Beyond-birthday security for permutation-based Feistel networks

Abstract

Initiated by Luby and Rackoff (SIAM J. Computing, ’88), the information theoretic security of Feistel networks built upon random functions has been extensively studied. In sharp contrast, the exact security of Feistel networks built upon invertible random permutations remains largely unknown, particularly in the regime of beyond-birthday-bound. To bridge this gap, we reduce the problem to counting solutions to systems of linear equations and non-equations, and then derive lower bounds for the number of such solutions via a technical lemma. These yield known-plaintext security against \(2^{2n/3}\) adversarial queries at 3 rounds, \(2^{2n/3}\) chosen-plaintext security at 5 rounds, and \(2^{2n/3}\) chosen-ciphertext security at 7 rounds. To our knowledge, these are the first beyond-birthday bounds for permutation-based Feistel. As potential applications, these give rise to beyond-birthday secure domain extenders for blockciphers with efficiency among the best known.

Appendices

A Proof for Theorem 1

Since this appendix is rather independent, and has little interaction with all the other arguments in this paper, we abuse some notations.

Assume that the total number of blocks is \(\theta \), and the number of equations in the i-th block (following any fixed order) is \(s _i\). Recall from Eq. (2) that in our (specific) setting, equations inherently appear in pairs, and such a pair of equations \(P_{\varphi (a_i)}\oplus P_{\varphi (b_i)}=\lambda _i,P_{\varphi (b_i)}\oplus P_{\varphi (c_i)}=\lambda _i'\) are in the same block since \(P_{\varphi (b_i)}\) appears in both. Consequently, \(s _i\) has to be even for every i.

We consider the \(\theta \) blocks in turn. First, consider the 1st block of equations. As per Eq. (2), assume that these equations are

$$\begin{aligned}&\bigg \{ P_{\varphi (a_1)}\oplus P_{\varphi (b_1)}=\lambda _1,P_{\varphi (b_1)} \oplus P_{\varphi (c_1)}=\lambda _1',\ldots ,\\&\qquad P_{\varphi (a_{s _1/2})}\oplus P_{\varphi (b_{s _1/2})} =\lambda _{s _1/2},P_{\varphi (b_{s _1/2})} \oplus P_{\varphi (c_{s _1/2})}=\lambda _{s _1/2}'\bigg \}. \end{aligned}$$

This assumption is wlog since we can always reorder the 2q equations to have this property. Now, the number of choices for the unknown \(P_{\varphi (a_1)}\) is clearly N. Once \(P_{\varphi (a_1)}\) is fixed, all the other unknowns in this block are fixed via the equations, and these values never contradict due to the circle-freeness and non-degeneracy conditions. Therefore, the number of solutions to the 1st block of equations is exactly N.

Next, consider the \(\ell \)-th block of equations, let \(S _{\ell -1}=\sum _{i=1}^{\ell -1}s _i\), and assume that:

• The \(s _\ell \) equations are \(P_{\varphi (a_{S _{\ell -1}/2+1})}\oplus P_{\varphi (b_{S _{\ell -1}/2+1})} =\lambda _{S _{\ell -1}/2+1},P_{\varphi (b_{S _{\ell -1}/2+1})}\oplus P_{\varphi (c_{S _{\ell -1}/2+1})} =\lambda _{S _{\ell -1}/2+1}',\ldots \), \(P_{\varphi (a_{S _{\ell -1}/2+s _\ell /2})}\oplus P_{\varphi (b_{S _{\ell -1}/2+s _\ell /2})} =\lambda _{S _{\ell -1}/2+s _\ell /2}\), \(P_{\varphi (b_{S _{\ell -1}/2+s _\ell /2})}\oplus P_{\varphi (c_{S _{\ell -1}/2+s _\ell /2})} =\lambda _{S _{\ell -1}/2+s _\ell /2}'\);

• The numbers of the three types of unknowns in this block are \(\alpha _{\ell },\beta _{\ell }\), and \(\gamma _{\ell }\) resp. Formally,

  • The number of distinct values in \(\{\varphi (a_{S _{\ell -1}/2+1}), \ldots ,\varphi (a_{S _{\ell -1}/2+s _\ell /2})\}\) is \(\alpha _{\ell }\);

  • The number of distinct values in \(\{\varphi (b_{S _{\ell -1}/2+1}), \ldots ,\varphi (b_{S _{\ell -1}/2+s _\ell /2})\}\) is \(\beta _{\ell }\);

  • The number of distinct values in \(\{\varphi (c_{S _{\ell -1}/2+1}), \ldots ,\varphi (c_{S _{\ell -1}/2+s _\ell /2})\}\) is \(\gamma _{\ell }\).

• The numbers of the three types of unknowns in all the previous \(\ell -1\) blocks are \(A_{\ell },B_{\ell }\), and \(C_{\ell }\) resp. Formally,

  • The number of distinct values in \(\{\varphi (a_1),\ldots ,\varphi (a_{S _{\ell -1}/2})\}\) is \(A_{\ell }\);

  • The number of distinct values in \(\{\varphi (b_1),\ldots ,\varphi (b_{S _{\ell -1}/2})\}\) is \(B_{\ell }\);

  • The number of distinct values in \(\{\varphi (c_1),\ldots ,\varphi (c_{S _{\ell -1}/2})\}\) is \(C_{\ell }\).

