Paper 2020/1133

Security Analysis of Subterranean 2.0

Ling Song
Yi Tu
Danping Shi
Lei Hu
Abstract

Subterranean 2.0 is a cipher suite that can be used for hashing, authenticated encryption, MAC computation, etc. It was designed by Daemen, Massolino, Mehrdad, and Rotella, and has been selected as a candidate in the second round of NIST's lightweight cryptography standardization process. Subterranean 2.0 is a duplex-based construction and utilizes a single-round permutation in the duplex. It is the simplicity of the round function that makes it an attractive target of cryptanalysis. In this paper, we examine the single-round permutation in various phases of Subterranean 2.0 and specify three related attack scenarios that deserve further investigation: keystream biases in the keyed squeezing phase, state collisions in the keyed absorbing phase, and one-round differential analysis in the nonce-misuse setting. To facilitate cryptanalysis in the first two scenarios, we novelly propose a set of size-reduced toy versions of Subterranean 2.0: Subterranean-m. Then we make an observation for the first time on the resemblance between the non-linear layer in the round function of Subterranean 2.0 and SIMON's round function. Inspired by the existing work on SIMON, we propose explicit formulas for computing the exact correlation of linear trails of Subterranean 2.0 and other ciphers utilizing similar non-linear operations. We then construct our models for searching trails to be used in the keystream bias evaluation and state collision attacks. Our results show that most instances of Subterranean-m are secure in the first two attack scenarios but there exist instances that are not. Further, we find a flaw in the designers' reasoning of Subterranean 2.0's linear bias but support the designers' claim that there is no linear bias measurable from at most $2^{96}$ data blocks. Due to the time-consuming search, the security of Subterranean 2.0 against the state collision attack in keyed modes still remains an open question. Finally, we observe that one-round differentials allow to recover state bits in the nonce-misuse setting. By proposing nested one-round differentials, we obtain a sufficient number of state bits, leading to a practical state recovery with only 20 repetitions of the nonce and 88 blocks of data. It is noted that our work does not threaten the security of Subterranean 2.0.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Designs, Codes and Cryptography
Keywords
Subterranean 2.0 permutation-based crypto keystream bias state collision state recovery
Contact author(s)
songling qs @ gmail com
History
2022-09-23: last of 6 revisions
2020-09-21: received
See all versions
Short URL
https://ia.cr/2020/1133
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2020/1133,
      author = {Ling Song and Yi Tu and Danping Shi and Lei Hu},
      title = {Security Analysis of Subterranean 2.0},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1133},
      year = {2020},
      note = {\url{https://eprint.iacr.org/2020/1133}},
      url = {https://eprint.iacr.org/2020/1133}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.