January 19 – 24 , 2020, Dagstuhl Seminar 20041

Symmetric Cryptography


Nils Gregor Leander (Ruhr-Universität Bochum, DE)
Kaisa Nyberg (Aalto University, FI)
Kan Yasuda (NTT – Tokyo, JP)


Bart Mennink (Radboud University Nijmegen, NL)

For support, please contact

Dagstuhl Service Team


List of Participants
Shared Documents


IT Security plays a crucial role in everyday life and business. Virtually all modern security solutions are based on cryptographic primitives. Symmetric cryptography deals with the case that both the sender and the receiver of a message are using the same key and is highly relevant not only for academia, but also for industrial research and applications.

We identified the following areas as among the most important topics for future research. At the upcoming Dagstuhl Seminar these topics will be intensively discussed. Besides short talks on the state-of-the-art, there will be plenty of time for discussions and for starting new research collaborations.

Cryptography in the presence of strong constraints: This deals with the development of symmetric cryptographic primitives and modes that must operate under strong constraints. This area, in the past often indicated by the misleading term lightweight cryptography, has become a very active research field in recent years. To give concrete examples of reasonable constraints, we like to mention the following (non-exhaustive) selection:

  • energy per bit encrypted/authenticated: important in battery-powered devices and protection of massive datastreams
  • power consumption: important in RFID tags or any other application where power is harvested, e.g., by means of solar cells
  • latency: important in legacy architectures for bus and memory encryption

Besides the cryptographic security, we also consider side channel attacks a major issue, as especially in the above-mentioned application areas, the cryptography is executed in a potentially adversarial environment.

Proving relevant bounds for permutations and (tweakable) block ciphers: Security arguments for symmetric cryptographic primitives often rely on simplifying assumptions and unproven heuristics. Moreover, not only are they often limited by those simplifications, but more fundamentally by the resulting statements.

As an example, for arguing why differential and linear attacks do not apply to a given cipher, we would like to argue that no high-probability differential and no highly biased linear approximation exist that holds for an overwhelming fraction of keys, if not all. However, for most constructions, this has currently only been achieved for a very small number of rounds, and we are instead limited to bounding the probability of differential and linear trails averaged over independent round-keys. We like to note that achieving better and more meaningful bounds is not only of interest from a theoretical point of view. Having better bounds allows better tuning of the number of rounds and might thus finally lead to more efficient ciphers.

Development of modes for dedicated functionality or robustness: A cryptographic primitive, e.g., a cryptographic permutation or a (tweakable) block cipher, is of little use without being embedded in a suitable mode of operation. Traditional modes turn such a primitive into an (authenticated) encryption scheme, a message authentication code or a hash function. However, modes of operations could provide more advanced functionalities on the one hand and advanced security features on the other hand. Important examples include modes based on permutations, block ciphers or tweakable block ciphers that realize the following (not necessarily all at the same time): (i) Robustness against improper usage or implementation weaknesses, (ii) Joint modes of hashing and authenticated encryption using the same primitive, and (iii) secure channels.

Quantum cryptanalysis: The threat that one would be able to build a sufficiently large quantum computer has a major impact on the security of many cryptographic schemes we are using today. In particular, the seminal work of Shor showed that such computers would allow to factor large integers and compute discrete logs over large groups in practical time. In the case of symmetric cryptography, the situation seems less critical - but is also significantly less studied. For almost 20 years, it was believed that the only advantage an attacker would have by using a quantum computer when attacking symmetric cryptography is due to Grover's algorithm for speeding up brute force search. Indeed, Grover's algorithm reduces the effective key-length of any cryptographic scheme, and thus in particular of any block-cipher, by a factor of two. Only recently researchers have started to investigate in more detail how the security of symmetric primitives would be affected by attackers equipped with quantum computers. A great challenge is to get a fundamentally improved understanding of the security of common block ciphers (such as AES) and hash functions (such as SHA-3) against quantum adversaries.

Motivation text license
  Creative Commons BY 3.0 DE
  Joan Daemen, Nils Gregor Leander, Kaisa Nyberg, and Kan Yasuda

Dagstuhl Seminar Series


  • Security / Cryptology


  • Symmetric cryptography
  • (quantum) cryptanalysis
  • Constrained platforms


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.