TOP
Search the Dagstuhl Website
Looking for information on the websites of the individual seminars? - Then please:
Not found what you are looking for? - Some of our services have separate websites, each with its own search option. Please check the following list:
Schloss Dagstuhl - LZI - Logo
Schloss Dagstuhl Services
Seminars
Within this website:
External resources:
  • DOOR (for registering your stay at Dagstuhl)
  • DOSA (for proposing future Dagstuhl Seminars or Dagstuhl Perspectives Workshops)
Publishing
Within this website:
External resources:
dblp
Within this website:
External resources:
  • the dblp Computer Science Bibliography


Dagstuhl Seminar 16021

Symmetric Cryptography

( Jan 10 – Jan 15, 2016 )

(Click in the middle of the image to enlarge)

Permalink
Please use the following short url to reference this page: https://www.dagstuhl.de/16021

Organizers

Contact



Schedule

Motivation

The aim of the seminar is to bring together leading experts and exceptionally talented junior researchers working in the field of Symmetric Cryptography. Most of the participants are expected to give presentations on their current research. The schedule will ensure ample time for discussions and ad hoc sessions without talks prepared in advance of the seminar. We plan to hold one or two “brainstorming” or “rump” sessions, to discuss unfinished ideas, to present very recent results (perhaps found during the course of the seminar), and to reflect the current state of symmetric cryptography in general. The seminar will concentrate on the design and analysis of symmetric cryptographic primitives. Special focus will be put on the following two topics.

Authenticated encryption
At the Dagstuhl Seminar “Symmetric Cryptography” in 2012, the research question of schemes for authenticated encryption has been vividly discussed among the participants. The direction has been strongly supported by the community, and the CAESAR project (Competition for Authenticated Encryption: Security, Applicability, and Robustness) has been initiated. At the Dagstuhl Seminar “Symmetric Cryptography” in 2014, which took place roughly two months before the CAESAR submission deadline, several initial ideas for the constructions were presented, and there were presentations regarding the security definitions. The Dagstuhl Seminar “Symmetric Cryptography” in 2016 will take place in the middle of the CAESAR competition; it will be two years from the submission deadline and about two years until the announcement of the final portfolio. Therefore, this will be the perfect point in time to sum up the research done so far, to exchange ideas and to discuss future directions.

Even-Mansour Designs
In 1992, Even and Mansour proposed a new design paradigm that can be seen as the abstraction of the framework adopted in the design of AES. The design framework is highly relevant in practice, and it has been adopted in a variety of recent hash functions, block ciphers, and in the underlying primitive of several CAESAR submissions. Despite its long history of practical use, the community has so far failed to develop a complete understanding of its security. For example, the original proposal was accompanied with a proof of security, dealing with the case of one iteration, it took more than 20 years until the general case of r iterations has been solved. However, these results only deal with the simple case of distinguishing attack on a single, unknown key setting. Its security in more advanced, yet practically relevant security models, such as the related-key setting or the non-ideal-permutation setting, is largely unexplored. This is a fruitful and challenging area of research for the next 3 to 5 years, that will lead to a fundamental understanding of iterated constructions and ultimately to more efficient and more secure ciphers.


Summary

One lesson learned from the Snowden leaks is that digital systems can never be fully trusted and hence the security awareness of citizens has increased substantially. Whenever digital data is communicated or stored, it is subject to various attacks. One of the few working countermeasures are the use of cryptography. As Edward Snowden puts it: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on."

Consequently it holds that although modern cryptography addresses a variety of security challenges, efficiently protecting the enormous amount of daily electronic communication represents a major challenge. Here, symmetric cryptography is especially highly relevant not only for academia, but also for industrial research and applications.

Although symmetric cryptography has made enormous progress in the last couple of decades, for several reasons regularly new insights and challenges are evolving. In the past, the AES competition was led by US NIST to standardize a next generation block cipher to replace DES. Similar competitions, such as the eSTREAM and the SHA-3 competition, resulted in new standard algorithms that meet public demands. The outcome of the projects are practically used in our daily lives, and the fundamental understanding of the cryptographic research community of these primitives has been increased significantly.

