Security of Authenticated Encryption Modes
Bart Mennink, Radboud University (The Netherlands)
COST Training School on Symmetric Cryptography and Blockchain, February 22, 2018
1 / 57
Authenticated Encryption
Diagram: two parties exchange data over a channel that an outsider can read and modify.
Encryption: no outsider can learn anything about the data.
Authentication: no outsider can manipulate the data.
2 / 57
CAESAR Competition
Competition for Authenticated Encryption: Security, Applicability, and Robustness
Mar 15, 2014: 57 first-round candidates
Jul 7, 2015: 29.5 second-round candidates
Aug 15, 2016: 16 third-round candidates
??: announcement of finalists
??: announcement of final portfolio
4 / 57
Authenticated Encryption
AE_k: (N, A, M) ↦ (C, T), with nonce N, associated data A, message M, ciphertext C and tag T.
Nonce randomizes the scheme.
5 / 57
Authenticated Decryption
AD_k: (N, A, C, T) ↦ M if the tag verifies, ⊥ otherwise.
Correctness: decrypting an honestly produced (C, T) under the same (N, A) returns M.
6 / 57
Authenticated Encryption Security
Distinguisher D has query access to one of two oracle pairs: the real scheme (AE_k, AD_k), or the ideal pair ($, ⊥), where $ is a random cipher and ⊥ is the function that rejects everything.
→ unique nonce for each encryption query
D tries to determine which oracle it communicates with:
Adv^ae_AE(D) = | Pr[ D^{AE_k, AD_k} = 1 ] − Pr[ D^{$, ⊥} = 1 ] |
7 / 57
100% Security is Impractical
8 / 57
Outline
Link With Tweakable Blockciphers
Tweakable Blockciphers Based on Masking
Nonce-Reuse
Conclusion
9 / 57
Bellare and Namprempre (2000): 3 basic approaches to combine an encryption scheme Enc_k and a MAC_l
E&M (Encrypt-and-MAC): c = Enc_k(m), t = MAC_l(m). Used in SSH.
MtE (MAC-then-Encrypt): t = MAC_l(m), c = Enc_k(m ‖ t). Used in TLS. Mildly insecure: padding oracle attack.
EtM (Encrypt-then-MAC): c = Enc_k(m), t = MAC_l(c). Used in IPSec. Most secure variant: ciphertext integrity.
11 / 57
GCM
Diagram: counter blocks N_1, N_2, N_3, …, N_{m+1} derived from the nonce go through E_K; the outputs for N_2, …, N_{m+1} form the keystream that turns M_1, …, M_m into C_1, …, C_m (ENC); the associated data A and the ciphertext blocks are hashed with GHASH_L and the result is masked with E_K(N_1) to give the tag T (MAC).
Parallelizable
Evaluates only E (no E^{-1})
Provably secure (if E is a PRP)
Very efficient in HW
Reasonably efficient in SW
What happens if the nonce is re-used?
12 / 57
GCM-SIV (IETF RFC)
Diagram: KeyGen_{E_k} derives the pair (K, L) from the nonce N (KEY); the tag T is computed from A and M_1, …, M_m with GHASH_L and E_K (MAC); the message is then encrypted in counter mode with the counters T+0, T+1, …, T+(m−1) through E_K (ENC).
Inherits GCM features
Secure against nonce-reuse
Proof: Iwata and Seurin (2017)
13 / 57
Tweakable Blockciphers
Ẽ: (k, t, m) ↦ c, with key k, tweak t and message block m.
Tweak: flexibility to the cipher
Each tweak gives a different permutation
15 / 57
Tweakable Blockcipher Security
Distinguisher D has query access either to the tweakable blockcipher (Ẽ_k, Ẽ_k^{-1}) or to a random tweakable permutation (π̃, π̃^{-1}) and tries to determine which oracle it communicates with.
Ẽ_k should look like a random permutation for every t → pseudo-independent permutations
Adv^stprp_Ẽ(D) = | Pr[ D^{Ẽ_k, Ẽ_k^{-1}} = 1 ] − Pr[ D^{π̃, π̃^{-1}} = 1 ] |
16 / 57
Tweakable Blockcipher Designs in CAESAR
Dedicated (tweak t enters the cipher Ẽ directly): KIASU, Joltik, SCREAM, Deoxys
Blockcipher-based (built on E): CBA, COBRA, iFeed, Marble, OMD, POET, SHELL, AEZ, COPA/ELmD, OCB, OTR
Permutation-based (built on P): Prøst, Minalpher
Legend on the slide: first round, second round, third round
17 / 57
Example Use in OCBx (1/2)
Diagram: associated-data blocks A_1, …, A_a, message blocks M_1, …, M_d and the checksum ⊕M_i each go through the tweakable blockcipher Ẽ_k under their own tweak (N, t_{A_1}), …, (N, t_{A_a}), (N, t_{M_1}), …, (N, t_{M_d}), (N, t_{M⊕}), producing C_1, …, C_d and the tag T.
Internally based on a tweakable blockcipher
Tweak is unique for every evaluation: different blocks are always transformed under different tweaks
Triangle inequality: Adv^ae_{AE[Ẽ_k]}(σ) ≤ Adv^ae_{AE[π̃]}(σ) + Adv^stprp_Ẽ(σ)
18 / 57
Example Use in OCBx (2/2)
Same diagram, with Ẽ_k replaced by the random tweakable permutation π̃ (tweaks (N, t_{A_1}), …, (N, t_{M_d})).
Nonce uniqueness ⇒ tweak uniqueness
Encryption calls behave like random functions: AE[π̃] = $
Authentication behaves like a random function
Tag forged with probability at most 1/(2^n − 1)
Adv^ae_{AE[π̃]}(σ) ≤ 1/(2^n − 1)
19 / 57
Dedicated Tweakable Blockciphers
20 / 57
TWEAKEY Framework
Diagram: the tweakey (k, t) is processed by the schedule functions h, the subtweakeys are extracted by g and injected between the round functions f, which take m to c.
Security measured through cryptanalysis
Our focus: modular design
21 / 57
Intuition: Design
How to mingle the tweak t into the evaluation of E_k on m?
← blend it with the key
← blend it with the state
23 / 57
Intuition: Design
Blending the tweak with the key (diagram: t enters together with k):
For ⊕-mixing (the tweak XORed into the key) the key can be recovered by a generic attack
Scheme is insecure if E is Even-Mansour
TWEAKEY blending [JNP14] is more advanced
24 / 57
Intuition: Design
Blending the tweak with the state, as a mask XORed onto the input of E_k:
With the mask t itself, Ẽ_k(t, m) = Ẽ_k(t ⊕ C, m ⊕ C) for any C, so the scheme is trivially distinguishable. Some secrecy is required: use the mask h ⊗ t with a secret h.
Still does not work if the adversary has access to Ẽ_k^{-1}:
Ẽ_k^{-1}(t, c) ⊕ Ẽ_k^{-1}(t ⊕ C, c) = h ⊗ C, which reveals h.
Two-sided masking necessary: h ⊗ t on both the input and the output of E_k.
25 / 57
Intuition: Design
Variation in masking? Depends on the functions: the same mask f(t) on both sides, or f_1(t) on the input and f_2(t) on the output.
Releasing secrecy in E_k? Usually no problem: the keyed blockcipher E_k can be replaced by a public permutation P, with the masks f_1(t), f_2(t) carrying the key material.
26 / 57
Intuition: Analysis
Construction under study: c = E_k(m ⊕ f_1(t)) ⊕ f_2(t), or the same with a public permutation P in place of E_k.
Ẽ_k should "look like" a random permutation for every t.
Step 1: How many evaluations does an attacker need at most? Boils down to finding generic attacks.
Step 2: How many evaluations does an attacker need at least? Boils down to provable security.
27 / 57
Intuition: Analysis
For any two queries (t, m), (t′, m′):
m ⊕ f_1(t) = m′ ⊕ f_1(t′) ⟹ c ⊕ f_2(t) = c′ ⊕ f_2(t′)
Unlikely to happen for a random family of permutations
The implication still holds with a difference XORed to m, which lets the adversary confirm a collision on the inputs of E_k/P
Scheme can be broken in ≈ 2^{n/2} evaluations
28 / 57
Intuition: Analysis
Typical approach:
Consider any transcript an adversary may see
Most transcripts should be equally likely in both worlds
Odd ones should happen with very small probability
All constructions in this presentation: secure up to ≈ 2^{n/2} evaluations
29 / 57
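The generic attack of slide 28, carried out as an added example (this code is not part of the slides or of any of the cited constructions). It uses a toy block size of n = 20 bits so that the 2^{n/2} scale is visible in a few thousand queries. The masks f_1, f_2 are derived from a key the distinguisher never sees; the public primitive P is a truncated SHA-256 stand-in, which is enough because the attack only makes forward queries. The ideal world is a lazily sampled random tweakable permutation. Two tweaks t, t′ with f_1(t) = f_1(t′) give the same value of c ⊕ c_Δ for every difference Δ XORed to m (f_2 cancels); checking two differences rules out chance equalities in the ideal world.

```python
"""Generic birthday distinguisher on a masked construction  Ẽ(t, m) = P(m ⊕ f1(t)) ⊕ f2(t)."""
import hashlib
import random

N = 20                          # toy block size in bits; 2^(N/2) = 1024 tweaks is the birthday scale
MASK = (1 << N) - 1


def P(x: int) -> int:
    """Stand-in public primitive (SHA-256 truncated to N bits); only forward queries are needed."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest()[:4], "big") & MASK


class MaskedTBC:
    """Real world: secret tweak-dependent masks f1, f2 derived from a key the distinguisher never sees."""
    def __init__(self, key: bytes):
        self.key = key

    def _f(self, i: int, t: int) -> int:
        return int.from_bytes(hashlib.sha256(self.key + bytes([i]) + t.to_bytes(4, "big")).digest()[:4], "big") & MASK

    def __call__(self, t: int, m: int) -> int:
        return P(m ^ self._f(1, t)) ^ self._f(2, t)


class IdealTBC:
    """Ideal world: an independent random permutation for every tweak, sampled lazily."""
    def __init__(self, seed: int):
        self.rng, self.table = random.Random(seed), {}

    def __call__(self, t: int, m: int) -> int:
        perm = self.table.setdefault(t, {})
        if m not in perm:
            used = set(perm.values())
            c = self.rng.randrange(1 << N)
            while c in used:
                c = self.rng.randrange(1 << N)
            perm[m] = c
        return perm[m]


def queries_to_break(oracle, max_tweaks: int, d1: int = 0x1, d2: int = 0x2):
    """Query (t, 0), (t, d1), (t, d2) for fresh tweaks t. If f1(t) = f1(t') for two tweaks, the values
    c ⊕ c_d1 and c ⊕ c_d2 coincide for t and t' (the output mask f2 cancels); the second difference d2
    confirms that this is not a chance equality. Returns the number of tweaks used, or None."""
    seen = {}
    for t in range(max_tweaks):
        c0 = oracle(t, 0)
        fingerprint = (c0 ^ oracle(t, d1), c0 ^ oracle(t, d2))
        if fingerprint in seen:
            return t + 1
        seen[fingerprint] = t
    return None


def demo():
    """Run the distinguisher with the same budget against both worlds (constructed key and seed)."""
    real, ideal = MaskedTBC(b"constructed secret key"), IdealTBC(seed=1)
    budget = 8 << (N // 2)      # 8 · 2^(N/2) tweaks: an internal collision in the real world is all but certain
    return queries_to_break(real, budget), queries_to_break(ideal, budget)
```

With the real oracle the collision appears after a number of tweaks on the order of 2^{n/2}; with the ideal oracle the budget is exhausted without a match. The same three-queries-per-tweak pattern works against any mask family f_1, f_2, which is why the bound is inherent to single-call masked constructions and not a weakness of one particular mask schedule.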
Tweakable Blockciphers Based on Masking
Blockcipher-based: c = E_k(m ⊕ Δ) ⊕ Δ with a tweak-based mask Δ; block size typically 128 bits.
Permutation-based: c = P(m ⊕ Δ) ⊕ Δ with a tweak-based mask Δ; block size much larger: 256-1600 bits.
31 / 57
Original Constructions (Liskov, Rivest and Wagner)
Ẽ_k(t, m) = E_k(t ⊕ E_k(m)): two blockcipher calls with the tweak XORed in between.
Ẽ_k(t, m) = E_k(m ⊕ h(t)) ⊕ h(t): one blockcipher call with the mask h(t), from a keyed hash h, on both sides.
32 / 57
Powering-Up Masking (XEX)
Blockcipher-based: c = E_k(m ⊕ Δ) ⊕ Δ with Δ = 2^α 3^β 7^γ · E_k(N)
Used in OCB2 and 14 CAESAR candidates
Permutation-based variants in Minalpher and Prøst (generalized by Cogliati et al. [CLS15]): c = P(m ⊕ Δ) ⊕ Δ with Δ = 2^α 3^β 7^γ · (kN ⊕ P(kN)), kN the key-and-nonce block
33 / 57
Powering-Up Masking in OCB2
L = E_k(N)
Diagram: associated-data blocks A_1, A_2, …, A_a go through E_k under the masks 2·3²L, 2²3²L, …, 2^a 3²L; message blocks M_1, M_2, …, M_d under 2L, 2²L, …, 2^d L (the same mask on input and output), giving C_1, C_2, …, C_d; the checksum ⊕M_i under 2^d 3L, giving the tag T.
Update of mask: shift and conditional XOR
Variable-time computation
Expensive on certain platforms
34 / 57
Intermezzo: Why Start at 2·E_k(N)?
(The OCB2 diagram again, with L = E_k(N): the first message mask is 2L, not L.)
35 / 57
Intermezzo: Why Start at 2·E_k(N)?
Consider the XEX call with the mask E_k(N) itself: c = E_k(m ⊕ E_k(N)) ⊕ E_k(N).
Distinguisher can make inverse queries.
Putting c = 0 gives Ẽ_k^{-1}(N, 0) = E_k^{-1}(E_k(N)) ⊕ E_k(N) = N ⊕ E_k(N).
Distinguisher knows N, so learns the "subkey" E_k(N).
36 / 57
Masking in OCB3 [KR11]
c = E_k(m ⊕ Δ) ⊕ Δ, where the mask update costs a single XOR, using a logarithmic number of field doublings of L (precomputed).
More efficient than powering-up [KR11].
37 / 57
Masked Even-Mansour (MEM)
c = P(m ⊕ Δ) ⊕ Δ with Δ = φ_2^γ ∘ φ_1^β ∘ φ_0^α ∘ P(N‖k)
Combines the advantages of powering-up masking and of word-based LFSRs
Simpler, constant-time (by default), more efficient
39 / 57
MEM: Design Considerations
Sample LFSRs (state size b bits, as n words of w bits):
b     w   n   φ
128   8   16  (x1, …, x15, (x0 ≪ 1) ⊕ (x9 ≫ 1) ⊕ (x10 ≪ 1))
128   32  4   (x1, …, x3, (x0 ≪ 5) ⊕ x1 ⊕ (x1 ≪ 13))
128   64  2   (x1, (x0 ≪ 11) ⊕ x1 ⊕ (x1 ≪ 13))
256   64  4   (x1, …, x3, (x0 ≪ 3) ⊕ (x3 ≫ 5))
512   32  16  (x1, …, x15, (x0 ≪ 5) ⊕ (x3 ≫ 7))
512   64  8   (x1, …, x7, (x0 ≪ 29) ⊕ (x1 ≪ 9))
1024  64  16  (x1, …, x15, (x0 ≪ 53) ⊕ (x5 ≪ 13))
1600  32  50  (x1, …, x49, (x0 ≪ 3) ⊕ (x23 ≫ 3))
Work exceptionally well for ARX primitives
40 / 57
MEM: Uniqueness of Masking
Required: φ_2^γ ∘ φ_1^β ∘ φ_0^α ≠ φ_2^{γ′} ∘ φ_1^{β′} ∘ φ_0^{α′} for any (α, β, γ) ≠ (α′, β′, γ′)
State sizes: 64, 128, 256, 512, 1024 bits
solved by Rogaway [Rog04]
results implicitly used, e.g., by Prøst (2014)
solved by Granger et al. [GJMN16]
41 / 57
Application to AE: OPP
L = P(N‖k), φ_1 = φ ⊕ id, φ_2 = φ² ⊕ φ ⊕ id
Diagram: associated-data blocks A_0, A_1, …, A_{a−1} go through P under the masks φ^0(L), φ^1(L), …, φ^{a−1}(L) (same mask on input and output); message blocks M_0, M_1, …, M_{d−1} under φ_2 ∘ φ^0(L), φ_2 ∘ φ^1(L), …, φ_2 ∘ φ^{d−1}(L), giving C_1, C_2, …, C_d; the checksum ⊕M_i under φ_2 ∘ φ_1² ∘ φ^{d−1}(L), giving the tag T.
42 / 57
Application to AE: MRO
L = P(N‖k), φ_1 = φ ⊕ id, φ_2 = φ² ⊕ φ ⊕ id
Diagram: associated-data blocks A_0, …, A_{a−1} go through P under φ^0(L), …, φ^{a−1}(L); message blocks M_0, …, M_{d−1} under φ_1 ∘ φ^0(L), …, φ_1 ∘ φ^{d−1}(L); the length block |A|‖|M| under φ_1²(L); the outputs are combined into the tag T. The ciphertext blocks C_1, …, C_d are then obtained from the tag-derived inputs T_0, …, T_{d−1}: C_{i+1} = P(T_i ⊕ φ_2(L)) ⊕ φ_2(L) ⊕ M_i.
43 / 57
XPX
c = P(m ⊕ t_11·k ⊕ t_12·P(k)) ⊕ t_21·k ⊕ t_22·P(k), with tweak t = (t_11, t_12, t_21, t_22) taken from a tweak set T
Security of XPX strongly depends on the choice of T:
1 "Weak" T → insecure
2 "Normal" T → single-key secure
3 "Strong" T → related-key secure
45 / 57
XPX: Weak Tweaks
(0, 0, 0, 0) ∈ T ⟹ XPX_k((0, 0, 0, 0), m) = P(m): the key plays no role
(1, 0, 1, 1) ∈ T ⟹ XPX_k((1, 0, 1, 1), 0) = P(k) ⊕ k ⊕ P(k) = k: the key itself is output
(1, 0, 0, 2) ∈ T ⟹ XPX_k((1, 0, 0, 2), 0) = P(k) ⊕ 2·P(k) = 3·P(k): a known multiple of P(k), from which P(k) and, with the public P^{-1}, the key follow
…
"Valid" tweak sets: technical definition to eliminate such weak cases
T invalid ⟹ XPX insecure
T valid ⟹ XPX single- or related-key secure
46 / 57
XPX Covers Even-Mansour
For T = {(1, 0, 1, 0)} both masks equal k, so XPX_k is the Even-Mansour cipher P(m ⊕ k) ⊕ k, a normal (untweaked) blockcipher.
Single-key STPRP secure (surprise?)
47 / 57
XPX Covers XEX With Even-Mansour
XEX on top of Even-Mansour, with L = E_k(0) = k ⊕ P(k) and Δ = 2^α 3^β 7^γ · L, masks the input of P with Δ ⊕ k = (2^α 3^β 7^γ ⊕ 1)·k ⊕ 2^α 3^β 7^γ·P(k), and the output likewise. That is XPX for
T = { (2^α 3^β 7^γ ⊕ 1, 2^α 3^β 7^γ, 2^α 3^β 7^γ ⊕ 1, 2^α 3^β 7^γ) }
Related-key STPRP secure (under conditions on the tweak set)
48 / 57
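The identities on slides 33 to 36 (powering-up masks, the subkey leak when the mask is E_k(N) itself) and slides 45 to 48 (XPX, its weak tweaks, Even-Mansour and XEX-over-Even-Mansour as special cases) checked in code, as an added example that is not part of the slides or of any cited scheme. The public permutation P is a stand-in (a 4-round Feistel network with SHA-256 round functions, chosen only because it is invertible), not the Prøst or Minalpher permutation; the field is GF(2^128) with the OCB polynomial x^128 + x^7 + x^2 + x + 1, and small constants such as 2, 3, 7 and the tweak entries t_ij are read as field elements.

```python
"""Masked tweakable blockciphers on a toy 128-bit permutation: powering-up (XEX) masks,
the 'why start at 2·E_k(N)' subkey leak, and XPX with the weak tweaks from the slides."""
import hashlib

M64, M128 = (1 << 64) - 1, (1 << 128) - 1


def _round(i: int, x: int) -> int:
    return int.from_bytes(hashlib.sha256(b"toy-P round %d " % i + x.to_bytes(8, "big")).digest()[:8], "big")


def P(x: int) -> int:
    """Public 128-bit permutation stand-in: 4-round Feistel network with SHA-256 round functions."""
    l, r = x >> 64, x & M64
    for i in range(4):
        l, r = r, l ^ _round(i, r)
    return (l << 64) | r


def P_inv(y: int) -> int:
    l, r = y >> 64, y & M64
    for i in reversed(range(4)):
        l, r = r ^ _round(i, l), l
    return (l << 64) | r


def double(x: int) -> int:
    """Multiply by 2 in GF(2^128) mod x^128 + x^7 + x^2 + x + 1: shift and conditional XOR.
    Written branch-free; 'if x >> 127: x ^= 0x87' is the variable-time form the slides warn about."""
    return ((x << 1) & M128) ^ (0x87 * (x >> 127))


def times(c: int, x: int) -> int:
    """c · x for a small constant c (its bits are the coefficients of a polynomial), by repeated doubling."""
    acc = 0
    while c:
        if c & 1:
            acc ^= x
        x, c = double(x), c >> 1
    return acc


def powering(alpha: int, beta: int, gamma: int, L: int) -> int:
    """The XEX/OCB2 mask 2^α 3^β 7^γ · L."""
    for _ in range(alpha):
        L = double(L)
    for _ in range(beta):
        L = times(3, L)
    for _ in range(gamma):
        L = times(7, L)
    return L


def em(k: int, m: int) -> int:          # Even-Mansour blockcipher E_k(m) = P(m ⊕ k) ⊕ k
    return P(m ^ k) ^ k


def em_inv(k: int, c: int) -> int:
    return P_inv(c ^ k) ^ k


def xex(k: int, N: int, abg: tuple, m: int) -> int:
    """XEX over Even-Mansour: E_k(m ⊕ Δ) ⊕ Δ with Δ = 2^α 3^β 7^γ · E_k(N)."""
    d = powering(*abg, em(k, N))
    return em(k, m ^ d) ^ d


def xex_inv(k: int, N: int, abg: tuple, c: int) -> int:
    d = powering(*abg, em(k, N))
    return em_inv(k, c ^ d) ^ d


def subkey_leak(k: int, N: int) -> int:
    """Slide 36: with Δ = E_k(N) itself, i.e. (α, β, γ) = (0, 0, 0), the inverse query on c = 0
    returns E_k^{-1}(E_k(N)) ⊕ Δ = N ⊕ E_k(N); the attacker knows N and so learns L = E_k(N)."""
    return xex_inv(k, N, (0, 0, 0), 0) ^ N


def xpx(k: int, t: tuple, m: int) -> int:
    """Slide 45: P(m ⊕ t11·k ⊕ t12·P(k)) ⊕ t21·k ⊕ t22·P(k)."""
    t11, t12, t21, t22 = t
    pk = P(k)
    return P(m ^ times(t11, k) ^ times(t12, pk)) ^ times(t21, k) ^ times(t22, pk)


def xex_tweak(abg: tuple) -> tuple:
    """Slide 48: XEX over Even-Mansour with L = E_k(0) is XPX under (δ ⊕ 1, δ, δ ⊕ 1, δ), δ = 2^α 3^β 7^γ."""
    d = powering(*abg, 1)
    return (d ^ 1, d, d ^ 1, d)


# Constructed sample key, nonce and message block
K = int.from_bytes(hashlib.sha256(b"sample key").digest()[:16], "big")
NONCE = 0x0123456789ABCDEF
MSG = int.from_bytes(b"tweakable block!", "big")
```

The weak-tweak identities of slide 46 follow directly: xpx(K, (0, 0, 0, 0), m) equals P(m), xpx(K, (1, 0, 1, 1), 0) equals K, and xpx(K, (1, 0, 0, 2), 0) equals times(3, P(K)); (1, 0, 1, 0) reproduces em, and xex with nonce 0 matches xpx under xex_tweak for any (α, β, γ). The branch-free double shows what "constant-time by default" costs in the powering-up setting: one multiply-by-mask per doubling, where the LFSR masks of MEM need none.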
Application to AE: COPA and Prøst-COPA
L = E_k(0)
Diagram: associated-data blocks A_1, A_2, …, A_{a−1}, A_a go through E_k under the masks 3³L, 2·3³L, …, 2^{a−2}3³L, 2^{a−1}3⁴L; message blocks M_1, M_2, …, M_d under L, 3L, 2·3L, …, 2^{d−1}3L on the first layer and 2L, 2²L, …, 2^d L on the second, giving C_1, C_2, …, C_d; the checksum M_1 ⊕ ··· ⊕ M_d under 2^{d−1}3²L and 2^{d−1}7L, giving the tag T.
Prøst-COPA by Kavun et al. (2014): COPA based on XEX based on Even-Mansour
49 / 57
Application to AE: COPA and Prøst-COPA
(All bounds below are birthday-type bounds of the form O(·/2^n); sk = single-key, rk = related-key.)
Single-key security of COPA: COPA ←(sk, O(·/2^n))← XEX ←(sk, O(·/2^n))← E
Single-key security of Prøst-COPA: the same chain, extended by E ←(sk, O(·/2^n))← P (Even-Mansour)
Related-key security of COPA: the existing proof generalizes, COPA ←(rk, O(·/2^n))← XEX ←(rk, O(·/2^n))← E
Related-key security of Prøst-COPA: the last step breaks, E ←(rk, Ω)← P, because Even-Mansour is not related-key secure; the modular chain therefore gives nothing, but a direct O(·/2^n) related-key bound for Prøst-COPA still follows from the related-key security of XPX.
50 / 57
Nonce generation in practice
Kinds of nonce: counter nonce, random nonce, user-chosen nonce
Issues with nonce generation:
Counter needs storage
Need synchronization or transmission
Efficiency cost
Laziness or mistake of implementor
…
Sometimes the attacker can make the same nonce be used multiple times
52 / 57
Nonce-Reuse in Practice
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS
Böck et al., USENIX WOOT 2016
53 / 57
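What nonce reuse gives the attacker against GCM (the question left open on slide 12, and the attack behind the Böck et al. forgeries above), as an added example that is not part of the slides. It is a reduced GCM: the blockcipher E_K is a stand-in keyed PRF (HMAC-SHA256 truncated to 16 bytes) rather than AES, which is functionally sufficient because GCM only ever evaluates E in the forward direction; GHASH uses a plain integer encoding of GF(2^128) instead of GCM's bit-reflected one; messages are whole blocks with no associated data. Two one-block messages under one nonce give T_1 ⊕ T_2 = (C_1 ⊕ C_2)·H², from which H follows by one field inversion and one square root, and with H a valid tag for any other ciphertext under that nonce can be computed. Key, nonce and messages are constructed sample values.

```python
"""Toy GCM-style AE: keystream reuse, GHASH-key recovery and forgery under nonce reuse."""
import hashlib
import hmac

POLY = (1 << 128) | 0x87        # x^128 + x^7 + x^2 + x + 1, the GHASH field polynomial


def gf_mul(a: int, b: int) -> int:
    """GF(2^128) multiplication (plain integer encoding, not GCM's bit-reflected one; same attack)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> 128:
            a ^= POLY
    return r


def gf_pow(a: int, e: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


def gf_inv(a: int) -> int:
    return gf_pow(a, (1 << 128) - 2)


def gf_sqrt(a: int) -> int:
    return gf_pow(a, 1 << 127)     # squaring is a bijection of GF(2^128); its inverse is a ↦ a^(2^127)


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the blockcipher E_K: a keyed PRF (GCM only evaluates E in the forward direction)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    # counter blocks N || ctr for ctr = 2, 3, ...; ctr = 1 is reserved for masking the tag
    return b"".join(E(key, nonce + (2 + i).to_bytes(4, "big")) for i in range(nblocks))


def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    h = int.from_bytes(E(key, bytes(16)), "big")                     # hash key H = E_K(0)
    x = 0
    for blk in [ct[i:i + 16] for i in range(0, len(ct), 16)] + [(8 * len(ct)).to_bytes(16, "big")]:
        x = gf_mul(x ^ int.from_bytes(blk, "big"), h)                # GHASH over C || len, no AD
    return _xor(x.to_bytes(16, "big"), E(key, nonce + b"\x00\x00\x00\x01"))


def encrypt(key: bytes, nonce: bytes, msg: bytes):
    assert len(nonce) == 12 and len(msg) % 16 == 0
    ct = _xor(msg, _keystream(key, nonce, len(msg) // 16))
    return ct, _tag(key, nonce, ct)


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    if not hmac.compare_digest(_tag(key, nonce, ct), tag):
        return None                                                  # ⊥
    return _xor(ct, _keystream(key, nonce, len(ct) // 16))


def recover_h(c1: bytes, t1: bytes, c2: bytes, t2: bytes) -> int:
    """Two one-block ciphertexts of equal length under one nonce: T1 ⊕ T2 = (C1 ⊕ C2) · H^2."""
    d = int.from_bytes(c1, "big") ^ int.from_bytes(c2, "big")
    h2 = gf_mul(int.from_bytes(t1, "big") ^ int.from_bytes(t2, "big"), gf_inv(d))
    return gf_sqrt(h2)


def forge_tag(c1: bytes, t1: bytes, h: int, new_ct: bytes) -> bytes:
    """Valid tag for another one-block ciphertext under the same nonce: T' = T1 ⊕ (C1 ⊕ C') · H^2."""
    delta = int.from_bytes(c1, "big") ^ int.from_bytes(new_ct, "big")
    return (int.from_bytes(t1, "big") ^ gf_mul(delta, gf_mul(h, h))).to_bytes(16, "big")


def demo():
    key, nonce = b"k" * 16, b"n" * 12                                # constructed sample key and nonce
    m1, m2 = b"transfer 0000100", b"transfer 0000999"               # two messages under one nonce
    c1, t1 = encrypt(key, nonce, m1)
    c2, t2 = encrypt(key, nonce, m2)
    keystream_reuse = _xor(c1, c2) == _xor(m1, m2)                   # confidentiality is gone
    h = recover_h(c1, t1, c2, t2)
    h_recovered = h == int.from_bytes(E(key, bytes(16)), "big")
    m_forged = b"transfer 9999999"
    c_forged = _xor(c1, _xor(m1, m_forged))                           # rewrite the plaintext via the keystream
    accepted = decrypt(key, nonce, c_forged, forge_tag(c1, t1, h, c_forged)) == m_forged
    return keystream_reuse, h_recovered, accepted
```

demo() returns (True, True, True): the two ciphertexts XOR to the two plaintexts, the recovered H is the real hash key, and the forged record is accepted and decrypts to the attacker's text. Once H is known every further record under that nonce can be forged at will, which is exactly the situation the Böck et al. paper found in deployed TLS servers with repeating GCM nonces.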
Resistance Against Nonce-Reuse
Intuition: any change in the input (N, A, M), even under a repeated nonce → unpredictable (C, T)
54 / 57
Back to GCM-SIV
Diagram as on slide 13: KeyGen_{E_k} derives (K, L) from N (KEY); the tag T is computed from A and M_1, …, M_m with GHASH_L and E_K (MAC); encryption is counter mode with the counters T+0, T+1, …, T+(m−1) through E_K (ENC). The keystream depends on T and therefore on the whole input, so a repeated nonce does not repeat the keystream unless the whole (A, M) repeats.
55 / 57
Conclusion
Authenticated Encryption
Tweakable Blockciphers: allow for modular and compact proofs
Birthday-bound secure TBCs: simple and efficient
Security beyond the birthday bound?
Thank you for your attention!
57 / 57
SUPPORTING SLIDES
58 / 57
Detailed Picture of GCM
Diagram: the hash key H = E_k(0) is derived first; counter blocks n, n ⊞ 1, n ⊞ 2, … go through E_k to encrypt m_0, m_1, … into c_0, c_1, …; the associated data ad, the ciphertext blocks and the length block len(ad)‖len(c) are accumulated with ⊗H (GHASH), and the result is masked with E_k(n) to give the tag t.
59 / 57
Detailed Picture of GCM-SIV
Diagram: the hash key k1 and the encryption key k2 are derived by E_k from the nonce counter values n, n ⊞ 1, n ⊞ 2, n ⊞ 3; ad, m_0, m_1 and the length block len(ad)‖len(m) are accumulated with ⊗k1; the tag is t = E_{k2}(hash ⊕ n) with the top bit fixed to 0 (fix0); the ciphertext blocks are c_i = m_i ⊕ E_{k2}(t ⊞ i) with the top bit fixed to 1 (fix1).
60 / 57
MEM: Implementation
φ(x0, …, x15) = (x1, …, x15, (x0 ≪ 53) ⊕ (x5 ≪ 13))
Main implementation results (cycles per byte; ≈ marks estimated values, "-" no implementation; one misuse-resistant column lost its label in the extraction):
              nonce-respecting                            misuse-resistant
Platform      AES-GCM  OCB3  Deoxys≠  OPP4  OPP6        (unlabelled)  Deoxys=  MRO4  MRO6
Cortex-A8     38.6     28.9  -        4.26  5.91        -             -        8.07  11.32
Sandy Bridge  2.55     0.98  1.29     1.24  1.91        -             ≈2.58    2.41  3.58
Haswell       1.03     0.69  0.96     0.55  0.75        1.17          ≈1.92    1.06  1.39
61 / 57
MEM: Parallelizability
φ(x0, …, x15) = (x1, …, x15, (x0 ≪ 53) ⊕ (x5 ≪ 13))
Begin with a state of 16 64-bit words x0, …, x15; successive steps append x16, x17, x18, x19, …, each computed from two of the existing words only.
Parallelizable (AVX2) and word-sliceable
62 / 57
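The 1024-bit LFSR of slides 40, 61 and 62 together with the OPP mask schedule of slide 42, as an added example that is not taken from the slides or from the OPP reference implementation. One assumption is made explicit: the extracted table does not distinguish rotations from shifts, and a plain left shift of x0 would make φ non-injective (any state whose only nonzero bits are the top 53 bits of x0 would map to zero), so the x0 term is implemented as a 64-bit rotation and the x5 term as a shift. The update has no data-dependent branch, unlike the conditional XOR of powering-up masking. The sample state L_SAMPLE stands in for L = P(N‖k) and is constructed from SHA-256.

```python
"""MEM-style LFSR masking: the 1024-bit φ from the slides, the OPP mask schedule, and its word-sliced update."""
import hashlib

M64 = (1 << 64) - 1


def rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & M64


def phi(s: tuple) -> tuple:
    """One LFSR step on 16 words of 64 bits: (x0..x15) -> (x1..x15, (x0 <<< 53) ⊕ (x5 << 13)).
    Assumption: the x0 term is a rotation (a plain shift would not be a bijection); the x5 term is a shift."""
    return s[1:] + (rotl(s[0], 53) ^ ((s[5] << 13) & M64),)


def phi_inv(s: tuple) -> tuple:
    """Undo one step: the new word is (x0 <<< 53) ⊕ (x5 << 13), and x5 sits at index 4 after the shift."""
    x0 = rotl(s[15] ^ ((s[4] << 13) & M64), 11)              # rotate back by 64 - 53
    return (x0,) + s[:15]


def xor(a: tuple, b: tuple) -> tuple:
    return tuple(x ^ y for x, y in zip(a, b))


def phi1(s: tuple) -> tuple:                                    # φ_1 = φ ⊕ id
    return xor(phi(s), s)


def phi2(s: tuple) -> tuple:                                    # φ_2 = φ² ⊕ φ ⊕ id
    return xor(xor(phi(phi(s)), phi(s)), s)


def power(f, k: int, s: tuple) -> tuple:
    for _ in range(k):
        s = f(s)
    return s


def phi_batch(s: tuple, k: int) -> tuple:
    """k ≤ 11 steps at once: each new word depends on old words only (x_j and x_{j+5}),
    so the new words can be computed in parallel (the AVX2 code does four 64-bit lanes at a time)."""
    assert 1 <= k <= 11
    new = tuple(rotl(s[j], 53) ^ ((s[j + 5] << 13) & M64) for j in range(k))
    return s[k:] + new


def opp_masks(L: tuple, a: int, d: int):
    """OPP (slide 42): associated-data block i uses φ^i(L), message block i uses φ_2 ∘ φ^i(L),
    and the checksum uses φ_2 ∘ φ_1² ∘ φ^(d-1)(L)."""
    ad = [power(phi, i, L) for i in range(a)]
    msg = [phi2(power(phi, i, L)) for i in range(d)]
    checksum = phi2(phi1(phi1(power(phi, d - 1, L))))
    return ad, msg, checksum


def masks_unique(L: tuple, a: int, d: int) -> bool:
    """All masks of one message are pairwise distinct and nonzero (the uniqueness requirement of slide 41)."""
    ad, msg, chk = opp_masks(L, a, d)
    allm = ad + msg + [chk]
    return len(set(allm)) == len(allm) and all(any(m) for m in allm)


def iterates_distinct(L: tuple, n: int) -> bool:
    """Cheap sanity check on the period: the first n states are pairwise different and never zero."""
    seen, s = set(), L
    for _ in range(n):
        if s in seen or not any(s):
            return False
        seen.add(s)
        s = phi(s)
    return True


# Constructed sample state standing in for L = P(N || k)
L_SAMPLE = tuple(int.from_bytes(hashlib.sha256(b"sample word %d" % i).digest()[:8], "big") for i in range(16))
```

phi_batch(s, k) equals k sequential applications of phi for every k up to 11, which is the word-sliceability the slide refers to; the distinctness checks are sample tests on a few thousand masks, not a substitute for the period argument of [GJMN16].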
XPX: Single-Key Security
(Strong) Tweakable PRP: distinguisher D has access to (XPX_k^{(±)}, P^±) or to (π̃, P^±), with π̃ an ideal tweakable permutation
T is valid ⟹ XPX is a (S)TPRP up to O((q² + qr)/2^n)
63 / 57
XPX: Related-Key Security
Related-Key (Strong) Tweakable PRP: distinguisher D has access to (XPX_{φ(k)}^{(±)}, P^±) or to (rkπ̃, P^±), with rkπ̃ an ideal tweakable related-key permutation
64 / 57
XPX: Related-Key Security
Key-deriving functions: Φ (all functions), and the restricted classes Φ⊕ and Φ_{P⊕} (XOR-based maskings of the key)
Results, if T is valid and for all tweaks:
Φ⊕:     t_12 ≠ 0                                   → TPRP
Φ⊕:     t_12, t_22 ≠ 0 and (t_21, t_22) ≠ (0, 1)    → STPRP
Φ_{P⊕}: t_11, t_12 ≠ 0                             → TPRP
Φ_{P⊕}: t_11, t_12, t_21, t_22 ≠ 0                 → STPRP
65 / 57
XPX: Security Proof Techniques
Patarin's H-coefficient technique:
Adv^{rk-(s)prp}_{XPX}(D) ≤ ε + Pr[ bad transcript for (rkπ̃, P) ]
ε bounds the probability ratio for good transcripts; the second term is the probability of a bad transcript in the ideal world
Trade-off: define bad transcripts smartly!
66 / 57
XPX: Security Proof Techniques
Before the interaction; after the interaction; bounding the advantage
67 / 57
XPX: Application to AE: Minalpher
L′ = k‖flag‖0 ⊕ P(k‖flag‖0), L = k‖flag‖N ⊕ P(k‖flag‖N)
Diagram: associated-data blocks A_1, A_2, …, A_{a−1}, A_a go through P under the masks 2L′, 2²L′, …, 2^{a−1}L′, 2^{a−1}3L′ (same mask on input and output); message block M_i goes through P twice, under 2^{2i−1}L and 2^{2i}L (M_1: 2L and 2²L, M_2: 2³L and 2⁴L, …, M_{d−1}: 2^{2d−3}L and 2^{2d−2}L), the last block M_d under 2^{2d−1}L and 2^{2d−1}3L, giving C_1, …, C_d and the tag T.
Based on the masked public permutation with L′, L as above, i.e. XPX:
Minalpher ←(rk, O(·/2^n))← XPX ←(rk, O(·/2^n))← P
68 / 57