Hello everyone, I'm Yuan Gao from Shandong University. This work was done in cooperation with my advisor Chun Guo, Meiqin Wang, Weijia Wang, and Jiejing Wen. In this paper, we prove that the 4-round SPN with a linear diffusion layer is secure up to 2^(2n/3) queries, beyond the birthday bound, where n is the size of the idealized S-boxes, as long as the four S-boxes S1, S2, S3, S4 used in the four rounds are independent public random permutations, the round keys K0 to K4 are uniform and independent, and the diffusion layer T is a linear permutation with some special combinatorial properties.

To elaborate in detail, here is the outline of this talk. I will first introduce the background. Our result is about the structure of block ciphers. Modern block ciphers mostly follow two structures. One choice is the Feistel network and its generalizations. In its basic form, the Feistel network applies a domain-preserving function to half of the data, and then executes XOR and swap operations, as in this picture. This can be generalized to using compression functions, as in this picture: m is less than n, and the function f compresses n bits into m bits; and then it executes XOR and swap operations using expansion functions, and using smaller functions. Famous examples include DES, the Russian standard GOST, and the ISO standard CLEFIA. In theory, the security of Feistel networks can be proved in the Luby-Rackoff model, which assumes the round functions are PRFs, or secret random functions, and proves the networks are indistinguishable from large random permutations. We mention a few such works here.

The other general structure is the SP network. It starts with a set of public keyless S-boxes like this, and extends it to a keyed permutation on wn-bit inputs by iterating a substitution step, that is, break down the wn-bit state into w disjoint chunks of n bits and evaluate an S-box on each chunk, plus a permutation step.
That is, apply a keyed permutation to the whole wn-bit state, which is also applied to the plaintext before the first round. Usually, the permutation is linear, and all nonlinearity, or cryptographic strength, comes from the substitution step, i.e. the S-boxes. Various popular block ciphers include the AES, Serpent, and the ISO/IEC lightweight standard PRESENT. Regarding its provable security, we consider the S-boxes to act as the only source of cryptographic hardness, while the permutation layers only supply auxiliary combinatorial properties. That is, the S-boxes may be idealized as secret random functions or permutations, leaving the permutation layers as efficient non-cryptographic functions. Provable security is limited by the S-box size, which is too small, for example 8 bits for AES. But this line of work is theoretical support for the SPN approach to constructing block ciphers and does not relate to any concrete SPN-based block ciphers.

Assuming PRF-based S-boxes, Iwata and Kurosawa proved PRP security for Serpent-like SP network models with such secret S-boxes at FSE 2000. Miles and Viola proved chosen-plaintext security for linear SPNs with PRF S-boxes, zero-free permutations, and more than two rounds at CRYPTO 2012. By zero-free, we mean the linear layer has no zero entry. On the other hand, assuming public S-boxes, Dodis et al. at CRYPTO 2018 repopularized this line of work. They showed that for any w, three-round linear SPNs are n/2-bit SPRP secure, and even a one-round SPN can be secure if appropriate keyed permutations are used. Cogliati and Lee at CRYPTO 2018 made SPNs tweakable by allowing keyed tweakable permutations in the permutation layer and proved their security as tweakable block ciphers.
They proved beyond-birthday-bound security for two-round nonlinear SPNs with independent S-boxes and independent round keys, and that 2t-round nonlinear SPNs in the multi-user setting are also secure, as long as the number of adversarial queries is well below 2^(tn/(t+1)). Besides, Dodis et al. at EUROCRYPT 2016 showed the indifferentiability of keyless SP networks.

Now we discuss what we do. With more than two rounds, nonlinear SPNs could ensure beyond-birthday-bound security, but the security of the more practically relevant linear SPNs is only proved up to the birthday bound at three rounds. So we focus on linear SPNs with independent S-boxes and independent round keys and try to break the birthday barrier. We prove the following: assume w ≥ 2 and p + wq ≤ 2^n/2. Let SP_{K,T,S} be a four-round linear SPN. If the round keys K0 to K4 are uniform and independent and T is good, then the single-user attack advantage has this bound and the multi-user advantage has this one. Both of them are of the order Q22 divided by 223n, beyond the birthday bound.

Regarding which T is good, we write T and its inverse as two matrices with w² entries each, as shown. Then we say T is good if it satisfies: T contains no zero entries; no row of T contains redundant entries; the inverse of T contains no zero entries; and no row of the inverse of T contains redundant entries. The first and the third conditions are also required for the birthday-bound security of three-round linear SPNs, and the second and the fourth conditions can be seen as a second-order extension of the first and the third ones.

Here is a summary of provable results on SP networks. The first column presents the number of rounds in the model. The second column indicates how many S-boxes are used in the model and whether they are public or secret. Regarding security, PRF, PRP, SPRP, and TSPRP, which is tweakable strong pseudorandom permutation, indicate the security model.
SU and MU indicate whether it is in the single-user or multi-user setting, while the last column indicates the concrete provable bounds. These are the security models of the real world and the ideal world. In the real world, the distinguisher D has access to SPN_K with a random K, and in the ideal world, the distinguisher D has access to a random permutation. In both worlds, D has access to the four S-boxes S1, S2, S3, and S4, and makes q queries to SPN_K or RP and p queries to S1 to S4. Our proof applies the H-coefficient technique: we use the cryptographic properties of the first and the fourth S-boxes, and we show that the intermediate values here and there are close to the two-round nonlinear SPN of Cogliati and Lee. So we first formalize this observation and then apply their result. This finishes the proof.

To conclude, with four rounds and a moderately stronger linear permutation layer, a linear substitution-permutation network is secure up to 2^(2n/3) queries, which overcomes the birthday barrier. But we remark that the security of t-round linear SPNs for general t remains open, and whether tweaks can be mixed into the construction via XOR to ensure beyond-birthday-bound security remains unknown. Thank you for your attention. Questions or comments?
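As an added illustration, not code from the talk or the paper, here is a toy Python model of the four-round linear SPN SP_{K,T,S} described above together with the "good T" check on T and its inverse. It assumes n = 4, w = 2, the field GF(2^4) with polynomial x^4 + x + 1, a keyed layer of the form x -> T(x xor K_i) applied before the first S-box layer and after each of the four, and reads "redundant entries" as repeated entries within a row; the sample matrices and S-boxes are constructed for the example.

```python
from functools import reduce

# Added toy model, not code from the talk or the paper: a w-chunk linear SPN over
# GF(2^n) with the talk's "good T" check.  Assumed: n = 4, w = 2, polynomial
# x^4 + x + 1, keyed layer x -> T(x xor K_i), "redundant" = repeated in a row.
N, W, POLY = 4, 2, 0b10011
T_GOOD, T_BAD = [[1, 2], [2, 1]], [[1, 1], [1, 2]]   # constructed sample layers

def gf_mul(a, b):                       # multiplication in GF(2^n)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (POLY if a >> (N - 1) else 0), b >> 1
    return r

def gf_inv(a):
    return next(x for x in range(1, 1 << N) if gf_mul(a, x) == 1)

def mat_vec(t, x):                      # linear layer T applied to w chunks
    return [reduce(lambda p, q: p ^ q, (gf_mul(a, v) for a, v in zip(row, x)), 0) for row in t]

def mat_inv(t):                         # Gauss-Jordan over GF(2^n); None if singular
    m = [row[:] + [int(i == j) for j in range(W)] for i, row in enumerate(t)]
    for c in range(W):
        p = next((r for r in range(c, W) if m[r][c]), None)
        if p is None:
            return None
        m[c], m[p] = m[p], m[c]
        m[c] = [gf_mul(gf_inv(m[c][c]), v) for v in m[c]]
        for r in range(W):
            if r != c and m[r][c]:
                m[r] = [v ^ gf_mul(m[r][c], u) for v, u in zip(m[r], m[c])]
    return [row[W:] for row in m]

def is_good(t):                         # T and T^-1: no zero entry, no row with a repeated entry
    ti = mat_inv(t)
    return ti is not None and all(0 not in r and len(set(r)) == W for r in t + ti)

def spn4_enc(x, keys, t, sboxes):       # T(x+K0), then S_i layer and T(.+K_i) for i = 1..4
    x = mat_vec(t, [a ^ b for a, b in zip(x, keys[0])])
    for s, k in zip(sboxes, keys[1:]):
        x = mat_vec(t, [s[v] ^ b for v, b in zip(x, k)])
    return x

def spn4_dec(y, keys, t, sboxes):       # undo the rounds with T^-1 and S_i^-1
    ti = mat_inv(t)
    for s, k in zip(sboxes[::-1], keys[:0:-1]):
        y = [s.index(a ^ b) for a, b in zip(mat_vec(ti, y), k)]
    return [a ^ b for a, b in zip(mat_vec(ti, y), keys[0])]
```

The identity matrix fails the check because of its zero entries, and T_BAD fails because its first row repeats an entry, even though both are invertible.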