyond-birthday-bound secure MACs; while they retain a similar structural design, the internal state of the hash function is doubled, and the two n-bit hash values are first encrypted and then xored together to produce the output. In [36], Yasuda proposed a beyond-birthday-bound secure deterministic MAC called SUM-ECBC, a rate-1/2 sequential mode of construction with four block cipher keys. Following this work, Yasuda [37] came up with another deterministic MAC called PMAC_Plus; unlike SUM-ECBC, PMAC_Plus is a rate-1 parallel mode of construction with three block cipher keys. Zhang et al. [38] proposed another rate-1 beyond-birthday-bound secure deterministic MAC called 3kf9 with three block cipher keys. In [30], Naito proposed LightMAC_Plus, a rate-(1 − s/n) parallel mode of operation, where s is the size of the block counter. The structural design of all these constructions first applies a 2n-bit hash function to the message, then the two n-bit output values are encrypted and xored together to produce the tag, where n is the block size of the block cipher. Moreover, all of them give 2n/3-bit security. In FSE 2019, Datta et al. [14] proposed a generic design paradigm dubbed double-block hash-then-sum, or DbHtS: the two n-bit halves of H_{K_h}(M) are each encrypted and the results are xored together to produce the tag, where H_{K_h} is a double-block hash function that maps an arbitrary-length string to a 2n-bit string.
Within this unified framework, they revisited the security proofs of existing DbHtS constructions, including PolyMAC [21], SUM-ECBC [36], PMAC_Plus [37], 3kf9 [38] and LightMAC_Plus [30], as well as their two-keyed versions [14], and confirmed that all these constructions are secure up to 2^{2n/3} queries when instantiated with an n-bit block cipher. In CRYPTO 2018, Leurent et al. [22] proposed a generic attack on all these constructions using 2^{3n/4} (short message) queries, leaving a gap between the upper and lower bounds on the provable security of DbHtS constructions. Recently, Kim et al. [21] improved the bound of DbHtS constructions from 2^{2n/3} to 2^{3n/4}. They showed that if the underlying 2n-bit hash function is the concatenation of two independent n-bit universal hash functions, then the resulting DbHtS paradigm is secure up to 2^{3n/4} queries. They also improved the security bounds of PMAC_Plus, 3kf9 and LightMAC_Plus from 2^{2n/3} to 2^{3n/4} and hence closed the gap between the upper and lower bounds on the provable security of DbHtS constructions.
Multi-user security of DbHtS. We have so far discussed the security bounds of DbHtS constructions in which adversaries are given access to some keyed oracles for a single unknown, randomly sampled key. Such a model is known as the single-user security model, i.e. the adversary interacts with one specific machine in which the cryptographic algorithm is deployed and tries to compromise its security. However, in practice, cryptographic algorithms are usually deployed in more than one machine. For example, AES-GCM [25,26] is now widely used in the TLS protocol to protect web traffic and is currently used by billions of users daily. Thus, the security of DbHtS constructions in the multi-key setting is worth investigating; in other words, we ask to what extent the number of users affects the security of DbHtS constructions, where adversaries are successful if they compromise the security of one out of many users. That means the adversary's winning condition is a disjunction of single-key winning conditions. The notion of multi-user (mu) security was introduced by Biham [8] in symmetric cryptanalysis and by Bellare, Boldyreva, and Micali [2] in the context of public-key encryption. In the multi-user setting, attackers have access to multiple machines such that a particular cryptographic algorithm F is deployed in each machine with independent secret keys. An attacker can adaptively distribute its queries across these machines with independent keys. Multi-user security considers attackers that succeed in compromising the security of at least one of the machines. Multi-user security for block ciphers is different from multi-user security for modes. In the single-key setting, the best attacks against block ciphers such as AES do not improve with increased data complexity. However, in the multi-key environment, they do, as first observed by Biham [8] and later refined as a time-memory-data trade-off by Biryukov et al. [9].
These results demonstrate how one can take advantage of the fact that recovering one block cipher key out of a large group of keys is much easier than targeting a specific key. The same observation applies to any deterministic symmetric-key algorithm, as done for MACs by Chatterjee et al. [13]. A more general result guarantees that the multi-user advantage of an adversary against a cryptographic algorithm is at most u times its single-user advantage. Therefore, for any cryptographic algorithm, a multi-user security bound involving a factor u is easily established by a hybrid argument that bounds the adversarial success probability by roughly u times its single-user advantage. Bellare and Tackmann [5] first formalized multi-user secure authenticated encryption and also analyzed countermeasures against multi-key attacks in the context of TLS 1.3. However, they derived a security bound that also contains the factor u. Such a bound implies a significant security drop of the construction when the number of users is large, and in fact this is precisely the situation faced in large-scale deployments of AES-GCM such as TLS. As evident from [4,5,12,18,19,23,29], it is a challenging problem to study the security degradation of cryptographic primitives with the number of users, even when their security is known in the single-user setting. Studies of the multi-user security of MACs are somewhat scarce in the literature, except for the work of Chatterjee et al. [13], a very recent work of Morgan et al. [28], and Bellare et al. [6]. The first two consider a generic reduction for MACs, in which the security of the primitive in the multi-user setting is derived by multiplying the single-user security by the number of users u. In CRYPTO'21, Shen et al. [33] analyzed the security of DbHtS in the multi-user setting.
It is worth noting here that by applying the generic reduction from the single-user to the multi-user setting, the security bound of DbHtS would be capped at worse than the birthday bound, i.e. uq^{4/3}/2^n, when each user makes a single query and the number of users reaches q. Thus, a direct analysis was needed to derive the multi-user bound of the construction. Shen et al. [33] have shown that in the multi-user setting, the two-keyed DbHtS paradigm (two-keyed stands for one hash key and one block cipher key) is secure up to 2^{2n/3} queries in the ideal-cipher model when the 2n-bit double-block hash function is the concatenation of two independent n-bit keyed hash functions H_{K_h,1} and H_{K_h,2}. In particular, they have shown that if both H_{K_h,1} and H_{K_h,2} are O(2^{-n})-regular and O(2^{-n})-universal, then the multi-user security of the two-keyed DbHtS is bounded by an expression in q, p, the maximum message length, n and k (stated in [33]), where q is the total number of MAC queries across all u users, p is the total number of ideal-cipher queries, the maximum message length is the maximum number of message blocks among all queries, and n, k are the block size and the key size of the block cipher, respectively. Note that this bound is independent of the number of users u, which can be adaptively chosen by the adversary and can grow as large as q.

Issue with the CRYPTO'21 Paper [33]
In this section, we discuss three issues with [33]. The first two issues examine flaws in the security analysis of the construction and the last issue points out a flawed security claim of the construction. We begin by identifying the first issue.
1. The Two-Keyed-DbHtS framework was proven to be multi-user secure up to 2^{2n/3} queries in the ideal-cipher model [33] under the assumption that each of the underlying independent n-bit keyed hash functions is O(2^{-n})-universal and regular. As an instantiation of the framework, the authors proved 2n/3-bit multi-user security of 2K-SUM-ECBC, 2K-LightMAC_Plus and 2K-PMAC_Plus in the ideal-cipher model, where the underlying DbH function of each of these three constructions is based on block ciphers. In the security proof of these instantiated constructions, the authors bounded the regular and universal advantages of the corresponding DbH functions (i.e., the DbH of 2K-SUM-ECBC, 2K-LightMAC_Plus and 2K-PMAC_Plus) by a term of the order of 2^{-n} times the maximum number of message blocks among all queries. Now, one of the natural assumptions in the PRF-security proof of block cipher based DbHtS constructions in the ideal-cipher model is that the adversary is allowed to query the underlying block cipher used in the DbH function of the DbHtS construction. However, in [33], the authors proved the security of the 2K-SUM-ECBC, 2K-LightMAC_Plus and 2K-PMAC_Plus constructions without taking this into account. In particular, they derived bounds on the regular and universal advantages of the underlying double-block hash functions of 2K-SUM-ECBC, 2K-LightMAC_Plus and 2K-PMAC_Plus in a setting where the adversary does not make any primitive query to the underlying block cipher of the corresponding hash function. This differs from bounding the regular and universal advantages of a double-block hash function under the assumption that the adversary is allowed to make primitive queries to its underlying block cipher. The reason is that, in the conventional definition of the universal (resp. regular) advantage of a keyed hash function, no computationally bounded adversary, without knowing the hash key, can output a pair of messages (resp. a message M and an arbitrary value Y from the range of the hash function) such that their hash values collide (resp. such that the hash function maps M to the designated value Y), except with small probability. On the other hand, the universal (resp. regular) advantage of a block cipher based keyed hash function H^E in the ideal-cipher model is defined with respect to an adversary that first interacts with the underlying block cipher E of H^E. This definition of the regular advantage (resp. universal advantage) says that after the adversary interacts with the block cipher E, E^{-1} under some chosen keys and commits to (M, Y) (resp. commits to a pair of messages (M, M')), the probability that the hash function maps M to Y (resp. that the hash values of M and M' collide) is small. To illustrate the flaw in the analysis of [33], consider the example of 2K-LightMAC_Plus: while bounding the probability of the relevant bad event, the authors simply assumed that at least one of the variables Y in the corresponding equation is fresh, thus providing sufficient entropy to bound the event. However, the authors missed the fact that the existence of such a variable Y is not always guaranteed in the ideal-cipher model. For example, suppose an adversary makes the following three forward primitive queries with a chosen ideal-cipher key J:
   (i) a forward query with (x 1 s ) and obtains y_1;
   (ii) a forward query with (x 1 s ) and obtains y_2;
   (iii) a forward query with (x 2 s ) and obtains y_3.
   Let us assume that the (albeit probabilistic) event y_1 ⊕ y_2 ⊕ y_3 = 0 occurs. Suppose the adversary makes two more construction queries: the first with (x) and the second with (x x). Then, if the block cipher key K used in the construction collides with the chosen ideal-cipher key J, one cannot find any fresh variable Y in the resulting equations. Therefore, to prove the security of such block cipher based DbHtS constructions in the ideal-cipher model, one needs to take into account that the regular or universal advantage of the underlying double-block hash functions must be bounded under the assumption that the adversary makes primitive queries to the underlying block cipher. We therefore believe that to prove the security of these constructions in the ideal-cipher model for block cipher based DbH functions, one needs to provide a generalized definition of the universal and regular advantages in the ideal-cipher model and prove security under this definition, which is missing in [33].
2. The second issue concerns the good transcript analysis of the Two-Keyed-DbHtS construction. In Fig. 4 of [33], the authors first identify the set F(J) of pairs (i, a) such that Σ^i_a, Θ^i_a do not collide with the input of any forward ideal-cipher query whose chosen ideal-cipher key collides with the i-th user key. They also define a set S(J), where |Ran(Φ_j)| ≥ 1. Then, for all (i, a) ∈ F(J), (W^i_a, X^i_a) is sampled from S(J) and set as the permutation output of Σ^i_a and Θ^i_a, respectively, i.e., P(Σ^i_a) ← W^i_a, P(Θ^i_a) ← X^i_a. Note that such an assignment is sound and satisfies P(Σ^i_a) ⊕ P(Θ^i_a) = T^i_a for all (i, a) ∈ F(J). Finally, they provide a lower bound on the cardinality of S(J) using Lemma 2, where Lemma 2 provides a lower bound ∆ on the cardinality of a different set S. Using ∆ as a lower bound on |S(J)| reveals a fallacy, as the two sets S and S(J) are not of the same size.
3. The third issue concerns the flawed security claim of the Two-Keyed-DbHtS construction in [33]. In Theorem 1 of [33], Shen et al. show that when the underlying double-block hash function of the Two-Keyed-DbHtS construction is the concatenation of two independent n-bit keyed hash functions, each of which is O(2^{-n})-universal and O(2^{-n})-regular, Two-Keyed-DbHtS achieves 2n/3-bit multi-user security in the ideal-cipher model. This claim has been falsified in a recent work by Guo and Wang [17], where the authors came up with three concrete double-block hash functions, each of which is the concatenation of two independent n-bit keyed hash functions, with each of these n-bit keyed hash functions meeting O(2^{-n})-universal and O(2^{-n})-regular advantages. However, plugging these hash functions into the Two-Keyed-DbHtS framework yields a birthday bound distinguishing attack. As a consequence, the security bound of the Two-Keyed-DbHtS construction, as proven in Theorem 1 of [33], stands flawed. We would like to mention here that the attack holds only for those instances of the Two-Keyed-DbHtS construction where the underlying DbH function is the concatenation of two independent n-bit hash functions without any domain separation. In fact, the authors of [17] were not able to show a birthday bound attack on 2K-PMAC_Plus and 2K-LightMAC_Plus, as the underlying DbH function of these two constructions is not merely the concatenation of two independent n-bit keyed hash functions. However, it is to be noted that since the double-block hash function of 2K-SUM-ECBC is the concatenation of two independent n-bit CBC functions, the attack of [17] applies to it.

Our Contribution
In this paper we prove that the Two-Keyed-DbHtS construction is multi-user secure up to 2^{3n/4} queries in the ideal-cipher model. To prove it, we first define the notion of a good double-block hash function: informally, the concatenation of two independent n-bit keyed hash functions is "good" if each has negligible universal and regular advantages and there is no cross-collision, i.e., the probability that the outputs of the two hash functions collide for any pair of messages M, M' is zero. We prove that if the underlying 2n-bit DbH function of the Two-Keyed-DbHtS construction is good, with each of the n-bit keyed hash functions being ε_reg-regular and ε_univ-universal, then the multi-user security of our construction in the ideal-cipher model is bounded as stated in Sect. 3, assuming q^{4/3} ≤ 2^n, p ≤ 2^{3k/4} and k ≥ n, where q is the total number of MAC queries across all u users, p is the total number of ideal-cipher queries, n is the block size of the block cipher, k_h is the size of the hash key and k is the key size of the block cipher of the construction. As an instantiation of the Two-Keyed-DbHtS framework, we prove that C2[PH-DbH, E], the Polyhash-based Two-Keyed-DbHtS construction that was proposed in [14] and proven secure up to 2^{2n/3} queries in the single-user setting, is multi-user secure up to 2^{3n/4} queries in the ideal-cipher model. The security proof of the construction crucially depends on a refined result of mirror theory over the abelian group ({0, 1}^n, ⊕), where one systematically estimates the number of solutions to a system of equations in order to prove the security of the finalization function of the construction up to 2^{3n/4} queries. Due to the attack of Leurent et al. [22] on the DbHtS paradigm with 2^{3n/4} queries, the multi-user security bound of our construction is tight.
How this paper departs from [33]. Our work departs from the result of Shen et al. [33] in two aspects. (i) The birthday bound attack of [17] does not apply to our choice of double-block hash function, by virtue of the definition of a good double-block hash function. (ii) Unlike [33], where the DbH function of the Two-Keyed-DbHtS was instantiated with a block cipher based DbH function, we instantiate the construction with an algebraic double-block hash function. The merit of this choice follows from the fact that an algebraic DbH function does not use any block cipher, and hence ideal-cipher queries give the adversary no leverage when bounding its regular and universal advantages.

Organization.
We have developed the required notations and security definitions of cryptographic primitives in Sect. 2. We demonstrate the construction and present its security bound in Sect. 3 and in Sect. 4, we prove the security of the construction. We instantiate the framework along with its security result in Sect. 5.

Preliminaries
General Notations. For a positive integer q, [q] denotes the set {1, . . . , q}, and for two natural numbers q_1, q_2 with q_2 > q_1, [q_1, q_2] denotes the set {q_1, . . . , q_2}. For a fixed positive integer n, we write {0, 1}^n to denote the set of all binary strings of length n and {0, 1}^* = ∪_{i≥0} {0, 1}^i to denote the set of all binary strings of arbitrary finite length. We refer to the elements of {0, 1}^n as blocks. For a pair of blocks x = (x_l, x_r), we write left(x) to denote x_l and right(x) to denote x_r. For any element x ∈ {0, 1}^*, |x| denotes the number of bits in x, and for x, y ∈ {0, 1}^*, x ‖ y denotes the concatenation of x followed by y. We denote the bitwise xor of x, y ∈ {0, 1}^n by x ⊕ y.
For x ∈ {0, 1}^n and a bit b, we also use the string obtained from x by fixing lsb(x) to b. Given a tuple x = (x_1, x_2, . . . , x_q) of n-bit binary strings, an element x_i of the tuple x is said to be non-fresh if there exists at least one j ≠ i such that x_j = x_i; otherwise x_i is fresh. Given a finite set S and a random variable X, we write X ←$ S to denote that X is sampled uniformly at random from S. We say that X_1, X_2, . . . , X_q are sampled with replacement (wr) from S, which we denote as X_1, X_2, . . . , X_q ←$ S, if for each i ∈ [q], X_i ←$ S. We also use this notation to denote that these random variables are sampled uniformly and independently from S. For a finite subset S of N, max S denotes the maximum-valued element of S. ∅ denotes the empty set. We write S ← ∅ to denote that S is defined to be an empty set. We also use the same notation Φ ← ∅ to denote that the function Φ is undefined at every point of its domain. Moreover, the notation Y ← X is used to denote the assignment of variable X to Y.
The set of all functions from X to Y is denoted by Func(X, Y). Similarly, the set of all permutations over X is denoted by Perm(X). When X = {0, 1}^n, we write Perm(X) simply as Perm. A function Φ is said to be a block function if it maps elements from an arbitrary domain to {0, 1}^n. The set of all block functions with domain X is denoted by Func(X). We call Φ a double-block function if it maps elements from an arbitrary set X to {0, 1}^n × {0, 1}^n. For a finite set X and an integer q, we write X^{(q)} to denote the set of all q-tuples of pairwise distinct elements of X.

Distinguishing Advantage
An adversary A is modeled as a randomized algorithm with access to an external oracle O. Such an adversary is called an oracle adversary. An oracle O is an algorithm that may be the cryptographic scheme being analyzed. The interaction between A and O, denoted by A^O, generates a transcript τ = {(x_1, y_1), (x_2, y_2), . . . , (x_q, y_q)}, where x_1, x_2, . . . , x_q are the q queries of A to the oracle O and y_1, y_2, . . . , y_q are the corresponding responses, i.e., y_i = O(x_i). We assume that A is adaptive, which means that x_i depends on the previous i − 1 responses.
Distinguishing Game. Let F and G be two random systems, and let an adversary A be given oracle access to either F or G. After interacting with an oracle O ∈ {F, G}, A outputs a bit; the event that A outputs 1 is denoted by A^O ⇒ 1. Such an adversary is called a distinguisher and the game is called a distinguishing game. The task of the distinguisher in a distinguishing game is to tell with which of the two systems it has interacted. The advantage of the distinguisher A in distinguishing the random system F from G is defined as
Adv^F_G(A) = |Pr[A^F ⇒ 1] − Pr[A^G ⇒ 1]|,
where the above probability is defined over the probability spaces of A and O. One can easily generalize this setting to a distinguisher interacting with multiple oracles, which are separated by commas. For example, Adv^{F_1,...,F_m}_{G_1,...,G_m}(A) denotes the advantage of A in distinguishing the oracles (F_1, . . . , F_m) from the oracles (G_1, . . . , G_m), i.e.,
Adv^{F_1,...,F_m}_{G_1,...,G_m}(A) = |Pr[A^{F_1,...,F_m} ⇒ 1] − Pr[A^{G_1,...,G_m} ⇒ 1]|,
where the above probability is defined over the probability spaces of A and the oracles.

Block Cipher
A block cipher E : K × {0, 1}^n → {0, 1}^n is a function that takes a key k ∈ K and an n-bit input x ∈ {0, 1}^n and produces an n-bit output y such that for each key k ∈ K, E(k, ·) is a permutation over {0, 1}^n. K is called the key space of the block cipher and {0, 1}^n its input-output space. In shorthand notation, we write E_k(x) for E(k, x). Let BC(K, {0, 1}^n) denote the set of all n-bit block ciphers with key space K. We say that a block cipher E is a (q, ε, t)-secure strong pseudorandom permutation (SPRP) if for all distinguishers A that make a total of q queries to their oracles with running time at most t, the following holds:
Adv^{SPRP}_E(A) = |Pr[A^{E_K, E_K^{-1}} ⇒ 1] − Pr[A^{Π, Π^{-1}} ⇒ 1]| ≤ ε,
where the probability is defined over K ←$ K, Π ←$ Perm, and the randomness of the adversary A (if any).

PRF Security in the Ideal-Cipher Model
A keyed function family with key space K, domain X and range Y is a function F : K × X → Y. We define the pseudorandom security of F in the ideal-cipher model. We assume that F makes internal calls to a publicly evaluated block cipher E with more than one key. Typically, F is keyed with some key K and derives block cipher keys K_1, K_2, . . . , K_m as a function of K and other inputs (F can make internal calls to multiple block ciphers when all of them are independently and uniformly distributed over the set BC(K, {0, 1}^n)). For simplicity, we write F^E_K to denote F with a uniformly sampled block cipher E ←$ BC(K, {0, 1}^n), keyed by a randomly sampled key K ←$ K. The distinguisher A is given access to either (F^E_K, E^±) or (RF, E^±), where RF ←$ Func(X, Y) is a uniformly random function and E ←$ BC(K, {0, 1}^n) is a uniformly sampled n-bit block cipher to which A can make forward or inverse queries, denoted E^±. We define the prf-advantage of A against the keyed function family F in the ideal-cipher model as
Adv^{PRF-ICM}_F(A) = |Pr[A^{F^E_K, E^±} ⇒ 1] − Pr[A^{RF, E^±} ⇒ 1]|,   (1)
where the probability is defined over K ←$ K, E ←$ BC(K, {0, 1}^n), RF ←$ Func(X, Y) and the randomness of the adversary A (if any). We say that F is a (q, p, ε, t)-PRF in the ideal-cipher model if Adv^{PRF-ICM}_F(A) ≤ ε for all adversaries A that make q queries to F, p forward and inverse offline queries to E, and run for time at most t.

Multi-User PRF Security in the Ideal-Cipher Model
We assume there are u users in the multi-user setting, such that the i-th user executes F^E_{K_i}. Furthermore, the i-th user key K_i is independent of the keys of all other users. An adversary A has access to all u users as oracles. A makes queries of the form (i, M) to the i-th user and obtains T ← F^E_{K_i}(M). We call these construction queries. For i ∈ [u], we assume A makes q_i queries to the i-th oracle, where we assume that A is the deterministic adversary that achieves the maximum distinguishing advantage, and we bound the distinguishing advantage of our construction with respect to this adversary.
We also assume that A makes queries to the underlying block cipher E and its inverse with some chosen keys k_j. We call these primitive queries. Suppose A chooses s distinct block cipher keys (k_1, . . . , k_s) and makes p_j primitive queries to the block cipher E with chosen key k_j for 1 ≤ j ≤ s. We call A a (u, q, p, t)-adversary against the multi-user PRF security of F in the ideal-cipher model, where q = q_1 + . . . + q_u is the total number of construction queries across all u users, p = p_1 + . . . + p_s is the total number of primitive queries to the block cipher E, and the total running time of A is at most t. We assume that for any i ∈ [u], A does not repeat any construction query to the i-th user. Similarly, A does not repeat any primitive query for any chosen block cipher key k_j to the block cipher E.
The advantage of A against the multi-user PRF security of F in the ideal-cipher model is defined as
Adv^{muPRF-ICM}_F(A) = |Pr[A^{(F^E_{K_1}, . . . , F^E_{K_u}), E^±} ⇒ 1] − Pr[A^{(RF_1, . . . , RF_u), E^±} ⇒ 1]|,
where the probability is defined over the u-tuple of independently sampled keys (K_1, . . . , K_u) ←$ K^u, the independent random functions RF_1, . . . , RF_u ←$ Func(X, Y), a randomly chosen block cipher E ←$ BC(K, {0, 1}^n) from the set of all block ciphers with k-bit key and n-bit input, and the randomness of the adversary (if any). We write Adv^{muPRF-ICM}_F(u, q, p, t) = max_A Adv^{muPRF-ICM}_F(A), where the maximum is over all (u, q, p, t)-adversaries A. In this paper, we skip the time parameter of the adversary, as we assume that the adversary is computationally unbounded. This also leads to the assumption that the adversary is deterministic. When u = 1, Adv^{muPRF-ICM}_F(1, q, p, t) boils down to the PRF distinguishing advantage of the keyed function family F in the ideal-cipher model as defined in Eqn. (1).
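The following Python code is an added example, not code from this paper, from [14] or from [33]; it makes the objects of the last few sections concrete: the DbHtS paradigm (two n-bit hash halves, each encrypted, results xored), the two-keyed variant with a Polyhash-based double-block hash of the kind instantiated as C2[PH-DbH, E], an ideal cipher that answers forward and inverse queries under adversary-chosen keys, and the oracles of the (u, q, p)-adversary above. Everything below is an assumption of the example rather than the paper's exact instantiation: Polyhash is evaluated over GF(2^128) with Horner's rule, messages are 10*-padded into 128-bit blocks, the two hash halves are domain-separated by fixing their least significant bit to 0 and 1 respectively (so a cross-collision between the halves is impossible by construction), the ideal cipher is lazily sampled from a seeded PRNG, and all keys are 128 bits (k = n).

```python
import random

N = 128                      # block size n; keys are also n bits, so k = n (assumption)
MASK = (1 << N) - 1
BLOCK_BYTES = N // 8


def gf_mul(a, b):
    """Multiply in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1 (the polynomial used by XTS and CMAC)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:                       # degree reached 128: reduce by the modulus
            a = (a ^ 0x87) & MASK
    return r


def to_blocks(msg):
    """Split a byte string into n-bit blocks after 10* padding (padding rule assumed for this example)."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK_BYTES)
    return [int.from_bytes(padded[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(padded), BLOCK_BYTES)]


def polyhash(key, blocks):
    """PH_K(M_1, ..., M_l) = M_1 K^l xor ... xor M_l K, evaluated with Horner's rule."""
    h = 0
    for m in blocks:
        h = gf_mul(h ^ m, key)
    return h


def fix_lsb(x, b):
    """The n-bit string x with its least significant bit fixed to b."""
    return (x & ~1) | b


def ph_dbh(kh, msg):
    """Double-block hash (Sigma, Theta) = (PH_{K1}(M) with lsb 0, PH_{K2}(M) with lsb 1).
    Fixing different lsbs is the assumed domain separation: the two halves can never cross-collide."""
    k1, k2 = kh
    blocks = to_blocks(msg)
    return fix_lsb(polyhash(k1, blocks), 0), fix_lsb(polyhash(k2, blocks), 1)


class IdealCipher:
    """Lazily sampled ideal cipher: every key indexes an independent uniform permutation of {0,1}^n."""

    def __init__(self, rng):
        self.rng, self.fwd, self.inv = rng, {}, {}

    def _tables(self, key):
        return self.fwd.setdefault(key, {}), self.inv.setdefault(key, {})

    def forward(self, key, x):
        f, g = self._tables(key)
        if x not in f:                   # sample a fresh output so E_key stays a permutation
            y = self.rng.getrandbits(N)
            while y in g:
                y = self.rng.getrandbits(N)
            f[x], g[y] = y, x
        return f[x]

    def inverse(self, key, y):
        f, g = self._tables(key)
        if y not in g:                   # sample a fresh preimage
            x = self.rng.getrandbits(N)
            while x in f:
                x = self.rng.getrandbits(N)
            f[x], g[y] = y, x
        return g[y]


def two_keyed_dbhts(E, kh, k, msg):
    """C2[PH-DbH, E](M) = E_K(Sigma) xor E_K(Theta): one hash key pair K_h and one block-cipher key K."""
    sigma, theta = ph_dbh(kh, msg)
    return E.forward(k, sigma) ^ E.forward(k, theta)


class MultiUserGame:
    """The oracles a (u, q, p)-adversary sees: construction queries (i, M) to user i and
    primitive (forward/inverse) queries to E under adversary-chosen keys J."""

    def __init__(self, u, seed=0):
        self.rng = random.Random(seed)   # seeded only so the example is reproducible
        self.E = IdealCipher(self.rng)
        self.keys = [((self.rng.getrandbits(N), self.rng.getrandbits(N)), self.rng.getrandbits(N))
                     for _ in range(u)]  # per user: independent (K_h = (K1, K2), K)
        self.q = self.p = 0              # query counters q (construction) and p (primitive)

    def construct(self, i, msg):
        self.q += 1
        kh, k = self.keys[i]
        return two_keyed_dbhts(self.E, kh, k, msg)

    def primitive(self, J, v, inverse=False):
        self.p += 1
        return self.E.inverse(J, v) if inverse else self.E.forward(J, v)


if __name__ == "__main__":
    game = MultiUserGame(u=3, seed=1)
    tag = game.construct(0, b"constructed sample message")
    print(f"user 0 tag: {tag:032x}")
    y = game.primitive(J=0x1234, v=5)
    print("inverse query consistent:", game.primitive(0x1234, y, inverse=True) == 5)
    print("queries made: q =", game.q, "p =", game.p)
```

The `MultiUserGame` object is the "real world" of the game only; an adversary's advantage would be measured against a second object answering construction queries with independent random functions, which is exactly the comparison Adv^{muPRF-ICM}_F(A) formalizes. Note that the primitive oracle is shared by all users and keyed by whatever J the adversary chooses, so a user's key K colliding with a chosen J is the event the issue of Sect. "Issue with the CRYPTO'21 Paper" revolves around.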

Security of a Keyed Hash Function
Let K_h and X be two non-empty finite sets. A keyed function H : K_h × X → {0, 1}^n is ε_axu-almost-xor universal (axu) if for any distinct x, x' ∈ X and for any ∆ ∈ {0, 1}^n,
Pr[K_h ←$ K_h : H_{K_h}(x) ⊕ H_{K_h}(x') = ∆] ≤ ε_axu.
Moreover, H is an ε_univ-universal hash function if for any distinct x, x' ∈ X,
Pr[K_h ←$ K_h : H_{K_h}(x) = H_{K_h}(x')] ≤ ε_univ.
A keyed hash function is said to be ε_reg-regular if for any x ∈ X and for any ∆ ∈ {0, 1}^n,
Pr[K_h ←$ K_h : H_{K_h}(x) = ∆] ≤ ε_reg.
Remark 2. We would like to note here that the above definitions of universal and regular keyed hash functions are stated in the standard model, in which no interaction with the adversary is needed. However, these two definitions would require the involvement of the adversary if the keyed hash functions are built on top of block ciphers and the security is analyzed in the ideal-cipher model.

Mirror Theory
Mirror theory is a collection of combinatorial results that give a lower bound on the number of solutions to a system of bivariate affine equations E over an abelian group ({0, 1} n , ⊕). We represent a system of equations by a simple graph G = (V, E) containing no loops or multiple edges, where each vertex denotes an n-bit unknown (for a fixed n), and we connect vertices P and Q with an edge labeled λ ∈ {0, 1} n if P ⊕ Q = λ ∈ E. For a path In this work, we focus on a graph G = (V, E) with certain properties as listed below: 1. G contains no isolated vertex, i.e., every vertex is incident with at least one edge.
2. The vertex set V is partitioned into two disjoint sets denoted by P and Q, where there are no edges within the vertex set in partition P or in partition Q. All edges connect a vertex in P to a vertex in Q. We call such graphs bipartition graphs.
3. G contains no cycle.
4. λ(L) ≠ 0 n for any path L in G.
Any bipartition graph G satisfying the above properties shall be called a good graph.
Note that a good bipartition graph G contains no cycle. Therefore, G can be decomposed into its connected components, all of which are trees; let for some α, β ≥ 0, where C i denotes a component of size greater than 2, and D i denotes a component of size 2. We write For a given good bipartite graph, we define an associated system of bivariate equations as follows: each vertex of the graph represents a variable in the associated system of equations. If there is an edge {P i , Q j } ∈ E with label λ ij , then we include the equation P i ⊕ Q j = λ ij in the associated system of equations.

Definition 1.
Let E G be a system of equations induced by a good bipartite graph G. An injective function Φ : We remark that assigning any value to a vertex in P allows the labeled edges to uniquely determine the values of all the other vertices in the component containing P , since G contains no cycle. Moreover, the values in the same component are all distinct as λ(L) ≠ 0 n for any path L. Let P be any path of even length , defined as follows: Without loss of generality, let us assume that the value assigned to the vertex P_{i_s} collides with the value assigned to the vertex P_{i_t} , where s < t. Let x be the value assigned to the vertex P_{i_s} . Then, the value assigned to the vertex P_{i_t} is By our assumption we have ∆ = x, which implies that contradicts the fact that the label of the path Hence, it is ensured that once a value is assigned to a vertex in a component, the values assigned to all the other vertices of the same component are distinct. Therefore, the number of possible assignments of distinct values to the vertices in G is P(2 n , |P| + |Q|). One may expect that when such an assignment is chosen uniformly at random, it satisfies all the equations in G with probability 2 −nq , where q denotes the number of edges (i.e., equations) in G. Indeed, we can prove that the number of solutions is close to P(2 n , |P| + |Q|)/2 nq , up to a certain error. Formally, we have the following result: Lemma 1. Let G be a good bipartition graph, and let q and q c denote the number of edges of G and C, respectively. Let v be the number of vertices of G. If q < 2 n /8, then the number of solutions to G, denoted h(G), satisfies We refer the reader to [21] for a proof of the lemma.

The Two-Keyed DbHtS Construction
In this section, we describe the Two-Keyed Double-block Hash-then-Sum or in short, We compose this DbH function with a very simple and efficient single-keyed xor function where E K is an n-bit block cipher and the block cipher key K is independent of the hash key (L 1 , L 2 ), to realize the Two-Keyed-DbHtS construction as follows: . We use the name Two-Keyed-DbHtS construction, as we count the hash key as one key and the xor function requires one key, which is independent of the hash key. Most of the beyond-birthday-bound secure variable input length PRFs like 2K-SUM-ECBC, 2K-PMAC_Plus and 2K-LightMAC_Plus are specific instantiations of the Two-Keyed-DbHtS paradigm. These constructions (with domain separation technique) have been proven secure up to 2 2n/3 queries in the standard model [14] for the single-user setting. Later, in [21], Kim et al. improved this bound to 2 3n/4 queries. In [33], all three constructions (without domain separation technique) have been proven secure up to 2 2n/3 queries in the ideal-cipher model for the multi-user setting. We note here that as the xor function is not a PRF over two blocks, we cannot apply the traditional Hash-then-PRF composition result directly to analyze the security of the Two-Keyed-DbHtS construction. Thus, we need a different type of composition result for the security analysis of the Two-Keyed-DbHtS construction, one that utilizes stronger security properties of its underlying DbH function than only the universal or regular property. Definition 2. Let H 1 : K h ×{0, 1} * → {0, 1} n and H 2 : K h ×{0, 1} * → {0, 1} n be two n-bit keyed hash functions. We say that the double-block hash function H : (2) is good if it satisfies the following conditions: • H 1 is a family of reg -regular and univ -universal functions.
• H 2 is a family of reg -regular and univ -universal functions. The first two conditions imply that the regular and universal advantages of both the hash functions should be negligible, whereas the last condition indicates that the first hash output for any message cannot collide with the second hash output. Having defined the Two-Keyed-DbHtS construction, we now state and prove its security. For the sake of brevity, we refer to the Two-Keyed-DbHtS construction C 2 [H, E] (L1,L2,K) by simply C 2 without mentioning the underlying hash function, the block cipher and their associated keys.
Theorem 1. Let k, k h and n be three positive integers and M be a non-empty finite set.
2n be a good double-block hash function as defined in Eqn. (2). Then any computationally unbounded distinguisher making a total of q construction queries across all u users (see footnote 8) and a total of p primitive queries to the block cipher E can distinguish C 2 from an n-bit uniform random function with prf advantage By assuming q 4/3 ≤ 2 n , p ≤ 2 3k/4 , and k ≥ n, we have: Remark 3. We would like to mention that the last condition of the definition of a good hash function, i.e., the cross-collision condition of the hash function, rules out the possibility of mounting birthday bound attacks on the Two-Keyed-DbHtS construction. As a result of Theorem 1, the attack of Guo and Wang [17] does not apply.

Proof of Theorem 1
We consider a computationally unbounded non-trivial deterministic distinguisher A that interacts with a pair of oracles in either the real world or the ideal world, described as follows: in the real world, A is given access to u independent instances of the Two-Keyed-DbHtS construction, i.e., to a tuple of u oracles ( is an ideal block cipher. Additionally, A has access to the oracle E ± , underneath the construction C 2 . In the ideal world, A is given access to (i) a tuple of u independent random functions (RF 1 , . . . , RF u ), where each RF i is a random function from {0, 1} * to {0, 1} n that can be equivalently described as a procedure that returns an n-bit uniform string on input of any arbitrary message, and (ii) the oracle E ± , where E ←$ BC(K, {0, 1} n ) is an ideal block cipher, sampled independently of the sequence of u independent random functions. In both worlds, the first oracle is called the construction oracle and the latter the ideal cipher oracle. Using the ideal cipher oracle, a distinguisher A can evaluate any query x under its chosen key J (see footnote 8). A query to the construction oracle is called a construction query and a query to the ideal cipher oracle is called an ideal cipher query. Note that A can make either forward ideal cipher queries (i.e., it evaluates E with a chosen key and input) or inverse ideal cipher queries (i.e., it evaluates E −1 with a chosen key and input). The ideal oracle is depicted in Fig. 4.1 and Fig. 4.2.

Footnote 8: We have assumed u to be the total number of "queried" users. The total number of available users may be more than the number of queried users. However, the information of the set of non-queried users is independent of the transcript, and hence the presence of non-queried users does not affect the security bound of the construction.

Description of the Ideal World
The ideal world consists of two phases: (i) the online and (ii) the offline phase. Before the game begins, we sample u independent functions f 1 , f 2 , . . . , f u uniformly at random from the set of all functions Func({0, 1} * , {0, 1} n ) that map an arbitrary-length string to an n-bit string. We also sample an n-bit block cipher E from the set of all block ciphers with a k-bit key and an n-bit input. In the online phase, when the distinguisher makes the a-th construction query M i a for the i-th user to the construction oracle, it returns . Similarly, if the distinguisher makes a forward (resp. inverse) primitive query with a chosen block cipher key J and an input x to the ideal cipher oracle, it returns E(J, x) (resp. E −1 (J, x)). However, if any response to the construction queries is the all-zero string 0 n , then the bad flag Bad-Tag is set to 1 and the game is aborted.
[Fig. 4.1, primitive queries: on the α-th forward query with chosen key J j and input u j α , return v j α ← E J j (u j α ); on the α-th backward query with chosen key J j and input v j α , return the corresponding input u j α .] Whenever a bad event is set to 1, the ideal oracle immediately aborts (denoted as ⊥) and returns the remaining values of the transcript in an arbitrary manner. So, if the game aborts for some bad event, then its previous bad events must not have occurred.
After this interaction is over, the offline phase begins. In this phase, we sample u pairs of dummy hash keys (L i is the left (resp. right) hash key for the i-th user and K i is its block cipher key. If the block cipher key and the left (resp. right) hash key of the i 1 -th user collide with the block cipher key and the left (resp. right) hash key of the i 2 -th user, then we set the flag BadK to 1 and abort the game. If the game is not aborted, then we can compute a pair of 2n-bit hash values (Σ i a , Θ i a ) for all queries across u users, where we often refer to Σ i a ← H 1 Now, if the block cipher key of the i-th user and the left or right hash output for its a-th query collide with some chosen ideal cipher key and one of the corresponding inputs of the forward ideal cipher queries, then we set the bad flag Bad1 to 1 and abort the game.
For the i-th user, if the left or right hash outputs for two of its queries collide and the corresponding responses also collide (i.e., Σ i a = Σ i b , T i a = T i b ), then we consider it to be a bad event. Similarly, for a pair of users i 1 and i 2 , if their left or right hash outputs collide with each other and the corresponding responses also collide, then we again consider it to be a bad event. If at least one of the above bad events occurs, we set Bad2 to 1 and abort the game. We also set another flag Bad3 to 1 and abort the game if, for the i-th user, the number of pairs of queries whose left or right hash outputs collide with each other is at least q 2/3 i , where q i is the number of queries made by the i-th user.
Finally, we set the flag Bad4 to 1 if at least one of the following events holds: (a) for the i-th user, two left hash outputs collide and their corresponding right hash outputs also collide, or (b) for the i-th user, there exists a tuple of four query indices a, b, c, d such that It is also to be noted here that, as the hash function is good, i.e., the outputs of the two hash functions never collide, the attack of [17] is immediately ruled out.
[Fig. 4.3, offline (sampling) phase of O ideal : line 3 notes that there are s − r ideal cipher keys which have not collided with any user key; line 5 loops over all j ∈ [r]; line 6 sets f j to the number of distinct elements in the tuple Σ j ∪ Θ j ; line 16 loops over all j ∈ [r′].]

If the game is not aborted at this stage, then none of the bad events have occurred. All the query-response pairs belong to exactly one of the sets Q^= or Q^≠, as defined in lines 1 and 11 of Fig. 4.3, where Q^= is the set of all construction queries across all users such that the block cipher key of the i-th user collides with an ideal cipher key but none of its hash outputs collide with any ideal cipher query, and Q^≠ is the set of all construction queries across all users such that the block cipher key of the i-th user does not collide with any ideal cipher key. We also define two additional sets, I^= and I^≠, for Q^= and Q^≠, where I^= (resp. I^≠) is the set of all i such that (i, a) ∈ Q^= (resp. (i, a) ∈ Q^≠) for some a. We partition I^= into r non-empty equivalence classes I^=_1 , I^=_2 , . . . , I^=_r based on the relation that the i-th user key K i collides with J j if and only if i ∈ I^=_j (see footnote 10). It is to be noted that we assume the adversary has chosen a total of s distinct ideal cipher keys J 1 , J 2 , . . . , J s during the evaluation of primitive queries, and that out of these s chosen keys, each of the r ≤ s keys collides with at least one user key. Similarly, we partition I^≠ into r′ equivalence classes based on the equivalence relation i ∼ j if and only if K i = K j . Now, for the j-th equivalence class of I^=, we consider the tuple Note that due to the event in line number 7.(b) (resp. 7.(d)) of Fig.

Footnote 10: A correct way of writing step 2 of Fig. 4.3 should be However, for the sake of simplicity, we assume i_t = t, t ∈ [r], i.e., each of the first r chosen ideal cipher keys collides with at least one user key.
4 ] and the output of Σ i a has not been sampled yet, then we sample its output Z i 1,a from outside the range of E J j and set the output of Θ i a as the xor of Z i a and T i a (see line 6 of Fig. 4.3). Otherwise, we set the output of Σ i a to the already defined element and adjust the output of the other hash value accordingly (see line 7 of Fig. 4.3). Note that in the latter case, we do not sample the output. In the above adjustment, if the output of Θ i a happens to collide with any previously sampled output, then we set the flag Bad-Samp to 1 and abort the game (see line 8 of Fig. 4.3). Note that this event cannot hold for the real oracle, as Θ i a is fresh in If the above flag is not set to 1, then the sampling of the output of Σ i a , where (i, a) ∈ Q^= , preserves permutation compatibility. Finally, for all other (i, a) ∈ Q^≠ , we sample Z i 1,a and Z i 2,a such that Z i 1,a ⊕ Z i 2,a = T i a .

Attack Transcript
We summarize here the interaction between the distinguisher and the challenger in a transcript. The set of all construction queries for u instances is summarized in a transcript , . . . , (M i qi , T i qi )} denotes the query-response transcript generated from the i-th instance of the construction. Moreover, we assume that A has chosen s distinct ideal cipher keys J 1 , . . . , J s such that it makes p j ideal cipher queries to the block cipher with the chosen key J j . We summarize the ideal cipher queries in a transcript τ p = τ 1 , J j } denotes the transcript of the ideal cipher queries when the chosen ideal cipher key is J j . We assume that A makes q i construction queries for the i-th instance and p j ideal cipher queries (including forward and inverse queries) with chosen ideal cipher key J j . We also assume that the total number of construction queries across u instances is q, i.e., q = (q 1 + . . . + q u ), and the total number of ideal cipher queries is p = (p 1 + . . . + p s ). Since A is non-trivial, none of the transcripts contain any duplicate elements. We modify the experiment by releasing internal information to A after it has finished its interaction but has not yet output the decision bit. In the real world, we reveal all the keys (L i 1 , L i 2 , K i ) for all u instances used in the construction. In the ideal world, we sample them uniformly at random from their respective key spaces and reveal them to the distinguisher. We also reveal the tuple is computed by the challenger of both worlds, where the function Ψ j defined for the ideal world is given in Fig. 4.3, and for the real world, we define Ψ j as follows: for i ∈ I^=_j or i ∈ I^≠_j . By virtue of the definition of the function Ψ j in the real and in the ideal world, for i ∈ I = j and i ∈ I = j with j = j , Σ i .
Therefore, each transcript τ c i , where i ∈ I^=_j or i ∈ I^≠_j , is now modified to include the corresponding intermediate input-output values for the i-th instance of the construction. Thus, In all that follows, the complete construction query transcript is τ i c and the overall transcript is τ = τ c ∪ τ p . The modified experiment only makes the distinguisher more powerful, and hence the distinguishing advantage of A in this experiment is no less than its distinguishing advantage in the former. Let X re denote the random variable that takes a transcript τ realized in the real world. Similarly, X id denotes the random variable that takes a transcript τ realized in the ideal world. The probability of realizing a transcript τ in the ideal (resp. real) world is called the ideal (resp. real) interpolation probability. A transcript τ is said to be attainable with respect to A if its ideal interpolation probability is non-zero, and V denotes the set of all such attainable transcripts. Following these notations, we now state the main theorem of the H-coefficient technique [32]: BadT be a partition of the set of attainable transcripts. Suppose there exists ratio ≥ 0 such that for any τ = (τ c , τ p ) ∈ GoodT, p re (τ ) and there exists bad ≥ 0 such that Pr[X id ∈ BadT] ≤ bad . Then Therefore, to prove the security of the construction using the H-coefficient technique, we need to identify the set of bad transcripts and compute an upper bound for their probability in the ideal world. Then we find a lower bound for the ratio of the real to ideal interpolation probability for a good transcript. We have already identified the bad transcripts in Fig. 4.1 and Fig. 4.2. Therefore, it only remains to bound the probability of bad transcripts in the ideal world and to provide a lower bound for the ratio of the real to ideal interpolation probability for a good transcript.
Having explained the H-coefficient technique in view of our construction, it follows that for each i ∈ [u], , for some j such that i ∈ I^=_j or i ∈ I^≠_j and

Bounding the Probability of Bad Transcripts
We call a transcript τ = (τ c , τ p ) bad if at least one of the flags is set to 1 during the generation of the transcript in Fig. 4.1 and Fig. 4.2. Recall that BadT ⊆ V is the set of all attainable bad transcripts and GoodT = V \ BadT is the set of all attainable good transcripts. We bound the probability of bad transcripts in the ideal world as follows.

Lemma 2.
Let τ = (τ c , τ p ) be any attainable transcript. Let X id and BadT be defined as above. Then Proof. Abusing notation, we refer to the bad events by their corresponding flag variables as defined in Fig. 4.1, Fig. 4.2 and Fig. 4.3. That is, we use Bad-Tag to refer to the event in which the Bad-Tag flag has been set to 1. In other words, we say that the event Bad-Tag holds if and only if the Bad-Tag flag has been set to 1. Using the union bound, we write In the following, we individually bound each bad event and then use Eqn. (4) to derive the result. In the subsequent analysis, we assume that |K h | = k h and |K| = k.

A. Bounding Event Bad-Tag.
For a fixed choice of indices, the probability of the event can be bounded by 1/2 n , as the outputs of the construction queries are sampled uniformly and independently of the other random variables. Therefore, by summing over all possible choices of indices, we have

B. Bounding Event BadK.
For a fixed choice of indices, the probability of the event can be bounded by 1/2 k h +k as the 2}. Therefore, summing over all possible choices of indices, we have

C. Bounding Event Bad1 | ¬BadK.
We say that the event Bad1 holds if either of the events defined in line 5.
Bounding B.12 | ¬BadK: With an identical argument, one can show that the probability of the event B.12 can be bounded by qp reg /2 k , i.e., Therefore, by combining Eqn. (7) and Eqn. (8), we have Due to the independence of the hash key L i 1 and T i a , the probability of this joint event can be bounded by the universal property of the hash function H 1 and the randomness of T i a . Therefore, Bounding B.22 | ¬BadK: We bound the event given ¬BadK, i.e., even if the block cipher keys for users i 1 and i 2 collide, their corresponding hash keys, i.e., L i1 1 and L i2 2 , do not collide. Given this event, for a fixed choice of indices, we bound Σ i1 a = Σ i2 b using the regular property of the hash function H 1 with the randomness of the hash key L i1 1 . Moreover, the first event is independent of the second event and can thus be bounded exactly by 2 −k . Therefore, where (1) Therefore, from Eqn. (14) and Eqn. (18) Note that Z i a ⊕ T i a hits either the output of some primitive query V j α with ideal-cipher key J j such that K i = J j , where α ∈ [p j ]; we denote this event as BS1 i,j,a,α . Or, Z i a ⊕ T i a hits the output of some previously sampled Σ i′ a′ or Θ i′ a′ whose block cipher key K i′ matches K i , which in turn collides with the ideal-cipher key J j ; we denote this event as BS2 i,i′,j,a,a′ . Therefore, we have Now, we bound the probability of the events BS1 i,j,a,α and BS2 i,i′,j,a,a′ as follows: where the numbers of choices for (i, a) and (j, α) are at most q and p, respectively, and p j is assumed to be at most 2 n−1 . Thus, summing over all possible choices of (i, j, a, α) and by assuming p j ≤ 2 n−1 , we have the result.
We bound the probability of the event separately depending on the number of queries made by a user. (i) For users with "many" queries, we will argue that the probability of a key collision for that user is low. (ii) For users with "not many" queries, we will argue that the probability of the above event achieves the desired bound. The detailed analysis is as follows: Let q i be the number of queries made by user i, where i ∈ [u] and q 1 + q 2 + . . . + q u = q. W.l.o.g. let us assume that q 1 ≥ q 2 ≥ . . . ≥ q u . We define the event Event as follows: if the key of any of the first q 1/3 users collides with a primitive query key, we say that Event occurs. It is easy to see that Thus, for the first q 1/3 users, we bound the probability of the required event by q 1/3 ·p/2 k . The case u < q 1/3 is trivial. For the remaining users, we bound the probability as follows: Here we use the fact that q i ≤ q 2/3 for all i = q 1/3 , . . . , u (as q 1 + . . . + q u = q). By combining Eqn. (25) and Eqn. (26), we have Finally, by combining Eqn. (23), Eqn. (24) and Eqn. (27), we have Finally, the result follows by combining Eqn. (5)-Eqn. (28) and by assuming k ≥ n.
Remark 4. We would like to mention here that during the probability analysis for bounding the event Bad-Samp, we considered only the case that Bad-Samp happens after line-7 of

Analysis of Good Transcripts
In this section, we compute a lower bound for the ratio of the real to ideal interpolation probability for a good transcript. We first consider the set of transcripts Q^= . For each j ∈ [r] and for each i ∈ I^=_j , we consider the sequence From this sequence, we construct a bipartite graph G i , where the nodes in one partition represent the values Σ i a and the nodes in the other, Θ i a ; we put an edge between the nodes corresponding to Σ i a and Θ i a with the label being T i a , where Σ i a ⊕ Θ i a = T i a . If Σ i a = Σ i b , then we merge the corresponding nodes into a single node, and similarly for Θ i a = Θ i b . This breaks the graph into w i components. As the transcript is good, it is easy to see that each component is acyclic (otherwise B.41 would have been satisfied) and contains a path of length at most 3 (otherwise either B.42 or B.43 would have been satisfied). Due to B.31 ∧ B.32, the component size is bounded by q 2/3 . Moreover, due to B.11 ∧ B.12, no vertex of the graph, i.e., no Σ i a or Θ i a , collides with the input of any ideal-cipher query whose ideal-cipher key collides with the i-th user key. Hence, each vertex of the graph G i is fresh in the sense that it does not collide with the input of any ideal-cipher query. Note that B.21 (resp. B.23) ensures that if Σ i a collides with Σ i b (resp. Θ i a collides with Θ i b ), then T i a must be distinct from T i b , as otherwise bad event B.41 would have been satisfied. On the other hand, B.22 (resp. B.24) implies that there is no intersection between the equation variables corresponding to two different users whose keys collide.
Let v i be the total number of nodes of the graph G i . Similar to Q^= , we consider Q^≠ . For each j ∈ [r′] and for each i ∈ I^≠_j , consider the sequence Similar to G i , we construct a bipartite graph H i , one of whose partitions represents the nodes corresponding to Σ i a and the other, the nodes corresponding to Θ i a . We put an edge between the nodes corresponding to Σ i a and Θ i a with the label being T i a , where Σ i a ⊕ Θ i a = T i a . However, if two nodes represent the same value, then we merge them into a single node. Let w i be the number of components of H i and v i the total number of vertices. Then for a good transcript τ = (τ c , τ p ), realizing τ is almost as likely in the real world as in the ideal world: Lemma 3 (Good Lemma). Let τ = (τ c , τ p ) ∈ GoodT be a good transcript. Let X re and X id be defined as above. Then Proof. We are now ready to calculate the real interpolation probability. For this, we must bound the total number of input-output pairs on which the block cipher E with different keys is executed. As the transcript releases the 2k h -bit hash keys and the k-bit block cipher key for each user, it contributes a term 2 −(2k h +k) to the real interpolation probability. Now, for each j ∈ [r], the block cipher E with key J j is evaluated on a total of input-output pairs. For the remaining ideal cipher keys, with which none of the users' block cipher keys have collided, we have p j input-output pairs, which are fixed due to the evaluation of the block cipher with those ideal cipher keys. Moreover, for each j ∈ [r′], the block cipher E is evaluated on a total of ∑_{i ∈ I^≠_j} v i input-output pairs with key K j . Summarizing the above, Ideal Interpolation Probability: The term ∏_{i=1}^{u} 2 −n q i , which is contributed to the ideal interpolation probability due to the sampling of the responses to the adversarial queries, samples 2k h -bit hash keys and k-bit block cipher keys for all u users.
For each j ∈ [r], and for each i ∈ I^=_j , we construct the graph G i as defined above. Now, we have the following claim: Claim 1. For each j ∈ [r] and for each i ∈ I^=_j , the graph G i is good. Proof. First of all, note that the graph G i does not have any cycle of length 2, otherwise the bad event B.41 would have been satisfied. Moreover, every component of the graph has a path of length at most three, otherwise the bad event B.43 would have been satisfied. This excludes the possibility of an even-length cycle in the bipartite graph G i . Moreover, due to B.21 ∧ B.23, the xor of the labels of any path of length two in the graph G i is non-zero, and due to B.41 ∧ B.42 ∧ B.43, it follows that the xor of the labels of any path of length three in the graph is non-zero. Hence, the graph G i is good. Now, for each j ∈ [r] and for each i ∈ I^=_j , we sample the value of one node for each component of the graph G i . Hence, for j ∈ [r], the total number of sampled points is Moreover, for each j ∈ [s] \ [r], the total number of sampled points is p j . Subsequently, we consider the set of transcripts Q^≠ . For each j ∈ [r′], and for each i ∈ I^≠_j , we construct the graph H i as defined above. The reasoning for the goodness of the graph G i applies equally to the graph H i . This allows us to compute the set S j for each j ∈ [r′] as defined in line 15 of Fig. 4 Calculation of the ratio: By plugging in the value of |S j | from Lemma 1 into Eqn. (30) and then taking the ratio of Eqn. (29) to Eqn. (30), we have Therefore, we have where (1) holds due to Eqn. (31) and (2)
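The good-graph conditions of the mirror theory section, applied to the Σ/Θ graph that the good-transcript analysis above builds for one user, as an added Python example that is not the paper's own code: vertices are the merged Σ and Θ values, each query is an edge labelled by its tag T, and the check verifies that there are no 2-cycles, that the graph is acyclic, and that no path has xor-label 0 (via distinct potentials within a component), while reporting component sizes and the longest path. The sample transcripts are constructed here with n = 16 and are not from the paper.

```python
"""Good-graph check (mirror theory) applied to the Σ/Θ graph of the
good-transcript analysis. Added example, not the paper's code. A user's
transcript is a list of constructed triples (Σ_a, Θ_a, T_a); the unknowns
are the cipher outputs of Σ_a and Θ_a, whose xor must equal T_a, so the
vertices are the hash outputs and the edge labels are the tags."""
from collections import defaultdict, deque


def build_graph(triples):
    """Vertices ('S', Σ) and ('T', Θ); equal Σ (resp. Θ) values are merged.
    Each query adds an edge labelled T_a. Every vertex is incident to an
    edge by construction (no isolated vertices). Two queries with the same
    Σ and the same Θ would form a 2-cycle; they are counted separately."""
    adj = defaultdict(list)
    seen = set()
    two_cycles = 0
    for sigma, theta, tag in triples:
        u, v = ("S", sigma), ("T", theta)
        if (u, v) in seen:
            two_cycles += 1
            continue
        seen.add((u, v))
        adj[u].append((v, tag))
        adj[v].append((u, tag))
    return adj, two_cycles


def bfs(adj, start):
    """Breadth-first search from start. Returns (dist, pot, cyclic): hop
    distance, potential = xor of labels along the tree path from start (so
    pot[x] ^ pot[y] is the label of the unique tree path x..y), and whether
    a non-tree edge closes a cycle."""
    dist, pot, parent = {start: 0}, {start: 0}, {start: None}
    queue, cyclic = deque([start]), False
    while queue:
        x = queue.popleft()
        for y, label in adj[x]:
            if y not in dist:
                dist[y], pot[y], parent[y] = dist[x] + 1, pot[x] ^ label, x
                queue.append(y)
            elif y != parent[x]:
                cyclic = True
    return dist, pot, cyclic


def is_good_graph(triples):
    """Check the good-graph properties: no 2-cycles, acyclic, and λ(L) != 0
    for every path L (equivalently, all potentials within a tree component
    are distinct). Also reports what the good-transcript analysis bounds:
    number of components, largest component and longest path."""
    adj, two_cycles = build_graph(triples)
    report = {"two_cycles": two_cycles, "acyclic": True,
              "zero_label_path": False, "components": 0,
              "max_component": 0, "max_path_length": 0}
    visited = set()
    for root in list(adj):
        if root in visited:
            continue
        dist, pot, cyclic = bfs(adj, root)
        visited.update(dist)
        # Longest path in a tree: BFS again from the vertex farthest from root.
        far = max(dist, key=dist.get)
        diameter = max(bfs(adj, far)[0].values())
        report["components"] += 1
        report["max_component"] = max(report["max_component"], len(dist))
        report["max_path_length"] = max(report["max_path_length"], diameter)
        report["acyclic"] = report["acyclic"] and not cyclic
        if len(set(pot.values())) < len(pot):
            report["zero_label_path"] = True
    report["good"] = (report["two_cycles"] == 0 and report["acyclic"]
                      and not report["zero_label_path"])
    return report


# Constructed sample transcripts with n = 16 (Σ, Θ, T as integers).
GOOD = [(0x1234, 0xABCD, 0x0001), (0x1234, 0x0F0F, 0x0002),
        (0x5555, 0x0F0F, 0x0004), (0x7777, 0x8888, 0x0010)]
# Path Θ=ABCD - Σ=1234 - Θ=0F0F - Σ=5555 has labels 5 ^ 9 ^ C = 0.
ZERO_PATH = [(0x1234, 0xABCD, 0x0005), (0x1234, 0x0F0F, 0x0009),
             (0x5555, 0x0F0F, 0x000C)]
# Four queries on two Σ and two Θ values close a 4-cycle.
CYCLE = [(0x1, 0xA, 0x1), (0x1, 0xB, 0x2), (0x2, 0xA, 0x4), (0x2, 0xB, 0x8)]
# Two queries with the same Σ, the same Θ and the same T (the Bad2 situation).
TWO_CYCLE = [(0x1234, 0xABCD, 0x0001), (0x1234, 0xABCD, 0x0001)]

if __name__ == "__main__":
    for name, tr in (("GOOD", GOOD), ("ZERO_PATH", ZERO_PATH),
                     ("CYCLE", CYCLE), ("TWO_CYCLE", TWO_CYCLE)):
        print(name, is_good_graph(tr))
```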

Tight Security Bound of Two-Keyed Polyhash-based DbHtS Construction
The two-keyed Polyhash-based DbHtS construction C 2 [PH-DbH, E], as proposed in [14], is the instantiation of the Two-Keyed-DbHtS framework built on the Polyhash-based double-block hash function PH-DbH. In [14], the PRF security of C 2 [PH-DbH, E] has been proven to be roughly of the order of q 3 2 /2 2n in the single-user setting. In this section we improve its bound to 2 3n/4 queries in the multi-user setting. Moreover, the proof is based on the ideal cipher model. Before going to the security proof of the construction, we first revisit the two-keyed Polyhash-based DbHtS construction.
PolyHash [15,7,35] is a very efficient algebraic hash function. For a fixed natural number n, it first samples an n-bit key L uniformly at random from {0, 1} n . To apply this function to a message M ∈ {0, 1} * , we first apply the injective padding function 10 * (i.e., append a bit 1 followed by the minimum number of zeroes so that the total number of bits in the padded message becomes a multiple of n). Let the padded message be M * = M 1 M 2 . . . M l , where l is the number of n-bit blocks in it. Then, we define the PolyHash function as follows: where l is the number of blocks of M and the multiplications are defined in the field GF(2 n ). Then Polyhash [27] is /2 n -regular, /2 n -axu and /2 n -universal, as shown in the following lemma, where is the maximum number of message blocks (the proof of the lemma relies on a result on the number of distinct roots of a polynomial): Lemma 4. Let PH be the PolyHash function as defined above. Then PH is /2 n -regular, /2 n -almost-xor universal and /2 n -universal.
Proof. We first compute the regular advantage of the hash function. Clearly, for any ∆ ∈ {0, 1} n , and any Thus, two independent instances of the Polyhash function keyed with two independent keys L 1 and L 2 are applied separately to a message M , and the least significant bit of each output is chopped and the bits 0 and 1, respectively, are prepended. The two-keyed PolyHash-based DbHtS construction can now be defined directly from the Two-Keyed-DbHtS construction as follows: encrypt fix 0 (PH L1 (M )) and fix 1 (PH L2 (M )) through a block cipher E K and xor the results together to produce the output. An algorithmic description of the construction is shown in Fig. 5.1. Remark 5. We would like to mention that the definition of the Polyhash function used in this paper is different from that used in [17]. Nevertheless, one can also establish the 3n/4-bit multi-user security of the two-keyed PolyHash-based DbHtS construction with the Polyhash function used in [17].
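The construction just described, written out as an added Python example (not the paper's or any library's code): PolyHash over GF(2^128), the fix_0/fix_1 chop-and-prepend that makes the two hash outputs cross-collision free (the "good DbH" condition of Definition 2), and the xor of the two block cipher outputs. Assumptions not taken from the page: n = 128 with reduction polynomial x^128 + x^7 + x^2 + x + 1, the evaluation order M_1·L^l ⊕ … ⊕ M_l·L for PolyHash (the paper's exact formula is not reproduced on this page), and a lazily sampled ideal cipher standing in for E_K.

```python
"""Two-keyed PolyHash-based DbHtS: added example, not the paper's own code.
Assumptions (not from the page): n = 128 with GF(2^128) reduced by
x^128 + x^7 + x^2 + x + 1; PolyHash evaluated as M_1 L^l xor ... xor M_l L;
a lazily sampled ideal cipher standing in for the block cipher E_K."""
import random

N = 128                  # block size n in bits
MASK = (1 << N) - 1
POLY_LOW = 0x87          # low part of x^128 + x^7 + x^2 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply-and-reduce in GF(2^128) (assumed polynomial)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> (N - 1)
        a = (a << 1) & MASK
        if carry:
            a ^= POLY_LOW
    return r


def pad_blocks(msg: bytes) -> list:
    """Injective 10* padding (append bit 1, then zeros up to a block
    boundary), then split into n-bit blocks read as big-endian integers."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % (N // 8))
    return [int.from_bytes(padded[i:i + N // 8], "big")
            for i in range(0, len(padded), N // 8)]


def polyhash(key: int, msg: bytes) -> int:
    """PH_L(M) = M_1 L^l xor M_2 L^(l-1) xor ... xor M_l L, via Horner's rule.
    (The ordering is an assumption; the paper's formula is not on this page.)"""
    acc = 0
    for block in pad_blocks(msg):
        acc = gf_mul(acc ^ block, key)
    return acc


def fix(bit: int, x: int) -> int:
    """Chop the least significant bit of x and prepend `bit` as the new most
    significant bit. fix_0 outputs start with 0 and fix_1 outputs with 1, so
    a first hash output can never equal a second one (cross-collision free)."""
    return (bit << (N - 1)) | (x >> 1)


class IdealCipher:
    """Lazily sampled ideal cipher: for every key a fresh uniformly random
    permutation of {0,1}^n, filled in on demand (seeded so runs repeat)."""

    def __init__(self, seed: int = 0):
        self.rng = random.Random(seed)
        self.fwd = {}   # key -> {input: output}
        self.inv = {}   # key -> {output: input}

    def encrypt(self, key: bytes, x: int) -> int:
        table = self.fwd.setdefault(key, {})
        used = self.inv.setdefault(key, {})
        if x not in table:
            y = self.rng.getrandbits(N)
            while y in used:            # keep the map a permutation
                y = self.rng.getrandbits(N)
            table[x], used[y] = y, x
        return table[x]


def dbhts_tag(cipher: IdealCipher, l1: int, l2: int, k: bytes,
              msg: bytes) -> int:
    """C_2[PH-DbH, E](M) = E_K(fix_0(PH_L1(M))) xor E_K(fix_1(PH_L2(M)))."""
    sigma = fix(0, polyhash(l1, msg))   # first block of the DbH output
    theta = fix(1, polyhash(l2, msg))   # second block of the DbH output
    return cipher.encrypt(k, sigma) ^ cipher.encrypt(k, theta)


def cross_collision_free(l1: int, l2: int, msgs: list) -> bool:
    """The 'good DbH' cross-collision condition on a batch of messages:
    no first hash output of any message equals a second hash output."""
    sigmas = {fix(0, polyhash(l1, m)) for m in msgs}
    thetas = {fix(1, polyhash(l2, m)) for m in msgs}
    return sigmas.isdisjoint(thetas)


if __name__ == "__main__":
    # Constructed sample keys and messages, for demonstration only.
    E = IdealCipher(seed=2024)
    L1, L2, K = 0x0123456789ABCDEF, 0xFEDCBA9876543210, b"constructed-key"
    for m in (b"", b"short", b"x" * 40):
        print(m, hex(dbhts_tag(E, L1, L2, K, m)))
    print("cross-collision free:",
          cross_collision_free(L1, L2, [b"", b"short", b"x" * 40]))
```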

Conclusion and Future Problems
In this paper, we have shown that the Two-Keyed-DbHtS construction is multi-user secure up to 2 3n/4 queries in the ideal-cipher model. As an instantiation of the result, we have shown that Polyhash-based DbHtS provides 3n/4-bit multi-user security in the ideal-cipher model. Combining it with the generic result on the attack complexity of the DbHtS construction makes the bound tight. However, we cannot apply this result to analyze the security of 2K-SUM-ECBC, 2K-PMAC_Plus and 2K-LightMAC_Plus, as their underlying DbH functions are built on top of block ciphers, and our proof technique does not support their security analysis in the ideal-cipher model. We believe that proving 3n/4-bit security of the DbHtS construction based on block cipher-based double-block hash functions needs a careful study.

Roadblock in the Analysis of Block Cipher Based DbH Function.
As mentioned earlier, when analysing the security of a DbHtS construction built on a block cipher-based DbH function in the ideal-cipher model, one needs to assume that the adversary can make primitive queries to the underlying block cipher used in the DbH function. As a result, one needs to bound the universal and the regular advantage of the underlying DbH function in the ideal-cipher model. The most non-trivial part of bounding these advantages in the ideal-cipher model is the case in which all the inputs to the block cipher are non-fresh, i.e., the adversary chooses messages after all the primitive queries are done and the chosen messages are functions of the primitive query responses. We believe that this case is the major roadblock in establishing the desired universal and regular bounds of the DbH function in the ideal-cipher model. It would be interesting to see an O( /2 2n ) bound on the universal and the regular advantage of a block cipher-based DbH function in the ideal-cipher model.