Block Cipher in the Ideal Cipher Model: A Dedicated Permutation Modeled as a Black-Box Public Random Permutation

1. Introduction

A block cipher encryption design is called beyond birthday bound (BBB) secure if the proven upper bound on the adversarial advantage is meaningful even if an adversary can process more than $2^{n/2}$ data blocks, where $n$ is the size of the block of a block cipher. The first time, Iwata proposed a BBB encryption mode cipher-based encryption (CENC) [1]. This was nonce based construction providing a solution through the invocation of more than one block cipher and simple XOR operation and achieved $2^{2n/3}$ security against all nonce respecting adversaries. Later on, Iwata proved CENC construction based on mirror theory technique [2], and achieved optimal security [3]. Bhattacharya and Nandi also gave the BBB security of CENC by analyzing the security bound of variable output length using the chi-squared method.

1.1. Pseudorandom Permutation and Pseudorandom Function with BBB

The conventional approach for designing the cryptography primitives based on symmetric cipher is to behave as a perfectly random function. The vast majority, in this case, is an encryption scheme [4], MAC encryption schemes [5,6], and authenticated encryption schemes [7], following this paradigm via pseudorandom functions (PRF). Patarin suggested the construction of permutation sum and proved that a variant of single permutation indistinguishable from a random function up to BBB [8]. In 2003, Patarin gave the result $2^{2n/3}$ security [9], like so, in 2005, achieved up to this security bound [10,11]. However, the PRF provides a solution for increasing the use of cryptography in a real-world application. The pseudorandom permutation (PRP) is the leading building block of the cryptographic design in spite of PRF [12,13,14,15]. If a block cipher is directly implemented as a PRF, which will have provable security limit birthday bound with a large block, this is often acceptable. But it is not acceptable in practice with a lightweight block cipher, which has relatively small block sizes. The PRF can be replaced by a PRP up to birthday bound queries [16,17,18,19]. Moreover, if the block size of a block cipher is large enough, then the security loss is sometimes acceptable. Whatever, there are many scenarios, such as lightweight applications, whose numbers have grown tremendously before some years that require higher security bound [20,21,22,23,24,25,26]. In recent years, various constructions have been proposed that achieve BBB security against more than $2^{n/2}$ queries. We could categorize these constructions into XOR permutations based and truncation based. The XOR permutations is popular for BBB construction by taking the XOR of more than one independent PRP [20].

$$XO{R}_{E_{k_1},E_{k_2}}\left(x\right)=E_{k_1}\left(x\right)\oplus E_{k_2}\left(x\right)$$

This construction was analyzed by Lucks [21]. The single key variant of this construction provides the security up to $2^{2n/3}$ queries [27]. After that, Patarin revised this construction and improved the security bound up to $2^{n/67}$ [28]. Later on, the results were generated by more than two independent PRP with XOR operation [29]. Dai et al. [30] using the chi-squared method verified the $n-bit$ security of XOR construction, but the original proof was provided by Bhattacharya and Nandi [31]. The XOR construction is acceptable for encryption, but it is not usable for authentication, because domain size is required to extend. This can be solved through hashing the message, but the XOR construction needs some precise combination with a double block hash function [32,33,34]. The truncation based solution was presented by Hall et al. [17]. Later on, it was proved that truncating $n-bit$ permutation has security bound up to $2^{2n/3}$ queries [35]. Stam also derived these results in a non-cryptographic context [27]. Recently, another construction was proposed, which is known as Encrypted Davies Meyer (EDM) introduced by Cogliati and Seurin [36].

$$ED{M}_{E_{k_1}, E_{k_2}}\left(x\right)=E_{k_2}(E_{k_1}\left(x\right)\oplus x)$$

There are two independent permutations and it behaves like random function up to $q^3/2^{2n}$ [36]. Afterward, Dai et al. [30] achieved $q^4/2^{3n}$ using the chi-squared method. Now, a novel construction EDMD improved the security up to $2^n/67n$ by using mirror theory technique, which has almost an optimal security [37].

$$EDM{D}_{E_{k_1}, E_{k_2}}\left(x\right)=E_{k_2}(E_{k_1}\left(x\right))\oplus E_{k_1}\left(x\right)$$

Two independent keys are required for EDMD. The single key setting is significant for higher security bound and efficient construction, which was also performed in our construction. Anyways, this construction secures up to $q/2^{2n/3}$. Cogliati and Seurin also extended the EDMD construction called encrypted Wegman carter with davies meyer (EWCDM), which is nonce based BBB secure.

$$EWCD{M}_{E_{k_1}, E_{k_2},H_{k_h}}\left(N,M\right)=E_{k_2}(E_{k_1}\left(N\right)\oplus N\oplus H_K\left(M\right))$$

where, $H_K$ is a universal hash function, $N$ denote the nonce, and $M$ denote the message, which has an arbitrary length. The EWCDM achieved $BBB$ up to $2^{2n/3}$ MAC queries when it has nonce respecting setting. The use of internal state values of EWCDM construction makes their security analysis formally inapplicable [37]. Mennink presented the rationale relying on the EWCDM function, and simplified versions of the conversion method applied to the advanced encryption scheme (AES) [38]. The main proposal of AES-PRF, the AES with a feed forward of the middle state, achieved almost no optimal security. This construction was applied to GCM and GCM-SIV, and how it entails the significant security improvements was discussed. A little while back, Mennink presented a heuristic study to build BBB secure from public random permutation, showing that a single permutation call could not be secured BBB [39].

