April 3 – 8 , 2022, Dagstuhl Seminar 22141

Symmetric Cryptography


Nils Gregor Leander (Ruhr-Universität Bochum, DE)
Bart Mennink (Radboud University Nijmegen, NL)
Maria Naya-Plasencia (INRIA – Paris, FR)
Yu Sasaki (NTT – Tokyo, JP)

For support, please contact

Susanne Bach-Bernhard for administrative matters

Michael Gerke for scientific matters


IT Security plays an increasingly crucial role in everyday life and business. Virtually all modern security solutions are based on cryptographic primitives. Symmetric cryptography deals with the case where both the sender and the receiver of a message use the same key. Due to their good performance, symmetric cryptosystems are the main workhorses of cryptography and are highly relevant not only for academia, but also for industrial activities. For the Dagstuhl Seminar we plan to focus on several topics, which we believe to be of great importance for the research community and, likewise, to have a positive impact on industry and the deployment of secure crypto in the future.

Learnt from NIST Lightweight Cryptography Project
The US National Institute of Standards and Technology (NIST) acknowledged in 2013 the real-world importance of lightweight cryptography, and announced an initiative for standardization. It is expected that the new lightweight standard will not only be used in the US, but rather worldwide. While the exact timeline of the competition is not known at the time of writing, discussing the outcomes in April 2022 seems a very natural and timely topic.

New Design Strategies
Recently, the design of symmetric key primitives has started to focus on different types of optimization. Examples include new ciphers designed for applications to STARKs, SNARKs, fully homomorphic encryption and multi-party computation. This causes a paradigm shift in design criteria that we are just starting to understand, both in terms of possible optimizations as well as security impacts. Exploring those is one of the topics we envision for the seminar.

Quantum-Safe Symmetric Cryptography
As years go by, quantum computers become more tangible. For symmetric cryptography, it is short-sighted to expect that cryptanalysis will not improve with the help of quantum. There are two challenges we want to target in the seminar. First, we want to find new quantum attacks, by either quantizing classical attacks, or by designing quantum cryptanalysis afresh. Second, we want to find generic and secure ways of extending the key or the state length; and design and implement efficient symmetric quantum-safe cryptographic functions.

Understanding Security Implications from Ideal and Keyless Primitives
Permutation-based cryptography has gained astounding popularity in the last decade, and security proofs are performed in an ideal security model, namely the ideal permutation model. Besides, and partly as a consequence of this, the concrete security analysis of the involved primitives becomes more difficult. In this seminar, we want to explore (i) to what extent distinguishers impact the security of cryptographic schemes and (ii) what non-random properties of permutations seem likely to be translated into an attack on the full scheme.

Seminar Structure
We plan to organize research groups before the commencement of the actual seminar in April 2022 to make the seminar itself more productive. We expect the colleagues that will join the seminar to be fully committed to proposing topics for the research groups and to participating in them. We plan to have a first day of invited talks related to these selected research topics. We will also schedule short talks spread over small sessions to profit of the opportunity for catching up with what the other researchers are currently doing.

Motivation text license
  Creative Commons BY 4.0
  Nils Gregor Leander, Bart Mennink, Maria Naya-Plasencia, and Yu Sasaki

Dagstuhl Seminar Series


  • Cryptography And Security


  • Cryptography
  • Symmetric cryptography
  • Block ciphers
  • Hash functions
  • Stream cipers


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.