rt rt rt - PowerPoint PPT Presentation

❧❛r❣❡ ❡♥♦✉❣❤✿ ❜✐rt❤❞❛②✲❜♦✉♥❞ s❡❝✉r✐t② ✐s ♦❦❛② P❡r♠✉t❛t✐♦♥✲❜❛s❡❞ ❝♦♥str✉❝t✐♦♥s t♦♦ s♠❛❧❧✿ ❜✐rt❤❞❛②✲❜♦✉♥❞ s❡❝✉r✐t② ❝♦✉❧❞ ❜❡ ❜♦❣✉s ▲✐❣❤t✇❡✐❣❤t ❜❧♦❝❦❝✐♣❤❡rs ❛t r✐s❦ ❇❡②♦♥❞ ❜✐rt❤❞❛②✲❜♦✉♥❞✿ r❡❧❡✈❛♥t ✐❢ ✐s ♦♥ t❤❡ ❡❞❣❡ � � ❉✐s❝❧❛✐♠❡r ⇐ = ❇❡②♦♥❞ ❜✐rt❤❞❛②✲❜♦✉♥❞ ⇒ ❇❡tt❡r s❡❝✉r✐t② = ✾ ✴ ✸✷

❇❡②♦♥❞ ❜✐rt❤❞❛②✲❜♦✉♥❞✿ r❡❧❡✈❛♥t ✐❢ ✐s ♦♥ t❤❡ ❡❞❣❡ � � ❉✐s❝❧❛✐♠❡r ⇐ = ❇❡②♦♥❞ ❜✐rt❤❞❛②✲❜♦✉♥❞ ⇒ ❇❡tt❡r s❡❝✉r✐t② = • n ❧❛r❣❡ ❡♥♦✉❣❤✿ ❜✐rt❤❞❛②✲❜♦✉♥❞ s❡❝✉r✐t② ✐s ♦❦❛② − → P❡r♠✉t❛t✐♦♥✲❜❛s❡❞ ❝♦♥str✉❝t✐♦♥s • n t♦♦ s♠❛❧❧✿ ❜✐rt❤❞❛②✲❜♦✉♥❞ s❡❝✉r✐t② ❝♦✉❧❞ ❜❡ ❜♦❣✉s − → ▲✐❣❤t✇❡✐❣❤t ❜❧♦❝❦❝✐♣❤❡rs ❛t r✐s❦ ✾ ✴ ✸✷

� � ❉✐s❝❧❛✐♠❡r ⇐ = ❇❡②♦♥❞ ❜✐rt❤❞❛②✲❜♦✉♥❞ ⇒ ❇❡tt❡r s❡❝✉r✐t② = • n ❧❛r❣❡ ❡♥♦✉❣❤✿ ❜✐rt❤❞❛②✲❜♦✉♥❞ s❡❝✉r✐t② ✐s ♦❦❛② − → P❡r♠✉t❛t✐♦♥✲❜❛s❡❞ ❝♦♥str✉❝t✐♦♥s • n t♦♦ s♠❛❧❧✿ ❜✐rt❤❞❛②✲❜♦✉♥❞ s❡❝✉r✐t② ❝♦✉❧❞ ❜❡ ❜♦❣✉s − → ▲✐❣❤t✇❡✐❣❤t ❜❧♦❝❦❝✐♣❤❡rs ❛t r✐s❦ • ❇❡②♦♥❞ ❜✐rt❤❞❛②✲❜♦✉♥❞✿ r❡❧❡✈❛♥t ✐❢ n/ 2 ✐s ♦♥ t❤❡ ❡❞❣❡ ✾ ✴ ✸✷

❙✇❡❡t✸✷ ❆tt❛❝❦ ❖♥ t❤❡ Pr❛❝t✐❝❛❧ ✭■♥✲✮❙❡❝✉r✐t② ♦❢ ✻✹✲❜✐t ❇❧♦❝❦ ❈✐♣❤❡rs✿ ❈♦❧❧✐s✐♦♥ ❆tt❛❝❦s ♦♥ ❍❚❚P ♦✈❡r ❚▲❙ ❛♥❞ ❖♣❡♥❱P◆ ❇❤❛r❣❛✈❛♥✱ ▲❡✉r❡♥t✱ ❆❈▼ ❈❈❙ ✷✵✶✻ • ❚▲❙ s✉♣♣♦rt❡❞ ❚r✐♣❧❡✲❉❊❙ • ❖♣❡♥❱P◆ ✉s❡❞ ❇❧♦✇✜s❤ • ❇♦t❤ ❇❧♦✇✜s❤ ❛♥❞ ❚r✐♣❧❡✲❉❊❙ ❤❛✈❡ ✻✹✲❜✐t st❛t❡ • Pr❛❝t✐❝❛❧ ❜✐rt❤❞❛②✲❜♦✉♥❞ ❛tt❛❝❦ ♦♥ ❡♥❝r②♣t✐♦♥ ♠♦❞❡ ✶✵ ✴ ✸✷

❖✉t❧✐♥❡ P❘P✲P❘❋ ❈♦♥✈❡rs✐♦♥ ❈♦♥❝❧✉s✐♦♥ ✶✶ ✴ ✸✷

❖✉t❧✐♥❡ P❘P✲P❘❋ ❈♦♥✈❡rs✐♦♥ ❈♦♥❝❧✉s✐♦♥ ✶✷ ✴ ✸✷

▲✉❜②✲❘❛❝❦♦✛ ✴ ❋❡✐st❡❧ ◆♦✇ P❘P✲P❘❋ ❈♦♥✈❡rs✐♦♥ P❘P P❘❋ ✶✸ ✴ ✸✷

◆♦✇ P❘P✲P❘❋ ❈♦♥✈❡rs✐♦♥ ▲✉❜②✲❘❛❝❦♦✛ ✴ ❋❡✐st❡❧ P❘P P❘❋ ✶✸ ✴ ✸✷

P❘P✲P❘❋ ❈♦♥✈❡rs✐♦♥ ▲✉❜②✲❘❛❝❦♦✛ ✴ ❋❡✐st❡❧ P❘P P❘❋ ◆♦✇ ✶✸ ✴ ✸✷

❞♦❡s ♥♦t ❡①♣♦s❡ ❝♦❧❧✐s✐♦♥s ❜✉t ❞♦❡s ❝❛♥ ❜❡ ❞✐st✐♥❣✉✐s❤❡❞ ❢r♦♠ ✐♥ q✉❡r✐❡s ◆❛✐✈❡ P❘P✲P❘❋ ❈♦♥✈❡rs✐♦♥ IC F k = E k f blockcipher random function distinguisher D P❘P✲P❘❋ ❙✇✐t❝❤ • ❙✐♠♣❧② ✈✐❡✇ E k ❛s ❛ P❘❋ ✶✹ ✴ ✸✷

◆❛✐✈❡ P❘P✲P❘❋ ❈♦♥✈❡rs✐♦♥ IC F k = E k f blockcipher random function distinguisher D P❘P✲P❘❋ ❙✇✐t❝❤ • ❙✐♠♣❧② ✈✐❡✇ E k ❛s ❛ P❘❋ • E k ❞♦❡s ♥♦t ❡①♣♦s❡ ❝♦❧❧✐s✐♦♥s ❜✉t f ❞♦❡s • E k ❝❛♥ ❜❡ ❞✐st✐♥❣✉✐s❤❡❞ ❢r♦♠ f ✐♥ ≈ 2 n/ 2 q✉❡r✐❡s � q � � q � / 2 n � Adv prf E ( q ) ≤ Adv prp / 2 n E ( q ) + 2 2 ✶✹ ✴ ✸✷

▲✉❝❦s ❬▲✉❝✵✵❪ ✿ ❇❡❧❧❛r❡ ❛♥❞ ■♠♣❛❣❧✐❛③③♦ ❬❇■✾✾❪ ✿ P❛t❛r✐♥ ❬P❛t✵✽❪ ✿ ❳♦r ♦❢ P❡r♠✉t❛t✐♦♥s p 1 p 2 y x • ❋✐rst s✉❣❣❡st❡❞ ❜② ❇❡❧❧❛r❡ ❡t ❛❧✳ ❬❇❑❘✾✽❪ ✶✺ ✴ ✸✷

▲✉❝❦s ❬▲✉❝✵✵❪ ✿ ❇❡❧❧❛r❡ ❛♥❞ ■♠♣❛❣❧✐❛③③♦ ❬❇■✾✾❪ ✿ P❛t❛r✐♥ ❬P❛t✵✽❪ ✿ ❳♦r ♦❢ P❡r♠✉t❛t✐♦♥s p 0 �· p y x 1 �· • ❋✐rst s✉❣❣❡st❡❞ ❜② ❇❡❧❧❛r❡ ❡t ❛❧✳ ❬❇❑❘✾✽❪ ✶✺ ✴ ✸✷

❳♦r ♦❢ P❡r♠✉t❛t✐♦♥s p 0 �· p y x 1 �· • ❋✐rst s✉❣❣❡st❡❞ ❜② ❇❡❧❧❛r❡ ❡t ❛❧✳ ❬❇❑❘✾✽❪ • ▲✉❝❦s ❬▲✉❝✵✵❪ ✿ 2 2 n/ 3 • ❇❡❧❧❛r❡ ❛♥❞ ■♠♣❛❣❧✐❛③③♦ ❬❇■✾✾❪ ✿ 2 n /n 2 / 3 • P❛t❛r✐♥ ❬P❛t✵✽❪ ✿ 2 n ✶✺ ✴ ✸✷

