New Approach towards Generalizing Feistel Networks and Its

Research ArticleNew Approach towards Generalizing Feistel Networks and ItsProvable Security

Jiajie Liu Bing Sun and Chao Li

College of Liberal Arts and Sciences National University of Defense Technology Changsha 410073 China

Correspondence should be addressed to Jiajie Liu ljiajieyahoocom

Received 28 May 2021 Accepted 21 August 2021 Published 23 September 2021

Academic Editor Majid Khan

Copyright copy 2021 Jiajie Liu et alampis is an open access article distributed under the Creative CommonsAttribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

ampis paper proposes a new approach to generalizing Feistel networks which unifies the classical (balanced) Feistel network and theLaindashMassey structure We call the new structure extended Feistel (E-Feistel) network To justify its soundness we investigate itsindistinguishability using Patarinrsquos H-coefficient technique As a result it is proved that the 4-round key-alternating E-Feistel(KAEF) cipher with adequately derived keys and identical round functions is secure up to 2n2 queries ie birthday-boundsecurity In addition when adjacent round keys are independent and independent round functions are used the 6-round KAEF issecure up to beyond-birthday-bound 22n3 queries Our results indicate that the E-Feistel structure is secure and reliable and can beadopted in designing practical block ciphers

1 Introduction

In recent years as a result of more attention paid on privacyprotection and information security research on the designand cryptanalysis of block ciphers has become a researchhotpot ampe design of block ciphers strictly highlights effi-ciency and security which deeply rely on iterative structuresthey choose According to whether encryption is consistentwith decryption iterative structures can be divided into twocategories ampe structures that have consistent encryptionand decryption are beneficial in hardware implementationbecause decryption does not take up extra storage ampis kindof structures contains the Feistel structure the SM4 struc-ture the Mars structure and the LaindashMassey structure asspecific instances Another kind of structures mainly con-sists of the substitution-permutation networks (SPN)

ampe Feistel structure was proposed by Feistel andTuchman of IBM when designing Lucifer in the late 1960s[1] ampe Feistel structure became popular after the wide-spread use of the data encryption standard (DES) [2] ampeinput of the Feistel structure is divided into two blockswhose length is equal ampe round function is applied to onehalf using a subkey and then the output is XORed with theother half ampen two halves are exchanged with each other

As a result the diffusion of the Feistel structure is relativelyslow ampe Feistel structure has consistent encryption withdecryption which is efficiently beneficial in hardwareimplementation Several well-known block ciphers adopt theFeistel structure for example SIMON [3] and SIMECK [4]In addition there are many extensions of the Feistelstructure such as the SM4 structure [5] the Mars structure[6] and the generalized Feistel structure [7 8]

ampe LaindashMassey scheme was proposed by Lai andMasseyin the International Data Encryption Algorithm (IDEA) [9]Similar to the Feistel structure the LaindashMassey scheme takestwo equal-sized plaintexts as its input Unlike the Feistelstructure the round function is applied to the sum of the twopieces and the result is then added to both half blocksFurthermore an orthomorphism is always introduced toone of the halves to compensate the existence of a differ-ential covering any rounds with probability 1 Generally theLaindashMassey structure also has consistent encryption anddecryption ampere are several instances such as MESH [10]and FOX [11] that utilize this structure

Different from the Feistel structure and the LaindashMasseyscheme one round function of the SPN structure is composedof an invertible nonlinear function S layer controlled bya subkey and an invertible linear transformation P layer

HindawiSecurity and Communication NetworksVolume 2021 Article ID 2751797 26 pageshttpsdoiorg10115520212751797

Compared to the Feistel structure the diffusion of the SPNstructure might be faster However the decryption of an SPNstructure is usually different from that of the encryption thusmore resources might be required for the implementation Inrecent years there have been many ciphers using the SPNstructure such as AES [12] and PHOTON [13] Additionallythe SPN structure is often adopted as round functions in thedesign of Feistel ciphers such as SM4 [5] and Camellia [14]

Traditionally the security of block ciphers is defined as theindistinguishability from random permutations when the keysare random and secret ampis is known as pseudorandomnessHowever in some block cipher-based schemes such as hashfunctions the underlying block ciphersmay not have secret keysampe security arguments for these schemes thereby cannot bebased on the pseudorandomness of the underlying ciphers Toremedy this theory community usually assumes their un-derlying ciphers as ideal ciphers ie sets of independent randompermutations indexed by the keys and then argues the securityof the whole schemes By this we expect practical block ciphersto be as secure as ideal ciphers and a proof for such security isthe final goal of the theory community However given the stateof the art the only choice is to replace some of the underlyingcomponents of the block ciphers by idealized oracles and thenargue the closeness of the obtained idealized block ciphers andthe ideal ciphersampe security proved in this way cannot be usedas a guarantee for the actual security of practical block ciphersbut it is still helpful to deepen the understanding of that andpromote theoretical research to the ultimate goal

Luby and Rackoff [15] proposed LubyndashRackoff (LR)scheme in 1985 ampey also proved that the balanced Feistelstructure covering 3 rounds is a pseudorandom permutationand that covering 4 rounds is a super-pseudorandom per-mutation Later the LR scheme has attracted a lot of at-tention and become the most popular model for Feistelciphers in which the round functions are set as randomfunctions Following [15] a long series of work establishedbetter security (maybe using a larger number of rounds)[16ndash18] Significantly Gentry and Ramzan [19] proved thatthe Feistel cipher covering 4 rounds without keys is secureagainst 2n2 queries On the basis Guo and Wang [20]showed that 4-round key-alternating Feistel (KAF) using thesame round function is secure against 2n2 queries iebirthday-bound security Guo also proved that the 6-roundkey-alternating Feistel (KAF) using the independent roundfunctions and appropriate keys is secure up to 22n3 queriesie beyond-birthday-bound security

Iterative structures in block ciphers mainly adopt thethree structures the Feistel structure the SPN structure andthe LaindashMassey scheme ampe solidification of iterativestructure may bring security risks once backdoors of someiterative structures are founded a series of block ciphers thatadopt the structure would be effectively attacked and will notbe secure any more ampis promotes the diversity research ofiterative structures In this paper we extend the originalFeistel structure and propose an extended Feistel (E-Feistel)structureampis paper mainly focuses on studying the securityof the E-Feistel structure from the perspective of theoreticalsecurity of the structure using H-coefficient technique ampemain contributions are as follows

(1) We propose a new iterative structure the E-Feistelstructure which also has consistent encryption withdecryption

(2) For birthday-bound security we prove that the 4-round KAEF with the same round function is secureup to 2n2 queries

(3) For beyond-birthday-bound security we prove thatthe 6-round KAEF with independent round func-tions is secure up to 22n3 queries

ampis paper is organized as follows We introduce thenotations in Section 2 Section 3 presents the extendedFeistel structureampen Sections 4 and 5 respectively presentour results on 4-round KAESF and 6-round KAEF and theirsecurity proofs Section 6 concludes this paper

2 Notations

Let F2 denote the binary field and Fn2 denote the

nminus dimensional vector space over F2 amproughout this paper(x1 x2 xn) always corresponds to a column vector Letc (c1 c2 cn) isin Fn

2 d (d1 d2 dn) isin Fn2 ampen the

point product of two vectors c and d is calculated as

c middot d c1d1 oplus c2d2 oplus middot middot middot oplus cndn (1)

denoted as cTd

21 e H-Coefficient Technique We use Patarinrsquos H-co-efficient technique [21 22] to prove the birthday-boundsecurity of 4-round KAEF and the beyond-birthday-boundsecurity of 6-round KAEF amperefore we sum up the in-teraction between distinguisher D and its oracles in thequeries of transcripts Suppose D enquiring the ith oracle(KAEFF

k(i) or P(i)) for q times a recordQEi

(L1R1 S1T)1 (LqiRqi

SqiTqi

)1113966 1113967 can be obtainedwhere (LjRj SjTj) represents the queries and answers ofKAEF Similarly the queries made to fi are recorded asQfi

(xi1 yi1) (xip yip)1113966 1113967 denoting the answer yij

obtained by querying fi with xij Let QE (QE1 QEm

)

and QF (Qf1 Qft

) ampe transcript of the distinguisherD is denoted as τ (QEQF)

Given a set Qfiof function queries and a function fi we

say that fi extends Qfi denoted fi⊢Qfi

if fi(x) y for all(x y) isin Qfi

Similarly given a transcript of permutationqueries QEi

and a permutation P(i) we say P(i) extends QEi

denoted P(i)⊢QEi if P(i)(LR) ST for all (LR ST) isin QEi

ampe latter definition also extends to the t-round KAEF builton F and a key k(i) in that case we write KAEFF

k(i)⊢QEi

Finally for QF (Qf1 Qft

) and F (f1 ft) iff1⊢Qf1and middot middot middotandft⊢Qft

then F⊢QFWith regard to all achievable transcripts τ which rep-

resent an achievable record for queries of a series of oracles(F P(1) P(m)) or (FKAEFF

k(1) KAEFFk(m) ) the

probability that D interacts with the real world and the idealworld is denoted as Prre(τ) and Prid(τ) respectively Prre(τ)

and Prid(τ) are defined formally as follows

2 Security and Communication Networks

Prre(τ) Pr k(1)

k(m)

1113872 1113873larr$

(K)m

Flarr$ (F(n))t KAEFF

k(1)⊢QE1and middot middot middotandKAEFF

k(m)⊢QEmandF⊢QF1113876 1113877

Prid(τ) Pr P(1)

P(m)

1113872 1113873larr$

(P(2n))m

Flarr$ (F(n))t P

(1)⊢QE1and middot middot middotandP(m)⊢QEm

andF⊢QF1113876 1113877

(2)

We can estimate the distinguishing advantage by cal-culating Prre(τ) and Prid(τ) ampe lemma is stated as follows

Lemma 1 (see [23]) Assume that there exists a functionε(qf qe)gt 0 such that for every achievable transcript τ withqe and qf queries of two types the following equation holds

Prid(τ) minus Prre(τ)lePrid(τ) middot ε qf qe1113872 1113873 (3)

en the following equation holds

AdvKAEF qf qe1113872 1113873le ε qf qe1113872 1113873 (4)

Lemma 2 (see [23]) Fix a transcript with Prid(τ)gt 0 As-sume that (i) Pr[k isinKbad]le δ and (ii) there is a functiong K⟶ [0 tinfin) such that for all k isinKgood the followingequation holds Prre(τ k)Prid(τ k)ge 1 minus g(k) en we have

Prid(τ) minus Prre(τ)le Prid(τ) middot δ + EkisinK[g(k)]( 1113857 (5)

3 The Extended Feistel Structure

ampe extended Feistel structure (E-Feistel structure) denotedas FAB is defined in the following

ampe round function and the branch have the same lengthdenoted as n Let A [A1 A2] and B [B1 B2] whereAi Bj isin Fntimesn

2 and A1B1 oplusA2B2 0 Let f be a map over Fn2

ampe input and output of FABf are denoted asx (x1 x2) isin Fntimes2

2 and y (y1 y2) isin Fntimes22 respectively

ampen the map FABf Fntimes22 ⟶ Fntimes2

2 is defined as

y1 y2( 1113857 x2 x1( 1113857oplus B2f(g) B1f(g)( 1113857 (6)

where g A1x1 oplusA2x2 as illustrated in Figure 1Denote by Mn all the maps from Fn

2 to Fn2 ampen the

structure FAB is defined as FAB FABf|f isinMn1113966 1113967 FAB

has similar procedures of decryption and encryptionLet Alowast [AT

1 AT2 ] and Blowast [BT

1 BT2 ] We further as-

sociate A andB and branch swapping with the following twomatrices

A A1 A2

A2 A11113890 1113891

B B

T1 B

T2

BT2 B

T1

⎡⎢⎣ ⎤⎥⎦

(7)

4 Four Rounds for Birthday-Bound Security

As seen in Figure 2 we assume that the 4-round idealizedKAEF cipher uses the same random round function f and 4independent random round keys k (k1 k2 k3 k4)

Firstly we give the definition of round-key vectors in the4-round key-alternating extended Feistel using the sameround function (KAEFSF) ampe constraint on round keysdoes not need the round key to satisfy the condition ofcomplete independence and randomness

Definition 1 (suitable round-key vector for 4 rounds) Around-key vector k (k1 k2 k3 k4) is suitable if it satisfiesthe following conditions

(i) k1 and k4 are uniform in 0 1 n (but they need not tobe independent)

(ii) k1 oplus k4 is also uniformly distributed in 0 1 n

Proposition 1 For FAB assumerank(A) rank(B) 2n and A1B2 oplusA2B1 is a nonsingularmatrix

Proof Since rank(A) rank(B) 2n A and B are bothnonsingular matrices So

A middot BT

0 A1B2 oplusA2B1

A2B1 oplusA1B2 01113890 1113891 (8)

is a nonsingular matrix As a result A1B2 oplusA2B1 is a non-singular matrix For convenience A1B2 oplusA2B1 is denoted asO

Theorem 1 Assuming rank(A) rank(B) 2n for the 4-round idealized KAEFSF the following equation holds

AdvKAEFSF qf qe1113872 1113873le9q

2e + 4qeqf

N (9)

Proof According to Lemma 2 we can translate the proof ofequation (9) into the proof of the following equation

Prid(τ) minus Prre(τ)lePrid(τ) middot9q

2e + 4qeqf

N (10)

For a fixed transcript τ (QE QF) with |QE| qe and|QF| qf key vectors can be distinguished whether good orbad concerning τ ampen the probability Prre(τ k) for goodkey k can be estimated For conveniencersquos sake for anyx isin 0 1 n x isin DomF (x notin DomF otherwise) denoteswhether there exists a corresponding record (x y) in QF ornot

Bad keys are now defined as follows

Definition 2 (bad round-key vector for 4 rounds) In regardof τ (QE QF) a suitable round-key vector k is bad as longas either of the two following conditions is satisfied

Security and Communication Networks 3

(B-1) there exists (LR ST) isin QE that satisfies eitherA1LoplusA2Roplus k1 isin DomF or A1ToplusA2Soplus k4 isin DomF

(B-2) there exist two (not necessarily different)(LR ST) and (LprimeRprime SprimeTprime) in QE that satisfiesA1LoplusA2Roplus k1 A1Tprime oplusA2Sprime oplus k4

ampe other transcripts are defined as good round-keyvectors denoted by Kgood

For each of the qe records (LR ST) since both k1 and k4are uniformly distributed in 0 1 n and since |DomF|

|QF| qf the probability that it satisfies (B-1) does notexceed 2qfN On the contrary for each of the q2e pairs ofrecords (LR ST) and (LprimeRprime SprimeTprime) since k1 oplus k4 is uniformthe probability that the pair satisfies (B-2) does not exceed1N amperefore

Pr klarr$ K k isinKbad1113876 1113877le2qeqf + q

2e

N (11)

41 Lowering Bounding the Probability for Good Keys Wenow lower bound the probability Prre(τ k) for an arbitrarygood round-key vector k For this we follow a cleanldquopredicaterdquo approach from [24] We define a ldquobadrdquo predicateBad(F) on F When conditions of Bad(F) are not fulfilledthe event KAEFSFF

k⊢QE occurs if and only if 2qe new anddistinct equations on the random round function F aresatisfied For conveniencersquos sake we first define

ExtF def x isin 0 1

n (LR ST) isin QE forA1LoplusA2R k1 oplus x and some S T or

(LR ST) isin QE forA1ToplusA2S k4 oplusx and some L R1113896 1113897 (12)

Clearly |ExtF|le 2qe ampen for any nminus to minus n bit functionf⊢QF the predicate Bad(F) holds if one of the followingconditions is fulfilled

(C-1) exist(LR ST) isin QE such that k2 oplusA1R oplusA2L

oplus OF (A1LoplusA2Roplus k1) isin DomFcupExtF or k3 oplusA1SoplusA2Toplus OF (A1ToplusA2Soplus k4) isin DomFcupExtF(C-2) there exist two (not necessarily different)(LR ST) and (LprimeRprime SprimeTprime) in QE such that k2 oplusA1RoplusA2 Loplus OF (A1LoplusA2Roplus k1) k3 oplusA1Sprime oplusA2Tprime oplus OF (A1Tprime oplusA2Sprime oplus k4)

(C-3) there exist two different (LR ST) isin QE and(LprimeRprime SprimeTprime) isin QE such that A1RoplusA2Loplus OF (A1L

oplusA2Roplus k1)) A1Rprime oplusA2Lprime oplus OF (A1Lprime oplusA2Rprime oplus k1)

or A1SoplusA2Toplus OF (A1ToplusA2Soplus k4) A1Sprime oplusA2Tprime oplus OF (A1Tprime oplusA2Sprime oplus k4)

To compute Pr[Flarr$ F(n) Bad(F)|F⊢QF] we considerthe conditions in turn First as k is good for any(LR ST) isin QE we have k1 oplusA1LoplusA2R notin DomF andk4 oplusA1ToplusA2S notin DomF ampus based on f⊢QF the valuesF(k1 oplusA1LoplusA2R) and F(k4 oplusA1ToplusA2S) remain uni-formly distributed and thus

minus Pr k2 oplusA1RoplusA2Loplus OF A1LoplusA2Roplus k1( 1113857 isin DomFcupExtF1113858 1113859leqf + 2qe

N

minus Pr k3 oplusA1SoplusA2Toplus OF A1ToplusA2Soplus k4( 1113857 isin DomFcupExtF1113858 1113859leqf + 2qe

N

(13)

