So, block ciphers are a building block for many cryptographic constructions, such as hash functions, encryption schemes, etc. These are keyed permutations that take as inputs a key k and an input x and produce an output y. And there are two popular design paradigms for designing block ciphers. These are the Feistel network, for example, the Data Encryption Standard DES, which used to be the previous standard, is based on a Feistel network. And the current block cipher standard by NIST, AES, is actually a substitution-permutation network. So, this figure on the right shows a substitution-permutation network, an example of an SPN. The substitution step consists of the S-boxes that are highlighted in green. And the permutation step consists of a P-box and a simple key mixing via XOR. So, this would be referred to as a linear SPN. And I will talk about this and define it more precisely later in the talk. So, I'm just establishing this so that when I talk about related work, the context is clear. So, the Feistel network has been long studied. There's a long line of work, starting with the seminal work of Luby and Rackoff, studying the provable security of Feistel. Its security has also been considered in various other security models. SPN, on the other hand, has not been studied as extensively in the context of provable security. This is surprising given that SPNs have been around for a few decades. And a lot of the popular block ciphers, and in particular AES, are based on the substitution-permutation network. So, in this work, we will focus on provable security of SPNs and try to address this gap. So, before I talk about our definitions and our results, I just want to place it in the context of related work. So, SPNs with secret S-boxes, that is, S-boxes which are keyed, have been studied before. Naor and Reingold, for example, proved security of a one-round non-linear SPN. And the ideas there were further explored in the context of domain extension.
Miles and Viola also studied linear SPNs where the S-boxes are random functions; in particular, that means that they are not invertible. And hence, it's possible that the SPN itself is not invertible. And hence, it's not exactly a block cipher. And they showed provable security in this context. They also studied security against linear and differential attacks for SPNs with concrete S-boxes. Our work considers a more general setting and more general attacks and hence captures additional settings beyond what was done by Miles and Viola. So, SPNs with public S-boxes are in fact how block ciphers are typically built. So, there has been some work on SPNs with public S-boxes as well. Dodis, Stam, Steinberger and Liu studied indifferentiability of confusion-diffusion networks. So, indifferentiability is a stronger notion of security. And confusion-diffusion networks can be viewed as unkeyed SPNs. So, they show results only for SPNs of greater than five rounds. And given that it's a stronger notion of security, they could only prove weak security bounds in that setting. And the well-known Even-Mansour construction can also be considered to be a degenerate one-round SPN where no domain extension is happening. And it's just one block of input being the input of the S-box. So, the positive results in this setting are actually implied by a special case of our results. So, given that this is the current state of the art, I will first define what an SPN is and then mention what our results are. So, an SPN consists of two steps, the substitution step and the permutation step. So, the substitution step takes in a wn-bit input, splits it into w n-bit blocks and computes the S-box on each of these n-bit blocks. So, the S-box is a substitution box, which is a cryptographic permutation from n bits to n bits. So, this is going to be the only source of cryptographic hardness in the construction.
So, in particular, notice that in the figure, the S-box is unkeyed, and hence it illustrates that the S-box is going to be public in our setting. So, the next step is the permutation step. The permutation step takes in a wn-bit state again and applies a non-cryptographic keyed permutation to the state. So, first note that pi_k is non-cryptographic, and typically in real-world block ciphers, pi_k is linear and usually consists of a key mixing step followed by a linear transformation. In our setting, more generally, we would allow pi to be non-linear as well. But I want to emphasize that it's non-cryptographic and the only cryptographic hardness in the construction comes from the S-boxes. So, the substitution-permutation step together consists of the substitution step and the permutation step. And an r-round SPN is defined as follows. Round zero consists of a permutation step where there's just a non-cryptographic permutation pi. And then there's repeated application of the substitution and permutation steps defined earlier. So this is going to be an r-round SPN. So in order to analyze security of SPNs, we consider the indistinguishability setting. And in particular, we analyze its security as a strong pseudorandom permutation. So we capture security against chosen-plaintext and chosen-ciphertext attacks in an adaptive manner. So again, the S-boxes are modeled as public random permutations here and are the only source of cryptographic hardness. So consider the following setting where there is a distinguisher D, which in the ideal world has access to a random permutation P on wn-bit inputs, and in the real world has access to an SPN under key K with access to an S-box. So given that the S-box is unkeyed and public, this traditional pseudorandomness notion should in addition capture access to an S-box. So this is the security notion we will consider here. In the ideal world, the distinguisher D has access to a random permutation P on wn-bit inputs.
And in addition, a random permutation S on n-bit inputs. And in the real world, the distinguisher D has access to a random permutation S on n-bit inputs, and an SPN with access to this S under key K, that is, a permutation on wn-bit inputs. So if a distinguisher D cannot distinguish between these two worlds with high probability, we consider the SPN to be secure. So in particular, note that the distinguisher D is computationally unbounded, but can only make a bounded number of queries to its oracles. So now that we have established the security notion of SPNs that we consider here, I also want to mention how we categorize SPNs. So we categorize SPNs as linear and non-linear based on the permutation pi used in the permutation step. So for example, in a linear SPN, the permutation layer will be a linear function of the wn-bit round key and the state. For example, as I mentioned before, a simple key mixing followed by an invertible linear transformation T is considered to be a linear permutation. And hence, such an SPN would be considered to be a linear SPN. So on the other hand, when the permutation layer consists of a permutation pi that is a non-linear function of either the round key or the state, then it's considered non-linear. The SPN itself is considered to be a non-linear SPN. So now that we have defined what an SPN is, what linear and non-linear SPNs are, and what the security notion we consider is, I will now mention our results. So we have the following results. Firstly, for linear SPNs, we show that a two-round linear SPN is insecure, and the attack is actually due to Halevi and Rogaway for fields of characteristic 2, and it applies to our setting as well. We also show an attack that works for fields of arbitrary characteristic. Then we show a positive result saying that the three-round linear SPN is secure.
This is under the assumption that the keyed permutations in the permutation layer satisfy some mild technical requirements, and these requirements are satisfied by matrices with maximal branch number. Our proof technique uses Patarin's H-coefficient method. So in the non-linear setting, particularly with the focus on improving the number of rounds, we can actually show that even the one-round non-linear SPN is secure. We do this by identifying a combinatorial property that the keyed permutations in the permutation step should satisfy. These would be referred to as blockwise universal permutations, and I will focus on this more in the rest of the talk. The proof here, again, uses Patarin's H-coefficient technique. And with a view to getting beyond-birthday-bound security, we can actually show that a two-round non-linear SPN goes beyond the birthday bound, and this, again, relies on the H-coefficient technique, but this is a refined technique due to Hoang and Tessaro from Crypto 2016. We can also show that r-round SPNs lead up to asymptotic security, and we can also extend this to incorporate tweaks and multi-user security, although I won't be focusing on that in the rest of the talk. So before I go into details on a particular result, I want to mention how we should interpret our results. So firstly, this shows provable security of SPN-based block ciphers with public S-boxes, which have not been analyzed before. It also has implications for domain extension of block ciphers. For example, instead of considering the S-box to be, say, an n-bit S-box where n is eight, as in the context of AES, if you consider the S-box to be instantiated by a block cipher itself, for example, AES with a fixed key, then this results in a wide block cipher, implying domain extension of block ciphers. I also want to mention that a fixed-key block cipher, or a public random permutation, is essential to allow for public S-boxes in our setting.
And in addition to this, this is also the first construction of domain extension of block ciphers with beyond-birthday security. I also want to mention a caveat of our results, which might be obvious already, that our bounds are weak for SPN-based block ciphers such as AES when the size of the S-box is small, for example, when n equals eight, because you can think of the size of the input to the S-box as a security parameter in our setting. So what is required is a theory that establishes the security of building block ciphers from small S-boxes. Evgeny has some thoughts on that, and you should talk to him later if you're interested in finding out more. So just to recall, these are our results for linear SPNs and non-linear SPNs. We showed that a three-round linear SPN is secure, and I will mention a few things about this later in the talk, but right now I will focus mainly on the proof of security for a one-round non-linear SPN. So in order to do that, I will first discuss the combinatorial property that the keyed permutations should satisfy in the permutation step. All right, so, constructing non-linear SPNs. So the tool we use is what we call blockwise universal permutations. This is a permutation pi that takes in a key k and a wn-bit input x, and a keyed permutation pi is said to be blockwise universal if it satisfies the following three properties. The first being: for any distinct inputs x and x', the probability over a uniform key k that a block of pi applied on key k and input x and a block of the output of pi applied on key k and input x' are equal should be low. And the second condition that a blockwise universal permutation should satisfy is that on a wn-bit input x and on key k, where the key k is chosen uniformly, distinct blocks of pi(k, x) should be equal with low probability.
And finally, the third condition that a blockwise universal permutation should satisfy is that for a uniformly chosen key k, a block of pi(k, x) should be equal to a constant c with low probability. So this notion of blockwise universal permutations was in fact considered before by Halevi and Rogaway and others. And they in fact did not require the third condition that we mentioned here. And this third condition is required in our setting because of the fact that we allow for public S-boxes. So given that we have this notion of blockwise universal permutations, let's see how to actually construct a secure one-round non-linear SPN using those blockwise universal permutations. So let pi be a keyed permutation that is blockwise universal. And let's consider the one-round non-linear SPN that is shown here. So the round zero permutation step is just going to be an application of pi, which is blockwise universal. This is followed by the substitution step, which is just an application of S-boxes. And followed by the permutation step of round one, which is going to be pi inverse, where pi is the blockwise universal permutation. So we will see that this one-round non-linear SPN is secure up to the birthday bound. And this is true even when the same key k is used both in the round zero permutation pi and the round one permutation pi inverse. So the intuition for this proof is as follows. So blockwise universality ensures that the inputs to the S-boxes are distinct when the distinguisher makes a construction query. So this is because, if you recall, blockwise universality says that on distinct inputs x and x', any two blocks of pi(k, x) and pi(k, x') will be equal with low probability. And on the same input x, distinct blocks of pi(k, x) will be equal with low probability. So you can see that on construction queries, inputs to the S-box will be distinct with high probability, given that pi is a blockwise universal permutation.
We can also easily see this in the inverse direction, because an inverse query would just be applying the inverse of pi inverse, which is just pi, pi being a blockwise universal permutation. So the other thing to consider, given the fact that we are in the public S-box setting, are the distinguisher's queries to the S-box directly. And again, these queries to S would collide with low probability with any construction query, given the fact that blockwise universality by its third condition guarantees that an output of pi(k, x) will equal a constant c with low probability. So this is the intuition for why this one-round non-linear SPN, where pi is a blockwise universal permutation, is secure up to the birthday bound. So the next question is how to instantiate these blockwise universal permutations. So we show a few instantiations in the paper. One of them is a construction with n-bit keys but with high degree, high degree meaning high degree of the blockwise universal permutation. And the other is a construction with longer keys but with low degree, the degree being just three. So now that we saw the construction of a secure one-round non-linear SPN, with the remaining time I just want to give intuition as to why a three-round linear SPN is secure, using the intuition provided by the blockwise universal permutations. Again, the three-round linear SPN is secure only under some mild assumptions on the permutation step, which are satisfied by matrices with maximal branch number. So recall that in a linear SPN, the permutation layer is a linear function of the wn-bit round key and the state. And for example, as shown in the figure, this can be captured by simple key mixing followed by an invertible linear transformation T. Informally, the security of a three-round linear SPN holds because the first round of an SPN and the last round of an SPN can be considered to be a blockwise universal permutation.
Then it sort of fits into the pi followed by application of S-boxes followed by an application of pi inverse that we saw in the non-linear one-round setting. But this intuition doesn't translate formally into a proof, and this is because the blockwise universal permutation, if it's a one-round linear SPN, that implies that it includes a substitution step as well. In particular, the S-boxes there are public, and the blockwise universal permutation by definition is keyed. So even though the intuition kind of tells you why it can be secure, we need to go through a dedicated proof to show the security of a three-round linear SPN. So again, just to emphasize, we show results on both linear and non-linear SPNs. So a three-round linear SPN is secure up to the birthday bound, assuming some mild assumptions on the permutation step. In order to reduce the number of rounds, we focus on non-linear SPNs, where we show even a one-round non-linear SPN is secure, and furthermore, we can increase security and go beyond the birthday bound in the non-linear SPN setting. So the takeaway is that provable security of SPNs has not been a focus for a while, especially in the public S-box setting. So we focus on that, and also our results imply domain extension of block ciphers. In particular, we show domain extension with beyond-birthday-bound security. Thank you.
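As an added example, not part of the talk or the paper's own instantiations: a toy one-round non-linear SPN (pi_k, public S-box layer, pi_k^{-1}) with w = 2 blocks of n = 4 bits, where `pi` is a hypothetical keyed permutation over GF(2^8) constructed here for illustration. `collision_rates` measures the three blockwise-universal conditions over every key, and `pi_lin` (key mixing followed by a fixed linear map T) shows why a linear permutation layer fails the first condition with probability one, which is the gap the talk says the three-round linear proof has to close separately.

```python
import random

# Constructed toy parameters: w = 2 blocks of n = 4 bits; state and keys live in GF(2^8).
N, W = 4, 2
MASK = (1 << N) - 1

def gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11b
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)
def blocks(x):  # split a wn-bit state into w n-bit blocks (block 0 = low bits)
    return [(x >> (N * i)) & MASK for i in range(W)]

# Public, unkeyed S-box: a fixed random permutation on n bits (seeded); S_INV serves decryption queries.
S = list(range(1 << N)); random.Random(1).shuffle(S)
S_INV = [S.index(v) for v in range(1 << N)]
def sbox_layer(x, box):
    return sum(box[b] << (N * i) for i, b in enumerate(blocks(x)))

def pi(k, x):  # hypothetical non-linear keyed permutation, k = (k1 != 0, k2)
    return gf_mul(k[0], x ^ k[1])
def pi_inv(k, y):
    return gf_mul(gf_inv(k[0]), y) ^ k[1]
def pi_lin(k, x):  # linear layer: key mixing, then a fixed invertible map T
    return gf_mul(3, x ^ k)

def spn1(k, x):  # one-round non-linear SPN: pi_k, S-box layer, pi_k^{-1}
    return pi_inv(k, sbox_layer(pi(k, x), S))
def spn1_inv(k, y):  # the inverse has the same shape with S^{-1} in the middle
    return pi_inv(k, sbox_layer(pi(k, y), S_INV))

def collision_rates(perm, keys, x, xp, c=0):
    """Fraction of keys violating each blockwise-universal condition: (1) a block of
    perm(k,x) equals a block of perm(k,xp); (2) two blocks of perm(k,x) are equal; (3) a block equals c."""
    p1 = p2 = p3 = 0
    for k in keys:
        bx, bxp = blocks(perm(k, x)), blocks(perm(k, xp))
        p1 += any(a == b for a in bx for b in bxp)
        p2 += bx[0] == bx[1]
        p3 += c in bx
    return [p / len(keys) for p in (p1, p2, p3)]

NONLIN_KEYS = [(k1, k2) for k1 in range(1, 256) for k2 in range(256)]
```

For the non-linear `pi` all three rates stay near 2^-n over the full key space, while `collision_rates(pi_lin, range(256), 0x00, 0x10)` returns 1.0 for the first condition because the key cancels out of pi_lin(k, x) XOR pi_lin(k, x').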