Flexible Symmetric Cryptography

For more than thirty years, block ciphers have been the workhorses for most applications of symmetric cryptography. Given two inputs (key and plaintext) a block cipher encryption generates one output (the ciphertext). Whenever a complex cryptosystem has been designed, based on a primitive, the primitive was often a block cipher. Yet, those days are over, and there are two new alternatives: cryptographic permutations and tweakable block ciphers.

A cryptographic permutation is a block cipher without a key schedule. This minimalistic approach works very well for the design of hash functions, such as SHA-3, the first hash function standard based on a cryptographic permutation instead of a block cipher. The use of permutations also gained in popularity for encryption and/or authentication after adapting the so-called sponge construction to keyed modes. In the ongoing CAESAR competition for the development of a portfolio of authenticated encryption schemes, a significant amount of submissions is based on different variants of the duplex construction, the sponge's sibling.

Tweakable block ciphers are block ciphers with an additional third input for the "tweak", giving the mode designer a more flexible tool than an ordinary block cipher. No less than one third of the 51 initial CAESAR submissions use tweakable block ciphers, either implicitly or explicitly, and either as dedicated or generic design. Tweakable block cipher based modes have achieved speed-ups in authenticated encryption of a factor almost 2 over existing block-cipher-based schemes.

The incentive of the workshop is to improve and intensify the design and analysis, both generically and specifically, of the symmetric key cryptographic primitives and modes of the future, and therewith to contribute to a speed-up of adoption. We particularly target to flexibilize symmetric cryptography towards its edge fields, including quantum cryptography, fully homomorphic encryption, lightweight encryption, and side-channel security.