Single-Key Attack on Full-Round Shadow Designed for IoT Nodes
Authors: Yuhan Zhang, Wenling Wu, Lei Zhang, Yafei Zheng
Journal: IEEE Transactions on Computers, vol. 73, no. 12, pp. 2776-2790
Publication date: 2024-08-23 (Journal Article)
DOI: 10.1109/TC.2024.3449040
URL: https://ieeexplore.ieee.org/document/10644109/
Abstract
With the rapid advancement of the Internet of Things (IoT), many innovative lightweight block ciphers have been introduced to meet the stringent security demands of IoT devices. Among these, the Shadow cipher stands out for its compactness, making it particularly well-suited for deployment in resource-constrained IoT nodes (IEEE Internet of Things Journal, 2021). This paper demonstrates two real-time attacks on Shadow for the first time: real-time plaintext recovery and key recovery. Firstly, numerous properties of Shadow are discussed, illustrating an equivalent representation of the two-round Shadow and the relationship between the round keys. Secondly, we introduce multiple two-round iterative linear approximations. Employing these approximations enables the derivation of full-round linear distinguishers. Moreover, we have uncovered numerous linear relationships between plaintext and ciphertext. Real-time plaintext recovery is achievable based on these established relationships. On average, it takes 5 seconds to recover the plaintext for a fixed ciphertext of Shadow-32. Thirdly, many properties of difference propagation through the SIMON-like function are illustrated. According to these properties, various differential distinguishers up to full rounds are presented, allowing real-time key recovery. Specifically, the 64-bit master key of Shadow-32 can be retrieved in around two days on average. Experiments verify all our results.
Journal description:
The IEEE Transactions on Computers is a monthly publication with a wide distribution to researchers, developers, technical managers, and educators in the computer field. It publishes papers on research in areas of current interest to the readers. These areas include, but are not limited to, the following: a) computer organizations and architectures; b) operating systems, software systems, and communication protocols; c) real-time systems and embedded systems; d) digital devices, computer components, and interconnection networks; e) specification, design, prototyping, and testing methods and tools; f) performance, fault tolerance, reliability, security, and testability; g) case studies and experimental and theoretical evaluations; and h) new and important applications and trends.