Abstract

Subterranean 2.0, designed by Daemen, Massolino and Rotella, is a Round 2 candidate of the NIST Lightweight Cryptography Standardization process. In the official document of Subterranean 2.0, the designers analyzed state collisions in unkeyed absorbing by reducing the number of rounds used to absorb the message from 2 to 1. However, little cryptanalysis of the authenticated encryption scheme Subterranean-SAE has been carried out. For Subterranean-SAE, the designers introduce 8 blank rounds to separate the controllable input and output, and expect that 8 blank rounds achieve sufficient diffusion. Therefore, it is meaningful to investigate the security when the number of blank rounds is reduced. Moreover, the designers make no security claim in the nonce-misuse setting but expect a non-trivial effort to be required for full-state recovery in a nonce-misuse scenario. In this paper, we present the first practical full-state recovery attack in a nonce-misuse scenario, with data complexity of 2^13 32-bit blocks. In addition, in a nonce-respecting scenario and with the number of blank rounds reduced to 4, we mount a key-recovery attack with 2^122 calls to the internal permutation of Subterranean-SAE and 2^69.5 32-bit blocks. A distinguishing attack with 2^33 calls to the internal permutation of Subterranean-SAE and 2^33 32-bit blocks is achieved as well. Our cryptanalysis does not threaten the security claim for Subterranean-SAE, and we hope it can enhance the understanding of Subterranean-SAE.

Highlights

  • As lightweight cryptographic primitives are becoming more and more important in industry, the National Institute of Standards and Technology (NIST) started a public lightweight cryptography project as early as 2013 and initiated the call for submissions in 2018, with the hope of selecting a lightweight cryptographic standard by combining the efforts of both academia and industry. In this paper, our target is the primitive Subterranean 2.0 [DMR19] designed by Daemen, Massolino and Rotella, which has been selected by NIST for the second round.

  • We make the first effort to achieve full-state recovery in a nonce-misuse scenario with a practical time complexity and data complexity 2^13.

  • To investigate the security provided by the number of blank rounds, we consider the reduced variant of Subterranean-SAE obtained by reducing the number of blank rounds from 8 to 4.

Summary

Introduction

We observe that the designers of Subterranean 2.0 only investigated the security against state collisions in unkeyed absorbing by reducing the number of rounds used to absorb the message from 2 to 1. For the full-state recovery attack, our four types of conditional cube tester are used to recover some secret state bits. For the distinguishing attack, we found 33 cube variables and used them to construct a cube tester for reduced Subterranean-SAE with practical time complexity 2^33 when the number of blank rounds is reduced to 4. The second step is to use a guess-and-determine technique to recover the full key. In this way, we achieve a key-recovery attack with time complexity 2^122 and data complexity 2^69.5.

Preliminaries
The Subterranean-SAE Authenticated Encryption Scheme
Cube Tester
Conditional Cube Tester
Our Conditional Cube Tester
Overview
Additional Constraint
Determining Parameters for Conditional Cube Tester
TYPE-I Conditional Cube Tester
TYPE-II Conditional Cube Tester
TYPE-III Conditional Cube Tester
Tracing Propagation of Cube Variables
Searching Cube Variables for TYPE-I Conditional Cube Tester
Searching Cube Variables for TYPE-II Conditional Cube Tester
Searching Cube Variables for TYPE-III Conditional Cube Tester
Searching Cube Variables for TYPE-IV Conditional Cube Tester
Experimental Verification
Recovering the Full State
Computing the Remaining Unknown Secret Bits of M S1in
Recovering the Secret Key
Distinguisher for 4-Blank-Round Subterranean-SAE
Key-Recovery for 4-Blank-Round Subterranean-SAE
Complexity Evaluation
Conclusion
A Extra Quadratic Boolean Equations
B Tables and Algorithm