3.1.1. Type 1 Instances
According to the above limitation, the cannot be used to produce key value, so, . The plaintext should be involved in exactly one XOR operation, so, and . We set , which is the first block cipher invocation, and set which is the second block cipher invocation. If , it means the two block cipher invocations are parallel, and these instances belong to type 2. It also shows that and are plaintext variables. Then, we set because is already used as a plaintext-dependent variable. All of these simplified constructions of type 1 are shown in Figure 2. We examined the instances of type 1, and the ciphertext is computed as follows.
Instances with one block cipher invocation of type 1.
We show that any instance of the type 1 construction that makes only one block cipher invocation cannot achieve security. Let be a block cipher, shown in Figure 3. We show that there exists a distinguisher that can distinguish any such block cipher from using at most queries.
● When and .
In this case, we can see the input or output of is not related to or . When , the distinguisher selects arbitrary and to get and . If the event occurs, then the output is 1; otherwise, it is 0. The success probability of is 1 when interacts with . The results are similar for .
● When and .
In this case, we can see the input or output of is independent of the key. When , the distinguisher selects arbitrary and to get and , then it puts and to get and . If the event occurs, then the output is 1; otherwise, it is 0.
The success probability of is 1 when interacts with . Similar is the case for .
● When .
In this case, there exists a distinguisher , distinguishing the oracle from the ideal world oracle with some probability. The distinguisher makes queries and operates as follows. For , the distinguisher selects arbitrary to get . If for all queries and its indices , then output 1, otherwise output 0.
At the end of the type 1 instances, we can conclude that the plaintext added in the first operation and the output value after the first invocation of the block cipher are included in the second block cipher invocation as a key that is a , so the advantage of the adversary is at most around the birthday bound.
3.1.2. Type 2 Instances
Following the construction limitations, set . The plaintext should be involved in exactly one operation, so, and . We set , that is, the first block cipher invocation, and thus, we set , that is, the second block cipher invocation. It also shows that and are not plaintext-dependent variables. All of these simplified constructions of type 1 are depicted in Figure 4. Here, we examined the type 2 instances. For these instances, we computed the ciphertext as follows.
The first block cipher invocation is . Throughout all the instances of type 2, we call as a subkey that is obtained from the secret key for those instances with . However, the computation from to is and always holds and respectively. Moreover, for any plaintext and ciphertext pair and the adversary knows the internal variable differences and . Therefore, according to the above constraint, we can find some conditions on the type 2 instances to achieve .
● When .
If then it means . The adversary makes a query to to get and the first block cipher invocation kicks off. Then, the instances are based on only a single block cipher invocation in the adversary's view. As we discussed in the previous sections, when , the construction achieves security up to the birthday bound.
● When .
If then the adversary regards and . So, the instance gives essentially one step of [42].
● When .
If then , i.e., the adversary knows and can control the value. A distinguisher is launched and fixes two distinct and . The distinguisher queries to and gets ciphertext and and stores respectively. The makes a query for and receives and , respectively, and matches to stored . The distinguisher recovers . For any plaintext-ciphertext pair and the distinguisher can compute (such that ) and and query and to recover and , respectively. So, the output of the distinguisher is 1 if ; otherwise, it is 0. When interacting with then the output of the distinguisher is 1 until it recovers . Thus, the success probability is .
● When .
This case has an analysis similar to the one presented above, where the adversary knows and has control over the value of , fixes the ciphertext and , and queries to .
● When .
If it has , which is denoted by and . Thus, the adversary knows and can control . A distinguisher is launched and makes queries to and receives and and stores respectively. Moreover, sends distinct queries to and receives and respectively, and stores . Then, it matches and . The can compute and for any plaintext-ciphertext and receive from . Moreover, the distinguisher just needs to make some extra queries. Thus, the success probability is trivially .
● When .
This case also has an analysis similar to the one shown above.
Putting all the above properties of type 2 instances together, we got 32 instances, denoted by and depicted in Figure 5. We investigated these constructions and found provable security. We used the H-Coefficient technique for the proof, which is discussed in Section 4.