So Pr[(C minus 1)]le 2qe(qf + 2qe)N Second for any twotuples (LR ST) and (LprimeRprime SprimeTprime) from QE the two function

values F(A1LoplusA2Roplus k1) and F(A1Tprime oplusA2Sprime oplus k4) are in-dependent by (B minus 2) ampen as argued we have

minus Pr k2 oplusA1RoplusA2Loplus OF A1LoplusA2Roplus k1( 1113857 k3 oplusA1Sprime oplusA2Tprime oplus OF A1Tprime oplusA2Sprime oplus k4( 11138571113858 1113859 1N

(14)

and thus Pr[(C minus 2)]le q2eNampird for any tuples (LR ST) and (LprimeRprime SprimeTprime) if

A1LoplusA2R A1Lprime oplusA2Rprime then A1RoplusA2Loplus OF (A1L

oplusA2Roplus k1) A1Rprime oplusA2Lprime oplus OF (A1Lprime oplusA2Rprime oplus k1) is notpossible Otherwise since F(A1LoplusA2Roplus k1) is uniform (asargued before) the probability to have A1RoplusA2Loplus OF

A1 A2

B1 B2

f

Figure 1 ampe extended feistel structure


(A1LoplusA2Roplus k1) A1Rprime oplusA2Lprime oplus OF (A1Lprime oplusA2Rprime oplus k1) is1N It is similar for the other condition A1SoplusA2Toplus OF(A1ToplusA2Soplus k4) A1Sprime oplusA2Tprime oplus OF (A1Tprime oplusA2Sprime oplus k4)

thus Pr[(C minus 3)]le q2eN and

Pr Flarr$ F(n) Bad(F)|F⊢QF1113876 1113877le2qe qf + 2qe1113872 1113873

N+

q2e

N+2q

2e

N

le7q

2e + 2qeqf

N

(15)

Using an arbitrary order write QE

(L1R1 S1T)1 (LqeRqe

SqeTqe

)1113966 1113967 and for a given F let

x(1)2 k2 oplusA1R1 oplusA2L1 oplusOF A1L1 oplusA2R1 oplus k1( 1113857

⋮

xqe( )

2 k2 oplusA1RqeoplusA2LqeoplusOF A1Lqe

oplusA2Rqeoplus k11113872 1113873

x(1)3 k3 oplusA1S1 oplusA2T1 oplusOF A1T1 oplusA2S1 oplus k4( 1113857

⋮

xqe( )

3 k3 oplusA1SqeoplusA2Tqe

oplusOF A1TqeoplusA2Sqeoplus k41113872 1113873

(16)

For each (LiRi SiTi) isin QE we assume that the outputs ofF in the 2 and 3 rounds are denoted as Xi and Yirespectively

Pr FAEFSFFk LiRi( 1113857 SiTi1113960 1113961 Pr F x

(i)21113872 1113873 XiandF x

(i)31113872 1113873 Yi1113960 1113961

(17)

Additionally conditioned on F⊢QF and Bad(F) (a) theinduced values x

(1)2 x

(qe)2 x

(1)3 x

(qe)3 are 2qe distinct

ones (otherwise if x(i)2 x

(j)2 or x

(i)3 x

(j)3 for some ine j

then (C-3) is fulfilled if x(i)2 x

(j)3 then (C-2) is fulfilled)

and (b) the 2qe images F(x(1)2 )

F(x(qe)2 ) F(x

(1)3 ) F(x

(qe)3 ) remain fully undetermined

and thus uniform otherwise (C-1) is fulfilled amperefore foreach i isin 1 qe1113864 1113865 we have

Pr F x(i)21113872 1113873 XiandF x

(i)31113872 1113873 Yi1113960 1113961

1N

21113888 1113889 (18)

and for any k isinKgood

Prre(τ k)

Prid(τ k)

1|K| middot Nqf( 1113857 middot Pr KAEFSFF

k⊢QF|F⊢QF1113960 11139611113872 1113873

1 middot |K|Nqf( 1113857 middot 1113937

qe minus 1i0 1N2

minus i1113872 1113873

gePr KAEFSFF

k⊢QF|F⊢QFandBad(F)1113960 1113961 middot 1 minus Pr Bad(F)|F⊢QF1113858 1113859( 1113857

1113937qe minus 1i0 1N2

minus i

ge 1 minus7q

2e + 2qeqfN1113872 1113873 1N2qe1113872 1113873

1113937qe minus 1i0 1N2

minus i1113872 1113873

ge 1 minus7q

2e + 2qeqf

N⎛⎝ ⎞⎠ 1 minus

q2e

N21113888 1113889ge 1 minus

7q2e + 2qeqf

Nminus

q2e

N2

(19)

Gathering this and equation (11) and Lemma 2 yields theclaim of equation (10)

5 Six Rounds for Beyond-Birthday-Bound Security

As seen in Figure 3 we assume that the 6-round idealizedKAEF cipher uses the 6 independent random round func-tions F (F1 F2 F3 F4 F5 F6) and 6 random round keysk (k1 k2 k3 k4 k5 k6)

Similarly we first define suitable round-key vectors

Definition 3 (suitable round-key vector for 6 rounds) Around-key vector k (k1 k2 k3 k4 k5 k6) is suitable if itsatisfies the following conditions

(i) k1 k3 and k5 are uniformly distributed in 0 1 n

(ii) k2 k4 and k6 are uniformly distributed in 2nminus r

possibilities(iii) For (i j) isin (1 2) (2 3) (4 5) (5 6) (1 6) ki and

kj are independent

Different from the proof of birthday-bound security theupper bound of probability of various collisions should besmall enough As a result all of key vectors need to beuniform It is the same for the independence of key vectorsBeyond-birthday-bound security of KAEF can be provedunder the instantiation with suitable round-key vectors

Theorem 2 For the 6-round idealized cipher KAEF with thesuitable round-key vector the following equation holds


AdvKAEF qf qe1113872 1113873le7q

3e + 13qeq

2f + 22q

2eqf

N2 +

2r 8qeq2f + 2q

2eqf1113872 1113873

N2 (20)

It is worth noting that when rlt n2 the security isbeyond-birthday security For example when r 0 thebound is of ldquotypicalrdquo beyond-birthday form O(q3N2)

Similarly we can translate the proof into the proof of theresult for any transcript τ the following equation holds

Prid(τ) minus Prre(τ)le Prid(τ) middot7q

3e + 13qeq

2f + 22q

2eqf + 2r 8qeq

2f + 2q

2eqf1113872 1113873

N2 (21)

For a fixed a transcript τ (QE QF) withQF (QF1

QF2 QF3

QF4 QF5

QF6) |QE| qe and

|QFi| qfi

for i 1 6 we follow similar procedures inSection 4 to complete the proof

51 Bad Round-Key Vectors and Probability For conve-nience xi isin DomFi (and xi notin DomFi otherwise) denotesfor any xi isin 0 1 n whether there exists a correspondingrecord (xi yi) in QFi

or not Additionally ImgFi(xi) de-notes the corresponding yi ampe bad round-key vector isdefined as follows

Definition 4 (bad round-key vector for 6 rounds) Withrespect to τ (QE QF) a suitable key vector k is bad if itsatisfies one of the following conditions

(B-1) there exist (LR ST) isin QE (x1 y1) isin QF1 and

(x6 y6) isin QF6such that k1 A1LoplusA2Roplusx1 and

k6 A1ToplusA2Soplusx6



k2 A1RoplusA2LoplusOy1 oplusx2


(x6 y6) isin QF6such that k6 A1ToplusA2Soplus x6 and

k5 A1SoplusA2ToplusOy6 oplusx5

ampese bad key vectors are denoted asKbadampe other keyvectors are defined as good key vectors denoted by Kgood

Because there are at most qeq2f choices for

(LR ST) isin QE (x1 y1) isin QF1 and (x6 y6) isin QF6

and sincek1 resp k6 is uniform in 2n resp 2nminus r possibilities andfurthermore since k1 and k6 are independent the followingequation holds Pr[(B minus 1)]le qeq

2f2

2nminus r le 2rqeq2fN

2

Similarly we have Pr[(B minus 2)]le 2rqeq2fN

2 By sym-metry Pr[(B minus 3)]le 2rqeq

2fN

2 As a result

Pr klarr$K k isinKbad1113960 1113961le

3 middot 2rmiddot qeq

2f

N2 (22)

52 Analysis for Good Keys For a fixed good round-keyvector k we would get a lower bound for the probabilityPr[Flarr$ (F(n))6 KAEFF

k⊢QE|F⊢QF] Inspired by Cogliatiet al [25 26] it takes two steps Firstly through definingcertain ldquobadrdquo functions on (F1 F6) we would lower boundthe probability under the condition Secondly under theassumption of ldquogoodrdquo functions (F1 F6) the outer tworounds are removed we only need to analyze the induced 4-round transcript to yield the final bounds

For a fixed pair of (F1 F6) such that F1⊢QF1and F6⊢QF6

and for each (LR ST) isin QE we setXlarrA1RoplusA2LoplusOF1(A1LoplusA2Roplus k1) andUlarrA1SoplusA2ToplusOF6(A1ToplusA2Soplus k6) ampen qe tuples(LRX UST) are obtained ampe induced tuples are denotedby QlowastE(F1 F6) For convenience εQ(x) is used to denote alltuples (LRX UST) whose third coordinate equals X Sim-ilarly we define εQ(U)

minus εQ(X) (LRX UST) (LRX UST) isin QlowastE F1 F6( 11138571113864 1113865

minus εQ(U) (LRX UST) (LRX UST) isin QlowastE F1 F6( 11138571113864 1113865

(23)

Additionally we define several key-independent quan-tities characterizing τ

α1(k) def

(LR ST) x1 y1( 1113857( 1113857 isin QE times QF1 k1 A1LoplusA2Roplusx1

11138681113868111386811138681113868

11138681113868111386811138681113868

α2(k) def

(LR ST) x6 y6( 1113857( 1113857 isin QE times QF6 k6 A1ToplusA2Soplusx6

11138681113868111386811138681113868

11138681113868111386811138681113868

α23(k) def

(LR ST) x2 y2( 1113857 x3 y3( 1113857( 1113857 isin QE times QF2times QF3

k3 A1LoplusA2RoplusOy2 oplusx3

11138681113868111386811138681113868

11138681113868111386811138681113868

α45(k) def


k4 A1ToplusA2SoplusOy5 oplusx4

11138681113868111386811138681113868

11138681113868111386811138681113868

(24)


ampe predicate Bad(F1 F6) holds if the induced setQlowastE(F1 F6) satisfies one of the following conditions

(C-1) there exist three records(LRX UST) isin QlowastE(F1 F6) (x2 y2) isin QF2

and(x5 y5) isin QF5

such that k2 Xoplus x2 and k5 Uoplusx5

(C-2) there exist three records (LRX UST)

isin QlowastE(F1 F6) (x2 y2) isin QF2 and (x3 y3) isin QF3

suchthat k2 Xoplus x2 and k3 A1LoplusA2RoplusOy2 oplus x3



suchthat k5 Aoplus x5 and k4 A1ToplusA2SoplusOy5 oplus x4

(C-4) there exist two distinct (LRX UST) and(LprimeRprimeXprime UprimeSprimeTprime) in QlowastE(F1 F6) and a pair (x2 y2) inQF2

such that X Xprime and k2 Xoplus x2 or symmetri-cally two distinct (LRX UST) and (LprimeRprimeXprime AprimeSprimeTprime) inQlowastE(F1 F6) and a pair (x5 y5) in QF5

such that A Aprimeand k5 Aoplus x5

A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1

B1

B2

B2

B1 B2

L R

S T

k1

k2

k3

k4

k5

k6

F1

F2

F3

F4

F5

F6

Figure 3 ampe 6-round KAEF with independent round functions

A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1 B2

L R

S T

k1

k2

k3

k4

F

F

F

F

Figure 2 ampe 4-round KAEF with the same round function



such that U Uprime and k2 Xoplusx2 or symmetri-cally two distinct (LRX UST) and (LprimeRprimeXprime UprimeSprimeTprime) inQlowastE(F1 F6) and a pair (x5 y5) in QF5

such that X Xprimeand k5 Uoplus x5

(F1 F6) is defined as good if Bad(F1 F6) does not hold

Lemma 3 We have

PrF1 F6Bad F1 F6( 1113857|F1⊢QF1

andF6⊢QF61113960 1113961le

qeq2f

N2 +

4q2eqf

N2 +

α23(k) + α45(k)

N+

qf α1(k) + α2(k)( 1113857

N (25)

Proof Due to page limits see Appendix A 521 Analyzing the Inner Four Rounds LetFlowast (F2 F3 F4 F5) We denote

p τ F1 F6( 1113857 Pr Flowastlarr$ (F)

n KAEFlowastE⊢Q

lowastE F1 F6( 1113857|Fi⊢QFi

i 1 2 3 4 5 61113876 1113877 (26)

ampis captures the probability that the inner four roundsof KAEF ldquoextendrdquo the tuples in QlowastE(F1 F6) ampe probabilityPrre(τ k) can be related to it

Lemma 4 (see [17]) Assume that there exists a functionε (F(n))2 times K⟶ [0infin] such that for any good (F1 F6)the following equation holds

p τ F1 F6( 1113857

1113937qeminus 1i0 1N2

minus ige 1 minus ε F1 F6 k( 1113857 (27)

ampen we have

Prre(τ k)

Prid(τ k)ge 1 minus Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 minus EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 1113961 (28)

Now we prove the assumption of Lemma 4

Lemma 5 For any fixed good tuple (F1 F6) there existsa function ε(F1 F6 k) of the function pair and the round-key

vector k such that inequality (20) mentioned in Lemma 4holds Moreover

EF1 F6 k ε F1 F6 k( 11138571113858 1113859le7q

3e + 10qeq

2f + 18q

2eqf + 3 middot 2r

middot qeq2f + 2 middot 2r

middot q2eqf

N2 (29)

Proof ampe general expression of ε(F1 F6 k) is a function ofseveral variables defined before which suffers from a badreadabilityamperefore we directly establish (and present) thebound on its expectation However due to space constraintsfor the full proof refer to Appendix B

Below we present a sketch and the core resultsAccording to the type of the involved collisions we dividethe tuples in QlowastE(F1 F6) into four groups

minus G1 (LRX UST) isin QlowastE F1 F6( 1113857 |εQ(X)| |εQ(U)| 1 k2 oplusX notin DomF2andk5 oplusU notin DomF51113864 1113865

minus G2 (LRX UST) isin QlowastE F1 F6( 1113857 k2 oplusX isin DomF21113864 1113865

minus G3 (LRX UST) isin QlowastE F1 F6( 1113857 k5 oplusU isin DomF51113864 1113865

minus G4 (LRX UST) isin QlowastE F1 F6( 1113857 |εQ(X)|ge 2 or |εQ(U)|ge 21113864 1113865

(30)


Let β1 |G2| β2 |G3| and β3 |G4| Note that bydefinition these sets form a partition of QlowastE(F1 F6)

minus G1 capG2 G1 capG3 G1 capG4 empty by definitionminus G2 capG3 empty since otherwise QlowastE(F1 F6) would sat-isfy (C-1)minus G2 capG4 empty since for any(LRX UST) isin G3 |εQ(X)|ge 2 would implyQlowastE(F1 F6)

fulfilling (C-4) while |εQ(U)|ge 2 would imply (C-5)minus G3 capG4 empty since for any (LRX UST) isin G3

|εQ(X)|ge 2 would imply (C-5) while |εQ(U)|ge 2would imply (C-4)

We denote EG1 EG2

EG3 and EG4

the eventKAEFFlowast

k ⊢G1G2G3 and G4 It can be seen that

p τ F1 F6( 1113857 Pr EG1andEG2andEG3andEG4

|F⊢QF1113960 1113961 (31)

We next analyze the four groups in turn ampe first oneie Pr[EG1

|F⊢QF] involves the most complicated analysisBriefly for each tuple (LRX UST) in G1 it consists of threecases

In the first case neither of the two corresponding in-termediate values Y and Z derived from F2 and F5 collides

with values that have been in the historyampe probability thatKAEFF

k extends (LRX UST) in this case is roughly at least

1 minusqf + qe + β1

N1113888 1113889 1 minus

qf + qe + β2N

1113888 11138891

N2 (32)

In the second case the corresponding intermediate valueY collides with some ldquoexistingrdquo values yet the further de-rived Z is ldquofreerdquo ampe probability that KAEFF

k extends(LRX UST) in this case is roughly at least

qf + qe

Nminus O

2rmiddot q

2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (33)

ampe third case is symmetrical to the second one Zcollides with ldquoexistingrdquo values yet Y is ldquofreerdquoampe probabilityis roughly at least

qf + qe

Nminus O

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (34)

Summing over the above we obtain

Pr EG1|F⊢QF1113960 1113961ge 1113945

G1| |

l11 minus

β1N

minusβ2N

minus O2r

middot q2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (35)

ampe concrete bound is

Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1 minus

2rmiddot qeq

2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qf + 2qe1113872 1113873 β1 + β2( 1113857

N⎛⎝ ⎞⎠

1N

2|G1| (36)

To analyze EG2 EG3

and EG4 we again apply the bad

predicate approach ampese groups involve collisions andhave relatively small sizes |EG2

| |EG3| |EG4

| O(2r middot q2N)

(will be proved later) amperefore any collisions betweentuples in these groups and values related to QF or EG1

can be

included in the bad predicates for each tuple in these threegroups the probability would be O(qN) withq max(qe qf) yet it remains O(qN) middot O(2r middot q2N)

O(2r middot q3N) in total In all the results are

Pr EG2andEG3|EG1

andF⊢QF1113960 1113961ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

Pr EG4|EG1andEG2andEG3andF⊢QF1113960 1113961ge 1 minus

2β3 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G4| |

(37)