With these notations, consider the unknown \(P_{\varphi (a_{S _{\ell -1}/2+1})}\). As the other unknowns in this block can be determined once \(P_{\varphi (a_{S _{\ell -1}/2+1})}\) is fixed, its value characterizes a candidate solution. A right solution of \(P_{\varphi (a_{S _{\ell -1}/2+1})}=r\) should avoid three types of collision. Formally, we consider \(N(\ell )\) the number of r values such that, for any \(i\in \{S _{\ell -1}/2+1, \ldots ,S _{\ell -1}/2+s _\ell /2\}\) and any \(j\in \{1,\ldots ,S _{\ell -1}/2\}\), it holds:

• \(P_{\varphi (a_{i})}(r)\ne P_{\varphi (a_{j})}\), where \(P_{\varphi (a_{i})}(r)\) is the concrete value of \(P_{\varphi (a_{i})}\) decided by \(P_{\varphi (a_{S _{\ell -1}/2+1})}=r\) and the other equations in this block. This excludes at most \(A_{\ell }\alpha _{\ell }\) possible candidates;

• \(P_{\varphi (b_{i})}(r)\ne P_{\varphi (b_{j})}\). This excludes at most \(B_{\ell }\beta _{\ell }\) possible candidates;

• \(P_{\varphi (c_{i})}(r)\ne P_{\varphi (c_{j})}\). This excludes at most \(C_{\ell }\gamma _{\ell }\) possible candidates.

We thus have \(N(\ell )\ge N-A_{\ell }\alpha _{\ell } -B_{\ell }\beta _{\ell }-C_{\ell }\gamma _{\ell }\). As such, the total number of solutions for the 2q equations is at least

$$\begin{aligned} \prod _{\ell =1}^{\theta }N(\ell )\ge \prod _{\ell =1}^{\theta } (N-A_{\ell }\alpha _{\ell }-B_{\ell }\beta _{\ell }-C_{\ell }\gamma _{\ell }). \end{aligned}$$

As per Eq. (3), we need to compare \(\prod _{\ell =1}^{\theta }N(\ell )\) with the term \(\frac{(N)_{|{\mathcal {I}}_1|} (N)_{|{\mathcal {I}}_2|}(N)_{|{\mathcal {I}}_3|}}{N^{2q}}\). For this we make a useful observation: recall that by our assumption, the number of distinct unknowns in the \(\ell \)-th block is \(\alpha _\ell +\beta _\ell +\gamma _\ell \). This means the number of equations in the \(\ell \)-th block is \(\alpha _\ell +\beta _\ell +\gamma _\ell -1\) since the system is circle-free. As the total number of equations is 2q, we have the following decomposition

$$\begin{aligned} 2q=\sum _{\ell =1}^{\theta }\big (\alpha _\ell +\beta _\ell +\gamma _\ell -1\big ). \end{aligned}$$

In addition, we have \(\sum _{\ell =1}^{\theta }\alpha _\ell =|{\mathcal {I}}_1|\), \(\sum _{\ell =1}^{\theta }\beta _\ell =|{\mathcal {I}}_2|\), and \(\sum _{\ell =1}^{\theta }\gamma _\ell =|{\mathcal {I}}_3|\) by definitions. We thus have

$$\begin{aligned}&\frac{N^{2q}\prod _{\ell =1}^{\theta }(N-A_{\ell }\alpha _{\ell } -B_{\ell }\beta _{\ell }-C_{\ell }\gamma _{\ell })}{(N)_{|{\mathcal {I}}_1|} (N)_{|{\mathcal {I}}_2|}(N)_{|{\mathcal {I}}_3|}} \nonumber \\&\quad = \prod _{\ell =1}^{\theta }\frac{N^{\alpha _\ell +\beta _\ell +\gamma _\ell -1}(N-A_{\ell }\alpha _{\ell }-B_{\ell }\beta _{\ell } -C_{\ell }\gamma _{\ell })}{(N-A_{\ell })_{\alpha _{\ell }} (N-B_{\ell })_{\beta _{\ell }}(N-C_{\ell })_{\gamma _{\ell }}} \nonumber \\&\quad \ge \prod _{\ell =1}^{\theta }\frac{N^{\alpha _\ell +\beta _\ell +\gamma _\ell -1}(N-A_{\ell }\alpha _{\ell }-B_{\ell }\beta _{\ell }-C_{\ell } \gamma _{\ell })}{(N-A_{\ell })^{\alpha _{\ell }}(N-B_{\ell })^{\beta _{\ell }} (N-C_{\ell })^{\gamma _{\ell }}}. \end{aligned}$$

(25)

For the \(\ell \)-th denominator, we have

$$\begin{aligned}&(N-A_{\ell })^{\alpha _{\ell }}(N-B_{\ell })^{\beta _{\ell }} (N-C_{\ell })^{\gamma _{\ell }} \nonumber \\&\quad \le \big (N^{\alpha _{\ell }}-A_{\ell }\alpha _{\ell } N^{\alpha _{\ell }-1}+A_{\ell }^2\alpha _{\ell }^2N^{\alpha _{\ell }-2}\big ) \nonumber \\&\qquad \cdot \big (N^{\beta _{\ell }}-B_{\ell }\beta _{\ell }N^{\beta _{\ell }-1} +B_{\ell }^2\beta _{\ell }^2N^{\beta _{\ell }-2}\big ) \cdot \big (N^{\gamma _{\ell }}-C_{\ell }\gamma _{\ell } N^{\gamma _{\ell }-1}+C_{\ell }^2\gamma _{\ell }^2N^{\gamma _{\ell }-2}\big ) \end{aligned}$$

(26)

$$\begin{aligned}&\quad \le N^{\alpha _{\ell }+\beta _{\ell }+\gamma _{\ell }} - (A_{\ell }\alpha _{\ell } +B_{\ell }\beta _{\ell }+C_{\ell }\gamma _{\ell })\cdot N^{\alpha _{\ell }+\beta _{\ell } +\gamma _{\ell }-1} +M_{\ell }\cdot N^{\alpha _{\ell }+\beta _{\ell }+\gamma _{\ell }-2}, \end{aligned}$$