The above discussion shows that what to be tackled in PRF for BBB and where the goal is to build PRF, so that it is indistinguishable from a truly random function. However, our study aimed to build block cipher in the ideal cipher model, under the assumption that the block cipher is a PRP out of PRF, achieving full security. Moreover, the sum of even mansour (SoEM) construction achieves BBB up to $2^{2n/3}$, that is built from two randomly drawn keys and two independent permutations; if either keys or permutations are identical, then there is a birthday bound attack.

1.2. Our Construction

In this paper, we focused on a block cipher design based on a single key, which achieved BBB up to $2^n$ security. The main motivation is by the scenarios where the block cipher only has block size of $32-bit, 48-bit,$and $64-bit$ [40]. The target construction of block cipher depicted in Figure 1, defined as $\mathbb{E}\left[s\right]:K \times P\to P$, consists of two block cipher invocations and additional simple XOR operation. Furthermore, a heuristic approach is carried out to examine the instances of $\mathbb{E}\left[s\right]$ and, at last, $E1- E32$ efficient construction is successfully found. In detail, the first invoke of block cipher produces a subkey $y$ from the secret key $k$ such that $y=E\left(k,0\right)$, $y=E\left(0,k\right)$, and $y=E\left(k,k\right)$. The second invoke of a block cipher encrypt and decrypt the plaintext $p$ and ciphertext $c,$ respectively, with a key $k$ or $k\oplus \mathrm{y}$. However, we stress that the first block cipher invocation is precomputing and storing the subkey $y$. Thus, our design only requires one invocation of a block cipher for encryption and decryption when the subkey $y$ is precomputed and stored. We have designed this construction in the ideal cipher model that has the main advantage of provable security up to $2^n$. The previously available block cipher has maximum provable security up to $2^{2n/3}$. From the efficiency point of view, previous constructions required more than one key, $s>2$ block cipher invocations [20,36], and universal hash function invocations; in the absence of these, their efficiency needed to be increased. The minimum number of block cipher invocation with a single key is good for efficiency. Our design requires just a single secret key and one block cipher invocation for encryption and decryption when the subkey is precomputed and stored.

2. Preliminaries

2.1. Notations

The ${\left\{0,1\right\}}^n$ denotes the set of bit strings of length $n$. We denote the bitwise addition $a\oplus b$, where $a,b \in {\left\{0,1\right\}}^n$. The $Y\leftarrow Z$ is the assignment of $Z$ to the variable $Y$. The $x\stackrel{\$}{\leftarrow }X$ denotes the uniform random selection of $x$ from $X$. The $\left|X\right|$ denotes the number of elements in $X$. Let $a\in \left\{0, 1\right\}$ and $b \in \left\{0 , 1\right\},$ $a.b$denotes the multiplication of $a$ and $b$, if $a=1,$ then it is equal to $b$, and if $a=0,$ then $a.b$ equals to 0. The block cipher denotes as $E:K \times P\to P,$ where $P$ is a plaintext/message space, $K$ is the key space. Throughout the paper, we have fixed $K=P={\left\{0,1\right\}}^n$. Let $E\left(k,·\right)$ and $E^{-1}\left(k,·\right)$ denote the encryption and decryption, respectively, with a secret key $k\in K$. Let $E^{\pm }\left(k,·\right)$ involves $E\left(k,·\right)$ and $E^{-1}\left(k,·\right)$. Sometimes, we denote $E\left(k,·\right)$ as $E_k(·)$, $E^{-1}\left(k,·\right)$ as $E_k^{-1}(·)$, and $E^{\pm }\left(k,·\right)$ as $E_k(·)$ and $E_k^{-1}(·),$ respectively. The $\left(u,w\right)$ are the input and output tuple of $E$ such that $w=E\left(u\right)$. The input-output tuple of $E_k$ is denoted as $\left(p,c\right)$ such that $E_k\left(p\right)=c$. Let $Perm\left(n\right)$ denote the set of all permutations on ${\left\{0,1\right\}}^n$. The function $\pi$ is said to be an $\mathrm{ideal} \mathrm{cipher} \mathrm{model}$ if randomly selected that is $\pi \stackrel{R}{\leftarrow }Perm\left(n\right)$. Similarly, we define these notations$\pi \left(·,·\right)$, ${\pi }^{-1}\left(·,·\right)$, and ${\pi }^{\pm }\left(·,·\right),$ respectively.

2.2. Security Definition

A computationally unbounded distinguisher $D$ is an algorithm that has adaptive access to an oracle and outputs a $\mathrm{bit} 0 \mathrm{or} 1$. Let the two oracles $O_1$ and $O_2$ have the same interface, we can get the distinguishing advantage of $D$ as follows.

$$Adv\left(D\right)=\mathrm{Pr}[D^{O_1}\Rightarrow 1]- \mathrm{Pr}[\mathrm{Pr}[D^{O_2}\Rightarrow 1]$$

A block cipher with a key space $K$ and message space $P$ is a mapping $E:K \times P\to P$ such that for all key $k\in K$. The $E\left(K,P\right)$ is a permutation over $P$. We denote $E_k\left(P\right)$ for $E\left(K,P\right)$. The distinguisher $D$ is having query access to $(O_1,E^{\pm })$: $O_1$ is either $E_k^{\pm }\left(·,·\right)$ with $k\stackrel{\$}{\leftarrow }K$ or $\pi \stackrel{\$}{\leftarrow }Perm$. The $E^{\pm }$ is an underlying block cipher. The advantage of distinguisher $D$ in distinguishing $E$ and $\pi$ is defined as.

$$Ad{v}_E^{prp}\left(D\right)=\left|\mathrm{Pr}\left[D^{E_k^{\pm }\left(·,·\right),E^{\pm }\left(·,·\right)}\Rightarrow 1\right]-\mathrm{Pr}\left[D^{{\pi }^{\pm }\left(·,·\right),E^{\pm }\left(·,·\right)}\Rightarrow 1\right]\right|$$