Proof It is analyzes for G2G3 and G4


Lowering bounding Pr[EG2andEG3|EG1

andF⊢QF] ConsiderEG2

first we lower bound that probability that is equivalentto F4 and F5 satisfying 2|G2| new and distinct equations Tothis end again we define a predicate Bad1(F3) which holdsif there exists (LRX UST) isin G2 that fulfills one of thefollowing conditions

(i) ampe x4 value derived using F3 is in DomF4 iek4 oplusOF3(x3) isin DomF4 wherex3 k3 oplusA1LoplusA2RoplusOImgF2(k2 oplusX)

(ii) ampe Z value derived using F3 collides with Zprime valueof another tuple in G2 ie there exists(LprimeRprimeXprime UprimeSprimeTprime) isin G2 such thatXoplusOF3(x3) Xprime oplusOF3(x3prime) wherex3prime k3 oplusA1Lprime oplusA2Rprime oplusOImgF2(k2 oplusXprime)

(iii) ampe Z value derived using F3 collides with Zprime valueof another tuple in G2 or G3 ie there exists(LlowastRlowastXlowast UlowastSlowastTlowast) isin G1 cupG3 such thatXoplusOF3(x3) A1T

lowast oplusA2Slowast oplusOF5(k5 oplusUlowast)

We note that for each (LRX UST) isin G2 letx3 k3 oplusA1LoplusA2RoplusOImgF2(k2 oplusX) then the followingequation holds x3 notin DomF3(otherwise fulfilling (C-2)) andx3 isin ExtF

(|G1|)3 (according to the analysis of EG1

) ampusconditioned on EG1

andF3⊢QF3 the value F3(x3) remains

uniform amperefore for this (LRX UST)

(i) ampe probability that condition (i) is fulfilled at mostqfN

(ii) For each (LprimeRprimeXprime UprimeSprimeTprime) isin G2 if the corre-sponding x3prime does not equal x3 then the probabilityof XoplusOF3(x3) Xprime oplusOF3(x3prime) is at most 1Notherwise since the two tuples are distinct it has tobe XneXprime and thus XoplusOF3(x3)neXprime oplusOF3(x3prime)

(iii) For each (LlowastRlowastXlowast UlowastSlowastTlowast) isin G1 cupG3 the prob-ability ofXoplusOF3(x3) A1T

lowast oplusA2Slowast oplusOF5(k5 oplusUlowast) is at

most 1N

Summing over the above yields

Pr Bad1 F3( 1113857|EG1andF⊢QF1113960 1113961le

G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 middot qf + qe1113872 1113873

N (38)

It is not hard to see that conditioned on Bad1(F3) the|G2| tuples in G2 indeed give rise to |G2| distinct valuesZ1 Z|G2| (otherwise condition (ii) is fulfilled) for whichF4(Z1 oplus k4) F4(Z|G2|oplus k4) all remain undetermined(otherwise condition (i) or (iii) is fulfilled)) Furthermore atthe ldquoright siderdquo they also give rise to |G2| distinct valuesU1 U|G2| with F5(U1 oplus k5) F5(U|G2|oplus k5) all re-main undetermined

(i) U1 U|G2| are also distinct otherwise fulfilling(C-5)

(ii) None of U1 oplus k5 U|G2|oplus k5 is in DomF5 oth-erwise fulfilling (C-1)

(iii) Conditioned on EG1

F5(U1 oplus k5) F5(U|G2|oplus k5) all remain un-determined otherwise some Ui is shared betweentuples in G1 and G2

ampus in this case the event EG2is equivalent to F4 and F5

satisfying 2|G2| new and distinct equations and the prob-ability does not exceed 1N2|G2|

We then consider EG3 ampe analysis is similar to EG2

bysymmetry we define a predicate Bad1(F4) on F4 whichholds if there exists (LRX UST) isin G3 such that one of thefollowing conditions is fulfilled

(i) ampe induced value x3 is in DomF3 iek3 oplusOF4(x4) isin DomF3 wherex4 k4 oplusA1ToplusA2SoplusOImgF5(k5 oplusU) ampe prob-ability is at most qfN in total

(ii) ampe induced value Y collides with the Yprime value ofanother tuple in G3 ie there exists(LprimeRprimeXprime UprimeSprimeTprime) isin G3 such thatUoplusOF4(x4) Uprime oplusOF4(x4prime) wherex4prime k4 oplusA1Tprime oplusA2Sprime oplusOImgF5(k5 oplusUprime) ampeprobability is at most |G3|N

(iii) ampe induced value Y collides with Yprime value of an-other tuple in G1 or G2 ie there exists(LlowastRlowastXlowast UlowastSlowastTlowast) isin G1 cupG2 such thatUoplusOF4(x4) A1L

lowast oplusA2Rlowast oplusOF2(k2 oplusXlowast) ampe

probability is at most |G1| + |G2|N in total

Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (39)

And conditioned on Bad1(F4) tuples in G3 give rise to|G3| distinct values Y1 Y|G3| while the assumptionBad1(F1 F6) ensures that they give rise to |G3| distinct

values X1 X|G3| ampus the event EG3is equivalent to F2

and F3 satisfying 2|G3| new and distinct equations ampere-fore conditioned on EG1

andF⊢QF we have


Pr EG2andEG3

|EG1andF⊢QF1113960 1113961ge 1 minus Pr Bad1 F2( 11138571113858 1113859 minus Pr Bad1 F3( 11138571113858 1113859( 1113857 middot Pr EG2

andEG3|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(40)

Lower bounding Pr[EG4|EG1andEG2andEG3andF⊢QF] by def-

inition for any tuple (LRX UST) isin G4 let x2 k2 oplusX andx5 k5 oplusU then we have both x2 notin DomF2 andx5 notin DomF5 Moreover conditioned on EG1

andEG2andEG3

thetwo values F2(x2) and F5(x5) remain ldquoundeterminedrdquo anduniform (otherwise if EG1

EG2 and EG3

imply F2(x2) beingfixed then a tuple in G1G2 or G3 would share the same X

value with a tuple inG4 contradicting the definition ofG1 orfulfilling (C-4) or (C-5) respectively)

For these tuples we would lower bound the probabilitythat they induce 2|G4| new and distinct equations on F3 andF4 To this end we define a predicate Bad3(F2 F5) on F2 andF5 which holds if there exists a tuple (LRX UST) isin G4 suchthat if we let x2 k2 oplusX and x5 k5 oplusU then one of thefollowing conditions is fulfilled

At the ldquoleft siderdquo concerning F2(x2)

(i) ampe induced x3 value falls in DomF3 iek3 oplusA1LoplusA2RoplusOF2(x2) isin DomF3 As dis-cussed F2(x2) remains random thus the proba-bility is clearly at most qfN

(ii) ampe induced Y value collides with some ldquopreviouslydeterminedrdquo Yprime ie there exists another tuple(LprimeRprimeXprime UprimeSprimeTprime) isin G1 cupG2 cupG3 such thatA1LoplusA2RoplusOF2(x2) A1Lprime oplusA2Rprime oplusOF2(x2prime) Itnecessarily is XneXprime again using the randomnessof F2(x2) we obtain the upper bound|G1| + |G2| + |G3|Nle qeN for each(LRX UST) isin G4

At the ldquoright siderdquo concerning F5(x5) similar to theabove symmetry

(i) k4 oplusA1ToplusA2SoplusHF5(x5) isin DomF4 the proba-bility is clearly at most qfN

(ii) ampere exists another tuple(LprimeRprimeXprime UprimeSprimeTprime) isin G1 cupG2 cupG3 such thatA1ToplusA2SoplusOF5(x5) A1Tprime oplusA2Sprime oplusOF5(x5prime)ampe upper bound is |G1| + |G2| + |G3|Nle qeNfor each (LRX UST) isin G4

ampus using |G4| β3 we obtain

Pr Bad3 F2 F5( 1113857|EG1andEG2andEG3

andF⊢QF1113960 1113961le 2G4

11138681113868111386811138681113868111386811138681113868 middot qf + qe1113872 1113873

Nle2β3 middot qf + qe1113872 1113873

N (41)

Similar to the analysis for EG2and EG3

conditioned onBad3(F2 F5) the event EG4

is equivalent to F3 and F4satisfying 2|G4| new and distinct equations amperefore

Pr EG4|EG1andEG2andEG3andF⊢QF1113960 1113961ge 1 minus Pr Bad3 F2 F5( 11138571113858 1113859( 1113857 middot

1

N2 G4| |ge 1 minus

2β3 qf + qe1113872 1113873

N⎛⎝ ⎞⎠ middot

1

N2 G4| |

(42)

Summing up would yield a lower bound of the form


|F⊢QF1113960 1113961ge 1 minus ε1( 1113857 1 minus ε2( 1113857 1 minus ε3( 11138571

N2 G1| |+G2| |+G3| |+G4| |( )

ge 1 minus ε1 + ε2 + ε3( 1113857( 11138571

N2qe

Since G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

1113868111386811138681113868 + G41113868111386811138681113868

1113868111386811138681113868 qe1113872 1113873

(43)


We note 1N2qe 1113937qeminus 1i0 1N2 minus ige (1 minus (qe

N2))qe ge 1 minus (q2eN2)ge 1 minus (q3eN

2) ampus using(1 minus A)(1 minus B)ge 1 minus (A + B) we obtain

p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which

Ek ε F1 F6 k( 11138571113858 1113859le2qf + 3qe1113872 1113873 β1 + β2( 1113857 + 2β3 qf + qe1113872 1113873

N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)

We now derive EF1 F6[Ek[ε(F1 F6 k)]|F1⊢QF1

F6⊢QF6]

To this end note that by definition β1 β2 and β3 arequantities that depend on (F1 F6)

β1 (LRX UST) isin QlowastE F1 F6( 1113857 k2 oplusX k2 oplusA1RoplusA2LoplusOF1 k1 oplusA1LoplusA2R( 1113857 isin DomF21113864 11138651113868111386811138681113868

1113868111386811138681113868

β2 (LRX UST) isin QlowastE F1 F6( 1113857 k5 oplusU k5 oplusA1SoplusA2ToplusOF6 k6 oplusA1ToplusA2S( 1113857 isin DomF51113864 11138651113868111386811138681113868

1113868111386811138681113868

β3 (LRX UST) isin QlowastE F1 F6( 1113857 exist LprimeRprimeXprime UprimeSprimeTprime( 1113857 such thatX Xprime or exist LprimeRprimeXprime UprimeSprimeTprime( 1113857 isin QlowastE F1 F6( 1113857 such thatU Uprime1113864 11138651113868111386811138681113868

1113868111386811138681113868

(46)

We consider β1 first For each (LRX UST) isin QlowastE(F1 F6)if k1 oplusA1LoplusA2R isin DomF1 then k2 oplusX notin DomF2 by(B minus 2) ampus conditioned on F1⊢QF1

F1(k1 oplusR) remainsuniform and Pr[k2 oplusA1RoplusA2LoplusOF1(k1 oplusA1LoplusA2R) isinDomF2]le qfN amperefore

Ek β11113858 1113859leqeqf

N (47)

Similarly by symmetry using the randomness suppliedby F6 Ek[β2]le qeqfN

ampen we consider β3 We fix a record (LR ST) such thatk1 oplusA1LoplusA2R notin DomF1 and consider another(LprimeRprime SprimeTprime) If A1LoplusA2R A1Lprime oplusA2Rprime then it has to be2n and thus X Xprime Otherwise ask1 oplusA1LoplusA2R notin DomF1 F1(k1 oplusA1LoplusA2R) remainsrandom conditioned on F1⊢QF1

and

Pr X Xprime1113858 1113859 Pr OF1 k1 oplusA1LoplusA2R( 1113857oplusOF1 k1 oplusA1Lprime oplusA2Rprime( 1113857 A1RoplusA2LoplusA1Rprime oplusA2Lprime1113858 1113859 1N

(48)

ampe number of distinct pairs of such tuples is at most q2e ampus we know the expectation of the number of pairs

Ek (LRX UST) k1 oplusA1LoplusA2R notin DomF1exist LprimeRprimeXprime UprimeSprimeTprime( 1113857 st X Xprime1113864 1113865|1113858 1113859leq2e

N (49)

As the number of (LR ST) such thatk1 oplusA1LoplusA2R isin DomF1 is α1(k) we obtain

Ek (LRX UST) exist LprimeRprimeXprime UprimeSprimeTprime( 1113857 st X Xprime1113864 1113865|1113858 1113859leq2e

N+ α1(k) (50)

Symmetrically Ek[ (LRX UST) exist(LprimeRprimeXprime UprimeSprimeTprime)1113864

st U Uprime|]le q2eN + α2(k) ampus Ek[β3]le (2q2eN)+

α1(k) + α2(k) Finally since k1 and resp k6 are uniform in2n and resp 2nminus r possibilities


Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1

Pr k1 A1LoplusA2Roplusx11113858 1113859leqeqf

N

(51)

and Ek[α2(k)]le 2r middot qeqfN Gathering all the above yields

EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)

as claimed in (8) 53 Concluding the Pointwise Proximity Proof GatheringLemma 2 Lemma 4 and equation (22) we obtain

Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)

where ε(F1 F6 k) is the function specified in equation (44)Note that its expectation has been bounded in Lemma 5

For Ek[Pr[Bad(F1 F6)|F1⊢QF1 F6⊢QF6

] since k3 andresp k4 are both uniformly distributed in 2n and resp 2nminus r

possibilities we have

Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)

At the end of previous section we have shownEk[α1(k)]le qeqfN and Ek[α1(k)]le 2rqeqfN Injectingthem into the bound of Lemma 3 yields

Ek Pr Bad F1 F6( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)

Gathering all the above eventually establishes equation(21)

6 Conclusion

For diversity of iterative structures we propose an extendedFeistel structure ampe new iterative structure also has similarencryption with decryption ampis paper mainly investigatesthe security of the new structure from studying the dis-tinguishability between the ideal cipher adopting thisstructure and a random permutation Results show that forbirthday-bound security the 4-round KAEF is secureagainst 2n2 queries and for beyond-birthday-bound securitythe 6-round KAEF is secure against 22n3 queries As a resultthe new iterative is a reliable structure and can provide morechoices for cipher designing

Appendix

A Proof of Lemma 3

We upper bound the probabilities of the bad conditions inturn

A1 Condition (C-1) For any (LRX AST) isin QlowastE(F1 F6) ifthere exist (x2 y2) isin QF2

and (x5 y5) isin QF5such that k2

Xoplus x2 and k5 Aoplus x5 then we would haveA1RoplusA2LoplusOF1(A1LoplusA2Roplus k1) k2 oplus x2 and A1SoplusA2T

oplusOF6(A1ToplusA2Soplus k6) k5 oplusx5 for the corresponding(LR ST) isin QE It cannot be A1LoplusA2Roplus k1 isin DomF1 asotherwise A1LoplusA2Roplus k1 isin DomF1 along with fulfilling (B-2) in Definition 3 similarly it cannot beA1ToplusA2Soplus k6 isin DomF6 ampus conditioned on F1⊢QF1and F6⊢QF6

the two values F1(A1LoplusA2Roplus k1) andF6(A1ToplusA2Soplus k6) remain uniform ampus for each 3-tuple((LR ST) (x2 y2) (x5 y5)) the probability that the case ofboth A1RoplusA2LoplusOF1(A1LoplusA2Roplus k1) k2 oplusx2 andA1SoplusA2ToplusOF6(A1ToplusA2Soplus k6) k5 oplus x5 hold is at most1N2 Since we have at most qeq

2f such 3-tuples the total

probability does not exceed qeq2fN

2

A2 Conditions (C-2) and (C-3) Consider (C-2) first Bydefinitions the number of triplets((LRX AST) (x2 y2) (x3 y3)) such thatk3 A1LoplusA2RoplusOy2 oplusx3 is α23(k) where (LRX AST) isa ldquomergedrdquo notation for (LR ST) and the correspondinginduced X and A On the contrary k2 Xoplus x2 would implyA1RoplusA2LoplusOF1(A1LoplusA2Roplus k1) k2 oplus x2 Now ifA1LoplusA2Roplus k1 isin DomF1 then it cannot beA1RoplusA2LoplusOImgF1(A1LoplusA2Roplus k1) k2 oplus x2 otherwise(B-2) is fulfilled Whereas when A1LoplusA2Roplus k1 notin DomF1


then conditioned on F1⊢QF1 the value F1(A1LoplusA2Roplus k1)

is uniform and thusPr[A1RoplusA2LoplusOF1(A1LoplusA2Roplus k1) k2 oplus x2] 1N Asa result we have Pr[(C minus 2)]le α23(k)N For condition (C-3) it is similar by symmetry resulting inPr[(C minus 3)]le α45(k)N

A3 Condition (C-4) Consider the first half of (C-4) firstand consider such two tuples (LRX AST) and(LprimeRprimeXprime AprimeSprimeTprime) We note that neither A1LoplusA2Roplus k1 norA1Lprime oplusA2Rprime oplus k1 can be in DomF1 as otherwise it satisfies(B-2) ampus conditioned on F1⊢QF1

bothF1(A1LoplusA2Roplus k1) and F1(A1Lprime oplusA2Rprime oplus k1) remain uni-form ampus

Pr X Xprimeandk2 oplusX x21113858 1113859lePr OF1 A1LoplusA2Roplus k1( 1113857 OF1 A1Lprime oplusA2Rprime oplus k1( 1113857oplusA1 RoplusRprime( 1113857oplusA2 Loplus Lprime( 11138571113858 1113859

middot Pr OF1 A1LoplusA2Roplus k1( 1113857 A1RoplusA2Loplus k2 oplus x21113858 1113859le1

