Open access
Full-round impossible differential attack on Shadow block cipher
Cybersecurity volume 6, Article number: 52 (2023)
Abstract
Lightweight block ciphers are essential encryption algorithms for devices with limited resources. Their goal is to ensure the security of data transmission through resource-constrained devices. Impossible differential cryptanalysis is one of the most effective attacks on block ciphers, and the ability to resist it is a basic design criterion. Shadow is a lightweight block cipher proposed by Guo et al. (IEEE Internet Things J 8(16):13014–13023, 2021). It combines ARX operations with a generalized Feistel structure to overcome the weakness of the traditional Feistel structure, which only diffuses half of the state in one round. In this paper, we focus on the differential property of Shadow and its security against impossible differential cryptanalysis. First, we use the SAT method to automatically search for a full-round impossible differential distinguisher of Shadow32. Then, based on the experimental results, we prove that Shadow has a differential property with probability 1 based on the propagation of the state. Further, we obtain an impossible differential distinguisher for an arbitrary number of rounds of Shadow. Finally, we perform a full key recovery attack on full-round Shadow32 and Shadow64. Both experimentally and theoretically, our results indicate that Shadow is critically flawed: regardless of the security strength of the internal components and the number of rounds applied, the overall cipher remains vulnerable to impossible differential cryptanalysis.
Introduction
Along with the accelerated development of information technology, Internet of Things (IoT) technologies such as RFID and wireless sensors are increasingly applied in daily life, and they are often integrated into devices with limited storage and computing resources. However, traditional block ciphers are not suitable for these devices: their high software and hardware implementation requirements mean they cannot guarantee the security of data transmission there. Thus, there is a demand for lightweight block ciphers that provide high performance and security in resource-constrained environments.
Driven by the need to protect private data on resource-constrained devices, lightweight block ciphers aim to achieve low resource utilization, low power consumption and high computational efficiency while maintaining the security of a block cipher. In line with this objective, many well-designed lightweight block ciphers have been proposed, such as SEA (Standaert et al. 2006), HIGHT (Hong et al. 2006), PRESENT (Bogdanov et al. 2007), LBlock (Wu and Zhang 2011), SIMON and SPECK (Beaulieu et al. 2015), Midori (Banik et al. 2015) and Shadow (Guo et al. 2021), among others. Moreover, security evaluation of lightweight block ciphers is essential: a newly proposed lightweight block cipher needs to be assessed for its security against traditional cryptanalysis, such as differential cryptanalysis (Biham and Shamir 1991), linear cryptanalysis (Matsui 1994), impossible differential cryptanalysis, and other attacks.
Impossible differential cryptanalysis was first proposed by Knudsen (1998) and by Biham et al. (1999). It is one of the most effective attacks on block ciphers, and the ability to resist it is a basic design criterion. Its basic idea is to exclude wrong keys that lead to a zero-probability difference and then recover the correct key by exhausting the candidate keys. In general, impossible differential cryptanalysis has two phases, i.e., the search for an impossible differential distinguisher and the key recovery. The key to impossible differential analysis is to find an impossible differential distinguisher covering the largest number of rounds.
Research on automated search methods has been an important topic for the last 20 years. The first important tool for automated search was Mixed Integer Linear Programming (MILP), first employed by Mouha et al. (2012) to find the minimum number of active S-boxes for word-oriented block ciphers. Later, Sun et al. (2014) extended the method from word-oriented to bit-oriented ciphers, and assessed the ability of bit-oriented block ciphers to resist (related-key) differential attacks. Since then, MILP has been widely used for the cryptanalysis of block ciphers. Cui et al. (2016) and Sasaki and Todo (2017) applied MILP to the automatic search for impossible differentials, respectively. In 2017, Abdelkhalek et al. (2017) applied MILP to block ciphers with 8-bit S-boxes. In recent years, MILP has remained a popular tool for the automated search for differential distinguishers (Zhu et al. 2019; Kumar and Yadav 2022; Kaur et al. 2023).
Another important tool for automated search relies on the Boolean Satisfiability Problem or Satisfiability Modulo Theories (SAT/SMT). In 2012, Mouha et al. (2012) first used the SAT/SMT method to automatically seek optimal differential characteristics of Salsa20. Later, in 2015, Kölbl et al. (2015) employed the SAT/SMT method to automatically search for optimal differential and linear characteristics of SIMON. In 2017, Sun et al. (2017) automatically searched for bit-based integral distinguishers of ARX block ciphers using the SAT/SMT method. In 2020, Hu et al. (2020) moved away from the propagation of the difference and proposed a SAT/SMT-aided search method for impossible differentials that uses the propagation of the state. Later, in 2021, Sun et al. (2021) focused on accelerating the SAT/SMT methods used to seek differential and linear characteristics. In 2023, Sun and Wang (2023) developed SAT/SMT models to search for differential and linear characteristics of block ciphers with large S-boxes.
Shadow, a lightweight block cipher, was proposed by Guo et al. (2021) to protect private data transmitted through IoT nodes. Shadow combines ARX operations with a generalized Feistel structure, which resolves the issue that current ARX-based lightweight block ciphers only diffuse half of the state in one round. The security of Shadow was first evaluated by its designers. They performed impossible differential cryptanalysis and biclique cryptanalysis on Shadow: the impossible differential attack uses a 4-round impossible differential distinguisher to perform a 7-round key recovery attack, and the biclique attack constructs an 8-round biclique structure. Consequently, the designers of Shadow asserted that Shadow exhibits a high level of resistance against cryptanalysis. In this paper, we show that Shadow cannot resist impossible differential cryptanalysis, and we identify significant security weaknesses in its current design.
Our contributions In this paper, we focus on the differential property of Shadow and its security against impossible differential cryptanalysis. For the first time, we perform an impossible differential attack on full-round Shadow32 and Shadow64. Our results indicate that Shadow is critically flawed: regardless of the security strength of the internal components and the number of rounds applied, the overall cipher remains vulnerable to impossible differential cryptanalysis. The specific results are displayed in Table 1. Our contributions are summarized as follows.
We use the SAT method to find a full-round impossible differential distinguisher of Shadow32.
We prove that Shadow has a differential property with probability 1 based on the propagation of state proposed by Hu et al. (2020), and then present an impossible differential distinguisher for an arbitrary number of rounds.
We perform full key recovery on full-round Shadow32 with \(2^{30}\) data complexity, \(2^{48}\) 16-round encryptions time complexity and \(2^{43}\) 32-bit blocks memory complexity.
We perform full key recovery on full-round Shadow64 with \(2^{61}\) data complexity, \(2^{96}\) 32-round encryptions time complexity and \(2^{90}\) 64-bit blocks memory complexity.
Organization The subsequent sections of this paper are arranged as follows. Section “Preliminaries” describes the background knowledge used in this paper. Section “Automatic search for impossible differential distinguisher” shows how to automatically search for impossible differential distinguishers using the SAT method. Section “A proof of impossible differential distinguishers for an arbitrary number of rounds” proves the differential property with probability 1 of Shadow32/64 based on the propagation of state. Full key recovery attacks on full-round Shadow32 and Shadow64 are mounted in section “Key recovery attack on full-round Shadow32/64”. Finally, section “Summary” summarizes the paper.
Preliminaries
Notation
In this subsection, we first present the notation used throughout the paper.
\(L^{i-1}_0\): the input state of the first branch on the left of the ith round;
\(L^{i-1}_1\): the input state of the second branch on the left of the ith round;
\(R^{i-1}_0\): the input state of the first branch on the right of the ith round;
\(R^{i-1}_1\): the input state of the second branch on the right of the ith round;
\(\triangle L^{i-1}_0\): the input difference of the first branch on the left of the ith round;
\(\triangle L^{i-1}_1\): the input difference of the second branch on the left of the ith round;
\(\triangle R^{i-1}_0\): the input difference of the first branch on the right of the ith round;
\(\triangle R^{i-1}_1\): the input difference of the second branch on the right of the ith round;
\(x^{i-1}\): the input state of the ith round;
\({\hat{x}}^{i-1}\): the other input state of the ith round (the second state of a pair);
\(\triangle x^{i-1}\): the input difference of the ith round;
\({\mathbb {F}}_2\): the binary field;
\(key^i\): the ith round subkey;
RN: the full number of rounds;
r: the number of iterated rounds;
m: the block size of the cipher;
&: bitwise AND;
\(\oplus\): XOR;
\(\lll n\): rotation to the left by n bits.
Description of Shadow
Shadow utilizes a combination of ARX operations and a generalized Feistel structure, which includes two versions: Shadow32 and Shadow64. The block sizes of Shadow32 and Shadow64 are 32 and 64 bits, respectively, with key sizes of 64 and 128 bits and round numbers of 16 and 32, respectively.
Encryption algorithm
Shadow comprises three main operations: AND, Rotation, and XOR. Let \((L^{i-1}_0,L^{i-1}_1,R^{i-1}_0,R^{i-1}_1)\) be the input state of the ith round function, \((L^{i}_0,L^{i}_1,R^{i}_0,R^{i}_1)\) the corresponding output state, and \(key^{i}_j\ (0 \le j \le 3)\) the four words selected from the round subkey \(key^{i}\). The round function of Shadow is depicted in Fig. 1.
From Fig. 1, the round function of Shadow calls f four times, where f is
and this operation reduces logic hardware and software consumption.
For the RN-round encryption of Shadow, the plaintext \(P=(L^0_0,L^0_1,R^0_0,R^0_1)\) is divided into four equal-sized blocks. First, the first branch on the left \(L^0_0\) is passed through the f function and XORed with the second branch on the left \(L^0_1\) and the subkey \(key^1_0\) to get P0, i.e. \(P0=f(L^0_0)\oplus L^0_1 \oplus key^1_0\). Similarly, the first branch on the right \(R^0_0\) undergoes the same operation with the second branch on the right \(R^0_1\) to get P1, i.e. \(P1=f(R^0_0)\oplus R^0_1 \oplus key^1_1\). The half-round output \((P0,L^0_0,P1,R^0_0)\) is obtained by swapping the two branches on the left and the two branches on the right separately. Next, P0 is passed through f and XORed with \(L^0_0\) and the subkey \(key^1_2\) to get \(L^1_1\), i.e. \(L^1_1=f(P0)\oplus L^0_0 \oplus key^1_2\). Similarly, P1 undergoes the same operation with \(R^0_0\) to get \(R^1_1\), i.e. \(R^1_1=f(P1)\oplus R^0_0 \oplus key^1_3\). After the data exchange between the left and right halves, the first-round output is \((P1,L^1_1,P0,R^1_1)\). The above operation is repeated for RN rounds to generate the ciphertext \(C=(L^{RN}_0,L^{RN}_1,R^{RN}_0,R^{RN}_1)\); note that there is no data exchange in the last round. The corresponding encryption algorithm is exhibited in Algorithm 1. Since Shadow uses a generalized Feistel structure, the decryption algorithm only needs to use the round subkeys in reverse order compared to the encryption algorithm.
Key schedule
Depending on the block size of Shadow, there are two kinds of round subkey generators, i.e. Generator1 and Generator2. For Shadow32, the 64-bit primary key K is written as \(k_0k_1k_2\ldots k_{62}k_{63}\) and enters Generator1. Generator1 consists of three operations, i.e. AddRoundConstant, NX Module, and Permutation. First, the AddRoundConstant operation is applied to the 5-bit key segment \(k_3k_4k_5k_6k_7\), then the NX Module is applied to the 8-bit key segment \(k_{56}k_{57}k_{58}\ldots k_{62}k_{63}\), and finally the Permutation is applied to the whole 64-bit key. This yields the subkey \(K{'}\) of the first round, whose first 32 bits are partitioned into four equal-sized segments for the round key XOR operation. \(K{'}\) is then fed back into Generator1 to generate the subkey of each subsequent round until the encryption is completed. The specific procedure of Generator1 is depicted in Fig. 2.
AddRoundConstant The round constant r is first expanded into its binary representation \(c_0c_1c_2c_3c_4\), after which the 5-bit key segment \(k_3k_4k_5k_6k_7\) is XORed with the 5-bit value \(c_0c_1c_2c_3c_4\).
NX Module The only nonlinear operation in Generator1 is the NX Module. For Shadow32, the 8-bit key segment \(k_{56}k_{57}\ldots k_{62}k_{63}\) passes through the NX Module, which operates according to the following principle:
Permutation After AddRoundConstant and the NX Module have been executed in Generator1, the Permutation is applied to the 64-bit key. As shown in Table 2, \(p_i\) denotes the position index before the Permutation, while \(p{'}_i\) denotes the position index after the Permutation.
For Shadow64, the 128-bit primary key K is written as \(k_0k_1k_2\ldots k_{126}k_{127}\) and enters Generator2. Generator2 also consists of three operations, i.e. AddRoundConstant, NX Module, and Permutation. In Generator2, the round constant r is first expanded into its binary representation \(c_0c_1c_2c_3c_4c_5\), which is XORed with the 6-bit key segment \(k_2k_3k_4k_5k_6k_7\). Subsequently, the NX Module is applied to the 24-bit key segment \(k_{104}k_{105}\ldots k_{126}k_{127}\), followed by the Permutation operation on the whole 128-bit key. This yields the subkey \(K{'}\) of the first round, whose first 64 bits are partitioned into four equal-sized segments for the round key XOR operation. \(K{'}\) is then fed back into Generator2 to derive the round keys until the encryption is completed. The principle of Generator2 is the same as that of Generator1, but with different numbers of bits. The detailed Permutation is given in Table 3, and the NX Module operates according to the following principle:
Impossible differential cryptanalysis
Impossible differential cryptanalysis is a variant of differential cryptanalysis, proposed by Knudsen (1998) and by Biham et al. (1999). As opposed to classical differential cryptanalysis, which utilizes a high-probability differential characteristic, impossible differential cryptanalysis utilizes a zero-probability differential characteristic to recover keys. Its basic idea is to exclude wrong keys that lead to a zero-probability difference and then recover the correct key by exhausting the candidate keys. Impossible differential cryptanalysis comprises two phases: the search for impossible differential distinguishers, and key recovery. The key to impossible differential analysis is to find the distinguisher covering the largest number of rounds, as a higher number of rounds indicates weaker resistance against impossible differential attacks. The traditional search for impossible differential distinguishers describes the propagation of the difference through the block cipher; but since the propagation of a difference through nonlinear components is uncertain, this approach cannot take the details of the nonlinear components and the key schedule into account.
Definition 1
(Block Cipher) Let \({\mathbb {F}}_2\) be the binary field, and \({\mathbb {F}}^m_2\) and \({\mathbb {F}}^t_2\) be the m-dimensional and t-dimensional vector spaces over \({\mathbb {F}}_2\), respectively. If the plaintext \(P \in {\mathbb {F}}^m_2\), the ciphertext \(C \in {\mathbb {F}}^m_2\), and the master key \(K \in {\mathbb {F}}^t_2\), then the iterative block cipher \(E^m_K\) with \({\mathbb {F}}^m_2\) as the plaintext space (and ciphertext space) and \({\mathbb {F}}^t_2\) as the key space is
Definition 2
(Impossible Differential Distinguisher) For an iterative block cipher \(E^m_K\), let \(\alpha \in {\mathbb {F}}^m_2\) be the input difference and \(\beta \in {\mathbb {F}}^m_2\) be the r-round output difference. If the differential propagation probability \(Pr(\alpha \rightarrow \beta )=0\), then \(\alpha \nrightarrow \beta\) is an r-round impossible differential distinguisher.
Since the input difference can be obtained by XORing two input states, Hu et al. (2020) characterize the propagation of the difference by describing the propagation of two sets of initial states. That is, given two input states \((x^0_0,x^0_1)\), perform r-round encryption and obtain two state propagation traces, i.e. \((x^0_0,x^1_0,x^2_0,\ldots ,x^{r}_0)\) and \((x^0_1,x^1_1,x^2_1,\ldots ,x^{r}_1)\); then \(x^i_0 \oplus x^i_1\ (0 \le i \le r)\) gives the input difference and the output difference of each round, i.e. the differential characteristic \((\triangle x^0,\triangle x^1,\ldots ,\triangle x^{r})\). Compared to traditional impossible differential analysis, impossible differential analysis based on the propagation of the state not only takes the details of nonlinear components into account but also allows the impact of the key schedule to be considered.
Definition 3
(Impossible Differential Distinguisher Based on the Propagation of State) For an iterative block cipher \(E^m_K\), if for all \((x_0,x_1) \in \{(a_0,a_1) \in {\mathbb {F}}^m_2 \times {\mathbb {F}}^m_2 \mid a_0 \oplus a_1=\alpha \}\), where \(\alpha\) is the input difference, and all \((y_0,y_1) \in \{(b_0,b_1) \in {\mathbb {F}}^m_2 \times {\mathbb {F}}^m_2 \mid b_0 \oplus b_1=\beta \}\), where \(\beta\) is the output difference, we have \(E^r_K(x_0) \oplus E^r_K(x_1) \ne y_0 \oplus y_1\), i.e. the differential propagation probability \(Pr(\alpha \rightarrow \beta )=0\), then \(\alpha \nrightarrow \beta\) is an r-round impossible differential distinguisher based on the propagation of state.
The following procedure uses an obtained \((r-1)\)-round impossible differential distinguisher to recover the r-round key.
Find an \((r-1)\)-round impossible differential distinguisher \(\alpha \nrightarrow \beta\);
Select plaintext pairs \((P,{\hat{P}})\) with \(P \oplus {\hat{P}}=\alpha\), encrypt them for r rounds and obtain the ciphertext pairs \((C,{\hat{C}})\);
Guess possible values of the r-round key \(k_r\). For each possible value of \(k_r\), decrypt the ciphertexts C and \({\hat{C}}\) by one round to obtain \((D,{\hat{D}})\). Check whether \(D \oplus {\hat{D}}=\beta\) holds; if it does, the guessed key is wrong;
Repeat the above steps until only the correct key remains.
Assume that a K-bit key is recovered by the above attack and that each plaintext pair eliminates a fraction \(2^{-t}\) of the key information. To ensure that the correct key is uniquely determined, the required number of plaintext pairs N must satisfy
When t is relatively large, it gives
The above equation shows that, when performing an impossible differential attack, the data complexity is almost independent of the number of guessed key bits; the main factor is the amount of key information that each plaintext pair can eliminate.
SAT problem
The Boolean Satisfiability Problem (SAT) is a foundational computational problem in computer science and mathematical logic. It asks whether a given Boolean formula, composed of Boolean variables and logical operators such as AND, OR, and NOT, can be assigned truth values that satisfy the formula. STP is a publicly available solver for such problems. Its input is expected to be a file with the “.stp” extension, written in the CVC language format.
When solving a SAT problem, the first step is to construct a model in the CVC language and save it as a file with the “.stp” extension. The STP solver is then invoked on this file. If STP returns “Valid.”, the target problem has no solution; otherwise, it returns a solution of the target problem together with “Invalid.”. For more details about the STP solver and the CVC language, please refer to https://stp.github.io/.
The following CVC terms are used in this paper:
1. ASSERT(): the assertion command.
2. BITVECTOR(n): declare a variable as an n-bit vector.
3. \(t_1@t_2@\ldots @t_m\): the concatenation operation.
4. \(t_1 \,\&\, t_2 \,\&\, \ldots \,\&\, t_m\): the bitwise AND operation.
5. \(BVXOR(t_1,t_2)\): the bitwise XOR operation.
Automatic search for impossible differential distinguisher
In this section, we use the SAT method to automatically search for impossible differential distinguishers based on the propagation of the state, and find a full-round impossible differential distinguisher of Shadow32.
Bit-oriented SAT model based on the propagation of the state
In this subsection, we will demonstrate the process of constructing the SAT model for searching impossible differential distinguishers based on the propagation of the state.
According to Definition 3, the modeling process consists of two steps: the first describes the propagation of the two sets of states under r rounds of iteration, and the second obtains the input difference and the r-round output difference by XORing the two sets of states and assigns them the given values. For the first step, the core is to model the propagation of the state under the basic operations. Since Shadow uses ARX operations and is bit-oriented, we use the CVC language to generate statements for the propagation of the state under bit-oriented COPY, bit-oriented AND, bit-oriented Rotation, and bit-oriented XOR. For the second step, we use the CVC language to generate statements for the computation of the difference and the constraints on the difference.
Model 1
(COPY) Let F be a COPY function, where the input state is \(x \in {\mathbb {F}}^q_2\) and the outputs \(y^0,y^1,\ldots ,y^{t-1} \in {\mathbb {F}}^q_2\) are calculated as \((y^0,y^1,\ldots ,y^{t-1})=(x,x,\ldots ,x)\). In bit-vector form, \(x=(x_0,\ldots ,x_{q-1})\) and \(y^i=(y^i_0,y^i_1,\ldots ,y^i_{q-1})\), where \(x_j,y^i_j \in {\mathbb {F}}_2\), \(0\le j \le q-1\) and \(0 \le i \le t-1\). Then, the propagation of the state under the COPY operation is modeled in CVC format as
The COPY operation is usually omitted in practical modeling because the value of the state remains unchanged after the COPY operation.
Model 2
(XOR) Let F be an XOR function, where the two input states are \(x,y \in {\mathbb {F}}^q_2\) and the output \(z \in {\mathbb {F}}^q_2\) is calculated as \(z=x \oplus y\). In bit-vector form, \(x=(x_0,x_1,\ldots ,x_{q-1})\), \(y=(y_0,y_1,\ldots ,y_{q-1})\) and \(z=(z_0,z_1,\ldots ,z_{q-1})\), where \(x_j,y_j,z_j \in {\mathbb {F}}_2\) and \(0\le j \le q-1\). Then, the propagation of the state under the XOR operation is modeled in CVC format as
Model 3
(AND) Let F be an AND function, where the two input states are \(x,y \in {\mathbb {F}}^q_2\) and the output \(z \in {\mathbb {F}}^q_2\) is calculated as \(z=x\ \&\ y\). In bit-vector form, \(x=(x_0,x_1,\ldots ,x_{q-1})\), \(y=(y_0,y_1,\ldots ,y_{q-1})\) and \(z=(z_0,z_1,\ldots ,z_{q-1})\), where \(x_j,y_j,z_j \in {\mathbb {F}}_2\) and \(0\le j \le q-1\). Then, the propagation of the state under the AND operation is modeled in CVC format as
Model 4
(Rotation) Let F be a Rotation function, where the input state is \(x \in {\mathbb {F}}^q_2\) and the output \(y \in {\mathbb {F}}^q_2\) is calculated as \(y=x \lll n\), where n is a constant. In bit-vector form, \(x=(x_0,x_1,\ldots ,x_{q-1})\) and \(y=(y_0,y_1,\ldots ,y_{q-1})\), where \(x_j,y_j\in {\mathbb {F}}_2\) and \(0\le j \le q-1\). Then, the propagation of the state under the Rotation operation is modeled in CVC format as
Computation of difference Let \((x^0,{\hat{x}}^0) \in {\mathbb {F}}^q_2 \times {\mathbb {F}}^q_2\) be the two initial states; after r rounds of propagation, the r-round states \((x^r,{\hat{x}}^r)\) are obtained. By \(\triangle x^0= x^0 \oplus {\hat{x}}^0\) and \(\triangle x^r= x^r \oplus {\hat{x}}^r\) we obtain the input difference \(\triangle x^0\) and the r-round output difference \(\triangle x^r\). In bit-vector form, \(A=(A_0,A_1,\ldots ,A_{q-1})\) for each \(A \in \{x^0,{\hat{x}}^0,x^r,{\hat{x}}^r,\triangle x^0,\triangle x^r\}\). Then, the computation of the input difference and the r-round output difference is described in CVC format as
Constraints on difference Let the input difference be \(\triangle x^0=\alpha\) and the r-round output difference be \(\triangle x^r=\beta\), where \(\alpha , \beta \in {\mathbb {F}}^q_2\) are the given values. In bit-vector form, \(\alpha =(\alpha _0,\alpha _1,\ldots ,\alpha _{q-1})\) and \(\beta =(\beta _0,\beta _1,\ldots ,\beta _{q-1})\), where \(\alpha _j,\beta _j\in {\mathbb {F}}_2\) and \(0\le j \le q-1\). Then, the constraints on the input difference and the output difference are described in CVC format as
The search algorithm for impossible differential distinguishers of Shadow
In this subsection, we show how to automatically seek impossible differential distinguishers. The automated search method consists of two phases: a statement generation phase and an impossible differential distinguisher search phase. In the statement generation phase, Algorithm 2 automatically generates statements describing how the input difference \(\triangle x^0\) propagates to the r-round output difference \(\triangle x^r\) with \(\triangle x^0=\alpha\) and \(\triangle x^r=\beta\), and saves these statements to a file. In the search phase, Algorithm 3 invokes STP to solve the file generated by Algorithm 2 and determines whether an impossible differential distinguisher exists by traversing sets of input and output differences satisfying certain conditions.
For Shadow, Algorithm 3 gives the overall framework for searching impossible differential distinguishers, i.e., the Main function; Algorithm 2 models the propagation of a given input difference to a given output difference, i.e., the Generate function. The inputs to Algorithm 3 are the input difference set Id and the output difference set Od, where \(Id=\{\alpha \in {\mathbb {F}}^m_2 \mid wt(\alpha )=1\}\) and \(Od=\{\beta \in {\mathbb {F}}^m_2 \mid wt(\beta )=1\}\), i.e., Id and Od are the sets of all input and output differences of weight 1. For each \(\alpha \in Id\) and \(\beta \in Od\), Algorithm 3 first invokes Algorithm 2 to generate the file describing the propagation of \(\alpha\) to \(\beta\), then invokes STP to solve the file; if STP returns “Valid.”, then \((\alpha ,\beta )\) is an impossible differential distinguisher and the algorithm terminates, otherwise it continues to traverse Id and Od.
We present some specific explanations of Algorithm 2 as follows.
Lines 1–3. Here \(x=(x^0,\ldots ,x^r)\) and \({\hat{x}}=({\hat{x}}^0,\ldots ,{\hat{x}}^r)\), where \(x^i,{\hat{x}}^i \in {\mathbb {F}}^m_2\). Declare the state variables \(x^i_j\) and \({\hat{x}}^i_j\) as 1-bit variables, where \(0 \le i \le r\) and \(0 \le j \le m-1\). Declare the intermediate variables and the difference variables as 1-bit variables as well.
Lines 4–7. Using the propagation rules given for each operation, model the propagation of \(x^0\) to \(x^r\) and of \({\hat{x}}^0\) to \({\hat{x}}^r\), introducing intermediate variables as needed.
Lines 8–9. Based on the modeling of the computation of the difference and the constraints on the difference, generate the corresponding statements.
Lines 10–11. The statements “QUERY(FALSE);” and “COUNTEREXAMPLE;” must be appended at the end of the file, because they are required to solve a SAT problem with STP. With these two statements, if STP returns “Valid.”, the SAT problem has no solution; otherwise it returns a solution together with “Invalid.”.
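As an added illustration (not the paper's Algorithm 2 or its released code), the following Python generator emits a CVC model of the kind described above: both state traces through r rounds of the Shadow round structure, the XORs that form \(\triangle x^0\) and \(\triangle x^r\), the constraints \(\triangle x^0=\alpha\) and \(\triangle x^r=\beta\), and the closing “QUERY(FALSE);” and “COUNTEREXAMPLE;” lines. It assumes 8-bit branches modelled as BITVECTOR(8) words instead of the page's 1-bit variables, a SIMON-like ARX f chosen only for illustration (the page's definition of f did not survive extraction), and subkeys left as free variables rather than derived from the key schedule.

```python
W = 8                                   # ASSUMED: 8-bit branches (Shadow32)


def rotl_cvc(x, n):
    """Model 4 (Rotation) for a whole word: y = x <<< n written with the
    extraction x[hi:lo] and concatenation (@) operators of the CVC language."""
    n %= W
    return x if n == 0 else f"({x}[{W - 1 - n}:0] @ {x}[{W - 1}:{W - n}])"


def f_cvc(x):
    """ASSUMED f = ((x <<< 1) & (x <<< 7)) ^ (x <<< 2), expressed with the
    AND (Model 3) and XOR (Model 2) statements; any ARX f can be substituted."""
    return f"BVXOR(({rotl_cvc(x, 1)} & {rotl_cvc(x, 7)}), {rotl_cvc(x, 2)})"


def round_cvc(t, i, last):
    """Statements propagating trace t ("x" or "xh") from round i-1 to round i.
    Names: {t}{i}_j is branch j of the round-i state, {t}{i}_pj the half-round
    value Pj, key{i}_j the subkey word (shared by both traces)."""
    L0, L1, R0, R1 = (f"{t}{i - 1}_{j}" for j in range(4))
    P0, P1 = f"{t}{i}_p0", f"{t}{i}_p1"
    out = [
        f"ASSERT({P0} = BVXOR(BVXOR({f_cvc(L0)}, {L1}), key{i}_0));",
        f"ASSERT({P1} = BVXOR(BVXOR({f_cvc(R0)}, {R1}), key{i}_1));",
        f"ASSERT({t}{i}_1 = BVXOR(BVXOR({f_cvc(P0)}, {L0}), key{i}_2));",
        f"ASSERT({t}{i}_3 = BVXOR(BVXOR({f_cvc(P1)}, {R0}), key{i}_3));",
    ]
    if last:                            # no data exchange in the last round
        out += [f"ASSERT({t}{i}_0 = {P0});", f"ASSERT({t}{i}_2 = {P1});"]
    else:                               # left/right data exchange
        out += [f"ASSERT({t}{i}_0 = {P1});", f"ASSERT({t}{i}_2 = {P0});"]
    return out


def generate_cvc(r, alpha, beta):
    """Build the r-round model for input difference alpha and output
    difference beta (4-tuples of byte values). Declarations correspond to
    lines 1-3 of Algorithm 2, the two traces to lines 4-7, the differences
    and their constraints to lines 8-9, and the closing query to lines 10-11."""
    names = [f"{t}{i}_{j}" for t in ("x", "xh") for i in range(r + 1) for j in range(4)]
    names += [f"{t}{i}_p{j}" for t in ("x", "xh") for i in range(1, r + 1) for j in range(2)]
    names += [f"key{i}_{j}" for i in range(1, r + 1) for j in range(4)]
    names += [f"d{i}_{j}" for i in (0, r) for j in range(4)]
    lines = [", ".join(names) + f" : BITVECTOR({W});"]
    for i in range(1, r + 1):
        for t in ("x", "xh"):
            lines += round_cvc(t, i, last=(i == r))
    for i, given in ((0, alpha), (r, beta)):
        for j in range(4):
            lines.append(f"ASSERT(d{i}_{j} = BVXOR(x{i}_{j}, xh{i}_{j}));")
            lines.append(f"ASSERT(d{i}_{j} = 0bin{given[j]:0{W}b});")
    lines += ["QUERY(FALSE);", "COUNTEREXAMPLE;"]
    return "\n".join(lines) + "\n"


def count_asserts(model):
    """Number of ASSERT statements in a generated model (12 per round + 16)."""
    return sum(line.startswith("ASSERT(") for line in model.splitlines())


if __name__ == "__main__":
    # Constructed query: does (0x80,0,0,0) reach (0x40,0,0,0) after 2 rounds?
    print(generate_cvc(2, (0x80, 0, 0, 0), (0x40, 0, 0, 0)))
```

Saving the output as a “.stp” file and running STP on it performs one iteration of Algorithm 3 for the chosen \((\alpha,\beta)\); “Valid.” means no state pair (and no subkey sequence) realises that transition.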
Experimental results In practice, we implemented Algorithms 2 and 3 using Python 3.8 and CryptoMiniSat. It took approximately 41 hours to find a full-round impossible differential distinguisher of Shadow32, i.e. \((0x80000000) \nrightarrow (0x40000000)\). The impossible differential distinguishers from the 1st to the 16th round and the time consumption are shown in Table 4. All experiments were run on the following platform: Intel(R) Xeon(R) CPU E5-2650 v4 @ 2.20GHz × 48, 503.8G RAM, 64-bit Ubuntu 20.04.6 LTS, using 4 threads. For convenience, all source code is available at https://github.com/VanyaW/myproject.
From the experimental results, we find that Shadow may have an impossible differential distinguisher for an arbitrary number of rounds, which is proved theoretically in the next section. Since the method is limited by the block size and the number of rounds, we have not conducted experiments on Shadow64 within the available time and resources, but the next section proves theoretically the existence of an impossible differential distinguisher for an arbitrary number of rounds of Shadow64.
A proof of impossible differential distinguishers for an arbitrary number of rounds
In this section, we will prove that Shadow has a differential property with probability 1 based on the propagation of state, then we can get an impossible differential distinguisher for an arbitrary number of rounds of Shadow.
Theorem 1
For r-round Shadow, if for any two input states \((L^0_0,L^0_1,R^0_0,R^0_1) \in {\mathbb {F}}^m_2\) and \(({\hat{L}}^0_0,{\hat{L}}^0_1,{\hat{R}}^0_0,{\hat{R}}^0_1) \in {\mathbb {F}}^m_2\) with input difference \((\triangle L^{0}_0,\triangle L^{0}_1,\triangle R^{0}_0,\triangle R^{0}_1)\), encrypting both states for r rounds gives the output difference \((\triangle L^{r}_0,\triangle L^{r}_1,\triangle R^{r}_0,\triangle R^{r}_1)\), then we have
Proof
To analyze the overall structure of Shadow more intuitively, we simplify it to Fig. 3, which depicts any two consecutive rounds of the RN-round Shadow encryption process. The red line in Fig. 3 represents the differential relationship shown in Eq. (3), and the green line in Fig. 3 represents another differential relationship shown in Eq. (4). Let the two input states of the \((i-1)\)th round be
Then we have the \((i-1)\)th round input difference
Correspondingly, the output difference of the \((i-1)\)th round is
and the output difference of the ith round is
From the red line of Fig. 3, we have
and
Combining (1) and (2), we get
Similarly, another input state holds
Thus, the difference \(\triangle L^{i}_0\) satisfies
Similarly, from the green line of Fig. 3, we find
Similarly, another input state holds
Thus, the difference \(\triangle R^{i}_0\) satisfies
Finally, XORing (3) and (4), we obtain
As the number of rounds i is arbitrary and \(i \ge 2\), if i is even, then
if i is odd, then
and complete the proof. \(\square\)
Based on Theorem 1 and Definition 3, we can obtain Corollary 1.
Corollary 1
For an arbitrary r-round Shadow, let the input difference be \((\triangle L^{0}_0,\triangle L^{0}_1,\triangle R^{0}_0,\triangle R^{0}_1)\) and the corresponding output difference be \((\triangle L^{r}_0,\triangle L^{r}_1,\triangle R^{r}_0,\triangle R^{r}_1)\). If \(\triangle L^{0}_0 \oplus \triangle R^{0}_0 \ne \triangle L^{r}_0 \oplus \triangle R^{r}_0\) \((r=2n)\) or \(\triangle L^{1}_0 \oplus \triangle R^{1}_0 \ne \triangle L^{r}_0 \oplus \triangle R^{r}_0\) \((r=2n+1)\), then \((\triangle L^{0}_0,\triangle L^{0}_1,\triangle R^{0}_0,\triangle R^{0}_1) \nrightarrow (\triangle L^{r}_0,\triangle L^{r}_1,\triangle R^{r}_0,\triangle R^{r}_1)\) is an impossible differential distinguisher of Shadow.
Key recovery attack on full-round Shadow32/64
In this section, we use a concrete N-round impossible differential distinguisher, valid for arbitrary N, to perform key recovery on \((N+1)\)-round Shadow32 and \((N+1)\)-round Shadow64, respectively.
Key recovery attack on full-round Shadow32
Theorem 2
(N-round Impossible Differential Distinguisher of Shadow32) In the single-key model, Shadow32 has an N-round impossible differential distinguisher for arbitrary N, i.e.
where the Nth round includes the data exchange.
Proof
First, we have \(\triangle L^{0}_0=10000000,\) \(\triangle R^{0}_0=00000000,\triangle L^{N}_0=01000000,\triangle R^{N}_0=00000000\).

(1) When \(N=2n\) \((n>0)\): by Theorem 1 and Corollary 1, since \(\triangle L^{0}_0 \oplus \triangle R^{0}_0 \ne \triangle L^{N}_0 \oplus \triangle R^{N}_0,\) a contradiction is found.

(2) When \(N=2n+1\) \((n>0)\): after the difference propagates through the first round, the output difference \((\triangle L^{1}_0,\triangle L^{1}_1,\triangle R^{1}_0,\triangle R^{1}_1)\) is \((00000000,*0*01***,0*00001*,00000000)\); by Theorem 1 and Corollary 1, since \(\triangle L^{1}_0 \oplus \triangle R^{1}_0 \ne \triangle L^{N}_0 \oplus \triangle R^{N}_0,\) a contradiction is found.
\(\hfill\square\)
Next, based on the N-round impossible differential distinguisher, we append one round after it and guess that round's key to perform key recovery on \((N+1)\)-round Shadow32. The propagation of the difference during the key recovery is depicted in Fig. 4. The specific key recovery process is as follows.

Step 1 Let the plaintext difference be
$$\begin{aligned} \triangle x^0&=(\triangle L^0_0,\triangle L^0_1,\triangle R^0_0,\triangle R^0_1)\\ \triangle L^0_0&=(10000000)\\ \triangle L^0_1&=(00000000)\\ \triangle R^0_0&=(00000000)\\ \triangle R^0_1&=(00000000). \end{aligned}$$
Define the following plaintext structure:
$$\begin{aligned} x^0&=(L^0_0,L^0_1,R^0_0,R^0_1)\\ L^0_0&=(\alpha _1\alpha _2\alpha _3\alpha _4\alpha _5\alpha _6\alpha _7\alpha _8)\\ L^0_1&=(\alpha _9\alpha _{10}\alpha _{11}\alpha _{12}\alpha _{13}\alpha _{14}\alpha _{15}\alpha _{16})\\ R^0_0&=(\alpha _{17}\alpha _{18}\alpha _{19}\alpha _{20}\alpha _{21}\alpha _{22}\alpha _{23}\alpha _{24})\\ R^0_1&=(\alpha _{25}\alpha _{26}\alpha _{27}\alpha _{28}\alpha _{29}\alpha _{30}\alpha _{31}\alpha _{32}), \end{aligned}$$
where each \(\alpha _i\) \((1 \le i \le 32)\) is a constant. The plaintexts of one structure form 2 plaintext pairs. Select \(2^n\) plaintext structures, giving \(2^{n+1}\) plaintext pairs \((x^{0},{\hat{x}}^{0})\). After \(N+1\) rounds of encryption, obtain the corresponding ciphertext pairs \((x^{N+1},{\hat{x}}^{N+1})\).

Step 2 Select the ciphertext pairs whose difference has the following form:
$$\begin{aligned} \begin{array}{l} \triangle x^{N+1}=(\triangle L^{N+1}_0,\triangle L^{N+1}_1,\triangle R^{N+1}_0,\triangle R^{N+1}_1)\\ \triangle L^{N+1}_0=(*0*00001)\\ \triangle L^{N+1}_1=(**0*01**)\\ \triangle R^{N+1}_0=(00000000)\\ \triangle R^{N+1}_1=(00000000), \end{array} \end{aligned}$$
where \(* \in F_2\). Since \(2^7\) ciphertext differences satisfy the above form, the probability that a pair passes is \(2^7 \times 2^{-32}=2^{-25}.\) After screening, \(2^{n+1} \times 2^{-25}=2^{n-24}\) ciphertext pairs remain.

Step 3 Guess the 16-bit key of the \((N+1)\)th round, i.e. \(key^{N+1}_2\) and \(key^{N+1}_0\). Then decrypt each ciphertext pair from Step 2 by one round and obtain \((\triangle L^{N}_0,\triangle L^{N}_1)\). Check whether \(\triangle L^{N}_0=01000000\) and \(\triangle L^{N}_1=00000000\) hold; if they do, the guessed key is wrong and is excluded. Repeat the above steps until only the correct key remains.
Complexity analysis After Step 3, the expected number of wrong keys that survive is approximately \((2^{16}-1) \times (1-2^{-1})^{2^{n-24}}\). When \(n=28\), \((2^{16}-1) \times (1-2^{-1})^{2^{n-24}}<1\), so all wrong keys can be excluded. Boura et al. (2014) showed that the data complexity is \(2^{n+\triangle_{in}+1}\), where \(\triangle_{in}\) is the number of active bits in the plaintext difference. So the data complexity is \(2^{28+1+1}=2^{30}\). Step 3 requires \(2^{n-24} \times 2^{16} \times 2=2^{21}\) one-round encryptions; in addition, the remaining 48 bits of the master key must be searched exhaustively, so the time complexity required to recover the full key is \(2^{21}/(N+1)+2^{48} \approx 2^{48}\) \((N+1)\)-round encryptions. Since Step 2 requires storing \(2^{n-24}=2^4\) ciphertext pairs and \(2^{16}\) candidate keys, and the exhaustive search of 48 bits requires storage of \(2^{48}\), the memory complexity required to recover the full key is \((2^{4}+2^{16}+2^{48})/32 \approx 2^{43}\) 32-bit blocks.
In summary, for Shadow32 the number of rounds is 16 and N is 15. A full-round impossible differential attack on Shadow32 requires \(2^{30}\) data complexity, \(2^{48}\) 16-round encryptions time complexity and \(2^{43}\) 32-bit blocks memory complexity.
Key recovery attack on full-round Shadow64
Theorem 3
(N-round Impossible Differential Distinguisher of Shadow64) In the single-key model, Shadow64 has an N-round impossible differential distinguisher for arbitrary N, i.e.
where the Nth round includes the data exchange.
Proof
The proof of Theorem 3 is similar to that of Theorem 2. First, we have \(\triangle L^{0}_0=1000000000000000,\) \(\triangle R^{0}_0=0000000000000000,\triangle L^{N}_0=0100000000000000,\) \(\triangle R^{N}_0=0000000000000000\).

(1) When \(N=2n\) \((n>0)\): by Theorem 1 and Corollary 1, since \(\triangle L^{0}_0 \oplus \triangle R^{0}_0 \ne \triangle L^{N}_0 \oplus \triangle R^{N}_0,\) a contradiction is found.

(2) When \(N=2n+1\) \((n>0)\): after the difference propagates through the first round, the output difference \((\triangle L^{1}_0,\triangle L^{1}_1,\triangle R^{1}_0,\) \(\triangle R^{1}_1)\) is \((0000000000000000,10*0000**000***0,000000000*0000**,0000000000000000)\); by Theorem 1 and Corollary 1, since \(\triangle L^{1}_0 \oplus \triangle R^{1}_0 \ne \triangle L^{N}_0 \oplus \triangle R^{N}_0,\) a contradiction is found.
\(\square\)
Next, based on the N-round impossible differential distinguisher, we append one round after it and guess that round's key to perform key recovery on \((N+1)\)-round Shadow64. The propagation of the difference during the key recovery is shown in Fig. 5. The specific key recovery process is as follows.

Step 1 Let the plaintext difference be
$$\begin{aligned} \triangle x^0&=(\triangle L^0_0,\triangle L^0_1,\triangle R^0_0,\triangle R^0_1)\\ \triangle L^0_0&=(1000000000000000)\\ \triangle L^0_1&=(0000000000000000)\\ \triangle R^0_0&=(0000000000000000)\\ \triangle R^0_1&=(0000000000000000). \end{aligned}$$
Define the following plaintext structure:
$$\begin{aligned} x^0&=(L^0_0,L^0_1,R^0_0,R^0_1)\\ L^0_0&=(\alpha _1\alpha _2\ldots \alpha _{15}\alpha _{16})\\ L^0_1&=(\alpha _{17}\alpha _{18}\ldots \alpha _{31}\alpha _{32})\\ R^0_0&=(\alpha _{33}\alpha _{34}\ldots \alpha _{47}\alpha _{48})\\ R^0_1&=(\alpha _{49}\alpha _{50}\ldots \alpha _{63}\alpha _{64}), \end{aligned}$$
where each \(\alpha _i\) \((1 \le i \le 64)\) is a constant. The plaintexts of one structure form 2 plaintext pairs. Select \(2^n\) plaintext structures, giving \(2^{n+1}\) plaintext pairs. After \(N+1\) rounds of encryption, obtain the corresponding ciphertext pairs \((x^{N+1},{\hat{x}}^{N+1})\).

Step 2 Select the ciphertext pairs whose difference has the following form:
$$\begin{aligned} \begin{array}{l} \triangle x^{N+1}=(\triangle L^{N+1}_0,\triangle L^{N+1}_1,\triangle R^{N+1}_0,\triangle R^{N+1}_1)\\ \triangle L^{N+1}_0=(*000000000*0000*)\\ \triangle L^{N+1}_1=(010*0000**000***)\\ \triangle R^{N+1}_0=(0000000000000000)\\ \triangle R^{N+1}_1=(0000000000000000), \end{array} \end{aligned}$$
where \(* \in F_2\). Since \(2^9\) ciphertext differences satisfy the above form, the probability that a pair passes is \(2^9 \times 2^{-64}=2^{-55}.\) After screening, \(2^{n+1} \times 2^{-55}=2^{n-54}\) ciphertext pairs remain.

Step 3 Guess the 32-bit key of the \((N+1)\)th round, i.e. \(key^{N+1}_2\) and \(key^{N+1}_0\). Then decrypt each ciphertext pair from Step 2 by one round and obtain \((\triangle L^{N}_0,\triangle L^{N}_1)\). Check whether \(\triangle L^{N}_0=0100000000000000\) and \(\triangle L^{N}_1=0000000000000000\) hold; if they do, the guessed key is wrong and is excluded. Repeat the above steps until only the correct key remains.
Complexity analysis After Step 3, the expected number of wrong keys that survive is approximately \((2^{32}-1) \times (1-2^{-1})^{2^{n-54}}\). When \(n=59\), \((2^{32}-1) \times (1-2^{-1})^{2^{n-54}}<1\), so all wrong keys can be excluded. Boura et al. (2014) showed that the data complexity is \(2^{n+\triangle_{in}+1}\), where \(\triangle_{in}\) is the number of active bits in the plaintext difference. So the data complexity is \(2^{59+1+1}=2^{61}\). Step 3 requires \(2^{n-54} \times 2^{32} \times 2=2^{38}\) one-round encryptions; in addition, the remaining 96 bits of the master key must be searched exhaustively, so the time complexity required to recover the full key is \(2^{38}/(N+1)+2^{96} \approx 2^{96}\) \((N+1)\)-round encryptions. Since Step 2 requires storing \(2^{n-54}=2^5\) ciphertext pairs and \(2^{32}\) candidate keys, and the exhaustive search of 96 bits requires storage of \(2^{96}\), the memory complexity required to recover the full key is \((2^{5}+2^{32}+2^{96})/64 \approx 2^{90}\) 64-bit blocks.
For Shadow64, the number of rounds is 32 and N is 31. A full-round impossible differential attack requires \(2^{61}\) data complexity, \(2^{96}\) 32-round encryptions time complexity and \(2^{90}\) 64-bit blocks memory complexity. It is worth noting that simply increasing the number of iterated rounds of Shadow cannot resist the impossible differential attack.
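The following Python script is an added illustration of the bookkeeping behind the Shadow32 and Shadow64 key recoveries above; it is not code from the paper, and it deliberately does not implement Shadow's round function, which this page does not reproduce. It checks the even-round condition of Corollary 1 on the differences used in the proofs of Theorems 2 and 3 (case (1)), applies the wildcard ciphertext filter of Step 2, and recomputes the figures of the two "Complexity analysis" paragraphs from the filter patterns alone: the minimal n for which \((2^{k}-1)(1-2^{-1})^{\text{pairs}}<1\), the data complexity \(2^{n+\triangle_{in}+1}\), the number of one-round encryptions in Step 3 and the size of the remaining exhaustive search. Function names are my own, and the master key sizes (64 bits for Shadow32, 128 bits for Shadow64) are assumed from the 16 + 48 and 32 + 96 splits stated in the text.

```python
"""Complexity bookkeeping for the impossible-differential key recovery on
Shadow32/64 (added illustration; not the paper's code, no Shadow round function).

Bit strings are written left to right exactly as in the paper, e.g. "10000000".
"""


def xor_bits(a, b):
    """XOR two equal-length bit strings made of '0'/'1' characters."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def is_impossible_even_rounds(dL0, dR0, dLr, dRr):
    """Corollary 1 for r = 2n: the input difference cannot reach the output
    difference when dL0 ^ dR0 != dLr ^ dRr, because the probability-1 property
    of Theorem 1 forces equality for every even number of rounds."""
    return xor_bits(dL0, dR0) != xor_bits(dLr, dRr)


def matches_pattern(diff, pattern):
    """Step 2 filter on one word: '*' accepts either bit, '0'/'1' must match."""
    return len(diff) == len(pattern) and all(
        p == "*" or p == d for d, p in zip(diff, pattern))


def survives_filter(diff, pattern):
    """Step 2 filter on a whole (dL0, dL1, dR0, dR1) ciphertext difference."""
    return len(diff) == len(pattern) and all(
        matches_pattern(d, p) for d, p in zip(diff, pattern))


def filter_log2_probability(pattern):
    """log2 of the fraction of ciphertext differences accepted by the filter:
    2^(#wildcards) admissible values out of 2^(block size)."""
    wildcards = sum(p.count("*") for p in pattern)
    block_size = sum(len(p) for p in pattern)
    return wildcards - block_size


def attack_parameters(pattern, guessed_key_bits, master_key_bits, active_bits=1):
    """Reproduce the paper's complexity estimates for one filter pattern.

    Returns the minimal n (log2 of the number of plaintext structures) such that
    the expected number of surviving wrong keys (2^k - 1) * (1 - 2^-1)^pairs is
    below 1, together with the derived log2 data / time / key-space figures.
    """
    p = filter_log2_probability(pattern)
    n = 0
    while True:
        pairs_log2 = n + 1 + p          # 2^(n+1) pairs, each passes w.p. 2^p
        if pairs_log2 >= 0:
            wrong = (2 ** guessed_key_bits - 1) * (0.5 ** (2 ** pairs_log2))
            if wrong < 1:
                break
        n += 1
    return {
        "filter_log2_prob": p,
        "n": n,
        "surviving_pairs_log2": pairs_log2,
        # Boura et al. (2014): data complexity 2^(n + Δin + 1)
        "data_log2": n + active_bits + 1,
        # Step 3: each surviving pair is decrypted one round under every guess
        "one_round_time_log2": pairs_log2 + guessed_key_bits + 1,
        "remaining_key_bits": master_key_bits - guessed_key_bits,
    }


# Step 2 filter patterns, copied from the paper's attacks on Shadow32 and Shadow64.
SHADOW32_PATTERN = ("*0*00001", "**0*01**", "00000000", "00000000")
SHADOW64_PATTERN = ("*000000000*0000*", "010*0000**000***",
                    "0000000000000000", "0000000000000000")

if __name__ == "__main__":
    # Theorem 2, case (1): ΔL0^0 ⊕ ΔR0^0 = 10000000 but ΔL0^N ⊕ ΔR0^N = 01000000.
    print("Shadow32 distinguisher (even N):",
          is_impossible_even_rounds("10000000", "00000000", "01000000", "00000000"))
    # Master key sizes are assumed from the 16 + 48 / 32 + 96 bit splits in the text.
    print("Shadow32:", attack_parameters(SHADOW32_PATTERN, 16, 64))
    print("Shadow64:", attack_parameters(SHADOW64_PATTERN, 32, 128))
```

Running the script reproduces n = 28, data \(2^{30}\) and \(2^{21}\) one-round encryptions for Shadow32, and n = 59, data \(2^{61}\) and \(2^{38}\) one-round encryptions for Shadow64; the dominant terms \(2^{48}\) and \(2^{96}\) are the remaining exhaustive key searches, which is why the attack's cost is independent of the number of rounds N.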
Summary
In this paper, we focus on the differential property of Shadow and its security against the impossible differential attack. First, we use the SAT method to automatically search for a full-round impossible differential distinguisher of Shadow32. Then, based on the experimental results, we prove that Shadow has a differential property with probability 1 based on the propagation of the state. Further, we present an impossible differential distinguisher of Shadow for an arbitrary number of rounds. Finally, we use a concrete N-round impossible differential distinguisher, valid for arbitrary N, to perform key recovery on \((N+1)\)-round Shadow32 and Shadow64. For Shadow32, a 16-round full key recovery attack requires \(2^{30}\) data complexity, \(2^{48}\) 16-round encryptions time complexity and \(2^{43}\) 32-bit blocks memory complexity. For Shadow64, a 32-round full key recovery attack requires \(2^{61}\) data complexity, \(2^{96}\) 32-round encryptions time complexity and \(2^{90}\) 64-bit blocks memory complexity.
Both experimentally and theoretically, our results indicate that Shadow is critically flawed: regardless of the security strength of the internal components and the number of rounds applied, the overall cipher remains vulnerable to the impossible differential attack.
Availability of data and materials
Not applicable.
References
Abdelkhalek A, Sasaki Y, Todo Y, Tolba M, Youssef AM (2017) MILP modeling for (large) S-boxes to optimize probability of differential characteristics. IACR Trans Symmetric Cryptol 99–129
Banik S, Bogdanov A, Isobe T, Shibutani K, Hiwatari H, Akishita T, Regazzoni F (2015) Midori: a block cipher for low energy. In: Proceedings of the advances in cryptology—ASIACRYPT 2015: 21st international conference on the theory and application of cryptology and information security, Auckland, New Zealand, November 29–December 3, 2015, Part II. Springer, vol 21, pp 411–436
Beaulieu R, Shors D, Smith J, Treatman-Clark S, Weeks B, Wingers L (2015) The SIMON and SPECK lightweight block ciphers. In: Proceedings of the 52nd annual design automation conference, pp 1–6
Biham E, Shamir A (1991) Differential cryptanalysis of DES-like cryptosystems. J Cryptol 4:3–72
Biham E, Biryukov A, Shamir A (1999) Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Proceedings of the advances in cryptology, EUROCRYPT '99: international conference on the theory and application of cryptographic techniques, Prague, Czech Republic, May 2–6, 1999. Springer, vol 18, pp 12–23
Bogdanov A, Knudsen LR, Leander G, Paar C, Poschmann A, Robshaw MJ, Seurin Y, Vikkelsoe C (2007) PRESENT: an ultra-lightweight block cipher. In: Proceedings of the cryptographic hardware and embedded systems, CHES 2007: 9th international workshop, Vienna, Austria, September 10–13, 2007. Springer, vol 9, pp 450–466
Boura C, Naya-Plasencia M, Suder V (2014) Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon (full version). IACR Cryptology ePrint Archive
Cui T, Chen S, Jia K, Fu K, Wang M (2016) New automatic search tool for impossible differentials and zero-correlation linear approximations. IACR Cryptology ePrint Archive
Guo Y, Li L, Liu B (2021) Shadow: a lightweight block cipher for IoT nodes. IEEE Internet Things J 8(16):13014–13023
Hong D, Sung J, Hong S, Lim J, Lee S, Koo BS, Lee C, Chang D, Lee J, Jeong K et al (2006) HIGHT: a new block cipher suitable for low-resource device. In: Proceedings of the cryptographic hardware and embedded systems, CHES 2006: 8th international workshop, Yokohama, Japan, October 10–13, 2006. Springer, vol 8, pp 46–59
Hu X, Li Y, Jiao L, Tian S, Wang M (2020) Mind the propagation of states: new automatic search tool for impossible differentials and impossible polytopic transitions. In: Proceedings of the advances in cryptology—ASIACRYPT 2020: 26th international conference on the theory and application of cryptology and information security, Daejeon, South Korea, December 7–11, 2020, Part I. Springer, vol 26, pp 415–445
Kaur M, Yadav T, Kumar M, Dey D (2023) Full-round differential attack on ULC and LICID block ciphers designed for IoT. IACR Cryptology ePrint Archive
Knudsen L (1998) DEAL: a 128-bit block cipher. Complexity 258(2):216
Kölbl S, Leander G, Tiessen T (2015) Observations on the SIMON block cipher family. In: Proceedings of the advances in cryptology—CRYPTO 2015: 35th annual cryptology conference, Santa Barbara, CA, USA, August 16–20, 2015, Part I. Springer, vol 35, pp 161–185
Kumar M, Yadav T (2022) MILP-based differential attack on round-reduced WARP. In: Proceedings of the security, privacy, and applied cryptography engineering: 11th international conference, SPACE 2021, Kolkata, India, December 10–13, 2021. Springer, pp 42–59
Matsui M (1994) Linear cryptanalysis method for DES cipher. In: Proceedings of the advances in cryptology, EUROCRYPT '93: workshop on the theory and application of cryptographic techniques, Lofthus, Norway, May 23–27, 1993. Springer, vol 12, pp 386–397
Mouha N, Wang Q, Gu D, Preneel B (2012) Differential and linear cryptanalysis using mixed-integer linear programming. In: Information security and cryptology: 7th international conference, Inscrypt 2011, Beijing, China, November 30–December 3, 2011, revised selected papers. Springer, vol 7, pp 57–76
Sasaki Y, Todo Y (2017) New impossible differential search tool from design and cryptanalysis aspects: revealing structural properties of several ciphers. In: Proceedings of the advances in cryptology—EUROCRYPT 2017: 36th annual international conference on the theory and applications of cryptographic techniques, Paris, France, April 30–May 4, 2017, Part III. Springer, vol 36, pp 185–215
Standaert FX, Piret G, Gershenfeld N, Quisquater JJ (2006) SEA: a scalable encryption algorithm for small embedded applications. In: Proceedings of the smart card research and advanced applications: 7th IFIP WG 8.8/11.2 international conference, CARDIS 2006, Tarragona, Spain, April 19–21, 2006. Springer, vol 7, pp 222–236
Sun S, Hu L, Wang P, Qiao K, Ma X, Song L (2014) Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Proceedings of the advances in cryptology—ASIACRYPT 2014: 20th international conference on the theory and application of cryptology and information security, Kaoshiung, Taiwan, ROC, December 7–11, 2014, Part I. Springer, vol 20, pp 158–178
Sun L, Wang M (2023) SoK: modeling for large S-boxes oriented to differential probabilities and linear correlations. IACR Trans Symmetric Cryptol 111–151
Sun L, Wang W, Wang M (2017) Automatic search of bit-based division property for ARX ciphers and word-based division property. In: Proceedings of the advances in cryptology—ASIACRYPT 2017: 23rd international conference on the theory and applications of cryptology and information security, Hong Kong, China, December 3–7, 2017, Part I. Springer, vol 23, pp 128–157
Sun L, Wang W, Wang M (2021) Accelerating the search of differential and linear characteristics with the SAT method. IACR Trans Symmetric Cryptol 269–315
Wu W, Zhang L (2011) LBlock: a lightweight block cipher. In: Proceedings of the applied cryptography and network security: 9th international conference, ACNS 2011, Nerja, Spain, June 7–10, 2011. Springer, vol 9, pp 327–344
Zhu B, Dong X, Yu H (2019) MILP-based differential attack on round-reduced GIFT. In: Proceedings of the topics in cryptology—CT-RSA 2019: the cryptographers' track at the RSA conference 2019, San Francisco, CA, USA, March 4–8, 2019. Springer, pp 372–390
Acknowledgements
I would like to express my sincere gratitude to my colleagues for their invaluable support, advice, and insightful discussions during the preparation of this thesis. I also wish to extend my appreciation to the anonymous reviewers for their constructive comments and feedback.
Funding
This work was supported by the National Natural Science Foundation of China (No. 12371525).
Contributions
All the authors have equal contributions to this paper.
Ethics declarations
Competing interests
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
Cite this article
Liu, Y., Li, Y., Chen, H. et al. Full-round impossible differential attack on Shadow block cipher. Cybersecurity 6, 52 (2023). https://doi.org/10.1186/s42400-023-00184-7