(27)

where \(M_{\ell }=A_{\ell }^2\alpha _{\ell }^2+B_{\ell }^2\beta _{\ell }^2 +C_{\ell }^2\gamma _{\ell }^2+A_{\ell }\alpha _{\ell }B_{\ell }\beta _{\ell }+A_{\ell } \alpha _{\ell }C_{\ell }\gamma _{\ell }+B_{\ell }\beta _{\ell }C_{\ell }\gamma _{\ell }\). The proofs of Eqs. (26) and (27) are purely algebraic and deferred to the end for cleanness. By this, Eq. (25) has a lower bound as

$$\begin{aligned}&\ge \prod _{\ell =1}^{\theta }\bigg (1- \frac{ M_{\ell }\cdot N^{\alpha _{\ell } +\beta _{\ell }+\gamma _{\ell }-2}}{(N-A_{\ell })^{\alpha _{\ell }} (N-B_{\ell })^{\beta _{\ell }}(N-C_{\ell })^{\gamma _{\ell }}}\bigg )\nonumber \\&\ge \prod _{\ell =1}^{\theta }\bigg (1- \frac{ (A_{\ell }\alpha _{\ell } +B_{\ell }\beta _{\ell }+C_{\ell }\gamma _{\ell })^2\cdot N^{\alpha _{\ell } +\beta _{\ell }+\gamma _{\ell }-2}}{(N-\omega )^{\alpha _{\ell }+\beta _{\ell } +\gamma _{\ell }}}\bigg ). \end{aligned}$$

(28)

Denote \(v_\ell =\alpha _{\ell }+\beta _{\ell }+\gamma _{\ell }\le \xi \) for simplicity. Since \(\omega \le N/\xi \le N/v_\ell \), we have

$$\begin{aligned} \frac{1}{(N-\omega )^{v_\ell }}\le \Big (\frac{v_\ell }{v_\ell -1}\Big )^{v_\ell } \cdot \frac{1}{N^{v_\ell }}=\Big (1+\frac{1}{v_\ell -1}\Big ) \cdot \Big (1+\frac{1}{v_\ell -1}\Big )^{v_\ell -1}\cdot \frac{1}{N^{v_\ell }} \le \frac{2e}{N^{v_\ell }}\le \frac{6}{N^{v_\ell }}. \end{aligned}$$

Thus Eq. (28) has a lower bound as (note that \(\sum _{\ell =1}^{\theta } v_\ell =\omega \))

$$\begin{aligned} \ge \prod _{\ell =1}^{\theta }\bigg (1- \frac{ 6v_\ell ^2(A_{\ell } +B_{\ell }+C_{\ell })^2\cdot N^{v_\ell -2}}{N^{v_\ell }}\bigg )&\ge \prod _{\ell =1}^{\theta }\bigg (1- \frac{ 6v_\ell ^2\omega ^2}{N^2}\bigg )\\&\ge 1-\frac{ 6\xi \omega ^2\sum _{\ell =1}^{\theta } v_\ell }{N^2} \\&\ge 1-\frac{ 6\xi \omega ^3}{N^2}, \end{aligned}$$

which finally implies Eq. (3).

1.1 A.1 Justifying Eq. (26)

We show \((N-A_{\ell })^{\alpha _{\ell }}\le N^{\alpha _{\ell }} -A_{\ell }\alpha _{\ell }N^{\alpha _{\ell }-1}+A_{\ell }^2 \alpha _{\ell }^2N^{\alpha _{\ell }-2}\), and proofs of the other two follow similarly. It’s easy to verify the correctness when \(\alpha _{\ell }=1\), 2, or 3. When \(\alpha _{\ell }\ge 4\), we have

$$\begin{aligned} (N-A_{\ell })^{\alpha _{\ell }}&= N^{\alpha _{\ell }}-A_{\ell }\alpha _{\ell } N^{\alpha _{\ell }-1}+{\alpha _{\ell }\atopwithdelims ()2}A_{\ell }^2N^{\alpha _{\ell }-2} \nonumber \\&\quad -{\alpha _{\ell }\atopwithdelims ()3}A_{\ell }^3N^{\alpha _{\ell }-3} +{\alpha _{\ell }\atopwithdelims ()4}A_{\ell }^4N^{\alpha _{\ell }-4}-\ldots . \end{aligned}$$

(29)

For any i odd, it holds

$$\begin{aligned} \frac{{\alpha _{\ell }\atopwithdelims ()i+1}A_{\ell }^{i+1}N^{\alpha _{\ell }-i-1}}{{\alpha _{\ell }\atopwithdelims ()i}A_{\ell }^iN^{\alpha _{\ell }-i}} = \frac{(\alpha _{\ell }-i)\cdot A_{\ell }}{(i+1)N}\le \frac{\xi \omega }{N}\le 1 \end{aligned}$$

by the assumption \(\omega \le N/\xi \). This means

$$\begin{aligned} -{\alpha _{\ell }\atopwithdelims ()i}A_{\ell }^iN^{\alpha _{\ell }-i} +{\alpha _{\ell }\atopwithdelims ()i+1}A_{\ell }^{i+1}N^{\alpha _{\ell }-i-1}\le 0, \end{aligned}$$

i.e., in Eq. (29), all the terms after \({\alpha _{\ell }\atopwithdelims ()2}A_{\ell }^2N^{\alpha _{\ell }-2}\) result in negative. By this and \({\alpha _{\ell }\atopwithdelims ()2}A_{\ell }^2 N^{\alpha _{\ell }-2}\le \alpha _{\ell }^2A_{\ell }^2N^{\alpha _{\ell }-2}\), we reach \((N-A_{\ell })^{\alpha _{\ell }}\le N^{\alpha _{\ell }} -A_{\ell } \alpha _{\ell }N^{\alpha _{\ell }-1}+A_{\ell }^2 \alpha _{\ell }^2N^{\alpha _{\ell }-2}\) as desired.

