Security analysis of Subterranean 2.0

Abstract

Subterranean 2.0 is a cipher suite that can be used for hashing, authenticated encryption, MAC computation, etc. It was designed by Daemen, Massolino, Mehrdad, and Rotella, and has been selected as a candidate in the second round of NIST’s lightweight cryptography standardization process. Subterranean 2.0 is a duplex-based construction and utilizes a single-round permutation in the duplex. It is the simplicity of the round function that makes it an attractive target of cryptanalysis. In this paper, we examine the single-round permutation in various phases of Subterranean 2.0 and specify three related attack scenarios that deserve further investigation: keystream biases in the keyed squeezing phase, state collisions in the keyed absorbing phase, and one-round differential analysis in the nonce-misuse setting. To facilitate cryptanalysis in the first two scenarios, we novelly propose a set of size-reduced toy versions of Subterranean 2.0: Subterranean-m. Then we make an observation for the first time on the resemblance between the non-linear layer in the round function of Subterranean 2.0 and SIMON’s round function. Inspired by the existing work on SIMON, we propose explicit formulas for computing the exact correlation of linear trails of Subterranean 2.0 and other ciphers utilizing similar non-linear operations. We then construct our models for searching trails to be used in the keystream bias evaluation and state collision attacks. Our results show that most instances of Subterranean-m are secure in the first two attack scenarios but there exist instances that are not. Further, we find a flaw in the designers’ reasoning of Subterranean 2.0’s linear bias but support the designers’ claim that there is no linear bias measurable from at most \(2^{96}\) data blocks. Due to the time-consuming search, the security of Subterranean 2.0 against the state collision attack in keyed modes still remains an open question. Finally, we observe that one-round differentials allow to recover state bits in the nonce-misuse setting. By proposing nested one-round differentials, we obtain a sufficient number of state bits, leading to a practical state recovery with only 20 repetitions of the nonce and 88 blocks of data. It is noted that our work does not threaten the security of Subterranean 2.0.

1 Introduction

The deployment of small computing devices such as RFID tags, microcontrollers, sensor nodes, and smart cards is becoming more and more common. Alongside this, the need for lightweight cryptography that aims to provide security solutions tailored for such resource-constrained devices is increasing. In 2013, the National Institute of Standards and Technology (NIST) initiated a public process to solicit, evaluate, and standardize lightweight authenticated encryption and hashing schemes that are suitable for use in constrained environments, i.e. the so-called LWC competitions [16]. In 2018, a call for submissions was launched and 57 submissions were received in 2019, among which 56 and 32 submissions were selected in the first and second rounds respectively. At the current stage, public evaluations of the candidates are strongly encouraged.

Subterranean 2.0 [8, 9] is a cipher suite that can be used for hashing, authenticated encryption, MAC computation, and stream encryption, etc. It was designed by Daemen, Massolino, Mehrdad, and Rotella and has been selected by NIST as a candidate for the second round of LWC competition. Subterranean 2.0 shares features with its predecessor Subterranean [6] which can be seen as a precursor to the Sponge construction [4]. The features of Subterranean 2.0 are summarized below.

Prime-sized state:

Subterranean 2.0 operates on a state of 257 bits which is small but still supports both hashing and authenticated encryption. It offers a security strength of 128 bits in keyed modes and 112 bits in unkeyed mode. In authenticated encryption where a nonce is used, the nonce should not repeat.

Duplex-based construction:

The duplex [3] plays a core role in Subterranean 2.0. On top of it, three functions were built, namely, Subterranean-XOF, Subterranean-deck, and Subterranean-SAE, where the latter two are keyed functions. The duplex absorbs/squeezes 32-bit blocks in keyed modes and 8-bit blocks in unkeyed mode.

Single-round permutation:

In the duplex, a lightweight single-round permutation is used. The round function operates at bit level and has algebraic degree 2. It has a minimum of substructures and ultimate weak alignment which prevents large classes of attacks.

Blank rounds used:

Between different phases, 8 blank rounds are used to prevent measurable characteristics between the controllable input and output.