While this seminar concentrates in general on the design and analysis of symmetric cryptographic primitives, special focus has been put on the following two topics that we explain in more detail below:

  1. Authenticated encryption
  2. Even-Mansour designs

Authenticated Encryption. Today the central research question is the construction of schemes for authenticated encryption. This symmetric primitive efficiently integrates the protection of secrecy and integrity in a single construction. The first wave of solutions resulted in several widely used standards, including CCM and GCM standardized by NIST, and the EAX-prime standardized by ANSI. However, it turns out that these constructions are far from optimum in terms of performance, security, usability, and functionality. For instance a stream of data cannot be protected with CCM, as the length of the entire input has to be known in advance. The security of GCM heavily relies on the existence of data called a nonce, which is supposed to never be repeated. Indeed, the security of GCM is completely lost once the nonce is repeated. While it is easy to state such a mathematical assumption, experience shows that there are many practical cases where realizing this condition is very hard. For instance the nonce may repeat if a crypto device is reset with malice aforethought, or as a consequence of physical attacks on the device. Furthermore, weak keys were identified in GCM, and the security of EAX-prime is questionable.

Thus there is a strong demand for secure and efficient authenticating encryption scheme. As a consequence, the CAESAR project (Competition for Authenticated Encryption: Security, Applicability, and Robustness) has been initiated. The goal of the project is to identify a portfolio of authenticated encryption schemes that (1) offer advantages over GCM/CCM and (2) are suitable for widespread adoption. The deadline of the submission was March 15, 2014, and the project attracted a total of 56 algorithms from 136 designers from all over the world. There are plenty of innovative designs with attractive features, and the final portfolio is planned to be announced at the end of 2017.

This seminar took place in the middle of the CAESAR competition; it is two years from the submission deadline and we have about two years until the announcement of the final portfolio. Therefore, it was a perfect point in time to sum up the research done so far, to exchange ideas and to discuss future directions.

Even-Mansour Designs. Another strong trend in the current symmetric key cryptography is related to the so-called Even-Mansour designs. This design paradigm was proposed in 1991 and can be seen as the abstraction of the framework adopted in the design of AES. This general design framework iterates r times the xor of a key and a public permutation. The design framework is highly relevant in practice, and it has been adopted in a variety of recent hash functions, block ciphers, and even in the underlying primitive of several CAESAR submissions. Despite its long history of practical use, the community has so far failed to develop a complete understanding of its security. From a theoretical viewpoint, the original proposal was accompanied with a proof of security, dealing with the case of r=1 iteration.

Only 20 years after the initial proposal, in 2012, a bound was proven for the security of r=2 iterations. In 2014, the question was solved to cover the general case of r iterations. However, these results only deal with the simple case of distinguishing attack on a single, unknown key setting. Its security in more advanced, yet practically relevant security models, such as the related-key setting or the chosen/known-key setting, is largely unexplored.

Another problem here is that the theoretical analysis assumes that the permutation used therein is ideal and the keys are ideally random, which is not the case for practical constructions. This implies that the theoretical results do not directly translate into the practical constructions, and the security analysis has to be repeated for each constructions.

Summing up, Evan-Mansour designs represent a fruitful and challenging area of research, that hopefully will lead to a fundamental understanding of iterated constructions and ultimately to more efficient and more secure ciphers.

