Hi everyone! This work is about the provable security of a novel block-cipher paradigm named SP networks with partial nonlinear layers. The work is joint with François, Weijia, Xiao and Yu. As mentioned, we studied a novel block-cipher structure named SP network with partial nonlinear layers, which is obtained by removing part of the S-boxes from a normal SP network, as shown in this picture. For this structure, we provide the first systematic provable security treatments: we prove security against CCA attacks, and we prove security against impossible differential attacks. We also show tight bounds on the number of active S-boxes in differential trails and provide principled linear layers that help achieve these tight bounds. This means the paradigm is sound, or even advantageous, in a well-defined sense. To see the results, let's first talk about some background. So, consider the problem of designing a block cipher. We have two main approaches. The first is the Feistel network and its generalizations; see this picture. In every round of such structures, only part of the intermediate state goes through the nonlinear round function, and this part is kept in the output. A well-known instance is of course the Data Encryption Standard. The second is the SP network; see this picture. In this structure, in every round, the entire input is divided into a number of chunks, and every chunk goes into a nonlinear S-box. The outputs of the S-boxes are then merged with a linear diffusion layer T. An important example is the Advanced Encryption Standard, as well as the recently accepted ISO standards such as SKINNY and Deoxys. This work considers an exception lying between the two approaches; see this picture. As far as we know, the motivation to use this structure was due to side-channel masking.
In detail, to protect the implementation of a block cipher against power analysis and other side-channel attacks, one uses secret-sharing-based techniques: the secret keys and intermediate states are divided into shares, and one operates on these shares with the hope that every share leaks independently, which reduces the total amount of side-channel information leakage. Because the AND operation is nonlinear with respect to XOR, performing AND operations on these shares is difficult and more expensive. It is thus natural to seek new block ciphers with as few AND operations as possible. The first attempt was made at CHES 2013, providing a block cipher named Zorro. The central idea is to reshape AES. Concretely, in AES the substitution layer has 16 parallel applications of an 8-bit S-box. Zorro replaces the S-box with a lighter one and reduces the number of AND gates in every S-box evaluation. But more importantly, Zorro only keeps four S-boxes in every substitution step and removes the other three quarters, and this reduces the security of the round function. To compensate for this weaker round function, Zorro increases the number of rounds from 10 in AES to 12 in Zorro. So the total number of S-box evaluations in the whole encryption is reduced from 160 in AES to 48 in Zorro. And as mentioned, every S-box is lighter than in AES as well, so this significantly reduces the total cost of masking. This novel block-cipher structure is called SP network with partial nonlinear layers in subsequent works, or partial SP network for simplicity. Besides masking schemes, block ciphers evaluated in MPC engines also desire fewer AND operations. This scenario is even more extreme, because XOR operations can be evaluated locally in the MPC engine, while AND operations incur communication overhead, and communication is the current bottleneck of MPC. So subsequent designs follow this paradigm, including LowMC, the HADES paradigm and [unclear] for MPC block ciphers.
So for the remainder, let's recall the idea for clarity. Given a normal SP network, assume that the number of chunks is W; for example, in this picture we have 4 chunks. We remove a number of S-boxes to obtain the partial SP network structure, and we call the number of remaining S-boxes divided by W the rate of the structure. For example, in this picture we have 4 chunks, but only 2 of them go through an S-box, so the rate is 2 divided by 4, or 1/2. The normal SPN is a special case of such partial SP networks with rate 1. Our community has conjectured some advantages of partial SP networks. For example, one would obviously think that to achieve the same level of security, PSPNs consume fewer nonlinear operations than normal SPNs; of course, this is the very motivation for using this structure. Bar-On et al. conjectured that by trading some S-boxes for stronger linear layers, PSPNs can achieve more security against structural attacks such as impossible differential and integral attacks. We will study models for partial SP networks and try to shed some light on these questions. Let's now see our results. We prove CCA security for partial SP networks with rate 1/2, and security against impossible differential attacks for 4 rounds when the rate is at least three quarters. Finally, we provide the first principled linear layers; these ensure a tight number of active S-boxes in differentials. So let's now see the results one by one. We first recall the setting for CCA security. In this setting, a distinguisher has two oracles. The right oracle is the underlying S-box, modeled as a public random permutation. In the real world, the left oracle is the partial SP network using a random key; in the ideal world, the left oracle is a Wn-bit wide random permutation, and the distinguisher has to tell apart the two worlds. Its advantage is defined by this expression.
We first show a chosen-plaintext differential distinguishing attack on 3 rounds, which works even if the S-boxes and linear transformations in the 3 rounds are independent. The idea is as follows. Consider the linear layer T1 in the first round. Since only half of the chunks have S-boxes, it is always possible to derive a differential on T1 with input and output differences of this form: the right half of the input difference has no active S-box, while the right half of the output difference has only one active S-box, and its difference is δ. After this output difference propagates through the second S-box layer, the left half is invariant since there is no S-box, and the right half has at most 2^n possibilities. So after the difference further propagates through the second linear layer T2, the left half here has at most 2^n possibilities as well, and these possibilities can be computed and stored. So by this, we query the construction oracle with a pair of plaintexts with input difference δ1 concatenated with zeros, and check whether the left half of the output difference is among the 2^n possibilities that we can predict. The time complexity is 2^n, but the query complexity is just two, so it is tight. For the positive result, we make the following assumptions: first, all the S-box evaluations in the network use the same S-box S, and S is an n-bit public random permutation; second, the same linear transformation T is used in the five rounds, and T is a linear transformation slightly stronger than MDS; and finally, the first and the final key additions use two uniformly distributed keys K0 and K5. With these assumptions, and assuming the distinguisher makes Q_C queries to the left construction oracle and Q_S queries to the right S-box oracle, we prove the following security bound. This type of birthday bound is common in similar provable security treatments.
A provable CCA security bound is limited by the size of the random primitives in use, which is very small in our context. For example, the AES parameters have n = 8, and our bound implies security up to only 2^4 queries. This is of course of no practical meaning. But the interesting point is that now we see the partial SP network can be proven secure in the same model as normal SP networks and generalized Feistel networks, so we can have a fair comparison of their advantages or disadvantages. In particular, to achieve CCA security, the PSPN uses rate 1/2 and 5 rounds, so in total 5W/2 S-boxes. To achieve the same result, the normal SPN uses 3 rounds and thus 3W S-boxes, which is more. So in some sense we confirm the conjecture that PSPNs indeed consume less nonlinearity for security, in a formal sense. But of course the interpretation should be taken with caution: we indeed prove their advantage, but the model we use may be a bit debatable. We now see the second result. We also begin with the setting. With small random primitives, we cannot prove good security bounds for general adversaries, as we discussed. So another approach is to prove security against certain types of attacks. In this respect, Sun et al. proposed a model to prove security against impossible differential attacks. It assumes that any differential with nonzero input and output differences is possible on the S-box. This eliminates the details of the S-box, greatly simplifies the analysis, and enables security proofs against impossible differentials. Sun et al. also called block ciphers with such idealized S-boxes block cipher structures, and called such analysis structural analysis. In this setting, they were able to establish provable impossible differential security for several structures. Our result should be interpreted as follows.
There is no 4-round impossible differential distinguisher when the rate exceeds three quarters, unless the details of the components in the block cipher are considered. This positive result is better than the analogues on AES-like SPNs, because the latter need five rounds, and this is because the latter use a linear layer that is much weaker than MDS. So the result means it indeed makes sense to trade S-boxes for stronger linear layers, and the structural security may be improved. For our last result, we consider sparse PSPNs with rate much smaller than 1/2. This sort of parameter is indeed used in LowMC and HADES. For simplicity, we assume the reciprocal of the rate r is an integer ρ. For example, in this figure we have 12 chunks, but only two have S-boxes, so the rate is 1/6 and the reciprocal ρ equals 6. A basic observation here is that there always exist (ρ−1)-round differential trails with probability one, because the trail can just avoid active S-boxes in the ρ−1 rounds (in each of these rounds only the W/ρ S-box chunks must carry a zero difference, which is (ρ−1)W/ρ < W linear conditions on the W-chunk input difference, so a nonzero solution always exists). For example, this example has a five-round differential trail with probability one. Then the question is how to design the linear layers to ensure a security lower bound. There was no obvious answer, and as a consequence LowMC used distinct pseudorandom linear transformations in the rounds. To address this question, our idea is actually very simple. It is inspired by the idea of using MDS transformations to ensure optimal differential security in two rounds: the linear transformation T is designed such that every one-round differential (δ1, δ2) is a codeword of an MDS code. The MDS property then ensures a lower bound on the weight of the codeword, and this in turn becomes a lower bound on the number of active S-boxes in the one-round differential. We generalize this idea to PSPNs with a very small rate.
A ρ-round differential trail could have zero active S-boxes, but in this case the ρ differences δ1, ..., δρ all avoid the S-boxes. So if (δ1, ..., δρ) is a codeword of an MDS code with long codewords, then the MDS property ensures a lower bound on the number of active S-boxes in the ρ rounds. Then, by a combinatorial analysis, this ensures at least one active S-box in every ρ-round differential, which is tight (the code has length ρW and dimension W, so a nonzero codeword has at most W−1 zero symbols, while the ρ rounds contain exactly ρ·W/ρ = W S-box positions). With this idea, we construct an MDS code and use its generator matrix to obtain ρ−1 distinct linear transformations. We can then use these transformations for the sparse PSPN. While distinct rounds still have to use distinct linear transformations, now we have a clear underlying mathematical principle, compared with the ad hoc choice in LowMC. MDS codes only exist for certain parameters, and this limits the effectiveness of our approach. We list a number of possible combinations of parameters for which our approach works. Using larger S-boxes means the codewords live over larger fields, and MDS codes exist for more parameters, as reflected by the more frequent check marks in the right columns. So by this, we advocate using large but weak S-boxes in partial SPN ciphers: use large S-boxes to ensure the existence of the MDS code and the effectiveness of our approach, while the S-box could be cryptographically weak to reduce implementation overhead. Such S-boxes can be built by the approach of SHA-3 or using the recently proposed ARX-box. Finally, we'd like to mention a trivial extension of our final result.
Our linear transformations ensure at least one active S-box in ρ rounds, and by composing this result, they ensure at least t active S-boxes in every tρ rounds. While this result is trivial, it seems a useful starting point for MPC-oriented block ciphers. More clearly, one could begin with an instantiation of our construction and then seek more fine-grained security analysis and refinements, and this may give rise to elegant and secure PSPN ciphers. To conclude, we make the first step towards understanding the theoretical soundness of partial SP networks: we provide the first systematic provable security treatments regarding different security definitions, and an approach to design the linear layers. Of course, there are a number of possibilities for future work, including weakening the assumptions of the security proofs against impossible differentials, seeking new SPRP encryption modes from the PSPN structure, and seeking more applications of the large-but-weak S-box methodology in concrete block ciphers. Also, one may consider the security of the 4-round PSPN with rate 1/2, since we were unable to find either attacks or proofs. Though we believe the most interesting point is to seek more persuasive theoretical results justifying or dismissing the advantages of PSPNs. We prove the advantage in the SPRP model, but the model is, as mentioned, debatable. So for example, what about algebraic degrees? Can lower bounds on the degrees justify the advantages? We hope our work can inspire more such investigations. Thank you for listening, and of course, comments are welcome.
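The MDS-based linear-layer construction from the last part of the talk, carried through as an added worked example (this is not code from the talk, the paper or its authors): a rate-1/4 PSPN with W = 4 chunks, each chunk a 4-bit S-box input identified with an element of GF(2^4), and the ρ−1 = 3 linear layers derived from the systematic generator matrix [I | A_1 | A_2 | A_3] of a [16, 4] Reed-Solomon code as T_b = A_{b−1}^{-1}·A_b. Two exhaustive checks then confirm both facts the talk states for ρ = 4: a 3-round trail with no active S-box exists (the dimension-counting observation), and every 4-round trail activates at least one S-box (the MDS argument). The field, the choice of Reed-Solomon as the MDS code, the position of the S-box chunk and all function names are assumptions of this example; note that Reed-Solomon over GF(2^4) offers at most 16 evaluation points, so ρW = 16 is the largest sparse parameter set this toy field supports, which is exactly the parameter limitation the talk mentions.

```python
# Added example: MDS-code-based linear layers for a rate-1/4 partial SPN over
# GF(2^4) (field, Reed-Solomon code, S-box position and names are assumptions).
from itertools import product

MOD, Q = 0x13, 16                       # GF(2^4) with modulus x^4 + x + 1

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= MOD
        b >>= 1
    return r

MUL = [[_gf_mul(a, b) for b in range(Q)] for a in range(Q)]                 # product table
INV = [0] + [next(b for b in range(1, Q) if MUL[a][b] == 1) for a in range(1, Q)]

def vec_mat(v, M):
    """Row vector times matrix over GF(2^4): v_out = v_in * M."""
    out = [0] * len(M[0])
    for i, vi in enumerate(v):
        if vi:
            mul_row, mat_row = MUL[vi], M[i]
            for j in range(len(out)):
                out[j] ^= mul_row[mat_row[j]]
    return out

def mat_mul(A, B):
    return [vec_mat(row, B) for row in A]

def mat_inv(M):
    """Gauss-Jordan inverse over GF(2^4); raises StopIteration if M is singular."""
    n = len(M)
    aug = [list(M[i]) + [int(i == j) for j in range(n)] for i in range(n)]
    for c in range(n):
        p = next(r for r in range(c, n) if aug[r][c])
        aug[c], aug[p] = aug[p], aug[c]
        aug[c] = [MUL[INV[aug[c][c]]][x] for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [x ^ MUL[f][y] for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def rs_generator(k, n):
    """[n, k] Reed-Solomon generator (an MDS code): row i is x^i at the points 0..n-1."""
    assert n <= Q, "Reed-Solomon needs at most one evaluation point per field element"
    G = [[1] * n]
    for i in range(1, k):
        G.append([MUL[G[i - 1][pt]][pt] for pt in range(n)])
    return G

def systematic(G):
    """Bring G to the form [I | A] by left-multiplying with the inverse of its first k columns."""
    k = len(G)
    return mat_mul(mat_inv([row[:k] for row in G]), G)

W, RHO = 4, 4                           # W chunks, rate 1/RHO -> W/RHO S-boxes per round
SBOX_CHUNKS = range(W // RHO)           # chunk 0 carries the single S-box (assumption)

def build_linear_layers(w=W, rho=RHO):
    """T_b = A_{b-1}^{-1} * A_b from the systematic generator [I | A_1 | ... | A_{rho-1}],
    so that with no active S-box the round-input differences (d_1..d_rho) equal d_1 * G."""
    G = systematic(rs_generator(w, rho * w))
    blocks = [[row[b * w:(b + 1) * w] for row in G] for b in range(rho)]   # blocks[0] == I
    layers, prev = [], blocks[0]
    for b in range(1, rho):
        layers.append(mat_mul(mat_inv(prev), blocks[b]))
        prev = blocks[b]
    return G, layers

def first_active_round(d1, layers):
    """Propagate d1 while every S-box is inactive (only the linear layers act); return the
    0-based index of the first round whose S-box chunk is nonzero, or None if none is."""
    d = list(d1)
    for r in range(len(layers) + 1):
        if any(d[c] for c in SBOX_CHUNKS):
            return r
        if r < len(layers):
            d = vec_mat(d, layers[r])
    return None

def min_distance(G):
    """Minimum weight of a nonzero codeword, by exhaustive enumeration of all messages."""
    k = len(G)
    return min(sum(1 for x in vec_mat(m, G) if x) for m in product(range(Q), repeat=k) if any(m))

def check_claims(layers):
    """(longest S-box-free run of rounds, True iff every nonzero input difference
    activates an S-box within rho rounds), over all 16^W - 1 input differences."""
    longest, all_hit = 0, True
    for d1 in product(range(Q), repeat=W):
        if any(d1):
            r = first_active_round(d1, layers)
            if r is None:
                all_hit, r = False, RHO
            longest = max(longest, r)
    return longest, all_hit

if __name__ == "__main__":
    G, layers = build_linear_layers()
    print(min_distance(G), RHO * W - W + 1)      # MDS: both equal rho*W - W + 1 = 13
    print(check_claims(layers))                   # (3, True): 3 free rounds, never 4
```

The `(3, True)` outcome is the talk's tightness statement in miniature: three S-box-free rounds are unavoidable for any choice of linear layers at rate 1/4, and the MDS-derived layers make a fourth one impossible. Swapping `rs_generator` for pseudorandom invertible matrices, as the talk says LowMC did, keeps the first value at 3 but gives no guarantee on the second.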