1.2 A.2 Justifying Eq (27)

First, we have

$$\begin{aligned}&\big (N^{\alpha _{\ell }}-A_{\ell }\alpha _{\ell }N^{\alpha _{\ell }-1} +A_{\ell }^2\alpha _{\ell }^2N^{\alpha _{\ell }-2}\big ) \big (N^{\beta _{\ell }} -B_{\ell }\beta _{\ell }N^{\beta _{\ell }-1}+B_{\ell }^2\beta _{\ell }^2 N^{\beta _{\ell }-2}\big ) \\&\quad =N^{\alpha _{\ell }+\beta _{\ell }} - (A_{\ell }\alpha _{\ell } +B_{\ell }\beta _{\ell })\cdot N^{\alpha _{\ell }+\beta _{\ell }-1} + (A_{\ell }^2\alpha _{\ell }^2+A_{\ell }\alpha _{\ell }B_{\ell } \beta _{\ell }+B_{\ell }^2\beta _{\ell }^2)N^{\alpha _{\ell }+\beta _{\ell }-2} \\&\qquad \underbrace{ - (A_{\ell }^2\alpha _{\ell }^2B_{\ell }\beta _{\ell } +A_{\ell }\alpha _{\ell }B_{\ell }^2\beta _{\ell }^2)N^{\alpha _{\ell }+\beta _{\ell }-3} +A_{\ell }^2\alpha _{\ell }^2B_{\ell }^2\beta _{\ell }^2N^{\alpha _{\ell } +\beta _{\ell }-4} }_{\le 0}, \end{aligned}$$

since

$$\begin{aligned} \frac{(A_{\ell }^2\alpha _{\ell }^2B_{\ell }\beta _{\ell } +A_{\ell }\alpha _{\ell }B_{\ell }^2\beta _{\ell }^2)N^{\alpha _{\ell } +\beta _{\ell }-3}}{A_{\ell }^2\alpha _{\ell }^2B_{\ell }^2\beta _{\ell }^2 N^{\alpha _{\ell }+\beta _{\ell }-4}} =\frac{N}{A_{\ell }\alpha _{\ell }} +\frac{N}{B_{\ell }\beta _{\ell }} \ge 2 \frac{N}{\xi \omega }\gg 1. \end{aligned}$$

Then, with \(M_{\ell }=A_{\ell }^2\alpha _{\ell }^2+B_{\ell }^2 \beta _{\ell }^2 +C_{\ell }^2\gamma _{\ell }^2+A_{\ell }\alpha _{\ell } B_{\ell }\beta _{\ell }+A_{\ell }\alpha _{\ell }C_{\ell }\gamma _{\ell } +B_{\ell }\beta _{\ell }C_{\ell }\gamma _{\ell }\), we have

$$\begin{aligned}&\Big ( N^{\alpha _{\ell }+\beta _{\ell }} - (A_{\ell }\alpha _{\ell } +B_{\ell }\beta _{\ell })\cdot N^{\alpha _{\ell }+\beta _{\ell }-1} +(A_{\ell }^2\alpha _{\ell }^2+A_{\ell }\alpha _{\ell }B_{\ell } \beta _{\ell }+B_{\ell }^2\beta _{\ell }^2)N^{\alpha _{\ell }+\beta _{\ell }-2} \Big )\\&\qquad \cdot \big (N^{\gamma _{\ell }}-C_{\ell }\gamma _{\ell }N^{\gamma _{\ell }-1} +C_{\ell }^2\gamma _{\ell }^2N^{\gamma _{\ell }-2}\big )\\&\quad =N^{\alpha _{\ell }+\beta _{\ell }+\gamma _{\ell }} - (A_{\ell }\alpha _{\ell }+B_{\ell }\beta _{\ell }+C_{\ell } \gamma _{\ell })\cdot N^{\alpha _{\ell }+\beta _{\ell }+\gamma _{\ell }-1} +M_{\ell }\cdot N^{\alpha _{\ell }+\beta _{\ell }+\gamma _{\ell }-2}\\&\qquad - \Big ( C_{\ell }^2\gamma _{\ell }^2(A_{\ell }\alpha _{\ell } +B_{\ell }\beta _{\ell })+C_{\ell }\gamma _{\ell }(A_{\ell }^2\alpha _{\ell }^2 +A_{\ell }\alpha _{\ell }B_{\ell }\beta _{\ell }+B_{\ell }^2\beta _{\ell }^2) \Big ) N^{\alpha _{\ell }+\beta _{\ell }+\gamma _{\ell }-3} \\&\qquad + C_{\ell }^2\gamma _{\ell }^2(A_{\ell }^2\alpha _{\ell }^2 +A_{\ell }\alpha _{\ell }B_{\ell }\beta _{\ell }+B_{\ell }^2\beta _{\ell }^2) \cdot N^{\alpha _{\ell }+\beta _{\ell }+\gamma _{\ell }-4} \end{aligned}$$

which implies Eq (27), since

$$\begin{aligned}&\frac{C_{\ell }^2\gamma _{\ell }^2(A_{\ell }\alpha _{\ell }+B_{\ell }\beta _{\ell }) +C_{\ell }\gamma _{\ell }(A_{\ell }^2\alpha _{\ell }^2+A_{\ell }\alpha _{\ell } B_{\ell }\beta _{\ell }+B_{\ell }^2\beta _{\ell }^2)\cdot N^{\alpha _{\ell }+\beta _{\ell } +\gamma _{\ell }-3}}{C_{\ell }^2\gamma _{\ell }^2(A_{\ell }^2\alpha _{\ell }^2 +A_{\ell }\alpha _{\ell }B_{\ell }\beta _{\ell }+B_{\ell }^2\beta _{\ell }^2) \cdot N^{\alpha _{\ell }+\beta _{\ell }+\gamma _{\ell }-4}} \\&\quad = \frac{(A_{\ell }\alpha _{\ell }+B_{\ell }\beta _{\ell })\cdot N}{A_{\ell }^2 \alpha _{\ell }^2+A_{\ell }\alpha _{\ell }B_{\ell }\beta _{\ell }+B_{\ell }^2\beta _{\ell }^2 } +\frac{N}{C_{\ell }\gamma _{\ell }}\\&\quad \ge \frac{N}{A_{\ell }\alpha _{\ell }+B_{\ell }\beta _{\ell }} +\frac{N}{C_{\ell } \gamma _{\ell }} \ge 2 \frac{N}{\xi \omega }\gg 1. \end{aligned}$$

