
Full-round impossible differential attack on shadow block cipher

Abstract

Lightweight block ciphers are the essential encryption algorithms for devices with limited resources; their goal is to ensure the security of data transmission through resource-constrained devices. Impossible differential cryptanalysis is one of the most effective cryptanalysis techniques against block ciphers, and assessing a cipher's ability to resist this attack is a basic design criterion. Shadow is a lightweight block cipher proposed by Guo et al. (IEEE Internet Things J 8(16):13014–13023, 2021). It combines ARX operations with a generalized Feistel structure to overcome the weakness of the traditional Feistel structure, which only diffuses half of the state in one round. In this paper, we focus on the differential property of Shadow and its security against impossible differential cryptanalysis. First, we use the SAT method to automatically search for a full-round impossible differential distinguisher of Shadow-32. Then, based on the experimental results, we prove that Shadow has a differential property with probability 1 based on the propagation of the state. From this, we obtain an impossible differential distinguisher for an arbitrary number of rounds of Shadow. Finally, we perform a full key recovery attack on the full-round Shadow-32 and Shadow-64. Both experimentally and theoretically, our results indicate that Shadow is critically flawed: regardless of the security strength of the internal components and the number of rounds applied, the overall cipher remains vulnerable to impossible differential cryptanalysis.

Introduction

Alongside the accelerating development of information technology, Internet of Things (IoT) technologies such as RFID and wireless sensors are increasingly applied in daily life, and they are often integrated into devices with limited storage and computing resources. However, traditional block ciphers are not suitable for these devices, as their high software and hardware implementation requirements cannot guarantee the security of data transmission. Thus, there is a demand for lightweight block ciphers that provide high performance and security in resource-constrained environments.

Driven by the need to protect private data on resource-constrained devices, lightweight block ciphers aim to achieve low resource utilization, low power consumption and high computational efficiency while maintaining the security of block ciphers. In line with this objective, many well-designed lightweight block ciphers have been proposed, such as SEA (Standaert et al. 2006), HIGHT (Hong et al. 2006), PRESENT (Bogdanov et al. 2007), LBlock (Wu and Zhang 2011), SIMON and SPECK (Beaulieu et al. 2015), Midori (Banik et al. 2015) and Shadow (Guo et al. 2021), among others. Moreover, security evaluation of lightweight block ciphers is essential: a newly proposed lightweight block cipher needs to be assessed for its security against traditional cryptanalytic attacks, i.e. differential cryptanalysis (Biham and Shamir 1991), linear cryptanalysis (Matsui 1994), impossible differential cryptanalysis, and others.

Impossible differential cryptanalysis was first proposed independently by Knudsen (1998) and Biham et al. (1999). It is one of the most effective cryptanalysis techniques against block ciphers, and assessing the ability to resist it is a basic design criterion. Its basic idea is to exclude wrong keys that lead to a zero-probability difference and then recover the correct key by exhausting the remaining candidate keys. In general, impossible differential cryptanalysis consists of two phases: the search for an impossible differential distinguisher and the key recovery. The key to impossible differential analysis is to find the impossible differential distinguisher covering the most rounds.

Research on automated search methods has been an important topic for the last 20 years. The first key tool for automated search is Mixed Integer Linear Programming (MILP), which was first employed by Mouha et al. (2012) to find the minimum number of active S-boxes for word-oriented block ciphers. Later, Sun et al. (2014) extended the method from word-oriented to bit-oriented ciphers, and assessed the ability of bit-oriented block ciphers to resist (related-key) differential attacks. Since then, MILP has been widely used for the cryptanalysis of block ciphers. Cui et al. (2016) and Sasaki and Todo (2017) each applied MILP to the automatic search for impossible differentials. In 2017, Abdelkhalek et al. (2017) applied MILP to block ciphers with 8-bit S-boxes. In recent years, MILP has remained a popular tool for the automated search for differential distinguishers (Zhu et al. 2019; Kumar and Yadav 2022; Kaur et al. 2023).

Another important tool for automated search relies on the Boolean Satisfiability Problem or Satisfiability Modulo Theories (SAT/SMT). In 2012, Mouha et al. (2012) first used the SAT/SMT method to automatically seek optimal differential characteristics of Salsa20. Later, in 2015, Kölbl et al. (2015) employed the SAT/SMT method to automatically search for optimal differential and linear characteristics of SIMON. In 2017, Sun et al. (2017) automatically searched for bit-based integral distinguishers of ARX block ciphers using the SAT/SMT method. In 2020, Hu et al. (2020) moved away from modelling the propagation of the difference and proposed a SAT/SMT-aided search method for impossible differentials that uses the propagation of the state. Later, in 2021, Sun et al. (2021) focused on accelerating SAT/SMT-based searches for differential and linear characteristics. In 2023, Sun and Wang (2023) developed SAT/SMT models to search for differential and linear characteristics of block ciphers with large S-boxes.

Shadow, a lightweight block cipher, was proposed by Guo et al. (2021) to protect private data transmitted through IoT nodes. Shadow combines ARX operations with a generalized Feistel structure, which resolves the issue that current ARX-based lightweight block ciphers only diffuse half of the state in one round. The security of Shadow was first evaluated by its designers. They performed impossible differential cryptanalysis and biclique cryptanalysis on Shadow: the impossible differential attack uses a 4-round impossible differential distinguisher to perform a 7-round key recovery attack, and the biclique attack constructs an 8-round biclique structure. Consequently, the designers asserted that Shadow exhibits a high level of resistance against cryptanalysis. In this paper, we show that Shadow cannot resist impossible differential cryptanalysis, and we identify significant security weaknesses in its current design.

Our contributions In this paper, we focus on the differential property of Shadow and its security against impossible differential cryptanalysis. For the first time, we perform an impossible differential attack on the full-round Shadow-32 and Shadow-64. Our results indicate that Shadow is critically flawed: regardless of the security strength of the internal components and the number of rounds applied, the overall cipher remains vulnerable to impossible differential cryptanalysis. The specific results are displayed in Table 1. Our contributions can be summarized as follows.

  • We use the SAT method to find a full-round impossible differential distinguisher of Shadow-32.

  • We prove that Shadow has a differential property with probability 1 based on the propagation of state proposed by Hu et al. (2020), and then present an impossible differential distinguisher for an arbitrary number of rounds.

  • We perform full key recovery on full-round Shadow-32 with \(2^{30}\) data complexity, \(2^{48}\) 16-round encryption time complexity and \(2^{43}\) 32-bit block memory complexity.

  • We perform full key recovery on full-round Shadow-64 with \(2^{61}\) data complexity, \(2^{96}\) 32-round encryption time complexity and \(2^{90}\) 64-bit block memory complexity.

Organization The subsequent sections of this paper are arranged as follows. Section “Preliminaries” describes the background knowledge used in this paper. Section “Automatic search for impossible differential distinguisher” shows how to automatically search for impossible differential distinguishers using the SAT method. Section “A proof of impossible differential distinguishers for an arbitrary number of rounds” proves the differential property with probability 1 of Shadow-32/64 based on the propagation of the state. Full key recovery attacks on the full-round Shadow-32 and Shadow-64 are mounted in section “Key recovery attack on full-round Shadow-32/64”. Finally, section “Summary” summarizes the paper.

Table 1 Analytical results of Shadow-32/64

Preliminaries

Notation

In this subsection, we first present the following notations that are utilized throughout the paper.

  • \(L^{i-1}_0\): The input state for the first branch on the left of ith round;

  • \(L^{i-1}_1\): The input state for the second branch on the left of ith round;

  • \(R^{i-1}_0\): The input state for the first branch on the right of ith round;

  • \(R^{i-1}_1\): The input state for the second branch on the right of ith round;

  • \(\triangle L^{i-1}_0\): The input difference for the first branch on the left of ith round;

  • \(\triangle L^{i-1}_1\): The input difference for the second branch on the left of ith round;

  • \(\triangle R^{i-1}_0\): The input difference for the first branch on the right of ith round;

  • \(\triangle R^{i-1}_1\): The input difference for the second branch on the right of ith round;

  • \(x^{i-1}\): The input state of ith round;

  • \({\hat{x}}^{i-1}\): The other input state of ith round (the second state of a pair);

  • \(\triangle x^{i-1}\): The input difference of ith round;

  • \({\mathbb {F}}_2\): The binary field;

  • \(key^i\): The ith round subkey;

  • RN: full round;

  • r: iterative rounds;

  • m: block size of the cipher;

  • &: bitwise AND;

  • \(\oplus\): XOR;

  • \(\lll n\): rotation to the left by n bits;

Description of Shadow

Shadow utilizes a combination of ARX operations and a generalized Feistel structure, which includes two versions: Shadow-32 and Shadow-64. The block sizes of Shadow-32 and Shadow-64 are 32 and 64 bits, respectively, with key sizes of 64 and 128 bits and round numbers of 16 and 32, respectively.

Encryption algorithm

Shadow comprises three main operations: AND, Rotation, and XOR. Let \((L^{i-1}_0,L^{i-1}_1,R^{i-1}_0,R^{i-1}_1)\) be the input state of the ith round function, \((L^{i}_0,L^{i}_1,R^{i}_0,R^{i}_1)\) the corresponding output state, and let \(key^{i}_j\) \((0 \le j \le 3)\) be the four segments selected from the round subkey \(key^{i}\). The round function of Shadow is depicted in Fig. 1.

Fig. 1 The ith round function of Shadow

From Fig. 1, the round function of Shadow calls f four times, where f is

$$\begin{aligned} f(x)=((x \lll 1) \& (x \lll 7)) \oplus (x \lll 1), \end{aligned}$$

and this operation reduces logic hardware and software consumption.

For the RN-round encryption process of Shadow, the plaintext \(P=(L^0_0,L^0_1,R^0_0,R^0_1)\) is divided into four equal-sized branches. First, the first branch on the left \(L^0_0\) is passed through the f function and then XORed with the second branch on the left \(L^0_1\) and the subkey \(key^1_0\) to get P0, i.e. \(P0=f(L^0_0)\oplus L^0_1 \oplus key^1_0\). Similarly, the first branch on the right \(R^0_0\) undergoes the same operation with the second branch on the right \(R^0_1\) to get P1, i.e. \(P1=f(R^0_0)\oplus R^0_1 \oplus key^1_1\). The half-round output \((P0,L^0_0,P1,R^0_0)\) is obtained by swapping the two branches on each side separately. Next, P0 is passed through the f function and then XORed with \(L^0_0\) and the subkey \(key^1_2\) to get \(L^1_1\), i.e. \(L^1_1=f(P0)\oplus L^0_0 \oplus key^1_2\). Similarly, P1 undergoes the same operation with \(R^0_0\) to get \(R^1_1\), i.e. \(R^1_1=f(P1)\oplus R^0_0 \oplus key^1_3\). After the data exchange between the left and right sides, the first-round output is \((P1,L^1_1,P0,R^1_1)\). Repeating the above operation for RN rounds generates the ciphertext \(C=(L^{RN}_0,L^{RN}_1,R^{RN}_0,R^{RN}_1)\). Notice that there is no data exchange in the last round. The corresponding encryption algorithm is exhibited in Algorithm 1. Since Shadow uses a generalized Feistel structure, the decryption algorithm only needs to use the round subkeys in reverse order compared to the encryption algorithm.

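As an added illustration (not code from the paper or from the Shadow designers), the following Python implements the round function, encryption and decryption just described, together with the side-by-side propagation of two states that the later sections build on. It assumes four 8-bit branches for Shadow-32 (16-bit for Shadow-64) with \(L_0\) as the most significant branch of the block, and uses constructed round subkeys in place of the key schedule, whose permutation tables are not reproduced on this page.

```python
import random
from typing import List, Sequence, Tuple

State = Tuple[int, int, int, int]      # (L0, L1, R0, R1), each a w-bit branch
RoundKey = Tuple[int, int, int, int]   # (key_0, key_1, key_2, key_3) of one round


def rotl(x: int, n: int, w: int) -> int:
    """Rotate a w-bit word left by n bits (the <<< n operation of the page)."""
    n %= w
    return ((x << n) | (x >> (w - n))) & ((1 << w) - 1)


def f(x: int, w: int) -> int:
    """Shadow's f(x) = ((x <<< 1) & (x <<< 7)) xor (x <<< 1) on a w-bit branch."""
    a = rotl(x, 1, w)
    return (a & rotl(x, 7, w)) ^ a


def round_function(s: State, rk: RoundKey, swap: bool, w: int) -> State:
    """One Shadow round as described on this page; swap=False in the last round."""
    l0, l1, r0, r1 = s
    k0, k1, k2, k3 = rk
    p0 = f(l0, w) ^ l1 ^ k0   # P0 = f(L0) xor L1 xor key_0
    p1 = f(r0, w) ^ r1 ^ k1   # P1 = f(R0) xor R1 xor key_1
    # the half-round state after the swap inside each side is (P0, L0, P1, R0)
    nl1 = f(p0, w) ^ l0 ^ k2  # L1' = f(P0) xor L0 xor key_2
    nr1 = f(p1, w) ^ r0 ^ k3  # R1' = f(P1) xor R0 xor key_3
    return (p1, nl1, p0, nr1) if swap else (p0, nl1, p1, nr1)


def encrypt(s: State, keys: Sequence[RoundKey], w: int) -> State:
    """RN-round encryption; the data exchange is skipped in the last round."""
    rn = len(keys)
    for i, rk in enumerate(keys):
        s = round_function(s, rk, i != rn - 1, w)
    return s


def decrypt(s: State, keys: Sequence[RoundKey], w: int) -> State:
    """Generalized Feistel: the same rounds with subkeys in reverse order, where
    (key_2, key_3) now play the role of (key_0, key_1) and vice versa."""
    inv = [(k2, k3, k0, k1) for (k0, k1, k2, k3) in reversed(keys)]
    return encrypt(s, inv, w)


def split(block: int, w: int) -> State:
    """m-bit block -> (L0, L1, R0, R1); assumption: L0 is the most significant branch."""
    mask = (1 << w) - 1
    return tuple((block >> (w * (3 - i))) & mask for i in range(4))  # type: ignore


def join(s: State, w: int) -> int:
    return (s[0] << 3 * w) | (s[1] << 2 * w) | (s[2] << w) | s[3]


def difference_trace(p: int, p_hat: int, keys: Sequence[RoundKey], w: int) -> List[int]:
    """Propagate two states side by side (the propagation-of-state view of
    Definition 3) and return the differences (dx^0, ..., dx^r) as m-bit integers."""
    s, s_hat = split(p, w), split(p_hat, w)
    diffs = [p ^ p_hat]
    rn = len(keys)
    for i, rk in enumerate(keys):
        swap = i != rn - 1
        s, s_hat = round_function(s, rk, swap, w), round_function(s_hat, rk, swap, w)
        diffs.append(join(s, w) ^ join(s_hat, w))
    return diffs


def count_hits(alpha: int, beta: int, keys: Sequence[RoundKey], w: int,
               trials: int, seed: int = 1) -> int:
    """Number of random pairs with input difference alpha whose output difference is
    beta. A genuine impossible differential always gives 0, so one hit refutes a
    claimed distinguisher; zero hits in a sample is consistent with it, not a proof."""
    rng = random.Random(seed)
    m = 4 * w
    return sum(difference_trace(p, p ^ alpha, keys, w)[-1] == beta
               for p in (rng.getrandbits(m) for _ in range(trials)))


def sample_keys(rounds: int, w: int, seed: int = 7) -> List[RoundKey]:
    """Constructed round subkeys standing in for Generator1/Generator2 output."""
    rng = random.Random(seed)
    return [tuple(rng.getrandbits(w) for _ in range(4)) for _ in range(rounds)]  # type: ignore


if __name__ == "__main__":
    keys32 = sample_keys(16, 8)        # Shadow-32: 16 rounds over 8-bit branches
    p = 0x01234567
    c = join(encrypt(split(p, 8), keys32, 8), 8)
    assert join(decrypt(split(c, 8), keys32, 8), 8) == p
    trace = difference_trace(p, p ^ 0x80000000, keys32, 8)
    print("ciphertext %08x; round differences: %s" % (c, " ".join("%08x" % d for d in trace)))
    print("pairs hitting 0x80000000 -> 0x40000000 out of 1000:",
          count_hits(0x80000000, 0x40000000, keys32, 8, 1000))
```

No test vectors are given on this page, so correctness is checked through the encrypt/decrypt round trip rather than against reference ciphertexts.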

Key schedule

Depending on the block size of Shadow, there are two kinds of round subkey generators, i.e. Generator1 and Generator2. For Shadow-32, the 64-bit primary key K is written as \(k_0||k_1||k_2||\ldots ||k_{62}||k_{63}\) and enters Generator1. Generator1 contains three operations, i.e. AddRoundConstant, NX Module, and Permutation. Firstly, the AddRoundConstant operation is performed on the 5-bit key \(k_3||k_4||k_5||k_6||k_7\), followed by the NX Module on the 8-bit key \(k_{56}||k_{57}||k_{58}||\ldots ||k_{62}||k_{63}\), and finally the Permutation on the 64-bit key. Subsequently, the subkey \(K{'}\) of the first round is obtained, where the first 32 bits of \(K{'}\) are partitioned into four equal-sized segments for the round key XOR operation. \(K{'}\) is then fed back into Generator1 to generate the subkey of each subsequent round until the encryption is completed. The specific operation procedure of Generator1 is depicted in Fig. 2.

Fig. 2 The detailed operation procedure of Generator1

AddRoundConstant The round constant r is first expanded into its binary representation \(c_0||c_1||c_2||c_3||c_4\), after which the 5-bit key \(k_3||k_4||k_5||k_6||k_7\) is XORed with the 5-bit value \(c_0||c_1||c_2||c_3||c_4\).

NX Module The only non-linear operation in Generator1 is the NX Module. For Shadow-32, the 8-bit key \(k_{56}||k_{57}||\ldots ||k_{62}||k_{63}\) executes NX Module. The NX Module operates based on the following principle:

$$\begin{aligned} \left\{ \begin{array}{l} k{'}_{56} =k_{56} \& (k_{56} \oplus k_{62})\\ k{'}_{57} =k_{57} \& (k_{57} \oplus k_{63})\\ k{'}_{58} =k_{58} \& (k_{58} \oplus k_{56} \oplus k_{62})\\ k{'}_{59} =k_{59} \& (k_{59} \oplus k_{57} \oplus k_{63})\\ k{'}_{60} =k_{60} \& (k_{60} \oplus k_{58} \oplus k_{56} \oplus k_{62})\\ k{'}_{61} =k_{61} \& (k_{61} \oplus k_{59} \oplus k_{57} \oplus k_{63})\\ k{'}_{62} =k_{62} \& (k_{62} \oplus k_{60} \oplus k_{58} \oplus k_{56} \oplus k_{62})\\ k{'}_{63} =k_{63} \& (k_{63} \oplus k_{61} \oplus k_{59} \oplus k_{57} \oplus k_{63}). \end{array} \right. \end{aligned}$$

Permutation After the AddRoundConstant and NX Module operations are executed in Generator1, the Permutation is implemented for the 64-bit key. As shown in Table 2, \(p_i\) denotes the position index before the Permutation, while \(p{'}_i\) denotes the position index after the Permutation.

Table 2 Permutation of Shadow-32

For Shadow-64, the 128-bit primary key K is written as \(k_0||k_1||k_2||\ldots ||k_{126}||k_{127}\) and enters Generator2. Generator2 also contains three operations, i.e. AddRoundConstant, NX Module, and Permutation. In Generator2, the round constant r is first expanded into its binary representation \(c_0||c_1||c_2||c_3||c_4||c_5\), which is XORed with the 6-bit key \(k_2||k_3||k_4||k_5||k_6||k_7\). Subsequently, the NX Module is applied to the 24-bit key \(k_{104}||k_{105}||\ldots ||k_{126}||k_{127}\), followed by the Permutation operation on the 128-bit key. Finally, the subkey \(K{'}\) of the first round is obtained, where the first 64 bits of \(K{'}\) are partitioned into four equal-sized segments for the round key XOR operation. \(K{'}\) is then fed back into Generator2 to derive the round keys until the encryption is completed. The principle of Generator2 is the same as that of Generator1, but with different numbers of bits. The detailed operation procedure of the Permutation is depicted in Table 3 and the NX Module operates based on the following principle:

$$\begin{aligned} \left\{ \begin{array}{l} k{'}_{104} =k_{104} \& (k_{104} \oplus k_{126})\\ k{'}_{105} =k_{105} \& (k_{105} \oplus k_{127})\\ k{'}_{106} =k_{106} \& (k_{106} \oplus k_{104} \oplus k_{126})\\ k{'}_{107} =k_{107} \& (k_{107} \oplus k_{105} \oplus k_{127})\\ k{'}_{108} =k_{108} \& (k_{108} \oplus k_{106} \oplus k_{104} \oplus k_{126})\\ k{'}_{109} =k_{109} \& (k_{109} \oplus k_{107} \oplus k_{105} \oplus k_{127})\\ k{'}_{110} =k_{110} \& (k_{110} \oplus k_{108} \oplus k_{106} \oplus k_{104} \oplus k_{126})\\ \quad \vdots \\ k{'}_{127} =k_{127} \& (k_{127} \oplus k_{125} \oplus k_{123} \oplus \ldots \oplus k_{105} \oplus k_{127}). \end{array} \right. \end{aligned}$$

Table 3 Permutation of Shadow-64

Impossible differential cryptanalysis

Impossible differential cryptanalysis is a variant of differential cryptanalysis, proposed independently by Knudsen (1998) and Biham et al. (1999). Whereas classical differential cryptanalysis utilizes a high-probability differential characteristic, impossible differential cryptanalysis utilizes a zero-probability differential characteristic to recover keys. Its basic idea is to exclude wrong keys that lead to a zero-probability difference and then recover the correct key by exhausting the remaining candidate keys. Impossible differential cryptanalysis comprises two phases: the search for impossible differential distinguishers, and the key recovery. The key to impossible differential analysis is to find the impossible differential distinguisher covering the most rounds, as a higher number of rounds indicates weaker resistance against impossible differential attacks. The traditional way of searching for impossible differential distinguishers is to describe the propagation of differences through the block cipher; however, the propagation of a difference through non-linear components is uncertain, which makes it impossible to take into account the details of the non-linear components and of the key schedule.

Definition 1

(Block Cipher) Let \({\mathbb {F}}_2\) be the binary field, and \({\mathbb {F}}^m_2\) and \({\mathbb {F}}^t_2\) be m-dimensional and t-dimensional vector space over the finite field \({\mathbb {F}}_2\), respectively. If the plaintext \(P \in {\mathbb {F}}^m_2\), the ciphertext \(C \in {\mathbb {F}}^m_2\), and the master key \(K \in {\mathbb {F}}^t_2\), then the iterative block cipher \(E^m_K\) with \({\mathbb {F}}^m_2\) as the plaintext space (ciphertext space) and \({\mathbb {F}}^t_2\) as the key space is

$$\begin{aligned} E^m_K: {\mathbb {F}}^m_2 \times {\mathbb {F}}^t_2 \mapsto {\mathbb {F}}^m_2. \end{aligned}$$

Definition 2

(Impossible Differential Distinguisher) For an iterative block cipher \(E^m_K\), let \(\alpha \in {\mathbb {F}}^m_2\) be the input difference and \(\beta \in {\mathbb {F}}^m_2\) be the r-round output difference. If the differential propagation probability satisfies \(Pr(\alpha \rightarrow \beta )=0\), then \(\alpha \nrightarrow \beta\) is an r-round impossible differential distinguisher.

Since the input difference can be obtained as the XOR of two input states, Hu et al. (2020) characterize the propagation of the difference by describing the propagation of two initial states. That is, given two input states \((x^0_0,x^0_1)\), perform r-round encryption and obtain two state propagation traces, i.e. \((x^0_0,x^1_0,x^2_0,\ldots ,x^{r}_0)\) and \((x^0_1,x^1_1,x^2_1,\ldots ,x^{r}_1)\); then \(x^i_0 \oplus x^i_1\) \((0 \le i \le r)\) gives the input difference and the output difference of each round, i.e. the differential characteristic \((\triangle x^0,\triangle x^1,\ldots ,\triangle x^{r})\). Compared to traditional impossible differential analysis, impossible differential analysis based on the propagation of the state not only takes into account the details of the non-linear components but also allows one to consider the impact of the key schedule.

Definition 3

(Impossible Differential Distinguisher Based on the Propagation of State) For an iterative block cipher \(E^m_K\), let \(\alpha\) be the input difference and \(\beta\) the output difference. If for all \((x_0,x_1) \in \{(a_0,a_1) \in {\mathbb {F}}^m_2 \times {\mathbb {F}}^m_2 | a_0 \oplus a_1=\alpha \}\) and all \((y_0,y_1) \in \{(b_0,b_1) \in {\mathbb {F}}^m_2 \times {\mathbb {F}}^m_2 | b_0 \oplus b_1=\beta \}\) we have \(E^r_K(x_0) \oplus E^r_K(x_1) \ne y_0 \oplus y_1\), i.e. the differential propagation probability satisfies \(Pr(\alpha \rightarrow \beta )=0\), then \(\alpha \nrightarrow \beta\) is an r-round impossible differential distinguisher based on the propagation of state.

The following procedure uses an \((r-1)\)-round impossible differential distinguisher to recover the r-th round key.

  • Find an \((r-1)\)-round impossible differential distinguisher \(\alpha \nrightarrow \beta\);

  • Select plaintext pairs \((P,{\hat{P}})\) with \(P \oplus {\hat{P}}=\alpha\), perform r-round encryption and obtain the ciphertext pairs \((C,{\hat{C}})\);

  • Guess the possible values of the r-th round key \(k_r\). For each possible value of \(k_r\), decrypt the ciphertexts C and \({\hat{C}}\) by one round and obtain \((D,{\hat{D}})\). Check whether \(D \oplus {\hat{D}}=\beta\) holds; if it does, the guessed key is wrong;

  • Repeat the above steps until only the correct key remains.

Assume that |K| key bits are recovered by the above attack and that each plaintext pair eliminates a fraction \(2^{-t}\) of the candidate keys. To ensure that the correct key is uniquely determined, the required number of plaintext pairs N must satisfy

$$\begin{aligned} (2^{|K|}-1)\times (1-2^{-t})^{N} < 1, \end{aligned}$$

When t is relatively large, it gives

$$\begin{aligned} N > 2^t \times \ln 2 \times |K| \approx 2^{t-0.53}|K|. \end{aligned}$$

The above equation shows that, in an impossible differential attack, the data complexity is almost independent of the number of guessed key bits; the dominant factor is the amount of key information that each plaintext pair can eliminate.

SAT problem

The Boolean Satisfiability Problem (SAT) is a foundational computational problem in computer science and mathematical logic. It asks whether a given Boolean formula, composed of Boolean variables and logical operators such as AND, OR, and NOT, admits an assignment of truth values that satisfies the formula. STP is a publicly available solver for such problems. Its input is expected to be a file with the “.stp” extension, adhering to the CVC language format.

When solving an SAT problem, the first step is to construct a model using the CVC language and save it as a file with the “.stp” extension. Subsequently, the STP solver is invoked for this file. If the STP returns “Valid.”, it indicates that the target problem has no solution. Otherwise, it returns a solution of the target problem and “Invalid.”. For more details about the STP solver and the CVC language, please refer to https://stp.github.io/.

The following are the CVC terms used in this paper:

  1. ASSERT(): The command statement that adds a constraint.

  2. BITVECTOR(n): Declare a variable as an n-bit vector.

  3. \(t_1@t_2@\ldots @t_m\): The concatenation operation.

  4. \(t_1\) & \(t_2\) & \(\ldots\) & \(t_m\): The bitwise AND operation.

  5. \(BVXOR(t_1,t_2)\): The bitwise XOR operation.

Automatic search for impossible differential distinguisher

In this section, we use the SAT method to automatically search for impossible differential distinguishers based on the propagation of the state, and find a full-round impossible differential distinguisher of Shadow-32.

Bit-oriented SAT model based on the propagation of the state

In this subsection, we will demonstrate the process of constructing the SAT model for searching impossible differential distinguishers based on the propagation of the state.

According to Definition 3, the modeling process consists of two steps: the first step describes the propagation of the two states over r rounds of iteration, and the second step obtains the input difference and the r-round output difference by XORing the two states and assigns them the given values. For the first step, the core is to model the propagation of the state under the basic operations. Since Shadow utilizes ARX operations and is bit-oriented, we use the CVC language to generate statements for the propagation of the state under bit-oriented COPY, bit-oriented AND, bit-oriented Rotation, and bit-oriented XOR. For the second step, we use the CVC language to generate statements for the computation of the difference and the constraints on the difference.

Model 1

(COPY) Let F be a COPY function, where the input state is \(x \in {\mathbb {F}}^q_2\) and the outputs \(y^0,y^1,\ldots ,y^{t-1} \in {\mathbb {F}}^q_2\) are calculated as \((y^0,y^1,\ldots ,y^{t-1})=(x,x,\ldots ,x)\). The bit vector format is \(x=(x_0,\ldots ,x_{q-1})\) and \(y^i=(y^i_0,y^i_1,\ldots ,y^i_{q-1})\), where \(x_j,y^i_j \in {\mathbb {F}}_2\), \(0\le j \le q-1\) and \(0 \le i \le t-1\). Then, the propagation of the state under the COPY operation is modeled in CVC format as

$$\begin{aligned} \left\{ \begin{array}{l} ASSERT(y^0_0@\ldots @y^0_{q-1}=x_0@\ldots @x_{q-1});\\ ASSERT(y^1_0@\ldots @y^1_{q-1}=x_0@\ldots @x_{q-1});\\ \quad \quad \vdots \\ ASSERT(y^{t-1}_0@\ldots @y^{t-1}_{q-1}=x_0@\ldots @x_{q-1}); \end{array} \right. \end{aligned}$$

The COPY operation is usually omitted in practical modeling because the value of the state remains unchanged after the COPY operation.

Model 2

(XOR) Let F be an XOR function, where the two input states are \(x,y \in {\mathbb {F}}^q_2\) and the output \(z \in {\mathbb {F}}^q_2\) is calculated as \(z=x \oplus y\). The bit vector format is \(x=(x_0,x_1,\ldots ,x_{q-1}),y=(y_0,y_1,\ldots ,y_{q-1})\), and \(z=(z_0,z_1,\ldots ,z_{q-1})\), where \(x_j,y_j,z_j \in {\mathbb {F}}_2\) and \(0\le j \le q-1\). Then, the modeling of the propagation of the state under the XOR operation is described in CVC format as

$$\begin{aligned}ASSERT&(z_0@\ldots @z_{q-1}=BVXOR\\&(x_0@\ldots @x_{q-1},y_0@\ldots @y_{q-1})); \end{aligned}$$

Model 3

(AND) Let F be an AND function, where the two input states are \(x,y \in {\mathbb {F}}^q_2\) and the output \(z \in {\mathbb {F}}^q_2\) is calculated as \(z=x\) & y. The bit vector format is \(x=(x_0,x_1,\ldots ,x_{q-1}),y=(y_0,y_1,\ldots ,y_{q-1})\), and \(z=(z_0,z_1,\ldots ,z_{q-1})\), where \(x_j,y_j,z_j \in {\mathbb {F}}_2\) and \(0\le j \le q-1\). Then, the propagation of the state under the AND operation is modeled in CVC format as

$$\begin{aligned}ASSERT(z_0@\ldots @z_{q-1}&=(x_0@\ldots @x_{q-1}) \\&\quad \& (y_0@\ldots @y_{q-1})); \end{aligned}$$

Model 4

(Rotation) Let F be a Rotation function, where the input state is \(x \in {\mathbb {F}}^q_2\) and the output \(y \in {\mathbb {F}}^q_2\) is calculated as \(y=x \lll n\), where n is a constant. The bit vector format is \(x=(x_0,x_1,\ldots ,x_{q-1})\) and \(y=(y_0,y_1,\ldots ,y_{q-1})\), where \(x_j,y_j\in {\mathbb {F}}_2\) and \(0\le j \le q-1\). Then, the modeling of the propagation of the state under the Rotation operation is described in CVC format as

$$\begin{aligned} ASSERT(y_0@\ldots @y_{q-1}&=(x_n@x_{n+1}@\ldots @x_{q-1}\\&\quad @x_0@\ldots @x_{n-1})); \end{aligned}$$

Computation of difference Let \((x^0,{\hat{x}}^0) \in {\mathbb {F}}^q_2 \times {\mathbb {F}}^q_2\) be the two initial states; after r rounds of propagation, the r-round states \((x^r,{\hat{x}}^r)\) are obtained. By \(\triangle x^0= x^0 \oplus {\hat{x}}^0\) and \(\triangle x^r= x^r \oplus {\hat{x}}^r\) we obtain the input difference \(\triangle x^0\) and the r-round output difference \(\triangle x^r\). The bit vector format is \(A=(A_0,A_1,\ldots ,A_{q-1})\) for each \(A \in \{x^0,{\hat{x}}^0,x^r,{\hat{x}}^r,\triangle x^0,\triangle x^r\}\). Then, the computation of the input difference and the r-round output difference can be described in CVC format as

$$\begin{aligned}&ASSERT(\triangle x_0^0@\ldots @\triangle x_{q-1}^0\\ &\quad =BVXOR(x_0^0@\ldots @x_{q-1}^0,{\hat{x}}_0^0@\ldots @{\hat{x}}_{q-1}^0));\\&ASSERT(\triangle x_0^r@\ldots @\triangle x_{q-1}^r\\&\quad =BVXOR(x_0^r@\ldots @x_{q-1}^r,{\hat{x}}_0^r@\ldots @{\hat{x}}_{q-1}^r)); \end{aligned}$$

Constraints on difference Let the input difference be \(\triangle x^0=\alpha\) and the r-round output difference be \(\triangle x^r=\beta\), where \(\alpha , \beta \in {\mathbb {F}}^q_2\) are the given values. The bit vector format is \(\alpha =(\alpha _0,\alpha _1,\ldots ,\alpha _{q-1})\) and \(\beta =(\beta _0,\beta _1,\ldots ,\beta _{q-1})\), where \(\alpha _j,\beta _j\in {\mathbb {F}}_2\) and \(0\le j \le q-1\). Then, the constraints on the input difference and the output difference can be described in CVC format as

$$\begin{aligned}&ASSERT(\triangle x_0^0@\ldots @\triangle x_{q-1}^0=\alpha _0@\ldots @\alpha _{q-1});\\ &ASSERT(\triangle x_0^r@\ldots @\triangle x_{q-1}^r =\beta _0@\ldots @\beta _{q-1}); \end{aligned}$$

The search algorithm for impossible differential distinguisher of shadow

In this subsection, we show how to automatically seek impossible differential distinguishers. The automated search method consists of two phases: a statement generation phase and an impossible differential distinguisher search phase. In the statement generation phase, Algorithm 2 automatically generates the statements describing how the input difference \(\triangle x^0\) propagates to the r-round output difference \(\triangle x^r\) with \(\triangle x^0=\alpha\) and \(\triangle x^r=\beta\), and saves these statements to a file. In the search phase, Algorithm 3 invokes STP on the file generated by Algorithm 2 to determine whether an impossible differential distinguisher exists, traversing sets of input and output differences that satisfy certain conditions.


For Shadow, Algorithm 3 gives the overall framework for searching impossible differential distinguishers, i.e., the Main function; Algorithm 2 models the propagation of a given input difference to a given output difference, i.e., the Generate function. The inputs to Algorithm 3 are the input difference set Id and the output difference set Od, where \(Id=\{\alpha \in {\mathbb {F}}^m_2 | wt(\alpha )=1\}\) and \(Od=\{\beta \in {\mathbb {F}}^m_2 | wt(\beta )=1\}\), i.e., Id and Od are the sets of all input and output differences of weight 1. For each \(\alpha \in Id\) and \(\beta \in Od\), Algorithm 3 first invokes Algorithm 2 to generate the file describing the propagation of \(\alpha\) to \(\beta\), then invokes STP to solve the file. If STP returns “Valid.”, then \((\alpha ,\beta )\) is an impossible differential distinguisher and the algorithm terminates; otherwise, it continues to traverse Id and Od.

We present some specific explanations about Algorithm 2 as follows.

  • Line 1–3. Here \(x=(x^0,\ldots ,x^r)\) and \({\hat{x}}=({\hat{x}}^0,\ldots ,\) \({\hat{x}}^r)\), where \(x^i,{\hat{x}}^i \in {\mathbb {F}}^m_2\). Declare the state variables \(x^i_j\) and \({\hat{x}}^i_j\) as 1 bit, where \(0 \le i \le r\) and \(0 \le j \le m-1\). Declare the intermediate variables and the difference variables as 1 bit.

  • Line 4–7. Using the provided propagation rules for each operation, model the propagation of \(x^0\) to \(x^r\) and \({\hat{x}}^0\) to \({\hat{x}}^r\) by incorporating intermediate variables.

  • Line 8–9. Based on the modeling for the computation of difference and the constraints on difference, generate the corresponding statements.

  • Line 10–11. The statements “QUERY(FALSE);” and “COUNTEREXAMPLE;” are appended at the end of the file, because both are required for solving a SAT problem with STP. With these two statements, STP returns “Valid.” if the SAT problem has no solution; otherwise, it returns a solution and “Invalid.”.
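The generator below is an added example (not the authors' released code) that emits the CVC statements of Models 2–4, the computation of and constraints on the difference, and the closing “QUERY(FALSE);” and “COUNTEREXAMPLE;” lines, for r rounds of Shadow's round function with q-bit branches. It assumes that the round subkey bits are free 1-bit variables shared by both state traces (the key schedule is left unmodelled, which only makes a “Valid.” answer a stronger statement), and that the rotation amounts 1 and 7 of f apply to each q-bit branch.

```python
from typing import List, Sequence, Tuple

Bits = List[str]   # a q-bit value: its 1-bit CVC variable names, x_0 leftmost (MSB)


def cat(v: Bits) -> str:
    """CVC concatenation t_1@t_2@...@t_q."""
    return "@".join(v)


def flat(s: Sequence[Bits]) -> Bits:
    """Concatenate the four branches (L0, L1, R0, R1) into one m-bit value."""
    return [b for branch in s for b in branch]


class ShadowCvcModel:
    """Collects BITVECTOR(1) declarations and ASSERT statements for one STP query."""

    def __init__(self) -> None:
        self.decls: List[str] = []
        self.asserts: List[str] = []
        self.counter = 0

    def fresh(self, q: int, prefix: str = "t") -> Bits:
        """Declare q new 1-bit variables (Algorithm 2, lines 1-3) and return their names."""
        self.counter += 1
        names = [f"{prefix}{self.counter}_{j}" for j in range(q)]
        self.decls += [f"{n} : BITVECTOR(1);" for n in names]
        return names

    def rotl(self, x: Bits, n: int) -> Bits:
        """Model 4: y = x_n@...@x_{q-1}@x_0@...@x_{n-1}."""
        y = self.fresh(len(x))
        self.asserts.append(f"ASSERT({cat(y)} = {cat(x[n:] + x[:n])});")
        return y

    def band(self, x: Bits, y: Bits) -> Bits:
        """Model 3: z = (x) & (y)."""
        z = self.fresh(len(x))
        self.asserts.append(f"ASSERT({cat(z)} = ({cat(x)}) & ({cat(y)}));")
        return z

    def bxor(self, x: Bits, y: Bits) -> Bits:
        """Model 2: z = BVXOR(x, y)."""
        z = self.fresh(len(x))
        self.asserts.append(f"ASSERT({cat(z)} = BVXOR({cat(x)}, {cat(y)}));")
        return z

    def f(self, x: Bits) -> Bits:
        """f(x) = ((x <<< 1) & (x <<< 7)) xor (x <<< 1), bit by bit (COPY is implicit)."""
        a = self.rotl(x, 1)
        return self.bxor(self.band(a, self.rotl(x, 7 % len(x))), a)

    def shadow_round(self, s: Sequence[Bits], k: Sequence[Bits], swap: bool):
        """One Shadow round on (L0, L1, R0, R1) with the four subkey branches k[0..3]."""
        l0, l1, r0, r1 = s
        p0 = self.bxor(self.bxor(self.f(l0), l1), k[0])
        p1 = self.bxor(self.bxor(self.f(r0), r1), k[1])
        nl1 = self.bxor(self.bxor(self.f(p0), l0), k[2])
        nr1 = self.bxor(self.bxor(self.f(p1), r0), k[3])
        return (p1, nl1, p0, nr1) if swap else (p0, nl1, p1, nr1)

    def constrain(self, v: Bits, value: int) -> None:
        """Constraints on difference: ASSERT(v_0@...@v_{q-1} = 0bin...);"""
        self.asserts.append(f"ASSERT({cat(v)} = 0bin{value:0{len(v)}b});")


def generate(alpha: int, beta: int, rounds: int, q: int = 8) -> str:
    """CVC text asking whether input difference alpha can reach output difference
    beta after `rounds` rounds of Shadow with q-bit branches (8 for Shadow-32,
    16 for Shadow-64). Assumption: subkey bits are free variables shared by both
    traces, so the key schedule is not modelled; 'Valid.' then still certifies
    impossibility, for every key schedule."""
    m = ShadowCvcModel()
    x0 = [m.fresh(q, "x") for _ in range(4)]      # state x^0
    xh0 = [m.fresh(q, "xh") for _ in range(4)]    # state x^0-hat
    x, xh = x0, xh0
    for i in range(rounds):
        k = [m.fresh(q, "k") for _ in range(4)]   # key^{i+1}_0..3, shared by both traces
        swap = i != rounds - 1                    # no data exchange in the last round
        x, xh = m.shadow_round(x, k, swap), m.shadow_round(xh, k, swap)
    d_in = m.bxor(flat(x0), flat(xh0))            # Computation of difference, dx^0
    d_out = m.bxor(flat(x), flat(xh))             # dx^r
    m.constrain(d_in, alpha)                      # dx^0 = alpha
    m.constrain(d_out, beta)                      # dx^r = beta
    lines = m.decls + m.asserts + ["QUERY(FALSE);", "COUNTEREXAMPLE;"]  # Algorithm 2, lines 10-11
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The distinguisher reported on this page, over the full 16 rounds of Shadow-32;
    # feed the output to STP: 'Valid.' means no pair with these differences exists.
    print(generate(0x80000000, 0x40000000, 16), end="")
```

Each f costs four ASSERT statements and each round 24 per trace, so a 16-round Shadow-32 model has 772 ASSERTs plus the 1-bit declarations; this is the file that Algorithm 3 would hand to STP for each \((\alpha,\beta)\) pair.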

Experimental results In practice, we implemented Algorithms 3 and 2 using Python 3.8 and CryptoMiniSat. It took approximately 41 hours to find a full-round impossible differential distinguisher of Shadow-32, namely (0x80000000) \(\nrightarrow (0x40000000)\). The impossible differential distinguishers from the 1st to the 16th round and the corresponding time consumption are shown in Table 4. All experiments were run on the following platform: Intel(R) Xeon(R) CPU E5-2650 v4 @2.20GHz\(\times\)48, 503.8G RAM, 64-bit Ubuntu 20.04.6 LTS, using 4 threads. All source code is available at https://github.com/VanyaW/myproject.

Table 4 The impossible differential distinguisher of Shadow-32 from the 1st to the 16th round and the time consumption

From the experimental results, we find that Shadow may have an impossible differential distinguisher for an arbitrary number of rounds, which is proved theoretically in the next section. Since the search method is constrained by the block size and the number of rounds, we did not run it on Shadow-64 within the available time and resources; the next section, however, proves theoretically the existence of an impossible differential distinguisher for an arbitrary number of rounds of Shadow-64.

A proof of impossible differential distinguishers for an arbitrary number of rounds

In this section, we will prove that Shadow has a differential property with probability 1 based on the propagation of state, then we can get an impossible differential distinguisher for an arbitrary number of rounds of Shadow.

Theorem 1

For r-round Shadow, take any two input states \((L^0_0,L^0_1,R^0_0,R^0_1) \in F^m_2\) and \(({\hat{L}}^0_0,{\hat{L}}^0_1,{\hat{R}}^0_0,{\hat{R}}^0_1) \in F^m_2\) with input difference \((\triangle L^{0}_0,\triangle L^{0}_1,\triangle R^{0}_0,\triangle R^{0}_1)\), and let \((\triangle L^{r}_0,\triangle L^{r}_1,\triangle R^{r}_0,\triangle R^{r}_1)\) be the corresponding output difference after encrypting both states for r rounds. Then we have

$$\begin{aligned} \triangle L^{r}_0 \oplus \triangle R^{r}_0=\left\{ \begin{array}{rcl} \triangle L^{0}_0 \oplus \triangle R^{0}_0 &{} &{} r=2n(n \in \mathbb {N}^{*}),\\ \triangle L^{1}_0 \oplus \triangle R^{1}_0 &{} &{} r=2n+1(n \in \mathbb {N}^{*}). \end{array} \right. \end{aligned}$$

Proof

To analyze the overall structure of Shadow more intuitively, we simplify it to Fig. 3, which depicts any two consecutive rounds of the RN-round Shadow encryption. The red line in Fig. 3 represents the differential relationship given in Eq. (3), and the green line represents the differential relationship given in Eq. (4). Let the two input states of the \((i-1)\)th round be

$$\begin{aligned} \begin{array}{c} (L^{i-2}_0,L^{i-2}_1,R^{i-2}_0,R^{i-2}_1),\\ ({\hat{L}}^{i-2}_0,{\hat{L}}^{i-2}_1,{\hat{R}}^{i-2}_0,{\hat{R}}^{i-2}_1). \end{array} \end{aligned}$$

Then we have the \((i-1)\)th round input difference

$$\begin{aligned} \begin{array}{c} (\triangle L^{i-2}_0,\triangle L^{i-2}_1,\triangle R^{i-2}_0,\triangle R^{i-2}_1)\\ =(L^{i-2}_0 \oplus {\hat{L}}^{i-2}_0,L^{i-2}_1 \oplus {\hat{L}}^{i-2}_1,\\ \qquad R^{i-2}_0 \oplus {\hat{R}}^{i-2}_0,R^{i-2}_1 \oplus {\hat{R}}^{i-2}_1). \end{array} \end{aligned}$$

Correspondingly, the output difference of the \((i-1)\)th round is

$$\begin{aligned} \begin{array}{l} (\triangle L^{i-1}_0,\triangle L^{i-1}_1,\triangle R^{i-1}_0,\triangle R^{i-1}_1)\\ \quad =(L^{i-1}_0 \oplus {\hat{L}}^{i-1}_0,L^{i-1}_1 \oplus {\hat{L}}^{i-1}_1,\\ \qquad R^{i-1}_0 \oplus {\hat{R}}^{i-1}_0,R^{i-1}_1 \oplus {\hat{R}}^{i-1}_1), \end{array} \end{aligned}$$

and the output difference of the ith round is

$$\begin{aligned} \begin{array}{l} (\triangle L^{i}_0,\triangle L^{i}_1,\triangle R^{i}_0,\triangle R^{i}_1)\\ \quad =(L^{i}_0 \oplus {\hat{L}}^{i}_0,L^{i}_1 \oplus {\hat{L}}^{i}_1,R^{i}_0 \oplus {\hat{R}}^{i}_0,R^{i}_1 \oplus {\hat{R}}^{i}_1). \end{array} \end{aligned}$$

From the red line of Fig. 3, we have

$$\begin{aligned} L^i_0=R^{i-1}_1 \oplus F(R^{i-1}_0) \oplus key^{i}_1, \end{aligned}$$
(1)

and

$$\begin{aligned} F(R^{i-1}_0)=L^{i-1}_1 \oplus L^{i-2}_0 \oplus key^{i-1}_2. \end{aligned}$$
(2)

Combining (1) and (2), we get

$$\begin{aligned} L^i_0=R^{i-1}_1 \oplus L^{i-1}_1 \oplus L^{i-2}_0 \oplus key^{i-1}_2 \oplus key^{i}_1. \end{aligned}$$

Similarly, the other input state satisfies

$$\begin{aligned} {\hat{L}}^i_0={\hat{R}}^{i-1}_1 \oplus {\hat{L}}^{i-1}_1 \oplus {\hat{L}}^{i-2}_0 \oplus key^{i-1}_2 \oplus key^{i}_1. \end{aligned}$$

Thus, the difference \(\triangle L^{i}_0\) satisfies

$$\begin{aligned} \triangle L^{i}_0=L^i_0 \oplus {\hat{L}}^i_0= \triangle R^{i-1}_1 \oplus \triangle L^{i-1}_1 \oplus \triangle L^{i-2}_0. \end{aligned}$$
(3)

Similarly, from the green line of Fig. 3, we find

$$\begin{aligned}&R^i_0=L^{i-1}_1 \oplus F(L^{i-1}_0) \oplus key^{i}_0,\\& F(L^{i-1}_0)=R^{i-1}_1 \oplus R^{i-2}_0 \oplus key^{i-1}_3,\\&R^i_0=L^{i-1}_1 \oplus R^{i-1}_1 \oplus R^{i-2}_0 \oplus key^{i-1}_3 \oplus key^{i}_0. \end{aligned}$$

Similarly, the other input state satisfies

$$\begin{aligned} {\hat{R}}^i_0={\hat{L}}^{i-1}_1 \oplus {\hat{R}}^{i-1}_1 \oplus {\hat{R}}^{i-2}_0 \oplus key^{i-1}_3 \oplus key^{i}_0. \end{aligned}$$

Thus, the difference \(\triangle R^{i}_0\) satisfies

$$\begin{aligned} \triangle R^{i}_0=R^i_0 \oplus {\hat{R}}^i_0= \triangle L^{i-1}_1 \oplus \triangle R^{i-1}_1 \oplus \triangle R^{i-2}_0. \end{aligned}$$
(4)

Finally, XORing (3) and (4), we obtain

$$\begin{aligned} \triangle L^{i}_0 \oplus \triangle R^{i}_0=\triangle L^{i-2}_0 \oplus \triangle R^{i-2}_0. \end{aligned}$$

As the number of rounds i is arbitrary and \(i \ge 2\), if i is even, then

$$\begin{aligned} \triangle L^{i}_0 \oplus \triangle R^{i}_0=\triangle L^{i-2}_0 \oplus \triangle R^{i-2}_0=\ldots =\triangle L^{0}_0 \oplus \triangle R^{0}_0, \end{aligned}$$

if i is odd, then

$$\begin{aligned} \triangle L^{i}_0 \oplus \triangle R^{i}_0=\triangle L^{i-2}_0 \oplus \triangle R^{i-2}_0=\ldots =\triangle L^{1}_0 \oplus \triangle R^{1}_0, \end{aligned}$$

which completes the proof. \(\square\)

Fig. 3 Any two consecutive rounds of Shadow

Based on Theorem 1 and Definition 3, we can obtain Corollary 1.

Corollary 1

For an arbitrary r-round Shadow, let the input difference be \((\triangle L^{0}_0,\triangle L^{0}_1,\triangle R^{0}_0,\triangle R^{0}_1)\) and the corresponding output difference be \((\triangle L^{r}_0,\triangle L^{r}_1,\triangle R^{r}_0,\triangle R^{r}_1)\). If \(\triangle L^{0}_0 \oplus \triangle R^{0}_0 \ne \triangle L^{r}_0 \oplus \triangle R^{r}_0\) \((r=2n)\) or \(\triangle L^{1}_0 \oplus \triangle R^{1}_0 \ne \triangle L^{r}_0 \oplus \triangle R^{r}_0\) \((r=2n+1)\), then \((\triangle L^{0}_0,\triangle L^{0}_1,\triangle R^{0}_0,\triangle R^{0}_1)\) \(\nrightarrow\) \((\triangle L^{r}_0,\triangle L^{r}_1,\triangle R^{r}_0,\triangle R^{r}_1)\) is an impossible differential distinguisher of Shadow.

Key recovery attack on full-round Shadow-32/64

In this section, we will use a concrete arbitrary N-round impossible differential distinguisher to perform key recovery for \((N+1)\)-round Shadow-32 and \((N+1)\)-round Shadow-64 respectively.

Key recovery attack on full-round Shadow-32

Theorem 2

(N-round Impossible Differential Distinguisher of Shadow-32) In the single-key model, Shadow-32 has an N-round impossible differential distinguisher for an arbitrary N, i.e.

$$\begin{aligned}&(10000000,00000000,00000000,00000000) \\&\quad \nrightarrow (01000000,00000000,00000000,00000000), \end{aligned}$$

where the Nth round includes data exchange.

Proof

Firstly, we have \(\triangle L^{0}_0=10000000,\) \(\triangle R^{0}_0=00000000,\triangle L^{N}_0=01000000,\triangle R^{N}_0=00000000\).

  (1) When \(N=2n(n>0)\), by Theorem 1 and Corollary 1, since \(\triangle L^{0}_0 \oplus \triangle R^{0}_0 \ne \triangle L^{N}_0 \oplus \triangle R^{N}_0,\) we obtain the contradiction.

  (2) When \(N=2n+1(n>0)\), after the propagation of the difference through the first round, the output difference \((\triangle L^{1}_0,\triangle L^{1}_1,\triangle R^{1}_0,\triangle R^{1}_1)\) is \((00000000,*0*01***,0*00001*,00000000)\); by Theorem 1 and Corollary 1, since \(\triangle L^{1}_0 \oplus \triangle R^{1}_0 \ne \triangle L^{N}_0 \oplus \triangle R^{N}_0,\) we obtain the contradiction.

\(\square\)

Next, based on the N-round impossible differential distinguisher, we append one round and perform key recovery on \((N+1)\)-round Shadow-32 by guessing the last round key and decrypting one round. The propagation of the difference during key recovery is depicted in Fig. 4. The specific key recovery process is as follows.

Fig. 4 \((N+1)\)-round impossible differential cryptanalysis on Shadow-32

  • Step 1 Let the difference of plaintext be

    $$\begin{aligned} \triangle x^0&=(\triangle L^0_0,\triangle L^0_1,\triangle R^0_0,\triangle R^0_1)\\ \triangle L^0_0&=(10000000)\\ \triangle L^0_1&=(00000000)\\ \triangle R^0_0&=(00000000)\\ \triangle R^0_1&=(00000000). \end{aligned}$$

    Define the following plaintext structure

    $$\begin{aligned} x^0&=(L^0_0,L^0_1,R^0_0,R^0_1)\\ L^0_0&=(\alpha _1\alpha _2\alpha _3\alpha _4\alpha _5\alpha _6\alpha _7\alpha _8)\\ L^0_1&=(\alpha _9\alpha _{10}\alpha _{11}\alpha _{12}\alpha _{13}\alpha _{14}\alpha _{15}\alpha _{16})\\ R^0_0&=(\alpha _{17}\alpha _{18}\alpha _{19}\alpha _{20}\alpha _{21}\alpha _{22}\alpha _{23}\alpha _{24})\\ R^0_1&=(\alpha _{25}\alpha _{26}\alpha _{27}\alpha _{28}\alpha _{29}\alpha _{30}\alpha _{31}\alpha _{32}), \end{aligned}$$

    where each \(\alpha _i(1 \le i \le 32)\) is a constant. Each plaintext structure yields 2 plaintext pairs; selecting \(2^n\) plaintext structures gives \(2^{n+1}\) plaintext pairs \((x^{0},{\hat{x}}^{0})\). After \(N+1\) rounds of encryption, obtain the corresponding ciphertext pairs \((x^{N+1},{\hat{x}}^{N+1})\).

  • Step 2 Select the ciphertext pairs that satisfy the following form:

    $$\begin{aligned} \begin{array}{l} \triangle x^{N+1}=(\triangle L^{N+1}_0,\triangle L^{N+1}_1,\triangle R^{N+1}_0,\triangle R^{N+1}_1)\\ \triangle L^{N+1}_0=(*0*00001)\\ \triangle L^{N+1}_1=(**0*01**)\\ \triangle R^{N+1}_0=(00000000)\\ \triangle R^{N+1}_1=(00000000), \end{array} \end{aligned}$$

    where \(* \in F_2\). Since \(2^7\) ciphertext differences satisfy the above form, the probability is \(2^7 \times 2^{-32}=2^{-25}.\) After screening, \(2^{n+1} \times 2^{-25}=2^{n-24}\) ciphertext pairs remain.

  • Step 3 Guess the 16-bit key of the \((N+1)\)th round, i.e. \(key^{N+1}_2\) and \(key^{N+1}_0\). Then decrypt each ciphertext pair from Step 2 by one round and obtain \((\triangle L^{N}_0,\triangle L^{N}_1)\). If \(\triangle L^{N}_0=01000000\) and \(\triangle L^{N}_1=00000000\) both hold, the guessed key is wrong and is excluded. Repeat the above steps until only the correct key remains.

Complexity analysis After Step 3, the expected number of wrong keys remaining is approximately \((2^{16}-1) \times (1-2^{-1})^{2^{n-24}}\). When \(n=28\), \((2^{16}-1) \times (1-2^{-1})^{2^{n-24}}<1\), so all wrong keys can be excluded. Boura et al. (2014) showed that the data complexity is \(2^{n+\triangle in +1}\), where \(\triangle in\) is the number of active bits in the plaintext difference. So the data complexity is \(2^{28+1+1}=2^{30}\). Step 3 requires \(2^{n-24} \times 2^{16} \times 2=2^{21}\) one-round encryptions; in addition, the remaining 48 bits of the master key must be searched exhaustively, so the time complexity required to recover the full key is \(2^{21}/(N+1)+2^{48} \approx 2^{48}\) \((N+1)\)-round encryptions. Since Step 2 requires storing \(2^{n-24}=2^4\) ciphertext pairs and \(2^{16}\) candidate keys, and the exhaustive search over 48 bits requires storage of \(2^{48}\), the memory complexity required to recover the full key is \((2^{4}+2^{16}+2^{48})/32 \approx 2^{43}\) 32-bit blocks.

In summary, for Shadow-32, the round number is 16 and N is 15. A full-round impossible differential attack on Shadow-32 requires \(2^{30}\) data complexity, \(2^{48}\) 16-round encryption time complexity and \(2^{43}\) 32-bit block memory complexity.

Key recovery attack on full-round Shadow-64

Theorem 3

(N-round Impossible Differential Distinguisher of Shadow-64) In the single-key model, Shadow-64 has an N-round impossible differential distinguisher for an arbitrary N, i.e.

$$\begin{aligned}&(1000000000000000,0000000000000000,\\&\quad 0000000000000000,0000000000000000)\\&\quad \nrightarrow (0100000000000000,0000000000000000,\\&\quad 0000000000000000,0000000000000000), \end{aligned}$$

where the Nth round includes data exchange.

Proof

The process of proving Theorem 3 is similar to that of Theorem 2. Firstly, we have \(\triangle L^{0}_0=1000000000000000,\) \(\triangle R^{0}_0=0000000000000000,\triangle L^{N}_0=0100000000000000,\) \(\triangle R^{N}_0=0000000000000000\).

  (1) When \(N=2n(n>0)\), by Theorem 1 and Corollary 1, since \(\triangle L^{0}_0 \oplus \triangle R^{0}_0 \ne \triangle L^{N}_0 \oplus \triangle R^{N}_0,\) we obtain the contradiction.

  (2) When \(N=2n+1(n>0)\), after the propagation of the difference through the first round, the output difference \((\triangle L^{1}_0,\triangle L^{1}_1,\triangle R^{1}_0,\triangle R^{1}_1)\) is \((0000000000000000,10*0000**000***0,000000000*0000**,0000000000000000)\); by Theorem 1 and Corollary 1, since \(\triangle L^{1}_0 \oplus \triangle R^{1}_0 \ne \triangle L^{N}_0 \oplus \triangle R^{N}_0,\) we obtain the contradiction.

\(\square\)
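The following Python model is an added example, not code from the paper or from the Shadow designers. It serves Theorem 1 and Corollary 1 as well as Theorems 2 and 3: the round structure is reconstructed from Eqs. (1)–(4) in the proof of Theorem 1 (two F-layers followed by the data exchange those equations imply), while `toy_f` and `random_table_f` are constructed stand-ins for Shadow's ARX function and are assumptions. The checker goes slightly beyond the two theorems in that it applies Corollary 1 to any candidate distinguisher written as bit patterns with `*` wildcards; the patterns used below are the ones quoted in Theorems 2 and 3.

```python
# Added example (not from the paper): a toy model of the round structure
# implied by Eqs. (1)-(4) to check the invariant of Theorem 1, and a checker
# that applies Corollary 1 to the distinguishers of Theorems 2 and 3.
# toy_f / random_table_f are constructed stand-ins, NOT Shadow's ARX function.
import random

WORD_BITS = 8                      # 8-bit branches as in Shadow-32
MASK = (1 << WORD_BITS) - 1


def rotl(x, r, bits=WORD_BITS):
    """Rotate an m-bit word left by r positions."""
    r %= bits
    return ((x << r) | (x >> (bits - r))) & ((1 << bits) - 1)


def toy_f(x):
    """Constructed ARX-style round function (an assumption, not Shadow's F)."""
    return ((rotl(x, 1) + rotl(x, 2)) ^ rotl(x, 7)) & MASK


def random_table_f(seed):
    """A random 8-bit function, to show the invariant does not depend on F."""
    rng = random.Random(seed)
    table = [rng.randrange(MASK + 1) for _ in range(MASK + 1)]
    return lambda x: table[x]


def shadow_like_round(state, rk, f=toy_f):
    """One round as implied by Eqs. (1)-(4): two F-layers, then the data
    exchange mapping (L0', L1', R0', R1') to (R1', L0', L1', R0')."""
    L0, L1, R0, R1 = state
    k0, k1, k2, k3 = rk
    L1p = L1 ^ f(L0) ^ k0          # first layer
    R1p = R1 ^ f(R0) ^ k1
    L0p = L0 ^ f(L1p) ^ k2         # second layer, on the fresh values
    R0p = R0 ^ f(R1p) ^ k3
    return (R1p, L0p, L1p, R0p)    # exchange: new L0 = R1', new R0 = L1'


def xor_diff(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def theorem1_holds(rounds, trials=200, seed=1, f=toy_f):
    """Empirically check dL0^i ^ dR0^i == dL0^(i-2) ^ dR0^(i-2) for every
    i >= 2 over random round keys and random plaintext pairs, for this F."""
    rng = random.Random(seed)
    for _ in range(trials):
        keys = [tuple(rng.randrange(MASK + 1) for _ in range(4))
                for _ in range(rounds)]
        x = tuple(rng.randrange(MASK + 1) for _ in range(4))
        xh = tuple(rng.randrange(MASK + 1) for _ in range(4))
        diffs = [xor_diff(x, xh)]          # diffs[i] = difference after i rounds
        for rk in keys:
            x, xh = shadow_like_round(x, rk, f), shadow_like_round(xh, rk, f)
            diffs.append(xor_diff(x, xh))
        for i in range(2, rounds + 1):
            if diffs[i][0] ^ diffs[i][2] != diffs[i - 2][0] ^ diffs[i - 2][2]:
                return False
    return True


def xor_patterns(p, q):
    """XOR two bit strings with '*' wildcards; a bit stays fixed only if both are."""
    return "".join(str(int(a) ^ int(b)) if "*" not in (a, b) else "*"
                   for a, b in zip(p, q))


def corollary1_impossible(in_diff, out_diff, rounds, first_round_diff=None):
    """Apply Corollary 1 to a candidate (in_diff -> out_diff) over `rounds`
    rounds; differences are 4-tuples of bit strings ('*' = unknown bit).
    Even r needs only the input difference; odd r needs the round-1 output
    difference, which depends on F and so must be supplied (Theorems 2, 3)."""
    target = xor_patterns(out_diff[0], out_diff[2])
    if "*" in target:
        raise ValueError("output difference must be fully specified")
    if rounds % 2 == 0:
        src = xor_patterns(in_diff[0], in_diff[2])
    elif first_round_diff is None:
        raise ValueError("odd-round case needs the first-round difference")
    else:
        src = xor_patterns(first_round_diff[0], first_round_diff[2])
    # Impossible iff the two XOR values can never coincide, i.e. some fixed
    # bit of src disagrees with the corresponding bit of target.
    return any(a != "*" and a != b for a, b in zip(src, target))


# Distinguishers and round-1 differences quoted from Theorems 2 and 3.
S32_IN = ("10000000", "00000000", "00000000", "00000000")
S32_OUT = ("01000000", "00000000", "00000000", "00000000")
S32_ROUND1 = ("00000000", "*0*01***", "0*00001*", "00000000")
Z16 = "0000000000000000"
S64_IN = ("1000000000000000", Z16, Z16, Z16)
S64_OUT = ("0100000000000000", Z16, Z16, Z16)
S64_ROUND1 = (Z16, "10*0000**000***0", "000000000*0000**", Z16)

if __name__ == "__main__":
    print("Theorem 1, toy ARX F, 16 rounds:", theorem1_holds(16))
    print("Theorem 1, random F, 9 rounds:", theorem1_holds(9, f=random_table_f(7)))
    print("Shadow-32 N=16:", corollary1_impossible(S32_IN, S32_OUT, 16))
    print("Shadow-32 N=15:", corollary1_impossible(S32_IN, S32_OUT, 15, S32_ROUND1))
    print("Shadow-64 N=31:", corollary1_impossible(S64_IN, S64_OUT, 31, S64_ROUND1))
```

The point to take from `theorem1_holds` is that the invariant survives swapping `toy_f` for a random table: the F terms cancel algebraically between the second layer of one round and the first layer of the next, which is exactly why the proof never needs a property of F. The model uses 8-bit words for brevity; nothing in the cancellation depends on the word size, so the same check applies to the 16-bit branches of Shadow-64.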

Next, based on the N-round impossible differential distinguisher, we append one round and perform key recovery on \((N+1)\)-round Shadow-64 by guessing the last round key and decrypting one round. The propagation of the difference during key recovery is shown in Fig. 5. The specific key recovery process is as follows.

Fig. 5 \((N+1)\)-round impossible differential cryptanalysis on Shadow-64

  • Step 1 Let the difference of plaintext be

    $$\begin{aligned} \triangle x^0&=(\triangle L^0_0,\triangle L^0_1,\triangle R^0_0,\triangle R^0_1)\\ \triangle L^0_0&=(1000000000000000)\\ \triangle L^0_1&=(0000000000000000)\\ \triangle R^0_0&=(0000000000000000)\\ \triangle R^0_1&=(0000000000000000). \end{aligned}$$

    Define the following plaintext structure

    $$\begin{aligned} x^0&=(L^0_0,L^0_1,R^0_0,R^0_1)\\ L^0_0&=(\alpha _1\alpha _2\ldots \alpha _{15}\alpha _{16})\\ L^0_1&=(\alpha _{17}\alpha _{18}\ldots \alpha _{31}\alpha _{32})\\ R^0_0&=(\alpha _{33}\alpha _{34}\ldots \alpha _{47}\alpha _{48})\\ R^0_1&=(\alpha _{49}\alpha _{50}\ldots \alpha _{63}\alpha _{64}), \end{aligned}$$

    where each \(\alpha _i(1 \le i \le 64)\) is a constant. Each plaintext structure yields 2 plaintext pairs; selecting \(2^n\) plaintext structures gives \(2^{n+1}\) plaintext pairs. After \(N+1\) rounds of encryption, obtain the corresponding ciphertext pairs \((x^{N+1},{\hat{x}}^{N+1})\).

  • Step 2 Select the ciphertext pairs that satisfy the following form:

    $$\begin{aligned} \begin{array}{l} \triangle x^{N+1}=(\triangle L^{N+1}_0,\triangle L^{N+1}_1,\triangle R^{N+1}_0,\triangle R^{N+1}_1)\\ \triangle L^{N+1}_0=(*000000000*0000*)\\ \triangle L^{N+1}_1=(010*0000**000***)\\ \triangle R^{N+1}_0=(0000000000000000)\\ \triangle R^{N+1}_1=(0000000000000000), \end{array} \end{aligned}$$

    where \(* \in F_2\). Since \(2^9\) ciphertext differences satisfy the above form, the probability is \(2^9 \times 2^{-64}=2^{-55}.\) After screening, \(2^{n+1} \times 2^{-55}=2^{n-54}\) ciphertext pairs remain.

  • Step 3 Guess the 32-bit key of the \((N+1)\)th round, i.e. \(key^{N+1}_2\) and \(key^{N+1}_0\). Then decrypt each ciphertext pair from Step 2 by one round and obtain \((\triangle L^{N}_0,\triangle L^{N}_1)\). If \(\triangle L^{N}_0=0100000000000000\) and \(\triangle L^{N}_1=0000000000000000\) both hold, the guessed key is wrong and is excluded. Repeat the above steps until only the correct key remains.

Complexity analysis After Step 3, the expected number of wrong keys remaining is approximately \((2^{32}-1) \times (1-2^{-1})^{2^{n-54}}\). When \(n=59\), \((2^{32}-1) \times (1-2^{-1})^{2^{n-54}}<1\), so all wrong keys can be excluded. Boura et al. (2014) showed that the data complexity is \(2^{n+\triangle in +1}\), where \(\triangle in\) is the number of active bits in the plaintext difference. So the data complexity is \(2^{59+1+1}=2^{61}\). Step 3 requires \(2^{n-54} \times 2^{32} \times 2=2^{38}\) one-round encryptions; in addition, the remaining 96 bits of the master key must be searched exhaustively, so the time complexity required to recover the full key is \(2^{38}/(N+1)+2^{96} \approx 2^{96}\) \((N+1)\)-round encryptions. Since Step 2 requires storing \(2^{n-54}=2^5\) ciphertext pairs and \(2^{32}\) candidate keys, and the exhaustive search over 96 bits requires storage of \(2^{96}\), the memory complexity required to recover the full key is \((2^{5}+2^{32}+2^{96})/64 \approx 2^{90}\) 64-bit blocks.

For Shadow-64, the round number is 32 and N is 31. A full-round impossible differential attack requires \(2^{61}\) data complexity, \(2^{96}\) 32-round encryption time complexity and \(2^{90}\) 64-bit block memory complexity. It is worth noting that simply increasing the number of iterated rounds of Shadow does not help it resist the impossible differential attack.
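As an added example (not from the paper), the complexity bookkeeping of the two key-recovery attacks above, for Shadow-32 and for Shadow-64, is written out once as a parameterised calculation so that the figures in both complexity analyses can be re-derived and the effect of each parameter inspected. The elimination model is the paper's: each surviving ciphertext pair rules out a wrong key guess with probability \(2^{-1}\), the data complexity follows Boura et al. (2014), and the master-key sizes (64 and 128 bits) are taken from the "remaining 48 bits" and "remaining 96 bits" stated above. The function `attack_complexity` and its argument names are this example's own.

```python
# Added example (not from the paper): parameterised complexity estimate for
# the one-round key-recovery attack described above, for both Shadow variants.
import math


def minimal_structures_log2(guessed_key_bits, sieve_log2):
    """Smallest n such that (2^k - 1) * (1 - 2^-1)^P < 1 with P = 2^(n+1+sieve_log2)
    surviving pairs, i.e. 2^P > 2^k - 1. Exact integer arithmetic, no floats."""
    n = -1 - sieve_log2                      # smallest n that leaves >= 1 pair
    while (1 << guessed_key_bits) - 1 >= (1 << (1 << (n + 1 + sieve_log2))):
        n += 1
    return n


def attack_complexity(block_bits, master_key_bits, guessed_key_bits,
                      sieve_free_bits, active_in_bits, rounds):
    """log2 of data, time (in `rounds`-round encryptions) and memory (in blocks).
    sieve_free_bits: number of '*' bits in the Step-2 ciphertext pattern
    (7 for Shadow-32, 9 for Shadow-64); active_in_bits: active plaintext bits."""
    sieve_log2 = sieve_free_bits - block_bits            # e.g. 7 - 32 = -25
    n = minimal_structures_log2(guessed_key_bits, sieve_log2)
    pairs_log2 = n + 1 + sieve_log2                      # pairs surviving Step 2
    data_log2 = n + active_in_bits + 1                   # Boura et al. (2014)
    step3_log2 = pairs_log2 + guessed_key_bits + 1       # one-round decryptions
    remaining_bits = master_key_bits - guessed_key_bits  # searched exhaustively
    time = 2.0 ** step3_log2 / rounds + 2.0 ** remaining_bits
    memory = (2.0 ** pairs_log2 + 2.0 ** guessed_key_bits
              + 2.0 ** remaining_bits) / block_bits
    return {"n": n, "pairs_log2": pairs_log2, "data_log2": data_log2,
            "step3_log2": step3_log2,
            "time_log2": round(math.log2(time)),
            "memory_log2": round(math.log2(memory))}


# Parameters of the two attacks as stated in the text.
SHADOW32 = dict(block_bits=32, master_key_bits=64, guessed_key_bits=16,
                sieve_free_bits=7, active_in_bits=1, rounds=16)
SHADOW64 = dict(block_bits=64, master_key_bits=128, guessed_key_bits=32,
                sieve_free_bits=9, active_in_bits=1, rounds=32)

if __name__ == "__main__":
    print("Shadow-32:", attack_complexity(**SHADOW32))
    print("Shadow-64:", attack_complexity(**SHADOW64))
    # The round count only divides the Step-3 term, which is negligible next to
    # the exhaustive search over the remaining key bits, so more rounds do not
    # raise the cost: this is the page's closing remark in numbers.
    print("Shadow-32 with 160 rounds:", attack_complexity(**{**SHADOW32, "rounds": 160}))
```

Changing `rounds` leaves `time_log2` unchanged because the Step-3 term is divided by the round count and is dwarfed by the exhaustive search over the remaining key bits; the parameters that actually move the cost are the number of guessed key bits and the sieve probability, both fixed by the structure rather than by the round count.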

Summary

In this paper, we focus on the differential property of Shadow and its security against the impossible differential attack. First, we use the SAT method to automatically search for a full-round impossible differential distinguisher of Shadow-32. Then, based on the experimental results, we prove that Shadow has a differential property with probability 1 based on the propagation of state. Further, we present an impossible differential distinguisher for an arbitrary number of rounds of Shadow. Finally, we use a concrete arbitrary N-round impossible differential distinguisher to perform key recovery for \((N+1)\)-round Shadow-32 and Shadow-64. For Shadow-32, a 16-round full key recovery attack requires \(2^{30}\) data complexity, \(2^{48}\) 16-round encryption time complexity and \(2^{43}\) 32-bit block memory complexity. For Shadow-64, a 32-round full key recovery attack requires \(2^{61}\) data complexity, \(2^{96}\) 32-round encryption time complexity and \(2^{90}\) 64-bit block memory complexity.

Both experimentally and theoretically, our results indicate that Shadow is critically flawed, and regardless of the security strength of the internal components and the number of rounds applied, the overall cipher remains vulnerable to the impossible differential attack.

Availability of data and materials

Not applicable.

References

  • Abdelkhalek A, Sasaki Y, Todo Y, Tolba M, Youssef AM (2017) MILP modeling for (large) s-boxes to optimize probability of differential characteristics. IACR Trans Symmetr Cryptol 99–129

  • Banik S, Bogdanov A, Isobe T, Shibutani K, Hiwatari H, Akishita T, Regazzoni F (2015) Midori: a block cipher for low energy. In: Proceedings of the advances in cryptology—ASIACRYPT 2015: 21st international conference on the theory and application of cryptology and information security, Auckland, New Zealand, November 29–December 3, 2015, Part II. Springer, vol 21, pp 411–436

  • Beaulieu R, Shors D, Smith J, Treatman-Clark S, Weeks B, Wingers L (2015) The SIMON and SPECK lightweight block ciphers. In: Proceedings of the 52nd annual design automation conference, pp 1–6

  • Biham E, Shamir A (1991) Differential cryptanalysis of des-like cryptosystems. J Cryptol 4:3–72


  • Biham E, Biryukov A, Shamir A (1999) Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Proceedings of the advances in cryptology-EUROCRYPT’99: international conference on the theory and application of cryptographic techniques Prague, Czech Republic, May 2–6, 1999. Springer, vol 18, pp 12–23

  • Bogdanov A, Knudsen LR, Leander G, Paar C, Poschmann A, Robshaw MJ, Seurin Y, Vikkelsoe C (2007) Present: an ultra-lightweight block cipher. In: Proceedings of the cryptographic hardware and embedded systems-CHES 2007: 9th international workshop, Vienna, Austria, September 10–13, 2007. Springer, vol 9, pp 450–466

  • Boura C, Naya-Plasencia M, Suder V (2014) Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon (full version). Ph.D. thesis, IACR cryptology ePrint archive

  • Cui T, Chen S, Jia K, Fu K, Wang M (2016) New automatic search tool for impossible differentials and zero-correlation linear approximations. Cryptology ePrint archive

  • Guo Y, Li L, Liu B (2021) Shadow: a lightweight block cipher for IoT nodes. IEEE Internet Things J 8(16):13014–13023


  • Hong D, Sung J, Hong S, Lim J, Lee S, Koo BS, Lee C, Chang D, Lee J, Jeong K et al (2006) Hight: a new block cipher suitable for low-resource device. In: Proceedings of the Cryptographic hardware and embedded systems-CHES 2006: 8th international workshop, Yokohama, Japan, October 10–13, 2006. Springer, vol 8, pp 46–59

  • Hu X, Li Y, Jiao L, Tian S, Wang M (2020) Mind the propagation of states: new automatic search tool for impossible differentials and impossible polytopic transitions. In: Proceedings of the advances in cryptology—ASIACRYPT 2020: 26th international conference on the theory and application of cryptology and information security, Daejeon, South Korea, December 7–11, 2020, Part I 26. Springer, pp 415–445

  • Kaur M, Yadav T, Kumar M, Dey D (2023) Full-round differential attack on ULC and LICID block ciphers designed for IoT. Cryptology ePrint archive

  • Knudsen L (1998) Deal-a 128-bit block cipher. Complexity 258(2):216


  • Kölbl S, Leander G, Tiessen T (2015) Observations on the SIMON block cipher family. In: Proceedings of the advances in cryptology—CRYPTO 2015: 35th annual cryptology conference, Santa Barbara, CA, USA, August 16–20, 2015, Part I. Springer, vol 35, pp 161–185

  • Kumar M, Yadav T (2022) MILP based differential attack on round reduced warp. In: Proceedings of the security, privacy, and applied cryptography engineering: 11th international conference, SPACE 2021, Kolkata, India, December 10–13, 2021. Springer, pp 42–59

  • Matsui M (1994) Linear cryptanalysis method for DES cipher. In: Proceedings of the advances in cryptology-EUROCRYPT’93: workshop on the theory and application of cryptographic techniques Lofthus, Norway, May 23–27, 1993. Springer, vol 12, pp 386–397

  • Mouha N, Wang Q, Gu D, Preneel B (2012) Differential and linear cryptanalysis using mixed-integer linear programming. In: Information security and cryptology: 7th international conference, Inscrypt 2011, Beijing, China, November 30–December 3, 2011. Revised selected papers 7. Springer, pp 57–76

  • Sasaki Y, Todo Y (2017) New impossible differential search tool from design and cryptanalysis aspects: Revealing structural properties of several ciphers. In: Advances in Cryptology–EUROCRYPT 2017: 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30–May 4, 2017, Proceedings, Part III 36, pp. 185–215. Springer

  • Standaert FX, Piret G, Gershenfeld N, Quisquater JJ (2006) SEA: a scalable encryption algorithm for small embedded applications. In: Proceedings of the smart card research and advanced applications: 7th IFIP WG 8.8/11.2 international conference, CARDIS 2006, Tarragona, Spain, April 19–21, 2006. Springer, vol 7, pp 222–236

  • Sun S, Hu L, Wang P, Qiao K, Ma X, Song L (2014) Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES (l) and other bit-oriented block ciphers. In: Proceedings of the advances in cryptology—ASIACRYPT 2014: 20th international conference on the theory and application of cryptology and information security, Kaoshiung, Taiwan, ROC, December 7–11, 2014, Part I. Springer, vol 20, pp 158–178

  • Sun L, Wang M (2023) SoK: modeling for large s-boxes oriented to differential probabilities and linear correlations. IACR Trans Symmetric Cryptol 111–151

  • Sun L, Wang W, Wang M (2017) Automatic search of bit-based division property for ARX ciphers and word-based division property. In: Proceedings of the advances in cryptology—ASIACRYPT 2017: 23rd international conference on the theory and applications of cryptology and information security, Hong Kong, China, December 3–7, 2017, Part I. Springer, vol 23, pp 128–157

  • Sun L, Wang W, Wang M (2021) Accelerating the search of differential and linear characteristics with the sat method. IACR Trans Symmetric Cryptol 269–315

  • Wu W, Zhang L (2011) LBlock: a lightweight block cipher. In: Proceedings of the applied cryptography and network security: 9th international conference, ACNS 2011, Nerja, Spain, June 7–10, 2011. Springer, vol 9, pp 327–344

  • Zhu B, Dong X, Yu H (2019) MILP-based differential attack on round-reduced gift. In: Proceedings of the topics in cryptology—CT-RSA 2019: the cryptographers’ track at the RSA conference 2019, San Francisco, CA, USA, March 4–8, 2019. Springer, pp 372–390


Acknowledgements

I would like to express my sincere gratitude to my colleagues for their invaluable support, advice, and insightful discussions during the preparation of this thesis. I also wish to extend my appreciation to the anonymous reviewers for their constructive comments and feedback.

Funding

This work was supported by the National Natural Science Foundation of China (No. 12371525).

Author information


Contributions

All the authors have equal contributions to this paper.

Corresponding author

Correspondence to Yongqiang Li.

Ethics declarations

Competing interests

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.


About this article


Cite this article

Liu, Y., Li, Y., Chen, H. et al. Full-round impossible differential attack on shadow block cipher. Cybersecurity 6, 52 (2023). https://doi.org/10.1186/s42400-023-00184-7
