IT Security plays a vital role in our society. For example, when multiple parties communicate via a mobile phone or chat, or during online shopping, security takes a decisive part in protecting the users, the service operators, and in maintaining public confidence in the system. Cryptography is an essential concept to be implemented in the underlying system. Modern cryptography can be divided into two distinct subareas, symmetric cryptography (where all parties share the same secret key) and asymmetric cryptography (where all parties are in possession of a public key and a private key). We plan to discuss in detail timely topics related to the design and analysis of symmetric cryptographic schemes with a focus on the following topics:

Arithmetization-oriented primitives. Solutions for more complex cryptographic applications such as multi-party computation, fully homomorphic encryption, or non-interactive zero-knowledge proof systems often use symmetric cryptographic primitives as an underlying building block. The main design criterion for symmetric primitives used in such protocols is optimized arithmetic complexity. In the recent years, several such primitives operating over prime fields or over large binary fields have been introduced. Their security is however not well understood and many of those designs have been broken. The main goal of this topic is to better understand the security of symmetric cryptographic primitives optimized for arithmetic complexity.

Tools for automated cryptanalysis of primitives. The security of symmetric cryptography is based on cryptanalysis: we only gain confidence in a symmetric cryptographic function through extensive and continuous scrutiny. One of the main challenges of the community is to unify the knowledge obtained through the years on the different families of attacks, to transform it with an algorithmic approach and to endow it with optimizations. The optimal result would be a toolbox congregating all the new optimized algorithms, which would allow to provide the best known attacks on a given construction through an easy application, as well as prove theoretical bounds to support meaningful security arguments. We want to continue this direction of automating and optimizing cryptanalytic attacks.

Design and analysis of modes of operation with new security features. Cryptographic schemes have historically been built on block ciphers and security proofs were performed based on falsifiable assumptions. This gives cryptanalysts a well-isolated and well-defined target.

In March 2024, the National Institute of Standards and Technology (NIST) announced their plan to develop a new block cipher mode that is a tweakable, variable-input-length, strong pseudorandom permutation (VIL-SPRP) with a reduction proof to the security of the underlying block cipher. Such a mode could potentially provide significant advantages over many of the existing modes. The activities by NIST send a clear sign that research on tweakable wide block encryption will be active. This Dagstuhl Seminar is a good opportunity to discuss wide block ciphers.

Intuitively, key-committing security captures the security of AEAD such that any ciphertext should be decrypted only with the key that is used to generate it; in other words, any ciphertext should not be decrypted with multiple keys. Context-committing security is a generalized notion, indicating that any ciphertext should not be decrypted with multiple decryption contexts. The attacker's goal is to find keys/contexts behaving in a badly controlled way, and thus it is not covered by the classical AEAD security notions. Committing security is expected to continue to be actively researched, and is a topic to be discussed in this Dagstuhl Seminar.

Creative Commons BY 4.0

Christof Beierle, Maria Eichlseder, Maria Naya-Plasencia, and Yu Sasaki