B Proof of Lemma 2

Wlog, consider \(P_{\varphi (a_{i^\circ })}\) and \(P_{\varphi (a_{i^{\circ \circ }})}\). Consider the forward direction of the proposition first. By the definition of “block”, there exists a subset \(I\subseteq \{1,...,2q\}\) such that \(P_{\varphi (a_{i^\circ })}\) and \(P_{\varphi (a_{i^{\circ \circ }})}\) are the only two elements in the multiset \({\mathcal {M}}_I\) that have odd multiplicities, where

$$\begin{aligned} {\mathcal {M}}_I=\Big (\bigcup _{j\in I,j\text { odd},j=2i-1} \big \{\varphi (a_i),\varphi (b_i)\big \}\Big )\bigcup \Big (\bigcup _{j\in I,j\text { even},j=2i}\big \{\varphi (b_i), \varphi (c_i)\big \}\Big ). \end{aligned}$$

Consider such a minimal set I, i.e., \({\mathcal {M}} _{I'}\) contains more than two odd multiplicity elements for any \(I'\subset I\). This means there exist two indices \(j_1,j_\theta \) in I such that \(\varphi (a_{i^\circ })=\varphi (a_{(j_1+1)/2})\) and \(\varphi (a_{i^{\circ \circ }})=\varphi (a_{(j_\theta +1)/2})\) (as a side remark, it does not necessarily hold \(i^\circ =(j_1+1)/2\) nor \(i^{\circ \circ }=(j_\theta +1)/2\)).

We first show that the indices in I can be listed in a sequence \(j_1,j_2,...,j_\theta \) such that every pair of indices \((j_\ell ,j_{\ell +1})\) share a common unknown. Formally, let

$$\begin{aligned} Set (j):= {\left\{ \begin{array}{ll} \{\varphi (a_{\frac{j+1}{2}}),\varphi (b_{\frac{j+1}{2}})\} &{} \text { when } j \text { is odd}\\ \{\varphi (b_{\frac{j}{2}}),\varphi (c_{\frac{j}{2}})\} &{} \text { when } j \text { is even}. \end{array}\right. } \end{aligned}$$

Then \(Set (j_\ell )\cap Set (j_{\ell +1})\ne \emptyset \) for any \(\ell \in \{1,...,\theta -1\}\). To this end, consider the starting point \(j_1\) first. As per our assumption, the index \(\varphi (b_{(j_1+1)/2})\in Set (j_1)\) is of even multiplicity. Therefore, there exists \(j_2\in I\) such that \(\varphi (b_{(j_1+1)/2})\in Set (j_2)\). This pinpoints the initial index \(j_2\).

We then proceed to identify \(j_3,...\) in a similar vein. In detail, for every \(2\le \ell \le \theta -1\), consider the (already identified) index \(j_\ell \in I\). Note that \(Set (j_\ell )\cap Set (j_{\ell -1}) \ne \emptyset \) has been ensured. We consider the unknown index \(k^\circ \in Set (j_\ell )\backslash Set (j_{\ell -1})\). Since the multiplicity of \(k^\circ \) is also even, there exists \(j_{\ell +1}\in I\) such that \(k^\circ \in Set (j_{\ell +1})\). Moreover, it cannot be \(j_{\ell +1}=j_{\ell '}\) for some \(1\le \ell '\le \ell \), as otherwise the set \({}_{{\mathcal {I}}'}\) for \(I'=\{j_{\ell '},j_{\ell '+1},..., j_{\ell }\}\subset I\) has even multiplicity elements only, which contradicts our assumption of minimal set I.

By the above, we eventually obtain a sequence \(j_1,...,j_{\theta -1}\) with \(Set (j_\ell )\cap Set (j_{\ell +1})\ne \emptyset \) for \(1\le \ell \le \theta -2\). Since the index \(\varphi (b_{(j_\theta +1)/2})\in Set (j_\theta )\) is of even multiplicity, there exists \(j^*\in \{j_1,...,j_{\theta -1}\}\) such that \(\varphi (b_{(j_\theta +1)/2})\in Set (j^*)\). It necessarily be \(j^*=j_{\theta -1}\), as otherwise either \({\mathcal {M}}_I\) have more than two odd multiplicity elements, or I is not minimal. Therefore, \(Set (j_{\theta -1})\cap Set (j_{\theta })\ne \emptyset \). The above thus established the existence of such a list \(j_1,j_2,...,j_\theta \), \(\theta =|I|\).

We then construct a sequence of query indices from I to complete the argument. Initially, the sequence consists of only one query index \(i_1\):

• If \(j_1\) is odd, then \(i_1=(j_1+1)/2\);

• Else, i.e., \(j_1\) is even, then \(i_1=j_1/2\).

Then, for \(\ell \in \{1,...,\theta -1\}\), depending on the relation between \(j_\ell \) and \(j_{\ell +1}\), we distinguish two cases as follows.

Case 1: there exists a query index i that is not already in the sequence and such that \(\{j_\ell ,j_{\ell +1}\}=\{2i-1,2i\}\). Wlog assume that \(j_\ell =2i-1\) and \(j_{\ell +1}=2i\). Then we append i to the sequence if i has not been included.

Case 2: contrary to case 1. We further distinguish several subcases.

• Subcase 2.1: \(j_\ell \) is odd, while \(j_{\ell +1}\) is even. Then it has to be \(\varphi (b_{(j_\ell +1)/2})=\varphi (b_{j_{\ell +1}/2})\), i.e., \(X_{(j_\ell +1)/2}=X_{j_{\ell +1}/2}\). Note that this means \(x_{(j_\ell +1)/2}=x_{j_{\ell +1}/2}\) and further \(R_{(j_\ell +1)/2}\oplus S_{(j_\ell +1)/2}=R_{j_{\ell +1}/2}\oplus S_{j_{\ell +1}/2}\). In this case, we append \(j_{\ell +1}/2\) to the sequence.

