TOP
Search the Dagstuhl Website
Looking for information on the websites of the individual seminars? - Then please:
Not found what you are looking for? - Some of our services have separate websites, each with its own search option. Please check the following list:
Schloss Dagstuhl - LZI - Logo
Schloss Dagstuhl Services
Seminars
Within this website:
External resources:
  • DOOR (for registering your stay at Dagstuhl)
  • DOSA (for proposing future Dagstuhl Seminars or Dagstuhl Perspectives Workshops)
Publishing
Within this website:
External resources:
dblp
Within this website:
External resources:
  • the dblp Computer Science Bibliography


Dagstuhl Seminar 18021

Symmetric Cryptography

( Jan 07 – Jan 12, 2018 )

(Click in the middle of the image to enlarge)

Permalink
Please use the following short url to reference this page: https://www.dagstuhl.de/18021

Organizers
  • Joan Daemen (Radboud University Nijmegen, NL & STMicroelectronics - Diegem, BE)
  • Tetsu Iwata (Nagoya University, JP)
  • Nils Gregor Leander (Ruhr-Universität Bochum, DE)
  • Kaisa Nyberg (Aalto University, FI)

Contact


Impacts

Schedule

Motivation

Cryptography is the science of designing and analyzing techniques for secure communication. Modern cryptography can be divided into several areas of study, with symmetric cryptography being one of the most important. In particular, as asymmetric primitives are typically orders of magnitude less efficient than symmetric cryptographic schemes, symmetric cryptosystems remain the main workhorses of cryptography and highly relevant not only for academia, but also for industrial research and applications. IT Security plays an increasingly crucial role in everyday life and business. Especially after the disclosure of the NSA world-spanning spying activities and in the context of the Internet of Things, IT Security and privacy protection is a vital topic of the 21st century. Virtually all modern security solutions are based on cryptographic primitives. In the seminar, we plan to discuss in detail the design and analysis of symmetric cryptographic primitives while focusing on the three topics below. This event is going to be the sixth in the series of the Dagstuhl seminars "SymmetricCryptography" held in 2007, 2009, 2012, 2014, and 2016.

Cryptography for the IoT Motivated by the upcoming IoT, one of the strong research trends in symmetric cryptography is lightweight cryptography. Those efforts resulted in a wide variety of block cipher designs suitable for IoT appliations. However, a block cipher is clearly not the solution to all cryptographic purposes. Research on other primitives and modes has just started and many primitives and modes of operations suitable for lightweight crypto remain to be explored.

Statistical Attacks Statistical attacks have been deployed widely and providing strong resistance against them has resulted in several important design criteria for contemporary symmetric primitives. One main issue that has become apparent only recently is the accuracy of the underlying statistical models that researchers are using. Typically, those models are presented under some simplifying assumptions, whose validity remains an open question. It is an important challenge to settle these unsatisfactory simplifications. This becomes even more important when the attacks are hard or impossible to verify experimentally due to the large computational costs involved. Moreover, to allow comparison between different attacks the researchers must agree on common attack models and parameters that measure the performance of the attack.

Symmetric cryptography in the era of mass surveillance The Snowden leaks have painfully illustrated that citizen privacy and anonymity is next to non-existent nowadays. Secret services and IT corporations massively spy on people's communication and data storage for motives such as profit and surveillance. They don't seem to be hindered significantly in this at all by the pervasive deployment of cryptography (TLS, GSM, WPA, etc.). At the Dagstuhl Seminar we will have a discussion session on how the symmetric crypto community can contribute to improve the situation. We expect an open discussion and it is likely new themes will be proposed. As a start, we are going to discuss the following items.

  • Education of the general public: it is impossible to have protection without awareness.
  • Education of the protocol designers and programmers: there are many new standards being drafted for the moment and many repeat the same mistakes over and over again. Often the cryptographic knowledge of people in the standardization committees is very limited.
  • Rewarding implementations: writing of optimized code (for software but also hardware, like VHDL) that additionally provides resistance against side-channel and/or fault attacks is a highly sophisticated task requires much insight and effort. However, in the current academic climate, such efforts are not sufficiently rewarded and we think it would be good to change this.
Copyright Joan Daemen, Tetsu Iwata, Nils Gregor Leander, and Kaisa Nyberg

Summary

IT Security plays an increasingly vital role in everyday life and business. When talking on a mobile phone, when withdrawing money from an ATM or when buying goods over the internet, security plays a crucial role in both protecting the user and in maintaining public confidence in the system. Especially after the disclosure of the NSA's world-spanning spying activities and in the context of the Internet of Things, IT Security and privacy protection is a vital topic of the 21st century. In the Internet of Things (IoT) era, everything will be connected. Intel estimates that 200 billion objects will be connected by 2020. The objects include for instance smart devices for healthcare, industrial control systems, automotive, and smart homes. Virtually all modern security solutions rely on cryptography.