Throughout this paper, we considered information as theoretical with computationally unbounded distinguishers $D$ sorely limited by the number of queries to the oracle. Overall, maximum is taken by distinguisher$D$ that makes at most $q$ queries to its $\mathrm{oracles}$.

$$Ad{v}_E^{prp}\left(q\right)=ma{x}_D\left\{Ad{v}_E^{prp}\left(D\right)\right\}$$

2.3. H-Coefficient Technique

Central to our proof is a H-Coefficient technique presented by Patarin [8,41]. As mentioned above, we considered the information as theoretical, with computationally unbounded distinguisher $D$. Thus, we always assumed that distinguisher $D$ is deterministic without the loss of generality. Let distinguisher $D$ interacts with $O_1$ and $O_2$. The interaction of $D$ with its oracles are recorded in a view $v$. The $X_{O_2}$ is the probability distribution of $v$ when distinguisher $D$ interacts with $O_2$. The $V$ is the set of all attainable views $v$ when $D$ interacting with $O_2$, which is $V=\left\{ v|\mathrm{Pr}\left[ X_{O_2}=v\right]>0 \right\}$. The H-Coefficient technique states as follows:

Let $0\le \epsilon \le 1$. Consider a partition $V=V_{good}\cup V_{bad}$ set of attainable view such that:

• $\mathrm{Pr}\left[ X_{O_2}\in V_{bad}\right]$
• $for all v\in V_{good},$$\frac{\mathrm{Pr}\left[ X_{O_1}=v\right]}{\mathrm{Pr}\left[ X_{O_2}=v\right]}\ge 1-\epsilon$

Then, the distinguishing advantage satisfies

$$Adv\left(D\right)\le \mathrm{Pr}\left[ X_{O_2}\in V_{bad}\right] + \epsilon$$

The core idea of the H-coefficient technique is: a large number of views are almost equally likely in both oracles (real worlds and the ideal world), and the odd ones occur with a small probability. Note that the partitioning of $V$ into$bad$ and $good$ views is directly reflected in the terms $\mathrm{Pr}\left[ X_{O_2}\in V_{bad}\right]$ and $\epsilon$ in the bound: if $V_{good}$ is too large, $\epsilon$ will $\mathrm{become}$ $\mathrm{large}$, whereas if $V_{bad}$ is too large, $\mathrm{Pr}\left[ X_{O_2}\in V_{bad}\right]$ will become $\mathrm{large}$.

3. Construction Limitations

In this section, we will discuss the construction limitations of secure block cipher in the ideal cipher model, which is built on dedicated block cipher invocations and simple XOR operation. The $XOR$ operation has efficiency benefits. The target construction is denoted as $\mathbb{E}\left[s\right]$ and is built on $s$ block cipher invocations. Let $E$ denote the underlying block cipher with $n-bit$ block size and $n-bit$. key size. Let p, $c$, and $k$ denote the plaintext, ciphertext, and key, respectively, where all have $n-bit$ size. Let $a_{i,j}$ and $b_{i,j}$ be $\mathrm{one} \mathrm{bit}$ variable of being$0$ or $1$, where $1\le i\le s + 1$ and $1\le j\le i + 2$. The encryption of $\mathbb{E}\left[s\right]$ is shown in Algorithm 1. The target construction $\mathbb{E}\left[s\right]$ is depicted in Figure 1. In detail, this is a graphical view from which we would acquire the resultant block cipher construction. Moreover, all the $s$ block cipher invocations are involved in the computation of the ciphertext $c$. The ciphertext $c$ must be invertible and efficiently decrypted from plaintext $p$ and key $k$. There are some limitations for $\mathbb{E}\left[s\right]$ to achieve our goal:

The plaintext $p$ should be involved in exactly one $XOR$ operation. The $p$ involves in XOR operation, which gives $x_i$ and corresponding $y_i$. So, both outputs ($x_i$ and $y_i$) are called plaintext dependent variable. On the other side, if a variable $y_i$ is used to compute another variable $x_{j,}$ which depends on $y_i$, then $x_j$ and corresponding $y_j$ would also be plaintext dependent variable. So, we cannot use plaintext dependent variable to produce any $\mathrm{key}$ or $\mathrm{subkey}$, otherwise, constructions will not be efficient.

There should be at most one plaintext dependent variable produced from the XOR operation. Otherwise, the decryption process cannot efficiently decrypt because there is more than one variable.

If we summarize and satisfy the above limitations, then $\mathbb{E}\left[s\right]$ can be an efficient block cipher construction. Moreover, an additional condition is also necessary for efficiency and security. Our $\mathrm{first}$ goal is to achieve $\mathrm{full}$ ($2^n$) $\mathrm{provable} \sec \mathrm{urity}$. The target construction is important to achieve the goal. Nowadays, $AES$ and $SIMON$ block cipher is utilized in various applications of different block sizes, such as $128-bit$ and $64-bit$. In some environments, the block size of $\mathrm{lightweight}$ block ciphers can be even shorter. Thus, block cipher construction with a simply birthday bound security may not be suitable for various applications. Therefore, another construction which provide higher security is definitely necessary. Particularly, for application design, a block cipher with full security is surely an interesting research $\mathrm{topic}$. Our second goal is the efficiency, we invoke two block cipher because minimum number of block cipher invocation led to concern about high efficiency. It is well known that block cipher invocations are much more time consuming than XOR operation. So, the efficiency reduces due to a number of block cipher invocation. But, besides this, we aimed to achieve perfect efficiency under the condition of no security sacrifices, i.e., eliminating the unnecessary input variables. In fact, this is also a reason in our target construction having simple XOR operation and only necessary input variables. Algorithm 1 is shown as follow:

Algorithm 1$\mathbb{E}\left[\mathit{s}\right]\left(·,·\right)$

input:$\mathit{k}, \mathit{p}, \mathit{E}\left(·,·\right), \mathit{v}\mathit{a}\mathit{i}\mathit{a}\mathit{b}\mathit{l}\mathit{e}\mathit{s} {\mathit{a}}_{\mathit{i},\mathit{j}} \mathit{a}\mathit{n}\mathit{d} {\mathit{b}}_{\mathit{i},\mathit{j}}$

Output: $\mathit{c}\mathit{i}\mathit{p}\mathit{h}\mathit{e}\mathit{r}\mathit{t}\mathit{e}\mathit{x}\mathit{t} {\mathit{x}}_1={\mathit{a}}_{1,1}.\mathit{k}, {\mathit{b}}_{1,1}.\mathit{k}\oplus {\mathit{b}}_{1,2}.\mathit{p}$

${\mathit{x}}_1={\mathit{a}}_{1,1}.\mathit{k}, {\mathit{b}}_{1,1}.\mathit{k}\oplus {\mathit{b}}_{1,2}.\mathit{p}$ $\mathit{f}\mathit{o}\mathit{r} \mathit{i}=1 \mathit{t}\mathit{o} \mathit{s}-1, \mathbf{do}$ ${\mathit{y}}_{\mathit{i}}=\mathit{E}\left({\mathit{a}}_{1,1}.\mathit{k},{\mathit{x}}_{\mathit{i}}\right)$ ${\mathit{x}}_{\mathit{i}+1}= {\mathit{a}}_{\mathit{i}\oplus 1,1}.\mathit{k}\oplus {\displaystyle \sum }_{\mathit{j}=2}^{\mathbf{i}+1}{\mathit{a}}_{\mathit{i}\oplus 1,\mathit{j}}.{\mathit{y}}_{\mathit{j}-1},{\mathit{b}}_{\mathit{i}\oplus 1,1}.\mathit{k}\oplus {\mathit{b}}_{\mathit{i}\oplus 1,2}.\mathit{p}\oplus {\displaystyle \sum }_{\mathit{j}=3}^{\mathbf{i}+2}{\mathit{b}}_{\mathit{i}\oplus 1,\mathit{j}}.{\mathit{y}}_{\mathit{j}-2}$ end for ${\mathit{y}}_{\mathit{s}}=\mathit{E}\left({\mathit{k}}_{\mathit{s}},{\mathit{x}}_{\mathit{s}}\right)$ $\mathit{c}= {\mathit{b}}_{\mathit{s}\oplus 1,1}.\mathit{k}\oplus {\mathit{b}}_{\mathit{s}\oplus 1,2}.\mathit{k}\oplus {\displaystyle \sum }_{\mathit{j}=3}^{\mathit{s}+2}{\mathit{b}}_{\mathit{s}\oplus 1,\mathit{j}}.{\mathit{y}}_{\mathit{j}-2}$ return ciphertext c

In order to achieve the above goals among the instances of target construction, we adopted a heuristic approach. For the instances of $\mathbb{E}\left[s\right]$, we invoked only two block cipher to achieve $2^n$ provable security because $s=1$ for instances of $\mathbb{E}\left[s\right]$ had most $2^{n/2}$ security. Thus, at least two block cipher invocations are required to bypass the birthday bound barrier.

We continued to examine the instances of $\mathbb{E}\left[2\right]$ and would not analyze the $\mathbb{E}[s>2]$ instances unless investigated all the instances of $\mathbb{E}\left[2\right]$ and none of them achieve $2^n$ security. In fact, if some instances of $\mathbb{E}\left[2\right]$ achieves $2^n$ security, then there is no need to examine the other instances of $\mathbb{E}\left[2\right]$. To follow the above strategy, we analyzed the target construction $\mathbb{E}\left[\mathrm{s}\right]$ and found 32 instances with $2^n$ provable security.

3.1. $\mathbb{E}\left[2\right]$ Instances

According to the previous discussion, the plaintext $p$ should be involved in exactly one XOR operation. There should be, at most, one plaintext dependent variable produced from the XOR operation. Otherwise, the decryption process cannot efficiently decrypt because there exists more than one variable. The plaintext dependent variable cannot be used to produce any key-value; otherwise, constructions will not be efficient. Following this strategy, we divided $\mathbb{E}\left[2\right]$ instances into three types on the basis of when plaintext $p$ is XOR to compute $x_i$ and $c,$ respectively.

• Type 1 instances: when $p$ is XOR to compute $x_1$
• Type 2 instances: when $p$ is XOR to compute $x_2$
• Type 3 instances: when $p$ is XOR to compute $c$

3.1.1. Type 1 Instances

According to the above limitation, the $\mathrm{plaintext} \mathrm{dependent} \mathrm{variables}$ cannot be used to produce key value, so, $a_{2,2}=0$. The plaintext $p$ should be involved in exactly one XOR operation, so, $b_{2,2}=0$ and $b_{3,2}=0$. We set $b_{2,3}=1$, which is the first block cipher invocation, and set $b_{3,4}=1,$ which is second block cipher invocation. If $b_{2,3}=0$, it means two block ciphers’ invocations are parallel, and these instances are involved in type 2. It also shows that $x_2$ and $y_2$ are plaintext variables. Then, we set $b_{3,3}=0$ because $y_2$ is already used as a plaintext dependent variable. All of these simplified constructions of type 1 are shown in Figure 2. We examined the instances of type 1, and ciphertext is computed as follows.

$$c=E\left(a_{2,1}.k, x_2\right)\oplus b_{3,1}.k$$

Instances with one block cipher Invocation of type 1.