N2

(A1)

ampe number of choices of(LRX AST) (LprimeRprimeXprime AprimeSprimeTprime) and (x2 y2) is at most q2eqfthus the probability of the first half is at most q2eqfN2 intotal For the second half it is similar by symmetry leadingto the same bound q2eqfN2 ampus Pr[(C minus 4)]le 2q2eqfN2

A4Condition (C-5) Consider the first half of the conditionand consider such three tuples (LRX AST)

(LprimeRprimeXprime AprimeSprimeTprime) and (x2 y2) isin QF2 respectively By

(B minus 2) A1LoplusA2Roplus k1 notin DomF1 depending on the stateof S andT we distinguish two cases

(i) Case 1 A1ToplusA2Soplus k6 notin DomF6 ampen we have atmost qe choices for (LRX AST) and at most qe

choices for (LprimeRprimeXprime AprimeSprimeTprime) Conditioned onF6⊢QF6

F6(A1ToplusA2Soplus k6) remains random thus

Pr A Aprime1113858 1113859 Pr A1SoplusA2ToplusOF6 A1ToplusA2Soplus k6( 1113857 A1Sprime oplusA2Tprime oplusOF6 A1Tprime oplusA2Sprime oplus k6( 11138571113858 1113859le1N

(A2)

Conditioned on F1⊢QF1 the value

F1(A1LoplusA2Roplus k1) is also random thus we simi-larly have Pr[A1RoplusA2LoplusOF1(A1LoplusA2Roplus k1)

oplus k2 isin DomF2]le qfN ampus the probability is atmost q2eqfN2 in total

(ii) Case 2 A1ToplusA2Soplus k6 isin DomF6 ampen we haveα2(k) choices for (LRX AST) Similar to Case 1Pr[A1R oplusA2LoplusOF1(A1LoplusA2Roplus k1)oplus k2 isin DomF2]le qfN ampus the probability that there exists atleast one such tuple (LRX AST) is at mostqfα2(k)N

Summing over the two cases results inq2eqfN2 + qfα2(k)N the analysis for the second half issimilar by symmetry giving q2eqfN2 + qfα1(k)N ampusPr[(C minus 5)]le 2q2eqfN2 + qf(α2(k) + α1(k))N

B Proof of Lemma 5

Lower bounding the probability is Pr[EG1|F⊢QF] We write

G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966

A|G1|S|G1|T|G1|) using some arbitrary order Let El be theevent that KAEFF

k extends the lth tuple (LlRlXl AlSlTl)ampen EG1

E|G1|and middot middot middotandE1We next focus on lower bounding

Pr[El+1|Eland middot middot middotandE1andF⊢QF] for the (l+ 1)th tuple(Ll+1Rl+1Xl+1 Al+1Sl+1Tl+1) ampe approach is to lower boundthe probability that El+1 is equivalent to 2 new and distinctequations on F2 F3 F4 and F5 For this we define four setsfor positions ldquooccupied by previous tuplesrdquo

ExtF(l)3

def x3 exist LiRiXi AiSiTi( 1113857 isin G1 ile l

st x3 k3 oplusA1Li oplusA2Ri oplusOF2 k2 oplusXi( 11138571113896 1113897

G2F3 def

x3 exist(LRX AST) isin G2 st x3 k3 oplusA1LoplusA2RoplusOImgF2 k2 oplusX( 11138571113864 1113865

ExtF(l)4


st x4 k4 oplusA1Ti oplusA2Si oplusOF5 k5 oplusAi( 11138571113896 1113897

G3F4 def

x4 exist(LRX AST) isin G3 st x4 k4 oplusA1ToplusA2SoplusOImgF5 k5 oplusA( 11138571113864 1113865

(B1)


We note that for any x3 isin ExtF(l)3 conditioned on

Eland middot middot middotandE1 the value F3(x3) has been ldquofixedrdquo according toa corresponding tuple and cannot be deemed random forF4(x4) with x4 isin ExtF

(l)4

Let x(l+1)2 k2 oplusXl+1 and x

(l+1)5 k5 oplusAl+1 ampen given

the round functions F2 F3 F4 andF5 the two intermediatevalues Yl+1 and Zl+1 would be determined Depending ontheir state the event El+1 consists of at least three cases

(i) Case 1 (ldquono collisionrdquo) the two induced valuesYl+1 A1Ll+1 oplusA2Rl+1 oplusOF2(x

(l+1)2 ) and

Zl+1 A1Tl+1 oplusA2Sl+1 oplusOF5(x(l+1)5 ) satisfy

k3 oplusYl+1 notin DomF3 cupExtF(l)3 cupG2F3

k4 oplusZl+1 notin DomF4 cupExtF(l)4 cupG3F4

(B2)

ampen the following equation holds F3(k3 oplusYl+1)

Ominus 1(Xl+1 oplusZl+1) andF4(k4 oplusZl+1) Ominus 1(Yl+1 oplusAl+1)

(ii) Case 2 (ldquoleft collisionrdquo) the inducedYl+1 A1Ll+1 oplusA2Rl+1 oplusOF2(x

(l+1)2 ) satisfies

k3 oplusYl+1 isin DomF3 cupExtF(l)3 (B3)

but the further induced valueZl+1 Xl+1 oplusOF3(k3 oplusYl+1) satisfies

k4 oplusZl+1 notin DomF4 cupExtF(l)4 cupG3F4 (B4)

ampen the following equation holds F4(k4 oplusZl+1)

Ominus 1(Yl+1 oplusAl+1) andF5(x

(l+1)5 ) Ominus 1(A1Tl+1 oplusA2Sl+1 oplusZl+1)

(iii) Case 3 (ldquoright collisionrdquo) similar to Case 2 bysymmetry the induced valueZl+1 A1Tl+1 oplusA2Sl+1 oplusOF5(x

(l+1)5 ) satisfies

k4 oplusZl+1 isin DomF4 cupExtF(l)4 but the further in-

duced Yl+1 Al+1 oplusOF4(k4 oplusZl+1) satisfiesk3 oplusYl+1 notin DomF3 cupExtF

(l)3 cupG2F3 ampen the

following equation holdsF2(x

(l+1)2 ) Ominus 1(A1Ll+1 oplusA2Rl+1 oplusYl+1) and

F3(k3 oplusYl+1) Ominus 1(Xl+1 oplusZl+1)

By these we have

Pr El+1|Eland middot middot middotandE1andF⊢QF1113858 1113859 1113944i123

Pr El+1andCASEi|Eland middot middot middotandE1andF⊢QF1113858 1113859 (B5)

Let e(l)3 |ExtF(l)

3 DomF| and e(l)4 |ExtF(l)

4 DomF4|We use three sections to bound each probability in turn

B1 Case 1 As (Ll+1Rl+1Xl+1 Al+1Sl+1Tl+1) is in G1 we havex

(l+1)2 k2 oplusXl+1 notin DomF2 Furthermore Xl+1 does not

collide with any other tuples in QlowastE(F1 F6) sinceεQ(Xl+1) 1 So conditioned on Eland middot middot middotandE1andE1andF⊢QFF2(x

(l+1)2 ) remains random and

Pr k3 oplusYl+1 isin DomF3 cupExtF(l)3 cupG2F31113960 1113961le

qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry

Pr k4 oplusZl+1 isin DomF4 cupExtF(l)4 cupG3F41113960 1113961le

qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)

ampen it can be seen the two equations F3(k3 oplusYl+1)

Ominus 1(Xl+1 oplusZl+1) and F4(k4 oplusZl+1) Ominus 1(Yl+1 oplusAl+1) arefulfilled with probability 1N2 and thus

Pr El+1andCASE1|Eland middot middot middotandE1andF⊢QF1113858 1113859ge 1 minusqf + e

(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)

One may notice that if we only consider this Case 1 thenwe would end up with an undesired birthday-type boundsince |G4| O(qe)

However this gap is filled in by the other two casesanalyzed below

B2 Case 2 Recall that in this case

k3 oplusYl+1 x3 isin DomF3 cupExtF(l)3 while k4 oplusZl+1 x4 notin DomF4 cupExtF

(l)4 cupG3F4 (B9)


Instead of lower boundingPr[El+1andCASE2|Eland middot middot middotandE1andF⊢QF] we upper bound theprobability of the opposite case It can be seen that Yl+1

colliding with the involved (x3 x4) implies thatXl+1 oplusOy3 (k4 oplusx4) where y3 F3(x3) amperefore weproceed to upper bound

pcoll Pr existx3 isin DomF3 cupExtF(l)3 existx4 isin DomF4 cupExtF

(l)4 cupG3F4 Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113960 1113961 (B10)

where Coll(x3 x4) stands for the event

Xl+1 oplusOy3 k4 oplusx4( 1113857andA1Ll+1 oplusA2Rl+1 oplusOF2 x(l+1)21113872 1113873 k3 oplusx3( 1113857 (B11)

where x(l+1)2 k2 oplusXl+1 In detail the to-be-bounded probability could be written

as

pcoll 1113944

x3isinDomF3 cupExtF(l)3

x4isinDomF4 cupExtF(l)4 cupG3F4

Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859(B12)

Let x(l+1)2 k2 oplusXl+1 In the following we distinguish

five subcases and derive bound for each in turn

B21 Subcase 21 x3 isin DomF3 cupExtF(l)3 and x4 isin G3F4

Define Numl3(y3) as the number of preimages of y3 under

the map defined by DomF3 cupExtF(l)3 ie

Numl3 y3( 1113857 x3 isin DomF3 cupExtF

(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)

By this and by the constraint that Xl+1 oplusOy3 k4 oplusx4for each x4 isin G3F4 the number of x3 isin DomF3 cupExtF

(l)3

such that Xl+1 oplusOy3 k4 oplusx4 is Num(l)3 (XL+1 oplus k4 oplus x4)

amperefore the number of such ldquobadrdquo pair is1113936x4isinG3F4

Num(l)3 (Xl+1 oplus k4 oplus x4) in total On the contrary

similar to Case 1 F2(x(l+1)2 ) can still be deemed random

thus

Pr F2 x(l+1)21113872 1113873 O

minus 1A1Ll+1 oplusA2Rl+1 oplus k3 oplus x3( 11138571113960 1113961le

1N

(B14)

and

1113944


x4isinG3F4

Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859leΣx4isinG3F4

Num(l)3 Xl+1 oplus k4 oplusx4( 1113857

N

(B15)

B22 Subcase 22 x3 isin DomF3 and x4 isin DomF4 Forthis we introduce a new $k-$dependent quantity

α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3

times QF4 k4 XoplusOy3 oplusx41113966

11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)

ampus the number of such pairs (x3 x4) withXl+1 oplusOy3 k4 oplusx4 is α+

34(k Xl+1) We also havePr[F2(x

(l+1)2 ) Ominus 1(A1Ll+1 oplusA2Rl+1 oplus k3 oplus x3)]le 1N

amperefore

1113944x3isinDomF3 x4isinDomF4

Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859leα+34 k Xl+1( 1113857

N (B17)


Since k4 is uniform in 2nminus r values it can be seenE[α+

34(k Xl+1)]le 2r middot q2fN amperefore the expectation ofthe probability is at most 2r middot q2fN

2

B23 Subcase 23 x3 isin DomF3 and x4 isin ExtF(l)4 DomF4

By definition we have

1113944

x3isinDomF3x4isinExtF(l)

4 DomF

Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859 1113944x3isinDomF3 i1l

sgn(i) middot Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859

(B18)

where x(i)4 k4 oplusZi Zi A1Ti oplusA2Si oplusOF5(k5 oplusAi) are

derived from the ith tuple (LiRiXi AiSiTi) isin G4 andsgn(i) 1 if and only if i is the smallest index satisfying theseconditions (ie x

(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and

x(i)4 notin DomF4We focus on Pr[Coll(x3 x

(i)4 )|Eland middot middot middotandE1andF⊢QF] For

convenience we let y3 ImgF3(x3) and writeYi A1Li oplusA2Ri oplusOF2(k2 oplusXi) We consider the condi-tional probabilities

Pr[Coll(x3 x(i)4 )|Ei fits into CASE jandEland middot middot middotandE1andF⊢QF] for

j 1 2 3 It can be seen if Ei fits into Case 3 thenx

(i)4 isin DomF4 and this x

(i)4 is the discussion of subcase 23

So we consider j 1 or 2

(i) When Ei fits into Case 1 according to the corre-sponding analysis Zi was derived viaZi A1Ti oplusA2Si oplusOF5(k5 oplusAi) and F5(k5 oplusAi)

was uniform ampus

Pr Xl+1 oplusOy3 k4 oplusx(i)41113872 11138731113960 1113961 Pr Xl+1 oplusOy3 Zi1113858 1113859

Pr F5 k5 oplusAi( 1113857 Ominus 1

Xl+1 oplusOy3 oplusA1Ti oplusA2Si( 11138571113960 1113961le1N

(B19)

Since we further have Pr[F2(k2 oplusXl+1) O

minus 1(A1Ll+1 oplusA2Rl+1 oplus k3 oplus x3)]le 1N the followingequation holds

Pr Coll x3 x(i)41113872 1113873|Ei fits into CASE 1andEland middot middot middotandE1andF⊢QF1113960 1113961

le1

N2

(B20)

(ii) When Ei fits into Case 2 let x(i)3 k3 oplusYi and

y(i)3 F3(x

(i)3 ) ampen Xl+1 oplusOy3 Zi implies

Xl+1 oplusOy3 Xi oplusOy(i)3 (B21)

meaning that for each triple (Xl+1 Xi y3) thenumber of choices for such y

(i)3 is

Num(l)3 (Ominus 1Xl+1 oplusOminus 1Xi oplusy3) For each such y

(i)3

the event Coll(x3 x(i)4 ) essentially implies two col-

lisions ie

A1Li oplusA2Ri oplusOF2 k2 oplusXi( 1113857 k3 oplusx(i)3

A1Ll+1 oplusA2Rl+1 oplusOF2 k2 oplusXl+1( 1113857 k3 oplusx3(B22)

amperefore

Pr Coll x3 x(i)41113872 1113873|Ei fits into CASE 2andEland middot middot middotandE1andF⊢QF1113960 1113961le

Num(l)3 O

minus 1Xl+1 oplusy3 oplusO

minus 1Xi1113872 1113873

N2 (B23)

By the above for any j we have

Pr Coll x3 x(i)41113872 1113873|Ei fits into CASE jandEland andE1andF⊢QF1113960 1113961le

Num Ominus 1

Xl+1 oplusy3 oplusOminus 1

Xi1113872 1113873

N2 (B24)


where Num(Ominus 1Xl+1 oplusy3 oplusOminus 1Xi)N2 is denoted as B ampus

Pr Coll x3 x(i)41113872 1113873|Eland andE1andF⊢QF1113960 1113961

1113936

3j1 Pr Coll x3 x

(i)41113872 1113873andEiandEi fits into CASE j|Eland middot middot middotandEiminus 1andEi+1and middot middot middotandE1andF⊢QF1113960 1113961

Pr Ei1113858 1113859

le 11139443

j1B middot

Pr EiandEi fits into CASE j|Eland middot middot middotandEiminus 1andEi+1and middot middot middotandE1andF⊢QF1113858 1113859

Pr Ei1113858 1113859 B

(B25)

ampis means

1113944

x3isinDomF3 x4isinExtF(l)4 DomF4

Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859

le 1113944x3isinDomF3

1113944i1middotmiddotmiddotl

sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)

B24 Subcase 24 x3 isin DomF3DomF3 and x4 isin DomF4 By definition we have

1113944

x3isinExtF(l)

3 DomF3x4isinDomF4


1113944i1middotmiddotmiddotlx4isinDomF4

sgnprime(i) middot Pr Coll x(i)3 x41113872 1113873|Eland middot middot middotandE1andF⊢QF1113960 1113961

(B27)

where x(i)3 k3 oplusYi and Yi A1Li oplusA2Ri oplusOF2(k2 oplusXi)

are derived from the ith tuple (LiRiXi AiSiTi) isin G4 andsgnprime(i) 1 if and only if i is the smallest index satisfyingthese conditions (x(i)

3 notin ExtF3 We let y4 ImgF4(x4) andwrite Zi A1Ti oplusA2Si oplusOF5(k5 oplusAi) Now the followingequation holds y

(i)3 Ominus 1(Xi oplusZi) thus the collision re-

lation Xl+1 oplusOy(i)3 (k4 oplus x4) translates into

Xl+1 oplusXi Zi oplus (k4 oplus x4) Similar to subcase 23 we dis-tinguish two cases

(i) When Ei fits into CASE 1 we haveZi A1Ti oplusA2Si oplusOF5(k5 oplusAi) and F5(k5 oplusAi)

was uniform ampus

Pr Xl+1 oplusXi Zi oplus k4 oplus x4( 11138571113858 1113859 Pr F5 k5 oplusAi( 1113857 Ominus 1

Xl+1 oplusXi oplus k4 oplus x4 oplusA1Ti oplusA2Si( 11138571113960 1113961le1N

(B28)

ampis along with Pr[F2(k2 oplusXl+1)

Ominus 1(A1Ll+1 oplusA2Rl+1 oplus k3 oplus x3)]le 1N yields

Pr Coll x(i)3 x41113872 1113873|Ei fits intoCASE 1|Eland middot middot middotandE1andF⊢QF1113960 1113961le

1N

2 (B29)