Symmetric cryptography deals with the case that both the sender and the receiver of a message are using the same key. This differentiates symmetric cryptography from its asymmetric counterpart, where senders or verifiers use a "public key" and receivers or signers use a corresponding but different "private key". As asymmetric primitives are typically orders of magnitude less efficient than symmetric cryptographic schemes, symmetric cryptosystems remain the main workhorses of cryptography and highly relevant not only for academia, but also for industrial research and applications. While great progress has been made in designing and analyzing ciphers, fundamental aspects of these ciphers are still not fully understood. Moreover, as we have learned from the Snowden revelations, cryptography in general and symmetric cryptography in particular faces new fascinating challenges.

Current Topics and Challenges

We identified the following three areas as among the most important topics for future research.

Cryptography for the IoT. Motivated by the upcoming IoT, one of the strong research trends in symmetric cryptography is about lightweight cryptography. Here, lightweight cryptography refers to strong cryptography, that can be executed on heavily resource constrained devices. Those efforts resulted in a wide variety of block cipher designs suitable for IoT applications. For instance, PRESENT designed in 2007 is one of the early designs with strong implementation advantages on hardware, and there have been other innovative follow-up block cipher designs. Some of them are standardized as the international standard, and used in thousands of devices in our daily lives. However, a block cipher is not the solution to all cryptographic purposes. For instance, to encrypt a certain amount of data, the block cipher has to be integrated into a suitable mode of operation. In most practical use cases, confidentiality is not the only concern, as many scenarios require data authenticity as well. Here a message authentication code (MAC) can be used to ensure authenticity. Authenticated encryption (AE) is used for protecting both confidentiality and authenticity.

The first MAC, called Chaskey, that specifically targets applications for lightweight cryptography was proposed only recently in 2014. The CAESAR project, an international competition for AE initiated at Dagstuhl, attracted several submissions that were designed for the purposes for lightweight cryptography. There is also a recent attempt to design a lightweight tweakable block cipher, an advanced primitive of a block cipher that allows more flexible usage, which can be efficiently integrated into highly secure encryption and/or authentication mechanisms. However, this research just started and many primitives and modes of operations suitable for lightweight crypto remain to be explored.

Statistical Attacks. Statistical attacks have been deployed widely and providing strong resistance against them has resulted in several important design criteria for contemporary symmetric primitives. The first type of statistical attacks that is applicable to a large set of block ciphers is differential cryptanalysis, introduced by Biham and Shamir. Since its invention in the early nineties several variants, tweaks and generalizations have been proposed and applied to many block ciphers. The second generally applicable attack on block ciphers is Matsui's linear cryptanalysis. Similarly to differential attacks, since its introduction, many extensions and improvements have been made. One main issue that has become apparent only recently is the accuracy of the underlying statistical models that researchers are using. Typically, those models are presented under some simplifying assumptions, whose validity remains an open question. It is an important challenge to settle these unsatisfactory simplifications. This becomes even more important when the attacks are hard or impossible to verify experimentally due to the large computational costs involved. Moreover, to allow comparison between different attacks the researchers must agree on common attack models and parameters that measure the performance of the attack.

Symmetric Cryptography and Real-World Needs. The symmetric cryptography community has many very talented people and the state of the area has moved from it infancy in the seventies to a mature field today. However, we should ensure that the world's population does benefit of this progress. In particular, the Snowden leaks have painfully illustrated that citizen privacy and anonymity is next to non-existent nowadays. Secret services and IT corporations massively spy on people's communication and data storage for motives such as profit and surveillance. They don't seem to be hindered significantly in this at all by the pervasive deployment of cryptography (TLS, GSM, WPA, etc.). Cynically, monopolistic corporations like Google use encryption to protect the data of their users from prying eyes of other players such as network providers. It appears that much of the cryptography deployed today is there to protect the powers that be rather than protect human rights. With the roll-out of smart grid and internet-of-things surveillance will become quasi universal with all imaginable devices reporting on our behavior to big corporations. This situation has been addressed in several invited talks by Bart Preneel and Adi Shamir and they rightfully say that we as a cryptographic community should attempt to improve this. Along the same lines, Phil Rogaway gave a highly acclaimed invited talk at Asiacrypt 2015 on the moral aspects on cryptographic research. He invites us to do some introspection and ask the question: are we doing the right thing?

We believe these questions are important also for the symmetric crypto community. While the problem is certainly not restricted to symmetric cryptography and probably cannot be solved by symmetric cryptography alone, we should consider it our moral duty to improve the situation.

Seminar Program

The seminar program consists of presentations about the above topics, and relevant areas of symmetric cryptography, including new cryptanalytic techniques and new designs. Furthermore, there were discussion sessions. In "Discussion on CAESAR with focus on robustness", we discussed about the meaning and relevance of the term robustness in general and for the CAESAR competition in particular. In "Discussion on Mass Surveillance", a number of questions related to the real-world relevance of the symmetric crypto community and its research were discussed. For both discussions we provide summery of the questions and results.

