19. – 24. Januar 2020, Dagstuhl-Seminar 20041

Symmetric Cryptography


Nils Gregor Leander (Ruhr-Universität Bochum, DE)
Kaisa Nyberg (Aalto University, FI)
Kan Yasuda (NTT – Tokyo, JP)


Bart Mennink (Radboud University Nijmegen, NL)

Auskunft zu diesem Dagstuhl-Seminar erteilt

Dagstuhl Service Team


Dagstuhl Report, Volume 10, Issue 1 Dagstuhl Report
Gemeinsame Dokumente


IT Security plays a crucial role in everyday life and business. Virtually all modern security solutions are based on cryptographic primitives. Symmetric cryptography deals with the case that both the sender and the receiver of a message are using the same key and is highly relevant not only for academia, but also for industrial research and applications.

We identified the following areas as among the most important topics for future research.

Cryptography in the presence of strong constraints. This area deals with the development of symmetric cryptographic primitives and modes that must operate under strong constraints. The area, often indicated by the misleading term lightweight cryptography, has become a very active research field in recent years.

Proving relevant bounds for permutations and (tweakable) block ciphers. Security arguments for symmetric cryptographic primitives often rely on simplifying assumptions and unproven heuristics. Moreover, not only are they often limited by those simplifications, but more fundamentally by the resulting statements.

Development of modes for dedicated functionality or robustness. A cryptographic primitive, e.g., a cryptographic permutation or a (tweakable) block cipher, is of little use without being embedded in a suitable mode of operation. Traditional modes turn such a primitive into an (authenticated) encryption scheme, a message authentication code or a hash function. However, modes of operations could provide more advanced functionalities on the one hand and advanced security features on the other hand.

Quantum cryptanalysis. The threat that one would be able to build a sufficiently large quantum computer has a major impact on the security of many cryptographic schemes we are using today. In particular, the seminal work of Shor showed that such computers would allow to factor large integers and compute discrete logs over large groups in practical time. In the case of symmetric cryptography, the situation seems less critical - but is also significantly less studied. For almost 20 years, it was believed that the only advantage an attacker would have by using a quantum computer when attacking symmetric cryptography is due to Grover's algorithm for speeding up brute force search. Only recently researchers have started to investigate in more detail how the security of symmetric primitives would be affected by attackers equipped with quantum computers.

Seminar Program

The seminar program consisted of short presentations and group meetings. Presentations were about the above topics and other relevant areas of symmetric cryptography, including state-of-the-art cryptanalytic techniques and new designs. Below one can find the list of abstracts for talks given during the seminar. Also, participants met in smaller groups and spent a significant portion of the week, each group intensively discussing a specific research topic. There were eight research groups: 1) Design and analyze ciphers over prime fields, 2) Bounds on the degree of Feistel ciphers with round functions with low univariate degree, 3) Forkcipher, 4) Time-space tradeoffs, 5) Quantum cryptanalysis of hash functions, 6) NIST LWC, 7) Cryptanalysis of the Russian standards, and 8) Security of ProMACs. On the last day of the week the leaders of each group gave brief summaries of achievements. Some teams continued working on the topic after the seminar and started new research collaborations.

Summary text license
  Creative Commons BY 3.0 Unported license
  Nils Gregor Leander, Bart Mennink, Kaisa Nyberg, and Kan Yasuda

Dagstuhl-Seminar Series


  • Security / Cryptology


  • Symmetric cryptography
  • (quantum) cryptanalysis
  • Constrained platforms


In der Reihe Dagstuhl Reports werden alle Dagstuhl-Seminare und Dagstuhl-Perspektiven-Workshops dokumentiert. Die Organisatoren stellen zusammen mit dem Collector des Seminars einen Bericht zusammen, der die Beiträge der Autoren zusammenfasst und um eine Zusammenfassung ergänzt.


Download Übersichtsflyer (PDF).


Es besteht weiterhin die Möglichkeit, eine umfassende Kollektion begutachteter Arbeiten in der Reihe Dagstuhl Follow-Ups zu publizieren.

Dagstuhl's Impact

Bitte informieren Sie uns, wenn eine Veröffentlichung ausgehend von
Ihrem Seminar entsteht. Derartige Veröffentlichungen werden von uns in der Rubrik Dagstuhl's Impact separat aufgelistet  und im Erdgeschoss der Bibliothek präsentiert.