❳♦r ♦❢ P❡r♠✉t❛t✐♦♥s p 0 �· p y x 1 �· • ❋✐rst s✉❣❣❡st❡❞ ❜② ❇❡❧❧❛r❡ ❡t ❛❧✳ ❬❇❑❘✾✽❪ • ▲✉❝❦s ❬▲✉❝✵✵❪ ✿ 2 2 n/ 3 • ❇❡❧❧❛r❡ ❛♥❞ ■♠♣❛❣❧✐❛③③♦ ❬❇■✾✾❪ ✿ 2 n /n 2 / 3 • P❛t❛r✐♥ ❬P❛t✵✽❪ ✿ 2 n Adv prf XoP ( q ) ≤ Adv prp E (2 q ) + q/ 2 n ✶✺ ✴ ✸✷

❇❡②♦♥❞ ❜✐rt❤❞❛②✲❜♦✉♥❞ ❜✉t ✷① ❛s ❡①♣❡♥s✐✈❡ ❛s ❈❚❘ ❈♦✉♥t❡r ▼♦❞❡ ❇❛s❡❞ ♦♥ ❳♦P 0 � n +1 1 � n +1 0 � n +2 1 � n +2 0 � n + ℓ 1 � n + ℓ E k E k · · · · · · E k E k E k E k m 1 m 2 m ℓ c 2 c ℓ c 1 • ❙❡❝✉r✐t② ❜♦✉♥❞✿ Adv cpa CTR [ XoP ] ( σ ) ≤ Adv prf XoP ( σ ) ✶✻ ✴ ✸✷

❇❡②♦♥❞ ❜✐rt❤❞❛②✲❜♦✉♥❞ ❜✉t ✷① ❛s ❡①♣❡♥s✐✈❡ ❛s ❈❚❘ ❈♦✉♥t❡r ▼♦❞❡ ❇❛s❡❞ ♦♥ ❳♦P 0 � n +1 1 � n +1 0 � n +2 1 � n +2 0 � n + ℓ 1 � n + ℓ E k E k · · · · · · E k E k E k E k m 1 m 2 m ℓ c 2 c ℓ c 1 • ❙❡❝✉r✐t② ❜♦✉♥❞✿ Adv cpa CTR [ XoP ] ( σ ) ≤ Adv prf XoP ( σ ) ≤ Adv prp E (2 σ ) + σ/ 2 n ✶✻ ✴ ✸✷

❈♦✉♥t❡r ▼♦❞❡ ❇❛s❡❞ ♦♥ ❳♦P 0 � n +1 1 � n +1 0 � n +2 1 � n +2 0 � n + ℓ 1 � n + ℓ E k E k · · · · · · E k E k E k E k m 1 m 2 m ℓ c 2 c ℓ c 1 • ❙❡❝✉r✐t② ❜♦✉♥❞✿ Adv cpa CTR [ XoP ] ( σ ) ≤ Adv prf XoP ( σ ) ≤ Adv prp E (2 σ ) + σ/ 2 n • ❇❡②♦♥❞ ❜✐rt❤❞❛②✲❜♦✉♥❞ ❜✉t ✷① ❛s ❡①♣❡♥s✐✈❡ ❛s ❈❚❘ [ E ] ✶✻ ✴ ✸✷

❲❡❧❧✱ ✇❡ ❞✐❞ ♥♦t r❡❛❧❧② ♣r♦✈❡ ✐t ♦✉rs❡❧✈❡s ■♠♠❡❞✐❛t❡ ❝♦♥s❡q✉❡♥❝❡ ♦❢ ♠✐rr♦r t❤❡♦r② ❢r♦♠ ✷✵✵✺ ❆❧♠♦st ❛s ❡①♣❡♥s✐✈❡ ❛s ❈❚❘ ✷✵✵✻✿ s❡❝✉r✐t②✱ ❝♦♥❥❡❝t✉r❡❞ ❬■✇❛✵✻❪ ✷✵✶✻✿ s❡❝✉r✐t② ❬■▼❱✶✻❪ ❈❊◆❈ ❜② ■✇❛t❛ ❬■✇❛✵✻❪ 0 � n +1 1 � n +1 0 � n +1 1 � n +2 0 � n +1 1 � n + w 0 � n +2 1 � n + w +1 E k E k · · · · · · E k E k E k E k · · · E k E k m 1 m 2 m w m w +1 c 2 c w c 1 c w +1 • ❖♥❡ s✉❜❦❡② ✉s❡❞ ❢♦r w ≥ 1 ❡♥❝r②♣t✐♦♥s ✶✼ ✴ ✸✷

❲❡❧❧✱ ✇❡ ❞✐❞ ♥♦t r❡❛❧❧② ♣r♦✈❡ ✐t ♦✉rs❡❧✈❡s ■♠♠❡❞✐❛t❡ ❝♦♥s❡q✉❡♥❝❡ ♦❢ ♠✐rr♦r t❤❡♦r② ❢r♦♠ ✷✵✵✺ ✷✵✵✻✿ s❡❝✉r✐t②✱ ❝♦♥❥❡❝t✉r❡❞ ❬■✇❛✵✻❪ ✷✵✶✻✿ s❡❝✉r✐t② ❬■▼❱✶✻❪ ❈❊◆❈ ❜② ■✇❛t❛ ❬■✇❛✵✻❪ 0 � n +1 1 � n +1 0 � n +1 1 � n +2 0 � n +1 1 � n + w 0 � n +2 1 � n + w +1 E k E k · · · · · · E k E k E k E k · · · E k E k m 1 m 2 m w m w +1 c 2 c w c 1 c w +1 • ❖♥❡ s✉❜❦❡② ✉s❡❞ ❢♦r w ≥ 1 ❡♥❝r②♣t✐♦♥s • ❆❧♠♦st ❛s ❡①♣❡♥s✐✈❡ ❛s ❈❚❘ [ E ] ✶✼ ✴ ✸✷

❲❡❧❧✱ ✇❡ ❞✐❞ ♥♦t r❡❛❧❧② ♣r♦✈❡ ✐t ♦✉rs❡❧✈❡s ■♠♠❡❞✐❛t❡ ❝♦♥s❡q✉❡♥❝❡ ♦❢ ♠✐rr♦r t❤❡♦r② ❢r♦♠ ✷✵✵✺ ✷✵✶✻✿ s❡❝✉r✐t② ❬■▼❱✶✻❪ ❈❊◆❈ ❜② ■✇❛t❛ ❬■✇❛✵✻❪ 0 � n +1 1 � n +1 0 � n +1 1 � n +2 0 � n +1 1 � n + w 0 � n +2 1 � n + w +1 E k E k · · · · · · E k E k E k E k · · · E k E k m 1 m 2 m w m w +1 c 2 c w c 1 c w +1 • ❖♥❡ s✉❜❦❡② ✉s❡❞ ❢♦r w ≥ 1 ❡♥❝r②♣t✐♦♥s • ❆❧♠♦st ❛s ❡①♣❡♥s✐✈❡ ❛s ❈❚❘ [ E ] • ✷✵✵✻✿ 2 2 n/ 3 s❡❝✉r✐t②✱ 2 n /w ❝♦♥❥❡❝t✉r❡❞ ❬■✇❛✵✻❪ ✶✼ ✴ ✸✷

❲❡❧❧✱ ✇❡ ❞✐❞ ♥♦t r❡❛❧❧② ♣r♦✈❡ ✐t ♦✉rs❡❧✈❡s ■♠♠❡❞✐❛t❡ ❝♦♥s❡q✉❡♥❝❡ ♦❢ ♠✐rr♦r t❤❡♦r② ❢r♦♠ ✷✵✵✺ ❈❊◆❈ ❜② ■✇❛t❛ ❬■✇❛✵✻❪ 0 � n +1 1 � n +1 0 � n +1 1 � n +2 0 � n +1 1 � n + w 0 � n +2 1 � n + w +1 E k E k · · · · · · E k E k E k E k · · · E k E k m 1 m 2 m w m w +1 c 2 c w c 1 c w +1 • ❖♥❡ s✉❜❦❡② ✉s❡❞ ❢♦r w ≥ 1 ❡♥❝r②♣t✐♦♥s • ❆❧♠♦st ❛s ❡①♣❡♥s✐✈❡ ❛s ❈❚❘ [ E ] • ✷✵✵✻✿ 2 2 n/ 3 s❡❝✉r✐t②✱ 2 n /w ❝♦♥❥❡❝t✉r❡❞ ❬■✇❛✵✻❪ • ✷✵✶✻✿ 2 n /w s❡❝✉r✐t② ❬■▼❱✶✻❪ ✶✼ ✴ ✸✷

❈❊◆❈ ❜② ■✇❛t❛ ❬■✇❛✵✻❪ 0 � n +1 1 � n +1 0 � n +1 1 � n +2 0 � n +1 1 � n + w 0 � n +2 1 � n + w +1 E k E k · · · · · · E k E k E k E k · · · E k E k m 1 m 2 m w m w +1 c 2 c w c 1 c w +1 • ❖♥❡ s✉❜❦❡② ✉s❡❞ ❢♦r w ≥ 1 ❡♥❝r②♣t✐♦♥s • ❆❧♠♦st ❛s ❡①♣❡♥s✐✈❡ ❛s ❈❚❘ [ E ] • ✷✵✵✻✿ 2 2 n/ 3 s❡❝✉r✐t②✱ 2 n /w ❝♦♥❥❡❝t✉r❡❞ ❬■✇❛✵✻❪ • ✷✵✶✻✿ 2 n /w s❡❝✉r✐t② ❬■▼❱✶✻❪ • ❲❡❧❧✱ ✇❡ ❞✐❞ ♥♦t r❡❛❧❧② ♣r♦✈❡ ✐t ♦✉rs❡❧✈❡s • ■♠♠❡❞✐❛t❡ ❝♦♥s❡q✉❡♥❝❡ ♦❢ ♠✐rr♦r t❤❡♦r② ❢r♦♠ ✷✵✵✺ ✶✼ ✴ ✸✷