Copyright Frederik Armknecht, Tetsu Iwata, Kaisa Nyberg, and Bart Preneel

Participants
  • Elena Andreeva (KU Leuven, BE) [dblp]
  • Frederik Armknecht (Universität Mannheim, DE) [dblp]
  • Daniel J. Bernstein (University of Illinois - Chicago, US) [dblp]
  • Eli Biham (Technion - Haifa, IL) [dblp]
  • Alex Biryukov (University of Luxembourg, LU) [dblp]
  • Andrey Bogdanov (Technical University of Denmark - Lyngby, DK) [dblp]
  • Anne Canteaut (INRIA - Paris, FR) [dblp]
  • Benoît Cogliati (University of Versailles, FR) [dblp]
  • Joan Daemen (STMicroelectronics - Diegem, BE) [dblp]
  • Itai Dinur (Ben Gurion University - Beer Sheva, IL) [dblp]
  • Orr Dunkelman (University of Haifa, IL) [dblp]
  • Henri Gilbert (ANSSI - Paris, FR) [dblp]
  • Jian Guo (Nanyang TU - Singapore, SG) [dblp]
  • Matthias Hamann (Universität Mannheim, DE) [dblp]
  • Tetsu Iwata (Nagoya University, JP) [dblp]
  • Jérémy Jean (ANSSI - Paris, FR) [dblp]
  • Antoine Joux (UPMC - Paris, FR) [dblp]
  • Dmitry Khovratovich (University of Luxembourg, LU) [dblp]
  • Matthias Krause (Universität Mannheim, DE) [dblp]
  • Nils Gregor Leander (Ruhr-Universität Bochum, DE) [dblp]
  • Jooyoung Lee (Sejong University - Seoul, KR) [dblp]
  • Gaëtan Leurent (INRIA - Paris, FR) [dblp]
  • Stefan Lucks (Bauhaus-Universität Weimar, DE) [dblp]
  • Willi Meier (FH Nordwestschweiz - Windisch, CH) [dblp]
  • Bart Mennink (KU Leuven, BE) [dblp]
  • Kazuhiko Minematsu (NEC - Kawasaki, JP) [dblp]
  • Nicky Mouha (KU Leuven, BE) [dblp]
  • Chanathip Namprempre (Thammasat University - Patumtani, TH) [dblp]
  • Mridul Nandi (Indian Statistical Institute - Kolkata, IN) [dblp]
  • Ivica Nikolic (Nanyang TU - Singapore, SG) [dblp]
  • Kaisa Nyberg (Aalto University, FI) [dblp]
  • Jacques Patarin (University of Versailles, FR) [dblp]
  • Léo Perrin (University of Luxembourg, LU) [dblp]
  • Bart Preneel (KU Leuven, BE) [dblp]
  • Christian Rechberger (Technical University of Denmark - Lyngby, DK) [dblp]
  • Yu Sasaki (NTT Labs - Tokyo, JP) [dblp]
  • Ernst Schulte-Geers (BSI - Bonn, DE) [dblp]
  • Adi Shamir (Weizmann Institute - Rehovot, IL) [dblp]
  • John Steinberger (Tsinghua University - Beijing, CN) [dblp]
  • Marc Stevens (CWI - Amsterdam, NL) [dblp]
  • Tyge Tiessen (Technical University of Denmark - Lyngby, DK) [dblp]
  • Meiqin Wang (Shandong Univ. - Jinan, CN) [dblp]
  • Xiaoyun Wang (Tsinghua University - Beijing, CN) [dblp]
  • Kan Yasuda (NTT Labs - Tokyo, JP) [dblp]

Related Seminars
  • Dagstuhl Seminar 07021: Symmetric Cryptography (2007-01-07 - 2007-01-12) (Details)
  • Dagstuhl Seminar 09031: Symmetric Cryptography (2009-01-11 - 2009-01-16) (Details)
  • Dagstuhl Seminar 12031: Symmetric Cryptography (2012-01-15 - 2012-01-20) (Details)
  • Dagstuhl Seminar 14021: Symmetric Cryptography (2014-01-05 - 2014-01-10) (Details)
  • Dagstuhl Seminar 18021: Symmetric Cryptography (2018-01-07 - 2018-01-12) (Details)
  • Dagstuhl Seminar 20041: Symmetric Cryptography (2020-01-19 - 2020-01-24) (Details)
  • Dagstuhl Seminar 22141: Symmetric Cryptography (2022-04-03 - 2022-04-08) (Details)
  • Dagstuhl Seminar 24041: Symmetric Cryptography (2024-01-21 - 2024-01-26) (Details)

Classification
  • data structures / algorithms / complexity
  • security / cryptology

Keywords
  • Cryptanalysis
  • Lightweight Cryptography
  • Authenticity
  • Integrity
  • Confidentiality
  • Hash Functions
  • Block Ciphers
  • Stream Ciphers
  • Provable Security