(ii) When Ei fits into Case 3 let x(i)4 k4 oplusZi ampen

Xl+1 oplusXi Zi oplus k4 oplusx4 impliesXl+1 oplusXi x(i)4 oplusx4

Note that for the fixed Xl+1 Xi and x4 the numberof choices for x

(i)4 is at most 1 And for Yl+1 to collide

with x(i)3 the two collisions

A1Ti oplusA2Si oplusOF5(k5 oplusAi) k4 oplusx(i)4 and

A1Ll+1 oplusA2Rl+1 oplusOF2(k2 oplusXl+1) k3 oplusx(i)3 are re-

quired to happen


1N

2 (B30)

which follows


Using a counting similar to subcase 23 we obtain

1113944

x3isinExtF(l)

3 DomF3 x4isinDo mF4

Pr Coll x3 x4( 1113857|Eland andE1andF⊢QF1113858 1113859le 1113944i1middotmiddotmiddotlx4isinDomF4

sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)

B25 Subcase 25 x3 isin ExtF(l)3 DomF3 and

x4 isin ExtF(l)4 DomF4 By definition we have

1113944

x3isinExtF(l)

3 DomF3x4isinExtF(l)

4 DomF4

Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859 1113944i1l

sgn(i) middot sgn(j) middot Pr Coll x(i)3 x

(j)41113872 1113873|Eland middot middot middotandE1andF⊢QF1113960 1113961

(B32)

where

(1) x(i)3 k3 oplusYi and Yi A1Li oplusA2Ri oplusOF2(k2 oplusXi)

are derived from the ith tuple (LiRiXi AiSiTi) isin G4and sgn(i) 1 if and only if i is the smallest indexsatisfying these conditions and x

(i)3 notin DomF3

(2) x(j)4 k4 oplusZj and Zj A1Tj oplusA2Sj oplusOF5(k5 oplusAj)

are derived from the jth tuple (LjRjXj

AjSjTj) isin G4 and sgnprime(i) 1 if and only if j is thesmallest index satisfying these conditions andx

(j)4 notin DomF4

(i) If ilt j then we utilize the constraintXl+1 oplusOy

(i)3 Xj oplusOy

(j)3 and follow the same

line as the analysis of subcase 23 ampis shows thenumber of choices for y

(j)3 is

Num3(Ominus 1Xl+1 oplusy(i)3 oplusXj) thus the upper

bound Num3(Ominus 1Xl+1 oplusy(i)3 oplusXj)N2 for each

(x(i)3 x

(j)4 )

(ii) If igt j then we utilize the constraintXl+1 oplusOy

(i)3 Xj oplusOy


line as the analysis of subcase 24 ampen establishthe bound 1N2 for each (x

(i)3 x

(j)4 )

In all

1113944

x3isinExtF(l)3 DomF3 x4isinExtF

(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1

Xl+1 oplusy(i)3 oplusXj1113872 1113873

N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)

summing over the five cases yields

Ek[pcoll]le1113936x4isinG3F4

Num(l)3 O

minus 1Xl+1 oplus k4 oplusO

minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)

Clearly once such collisions do not happen the men-tioned requirements are met and we havex4 notin DomF4 cupExtF

(l)4 cupG3F4 Moreover as

(Ll+1Rl+1Xl+1 Al+1Sl+1Tl+1) isin G1 we have (a)x

(l+1)5 notin DomF5 and (b) |εQ(Al+1)| 1 ie the position of

x(l+1)5 cannot be ldquotakenrdquo by previous tuples By these


Ek Pr El+1andCASE 2|Eland middot middot middotandE1andF⊢QF1113858 11138591113858 1113859geqf + e

(l)3

Nminus

1113936x4isinG3F4Num(l)

3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)

B3 Case 3 In this case since x(l+1)2 notin DomF2

|εQ(Xl+1)| 1 andx3 k3 oplusYl+1 notin DomF3 cupExtF

(l)3 cupG2F3

Pr KAF extends Ll+1RL+1Xl+1 Al+1Sl+1Tl+1( 11138571113858 1113859 Pr F2 x(l+1)21113872 1113873 O

minus 1A1Ll+1 oplusA2Rl+1 oplusYl+1( 1113857andF3 x3( 1113857 O

minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)

ampus by lowering bounding the probability of collidingwith such ldquobadrdquo (x3 x4) we would derive the result for thiscase Similar to Case 2 by symmetry we write

pcoll 1113944

x3isinDo mF3 cupExtF(l)

3 cupG2F3

x4isinDo mF4 cupExtF(l)4

x3 isin DomF3 cupExtF(l)3 Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859

(B37)

Let x(l+1)5 k5 oplusAl+1 Similar to subsection B2 we also

distinguish five subcases and the arguments are similar bysymmetry

(1) x3 isin G2F3 and x4 isin DomF4 cupExtF(l)4 In this case

utilizing the constraint Al+1 oplusOy4 k3 oplusy3 we have

1113944

xisinG2F3 x4isinDomF4 cupExtF(l)4

Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859le1113936x3isinG3F3

Num(l)4 O

minus 1Al+1 oplus k3 oplusx3( 11138571113872 1113873

N (B38)

where Num(l)4 (y4) | x41113864 isin DomF4 cup

ExtF(l)4 F4(x4) y4|

(2) x3 isin DomF3 and x4 isin DomF4 Define

αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3

x3 oplusOy4 oplusA| Since k3 is uniform in 2n values wehave

Ek 1113944x3isinDomF3 x4isinDomF4

Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859⎡⎢⎢⎢⎣ ⎤⎥⎥⎥⎦leEk αminus

34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)

(3) x3 isin ExtF(l)3 DomF3 and x4 isin DomF4 By defi-

nition we have

1113944x3isinExtF3DomF3x4isinDomF4

Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859 1113944i1lx4isinDomF4


(B40)


where x(i)3 k3 oplusYi and

Yi A1Li oplusA2Ri oplusF2(k2 oplusXi) are derived from theith tuple (LiRiXi AiSiTi) isin G4 and sgnprime(i) 1 if andonly if $i$ is the smallest index satisfying theseconditions and x

(i)3 notin DomF3

ampen similarly to the analysis for the subcase 23 insubsection B2

(i) When Ei fits into Case 1 it can be shown Pr[Coll(x

(i)3 x4)|Ei fits intoCase 1andEland middot middot middotandE1 andF

⊢QF]le 1N2(ii) When Ei fits into Case 3 it can be shown

Al+1 oplusOy4 Ai oplusOy(i)4 By this

Pr Coll x(i)3 x41113872 1113873|Ei fits into CASE 2andEland middot middot middotandE1andF⊢QF1113960 1113961

Num(l)4 O

minus 1Al+1 oplusy4 oplusO

minus 1Ai1113872 1113873

N2 (B41)

By the above and a similar calculation we have

1113944x3isinExtF3DomF3 x4isinDomF4

Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859le 1113944x4isinDomF4

1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)

(4) x3 isin DomF3 and x4 isin ExtF(l)4 DomF4 By defi-

nition we have

1113944x3isinDomF3 x4isinExtF4DomF4


sgn(i) middot Pr Coll x3 x(i)41113872 1113873|Eland middot middot middotandE1andF⊢QF1113960 1113961

(B43)

It also holds Pr[Coll(x3 x4(i))|Ei fits into Case 1andEland middot middot middotandE1andF⊢QF]le 1N2 On the contrary whenEi fits into CASE 2 it can be shown as

Al+1 oplusAi x(i)3 oplusx3 which helps cinch

Pr[Coll(x3 x4 (i))|Ei fits into Case 1andEland middot middot middotandE1andF⊢QF]le 1N2 amperefore

1113944


Pr Coll(x3 x4)|Eland middot middot middotandE1andF⊢QF1113858 1113859leqfe

(l)4

N2 le

qfqe

N2 (B44)

(5) x3 isin ExtF(l)3 DomF3 and x4 isin ExtF

(l)4 DomF4

Similar to the last subcase in subsection B2 it can beshown as

1113944


(l)4 DomF4

Pr Coll x3 x4( 1113857|Eland middot middot middotandE1andF⊢QF1113858 1113859le 1113944j1l

1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)


ampe above gives rise to the following bound


(l)4

Nminus


4 Al+1 oplus k3 oplusx3( 1113857

Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)

B4 Summary forEG1 Summing over the three cases results

in

Ek Pr El+1|Eland middot middot middotandE1andF⊢QF1113858 11138591113858 1113859ge 1 minusqf + e

(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

minus1113936x4isinG3F4

Num(l)3 O

minus 1Xl+1 oplus k4 oplus x4( 11138571113872 1113873 + 1113936x3isinG2F3

Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)

Note that |G2F3|le |G2| β1 |G3F4|le |G3| β2 and(b) |G1|le qe amperefore

Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠ middot1

N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)

We finally consider 1113936qeminus 1l0 Bl To this end we note that by

definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe

minus 1113944y4isin 01 n

Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O

minus 1Xl+1 oplus k4 oplus x4( 11138571113872 1113873le 1113944

x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O

minus 1Al+1 oplus k3 oplusx3( 11138571113872 1113873le qf + qe1113872 1113873 G2F

11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

B5 Analysis for G2 G3 and G4 Lower boundingPr[EG2andEG3

EG1andF⊢QF] consider EG2

first we lower boundthe probability that it is equivalent to F4 and F5 satisfying2|G2| new and distinct equations To this end again wedefine a predicate Bad1(F3) which holds if there exists(LRX AST) isin G2 that fulfills one of the followingconditions

(i) ampe x4 value derived using F3 is in DomF4 iek4 oplusXoplusOF3(x3) isin DomF4 wherex3 k3 oplusA1LoplusA2Roplus ImgF2(k2 oplusX)

(ii) ampe Z value derived using F3 collides with the Zprimevalue of another tuple in G2 ie there exists(LlowastRlowastXlowast AlowastSlowastTlowast) isin G2 such thatXoplusOF3(x3) Xprime oplusF3(x3prime) wherex3prime k3 oplusA1Lprime oplusA2Rprime oplus ImgF2(k2 oplusX)

(iii) ampe Z value derived using F3 collides with the Z

value of a tuple in G1 or G3 ie there exists(LlowastRlowastXlowast AlowastSlowastTlowast) isin G1 cupG3 such thatXoplusOF3(x3) Slowast oplusF5(k5 oplusAlowast )

We note that for each (LRX AST) isin G2 letx3 k3 oplusA1LoplusA2RoplusOImgF2(k2oplusX) then the followingequation holds x3 notin DomF3 (otherwise fulfilling (C-2)) andx3 isin ExtF




uniform amperefore for this (LRX AST)

(i) ampe probability that condition (i) is fulfilled is atmost qfN

(ii) For each (LRX AST) isin G2 if the corresponding x3primedoes not equal x3 then the probability ofXoplusOF3(x3) Xprime oplusOF3(x3prime) is at most 1N oth-erwise since the two tuples are distinct it has to beXneX and thus XoplusOF3(x3)neXprime oplusOF3(x3prime)

(iii) For each (LlowastRlowastXlowast Alowast SlowastTlowast ) isin G1 cupG3 theprobability of

XoplusOF3 x3( 1113857 A1Tlowast oplusA2Slowast oplusOF5 k5 oplusAlowast( 1113857

(B52)

is at most 1N Summing over the above yields


G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

It is not hard to see that conditioned on Bad1(F3) the |G2|

tuples inG2 indeed give rise to |G2| distinct valuesZ1 Z|G2|

(otherwise condition (ii) is fulfilled) for which F4(k4 oplusZ1) F4(k4 oplusZ|G2||) all remain undetermined (otherwisecondition (i) or (iii) fulfilled) Furthermore at the ldquoright siderdquothey also give rise to |G2| distinct values A1 middot middot middot A|G2| withF5(k5 oplusA1) F5(k5 oplusA|G2|) all undetermined

(i) A1 A|G2| are also distinct otherwise fulfilling(C-5)

(ii) None of k5 oplusA1 k5 oplusA|G2| is in DomF5 oth-erwise fulfilling (C-1)

(iii) Conditioned onEG1

F5(k5 oplusA1) F5(k5 oplusA|G2|) remain

undetermined otherwise some Ai is shared be-tween tuples in G1 and G2 and (C-5) is fulfilled


satisfying 2|G2| new equations the probability of which doesnot exceed 1N2|G2|


bysymmetry we define a predicate Bad1(F4) on F4 whichholds if there exists (LRX AST) isin G3 such that one of thefollowing conditions is fulfilled

(i) ampe induced value x3 is in DomF3 iek3 oplusAoplusOF4(x4) isin DomF3 wherex4 k4 oplusA1ToplusA2Soplus ImgF5(k5 oplusA) ampe proba-bility is at most qfN in total


(ii) ampe induced Y collides with the Yprime value of anothertuple in G3 ie there exists a tuple (LprimeRprimeXprimeAprimeSprimeTprime) isin G3 such that AoplusOF4(x4) Aprime oplusOF4(x4prime) wherex4prime k4 oplusA1Tprime oplusA2Sprime oplus ImgF5(k5 oplusAprime) ampeprobability is at most |G3|N in total

(iii) ampe induced Y collides with the Ylowast value of a tuplein G1 or G2 ie there exists(LlowastRlowastXlowast Alowast SlowastTlowast ) isin G1 cupG2 such thatAoplusOF4(x4) A1Llowast oplusA2Rlowast oplusF2(k2 oplusX) ampeprobability is at most |G1| + |G2|N in total

Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)

and conditioned on Bad1(F4) tuples in G3 give rise to |G3|

distinct values Y1 Y|G3| while the assumptionBad(F1 F6) ensures that they give rise to |G3| distinct values

X1 X|G3| ampus the event EG3is equivalent to F2 and F3

satisfying 2|G3| new equations amperefore conditioned onEG1andF⊢QF we have

Pr EG2andEG3

|EG1andF⊢QF1113960 1113961

ge 1 minus Pr Bad1 F2( 11138571113858 1113859 minus Pr Bad1 F3( 11138571113858 1113859( 1113857 middot Pr EG2andEG3

|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)


inition for any tuple (LRX AST) isin G4 let x2 k2 oplusX andx5 k5 oplusA then we have both x2 notin DomF2 andx5 notin DomF5 Moreover conditioned on EG1

andEG2andEG3


EG2 or EG3

implies F2(x2) beingfixed then a tuple in G1G2 or G3 would share the same X

value with a tuple in G4 contradicting the definition of G1or fulfilling (C-4) or (C-5) respectively)

For these tuples we would lower bound the probabilitythat they induce 2|G4| new and distinct equations on F3 andF4 To this end we define a predicate Bad3(F2 F5) on F2 andF5 which holds if there exists a tuple (LRX AST) isin G4 suchthat if we let x2 k2 oplusX and x5 k5 oplusA then one of thefollowing conditions is fulfilled

(1) At the ldquoleft siderdquo concerning F2(x2)

(i) ampe induced x3 value falls in DomF3 iek3 oplusA1LoplusA2RoplusF2(x2) isin DomF3 As dis-cussed F2(x2) remains random thus theprobability is clearly at most qfN for each(LRX AST) isin DomG4

(ii) ampe induced Y value collides with some ldquopre-viously determinedrdquo Yprime ie there exists anothertuple (LprimeRprimeXprime AprimeSprimeTprime) isin G1 cupG2 cupG3 thatA1LoplusA2RoplusF2(x2) A1Lprime oplusA2Rprime oplusF2(x2prime) Itneeds to be XneXprime again using the randomnessof F2(x2) we obtain the upper bound|G1| + |G2| + |G3|Nle qeN for each(LRX AST) isin G4

(2) At the ldquoright siderdquo concerning F5(x5) similar to theabove by symmetry

k4 oplusA1ToplusA2SoplusOF5 x5( 1113857 isin DomF4 (B56)

For each (LRX AST) isin G4 the probability is at mostqfN

(i) ampere exists another tuple(LprimeRprimeXprime AprimeSprimeTprime) isin G1 cupG2 cupG3 such thatA1ToplusA2SoplusOF5(x5) A1Tprime oplusA2Sprime oplusOF5(x5prime)ampe upper bound is |G1| + |G2| + |G3|Nle qeNfor each (LRX AST) in G4


Pr Bad3 F2 F5( 1113857|EG1andEG2andEG3andF⊢QF1113960 1113961le 2

G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)


Similar to the analysis for EG2andEG3



Pr EG4|EG1andEG2andEG3andF⊢QF1113960 1113961

ge 1 minus Pr Bad1 F2 F5( 11138571113858 1113859( 1113857 middot frac1N2 G4| | ge 1 minus

2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability

No data were used to support this study

Conflicts of Interest

ampe authors declare that they have no conflicts of interest

References

[1] A Sorkin ldquoLucifer a cryptographic algorithmrdquo Cryptologiavol 8 no 1 pp 22ndash42 1984

[2] D Coppersmith C Holloway S M Matyas and N Zunicldquoampe data encryption standardrdquo Information Security Tech-nical Report vol 2 no 2 pp 22ndash24 1997

[3] R Beaulieu D Shors J Smith S Clark and L Wingers ldquoampeSimon and Speck lightweight block ciphersrdquo in Proceedings ofthe 52nd Annual Design Automation Conference pp 1ndash6 SanFrancisco CA USA June 2015

[4] G Yang B Zhu V Suder M D Aagaard and G Gong ldquoampesimeck family of lightweight block ciphersrdquo in Proceedings ofCryptographic Hardware and Embedded Systems - CHES 2015-17th International Workshop pp 307ndash329 Saint-MaloFrance September 2015

[5] W Diffie and G Ledin ldquoSMS4 encryption algorithm forwireless networksrdquo IACR Cryptol ePrint Archvol 329 2008

[6] G Bose e 128-bit block cipher MARS Masterrsquos thesisFlorida International University Miami FL USA 2003

