#### 3.1.1. Type 1 Instances

According to the above limitation, the plaintext dependent variables cannot be used to produce the key value, so ${a}_{2,2}=0$. The plaintext $p$ should be involved in exactly one XOR operation, so ${b}_{2,2}=0$ and ${b}_{3,2}=0$. We set ${b}_{2,3}=1$, which is the first block cipher invocation, and set ${b}_{3,4}=1$, which is the second block cipher invocation. If ${b}_{2,3}=0$, the two block cipher invocations are parallel, and these instances are involved in type 2. It also shows that ${x}_{2}$ and ${y}_{2}$ are plaintext variables. Then, we set ${b}_{3,3}=0$ because ${y}_{2}$ is already used as a plaintext dependent variable. All of these simplified constructions of type 1 are shown in Figure 2. We examined the instances of type 1, and ciphertext is computed as follows.

Instances with one block cipher invocation of type 1.

We show that any instance of the type 1 construction that makes only one block cipher invocation cannot achieve $BBB$ security. Let $E:{\left\{0,1\right\}}^{n}\times {\left\{0,1\right\}}^{n}\to {\left\{0,1\right\}}^{n}$ be a block cipher, shown in Figure 3. We show that there exists a distinguisher $D$ that can distinguish any such block cipher from a random permutation using at most ${2}^{n/2}$ queries.

● When ${a}_{1,1}=0$ and ${b}_{1,1}=1$.

In this case, we can see the input or output of $E$ is not related to $p$ or $c$. When ${b}_{1,2}=0$, then distinguisher $D$ selects arbitrary $p$ and ${p}^{\prime}$ to get $c$ and ${c}^{\prime}$. If the event $c={c}^{\prime}$ occurs, then output is 1; otherwise, it is 0. The success probability of $D$ is 1 when interacts with $1-{2}^{-n}$. The results are similar for ${b}_{2,3}=0$.

● When ${a}_{1,1}=0$ and ${b}_{1,1}=0$.

In this case, we can see the input or output of $E$ is independent of the key. When ${b}_{1,2}=1$, the distinguisher $D$ selects arbitrary ${x}_{1}$ and ${x}_{1}^{\prime}$ to get ${y}_{1}$ and ${y}_{1}^{\prime};$ then, it puts $p={b}_{1,2}^{-1}{x}_{1}$ and ${p}^{\prime}={b}_{1,2}^{-1}{x}_{1}^{\prime}$ to get $c$ and ${c}^{\prime}$. If the event occurs, then output is 1, otherwise 0.

The success probability of $D$ is 1 when interacts with $1-{2}^{-n}$. Similar is the case for ${b}_{2,1}=0$.

● When ${b}_{2,2}=0$.

In this case, there exists a distinguisher $D$, distinguishing the real world oracle $\left({E}_{k}^{\pm},{E}^{\pm}\right)$ from the ideal world oracle $\left({\pi}^{\pm},{E}^{\pm}\right)$ with some probability. The distinguisher $D$ makes ${2}^{n/2}$ queries and operates as follows. For $j=1,\dots ,{2}^{n/2}$, the distinguisher $D$ selects arbitrary ${p}^{\left(j\right)}$ to get ${c}^{\left(j\right)}$. If ${c}^{\left(j\right)}\ne {c}^{({j}^{\prime})}$ for all queries and its indices $j\ne {j}^{\prime}$, then output 1, otherwise output 0.

At the end of type 1 instances, we can conclude that the plaintext added in the first $XOR$ operation and the output value after the first invocation of the block cipher are included in the second block cipher invocation as a key that is a plaintext dependent variable, so the advantage of the adversary is at most around the birthday bound.

#### 3.1.2. Type 2 Instances

Following the construction limitations, set ${b}_{3,5}=1$. The plaintext $p$ should be involved in exactly one $XOR$ operation, so, ${b}_{1,2}=0$ and ${b}_{3,2}=0.$ We set ${b}_{2,3}=1,$ that is, the first block cipher invocation, and thus, we set ${b}_{3,4}=1,$ that is, second block cipher invocation. It also shows that ${x}_{1}$ and ${y}_{1}$ are not plaintext dependent variables. All of these simplified constructions of type 1 are depicted in Figure 4. Here, we examined the type 2 instances. For these instances, we computed ciphertext as follows.

The first block cipher invocation is ${y}_{1}=E\left({a}_{1,1}.k,{b}_{1,1}.k\right)$. Throughout all the instances of type 2, we call ${y}_{1}$ a subkey that is obtained from the secret key $k$ for those instances with $\left({a}_{1,1},{b}_{1,1}\right)\ne \left(0,0\right)$. However, the computation from $p$ to ${x}_{2}$ is ${x}_{2}=p\oplus {b}_{2,1}.k\oplus {b}_{2,3}.{y}_{1},$ so $\Delta {x}_{2}=\Delta p$ always holds, and likewise $\Delta {y}_{2}=\Delta c$. Moreover, for any plaintext and ciphertext pairs $\left(p,c\right)$ and $\left({p}^{\prime},{c}^{\prime}\right),$ the adversary knows the internal variable differences $\Delta {x}_{2}$ and $\Delta {y}_{2}$. Therefore, according to the above constraint, we can find some conditions on the type 2 instances to achieve $BBB$.

● When $\left({a}_{1,1},{b}_{1,1}\right)\ne \left(0,0\right)$.

If $\left({a}_{1,1},{b}_{1,1}\right)=\left(0,0\right),$ then it means ${y}_{1}=E\left(0,0\right)$. The adversary makes a query $\left(0,0\right)$ to $E\left(\cdot,\cdot\right)$ to get ${y}_{1},$ and the first block cipher invocation kicks off. Then, the instances are based on only a single block cipher invocation in the adversary's view. As we discussed in the previous sections, when $s<2$, the construction achieves security up to the birthday bound.

● When $\left({a}_{2,1},{a}_{2,2}\right)\ne \left(0,0\right)$.

If $\left({a}_{2,1},{a}_{2,2}\right)=\left(0,0\right),$ then adversary regards ${b}_{2,1}.k\oplus {b}_{2,3}.{y}_{1}$ and ${b}_{3,1}.k\oplus {b}_{3,3}.{y}_{1}$. So, the instance gives essentially one step of [42].

● When $\left({b}_{2,1},{b}_{2,3}\right)\ne \left(0,0\right)$.

If $\left({b}_{2,1},{b}_{2,3}\right)=\left(0,0\right),$ then $p={x}_{2}$, i.e., the adversary knows and can control the ${x}_{2}$ value. A distinguisher $D$ is launched and fixes two distinct $p$ and ${p}^{\prime}$. The distinguisher $D$ queries $\mathbb{E}{\left[2\right]}_{k}\left(\cdot,\cdot\right)$, gets ciphertexts $c$ and ${c}^{\prime}$, and stores $\left(c\oplus {c}^{\prime}\right)$. Then $D$ queries $E\left(\cdot,\cdot\right)$, receives $\omega $ and $\acute{\omega}$, respectively, and matches $\omega \oplus \acute{\omega}$ to the stored $c\oplus {c}^{\prime}$. The distinguisher $D$ recovers ${a}_{2,1}.k\oplus {a}_{2,2}.{y}_{1}.$ For any plaintext-ciphertext pairs $\left(p,c\right)$ and $\left({p}^{\prime},{c}^{\prime}\right),$ the distinguisher $D$ can compute $z$ (such that ${a}_{2,1}.k\oplus {a}_{2,2}.{y}_{1}=z$) and ${z}^{\prime}$ and query $\left(z,p\right)$ and $({z}^{\prime},{p}^{\prime})$ to $E\left(\cdot,\cdot\right),$ recovering ${y}_{2}$ and ${y}_{2}^{\prime}$, respectively. So, the output of distinguisher $D$ is 1 if $c\oplus {c}^{\prime}={y}_{2}\oplus {y}_{2}^{\prime}$; otherwise, the output is 0. When interacting with $\mathbb{E}\left[2\right],$ the output of distinguisher $D$ is 1 until it recovers ${a}_{2,1}.k\oplus {a}_{2,2}.{y}_{1}$. Thus, the success probability is $1-{\left(1-{2}^{-n}\right)}^{{2}^{n}}$.

● When $\left({b}_{3,1},{b}_{3,3}\right)\ne \left(0,0\right)$.

This case has an analysis similar to the one presented above, where the adversary knows and has control over the value of ${y}_{2}$, fixes the ciphertexts $c$ and ${c}^{\prime}$, and queries $\mathbb{E}{\left[2\right]}_{k}^{-1}\left(\cdot,\cdot\right)$.

● When $\left({b}_{2,1},{b}_{2,3}\right)\ne ({a}_{2,1},{a}_{2,2})$.

If $\left({b}_{2,1},{b}_{2,3}\right)=({a}_{2,1},{a}_{2,2}),$ it has $\left({b}_{2,1}.k\oplus {b}_{2,3}.{y}_{1}\right)=({a}_{2,1}.k\oplus {a}_{2,2}.{y}_{1})$, which is denoted by $g$, and ${x}_{2}\oplus {z}_{2}=g\oplus p\oplus g=p$. Thus, the adversary knows and can control ${x}_{2}\oplus z$. A distinguisher $D$ is launched, queries $\mathbb{E}{\left[2\right]}_{k}\left(\cdot,\cdot\right)$, receives $c$ and ${c}^{\prime}$, and stores $\left(c\oplus {c}^{\prime}\right)$. Moreover, $D$ sends distinct queries to $E\left(\cdot,\cdot\right)$, receives $\omega $ and $\acute{\omega}$, respectively, and stores $(\omega \oplus \acute{\omega})$. Then, it matches $(\omega \oplus \acute{\omega})$ and $\left(c\oplus {c}^{\prime}\right)$. $D$ can compute ${x}_{2}$ and $z$ for any plaintext-ciphertext pair and receive ${y}_{2}$ from $E\left(\cdot,\cdot\right)$. Moreover, the distinguisher $D$ just needs to make some extra queries. Thus, the success probability is trivially $1-{\left(1-{2}^{-n}\right)}^{{2}^{n}}$.

● When $\left({b}_{3,1},{b}_{3,3}\right)\ne ({a}_{2,1},{a}_{2,2})$.

This case also has an analysis similar to the one shown above.
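The following is an added example, not code from the paper: the distinguisher for the case $\left({b}_{2,1},{b}_{2,3}\right)=\left(0,0\right)$ above, run against a toy 16-bit instance in both the real and the ideal world. Assumptions: the hash-based Feistel `E`, coefficients restricted to 0/1, the ciphertext formula $c={y}_{2}\oplus {b}_{3,1}.k\oplus {b}_{3,3}.{y}_{1}$ inferred from the text, and exhaustive enumeration of $z$ (with three differences instead of one to suppress false matches at this small block size).

```python
import hashlib, random

N = 16                      # toy block and key size in bits (assumption)
HALF = N // 2

def E(key, x):
    """Toy 4-round Feistel standing in for the public ideal cipher E(key, x)."""
    l, r = x >> HALF, x & ((1 << HALF) - 1)
    for rnd in range(4):
        h = hashlib.sha256(bytes([rnd]) + key.to_bytes(2, "big") + bytes([r])).digest()
        l, r = r, l ^ h[0]
    return (l << HALF) | r

def make_real(k, a11=1, b11=1, a21=1, a22=1, b21=0, b23=0, b31=1, b33=1):
    """Type 2 construction, 0/1 coefficients; the default has (b21, b23) = (0, 0)."""
    y1 = E(a11 * k, b11 * k)                    # subkey from the first invocation
    z = (a21 * k) ^ (a22 * y1)                  # key of the second invocation
    def enc(p):
        x2 = p ^ (b21 * k) ^ (b23 * y1)         # equals p when b21 = b23 = 0
        return E(z, x2) ^ (b31 * k) ^ (b33 * y1)
    return enc, z

def make_ideal(seed):
    """Ideal world: a random permutation pi on N-bit blocks."""
    table = list(range(1 << N))
    random.Random(seed).shuffle(table)
    return table.__getitem__

def distinguisher(oracle, plaintexts=(0, 1, 2, 3)):
    """Return (1, z) if some z explains every ciphertext difference, else (0, None)."""
    p0, rest = plaintexts[0], plaintexts[1:]
    c0 = oracle(p0)
    deltas = [c0 ^ oracle(p) for p in rest]     # c xor c' cancels the output mask
    for z in range(1 << N):                     # offline queries to E(., .)
        w0 = E(z, p0)
        if all(w0 ^ E(z, p) == d for p, d in zip(rest, deltas)):
            return 1, z                         # omega xor omega' matched
    return 0, None

if __name__ == "__main__":
    enc, z = make_real(0xBEEF)                  # constructed sample key
    print("real :", distinguisher(enc), "true z =", z)
    print("ideal:", distinguisher(make_ideal(7)))
```

With `b21=1` passed to `make_real`, the same procedure finds no matching $z$, because $p$ no longer equals ${x}_{2}$.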

Putting all the above properties of type 2 instances together, we got 32 instances, denoted by $E1,E2,\dots ,E32$ and depicted in Figure 5. We investigated these constructions and found ${2}^{n}$ provable security. We used the H-Coefficient technique for the proof, which is discussed in Section 4.