Efficient hardware implementation:

Subterranean 2.0 is designed for hardware and offers a good option for environments that require lightweight crypto in hardware with high throughput requirements. Besides, it is very suitable for protection against differential power analysis such as masking and threshold implementations.

Due to the extremely simple round function, Subterranean 2.0 is an attractive target for cryptanalysis. In the design specification [8], the designers mainly investigated the security of state collisions in unkeyed absorbing and differential/linear properties of a multiple-round permutation. As a complement, Liu et al. [13] conducted cube-based cryptanalysis of Subterranean-SAE by exploiting the low algebraic degree of the round function. They showed that when the number of blank rounds is reduced to 4, one can mount a state recovery attack. Moreover, in the nonce-misuse setting the state recovery attack becomes practical using \(2^{13}\) blocks of data.

With respect to the simple single-round permutation of Subterranean 2.0, there are interesting attacks in different phases. Below, we list three related attacks in keyed modes that deserve further investigation.

1. 1.

   Linear bias of output blocks in keyed squeezing phase. It is claimed in the specification [8] that there is probably no linear bias over four or less output blocks of Subterranean 2.0 and that there is no bias measurable from \(2^{96}\) data blocks or less. Any analytical results that approve or disapprove of these claims can help understand the security of Subterranean 2.0.

2. 2.

   State collisions in keyed absorbing phase. In keyed modes, state collisions may lead to attacks like forgeries. However, security analysis of Subterranean 2.0 against such attacks is missing from the literature.

3. 3.

   One-round differential analysis of Subterranean-SAE in the message processing phase. In the phase of processing the message, when a duplex call is invoked, an output block is squeezed and an input block absorbed before and after the single-round permutation, respectively. In the case where nonce repeats, one-round differentials can be observed over successive calls of duplex. It is not clear how far an attack can go by exploiting one-round differentials.

1.1 Our contribution

In this paper, we examine the security of Subterranean 2.0 in the above three attack scenarios regarding its single-round permutation. In order to investigate the bias of keystreams and the state collision attack, it requires to find useful linear and differential trails under certain constraints. When carrying out differential/linear analysis of Subterranean 2.0, we face two challenges. The first is that the permutation has only one round and thus cannot be scaled down through the most common way of reducing the number of rounds for facilitating the differential/linear analysis. The other is the “dependency” issue that cannot be avoided either in differential analysis or linear analysis. The round function of Subterranean 2.0 exploits logic AND of neighbouring bits in the non-linear layer. Namely, state bits \(s_{i-1},s_i\) are fed into one AND operation and \(s_{i},s_{i+1}\) into another. These AND operations are dependent as neighbouring AND operations share an input bit. Consequently, the AND operations cannot be treated independently in differential/linear analysis. Such dependency makes it difficult to precisely evaluate the security of Subterranean 2.0 against linear attacks and state collision attacks.

In this paper, we use the following techniques to tackle these two challenges.

• We novelly propose a set of toy versions of Subterranean 2.0 with reduced state size. At first glance, Subterranean 2.0 can be weakened by increasing the rate. However, it cannot be done without changing the extraction function. Therefore, a better way seems to reduce the state size. Concretely, we choose a smaller prime number 97, adapt other parameters accordingly, and let the factor d used in the round function (see Sect. 2.2) be all possible values. Then we have a set of toy versions: Subterranean-m(d) which have much smaller state size and key size but share the same design with the original cipher.

• For the first time in the literature, we observe that the non-linear layer of the round function of Subterranean 2.0 can be represented by a SIMON-like function. SIMON [2] is a family of lightweight block ciphers and has been extensively analysed since its publication, such as differential/linear analyses in [12]. Inspired by the existing work on SIMON, we propose explicit formulas for computing the exact correlation of linear trails of Subterranean 2.0 and other ciphers utilizing AND operations. We then build our models for handling the dependency issue, as well as searching optimal differential/linear trails of Subterranean 2.0.

Applying our models to Subterranean 2.0 and Subterranean-m, we obtain the following results.

