Block Cipher in the Ideal Cipher Model: A Dedicated Permutation Modeled as a Black-Box Public Random Permutation

Designing secure constructions has long been a fascinating area for researchers in symmetric-key cryptography. This research aims to contribute to the design of a secure block cipher in the ideal cipher model, whose underlying primitive is a family of n-bit to n-bit random permutations indexed by a secret key. Our target construction of a secure block cipher, denoted E[s], is built on a simple XOR operation and two block cipher invocations, under the assumption that the block cipher in use is a pseudorandom permutation. One of these two block cipher invocations produces a subkey that is derived from the secret key. It has been accepted that at least two block cipher invocations with XOR operations are required to achieve beyond birthday bound security. In this paper, we investigated the E[s] instances with an advanced proof technique and found efficient block cipher constructions that bypass the birthday bound, achieving up to $2^n$ provable security. Our study provides new insights into block ciphers with beyond birthday bound security.


Introduction
A block cipher encryption design is called beyond birthday bound (BBB) secure if the proven upper bound on the adversarial advantage is meaningful even if an adversary can process more than $2^{n/2}$ data blocks, where n is the block size of the block cipher. Iwata first proposed a BBB encryption mode, cipher-based encryption (CENC) [1]. This was a nonce-based construction that provided a solution through the invocation of more than one block cipher and a simple XOR operation, and achieved $2^{2n/3}$ security against all nonce-respecting adversaries. Later on, Iwata proved the CENC construction based on the mirror theory technique [2], and achieved optimal security [3]. Bhattacharya and Nandi also gave the BBB security of CENC by analyzing the security bound of variable output length using the chi-squared method.

Pseudorandom Permutation and Pseudorandom Function with BBB
The conventional approach for designing cryptographic primitives based on a symmetric cipher is to have them behave as a perfectly random function. The vast majority of schemes, in this case encryption schemes [4], MAC encryption schemes [5,6], and authenticated encryption schemes [7], follow this paradigm via pseudorandom functions (PRF). Patarin suggested the construction of permutation sum and proved that a variant of single permutation is indistinguishable from a random function up to BBB [8]. In 2003, Patarin gave the result of $2^{2n/3}$ security [9], and in 2005 results up to this security bound were likewise achieved [10,11]. However, the PRF provides a solution for increasing the use of cryptography in real-world applications. The pseudorandom permutation (PRP) is the leading building block of cryptographic design in spite of the PRF [12][13][14][15]. If a block cipher is directly implemented as a PRF, which will have provable There are two independent permutations and it behaves like a random function up to $q^3/2^{2n}$ [36]. Afterward, Dai et al. [30] achieved $q^4/2^{3n}$ using the chi-squared method. Now, a novel construction, EDMD, improved the security up to $2^n/67n$ by using the mirror theory technique, which is almost optimal security [37].
Two independent keys are required for EDMD. The single key setting is significant for a higher security bound and efficient construction, and it is also the setting used in our construction. Anyways, this construction is secure up to $q/2^{2n/3}$. Cogliati and Seurin also extended the EDMD construction to one called Encrypted Wegman-Carter with Davies-Meyer (EWCDM), which is nonce-based and BBB secure.
where $H_K$ is a universal hash function, N denotes the nonce, and M denotes the message, which has an arbitrary length. The EWCDM achieved BBB security up to $2^{2n/3}$ MAC queries in the nonce-respecting setting. The use of internal state values of the EWCDM construction makes their security analysis formally inapplicable [37]. Mennink presented the rationale relying on the EWCDM function, and simplified versions of the conversion method applied to the Advanced Encryption Standard (AES) [38]. The main proposal of AES-PRF, the AES with a feed forward of the middle state, achieved almost no optimal security. This construction was applied to GCM and GCM-SIV, and how it entails significant security improvements was discussed. A little while back, Mennink presented a heuristic study on building BBB secure constructions from a public random permutation, showing that a single permutation call could not be BBB secure [39]. The above discussion shows what has been tackled for PRFs with BBB security, where the goal is to build a PRF that is indistinguishable from a truly random function. However, our study aimed to build a block cipher in the ideal cipher model, under the assumption that the block cipher is a PRP rather than a PRF, achieving full security. Moreover, the Sum of Even-Mansour (SoEM) construction achieves BBB security up to $2^{2n/3}$; it is built from two randomly drawn keys and two independent permutations, and if either the keys or the permutations are identical, then there is a birthday bound attack.

Our Construction
In this paper, we focused on a block cipher design based on a single key, which achieved BBB security up to $2^n$. The main motivation comes from scenarios where the block cipher only has a block size of 32-bit, 48-bit, or 64-bit [40]. The target construction of the block cipher depicted in Figure 1, defined as $E[s] : K \times P \to P$, consists of two block cipher invocations and an additional simple XOR operation. Furthermore, a heuristic approach is carried out to examine the instances of E[s] and, at last, the efficient constructions E1–E32 are successfully found. In detail, the first invocation of the block cipher produces a subkey y from the secret key k such that y = E(k, 0), y = E(0, k), and y = E(k, k). The second invocation of the block cipher encrypts the plaintext p and decrypts the ciphertext c, respectively, with a key k or k ⊕ y. However, we stress that the first block cipher invocation amounts to precomputing and storing the subkey y. Thus, our design only requires one invocation of a block cipher for encryption and decryption when the subkey y is precomputed and stored. We have designed this construction in the ideal cipher model, which has the main advantage of provable security up to $2^n$. The previously available block cipher constructions have maximum provable security up to $2^{2n/3}$. From the efficiency point of view, previous constructions required more than one key, s > 2 block cipher invocations [20,36], and universal hash function invocations; in the absence of these, their efficiency needed to be increased. A minimum number of block cipher invocations with a single key is good for efficiency. Our design requires just a single secret key and one block cipher invocation for encryption and decryption when the subkey is precomputed and stored.

Notations
$\{0,1\}^n$ denotes the set of bit strings of length n. We denote the bitwise addition by $a \oplus b$, where $a, b \in \{0,1\}^n$. $Y \leftarrow Z$ is the assignment of Z to the variable Y. $x \xleftarrow{\$} X$ denotes the uniform random selection of x from X. $|X|$ denotes the number of elements in X. Let $a \in \{0,1\}$ and $b \in \{0,1\}$; a.b denotes the multiplication of a and b: if a = 1, then it is equal to b, and if a = 0, then a.b equals 0. The block cipher is denoted as $E : K \times P \to P$, where P is the plaintext/message space and K is the key space. Throughout the paper, we have fixed $K = P = \{0,1\}^n$. Let $E(k, \cdot)$ and $E^{-1}(k, \cdot)$ denote the encryption and decryption, respectively, with a secret key $k \in K$. Let $E^{\pm}(k, \cdot)$ involve $E(k, \cdot)$ and $E^{-1}(k, \cdot)$. Sometimes, we denote $E(k, \cdot)$ as $E_k(\cdot)$, $E^{-1}(k, \cdot)$ as $E_k^{-1}(\cdot)$, and $E^{\pm}(k, \cdot)$ as $E_k(\cdot)$ and $E_k^{-1}(\cdot)$, respectively. (u, w) are the input and output tuple of E such that w = E(u). The input-output tuple of $E_k$ is denoted as (p, c) such that $E_k(p) = c$. Let Perm(n) denote the set of all permutations on $\{0,1\}^n$.

Security Definition
A computationally unbounded distinguisher D is an algorithm that has adaptive access to an oracle and outputs a bit 0 or 1. Let the two oracles $O_1$ and $O_2$ have the same interface; we can get the distinguishing advantage of D as follows.
A block cipher with a key space K and message space P is a mapping $E : K \times P \to P$ such that for all keys $k \in K$, E(K, P) is a permutation over P. We write $E_k(P)$ for E(K, P). The distinguisher D is The $E^{\pm}$ is an underlying block cipher. The advantage of distinguisher D in distinguishing E and π is defined as
$\mathrm{Adv}^{\mathrm{prp}}_{E}(D) = \Pr\left[D^{E_k^{\pm}(\cdot,\cdot),\,E^{\pm}(\cdot,\cdot)} \Rightarrow 1\right] - \Pr\left[D^{\pi^{\pm}(\cdot,\cdot),\,E^{\pm}(\cdot,\cdot)} \Rightarrow 1\right]$
Throughout this paper, we consider the information-theoretic setting, with computationally unbounded distinguishers D solely limited by the number of queries to the oracle. Overall, the maximum is taken over distinguishers D that make at most q queries to their oracles.

H-Coefficient Technique
Central to our proof is the H-Coefficient technique presented by Patarin [8,41]. As mentioned above, we consider the information-theoretic setting, with a computationally unbounded distinguisher D. Thus, we always assume that distinguisher D is deterministic without loss of generality. Let distinguisher D interact with $O_1$ and $O_2$. The interactions of D with its oracles are recorded in a view v. $X_{O_2}$ is the probability distribution of v when distinguisher D interacts with $O_2$. The V is the set of all technique states as follows: Let $0 \le \varepsilon \le 1$. Consider a partition $V = V_{\mathrm{good}} \cup V_{\mathrm{bad}}$ of the set of attainable views such that: Then, the distinguishing advantage satisfies The core idea of the H-coefficient technique is: a large number of views are almost equally likely in both oracles (the real world and the ideal world), and the odd ones occur with a small probability.
Note that the partitioning of V into bad and good views is directly reflected in the terms $\Pr[X_{O_2} \in V_{\mathrm{bad}}]$ and ε in the bound: if $V_{\mathrm{good}}$ is too large, ε will become large, whereas if $V_{\mathrm{bad}}$ is too large, $\Pr[X_{O_2} \in V_{\mathrm{bad}}]$ will become large.

Construction Limitations
In this section, we discuss the construction limitations of a secure block cipher in the ideal cipher model, which is built on dedicated block cipher invocations and a simple XOR operation. The XOR operation has efficiency benefits. The target construction is denoted as E[s] and is built on s block cipher invocations. Let E denote the underlying block cipher with n-bit block size and n-bit key size. Let p, c, and k denote the plaintext, ciphertext, and key, respectively, all of n-bit size. Let $a_{i,j}$ and $b_{i,j}$ be one-bit variables taking the value 0 or 1, where $1 \le i \le s + 1$ and $1 \le j \le i + 2$. The encryption of E[s] is shown in Algorithm 1. The target construction E[s] is depicted in Figure 1. In detail, this is a graphical view from which we would acquire the resultant block cipher construction. Moreover, all the s block cipher invocations are involved in the computation of the ciphertext c. The ciphertext c must be invertible and efficiently decrypted from plaintext p and key k. There are some limitations for E[s] to achieve our goal:

• The plaintext p should be involved in exactly one XOR operation. The XOR operation that p is involved in gives $x_i$ and the corresponding $y_i$. So, both outputs ($x_i$ and $y_i$) are called plaintext dependent variables. On the other side, if a variable $y_i$ is used to compute another variable $x_j$, which then depends on $y_i$, then $x_j$ and the corresponding $y_j$ would also be plaintext dependent variables. So, we cannot use a plaintext dependent variable to produce any key or subkey; otherwise, constructions will not be efficient.
• There should be at most one plaintext dependent variable produced from the XOR operation. Otherwise, the decryption process cannot efficiently decrypt because there is more than one variable.

If we summarize and satisfy the above limitations, then E[s] can be an efficient block cipher construction. Moreover, an additional condition is also necessary for efficiency and security. Our first goal is to achieve full ($2^n$) provable security. The target construction is important to achieve the goal. Nowadays, the AES and SIMON block ciphers are utilized in various applications with different block sizes, such as 128-bit and 64-bit. In some environments, the block size of lightweight block ciphers can be even shorter. Thus, a block cipher construction with only birthday bound security may not be suitable for various applications. Therefore, another construction which provides higher security is definitely necessary. Particularly, for application design, a block cipher with full security is surely an interesting research topic. Our second goal is efficiency: we invoke two block ciphers because the minimum number of block cipher invocations is what matters for high efficiency. It is well known that block cipher invocations are much more time consuming than the XOR operation. So, the efficiency reduces with the number of block cipher invocations. But, besides this, we aimed to achieve perfect efficiency under the condition of no security sacrifices, i.e., eliminating the unnecessary input variables. In fact, this is also a reason for our target construction having a simple XOR operation and only necessary input variables. Algorithm 1 is shown as follows:
Input: k, p, E(·, ·), variables $a_{i,j}$ and $b_{i,j}$
Output: ciphertext
In order to achieve the above goals among the instances of the target construction, we adopted a heuristic approach. For the instances of E[s], we invoked only two block ciphers to achieve $2^n$ provable security because instances of E[s] with s = 1 had at most $2^{n/2}$ security. Thus, at least two block cipher invocations are required to bypass the birthday bound barrier.
We continued to examine the instances of E[2] and would not analyze the E[s > 2] instances unless we had investigated all the instances of E[2] and none of them achieved $2^n$ security. In fact, if some instances of E[2] achieve $2^n$ security, then there is no need to examine the other instances of E[2]. To follow the above strategy, we analyzed the target construction E[s] and found 32 instances with $2^n$ provable security.

E[2] Instances
According to the previous discussion, the plaintext p should be involved in exactly one XOR operation. There should be, at most, one plaintext dependent variable produced from the XOR operation. Otherwise, the decryption process cannot efficiently decrypt because there exists more than one variable. The plaintext dependent variable cannot be used to produce any key-value; otherwise, constructions will not be efficient. Following this strategy, we divided the E[2] instances into three types on the basis of when plaintext p is XORed to compute $x_i$ and c, respectively.
• Type 1 instances: when p is XORed to compute $x_1$
• Type 2 instances: when p is XORed to compute $x_2$
• Type 3 instances: when p is XORed to compute c

Type 1 Instances
According to the above limitation, the plaintext dependent variables cannot be used to produce a key value, so $a_{2,2} = 0$. The plaintext p should be involved in exactly one XOR operation, so $b_{2,2} = 0$ and $b_{3,2} = 0$. We set $b_{2,3} = 1$, which is the first block cipher invocation, and set $b_{3,4} = 1$, which is the second block cipher invocation. If $b_{2,3} = 0$, it means the two block cipher invocations are parallel, and these instances are involved in type 2. It also shows that $x_2$ and $y_2$ are plaintext variables. Then, we set $b_{3,3} = 0$ because $y_2$ is already used as a plaintext dependent variable. All of these simplified constructions of type 1 are shown in Figure 2. We examined the instances of type 1, and ciphertext is computed as follows.

$c = E(a_{2,1}.k, x_2) \oplus b_{3,1}.k$
Instances with one block cipher invocation of type 1. We would show that any instance that makes only one block cipher invocation of type 1 construction could not achieve BBB security. Let $E : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher, shown in Figure 3. We showed that there exists a distinguisher D that can distinguish any such block cipher from a random permutation using at most $2^{n/2}$ queries.
In this case, we can see the input or output of E is not related to p or c. When $b_{1,2} = 0$, then distinguisher D selects arbitrary p and p′ to get c and c′. If the event c = c′ occurs, then output is 1; otherwise, it is 0. The success probability of D is 1 when interacts with $1 - 2^{-n}$. The results are similar for $b_{2,3} = 0$.
• When $a_{1,1} = 0$ and $b_{1,1} = 0$.
In this case, we can see the input or output of E is independent of the key. When $b_{1,2} = 1$, the distinguisher D selects arbitrary $x_1$ and $x_1'$ to get $y_1$ and $y_1'$; then, it puts $p = b_{1,2}^{-1} x_1$ and $p' = b_{1,2}^{-1} x_1'$ to get c and c′. If the event occurs, then output is 1, otherwise 0.
The success probability of D is 1 when interacts with $1 - 2^{-n}$. Similar is the case for $b_{2,1} = 0$.
In this case, there exists a distinguisher D, distinguishing the real world oracle $(E_k^{\pm}, E^{\pm})$ from the ideal world oracle $(\pi^{\pm}, E^{\pm})$ with some probability. The distinguisher D makes $2^{n/2}$ queries and operates as follows. For $j = 1, \ldots, 2^{n/2}$, the distinguisher D selects arbitrary $p^{(j)}$ to get $c^{(j)}$. If $c^{(j)} \neq c^{(j')}$ for all queries and their indices $j \neq j'$, then output 1, otherwise output 0.
At the end of type 1 instances, we can conclude that the plaintext added in the first XOR operation and the output value after the first invocation of block cipher are included in the second block cipher invocation as a key that is a plaintext dependent variable, so the advantage of the adversary is at most around the birthday bound.

Type 2 Instances
Following the construction limitations, set $b_{3,5} = 1$. The plaintext p should be involved in exactly one XOR operation, so $b_{1,2} = 0$ and $b_{3,2} = 0$. We set $b_{2,3} = 1$, that is, the first block cipher invocation, and thus, we set $b_{3,4} = 1$, that is, the second block cipher invocation. It also shows that $x_1$ and $y_1$ are not plaintext dependent variables. All of these simplified constructions of type 1 are depicted in Figure 4. Here, we examined the type 2 instances. For these instances, we computed ciphertext as follows.
The first block cipher invocation is $y_1 = E(a_{1,1}.k, b_{1,1}.k)$. If $(a_{1,1}, b_{1,1}) = (0, 0)$, then it means $y_1 = E(0, 0)$. The adversary makes a query (0, 0) to E(·, ·) to get $y_1$, and the first block cipher invocation kicks off. Then, the instances are based on only a single block cipher invocation in the adversary's view. As we discussed in the previous sections, when s < 2, the construction achieves security up to the birthday bound. Throughout all the instances of type 2, we call $y_1$ a subkey that is obtained from the secret key k for those instances with $(a_{1,1}, b_{1,1}) \neq (0, 0)$. However, the computation from p to $x_2$ is $x_2 = p \oplus b_{2,1}.k \oplus b_{2,3}.y_1$, and $\Delta x_2 = \Delta p$ always holds and $\Delta y_2 = \Delta c$, respectively. Moreover, for any plaintext and ciphertext pairs (p, c) and (p′, c′), the adversary knows the internal variable differences $\Delta x_2$ and $\Delta y_2$. Therefore, according to the above constraint, we can find some conditions on the type 2 instances to achieve BBB.
• When $(b_{3,1}, b_{3,3}) \neq (a_{2,1}, a_{2,2})$. This also has a similar analysis to the one shown above.
Putting all the above properties of type 2 instances together, we got 32 instances, denoted by E1, E2, . . . , E32 and depicted in Figure 5. We investigated these constructions and found $2^n$ provable security. We used the H-Coefficient technique for the proof, which is discussed in Section 4.

Type 3 Instances
When p is XORed to compute c, then $b_{3,2}.p = 1$, $b_{1,2}.p = 0$, and $b_{2,2}.p = 0$. The constructions of type 3 are depicted in Figure 6. In this construction, it could be seen that p and c are linearly related, and distinguisher D can distinguish by only two queries to $E[2]_k(\cdot, \cdot)$ with distinct plaintexts p and p ⊕ ∆, verifying ∆c = ∆. Hence, the discussion of type 3 instances is omitted here.
Figure 5. The E1, E2, … , E32 efficient construction: the internal variable is referred to as a subkey for these constructions.
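The following Python sketch is an added example, not code from the paper. It models the ideal cipher with a toy 8-bit table of random permutations, builds a type 2 style instance (subkey y precomputed once, second call keyed with k ⊕ y) and a type 3 style instance, and runs the two-query ∆c = ∆ check on both. The names ToyIdealCipher, Type2Instance and Type3Instance, the 8-bit size and the specific coefficient choices are assumptions made for illustration and do not correspond to a numbered E1–E32 instance.

```python
import random

N_BITS = 8                  # toy block and key size n, small enough to enumerate
SIZE = 1 << N_BITS
# Subkey derivations listed in the text, as (key input, block input) of E.
SUBKEY_MODES = {"E(k,0)": lambda k: (k, 0),
                "E(0,k)": lambda k: (0, k),
                "E(k,k)": lambda k: (k, k)}


class ToyIdealCipher:
    """Stand-in for the ideal cipher: one independent random permutation per key.

    Built on the non-cryptographic `random` module on purpose: this is a model
    for experiments, not an encryption primitive.
    """

    def __init__(self, seed):
        self._seed = seed
        self._tables = {}       # key -> (permutation, inverse permutation)
        self.calls = 0          # block cipher invocations made so far

    def _perm(self, key):
        if key not in self._tables:
            fwd = list(range(SIZE))
            random.Random(self._seed * SIZE + key).shuffle(fwd)
            inv = [0] * SIZE
            for x, y in enumerate(fwd):
                inv[y] = x
            self._tables[key] = (fwd, inv)
        return self._tables[key]

    def enc(self, key, block):
        self.calls += 1
        return self._perm(key)[0][block]

    def dec(self, key, block):
        self.calls += 1
        return self._perm(key)[1][block]


class Type2Instance:
    """Assumed coefficient choice: y = subkey(k), c = E(k ^ y, p)."""

    def __init__(self, cipher, k, mode="E(k,0)"):
        self.cipher = cipher
        y = cipher.enc(*SUBKEY_MODES[mode](k))   # first invocation, done once
        self.round_key = k ^ y                   # stored for every later block

    def encrypt(self, p):
        return self.cipher.enc(self.round_key, p)

    def decrypt(self, c):
        return self.cipher.dec(self.round_key, c)


class Type3Instance:
    """Assumed coefficient choice: p enters only the last XOR, c = E(k, y) ^ p."""

    def __init__(self, cipher, k):
        y = cipher.enc(k, 0)
        self.mask = cipher.enc(k, y)             # depends on the key only

    def encrypt(self, p):
        return self.mask ^ p


def delta_check(encrypt, p, delta):
    """The two-query test from the text: is delta_c equal to delta?"""
    return (encrypt(p) ^ encrypt(p ^ delta)) == delta


def accept_rate(encrypt, p=0):
    """Fraction of the non-zero differences for which delta_check holds."""
    return sum(delta_check(encrypt, p, d) for d in range(1, SIZE)) / (SIZE - 1)


def demo(seed=2024, k=0x5A):
    cipher = ToyIdealCipher(seed)
    instances = [Type2Instance(cipher, k, m) for m in SUBKEY_MODES]
    start = cipher.calls
    roundtrip = all(t.decrypt(t.encrypt(p)) == p
                    for t in instances for p in range(SIZE))
    calls_per_block = (cipher.calls - start) / (2 * SIZE * len(instances))
    type3 = Type3Instance(cipher, k)
    return (roundtrip, calls_per_block,
            accept_rate(type3.encrypt), accept_rate(instances[0].encrypt))


if __name__ == "__main__":
    print(demo())
```

With the subkey stored, each encryption or decryption costs one block cipher call, and the ∆c = ∆ check holds for every difference on the type 3 instance while it almost never holds on the type 2 instance.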

The distinguisher D is computationally unbounded and deterministic, making q queries when interacting with $O_1$ and $O_2$. We define the distinguisher's queries to $O_1$ and $O_2$ as $q_1$ and $q_2$, respectively: $q = q_1 + q_2$, and they do not contain duplicate queries. When distinguisher D interacts with $O_1$ and $O_2$, the query responses are $v_1 = (p_1, c_1), \ldots, (p_{q_1}, c_{q_1})$ and $v_2 = (u_1, w_1), \ldots, (u_{q_2}, w_{q_2})$, respectively.
The v is the view denoting the transcripts, and in the end, the distinguisher D obtains a view $v = (v_1, v_2)$. The distinguisher D, based on v, computes its decision bit. Accordingly, the decision bit probability distribution of distinguisher D relies on the probability distribution of v. X and Y are the probability distributions on v when D interacts with $(E_k^{\pm}(\cdot,\cdot), E^{\pm}(\cdot,\cdot))$ and $(\pi^{\pm}(\cdot,\cdot), E^{\pm}(\cdot,\cdot))$, respectively. We used V as an attainable view when D interacts with $O_1$, which is The main goal of the proof is to disclose the subkey y and secret key k after interacting with $O_1$ and $O_2$.
The distinguisher D can easily derive the query response (u, w) of the $E^{\pm}(\cdot,\cdot)$ invocations for each query response $(p_i, c_i)$ in view $v_1$. The query responses of a block cipher E for each view $v = (v_1, v_2) \in V$ are divided into three tables. The first one consists of a single query response of block cipher E:

$\Pr[Y \in V_{\mathrm{bad}}]$
According to our construction, we give here the exact definition of $V_{\mathrm{bad}}$, which also determines $V_{\mathrm{good}}$. $V_{\mathrm{good}}$ does not cause a bad event. Here, we define the $V_{\mathrm{bad}}$ of E1 only, due to limited space. At least one event defines $V_{\mathrm{bad}}$ if it exists.
The subkey y and secret k are uniformly selected at random from a set of size at least $2^n - q - 1$. We get $\Pr[(a)] \le q/(2^n - q - 1)$;

Ratio for V good
First of all, $\Pr[X = v]$. X is a random variable that is defined on the probability space of all possible underlying block ciphers E and all possible secret keys k. The probability space of X is denoted as $\mathrm{all}_X$. Correspondingly, $|\mathrm{all}_X|$ is equal to $2^n (2^n!)^{2^n}$. In $\mathrm{all}_X$, an element π is said to be compatible with v if π gives exactly the same responses for all queries. $\mathrm{comp}_X(v)$ is defined as all the elements in $\mathrm{all}_X$ compatible with v.
Similarly, Y is defined on the probability space of E1, underlying block cipher E, and key k. On defining $\mathrm{comp}_X(v)$ and $\mathrm{all}_Y$, respectively, we have $|\mathrm{all}_Y|$ is $2^n (2^n!)^{2^n} (2^n!)^{2^n}$, that is, the number of keys times the number of block ciphers. We next computed $\mathrm{comp}_X(v)$ and $\mathrm{comp}_Y(v)$. We knew that the view v contains the key k value, that is, at the end of the interaction, it is disclosed to distinguisher D. A set of input-outputs of the underlying block cipher E is derived and separately stored in tables $T_1$, $T_2$, and $T_3$. The number of input-outputs of E with the key value i is denoted as $\alpha_i$ and $\beta_i$ in $T_2$ and $T_3$, respectively, where $0 \le i \le 2^n - 1$. $\gamma_i$ denotes the number of queries to $O_1$ with key value. There is no collision between any two tables, so v is good. Secondly, the distinguisher D never makes duplicate queries. Therefore, all the inputs and outputs of E in $T_1$, $T_2$, and $T_3$ are distinct, showing that $\gamma_i = \alpha_i$. The query response $(u_1^1, w_1^1)$ of E in $T_1$ has $u_1^1 = k$ or $u_1^1 = 0$ (E1 to E20 have $u_1^1 = k$ and the others $u_1^1 = 0$). On assuming $u_1^1 = k$, we got We can compute Finally, we can compute (2 n !) 2 n × 2 n (2 n !) 2 n (2 n !) 2 n 2 n (2 n !) 2 n = 1 Thus, it gives a ratio for V good = 0 Combining both 4.

Conflicts of Interest:
The authors declare no conflict of interest.