TY - JOUR
T1 - Redefining Security in Shadow Cipher for IoT Nodes
T2 - New Full-Round Practical Distinguisher and the Infeasibility of Key-Recovery Attacks
AU - Kim, Sunyeop
AU - Shin, Myoungsu
AU - Kim, Seonkyu
AU - Shin, Hanbeom
AU - Kim, Insung
AU - Kwon, Donggeun
AU - Lee, Dongjae
AU - Kim, Seonggyeom
AU - Hong, Deukjo
AU - Sung, Jaechul
AU - Hong, Seokhie
N1 - Publisher Copyright:
© 2014 IEEE.
PY - 2024
Y1 - 2024
N2 - Shadow is a block cipher for IoT nodes proposed in the IEEE IoT Journal in 2021. The primary design principle of Shadow is the adoption of a variant 4-branch Feistel structure to ensure fast diffusion. We refer to this structure as the Shadow structure and prove that it is almost identical to the Feistel structure, which invalidates the design principle. We also present a new structural distinguisher that can distinguish the Shadow structure from a random permutation with only two plaintext/ciphertext pairs. Additionally, we demonstrate that the key-recovery attacks utilizing the impossible differential proposed by Liu et al. in the Cybersecurity Journal in 2023 and the integral characteristic proposed by Mirzaie et al. in the IEEE IoT Journal are infeasible. Instead, we extend our distinguisher to a key-recovery attack using only one plaintext/ciphertext pair by exploiting the key schedule. Moreover, upon investigating Shadow's round function, we observe that only specific forms of monomials can appear in the ciphertext, leading to an integral distinguisher involving four plaintext/ciphertext pairs. Notably, the algebraic degree does not exceed 12 for Shadow-32 and 20 for Shadow-64, regardless of the number of rounds used. Our results show that Shadow is highly vulnerable to algebraic attacks, emphasizing the need for careful consideration of algebraic attacks when incorporating AND, rotation, and XOR operations in cipher design.
AB - Shadow is a block cipher for IoT nodes proposed in the IEEE IoT Journal in 2021. The primary design principle of Shadow is the adoption of a variant 4-branch Feistel structure to ensure fast diffusion. We refer to this structure as the Shadow structure and prove that it is almost identical to the Feistel structure, which invalidates the design principle. We also present a new structural distinguisher that can distinguish the Shadow structure from a random permutation with only two plaintext/ciphertext pairs. Additionally, we demonstrate that the key-recovery attacks utilizing the impossible differential proposed by Liu et al. in the Cybersecurity Journal in 2023 and the integral characteristic proposed by Mirzaie et al. in the IEEE IoT Journal are infeasible. Instead, we extend our distinguisher to a key-recovery attack using only one plaintext/ciphertext pair by exploiting the key schedule. Moreover, upon investigating Shadow's round function, we observe that only specific forms of monomials can appear in the ciphertext, leading to an integral distinguisher involving four plaintext/ciphertext pairs. Notably, the algebraic degree does not exceed 12 for Shadow-32 and 20 for Shadow-64, regardless of the number of rounds used. Our results show that Shadow is highly vulnerable to algebraic attacks, emphasizing the need for careful consideration of algebraic attacks when incorporating AND, rotation, and XOR operations in cipher design.
KW - algebraic attack
KW - Block cipher
KW - cube attack
UR - http://www.scopus.com/inward/record.url?scp=85208654515&partnerID=8YFLogxK
U2 - 10.1109/JIOT.2024.3491138
DO - 10.1109/JIOT.2024.3491138
M3 - Article
AN - SCOPUS:85208654515
SN - 2327-4662
JO - IEEE Internet of Things Journal
JF - IEEE Internet of Things Journal
ER -