• For most values of d, Subterranean-m resists the linear attack and the state collision attack. However, there exist two instances of Subterranean-m(d) which do not resist the linear attack and the state collision attack respectively. This means different values of d are not equally good.

• There does exist linear bias over four or three output blocks for Subterranean 2.0 and Subterranean-m. Our work helps to find a flaw in the designers’ reasoning of Subterranean 2.0’s linear biases.

• Our experiments support the designers’ claim that there is no bias measurable from \(2^{96}\) data blocks or less.

Due to the time-consuming search, the security of Subterranean 2.0 against the state collision attack in keyed modes still remains an open question.

Finally, we exploit the one-round differentials to recover the state in the nonce-misuse setting. If the nonce repeats, one-round differentials observed in the message processing phase of Subterranean-SAE will leak some bits of the state due to the algebraic degree 2 of the round function. Further, we find out that ordinary one-round differentials can recover 41 bits at most. To enlarge the number of state bits that can be recovered, we propose nested one-round differentials where an one-round differential is prepended to another in a delicate way. As a result, a sufficient number of state bits can be recovered, which leads to a full state recovery and further a key recovery. The attack is practical and takes only 20 repetitions of the nonce and 88 blocks of data, which is much lower than the data complexity of the attack in [13] by Liu, Isobe and Meier. Our analysis shows that Subterranean-like constructions with a quadratic single-round permutation must be used carefully in practice since the security crashes without nonce uniqueness.

1.2 Organization

The rest of the paper is organized as follows. Basic notations, the design of Subterranean 2.0 and a set of toy versions are introduced in Sect. 2. Section 3 highlights several properties of Subterranean 2.0 and the relation to three attack scenarios: keystream biases, state collisions, and state recovery in the nonce-misuse setting. Linear attacks and state collisions in the keyed modes are investigated in Sect. 4. Section 5 presents a state recovery attack utilizing one-round differentials in the nonce-misuse setting. Finally, we conclude the paper in Sect. 6.

2 Notations and specification of Subterranean 2.0

In this section, we start by giving our notations and then briefly introduce Subterranean 2.0, including its round function, the duplex object and two keyed members: Subterranean-deck and Subterranean-SAE. To facilitate cryptanalysis of Subterranean 2.0, we introduce a set of toy versions: Subterranean-m(d). For more details of Subterranean 2.0, we refer the interested reader to the official specification [8].

2.1 Notations

b :

The size of the state

d :

The factor used in \(\pi \) of the round function

\(\overline{M}\) :

The string M padded to 33 bits with 10*

\(\varDelta X\) :

The difference of X where X may be the state or the input/output block

\(\varDelta X^t_i\) :

The difference of the i-th bit of X at time t

\(\ggg \) :

Cyclic right shift

\(\lll \) :

Cyclic left shift

\(|\cdot |\) :

The length in bits

||:

Concatenation of bit strings

2.2 Round function

The round function R operates on a b-bit state and consists of four bit-oriented steps: \(R=\pi \circ \theta \circ \iota \circ \chi \). Let s denote the state and \(s_i\) the i-th bit of s. Then for all \(0\le i < b\),

$$\begin{aligned} \chi&:~ s_i\leftarrow s_i + (s_{i+1} + 1)\cdot s_{i+2},\\ \iota&:~ s_0\leftarrow s_0+ 1,\\ \theta&:~ s_i\leftarrow s_i + s_{i+3} + s_{i+8},\\ \pi&:~ s_i\leftarrow s_{d\times i}. \end{aligned}$$

Here the addition and multiplication of state bits are in \(\mathbb {F}_2\) and expressions in the indices are taken modulo b. In Subterranean 2.0, \(b=257, d = 12\).