[7] K Nyberg ldquoGeneralized feistel networksrdquo in Proceedings ofAdvances in Cryptology -ASIACRYPTrsquo96 International Con-ference on the eory and Applications of Cryptology andInformation Security pp 91ndash104 Kyongju South Korea April1996

[8] T P Berger J Francq M Minier and G ampomas ldquoExtendedgeneralized feistel networks using matrix representation topropose a new lightweight block cipher lilliputrdquo IEEETransactions on Computers vol 65 no 7 pp 2074ndash20892016

[9] S Vaudenay ldquoOn the Lai-Massey schemerdquo in Proceedings ofAdvances in Cryptology -ASIACRYPT99 International Con-ference on the eory and Applications of Cryptology andInformation Security pp 8ndash19 Singapore November 1999

[10] J N Jr V Rijmen B Preneel and J Wandelle ldquoampe meshblock ciphersrdquo in Proceedings of Information Security Ap-plications 4th International Workshop pp 458ndash473 WISAJeju Island Korea August 2003

[11] P Junod and S Vaudenay ldquoFox a new family of block ci-phersrdquo in Proceedings of Selected Areas in Cryptography 11thInternational Workshop SAC pp 114ndash129 Waterloo Can-ada August 2004

[12] J Daemen and V Rijmen e Design of Rijndael - the Ad-vanced Encryption Standard(AES) Springer Berlin Germany2nd edition 2020

[13] J Guo T Peyrin and A Poschmann ldquoampe Photon family oflightweight hash functionsrdquo in Proceedings of Advances inCryptologymdashCRYPTO 2011 - 31st Annual Cryptology Con-ference pp 222ndash239 Santa Barbara CA USA August 2011

[14] K Aoki T Ichikawa M Kanda et al ldquoCamellia a 128-bitblock cipher suitable for multiple platforms- design andanalysisrdquo In in Proceedings of Selected Areas in Cryptography7th Annual International Workshop SAC pp 39ndash56 OntarioCanada August 2000

[15] M Luby and C Rackoff ldquoHow to construct pseudo-randompermutations from pseudo-random functionsrdquo in Proceedingsof the Advances in CryptologymdashCRYPTO rsquo85 p 447 SantaBarbara CA USA August 1985

[16] J Patarin ldquoSecurity of random feistel schemes with 5 or moreroundsrdquo in Proceedings of the Advances in Cryptology-CRYPTO 2004 pp 106ndash122 Santa Barbara CA USA August2004

[17] V T Hoang and P Rogaway ldquoOn generalized feistel net-worksrdquo in Proceedings of Advances in Cryptology-CRYPTO2010 pp 613ndash630 Springer Santa Barbara CA USA August2010

[18] M Barbosa and P Farshim ldquoampe related-key analysis of feistelconstructionsrdquo in Proceedings of the International Workshopon Fast Software Encryption FSE 2014 pp 265ndash284 LondonUK March 2014

[19] C Gentry and Z Ramzan ldquoEliminating random permutationoracles in the even-mansour cipherrdquo in Proceedings of Ad-vances in Cryptology - ASIACRYPT 2004 10th InternationalConference on the eory and Application of Cryptology andInformation Security pp 32ndash47 Jeju Island Korea December2004

[20] C Guo and L Wang ldquoRevisiting key-alternating feistel ci-phers for shorter keys and multi-user securityrdquo in Proceedingsof Advances in CryptologymdashASIACRYPT 2018 - 24th In-ternational Conference on the eory and Application ofCryptology and Information Security pp 213ndash243 BrisbaneAustralia December 2018

[21] J Patarin ldquoHow to construct pseudorandom and superpseudorandom permutations from one single pseudorandomfunctionrdquo in Proceedings of Advances in Cryptology -EUROCRYPT rsquo92 Workshop on the eory and Application ofof Cryptographic Techniques pp 256ndash266 BalatonfuredHungary May 1992

[22] S Chen and J Steinberger ldquoTight security bounds for key-alternating ciphersrdquo in Proceedings of the Advances inCryptology - EUROCRYPT 2014 - 33rd Annual InternationalConference on the eory and Applications of CryptographicTechniques pp 327ndash350 Copenhagen Denmark May 2014


[23] V T Hoang and S Tessaro ldquoKey-alternating ciphers and key-length extension exact bounds and multi-user securityrdquo inProceedings of the CRYPTO 2016 pp 3ndash32 Berlin GermanyAugust 2016

[24] Y Dodis J Katz J Steinberger A ampiruvengadam andZ Zhang ldquoProvable security of substitution-permutationnetworksrdquo cryptology eprint archiverdquo 2017 httpeprintiacrorg2017016pdf Report 2017016

[25] B Cogliati and Y Seurin ldquoBeyond-birthday-bound securityfor tweakable even-mansour ciphers with linear tweak and keymixingrdquo in Proceedings of the International Conference on theeory and Application of Cryptology and InformationSecurityASIACRYPT 2015 pp 134ndash158 Auckland NewZealand December 2015

[26] B Cogliati R Lampe and Y Seurin ldquoTweaking even-man-sour ciphersrdquo in Proceedings of the Annual Cryptology Con-ference CRYPTO 2015 pp 189ndash208 Santa Barbara CA USAAugust 2015


Compared to the Feistel structure the diffusion of the SPNstructure might be faster However the decryption of an SPNstructure is usually different from that of the encryption thusmore resources might be required for the implementation Inrecent years there have been many ciphers using the SPNstructure such as AES [12] and PHOTON [13] Additionallythe SPN structure is often adopted as round functions in thedesign of Feistel ciphers such as SM4 [5] and Camellia [14]

Traditionally the security of block ciphers is defined as theindistinguishability from random permutations when the keysare random and secret ampis is known as pseudorandomnessHowever in some block cipher-based schemes such as hashfunctions the underlying block ciphersmay not have secret keysampe security arguments for these schemes thereby cannot bebased on the pseudorandomness of the underlying ciphers Toremedy this theory community usually assumes their un-derlying ciphers as ideal ciphers ie sets of independent randompermutations indexed by the keys and then argues the securityof the whole schemes By this we expect practical block ciphersto be as secure as ideal ciphers and a proof for such security isthe final goal of the theory community However given the stateof the art the only choice is to replace some of the underlyingcomponents of the block ciphers by idealized oracles and thenargue the closeness of the obtained idealized block ciphers andthe ideal ciphersampe security proved in this way cannot be usedas a guarantee for the actual security of practical block ciphersbut it is still helpful to deepen the understanding of that andpromote theoretical research to the ultimate goal

Luby and Rackoff [15] proposed LubyndashRackoff (LR)scheme in 1985 ampey also proved that the balanced Feistelstructure covering 3 rounds is a pseudorandom permutationand that covering 4 rounds is a super-pseudorandom per-mutation Later the LR scheme has attracted a lot of at-tention and become the most popular model for Feistelciphers in which the round functions are set as randomfunctions Following [15] a long series of work establishedbetter security (maybe using a larger number of rounds)[16ndash18] Significantly Gentry and Ramzan [19] proved thatthe Feistel cipher covering 4 rounds without keys is secureagainst 2n2 queries On the basis Guo and Wang [20]showed that 4-round key-alternating Feistel (KAF) using thesame round function is secure against 2n2 queries iebirthday-bound security Guo also proved that the 6-roundkey-alternating Feistel (KAF) using the independent roundfunctions and appropriate keys is secure up to 22n3 queriesie beyond-birthday-bound security

Iterative structures in block ciphers mainly adopt thethree structures the Feistel structure the SPN structure andthe LaindashMassey scheme ampe solidification of iterativestructure may bring security risks once backdoors of someiterative structures are founded a series of block ciphers thatadopt the structure would be effectively attacked and will notbe secure any more ampis promotes the diversity research ofiterative structures In this paper we extend the originalFeistel structure and propose an extended Feistel (E-Feistel)structureampis paper mainly focuses on studying the securityof the E-Feistel structure from the perspective of theoreticalsecurity of the structure using H-coefficient technique ampemain contributions are as follows

(1) We propose a new iterative structure the E-Feistelstructure which also has consistent encryption withdecryption

(2) For birthday-bound security we prove that the 4-round KAEF with the same round function is secureup to 2n2 queries

(3) For beyond-birthday-bound security we prove thatthe 6-round KAEF with independent round func-tions is secure up to 22n3 queries

ampis paper is organized as follows We introduce thenotations in Section 2 Section 3 presents the extendedFeistel structureampen Sections 4 and 5 respectively presentour results on 4-round KAESF and 6-round KAEF and theirsecurity proofs Section 6 concludes this paper

2 Notations

Let F2 denote the binary field and Fn2 denote the

nminus dimensional vector space over F2 amproughout this paper(x1 x2 xn) always corresponds to a column vector Letc (c1 c2 cn) isin Fn

2 d (d1 d2 dn) isin Fn2 ampen the

point product of two vectors c and d is calculated as

c middot d c1d1 oplus c2d2 oplus middot middot middot oplus cndn (1)

denoted as cTd

21 e H-Coefficient Technique We use Patarinrsquos H-co-efficient technique [21 22] to prove the birthday-boundsecurity of 4-round KAEF and the beyond-birthday-boundsecurity of 6-round KAEF amperefore we sum up the in-teraction between distinguisher D and its oracles in thequeries of transcripts Suppose D enquiring the ith oracle(KAEFF

k(i) or P(i)) for q times a recordQEi

(L1R1 S1T)1 (LqiRqi

SqiTqi

)1113966 1113967 can be obtainedwhere (LjRj SjTj) represents the queries and answers ofKAEF Similarly the queries made to fi are recorded asQfi

(xi1 yi1) (xip yip)1113966 1113967 denoting the answer yij

obtained by querying fi with xij Let QE (QE1 QEm

)

and QF (Qf1 Qft

) ampe transcript of the distinguisherD is denoted as τ (QEQF)

Given a set Qfiof function queries and a function fi we

say that fi extends Qfi denoted fi⊢Qfi

if fi(x) y for all(x y) isin Qfi

Similarly given a transcript of permutationqueries QEi

and a permutation P(i) we say P(i) extends QEi

denoted P(i)⊢QEi if P(i)(LR) ST for all (LR ST) isin QEi

ampe latter definition also extends to the t-round KAEF builton F and a key k(i) in that case we write KAEFF

k(i)⊢QEi

Finally for QF (Qf1 Qft

) and F (f1 ft) iff1⊢Qf1and middot middot middotandft⊢Qft

then F⊢QFWith regard to all achievable transcripts τ which rep-

resent an achievable record for queries of a series of oracles(F P(1) P(m)) or (FKAEFF

k(1) KAEFFk(m) ) the

probability that D interacts with the real world and the idealworld is denoted as Prre(τ) and Prid(τ) respectively Prre(τ)

and Prid(τ) are defined formally as follows


Prre(τ) Pr k(1)

k(m)

1113872 1113873larr$

(K)m



k(m)⊢QEmandF⊢QF1113876 1113877

Prid(τ) Pr P(1)

P(m)

1113872 1113873larr$

(P(2n))m

Flarr$ (F(n))t P


andF⊢QF1113876 1113877

(2)















2 is defined as



2 to Fn2 ampen the






A A1 A2

A2 A11113890 1113891

B B

T1 B

T2

BT2 B

T1

⎡⎢⎣ ⎤⎥⎦

(7)









A middot BT

0 A1B2 oplusA2B1

A2B1 oplusA1B2 01113890 1113891 (8)




2e + 4qeqf

N (9)



2e + 4qeqf

N (10)











2e

N (11)



ExtF def x isin 0 1











N


N

(13)




(14)




A1 A2

B1 B2

f






N+

q2e

N+2q

2e

N

le7q

2e + 2qeqf

N

(15)


(L1R1 S1T)1 (LqeRqe

SqeTqe



⋮

xqe( )




⋮

xqe( )



(16)



(i)21113872 1113873 XiandF x

(i)31113872 1113873 Yi1113960 1113961

(17)


(1)2 x

(qe)2 x

(1)3 x



(j)2 or x

(i)3 x

(j)3 for some ine j




F(x(qe)2 ) F(x

(1)3 ) F(x



Pr F x(i)21113872 1113873 XiandF x

(i)31113872 1113873 Yi1113960 1113961

1N

21113888 1113889 (18)


Prre(τ k)

Prid(τ k)


k⊢QF|F⊢QF1113960 11139611113872 1113873


qe minus 1i0 1N2

minus i1113872 1113873

gePr KAEFSFF


1113937qe minus 1i0 1N2

minus i

ge 1 minus7q

2e + 2qeqfN1113872 1113873 1N2qe1113872 1113873

1113937qe minus 1i0 1N2

minus i1113872 1113873

ge 1 minus7q

2e + 2qeqf


q2e

N21113888 1113889ge 1 minus

7q2e + 2qeqf

Nminus

q2e

N2

(19)









kj are independent





3e + 13qeq

2f + 22q

2eqf

N2 +

2r 8qeq2f + 2q

2eqf1113872 1113873

N2 (20)




3e + 13qeq

2f + 22q

2eqf + 2r 8qeq

2f + 2q

2eqf1113872 1113873

N2 (21)


QF2 QF3

QF4 QF5

QF6) |QE| qe and

|QFi| qfi


















2f2


2



2fN

2 As a result



2f

N2 (22)







(23)


α1(k) def


11138681113868111386811138681113868

11138681113868111386811138681113868

α2(k) def


11138681113868111386811138681113868

11138681113868111386811138681113868

α23(k) def



11138681113868111386811138681113868

11138681113868111386811138681113868

α45(k) def



11138681113868111386811138681113868

11138681113868111386811138681113868

(24)




and(x5 y5) isin QF5











A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1

B1

B2

B2

B1 B2

L R

S T

k1

k2

k3

k4

k5

k6

F1

F2

F3

F4

F5

F6


A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1 B2

L R

S T

k1

k2

k3

k4

F

F

F

F







Lemma 3 We have

PrF1 F6Bad F1 F6( 1113857|F1⊢QF1

andF6⊢QF61113960 1113961le

qeq2f

N2 +

4q2eqf

N2 +

α23(k) + α45(k)

N+

qf α1(k) + α2(k)( 1113857

N (25)



n KAEFlowastE⊢Q


i 1 2 3 4 5 61113876 1113877 (26)



p τ F1 F6( 1113857



ampen we have

Prre(τ k)


F6⊢QF61113960 1113961 minus EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 1113961 (28)




EF1 F6 k ε F1 F6 k( 11138571113858 1113859le7q

3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2 (29)







(30)






We denote EG1 EG2

EG3 and EG4




|F⊢QF1113960 1113961 (31)







N1113888 1113889 1 minus

qf + qe + β2N

1113888 11138891

N2 (32)



qf + qe

Nminus O

2rmiddot q

2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (33)


qf + qe

Nminus O

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (34)


Pr EG1|F⊢QF1113960 1113961ge 1113945

G1| |

l11 minus

β1N

minusβ2N

minus O2r

middot q2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (35)



2rmiddot qeq

2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qf + 2qe1113872 1113873 β1 + β2( 1113857

N⎛⎝ ⎞⎠

1N

2|G1| (36)

To analyze EG2 EG3



| |EG3| |EG4

| O(2r middot q2N)


can be



Pr EG2andEG3|EG1


N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )


2β3 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G4| |

(37)



















most 1N



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (38)















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (39)




andF⊢QF we have


Pr EG2andEG3




N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(40)



andEG2andEG3


EG2 and EG3












andF⊢QF1113960 1113961le 2G4

11138681113868111386811138681113868111386811138681113868 middot qf + qe1113872 1113873

Nle2β3 middot qf + qe1113872 1113873

N (41)





1

N2 G4| |ge 1 minus

2β3 qf + qe1113872 1113873


1

N2 G4| |

(42)




N2 G1| |+G2| |+G3| |+G4| |( )

ge 1 minus ε1 + ε2 + ε3( 1113857( 11138571

N2qe

Since G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

1113868111386811138681113868 + G41113868111386811138681113868

1113868111386811138681113868 qe1113872 1113873

(43)





p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which


N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)


F6⊢QF6]



1113868111386811138681113868


1113868111386811138681113868


1113868111386811138681113868

(46)



Ek β11113858 1113859leqeqf

N (47)



and


(48)



N (49)



N+ α1(k) (50)





Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References





























Prre(τ) Pr k(1)

k(m)

1113872 1113873larr$

(K)m



k(m)⊢QEmandF⊢QF1113876 1113877

Prid(τ) Pr P(1)

P(m)

1113872 1113873larr$

(P(2n))m

Flarr$ (F(n))t P


andF⊢QF1113876 1113877

(2)















2 is defined as



2 to Fn2 ampen the






A A1 A2

A2 A11113890 1113891

B B

T1 B

T2

BT2 B

T1

⎡⎢⎣ ⎤⎥⎦

(7)









A middot BT

0 A1B2 oplusA2B1

A2B1 oplusA1B2 01113890 1113891 (8)




2e + 4qeqf

N (9)



2e + 4qeqf

N (10)











2e

N (11)



ExtF def x isin 0 1











N


N

(13)




(14)




A1 A2

B1 B2

f






N+

q2e

N+2q

2e

N

le7q

2e + 2qeqf

N

(15)


(L1R1 S1T)1 (LqeRqe

SqeTqe



⋮

xqe( )




⋮

xqe( )



(16)



(i)21113872 1113873 XiandF x

(i)31113872 1113873 Yi1113960 1113961

(17)


(1)2 x

(qe)2 x

(1)3 x



(j)2 or x

(i)3 x

(j)3 for some ine j




F(x(qe)2 ) F(x

(1)3 ) F(x



Pr F x(i)21113872 1113873 XiandF x

(i)31113872 1113873 Yi1113960 1113961

1N

21113888 1113889 (18)


