Search Results
Issue Info:
  • Year: 2018
  • Volume: 6
  • Issue: 3 (23)
  • Pages: 59-64
Measures:
  • Citations: 0
  • Views: 605
  • Downloads: 0
Abstract: 

Hash functions play a very important role in network and telecommunication security. They hash a message and are widely used in cryptographic applications such as digital signatures, random number generator algorithms, authentication protocols, and so on. Rotational cryptanalysis is a relatively new attack that belongs to the generic attacks on hash functions and is effective against algorithms with an ARX structure. In this paper, for the first time, we apply rotational cryptanalysis, under the assumption of a Markov chain for the sequence of modular additions, to the two algorithms Shabal and CubeHash, second-round candidates of the SHA-3 competition that use the ARX property in their structure. With the implementation of rotational cryptanalysis we arrive at a complexity of 2^{-3393.58} for the entire 16+3-round Shabal algorithm and a complexity of 2^{-57.6} for the entire 16-round CubeHash algorithm. According to the obtained results, it can be seen that, due to its large number of modular additions under the Markov chain assumption, the Shabal algorithm exhibits greater resistance to rotational cryptanalysis than the CubeHash algorithm, and the attack is less likely to succeed against it.

Issue Info:
  • Year: 2015
  • Volume: 7
  • Issue: 2
  • Pages: 0-0
Measures:
  • Citations: 0
  • Views: 233
  • Downloads: 116
Abstract: 

AES-CMCCv1, AVALANCHEv1, CLOCv1, and SILCv1 are four first-round candidates of CAESAR. CLOCv1 was presented at FSE 2014 and SILCv1 is designed upon it with the aim of optimizing the hardware implementation cost. In this paper, structural weaknesses of these candidates are studied. We present distinguishing attacks against AES-CMCCv1 with a complexity of two queries and a success probability of almost 1, and distinguishing attacks on CLOCv1 and SILCv1 with a complexity of O(2^{n/2}) queries and a success probability of 0.63, where n is the bit length of the message blocks. In addition, a forgery attack is presented against AVALANCHEv1 which requires only one query and has a success probability of 1. The attacks reveal weaknesses in the structure of these first-round candidates and the inaccuracy of their security claims.

Journal: 

ELECTRONIC INDUSTRIES

Issue Info:
  • Year: 2011
  • Volume: 2
  • Issue: 3 (7)
  • Pages: 77-92
Measures:
  • Citations: 0
  • Views: 1659
  • Downloads: 0
Abstract: 

In this paper we analyze the security of the SEAS protocol. The only security goal of this protocol is to authenticate the RFID tag to the RFID reader, and we show that the protocol does not satisfy this property. Hence, we do not recommend this protocol for any application. We present a tag impersonation attack against it. A tag impersonation attack is a forgery attack in which the reader authenticates the attacker as a legitimate tag. Our tag impersonation attack, which to the best of our knowledge is the first attack against the SEAS protocol, has a success probability of 1 and a complexity of only two runs of the protocol.

Issue Info:
  • Year: 2018
  • Volume: 10
  • Issue: 2
  • Pages: 93-105
Measures:
  • Citations: 0
  • Views: 533
  • Downloads: 166
Abstract: 

Deoxys is a final-round candidate of the CAESAR competition. Deoxys is built upon an internal tweakable block cipher, Deoxys-BC, which in addition to the plaintext and key takes an extra non-secret input called a tweak. This paper presents the first impossible differential cryptanalysis of Deoxys-BC-256, which is used in Deoxys as its internal tweakable block cipher. First, we find a 4.5-round impossible differential (ID) characteristic using a miss-in-the-middle approach. We then present several cryptanalyses based on the 4.5-round distinguisher against round-reduced Deoxys-BC-256 in both single-key and related-key settings. Our contributions include impossible differential attacks on up to 8-round Deoxys-BC-256 in the single-key model. Our attack reaches 9 rounds in the related-key related-tweak model; it has a slightly higher data complexity than the best previous result, obtained by a related-key related-tweak rectangle attack presented at FSE 2018, but requires a lower memory complexity with an equal time complexity.

