03. – 08. April 2022, Dagstuhl-Seminar 22141

Symmetric Cryptography


Nils Gregor Leander (Ruhr-Universität Bochum, DE)
Bart Mennink (Radboud University Nijmegen, NL)
Maria Naya-Plasencia (INRIA – Paris, FR)
Yu Sasaki (NTT – Tokyo, JP)

Auskunft zu diesem Dagstuhl-Seminar erteilt

Dagstuhl Service Team


Dagstuhl Report, Volume 12, Issue 4 Dagstuhl Report
Gemeinsame Dokumente
Programm des Dagstuhl-Seminars [pdf]


IT Security plays an increasingly crucial role in everyday life and business. Virtually all modern security solutions are based on cryptographic primitives. Symmetric cryptography deals with the case where both the sender and the receiver of a message use the same key. Due to their good performance, symmetric cryptosystems are highly relevant not only for academia, but also for industrial activities. We identified the following areas as some of the most important topics on symmetric cryptography at the moment.

Lessons Learnt from NIST Lightweight Cryptography Project. The US National Institute of Standards and Technology (NIST) acknowledged in 2013 the real-world importance of lightweight cryptography, and announced an initiative for standardization. It is expected that the new lightweight standard will not only be used in the US, but rather worldwide.

New Design Strategies. This area deals with the development of symmetric cryptographic primitives and modes that must operate for specific applications, such as STARKs, SNARKs, fully homomorphic encryption, and multi-party computation. These novel applications lead to a paradigm shift in design criteria that we are just starting to understand, both in terms of possible optimizations as well as security impacts.

Quantum-Safe Symmetric Cryptography. For symmetric cryptography, it is short-sighted to expect that cryptanalysis will not improve with the help of quantum computers in the future. It is of importance to understand both the possibility to quantize existing classical attacks, as well as the possibility to perform new types of cryptanalytic attacks using a quantum computer.

Understanding Security Implications from Ideal and Keyless Primitives. Permutation-based cryptography has gained astounding popularity in the last decade, and security proofs are performed in an ideal permutation model. Partly as a consequence of this, the concrete security analysis of the involved primitives has become more difficult. One challenge is to understand (i) to what extent distinguishers impact the security of cryptographic schemes and (ii) what non-random properties of permutations seem likely to be translated into an attack on the full scheme.

Seminar Program

The seminar program consisted of a few short presentations and in-depth group meetings. Presentations were about the above topics and other relevant areas of symmetric cryptography, including state-of-the-art cryptanalytic techniques and new designs. Below one can find the list of abstracts for talks given during the seminar. The research groups were on various topics in symmetric cryptography, all related to one of the above points in one way or another. On the last day of the seminar, the leaders of each group gave brief summaries of achievements. Some teams continued working on the topic after the seminar and started new research collaborations. Here are the summaries of the five groups:

  • Group 1 worked and discussed on various problems of provable security, roughly corresponding to one project per person. For three of the projects, the groups had preliminary discussions, and the next step will be to perform the remaining research and investigate the details offline. For two problems, namely improved unforgeability of certain MAC constructions and generic analysis of PRF’s and MAC’s on 2 public permutations, they advanced quite well and the details will be written down soon after the seminar.
  • Group 2 worked on several topics that they plan to continue after the seminar. One was to find good algorithms for detecting the optimal trees of some Boolean functions in the context of improved key-recovery attacks, and figuring out if we actually need trees, or if we could find or use better partitions that do not correspond to a tree and yet improve the complexity. They also worked on building two attacks on the HALFLOOP construction. They solved the problem of finding structures in linear layers and of decomposing them, and they applied this to Streebog. They also continued developing a new cryptanalysis family; differential meet-in-the-middle attacks. They figured out how to correctly combine it with bicliques, and started working on an application on the construction of SKINNY, which should be comparable if not better than the best known attacks.
  • Group 3 worked on several topics related to cryptanalysis, that they plan to continue after the seminar. The studied Tweakable Twine, a tweakable variant of Twine proposed in 2019. They looked at impossible differential distinguishers, but unfortunately they were not able to cover more rounds than in previous work. They also looked at the differential propagation of the cipher. They were able to find a distinguisher that would be established with a probability of 2^{-61}, and they rediscovered a 24-round zero correlation attack in Twine. They have also pointed out several observations on TinyJAMBU, including a method to break the P_b permutation (for 384 rounds) if one can observe collisions during the processing phase. They looked at a paper from 2016 on KATAN that searches for extended boomerang distinguishers. They are implementing the attacks to observe the impact of the middle-round dependencies experimentally. Finally, they looked at (free-start) collisions on Romulus-H and tried to find differential characteristics that are suitable to be used in two SKINNY invocations. One idea would be to use the dependencies to have a collision of a higher probability.
  • Group 4 has worked on integral distinguishers on big finite fields. After looking at different topics, this group focused in the following problem: can we find integral distinguishers from the knowledge of some properties of the univariate representation of a function F: 𝔽_2ⁿ → 𝔽_2ⁿ? In other words, they wanted to find some coefficients (λ₀, …, λ_{2ⁿ-1}) in 𝔽_2ⁿ such that ∀ x, ∑_{i = 0}^{2ⁿ-1} λ_i F(αⁱ X) = 0. In the particular case where all λ_i ∈ 𝔽_2ⁿ, this corresponds to finding sets of inputs such that the corresponding outputs sum to zero. They proved that ∑_{i = 0}^{2ⁿ-1} λ_i F(αⁱ X) does not contain any term of degree 𝓁 if and only if A_𝓁 = 0 or P(α^𝓁) = 0 where F(X) = ∑_{i = 0}^{2ⁿ-1} A_i Xⁱ = 0. Therefore, they aimed at finding polynomials P which vanish on all α^𝓁 when i varies in a given set, and which have the smallest possible number of terms. Indeed, the number of terms of P is the data complexity of the distinguisher. When the only information we have on F is that A_i = 0 for all i of weight ≥ d, then the polynomial P with binary coefficients and with the smallest weight corresponds to the usual distinguisher obtained with higher-order differentials, i.e., rot(P) = 2^d. However, if we have more information on A_i, then we can obtain distinguishers with lower data complexity than expected.
Summary text license
  Creative Commons BY 4.0
  Nils Gregor Leander, Bart Mennink, Maria Naya-Plasencia, and Yu Sasaki

Dagstuhl-Seminar Series


  • Cryptography And Security


  • Cryptography
  • Symmetric cryptography
  • Block ciphers
  • Hash functions
  • Stream cipers


In der Reihe Dagstuhl Reports werden alle Dagstuhl-Seminare und Dagstuhl-Perspektiven-Workshops dokumentiert. Die Organisatoren stellen zusammen mit dem Collector des Seminars einen Bericht zusammen, der die Beiträge der Autoren zusammenfasst und um eine Zusammenfassung ergänzt.


Download Übersichtsflyer (PDF).

Dagstuhl's Impact

Bitte informieren Sie uns, wenn eine Veröffentlichung ausgehend von Ihrem Seminar entsteht. Derartige Veröffentlichungen werden von uns in der Rubrik Dagstuhl's Impact separat aufgelistet  und im Erdgeschoss der Bibliothek präsentiert.


Es besteht weiterhin die Möglichkeit, eine umfassende Kollektion begutachteter Arbeiten in der Reihe Dagstuhl Follow-Ups zu publizieren.