We would show that any instance that makes only one block cipher invocation of type 1 construction could not achieve $BBB$ security. Let $E:{\left\{0,1\right\}}^n \times {\left\{0,1\right\}}^n\to {\left\{0,1\right\}}^n$ be a block cipher, shown in Figure 3. We showed that there exists a distinguisher $D$ that can distinguish any such block cipher from $\mathrm{random} \mathrm{permutation}$ using at most $2^{n/2}$ queries.

● When $a_{1,1}=0$ and $b_{1,1}=1$.

In this case, we can see the input or output of $E$ is not related to $p$ or $c$. When $b_{1,2}=0$, then distinguisher $D$ selects arbitrary $p$ and $p^{\prime }$ to get $c$ and $c^{\prime }$. If the event $c=c^{\prime }$ occurs, then output is 1; otherwise, it is 0. The success probability of $D$ is 1 when interacts with $1-2^{-n}$. The results are similar for $b_{2,3}=0$.

● When $a_{1,1}=0$ and $b_{1,1}=0$.

In this case, we can see the input or output of $E$ is independent of the key. When $b_{1,2}=1$, the distinguisher $D$ selects arbitrary $x_1$ and $x_1^{\prime }$ to get $y_1$ and $y_1^{\prime };$ then, it puts $p=b_{1,2}^{-1}{x}_1$ and $p^{\prime }=b_{1,2}^{-1}{x}_1^{\prime }$ to get $c$ and $c^{\prime }$. If the event occurs, then output is 1, otherwise 0.

$$Event=\{\begin{array}{c}c\oplus c^{\prime }=b_{2,3}.y_1\oplus b_{2,3}. y_1^{\prime } if b_{2,2}.x_1=0 \\ c\oplus c^{\prime }=b_{2,3}.y_1\oplus b_{2,3}. y_1^{\prime }\oplus x_1\oplus x_1{}^{\prime } if b_{2,2}.x_1\ne 0\end{array}$$

The success probability of $D$ is 1 when interacts with $1-2^{-n}$. Similar is the case for $b_{2,1}=0$.

● When $b_{2,2}=0$.

In this case, there exists a distinguisher $D$, distinguishing the $\mathrm{real} \mathrm{world}$ oracle $\left(E_k^{\pm },E^{\pm }\right)$ from the ideal world oracle $\left({\pi }^{\pm },E^{\pm }\right)$ with some probability. The distinguisher $D$ makes $2^{n/2}$ queries and operates as follows. For $j=1, \dots , 2^{n/2}$, the distinguisher $D$ selects arbitrary $p^{\left(j\right)}$ to get $c^{\left(j\right)}$. If $c^{\left(j\right)}\ne c^{(j^{\prime })}$ for all queries and its indices $j\ne j^{\prime }$, then output 1, otherwise output 0.

At the end of type 1 instances, we can conclude that the plaintext added in the first $XOR$ operation and the output value after the first invocation of block cipher are included in second block cipher invocation as a key that is a $\mathrm{plaintext} \mathrm{dependent} \mathrm{variable}$, so the advantage of the adversary is at most around birthday bound.

3.1.2. Type 2 Instances

Following the construction limitations, set $b_{3,5}=1$. The plaintext $p$ should be involved in exactly one $XOR$ operation, so, $b_{1,2}=0$ and $b_{3,2}=0.$ We set $b_{2,3}=1,$ that is, the first block cipher invocation, and thus, we set $b_{3,4}=1,$ that is, second block cipher invocation. It also shows that $x_1$ and $y_1$ are not plaintext dependent variables. All of these simplified constructions of type 1 are depicted in Figure 4. Here, we examined the type 2 instances. For these instances, we computed ciphertext as follows.

$$c=E\left(a_{2,1}.k\oplus b_{3,3}.y_1, x_2\right)\oplus b_{3,1}.k\oplus b_{3,3}.y_1$$

The first block cipher invocation is $y_1=E\left(a_{1,1}.k,b_{1,1}.k\right)$. Throughout all the instances of type 2, we call $y_1$ as a subkey that is obtained from the secret key $k$ for those instances with $\left(a_{1,1},b_{1,1}\right)\ne \left(0,0\right)$. However, the computation from $p$ to $x_2$ is $x_2=p\oplus b_{2,1}.k\oplus b_{2,3}.y_1,$ and $\Delta x_2=\Delta p$ always holds and $\Delta y_2=\Delta c,$ respectively. Moreover, for any plaintext and ciphertext pair $\left(p,c\right)$ and $\left(p^{\prime },c^{\prime }\right),$ the adversary knows the internal variable differences $\Delta x_2$ and $\Delta y_2$. Therefore, according to the above constraint, we can find some conditions on the type 2 instances to achieve $BBB$.

● When $\left(a_{1,1},b_{1,1}\right)\ne \left(0,0\right)$.

If $\left(a_{1,1},b_{1,1}\right)=\left(0,0\right),$ then it means $y_1=E\left(0,0\right)$. Adversary makes a query $\left(0,0\right)$ to $E\left(·,·\right)$ to get $y_1,$ and the first block cipher invocation kicks off. Then, the instances are based on only a single block cipher invocation in the adversary view. As we discussed in the previous sections, when $s<2$, the construction achieves security up to birthday bound.

● When $\left(a_{2,1},a_{2,2}\right)\ne \left(0,0\right)$.

If $\left(a_{2,1},a_{2,2}\right)=\left(0,0\right),$ then adversary regards $b_{2,1}.k\oplus b_{2,3}.y_1$ and $b_{3,1}.k\oplus b_{3,3}.y_1$. So, the instance gives essentially one step of [42].

