关键词: Shadow算法, 轻量级分组密码, 差分特征, 线性特征, 密钥恢复

Abstract: As the Radio Frequency Identification (RFID) and wireless sensors become increasingly common, the need to secure data transmitted and processed by such devices with limited resources has led to the emergence and growth of lightweight cryptography. Characterized by their small key sizes and limited number of encryption rounds, lightweight ciphers demand precise security evaluations before being put into service. The differential and linear characteristic of full-round Shadow algorithm was analyzed for lightweight cryptographic security requirements. Firstly, a concept of quadratic difference was proposed, which describes the differential characteristic more clearly. Secondly, the existence of a full-round differential characteristic with probability 1 for the algorithm was proved, followed by experimental verification of its correctness. Next, a full-round linear characteristic was provided. After that, the theorem that, given a set of Shadow-32 (Shadow-64) plain ciphertexts, it is possible to obtain 8 (16) bits of key information was proved and experimentally verified for its correctness. Furthermore, based on the linear equation relationship between plaintexts, ciphertexts, and round keys, the number of quadratic equations and independent variables of the Boolean function were estimated. Then, the computational complexity of solving the initial key was calculated to be 2^64. Finally, the structural features of the Shadow were summarized, and the focus of future research was provided. Differential and linear characteristic analysis of full-round Shadow algorithm will be insightful for the differential and linear analysis of other lightweight ciphers.

Key words: Shadow algorithm, lightweight block cipher, differential characteristic, linear characteristic, key recovery