January 7 – 12 , 2018, Dagstuhl Seminar 18021

Symmetric Cryptography


Joan Daemen (Radboud University Nijmegen, NL, and STMicroelectronics – Diegem, BE)
Tetsu Iwata (Nagoya University, JP)
Nils Gregor Leander (Ruhr-Universität Bochum, DE)
Kaisa Nyberg (Aalto University, FI)

For support, please contact

Simone Schilke for administrative matters

Andreas Dolzmann for scientific matters

Dagstuhl Reports

As part of the mandatory documentation, participants are asked to submit their talk abstracts, working group results, etc. for publication in our series Dagstuhl Reports via the Dagstuhl Reports Submission System.


List of Participants
Shared Documents
Dagstuhl Seminar Schedule [pdf]


Cryptography is the science of designing and analyzing techniques for secure communication. Modern cryptography can be divided into several areas of study, with symmetric cryptography being one of the most important. In particular, as asymmetric primitives are typically orders of magnitude less efficient than symmetric cryptographic schemes, symmetric cryptosystems remain the main workhorses of cryptography and highly relevant not only for academia, but also for industrial research and applications. IT Security plays an increasingly crucial role in everyday life and business. Especially after the disclosure of the NSA world-spanning spying activities and in the context of the Internet of Things, IT Security and privacy protection is a vital topic of the 21st century. Virtually all modern security solutions are based on cryptographic primitives. In the seminar, we plan to discuss in detail the design and analysis of symmetric cryptographic primitives while focusing on the three topics below. This event is going to be the sixth in the series of the Dagstuhl seminars "SymmetricCryptography" held in 2007, 2009, 2012, 2014, and 2016.

Cryptography for the IoT Motivated by the upcoming IoT, one of the strong research trends in symmetric cryptography is lightweight cryptography. Those efforts resulted in a wide variety of block cipher designs suitable for IoT appliations. However, a block cipher is clearly not the solution to all cryptographic purposes. Research on other primitives and modes has just started and many primitives and modes of operations suitable for lightweight crypto remain to be explored.

Statistical Attacks Statistical attacks have been deployed widely and providing strong resistance against them has resulted in several important design criteria for contemporary symmetric primitives. One main issue that has become apparent only recently is the accuracy of the underlying statistical models that researchers are using. Typically, those models are presented under some simplifying assumptions, whose validity remains an open question. It is an important challenge to settle these unsatisfactory simplifications. This becomes even more important when the attacks are hard or impossible to verify experimentally due to the large computational costs involved. Moreover, to allow comparison between different attacks the researchers must agree on common attack models and parameters that measure the performance of the attack.

Symmetric cryptography in the era of mass surveillance The Snowden leaks have painfully illustrated that citizen privacy and anonymity is next to non-existent nowadays. Secret services and IT corporations massively spy on people's communication and data storage for motives such as profit and surveillance. They don't seem to be hindered significantly in this at all by the pervasive deployment of cryptography (TLS, GSM, WPA, etc.). At the Dagstuhl Seminar we will have a discussion session on how the symmetric crypto community can contribute to improve the situation. We expect an open discussion and it is likely new themes will be proposed. As a start, we are going to discuss the following items.

  • Education of the general public: it is impossible to have protection without awareness.
  • Education of the protocol designers and programmers: there are many new standards being drafted for the moment and many repeat the same mistakes over and over again. Often the cryptographic knowledge of people in the standardization committees is very limited.
  • Rewarding implementations: writing of optimized code (for software but also hardware, like VHDL) that additionally provides resistance against side-channel and/or fault attacks is a highly sophisticated task requires much insight and effort. However, in the current academic climate, such efforts are not sufficiently rewarded and we think it would be good to change this.

  Creative Commons BY 3.0 DE
  Joan Daemen, Tetsu Iwata, Nils Gregor Leander, and Kaisa Nyberg

Dagstuhl Seminar Series


  • Security / Cryptology


  • Symmetric cryptography
  • Cryptanalysis
  • Cryptography for IoT
  • Mass surveillance
  • AE

Book exhibition

Books from the participants of the current Seminar 

Book exhibition in the library, ground floor, during the seminar week.


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.

NSF young researcher support