In ICISC-05, and in the ePrint 2010/287, Patarin claimed a lower bound on the number of 2q2 q tuples of nn -bit strings (P1,…,P2q)∈({0,1}n)2q(P_{1}, \ldots, P_{2q}) \in ({\{0,1\}}^{n})^{2q} satisfying P2i−1⊕P2i=λiP_{2i - 1} \oplus P_{2i} = \lambda _{i} for 1≤i≤q1 \leq i \leq q such that P1,P2,…P_{1}, P_{2}, \ldots , P2qP_{2q} are distinct and λi∈{0,1}n∖{0n}\lambda _{i} \in {\{0,1\}} ^{n} \setminus \{0^{n}\} . This result is known as Mirror theory and widely used in cryptography. It stands as a powerful tool to provide a high-security guarantee for many block cipher-(or even ideal permutation-) based designs. In particular, Mirror theory has a direct application in the security of XOR of block ciphers. Unfortunately, the proof of Mirror theory contains some unverifiable gaps and several mistakes. This paper provides a simple and verifiable proof of Mirror theory.

中文翻译：

---

镜像理论证明 尉 max = 2


在 ICISC-05 和 ePrint 2010/287 中，Patarin 声称 nn 位字符串的 2q2 q 元组数量的下界 (P1,…,P2q)ε({0,1}n)2q(P_{ 1}, \ldots, P_{2q}) \in ({\{0,1\}}^{n})^{2q} 满足 P2i−1⊕P2i=λiP_{2i - 1} \oplus P_{2i } = \lambda _{i} 对于 1≤i≤q1 \leq i \leq q 使得 P1,P2,…P_{1}, P_{2}, \ldots , P2qP_{2q} 不同且 λi∈{ 0,1}n∖{0n}\lambda _{i} \in {\{0,1\}} ^{n} \setminus \{0^{n}\} 。这一结果被称为镜像理论并广泛应用于密码学中。它是一个强大的工具，可为许多基于分组密码（甚至理想排列）的设计提供高安全性保证。特别是，镜像理论在分组密码的异或安全性方面有直接的应用。不幸的是，镜子理论的证明存在一些无法验证的漏洞和一些错误。本文为镜像理论提供了一个简单且可验证的证明。