Security analysis of Subterranean 2.0

Abstract Subterranean 2.0 is a cipher suite that can be used for hashing, authenticated encryption, MAC computation, etc. It was designed by Daemen, Massolino, Mehrdad, and Rotella, has been selected as candidate in the second round of NIST’s lightweight cryptography standardization process. duplex-based construction utilizes single-round permutation duplex. simplicity function makes it an attractive target cryptanalysis. In this paper, we examine various phases specify three related attack scenarios deserve further investigation: keystream biases keyed squeezing phase, state collisions absorbing one-round differential analysis nonce-misuse setting. To facilitate cryptanalysis first two scenarios, novelly propose set size-reduced toy versions 2.0: Subterranean-m. Then make observation time on resemblance between non-linear layer SIMON’s function. Inspired existing work SIMON, explicit formulas computing exact correlation linear trails other ciphers utilizing similar operations. We then construct our models searching to bias evaluation collision attacks. Our results show most instances Subterranean-m are secure but there exist not. Further, find flaw designers’ reasoning 2.0’s support claim no measurable from at $$2^{96}$$ 2 96 data blocks. Due time-consuming search, security against modes still remains open question. Finally, observe differentials allow recover bits By proposing nested differentials, obtain sufficient number bits, leading practical recovery with only 20 repetitions nonce 88 blocks data. noted does not threaten 2.0.