Full-round impossible differential attack on shadow block cipher

Lightweight block ciphers are the essential encryption algorithms for devices with limited resources; their goal is to ensure the security of data transmission through resource-constrained devices. Impossible differential cryptanalysis is one of the most effective cryptanalysis techniques against block ciphers, and assessing a cipher's ability to resist this attack is a basic design criterion. Shadow is a lightweight block cipher proposed by Guo et al. (IEEE Internet Things J 8(16):13014–13023, 2021). It combines ARX operations with a generalized Feistel structure to overcome the weakness of the traditional Feistel structure, which diffuses only half of the state in one round. In this paper, we focus on the differential property of Shadow and its security against impossible differential cryptanalysis. First, we use the SAT method to automatically search for a full-round impossible differential distinguisher of Shadow-32. Then, based on the experimental results, we prove that Shadow has a differential property with probability 1, using the propagation of the state. From this we obtain an impossible differential distinguisher for an arbitrary number of rounds of Shadow. Finally, we perform a full key recovery attack on the full-round Shadow-32 and Shadow-64. Both experimentally and theoretically, our results indicate that Shadow is critically flawed: regardless of the security strength of the internal components and the number of rounds applied, the overall cipher remains vulnerable to impossible differential cryptanalysis.


Introduction
With the accelerated development of information technology, Internet of Things (IoT) technologies such as RFID and wireless sensors are increasingly applied in daily life, and they are often integrated into devices with limited storage and computing resources. However, traditional block ciphers are not suitable for these devices: their high software and hardware implementation requirements mean they cannot guarantee the security of data transmission there. Thus, there is a demand for lightweight block ciphers that can provide high performance and security in resource-constrained environments.
Driven by the need to protect private data on resource-constrained devices, lightweight block ciphers aim to achieve low resource utilization, low power consumption and high computational efficiency while maintaining the security of block ciphers. In line with this objective, many well-designed lightweight block ciphers have been proposed, such as SEA (Standaert et al. 2006), HIGHT (Hong et al. 2006), PRESENT (Bogdanov et al. 2007), LBlock (Wu and Zhang 2011), SIMON and SPECK (Beaulieu et al. 2015), Midori (Banik et al. 2015) and Shadow (Guo et al. 2021), among others. Moreover, security evaluation of lightweight block ciphers is essential: a newly proposed lightweight block cipher needs to be assessed for its security against the traditional cryptanalysis attacks, i.e. differential cryptanalysis (Biham and Shamir 1991), linear cryptanalysis (Matsui 1994), impossible differential cryptanalysis and others.
Impossible differential cryptanalysis was first proposed independently by Knudsen (1998) and Biham et al. (1999). It is one of the most effective cryptanalysis techniques against block ciphers, and assessing the ability to resist it is a basic design criterion. Its basic idea is to exclude wrong keys that lead to a zero-probability difference and then recover the correct key by exhausting the candidate keys. In general, impossible differential cryptanalysis consists of two phases, i.e. the search for an impossible differential distinguisher and the key recovery. The key to impossible differential analysis is to find the impossible differential distinguisher covering the largest number of rounds.
Research on automated search methods has been an important topic for the last 20 years. The first critical tool for automated search is Mixed Integer Linear Programming (MILP), which was first employed by Mouha et al. (2012) to find the minimum number of active S-boxes for word-oriented block ciphers. Later, Sun et al. (2014) extended the method from word-oriented to bit-oriented ciphers, and assessed the ability of bit-oriented block ciphers to resist the (related-key) differential attack. Since then, MILP has been widely used for the cryptanalysis of block ciphers. Cui et al. (2016) and Sasaki and Todo (2017) applied MILP to the automatic search for impossible differentials, respectively. In 2017, Abdelkhalek et al. (2017) applied MILP to block ciphers with 8-bit S-boxes. In recent years, MILP has remained a popular tool for the automated search for differential distinguishers (Zhu et al. 2019; Kumar and Yadav 2022; Kaur et al. 2023).
Another important tool for automated search relies on the Boolean Satisfiability Problem or satisfiability modulo theories (SAT/SMT). In 2012, Mouha et al. (2012) first used the SAT/SMT method to automatically seek optimal differential characteristics of Salsa20. Later, in 2015, Kölbl et al. (2015) employed the SAT/SMT method to automatically search for optimal differential and linear characteristics of SIMON. In 2017, Sun et al. (2017) automatically searched for bit-based integral distinguishers of ARX block ciphers based on the SAT/SMT method. In 2020, Hu et al. (2020) moved away from focusing on the propagation of the difference and proposed a SAT/SMT-aided search method for impossible differentials that uses the propagation of the state. Later, in 2021, Sun et al. (2021) focused on accelerating the SAT/SMT methods for finding differential and linear characteristics. In 2023, Sun and Wang (2023) developed SAT/SMT models to search for differential and linear characteristics of block ciphers with large S-boxes.

Shadow, a lightweight block cipher, was proposed by Guo et al. (2021) to protect private data transmitted through IoT nodes. Shadow utilizes a combination of ARX operations and a generalized Feistel structure, which resolves the issue that current lightweight block ciphers based on ARX operations diffuse only half of the state in one round. The security of Shadow was first evaluated by its designers. They performed impossible differential cryptanalysis and biclique cryptanalysis on Shadow, where the impossible differential attack uses a 4-round impossible differential distinguisher to mount a 7-round key recovery attack and the biclique attack constructs an 8-round biclique structure. Consequently, the designers of Shadow asserted that Shadow exhibits a high level of resistance against cryptanalysis. In this paper, we show that Shadow cannot resist impossible differential cryptanalysis, and we identify significant security weaknesses in the current design of Shadow.
Our contributions. In this paper, we focus on the differential property of Shadow and its security against impossible differential cryptanalysis. For the first time, we perform an impossible differential attack on the full-round Shadow-32 and Shadow-64. Our results indicate that Shadow is critically flawed: regardless of the security strength of the internal components and the number of rounds applied, the overall cipher remains vulnerable to impossible differential cryptanalysis. The specific results are displayed in Table 1. Our contributions can be summarized as follows.
• We use the SAT method to find a full-round impossible differential distinguisher of Shadow-32.
• We prove that Shadow has a differential property with probability 1 based on the propagation of state proposed by Hu et al. (2020), and then present an impossible differential distinguisher for an arbitrary number of rounds.
• We perform full key recovery on full-round Shadow-32 with $2^{30}$ data complexity, $2^{48}$ 16-round encryptions time complexity and $2^{43}$ 32-bit blocks memory complexity.
• We perform full key recovery on full-round Shadow-64 with $2^{61}$ data complexity, $2^{96}$ 32-round encryptions time complexity and $2^{90}$ 64-bit blocks memory complexity.

Organization. The subsequent sections of this paper are arranged as follows. Section "Preliminaries" describes the background knowledge used in this paper. Section "Automatic search for impossible differential distinguisher" shows how to automatically search for impossible differential distinguishers using the SAT method. Section "A proof of impossible differential distinguishers for an arbitrary number of rounds" proves the differential property with probability 1 of Shadow-32/64 based on the propagation of state. Full key recovery attacks on the full-round Shadow-32 and Shadow-64 are mounted in section "Key recovery attack on full-round Shadow-32/64". Finally, section "Summary" summarizes the paper.

Notation
In this subsection, we first present the following notations that are utilized throughout the paper.
• $L_0^{i-1}$: the input state of the first branch on the left of the $i$th round;
• $L_1^{i-1}$: the input state of the second branch on the left of the $i$th round;
• $R_0^{i-1}$: the input state of the first branch on the right of the $i$th round;
• $R_1^{i-1}$: the input state of the second branch on the right of the $i$th round;
• $\Delta L_0^{i-1}$: the input difference of the first branch on the left of the $i$th round;
• $\Delta L_1^{i-1}$: the input difference of the second branch on the left of the $i$th round;
• $\Delta R_0^{i-1}$: the input difference of the first branch on the right of the $i$th round;
• $\Delta R_1^{i-1}$: the input difference of the second branch on the right of the $i$th round.

Description of Shadow
Shadow combines ARX operations with a generalized Feistel structure and comes in two versions: Shadow-32 and Shadow-64. The block sizes of Shadow-32 and Shadow-64 are 32 and 64 bits, respectively, with key sizes of 64 and 128 bits and round numbers of 16 and 32, respectively.

Encryption algorithm
Shadow comprises three main operations: AND, Rotation, and XOR. Let $(L_0^{i-1}, L_1^{i-1}, R_0^{i-1}, R_1^{i-1})$ be the input state of the $i$th round function, $(L_0^i, L_1^i, R_0^i, R_1^i)$ the corresponding output state, and $key_j^i$ ($0 \le j \le 3$) the subkey words selected from the round subkey $key^i$. The round function of Shadow is depicted in Fig. 1.
From Fig. 1, the round function of Shadow calls f four times, where f is and this operation reduces logic hardware and software consumption.
For the RN-round encryption process of Shadow, the plaintext $P = (L_0^0, L_1^0, R_0^0, R_1^0)$ is divided into four equal-sized blocks. First, the first branch on the left, $L_0^0$, is passed through the $f$ function and the result is XORed with the second branch on the left, $L_1^0$, and the subkey to obtain $P0$. Similarly, the first branch on the right, $R_0^0$, undergoes the same operation with the second branch on the right, $R_1^0$, to obtain $P1$, i.e. $P1 = f(R_0^0) \oplus R_1^0 \oplus key_1^1$. The half-round output $(P0, L_0^0, P1, R_0^0)$ is obtained by swapping the left and right branches separately. Next, $P0$ is passed through the $f$ function and the result is XORed with $L_0^0$ and the subkey $key_2^1$ to obtain the first output branch; similarly, $P1$ undergoes the same operation with $R_0^0$. Notice that there is no data exchange in the last round. The corresponding encryption algorithm is exhibited in Algorithm 1. Since Shadow uses a generalized Feistel structure, the decryption algorithm only needs to use the round subkeys in reverse order compared to the encryption algorithm.

Key schedule
Depending on the block size of Shadow, there are two kinds of round subkey generators, i.e. Generator1 and Generator2. For Shadow-32, the 64-bit primary key $K$ is written as $k_0 \| k_1 \| k_2 \| \dots \| k_{62} \| k_{63}$ and enters Generator1. Generator1 contains three operations, i.e. AddRoundConstant, NX Module and Permutation. First, the AddRoundConstant operation is applied to the 5-bit key segment $k_3 \| k_4 \| k_5 \| k_6 \| k_7$, followed by the NX Module on the 8-bit segment $k_{56} \| k_{57} \| k_{58} \| \dots \| k_{62} \| k_{63}$, and finally the Permutation on the whole 64-bit key. The subkey $K'$ of the first round is thus obtained, where the first 32 bits of $K'$ are partitioned into four equal-sized segments for the round key XOR operation. $K'$ is then fed back into Generator1 to generate the subkeys for each round until the encryption is completed. The specific operation procedure of Generator1 is depicted in Fig. 2.

Fig. 2 The detailed operation procedure of Generator1

Permutation. After the AddRoundConstant and NX Module operations are executed in Generator1, the Permutation is applied to the 64-bit key. As shown in Table 2, $p_i$ denotes the position index before the Permutation, while $p'_i$ denotes the position index after the Permutation.

For Shadow-64, the 128-bit primary key $K$ is written as $k_0 \| k_1 \| k_2 \| \dots \| k_{126} \| k_{127}$ and enters Generator2. Generator2 also contains three operations, i.e. AddRoundConstant, NX Module and Permutation. In Generator2, the round constant $r$ is first expanded into its binary representation $c_0 \| c_1 \| c_2 \| c_3 \| c_4 \| c_5$, which is XORed with the 6-bit key segment $k_2 \| k_3 \| k_4 \| k_5 \| k_6 \| k_7$. Subsequently, the NX Module is applied to the 24-bit segment $k_{104} \| k_{105} \| \dots \| k_{126} \| k_{127}$, followed by the Permutation operation on the 128-bit key. Finally, the subkey $K'$ of the first round is obtained, where the first 64 bits of $K'$ are partitioned into four equal-sized segments for the round key XOR operation. $K'$ is then fed back into Generator2 to derive the round keys until the encryption is completed. The principle of Generator2 is the same as that of Generator1, but with different numbers of bits. The detailed operation procedure of the Permutation is given in Table 3, and the NX Module operates based on the following principle:

Impossible differential cryptanalysis
Impossible differential cryptanalysis is a variant of differential cryptanalysis, proposed independently by Knudsen (1998) and Biham et al. (1999). As opposed to classical differential cryptanalysis, which utilizes a high-probability differential characteristic, impossible differential cryptanalysis utilizes a zero-probability differential characteristic to recover keys. Its basic idea is to exclude wrong keys that lead to a zero-probability difference and then recover the correct key by exhausting the candidate keys. Impossible differential cryptanalysis comprises two phases: the search for impossible differential distinguishers, and key recovery. The key to impossible differential analysis is to find the impossible differential distinguisher covering the largest number of rounds, as a higher number of rounds indicates weaker resistance against impossible differential attacks. The traditional way of searching for impossible differential distinguishers is to describe the propagation of differences through the block cipher, but the propagation of a difference through non-linear components is uncertain, so this approach cannot take into account the details of the non-linear components and the key schedule.
Definition 1 (Block Cipher) Let $\mathbb{F}_2$ be the binary field, and let $\mathbb{F}_2^m$ and $\mathbb{F}_2^t$ be the $m$-dimensional and $t$-dimensional vector spaces over $\mathbb{F}_2$, respectively. If the plaintext $P \in \mathbb{F}_2^m$, the ciphertext $C \in \mathbb{F}_2^m$ and the master key $K \in \mathbb{F}_2^t$, then the iterative block cipher $E_K^m$ with $\mathbb{F}_2^m$ as the plaintext space (and ciphertext space) and $\mathbb{F}_2^t$ as the key space is

Definition 2 (Impossible Differential Distinguisher) For an iterative block cipher $E_K^m$, let $\alpha \in \mathbb{F}_2^m$ be the input difference and $\beta \in \mathbb{F}_2^m$ be the $r$-round output difference. If the differential propagation probability $\Pr(\alpha \to \beta) = 0$, then $\alpha \to \beta$ is an $r$-round impossible differential distinguisher.
Since the input difference can be obtained by XORing two input states, Hu et al. (2020) characterize the propagation of the difference by describing the propagation of two sets of initial states. That is, given two input states $(x_0^0, x_1^0)$, perform $r$-round encryption and obtain two state propagation traces, i.e. $(x_0^0, x_0^1, x_0^2, \dots, x_0^r)$ and $(x_1^0, x_1^1, x_1^2, \dots, x_1^r)$; then by XORing the corresponding states we obtain the input difference and the output difference of each round, i.e. the differential characteristic $(\Delta x^0, \Delta x^1, \dots, \Delta x^r)$. Compared to traditional impossible differential analysis, impossible differential analysis based on the propagation of state not only takes into account the details of the non-linear components but also allows the impact of the key schedule to be considered.
Definition 3 (Impossible Differential Distinguisher Based on the Propagation of State) For an iterative block cipher $\beta$ is an $r$-round impossible differential distinguisher based on the propagation of state.
The following uses an obtained $(r-1)$-round impossible differential distinguisher to recover the $r$-round key. Assuming that $|K|$ bits of key can be obtained by the above attack, each plaintext pair eliminates a fraction $2^{-t}$ of the key information. To ensure that the correct key is uniquely determined, the required number of plaintext pairs $N$ must satisfy When $t$ is relatively large, it gives The above equation shows that, when performing the impossible differential attack, the data complexity is almost independent of the number of guessed key bits; the main effect is the amount of key information that can be eliminated by each plaintext pair.

SAT problem
The Boolean Satisfiability Problem (SAT) is a foundational computational problem in computer science and mathematical logic. It asks whether a given Boolean formula, composed of Boolean variables and logical operators such as AND, OR and NOT, admits an assignment of truth values that satisfies it. STP is a publicly available solver for this problem. Its input is expected to be a file with the ".stp" extension, written in the CVC language. When solving a SAT problem, the first step is to construct a model in the CVC language and save it as a file with the ".stp" extension. The STP solver is then invoked on this file. If STP returns "Valid.", the target problem has no solution; otherwise, it returns a solution of the target problem together with "Invalid.". For more details about the STP solver and the CVC language, refer to https://stp.github.io/.
The following are the CVC terms used in this paper:
1. ASSERT(): the command statement.

Automatic search for impossible differential distinguisher
In this section, we use the SAT method to automatically search for impossible differential distinguishers based on the propagation of the state, and find a full-round impossible differential distinguisher of Shadow-32.

Bit-oriented SAT model based on the propagation of the state
In this subsection, we will demonstrate the process of constructing the SAT model for searching impossible differential distinguishers based on the propagation of the state.
According to Definition 3, the modelling process is composed of two steps: the first step is to describe the propagation of the two sets of states under $r$ rounds of iteration, and the second step is to obtain the input difference and the $r$-round output difference by XORing the two sets of states and to assign them the given values. For the first step, the core is to model the propagation of the state under the basic operations. Since Shadow utilizes ARX operations and is bit-oriented, we use the CVC language to generate statements for the propagation of the state under bit-oriented COPY, bit-oriented AND, bit-oriented Rotation and bit-oriented XOR. For the second step, we use the CVC language to generate statements for the computation of the difference and for the constraints on the difference.
Model 1 (COPY) Let $F$ be a COPY function, where the input state is $x \in \mathbb{F}_2^q$ and the outputs $y_0, y_1, \dots, y_{t-1} \in \mathbb{F}_2^q$ are calculated as $(y_0, y_1, \dots, y_{t-1}) = (x, x, \dots, x)$. In bit-vector form, $x = (x_0, \dots, x_{q-1})$ and $y_i = (y_0^i, y_1^i, \dots, y_{q-1}^i)$, where $x_j, y_j^i \in \mathbb{F}_2$, $0 \le j \le q-1$ and $0 \le i \le t-1$. Then, the propagation of the state under the COPY operation is modelled in CVC format as follows. The COPY operation is usually omitted in practical modelling because the value of the state remains unchanged after the COPY operation.

The search algorithm for impossible differential distinguisher of shadow
In this subsection, we show how to automatically seek impossible differential distinguishers. The automated search method consists of two phases: the statement generation phase and the impossible differential distinguisher search phase. In the statement generation phase, Algorithm 2 automatically generates the statements describing how the input difference $\Delta x^0$ propagates to the $r$-round output difference $\Delta x^r$ with $\Delta x^0 = \alpha$ and $\Delta x^r = \beta$, and saves these statements to a file. In the search phase, Algorithm 3 invokes STP on the file generated by Algorithm 2 to determine whether there is an impossible differential distinguisher, traversing the sets of input differences and output differences that satisfy certain conditions.
We present some specific explanations about Algorithm 2 as follows.
• Lines 4-7. Using the provided propagation rules for each operation, model the propagation of $x_0$ to $x_r$ and of $\hat{x}_0$ to $\hat{x}_r$ by introducing intermediate variables.
• Lines 8-9. Based on the modelling of the computation of the difference and of the constraints on the difference, generate the corresponding statements.
• Lines 10-11. The statements "QUERY(FALSE);" and "COUNTEREXAMPLE;" must be appended at the end of the file, because these two statements are essential when solving a SAT problem with STP. With these two statements added, if STP returns "Valid.", the SAT problem has no solution; otherwise, it returns a solution together with "Invalid.".
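The statement generation step of Algorithm 2 can be made concrete with a small generator. The following Python script is an added example, not the authors' code, and it models a constructed two-branch Feistel toy cipher whose round function $f(R) = ((R \lll r_1)\ \&\ (R \lll r_2)) \oplus (R \lll r_3)$ is a placeholder standing in for Shadow's $f$ (which this page does not reproduce); the variable naming, the bit ordering (index 0 is the most significant bit) and the use of 1-bit BITVECTOR variables are this example's own choices. It follows the modelling rules above: COPY and Rotation are pure re-wirings and produce no statements, bit-oriented AND and XOR become one ASSERT per bit, both traces share the same round-key variables (the single-key model), and the input and output differences are XORs of the two traces constrained to $\alpha$ and $\beta$ before the closing "QUERY(FALSE);" and "COUNTEREXAMPLE;" lines.

```python
# Added example (not the paper's code): emit the CVC statements that
# Algorithm 2 produces, for a constructed toy cipher rather than for Shadow.
# Toy round: two-branch Feistel on n-bit words, (L, R) -> (R, L ^ f(R) ^ k_i),
#   f(R) = ((R <<< r1) & (R <<< r2)) ^ (R <<< r3)     <- placeholder, not Shadow's f
# Both traces ("x" and "xp", the latter playing the role of x^) are modelled bit
# by bit with 1-bit BITVECTOR variables and share the round-key variables.

def rotl_names(bits, r):
    """Left rotation of a list of bit-variable names (index 0 is the MSB).
    Rotation and COPY only re-wire names, so they need no CVC statement."""
    r %= len(bits)
    return bits[r:] + bits[:r]

def const_bits(value, width):
    """MSB-first list of the bits of an integer."""
    return [(value >> (width - 1 - j)) & 1 for j in range(width)]

def generate_cvc_model(n, rounds, alpha, beta, f_rot=(1, 2, 3)):
    """Return CVC text asking: does any (plaintext pair, key) realise the
    differential alpha -> beta over `rounds` rounds?  alpha and beta are
    2n-bit integers (left word in the high bits).  STP answering "Valid."
    means no solution exists, i.e. alpha -> beta is impossible."""
    decls, asserts = [], []

    def declare(prefix, width=n):
        names = [f"{prefix}_{j}" for j in range(width)]
        decls.extend(f"{v} : BITVECTOR(1);" for v in names)
        return names

    round_keys = [declare(f"k{i}") for i in range(rounds)]   # shared: single-key model
    start, end = {}, {}
    for t in ("x", "xp"):
        L, R = declare(f"L{t}0"), declare(f"R{t}0")
        start[t] = L + R
        for i in range(rounds):
            a, b, c = (rotl_names(R, r) for r in f_rot)
            f = declare(f"f{t}{i}")
            for j in range(n):            # bit-oriented AND, then XOR
                asserts.append(f"ASSERT({f[j]} = BVXOR({a[j]} & {b[j]}, {c[j]}));")
            new_R = declare(f"R{t}{i + 1}")
            for j in range(n):            # XOR with the left branch and the key bit
                asserts.append(
                    f"ASSERT({new_R[j]} = BVXOR(BVXOR({L[j]}, {f[j]}), {round_keys[i][j]}));")
            L, R = R, new_R               # Feistel swap is a COPY: no statement
        end[t] = L + R

    def constrain_difference(tag, u, v, value):
        """Difference bits = XOR of the two traces, then fixed to the given value."""
        d = declare(f"d{tag}", 2 * n)
        for j, bit in enumerate(const_bits(value, 2 * n)):
            asserts.append(f"ASSERT({d[j]} = BVXOR({u[j]}, {v[j]}));")
            asserts.append(f"ASSERT({d[j]} = 0bin{bit});")

    constrain_difference("in", start["x"], start["xp"], alpha)
    constrain_difference("out", end["x"], end["xp"], beta)
    return "\n".join(decls + asserts + ["QUERY(FALSE);", "COUNTEREXAMPLE;"]) + "\n"

if __name__ == "__main__":
    # 2-round instance on 4-bit words; solve with:  stp model.stp
    with open("model.stp", "w") as fh:
        fh.write(generate_cvc_model(4, 2, alpha=0x10, beta=0x01))
```

Running `stp model.stp` on the generated file: a reply of "Valid." means that no plaintext pair and key realise $\alpha \to \beta$ over the modelled rounds, i.e. the pair is an impossible differential distinguisher based on the propagation of state; "Invalid." comes with a counterexample assignment that exhibits one pair and key realising it. Sharing the key variables between the two traces is what lets the model take the key schedule into account, as the paper notes for the state-propagation approach.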
From the experimental results, we find that Shadow may have an impossible differential distinguisher for an arbitrary number of rounds, which is proved theoretically in the next section. Since the method is limited by the block size and the number of rounds, we have not conducted experiments on Shadow-64 within the available time and resources, but the next section proves theoretically the existence of an impossible differential distinguisher for an arbitrary number of rounds of Shadow-64.

A proof of impossible differential distinguishers for an arbitrary number of rounds
In this section, we prove that Shadow has a differential property with probability 1 based on the propagation of state, from which we obtain an impossible differential distinguisher for an arbitrary number of rounds of Shadow.

Key recovery attack on full-round Shadow-64
Theorem 3 (N-round Impossible Differential Distinguisher of Shadow-64) In the single-key model, Shadow-64 has an $N$-round impossible differential distinguisher for an arbitrary $N$, i.e.
Next, based on the $N$-round impossible differential distinguisher, we extend it by one round to perform key recovery on $(N+1)$-round Shadow-64. The propagation of differences during key recovery is shown in Fig. 5. The specific key recovery process is as follows.
• Step 1 Let the difference of the plaintext be Define the following plaintext structure where $\alpha_i$ ($1 \le i \le 64$) is a constant. Each plaintext structure forms 2 plaintext pairs. Select $2^n$ plaintext structures, so that there are $2^{n+1}$ plaintext pairs. After $N+1$ rounds of encryption, obtain the corresponding ciphertext pairs $(x^{N+1}, \hat{x}^{N+1})$.
• Step 3 Guess the 32-bit key of the $(N+1)$th round, i.e. $key_2^{N+1}$ and $key_0^{N+1}$. Then decrypt each ciphertext pair from Step 2 by one round and obtain $(\Delta L_0^N, \Delta L_1^N)$. Check whether $\Delta L_0^N = 0100000000000000$ and $\Delta L_1^N = 0000000000000000$ hold; if they do, the guessed key is wrong and is excluded. Repeat the above steps until only the correct key remains.
For Shadow-64, the round number is 32 and $N$ is 31. A full-round impossible differential attack requires $2^{61}$ data complexity, $2^{96}$ 32-round encryptions time complexity and $2^{90}$ 64-bit blocks memory complexity. It is worth noting that simply increasing the number of iterative rounds of Shadow does not make it resist the impossible differential attack.

Summary
In this paper, we focus on the differential property of Shadow and its security against the impossible differential attack. First, we use the SAT method to automatically search for a full-round impossible differential distinguisher of Shadow-32. Then, based on the experimental results, we prove that Shadow has a differential property with probability 1 based on the propagation of state. Further, we present an impossible differential distinguisher of Shadow for an arbitrary number of rounds. Finally, we use a concrete $N$-round impossible differential distinguisher, for arbitrary $N$, to perform key recovery on $(N+1)$-round Shadow-32 and Shadow-64. For Shadow-32, a 16-round full key recovery attack requires $2^{30}$ data complexity, $2^{48}$ 16-round encryptions time complexity and $2^{43}$ 32-bit blocks memory complexity. For Shadow-64, a 32-round full key recovery attack requires $2^{61}$ data complexity, $2^{96}$ 32-round encryptions time complexity and $2^{90}$ 64-bit blocks memory complexity.
Both experimentally and theoretically, our results indicate that Shadow is critically flawed: regardless of the security strength of the internal components and the number of rounds applied, the overall cipher remains vulnerable to the impossible differential attack.

• Find an $(r-1)$-round impossible differential distinguisher $\alpha \to \beta$;
• Select plaintext pairs $(P, \hat{P})$ with $P \oplus \hat{P} = \alpha$, then perform $r$-round encryption and get the ciphertext pairs $(C, \hat{C})$;
• Guess possible values of the $r$-round key $k_r$. For each possible value of $k_r$, decrypt the ciphertexts $C$ and $\hat{C}$ by one round and obtain $(D, \hat{D})$. Check whether $D \oplus \hat{D} = \beta$ holds; if it does, the guessed key is wrong;
• Repeat the above steps until only the correct key remains.
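To make the procedure above concrete, here is an added Python example (not from the paper) on a constructed toy cipher: a 4-round, two-branch Feistel on 8-bit blocks with 4-bit round keys and the PRESENT S-box as its round function. Because the S-box is bijective, the 3-round differential $(\alpha, 0) \to (0, *)$ is impossible: the round-2 right-half difference $S[x] \oplus S[x \oplus \alpha]$ can never be 0, so the left output difference after round 3 is never 0. The example also shows the state-propagation view of Hu et al. (2020) used in section "Impossible differential cryptanalysis": it encrypts two states and XORs the traces to read off $(\Delta x^0, \dots, \Delta x^r)$. The cipher, the S-box choice and the keys are constructed for illustration and are unrelated to Shadow's round function.

```python
# Added example (not from the paper): a toy 8-bit Feistel cipher used to show
# (1) the state-propagation view of a differential (two traces, XORed),
# (2) a provably impossible 3-round differential, and
# (3) the generic key-recovery sieve of the bullet list above.
# Everything here is constructed for illustration; it is not Shadow.
import random

# PRESENT's 4-bit S-box (bijective); any bijective S-box gives the same argument.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def feistel_round(L, R, k):
    """One toy Feistel round on 4-bit halves: (L, R) -> (R, L ^ S[R ^ k])."""
    return R, L ^ SBOX[R ^ k]

def encrypt(L, R, round_keys):
    for k in round_keys:
        L, R = feistel_round(L, R, k)
    return L, R

def decrypt_one_round(L, R, k):
    """Inverse of feistel_round; the attacker applies it to the last round."""
    return R ^ SBOX[L ^ k], L

def difference_trace(L, R, alpha, round_keys):
    """State-propagation view: run the two states (L, R) and (L ^ alpha, R)
    through the cipher and XOR the traces to get (dx^0, dx^1, ..., dx^r)."""
    a, b = (L, R), (L ^ alpha, R)
    trace = [(a[0] ^ b[0], a[1] ^ b[1])]
    for k in round_keys:
        a, b = feistel_round(*a, k), feistel_round(*b, k)
        trace.append((a[0] ^ b[0], a[1] ^ b[1]))
    return trace

def count_distinguisher_violations(alpha, key_triples):
    """Exhaustively check the 3-round impossible differential (alpha, 0) -/-> (0, *)
    over the given 3-round keys and all 256 plaintexts.  Returns the number of
    pairs whose left output difference is 0 (expected: 0)."""
    violations = 0
    for keys in key_triples:
        for p in range(256):
            L, R = p >> 4, p & 0xF
            if encrypt(L, R, keys)[0] == encrypt(L ^ alpha, R, keys)[0]:
                violations += 1
    return violations

def sieve_last_round_key(ciphertext_pairs):
    """Generic impossible-differential key recovery (the bullet list above):
    guess the last round key, peel one round off both ciphertexts, and discard
    any guess that produces the impossible difference (left half 0 after round 3)."""
    candidates = set(range(16))
    for c, c_hat in ciphertext_pairs:
        for k in list(candidates):
            if decrypt_one_round(*c, k)[0] == decrypt_one_round(*c_hat, k)[0]:
                candidates.discard(k)      # impossible under the true key: k is wrong
    return candidates

def attack(master_keys):
    """Chosen-plaintext data: every pair with difference (alpha, 0), for all alpha."""
    pairs = []
    for alpha in range(1, 16):
        for p in range(256):
            L, R = p >> 4, p & 0xF
            if L < (L ^ alpha):            # count each unordered pair once
                pairs.append((encrypt(L, R, master_keys),
                              encrypt(L ^ alpha, R, master_keys)))
    return sieve_last_round_key(pairs)

if __name__ == "__main__":
    keys = [random.randrange(16) for _ in range(4)]   # constructed 4-round key
    print("trace:", difference_trace(0x3, 0x9, 0x5, keys[:3]))
    print("violations:", count_distinguisher_violations(0x5, [keys[:3]]))
    print("true k4:", keys[3], "survivors:", sorted(attack(keys)))
```

Each pair that yields the impossible output difference discards part of the candidate last-round keys; here four difference bits are fixed to 0, so a wrong guess is hit with probability about $2^{-4}$ per pair, which is the $2^{-t}$ elimination rate that drives the data complexity in section "Impossible differential cryptanalysis". The true $k_4$ can never be discarded because the distinguisher holds for every key, and the data set of all pairs with difference $(\alpha, 0)$ over every $\alpha$ typically leaves it as the only survivor.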

Table 1 Analytical results of Shadow-32/

Table 4 The impossible differential distinguisher of Shadow-32 from the 1st to the 16th round and the time consumption