Dagstuhl-Seminar 20041
Symmetric Cryptography
(Jan 19 – Jan 24, 2020)
Organizers
- Nils Gregor Leander (Ruhr-Universität Bochum, DE)
- Kaisa Nyberg (Aalto University, FI)
- Kan Yasuda (NTT - Tokyo, JP)
Coordinator
- Bart Mennink (Radboud University Nijmegen, NL)
Contact
- Shida Kunz (for scientific matters)
IT security plays a crucial role in everyday life and business. Virtually all modern security solutions are based on cryptographic primitives. Symmetric cryptography deals with the setting in which the sender and the receiver of a message use the same key, and it is highly relevant not only for academia but also for industrial research and applications.
We identified the following areas as among the most important topics for future research. At the upcoming Dagstuhl Seminar these topics will be intensively discussed. Besides short talks on the state-of-the-art, there will be plenty of time for discussions and for starting new research collaborations.
Cryptography in the presence of strong constraints: This area deals with the development of symmetric cryptographic primitives and modes that must operate under strong constraints. The area, in the past often indicated by the misleading term lightweight cryptography, has become a very active research field in recent years. To give concrete examples of reasonable constraints, we mention the following (non-exhaustive) selection:
- energy per bit encrypted/authenticated: important in battery-powered devices and in the protection of massive data streams
- power consumption: important in RFID tags or any other application where power is harvested, e.g., by means of solar cells
- latency: important in legacy architectures for bus and memory encryption
Besides the cryptographic security, we also consider side-channel attacks a major issue, since in the above-mentioned application areas in particular the cryptography is executed in a potentially adversarial environment.
Proving relevant bounds for permutations and (tweakable) block ciphers: Security arguments for symmetric cryptographic primitives often rely on simplifying assumptions and unproven heuristics. Moreover, not only are they often limited by those simplifications, but more fundamentally by the resulting statements.
As an example, to argue why differential and linear attacks do not apply to a given cipher, we would like to show that no high-probability differential and no highly biased linear approximation exist that hold for an overwhelming fraction of keys, if not all. However, for most constructions this has so far only been achieved for a very small number of rounds, and we are instead limited to bounding the probability of differential and linear trails averaged over independent round keys. We note that achieving better and more meaningful bounds is not only of interest from a theoretical point of view. Better bounds allow better tuning of the number of rounds and might thus finally lead to more efficient ciphers.
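To make the three notions in this paragraph concrete, here is an added Python example (written for this page, not code from the seminar or its participants). It builds a constructed toy cipher: a 2-round, 8-bit key-alternating SPN using the published 4-bit S-box of PRESENT together with a constructed bit permutation. For one differential it computes the probability of the best single trail, the expected differential probability (EDP) obtained by summing over all trails, which for independent round keys equals the key-averaged probability exactly, and the fixed-key probability for every middle round key. The gap between what a trail bound certifies, what the key average promises, and what individual keys actually exhibit can then be read off directly.

```python
# Added example (not part of the seminar page): a constructed 2-round key-alternating
# SPN used to compare three notions of differential probability:
#   * probability of a single trail (fixed intermediate difference),
#   * expected differential probability (EDP), averaged over independent round keys,
#   * fixed-key differential probability, which is what an attack on one key faces.
from fractions import Fraction
from functools import lru_cache

# 4-bit S-box of the PRESENT block cipher, used here only as a toy component.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Constructed 8-bit wire permutation: input bit i is moved to position PERM[i].
PERM = [0, 2, 4, 6, 1, 3, 5, 7]
INV_PERM = [PERM.index(i) for i in range(8)]
BLOCK = 256  # number of 8-bit block values

def permute(x, table=PERM):
    return sum(((x >> i) & 1) << table[i] for i in range(8))

def sbox_layer(x):
    return (SBOX[x >> 4] << 4) | SBOX[x & 0xF]

def round_fn(x):
    """One unkeyed round: S-box layer followed by the bit permutation."""
    return permute(sbox_layer(x))

def encrypt(x, k0, k1, k2):
    """Two key-alternating rounds with independent 8-bit round keys k0, k1, k2."""
    return round_fn(round_fn(x ^ k0) ^ k1) ^ k2

# Difference distribution table: DDT[din][dout] = #{x : S(x) ^ S(x ^ din) = dout}.
DDT = [[sum(1 for x in range(16) if SBOX[x] ^ SBOX[x ^ din] == dout)
        for dout in range(16)] for din in range(16)]

@lru_cache(maxsize=None)
def round_dp(c, d):
    """Exact probability over x that one round maps input difference c to output
    difference d. The two nibbles are independent, so it is a product of DDT entries."""
    e = permute(d, INV_PERM)  # undo the wire permutation on the output difference
    return Fraction(DDT[c >> 4][e >> 4] * DDT[c & 0xF][e & 0xF], BLOCK)

def trail_probabilities(a, b):
    """Every 2-round trail a -> c -> b, keyed by its intermediate difference c."""
    return {c: round_dp(a, c) * round_dp(c, b) for c in range(BLOCK)
            if round_dp(a, c) and round_dp(c, b)}

def expected_dp(a, b):
    """EDP: the sum over all trails; for independent round keys this is exactly
    the differential probability averaged over the keys."""
    return sum(trail_probabilities(a, b).values(), Fraction(0))

def best_trail_probability(a, b):
    """What a bound on the single best trail certifies."""
    return max(trail_probabilities(a, b).values(), default=Fraction(0))

def fixed_key_dp(a, b, k1):
    """DP for one concrete key. k0 only relabels the inputs and k2 cancels in the
    output difference, so only the middle key k1 matters; the others are set to 0."""
    hits = sum(1 for x in range(BLOCK)
               if encrypt(x, 0, k1, 0) ^ encrypt(x ^ a, 0, k1, 0) == b)
    return Fraction(hits, BLOCK)

def best_output_difference(a):
    """Output difference with the largest EDP for input difference a."""
    return max(range(BLOCK), key=lambda b: expected_dp(a, b))

def compare(a, b):
    """Collects the three notions for the differential (a -> b) as exact fractions."""
    per_key = [fixed_key_dp(a, b, k1) for k1 in range(BLOCK)]
    edp = expected_dp(a, b)
    return {
        "best_trail": best_trail_probability(a, b),
        "edp": edp,
        "key_average": sum(per_key, Fraction(0)) / BLOCK,
        "min_key": min(per_key),
        "max_key": max(per_key),
        "keys_off_average": sum(1 for p in per_key if p != edp),
    }

if __name__ == "__main__":
    a = 0x01
    b = best_output_difference(a)
    print(f"differential 0x{a:02x} -> 0x{b:02x}")
    for name, value in compare(a, b).items():
        print(f"{name:>17}: {value}")
```

The key-average and EDP agree exactly because the toy cipher is a Markov cipher with independent round keys, which is the averaging assumption the paragraph refers to; the per-key minimum and maximum show how far a concrete key can sit from that average, and the best-trail value shows how much a single-trail bound can underestimate the full differential.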
Development of modes for dedicated functionality or robustness: A cryptographic primitive, e.g., a cryptographic permutation or a (tweakable) block cipher, is of little use without being embedded in a suitable mode of operation. Traditional modes turn such a primitive into an (authenticated) encryption scheme, a message authentication code or a hash function. However, modes of operation could provide more advanced functionalities on the one hand and advanced security features on the other. Important examples include modes based on permutations, block ciphers or tweakable block ciphers that realize the following (not necessarily all at the same time): (i) robustness against improper usage or implementation weaknesses, (ii) joint modes of hashing and authenticated encryption using the same primitive, and (iii) secure channels.
Quantum cryptanalysis: The threat that a sufficiently large quantum computer could be built has a major impact on the security of many cryptographic schemes in use today. In particular, the seminal work of Shor showed that such computers would make it possible to factor large integers and compute discrete logarithms over large groups in practical time. In the case of symmetric cryptography, the situation seems less critical, but it is also significantly less studied. For almost 20 years, it was believed that the only advantage an attacker would gain from a quantum computer when attacking symmetric cryptography is due to Grover's algorithm for speeding up brute-force search. Indeed, Grover's algorithm reduces the effective key length of any cryptographic scheme, and thus in particular of any block cipher, by a factor of two. Only recently have researchers started to investigate in more detail how the security of symmetric primitives would be affected by attackers equipped with quantum computers. A great challenge is to gain a fundamentally improved understanding of the security of common block ciphers (such as AES) and hash functions (such as SHA-3) against quantum adversaries.
We identified the following areas as among the most important topics for future research.
Cryptography in the presence of strong constraints. This area deals with the development of symmetric cryptographic primitives and modes that must operate under strong constraints. The area, often indicated by the misleading term lightweight cryptography, has become a very active research field in recent years.
Proving relevant bounds for permutations and (tweakable) block ciphers. Security arguments for symmetric cryptographic primitives often rely on simplifying assumptions and unproven heuristics. Moreover, not only are they often limited by those simplifications, but more fundamentally by the resulting statements.
Development of modes for dedicated functionality or robustness. A cryptographic primitive, e.g., a cryptographic permutation or a (tweakable) block cipher, is of little use without being embedded in a suitable mode of operation. Traditional modes turn such a primitive into an (authenticated) encryption scheme, a message authentication code or a hash function. However, modes of operation could provide more advanced functionalities on the one hand and advanced security features on the other.
Quantum cryptanalysis. The threat that a sufficiently large quantum computer could be built has a major impact on the security of many cryptographic schemes in use today. In particular, the seminal work of Shor showed that such computers would make it possible to factor large integers and compute discrete logarithms over large groups in practical time. In the case of symmetric cryptography, the situation seems less critical, but it is also significantly less studied. For almost 20 years, it was believed that the only advantage an attacker would gain from a quantum computer when attacking symmetric cryptography is due to Grover's algorithm for speeding up brute-force search. Only recently have researchers started to investigate in more detail how the security of symmetric primitives would be affected by attackers equipped with quantum computers.
Seminar Program
The seminar program consisted of short presentations and group meetings. The presentations covered the above topics and other relevant areas of symmetric cryptography, including state-of-the-art cryptanalytic techniques and new designs. Below one can find the list of abstracts for talks given during the seminar. In addition, participants met in smaller groups and spent a significant portion of the week intensively discussing a specific research topic per group. There were eight research groups: 1) Design and analysis of ciphers over prime fields, 2) Bounds on the degree of Feistel ciphers with round functions of low univariate degree, 3) Forkcipher, 4) Time-space tradeoffs, 5) Quantum cryptanalysis of hash functions, 6) NIST LWC, 7) Cryptanalysis of the Russian standards, and 8) Security of ProMACs. On the last day of the week, the leaders of each group gave brief summaries of their achievements. Some teams continued working on their topic after the seminar and started new research collaborations.
Participants
- Elena Andreeva (Technical University of Denmark - Lyngby, DK)
- Frederik Armknecht (Universität Mannheim, DE)
- Christof Beierle (Ruhr-Universität Bochum, DE)
- Daniel J. Bernstein (University of Illinois - Chicago, US)
- Eli Biham (Technion - Haifa, IL)
- Christina Boura (University of Versailles, FR)
- Anne Canteaut (INRIA - Paris, FR)
- Joo Yeon Cho (ADVA Optical Networking - Martinsried, DE)
- Itai Dinur (Ben Gurion University - Beer Sheva, IL)
- Christoph Dobraunig (Radboud University Nijmegen, NL)
- Orr Dunkelman (University of Haifa, IL)
- Maria Eichlseder (TU Graz, AT)
- Patrick Felke (FH Emden, DE)
- Henri Gilbert (ANSSI - Paris, FR)
- Lorenzo Grassi (TU Graz, AT)
- Tetsu Iwata (Nagoya University, JP)
- Pierre Karpman (Université Grenoble Alpes - Saint Martin d'Hères, FR)
- Dmitry Khovratovich (Ethereum - Luxembourg, LU)
- Virginie Lallemand (LORIA - Nancy, FR)
- Tanja Lange (TU Eindhoven, NL)
- Nils Gregor Leander (Ruhr-Universität Bochum, DE)
- Gaëtan Leurent (INRIA - Paris, FR)
- Stefan Lucks (Bauhaus-Universität Weimar, DE)
- Atul Luykx (Swirlds - San Francisco, US)
- Willi Meier (FH Nordwestschweiz - Windisch, CH)
- Florian Mendel (Infineon Technologies AG - Neubiberg, DE)
- Bart Mennink (Radboud University Nijmegen, NL)
- Kazuhiko Minematsu (NEC - Kawasaki, JP)
- Maria Naya-Plasencia (INRIA - Paris, FR)
- Kaisa Nyberg (Aalto University, FI)
- Léo Perrin (INRIA - Paris, FR)
- Bart Preneel (KU Leuven, BE)
- Yann Rotella (University of Versailles, FR)
- Arnab Roy (University of Bristol, GB)
- Yu Sasaki (NTT - Tokyo, JP)
- Ling Song (Chinese Academy of Sciences - Beijing, CN)
- Meltem Sonmez Turan (NIST - Gaithersburg, US)
- Marc Stevens (CWI - Amsterdam, NL)
- Stefano Tessaro (University of Washington - Seattle, US)
- Emmanuel Thomé (INRIA Nancy - Grand Est, FR)
- Yosuke Todo (NTT - Tokyo, JP)
- Aleksei Udovenko (CryptoExperts - Paris, FR)
- Damian Vizár (CSEM - Neuchatel, CH)
- Kan Yasuda (NTT - Tokyo, JP)
Related Seminars
- Dagstuhl-Seminar 07021: Symmetric Cryptography (2007-01-07 - 2007-01-12)
- Dagstuhl-Seminar 09031: Symmetric Cryptography (2009-01-11 - 2009-01-16)
- Dagstuhl-Seminar 12031: Symmetric Cryptography (2012-01-15 - 2012-01-20)
- Dagstuhl-Seminar 14021: Symmetric Cryptography (2014-01-05 - 2014-01-10)
- Dagstuhl-Seminar 16021: Symmetric Cryptography (2016-01-10 - 2016-01-15)
- Dagstuhl-Seminar 18021: Symmetric Cryptography (2018-01-07 - 2018-01-12)
- Dagstuhl-Seminar 22141: Symmetric Cryptography (2022-04-03 - 2022-04-08)
- Dagstuhl-Seminar 24041: Symmetric Cryptography (2024-01-21 - 2024-01-26)
- Dagstuhl-Seminar 26061: Symmetric Cryptography (2026-02-01 - 2026-02-06)
Classification
- security / cryptology
Keywords
- Symmetric cryptography
- (quantum) cryptanalysis
- constrained platforms