Thanks, Stefano, for the introduction. Let's have another work about indifferentiability, joint work with Yevgeniy, Martin, and John. It's about Confusion-Diffusion Networks. So the first question: what's a Confusion-Diffusion Network? It's a terminology we invented ourselves. Well, it's just, you mentioned the talk is not interesting. This network is motivated by substitution-permutation networks, like AES. It's a famous one. It's a repetition of key addition, parallel S-boxes, and diffusion. In an SPN, the S-box should be a complex permutation over a small domain. It should destroy structure, be nonlinear, look quite random. And the diffusion box should have a simple structure, and the round key. In a Confusion-Diffusion Network, it's the same, except we don't have the key anymore. Honestly, there's one more difference: in the SPN, the S-box is kind of fixed. But in our work, the S-box is randomly chosen. So we consider it as domain extension. Like, you have a nice small permutation. How could you construct a nice permutation over a large domain? And the confusion-diffusion terminology goes back to Shannon. Well, this design paradigm is credited to Feistel. So, the goal of our work: we want to explore the theoretical soundness of Confusion-Diffusion Networks. It's a way to construct cryptographically secure permutations. And in particular, the S-box would be modeled as a random permutation, a public random permutation. And we want to construct a bigger random permutation. We would work in the ideal model. Yeah. Just one more time: the S-boxes are random permutation oracles, and the S-boxes are independent. The D-box will be fixed, explicit, and hopefully a very simple permutation. And is this network similar to a random permutation? How many rounds do we need? What kind of diffusion box do we need? That would be the work we do. We don't really have closely related work. So this is kind of related work. It's by Miles and Viola in Crypto 2012.
They prove an indistinguishability result about SPNs when the S-box is a secret permutation. And ours is basically not the same, but that's the kind of related work. Some more notation. In this picture, it's an example of a Confusion-Diffusion Network. Each line would be an n-bit value. So the S-box would be a permutation over n bits. You should think of n as the security parameter in our construction. And in each round, there will be W boxes in parallel. W is called the width. And the number of rounds is named R. So the domain: the CDN is a permutation over Wn bits. You also need to remember that the diffusion box, the top one and the same one, is also a permutation over Wn bits. Now I'll define the indifferentiability security experiment. In such an experiment, there will be two worlds. One is the real world, one is the ideal world. And they should be hard to distinguish. In the real world, the distinguisher has oracle access to our construction in both directions. It also has oracle access to each individual S-box used in our construction. One more time to remind you that all S-boxes are independent. And the diffusion box is fixed. In the ideal world, the Confusion-Diffusion Network is replaced by a real, giant, random permutation. And to have the same interface, we need a simulator. Whenever the distinguisher wants to query the S-box, it's really answered by a simulator. The simulator should fake up some answers such that these two worlds look the same. In particular, the simulator should answer the query in a way such that the S-boxes seem to be consistent with the permutation P. Thus, we must allow the simulator to also query P. So the theorem should look like, our result should look like: for a certain number of rounds, for such and such diffusion permutations, and for such a simulator, the distinguisher cannot distinguish these two worlds using a certain number of queries. Notice that we consider the case where the distinguisher is computationally unbounded.
Thus, its ability is only limited by the number of queries it makes. Now let's explore what diffusion permutation we'll use. In this study, we have explored several combinatorial properties that would be very useful for the diffusion permutation. And this is some terminology we invented. They are, at first, so-called entry-wise randomized pre-image resistance, or RPR, and so-called entry-wise randomized collision resistance, or RCR, and lastly conductance. We will explore them one by one. The first one would be randomized pre-image resistance. What does that mean? You have a diffusion permutation. And we focus on one of the input wires, say the first wire, and one of the output wires, say the second wire. And we fix the rest of the input wires to some values. And we set a random input on the wire we care about. We hope that the output wire in this example, Y2, would be very random, in the sense that for any value Y2 star, and for any X2, X3, X4 you fixed, by randomly choosing X1, Y2 should hit Y2 star with very low probability. And it's, in fact, very easy. You just consider each wire as a field of size 2 to the n, and you choose pi as a random linear permutation such that the corresponding matrix is made up of non-zero entries. Next step. So the next property is slightly more tricky. It's called randomized collision resistance. I guess from the picture, you could somehow understand what that does. The same thing: we focus on one input wire, say the first wire, and one output wire, say the second output wire. For the remaining input wires, we fix them to two different tuples. One is X2, X3, X4, and X2 prime, X3 prime, X4 prime. And so we fix X1 to be random. By fixing the rest of the input to these two different tuples, you get two different outputs, Y2 and Y2 prime. RCR says Y2 should equal Y2 prime with very low probability. So besides collision, it could also stand for "it cannot be linear", because a linear permutation cannot be RCR.
Say pi is a linear permutation. Then Y2 should be a linear combination of its inputs, like A times x1 plus B times x2, and so is Y2 prime. Then you could easily find some blue values such that in these two equations the blue parts are equal; thus, regardless of how you randomly choose x1, y2 equals y2 prime with probability 1. Thus it cannot be RCR. Yeah, there's a special case when W equals 2, but I don't really want to discuss it. Though a linear permutation doesn't work, we give an explicit construction that is RCR. It's a linear permutation sigma, composed with a Feistel polynomial, composed with the inverse of sigma. The Feistel polynomial is this: there are W wires. You leave all but one wire alone. And for the last wire, you add something that is determined by the rest of the wires. Yeah, it's easy to see it's invertible. And we prove this construction is RCR; the details are not presented here. So the last property is called conductance. It's a very cool property, and it can be defined by a game. In the game, an adversary chooses Q values on each wire. So these orange bubbles are the values chosen by the adversary. Say, for example, U1 denotes the Q values chosen by the adversary for the first input wire, and U2 the values chosen for the second input wire, and so on. And the points earned by the adversary is the number of pairs of vectors x and y such that the vector x is inside the direct product of U1, U2, to U4, and the vector y is inside the direct product of V1, V2, to V4, and such that y is the output of pi if the input is x. We define conductance as the maximum number of points that can be earned by the adversary. So why do we care about conductance? Remember in a Confusion-Diffusion Network, this diffusion box is surrounded by S-boxes. And in the ideal world, the S-boxes are simulated by the simulator. And the simulator, at each point, should have committed to some of the values inside the S-boxes.
And maybe these green points, the points that are adjacent to the diffusion permutation, are the sets U1 to UW and V1 to VW defined in conductance. Oh, sorry. The reason we care about conductance is that assuming the conductance is large, it means, assuming the distinguisher has queried these S-boxes such that all these blue points have been defined in these S-boxes, then the distinguisher has learned a lot in this part, which means the simulator needs to react, like x, y, such that everything is well defined. The more work that the simulator does, the more likely it will be caught. So we would hope to have low conductance. It's easy to show that conductance is lower bounded by Q and upper bounded by Q to the W. If you choose a random permutation, its conductance would be very close to Q, which is optimal. But we don't know any explicit construction for a permutation with low conductance. So that will be an open problem. And if you want to have a linear diffusion permutation, we conjecture there exists a linear permutation with conductance Q squared, but it's just a conjecture. So our result depends on how many rounds we have and what diffusion permutation you choose. If we can use any diffusion permutation, on the left, five rounds would give you not so good security, and seven rounds would give you good security. But if you insist on using a linear diffusion permutation, we need nine rounds for not so good security, and 11 rounds for conjecturally good security. So good security means the advantage of the distinguisher is at most Q squared over 2 to the n, and not so good means Q to the 2W over 2 to the n. W is the width of the CDN network. If W is a small constant, it doesn't matter, but if W is large, you want to have good security. And we only have one proof and one simulator, but it's parameterized by three boolean flags. Yeah, we will explore it.
This is the most compact CDN network we have, only five rounds, and despite the number of rounds, the simulator would be very similar to the previous work for the 14-round Feistel network. If you have listened to the previous presentation by Aishwarya, we are basically doing the same thing. We have a detection zone in the middle marked by yellow and an outer detection zone. And if the detection zone detects something, it would complete the chain and adapt some values. So there are two adapt zones. And the adapt zone is guarded by what we call the entangled zone. For this five-round construction to have not so good security, we need the diffusion permutation in the entangled zone to be RCR. But we know that this means this permutation cannot be linear. If you want to use a linear permutation, we could add one more round in the entangled zone. And in such a construction, a nine-round construction, we only need the permutation in the entangled zone to be RPR, so it could be linear. And another concern is about the security. For five rounds, it's just OK security. You should consider it this way: the distinguisher can make at most Q queries to each of the boxes in the middle. Thus, in order to fill the middle part, the distinguisher has like Q to the W different ways to fill it. And the security is like Q to the W, the number of different ways to fill the middle part, squared over 2 to the n. For better security, we add one more round. So it would be difficult for the distinguisher to fill the middle part. The number of different ways the distinguisher can fill the middle part is bounded by the conductance of the middle diffusion permutation. And as I just said, by choosing a random fixed permutation in the middle, the conductance is almost linear, so you would get good security. The same thing: if you want to use a linear diffusion permutation, you could add one more round in the entangled zone.
In the middle one, it's your choice whether you want to switch to a linear permutation. If you can use a nonlinear permutation, we have like provably small conductance. If you choose a linear permutation, we only have conjecturally small conductance. So we just discussed the security part. We have another problem about query complexity. Remember that the simulator could query the big, giant, real random permutation Q-something here. But our distinguisher would query maybe the big permutation many times, for any suspicious query that already filled the red box on the left. Yeah, still, the distinguisher might query at most Q to each of the red boxes on the left, but then it would have Q to the W different ways to fill the left part. So the same trick: add one more round. Then the distinguisher only has conductance-of-mu different ways to fill the left part. It would decrease the query complexity. So our construction has three different flags. You can add one more round for enhanced security. You can add one more round on the left for smaller query complexity. And you can add four rounds, one per entangled zone, to reduce the requirement on the diffusion permutation. In particular, you can use a linear diffusion permutation. And this would be a summary of our result compared to previous works. It shows that we, and this is in the case when W equals two. For the five round, it's an explicit construction; for the seven round, the middle construction, the diffusion permutation with low conductance, we could only show its existence without a construction. And that's the result. And also the end of my talk. Thank you.

All right, we have time for a couple of questions.

Your analysis is concentrated on carefully chosen diffusion maps, which have good conductance properties. In practice, in practical designs, people are using very simple diffusion layers. For example, think about n equals w. So you might have eight-bit S-boxes. And you have eight such S-boxes.
And what you do is you just spread the eight output bits of the S-boxes, one going to each one of the eight S-boxes of the next round. So assuming that you have this particular diffusion network, which is not linear. I mean, it's linear, but trivially so. You are just doing a bit permutation, which splits the output of each S-box to different S-boxes in the next layer. What are the results that you can show?

We could not show it, in that case, for two reasons. One, you are considering n quite small. But in our construction, I've said that n is like the security parameter. So when n is a small constant, we could not really prove anything. And for that kind of, you are seeing like the most traditional permutation in SPN networks. That's quite weak for us. In that case, it's not RPR. It's not randomized pre-image resistant. But there exist simple constructions of randomized pre-image resistance. Like, just a linear permutation would be good enough. So for one question, it's no. For the other, it's conjecturally yes.

Any more questions? OK, just a quick question, actually. So for the conductance, you show the lower bound is Q and it goes up to Q to the W. So I understand you want to have a simple construction. But in the extreme case, if you pick a permutation at random, can you show with some probability that it gets optimal conductance?

So sorry. If you pick a permutation at random, can you show it with some positive probability? So which permutation, at random?

No, hypothetically, just for existential results. So can you show that permutations exist that have optimal conductance?

We show there exist permutations with very low conductance. And in fact, most permutations.

OK, let's thank both speakers of this session again. Thank you.
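As an added example that is not part of the talk or the paper: a small Python experiment over GF(2^8) with W = 3 wires that checks entry-wise RPR and RCR exhaustively for the two kinds of diffusion permutation discussed above. The matrix SIGMA, the cubic function inside the Feistel step, and the adversary's tuple choice are our own assumptions; the linear permutation passes RPR but an adversary makes an output wire collide for every x1, while sigma composed with the Feistel step composed with sigma inverse keeps the collision count to at most 2 of 256.

```python
# Added example, not the talk's code: entry-wise RPR / RCR experiments for a 3-wire
# diffusion permutation over GF(2^8).  SIGMA = I + u v^T with v.u = 0 is an
# involution, so SIGMA^-1 = SIGMA and no matrix inversion is needed.
MOD = 0x11B                           # AES field polynomial x^8+x^4+x^3+x+1

def gmul(a, b):                       # multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1: r ^= a
        a <<= 1
        if a & 0x100: a ^= MOD
        b >>= 1
    return r

def matvec(m, x):                     # matrix * vector over GF(2^8)
    out = []
    for row in m:
        acc = 0
        for a, v in zip(row, x): acc ^= gmul(a, v)
        out.append(acc)
    return out

SIGMA = [[3, 4, 6], [2, 5, 6], [2, 4, 7]]   # all entries non-zero, SIGMA*SIGMA = I

def pi_lin(x):                        # linear diffusion: RPR, but not RCR
    return matvec(SIGMA, x)

def feistel_step(z):                  # leave W-1 wires alone; last wire += sum z_i^3
    f = 0
    for v in z[:-1]: f ^= gmul(v, gmul(v, v))
    return z[:-1] + [z[-1] ^ f]

def pi_nl(x):                         # sigma o F o sigma^-1; the cubic f is our choice
    return matvec(SIGMA, feistel_step(matvec(SIGMA, x)))

def max_preimage_hits(pi, rest, j):
    # RPR: x1 ranges over all 256 values with wires 2..W fixed to `rest`;
    # how many x1 can send output wire j to the same value?
    hits = {}
    for x1 in range(256):
        y = pi([x1] + list(rest))[j]
        hits[y] = hits.get(y, 0) + 1
    return max(hits.values())

def collision_count(pi, rest, rest2, j):
    # RCR: same x1, two different fixings of wires 2..W; count x1 with y_j == y_j'
    return sum(pi([x1] + list(rest))[j] == pi([x1] + list(rest2))[j]
               for x1 in range(256))

def linear_rcr_break(j):
    # adversary's tuples against pi_lin: differences (s_j3, s_j2) on wires 2, 3 give
    # s_j2*dx2 + s_j3*dx3 = 0, so y_j == y_j' for every x1
    return (0, 0), (SIGMA[j][2], SIGMA[j][1])
```

The bound of 2 for pi_nl follows because, with x1 as the variable, the difference of the two output values is a non-zero polynomial of degree at most 2 over the field; the RPR count for pi_nl is at most 3 for the same reason.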