●♦❛❧ ▲♦✇❡r ❜♦✉♥❞ ♦♥ t❤❡ ♥✉♠❜❡r ♦❢ s♦❧✉t✐♦♥s t♦ s✉❝❤ t❤❛t ❢♦r ❛❧❧ ❞✐st✐♥❝t ▼✐rr♦r ❚❤❡♦r② ❙②st❡♠ ♦❢ ❊q✉❛t✐♦♥s • ❈♦♥s✐❞❡r r ❞✐st✐♥❝t ✉♥❦♥♦✇♥s P = { P 1 , . . . , P r } • ❈♦♥s✐❞❡r ❛ s②st❡♠ ♦❢ q ❡q✉❛t✐♦♥s ♦❢ t❤❡ ❢♦r♠✿ P a 1 ⊕ P b 1 = λ 1 P a 2 ⊕ P b 2 = λ 2 ✳ ✳ ✳ P a q ⊕ P b q = λ q ❢♦r s♦♠❡ s✉r❥❡❝t✐♦♥ ϕ : { a 1 , b 1 , . . . , a q , b q } → { 1 , . . . , r } ✶✽ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r② ❙②st❡♠ ♦❢ ❊q✉❛t✐♦♥s • ❈♦♥s✐❞❡r r ❞✐st✐♥❝t ✉♥❦♥♦✇♥s P = { P 1 , . . . , P r } • ❈♦♥s✐❞❡r ❛ s②st❡♠ ♦❢ q ❡q✉❛t✐♦♥s ♦❢ t❤❡ ❢♦r♠✿ P a 1 ⊕ P b 1 = λ 1 P a 2 ⊕ P b 2 = λ 2 ✳ ✳ ✳ P a q ⊕ P b q = λ q ❢♦r s♦♠❡ s✉r❥❡❝t✐♦♥ ϕ : { a 1 , b 1 , . . . , a q , b q } → { 1 , . . . , r } ●♦❛❧ • ▲♦✇❡r ❜♦✉♥❞ ♦♥ t❤❡ ♥✉♠❜❡r ♦❢ s♦❧✉t✐♦♥s t♦ P s✉❝❤ t❤❛t P a � = P b ❢♦r ❛❧❧ ❞✐st✐♥❝t a, b ∈ { 1 , . . . , r } ✶✽ ✴ ✸✷

❍❛s r❡♠❛✐♥❡❞ r❛t❤❡r ✉♥❦♥♦✇♥ s✐♥❝❡ ✐♥tr♦❞✉❝t✐♦♥ ✭✷✵✵✸✮ ❆✉t❤♦rs P✉❜❧✐❝❛t✐♦♥ ❆♣♣❧✐❝❛t✐♦♥ ▼✐rr♦r ❇♦✉♥❞ P❛t❛r✐♥ ❈❘❨P❚❖ ✷✵✵✸ ❋❡✐st❡❧ s✉❜♦♣t✐♠❛❧ P❛t❛r✐♥ ❈❘❨P❚❖ ✷✵✵✹ ❋❡✐st❡❧ P❛t❛r✐♥ ■❈■❙❈ ✷✵✵✺ ❋❡✐st❡❧ ♦♣t✐♠❛❧ ✐♥ P❛t❛r✐♥✱ ▼♦♥tr❡✉✐❧ ■❈■❙❈ ✷✵✵✺ ❇❡♥❡s P❛t❛r✐♥ ■❈■❚❙ ✷✵✵✽ ❳♦P P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✵✴✷✽✼ ❳♦P ❝♦♥❝r❡t❡ ❜♦✉♥❞ P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✵✴✷✾✸ ❋❡✐st❡❧ P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✸✴✸✻✽ ❳♦P ❈♦❣❧✐❛t✐✱ ▲❛♠♣❡✱ P❛t❛r✐♥ ❋❙❊ ✷✵✶✹ ❳♦P ❱♦❧t❡✱ ◆❛❝❤❡❢✱ ▼❛rr✐èr❡ ❡Pr✐♥t ✷✵✶✻✴✶✸✻ ❋❡✐st❡❧ ■✇❛t❛✱ ▼❡♥♥✐♥❦✱ ❱✐③ár ❡Pr✐♥t ✷✵✶✻✴✶✵✽✼ ❈❊◆❈ ▼✐rr♦r ❚❤❡♦r② P❛t❛r✐♥✬s ❘❡s✉❧t • ❊①tr❡♠❡❧② ♣♦✇❡r❢✉❧ ❧♦✇❡r ❜♦✉♥❞ ✶✾ ✴ ✸✷

❆✉t❤♦rs P✉❜❧✐❝❛t✐♦♥ ❆♣♣❧✐❝❛t✐♦♥ ▼✐rr♦r ❇♦✉♥❞ P❛t❛r✐♥ ❈❘❨P❚❖ ✷✵✵✸ ❋❡✐st❡❧ s✉❜♦♣t✐♠❛❧ P❛t❛r✐♥ ❈❘❨P❚❖ ✷✵✵✹ ❋❡✐st❡❧ P❛t❛r✐♥ ■❈■❙❈ ✷✵✵✺ ❋❡✐st❡❧ ♦♣t✐♠❛❧ ✐♥ P❛t❛r✐♥✱ ▼♦♥tr❡✉✐❧ ■❈■❙❈ ✷✵✵✺ ❇❡♥❡s P❛t❛r✐♥ ■❈■❚❙ ✷✵✵✽ ❳♦P P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✵✴✷✽✼ ❳♦P ❝♦♥❝r❡t❡ ❜♦✉♥❞ P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✵✴✷✾✸ ❋❡✐st❡❧ P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✸✴✸✻✽ ❳♦P ❈♦❣❧✐❛t✐✱ ▲❛♠♣❡✱ P❛t❛r✐♥ ❋❙❊ ✷✵✶✹ ❳♦P ❱♦❧t❡✱ ◆❛❝❤❡❢✱ ▼❛rr✐èr❡ ❡Pr✐♥t ✷✵✶✻✴✶✸✻ ❋❡✐st❡❧ ■✇❛t❛✱ ▼❡♥♥✐♥❦✱ ❱✐③ár ❡Pr✐♥t ✷✵✶✻✴✶✵✽✼ ❈❊◆❈ ▼✐rr♦r ❚❤❡♦r② P❛t❛r✐♥✬s ❘❡s✉❧t • ❊①tr❡♠❡❧② ♣♦✇❡r❢✉❧ ❧♦✇❡r ❜♦✉♥❞ • ❍❛s r❡♠❛✐♥❡❞ r❛t❤❡r ✉♥❦♥♦✇♥ s✐♥❝❡ ✐♥tr♦❞✉❝t✐♦♥ ✭✷✵✵✸✮ ✶✾ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r② P❛t❛r✐♥✬s ❘❡s✉❧t • ❊①tr❡♠❡❧② ♣♦✇❡r❢✉❧ ❧♦✇❡r ❜♦✉♥❞ • ❍❛s r❡♠❛✐♥❡❞ r❛t❤❡r ✉♥❦♥♦✇♥ s✐♥❝❡ ✐♥tr♦❞✉❝t✐♦♥ ✭✷✵✵✸✮ ❆✉t❤♦rs P✉❜❧✐❝❛t✐♦♥ ❆♣♣❧✐❝❛t✐♦♥ ▼✐rr♦r ❇♦✉♥❞ P❛t❛r✐♥ ❈❘❨P❚❖ ✷✵✵✸ ❋❡✐st❡❧ s✉❜♦♣t✐♠❛❧ P❛t❛r✐♥ ❈❘❨P❚❖ ✷✵✵✹ ❋❡✐st❡❧ P❛t❛r✐♥ ■❈■❙❈ ✷✵✵✺ ❋❡✐st❡❧ ♦♣t✐♠❛❧ ✐♥ O ( · ) P❛t❛r✐♥✱ ▼♦♥tr❡✉✐❧ ■❈■❙❈ ✷✵✵✺ ❇❡♥❡s P❛t❛r✐♥ ■❈■❚❙ ✷✵✵✽ ❳♦P P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✵✴✷✽✼ ❳♦P ❝♦♥❝r❡t❡ ❜♦✉♥❞ P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✵✴✷✾✸ ❋❡✐st❡❧ P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✸✴✸✻✽ ❳♦P ❳♦P d ❈♦❣❧✐❛t✐✱ ▲❛♠♣❡✱ P❛t❛r✐♥ ❋❙❊ ✷✵✶✹ ❱♦❧t❡✱ ◆❛❝❤❡❢✱ ▼❛rr✐èr❡ ❡Pr✐♥t ✷✵✶✻✴✶✸✻ ❋❡✐st❡❧ ■✇❛t❛✱ ▼❡♥♥✐♥❦✱ ❱✐③ár ❡Pr✐♥t ✷✵✶✻✴✶✵✽✼ ❈❊◆❈ ✶✾ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r② P❛t❛r✐♥✬s ❘❡s✉❧t • ❊①tr❡♠❡❧② ♣♦✇❡r❢✉❧ ❧♦✇❡r ❜♦✉♥❞ • ❍❛s r❡♠❛✐♥❡❞ r❛t❤❡r ✉♥❦♥♦✇♥ s✐♥❝❡ ✐♥tr♦❞✉❝t✐♦♥ ✭✷✵✵✸✮ ❆✉t❤♦rs P✉❜❧✐❝❛t✐♦♥ ❆♣♣❧✐❝❛t✐♦♥ ▼✐rr♦r ❇♦✉♥❞ P❛t❛r✐♥ ❈❘❨P❚❖ ✷✵✵✸ ❋❡✐st❡❧ s✉❜♦♣t✐♠❛❧ P❛t❛r✐♥ ❈❘❨P❚❖ ✷✵✵✹ ❋❡✐st❡❧ P❛t❛r✐♥ ■❈■❙❈ ✷✵✵✺ ❋❡✐st❡❧ ♦♣t✐♠❛❧ ✐♥ O ( · ) P❛t❛r✐♥✱ ▼♦♥tr❡✉✐❧ ■❈■❙❈ ✷✵✵✺ ❇❡♥❡s P❛t❛r✐♥ ■❈■❚❙ ✷✵✵✽ ❳♦P P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✵✴✷✽✼ ❳♦P ❝♦♥❝r❡t❡ ❜♦✉♥❞ P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✵✴✷✾✸ ❋❡✐st❡❧ P❛t❛r✐♥ ❡Pr✐♥t ✷✵✶✸✴✸✻✽ ❳♦P ❳♦P d ❈♦❣❧✐❛t✐✱ ▲❛♠♣❡✱ P❛t❛r✐♥ ❋❙❊ ✷✵✶✹ ❱♦❧t❡✱ ◆❛❝❤❡❢✱ ▼❛rr✐èr❡ ❡Pr✐♥t ✷✵✶✻✴✶✸✻ ❋❡✐st❡❧ ■✇❛t❛✱ ▼❡♥♥✐♥❦✱ ❱✐③ár ❡Pr✐♥t ✷✵✶✻✴✶✵✽✼ ❈❊◆❈ ✶✾ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r② ❙②st❡♠ ♦❢ ❊q✉❛t✐♦♥s • r ❞✐st✐♥❝t ✉♥❦♥♦✇♥s P = { P 1 , . . . , P r } • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s P a i ⊕ P b i = λ i • ❙✉r❥❡❝t✐♦♥ ϕ : { a 1 , b 1 , . . . , a q , b q } → { 1 , . . . , r } ●r❛♣❤ ❇❛s❡❞ ❱✐❡✇ P b 1 λ 1 P b 3 P a 8 P a 9 P a 1 = P a 2 P a 6 λ 8 λ 3 λ 9 λ 2 P b 8 = P b 9 = P b 10 = P a 11 λ 6 λ 4 P b 2 = P a 3 = P b 4 P a 4 = P a 5 λ 11 λ 10 P b 6 P a 10 λ 5 P b 5 P b 11 λ 7 P b 7 P a 7 ✷✵ ✴ ✸✷