• Subcase 2.2: \(j_\ell \) is even, while \(j_{\ell +1}\) is odd. Then it has to be \(\varphi (b_{j_\ell /2})=\varphi (b_{(j_{\ell +1}+1)/2})\). This means \(R_{j_\ell /2}\oplus S_{j_\ell /2}=R_{(j_{\ell +1}+1)/2}\oplus S_{(j_{\ell +1}+1)/2}\) which resembles subcase 2.1, whereas we append \((j_{\ell +1}+1)/2\) to the sequence.

• Subcase 2.3: both \(j_\ell \) and \(j_{\ell +1}\) are odd. Then it has to be \(\varphi (a_{(j_\ell +1)/2})=\varphi (a_{(j_{\ell +1}+1)/2})\) or \(\varphi (b_{(j_\ell +1)/2})=\varphi (b_{(j_{\ell +1}+1)/2})\). These imply \(R_{(j_\ell +1)/2}=R_{(j_{\ell +1}+1)/2}\) or \(R_{(j_\ell +1)/2}\oplus S_{(j_\ell +1)/2}=R_{(j_{\ell +1}+1)/2}\oplus S_{(j_{\ell +1}+1)/2}\) respectively. In either case, we append \((j_{\ell +1}+1)/2\) to the sequence.

• Subcase 2.4: both \(j_\ell \) and \(j_{\ell +1}\) are even. Then it has to be \(\varphi (b_{j_\ell /2})=\varphi (b_{j_{\ell +1}/2})\) or \(\varphi (c_{j_\ell /2})=\varphi (c_{j_{\ell +1}/2})\). The former implies \(R_{j_\ell /2}\oplus S_{j_\ell /2}=R_{j_{\ell +1}/2}\oplus S_{j_{\ell +1}/2}\), while the latter implies \(S_{j_\ell /2}=S_{j_{\ell +1}/2}\). In either case, we append \(j_{\ell +1}/2\) to the sequence.

In all, using the above rules, a sequence of indices \(i_1,...,i_k\) meeting the conditions can be built. These establish the forward direction of the proposition.

The backward direction is obvious. Briefly, consider such k query indices \(i_1,\ldots ,i_k\in \{1,\ldots ,q\}\), and consider the relation between the \(i_{\ell }\)-th and \(i_{\ell +1}\)-th queries:

• If \(R_{i_{\ell }}=R_{i_{\ell +1}}\), then \(r_{i_{\ell }}=r_{i_{\ell +1}}\), and \(P_{\varphi (a_{i_{\ell }})}=r_{i_{\ell }},P_{\varphi (b_{i_{\ell }})} =X_{i_{\ell }},P_{\varphi (c_{i_{\ell }})}=s_{i_{\ell }}\) and \(P_{\varphi (a_{i_{\ell +1}})}=r_{i_{\ell +1}},P_{\varphi (b_{i_{\ell +1}})} =X_{i_{\ell +1}},P_{\varphi (c_{i_{\ell +1}})}=s_{i_{\ell +1}}\) are all in the same block.

• If \(S_{i_{\ell }}=S_{i_{\ell +1}}\), then \(s_{i_{\ell }}=s_{i_{\ell +1}}\), which means \(r_{i_{\ell }},X_{i_{\ell }},s_{i_{\ell }}\) and \(r_{i_{\ell +1}},X_{i_{\ell +1}},s_{i_{\ell +1}}\) are all in the same block.

• If \(R_{i_{\ell }}\oplus S_{i_{\ell }}=R_{i_{\ell +1}}\oplus S_{i_{\ell +1}}\), then \(X_{i_{\ell }}=X_{i_{\ell +1}}\), which also means \(r_{i_{\ell }},X_{i_{\ell }},s_{i_{\ell }}\) and \(r_{i_{\ell +1}},X_{i_{\ell +1}},s_{i_{\ell +1}}\) are all in the same block.

By the above, the 3k (not necessarily distinct) unknowns \(\{r_{i_{\ell }},X_{i_{\ell }},s_{i_{\ell }}\}_{1\le \ell \le k}\) are all in the same block. These complete the proof.

C Proof of Lemma 3

The backward direction is also obvious, and we focus on the forward direction. By definition, there exists a set \(I\subseteq \{1,...,2q\}\) such the multiset \({\mathcal {M}} _I\) has even multiplicity elements only. Consider such a minimal set I, i.e., \({\mathcal {M}} _{I'}\) contains odd multiplicity elements for any \(I'\subset I\). We show that the indices in I can be listed as \(j_1,j_2,...,j_\theta \), \(\theta =|I|\), such that

• \(Set (j_\ell )\cap Set (j_{\ell +1})\ne \emptyset \) for \(1\le \ell \le \theta -1\), and

• \(Set (j_\theta )\cap Set (j_1)\ne \emptyset \).

To this end, let \(j_1\) be an arbitrary element in I, and let \(\{k_1,k_2\}:=Set (j_1)\). Since \(k_1\) is of even multiplicity, there exists \(j_2\in I\) such that \(k_1\in Set (j_2)\). This pinpoints the two initial indices \(j_1\) and \(j_2\). Then, in the same vein as the proof of Lemma 2, a sequence of indices \(j_1,j_2,...,j_\theta \) with \(Set (j_\ell )\cap Set (j_{\ell +1}) \ne \emptyset \) for \(1\le \ell \le \theta -1\) could be identified. Moreover, it cannot be \(j_{\ell +1}=j_{\ell '}\) for any \(1\le \ell '\le \ell \le \theta \), as otherwise the set \({}_{{\mathcal {I}}'}\) for \(I'=\{j_{\ell '},j_{\ell '+1},...,j_{\ell }\}\subset I\) has even multiplicity elements only, which contradicts our assumption of minimal set I.

