Building PRFs from TPRPs: Beyond the Block and the Tweak Length Bounds

Abstract. A secure n-bit tweakable block cipher (TBC) using t-bit tweaks can be modeled as a tweakable uniform random permutation, where each tweak defines an independent random n-bit permutation. When an input to this tweakable permutation is fixed, it can be viewed as a perfectly secure t-bit random function. On the other hand, when a tweak is fixed, it can be viewed as a perfectly secure n-bit random permutation, and it is well known that the sum of two random permutations is pseudorandom up to 2^n queries. A natural question is whether one can construct a pseudorandom function (PRF) beyond the block and the tweak length bounds using a small number of calls to the underlying tweakable permutations. A straightforward way of constructing a PRF from tweakable permutations is to xor the outputs from two tweakable permutations with c bits of the input to each permutation fixed. Using the multi-user security of the sum of two permutations, one can prove that the (t + n − c)-to-n bit PRF is secure up to 2^{n+c} queries. In this paper, we propose a family of PRF constructions based on tweakable permutations, dubbed XoTP_c, achieving stronger security than the straightforward construction. XoTP_c is parameterized by c, giving a (t + n − c)-to-n bit PRF. When t < 3n and c = t/3, XoTP_{t/3} becomes an (n + 2t/3)-to-n bit pseudorandom function, which is secure up to 2^{n+2t/3} queries. It provides security beyond the block and the tweak length bounds, making two calls to the underlying tweakable permutations. In order to prove the security of XoTP_c, we extend Mirror theory to q ≫ 2^n, where q is the number of equations. From a practical point of view, our construction can be used to construct TBC-based MAC finalization functions and CTR-type encryption modes with stronger provable security compared to existing schemes.


Introduction
Constructing PRFs from PRPs. A block cipher is typically modeled as a pseudorandom permutation (PRP) in a provable security setting: any adversary should not be able to distinguish the block cipher from a truly random permutation by making a certain number of encryption and decryption queries in a black-box manner. However, for some modes of operation, one might want the block cipher to behave like a pseudorandom function (PRF). For example, a counter mode generates a keystream E_K(N ∥ 0), E_K(N ∥ 1), E_K(N ∥ 2), ... using a block cipher E with a secret key K and a nonce N. In this mode of operation, all the blocks are pairwise distinct, allowing an adversary to distinguish it from a truly random keystream. For this reason, the counter mode is proved to be secure only up to the birthday bound (under the assumption that E is a pseudorandom permutation). This observation motivates the problem of constructing a pseudorandom function from pseudorandom permutations. Sometimes this problem is called "Luby-Rackoff backward" [BKR98]: the Feistel network transforms a set of (not necessarily one-to-one) functions into a permutation, and this problem considers the opposite direction.
A natural way of building a PRF from PRPs is to xor two independent pseudorandom permutations. Given two n-bit (keyed) PRPs P and P′, their sum, denoted XoP, maps X ∈ {0,1}^n to XoP(X) := P(X) ⊕ P′(X).
Alternatively, one can simply truncate outputs from a single permutation. This construction, denoted TRP, maps X ∈ {0,1}^n to where m is a positive integer such that m < n, and Tr_m is a truncation function that takes an n-bit string and returns the leftmost m bits of the input. There has been a significant amount of research on these constructions [BI99, BKR98, BN18, CLL19, DHT17, GGM18, GM20, HWKS98, Lee17, Pat08a, Pat10a].
Tweakable Block Ciphers. Tweakable block ciphers (TBC), first introduced in [LRW02], are a generalization of standard block ciphers that accept an extra input called a tweak. The tweak, providing inherent variability to the block cipher, makes it easy to design various higher-level cryptographic schemes such as message authentication codes and modes of operation.
Tweakable block ciphers can either be designed from scratch [Cro00, FLS+10, SO98], or be built upon off-the-shelf cryptographic primitives such as block ciphers and (public) permutations [CLS15, LST12, Men16, Nai17]. Recently, a unified vision for the tweak and key inputs has been proposed within the TWEAKEY framework [JNP14]. Skinny [BJK+16] and Deoxys-BC [JNPS16] follow this framework. Theoretically, a secure TBC is modeled as a tweakable pseudorandom permutation (TPRP); when a key is chosen uniformly at random and kept secret, the keyed TBC should behave like an independent random permutation for each tweak. The ideal counterpart of a TPRP is called a tweakable uniform random permutation (TURP).
Building PRFs from TPRPs. As tweakable block ciphers are widely used and studied, it is natural to ask how to efficiently construct a PRF on top of a tweakable block cipher. With the underlying tweakable block cipher modeled as an n-bit TURP using t-bit tweaks, denoted P, a straightforward construction is to fix a message input to P, obtaining a t-to-n bit function. Such a construction is perfectly secure for every possible query; it is secure up to 2^t queries. On the other hand, one can obtain a perfectly random n-bit permutation by fixing a tweak input to P. This construction is secure only up to the birthday bound. By summing two distinct permutations (using different tweaks), one can obtain a pseudorandom function that is secure up to 2^n queries [Pat08a].
Our research is motivated by the following question: how can one construct pseudorandom functions that make a small number of calls to the underlying TPRPs, providing security beyond the block and the tweak length bounds? We note that a TBC-based Feistel cipher provides such a strong security bound with at least 10 rounds, using that many tweakable block cipher calls [SGW20].
We will consider two PRF constructions using only two calls to the underlying TPRPs P and Q, which can be seen as TURPs up to their TPRP-security. Given a (public) constant C ∈ {0,1}^c for an integer c such that 0 ≤ c ≤ n, the sum of TPRPs, dubbed MXoP_c, is defined as follows.
MXoP_c(X, Y) = P(Y, C ∥ X) ⊕ Q(Y, C ∥ X) for X ∈ {0,1}^{n−c} and Y ∈ {0,1}^t (see Figure 1). One can view MXoP as XoP in the multi-user setting, where the number of users is 2^t and each user is allowed to make at most 2^{n−c} queries. Note that MXoP_c is parameterized by c (instead of C) since its security depends only on the length of the constant. Since the construction is mathematically identical to multiple instances of XoP, we can use previous analyses. As far as we know, the best-known result on the multi-user security of XoP is by Hoang and Shen [HS20], which gives (n/log n)-bit security under the standard multi-user assumption, i.e., when an adversary can always freely choose an instance for its next query. They left its n-bit security proof as an open problem. Since the security of MXoP_c is easily proved by Mirror theory, we do not claim the full multi-user security proof of XoP as a contribution; however, as no literature explicitly states its optimal security in the multi-user setting, we give a complete proof that the adversarial advantage in breaking the PRF-security of MXoP_c is upper bounded by O(q/2^{n+c}). In particular, when t < 2n, MXoP_{t/2} is secure up to 2^{n+t/2} queries. When t ≥ 2n, MXoP_n is secure up to 2^t queries.
It is noteworthy that recently there has been a new approach to proving multi-user security by fixing the number of queries made to each instance [BN21, CKLL22, CCL23, CHWZ23]; those works parameterize security bounds by the maximum number of queries per instance. This line of research shows that, under the assumption they use, one may obtain stronger security with respect to the number of instances. In this paper, on the other hand, we focus on a more general setting without any limit on the number of queries per instance.

Our Contribution
In this paper, we propose a new construction for a TPRP-based PRF enjoying stronger security than MXoP_c (for a certain range of parameters) and provide a new way of analyzing its security even when message and tweak inputs are correlated (which is not the case for MXoP_c). Our new construction, dubbed XoTP_c, is defined as follows: when t ≥ n − c, for X, Y ∈ {0,1}^{n−c} and W ∈ {0,1}^{t−n+c}, and when t < n − c, for X, Y ∈ {0,1}^t and W ∈ {0,1}^{n−t−c} (see Figure 2). In this way, XoTP_c becomes a (t + n − c)-to-n bit pseudorandom function.
We prove that when t ≥ n − c (resp. t < n − c), the adversarial advantage in breaking the PRF-security of XoTP_c is upper bounded by O(min{q/2^{n+2c}, q^2/2^{3n}}) (resp. O(max{q/2^{n+t+c}, q/2^{n+2c}})). In particular, when c < t, the adversarial distinguishing advantage is upper bounded by O(q/2^{n+2c}). Since the input size of XoTP_c is (t + n − c) bits, the threshold number of queries is maximized when c = t/3 (assuming t ≤ 3n). Then XoTP_{t/3} is secure up to 2^{n+2t/3} queries. Figure 3 shows the threshold number of queries q as a function of the tweak size t for MXoP_{min{t/2, n}} and XoTP_{t/3}. We see that XoTP_{t/3} enjoys security beyond the block and the tweak length bounds when t < 3n.

Application. First, we note that high provable security allows us to use a small input size of the primitive, at the cost of a larger tweak size, while maintaining the same security level. We notice that a longer tweak size t performs better than a larger input size n when n + t is the same, e.g., in the SKINNY TBC family. Many deterministic MAC schemes can be viewed as instances of the Hash-then-PRF paradigm: a variable-length message is first mapped onto a fixed-length value through a universal hash function, and then a PRF is applied to the hashed message, obtaining a tag. When it comes to TBC-based constructions using two TBC calls at the finalization step, most such schemes provide at most n-bit security; PMAC-TBC1k [Nai15] provides n-bit security and ZMAC [IMPS17] provides min{n, (n+t)/2}-bit security. If XoTP_c is combined with any birthday-bound-secure (t + n − c)-bit hash function that is collision resistant (though constructing such a hash function is an independent open question), then one might expect min{(t+n−c)/2, max{n + 2c, 3n/2}}-bit security for the resulting MAC scheme when XoTP_c is instantiated as a PRF. When n < t < 6n, it provides (2t+3n)/5-bit security with c = (t−n)/5, which is stronger than existing TBC-based MAC schemes such as [CLS17] (providing n-bit security) or a trivial t-to-n bit PRF with a single TBC call. Note that if one uses a t-to-n bit PRF as the finalization function of the given hash, the security is upper bounded by min{n, t/2}. If a TBC is used to construct a CTR-type encryption mode of rate 1 with a nonce as the tweak input and a block counter as the block cipher input, then the adversarial distinguishing advantage against this mode is tightly upper bounded by σl/2^n, where l is the maximum message length and σ is the total number of message blocks. This security bound might not be sufficient, in particular when n is small.

In order to achieve stronger security (at the cost of worse efficiency), one might use an (n + t − c)-to-n bit PRF XoTP_c to construct a CTR-type encryption mode of rate 1/2. When c = t/3, n + 2t/3 bits are available for nonces and counters, while the adversarial distinguishing advantage against this mode is upper bounded by As a numerical example, consider the SKINNY-64-192 tweakable block cipher operating on 64-bit blocks using 192-bit tweakeys. If 128 bits are used as a key, then one can use 64-bit tweaks. In this case, one can use 107 input bits to XoTP_21 as nonces and counters (say, 67-bit nonces and 40-bit counters), and the resulting encryption mode will be secure as long as the total number of message blocks is small in front of 2^106. If n + 2t/3 bits are not sufficient for nonces and counters, one can simply take a small constant c so that the input size of the resulting PRF is almost n + t bits. For the encryption mode using this PRF, the adversarial distinguishing advantage is still upper bounded by

Proof Technique. Our proof is based on the standard H-coefficient technique, where Patarin's Mirror theory [Pat10b] is used for the counting arguments. Mirror theory allows one to sharply lower bound the number of solutions to a certain type of system of equations and non-equations. In our security proof, we will consider the following system of equations; for two sets of unknowns V_P = {P_1, ..., P_q} and V_Q = {Q_1, ..., Q_q}, and for constants This system of equations can be represented by a simple graph G = (V, E), where V = V_P ⊔ V_Q and P_i and Q_i are connected by a Z_i-weighted edge for i = 1, ..., q. This graph consists of q isolated edges, so the size of the largest component in this graph, denoted ξ_max, is two. The system of equations with ξ_max = 2 appears in the security proof of the sum of two independent random permutations, where all the unknowns in V_P (resp. V_Q) should be distinct since they are supposed to be outputs from a fixed permutation. These additional constraints can be viewed as non-equations between the unknowns. The resulting system of equations and non-equations has been studied in [Pat10b], and later revisited with more complete and detailed arguments [CP20, DNS22].
When it comes to a tweakable permutation, the outputs are not necessarily all distinct, in particular when they are defined with distinct tweaks. With this observation, we relax the non-equation constraints by defining partitions of V_P and V_Q; if P_i and P_j (resp. Q_i and Q_j) are contained in the same block, then , which implies that the evaluations of the tweakable permutation in the i-th and j-th queries share the same tweak input. In this way, we generalize Mirror theory for ξ_max = 2, and it leads to the security proof of XoTP. The most notable related works are probably Mirror theory for proving an ideal tweakable permutation model [MN17, JN20]. This type of Mirror theory aims to provide a more rigorous analysis of the number of solutions considering duplications among Z_i-values when the Z_i-values serve as tweak values in their ideal world. On the other hand, our Mirror theory uses tweakable permutations in the real world to construct an ideal random function. Mirror theory for the ideal tweakable permutation model [MN17, JN20] studies more deeply the relation between the number of solutions and the distribution of the Z_i-values. It is an interesting theoretical question to merge their idea with our relaxation of the output restriction; however, that would use tweakable permutations to build a tweakable permutation, making it hard to find practical implications.
History. Tweakable-permutation-related Mirror theory was also studied by Mennink et al. [MN17], while they use permutations to construct an ideal tweakable permutation. It was based on the original Mirror theory [Pat10b], which has been controversial due to some mistakes and gaps in the paper. Nandi [Nan20] also pointed out a flaw in [MN17]. Many researchers have revisited Mirror theory in more verifiable ways, while the newly established Mirror theory takes more limited conditions on q and ξ_max. Datta et al. [DDNY18] studied Mirror theory for q = O(2^{2n/3}) and ξ_max = 3 to prove the security of the DWCDM nonce-based MAC scheme. Dutta et al. [DNT19] extended it to q and ξ_max such that and q · ξ_max ≤ 2^{n−2}, and proved the security of the CWC+ AEAD mode. Jha and Nandi [JN20] further extended it to q and ξ_max such that q = O(2^{3n/4}) and q · ξ_max ≤ 2^{n−1} to tightly prove the security of CLRW2. Kim et al. [KLL20] studied Mirror theory for q = O(2^{3n/4}) assuming that the number of components of size ≥ 3 is smaller than 2^{n/2}, which was sufficient to tightly prove the security of DbHtS MAC schemes. Recently, Dutta et al. [DNS22] and Cogliati and Patarin [CP20] independently revisited Mirror theory for q = O(2^n), giving clearer and verifiable proofs, while both assume ξ_max = 2. More recently, Cogliati et al. [CDN+23] improved the result by relaxing the restriction on ξ_max under the assumption q · ξ_max^2 ≪ 2^n. In this line of research, we are the first to establish Mirror theory for q ≫ 2^n.
Open Problems. First of all, the exact security of the MXoP and XoTP constructions remains open. Secondly, one can consider an alternative approach to constructing PRFs using a single call to the underlying primitive: truncating outputs from a tweakable permutation. Fix two positive integers c and m such that c, m ≤ n as well as a constant C ∈ {0,1}^c, and let for X ∈ {0,1}^{n−c} and Y ∈ {0,1}^t. Since TRP_m permits an attack using 2^{n−m/2} queries, we need to fix a part of the input so that an adversary is not able to make that many queries for a single tweak. We leave the (exact) security of TTRP_{c,m} as an open problem.
When it comes to Mirror theory, relaxing the constraint ξ_max = 2 seems to be an important open question from both the theoretical and the practical point of view. If one can improve Mirror theory in this direction, many practical constructions based on a tweakable block cipher could be proposed. For example, one would be able to construct CENC-like encryption modes [Iwa06] with stronger provable security.

Preliminaries
Notation. Throughout this work, we fix positive integers n, t, and q. We denote 0^n (i.e., the n-bit string of all zeros) by 0. For integers a and b such that 0 ≤ a < b, we write [a, b] := {a, ..., b} and [b] := {1, ..., b}. Given a non-empty set X, x ←$ X denotes that x is chosen uniformly at random from X. The set of all functions from X to Y is denoted Func(X, Y). We use an indicator function, denoted 1, such that for a statement E, 1(E) = 1 if E is true, and 1(E) = 0 otherwise. When two sets X and Y are disjoint, their (disjoint) union is denoted X ⊔ Y.
Tweakable Block Cipher. A tweakable block cipher (TBC) is a keyed function E : K × T × X → X, where K is the key space, T = {0,1}^t is the tweak space, and X = {0,1}^n is the message space, such that for any (K, T) ∈ K × T, E(K, T, ·) is a permutation over X.
A tweakable permutation is a mapping P : T × X → X such that P(T, ·) is a permutation of X for any tweak T ∈ T. When a tweakable permutation is chosen uniformly at random from the set of all possible tweakable permutations, such an ideal object is called a tweakable uniform random permutation (TURP). A secure tweakable block cipher should behave like a tweakable uniform random permutation with the same message and tweak spaces (when the key is chosen uniformly at random from the key space and kept secret), and hence it is viewed as a tweakable pseudorandom permutation (TPRP).
Pseudorandom Function. Let C : K × X → Y be a keyed function with key space K, domain X, and range Y. We will consider an information-theoretic distinguisher D that makes oracle queries to C and returns a single bit. The advantage of D in breaking the PRF-security of C, i.e., in distinguishing C from a uniformly chosen function F ←$ Func(X, Y), is defined as We define Adv^prf_C(q) as the maximum of Adv^prf_C(D) over all distinguishers against C making at most q queries. [Pat08b]. Consider a PRF construction C[P, Q] : X → Y based on two TURPs P and Q. In this case, P and Q can be viewed as keys. Suppose that an information-theoretic distinguisher D adaptively makes q queries to the construction oracle, which is either C[P, Q] (in the real world) or a truly random function F (in the ideal world), recording all the queries (X_i, Y_i)_{1≤i≤q}. So according to the instantiation, it would imply either C

H-coefficient Technique
the transcript of the attack; it contains all the information that D has obtained at the end of the attack. When we consider an information-theoretic distinguisher, we can assume that the distinguisher is deterministic and makes no redundant query.
Fix a transcript τ = (X_i, Y_i)_{1≤i≤q}. If there exists a function F ∈ Func(X, Y) such that F(X_i) = Y_i for every i = 1, ..., q, then we call the transcript τ attainable. We denote by Γ the set of attainable transcripts. We also denote by T_re (resp. T_id) the probability distribution of the transcript τ induced by the real world (resp. the ideal world). By extension, we use the same notation to denote a random variable distributed according to each distribution. Without considering "bad events", the H-coefficient technique is summarized as follows.
Useful Lemma. Dutta et al. [DNS22] proved the following combinatorial lemma, which will also be used in our Mirror theory.

for some positive constants A and C such that A < 2^{n−1}. Then, for any integer r such that 1 ≤ r ≤ α/2 − 1, one has Lemma 2 is proved by mathematical induction on r.

Proof of Lemma 2
We use induction on r. One can easily see that (1) holds when r = 1. Suppose that (1) holds for r such that r ≤ α/2 − 2. By the recurrence relation, we have for some B_i, where Even for i ∈ {r, 2r, 2r + 1}, one easily sees that B_i ≤ 2r+2 i+1 A i+1. Therefore, we have Combined with the induction hypothesis, we have which completes the proof.
The original Mirror theory estimates the number of solutions with pairwise distinct P-variables and pairwise distinct Q-variables. However, when each variable is derived from a tweakable block cipher, only variables from the same tweak input should be distinct. Consequently, we introduce a new theory to estimate the number of solutions such that only variables from a common tweak are distinct. We fix two partitions of [q], namely, for some positive integers a and b, where denote the size of the largest block in the two partitions. Throughout this section, we will assume We will write i ). With respect to these relations, we put additional constraints on Γ as follows.
These two relations are closely related to the model of our applications, the tweakable permutation model. By identifying V_P (and V_Q) with outputs of a tweakable permutation, each block of P (and Q) is matched with outputs of a tweakable permutation under the same tweak, which should be distinct from each other. On the other hand, it is possible for two distinct random variables P_i and P_j to take the same value if i ∼_P j. The relation implies that P_i and P_j are distinct outputs from two distinct inputs of a tweakable permutation. Unlike the previous Mirror theories, we do not identify P_i and P_j as random variables since they are distinct outputs, and that is the reason why we call our Mirror theory ξ_max = 2 even if it is possible to have P_i = P_j.
The goal of our Mirror theory is to sharply lower bound the number of solutions to Γ, denoted h(Γ, ∼_P, ∼_Q), subject to the above constraints. In order to state the main result of our Mirror theory, we need to define the sets (2) for i ∈ [q]. We note that P_i (resp. Q_i) is a subset of the block containing i in partition P (resp. Q). If i is the smallest element in the block, then P_i or Q_i is an empty set.
Theorem 1. One has The proof of Theorem 1 will be given in the next section. Let Then we have the following lemma.
Lemma 3. One has Proof. Since P_i (resp. Q_i) is a subset of a single block in P (resp. Q), we have V_l = q − 1.
For i ∈ [q], there exists a unique pair (k, l) such that i ∈ P^(k) ∩ Q^(l), in which case , there are at most B indices i such that i ∈ P^(k) ∩ Q^(l). Therefore, we have By (3) and (4), the proof is complete.
By Lemma 3 and since , Theorem 1 is simplified as follows.

Proof of Theorem 1
Graph Representation, Definitions and Notations. Let α ∈ [q]. For a set of α indices I = {i_1, ..., i_α} ⊂ [q], we define Let l be a positive integer. For a trail of length l connecting two vertices V_0 and V_1, say In order for G[I] ∪ F to be valid, the following conditions should be satisfied.
1. For any distinct i and j such that i ∼_P j, and for any trail T(P_i, P_j) in G[I] ∪ F, w(T(P_i, P_j)) ≠ 0.
2. For any distinct i and j such that i ∼_Q j, and for any trail
be a sequence of distinct indices in I, and let be a sequence of n-bit weights. Then we define an edge set and a weighted graph We also define subgraphs of G[I, J, L] as follows.
When I, J and L are clear from the context, we simply write Note that G^{−+} is obtained from G^{++} by removing one edge, namely (P_{j_1}, Q_{j_2}, L_1), while G^{+−} is obtained from G^{++} by removing the two edges incident with Q_{j_{β+1}}. See Figure 4 for an example of G^{++}, G^{−+}, G^{+−} and G^{−−}. When β = 0, we have L = ∅ and F[J, L] = ∅ by definition, in which case G[I, J, L] = G[I]. We note that if G^{++} is valid for given I, J, and L, then G^{−+}, G^{+−} and G^{−−} are also valid. For an index set I ⊂ [q] and i ∈ [q], we define the following sets.
When I = [α] for some α ∈ [q], we simply write P_α, Q_α, and R_α to denote

Orange Equation. We can recursively compute h(G_α) using the following lemma.

Lemma 4. For any positive integer

where Recurrence relation (5) is called the Orange equation in Mirror theory. The proof of Lemma 4 is given in Section 4.2. The Orange equation can be easily generalized as follows: to any set of indices I such that |I| = α and j ∈ I,

Example 1. For n = 2 and q = 3, let P^(1) = {1, 3}, P^(2) = {2}, Q^(1) = {1}, Q^(2) = {2, 3}, Z_1 = 00, Z_2 = 01 and Z_3 = 10. For α = 3, we see that Hence, it follows that and therefore, Graphs G_3 and G_2 ∪ {(P_1, Q_2, 10)} are pictorially represented in Figure 5. Since G_2 consists of two independent equations, namely P_1 ⊕ Q_1 = 00 and P_2 ⊕ Q_2 = 01, we have On the other hand, G_2 ∪ {(P_1, Q_2, 10)} consists of a single connected component, and assigning an arbitrary value to a fixed vertex determines all the other unknowns. So, we have By (6), we have h(G_3) = 36.

Purple Equation. In order to use Lemma 4, we need to sharply lower bound h(G_{α−1} ∪ E) for a certain set of edges E. We can recursively estimate h(G_{α−1} ∪ E) using graphs with a smaller number of connected components.
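Example 1 can be checked mechanically. The following Python script is an added example, not code from the paper: it brute-forces h(G) for a system P_i ⊕ Q_i = Z_i under the block-wise distinctness constraints of ∼_P and ∼_Q, reproduces h(G_2) = 16, h(G_2 ∪ {(P_1, Q_2, 10)}) = 4 and h(G_3) = 36, and compares h(G_3) against an inclusion–exclusion recursion over the sets P_α and Q_α that is assumed here to be the content of the Orange equation (5), whose displayed form is not in the extracted text. The helper `xop_instance` goes beyond the example by covering the classical single-block case (sum of two permutations); all function names are this example's own.

```python
from itertools import product


def _distinct_within_blocks(values, blocks):
    """True iff variables that share a block (i.e. the same tweak) take pairwise
    distinct values. `values` maps an index to its value; absent indices are ignored."""
    for block in blocks:
        members = [values[i] for i in block if i in values]
        if len(set(members)) != len(members):
            return False
    return True


def count_solutions(n, indices, z, p_blocks, q_blocks, extra=()):
    """Brute-force h(G[I] ∪ F): the number of n-bit assignments to P_i, Q_i (i in I)
    with P_i ⊕ Q_i = z[i] for all i in I, P_i ⊕ Q_j = w for every extra edge (i, j, w)
    in F, and P-variables (resp. Q-variables) in a common block pairwise distinct.
    Only P-values are enumerated, since every Q_i = P_i ⊕ z[i] is forced."""
    idx = list(indices)
    total = 0
    for p_vals in product(range(1 << n), repeat=len(idx)):
        P = dict(zip(idx, p_vals))
        Q = {i: P[i] ^ z[i] for i in idx}
        if any(P[i] ^ Q[j] != w for i, j, w in extra):
            continue
        if _distinct_within_blocks(P, p_blocks) and _distinct_within_blocks(Q, q_blocks):
            total += 1
    return total


def predecessors(alpha, blocks):
    """The set P_alpha (or Q_alpha): indices smaller than alpha in alpha's own block."""
    block = next(b for b in blocks if alpha in b)
    return sorted(i for i in block if i < alpha)


def orange_rhs(n, alpha, z, p_blocks, q_blocks):
    """Inclusion–exclusion recursion for h(G_alpha) in terms of graphs on [alpha-1]
    (assumed here to be what the Orange equation expresses): P_alpha must avoid the
    |P_alpha| distinct values P_i (i in P_alpha), Q_alpha = P_alpha ⊕ Z_alpha must avoid
    the |Q_alpha| distinct values Q_j (j in Q_alpha), and both exclusions coincide exactly
    when P_i ⊕ Q_j = Z_alpha, i.e. on the solutions of G_{alpha-1} plus that edge."""
    prev = list(range(1, alpha))
    p_prev = predecessors(alpha, p_blocks)
    q_prev = predecessors(alpha, q_blocks)
    h_prev = count_solutions(n, prev, z, p_blocks, q_blocks)
    total = ((1 << n) - len(p_prev) - len(q_prev)) * h_prev
    for i in p_prev:
        for j in q_prev:
            total += count_solutions(n, prev, z, p_blocks, q_blocks, extra=[(i, j, z[alpha])])
    return total


def example1():
    """Example 1 of the paper: n = 2, q = 3, P-blocks {1,3},{2}, Q-blocks {1},{2,3},
    Z_1 = 00, Z_2 = 01, Z_3 = 10. Returns (h(G_2), h(G_2 ∪ {(P_1,Q_2,10)}), h(G_3), rhs)."""
    n = 2
    z = {1: 0b00, 2: 0b01, 3: 0b10}
    p_blocks = [{1, 3}, {2}]
    q_blocks = [{1}, {2, 3}]
    h_g2 = count_solutions(n, [1, 2], z, p_blocks, q_blocks)
    h_g2_plus = count_solutions(n, [1, 2], z, p_blocks, q_blocks, extra=[(1, 2, 0b10)])
    h_g3 = count_solutions(n, [1, 2, 3], z, p_blocks, q_blocks)
    return h_g2, h_g2_plus, h_g3, orange_rhs(n, 3, z, p_blocks, q_blocks)


def xop_instance(n, q, z):
    """Classical sum-of-permutations case: all P_i in one block and all Q_i in one block.
    Returns (brute-force count, inclusion–exclusion count); the two must agree."""
    one_block = [set(range(1, q + 1))]
    return (count_solutions(n, range(1, q + 1), z, one_block, one_block),
            orange_rhs(n, q, z, one_block, one_block))


if __name__ == "__main__":
    print(example1())  # (16, 4, 36, 36)
```

The recursion in `orange_rhs` only evaluates the added-edge graphs G_{α−1} ∪ {(P_i, Q_j, Z_α)}; an invalid added edge simply contributes zero solutions, which is why the example needs no separate validity filter for L[G_α].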
One can see that G^{++} is valid and, Then we have where See Figure 6 for a pictorial representation of this example.
Size Lemma. Our next step is to estimate the sizes of the sets L[G_α], M[G^{++}] and N[G^{++}] appearing in Lemmas 4 and 5. In order to state Lemma 6, we need to reorder the indices of G_q; any reordering of the indices does not affect the number of solutions to G_q. For k = 1, ..., q, there is a unique pair In this way, we can define an ordered multiset of q elements {(i_1, j_1, Z_1), ..., (i_q, j_q, Z_q)}. From this multiset, we choose as many different elements as possible, put them in a separate list, remove them from the multiset, and recursively perform the same procedure on the remaining elements. This reordering of triples obviously defines a reordering of the edges (indices), since we can associate each triple with a unique k ∈ [q]. With this reordering of the indices, we have

Example 3. For n = 1 and q = 6, the graph G_q and the partitions P and Q are defined as follows.
Then we can define an ordered multiset where the k-th element is associated with index k for k ∈ [6]. By the procedure described above, we can reorder the elements of the multiset as follows.
Lemma 6. Fix positive integers α, β and m such that 2 ≤ β < α ≤ m ≤ q. Then one has For an index set I ⊂ [m] such that |I| = α, a sequence of distinct indices J = (j_1, ..., j_{β+1}) ∈ I^{β+1}, and a sequence of weights Lemma 6 is called the Size Lemma. Its proof is given in Section 4.4.

Adding a Single Edge to G_α. Fix a positive integer m such that m ≤ q. We define a two-dimensional sequence D^m_{α,β}, where 1 ≤ α ≤ m and β is an integer, as follows.
where the maximum is taken over all possible index sets I ⊂ [m] such that |I| = α, sequences of distinct indices J ∈ I^{β+1}, and sequences of weights In order to upper bound D^m_{α,β}, we begin with the following lemma.
Lemma 7. For any Therefore, we have When β = 1, we have a sharper upper bound on D^α_{α,1} as follows.

Lemma 8. If 2n + 2 ≤ m < q, then one has The proof is given in Section 4.6. Lemmas 5 and 7 are used to prove this lemma. Note that D^m_{m,1} compares the number of solutions of the graph G_m (= G^{−+}[I, J, L]) with that of the graph obtained by adding a single edge to G_m, namely G[I, J, L], and Lemma 8 upper bounds their difference.
Proof of Theorem 1. For m ≥ 0, let On the other hand, by Lemma 4, for any m ≤ q − 1, we have by Lemma 8. So we have In the following computation, we simply write (11), (12) and Lemma 6, we have Therefore we have If m ≤ 2n + 1, then we have by Lemma 4. Then it follows that By combining (13) and (14), we have in (10), the proof is complete.

Proof of Lemma 4
For each solution Once S is fixed, one should choose where S denotes the set of all solutions to G_{α−1}. In particular, we have To summarize, we have Lemma 4 follows from (15) and (16).

Proof of Lemma 5
Without loss of generality, we assume that For this condition to hold, it should be the case that Suppose that X_{α−1} ∈ X, in which case X_α = X_k for some k ∈ P_α.
1. If k ∈ P_α[J], then there exists a trail T(X_k, X_α) such that To summarize, we have where There are two cases.
then there is no solution to the graph.

Proof of Lemma 6
We can prove the five (in)equalities as follows.
1. Each edge (P_i, Q_j, Z_α) ∈ L[G_α] falls into one of the following four cases.
• Case 1: The number of edges of this type is
• Case 2: i ∈ P_α ∩ Q_α and j ∈ Q_α \ P_α. Equations The number of such edges is
• Case 3: i ∈ P_α \ Q_α and j ∈ P_α ∩ Q_α. Similarly to Case 2, we see that the number of edges of this type is
• Case 4: i, j ∈ P_α ∩ Q_α where i ≠ j. It should be the case that Z_i ≠ Z_α and Z_j ≠ Z_α, since otherwise the resulting graph is invalid. The number of such edges is
Therefore, we conclude that Such an edge falls into at least one of the following three cases.
• Case 1: k = j_1. At most two edges fall into this case.
• Case 2: The number of such edges E is at most |{k ∈ P_{j_{β+1}} ∩ Q_{j_1} | Z_k = Z}|, where by (8) and . Such a pair (E, E′) falls into at least one of the following three cases.
• Case 1: k ∈ P_{j_{β+1}}[(I \ J) ∪ {j_1}] and l = j_1. Since and the number of pairs of edges of this type is at most A.
• Case 2: k = j_1 and l ∈ Q_{j_{β+1}}[(I \ J) ∪ {j_1}]. Similarly to Case 1, the number of pairs of edges of this type is at most A.
(a) k The number of pairs of edges of this type is at most |R_{m+1}| A.
(b) l ∼_P j_1 and w(T(P_l, P_{j_1})) = 0 for the (unique) trail T(P_l, P_{j_1}) connecting P_{j_1} and P_l, which means The number of pairs of edges of this type is at most |R_{m+1}| A.

It is easy to see that |N[G
4. Suppose that β = 1. Let M′ be the set of edges of the form either ] falls into at least one of the following three cases.
• Case 1: k = j_1. At most two edges fall into this case.
• Case 2: The number of such edges E is at most |{k ∈ P_{j_2} ∩ Q_{j_1} | Z_k = Z′}|, where by (8) Similarly to Case 2, we see that the number of edges of this type is at most |R_{m+1}|.
It is easy to see that |M[G^{++}]| ≤ 2A. Therefore, we conclude that
5. Suppose that β = 1. Let N′ denote the set of pairs of edges {E, E′} where E = ] falls into at least one of the following three cases.
• Case 1: k ∈ P_{j_2}[I] and l = j_1. Since |P_{j_2}[I]| ≤ A, the number of pairs of edges of this type is at most A.
• Case 2: k = j_1 and l ∈ Q_{j_2}[I]. Similarly to Case 1, the number of pairs of edges of this type is at most A.
• Case 3: Then at least one of the following two conditions holds: The number of pairs of edges of this type is at most |R_{m+1}| A.
(b) l ∼_P j_1 and w(T(P_l, P_{j_1})) = 0 for the (unique) trail T(P_l, P_{j_1}) connecting P_{j_1} and P_l, which means Z_l = L_1. The number of pairs of edges of this type is at most |R_{m+1}| A.

Proof of Lemma 7
Without loss of generality, we assume that I By repeatedly applying the above inequality, we have which completes the proof of Lemma 7 when β = 0. Suppose that β ≥ 1. Fix J = (α − β, α − β + 1, ..., α) without loss of generality, and let Therefore, we have where S′ denotes the set of all solutions to G^{++}. By repeatedly applying the above inequality, we have The proof is complete by (21) and (22).

Proof of Lemma 8
We will prove that if 2 ≤ α ≤ m and β ≤ α − 3, then where The proof of (23) will be given at the end of this section. Then, by Lemma 2, we obtain an upper bound on D^m_{α,1} as follows.

TPRP-based PRFs: MXoP_c and XoTP_c
In this section, we propose a PRF construction XoTP_c, and prove the security of MXoP_c and XoTP_c, where each construction is based on two n-bit TPRPs P and Q using t-bit tweaks. We will assume that they are independent TURPs.

MXoP: Multiple Instances of XoP
As stated in the introduction, similar proofs could likely be derived from previous analyses of the multi-user security of XoP. However, we could not find any explicit proof of the full security of XoP in the multi-user setting. Given a constant C ∈ {0,1}^c for an integer c such that 0 ≤ c ≤ n, a (t + n − c)-to-n bit pseudorandom function MXoP_c is defined as follows.

MXoP_c(X, Y) = P(Y, C ∥ X) ⊕ Q(Y, C ∥ X) for X ∈ {0,1}^{n−c} and Y ∈ {0,1}^t.

Security of MXoP_c. Suppose that a distinguisher D makes q queries (X_i, Y_i) ∈ {0,1}^{n−c} × {0,1}^t, obtaining the corresponding responses Z_i for i = 1, ..., q. In this way, D obtains a transcript τ = ((X_1, Y_1, Z_1), ..., (X_q, Y_q, Z_q)).
In the real world, P_i := P(Y_i, C ∥ X_i) and Q_i := Q(Y_i, C ∥ X_i) should be a solution to the following system of equations.

Γ : ...
subject to the partitions P = (P^(M))_{M ∈ {0,1}^t} and Q = (Q^(M))_{M ∈ {0,1}^t}, where ignoring repetition of the same block. Since D is allowed to make at most 2^{n−c} queries for each tweak, we have By Corollary 1, if c ≥ 4 (and hence A ≤ 2^{n−4}), then we have By Lemma 1, we obtain the following theorem.
In particular, when c = t/2 and t ≤ 2n, we have an (n +
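To make the MXoP_c interface and its per-tweak query budget concrete, the following Python code is an added example and not from the paper: P and Q are lazily sampled TURPs (class LazyTURP, driven by a seeded PRNG, both constructed here as stand-ins for the ideal objects), MXoP maps a query (X, Y) to the tweak Y and the block C ∥ X, and mxop_summary exhausts the whole (t + n − c)-bit domain for toy parameters n = 6, t = 3, c = 2, which are this example's assumptions. It reports that a single tweakable permutation under a fixed tweak never repeats an output (the property that makes a fixed-tweak TURP distinguishable beyond the birthday bound), while the xor of two independent permutations is free to collide.

```python
import random


class LazyTURP:
    """Tweakable uniform random permutation, sampled lazily: each tweak gets its own
    independent random permutation of {0,1}^n, defined one point at a time.
    Constructed stand-in for the ideal object P (not code from the paper)."""

    def __init__(self, n, rng):
        self.n = n
        self.rng = rng
        self.tables = {}   # tweak -> {block: output}
        self.images = {}   # tweak -> set of outputs already assigned under that tweak

    def __call__(self, tweak, block):
        table = self.tables.setdefault(tweak, {})
        if block not in table:
            used = self.images.setdefault(tweak, set())
            y = self.rng.getrandbits(self.n)
            while y in used:               # rejection sampling keeps P(tweak, .) injective
                y = self.rng.getrandbits(self.n)
            used.add(y)
            table[block] = y
        return table[block]


class MXoP:
    """MXoP_c(X, Y) = P(Y, C || X) xor Q(Y, C || X) for X in {0,1}^{n-c}, Y in {0,1}^t.
    Fixing the c-bit constant C restricts each tweak (each 'user') to 2^{n-c} inputs."""

    def __init__(self, P, Q, n, t, c, C=0):
        if not (0 <= c <= n and 0 <= C < (1 << c)):
            raise ValueError("need 0 <= c <= n and a c-bit constant C")
        self.P, self.Q, self.n, self.t, self.c, self.C = P, Q, n, t, c, C

    def __call__(self, x, y):
        if not 0 <= x < (1 << (self.n - self.c)):
            raise ValueError("X must be an (n-c)-bit value")
        if not 0 <= y < (1 << self.t):
            raise ValueError("Y must be a t-bit value")
        block = (self.C << (self.n - self.c)) | x   # C || X as one n-bit block
        return self.P(y, block) ^ self.Q(y, block)


def mxop_summary(n=6, t=3, c=2, seed=1):
    """Exhaust the whole (t + n - c)-bit domain of MXoP_c over lazily sampled P and Q
    (toy parameters and seed are constructed) and report what a distinguisher sees."""
    rng = random.Random(seed)
    P, Q = LazyTURP(n, rng), LazyTURP(n, rng)
    F = MXoP(P, Q, n, t, c, C=(1 << c) - 1)
    per_tweak = 1 << (n - c)
    outputs = {y: [F(x, y) for x in range(per_tweak)] for y in range(1 << t)}
    # the same points of P alone, under tweak 0: a permutation, so no repeated output
    p_alone = [P(0, (F.C << (n - c)) | x) for x in range(per_tweak)]
    return {
        "queries_per_tweak": per_tweak,                  # 2^{n-c} per user
        "total_queries": (1 << t) * per_tweak,           # 2^{t+n-c}, the full domain
        "p_outputs_distinct": len(set(p_alone)) == per_tweak,
        "min_distinct_mxop_outputs": min(len(set(v)) for v in outputs.values()),
        "all_outputs_n_bit": all(0 <= z < (1 << n) for v in outputs.values() for z in v),
    }


if __name__ == "__main__":
    print(mxop_summary())
```

Because the same PRNG drives both P and Q, the two tables are still independent permutations per tweak; only the query budget of 2^{n−c} points per tweak, enforced by the (n−c)-bit check on X, ties the example to the multi-user view of XoP used in the security argument.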

Figure 1: MXoP_c based on P and Q.

Figure 2: XoTP_c based on P and Q.

Figure 3: The threshold number of queries q as a function of the tweak size t for MXoP_{min{t/2, n}} and XoTP_{t/3}.
where (P, Q, Z) ∈ E[I] represents an edge connecting P and Q with weight Z. When I = [α], we simply write G_α to denote G[I]. By definition, G_0 = ∅. We identify G[I] with the system of equations P_i ⊕ Q_i = Z_i for i ∈ I, so G_q becomes Γ. For a set of edges F such that every edge of F connects vertices of G[I], we write G[I] ∪ F to denote (V[I], E[I] ∪ F). The number of solutions to G[I] ∪ F subject to the relations ∼_P and ∼_Q

Figure 5: Graphs G_3 and G_2 ∪ {(P_1, Q_2, 10)} in Example 1. Vertices in the same block are represented by the same shape.

Figure 6: Graphs appearing in Example 2. Vertices in the same block are represented by the same shape.
(2^n − |P_i|)(2^n − |Q_i|) ... Pr[T_id = τ] = 1/(2^n)^q, we have Pr[T_re = τ] / Pr[T_id = τ] ... and only if X_α and Y_α do not violate the constraints due to the relations ∼_P and ∼_Q