● When $\left(b_{2,1},b_{2,3}\right)\ne \left(0,0\right)$.

If $\left(b_{2,1},b_{2,3}\right)=\left(0,0\right),$ then $p=x_2$, i.e., the adversary knows and can control the $x_2$ value. A distinguisher $D$ is launched and fixes two distinct $p$ and $p^{\prime }$. The distinguisher $D$ queries to $\mathbb{E}{\left[2\right]}_k\left(·,·\right)$ and gets ciphertext $c$ and $c^{\prime }$ and stores $\left(c\oplus c^{\prime }\right),$ respectively. The $D$ makes a query for $E\left(·,·\right)$ and receives $\omega$ and $\acute{\omega }$, respectively, and matches $\omega \oplus \acute{ \omega }$ to stored $c\oplus c^{\prime }$. The distinguisher $D$ recovers $a_{2,1}.k\oplus a_{2,2}.y_1.$ For any plaintext-ciphertext pair $\left(p,c\right)$ and $\left(p^{\prime },c^{\prime }\right),$ the distinguisher $D$ can compute $z$ (such that $a_{2,1}.k\oplus a_{2,2}.y_1=z$) and $z^{\prime }$ and query $\left(z,p\right)$ and $(z^{\prime },p^{\prime })$ to $E\left(·,·\right),$ recovering $y_2$ and $y_2^{\prime }$, respectively. So, the output of distinguisher $D$ is 1 if $c\oplus c^{\prime }=y_2\oplus y_2^{\prime }$, otherwise, compute 0. When interacting with $\mathbb{E}\left[2\right],$ then the output of distinguisher $D$ is 1 until it recovers $a_{2,1}.k\oplus a_{2,2}.y_1$. Thus, the success probability is $1-{\left(1-2^{-n}\right)}^{2^n}$.

● When $\left(b_{3,1},b_{3,3}\right)\ne \left(0,0\right)$.

This has a similar analysis which is presented above, where the adversary knows and has control over the value of $y_2$ and he fixes the ciphertext $c$ and $c^{\prime }$ and queries to $\mathbb{E}{\left[2\right]}_k^{-1}\left(·,·\right)$.

● When $\left(b_{2,1},b_{2,3}\right)\ne (a_{2,1},a_{2,2})$.

If $\left(b_{2,1},b_{2,3}\right)=(a_{2,1},a_{2,2}),$ it has $\left(b_{2,1}.k\oplus b_{2,3}.y_1\right)=(a_{2,1}.k\oplus a_{2,2}.y_1)$, which is denoted by $g$ and $x_2\oplus z_2=g\oplus p\oplus g=p$. Thus, the adversary knows and can control $x_2\oplus z$. A distinguisher $D$ is launched and gives queries to $\mathbb{E}{\left[2\right]}_k\left(·,·\right)$ and receives $c$ and $c^{\prime }$ and stores $\left(c\oplus c^{\prime }\right),$ respectively. Moreover, $D$ sends distinct queries to $E\left(·,·\right)$ and receives $\omega$ and $\acute{\omega ,}$ respectively, and stores $(\omega \oplus \acute{ \omega )}$. Then, he matches $(\omega \oplus \acute{ \omega )}$ and $\left(c\oplus c^{\prime }\right)$. The $D$ can compute $x_2$ and $z$ for any plaintext-ciphertext and receive $y_2$ from $E\left(·,·\right)$. Moreover, the distinguisher $D$ just needs to make some extra queries. Thus, the success probability is trivially $1-{\left(1-2^{-n}\right)}^{2^n}$.

● When $\left(b_{3,1},b_{3,3}\right)\ne (a_{2,1},a_{2,2})$.

This is also having a similar analysis as shown above.

Putting all the above properties of type 2 instances together, we got 32 instances, denoted by $E1, E2,\dots , E32$ and depicted in Figure 5. We investigated these constructions and found $2^n$ provable security. We used the H-Coefficient technique for proof, which is discussed in Section 4.

3.1.3. Type 3 Instances

When $p$ is $XOR$ to compute $c$, then $b_{3,2}.p=1$, $b_{1,2}.p=0$, and $b_{2,2}.p=0.$ The constructions of type 3 are depicted in Figure 6. In this construction, it could be seen that $p$ and $c$ are linearly related, and distinguisher $D$ can distinguish by only two queries to $\mathbb{E}{\left[2\right]}_k\left(·,·\right)$ with distinct plaintext $p$ and $p\oplus \Delta ,$ verifying $\Delta c=\Delta$. Hence, the discussion of type 3 instances is omitted here.