Now, recall that \(\{k_1,k_2\}=Set (j_1)\). As \(k_2\) is also of even multiplicity, there exists \(j^\circ \in \{j_2,...,j_\theta \}\) such that \(k_2\in Set (j^\circ )\). It cannot be \(j^\circ =j_{\ell '}\) for some \(1\le \ell '\le \theta -1\), as otherwise the set \({}_{{\mathcal {I}}'}\) for \(I'=\{j_1,j_2,...,j_{\ell '}\}\subset I\) has even multiplicity elements only, which contradicts our assumption of minimal set I. Therefore, \(j^\circ =j_{\theta }\), meaning that \(Set (j_\theta )\cap Set (j_1)\ne \emptyset \). The above thus established the existence of such a list \(j_1,j_2,...,j_\theta \), \(\theta =|I|\).

Then, in the same vein as the proof of Lemma 2, a sequence of query indices \(i_1,...,i_k\) can be built from \(j_1,j_2,...,j_\theta \), such that \(R_{i_{\ell }}=R_{i_{\ell +1}}\), or \(S_{i_{\ell }}=S_{i_{\ell +1}}\), or \(R_{i_{\ell }}\oplus S_{i_{\ell }}=R_{i_{\ell +1}}\oplus S_{i_{\ell +1}}\) for all \(\forall \ell \in \{1,\ldots ,k-1\}\). Concretely, for \(\ell \in \{1,...,\theta \}\), if \(j_\ell \) is odd, then let \(i_\ell ':=(j_\ell +1)/2\); else, let \(i_\ell ':=j_\ell /2\). This yields a sequence \(i_1',i_2',...,i_{\theta }'\). Eliminating redundant indices from \(i_1',i_2',...,i_{\theta }'\), we obtain the desired \(i_1,...,i_{k-1}\). It is easy to see that, for the sequence \(i_1,...,i_{k-1},i_k=i_1\), it holds \(R_{i_{\ell }}=R_{i_{\ell +1}}\), or \(S_{i_{\ell }}=S_{i_{\ell +1}}\), or \(R_{i_{\ell }}\oplus S_{i_{\ell }}=R_{i_{\ell +1}}\oplus S_{i_{\ell +1}}\) \(\forall \ell \in \{1,\ldots ,k-1\}\): the argument is similar to the proof of Lemma 2.

Finally, it must be \(k\ge 3\). For this, assume otherwise. Then it can only be \(k=2\), and the sequence consists of only one query index \(i_1\). Then the original set \(I=\{2i_1-1,2i_1\}\), and \({\mathcal {M}} _I=\{\varphi (a_{i_1}),\varphi (b_{i_1}),\varphi (c_{i_1})\}\), in which \(\varphi (a_{i_1})\) and \(\varphi (c_{i_1})\) can only be of odd multiplicities, a contradiction. These establish the forward direction of the proposition.

D Proof of Lemma 4

We consider the case \(j,j'\in {\mathcal {I}}_1\) first. Such two unknowns \(P_{j}\) and \(P_{j'}\) correspond to two r variables. Since they are in the same block, by Lemma 2, there exists a sequence of k indices \(i_1,\ldots ,i_k\in \{1,\ldots ,q\}\) such that

• \(\varphi ^{\tau }(a_{i_1})=j\), \(\varphi ^{\tau }(a_{i_k})=j'\), and

• \(\forall \ell \in \{1,\ldots ,k-1\}\), it holds \(R_{i_{\ell }}=R_{i_{\ell +1}}\), or \(S_{i_{\ell }}=S_{i_{\ell +1}}\), or \(R_{i_{\ell }}\oplus S_{i_{\ell }}=R_{i_{\ell +1}}\oplus S_{i_{\ell +1}}\).

We could focus on the case \(R_{i_1}\ne R_{i_2}\) and \(R_{i_{k-1}}\ne R_{i_k}\): otherwise we have \(\varphi ^{\tau }(a_{i_2})=j\) and \(\varphi ^{\tau }(a_{i_{k-1}})=j'\), and we could drop the two “redundant” indices \(i_1\) and \(i_k\) and focus on the reduced sequence (and we could further drop such “redundant” indices if \(R_{i_2}=R_{i_3},\ldots \) and \(R_{i_{k-2}}=R_{i_{k-1}},\ldots \)).

Recall that our goal is to prove that there exists two sets of indices \({\mathcal {R}}_1,{\mathcal {R}}_2\subseteq \{i_1,\ldots ,i_k\}\) such that

$$\begin{aligned} r_{i_1}\oplus r_{i_k}=\Big (\bigoplus _{\ell \in {\mathcal {R}}_1}L_{\ell }\Big ) \oplus \Big (\bigoplus _{\ell \in {\mathcal {R}}_2}T_{\ell }\Big ), \end{aligned}$$

(30)

and \(i_1,i_k\in {\mathcal {R}}_1\). For this, we list the relations enforced on the r variables as follows:

1. (i)

   Collision between \(i_1\) and \(i_2\) would imply:

   • When \(R_{i_1}\oplus S_{i_1}=R_{i_2}\oplus S_{i_2}\): \(\underline{r_{i_1}\oplus r_{i_2}=L_{i_1}\oplus L_{i_2}}\);

   • When \(S_{i_1}=S_{i_2}\): \(\underline{r_{i_1}\oplus r_{i_2}=L_{i_1}\oplus T_{i_1}\oplus L_{i_2}\oplus T_{i_2}}\). (\(s_{i_1}=s_{i_2}\Rightarrow X_{i_1}\oplus X_{i_2}=T_{i_1}\oplus T_{i_2}\), and further \(r_{i_1}\oplus X_{i_1}\oplus r_{i_2}\oplus X_{i_2}=L_{i_1}\oplus L_{i_2}\))

2. (ii)

   Collision between \(i_2\) and \(i_3\) would imply:

   • When \(R_{i_2}=R_{i_3}\): \(\underline{r_{i_2}\oplus r_{i_3}=0}\);

   • When \(R_{i_2}\oplus S_{i_3}=R_{i_2}\oplus S_{i_3}\): \(\underline{r_{i_2}\oplus r_{i_3}=L_{i_2}\oplus L_{i_3}}\);

   • When \(S_{i_2}=S_{i_3}\): \(\underline{r_{i_2}\oplus r_{i_3}=L_{i_2}\oplus T_{i_2}\oplus L_{i_3}\oplus T_{i_3}}\).

