CAESAR is a competition for designing authenticated encryption schemes (AE). The schemes that are considered in this competition are supported associated data (AEAD). 57 candidates have been submitted to this competition, out of them 30 candidates later announced as the second round candidates. In this paper, we analysis the security of MORUS, a second round candidate of CAESAR, against mixed integer Linear programing based Linear cryptanalysis. In this study, the length of associated data is considered as zero (AD|=0|) and Linear characteristics for two version of MORUS, MORUS-640 and MORUS-1280, reduced to 3 rounds with bias and respectively are presented. The result of this paper is the first third party Linear analysis on round reduced of MORUS, to the best of our knowledge.

CAESAR competition is a competition for the design of cryptographic authenticated encryption schemes with associated data (AEAD). NORX is one of the CEASAR candidates which has been selected for the second round of this completion also. In this paper, the first Linear cryptanalysis of this scheme is presented using mixed integer Linear programming (MILP). The analysis conducted in this paper has been done for the reduced round NORX8, NORX16, NORX32 and NORX64. Our best Linear characteristics for these variants reduced to one round out of four rounds have biases 2-52, 2-47, 2-21 and 2-76 respectively. Due to the optimized answer for NORX8, this version of reduced NORX provides optimal security against Linear attack.

Shamir’s secret sharing scheme is one of the substantial threshold primitives, based on which many security protocols are constructed such as group authentication schemes. Notwithstanding the unconditional security of Shamir's secret sharing scheme, protocols that are designed based on this scheme do not necessarily inherit this property. In this work, we evaluate the security of a lightweight group authentication scheme, introduced for IoT networks in IEEE IoT Journal in 2020, and prove its weakness against the Linear subspace attack, which is a recently-proposed cryptanalytical method for secret sharing-based schemes. Then, we propose an efficient and attack-resistant group authentication protocol for IoT networks.

One of the most important areas of symmetric cryptography is block cipher algorithms which have many applications in security mechanisms. Linear and differential cryptanalysis are the most important statistical attacks against block ciphers. Since most of the attacks against block cipher algorithms are based on these two types of cryptanalysis, encryption algorithm design methods are guided to resist these attacks. This paper presents a new block cipher design method based on data dependent key which prevents Linear and differential attacks. Based on the proposed method, an instance structure for block cipher algorithms is presented and evaluated. It has been shown that the proposed structure resists Linear and differential attacks even in reduced number of rounds.

One of the most important methods for checking the resistant of a block cipher against Linear and differential analysis is counting of minimum active s-boxes. According to this number, proportion of minimum active s-boxes to all used s-boxes can be obtained. In Feistel structure, left and right half XORing cause difference cancelation reducing this proportion. One method for reducing difference cancelation and improving this proportion is presented previously using multiple MDS matrix. However, this method is suitable for design of 128 bit block ciphers and hasn’t good efficiency in 256 bit block ciphers. In this paper, the problem of finding proper multiple diffusion layers for Switching Structure on big dimension and big field is firstly surveyed. Then, a search algorithm is presented, used for making several categories of Recursive Diffusion Layers. In the next section, by using this Recursive Diffusion Layers, a 256 bit block cipher is designed base on Switching Structure. We verify security and efficiency of this scheme is verified and it is concluded that this scheme is resistant to Linear and differential attack showing impossible differential attack and also has a good efficiency compare to other 256 bit block cipher algorithm.

Hash functions have a very important role in network and telecommunication security. These functions play an important role in hashing a message which are widely used in cryptographic applications such as digital signatures, random number generator algorithms, authentication protocols, and so on. Rotational cryptanalysis is a relatively new attack that is part of a generic attack on hash functions and is effective on algorithms that have an ARX structure. In this paper, for the first time, we apply a rotational cryptanalysis and with the given assumption of the markov chain for the modular additions sequence employed in two algorithms Shabal and CubeHash, which are second-round candidates for the SHA-3 competition that use the ARX property in their structure. With the implementation of rotational cryptanalysis we arrived at the complexity of 2-3393. 58 for the entire 16+3-rounds Shabal algorithm and the complexity of 2-57. 6 for the en-tire 16-round CubeHash algorithm. According to the obtained results, it can be seen that due to the large number of modular additions with the given assumption of markov chain, the Shabal algorithm exhibits greater resistance to rotational cryptanalysis, compared to the CubeHash algorithm and is less likely to succeed.

AES - CMCCv1, AVALANCHEv1, CLOCv1, and SILCv1 are four candidates of the first round of CAESAR. CLOCv1 is presented in FSE 2014 and SILCv1 is designed upon it with the aim of optimizing the hardware implementation cost. In this paper, structural weaknesses of these candidates are studied. We present distinguishing attacks against AES - CMCCv1 with the complexity of two queries and the success probability of almost 1, and distinguishing attacks on CLOCv1 and SILCv1 with the complexity of O (2n/2) queries and the success probability of 0:63, in which n is bit length of message blocks. In addition, a forgery attack is presented against AVALANCHEv1 which requires only one query and has the success probability of 1. The attacks reveal weaknesses in the structure of these first round candidates and inaccuracy of their security claims.

In this paper we analyze the security of SEAS protocol. The only security goal of this protocol is to authenticate the RFID tag to the RFID reader which, in this paper, we show that the protocol does not satisfy this property. Hence, we do not recommend this protocol to be employed in any application. In this paper we present a tag impersonation attack against it. Tag impersonation attack is a forgery attack in which the reader authenticates the attacker as a legitimate tag. Our tag impersonation attack’s success probability, which is the first attack against the SEAS protocol to the best of our knowledge, is “1” and its complexity is only two runs of protocol.

Deoxys is a final-round candidate of the CAESAR competition. Deoxys is built upon an internal tweakable block cipher Deoxys-BC, where in addition to the plaintext and key, it takes an extra non-secret input called a tweak. This paper presents the first impossible differential cryptanalysis of Deoxys-BC-256 which is used in Deoxys as an internal tweakable block cipher. First, we find a 4.5-round ID characteristic by utilizing a miss-in-the-middle-approach. We then present several cryptanalysis based upon the 4.5 rounds distinguisher against round-reduced Deoxys-BC-256 in both single-key and related-key settings. Our contributions include impossible differential attacks on up to 8-round Deoxys-BC-256 in the single-key model. Our attack reaches 9 rounds in the related-key related-tweak model which has a slightly higher data complexity than the best previous results obtained by a related-key related-tweak rectangle attack presented at FSE 2018, but requires a lower memory complexity with an equal time complexity.

The A5/1 algorithm is one of the most famous stream cipher algorithms used for over-the-air communication privacy in GSM. The purpose of this paper is to analyze several weaknesses of A5/1, including an improvement to an attack and investigation of the A5/1 state transition. Biham and Dunkelman proposed an attack on A5/1 with a time and data complexity of 239.91and 221.1, respectively.In this paper, we propose a method for identification and elimination of useless states from the pre-computed tables and a new approach to access the table in the online phase of the attack which reduces the time complexity to 237.89 and the required memory in half. Furthermore, we discuss another weakness of A5/1 by investigating its internal state transition and its keystream sequence period. Consequently, the internal states are divided into two classes, initially periodic and ultimately periodic. The presented model is verified using a variety of simulations which are consistent with the theoretical results.