■❢ ♦r ♦r ❈♦♥tr❛❞✐❝t✐♦♥✿ ♦r ♦r ❙❝❤❡♠❡ ✐s ❞❡❣❡♥❡r❛t❡ ■❢ ❛♥❞ ❝❤♦✐❝❡s ❢♦r ❋✐①❡s ✭✇❤✐❝❤ ✐s ❛s ❞❡s✐r❡❞✮ ❋✐①❡s ✭✇❤✐❝❤ ✐s ❛s ❞❡s✐r❡❞✮ ▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✶ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 P b ⊕ P c = λ 2 λ 2 P c ✷✶ ✴ ✸✷

■❢ ❛♥❞ ❝❤♦✐❝❡s ❢♦r ❋✐①❡s ✭✇❤✐❝❤ ✐s ❛s ❞❡s✐r❡❞✮ ❋✐①❡s ✭✇❤✐❝❤ ✐s ❛s ❞❡s✐r❡❞✮ ▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✶ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 P b ⊕ P c = λ 2 λ 2 P c ■❢ λ 1 = 0 ♦r λ 2 = 0 ♦r λ 1 = λ 2 • ❈♦♥tr❛❞✐❝t✐♦♥✿ P a = P b ♦r P b = P c ♦r P a = P c • ❙❝❤❡♠❡ ✐s ❞❡❣❡♥❡r❛t❡ ✷✶ ✴ ✸✷

❋✐①❡s ✭✇❤✐❝❤ ✐s ❛s ❞❡s✐r❡❞✮ ❋✐①❡s ✭✇❤✐❝❤ ✐s ❛s ❞❡s✐r❡❞✮ ▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✶ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 P b ⊕ P c = λ 2 λ 2 P c ■❢ λ 1 = 0 ♦r λ 2 = 0 ♦r λ 1 = λ 2 • ❈♦♥tr❛❞✐❝t✐♦♥✿ P a = P b ♦r P b = P c ♦r P a = P c • ❙❝❤❡♠❡ ✐s ❞❡❣❡♥❡r❛t❡ ■❢ λ 1 , λ 2 � = 0 ❛♥❞ λ 1 � = λ 2 • 2 n ❝❤♦✐❝❡s ❢♦r P a ✷✶ ✴ ✸✷

❋✐①❡s ✭✇❤✐❝❤ ✐s ❛s ❞❡s✐r❡❞✮ ▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✶ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 P b ⊕ P c = λ 2 λ 2 P c ■❢ λ 1 = 0 ♦r λ 2 = 0 ♦r λ 1 = λ 2 • ❈♦♥tr❛❞✐❝t✐♦♥✿ P a = P b ♦r P b = P c ♦r P a = P c • ❙❝❤❡♠❡ ✐s ❞❡❣❡♥❡r❛t❡ ■❢ λ 1 , λ 2 � = 0 ❛♥❞ λ 1 � = λ 2 • 2 n ❝❤♦✐❝❡s ❢♦r P a • ❋✐①❡s P b = λ 1 ⊕ P a ✭✇❤✐❝❤ ✐s � = P a ❛s ❞❡s✐r❡❞✮ ✷✶ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✶ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 P b ⊕ P c = λ 2 λ 2 P c ■❢ λ 1 = 0 ♦r λ 2 = 0 ♦r λ 1 = λ 2 • ❈♦♥tr❛❞✐❝t✐♦♥✿ P a = P b ♦r P b = P c ♦r P a = P c • ❙❝❤❡♠❡ ✐s ❞❡❣❡♥❡r❛t❡ ■❢ λ 1 , λ 2 � = 0 ❛♥❞ λ 1 � = λ 2 • 2 n ❝❤♦✐❝❡s ❢♦r P a • ❋✐①❡s P b = λ 1 ⊕ P a ✭✇❤✐❝❤ ✐s � = P a ❛s ❞❡s✐r❡❞✮ • ❋✐①❡s P c = λ 2 ⊕ P b ✭✇❤✐❝❤ ✐s � = P a , P b ❛s ❞❡s✐r❡❞✮ ✷✶ ✴ ✸✷

■❢ ♦r ❈♦♥tr❛❞✐❝t✐♦♥✿ ♦r ❙❝❤❡♠❡ ✐s ❞❡❣❡♥❡r❛t❡ ■❢ ❝❤♦✐❝❡s ❢♦r ✭✇❤✐❝❤ ✜①❡s ✮ ❋♦r ❛♥❞ ✇❡ r❡q✉✐r❡ ❆t ❧❡❛st ❝❤♦✐❝❡s ❢♦r ✭✇❤✐❝❤ ✜①❡s ✮ ▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✷ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 λ 2 P c P d P c ⊕ P d = λ 2 ✷✷ ✴ ✸✷

■❢ ❝❤♦✐❝❡s ❢♦r ✭✇❤✐❝❤ ✜①❡s ✮ ❋♦r ❛♥❞ ✇❡ r❡q✉✐r❡ ❆t ❧❡❛st ❝❤♦✐❝❡s ❢♦r ✭✇❤✐❝❤ ✜①❡s ✮ ▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✷ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 λ 2 P c P d P c ⊕ P d = λ 2 ■❢ λ 1 = 0 ♦r λ 2 = 0 • ❈♦♥tr❛❞✐❝t✐♦♥✿ P a = P b ♦r P b = P c • ❙❝❤❡♠❡ ✐s ❞❡❣❡♥❡r❛t❡ ✷✷ ✴ ✸✷

❋♦r ❛♥❞ ✇❡ r❡q✉✐r❡ ❆t ❧❡❛st ❝❤♦✐❝❡s ❢♦r ✭✇❤✐❝❤ ✜①❡s ✮ ▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✷ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 λ 2 P c P d P c ⊕ P d = λ 2 ■❢ λ 1 = 0 ♦r λ 2 = 0 • ❈♦♥tr❛❞✐❝t✐♦♥✿ P a = P b ♦r P b = P c • ❙❝❤❡♠❡ ✐s ❞❡❣❡♥❡r❛t❡ ■❢ λ 1 , λ 2 � = 0 • 2 n ❝❤♦✐❝❡s ❢♦r P a ✭✇❤✐❝❤ ✜①❡s P b ✮ ✷✷ ✴ ✸✷

❆t ❧❡❛st ❝❤♦✐❝❡s ❢♦r ✭✇❤✐❝❤ ✜①❡s ✮ ▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✷ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 λ 2 P c P d P c ⊕ P d = λ 2 ■❢ λ 1 = 0 ♦r λ 2 = 0 • ❈♦♥tr❛❞✐❝t✐♦♥✿ P a = P b ♦r P b = P c • ❙❝❤❡♠❡ ✐s ❞❡❣❡♥❡r❛t❡ ■❢ λ 1 , λ 2 � = 0 • 2 n ❝❤♦✐❝❡s ❢♦r P a ✭✇❤✐❝❤ ✜①❡s P b ✮ • ❋♦r P c ❛♥❞ P d ✇❡ r❡q✉✐r❡ • P c � = P a , P b • P d = λ 2 ⊕ P c � = P a , P b ✷✷ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✷ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 λ 2 P c P d P c ⊕ P d = λ 2 ■❢ λ 1 = 0 ♦r λ 2 = 0 • ❈♦♥tr❛❞✐❝t✐♦♥✿ P a = P b ♦r P b = P c • ❙❝❤❡♠❡ ✐s ❞❡❣❡♥❡r❛t❡ ■❢ λ 1 , λ 2 � = 0 • 2 n ❝❤♦✐❝❡s ❢♦r P a ✭✇❤✐❝❤ ✜①❡s P b ✮ • ❋♦r P c ❛♥❞ P d ✇❡ r❡q✉✐r❡ • P c � = P a , P b • P d = λ 2 ⊕ P c � = P a , P b • ❆t ❧❡❛st 2 n − 4 ❝❤♦✐❝❡s ❢♦r P c ✭✇❤✐❝❤ ✜①❡s P d ✮ ✷✷ ✴ ✸✷