2.3 Duplex object and two keyed functions

2.3.1 Duplex object

The Subterranean 2.0 suite is built upon a duplex object which is displayed in Fig. 1. The duplex uses a single-round permutation, i.e. R, and has two functions: the duplex call and the output extraction, the latter of which is optional. The duplex call applies the round function R and absorbs a string M of at most 32 bits. Before adding the string to the internal state, the string is padded to 33 bits with 10*. The 33 bits are then injected into the state \(s_{12^{4i}}, 0\le i<33\). Namely, the injection rate is 33 bits. Before the duplex call, one may extract 32 bits from the state, each of which is the sum of two state bits:

$$\begin{aligned} Z_i=s_{12^{4i}} + s_{-12^{4i}}, \end{aligned}$$

for all \(0\le i<32\). The details of indices used for injection and extraction are shown in Table 1.

When the input is an empty string, the combination of the round function and the injection is denoted as \(R_{\epsilon }\) for convenience in the figures.

Table 1 Indices used for injection and extraction

2.3.2 Subterranean-deck and Subterranean-SAE

The Subterranean 2.0 suite has three functions: Subterranean-XOF, Subterranean-deck and Subterranean-SAE. Subterranean-XOF is designed to be used for unkeyed hashing, while Subterranean-deck and Subterranean-SAE are keyed functions. In this paper, we focus on the latter two.

Subterranean-deck takes as input an arbitrary-length key, typically of 128 bits, and a sequence of arbitrary-length strings and returns a bit string of arbitrary length, as shown in Fig. 2. Hence, it can be used as a stream cipher, a MAC function or for key derivation. Subterranean-SAE, depicted in Fig. 3, is designed for authenticated encryption. Below, a detailed description of Subterranean-SAE is given. With the description of Subterranean-SAE in mind, it requires little extra effort to follow the working procedures of Subterranean-deck.

Fig. 1

Duplex object

Fig. 2

Subterranean-deck

Fig. 3

Subterranean-SAE

The input of Subterranean-SAE contains a 128-bit key, a 128-bit nonce N, an associated data (AD) A which is optional, and a message M. The output is composed of the ciphertext and a 128-bit tag T.

Processing the key:

At first, the state is initialized with 0. The 128-bit key is split into four 32-bit blocks \(K^1\), \(K^2\), \(K^3\), \(K^4\) and one empty block \(\epsilon \), as the last block should be strictly shorter than 32 bits. Each block is padded with 10* and the first four padded blocks are denoted by \(\overline{K}^1\), \(\overline{K}^2\), \(\overline{K}^3\), and \(\overline{K}^4\). The whole five blocks are then absorbed one by one through the duplex call.

Processing the nonce:

The nonce is split into 32-bit blocks with the last block being shorter than 32 bits. Pad each block with 10* and sequentially inject the padded blocks into the state in a series of duplex calls.

Processing the AD:

Invoke the duplex eight times, each with an empty message \(\epsilon \) absorbed. Then absorb the AD in the same way as processing the nonce.

Processing the message:

The message is split into 32-bit blocks with the last block being shorter than 32 bits. Pad each block with 10*. Process message blocks one after another by the following steps: extract 32 output bits, invoke the duplex call to absorb a padded message block and XOR the message block with the extracted output to get the ciphertext block.

Finalization:

Invoke the duplex eight times, each with an empty message \(\epsilon \) absorbed. Then invoke the duplex another four times, before each of which a 32-bit output is squeezed. Concatenate the four 32-bit output blocks to form the 128-bit tag.

2.4 Toy versions

To facilitate cryptanalysis, we scale down Subterranean 2.0 and define size-reduced versions. Subterranean 2.0 uses a prime-sized state to avoid the existence of exploitable symmetries. Therefore, the state size b of a toy cipher also needs to be prime but smaller than 257. Besides, the factor d used in the \(\pi \) step should have a large order in \(\mathbb {Z}^*_{b}\) and the order should be a multiple of 8 if the same extraction function \(Z_i=s_{d^{4i}} + s_{-d^{4i}}\) is used. With these in mind, we choose a prime 97¹ and let d be a generator of \(\mathbb {Z}^*_{97}\). In total, there are 32 generators of \(\mathbb {Z}^*_{97}\). In addition, the ratio of the extraction rate to the state size should remain close. As \(\frac{32}{257}\times 97 \approx 12\), we set the extraction rate of the toy ciphers to 12. Then we have a set of toy ciphers: Subterranean-m(d) whose parameters are summarized in Table 2. It turns out that the algebraic properties of \(\theta \) step remain with the new size of state, as shown in Appendix A.