4. Security Proof

Let $E1, E2,\dots ,E32$ is any instance, and $E$ is an underlying block cipher. Let there be any distinguisher $D$ that has access to oracles $O_1$ and $O_2,$ either $E_k^{\pm }\left(·,·\right),E^{\pm }\left(·,·\right)$ with $k\stackrel{\$}{\leftarrow }K$ or ${\pi }^{\pm }\left(·,·\right),E^{\pm }\left(·,·\right)$. The distinguisher $D$ is computationally unbounded and deterministic, making $q$ queries when interacting with $O_1$ and $O_2$. We defined distinguisher queries to $O_1$ and $O_2$ as $q_1$ and $q_2,$ respectively: $q=q_1 + q_2$ and do not contain duplicate queries. When distinguisher $D$ interacts with $O_1$ and $O_2,$ the queries response are $v_1=\left\{\left(p_1 , c_1\right), \dots , \left(p_{q_1} , c_{q_1}\right)\right\}$ and $v_2=\left\{\left(u_1,w_1\right), \dots , \left(u_{q_2},w_{q_2}\right)\right\},$ respectively. The $v$ is the view denoting the transcripts, and in the end, the distinguisher $D$ obtains a view $v=\left(v_1,v_2\right)$. The distinguisher $D,$ based on the $v,$ computes its decision bit. Accordingly, the decision $bit$ probability distribution of distinguisher $D$ relies on the probability distribution of $v$. The $X$ and $Y$ are the probability distribution on $v$ when interacts with $(E_k^{\pm }\left(·,·\right),E^{\pm }\left(·,·\right))$ and $\left({\pi }^{\pm }\left(·,·\right),E^{\pm }\left(·,·\right)\right),$ respectively. We used $V$ as an attainable view when $D$ interacts with $O_1$, which is $V=\left\{v|\mathrm{Pr}\left[Y=v\right]>0\right\}$ and $V=V_{good}\cup V_{bad}$. The main goal of the proof is to disclose the subkey $y$ and secret key $k$ after interacting with $O_1$ and $O_2$. In $\left({\pi }^{\pm }\left(·,·\right),E^{\pm }\left(·,·\right)\right)$ as $(O_1$,$O_2)$, we chose $k\stackrel{\$}{\leftarrow }K$ and got corresponding subkey$y$ by querying $E^{\pm }$. The distinguisher $D$ can easily derive query response $\left(u,w\right)$ of $E^{\pm }\left(·,·\right)$ invocations for each query response $\left(p_i,c_i\right)$ in $\mathrm{view} v_1$. The query responses of a block cipher $E$ for each view $v=\left(v_1,v_2\right)\in V$ is divided into three tables. The first one consists of a single query response of block cipher $E$: $T^1=\left\{\left((u_1^1,w_1^1=y\right)\right\}$. The second table consists of the other queries’ responses of block cipher $E$ derived from $v_1$: $T^2=\left\{\left((u_1^2,w_1^2\right), \dots , u_{q_2}^2,w_{q_2}^2\right\}$. The last table consists of all queries’ responses from $v_2:T^3$: $T^3=\left\{\left((u_1^3,w_1^3\right), \dots , u_{q_2}^3,w_{q_2}^3\right\}$.

4.1. Bad Events

$v\in V_{bad}$ if there are following queries: $T^1=\left\{\left((u_1^1,w_1^1=y\right)\right\}$, $T^2=\left\{\left((u_1^2,w_1^2\right), \dots , u_{q_2}^2,w_{q_2}^2\right\},$ and $T^3=\left\{\left((u_1^3,w_1^3\right), \dots , u_{q_2}^3,w_{q_2}^3\right\}$ such that the following condition holds: there exists $(u_j^i,w_j^i)$ in table $T^i$ and $(u_{j^{\prime }}^{i^{\prime }},w_{j^{\prime }}^{i^{\prime }})$ in table ${T^i}^{\prime }$ such that $(u_j^i,w_j^i)$ = $(u_{j^{\prime }}^{i^{\prime }},w_{j^{\prime }}^{i^{\prime }})$ where $i\ne i^{\prime },$ then $v$ causes bad event.

4.2. $Pr\left[Y\in V_{bad}\right]$

According to our construction, we gave here the exact definition of $V_{bad},$ which also ensures the $V_{good}$. The $V_{good}$ does not cause bad event. Here, we defined the $V_{bad}$ of $E1$ only due to the limited space. At least, one event defines the $V_{bad}$ if it exists.

(a)

$\left(p_i,c_i\right)\in v_1$ such that $p_i=y$;

(b)

$\left(p_i,c_i\right)\in v_1$ such that $c_i=k$;

(c)

$\left(p_i,c_i\right)\in v_1$ and $\left(u_j,w_j\right)\in v_2$ such that $(u_j=p_i\oplus \mathrm{y})$

(d)

$\left(p_i,c_i\right)\in v_1$ and $\left(u_j,w_j\right)\in v_2$ such that $(w_j=c_i\oplus y\oplus k)$

The subkey $y$ and secret $k$ are uniformly selected at random from a $\mathrm{set} \mathrm{of}$ size of at least $2^n-q-1$. We get

$$\mathrm{Pr}\left[\left(a\right)\right]\le q/2^n-q-1;$$

$$\mathrm{Pr}\left[\left(b\right)\right]\le q/2^n-q-1;$$

$$\mathrm{Pr}\left[\left(c\right)\right]\le q/2^n-q-1;$$

$$\mathrm{Pr}\left[\left(d\right)\right]\le q/2^n-q-1;$$

Thus, we get

$$\mathrm{Pr}\left[Y\in V_{bad}\right]\le \mathrm{Pr}\left[\left(a\right)\right] + \mathrm{Pr}\left[\left(b\right)\right]+\mathrm{Pr}\left[\left(c\right)\right]+\mathrm{Pr}\left[\left(d\right)\right]$$

Let $q< 2^{n-1}$ and using above values, we get

$$\mathrm{Pr}\left[Y\in V_{bad}\right]\le \frac{4q}{2^{n-1}}$$

4.3. Ratio for $V_{good}$

First of all, $\mathrm{Pr}\left[X=v\right]$. The $X$ is a random variable that is defined on the probability space of all possible underlying block cipher $E$ and all possible secret key $k$. The probability space of $X$ is denoted as $al{l}_X$. Correspondingly, the $\left|al{l}_X\right|$ is equal to $2^n {\left(2^n!\right)}^{ 2^n}$. In $al{l}_X$, an element $\pi$ getting along with $v$ is taken, if $\pi$ gives exactly the same responses for all queries. The $com{p}_X\left(v\right)$ is defined as all the elements in $al{l}_X$ compatible with $v$.

