Paper 2019/879

Cube-Based Cryptanalysis of Subterranean-SAE

Fukang Liu, Takanori Isobe, and Willi Meier


Subterranean 2.0 designed by Daemen, Massolino and Rotella is a Round 2 candidate of the NIST Lightweight Cryptography Standardization process. In the official document of Subterranean 2.0, the designers have analyzed the state collisions in unkeyed absorbing by reducing the number of rounds to absorb the message from 2 to 1. However, little cryptanalysis of the authenticated encryption scheme Subterranean-SAE is made. For Subterranean-SAE, the designers introduce 8 blank rounds to separate the controllable input and output, and expect that 8 blank rounds can achieve a sufficient diffusion. Therefore, it is meaningful to investigate the security by reducing the number of blank rounds. Moreover, the designers make no security claim but expect a non-trivial effort to achieve full-state recovery in a nonce-misuse scenario. In this paper, we present the first practical full-state recovery attack in a nonce-misuse scenario with data complexity of $2^{13}$ 32-bit blocks. In addition, in a nonce-respecting scenario and if the number of blank rounds is reduced to 4, we can mount a key-recovery attack with $2^{122}$ calls to the internal permutation of Subterranean-SAE and $2^{69.5}$ 32-bit blocks. A distinguishing attack with $2^{33}$ calls to the internal permutation of Subterranean-SAE and $2^{33}$ 32-bit blocks is achieved as well. Our cryptanalysis does not threaten the security claim for Subterranean-SAE and we hope it can enhance the understanding of Subterranean-SAE.

Note: 1. Provide more quadratic boolean equations in the state recovery attack. 2. Correct some editorial errors.

Available format(s)
Secret-key cryptography
Publication info
Published by the IACR in FSE 2020
AEADSubterranean 2.0full-state recoverydistinguishing attackkey recoveryconditional cube tester
Contact author(s)
liufukangs @ 163 com
takanori isobe @ ai u-hyogo ac jp
willi meier @ fhnw ch
2019-11-22: last of 6 revisions
2019-08-01: received
See all versions
Short URL
Creative Commons Attribution


      author = {Fukang Liu and Takanori Isobe and Willi Meier},
      title = {Cube-Based Cryptanalysis of Subterranean-SAE},
      howpublished = {Cryptology ePrint Archive, Paper 2019/879},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.