■❢ ❈♦♥tr❛❞✐❝t✐♦♥✿ ❡q✉❛t✐♦♥s s✉♠ t♦ ❙❝❤❡♠❡ ❝♦♥t❛✐♥s ❛ ❝✐r❝❧❡ ■❢ ❖♥❡ r❡❞✉♥❞❛♥t ❡q✉❛t✐♦♥✱ ♥♦ ❝♦♥tr❛❞✐❝t✐♦♥ ❙t✐❧❧ ❝♦✉♥t❡❞ ❛s ❝✐r❝❧❡ ▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✸ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 P b ⊕ P c = λ 2 λ 3 λ 2 P c ⊕ P a = λ 3 P c • ❆ss✉♠❡ λ i � = 0 ❛♥❞ λ i � = λ j ✷✸ ✴ ✸✷

■❢ ❖♥❡ r❡❞✉♥❞❛♥t ❡q✉❛t✐♦♥✱ ♥♦ ❝♦♥tr❛❞✐❝t✐♦♥ ❙t✐❧❧ ❝♦✉♥t❡❞ ❛s ❝✐r❝❧❡ ▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✸ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 P b ⊕ P c = λ 2 λ 3 λ 2 P c ⊕ P a = λ 3 P c • ❆ss✉♠❡ λ i � = 0 ❛♥❞ λ i � = λ j ■❢ λ 1 ⊕ λ 2 ⊕ λ 3 � = 0 • ❈♦♥tr❛❞✐❝t✐♦♥✿ ❡q✉❛t✐♦♥s s✉♠ t♦ 0 = λ 1 ⊕ λ 2 ⊕ λ 3 • ❙❝❤❡♠❡ ❝♦♥t❛✐♥s ❛ ❝✐r❝❧❡ ✷✸ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r②✿ ❚♦② ❊①❛♠♣❧❡ ✸ λ 1 • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s✿ P a P b P a ⊕ P b = λ 1 P b ⊕ P c = λ 2 λ 3 λ 2 P c ⊕ P a = λ 3 P c • ❆ss✉♠❡ λ i � = 0 ❛♥❞ λ i � = λ j ■❢ λ 1 ⊕ λ 2 ⊕ λ 3 � = 0 • ❈♦♥tr❛❞✐❝t✐♦♥✿ ❡q✉❛t✐♦♥s s✉♠ t♦ 0 = λ 1 ⊕ λ 2 ⊕ λ 3 • ❙❝❤❡♠❡ ❝♦♥t❛✐♥s ❛ ❝✐r❝❧❡ ■❢ λ 1 ⊕ λ 2 ⊕ λ 3 = 0 • ❖♥❡ r❡❞✉♥❞❛♥t ❡q✉❛t✐♦♥✱ ♥♦ ❝♦♥tr❛❞✐❝t✐♦♥ • ❙t✐❧❧ ❝♦✉♥t❡❞ ❛s ❝✐r❝❧❡ ✷✸ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r②✿ ❚✇♦ Pr♦❜❧❡♠❛t✐❝ ❈❛s❡s ❈✐r❝❧❡ ❉❡❣❡♥❡r❛❝② λ 1 P b 1 P b 1 = P a 2 P a 1 = P a 2 P a 8 λ 2 λ 1 P b 2 = P a 3 λ 2 λ 1 ⊕ λ 2 ⊕ · · · ⊕ λ 7 λ 3 P b 2 = P b 3 P a 3 = P a 4 P a 1 = P b 5 λ 3 P b 7 = P b 8 P b 3 = P a 4 λ 7 λ 5 λ 4 λ 4 P b 4 = P a 5 P b 4 = P a 5 λ 5 λ 6 P b 6 = P b 7 P b 5 = P a 6 ✷✹ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r②✿ ▼❛✐♥ ❘❡s✉❧t ❙②st❡♠ ♦❢ ❊q✉❛t✐♦♥s • r ❞✐st✐♥❝t ✉♥❦♥♦✇♥s P = { P 1 , . . . , P r } • ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s P a i ⊕ P b i = λ i • ❙✉r❥❡❝t✐♦♥ ϕ : { a 1 , b 1 , . . . , a q , b q } → { 1 , . . . , r } ▼❛✐♥ ❘❡s✉❧t ■❢ t❤❡ s②st❡♠ ♦❢ ❡q✉❛t✐♦♥s ✐s ❝✐r❝❧❡✲❢r❡❡ ❛♥❞ ♥♦♥✲❞❡❣❡♥❡r❛t❡✱ t❤❡ ♥✉♠❜❡r ♦❢ s♦❧✉t✐♦♥s t♦ P s✉❝❤ t❤❛t P a � = P b ❢♦r ❛❧❧ ❞✐st✐♥❝t a, b ∈ { 1 , . . . , r } ✐s ❛t ❧❡❛st (2 n ) r 2 nq ♣r♦✈✐❞❡❞ t❤❡ ♠❛①✐♠✉♠ tr❡❡ s✐③❡ ξ s❛t✐s✜❡s ( ξ − 1) 2 · r ≤ 2 n / 67 ✷✺ ✴ ✸✷

❊❛❝❤ t✉♣❧❡ ❝♦rr❡s♣♦♥❞s t♦ ❛♥❞ ❊❛❝❤ t✉♣❧❡ ❝♦rr❡s♣♦♥❞s t♦ ❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s ■♥♣✉ts t♦ ❛r❡ ❛❧❧ ❞✐st✐♥❝t✿ ✉♥❦♥♦✇♥s ▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P p 0 �· p y x 1 �· ●❡♥❡r❛❧ ❙❡tt✐♥❣ • ❆❞✈❡rs❛r② ❣❡ts tr❛♥s❝r✐♣t τ = { ( x 1 , y 1 ) , . . . , ( x q , y q ) } ✷✻ ✴ ✸✷

❙②st❡♠ ♦❢ ❡q✉❛t✐♦♥s ■♥♣✉ts t♦ ❛r❡ ❛❧❧ ❞✐st✐♥❝t✿ ✉♥❦♥♦✇♥s ▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P p 0 �· p y x 1 �· ●❡♥❡r❛❧ ❙❡tt✐♥❣ • ❆❞✈❡rs❛r② ❣❡ts tr❛♥s❝r✐♣t τ = { ( x 1 , y 1 ) , . . . , ( x q , y q ) } • ❊❛❝❤ t✉♣❧❡ ❝♦rr❡s♣♦♥❞s t♦ x i �→ p (0 � x i ) =: P a i ❛♥❞ ❊❛❝❤ t✉♣❧❡ ❝♦rr❡s♣♦♥❞s t♦ x i �→ p (1 � x i ) =: P b i ✷✻ ✴ ✸✷

■♥♣✉ts t♦ ❛r❡ ❛❧❧ ❞✐st✐♥❝t✿ ✉♥❦♥♦✇♥s ▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P p 0 �· p y x 1 �· ●❡♥❡r❛❧ ❙❡tt✐♥❣ • ❆❞✈❡rs❛r② ❣❡ts tr❛♥s❝r✐♣t τ = { ( x 1 , y 1 ) , . . . , ( x q , y q ) } • ❊❛❝❤ t✉♣❧❡ ❝♦rr❡s♣♦♥❞s t♦ x i �→ p (0 � x i ) =: P a i ❛♥❞ ❊❛❝❤ t✉♣❧❡ ❝♦rr❡s♣♦♥❞s t♦ x i �→ p (1 � x i ) =: P b i • ❙②st❡♠ ♦❢ q ❡q✉❛t✐♦♥s P a i ⊕ P b i = y i ✷✻ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P p 0 �· p y x 1 �· ●❡♥❡r❛❧ ❙❡tt✐♥❣ • ❆❞✈❡rs❛r② ❣❡ts tr❛♥s❝r✐♣t τ = { ( x 1 , y 1 ) , . . . , ( x q , y q ) } • ❊❛❝❤ t✉♣❧❡ ❝♦rr❡s♣♦♥❞s t♦ x i �→ p (0 � x i ) =: P a i ❛♥❞ ❊❛❝❤ t✉♣❧❡ ❝♦rr❡s♣♦♥❞s t♦ x i �→ p (1 � x i ) =: P b i • ❙②st❡♠ ♦❢ q ❡q✉❛t✐♦♥s P a i ⊕ P b i = y i • ■♥♣✉ts t♦ p ❛r❡ ❛❧❧ ❞✐st✐♥❝t✿ 2 q ✉♥❦♥♦✇♥s ✷✻ ✴ ✸✷

■❢ ✿ ❛t ❧❡❛st s♦❧✉t✐♦♥s t♦ ✉♥❦♥♦✇♥s ❆♣♣❧②✐♥❣ ▼✐rr♦r ❚❤❡♦r② ❈✐r❝❧❡✲❢r❡❡✿ ♥♦ ❝♦❧❧✐s✐♦♥s ✐♥ ✐♥♣✉ts t♦ ◆♦♥✲❞❡❣❡♥❡r❛t❡✿ ♣r♦✈✐❞❡❞ t❤❛t ❢♦r ❛❧❧ ❈❛❧❧ t❤✐s ❛ ❜❛❞ tr❛♥s❝r✐♣t ▼❛①✐♠✉♠ tr❡❡ s✐③❡ ▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P P a 1 P a 2 P a q y q y 1 y 2 · · · P b q P b 1 P b 2 ✷✼ ✴ ✸✷

