##### Dagstuhl Seminar 22141

### Symmetric Cryptography

##### (3 April – 8 April 2022)

##### Organizers

- Nils Gregor Leander (Ruhr-Universität Bochum, DE)
- Bart Mennink (Radboud University Nijmegen, NL)
- Maria Naya-Plasencia (INRIA - Paris, FR)
- Yu Sasaki (NTT - Tokyo, JP)

##### Contact

- Andreas Dolzmann (for scientific questions)
- Susanne Bach-Bernhard (for administrative questions)

##### Program

IT Security plays an increasingly crucial role in everyday life and business. Virtually all modern security solutions are based on cryptographic primitives. Symmetric cryptography deals with the case where both the sender and the receiver of a message use the same key. Due to their good performance, symmetric cryptosystems are the main workhorses of cryptography and are highly relevant not only for academia, but also for industrial activities. For the Dagstuhl Seminar we plan to focus on several topics, which we believe to be of great importance for the research community and, likewise, to have a positive impact on industry and the deployment of secure crypto in the future.

**Lessons Learnt from the NIST Lightweight Cryptography Project**

The US National Institute of Standards and Technology (NIST) acknowledged in 2013 the real-world importance of lightweight cryptography, and announced an initiative for standardization. It is expected that the new lightweight standard will not only be used in the US, but rather worldwide. While the exact timeline of the competition is not known at the time of writing, discussing the outcomes in April 2022 seems a very natural and timely topic.

**New Design Strategies**

Recently, the design of symmetric key primitives has started to focus on different types of optimization. Examples include new ciphers designed for applications to STARKs, SNARKs, fully homomorphic encryption and multi-party computation. This causes a paradigm shift in design criteria that we are just starting to understand, both in terms of possible optimizations as well as security impacts. Exploring those is one of the topics we envision for the seminar.

**Quantum-Safe Symmetric Cryptography**

As years go by, quantum computers become more tangible. For symmetric cryptography, it is short-sighted to expect that cryptanalysis will not improve with the help of quantum. There are two challenges we want to target in the seminar. First, we want to find new quantum attacks, by either quantizing classical attacks, or by designing quantum cryptanalysis afresh. Second, we want to find generic and secure ways of extending the key or the state length; and design and implement efficient symmetric quantum-safe cryptographic functions.

**Understanding Security Implications from Ideal and Keyless Primitives**

Permutation-based cryptography has gained astounding popularity in the last decade, and security proofs are performed in an ideal security model, namely the ideal permutation model. Besides, and partly as a consequence of this, the concrete security analysis of the involved primitives becomes more difficult. In this seminar, we want to explore (i) to what extent distinguishers impact the security of cryptographic schemes and (ii) what non-random properties of permutations seem likely to be translated into an attack on the full scheme.

**Seminar Structure**

We plan to organize research groups before the commencement of the actual seminar in April 2022 to make the seminar itself more productive. We expect the colleagues who join the seminar to be fully committed to proposing topics for the research groups and to participating in them. We plan to have a first day of invited talks related to these selected research topics. We will also schedule short talks spread over small sessions to take the opportunity to catch up with what the other researchers are currently doing.

IT Security plays an increasingly crucial role in everyday life and business. Virtually all modern security solutions are based on cryptographic primitives. Symmetric cryptography deals with the case where both the sender and the receiver of a message use the same key. Due to their good performance, symmetric cryptosystems are highly relevant not only for academia, but also for industrial activities. We identified the following areas as some of the most important topics on symmetric cryptography at the moment.

**Lessons Learnt from NIST Lightweight Cryptography Project.** The US National Institute of Standards and Technology (NIST) acknowledged in 2013 the real-world importance of lightweight cryptography, and announced an initiative for standardization. It is expected that the new lightweight standard will not only be used in the US, but rather worldwide.

**New Design Strategies.** This area deals with the development of symmetric cryptographic primitives and modes that must operate for specific applications, such as STARKs, SNARKs, fully homomorphic encryption, and multi-party computation. These novel applications lead to a paradigm shift in design criteria that we are just starting to understand, both in terms of possible optimizations as well as security impacts.

**Quantum-Safe Symmetric Cryptography.** For symmetric cryptography, it is short-sighted to expect that cryptanalysis will not improve with the help of quantum computers in the future. It is of importance to understand both the possibility to quantize existing classical attacks, as well as the possibility to perform new types of cryptanalytic attacks using a quantum computer.

**Understanding Security Implications from Ideal and Keyless Primitives.** Permutation-based cryptography has gained astounding popularity in the last decade, and security proofs are performed in an ideal permutation model. Partly as a consequence of this, the concrete security analysis of the involved primitives has become more difficult. One challenge is to understand (i) to what extent distinguishers impact the security of cryptographic schemes and (ii) what non-random properties of permutations seem likely to be translated into an attack on the full scheme.

### Seminar Program

The seminar program consisted of a few short presentations and in-depth group meetings. Presentations were about the above topics and other relevant areas of symmetric cryptography, including state-of-the-art cryptanalytic techniques and new designs. Below one can find the list of abstracts for the talks given during the seminar. The research groups worked on various topics in symmetric cryptography, all related to one of the above points in one way or another. On the last day of the seminar, the leaders of each group gave brief summaries of their achievements. Some teams continued working on their topic after the seminar and started new research collaborations. Here are the summaries of the five groups:

- Group 1 worked on and discussed various problems of provable security, roughly corresponding to one project per person. For three of the projects, the group had preliminary discussions, and the next step will be to perform the remaining research and investigate the details offline. For two problems, namely improved unforgeability of certain MAC constructions and generic analysis of PRFs and MACs based on two public permutations, they advanced quite well, and the details will be written down soon after the seminar.
- Group 2 worked on several topics that they plan to continue after the seminar. One was to find good algorithms for detecting the optimal trees of some Boolean functions in the context of improved key-recovery attacks, and to figure out whether trees are actually needed, or whether better partitions that do not correspond to a tree could be found or used and still improve the complexity. They also worked on building two attacks on the HALFLOOP construction. They solved the problem of finding structures in linear layers and of decomposing them, and they applied this to Streebog. They also continued developing a new family of cryptanalysis, differential meet-in-the-middle attacks. They figured out how to correctly combine it with bicliques, and started working on an application to SKINNY, which should be comparable to, if not better than, the best known attacks.
- Group 3 worked on several topics related to cryptanalysis that they plan to continue after the seminar. They studied Tweakable Twine, a tweakable variant of Twine proposed in 2019. They looked at impossible differential distinguishers, but unfortunately they were not able to cover more rounds than previous work. They also looked at the differential propagation of the cipher. They were able to find a distinguisher that holds with probability 2^{-61}, and they rediscovered a 24-round zero-correlation attack on Twine. They also made several observations on TinyJAMBU, including a method to break the P_b permutation (for 384 rounds) if one can observe collisions during the processing phase. They looked at a paper from 2016 on KATAN that searches for extended boomerang distinguishers, and they are implementing the attacks to observe the impact of the middle-round dependencies experimentally. Finally, they looked at (free-start) collisions on Romulus-H and tried to find differential characteristics that are suitable for use in two SKINNY invocations. One idea would be to use the dependencies to obtain a collision with higher probability.
- Group 4 worked on integral distinguishers over large finite fields. After looking at different topics, this group focused on the following problem: can we find integral distinguishers from the knowledge of some properties of the univariate representation of a function F: 𝔽_2ⁿ → 𝔽_2ⁿ? In other words, they wanted to find coefficients (λ₀, …, λ_{2ⁿ-1}) in 𝔽_2ⁿ such that ∀ X, ∑_{i = 0}^{2ⁿ-1} λ_i F(αⁱ X) = 0. In the particular case where all λ_i ∈ 𝔽_2, this corresponds to finding sets of inputs such that the corresponding outputs sum to zero. They proved that ∑_{i = 0}^{2ⁿ-1} λ_i F(αⁱ X) does not contain any term of degree 𝓁 if and only if A_𝓁 = 0 or P(α^𝓁) = 0, where F(X) = ∑_{i = 0}^{2ⁿ-1} A_i Xⁱ and P(Y) = ∑_{i = 0}^{2ⁿ-1} λ_i Yⁱ. Therefore, they aimed at finding polynomials P which vanish on all α^𝓁 when 𝓁 varies in a given set, and which have the smallest possible number of terms. Indeed, the number of terms of P is the data complexity of the distinguisher. When the only information we have on F is that A_i = 0 for all i of weight ≥ d, then the polynomial P with binary coefficients and with the smallest weight corresponds to the usual distinguisher obtained with higher-order differentials, i.e., wt(P) = 2^d. However, if we have more information on the A_i, then we can obtain distinguishers with lower data complexity than expected.
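The Group 4 criterion above, checked against a brute-force evaluation over GF(2⁴), as an added example that is not part of the seminar report: the field modulus x⁴ + x + 1, the functions DEG2 and DEG3 and all index sets are constructed here. It also searches for the lightest binary λ; for DEG2, whose only nonzero A_𝓁 sit at four weight-2 exponents, a set of just 4 inputs suffices, below the 2^d = 8 of the generic higher-order differential, which is the "more information on the A_i" effect the summary describes.

```python
from itertools import combinations
from functools import reduce
from operator import xor

N, MOD = 4, 0b10011      # GF(2^4) via x^4 + x + 1 (primitive), so alpha = x = 2
ORDER = 2**N - 1         # multiplicative order of alpha
xsum = lambda it: reduce(xor, it, 0)   # summation in characteristic 2

def gf_mul(a, b):        # carry-less multiply, reduced modulo MOD
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> N:
            a ^= MOD
    return r

EXP = [1]                # EXP[k] = alpha^k for k in 0..ORDER-1
for _ in range(ORDER - 1):
    EXP.append(gf_mul(EXP[-1], 2))
LOG = {v: k for k, v in enumerate(EXP)}

def eval_f(coeffs, x):   # F(x) for F(X) = sum_l coeffs[l] * X^l (with X^0 = 1)
    if x == 0:
        return coeffs.get(0, 0)
    return xsum(gf_mul(a, EXP[(LOG[x] * l) % ORDER]) for l, a in coeffs.items())

def criterion(coeffs, lam):     # P(alpha^l) == 0 for every l with A_l != 0, where
    # P(Y) = sum_i lam[i] * Y^i; lam maps exponent i -> lambda_i (a field element)
    return all(xsum(gf_mul(li, EXP[(i * l) % ORDER]) for i, li in lam.items()) == 0
               for l, a in coeffs.items() if a)

def brute_force(coeffs, lam):   # directly: sum_i lambda_i F(alpha^i X) == 0 for all X?
    return all(xsum(gf_mul(li, eval_f(coeffs, gf_mul(EXP[i], x)))
                    for i, li in lam.items()) == 0 for x in range(2**N))

def min_weight_binary(coeffs):  # lightest set of exponents i with lambda_i = 1 that
    for w in range(1, ORDER + 1):   # passes the criterion; its size is the data
        for sub in combinations(range(ORDER), w):   # complexity of the distinguisher
            if criterion(coeffs, dict.fromkeys(sub, 1)):
                return set(sub)

# Constructed F of algebraic degree 2: every exponent has Hamming weight 2, A_0 = 0.
DEG2 = {3: 1, 5: 7, 6: 9, 9: 1}
DEG3 = {**DEG2, 7: 1}            # adding a weight-3 exponent raises the degree to 3
# Nonzero elements of span(1, alpha, alpha^2), written as exponents of alpha: the
# classical third-order differential input set (0 itself is not a power of alpha).
SUBSPACE3 = dict.fromkeys((0, 1, 2, 4, 5, 8, 10), 1)
```

For DEG3 the subspace sum is nonzero because P(α⁷) ≠ 0, and both functions report the same verdict on every λ, which is exactly the equivalence the group proved.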

##### Participants

- Subhadeep Banik (University of Lugano, CH)
- Christof Beierle (Ruhr-Universität Bochum, DE)
- Ritam Bhaumik (INRIA - Paris, FR)
- Xavier Bonnetain (LORIA & INRIA Nancy, FR)
- Christina Boura (University of Versailles, FR)
- Clémence Bouvier (INRIA - Paris, FR)
- Anne Canteaut (INRIA - Paris, FR)
- Patrick Derbez (University of Rennes, FR)
- Orr Dunkelman (University of Haifa, IL)
- Maria Eichlseder (TU Graz, AT)
- Patrick Felke (FH Emden, DE)
- Antonio Florez-Gutierrez (INRIA - Paris, FR)
- Margot Funk (University of Versailles, FR)
- Aldo Gunsing (Radboud University Nijmegen, NL)
- Ashwin Jha (CISPA - Saarbrücken, DE)
- Pierre Karpman (Université Grenoble Alpes - Saint Martin d'Hères, FR)
- Daniël Kuijsters (Radboud University Nijmegen, NL)
- Virginie Lallemand (LORIA - Nancy, FR)
- Eran Lambooij (University of Haifa, IL)
- Nils Gregor Leander (Ruhr-Universität Bochum, DE)
- Bart Mennink (Radboud University Nijmegen, NL)
- Nicky Mouha (NIST - Gaithersburg, US)
- Maria Naya-Plasencia (INRIA - Paris, FR)
- Patrick Neumann (Ruhr-Universität Bochum, DE)
- Clara Pernot (INRIA - Paris, FR)
- Léo Perrin (INRIA - Paris, FR)
- Shahram Rasoolzadeh (Radboud University Nijmegen, NL)
- Christian Rechberger (TU Graz, AT)
- Yann Rotella (University of Versailles, FR)
- Sondre Rønjom (University of Bergen, NO)
- Yu Sasaki (NTT - Tokyo, JP)
- Markus Schofnegger (TU Graz, AT)
- André Schrottenloher (CWI - Amsterdam, NL)
- Yaobin Shen (University of Louvain, BE)
- Tyge Tiessen (Technical University of Denmark - Lyngby, DK)
- Aleksei Udovenko (University of Luxembourg, LU)

##### Related Seminars

- Dagstuhl Seminar 07021: Symmetric Cryptography (2007-01-07 – 2007-01-12)
- Dagstuhl Seminar 09031: Symmetric Cryptography (2009-01-11 – 2009-01-16)
- Dagstuhl Seminar 12031: Symmetric Cryptography (2012-01-15 – 2012-01-20)
- Dagstuhl Seminar 14021: Symmetric Cryptography (2014-01-05 – 2014-01-10)
- Dagstuhl Seminar 16021: Symmetric Cryptography (2016-01-10 – 2016-01-15)
- Dagstuhl Seminar 18021: Symmetric Cryptography (2018-01-07 – 2018-01-12)
- Dagstuhl Seminar 20041: Symmetric Cryptography (2020-01-19 – 2020-01-24)
- Dagstuhl Seminar 24041: Symmetric Cryptography (2024-01-21 – 2024-01-26)

##### Classification

- Cryptography and Security

##### Keywords

- cryptography
- symmetric cryptography
- block ciphers
- hash functions
- stream ciphers