Welcome to my talk, the t-wise independence of substitution-permutation networks. I am Tianren. This is a joint work with Stefano and Vinod.

A central problem in crypto is to construct random-looking keyed permutations. Tons of works are targeting this problem. Among these works, there is a well-known but not so well-defined gap between theory and practice. The theory work calls this object a pseudorandom permutation, and focuses on security based on well-studied assumptions. The practice work calls this object a block cipher. They are okay with heuristic security; the first priority is being super efficient. It's not that theory work doesn't care about efficiency or that practical work doesn't care about proofs. Just as we all know, this gap exists, and it seems very hard to bridge it.

In the literature, we already have provably secure PRPs based on one-way functions, factoring, or lattice problems. Unfortunately, none of them is fast enough to be practical. In practice, people use much more efficient block ciphers such as AES. Of course, everyone wants to understand whether AES is secure. From the theory perspective, we want to base AES on hardness assumptions. But we don't know how to do it. We don't even have a candidate assumption. Many theory works then try to argue the security of AES or similar ciphers in some idealized models. But still, these works are not analyzing the actual block ciphers.

When we are stuck proving security against arbitrary attacks, the next best thing we can hope for is to identify classes of attacks and to prove they cannot succeed with good probability. To show this in a picture, the community has already identified many classes of attacks. Previous work shows AES can resist certain classes of attacks to some extent. In this paper, we promote the study of t-wise independence, which is a desired property of block ciphers. When t equals 2, it already implies resistance to several known attacks, including linear and differential attacks.
Larger t implies resistance to more attacks. t-wise independence is a very natural property: for any t inputs, the corresponding t outputs should be i.i.d. uniform. To use a relaxed form, the corresponding t outputs should be epsilon-close to uniform in statistical distance. For feasibility, the key length has to be at least t times the output length. This requirement can be ensured by the standard assumption of independent round keys, which is assumed in almost every work in the field.

From the theory perspective, t-wise independence means security against an unbounded adversary who makes at most t queries. Notice that linear and differential attacks rely on correlations within two queries. So in some sense, these attacks are captured by an adversary that makes only two queries. Similarly, degree-d differential attacks can be captured by an adversary that makes only 2^d queries. Therefore, t-wise independence implies resistance to all these attacks, and to any attack that relies on correlations among a few queries. Quantitatively, one can tie the closeness to 2-wise independence to resistance against linear and differential attacks.

Now, I'm going to give a brief overview of the cipher designs KAC and SPN and the concrete cipher AES. I guess they are familiar to most of the audience. To encrypt an input using KAC, first XOR it with a round key. Then apply a fixed and public permutation. Then repeat this process. This is called a round; repeat the round many times to get the output. SPN is a special case of KAC. It also tells you how to construct this fixed permutation. First, divide the input into a few small blocks. Apply a small permutation called an S-box to every block. Then mix the outputs using a linear function. Both operations are very efficient. The S-box can be complicated, but it's only over a small domain. The linear function is over a large domain, but it's very simple. AES is a special case of SPN.
The block is 8 bits long, and the S-box is the inverse function. Here I ignore some technical details that are not important for understanding.

So, r-round KAC has r+1 round keys. Actually, it's also true for SPN or AES. Therefore it cannot be (r+2)-wise independent, due to the length of the randomness. Our positive result almost matches this bound. We show that r-round KAC is close to slightly-less-than-r-wise independent. This is an existential result, and it's proved by a probabilistic method. I would like to emphasize here the difference between our result and the ideal-model results. In ideal-model results, pi is typically modeled as a random permutation to which the adversary only has oracle access. While in our result, pi is public, and it's completely known to the adversary. This is our result for KAC.

For SPN, say there are k blocks, each b bits long. We consider the S-box being inverse, which is used by AES, or cube, which is used by MiMC. For these S-boxes, we show 2-round SPN is close to 2-wise independent and 3-round SPN is even closer to 2-wise independent. We also show 6-round AES, the actual AES, with no idealization at all, is 0.472-close to 2-wise independent. Compare this with previous work. The state of the art, PSSL, shows 4-round AES is point-wise close to 2-wise independent. Our result doesn't imply PSSL because they are considering a stronger notion of closeness, and PSSL doesn't imply our result because our bound is much tighter. Because our bound is tight enough, in particular because it's smaller than a half, it can be amplified: by increasing the number of rounds, AES will be exponentially close to 2-wise independent. So these are our results.

In the rest of the talk, I'm going to give a technical overview of our proof. For KAC, we show r-round KAC is close to slightly-less-than-r-wise independent. We prove it by induction. Say we have something that is t-wise independent. What if we compose it with one round of KAC?
The composition will be close to (t+1)-wise independent. We call this the independence amplification lemma, and we prove it using a probabilistic argument. Here we see the notion of point-wise closeness again. It means that the t outputs should be close to uniform not only in L1 distance, but also in L-infinity distance. That is, their probability mass function should be close to uniform on every point. Because this notion is stronger, it's meaningful even if epsilon is much larger than 1, which is the case we consider. In our extraction lemma, the condition of F being t-wise independent can be relaxed to F being close to t-wise independent. The resulting distance will increase proportionally.

The independence amplification lemma already implies something interesting. 0-round KAC, which is a one-time pad, is 1-wise independent. Then, by repeatedly applying independence amplification, r-round KAC is somewhat close to (r+1)-wise independent. The distance is huge, but this is already a non-trivial result.

This can be complemented by another lemma we call the distance amplification lemma, which is also proved by a probabilistic method. Say F is very close to t-wise independent, and it's somewhat close to (t+1)-wise independent. Then adding one more round will make it very close to (t+1)-wise independent.

Okay, now we are ready to prove our KAC result. It's a two-dimensional induction, as shown in the table. The base case is 1-wise independence: any-round KAC is 1-wise independent. Applying the independence amplification lemma, r-round KAC is somewhat close to (r+1)-wise independent. Then apply the distance amplification lemma: by adding a few more rounds, somewhat close will become very close. This concludes the proof.

Next, I'm going to show how SPN and AES are close to 2-wise independent. Because this involves only two inputs, a nice observation is that only the difference matters here. What does that mean? Let me open up the SPN a bit.
Feed two inputs into the SPN. After XORing the first round key, the only remaining information is their difference. Okay, similarly for the output, we care about the distribution of the two outputs. The joint distribution of the two outputs is close to uniform if and only if the difference is close to uniform. So we only need to care about the difference.

In SPN, the S-box is the only non-linear operation. We need to understand how it maps an input difference to an output difference. Formally speaking, given two inputs with difference delta, what is the distribution of the output difference? We start with the case when the S-box is inverse or cube. For these S-boxes, the output difference is a random vector orthogonal to the input difference. So in the picture, we can replace the S-box with a process that samples from the orthogonal subspace. This might sound too good to be true, and it's actually not exactly true. But almost. One exception is when delta equals zero. Input difference zero means the inputs are the same, and in such a case the outputs must also be the same. I also ignore some other technical details in the picture. These details are not important for the proof. You can find them in the paper, but please ignore them for now.

Say we feed a non-zero input difference to the subspace sampling process. Then the output must have high min-entropy. The output difference will affect the next round's input difference. So what if the input difference has high entropy? We are in the next round now. As we prove in what we call the extraction lemma, in such a case the output difference is close to uniform. We prove it by Fourier analysis, and we later found an alternative proof using elementary methods. This can be generalized to consider multiple blocks together. As long as each input block has high entropy, the joint distribution of the output blocks is close to uniform. The most important bit here is that the input differences don't have to be independent. They can have arbitrary correlations.
For example, they can all be equal. We only require the marginal distributions to have high entropy. We also have a stronger extraction lemma. It says that if every subset of input blocks has high min-entropy, again with any correlation allowed, then the output will be very close to uniform. Quantitatively, the improvement is exponential in k.

Now we are ready to show the main result. So here is an SPN. As we just discussed, all the S-boxes can be replaced by subspace sampling. The input difference is non-zero somewhere. The subspace sampling gives you high entropy. The linear function will propagate the entropy to all blocks. Here the star means the linear function has to satisfy a property that all of its coefficients are non-zero. In particular, this is not satisfied by AES. But let's say the entropy is propagated to all blocks. Then we can apply the extraction lemma, as the condition is satisfied. Remember, the only thing we need is that each input block individually has high entropy. Therefore, two rounds of SPN is close to 2-wise independent.

To show a tighter bound, let's go back one step. The delta_2 column all has high min-entropy, which means with high probability they are all non-zero. Then subspace sampling gives you high entropy, independently on each block. You can think of the delta_2' column as all independent. This is not exactly true, but it can be formalized. Then after the last linear mixing, it's not hard to show that every subset of the delta_3 column has high entropy. Here, we only require the linear function to be invertible. Now the condition of the strong extraction lemma is satisfied. Again, this is all we need: every subset has high entropy, and there can be any correlation. Therefore, we show three-round SPN is very close to 2-wise independent. Similarly, by getting our hands dirty, we can prove six-round AES is close to 2-wise independent.
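As an added illustration that is not part of the talk, the following Python check tabulates, for the 8-bit inverse S-box, the distribution of the output difference for a given input difference, its min-entropy, and one concrete reading of the "orthogonal" statement above (every attainable output difference d satisfies Tr(delta^-1 * d^-1) = 0 under the field trace, which is my own derivation, not the speakers'). It assumes the S-box is inversion in AES's field GF(2^8) with the reduction polynomial x^8 + x^4 + x^3 + x + 1, and the usual convention that 0 maps to 0.

```python
from collections import Counter
from math import log2

AES_POLY = 0x11B  # assumption: AES's GF(2^8), x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo AES_POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a):
    """Inverse S-box a -> a^(2^8 - 2); the usual cipher convention sends 0 to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

SBOX = [gf_inv(x) for x in range(256)]

def gf_trace(a):
    """Absolute trace a + a^2 + a^4 + ... + a^128, an element of {0, 1}."""
    t, p = 0, a
    for _ in range(8):
        t ^= p
        p = gf_mul(p, p)
    return t

def output_difference_distribution(delta):
    """Row of the DDT: distribution of S(x) xor S(x xor delta) over uniform x."""
    return Counter(SBOX[x] ^ SBOX[x ^ delta] for x in range(256))

def min_entropy_bits(dist):
    """Min-entropy -log2(max probability) of a DDT row (256 equally likely x)."""
    return -log2(max(dist.values()) / 256)

def orthogonal_under_trace(delta):
    """Every attainable output difference d has Tr(delta^-1 * d^-1) = 0 (my derivation)."""
    return all(gf_trace(gf_mul(gf_inv(delta), gf_inv(d))) == 0
               for d in output_difference_distribution(delta))
```

For every non-zero delta the row has 127 distinct output differences, each hit 2 or 4 times, so the output difference has 6 bits of min-entropy; for delta = 0 the row collapses to the single value 0, which is the exception mentioned in the talk.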
Remember, we also have the almost tight result for KAC. Here is all we proved.

Let me finish the talk with the summary slide. t-wise independence has a really rich body of problems, we find, and we only touched the surface. For example, independence amplification is something we don't find in previous work. Can you show 3-wise independence of some existing concrete cipher? Of course, our result is existential, so you probably need some brand-new technique. Key scheduling: we, and almost every work in the field, assume independent round keys. That is also the only idealization we use. Is it possible to say something meaningful while taking the key scheduling into account? Okay. The relationship between t-wise independence and other attacks: t-wise independence might imply resistance to more attacks. On the other hand, when you're looking for attacks on AES, you should probably avoid those attacks that rely on correlations among a few queries, because we know AES is to some extent 2-wise independent. And finally, can you analyze other concrete cipher designs, for example ARX? That's all I want to share today. Thank you for listening.