$$\mathrm{Pr}\left[X=v\right]=\frac{\left|com{p}_X\left(v\right)\right|}{al{l}_X}$$

Similarly, $Y$ is defined on the probability space of $E1$, underlying block cipher $E$, and key $k$. On defining $com{p}_X\left(v\right)$ and $al{l}_{Y,}$ respectively, we have

$$\mathrm{Pr}\left[Y=v\right]=\frac{\left|com{p}_Y\left(v\right)\right|}{al{l}_Y}$$

$al{l}_Y$ is $2^n {\left(2^n!\right)}^{ 2^n} {\left(2^n!\right)}^{ 2^n}$, that is the number of keys times, the number of block ciphers. We next computed $\left|com{p}_X\left(v\right)\right|$ and $\left|com{p}_Y\left(v\right)\right|$. We knew that the view $v$ contains the key $k$ value, that is, at the end of the interaction, it is disclosed to distinguisher $D$. A set of input outputs of underlying block cipher $E$ are derived and separately stored in tables $T^1$, $T^2,$ and $T^3$. The number of input-output of $E$ with the key value $i$ is denoted as ${\alpha }_i$ and ${\beta }_i$ in$T^2$ and $T^3,$ respectively, where $0\le i\le 2^n-1$. The ${\gamma }_i$ denotes the number of queries to $O_1$ with key value. There is no collision between any two tables, so $v$ is good. Secondly, the distinguisher $D$ never makes duplicate queries. Therefore, all the inputs and outputs of $E$ in $T^1$, $T^2,$ and $T^3$ are distinct, showing that${ \gamma }_i={\alpha }_i$. The query response $(u_1^1,w_1^1)$ of $E$ in $T^1$ has $u_1^1=k$ or $u_1^1=0$ ($E1 to E20$ have $u_1^1=k$ and others $u_1^1=0$). On assuming $u_1^1=k$, we got

$$\left|com{p}_X\left(v\right)\right|=\left(2^n-{\alpha }_k- {\beta }_k-1\right)!{\displaystyle \prod }_{i=0}^{k-1}\left(2^n-{\alpha }_i- {\beta }_i\right)!{\displaystyle \prod }_{i=k + 1}^{2^n-1}\left(2^n-{\alpha }_i- {\beta }_i\right)!$$

$$\left|com{p}_Y\left(v\right)\right|={\displaystyle \prod }_{i=0}^{2^n-1}\left(2^n-{ \gamma }_i\right)!\left(\left(2^n- {\beta }_k-1\right)!{\displaystyle \prod }_{i=0}^{k-1}\left(2^n- {\beta }_i\right)!{\displaystyle \prod }_{i=k + 1}^{2^n-1}\left(2^n- {\beta }_i\right)!\right)$$

$$={{\displaystyle \prod }}_{i=0}^{2^n-1}\left(2^n-{\alpha }_i\right)!\left(\left(2^n- {\beta }_k-1\right)!{{\displaystyle \prod }}_{i=0}^{k-1}\left(2^n- {\beta }_i\right)!{{\displaystyle \prod }}_{i=k + 1}^{2^n-1}\left(2^n- {\beta }_i\right)!\right)$$

$$=\left(2^n-{\alpha }_k\right)!\left(2^n- {\beta }_k-1\right)!{\displaystyle \prod }_{i=0}^{k-1}\left(2^n-{\alpha }_i\right)!\left(2^n- {\beta }_i\right)!{\displaystyle \prod }_{i=k + 1}^{2^n-1}\left(2^n-{\alpha }_i\right)!\left(2^n- {\beta }_i\right)!$$

From $\left(2^n-\alpha \right)!\left(2^n-\beta \right)!\le \left(2^n-\alpha -\beta \right)!(2^n)!$, we have

$$\left|com{p}_Y\left(v\right)\right|\le \left(2^n-{\alpha }_k- {\beta }_k-1\right)! {(2^n!)}^{2^n}$$

We can compute

$$\begin{gathered} \frac{\left|com{p}_X\left(v\right)\right|}{\left|com{p}_Y\left(v\right)\right|}\ge \frac{\left(2^n-{\alpha }_k- {\beta }_k-1\right)!{\displaystyle \prod }_{i=0}^{k-1}\left(2^n-{\alpha }_i- {\beta }_i\right)!{\displaystyle \prod }_{i=k + 1}^{2^n-1}\left(2^n-{\alpha }_i- {\beta }_i\right)!}{\left(2^n-{\alpha }_k- {\beta }_k-1\right)! {(2^n!)}^{2^n}{\displaystyle \prod }_{i=0}^{k-1}\left(2^n-{\alpha }_i- {\beta }_i\right)!{\displaystyle \prod }_{i=k + 1}^{2^n-1}\left(2^n-{\alpha }_i- {\beta }_i\right)!} \\ =\frac{1}{{(2^n!)}^{2^n}} \end{gathered}$$

Finally, we can compute

$$\frac{\mathrm{Pr}\left[X=v\right]}{\mathrm{Pr}\left[X=v\right]}=\frac{\left|com{p}_X\left(v\right)\right|}{\left|com{p}_Y\left(v\right)\right|}\times \frac{al{l}_Y}{al{l}_X}$$

$$\ge \frac{1}{{(2^n!)}^{2^n}}\times \frac{2^n{(2^n!)}^{2^n}{(2^n!)}^{2^n}}{2^n{(2^n!)}^{2^n}}=1$$

Thus, it gives a ratio for $V_{good}=0$

Combining both 4.2 and 4.3,

$$Ad{v}_{E1}^{prp}\left(q\right)\le \frac{4q}{2^{n-1}}$$