MILP-based differential cryptanalysis on full-round shadow

Abstract

Shadow (Guo et al., 2021) is a lightweight block cipher based on a new logical combination method of AND-RX operation and the generalized Feistel structure with high diffusion and excellent performance in hardware implementation. In this paper, the components and structure of Shadow cipher are researched, and based on MILP automatic search algorithms for differential trails the 2-round iterative differential characteristics are obtained, then the full-round differential characteristics of both Shadow-32 and Shadow-64 are given. Moreover, targeting Shadow-32, we conduct 32-bit round-key recovery attack by using four 13.5-round differential trails, and the experimental verification shows that the time complexity is 226.02 and space complexity is 214.1. Recovering the 64 master key bits need to solve a system of multivariate equations over F2 with the time complexity more than 250.69. For Shadow-64, the process of recovering the master key is similar. Finally, we analyze the reasons for the insecurity of the Shadow cipher that may help to improve the cryptographic performance of the Shadow or provide help for a new block cipher design.