Permutation Based EDM: An Inverse Free BBB Secure PRF

Abstract. In CRYPTO 2019, Chen et al. initiated an interesting research direction in designing PRFs based on public permutations. They proposed two beyond the birthday bound secure n-bit to n-bit PRF constructions, SoEM22 and SoKAC21, which are built on public permutations, where n is the size of the permutation. However, both of their constructions require two independent instances of public permutations. In FSE 2020, Chakraborti et al. proposed a single public permutation based n-bit to n-bit beyond the birthday bound secure PRF, which they refer to as PDMMAC. Although the construction is minimal in the number of permutations, it requires the inverse call of its underlying permutation. Coming up with a beyond the birthday bound secure public permutation based n-bit to n-bit PRF with a single permutation and two forward calls was left as an open problem in their paper. In this work, we propose pEDM, a single permutation based n-bit to n-bit PRF with two calls that does not require invertibility of the permutation. We show that our construction is secure against all adaptive information-theoretic distinguishers that make roughly up to 2^{2n/3} construction and primitive queries. Moreover, we also show a matching attack with similar query complexity that establishes the tightness of our security bound.


Introduction
Luby and Rackoff [44], in their seminal work, showed how to construct a keyed pseudorandom permutation (PRP), or in other words a block cipher, from secret keyed pseudorandom functions (PRFs). Their work was a theoretical model for formally arguing the security of the DES block cipher, which consists of r rounds of Feistel constructions invoking independent instances of keyed functions. However, the necessity of designing PRFs out of PRPs as primitives of cryptographic designs was soon realized [5], because we usually seek PRF security from a mode of operation and it is generally easier to design PRPs than PRFs. One of the biggest challenges in designing PRFs is to design a secure non-invertible round function that can be iterated multiple times to produce a secure PRF. However, iterating the non-invertible round function multiple times is hard to get right, as collision probabilities are amplified with each iteration [12,49]. Nevertheless, Mennink and Neves [49] designed a dedicated PRF called FastPRF from scratch, even though their design is based on grouping the round functions of a PRP. Moreover, there are plenty of cryptographic modes that do not require the invertibility of their underlying primitives [47,14,43,54,17,10,32,29,30,24,46]. Hence, in such cases, for realizing the PRF security of a mode of operation, it is a better and more economical choice to use PRFs as the underlying primitive of the mode rather than PRPs, which are designed to be efficient in both the forward and the inverse direction. In fact, as substantial evidence of our argument, counter mode encryption generally offers a better security guarantee when instantiated with a PRF than with a PRP, because one can distinguish counter mode with a PRP from random encryption with 2^{n/2} queries, where n is the block size of the PRP. On the other hand, counter mode with a PRF behaves identically to the random encryption scheme modulo the PRF advantage of the keyed function.
Due to the classical PRF-PRP switching lemma [20,4,6], a PRP E_k can be replaced with a PRF F_k until the number of invocations of the primitive exceeds 2^{n/2}, where n is the block size of the permutation. Such a solution is adequate when the block size of the permutation is large (e.g., AES-128). However, the solution may not be good enough when the block size is small (e.g., a block size of 64 bits). This is particularly relevant when one instantiates cryptographic schemes using lightweight block ciphers like PRESENT [16], GIFT [2], etc. The block size of such lightweight block ciphers is typically 64 bits. As a result, if one uses these block ciphers as PRFs in cryptographic designs, they can ensure only 32 bits of security, which is not practical in today's world of computational power. As a remedy, the exploration of cryptographic designs that retain security even after invoking the primitive more than 2^{n/2} times began. Such designs are popularly known as beyond birthday bound (BBB) secure designs. In this direction, Hall et al. [41] proposed a BBB secure PRF, called Truncation, that takes an n-bit block cipher E_k and truncates the result to a bits. This construction was later proven to be secure up to 2^{n−a/2} queries [3,37]. Bellare et al. [5] proposed the Sum of Permutations (SoP) construction, SoP_{P_1,P_2}(x), which returns the xor of the outputs of two independent n-bit permutations. This construction was proven to be secure up to 2^{2n/3} queries [45], and recently it has been shown to be secure up to 2^n queries [28]. Cogliati and Seurin [24] proposed another candidate beyond birthday bound secure PRF, which they call the Encrypted Davies-Meyer (EDM) construction, and they showed that EDM achieves 2n/3-bit security:

EDM_{P_1,P_2}(x) := P_2(P_1(x) ⊕ x).
Later, in [48], Mennink and Neves showed the optimal security of the construction. In the same paper, they also proposed a dual variant of EDM, which they referred to as EDMD,

EDMD_{P_1,P_2}(x) := P_2(P_1(x)) ⊕ P_1(x),

and showed its optimal PRF security. However, the proofs of both constructions are inherently based on a debated result of Mirror theory for general ξ_max [35]. Guo et al. [39] proposed SUMPIP, a contender of the SoP construction. In contrast to the single permutation variant of SoP, which takes an (n − 1)-bit input, SUMPIP is the first single permutation based PRF that takes an n-bit input and returns an n-bit output. In the same paper, the authors also showed that the single permutation variants of EDM and EDMD achieve 2n/3-bit security. Concurrently, Cogliati and Seurin [25] also showed 2n/3-bit security for the single-keyed EDM construction. Very recently, Gunsing and Mennink [38] proposed a new approach to designing a block cipher based PRF, which they refer to as the Summation-Truncation Hybrid (STH) technique. STH takes an (n − 1)-bit input x, truncates the leftmost a bits of E(x‖0) and E(x‖1), and sums the discarded n − a bits of E(x‖0) and E(x‖1) to produce an (n + a)-bit output. They showed the construction provides 2^{n−a/2} bits of security, where n − a is the number of discarded bits.

Permutation Based Cryptography
All the above-discussed PRFs are built using a block cipher as their underlying primitive, and, what is more, in most constructions this primitive is evaluated only in the forward direction. As block ciphers are designed to be efficient in both the forward and the inverse direction, they are over-engineered primitives for such a purpose [22]. On the other extreme, cryptographic public permutations are particularly designed to be fast in the forward direction, but not necessarily in the inverse. Examples of such permutations include Keccak [8], Gimli [7], SPONGENT [15], etc. Moreover, in most cases evaluating an unkeyed public permutation is faster than evaluating a keyed block cipher, as the latter involves evaluating the underlying key scheduling algorithm each time the block cipher is invoked in the design. Moreover, we do not need to store the round keys in permutation based designs, and designing a permutation is usually simpler than designing a block cipher. In this regard, we would like to quote the following statement of Bertoni et al. [9]: ". . . the inverse mapping of block ciphers imposes a separation of the processing of the n + k bits of the input. The key is processed in a key schedule and the data in the data path, and there can be no diffusion from the data path to the key schedule, which strongly limits the potential diffusion . . . Such a restriction is not present in the design of cryptographic permutations as they do not make a distinction between the processing of key and data input as there is no specific key input."
With the advent of public permutation based designs and the efficiency of evaluating them in the forward direction, numerous public permutation based inverse-free hash and authenticated encryption designs have been proposed [53,17,50,32,7,31,19,26]. The use of cryptographic permutations gained momentum during the SHA-3 competition [53]. Furthermore, the selection of the permutation based Keccak sponge function as the SHA-3 standard has given the community a high level of confidence in using this primitive. Today, the permutation based sponge construction has become a successful and full-fledged alternative to block cipher based modes. In fact, in the first round of the ongoing NIST lightweight competition [52], 24 out of 57 submissions are based on cryptographic permutations, and out of those 24, 16 permutation based proposals have qualified for the second round. These statistics depict the wide adoption of permutation based designs [17,7,10,19,26,32] in the community. However, most permutation based cryptographic schemes generally provide a lower security bound with respect to the permutation state size. For example, most sponge-based modes, in general, provide c/2 bits of security (exceptions are [17,27]), where c < b is the capacity part of the permutation and b is its total state size. Nevertheless, the state size of a permutation is typically larger than the block size of a message (e.g., the state size of KECCAK is 1600 bits), making the birthday bound adequate in practice. However, the state sizes of lightweight permutations such as SPONGENT [15] and PHOTON [40] go as low as 88 and 100 bits, respectively. For these types of permutations, birthday bound solutions are inadequate. Thus, it is highly interesting to design public permutation based cryptographic schemes that provide beyond the birthday bound security with respect to the permutation state size. This line of research was initiated by Chen et al.
in [23], where they proposed two fixed-input and fixed-output length beyond birthday bound secure PRFs based on public permutations: one in the parallel mode and the other in the sequential mode. (i) For the parallel mode, they showed that the sum of two independent instances of the Even-Mansour [36] cipher, which they refer to as SoEM22, SoEM22^{P_1,P_2}_{k_1,k_2}(x), provides tight 2n/3-bit security. This construction was later extended by Bhattacharya et al. [11], where they showed the beyond birthday bound security of the domain separated variant of SoEM22. They also proved that one cannot reduce the number of keys of SoEM22 without degrading the security bound to the birthday limit. (ii) For the sequential mode, Chen et al. proposed SoKAC21, which was proven to have tight 2n/3-bit security. However, later in [51], Nandi exhibited a birthday bound attack on SoKAC21, falsifying the security claim of the construction. In [18], PDMMAC requires an n-bit key k and an n-bit public permutation P to generate the output as follows: They extended the construction towards designing a BBB secure single permutation and single keyed variant of a nonce based MAC (footnote 2). Although minimally structured, PDMMAC and its related MAC constructions, i.e., PDM*MAC [18] and 1K-PDM*MAC [18], require the invertibility of the permutation P (similar to the design of DWCDM [30]). However, the inverse call in PDMMAC somewhat negates one of the advantages of using cryptographic permutations in a mode, i.e., the efficiency of evaluating the permutation in the forward direction. In fact, it was stated as an open problem in [18] to design a BBB secure single permutation based PRF with two forward calls. Not only this, inverse-free designs have become one of the important design aspects in today's cryptography, as designs that rely solely on forward calls of the permutation have a very low footprint in a combined implementation of the mode [13]. Therefore, until now we do not have any beyond birthday bound secure single permutation based fixed input and fixed output length PRF that operates in sequential mode with two forward calls (footnote 3).

Our Contribution
In this paper, we propose pEDM, the first fixed-input and fixed-output length single permutation based beyond the birthday bound secure PRF that operates in a sequential mode without requiring the inverse call of the permutation. Our design is motivated by the EDM construction. In particular, pEDM, with 2n-bit keys and an n-bit public permutation, takes an n-bit input and returns an n-bit output as follows:

Footnote 2: A single permutation based nonce based MAC was also proposed in [34] that does not require invertibility of the permutation.

Footnote 3: Chen et al. [23] showed an n/2-bit attack on the SoKAC1 construction. However, Chakraborti et al. [18] claimed that the attack is possibly wrong and showed a 2n/3-bit attack on it. They also conjectured that this attack bound is indeed tight.
We show that pEDM is secure against all adaptive information-theoretic distinguishers that make roughly up to 2^{2n/3} construction and primitive queries. We also show a matching attack of the same complexity and establish the tightness of the security bound. Note that we could directly realize a permutation based PRF by instantiating the block cipher of the single-keyed variant of the EDM construction with the 2-round Even-Mansour cipher. But that leads to 4 permutation calls in total with 6n-bit keys. Compared to such a straightforward solution, our construction saves 2 permutation calls and 4n-bit keys altogether. Although pEDM uses a single permutation with no inverse functionality, the number of keys required is one more than the number of keys required in PDMMAC. Currently, we do not know whether our construction is prone to a birthday attack with a single key. However, we believe that it can be proven secure beyond the birthday bound with only an n-bit key. We show the PRF advantage of this construction through an extended distinguishing game and apply the expectation method to bound its distinguishing advantage. In Table 1, we compare the structures of several public permutation based PRFs with single-block input, single-block output and multi-block input, multi-block output designs.

Table 1 (caption): = n − log(w + 1), where w ≥ 1 is the size of a chunk in the CENC based construction. The last three constructions require a keyed hash function with at most blocks input. The number of keys for those constructions includes the hash keys as well. All the constructions except CENCPP* and DS-CENCPP* require two permutation calls. Although SoKAC1 has been shown to have a birthday bound attack and SoKAC21 is beyond the birthday bound secure [23], Chakraborti et al. [18] believed that the birthday bound attack on SoKAC1 is possibly wrong and showed an attack on it with 2^{2n/3} query complexity. Moreover, Nandi [51] has shown a birthday bound attack on SoKAC21.

Preliminaries
Basic Notations. For a set X, x ←$ X denotes that x is sampled uniformly at random from X and is independent of all other random variables defined so far. We write x ← y to denote that y is assigned to the variable x. For any natural number q, [q] denotes the set {1, . . ., q}. We denote the empty set as ∅. We say two sets X and Y are disjoint if X ∩ Y = ∅. We denote their union as X ⊔ Y (which we refer to as the disjoint union). Let X = (X_1, . . ., X_s) be a finite collection of finite sets. We say X is a disjoint collection if for each j ≠ j' ∈ [s], X_j and X_{j'} are disjoint. The size of X, denoted as For a disjoint collection X = (X_1, . . ., X_s, X_{s+1}), we write X \ X_{s+1} to denote the collection (X_1, . . ., X_s). For two disjoint collections X = (X_1, . . ., X_s) and Y = (Y_1, . . ., Y_s), we say If X is inter disjoint with Y, then we denote their union as X ⊔ Y. Moreover, |X ⊔ Y| = |X| + |Y|. For a set S and for a finite disjoint collection of finite sets X = (X_1, . . ., X_s), we write S \ X to denote S \ (X_1 ⊔ . . . ⊔ X_s). For a finite set X ⊆ {0, 1}^n and for an arbitrary non-zero element a ∈ {0, 1}^n, X ⊕ a denotes the set {x ⊕ a : x ∈ X}.
For any natural number n, {0, 1}^n denotes the set of all binary strings of length n. We denote |{0, 1}^n| as N = 2^n throughout the paper. For integers 1 ≤ b ≤ a, (a)_b denotes a(a − 1) . . . (a − b + 1), where (a)_0 = 1 by convention. We denote the set of all n-bit permutations P as P(n). Let Z^1 = (z^1_1, . . ., z^1_q) and Z^2 = (z^2_1, . . ., z^2_q) be two finite tuples of length q such that for each i ∈ [q], z^1_i, z^2_i ∈ {0, 1}^n. We say an n-bit permutation For a given tuple of ordered pairs Q = ((x_1, y_1), . . ., (x_q, y_q)), where the x_i's and the y_i's are pairwise distinct n-bit strings, we define the following two sets: We say that an n-bit permutation P ∈ P(n) extends Q, which we denote as P → Q, if for all i ∈ [q], P(x_i) = y_i. We say that Q is extendable if there exists at least one P ∈ P(n) such that P → Q.
We generalize this notion to more than one tuple of ordered pairs. Let Q = (Q_1, . . ., Q_s) such that for each j ∈ [s], Q_j is defined as Q_j = ((x^j_1, y^j_1), . . ., (x^j_{q_j}, y^j_{q_j})), where the x^j_i's and the y^j_i's are pairwise distinct n-bit strings. Now, for each j ∈ [s], we define the following two sets: ) and Y = (Ran(Q_1), . . ., Ran(Q_s)) become two disjoint collections of finite sets. We say that an n-bit permutation P ∈ P(n) extends Q, which we denote as P → Q, if for all j ∈ [s], P → Q_j. As an alternative notation for P → Q, we also write

A Simple Result on Probability
In this section, we recall two simple probability results from [33] that will be used in proving the security of the construction.
(x^j_1, y^j_1), . . ., (x^j_{q_j}, y^j_{q_j})). Moreover, for each j, j' Setting s = 1 in the above proposition gives the following simple corollary:

Public Permutation Based Pseudorandom Functions
Let F : K × X → Y be a keyed function, where K, X and Y are the key space, input space and output space, respectively. We assume that F makes internal calls to the public random permutations P = (P_1, . . ., P_d) for d ≥ 1, where all of the d permutations are independent and uniformly sampled from P(n) for some n ∈ N. Similarly, we write P^{−1} = (P^{−1}_1, . . ., P^{−1}_d) to denote the d-tuple of inverse permutations. For simplicity, we write F^P_k to denote F with uniform k and uniform P.
A distinguisher D is given access either to the oracle F^P_k in the real world or to a random function RF that maps elements from X to Y in the ideal world. Apart from making queries to either of these two oracles, D can also make queries to the permutations P and P^{−1} in both worlds. A query of the former type, where the distinguisher interacts with either F^P_k or RF, is called a construction query, and a query of the latter type is called a primitive query. A primitive query to the permutation is called a forward primitive query and one to the inverse of the permutation is called an inverse primitive query. The PRF advantage of D against F in the public permutation model is defined as where (i) D^O ⇒ 1 denotes that the distinguisher D is given access to the oracle O, interacts with it, and outputs 1 after the interaction, and (ii) the above probability is defined over the randomness of k ←$ K, P_1, . . ., P_d ←$ P(n) and the randomness of the distinguisher (if any). We say D is a (q, p, t)-distinguisher if D makes a total of q construction queries and p primitive queries and runs in at most t steps. We write where the maximum is taken over all (q, p, t)-distinguishers D. In this paper, we skip the time parameter of the distinguisher, as we assume throughout the paper that the distinguisher is computationally unbounded and hence deterministic.

Sum Capture Lemma
In this section, we state a variant of the sum capture lemma [1] used in [21]. Informally, the result states that when choosing a random subset A of GF(2^n) (or more generally any abelian group) of size q, the value is at most q|B||C|/N, except with negligible probability. Chen et al. [21] proved the result for a different setting where A arises from the interaction of an adversary with a random permutation P, namely A = {x ⊕ y : (x, y) ∈ Q}, where Q is the transcript of the interaction between the adversary and the permutation. We employ a similar result in our setting, which is stated as follows:

Lemma 1. Let RF be a random function that maps elements from {0, 1}^n to {0, 1}^n. Let D be some probabilistic distinguisher that makes q adaptive queries to RF. Let Q = ((x_1, y_1), . . ., (x_q, y_q)) denote the transcript of the interaction of D with RF. For any two subsets U and V of {0, 1}^n, let Then, assuming 9n ≤ q ≤ N/2, we have where the probability is taken over the random choices of RF and the random coins ω of D.
As most of its proof is similar to that of [21], we defer the proof of the above lemma to Supplementary Sect. 7.

pEDM: Permutation Based Encrypted Davis Meyer Construction
In this section, we propose pEDM, the first permutation based sequential beyond birthday bound secure pseudorandom function with two forward permutation calls. Our construction is a permutation variant of the Encrypted Davies-Meyer (EDM) construction with 2n-bit masking keys. pEDM takes an n-bit input x, which is masked with an n-bit round key k_1 to generate the input of the first permutation call. Let this input be x' = x ⊕ k_1. The permutation output P(x') is then masked with k_2 ⊕ x' to generate the input for the second permutation call, which we denote as x'', where k_1 and k_2 are two independent n-bit round keys. Then the second permutation output P(x'') is masked with the round key k_1 to generate the final output y. A schematic diagram of the construction is shown in Fig. 3.1.

Fig. 3.1: pEDM construction with k_1 and k_2 independent keys and P an n-bit permutation.

In the following, we prove that pEDM is 2n/3-bit secure in the public permutation model, where n is the state size of the permutation.

Security of pEDM
We show that pEDM is secure against all adversaries that make roughly N^{2/3} construction and primitive queries in the random permutation model, where N = 2^n. In the following, we state the security result of pEDM, the proof of which is deferred to Sect. 4.
Theorem 1. Let P ←$ P(n) be an n-bit public random permutation and let k_1, k_2 ←$ {0, 1}^n be two independent n-bit keys. Then the PRF advantage of any (q, p)-distinguisher against the construction pEDM^P_{k_1,k_2} that makes at most q construction queries and p primitive queries is given by

Remark 1. We would like to mention here that one can realize a construction by omitting the involvement of the key k_1 in the feed-forward connection of pEDM. In other words, y is another valid construction with a similar level of security. Viewed another way, our proposed construction can be seen as a 2-round key-alternating cipher based on a permutation based Davies-Meyer construction and a permutation, whereas the construction y can be equivalently viewed as an Even-Mansour cipher based Davies-Meyer construction followed by an application of the permutation. We believe that both are similar in performance and result in a similar security bound.
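As an added toy implementation (ours, not the paper's code) of the pEDM construction described in Sect. 3 and of the Remark 1 variant: n = 8 so that the whole domain can be enumerated, a seeded shuffle stands in for the public permutation P, and the Remark 1 variant follows our reading that only the k_1 term of the feed-forward is dropped. A one-round Even-Mansour cipher is included for contrast, and the permutation wrapper counts calls so that the two-forward-calls, no-inverse property can be checked mechanically.

```python
import random

# Toy state size so the whole domain {0,1}^n can be enumerated (constructed;
# the paper's P is an n-bit permutation such as Keccak-f or Gimli).
N_BITS = 8


def make_public_permutation(n, seed=2021):
    """Constructed stand-in for a public n-bit permutation P: a fixed, seeded
    shuffle of {0,1}^n. Public means anyone can evaluate it; no secret inside."""
    rng = random.Random(seed)
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


class CountingPermutation:
    """Public permutation with call counters, so a construction's
    'two forward calls, no inverse' property can be verified, not just claimed."""

    def __init__(self, table):
        self.table = table
        self.inverse_table = [0] * len(table)
        for x, y in enumerate(table):
            self.inverse_table[y] = x
        self.forward_calls = 0
        self.inverse_calls = 0

    def P(self, x):
        self.forward_calls += 1
        return self.table[x]

    def P_inv(self, y):
        self.inverse_calls += 1
        return self.inverse_table[y]


def pedm(perm, k1, k2, x):
    """pEDM as described in Sect. 3:
    x' = x ⊕ k1,  x'' = P(x') ⊕ x' ⊕ k2,  y = P(x'') ⊕ k1."""
    x1 = x ^ k1
    x2 = perm.P(x1) ^ x1 ^ k2      # feed-forward of x' = x ⊕ k1, plus the second key
    return perm.P(x2) ^ k1         # second forward call, masked again with k1


def pedm_remark1(perm, k1, k2, x):
    """Remark 1 variant (our reading): k1 is dropped from the feed-forward,
    so the second input is P(x ⊕ k1) ⊕ x ⊕ k2 instead of P(x') ⊕ x' ⊕ k2."""
    x1 = x ^ k1
    x2 = perm.P(x1) ^ x ^ k2
    return perm.P(x2) ^ k1


def even_mansour(perm, k1, k2, x):
    """One-round Even-Mansour cipher P(x ⊕ k1) ⊕ k2: a permutation (PRP),
    included only to contrast with the PRF behaviour of pEDM."""
    return perm.P(x ^ k1) ^ k2


def evaluate_all(f, perm, k1, k2, n=N_BITS):
    """Evaluate f on the full n-bit domain; returns (outputs, number of distinct outputs)."""
    outputs = [f(perm, k1, k2, x) for x in range(1 << n)]
    return outputs, len(set(outputs))


def demo(n=N_BITS, k1=0x5A, k2=0xC3):
    """Run pEDM over the whole toy domain and report the properties a reviewer
    would check: outputs are n-bit, P is called exactly twice per query, the
    inverse is never touched, and, unlike Even-Mansour, outputs collide
    (pEDM is a PRF candidate, not a permutation)."""
    perm = CountingPermutation(make_public_permutation(n))
    outputs, distinct = evaluate_all(pedm, perm, k1, k2, n)
    report = {
        "n_bits_output": all(0 <= y < (1 << n) for y in outputs),
        "forward_calls_per_query": perm.forward_calls / (1 << n),
        "inverse_calls": perm.inverse_calls,
        "pedm_distinct_outputs": distinct,
        "even_mansour_distinct_outputs": evaluate_all(even_mansour, perm, k1, k2, n)[1],
    }
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```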

Matching Attack on pEDM
In this section, we show a matching key-recovery attack on pEDM with a total of 2^{2n/3+1} construction queries and 2^{2n/3+2} primitive queries. The idea of the attack is to collect triplets of query indices (i, j, k) is the number of construction queries and p = 2^{2n/3+1} is the number of primitive queries that the distinguisher will make to the permutation P, such that We consider k_1 to be a potential candidate key if the number of triplets (i, j, k) in S_{k_1} is at least two such that holds. We show that the true key belongs to the set of potential candidate keys with high probability and that the size of the set of candidate keys is not very large. We construct a deterministic adversary A that recovers the key of pEDM by making a total of 2^{2n/3+1} construction queries and 2^{2n/3+2} primitive queries as follows:

Notation: For a tuple (x_1, x_2, . . ., x_s) of length s, where each

Attack Algorithm:

3. A creates two lists: U_1, which stores u_j for j ∈ [2^{2n/3+1}], and another list U_2, which stores u_j for j ∈ [2^{2n/3+1} + 1, 2^{2n/3+2}]. We denote the elements of U_1 as u^1_j, i.e., u^1_j ← u_j for 1 ≤ j ≤ 2^{2n/3+1}, and the elements of U_2 as u^2_k, i.e., u^2_k ← u_{k+2^{2n/3+1}} for 1 ≤ k ≤ 2^{2n/3+1}.

4. Then A makes queries to the primitive P with u^1_j for j ∈ [2^{2n/3+1}] and obtains the responses v^1_j ← P(u^1_j). A makes another set of queries to the primitive P with u^2_k for k ∈ [2^{2n/3+1} + 1, 2^{2n/3+2}] and obtains the corresponding responses v^2_k ← P(u^2_k).

For each k
We initialize K to the empty set ∅, which we call the set of candidate keys.
Claim 1. Let (k^*_1, k^*_2) be the true key, i.e., the pair of keys used in the construction. Then, we have

We defer the proof of the claim to the following section. However, the first equation of the claim says that the true key k^*_1 belongs to the set of candidate keys with high probability, and the second equation says that the probability that the number of candidate keys is at least 128 is at most 1/2. Before proceeding with the analysis of the attack, we recall the Chernoff bound for the sum of independent Bernoulli trials as follows:

Lemma 2. Let X_1, X_2, . . ., X_n be independent random variables following the Bernoulli distribution such that X_i takes the value 1 with probability p_i and 0 with probability

Analysis of the Key-Recovery Advantage
In this section, we prove Claim 1. In particular, we carry out the two probability analyses of Claim 1 in the following two steps.

Step I: The true key belongs to the set of candidate keys. According to step (6) of the algorithm, an element k_1 gets included in the set K if the following two conditions hold: where S_{k_1} is the set of all triplets (i, j, k) ∈ ([2^{2n/3+1}])^3, as defined in step (5) of the algorithm, such that the following holds: For the true key (k^*_1, k^*_2), let z_i be the input variable of the second permutation call of the construction, i.e., . Note that all the x_i's are without-replacement variables, and so are the x_i ⊕ k^*_1. Moreover, the variables P(x_i ⊕ k^*_1) are again sampled without replacement and independently of the variables x_i ⊕ k^*_1. Therefore, each z_i is a sum of two independently sampled without-replacement random variables, and due to the result on the sum of two independent permutations [35,28], the distribution of all z_i's is uniform. Now note that, for the first part k^*_1 of the true key pair (k^*_1, k^*_2), if it happens that for some (i, j, k) ∈ ([2^{2n/3+1}])^3, (§) holds, where k_1 in (§) is replaced by the true key k^*_1, then one can reveal the second part k^*_2 of the true key pair As a result, for the true key k^*_1 and for (i, j, k), (i', j', k') gets automatically satisfied. Therefore, to bound Eqn. (3), it is enough to bound the probability that there exist at least two distinct tuples (i, j, k), (i', j', k') such that Again, for the first part k^*_1 of the true key pair (k^*_1, k^*_2), if it happens that for some (i, j, k), (i', j', k') ∈ ([2^{2n/3+1}])^3 the following equations are satisfied, namely then it also satisfies ( ). As a result, it is enough to bound the probability that there exist at least two distinct tuples (i, j, k), (i', j', k') such that (†) is satisfied. We bound the probability in two stages. In the first stage, we bound the number of i such that z_i ∈ U_2, and we store such i in list L_1. Let L_x be the set of all In the second stage, we lower bound the probability that the number of j such that u^1_j ∈ L_x is at least 2.
Stage-I: Let Z_i be the indicator random variable that takes the value 1 if z_i ∈ U_2. It is easy to see that the Z_i are independent Bernoulli random variables with success probability 2/2^{n/3}. Let Z = (Z_1 + . . . + Z_{2^{2n/3+1}}). Then Z ∼ Bin(2^{2n/3+1}, 2/2^{n/3}) and therefore, By applying the Chernoff bound as stated in Lemma 2 with δ = 1/2, we have (5) Therefore, Eqn. (5) says that the size of list L_1, and in turn the size of list L_x, is at least 2^{n/3+1} with high probability.
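The Stage-I calculation carried through, as an added derivation (not from the paper), using the standard multiplicative Chernoff lower-tail bound $\Pr[Z \le (1-\delta)\mu] \le e^{-\delta^2 \mu/2}$ with $\mu = \mathbb{E}[Z]$ in place of Lemma 2 as stated above; here $Z = |L_1|$ by definition of $L_1$:

$\mu = \mathbb{E}[Z] = 2^{2n/3+1} \cdot \frac{2}{2^{n/3}} = 2^{n/3+2}$

$\Pr\left[|L_1| \le 2^{n/3+1}\right] = \Pr\left[Z \le \tfrac{1}{2}\mu\right] \le \exp\left(-\frac{(1/2)^2 \cdot 2^{n/3+2}}{2}\right) = \exp\left(-2^{n/3-1}\right)$

so $|L_1| \ge 2^{n/3+1}$, and hence $|L_x| \ge 2^{n/3+1}$, except with probability at most $e^{-2^{n/3-1}}$.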
Stage-II: Let L_x be the list of all x_i ⊕ k^*_1 such that i ∈ L_1. Therefore, to bound the probability that there exist at least two distinct tuples (i, j, k), (i', j', k') such that ( ) holds, we bound the following: We write Eqn. (6) as

(7)
Bounding A: To bound A, we note that u^1_1, . . ., u^1_{2^{2n/3+1}} are without-replacement samples from {0, 1}^n. Moreover, |L_x| = 2^{n/3+1}. By simple algebra, we have

Bounding B: Bounding B is similar to that of A.
where the last inequality follows from ) ≤ 2 as n ≥ 3. Therefore, from Eqn. (7), Eqn. (8), Eqn. (9) and by plugging in the value e ≤ 3, we have

Step-II: Bounding the cardinality of K \ {k^*_1}. To upper bound the probability that |K \ {k^*_1}| ≥ 128, we use Markov's inequality. In particular, we have Therefore, it is enough to upper bound the expected size of the set of candidate keys K \ {k^*_1}. For each k_1 ∈ {0, 1}^n, let I_{k_1} be the indicator random variable that takes the value 1 if there exist (i, j, k), (i', j', k') such that the following holds: Otherwise, the indicator random variable I_{k_1} takes the value 0. It is easy to see using the linearity of expectation that Therefore, it boils down to upper bounding the probability that I_{k_1} takes the value 1. For a fixed choice of indices i, j, k and i', j', k', the above system of equations holds with probability at most 2^{−5n}, as all the random variables are independent of each other. The number of choices of indices is at most (2^{n/3+1})^6. Therefore, we have From Eqn. (12) and Eqn. (13), we have that the expected size of the set of candidate keys is at most 8. By plugging this value into Eqn. (11), we have which concludes the proof of Claim 1.
Note that in the above attack, the distinguisher is information-theoretically bounded. The run time of the attack (footnote 4) is more than 2^n. In particular, for each key k_1, the number of steps required to populate the set S_{k_1} is roughly 2^{2n}. Therefore, altogether step (5) of the algorithm takes at most 2^{4n} operations. For each key k_1 in step (6), the algorithm takes at least one checking operation for Eqn. (2) in each set S_{k_1}. Therefore, altogether step (5) of the algorithm takes 2^n operations. Therefore, the overall time complexity of the algorithm is roughly O(2^{4n}). Nevertheless, the number of construction queries is 2^{2n/3+1}, and the total number of primitive queries is 2^{2n/3+2}.

Proof of Theorem 1
Let k = (k_1, k_2) ∈ {0, 1}^{2n} be a pair of n-bit keys. We consider any information-theoretic deterministic distinguisher D that interacts with the following oracles in either the real world or the ideal world: in the real world it interacts with (pEDM^P_k, P), and in the ideal world it interacts with (RF, P), where RF is a random function from {0, 1}^n to {0, 1}^n. We call the first oracle the construction oracle and the second one the primitive oracle. A query to the construction oracle is called a construction query and a query to the primitive oracle is called a primitive query. We summarize the construction queries in a transcript τ_c = {(x_1, y_1), . . ., (x_q, y_q)} and the primitive queries in a transcript τ_p = {(u_1, v_1), . . ., (u_p, v_p)}, where we assume that D makes a total of q construction and p primitive queries. For primitive queries, D can either make a forward query u to its primitive P and receive the response v, or make an inverse query v to P^{−1} and receive the response u. Since we assume that D never makes pointless queries, none of the transcripts contain any duplicate elements.
We modify the experiment by releasing internal information to D after it has finished the interaction but has not yet output the decision bit. In the real world, we reveal the key k used in the construction, and in the ideal world, we sample a pair of n-bit dummy keys k = (k_1, k_2) uniformly at random from the keyspace {0, 1}^n and reveal it to the distinguisher. In all the following, the complete transcript is τ = (τ_c, τ_p, k). Note that the modified experiment only makes the distinguisher more powerful, and hence the distinguishing advantage of D in this experiment is in no way less than its distinguishing advantage in the former one. Let X_re denote the random variable that takes a transcript τ realized in the real world. Similarly, X_id denotes the random variable that takes a transcript τ realized in the ideal world. The probability of realizing a transcript τ = (τ_c, τ_p, k) in the ideal (resp. real) world is called the ideal (resp. real) interpolation probability. A transcript τ is said to be attainable with respect to D if its ideal interpolation probability is non-zero. Let Θ denote the set of all attainable transcripts and φ : Θ → [0, ∞) be a non-negative function that maps any attainable transcript to a non-negative real value. Following these notations, we state the main theorem of the Expectation Method [42] as follows:

Theorem 2 (Expectation Method). Let Θ = GoodT ⊔ BadT be some partition of the set of attainable transcripts. Let τ = (τ_c, τ_p, k) ∈ GoodT be an arbitrary good transcript such that p_re(τ) and there exists ε_bad ≥ 0 such that Pr[X_id ∈ BadT] ≤ ε_bad. Then,

Note that the expectation method trivially boils down to the H-Coefficient technique if φ is a constant function such that for any attainable good transcript τ, φ(τ) = c for 0 ≤ c ≤ 1. Having explained the Expectation Method in the view of our construction, we now state the following result. Recall that pEDM^P_k → τ_c denotes pEDM^P_k(x_i) = y_i for all (x_i, y_i) ∈ τ_c,
i.e., for all (x i , y i ) ∈ τ c , it must hold that P(P( Proof of this lemma is trivial to follow as the ideal interpolation probability for a good transcript is 1 (N )pN q , as the random function RF always outputs uniform random n-bit strings on each input query.
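The following is an added example, not code from the paper: a toy instantiation of the interaction model described above. $P$ is a random public permutation on $n = 8$ bits ($N = 256$); the real world answers construction queries with pEDM and the ideal world with a lazily sampled random function RF; both worlds expose $P$ in the forward and inverse direction, and the key (a dummy key in the ideal world) is released into the transcript after the interaction. The bad-transcript checks implement the conditions that are actually stated in the next section: items 1 and 2 of Definition 1, the output collision $y_i = y_j$ of B.10 and $y_i \oplus k_1 = v_j$ of B.12. Two assumptions are made here: the formula $\mathrm{pEDM}(x) = P(P(x \oplus k_1) \oplus x \oplus k_1 \oplus k_2) \oplus k_1$, recovered from the relations used later in the proof, and the concrete reading of Definition 1 as collisions of the two permutation inputs (resp. outputs) of one construction query with primitive inputs (resp. outputs).

```python
"""Toy model of the (pEDM_k^P, P) vs (RF, P) distinguishing game.
Added example; the pEDM formula and the reading of Definition 1 are
assumptions stated in the lead-in, not taken verbatim from the paper."""
import random

N_BITS = 8
N = 1 << N_BITS


class Permutation:
    """A public permutation on {0,1}^n with forward and inverse calls."""

    def __init__(self, rng=None, table=None):
        self.fwd = list(table) if table is not None else list(range(N))
        if table is None:
            rng.shuffle(self.fwd)
        self.inv = [0] * N
        for u, v in enumerate(self.fwd):
            self.inv[v] = u

    def P(self, u):
        return self.fwd[u]

    def P_inv(self, v):
        return self.inv[v]


def pedm(perm, k1, k2, x):
    """pEDM: two forward calls of the same permutation, no inverse call."""
    a = perm.P(x ^ k1)            # first permutation call
    b = a ^ x ^ k1 ^ k2           # feed-forward of the masked input
    return perm.P(b) ^ k1         # second call, output masked with k1


class World:
    """real=True: (pEDM_k^P, P); real=False: (RF, P) with a dummy key."""

    def __init__(self, real, seed):
        self.rng = random.Random(seed)
        self.perm = Permutation(self.rng)
        self.real = real
        self.k1 = self.rng.randrange(N)   # real key, or the dummy key if ideal
        self.k2 = self.rng.randrange(N)
        self.rf = {}                      # lazily sampled random function
        self.tau_c, self.tau_p = [], []

    def construct(self, x):
        if self.real:
            y = pedm(self.perm, self.k1, self.k2, x)
        else:
            y = self.rf.setdefault(x, self.rng.randrange(N))
        self.tau_c.append((x, y))
        return y

    def prim_fwd(self, u):
        v = self.perm.P(u)
        self.tau_p.append((u, v))
        return v

    def prim_inv(self, v):
        u = self.perm.P_inv(v)
        self.tau_p.append((u, v))
        return u

    def transcript(self):
        """tau = (tau_c, tau_p, k): the key is released after the interaction."""
        return self.tau_c, self.tau_p, (self.k1, self.k2)


def bad_events(tau):
    """List the bad conditions (as read in the lead-in) witnessed by tau."""
    tau_c, tau_p, (k1, k2) = tau
    U = {u for u, _ in tau_p}
    V = {v for _, v in tau_p}
    found = []
    for x, y in tau_c:
        in1, out2 = x ^ k1, y ^ k1          # first input, second output
        # Defn. 1 item 1 (inputs): first input equals some u, and the
        # resulting second input v ^ x ^ k1 ^ k2 also lies in U.
        for u, v in tau_p:
            if in1 == u and (v ^ x ^ k1 ^ k2) in U:
                found.append(("defn1-inputs", x))
        # Defn. 1 item 1 (outputs): second output equals some v', and the
        # implied first output u' ^ x ^ k1 ^ k2 also lies in V.
        for u2, v2 in tau_p:
            if out2 == v2 and (u2 ^ x ^ k1 ^ k2) in V:
                found.append(("defn1-outputs", x))
        # Defn. 1 item 2: both the first input and the second output collide.
        if in1 in U and out2 in V:
            found.append(("defn1-input-output", x))
        if out2 in V:
            found.append(("B.12", x))       # y_i ^ k1 = v_j
    ys = [y for _, y in tau_c]
    if len(ys) != len(set(ys)):
        found.append(("B.10", None))        # y_i = y_j for some i != j
    return found


def experiment(real, seed, q, p):
    """q distinct construction queries, p primitive queries alternating
    forward/inverse; returns the released transcript and its bad events."""
    w = World(real, seed)
    for x in w.rng.sample(range(N), q):
        w.construct(x)
    for i, a in enumerate(w.rng.sample(range(N), p)):
        (w.prim_fwd if i % 2 == 0 else w.prim_inv)(a)
    tau = w.transcript()
    return tau, bad_events(tau)
```

With the identity permutation the feed-forward cancels the first call and pEDM degenerates to the constant $k_1 \oplus k_2$, which is a handy sanity check of the wiring; with a random $P$ the bad-event list of an ideal-world transcript is what Lemma 4 bounds in probability.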

Definition and Probability of Bad Transcripts
In this section we define the bad transcripts and bound their probability in the ideal world. For a transcript $\tau = (\tau_c, \tau_p, k_1, k_2)$ we define the following sets:
We say that a construction query $(x, y) \in \tau_c$ is non-colliding if $y' \neq y$ for every other $(x', y') \in \tau_c$. We now characterize the set of bad transcripts. The crux of identifying the bad events is to identify the two-fold collisions depicted in Fig. 4.1.

Definition 1. An attainable transcript $\tau = (\tau_c, \tau_p, k)$ is called a bad transcript if any one of the following holds:
1. The inputs (resp. outputs) of the two consecutive permutation calls of some construction query are both not fresh.
2. Both the input and the output of some construction query are not fresh.
Recall that $\mathrm{BadT} \subseteq \Theta$ is the set of all attainable bad transcripts and $\mathrm{GoodT} = \Theta \setminus \mathrm{BadT}$ is the set of all attainable good transcripts. We bound the probability of bad transcripts in the ideal world as follows.
Lemma 4. Let $\tau = (\tau_c, \tau_p, k)$ be any attainable transcript, and let $X_{id}$ and $\mathrm{BadT}$ be defined as above. Then:

Proof. Let $\tau = (\tau_c, \tau_p, k_1, k_2)$ be any attainable transcript. Recall that in the ideal world $k_1$ and $k_2$ are sampled uniformly and independently from the keyspace. By the union bound, we have:
In the following we bound the probabilities of the bad events individually; the lemma then follows by adding the individual bounds.
Bounding B.1. Fix $(x, y) \in \tau_c$ and $(u, v), (u', v') \in \tau_p$. The probability that the event holds for these queries is $N^{-2}$, by the randomness of the keys $k_1$ and $k_2$. Summing over all choices of $(x, y) \in \tau_c$ and $(u, v), (u', v') \in \tau_p$, we have:

Bounding B.2. Fix $(x, y) \in \tau_c$ and $(u, v), (u', v') \in \tau_p$. The probability that the event holds for these queries is $N^{-2}$, by the randomness of $k_1$ and $k_2$. Summing over all choices of $(x, y) \in \tau_c$ and $(u, v), (u', v') \in \tau_p$, we have:

Bounding B.3. Fix $(x, y), (x', y') \in \tau_c$ and $(u, v) \in \tau_p$. The probability that the event holds for these queries is $N^{-2}$, by the randomness of $k_1$ and $k_2$. Summing over all choices of $(x, y), (x', y') \in \tau_c$ and $(u, v) \in \tau_p$, we have:

Bounding B.4. By the same reasoning as for B.3, we have:

Bounding B.5. To bound the event B.5 we consider the following set:
Therefore, for any $\Delta > 0$, we have:
Now it is easy to see that:
To bound the probability of the event B.13, we define an indicator random variable:
For fixed $i, j$ we have $\Pr[I_{ij} = 1] = N^{-1}$. This is because either both $(u_i, v_i)$ and $(u_j, v_j)$ are backward queries, in which case $u_i$ and $u_j$ are random values, or at least one of them (w.l.o.g. $(u_j, v_j)$) is a forward query, in which case $v_j$ is random. Hence, by linearity of expectation, we have:
Therefore, by Markov's inequality, we have:
where (1) follows from Eqn. (23). Now we bound the probability of $B.6 \wedge B.13$. For a fixed pair $(x, y), (x', y') \in \tau_c$ and a fixed pair $(u, v), (u', v') \in \tau_p$, the probability that the event holds is:
Note that, as $u \neq u'$, the probability of the event is well defined. Since we consider the probability of B.6 conditioned on the event B.13, the number of pairs $(u, v), (u', v') \in \tau_p$ satisfying the event is at most $\sqrt{p}$. Moreover, the number of choices for $(x, y) \in \tau_c$ is $q$, which leaves at most one choice for $(x', y') \in \tau_c$, since choosing $(x, y)$ determines $(x', y')$, namely $x' = x \oplus u \oplus u'$. Hence:
Combining Eqn. (22), Eqn. (24) and Eqn. (25), we have:

Bounding B.7. To bound the event B.7 we need to bound the following event:
For a fixed pair $(x, y), (x', y') \in \tau_c$ and $(u, v), (u', v') \in \tau_p$, the above event holds with probability $N^{-2}$ due to the independence of $y$ and $y'$. The number of choices for $(x, y), (x', y')$ is at most $q^2$ and the number of choices for $(u, v)$ is at most $p$, which leaves at most one choice for $(u', v')$. Hence, varying over all choices of $(x, y), (x', y') \in \tau_c$ and $(u, v), (u', v') \in \tau_p$, we have:

Bounding B.8. To bound the event B.8, fix $(x, y), (x', y') \in \tau_c$ and $(u, v) \in \tau_p$; the probability that the event holds is:
Summing over all choices of $(x, y), (x', y') \in \tau_c$ and $(u, v) \in \tau_p$, we have:

Bounding B.9. To bound the event B.9, we define an indicator random variable $I_{ijk}$ that is set to 1 if and only if $(x_i, y_i), (x_j, y_j), (x_k, y_k) \in \tau_c$ satisfy the following:
Therefore, we have $\sigma = \sum_{i,j,k} I_{ijk}$. For fixed $i, j, k$ we have $\Pr[I_{ijk} = 1] = N^{-1}$, by the randomness of $k_1$.
By linearity of expectation, we have:
Therefore, by Markov's inequality, we have:
where (2) follows from Eqn. (29).

Bounding B.10. To bound the event B.10, we define an indicator random variable $I_{ij}$ that is set to 1 if and only if $(x_i, y_i), (x_j, y_j) \in \tau_c$ satisfy $y_i = y_j$. Therefore, we have:
For fixed $i, j$ we have $\Pr[I_{ij} = 1] = N^{-1}$, by the independence of $y_i$ and $y_j$.
By linearity of expectation, we have:
Therefore, we have:
where (3) follows from Eqn. (31).

Bounding B.11. To bound the event B.11, we define an indicator random variable:
For fixed $i, j$ we have $\Pr[I_{ij} = 1] = N^{-1}$, by the randomness of $k_1$. By linearity of expectation, we have:
Therefore, by Markov's inequality, we have:
where (4) follows from Eqn. (33).

Bounding B.12. To bound the event B.12, we define an indicator random variable $I_{ij}$ that is set to 1 if and only if $(x_i, y_i) \in \tau_c$ and $(u_j, v_j) \in \tau_p$ satisfy $y_i \oplus k_1 = v_j$. Therefore, we have:
For fixed $i, j$ we have $\Pr[I_{ij} = 1] = N^{-1}$, by the randomness of $k_1$. By linearity of expectation, we have:
Therefore, by Markov's inequality, we have:
where (5) follows from Eqn. (35). Using Eqn. (15) to Eqn. (36), the result follows.
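As an added worked computation (not part of the paper), the Markov-inequality step used for B.10 and B.12 above, carried out with the page's own symbols. The displayed thresholds of the bad events are not reproduced on the page, so the threshold $M = q/N^{1/3}$ is taken from Lemma 5 and Section 4.5, where $s \geq q - M$ is required; the constants below depend on that assumption.

\[
\begin{aligned}
C_{10} &= \sum_{1 \leq i < j \leq q} I_{ij}, \qquad \Pr[I_{ij} = 1] = N^{-1}, \\
\mathbb{E}[C_{10}] &= \binom{q}{2} N^{-1} \leq \frac{q^{2}}{2N}, \\
\Pr[C_{10} \geq M] &\leq \frac{\mathbb{E}[C_{10}]}{M} \leq \frac{q^{2}}{2N} \cdot \frac{N^{1/3}}{q} = \frac{q}{2N^{2/3}}, \\[4pt]
C_{12} &= \sum_{i \in [q],\, j \in [p]} I_{ij}, \qquad \Pr[I_{ij} = 1] = N^{-1}, \\
\mathbb{E}[C_{12}] &\leq \frac{qp}{N}, \qquad
\Pr[C_{12} \geq M] \leq \frac{qp}{N} \cdot \frac{N^{1/3}}{q} = \frac{p}{N^{2/3}}.
\end{aligned}
\]

Both terms are small only when $q$ and $p$ are well below $N^{2/3} = 2^{2n/3}$, which is where the $2^{2n/3}$ query bound of Theorem 1 comes from; a threshold of order $q/N^{1/2}$ instead of $q/N^{1/3}$ would already push the first term to $q/(2N^{1/2})$, i.e. back to the birthday bound.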

Analysis of Good Transcripts
In this section we state that for a good transcript $\tau = (\tau_c, \tau_p, k)$, realizing $\tau$ is almost as likely in the real world as in the ideal world. More formally:

Lemma 5 (Good Lemma). Let $\tau = (\tau_c, \tau_p, k) \in \mathrm{GoodT}$ be a good transcript, and let $X_{re}$ and $X_{id}$ be defined as above. For any integer $t$ with $0 \leq t \leq q/N^{1/3}$, we have:

The proof of this lemma is the most difficult part of the paper, so we devote the following separate section to it. The result then follows by applying Theorem 2 (the Expectation Method) with Lemma 4 and Lemma 5.

Proof of Good Lemma
In this section we prove that for a good transcript $\tau = (\tau_c, \tau_p, k)$, realizing it in the real world is (almost) as likely as realizing it in the ideal world. Recall from Lemma 3 that, to compute the ratio of the real to the ideal interpolation probability of a good transcript $\tau$, one needs to compare $p(\tau)$ with $N^{q}$. Therefore, it is enough to establish a lower bound on $p(\tau)$.

Establishing Lower bound on p(τ )
First, for a good transcript $\tau = (\tau_c, \tau_p, k)$, recall that $U$ is the set of all domain points of the primitive queries and $V$ the set of all their range points. Since $\tau = (\tau_c, \tau_p, k_1, k_2)$ is a good transcript, we can partition the set of construction queries $\tau_c$ into a finite number of disjoint groups as follows:
Having defined these sets, we claim that they are disjoint and that they exhaust the set of construction queries $\tau_c$. By the definition of bad transcripts we have:
and by definition we have:
Hence, we have the following result:
Note that, since $\tau$ is a good transcript, we have:
Let $E_U$ denote the event $\mathrm{pEDM}^{P}_{k} \to Q_U$; similarly, let $E_V$ denote the event $\mathrm{pEDM}^{P}_{k} \to Q_V$ and $E_0$ the event $\mathrm{pEDM}^{P}_{k} \to Q_0$. Now it is easy to see that:
Thus, it is enough to establish a good lower bound on $p_1(\tau)$ and $p_2(\tau)$ for a good transcript $\tau$.

Lower Bound of p 1 (τ )
To lower bound $p_1(\tau)$, we define the following sets:
Conditioned on $P \to \tau_p$, $P$ is fixed on exactly $p$ input-output pairs. For each $(x, y) \in Q_U$ there is a unique $u \in U$ with $x \oplus k_1 = u$, so the first permutation output $P(x \oplus k_1)$ is well defined. This leads us to define the following two additional sets:
In the following we show that every element of $D_1$ is distinct and does not collide with any primitive query output; similarly, every element of $S_2$ is distinct and does not collide with any primitive query input.
Proposition 3. Every element of D 1 is distinct and does not collide with any primitive query output.Similarly, every element of S 2 is distinct and does not collide with any primitive query input.
Proof. The distinctness of the elements of $D_1$ follows from $\neg$B.6. Moreover, if an element of $D_1$ collided with a primitive query output, condition B.2 would be satisfied. This shows that:
By definition, every element of $S_2$ is distinct and does not collide with any primitive query input (otherwise condition B.2 would be satisfied). Hence:
In particular, the above result says that $|D_1| = \alpha$ and $|S_2| = \beta$. We now state the following proposition, which says that the elements of $X_1$ are distinct and $X_1$ is disjoint from $S_1$ and $S_2$; similarly, the elements of $X_2$ are distinct and $X_2$ is disjoint from $D_1$ and $D_2$.
Proposition 4. Every element of $X_1$ is distinct and:

Proof. For the sake of contradiction, assume that two elements of $X_1$ coincide. But this implies that condition B.7 holds, so $\tau$ is not a good transcript. Thus every element of $X_1$ is distinct. Moreover, no element of $X_1$ collides with a primitive query input, otherwise condition B.1 would be satisfied; this implies $X_1 \cap S_1 = \emptyset$. Moreover, $X_1 \cap S_2 = \emptyset$ follows from $\neg$B.4. Thus we have:
For the second part of the proof, assume for the sake of contradiction that two elements of $X_2$ coincide. But this implies that condition B.8 holds, so $\tau$ is not a good transcript. Thus every element of $X_2$ is distinct. Moreover, no element of $X_2$ collides with a primitive query output, otherwise condition B.3 would be satisfied; this implies $X_2 \cap D_2 = \emptyset$. Moreover, $X_2 \cap D_1 = \emptyset$ follows from $\neg$B.5. Thus we have:
From Proposition 3 and Proposition 4 it follows that the domain of $Q_1$ is disjoint from the domain of $Q_2$, and both are disjoint from $U$. Similarly, the range of $Q_1$ is disjoint from the range of $Q_2$, and both are disjoint from $V$. Therefore $X = (U, X_1, S_2)$ and $Y = (V, D_1, X_2)$ are disjoint collections, and from Proposition 2 one has:

Lower Bound on p 2 (τ )
In the last section we have seen that $P$ is fixed on $\alpha + \beta$ input-output pairs (apart from the $p$ primitive input-output pairs), and that the collection of input and output sets of $P$ explored there is $X = (U, X_1, S_2)$ and $Y = (V, D_1, X_2)$. Recall that we have defined the set:
For simplicity, we rename the elements of $Q_0$ as $Q_0 = \{(x_1, y_1), (x_2, y_2), \ldots, (x_{q'}, y_{q'})\}$, where $q' = q - \alpha - \beta$. It is easy to see that:
where $\mathcal{Y}$ is the set of distinct responses. Let $r = |\mathcal{Y}|$, let $S$ (defined below) be the set of non-colliding queries of $Q_0$, and let $s = |S|$:
Since $\tau$ is a good transcript, $s \geq q - M$ where $M = q/N^{1/3}$, otherwise B.10 would be satisfied. Now we bound the probability that a permutation $P$ realizes $Q_0$, i.e., we need to lower bound the number of permutations $P$, already fixed on $\alpha + \beta$ input-output pairs, such that the following holds:
Note that the equations in Eqn. (39) are not independent, since both permutation calls are made to the same permutation $P$. For example, if there exist two queries $(x, y)$ and $(x', y')$ in $Q_0$ such that:
Similarly, if $P(x \oplus k_1) = y' \oplus k_1$, then one must have $P(x' \oplus k_1) \oplus x' \oplus k_1 \oplus k_2 = x \oplus k_1$. For simplicity, one could count only permutations $P$, already fixed on $\alpha + \beta$ input-output pairs, such that for any query $(x, y)$ the following holds:
however, this only leads to a birthday bound. Hence, to get a bound beyond the birthday bound, we need to allow collisions and count more precisely. For this, we consider permutations $P$, already fixed on $\alpha + \beta$ input-output pairs, such that the following holds for $t$ pairs $((x, y), (x', y'))$ of distinct non-colliding queries, where $t$ is some sufficiently large value:
However, we must be careful to choose the $t$ pairs of distinct non-colliding queries so that they do not create any incompatibility with the other queries.

Counting Collisions
To this end, we define an index set $I = \{i \in [q'] : (x_i, y_i) \in S\}$, and let $I^{(2)}$ denote the set of all ordered pairs of distinct elements of $I$, i.e., $I^{(2)} = \{(i, j) : i, j \in I, i \neq j\}$.

Definition 2. For a fixed positive integer $t$, an unordered set of $t$ ordered pairs of indices $I_t = \{(i_1, j_1), (i_2, j_2), \ldots, (i_t, j_t)\} \subseteq I^{(2)}$ is good if it satisfies the following conditions:

for some permutation $P$ which is already fixed on $\alpha + \beta$ input-output pairs. Such a dependency pair is said to be of length 1. Now, from (a) and (b) we have the following two equalities:
Both equalities impose the distinctness of the permutation output $x_{i_l} \oplus x_{j_l} \oplus k_2$, as its inputs $x_{i_l} \oplus k_1$ and $x_{j_l} \oplus k_1$ are distinct; this justifies condition (1) of Definition 2. Similarly, (a) and (b) also impose that these permutation outputs do not collide with any primitive output (i.e., with the elements of $V$), as their corresponding inputs do not collide with any primitive input (i.e., the elements of $U$); this justifies condition (3) of Definition 2. Similarly, $x_{i_l} \oplus x_{j_l} \oplus k_2$ should not collide with any element of $Y \oplus k_1$, which justifies condition (6) of Definition 2. Moreover, $x_{i_l} \oplus x_{j_l} \oplus k_2$ should not collide with any element of $X_2$, as $(x_{i_l}, y_{i_l}), (x_{j_l}, y_{j_l}) \notin Q_V$; this justifies condition (7) of Definition 2. Note that Eqn. (a) also imposes the following equality:
Now we require that $P(x_{j_l} \oplus k_1) \oplus (x_{j_l} \oplus k_1 \oplus k_2)$, or equivalently $y_{i_l} \oplus x_{j_l} \oplus k_2$, be distinct, which justifies condition (2) of Definition 2. Moreover, it should not collide with any other element of $X \oplus k_1$, otherwise that would extend the length of the dependency pair by 1; this justifies condition (5) of the definition. Similarly, $y_{i_l} \oplus x_{j_l} \oplus k_2$ should not collide with any primitive input, as $y_{j_l} \oplus k_1$ does not collide with any primitive output; this justifies condition (4) of the definition. We also require that $y_{i_l} \oplus x_{j_l} \oplus k_2$ does not collide with any element of $X_2$, otherwise $y_{j_l} \oplus k_1 \in D_1$, which is impossible as $(x_{j_l}, y_{j_l}) \notin Q_U$; this justifies condition (8) of Definition 2.
Lemma 6. Fix an integer $t$ with $0 \leq t \leq M$. Then the number of good sets $I_t$ of $t$ pairs of non-colliding queries is at least:

Proof. First, observe that among the $s(s-1)$ possible pairs of non-colliding query indices $(i_1, j_1)$, at most $2\sigma + 2p + \alpha + \beta$ do not satisfy conditions (3) to (8). Indeed, by the definition of a good transcript (more precisely, condition B.9), there cannot be more than $\sigma$ pairs $((x_{i_l}, y_{i_l}), (x_{j_l}, y_{j_l}))$ such that $y_{i_l} \oplus x_{j_l} \oplus k_2 \in X \oplus k_1$, and there cannot be more than $\sigma$ pairs $((x_{i_l}, y_{i_l}), (x_{j_l}, y_{j_l}))$ such that:
Similarly, by condition B.11 there cannot be more than $\alpha$ pairs such that $y_{i_l} \oplus x_{j_l} \oplus k_2 \in X_1$, and by condition B.12 there cannot be more than $\beta$ pairs such that $x_{j_l} \oplus x_{i_l} \oplus k_2 \in X_2$. Hence, we can lower bound the number of good sets $I_t$ as follows:
- $(i_1, j_1)$ can be chosen among at least $s(s-1) - 2\sigma - 2p - \alpha - \beta$ possibilities;
- once $(i_1, j_1)$ is fixed, $i_2$ can be chosen freely from the remaining $s - 2$ possibilities; then $j_2$ must be different from $i_1$, $j_1$ and $i_2$, and moreover we need $x_{j_2} \oplus x_{i_2} \neq x_{j_1} \oplus x_{i_1}$ and $y_{i_2} \oplus x_{j_2} \neq y_{i_1} \oplus x_{j_1}$, so there are at least $s - 5$ choices for $j_2$; after removing the at most $2\sigma + 2p + \alpha + \beta$ pairs of queries not satisfying (3) to (8), at least $(s-2)(s-5) - 2\sigma - 2p - \alpha - \beta$ possibilities remain for the pair $(i_2, j_2)$;
- assuming $(i_1, j_1), (i_2, j_2), \ldots, (i_{l-1}, j_{l-1})$ have been chosen, $i_l$ can be chosen freely from the $s - 2l + 2$ remaining possibilities; then $j_l$ must be different from $i_1, j_1, \ldots, i_{l-1}, j_{l-1}, i_l$.
From now on we fix an integer $t$ with $0 \leq t \leq M$ and a good set $I_t = \{(i_1, j_1), \ldots, (i_t, j_t)\}$. For a good set $I_t$, we define the following set:
We are now interested in lower bounding the number of permutations $P$ that are already fixed on $\alpha + \beta$ input-output pairs and satisfy the following, i.e., for every $l \in [t]$, $P(x_{i_l} \oplus k_1) \oplus x_{i_l} \oplus k_1 \oplus k_2 = x_{j_l} \oplus k_1$:
Note that a permutation $P$ which is already fixed on $\alpha + \beta$ input-output pairs satisfies Eqn. (40) for the $2t$ queries appearing in $I_t$ if and only if for all $l \in [t]$ we have the following:
This set of $3t$ equalities is input-output compatible, as $I_t$ is a good set. Now it is easy to see that the sets in the following collection are pairwise disjoint:
Similarly, all the sets in the following collection are pairwise disjoint:
Thus, we define the following sets:
It is easy to see that $|X'| = q + p + \alpha + t$ and $|Y'| = r + 2t + p + \beta$, where recall that $r = |\mathcal{Y}|$. It remains to consider the remaining $q' - 2t$ queries $(x, y) \in Q_0$ with $(x, y) \notin Q_{I_t}$. To this end, let $q'' = q' - 2t = q - \alpha - \beta - 2t$ be the number of remaining queries in $Q_0 \setminus Q_{I_t}$, let $s' = s - 2t$ be the number of non-colliding queries in $Q_0 \setminus Q_{I_t}$, and let $r' = r - 2t$ be the number of distinct oracle responses appearing in these queries. Following the approach of [25], we regroup the elements of $Q_0 \setminus Q_{I_t}$ such that all queries with the same output become consecutive, and write the queries as follows:
where $y_1, \ldots, y_{r'}$ are distinct. Moreover, we have $q_1 + \cdots + q_{r'} = q''$. For ease of later computation, we assume that in this grouping all non-colliding queries appear first, followed by the colliding queries, i.e., $q_i = 1$ for $i \in [s']$ and $q_i > 1$ for $i \in \{s'+1, \ldots, r'\}$. Our goal is now to lower bound the number of permutations $P \in \mathcal{P}(n)$ which are already fixed on $\alpha + \beta$ input-output pairs and, in addition to satisfying the above $3t$ equalities, also satisfy the following:
For this, we sample all intermediate values $z = P^{-1}(y \oplus k_1)$, which leads us to the second step of the proof.

Sampling Intermediate Values
Let $z = (z_1, z_2, \ldots, z_{r'})$ be a sequence of $r'$ $n$-bit values. We say that $z$ is good if it satisfies the following conditions:
Note that for any good tuple $z = (z_1, \ldots, z_{r'})$, the following set of equalities is compatible with all previously defined input-output pairs:
Moreover, a permutation $P$ satisfying these equations is such that $P$ realizes the remaining queries. In the following, we count the number of good tuples $z$.

Lemma 7. Fix an integer $t$ with $0 \leq t \leq M$ and a good set $I_t$. Then the number of good tuples $z = (z_1, \ldots, z_{r'})$ is at least:

Proof. To count the number of good tuples $z$, note that the number of valid choices for $z_1$ is at least:
Once the value of $z_1$ is fixed, $z_2$ can be chosen as follows:
Thus, the number of valid choices for $z_2$ is at least $N - 1 - (q + p + \alpha + t) - q_2(r + 2t + p + \beta + q_1)$.
In general, after choosing the values $z_1, \ldots, z_{i-1}$, we choose the value of $z_i$; in that case the number of valid choices for $z_i$ is at least:
This is because $z_i$ cannot be equal to any of $z_1, \ldots, z_{i-1}$, which accounts for the term $i - 1$ in the above expression; $z_i \notin X'$ introduces the term $(q + p + \alpha + t)$; and the remaining condition introduces the term $q_i(q_1 + \cdots + q_{i-1})$. Therefore, overall, the number of good tuples $z$ is at least:
For ease of computation, we split Eqn. (63) into two parts: the first part comprises the $s'$ non-colliding queries and the second part the colliding queries. Therefore, we have:
Computing A: To compute A, we have the following.
This completes the proof of Lemma 5. It only remains to compute the expectation of $\phi(\tau)$, as follows.

Computing the Expectation. We compute the expectation of $\phi(\tau)$ over the randomness of the permutation $P$ as follows:
It remains to compute the expectation of the random variable $t$ over the randomness of the permutation $P$. Let $t_i$ be the indicator random variable that takes the value 1 if $P(x_i \oplus k_1) \oplus x_i \oplus k_2 \in X$, for $1 \leq i \leq M$. Therefore, it is easy to see that:
Since $t = t_1 + \cdots + t_M$, by linearity of expectation we have:
where the last inequality holds because $M = q/N^{1/3}$ and $q' \leq q$. Therefore, from Eqn. (59), we have:
Theorem 1 follows from Theorem 2, Lemma 4 and Eqn. (60), which concludes the proof of the security result.

Conclusion and Future Works
This paper has proposed an inverse-free, single-permutation-based, beyond-birthday-bound secure PRF that requires a $2n$-bit key. One could also achieve the same goal using the single-permutation-based tweakable Even-Mansour cipher [33]; however, that solution comes at the cost of implementing costly universal hash functions. Moreover, parallel modes like nEHtM$_p$, SoEM22 or DS-SoEM also achieve beyond-birthday-bound PRF security, but again nEHtM$_p$ requires a universal hash function, SoEM22 requires two independent permutations, and DS-SoEM takes only an $(n-1)$-bit input. It would be interesting to study a sequential design of an inverse-free single-permutation-based PRF with only an $n$-bit key. We believe that pEDM can be turned into a single-permutation-based, beyond-birthday-bound secure nonce-based MAC by xoring the output of an almost-xor-universal hash function in between the two permutation calls (in the flavour of EWCDM [24]).
For real-valued functions $f, g : \{0,1\}^n \to \mathbb{R}$, we denote the inner product of $f$ and $g$ as follows:
The convolution of $f$ and $g$ is denoted as $(f * g)(x) = \sum_{y \in \{0,1\}^n} f(y)\, g(x \oplus y)$ for all $x \in \{0,1\}^n$.
For a given $\alpha \in \{0,1\}^n$, the character associated with $\alpha$ is denoted $\chi_\alpha : \{0,1\}^n \to \{+1, -1\}$ and defined as $\chi_\alpha(x) = (-1)^{\alpha \cdot x}$. $\chi_0$ is called the principal character, and all other $\chi_\alpha$ with $\alpha \neq 0$ are called non-principal characters. Now, given a real-valued function $f : \{0,1\}^n \to \mathbb{R}$ and $\alpha \in \{0,1\}^n$, the Fourier coefficient of $f$ corresponding to $\alpha$ is defined as follows:
The coefficient corresponding to $\alpha = 0$ is called the principal Fourier coefficient, and all other coefficients are called non-principal Fourier coefficients. Note that the principal Fourier coefficient of the characteristic function $I_S$ of a set $S$ is the following:
Having defined the necessary notation, we now recall three important results of Fourier analysis that hold for any functions $f, g : \{0,1\}^n \to \mathbb{R}$, any $\alpha \in \{0,1\}^n$ and any $S \subseteq \{0,1\}^n$, as follows:
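The following is an added example, not code from the paper's appendix: Fourier analysis on $\{0,1\}^n$ with the characters $\chi_\alpha(x) = (-1)^{\alpha \cdot x}$ defined above. Because the appendix's displayed formulas are not reproduced on the page, the normalisation $\hat{f}(\alpha) = \frac{1}{N}\sum_x f(x)\chi_\alpha(x)$ is an assumption made here; with it, the principal coefficient of $I_S$ is $|S|/N$, the convolution theorem reads $\widehat{f * g}(\alpha) = N \hat{f}(\alpha)\hat{g}(\alpha)$ and Parseval's identity reads $\sum_\alpha \hat{f}(\alpha)^2 = \frac{1}{N}\sum_x f(x)^2$. The code computes all $N$ coefficients with the fast Walsh-Hadamard butterfly and checks these identities against the definitions.

```python
"""Fourier (Walsh-Hadamard) analysis on {0,1}^n.  Added example; the
normalisation 1/N of the coefficients is an assumption, see the lead-in."""


def dot_parity(alpha, x):
    """alpha . x over GF(2): parity of the popcount of alpha & x."""
    return bin(alpha & x).count("1") & 1


def chi(alpha, x):
    """Character chi_alpha(x) = (-1)^{alpha . x}."""
    return -1 if dot_parity(alpha, x) else 1


def fourier(f, n):
    """All N Fourier coefficients of f (indexed by alpha) via the
    in-place Walsh-Hadamard butterfly: O(N log N) instead of O(N^2)."""
    N = 1 << n
    h = [float(f[x]) for x in range(N)]
    step = 1
    while step < N:
        for i in range(0, N, 2 * step):
            for j in range(i, i + step):
                a, b = h[j], h[j + step]
                h[j], h[j + step] = a + b, a - b
        step *= 2
    return [c / N for c in h]


def fourier_naive(f, n, alpha):
    """Single coefficient straight from the definition (cross-check)."""
    N = 1 << n
    return sum(f[x] * chi(alpha, x) for x in range(N)) / N


def convolve(f, g, n):
    """(f * g)(x) = sum_y f(y) g(x xor y)."""
    N = 1 << n
    return [sum(f[y] * g[x ^ y] for y in range(N)) for x in range(N)]


def indicator(S, n):
    """Characteristic function I_S as a table over {0,1}^n."""
    return [1 if x in S else 0 for x in range(1 << n)]


def convolution_theorem_holds(f, g, n, eps=1e-9):
    """Check  hat(f*g)(alpha) == N * hat f(alpha) * hat g(alpha)  for all alpha."""
    N = 1 << n
    H, F, G = fourier(convolve(f, g, n), n), fourier(f, n), fourier(g, n)
    return all(abs(H[a] - N * F[a] * G[a]) < eps for a in range(N))


def parseval_holds(f, n, eps=1e-9):
    """Check  sum_alpha hat f(alpha)^2 == (1/N) sum_x f(x)^2."""
    N = 1 << n
    lhs = sum(c * c for c in fourier(f, n))
    rhs = sum(v * v for v in f) / N
    return abs(lhs - rhs) < eps
```

For $I_S$ with $S = \{1, 2, 5\}$ and $n = 3$ the principal coefficient is $3/8$, and the coefficient at $\alpha = 7$ is $(-1 - 1 + 1)/8 = -1/8$ since only $5 = 101_2$ has even weight; the butterfly and the naive sum agree on every $\alpha$.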

Figure 4.1: Different cases of two-fold collisions. A red edge denotes that the input/output collides with a primitive input/output. A blue edge denotes that the input collides with the input or the output of some construction query. A green edge denotes a collision among the construction queries themselves.

Table 1: Comparison table for permutation-based PRFs. $n$ denotes the state size of the permutation. Inv denotes whether the construction requires an inverse call of the permutation.