Issue Info:
  • Year: 2012
  • Volume: 4
  • Issue: 2
  • Pages: 107-114
Measures:
  • Citations: 0
  • Views: 1189
  • Downloads: 192
Abstract: 

The A5/1 algorithm is one of the most famous stream ciphers, used for over-the-air communication privacy in GSM. The purpose of this paper is to analyze several weaknesses of A5/1, including an improvement to an attack and an investigation of the A5/1 state transition. Biham and Dunkelman proposed an attack on A5/1 with time and data complexities of 2^{39.91} and 2^{21.1}, respectively. In this paper, we propose a method for identifying and eliminating useless states from the pre-computed tables and a new approach to accessing the table in the online phase of the attack, which reduces the time complexity to 2^{37.89} and halves the required memory. Furthermore, we discuss another weakness of A5/1 by investigating its internal state transition and its keystream sequence period. Consequently, the internal states are divided into two classes, initially periodic and ultimately periodic. The presented model is verified using a variety of simulations, which are consistent with the theoretical results.

Issue Info:
  • Year: 621
  • Volume: 7
  • Issue: 2
  • Pages: 103-117
Measures:
  • Citations: 0
  • Views: 16
  • Downloads: 5
Abstract: 

In this paper, we propose a new method to launch a more efficient algebraic cryptanalysis. Algebraic cryptanalysis aims at finding the secret key of a cipher by solving a collection of polynomial equations that describe the internal structure of the cipher. Chosen correlated plaintexts, as used in higher order differential cryptanalysis and its derivatives such as the cube attack or integral cryptanalysis, force many linear relations between intermediate state bits in the cipher. In this paper, we take these polynomial relations into account, so it becomes possible to simplify the equation system arising from algebraic cryptanalysis and, consequently, to solve the polynomial system more efficiently. We take advantage of the Universal Proning technique to provide an efficient method for recovering such linear polynomials. Another important parameter in the algebraic cryptanalysis of ciphers is to describe the cipher effectively. We employ the so-called Forward-Backward representation of S-boxes together with Universal Proning to provide a more powerful algebraic cryptanalysis based on Gröbner-basis computation. We show our method is more efficient than algebraic cryptanalysis with the MQ representation, and also than employing MQ together with Universal Proning. To show the effectiveness of our approach, we applied it to the cryptanalysis of several lightweight block ciphers. By this approach, we managed to mount algebraic attacks on the 12-round LBlock, 6-round MIBS, 7-round PRESENT and 9-round SKINNY lightweight block ciphers, so far.

Author(s): 

SADEGHI S. | BAGHERI N.

Issue Info:
  • Year: 2016
  • Volume: 4
  • Issue: 2 (14)
  • Pages: 53-59
Measures:
  • Citations: 0
  • Views: 664
  • Downloads: 0
Abstract: 

CAESAR is a competition for designing authenticated encryption (AE) schemes. The schemes considered in this competition support associated data (AEAD). 57 candidates were submitted to this competition, 30 of which were later announced as second-round candidates. In this paper, we analyze the security of MORUS, a second-round candidate of CAESAR, against linear cryptanalysis based on mixed integer linear programming. In this study, the length of the associated data is taken as zero (|AD| = 0), and linear characteristics for two versions of MORUS, MORUS-640 and MORUS-1280, reduced to 3 rounds, with bias and respectively, are presented. The result of this paper is, to the best of our knowledge, the first third-party linear analysis of round-reduced MORUS.

Journal: 

ELECTRONIC INDUSTRIES

Issue Info:
  • Year: 2016
  • Volume: 7
  • Issue: 3
  • Pages: 21-30
Measures:
  • Citations: 0
  • Views: 497
  • Downloads: 0
Abstract: 

The CAESAR competition is a competition for the design of cryptographic authenticated encryption schemes with associated data (AEAD). NORX is one of the CAESAR candidates that was also selected for the second round of this competition. In this paper, the first linear cryptanalysis of this scheme is presented using mixed integer linear programming (MILP). The analysis in this paper is conducted for round-reduced NORX8, NORX16, NORX32 and NORX64. Our best linear characteristics for these variants, reduced to one round out of four, have biases of 2^{-52}, 2^{-47}, 2^{-21} and 2^{-76}, respectively. Because the answer found for NORX8 is optimal, this version of reduced NORX provides optimal security against linear attacks.