■❢ ✿ ❛t ❧❡❛st s♦❧✉t✐♦♥s t♦ ✉♥❦♥♦✇♥s ▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P P a 1 P a 2 P a q y q y 1 y 2 · · · P b q P b 1 P b 2 ❆♣♣❧②✐♥❣ ▼✐rr♦r ❚❤❡♦r② • ❈✐r❝❧❡✲❢r❡❡✿ ♥♦ ❝♦❧❧✐s✐♦♥s ✐♥ ✐♥♣✉ts t♦ p • ◆♦♥✲❞❡❣❡♥❡r❛t❡✿ ♣r♦✈✐❞❡❞ t❤❛t y i � = 0 ❢♦r ❛❧❧ i − → ❈❛❧❧ t❤✐s ❛ ❜❛❞ tr❛♥s❝r✐♣t • ▼❛①✐♠✉♠ tr❡❡ s✐③❡ 2 ✷✼ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P P a 1 P a 2 P a q y q y 1 y 2 · · · P b q P b 1 P b 2 ❆♣♣❧②✐♥❣ ▼✐rr♦r ❚❤❡♦r② • ❈✐r❝❧❡✲❢r❡❡✿ ♥♦ ❝♦❧❧✐s✐♦♥s ✐♥ ✐♥♣✉ts t♦ p • ◆♦♥✲❞❡❣❡♥❡r❛t❡✿ ♣r♦✈✐❞❡❞ t❤❛t y i � = 0 ❢♦r ❛❧❧ i − → ❈❛❧❧ t❤✐s ❛ ❜❛❞ tr❛♥s❝r✐♣t • ▼❛①✐♠✉♠ tr❡❡ s✐③❡ 2 • ■❢ 2 q ≤ 2 n / 67 ✿ ❛t ❧❡❛st (2 n ) 2 q s♦❧✉t✐♦♥s t♦ ✉♥❦♥♦✇♥s 2 nq ✷✼ ✴ ✸✷

❣✐✈❡s ❋♦r ❛♥② ❣♦♦❞ tr❛♥s❝r✐♣t✿ ❣✐✈❡s ❇❛❞ tr❛♥s❝r✐♣t✿ ✐❢ ❢♦r s♦♠❡ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r ▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P ❍✲❈♦❡✣❝✐❡♥t ❚❡❝❤♥✐q✉❡ ❬P❛t✾✶✱P❛t✵✽✱❈❙✶✹❪ ▲❡t ε ≥ 0 ❜❡ s✉❝❤ t❤❛t ❢♦r ❛❧❧ ❣♦♦❞ tr❛♥s❝r✐♣ts τ ✿ Pr [ XoP ❣✐✈❡s τ ] ≥ 1 − ε Pr [ f ❣✐✈❡s τ ] ❚❤❡♥✱ Adv prf XoP ( q ) ≤ ε + Pr [ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r f ] ✷✽ ✴ ✸✷

❣✐✈❡s ❋♦r ❛♥② ❣♦♦❞ tr❛♥s❝r✐♣t✿ ❣✐✈❡s ▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P ❍✲❈♦❡✣❝✐❡♥t ❚❡❝❤♥✐q✉❡ ❬P❛t✾✶✱P❛t✵✽✱❈❙✶✹❪ ▲❡t ε ≥ 0 ❜❡ s✉❝❤ t❤❛t ❢♦r ❛❧❧ ❣♦♦❞ tr❛♥s❝r✐♣ts τ ✿ Pr [ XoP ❣✐✈❡s τ ] ≥ 1 − ε Pr [ f ❣✐✈❡s τ ] ❚❤❡♥✱ Adv prf XoP ( q ) ≤ ε + Pr [ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r f ] • ❇❛❞ tr❛♥s❝r✐♣t✿ ✐❢ y i = 0 ❢♦r s♦♠❡ i • Pr [ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r f ] = q/ 2 n ✷✽ ✴ ✸✷

❣✐✈❡s ▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P ❍✲❈♦❡✣❝✐❡♥t ❚❡❝❤♥✐q✉❡ ❬P❛t✾✶✱P❛t✵✽✱❈❙✶✹❪ ▲❡t ε ≥ 0 ❜❡ s✉❝❤ t❤❛t ❢♦r ❛❧❧ ❣♦♦❞ tr❛♥s❝r✐♣ts τ ✿ Pr [ XoP ❣✐✈❡s τ ] ≥ 1 − ε Pr [ f ❣✐✈❡s τ ] ❚❤❡♥✱ Adv prf XoP ( q ) ≤ ε + Pr [ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r f ] • ❇❛❞ tr❛♥s❝r✐♣t✿ ✐❢ y i = 0 ❢♦r s♦♠❡ i • Pr [ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r f ] = q/ 2 n • ❋♦r ❛♥② ❣♦♦❞ tr❛♥s❝r✐♣t✿ • Pr [ XoP ❣✐✈❡s τ ] ≥ (2 n ) 2 q 1 · 2 nq (2 n ) 2 q ✷✽ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P ❍✲❈♦❡✣❝✐❡♥t ❚❡❝❤♥✐q✉❡ ❬P❛t✾✶✱P❛t✵✽✱❈❙✶✹❪ ▲❡t ε ≥ 0 ❜❡ s✉❝❤ t❤❛t ❢♦r ❛❧❧ ❣♦♦❞ tr❛♥s❝r✐♣ts τ ✿ Pr [ XoP ❣✐✈❡s τ ] ≥ 1 − ε Pr [ f ❣✐✈❡s τ ] ❚❤❡♥✱ Adv prf XoP ( q ) ≤ ε + Pr [ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r f ] • ❇❛❞ tr❛♥s❝r✐♣t✿ ✐❢ y i = 0 ❢♦r s♦♠❡ i • Pr [ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r f ] = q/ 2 n • ❋♦r ❛♥② ❣♦♦❞ tr❛♥s❝r✐♣t✿ • Pr [ XoP ❣✐✈❡s τ ] ≥ (2 n ) 2 q 1 · 2 nq (2 n ) 2 q 1 • Pr [ f ❣✐✈❡s τ ] = 2 nq ✷✽ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P ❍✲❈♦❡✣❝✐❡♥t ❚❡❝❤♥✐q✉❡ ❬P❛t✾✶✱P❛t✵✽✱❈❙✶✹❪ ▲❡t ε ≥ 0 ❜❡ s✉❝❤ t❤❛t ❢♦r ❛❧❧ ❣♦♦❞ tr❛♥s❝r✐♣ts τ ✿ Pr [ XoP ❣✐✈❡s τ ] ≥ 1 − ε Pr [ f ❣✐✈❡s τ ] ❚❤❡♥✱ Adv prf XoP ( q ) ≤ ε + Pr [ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r f ] • ❇❛❞ tr❛♥s❝r✐♣t✿ ✐❢ y i = 0 ❢♦r s♦♠❡ i • Pr [ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r f ] = q/ 2 n • ❋♦r ❛♥② ❣♦♦❞ tr❛♥s❝r✐♣t✿ � • Pr [ XoP ❣✐✈❡s τ ] ≥ (2 n ) 2 q 1 · ε = 0 2 nq (2 n ) 2 q 1 • Pr [ f ❣✐✈❡s τ ] = 2 nq ✷✽ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❳♦P ❍✲❈♦❡✣❝✐❡♥t ❚❡❝❤♥✐q✉❡ ❬P❛t✾✶✱P❛t✵✽✱❈❙✶✹❪ ▲❡t ε ≥ 0 ❜❡ s✉❝❤ t❤❛t ❢♦r ❛❧❧ ❣♦♦❞ tr❛♥s❝r✐♣ts τ ✿ Pr [ XoP ❣✐✈❡s τ ] ≥ 1 − ε Pr [ f ❣✐✈❡s τ ] ❚❤❡♥✱ Adv prf XoP ( q ) ≤ ε + Pr [ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r f ] • ❇❛❞ tr❛♥s❝r✐♣t✿ ✐❢ y i = 0 ❢♦r s♦♠❡ i • Pr [ ❜❛❞ tr❛♥s❝r✐♣t ❢♦r f ] = q/ 2 n • ❋♦r ❛♥② ❣♦♦❞ tr❛♥s❝r✐♣t✿ � • Pr [ XoP ❣✐✈❡s τ ] ≥ (2 n ) 2 q 1 · ε = 0 2 nq (2 n ) 2 q 1 • Pr [ f ❣✐✈❡s τ ] = 2 nq Adv prf XoP ( q ) ≤ q/ 2 n ✷✽ ✴ ✸✷

■❢ ✿ ❛t ❧❡❛st s♦❧✉t✐♦♥s t♦ ✉♥❦♥♦✇♥s ❍✲❝♦❡✣❝✐❡♥t t❡❝❤♥✐q✉❡✿ ❆♣♣❧②✐♥❣ ▼✐rr♦r ❚❤❡♦r② ❈✐r❝❧❡✲❢r❡❡✿ ♥♦ ❝♦❧❧✐s✐♦♥s ✐♥ ✐♥♣✉ts t♦ ◆♦♥✲❞❡❣❡♥❡r❛t❡✿ ♣r♦✈✐❞❡❞ t❤❛t ❢♦r ❛❧❧ ◆♦♥✲❞❡❣❡♥❡r❛t❡✿ ❛♥❞ ✇✐t❤✐♥ ❛❧❧ ✲❜❧♦❝❦s ❈❛❧❧ t❤✐s ❛ ❜❛❞ tr❛♥s❝r✐♣t ▼❛①✐♠✉♠ tr❡❡ s✐③❡ ▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❈❊◆❈ P b q ✕ w +1 P b 1 P b w +1 y q ✕ w +1 y w +1 y 1 P b q ✕ w +2 P b 2 P b w +2 y q ✕ w +2 y w +2 y 2 y 3 y w +3 y q ✕ w +3 P a q/w P b q ✕ w +3 P a 1 P b 3 P a 2 P b w +3 · · · y y y 2 w w q P b w P b 2 w P b q ✷✾ ✴ ✸✷