Copyright Joan Daemen, Tetsu Iwata, Nils Gregor Leander, and Kaisa Nyberg

Participants
  • Frederik Armknecht (Universität Mannheim, DE) [dblp]
  • Tomer Ashur (KU Leuven, BE) [dblp]
  • Christof Beierle (Ruhr-Universität Bochum, DE) [dblp]
  • Daniel J. Bernstein (University of Illinois - Chicago, US) [dblp]
  • Eli Biham (Technion - Haifa, IL) [dblp]
  • Alex Biryukov (University of Luxembourg, LU) [dblp]
  • Anne Canteaut (INRIA - Paris, FR) [dblp]
  • Joan Daemen (Radboud University Nijmegen, NL & STMicroelectronics - Diegem, BE) [dblp]
  • Itai Dinur (Ben Gurion University - Beer Sheva, IL) [dblp]
  • Christoph Dobraunig (TU Graz, AT) [dblp]
  • Orr Dunkelman (University of Haifa, IL) [dblp]
  • Maria Eichlseder (TU Graz, AT) [dblp]
  • Henri Gilbert (ANSSI - Paris, FR) [dblp]
  • Tetsu Iwata (Nagoya University, JP) [dblp]
  • Jérémy Jean (ANSSI - Paris, FR) [dblp]
  • Dmitry Khovratovich (University of Luxembourg, LU) [dblp]
  • Stefan Kölbl (Technical University of Denmark - Lyngby, DK) [dblp]
  • Virginie Lallemand (Ruhr-Universität Bochum, DE) [dblp]
  • Tanja Lange (TU Eindhoven, NL) [dblp]
  • Nils Gregor Leander (Ruhr-Universität Bochum, DE) [dblp]
  • Gaëtan Leurent (INRIA - Paris, FR) [dblp]
  • Stefan Lucks (Bauhaus-Universität Weimar, DE) [dblp]
  • Willi Meier (FH Nordwestschweiz - Windisch, CH) [dblp]
  • Bart Mennink (Radboud University Nijmegen, NL) [dblp]
  • Vasily Mikhalev (Universität Mannheim, DE) [dblp]
  • Kazuhiko Minematsu (NEC - Kawasaki, JP) [dblp]
  • Nicky Mouha (NIST - Gaithersburg, US) [dblp]
  • Mridul Nandi (Indian Statistical Institute - Kolkata, IN) [dblp]
  • Maria Naya-Plasencia (INRIA - Paris, FR) [dblp]
  • Kaisa Nyberg (Aalto University, FI) [dblp]
  • Stav Perle (Technion - Haifa, IL) [dblp]
  • Léo Perrin (INRIA - Paris, FR) [dblp]
  • Thomas Peyrin (Nanyang TU - Singapore, SG) [dblp]
  • Christian Rechberger (TU Graz, AT) [dblp]
  • Arnab Roy (University of Bristol, GB) [dblp]
  • Yu Sasaki (NTT - Tokyo, JP) [dblp]
  • Yannick Seurin (ANSSI - Paris, FR) [dblp]
  • Adi Shamir (Weizmann Institute - Rehovot, IL) [dblp]
  • Marc Stevens (CWI - Amsterdam, NL) [dblp]
  • Stefano Tessaro (University of California - Santa Barbara, US) [dblp]
  • Yosuke Todo (NTT - Tokyo, JP) [dblp]
  • Gilles Van Assche (STMicroelectronics - Diegem, BE) [dblp]
  • Damian Vizár (EPFL - Lausanne, CH) [dblp]
  • Meiqin Wang (Shandong University - Jinan, CN) [dblp]
  • Kan Yasuda (NTT - Tokyo, JP) [dblp]

Related Seminars
  • Dagstuhl Seminar 07021: Symmetric Cryptography (2007-01-07 - 2007-01-12) (Details)
  • Dagstuhl Seminar 09031: Symmetric Cryptography (2009-01-11 - 2009-01-16) (Details)
  • Dagstuhl Seminar 12031: Symmetric Cryptography (2012-01-15 - 2012-01-20) (Details)
  • Dagstuhl Seminar 14021: Symmetric Cryptography (2014-01-05 - 2014-01-10) (Details)
  • Dagstuhl Seminar 16021: Symmetric Cryptography (2016-01-10 - 2016-01-15) (Details)
  • Dagstuhl Seminar 20041: Symmetric Cryptography (2020-01-19 - 2020-01-24) (Details)
  • Dagstuhl Seminar 22141: Symmetric Cryptography (2022-04-03 - 2022-04-08) (Details)
  • Dagstuhl Seminar 24041: Symmetric Cryptography (2024-01-21 - 2024-01-26) (Details)

Classification
  • security / cryptology

Keywords
  • Symmetric cryptography
  • cryptanalysis
  • cryptography for IoT
  • mass surveillance
  • AE