Prre(τ k)

Prid(τ k)


k⊢QF|F⊢QF1113960 11139611113872 1113873


qe minus 1i0 1N2

minus i1113872 1113873

gePr KAEFSFF


1113937qe minus 1i0 1N2

minus i

ge 1 minus7q

2e + 2qeqfN1113872 1113873 1N2qe1113872 1113873

1113937qe minus 1i0 1N2

minus i1113872 1113873

ge 1 minus7q

2e + 2qeqf


q2e

N21113888 1113889ge 1 minus

7q2e + 2qeqf

Nminus

q2e

N2

(19)









kj are independent





3e + 13qeq

2f + 22q

2eqf

N2 +

2r 8qeq2f + 2q

2eqf1113872 1113873

N2 (20)




3e + 13qeq

2f + 22q

2eqf + 2r 8qeq

2f + 2q

2eqf1113872 1113873

N2 (21)


QF2 QF3

QF4 QF5

QF6) |QE| qe and

|QFi| qfi


















2f2


2



2fN

2 As a result



2f

N2 (22)







(23)


α1(k) def


11138681113868111386811138681113868

11138681113868111386811138681113868

α2(k) def


11138681113868111386811138681113868

11138681113868111386811138681113868

α23(k) def



11138681113868111386811138681113868

11138681113868111386811138681113868

α45(k) def



11138681113868111386811138681113868

11138681113868111386811138681113868

(24)




and(x5 y5) isin QF5











A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1

B1

B2

B2

B1 B2

L R

S T

k1

k2

k3

k4

k5

k6

F1

F2

F3

F4

F5

F6


A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1 B2

L R

S T

k1

k2

k3

k4

F

F

F

F







Lemma 3 We have

PrF1 F6Bad F1 F6( 1113857|F1⊢QF1

andF6⊢QF61113960 1113961le

qeq2f

N2 +

4q2eqf

N2 +

α23(k) + α45(k)

N+

qf α1(k) + α2(k)( 1113857

N (25)



n KAEFlowastE⊢Q


i 1 2 3 4 5 61113876 1113877 (26)



p τ F1 F6( 1113857



ampen we have

Prre(τ k)


F6⊢QF61113960 1113961 minus EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 1113961 (28)




EF1 F6 k ε F1 F6 k( 11138571113858 1113859le7q

3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2 (29)







(30)






We denote EG1 EG2

EG3 and EG4




|F⊢QF1113960 1113961 (31)







N1113888 1113889 1 minus

qf + qe + β2N

1113888 11138891

N2 (32)



qf + qe

Nminus O

2rmiddot q

2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (33)


qf + qe

Nminus O

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (34)


Pr EG1|F⊢QF1113960 1113961ge 1113945

G1| |

l11 minus

β1N

minusβ2N

minus O2r

middot q2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (35)



2rmiddot qeq

2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qf + 2qe1113872 1113873 β1 + β2( 1113857

N⎛⎝ ⎞⎠

1N

2|G1| (36)

To analyze EG2 EG3



| |EG3| |EG4

| O(2r middot q2N)


can be



Pr EG2andEG3|EG1


N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )


2β3 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G4| |

(37)



















most 1N



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (38)















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (39)




andF⊢QF we have


Pr EG2andEG3




N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(40)



andEG2andEG3


EG2 and EG3












andF⊢QF1113960 1113961le 2G4

11138681113868111386811138681113868111386811138681113868 middot qf + qe1113872 1113873

Nle2β3 middot qf + qe1113872 1113873

N (41)





1

N2 G4| |ge 1 minus

2β3 qf + qe1113872 1113873


1

N2 G4| |

(42)




N2 G1| |+G2| |+G3| |+G4| |( )

ge 1 minus ε1 + ε2 + ε3( 1113857( 11138571

N2qe

Since G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

1113868111386811138681113868 + G41113868111386811138681113868

1113868111386811138681113868 qe1113872 1113873

(43)





p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which


N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)


F6⊢QF6]



1113868111386811138681113868


1113868111386811138681113868


1113868111386811138681113868

(46)



Ek β11113858 1113859leqeqf

N (47)



and


(48)



N (49)



N+ α1(k) (50)





Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References



































2e

N (11)



ExtF def x isin 0 1











N


N

(13)




(14)




A1 A2

B1 B2

f






N+

q2e

N+2q

2e

N

le7q

2e + 2qeqf

N

(15)


(L1R1 S1T)1 (LqeRqe

SqeTqe



⋮

xqe( )




⋮

xqe( )



(16)



(i)21113872 1113873 XiandF x

(i)31113872 1113873 Yi1113960 1113961

(17)


(1)2 x

(qe)2 x

(1)3 x



(j)2 or x

(i)3 x

(j)3 for some ine j




F(x(qe)2 ) F(x

(1)3 ) F(x



Pr F x(i)21113872 1113873 XiandF x

(i)31113872 1113873 Yi1113960 1113961

1N

21113888 1113889 (18)


Prre(τ k)

Prid(τ k)


k⊢QF|F⊢QF1113960 11139611113872 1113873


qe minus 1i0 1N2

minus i1113872 1113873

gePr KAEFSFF


1113937qe minus 1i0 1N2

minus i

ge 1 minus7q

2e + 2qeqfN1113872 1113873 1N2qe1113872 1113873

1113937qe minus 1i0 1N2

minus i1113872 1113873

ge 1 minus7q

2e + 2qeqf


q2e

N21113888 1113889ge 1 minus

7q2e + 2qeqf

Nminus

q2e

N2

(19)









kj are independent





3e + 13qeq

2f + 22q

2eqf

N2 +

2r 8qeq2f + 2q

2eqf1113872 1113873

N2 (20)




3e + 13qeq

2f + 22q

2eqf + 2r 8qeq

2f + 2q

2eqf1113872 1113873

N2 (21)


QF2 QF3

QF4 QF5

QF6) |QE| qe and

|QFi| qfi


















2f2


2



2fN

2 As a result



2f

N2 (22)







(23)


α1(k) def


11138681113868111386811138681113868

11138681113868111386811138681113868

α2(k) def


11138681113868111386811138681113868

11138681113868111386811138681113868

α23(k) def



11138681113868111386811138681113868

11138681113868111386811138681113868

α45(k) def



11138681113868111386811138681113868

11138681113868111386811138681113868

(24)




and(x5 y5) isin QF5











A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1

B1

B2

B2

B1 B2

L R

S T

k1

k2

k3

k4

k5

k6

F1

F2

F3

F4

F5

F6


A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1 B2

L R

S T

k1

k2

k3

k4

F

F

F

F







Lemma 3 We have

PrF1 F6Bad F1 F6( 1113857|F1⊢QF1

andF6⊢QF61113960 1113961le

qeq2f

N2 +

4q2eqf

N2 +

α23(k) + α45(k)

N+

qf α1(k) + α2(k)( 1113857

N (25)



n KAEFlowastE⊢Q


i 1 2 3 4 5 61113876 1113877 (26)



p τ F1 F6( 1113857



ampen we have

Prre(τ k)


F6⊢QF61113960 1113961 minus EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 1113961 (28)




EF1 F6 k ε F1 F6 k( 11138571113858 1113859le7q

3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2 (29)







(30)






We denote EG1 EG2

EG3 and EG4




|F⊢QF1113960 1113961 (31)







N1113888 1113889 1 minus

qf + qe + β2N

1113888 11138891

N2 (32)



qf + qe

Nminus O

2rmiddot q

2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (33)


qf + qe

Nminus O

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (34)


Pr EG1|F⊢QF1113960 1113961ge 1113945

G1| |

l11 minus

β1N

minusβ2N

minus O2r

middot q2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (35)



2rmiddot qeq

2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qf + 2qe1113872 1113873 β1 + β2( 1113857

N⎛⎝ ⎞⎠

1N

2|G1| (36)

To analyze EG2 EG3



| |EG3| |EG4

| O(2r middot q2N)


can be



Pr EG2andEG3|EG1


N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )


2β3 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G4| |

(37)



















most 1N



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (38)















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (39)




andF⊢QF we have


Pr EG2andEG3




N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(40)



andEG2andEG3


EG2 and EG3












andF⊢QF1113960 1113961le 2G4

11138681113868111386811138681113868111386811138681113868 middot qf + qe1113872 1113873

Nle2β3 middot qf + qe1113872 1113873

N (41)





1

N2 G4| |ge 1 minus

2β3 qf + qe1113872 1113873


1

N2 G4| |

(42)




N2 G1| |+G2| |+G3| |+G4| |( )

ge 1 minus ε1 + ε2 + ε3( 1113857( 11138571

N2qe

Since G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

1113868111386811138681113868 + G41113868111386811138681113868

1113868111386811138681113868 qe1113872 1113873

(43)





p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which


N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)


F6⊢QF6]



1113868111386811138681113868


1113868111386811138681113868


1113868111386811138681113868

(46)



Ek β11113858 1113859leqeqf

N (47)



and


(48)



N (49)



N+ α1(k) (50)





Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References
































N+

q2e

N+2q

2e

N

le7q

2e + 2qeqf

N

(15)


(L1R1 S1T)1 (LqeRqe

SqeTqe



⋮

xqe( )




⋮

xqe( )



(16)



(i)21113872 1113873 XiandF x

(i)31113872 1113873 Yi1113960 1113961

(17)


(1)2 x

(qe)2 x

(1)3 x



(j)2 or x

(i)3 x

(j)3 for some ine j




F(x(qe)2 ) F(x

(1)3 ) F(x



Pr F x(i)21113872 1113873 XiandF x

(i)31113872 1113873 Yi1113960 1113961

1N

21113888 1113889 (18)


Prre(τ k)

Prid(τ k)


k⊢QF|F⊢QF1113960 11139611113872 1113873


qe minus 1i0 1N2

minus i1113872 1113873

gePr KAEFSFF


1113937qe minus 1i0 1N2

minus i

ge 1 minus7q

2e + 2qeqfN1113872 1113873 1N2qe1113872 1113873

1113937qe minus 1i0 1N2

minus i1113872 1113873

ge 1 minus7q

2e + 2qeqf


q2e

N21113888 1113889ge 1 minus

7q2e + 2qeqf

Nminus

q2e

N2

(19)









kj are independent





3e + 13qeq

2f + 22q

2eqf

N2 +

2r 8qeq2f + 2q

2eqf1113872 1113873

N2 (20)




3e + 13qeq

2f + 22q

2eqf + 2r 8qeq

2f + 2q

2eqf1113872 1113873

N2 (21)


QF2 QF3

QF4 QF5

QF6) |QE| qe and

|QFi| qfi


















2f2


2



2fN

2 As a result



2f

N2 (22)







(23)


α1(k) def


11138681113868111386811138681113868

11138681113868111386811138681113868

α2(k) def


11138681113868111386811138681113868

11138681113868111386811138681113868

α23(k) def



11138681113868111386811138681113868

11138681113868111386811138681113868

α45(k) def



11138681113868111386811138681113868

11138681113868111386811138681113868

(24)




and(x5 y5) isin QF5











A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1

B1

B2

B2

B1 B2

L R

S T

k1

k2

k3

k4

k5

k6

F1

F2

F3

F4

F5

F6


A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1 B2

L R

S T

k1

k2

k3

k4

F

F

F

F







Lemma 3 We have

PrF1 F6Bad F1 F6( 1113857|F1⊢QF1

andF6⊢QF61113960 1113961le

qeq2f

N2 +

4q2eqf

N2 +

α23(k) + α45(k)

N+

qf α1(k) + α2(k)( 1113857

N (25)



n KAEFlowastE⊢Q


i 1 2 3 4 5 61113876 1113877 (26)



p τ F1 F6( 1113857



ampen we have

Prre(τ k)


F6⊢QF61113960 1113961 minus EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 1113961 (28)




EF1 F6 k ε F1 F6 k( 11138571113858 1113859le7q

3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2 (29)







(30)






We denote EG1 EG2

EG3 and EG4




|F⊢QF1113960 1113961 (31)







N1113888 1113889 1 minus

qf + qe + β2N

1113888 11138891

N2 (32)



qf + qe

Nminus O

2rmiddot q

2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (33)


qf + qe

Nminus O

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (34)


Pr EG1|F⊢QF1113960 1113961ge 1113945

G1| |

l11 minus

β1N

minusβ2N

minus O2r

middot q2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (35)



2rmiddot qeq

2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qf + 2qe1113872 1113873 β1 + β2( 1113857

N⎛⎝ ⎞⎠

1N

2|G1| (36)

To analyze EG2 EG3



| |EG3| |EG4

| O(2r middot q2N)


can be



Pr EG2andEG3|EG1


N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )


2β3 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G4| |

(37)



















most 1N



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (38)















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (39)




andF⊢QF we have


Pr EG2andEG3




N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(40)



andEG2andEG3


EG2 and EG3












andF⊢QF1113960 1113961le 2G4

11138681113868111386811138681113868111386811138681113868 middot qf + qe1113872 1113873

Nle2β3 middot qf + qe1113872 1113873

N (41)





1

N2 G4| |ge 1 minus

2β3 qf + qe1113872 1113873


1

N2 G4| |

(42)




N2 G1| |+G2| |+G3| |+G4| |( )

ge 1 minus ε1 + ε2 + ε3( 1113857( 11138571

N2qe

Since G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

1113868111386811138681113868 + G41113868111386811138681113868

1113868111386811138681113868 qe1113872 1113873

(43)





p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which


N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)


F6⊢QF6]



1113868111386811138681113868


1113868111386811138681113868


1113868111386811138681113868

(46)



Ek β11113858 1113859leqeqf

N (47)



and


(48)



N (49)



N+ α1(k) (50)





Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References






























3e + 13qeq

2f + 22q

2eqf

N2 +

2r 8qeq2f + 2q

2eqf1113872 1113873

N2 (20)




3e + 13qeq

2f + 22q

2eqf + 2r 8qeq

2f + 2q

2eqf1113872 1113873

N2 (21)


QF2 QF3

QF4 QF5

QF6) |QE| qe and

|QFi| qfi


















2f2


2



2fN

2 As a result



2f

N2 (22)







(23)


α1(k) def


11138681113868111386811138681113868

11138681113868111386811138681113868

α2(k) def


11138681113868111386811138681113868

11138681113868111386811138681113868

α23(k) def



11138681113868111386811138681113868

11138681113868111386811138681113868

α45(k) def



11138681113868111386811138681113868

11138681113868111386811138681113868

(24)




and(x5 y5) isin QF5











A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1

B1

B2

B2

B1 B2

L R

S T

k1

k2

k3

k4

k5

k6

F1

F2

F3

F4

F5

F6


A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1 B2

L R

S T

k1

k2

k3

k4

F

F

F

F







Lemma 3 We have

PrF1 F6Bad F1 F6( 1113857|F1⊢QF1

andF6⊢QF61113960 1113961le

qeq2f

N2 +

4q2eqf

N2 +

α23(k) + α45(k)

N+

qf α1(k) + α2(k)( 1113857

N (25)



n KAEFlowastE⊢Q


i 1 2 3 4 5 61113876 1113877 (26)



p τ F1 F6( 1113857



ampen we have

Prre(τ k)


F6⊢QF61113960 1113961 minus EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 1113961 (28)




EF1 F6 k ε F1 F6 k( 11138571113858 1113859le7q

3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2 (29)







(30)






We denote EG1 EG2

EG3 and EG4




|F⊢QF1113960 1113961 (31)







N1113888 1113889 1 minus

qf + qe + β2N

1113888 11138891

N2 (32)



qf + qe

Nminus O

2rmiddot q

2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (33)


qf + qe

Nminus O

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (34)


Pr EG1|F⊢QF1113960 1113961ge 1113945

G1| |

l11 minus

β1N

minusβ2N

minus O2r

middot q2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (35)



2rmiddot qeq

2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qf + 2qe1113872 1113873 β1 + β2( 1113857

N⎛⎝ ⎞⎠

1N

2|G1| (36)

To analyze EG2 EG3



| |EG3| |EG4

| O(2r middot q2N)


can be



Pr EG2andEG3|EG1


N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )


2β3 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G4| |

(37)



















most 1N



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (38)















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (39)




andF⊢QF we have


Pr EG2andEG3




N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(40)



andEG2andEG3


EG2 and EG3












andF⊢QF1113960 1113961le 2G4

11138681113868111386811138681113868111386811138681113868 middot qf + qe1113872 1113873

Nle2β3 middot qf + qe1113872 1113873

N (41)





1

N2 G4| |ge 1 minus

2β3 qf + qe1113872 1113873


1

N2 G4| |

(42)




N2 G1| |+G2| |+G3| |+G4| |( )

ge 1 minus ε1 + ε2 + ε3( 1113857( 11138571

N2qe

Since G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

1113868111386811138681113868 + G41113868111386811138681113868

1113868111386811138681113868 qe1113872 1113873

(43)





p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which


N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)


F6⊢QF6]



1113868111386811138681113868


1113868111386811138681113868


1113868111386811138681113868

(46)



Ek β11113858 1113859leqeqf

N (47)



and


(48)



N (49)



N+ α1(k) (50)





Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References































and(x5 y5) isin QF5











A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1

B1

B2

B2

B1 B2

L R

S T

k1

k2

k3

k4

k5

k6

F1

F2

F3

F4

F5

F6


A1 A2

A1 A2

A1 A2

A1 A2

B1 B2

B1 B2

B1 B2

B1 B2

L R

S T

k1

k2

k3

k4

F

F

F

F







Lemma 3 We have

PrF1 F6Bad F1 F6( 1113857|F1⊢QF1

andF6⊢QF61113960 1113961le

qeq2f

N2 +

4q2eqf

N2 +

α23(k) + α45(k)