■❢ ✿ ❛t ❧❡❛st s♦❧✉t✐♦♥s t♦ ✉♥❦♥♦✇♥s ❍✲❝♦❡✣❝✐❡♥t t❡❝❤♥✐q✉❡✿ ▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❈❊◆❈ P b q ✕ w +1 P b 1 P b w +1 y q ✕ w +1 y w +1 y 1 P b q ✕ w +2 P b 2 P b w +2 y q ✕ w +2 y w +2 y 2 y 3 y w +3 y q ✕ w +3 P a q/w P b q ✕ w +3 P a 1 P b 3 P a 2 P b w +3 · · · y y y 2 w w q P b w P b 2 w P b q ❆♣♣❧②✐♥❣ ▼✐rr♦r ❚❤❡♦r② • ❈✐r❝❧❡✲❢r❡❡✿ ♥♦ ❝♦❧❧✐s✐♦♥s ✐♥ ✐♥♣✉ts t♦ p • ◆♦♥✲❞❡❣❡♥❡r❛t❡✿ ♣r♦✈✐❞❡❞ t❤❛t y i � = 0 ❢♦r ❛❧❧ i ◆♦♥✲❞❡❣❡♥❡r❛t❡✿ ❛♥❞ y i � = y j ✇✐t❤✐♥ ❛❧❧ w ✲❜❧♦❝❦s − → ❈❛❧❧ t❤✐s ❛ ❜❛❞ tr❛♥s❝r✐♣t • ▼❛①✐♠✉♠ tr❡❡ s✐③❡ w + 1 ✷✾ ✴ ✸✷

❍✲❝♦❡✣❝✐❡♥t t❡❝❤♥✐q✉❡✿ ▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❈❊◆❈ P b q ✕ w +1 P b 1 P b w +1 y q ✕ w +1 y w +1 y 1 P b q ✕ w +2 P b 2 P b w +2 y q ✕ w +2 y w +2 y 2 y 3 y w +3 y q ✕ w +3 P a q/w P b q ✕ w +3 P a 1 P b 3 P a 2 P b w +3 · · · y y y 2 w w q P b w P b 2 w P b q ❆♣♣❧②✐♥❣ ▼✐rr♦r ❚❤❡♦r② • ❈✐r❝❧❡✲❢r❡❡✿ ♥♦ ❝♦❧❧✐s✐♦♥s ✐♥ ✐♥♣✉ts t♦ p • ◆♦♥✲❞❡❣❡♥❡r❛t❡✿ ♣r♦✈✐❞❡❞ t❤❛t y i � = 0 ❢♦r ❛❧❧ i ◆♦♥✲❞❡❣❡♥❡r❛t❡✿ ❛♥❞ y i � = y j ✇✐t❤✐♥ ❛❧❧ w ✲❜❧♦❝❦s − → ❈❛❧❧ t❤✐s ❛ ❜❛❞ tr❛♥s❝r✐♣t • ▼❛①✐♠✉♠ tr❡❡ s✐③❡ w + 1 • ■❢ 2 w 2 q ≤ 2 n / 67 ✿ ❛t ❧❡❛st (2 n ) r s♦❧✉t✐♦♥s t♦ ✉♥❦♥♦✇♥s 2 nq ✷✾ ✴ ✸✷

▼✐rr♦r ❚❤❡♦r② ❆♣♣❧✐❡❞ t♦ ❈❊◆❈ P b q ✕ w +1 P b 1 P b w +1 y q ✕ w +1 y w +1 y 1 P b q ✕ w +2 P b 2 P b w +2 y q ✕ w +2 y w +2 y 2 y 3 y w +3 y q ✕ w +3 P a q/w P b q ✕ w +3 P a 1 P b 3 P a 2 P b w +3 · · · y y y 2 w w q P b w P b 2 w P b q ❆♣♣❧②✐♥❣ ▼✐rr♦r ❚❤❡♦r② • ❈✐r❝❧❡✲❢r❡❡✿ ♥♦ ❝♦❧❧✐s✐♦♥s ✐♥ ✐♥♣✉ts t♦ p • ◆♦♥✲❞❡❣❡♥❡r❛t❡✿ ♣r♦✈✐❞❡❞ t❤❛t y i � = 0 ❢♦r ❛❧❧ i ◆♦♥✲❞❡❣❡♥❡r❛t❡✿ ❛♥❞ y i � = y j ✇✐t❤✐♥ ❛❧❧ w ✲❜❧♦❝❦s − → ❈❛❧❧ t❤✐s ❛ ❜❛❞ tr❛♥s❝r✐♣t • ▼❛①✐♠✉♠ tr❡❡ s✐③❡ w + 1 • ■❢ 2 w 2 q ≤ 2 n / 67 ✿ ❛t ❧❡❛st (2 n ) r s♦❧✉t✐♦♥s t♦ ✉♥❦♥♦✇♥s 2 nq CENC ( q ) ≤ q/ 2 n + wq/ 2 n +1 • ❍✲❝♦❡✣❝✐❡♥t t❡❝❤♥✐q✉❡✿ Adv cpa ✷✾ ✴ ✸✷

◆❡✇ ▲♦♦❦ ❛t ▼✐rr♦r ❚❤❡♦r② ❊♥❝r②♣t❡❞ ❉❛✈✐❡s✲▼❡②❡r ❛♥❞ ■ts ❉✉❛❧✿ ❚♦✇❛r❞s ❖♣t✐♠❛❧ ❙❡❝✉r✐t② ❯s✐♥❣ ▼✐rr♦r ❚❤❡♦r② ▼❡♥♥✐♥❦✱ ◆❡✈❡s✱ ❈❘❨P❚❖ ✷✵✶✼ • ❘❡❢✉r❜✐s❤ ❛♥❞ ♠♦❞❡r♥✐③❡ ♠✐rr♦r t❤❡♦r② • Pr♦✈❡ ♦♣t✐♠❛❧ P❘❋ s❡❝✉r✐t② ♦❢✿ ❊❉▼❉ ❊✭❲❈✮❉▼ ❬❈❙✶✻❪ p 1 p 2 y p 1 p 2 y x x h ( m ) • Pr♦♦❢s ❛r❡ ♠♦r❡ ✐♥✈♦❧✈❡❞ ❛♥❞ ❜❡②♦♥❞ s❝♦♣❡ ♦❢ ♣r❡s❡♥t❛t✐♦♥ ✸✵ ✴ ✸✷

❖✉t❧✐♥❡ P❘P✲P❘❋ ❈♦♥✈❡rs✐♦♥ ❈♦♥❝❧✉s✐♦♥ ✸✶ ✴ ✸✷

❈♦♥❝❧✉s✐♦♥ ❇❡②♦♥❞ ❇✐rt❤❞❛②✲❇♦✉♥❞ ❙❡❝✉r✐t② • ◆♦t t❤❡ ❤♦❧② ❣r❛✐❧ • ❘❡❧❡✈❛♥t ❢♦r ❝❡rt❛✐♥ ❛♣♣❧✐❝❛t✐♦♥s • ❖❢t❡♥ ❛❝❤✐❡✈❡❞ ✉s✐♥❣ • ❊①tr❛ r❛♥❞♦♠♥❡ss • ❊①tr❛ st❛t❡ s✐③❡ ❈❤❛❧❧❡♥❣❡s • ❚r❛❞❡✲♦✛ ❜❡t✇❡❡♥ s❡❝✉r✐t② ❛♥❞ ❡✣❝✐❡♥❝② • ▼❛♥② ♦♣❡♥ ♣r♦❜❧❡♠s ✐♥ ❇❇❇ s❡❝✉r✐t② • ❊①✐st✐♥❣ ❛♥❛❧②s❡s ♥♦t ❛❧✇❛②s t✐❣❤t ❚❤❛♥❦ ②♦✉ ❢♦r ②♦✉r ❛tt❡♥t✐♦♥✦ ✸✷ ✴ ✸✷

❙❯PP❖❘❚■◆● ❙▲■❉❊❙ ✸✸ ✴ ✸✷

●❛♠❡✲♣❧❛②✐♥❣ t❡❝❤♥✐q✉❡ ❍✲❝♦❡✣❝✐❡♥t t❡❝❤♥✐q✉❡ ❍♦✇ t♦ Pr♦✈❡ t❤❛t ✐s ❙♠❛❧❧❄ ■♥❞✐st✐♥❣✉✐s❤❛❜✐❧✐t② ■♥❞✐st✐♥❣✉✐s❤❛❜✐❧✐t② ♦❢ ❘❛♥❞♦♠ ❙②st❡♠s IC O P distinguisher D � � D O = 1 � � D P = 1 �� Adv ind ( D ) = � = ∆ D ( O ; P ) � Pr − Pr ✸✹ ✴ ✸✷

●❛♠❡✲♣❧❛②✐♥❣ t❡❝❤♥✐q✉❡ ❍✲❝♦❡✣❝✐❡♥t t❡❝❤♥✐q✉❡ ■♥❞✐st✐♥❣✉✐s❤❛❜✐❧✐t② ■♥❞✐st✐♥❣✉✐s❤❛❜✐❧✐t② ♦❢ ❘❛♥❞♦♠ ❙②st❡♠s IC O P distinguisher D � � D O = 1 � � D P = 1 �� Adv ind ( D ) = � = ∆ D ( O ; P ) � Pr − Pr ❍♦✇ t♦ Pr♦✈❡ t❤❛t Adv ind ( D ) ✐s ❙♠❛❧❧❄ ✸✹ ✴ ✸✷