Table 2 Subterranean 2.0 and its toy versions

3 Properties of Subterranean 2.0 and three attack scenarios

In this section, we highlight several important properties of Subterranean 2.0 and relate them to three attack scenarios.

Subterranean 2.0 is a duplex-based construction and uses bit-oriented operations that allow good performance in hardware implementation. Besides, the following properties are interesting in the attacker’s point of view.

Property 1:

Subterranean 2.0 employs an extremely simple permutation in the duplex call. The permutation has only one round and the round function has algebraic degree only 2. Additionally, the round function operates at bit level and allows a minimum of sub-structures by using a prime-sized state. That is to say, the round function is of weak alignment [7].

Property 2:

Subterranean 2.0 squeezes output blocks in a way similar to a stream cipher. Specifically, it outputs 32 bits as the keystream iteratively before each duplex call. Note that the keystreams can be known in the known-message model.

Property 3:

Subterranean-SAE processes the nonce with multiple duplex calls. Subterranean-SAE does not load the nonce into its initial state. Because of its small state size, Subterranean-SAE has to absorb the nonce with multiple duplex calls and the number of the duplex calls is 5.

3.1 Attack scenario 1: keystream biases

When considering Property 1 and Property 2 together, one may ask: are the keystreams truly random? One possible way to distinguish keystreams of a cipher from a random sequence is to utilize linear biases. Recently, exploitable biases using linear combinations of output bits were found in the authenticated encryption schemes MORUS [1, 18] and AEGIS [15]. It is important to known if this will happen to Subterranean 2.0.

Fig. 4

Linear trails for keystream bias evaluation

To investigate the bias of keystreams, it is to find a sequence of linear masks \((\lambda _0,\ldots ,\lambda _n)\) for the output blocks \(Z^i\), as illustrated in Fig. 4, such that

$$\begin{aligned} f=\sum _{i=0}^n \lambda _iZ^i \end{aligned}$$

is biased, i.e. the bias

$$\begin{aligned} \epsilon =\Pr (f=0)-\frac{1}{2}, \end{aligned}$$

or the correlation

$$\begin{aligned} Cor(f)=\Pr (f=0)-\Pr (f=1)=2\epsilon \end{aligned}$$

is different from zero. To detect a bias with given correlation C, one needs about \(C^{-2}\) data [14]. Therefore, if a sequence of masks can be found such that \((Cor(f))^{-2}\) is smaller than the data limit, then the cipher can be distinguished from a random function. In order to find a good sequence of masks, the same tools for linear cryptanalysis of block ciphers can be applied with the beginning and the end being set inactive, i.e. \(\beta _{-1}=0\), \(\alpha _n=0\) as shown in Fig. 4. In the middle, the propagation of linear masks must be compatible with each operation. Summing all approximations:

$$\begin{aligned}&\gamma _is^i+\lambda _iZ^i, \quad 0\le i\le n,\\&\alpha _is^i+\beta _is^{i+1}, ~ 0\le i\le n-1, \end{aligned}$$

we will have \(\sum _{i=0}^n \lambda _iZ^i\). For Subterranean 2.0, the correlation of keystreams \(\sum _{i=0}^n \lambda _iZ^i\) is the product of correlations of active ANDs in the involved round functions, as the extraction function is linear.

The designers kept the above attack in mind while designing Subterranean 2.0 and let the output Z be extracted from special state bits in order to prevent any bias in four consecutive output blocks. It is believed that using five or more output blocks eliminates measurable bias in Z. Any evidence that approves or disapproves of such a belief would be interesting to the community.

3.2 Attack scenario 2: state collisions

A similar cryptanalysis in the differential case would be state collision attacks. As illustrated in Fig. 5, the difference of the internal state is introduced by an input difference \(\varDelta X^0\) (through the nonce, AD or the message), and cancelled out by \(\varDelta X^n\) after n rounds. Such an attack is called “LOCAL attack” which was proposed by Khovratovich and Rechberger [11] and independently found by Wu et al. [22] against ALE [5].

