## Cryptology ePrint Archive: Report 2019/879

Cube-Based Cryptanalysis of Subterranean-SAE

Fukang Liu and Takanori Isobe and Willi Meier

Abstract: Subterranean 2.0 designed by Daemen, Massolino and Rotella is a Round 2 candidate of the NIST Lightweight Cryptography Standardization process. In the official document of Subterranean 2.0, the designers have analyzed the state collisions in unkeyed absorbing by reducing the number of rounds to absorb the message from 2 to 1. However, little cryptanalysis of the authenticated encryption scheme Subterranean-SAE is made. For Subterranean-SAE, the designers introduce 8 blank rounds to separate the controllable input and output, and expect that 8 blank rounds can achieve a sufficient diffusion. Therefore, it is meaningful to investigate the security by reducing the number of blank rounds. Moreover, the designers make no security claim but expect a non-trivial effort to achieve full-state recovery in a nonce-misuse scenario. In this paper, we present the first practical full-state recovery attack in a nonce-misuse scenario with data complexity of $2^{13}$ 32-bit blocks. In addition, in a nonce-respecting scenario and if the number of blank rounds is reduced to 4, we can mount a key-recovery attack with $2^{122}$ calls to the internal permutation of Subterranean-SAE and $2^{69.5}$ 32-bit blocks. A distinguishing attack with $2^{33}$ calls to the internal permutation of Subterranean-SAE and $2^{33}$ 32-bit blocks is achieved as well. Our cryptanalysis does not threaten the security claim for Subterranean-SAE and we hope it can enhance the understanding of Subterranean-SAE.

Category / Keywords: secret-key cryptography / AEAD, Subterranean 2.0, full-state recovery, distinguishing attack, key recovery, conditional cube tester

Original Publication (in the same form): IACR-FSE-2020

Date: received 30 Jul 2019, last revised 21 Nov 2019

Contact author: liufukangs at 163 com,takanori isobe@ai u-hyogo ac jp,willi meier@fhnw ch

Available format(s): PDF | BibTeX Citation

Note: 1. Provide more quadratic boolean equations in the state recovery attack. 2. Correct some editorial errors.

Short URL: ia.cr/2019/879

[ Cryptology ePrint archive ]