
CCA security for contracting (quasi-)Feistel constructions with tight round complexity

Published in: Designs, Codes and Cryptography

Abstract

Feistel constructions using contracting round functions were introduced in the 1990s and generalized by Yun et al. (Des Codes Cryptogr 58(1):45–72, 2011) to a quasigroup-based definition. To our knowledge, the minimal number of rounds sufficient for CCA security remains elusive. We bridge this gap: for the general quasigroup-based contracting Feistel construction using round functions \(F_i: \mathcal {X}^{b-1} \rightarrow \mathcal {X}\), \(b \ge 3\), we prove CCA security at \(b+1\) rounds. This matches the number of rounds attacked by Patarin et al. (in: Lai, Chen (ed) ASIACRYPT, Springer, Heidelberg, 2006). Interestingly, this means 4 rounds are already sufficient for CCA security in the case \(b=3\), which is the same as for the balanced Feistel.



Data availability

No datasets were generated or analysed during the current study.

Notes

  1. Besides using trees, much more complicated manipulations are employed in [3] to prove beyond-birthday-bound security with tight round complexity.

References

  1. Anderson R.J., Biham E.: Two practical and provably secure block ciphers: BEARS and LION. In: Gollmann D. (ed.) FSE’96. LNCS, vol. 1039, pp. 113–120. Springer, Heidelberg (1996).

  2. Berger T.P., Francq J., Minier M., Thomas G.: Extended generalized Feistel networks using matrix representation to propose a new lightweight block cipher: Lilliput. IEEE Trans. Comput. 65(7), 2074–2089 (2016).

  3. Bhattacharjee A., Bhaumik R., Dutta A., Nandi M., Raychaudhuri A.: BBB security for 5-round Even-Mansour-based key-alternating Feistel ciphers. Des. Codes Cryptogr. 92(1), 13–49 (2024). https://doi.org/10.1007/s10623-023-01288-4.

  4. Chen S., Steinberger J.P.: Tight security bounds for key-alternating ciphers. In: Nguyen P.Q., Oswald E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014).

  5. Cogliati B., Dodis Y., Katz J., Lee J., Steinberger J.P., Thiruvengadam A., Zhang Z.: Provable security of (tweakable) block ciphers based on substitution-permutation networks. In: Shacham H., Boldyreva A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 722–753. Springer, Heidelberg (2018).

  6. Coron J.S., Dodis Y., Mandal A., Seurin Y.: A domain extender for the ideal cipher. In: Micciancio D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 273–289. Springer, Heidelberg (2010).

  7. Dobraunig C., Grassi L., Guinet A., Kuijsters D.: Ciminion: symmetric encryption based on Toffoli-gates over large finite fields. LNCS, pp. 3–34. Springer, Heidelberg (2021).

  8. Guo C., Standaert F.X., Wang W., Wang X., Yu Y.: Provable security of SP networks with partial non-linear layers. IACR Trans. Symm. Cryptol. 2021(2), 353–388 (2021).

  9. Hoang V.T., Rogaway P.: On generalized Feistel networks. In: Rabin T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010).

  10. Lai X., Massey J.L.: A proposal for a new block encryption standard. In: Damgård I. (ed.) EUROCRYPT’90. LNCS, vol. 473, pp. 389–404. Springer, Heidelberg (1991).

  11. Liu J., Sun B., Liu G., Dong X., Liu L., Zhang H., Li C.: New wine old bottles: Feistel structure revised. IEEE Trans. Inf. Theory 69, 2000–2008 (2023).

  12. Luby M., Rackoff C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988).

  13. Lucks S.: Faster Luby-Rackoff ciphers. In: Gollmann D. (ed.) FSE’96. LNCS, vol. 1039, pp. 189–203. Springer, Heidelberg (1996).

  14. Minematsu K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009).

  15. Nachef V., Patarin J., Volte E.: Feistel Ciphers—Security Proofs and Cryptanalysis. Springer, New York (2017).

  16. Patarin J.: The coefficients H technique (invited talk). In: Avanzi R.M., Keliher L., Sica F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009).

  17. Patarin J., Nachef V., Berbain C.: Generic attacks on unbalanced Feistel schemes with contracting functions. In: Lai X., Chen K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 396–411. Springer, Heidelberg (2006).

  18. Schneier B., Kelsey J.: Unbalanced Feistel networks and block cipher design. In: Gollmann D. (ed.) FSE’96. LNCS, vol. 1039, pp. 121–144. Springer, Heidelberg (1996).

  19. Shen Y., Guo C., Wang L.: Improved security bounds for generalized Feistel networks. IACR Trans. Symm. Cryptol. 2020(1), 425–457 (2020).

  20. Smith J.D.: An Introduction to Quasigroups and Their Representations. CRC Press, Boca Raton (2006).

  21. Vaudenay S.: On the Lai-Massey scheme. In: Lam K.Y., Okamoto E., Xing C. (eds.) ASIACRYPT’99. LNCS, vol. 1716, pp. 8–19. Springer, Heidelberg (1999).

  22. Yu W., Zhao Y., Guo C.: Provable related-key security of contracting Feistel networks. In: Wu Y., Yung M. (eds.) Information Security and Cryptology—16th International Conference, Inscrypt 2020, Guangzhou, China, December 11–14, 2020, Revised Selected Papers. LNCS, vol. 12612, pp. 466–490. Springer, New York (2020). https://doi.org/10.1007/978-3-030-71852-7_31.

  23. Yun A., Park J.H., Lee J.: On Lai-Massey and quasi-Feistel ciphers. Des. Codes Cryptogr. 58(1), 45–72 (2011). https://doi.org/10.1007/s10623-010-9386-8.

  24. Zhang L., Wu W.: Pseudorandomness and super pseudorandomness on the unbalanced Feistel networks with contracting functions. Chin. J. Comput. 32(7), 1320–1330 (2009).

  25. Zheng Y., Matsumoto T., Imai H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard G. (ed.) CRYPTO’89. LNCS, vol. 435, pp. 461–480. Springer, Heidelberg (1990).

Acknowledgements

We thank the anonymous reviewers of Designs, Codes and Cryptography for their valuable comments.

Funding

Chun Guo was supported by the National Key Research and Development Program of China (Grant 2023YFA1011200) and the National Natural Science Foundation of China (Grant 62372274). Ling Song was supported by the National Natural Science Foundation of China (Grant Nos. 62022036, 62372213, 62132008).

Contributions

C.G. contributed the security proof and L.S. contributed the CPA attack. Both authors reviewed the manuscript.

Corresponding author

Correspondence to Ling Song.

Ethics declarations

Conflict of interest

The authors have no conflicts of interest to declare that are relevant to the content of this article.

Additional information

Communicated by X. Wang.

Appendices

Appendix A: Examples of quasi-Feistel

Feistel. The r-round Feistel permutation \(\text {Feistel}_r[{\textbf {F}} ](x)=\text {Feistel}_r[{\textbf {F}} ](x_0, x_1)\) from round functions \({\textbf {F}} = (F_1, \ldots , F_r) \in \big ( \mathcal {F} (\{0,1\} ^n,\{0,1\} ^n)\big )^r\) is defined as follows:

  1. \(x_{i+1} \leftarrow x_{i-1} \oplus F_i\left( x_i\right) \), for \(i=1, \ldots , r\).

  2. Return \(y=\left( x_r, x_{r+1}\right) \).

This corresponds to an instance of the quasi-Feistel with \(\mathcal {X} = \{0,1\}^n\), \(P_{in}\) and \(P_{fi}\) identity permutations and \({{\Gamma }\llbracket x{\star } y \mid z \rrbracket } = x \oplus y\).

Contracting Feistel.

The r-round contracting Feistel permutation \(\text {ConFeistel}_r[{\textbf {F}} ](x)=\text {ConFeistel}_r[{\textbf {F}} ](x_0,\ldots , x_{b-1})\) on b branches, from functions \({\textbf {F}} = (F_1, \ldots , F_r) \in \big ( \mathcal {F} (\{0,1\}^{(b-1)n},\{0,1\} ^n)\big )^r\), is defined as follows:

  1. \(x_{i+b-1} \leftarrow x_{i-1} \oplus F_i(x_i,\ldots ,x_{i+b-2})\), for \(i=1, \ldots , r\).

  2. Return \(y=\left( x_r, x_{r+1}, \ldots , x_{r+b-1}\right) \).

This corresponds to an instance of the quasi-Feistel with \(\mathcal {X} = \{0,1\}^n\), \(\mathcal {Y} = \{0,1\}^{(b-1)n}\), \(P_{in}\) and \(P_{fi}\) identity permutations and \({{\Gamma }\llbracket x{\star } y \mid z \rrbracket } = x \oplus y\).

Lai-Massey. Let G be a finite abelian group. An orthomorphism \(\sigma : G \rightarrow G\) is a permutation such that \(x \mapsto \sigma (x)-x\) is also a permutation. Given such a \(\sigma \), we denote \(\sigma (x)-x\) by \(\varphi (x)\). We assume that all of \(\sigma , \sigma ^{-1}, \varphi , \varphi ^{-1}\) are very efficient to compute on G. The following is the definition of an r-round Lai-Massey permutation \(\text {LM}_r^{\sigma }[{\textbf {F}} ](x)=\text {LM}_r^{\sigma }[{\textbf {F}} ](x_0, x_1)\) with orthomorphism \(\sigma \), corresponding to round functions \({\textbf {F}} = (F_1, \ldots , F_r) \in \big ( \mathcal {F} (G,G)\big )^r\).

  1. \(\alpha _1 \leftarrow x_L, \beta _1 \leftarrow x_R\).

  2. \(\alpha _{i+1} \leftarrow \sigma \left( \alpha _i+F_i\left( \alpha _i-\beta _i\right) \right) , \beta _{i+1} \leftarrow \beta _i+F_i\left( \alpha _i-\beta _i\right) \), for \(i=1, \ldots , r\).

  3. \(y_L \leftarrow \alpha _{r+1}, y_R \leftarrow \beta _{r+1}\).

  4. Return \(y=\left( y_L, y_R\right) \).

Define \(H: G^2 \rightarrow G^2\) by \( H(x, y)=\left( \sigma ^{-1}(x)-y, x-y\right) \). As shown by Yun et al. [23, Lemma 2], H is invertible, with \( H^{-1}(s, t)=\left( t-s+\varphi ^{-1}(t-s),-s+\varphi ^{-1}(t-s)\right) \).

Then, as shown by Yun et al. [23, Theorem 1], the Lai-Massey construction is an instance of the quasi-Feistel construction with \(\mathcal {X} = G\), \(P_{in} =H\), \(P_{fi} = H^{-1}\) and

$$\begin{aligned} {\Gamma } \llbracket x \star y \mid z \rrbracket =z+\varphi \left( z-x+y+\varphi ^{-1}(z-x)\right) . \end{aligned}$$

Further, the involved divisions are \( {\Gamma } \llbracket x / y \mid z \rrbracket =y+z-\varphi ^{-1}(x-z)+\sigma ^{-1}\left( \varphi ^{-1}(x-z)-y\right) \) and \( {\Gamma } \llbracket x \backslash y \mid z \rrbracket =x-z-\varphi ^{-1}(z-x)+\varphi ^{-1}(y-z) \).
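As an added check (example code written for this page, not the paper's or Yun et al.'s own code), the following verifies the Lai-Massey formulas above exhaustively over a small group. It assumes \(G = \mathbb {Z}_{11}\) with the orthomorphism \(\sigma (x) = 3x \bmod 11\), derives \(\varphi \) and the inverses by table, and confirms that \(H^{-1}\) inverts H and that the two division formulas really are the right and left divisions of \({\Gamma } \llbracket x \star y \mid z \rrbracket \) for every x, y, z.

```python
M = 11                                           # |G| for G = Z_M (assumption)

sigma = {x: (3 * x) % M for x in range(M)}       # sigma(x) = 3x mod 11 (assumption)
phi = {x: (sigma[x] - x) % M for x in range(M)}  # phi(x) = sigma(x) - x = 2x mod 11
sigma_inv = {v: k for k, v in sigma.items()}
phi_inv = {v: k for k, v in phi.items()}


def is_orthomorphism(s):
    """s is a permutation of Z_M and x -> s(x) - x is a permutation as well."""
    full = list(range(M))
    return sorted(s.values()) == full and sorted((s[x] - x) % M for x in full) == full


def H(x, y):
    """H(x, y) = (sigma^{-1}(x) - y, x - y) from [23, Lemma 2]."""
    return ((sigma_inv[x] - y) % M, (x - y) % M)


def H_inv(s, t):
    """H^{-1}(s, t) = (t - s + phi^{-1}(t - s), -s + phi^{-1}(t - s))."""
    d = phi_inv[(t - s) % M]
    return ((t - s + d) % M, (-s + d) % M)


def star(x, y, z):
    """Gamma[[x * y | z]] = z + phi(z - x + y + phi^{-1}(z - x))."""
    return (z + phi[(z - x + y + phi_inv[(z - x) % M]) % M]) % M


def rdiv(x, y, z):
    """Gamma[[x / y | z]] = y + z - phi^{-1}(x - z) + sigma^{-1}(phi^{-1}(x - z) - y)."""
    a = phi_inv[(x - z) % M]
    return (y + z - a + sigma_inv[(a - y) % M]) % M


def ldiv(x, y, z):
    """Gamma[[x \\ y | z]] = x - z - phi^{-1}(z - x) + phi^{-1}(y - z)."""
    return (x - z - phi_inv[(z - x) % M] + phi_inv[(y - z) % M]) % M


def check_all():
    """True iff H_inv inverts H and, for every z, rdiv/ldiv are the right and
    left divisions of the quasigroup (x, y) -> star(x, y, z), over all of Z_M:
    (x * y) / y == x and x \\ (x * y) == y."""
    for x in range(M):
        for y in range(M):
            if H_inv(*H(x, y)) != (x, y):
                return False
            for z in range(M):
                w = star(x, y, z)
                if rdiv(w, y, z) != x or ldiv(x, w, z) != y:
                    return False
    return True


if __name__ == "__main__":
    print("orthomorphism:", is_orthomorphism(sigma), "identities:", check_all())
```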

Appendix B: Intuitions from the CCA attack against \(\varPsi ^{2,3}[{\textbf {F}} ] \)

As discussed, the well-known CCA attack against 3-round balanced Feistel \(\text {Feistel}_3[{\textbf {F}} ]\) shows that \(\varPsi _{P_{in},P_{fi}}^{2,3}[{\textbf {F}} ] \) is not CCA secure. Using the notations from Appendix A, the attack proceeds as follows.

  1. Chooses \(x_0,x_0',x_1 \in \{0,1\} ^n\) with \(x_0 \ne x_0'\), and queries \(P(x_0,x_1) \rightarrow (x_3,x_4)\) and \(P(x_0',x_1) \rightarrow (x_3',x_4')\);

  2. Sets \(x_4'' \leftarrow x_4' \oplus x_0 \oplus x_0'\) and queries \(P^{-1}(x_3',x_4'') \rightarrow (x_0'',x_1'')\);

  3. Outputs 1 if and only if \(x_1'' = x_1 \oplus x_3 \oplus x_3'\).

We refer to Fig. 5 for the chains of values involved in the attack. The crucial idea is that the 3rd evaluation \(\text {Feistel}_3[{\textbf {F}} ]^{-1}(x_3',x_4'')\) does not give rise to a new \(F_2\)-call: \(x_2'' = x_4'' \oplus F_3(x_3') = (x_4' \oplus x_0 \oplus x_0') \oplus (x_2' \oplus x_4') = x_0 \oplus x_0' \oplus x_2' = x_2\), and hence \(x_1'' = x_3' \oplus F_2(x_2) = x_1 \oplus x_3 \oplus x_3'\).

Fig. 5: Chains of values involved in the CCA attack against 3-round balanced Feistel. The numbers 1 and 3 indicate whether the chain appears in step 1 or step 3.

Let’s see why this idea fails on \(\varPsi _{P_{in},P_{fi}}^{b,b+1}[{\textbf {F}} ] \). It suffices to consider \(\varPsi _{\textsf {id},\textsf {id}}^{3,4}[{\textbf {F}} ] \) for the identity permutation id. Consider proceeding as follows:

  1. Chooses \(x_0,x_0',x_1,x_2 \in \{0,1\} ^n\) with \(x_0 \ne x_0'\), and queries \(P(x_0,x_1,x_2) \rightarrow (x_4,x_5,x_6)\) and \(P(x_0',x_1,x_2) \rightarrow (x_4',x_5',x_6')\);

  2. Sets \(x_6'' \leftarrow x_6' \oplus x_0 \oplus x_0'\) and queries \(P^{-1}(x_4',x_5',x_6'') \rightarrow (x_0'',x_1'',x_2'')\).

The two encryption processes have \(x_3 = x_0 \oplus F_1(x_1,x_2)\) and \(x_3' = x_0' \oplus F_1(x_1,x_2)\), and thus \(x_3 \oplus x_3' = x_0 \oplus x_0'\). Therefore, the 3rd evaluation \(\varPsi _{\textsf {id},\textsf {id}}^{3,4}[{\textbf {F}} ] ^{-1}(x_4',x_5',x_6'')\) still does not give rise to a new \(x_3\) value: it has \(x_3'' = x_6'' \oplus F_4(x_4',x_5') = (x_6' \oplus x_0 \oplus x_0') \oplus (x_3' \oplus x_6') = x_0 \oplus x_0' \oplus x_3' = x_3\). However, it internally calls \(F_3(x_3,x_4')\), which remains new since \((x_3,x_4') \ne (x_3,x_4),(x_3',x_4')\). This call gives rise to a random output, which no longer causes \(x_2'' = x_2\).

We remark that in our security proof, the tree formed by such three chains was addressed in Subcase 1.4.2.a in Sect. 4.3.1.
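The following added example (not code from the paper) implements the XOR instances of Appendix A, with the balanced Feistel as the b = 2 case of the contracting construction, and runs the three-query test of Appendix B against \(\text {Feistel}_3\) and against the b = 3, 4-round contracting Feistel. It assumes n = 32 and models the round functions as independent random functions by hashing a constructed seed, the round index and the input with SHA-256.

```python
import hashlib
import secrets

N = 32                                    # word size n in bits (assumption)


def make_round_functions(r, seed):
    """F_1, ..., F_r: each maps a tuple of n-bit words to one n-bit word."""
    def F(i):
        def f(*words):
            data = seed + bytes([i]) + b"".join(w.to_bytes(N // 8, "big") for w in words)
            return int.from_bytes(hashlib.sha256(data).digest()[: N // 8], "big")
        return f
    return [F(i) for i in range(1, r + 1)]


def con_feistel_chain(F, x, r, b):
    """Forward chain x_0..x_{r+b-1}: x_{i+b-1} = x_{i-1} xor F_i(x_i, ..., x_{i+b-2})."""
    xs = list(x)                          # x = (x_0, ..., x_{b-1}); xs[k] holds x_k
    for i in range(1, r + 1):
        xs.append(xs[i - 1] ^ F[i - 1](*xs[i:i + b - 1]))
    return xs


def con_feistel_chain_inv(F, y, r, b):
    """Backward chain from y = (x_r..x_{r+b-1}): x_{i-1} = x_{i+b-1} xor F_i(x_i..x_{i+b-2})."""
    xs = [None] * r + list(y)
    for i in range(r, 0, -1):
        xs[i - 1] = xs[i + b - 1] ^ F[i - 1](*xs[i:i + b - 1])
    return xs


def encrypt(F, x, r, b):
    """ConFeistel_r[F](x_0, ..., x_{b-1}); b = 2 is the balanced Feistel_r[F]."""
    return tuple(con_feistel_chain(F, x, r, b)[r:r + b])


def decrypt(F, y, r, b):
    return tuple(con_feistel_chain_inv(F, y, r, b)[:b])


def random_words(k):
    """k random n-bit words with the first two forced distinct (x_0 != x_0')."""
    ws = [secrets.randbelow(1 << N) for _ in range(k)]
    while ws[1] == ws[0]:
        ws[1] = secrets.randbelow(1 << N)
    return ws


def cca_test_feistel3(F):
    """Appendix B test on Feistel_3 (b = 2, r = 3): True iff x_1'' = x_1 xor x_3 xor x_3',
    which always holds for the construction and only with probability 2^-n for a
    random permutation."""
    x0, x0p, x1 = random_words(3)
    x3, x4 = encrypt(F, (x0, x1), 3, 2)
    x3p, x4p = encrypt(F, (x0p, x1), 3, 2)
    x4pp = x4p ^ x0 ^ x0p
    x0pp, x1pp = decrypt(F, (x3p, x4pp), 3, 2)   # inverse query on (x_3', x_4'')
    return x1pp == x1 ^ x3 ^ x3p


def cca_attempt_confeistel4(F):
    """The same idea on the b = 3, 4-round contracting Feistel. Returns
    (x_3'' == x_3, x_2'' == x_2): the first stays True because x_3 xor x_3' =
    x_0 xor x_0'; the second fails because F_3 is now called on the fresh (x_3, x_4')."""
    x0, x0p, x1, x2 = random_words(4)
    fwd = con_feistel_chain(F, (x0, x1, x2), 4, 3)
    x4p, x5p, x6p = encrypt(F, (x0p, x1, x2), 4, 3)
    x6pp = x6p ^ x0 ^ x0p
    bwd = con_feistel_chain_inv(F, (x4p, x5p, x6pp), 4, 3)
    return bwd[3] == fwd[3], bwd[2] == x2


if __name__ == "__main__":
    F = make_round_functions(4, b"constructed-seed")
    print("Feistel_3 relation holds:", cca_test_feistel3(F))
    print("ConFeistel_4 (b = 3): x_3'' = x_3, x_2'' = x_2 ->", cca_attempt_confeistel4(F))
```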

Appendix C: Details of Case 2 \(d^{(i)} = \leftarrow \) for Sect. 4.3

When \(d^{(i)} = \leftarrow \), the event \(\varPsi ^{b,b+1}[{\textbf {F}} ] (x_0^{(i)},x_1^{(i)},\ldots ,x_{b-1}^{(i)}) = (x_{b+1}^{(i)},x_{b+2}^{(i)},\ldots ,x_{2b}^{(i)})\) is equivalent to \(F_1,\ldots ,F_{b}\) satisfying the following equations:

$$\begin{aligned}
&F_1 ( x_1^{(i)},\ldots ,x_{b-1}^{(i)} ) = {{\Gamma }\llbracket x_0^{(i)}\backslash x_{b}^{(i)} \mid x_1^{(i)},\ldots ,x_{b-1}^{(i)} \rrbracket } , \\
&F_2 ( x_2^{(i)},\ldots ,x_{b}^{(i)} ) = {{\Gamma }\llbracket x_1^{(i)}\backslash x_{b+1}^{(i)} \mid x_2^{(i)},\ldots ,x_{b}^{(i)} \rrbracket } , \\
&\ldots , \\
&F_{b-1} ( x_{b-1}^{(i)},\ldots ,x_{2b-2}^{(i)} ) = {{\Gamma }\llbracket x_{b-2}^{(i)}\backslash x_{2b-2}^{(i)} \mid x_{b-1}^{(i)},\ldots ,x_{2b-2}^{(i)} \rrbracket } , \\
&F_b ( x_b^{(i)},\ldots ,x_{2b-1}^{(i)} ) = {{\Gamma }\llbracket x_{b-1}^{(i)}\backslash x_{2b-1}^{(i)} \mid x_b^{(i)},\ldots ,x_{2b-1}^{(i)} \rrbracket } . \qquad (21)
\end{aligned}$$

The event \(\varPsi ^{b,b+1}[{\textbf {F}} ] (x_0^{(i')},x_1^{(i')},\ldots ,x_{b-1}^{(i')}) = (x_{b+1}^{(i')},x_{b+2}^{(i')},\ldots ,x_{2b}^{(i')})\) is equivalent to \(F_1,\ldots ,F_{b+1}\) satisfying the equations in Eq. (20). Since \(d^{(i)} = \leftarrow \) and \(\tau \) is good, it holds that \(x_{1}^{(i)} \ne x_{1}^{(i')},\ldots ,x_{b-1}^{(i)} \ne x_{b-1}^{(i')}\). By these, the \(b-1\) equations on \(F_1,\ldots ,F_{b-1}\) in Eq. (21) are distinct from the corresponding equations for the \(i'\)-th record.

It remains to argue \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\), i.e., the equations on \(F_b\) are distinct. To this end, we distinguish cases as follows (though, they are similar to Sect. 4.3.1 by symmetry).

Subcase 2.1: the i-th and \(i'\)-th edges in \(\mathcal {G} (\tau )\) are in distinct trees. Similarly to Subcase 1.1, we have \(x_{b}^{(i)} \ne x_{b}^{(i')}\) and thus \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\) by the goodness of \(\tau \).

Subcase 2.2: the i-th and \(i'\)-th edges are in the same tree in \(\mathcal {G} (\tau )\) and adjacent. Then we have \(x_{b}^{(i)} \ne x_{b}^{(i')}\) and thus \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\), following a case study that is the same as in Subcase 1.2.

Subcase 2.3: the i-th and \(i'\)-th edges are not adjacent in \(\mathcal {G} (\tau )\) but in the same directed path. Let \(\Big ( \big ( (x_0^{(j_\ell )},x_1^{(j_\ell )},\ldots ,x_{b-1}^{(j_\ell )}),(x_{b+1}^{(j_\ell )},\ldots ,x_{2b-1}^{(j_\ell )},x_{2b}^{(j_\ell )}), x_b^{(j_\ell )}, d^{(j_\ell )} \big ) \Big )_{\ell = 1,\ldots ,s}\) be the path with \(j_s = i\) (recall that \(i > i'\)), and let \(j_t = i'\) (where \(t < s - 1\)). Since \(d^{(j_s)} = d^{(i)} = \leftarrow \), this means its “previous” edge (the \(j_{s-1}\)-th edge) in the path has:

  • \(d^{(j_{s-1})} = \rightarrow \) and \(j_{s-1} > j_t\) (by \(s - 1 > t\) and by Lemma 3), and

  • \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\) (since they are adjacent and \(d^{(j_s)} = d^{(i)} = \leftarrow \)).

By these, it holds \(x_{b+1}^{(j_s)} = x_{b+1}^{(j_{s-1})} \ne x_{b+1}^{(j_t)},\ldots ,x_{2b-1}^{(j_s)}=x_{2b-1}^{(j_{s-1})} \ne x_{2b-1}^{(j_t)}\) by \(\lnot \text {(B-1)} \). This implies \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\) in this subcase.

Subcase 2.4: the i-th and \(i'\)-th edges are not adjacent in \(\mathcal {G} (\tau )\) and are in distinct directed paths. Let \(\Big ( \big ( (x_0^{(j_\ell )},\ldots ,x_{b-1}^{(j_\ell )}),(x_{b+1}^{(j_\ell )},\ldots ,x_{2b}^{(j_\ell )}), x_b^{(j_\ell )}, d^{(j_\ell )} \big ) \Big )_{\ell = 1,\ldots ,s}\) and \(\Big ( \big ( (x_0^{(j_\ell ')},\ldots ,x_{b-1}^{(j_\ell ')}),(x_{b+1}^{(j_\ell ')},\ldots ,x_{2b}^{(j_\ell ')}), x_b^{(j_\ell ')}, d^{(j_\ell ')} \big ) \Big )_{\ell = 1,\ldots ,t}\) be the two paths ending at the i-th and \(i'\)-th edges respectively (i.e., \(j_s = i\) and \(j_t' = i'\)). Since the two paths are in the same tree, it holds either \((x_1^{(j_1)},\ldots ,x_{b-1}^{(j_1)})=(x_1^{(j_1')},\ldots ,x_{b-1}^{(j_1')})\) is the root of the tree or \((x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)}) = (x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')})\) is the root. Since the two edges are not adjacent, it holds either \(s > 1\) or \(t > 1\). By these, we distinguish seven subcases (which are symmetrical to the subcases in Subcase 1.4) as follows.

First, Subcases 2.4.1.a–2.4.1.c address the cases of \((x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')})\) and \(d^{(i')} = \leftarrow \) (which are symmetrical to Subcases 1.4.1.a–1.4.1.c). Discussions further distinguish whether s or t equals 1.

Subcase 2.4.1.a: \((x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')})\), \(d^{(i')} = \leftarrow \) and \(t=1\) (which means \(s>1\)). This subcase resembles Subcase 1.4.1.a by symmetry. By Lemma 3, it holds \(s \ge 3\). In addition, for the \(j_{s-1}\)-th record \(\big ( (x_0^{(j_{s-1})},\ldots ,x_{b-1}^{(j_{s-1})}),(x_{b+1}^{(j_{s-1})},\ldots ,x_{2b}^{(j_{s-1})}), x_b^{(j_{s-1})}, d^{(j_{s-1})} \big )\) it holds \(d^{(j_{s-1})} = \rightarrow \) and \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\). Moreover, since \(s \ge 3\), it holds \(j_{s-1} \ne j_1'\). By this, it holds

$$\begin{aligned} x_{b+1}^{(i)} = x_{b+1}^{(j_{s-1})} \ne x_{b+1}^{(i')} = x_{b+1}^{(j_1')},\ldots , x_{2b-1}^{(i)} = x_{2b-1}^{(j_{s-1})} \ne x_{2b-1}^{(i')} = x_{2b-1}^{(j_1')} \end{aligned}$$

by \(\lnot \text {(B-1)} \). This implies \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\) in this subcase.

Subcase 2.4.1.b: \((x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')})\), \(d^{(i')} = \leftarrow \) and \(s=1\) (which means \(t>1\)). It holds \(t \ge 3\) by Lemma 3, and \(d^{(j_{t-1}')} = \rightarrow \) and \((x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(j_{t-1}')}) = (x_{b+1}^{(j_t')},\ldots ,x_{2b-1}^{(j_t')})\) for the record \(\big ( (x_0^{(j_{t-1}')},x_1^{(j_{t-1}')},\ldots ,x_{b-1}^{(j_{t-1}')}),(x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(j_{t-1}')},x_{2b}^{(j_{t-1}')}), x_b^{(j_{t-1}')}, d^{(j_{t-1}')} \big )\). Moreover, since \(t \ge 3\), it holds \(j_{t-1}' \ne j_1\). By this, \(\lnot \text {(B-1)} \) implies \(x_{b+1}^{(i')} = x_{b+1}^{(j_{t-1}')} \ne x_{b+1}^{(i)} = x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(i')} = x_{2b-1}^{(j_{t-1}')} \ne x_{2b-1}^{(i)} = x_{2b-1}^{(j_1)}\), and thus \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\).

Subcase 2.4.1.c: \((x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')})\), \(d^{(i')} = \leftarrow \), \(s>1\) and \(t>1\). By Lemma 3, it holds \(s \ge 3\) and \(t \ge 3\). In addition:

  • For the \(j_{s-1}\)-th record \(\big ( (x_0^{(j_{s-1})},\ldots ,x_{b-1}^{(j_{s-1})}),(x_{b+1}^{(j_{s-1})},\ldots ,x_{2b}^{(j_{s-1})}), x_b^{(j_{s-1})}, d^{(j_{s-1})} \big )\) it holds \(d^{(j_{s-1})} = \rightarrow \) and \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\);

  • For the \(j_{t-1}'\)-th record \(\big ( (x_0^{(j_{t-1}')},\ldots ,x_{b-1}^{(j_{t-1}')}),(x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b}^{(j_{t-1}')}), x_b^{(j_{t-1}')}, d^{(j_{t-1}')} \big )\) it holds \(d^{(j_{t-1}')} = \rightarrow \) and \((x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(j_{t-1}')}) = (x_{b+1}^{(j_t')},\ldots ,x_{2b-1}^{(j_t')})\).

Moreover, since \(s \ge 3\) and \(t \ge 3\), it holds \(j_{s-1} \ne j_{t-1}'\). By this, it holds \(x_{b+1}^{(i)} = x_{b+1}^{(j_{s-1})} \ne x_{b+1}^{(i')} = x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(i)} = x_{2b-1}^{(j_{s-1})} \ne x_{2b-1}^{(i')} = x_{2b-1}^{(j_{t-1}')}\) by \(\lnot \text {(B-1)} \), regardless of whether \(j_{s-1} > j_{t-1}'\) or \(j_{s-1} < j_{t-1}'\). This implies \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\) in this subcase.

Second, Subcases 2.4.2.a and 2.4.2.b address the subcases with \((x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')})\) and \(d^{(i')} = \rightarrow \). Discussions further distinguish whether s or t equals 1.

Subcase 2.4.2.a: \((x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')})\), \(d^{(i')} = \rightarrow \) and \(s=1\). By Lemma 3, it holds \(t \ge 2\). Lemma 3 also implies \(j_t' > j_1'\). By this, it holds \(x_{b+1}^{(j_1)} = x_{b+1}^{(j_1')} \ne x_{b+1}^{(j_t')},\ldots ,x_{2b-1}^{(j_1)} = x_{2b-1}^{(j_1')} \ne x_{2b-1}^{(j_t')}\) by \(\lnot \text {(B-1)} \), and thus \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\).

Subcase 2.4.2.b: \((x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')})\), \(d^{(i')} = \rightarrow \) and \(s>1\). By Lemma 3, it holds \(s \ge 3\) and \(t \ge 2\). In addition, it holds \(d^{(j_{s-1})} = \rightarrow \) and \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\) for the record \(\big ( (x_0^{(j_{s-1})},\ldots ,x_{b-1}^{(j_{s-1})}),(x_{b+1}^{(j_{s-1})},\ldots ,x_{2b}^{(j_{s-1})}), x_b^{(j_{s-1})}, d^{(j_{s-1})} \big )\). By this, it holds \(x_{b+1}^{(j_{s-1})} \ne x_{b+1}^{(j_t')},\ldots ,x_{2b-1}^{(j_{s-1})} \ne x_{2b-1}^{(j_t')}\) by \(\lnot \text {(B-1)} \), regardless of whether \(j_{s-1} > j_t'\) or \(j_{s-1} < j_t'\), and thus \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\).

Third, Subcase 2.4.3 considers \((x_1^{(j_1)},\ldots ,x_{b-1}^{(j_1)}) = (x_1^{(j_1')},\ldots ,x_{b-1}^{(j_1')})\) and \(d^{(i')} = \leftarrow \).

Subcase 2.4.3: \((x_1^{(j_1)},\ldots ,x_{b-1}^{(j_1)}) = (x_1^{(j_1')},\ldots ,x_{b-1}^{(j_1')})\) and \(d^{(i')} = \leftarrow \). By Lemma 3, it holds \(s \ge 2\) and \(t \ge 2\). This means:

  • For the \(j_{s-1}\)-th record \(\big ( (x_0^{(j_{s-1})},\ldots ,x_{b-1}^{(j_{s-1})}),(x_{b+1}^{(j_{s-1})},\ldots ,x_{2b}^{(j_{s-1})}), x_b^{(j_{s-1})}, d^{(j_{s-1})} \big )\) it holds \(d^{(j_{s-1})} = \rightarrow \) and \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\);

  • For the \(j_{t-1}'\)-th record \(\big ( (x_0^{(j_{t-1}')},\ldots ,x_{b-1}^{(j_{t-1}')}),(x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b}^{(j_{t-1}')}), x_b^{(j_{t-1}')}, d^{(j_{t-1}')} \big )\) it holds \(d^{(j_{t-1}')} = \rightarrow \) and \((x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(j_{t-1}')}) = (x_{b+1}^{(j_t')},\ldots ,x_{2b-1}^{(j_t')})\).

Moreover, since \(s \ge 2\) and \(t \ge 2\), it holds \(j_{s-1} \ne j_{t-1}'\). By this, it holds \(x_{b+1}^{(j_{s-1})} \ne x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(j_{s-1})} \ne x_{2b-1}^{(j_{t-1}')}\) (and further \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\)) by \(\lnot \text {(B-1)} \), regardless of whether \(j_{s-1} > j_{t-1}'\) or \(j_{s-1} < j_{t-1}'\).

The final subcase considers \((x_1^{(j_1)},\ldots ,x_{b-1}^{(j_1)}) = (x_1^{(j_1')},\ldots ,x_{b-1}^{(j_1')})\) and \(d^{(i')} = \rightarrow \).

Subcase 2.4.4: \((x_1^{(j_1)},\ldots ,x_{b-1}^{(j_1)}) = (x_1^{(j_1')},\ldots ,x_{b-1}^{(j_1')})\) and \(d^{(i')} = \rightarrow \). Note that \(d^{(i)} = \leftarrow \) implies \(s \ge 2\). For the \(j_{s-1}\)-th record \(\big ( (x_0^{(j_{s-1})},\ldots ,x_{b-1}^{(j_{s-1})}),(x_{b+1}^{(j_{s-1})},\ldots ,x_{2b}^{(j_{s-1})}), x_b^{(j_{s-1})}, d^{(j_{s-1})} \big )\) it holds \(d^{(j_{s-1})} = \rightarrow \) and \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\). By this, it holds \(x_{b+1}^{(j_{s-1})} \ne x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_{s-1})} \ne x_{2b-1}^{(j_1')}\) by \(\lnot \text {(B-1)} \), regardless of whether \(j_{s-1} > j_1'\) or \(j_{s-1} < j_1'\). This implies \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\) in this subcase.

Summary for Subcase 2.4. In summary, when \(d^{(i)} = \leftarrow \) and the i-th and \(i'\)-th edges are not adjacent in \(\mathcal {G} (\tau )\) and are in distinct directed paths (and \(\tau \) is good), it always holds \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\).

Cite this article

Guo, C., Song, L. CCA security for contracting (quasi-)Feistel constructions with tight round complexity. Des. Codes Cryptogr. (2024). https://doi.org/10.1007/s10623-024-01394-x