N+

qf α1(k) + α2(k)( 1113857

N (25)



n KAEFlowastE⊢Q


i 1 2 3 4 5 61113876 1113877 (26)



p τ F1 F6( 1113857



ampen we have

Prre(τ k)


F6⊢QF61113960 1113961 minus EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 1113961 (28)




EF1 F6 k ε F1 F6 k( 11138571113858 1113859le7q

3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2 (29)







(30)






We denote EG1 EG2

EG3 and EG4




|F⊢QF1113960 1113961 (31)







N1113888 1113889 1 minus

qf + qe + β2N

1113888 11138891

N2 (32)



qf + qe

Nminus O

2rmiddot q

2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (33)


qf + qe

Nminus O

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (34)


Pr EG1|F⊢QF1113960 1113961ge 1113945

G1| |

l11 minus

β1N

minusβ2N

minus O2r

middot q2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (35)



2rmiddot qeq

2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qf + 2qe1113872 1113873 β1 + β2( 1113857

N⎛⎝ ⎞⎠

1N

2|G1| (36)

To analyze EG2 EG3



| |EG3| |EG4

| O(2r middot q2N)


can be



Pr EG2andEG3|EG1


N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )


2β3 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G4| |

(37)



















most 1N



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (38)















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (39)




andF⊢QF we have


Pr EG2andEG3




N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(40)



andEG2andEG3


EG2 and EG3












andF⊢QF1113960 1113961le 2G4

11138681113868111386811138681113868111386811138681113868 middot qf + qe1113872 1113873

Nle2β3 middot qf + qe1113872 1113873

N (41)





1

N2 G4| |ge 1 minus

2β3 qf + qe1113872 1113873


1

N2 G4| |

(42)




N2 G1| |+G2| |+G3| |+G4| |( )

ge 1 minus ε1 + ε2 + ε3( 1113857( 11138571

N2qe

Since G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

1113868111386811138681113868 + G41113868111386811138681113868

1113868111386811138681113868 qe1113872 1113873

(43)





p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which


N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)


F6⊢QF6]



1113868111386811138681113868


1113868111386811138681113868


1113868111386811138681113868

(46)



Ek β11113858 1113859leqeqf

N (47)



and


(48)



N (49)



N+ α1(k) (50)





Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References

































Lemma 3 We have

PrF1 F6Bad F1 F6( 1113857|F1⊢QF1

andF6⊢QF61113960 1113961le

qeq2f

N2 +

4q2eqf

N2 +

α23(k) + α45(k)

N+

qf α1(k) + α2(k)( 1113857

N (25)



n KAEFlowastE⊢Q


i 1 2 3 4 5 61113876 1113877 (26)



p τ F1 F6( 1113857



ampen we have

Prre(τ k)


F6⊢QF61113960 1113961 minus EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 1113961 (28)




EF1 F6 k ε F1 F6 k( 11138571113858 1113859le7q

3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2 (29)







(30)






We denote EG1 EG2

EG3 and EG4




|F⊢QF1113960 1113961 (31)







N1113888 1113889 1 minus

qf + qe + β2N

1113888 11138891

N2 (32)



qf + qe

Nminus O

2rmiddot q

2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (33)


qf + qe

Nminus O

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (34)


Pr EG1|F⊢QF1113960 1113961ge 1113945

G1| |

l11 minus

β1N

minusβ2N

minus O2r

middot q2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (35)



2rmiddot qeq

2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qf + 2qe1113872 1113873 β1 + β2( 1113857

N⎛⎝ ⎞⎠

1N

2|G1| (36)

To analyze EG2 EG3



| |EG3| |EG4

| O(2r middot q2N)


can be



Pr EG2andEG3|EG1


N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )


2β3 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G4| |

(37)



















most 1N



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (38)















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (39)




andF⊢QF we have


Pr EG2andEG3




N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(40)



andEG2andEG3


EG2 and EG3












andF⊢QF1113960 1113961le 2G4

11138681113868111386811138681113868111386811138681113868 middot qf + qe1113872 1113873

Nle2β3 middot qf + qe1113872 1113873

N (41)





1

N2 G4| |ge 1 minus

2β3 qf + qe1113872 1113873


1

N2 G4| |

(42)




N2 G1| |+G2| |+G3| |+G4| |( )

ge 1 minus ε1 + ε2 + ε3( 1113857( 11138571

N2qe

Since G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

1113868111386811138681113868 + G41113868111386811138681113868

1113868111386811138681113868 qe1113872 1113873

(43)





p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which


N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)


F6⊢QF6]



1113868111386811138681113868


1113868111386811138681113868


1113868111386811138681113868

(46)



Ek β11113858 1113859leqeqf

N (47)



and


(48)



N (49)



N+ α1(k) (50)





Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References

































We denote EG1 EG2

EG3 and EG4




|F⊢QF1113960 1113961 (31)







N1113888 1113889 1 minus

qf + qe + β2N

1113888 11138891

N2 (32)



qf + qe

Nminus O

2rmiddot q

2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (33)


qf + qe

Nminus O

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (34)


Pr EG1|F⊢QF1113960 1113961ge 1113945

G1| |

l11 minus

β1N

minusβ2N

minus O2r

middot q2f

N2 +

qf + qe1113872 11138732

N2

⎛⎝ ⎞⎠⎛⎝ ⎞⎠1

N2 (35)



2rmiddot qeq

2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qf + 2qe1113872 1113873 β1 + β2( 1113857

N⎛⎝ ⎞⎠

1N

2|G1| (36)

To analyze EG2 EG3



| |EG3| |EG4

| O(2r middot q2N)


can be



Pr EG2andEG3|EG1


N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )


2β3 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G4| |

(37)



















most 1N



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (38)















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (39)




andF⊢QF we have


Pr EG2andEG3




N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(40)



andEG2andEG3


EG2 and EG3












andF⊢QF1113960 1113961le 2G4

11138681113868111386811138681113868111386811138681113868 middot qf + qe1113872 1113873

Nle2β3 middot qf + qe1113872 1113873

N (41)





1

N2 G4| |ge 1 minus

2β3 qf + qe1113872 1113873


1

N2 G4| |

(42)




N2 G1| |+G2| |+G3| |+G4| |( )

ge 1 minus ε1 + ε2 + ε3( 1113857( 11138571

N2qe

Since G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

1113868111386811138681113868 + G41113868111386811138681113868

1113868111386811138681113868 qe1113872 1113873

(43)





p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which


N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)


F6⊢QF6]



1113868111386811138681113868


1113868111386811138681113868


1113868111386811138681113868

(46)



Ek β11113858 1113859leqeqf

N (47)



and


(48)



N (49)



N+ α1(k) (50)





Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References













































most 1N



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (38)















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873


N (39)




andF⊢QF we have


Pr EG2andEG3




N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(40)



andEG2andEG3


EG2 and EG3












andF⊢QF1113960 1113961le 2G4

11138681113868111386811138681113868111386811138681113868 middot qf + qe1113872 1113873

Nle2β3 middot qf + qe1113872 1113873

N (41)





1

N2 G4| |ge 1 minus

2β3 qf + qe1113872 1113873


1

N2 G4| |

(42)




N2 G1| |+G2| |+G3| |+G4| |( )

ge 1 minus ε1 + ε2 + ε3( 1113857( 11138571

N2qe

Since G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

1113868111386811138681113868 + G41113868111386811138681113868

1113868111386811138681113868 qe1113872 1113873

(43)





p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which


N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)


F6⊢QF6]



1113868111386811138681113868


1113868111386811138681113868


1113868111386811138681113868

(46)



Ek β11113858 1113859leqeqf

N (47)



and


(48)



N (49)



N+ α1(k) (50)





Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References





























Pr EG2andEG3




N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(40)



andEG2andEG3


EG2 and EG3












andF⊢QF1113960 1113961le 2G4

11138681113868111386811138681113868111386811138681113868 middot qf + qe1113872 1113873

Nle2β3 middot qf + qe1113872 1113873

N (41)





1

N2 G4| |ge 1 minus

2β3 qf + qe1113872 1113873


1

N2 G4| |

(42)




N2 G1| |+G2| |+G3| |+G4| |( )

ge 1 minus ε1 + ε2 + ε3( 1113857( 11138571

N2qe

Since G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

1113868111386811138681113868 + G41113868111386811138681113868

1113868111386811138681113868 qe1113872 1113873

(43)





p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which


N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)


F6⊢QF6]



1113868111386811138681113868


1113868111386811138681113868


1113868111386811138681113868

(46)



Ek β11113858 1113859leqeqf

N (47)



and


(48)



N (49)



N+ α1(k) (50)





Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References
































p τ F1 F6( 1113857

1113937qe minus 1i0 1N2


for which


N+2r

middot qeq2f

N2 +

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q3e

N2 (45)


F6⊢QF6]



1113868111386811138681113868


1113868111386811138681113868


1113868111386811138681113868

(46)



Ek β11113858 1113859leqeqf

N (47)



and


(48)



N (49)



N+ α1(k) (50)





Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References





























Ek α1(k)1113858 1113859 1113944(LRST)isinQE

1113944

x1 y1( )isinQF1


N

(51)


EF1 F6 k ε F1 F6 k( 11138571113858 1113859le4qeq

2f + 6q

2eqf

N2 +

2 qf + qe1113872 1113873 2rqeqf + qeqf + 2q

2e1113872 1113873

N2 +

2rmiddot qeq

2f

N2

+2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873 + q

3e

N2

7q3e + 10qeq

2f + 18q

2eqf + 3 middot 2r


middot q2eqf

N2

(52)


Prre(τ)

Prid(τ)ge 1 minus


2f

N2 + Ek Pr Bad F1 F6( 1113857|F1⊢QF1

F6⊢QF61113960 1113961 + Ek EF1 F6

ε F1 F6 k( 1113857|F1⊢QF1 F6⊢QF6

1113960 11139611113960 11139611113960⎛⎝ ⎞⎠ (53)





Ek α23(k)1113960 1113961leqeq

2f

N

Ek α45(k)1113960 1113961le2r

qeq2f

N

(54)



1113960 11139611113960 le3qeq

2f

N2 +

2rqeq

2f

N2 +

4q2eqf

N2

(55)


6 Conclusion


Appendix

A Proof of Lemma 3









2









N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References



































N2

(A1)









(A2)






B Proof of Lemma 5


G1 (L1R1X1 A1S1T1) (L|G1|R|G1|X|G1|1113966





ExtF(l)3



G2F3 def


ExtF(l)4



G3F4 def


(B1)




(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References































(l)4





(l+1)2 ) and




(B2)




(l+1)2 ) satisfies








(l+1)5 ) satisfies







By these we have



Let e(l)3 |ExtF(l)








qf + e(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B6)

By symmetry


qf + e(l)4 + G3F4

111386811138681113868111386811138681113868111386811138681113872 1113873

N

(B7)




(l)3 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873


qf + e(l)4 + G2F3

111386811138681113868111386811138681113868111386811138681113872 1113873

N⎛⎝ ⎞⎠

1N

2 (B8)





(l)4 cupG3F4 (B9)









as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References




































as

pcoll 1113944










(l)3 F3 x3( 1113857 y31113966 1113967

11138681113868111386811138681113868

11138681113868111386811138681113868

(B13)


(l)3





thus

Pr F2 x(l+1)21113872 1113873 O


1N

(B14)

and

1113944


x4isinG3F4



N

(B15)


α+34(k X)

defx3 y3( 1113857 x4 y4( 1113857( 1113857 isin QF3


11138681113868111386811138681113868

11138681113868111386811138681113868

(B16)




amperefore



N (B17)




2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References































2



1113944


4 DomF



(B18)



(i)4 isin ExtF

(i)4 while x

(i)4 notin ExtF

(iminus 1)4 ) and










was uniform ampus




(B19)




le1

N2

(B20)


y(i)3 F3(x




(i)3 is


(i)3


lisions ie



amperefore


Num(l)3 O


minus 1Xi1113872 1113873

N2 (B23)



Num Ominus 1


Xi1113872 1113873

N2 (B24)




1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References































1113936

3j1 Pr Coll x3 x


Pr Ei1113858 1113859

le 11139443

j1B middot


Pr Ei1113858 1113859 B

(B25)

ampis means

1113944





sgn(i) middotNum(l)

3 Ominus 1


Xi1113872 1113873

N2


qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B26)


1113944

x3isinExtF(l)

3 DomF3x4isinDomF4




(B27)








was uniform ampus



(B28)




1N

2 (B29)








quired to happen


1N

2 (B30)

which follows



1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References






























1113944

x3isinExtF(l)



sgnprime(i) middot1

N2 le

qfe(l)3

N2 le

qfqe

N2 (B31)



1113944

x3isinExtF(l)


4 DomF4




(B32)

where



(i)3 notin DomF3




(j)4 notin DomF4


(i)3 Xj oplusOy



(j)3 is



(x(i)3 x

(j)4 )


(i)3 Xj oplusOy



(i)3 x

(j)4 )

In all

1113944


(l)4 DomF4


le 1113944i1l

1113944i1l

Num3 Ominus 1


N2 le 1113944

i1l

qf + e(l)3

N2 le

qf qf + qe1113872 1113873

N2

(B33)



Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

qf qf + qe1113872 1113873

N2 +

qfqe

N2 +

qf qf + qe1113872 1113873

N2

le1113936x4isinG3F4

Num(l)3 O


minus 1X41113872 1113873

N+2r

middot q2f

N2 +

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

(B34)








(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References






























(l)3

Nminus


3 Xl+1 + k4 + X4( 1113857

Nminus2r

middot q2f

N2 minus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B35)



(l)3 cupG2F3



minus 1Xl+1 oplusZl+1( 11138571113960 1113961

1

N2

(B36)


pcoll 1113944


3 cupG2F3



(B37)





1113944



Num(l)4 O


N (B38)


ExtF(l)4 F4(x4) y4|


αminus34(k A)

def| ((x3 y3) (x41113864 y4)) isin QF3

times QF4 k3




34 k Al+1( 11138571113960 1113961

Nle

q2f

N2 (B39)


nition we have




(B40)




(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References































(i)3 notin DomF3







Num(l)4 O


minus 1Ai1113872 1113873

N2 (B41)




1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2 le

qf qf + qe1113872 1113873

N2

(B42)


nition we have




(B43)




1113944



(l)4

N2 le

qfqe

N2 (B44)


(l)4 DomF4


1113944


(l)4 DomF4


1113944i1l

Num(l)4 O


minus 1Ai1113872 1113873

N2

le 1113944j1l

qf + e(l)4

N2 le

qf qf + qe1113872 1113873

N2

(B45)




(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References































(l)4

Nminus



Nminus

2qf + qe1113872 1113873 qf + qe1113872 1113873

N2

⎛⎝ ⎞⎠1

N2

(B46)


in


(l)3 + G2F3

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠⎛⎝ ⎞⎠ 1 minus

qf + e(l)4 + G3F4

11138681113868111386811138681113868111386811138681113868

N⎛⎝ ⎞⎠

+2qf + e

(l)3 + e

(l)4

Nminus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2


Num(l)3 O


Num(l)4 O


N

1N

2

ge 1 minus2r

middot q2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F1113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl

⎛⎝ ⎞⎠1

N2

(B47)


Ek Pr EG1|F⊢QF1113960 11139611113960 1113961ge 1113945

G1| |minus 1

l01 minus

2rmiddot q

2f

N2 minus

2 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

G2F31113868111386811138681113868

1113868111386811138681113868 + G3F41113868111386811138681113868

1113868111386811138681113868

Nminus Bl


N2 G1| |

ge 1 minus2r

middot qeq2f

N2 minus

2qe 2qf + qe1113872 1113873 qf + qe1113872 1113873

N2 minus

qe β1 + β2( 1113857

Nminus 1113944

qeminus 1

l0Bl


N2 G1| |

(B48)


definition we have

1113944y3isin 01 n

Num(l)3 y3( 1113857 qf + e

(l)3 le qf + qe


Num(l)4 y4( 1113857 qf + e

(l)4 le qf + qe

(B49)


amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References





























amperefore

1113944

qeminus 1

l01113944

x4isinG3F4

Num(l)3 O


x3isinG3F4

qf + qe1113872 1113873le qf + qe1113872 1113873β2 (B50)

and similarly

1113944

qeminus 1

l01113944

x3isinG2F3

Num(l)4 O


11138681113868111386811138681113868111386811138681113868le qf + qe1113872 1113873β1 (B51)

















(B52)



G21113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ1 qf + qe1113872 1113873

N (B53)

















Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References































Similar to Bad1(F3)


G31113868111386811138681113868

1113868111386811138681113868 middot qf + G11113868111386811138681113868

1113868111386811138681113868 + G21113868111386811138681113868

1113868111386811138681113868 + G31113868111386811138681113868

11138681113868111386811138681113872 1113873

Nleβ2 qf + qe1113872 1113873

N (B54)





Pr EG2andEG3

|EG1andF⊢QF1113960 1113961


|Bad1 F2( 1113857andBad1 F3( 11138571113960 1113961

ge 1 minusβ1 + β2( 1113857 qf + qe1113872 1113873

N⎛⎝ ⎞⎠

1

N2 G2| |+G3| |( )

(B55)



andEG2andEG3


EG2 or EG3













G41113868111386811138681113868

1113868111386811138681113868 middot qf + qe1113872 1113873

N⎛⎝ ⎞⎠le

2β3 qf + qe1113872 1113873

N (B57)







2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References


































2β3 qf + qe1113872 1113873


1

N2 G4| |

(B58)

Data Availability




References


































Documents

New Approach towards Generalizing Feistel Networks and Its