Every day we use embedded cryptographic devices, such as smart cards and RFID-enabled cards, e.g. passports, cards deployed in access control to buildings, and cards for public transportation. Ensuring the security of these devices is a challenging problem, as witnessed by the breaking of the cryptosystems used in mobile phones, car keys, and RFID-enabled cards ("OV-chipkaart"). The difficulty in securing those devices stems from firm constraints on chip cost and on power and energy budgets, while very short transaction times must still be achieved.
This is where so-called lightweight crypto comes into play: cryptographic primitives that are designed to run efficiently on very small, resource-constrained, embedded devices. Many of those primitives are block ciphers with 80-bit keys that silently target a security strength of 80 bits. A security strength of $n$ bits means that breaking the security would take $2^n$ "operations", e.g., executions of the block cipher. Note that 80 bits is considered legacy by NIST and is also no longer recommended by other institutions like the German BSI or the French ANSSI.
Current lightweight crypto primitives face three problems. First, the 80-bit security strength is on the edge of being sufficient for the coming decades. Second, systems employing block ciphers with 80-bit keys do not offer a security strength of 80 bits in most practical settings, due to multi-target, side-channel, and fault attacks and a wide range of invasive attacks. Third, if quantum computers can be built one day, an $n$-bit key offers a security strength of only $n/2$ bits.
This workshop brings together experts working on symmetric-cipher design and experts in cryptography for highly constrained devices and physical attacks to work on what next-generation lightweight symmetric cryptography should look like.