Issue Info:
  • Year: 2020
  • Volume: 16
  • Issue: 4 (42)
  • Pages: 17-26
Measures:
  • Citations: 0
  • Views: 537
  • Downloads: 0
Abstract: 

The impossible differential attack is a powerful tool for evaluating the security of block ciphers, based on finding a differential characteristic with probability exactly zero. The diffusion rate of a cipher's linear layer plays a fundamental role in the security of the algorithm against the impossible differential attack. In this paper, we show that an efficient method, independent of the quality of the linear layer, can find impossible differential characteristics of the Zorro block cipher. In other words, using the proposed method we show that, independent of the linear layer and the other internal elements of the algorithm, it is possible to obtain an effective impossible differential characteristic for 9-round Zorro. Also, based on the presented 9-round impossible differential characteristic, we provide a key recovery attack on reduced 10-round Zorro. In this paper, we propose a robust and different method to find impossible differential characteristics for the Zorro cipher which is independent of the algorithm's linear layer. The main observation behind this method is that the number of possible differences that may occur in the middle of the Zorro algorithm might be very limited. This is due to the different structure of Zorro. We show how this attribute can be used to construct impossible differential characteristics. Then, using the described method, we show that, independent of the features of the algorithm's elements, it is possible to obtain efficient 9-round impossible differential characteristics for the Zorro cipher. It is important to note that the best impossible differential characteristics of the AES encryption algorithm cover only four rounds. So the best impossible differential characteristic of the Zorro cipher is far longer than the best characteristic of AES, while both algorithms use the same linear layer.
Also, the analysis presented in this article, in contrast to previous analyses, can be applied to all ciphers with the same structure as Zorro, because our analysis is independent of the internal components of the algorithm. In particular, the method presented in this paper shows that for all modified versions of Zorro there are similar impossible differential characteristics. Zorro is a block cipher with a 128-bit block size and a 128-bit key size. Zorro consists of 6 sections, each with 4 rounds (24 rounds in all). Zorro has no subkey generation algorithm; the main key is simply added to the state at the beginning of each section using the XOR operator. The internal rounds of a section do not use the key. Similar to AES, the Zorro state can be represented by a 4 × 4 matrix, in which each of the 16 entries represents one byte. One round of Zorro consists of four functions, SB*, AC, SR, and MC, applied in that order. The SB* function is a nonlinear function applied only to the four bytes in the first row of the state matrix. Therefore, unlike AES, where the substitution box is applied to all bytes, the Zorro substitution box is applied to only four bytes. The AC operator adds a round constant. Finally, the two transforms SR and MC are applied to the state matrix; these are, respectively, the ShiftRows and MixColumns used in the AES standard. Since the analyses presented in this article are independent of the substitution properties, we do not use the S-box definition used by Zorro. Our proposed model uses the Zorro property that the number of possible differences after a limited number of rounds can be much less than the total number of possible differences. In this paper, we introduce features of Zorro which provide an upper bound on the number of possible values of an intermediate difference.
We then present a model for finding Zorro impossible differential characteristics, based on the limitations on the intermediate differences and using the miss-in-the-middle approach. Finally, we show that, based on the proposed method, it is possible to find an impossible differential characteristic for 9 rounds of algorithms with a Zorro-like structure, regardless of the linear layer properties. Also, it is possible to apply the key recovery attack to 10 rounds of the algorithm. So, regardless of the features of the elements used, it can be shown that this number of rounds of such algorithms is not secure, even if the linear layer is changed.

Author(s): 

GHASEMZADEH MOHAMMAD

Issue Info:
  • Year: 2011
  • Volume: 2
  • Issue: 3 (5)
  • Pages: 39-46
Measures:
  • Citations: 0
  • Views: 288
  • Downloads: 147
Abstract: 

A Binary Decision Diagram (BDD) is an efficient data structure that has been used widely in computer science and engineering. The BDD-based attack in keystream cryptanalysis is one of the best forms of attack in its category. In this paper, we propose a new keystream attack based on the ZDD (Zero-suppressed BDD). We show how a ZDD-based keystream attack is more efficient in time and space complexity than its BDD-based variant against the E0 cipher of the Bluetooth security mechanism. We implemented it using the CUDD (Colorado University Decision Diagram) package. Experimental results show great improvements. We have also derived a mathematical proof which shows that it is better than the BDD-based attack method even in the worst-case analysis.