3. (iii)

   \(\ldots \)

4. (iv)

   Collision between \(i_{k-1}\) and \(i_k\) would imply:

   • When \(R_{i_{k-1}}\oplus S_{i_{k-1}}=R_{i_k}\oplus S_{i_k}\): \(\underline{r_{i_{k-1}}\oplus r_{i_k}=L_{i_{k-1}}\oplus L_{i_k}}\);

   • When \(S_{i_{k-1}}=S_{i_k}\): \(\underline{r_{i_{k-1}}\oplus r_{i_k}=L_{i_{k-1}}\oplus T_{i_{k-1}}\oplus L_{i_k}\oplus T_{i_k}}\).

Summing over the \(k-1\) implied equations \(r_{i_{\ell }}\oplus r_{i_{\ell +1}}=\lambda _{\ell }^*\), \(\ell =1,\ldots ,k-1\), shows the existence of the sets \({\mathcal {R}}_1\) and \({\mathcal {R}}_2\) that cinch Eq. (30). Moreover, it can be seen that among the \(k-1\) right hand side terms \(\lambda _{\ell }^*\),

• the term \(L_{i_1}\) appears and only appears in \(\lambda _1^*\), and

• the term \(L_{i_k}\) appears and only appears in \(\lambda _{k-1}^*\).

Therefore, \(L_{i_1}\) and \(L_{i_k}\) cannot be canceled, and necessarily appear in the term \(\bigoplus _{\ell \in {\mathcal {R}}_1}L_{\ell }\). This shows \(i_1,i_k\in {\mathcal {R}}_1\).

The proof for the case \(j,j'\in {\mathcal {I}}_3\) is simply similar by symmetry. For \(j,j'\in {\mathcal {I}}_2\) it’s a bit complicated, and we list the core observations to facilitate verifying. Concretely, for the sequence \(i_1,\ldots ,i_k\) with \(\varphi ^{\tau }(b_{i_1})=j\) and \(\varphi ^{\tau }(b_{i_k})=j'\), we have:

1. (i)

   Collision between \(i_1\) and \(i_2\) would imply:

   • When \(R_{i_1}=R_{i_2}\): \(\underline{X_{i_1}\oplus X_{i_2}=L_{i_1}\oplus L_{i_2}}\);

   • When \(S_{i_1}=S_{i_2}\): \(\underline{X_{i_1}\oplus X_{i_2}=T_{i_1}\oplus T_{i_2}}\).

2. (ii)

   Collision between \(i_2\) and \(i_3\) would imply:

   • When \(R_{i_2}=R_{i_3}\): \(\underline{X_{i_2}\oplus X_{i_3}=L_{i_2}\oplus L_{i_3}}\);

   • When \(R_{i_2}\oplus S_{i_3}=R_{i_2}\oplus S_{i_3}\): \(\underline{X_{i_2}\oplus X_{i_3}=0}\);

   • When \(S_{i_2}=S_{i_3}\): \(\underline{X_{i_2}\oplus X_{i_3}=T_{i_2}\oplus T_{i_3}}\).

3. (iii)

   \(\ldots \)

4. (iv)

   Collision between \(i_{k-1}\) and \(i_k\) would imply:

   • When \(R_{i_{k-1}}=R_{i_k}\): \(\underline{X_{i_{k-1}}\oplus X_{i_k}=L_{i_{k-1}}\oplus L_{i_k}}\);

   • When \(S_{i_{k-1}}=S_{i_k}\): \(\underline{X_{i_{k-1}}\oplus X_{i_k}=T_{i_{k-1}}\oplus T_{i_k}}\).

Summing over the \(k-1\) implied equations \(X_{i_{\ell }}\oplus X_{i_{\ell +1}}=\lambda _{\ell }^{**}\), \(\ell =1,\ldots ,k-1\), shows the existence of the sets \({\mathcal {R}}_1\) and \({\mathcal {R}}_2\) that cinch \(X_{i_1}\oplus X_{i_k}=\big (\bigoplus _{\ell \in {\mathcal {R}}_1}L_{\ell }\big ) \oplus \big (\bigoplus _{\ell \in {\mathcal {R}}_2}T_{\ell }\big )\). And among the \(k-1\) terms \(\lambda _{\ell }^*\),

• A term \(\textsf {val}_{i_1}\) appears and only appears in \(\lambda _1^{**}\): \(\textsf {val}_{i_1}=L_{i_1}\) when \(R_{i_1}=R_{i_2}\), and \(\textsf {val}_{i_1}=T_{i_1}\) when \(S_{i_1}=S_{i_2}\);

• Another term \(\textsf {val}_{i_k}\) appears and only appears in \(\lambda _{\ell -1}^{**}\): \(\textsf {val}_{i_k}=L_{i_k}\) when \(R_{i_{k-1}}=R_{i_k}\), and \(\textsf {val}_{i_k}=T_{i_k}\) when \(S_{i_{k-1}}=S_{i_k}\).

Thus it necessarily holds \(i_1\in {\mathcal {R}}_1\vee i_1\in {\mathcal {R}}_2\) and \(i_k\in {\mathcal {R}}_1\vee i_k\in {\mathcal {R}}_2\).