■♥❞✐st✐♥❣✉✐s❤❛❜✐❧✐t② ■♥❞✐st✐♥❣✉✐s❤❛❜✐❧✐t② ♦❢ ❘❛♥❞♦♠ ❙②st❡♠s IC O P distinguisher D � � D O = 1 � � D P = 1 �� Adv ind ( D ) = � = ∆ D ( O ; P ) � Pr − Pr ❍♦✇ t♦ Pr♦✈❡ t❤❛t Adv ind ( D ) ✐s ❙♠❛❧❧❄ • ●❛♠❡✲♣❧❛②✐♥❣ t❡❝❤♥✐q✉❡ • ❍✲❝♦❡✣❝✐❡♥t t❡❝❤♥✐q✉❡ ✸✹ ✴ ✸✷

■♥t❡r♠❡❞✐❛t❡ st❡♣s ✭♣r❡s✉♠❛❜❧②✮ ❡❛s② t♦ ❛♥❛❧②③❡ ❇❛s✐❝ ✐❞❡❛✿ ❋r♦♠ t♦ ✐♥ s♠❛❧❧ st❡♣s ●❛♠❡✲P❧❛②✐♥❣ ❚❡❝❤♥✐q✉❡ • ❇❡❧❧❛r❡ ❛♥❞ ❘♦❣❛✇❛② ❬❇❘✵✻❪ • ❙✐♠✐❧❛r t♦ ▼❛✉r❡r✬s ♠❡t❤♦❞♦❧♦❣② ❬▼❛✉✵✷❪ ✸✺ ✴ ✸✷

■♥t❡r♠❡❞✐❛t❡ st❡♣s ✭♣r❡s✉♠❛❜❧②✮ ❡❛s② t♦ ❛♥❛❧②③❡ ❇❛s✐❝ ✐❞❡❛✿ ❋r♦♠ t♦ ✐♥ s♠❛❧❧ st❡♣s ●❛♠❡✲P❧❛②✐♥❣ ❚❡❝❤♥✐q✉❡ • ❇❡❧❧❛r❡ ❛♥❞ ❘♦❣❛✇❛② ❬❇❘✵✻❪ • ❙✐♠✐❧❛r t♦ ▼❛✉r❡r✬s ♠❡t❤♦❞♦❧♦❣② ❬▼❛✉✵✷❪ IC O P distinguisher D ✸✺ ✴ ✸✷

■♥t❡r♠❡❞✐❛t❡ st❡♣s ✭♣r❡s✉♠❛❜❧②✮ ❡❛s② t♦ ❛♥❛❧②③❡ ●❛♠❡✲P❧❛②✐♥❣ ❚❡❝❤♥✐q✉❡ • ❇❡❧❧❛r❡ ❛♥❞ ❘♦❣❛✇❛② ❬❇❘✵✻❪ • ❙✐♠✐❧❛r t♦ ▼❛✉r❡r✬s ♠❡t❤♦❞♦❧♦❣② ❬▼❛✉✵✷❪ IC O P distinguisher D • ❇❛s✐❝ ✐❞❡❛✿ • ❋r♦♠ O t♦ P ✐♥ s♠❛❧❧ st❡♣s ✸✺ ✴ ✸✷

●❛♠❡✲P❧❛②✐♥❣ ❚❡❝❤♥✐q✉❡ • ❇❡❧❧❛r❡ ❛♥❞ ❘♦❣❛✇❛② ❬❇❘✵✻❪ • ❙✐♠✐❧❛r t♦ ▼❛✉r❡r✬s ♠❡t❤♦❞♦❧♦❣② ❬▼❛✉✵✷❪ IC O P distinguisher D • ❇❛s✐❝ ✐❞❡❛✿ • ❋r♦♠ O t♦ P ✐♥ s♠❛❧❧ st❡♣s • ■♥t❡r♠❡❞✐❛t❡ st❡♣s ✭♣r❡s✉♠❛❜❧②✮ ❡❛s② t♦ ❛♥❛❧②③❡ ✸✺ ✴ ✸✷

■❢ ❛♥❞ ❛r❡ ✐❞❡♥t✐❝❛❧ ✉♥t✐❧ ❜❛❞✱ t❤❡♥✿ s❡ts ❜❛❞ ●❛♠❡✲P❧❛②✐♥❣ ❚❡❝❤♥✐q✉❡ ❚r✐❛♥❣❧❡ ■♥❡q✉❛❧✐t② ❋✉♥❞❛♠❡♥t❛❧ ▲❡♠♠❛ ✸✻ ✴ ✸✷

■❢ ❛♥❞ ❛r❡ ✐❞❡♥t✐❝❛❧ ✉♥t✐❧ ❜❛❞✱ t❤❡♥✿ s❡ts ❜❛❞ ●❛♠❡✲P❧❛②✐♥❣ ❚❡❝❤♥✐q✉❡ ❚r✐❛♥❣❧❡ ■♥❡q✉❛❧✐t② ∆( O ; P ) ≤ ∆( O ; R ) + ∆( R ; P ) ❋✉♥❞❛♠❡♥t❛❧ ▲❡♠♠❛ ✸✻ ✴ ✸✷

●❛♠❡✲P❧❛②✐♥❣ ❚❡❝❤♥✐q✉❡ ❚r✐❛♥❣❧❡ ■♥❡q✉❛❧✐t② ∆( O ; P ) ≤ ∆( O ; R ) + ∆( R ; P ) ❋✉♥❞❛♠❡♥t❛❧ ▲❡♠♠❛ ■❢ O ❛♥❞ P ❛r❡ ✐❞❡♥t✐❝❛❧ ✉♥t✐❧ ❜❛❞✱ t❤❡♥✿ ∆( O ; P ) ≤ Pr [ P s❡ts ❜❛❞ ] ✸✻ ✴ ✸✷

❊①❛♠♣❧❡✿ P❘P✲P❘❋ ❙✇✐t❝❤ ✭✶✴✹✮ IC F k = E k f blockcipher random function distinguisher D ❚❤❡♦r❡♠ ❋♦r ❛♥② ❞✐st✐♥❣✉✐s❤❡r D ♠❛❦✐♥❣ Q q✉❡r✐❡s t♦ E k /p ❛♥❞ T ♦✤✐♥❡ ❡✈❛❧✉❛t✐♦♥s � Q � ∆ D ( E k ; f ) ≤ Adv prp 2 E ( D ) + 2 n ✸✼ ✴ ✸✷

❙t❡♣ ✶✳ ✏❘❡♣❧❛❝❡✑ ❜② ❘❛♥❞♦♠ P❡r♠✉t❛t✐♦♥ ❚r✐❛♥❣❧❡ ✐♥❡q✉❛❧✐t②✿ ❜② ❞❡✜♥✐t✐♦♥ ✐s ♣❛r❛♠❡tr✐③❡❞ ❜② q✉❡r✐❡s t♦ ❊①❛♠♣❧❡✿ P❘P✲P❘❋ ❙✇✐t❝❤ ✭✷✴✹✮ ∆ D ( E k ; f ) ✸✽ ✴ ✸✷

❚r✐❛♥❣❧❡ ✐♥❡q✉❛❧✐t②✿ ❜② ❞❡✜♥✐t✐♦♥ ✐s ♣❛r❛♠❡tr✐③❡❞ ❜② q✉❡r✐❡s t♦ ❊①❛♠♣❧❡✿ P❘P✲P❘❋ ❙✇✐t❝❤ ✭✷✴✹✮ ❙t❡♣ ✶✳ ✏❘❡♣❧❛❝❡✑ E k ❜② ❘❛♥❞♦♠ P❡r♠✉t❛t✐♦♥ p ∆ D ( E k ; f ) ✸✽ ✴ ✸✷

❜② ❞❡✜♥✐t✐♦♥ ✐s ♣❛r❛♠❡tr✐③❡❞ ❜② q✉❡r✐❡s t♦ ❊①❛♠♣❧❡✿ P❘P✲P❘❋ ❙✇✐t❝❤ ✭✷✴✹✮ ❙t❡♣ ✶✳ ✏❘❡♣❧❛❝❡✑ E k ❜② ❘❛♥❞♦♠ P❡r♠✉t❛t✐♦♥ p • ❚r✐❛♥❣❧❡ ✐♥❡q✉❛❧✐t②✿ ∆ D ( E k ; f ) ≤ ∆ D ( E k ; p ) + ∆ D ( p ; f ) ✸✽ ✴ ✸✷

✐s ♣❛r❛♠❡tr✐③❡❞ ❜② q✉❡r✐❡s t♦ ❊①❛♠♣❧❡✿ P❘P✲P❘❋ ❙✇✐t❝❤ ✭✷✴✹✮ ❙t❡♣ ✶✳ ✏❘❡♣❧❛❝❡✑ E k ❜② ❘❛♥❞♦♠ P❡r♠✉t❛t✐♦♥ p • ❚r✐❛♥❣❧❡ ✐♥❡q✉❛❧✐t②✿ ∆ D ( E k ; f ) ≤ ∆ D ( E k ; p ) + ∆ D ( p ; f ) • ∆ D ( E k ; p ) = Adv prp E ( D ) ❜② ❞❡✜♥✐t✐♦♥ ✸✽ ✴ ✸✷

❊①❛♠♣❧❡✿ P❘P✲P❘❋ ❙✇✐t❝❤ ✭✷✴✹✮ ❙t❡♣ ✶✳ ✏❘❡♣❧❛❝❡✑ E k ❜② ❘❛♥❞♦♠ P❡r♠✉t❛t✐♦♥ p • ❚r✐❛♥❣❧❡ ✐♥❡q✉❛❧✐t②✿ ∆ D ( E k ; f ) ≤ ∆ D ( E k ; p ) + ∆ D ( p ; f ) • ∆ D ( E k ; p ) = Adv prp E ( D ) ❜② ❞❡✜♥✐t✐♦♥ • ∆ D ( p ; f ) • D ✐s ♣❛r❛♠❡tr✐③❡❞ ❜② Q q✉❡r✐❡s t♦ p/f ✸✽ ✴ ✸✷