Proof of Mirror Theory for a Wide Range of $\xi_{\max}$

Advances in Cryptology – EUROCRYPT 2023: 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part IV (2023)

Abstract
In CRYPTO’03, Patarin conjectured a lower bound on the number of distinct solutions $(P_1, \ldots, P_q) \in (\{0,1\}^n)^q$ satisfying a system of equations of the form $X_i \oplus X_j = \lambda_{i,j}$ such that $P_1, P_2, \ldots, P_q$ are pairwise distinct. This result is known as the “$P_i \oplus P_j$ Theorem for any $\xi_{\max}$” or alternatively as Mirror Theory for general $\xi_{\max}$, which was later proved by Patarin in ICISC’05. Mirror theory for general $\xi_{\max}$ stands as a powerful tool to provide a high-security guarantee for many blockcipher- (or even ideal permutation-) based designs. Unfortunately, the proof of the result contains gaps that are non-trivial to fix. In this work, we present the first complete proof of the $P_i \oplus P_j$ theorem for a wide range of $\xi_{\max}$, typically up to order $O(2^{n/4}/n)$. Furthermore, our proof approach is made simpler by using a new type of equation, dubbed the link-deletion equation, that roughly corresponds to half of the so-called orange equations from earlier works. As an illustration of our result, we also revisit the security proofs of two optimally secure blockcipher-based pseudorandom functions and the $n$-bit security proof for the six-round Feistel cipher, and provide updated security bounds.