Fig. 5

Differential trails for state collisions

The state collision may cause forgery attacks. Suppose the internal difference is introduced by the associated data AD and there exists such a differential trail with high probability p. Then a forgery attack can be mounted in the following way.

Let N, \(A_0||\cdots ||A_n\) and M be the nonce, AD and message to be forged, respectively. The attacker respects nonces and queries \((N,A_0\oplus \varDelta X^0||\cdots ||A_n\oplus \varDelta X^n,M)\) to the encryption oracle to get the 128-bit tag T. Then, T is a valid tag for \((N,A_0||\cdots ||\) \(A_n,M)\) with probability p. The forgery attack succeeds if it beats the generic one. In the case of Subterranean 2.0, it means \(p> 2^{-128}\).

As the nonce is processed in multiple duplex calls, it might be possible to find state collision during the nonce processing phase. If the state collision happens after absorbing nonce segments \(N_1\) and \(N'_1\) respectively (both are of the same length) and there are more bits of nonce to be absorbed, say \(N_2\), then \((N_1||N_2,A,M)\) and \((N'_1||N_2,A,M)\) lead to a state collision and further to the same tag T. As a result, for any \(A'\) and \(M'\), the attacker can make forgeries by using a new \(N_2\) and keeping the same \(N_1\) and \(N'_1\).

In spite of the importance of the security requirement for resisting state collision attacks, such a differential analysis is missing, either in the specification of Subterranean 2.0² or in the literature.

3.3 Attack scenario 3: state recovery in the nonce-misuse setting

Subterranean-SAE takes a nonce as input and strongly relies on nonce uniqueness for security. Even though no security claim was made in the nonce-misuse setting, it is believed by the designers in [9] that the state recovery attack is non-trivial.

In nonce-misuse scenario’s or when unwrapping invalid cryptograms returns more information than a simple error, we make no security claims and an attacker may even be able to reconstruct the secret state. Nevertheless we believe that this would probably a non-trivial effort, both in attack complexity as in ingenuity.

Recall Property 1 that Subterranean 2.0 uses the single-round permutation with algebraic degree 2 in the duplex call. In the setting that a nonce can be used more than once, one may inject a difference \(\varDelta \overline{M}^i\) at \(s^i\) in the message processing phase as shown in Fig. 6, one will obtain some linear relations of the state difference \(\varDelta s^{i+1}\) through the output difference \(\varDelta Z^{i+2}\) as each output bit is the sum of two internal bits. More importantly, \(\varDelta s^{i+1}\) is linear in bits of \(s^i\) due to Fact 1 for quadratic Boolean functions. Therefore, \(\varDelta Z^{i+2}\) will be linear in \(s^i\) as well, and thus some bits of \(s^i\) will be leaked by observing such one-round differentials.

Fig. 6

Notations for state recovery in the nonce-misuse setting

Fact 1

Let \(f: \mathbb {F}_2^n \rightarrow \mathbb {F}_2\) be a Boolean function with algebraic degree 2. Given the input difference \(\varDelta x\), the derivative of f is \(\varDelta f:=f(x)+f(x+\varDelta x)\) can be expressed linearly by the input bits.

Example 1

Let \(f: \mathbb {F}_2^2 \rightarrow \mathbb {F}_2\) and \(f(x)=x_0\cdot x_1\). Suppose the input difference is given as \(\varDelta x =(\varDelta x_0, \varDelta x_1)\). Then \(\varDelta f=f(x) +f(x+\varDelta x)= x_0\cdot x_1 + (x_0+\varDelta x_0)\cdot (x_1+\varDelta x_1)=\varDelta x_1 \cdot x_0+\varDelta x_0\cdot x_1+\varDelta x_0\cdot \varDelta x_1\).

Even though Subterranean-SAE aims for use cases where nonce uniqueness can be guaranteed, it would be interesting to know what the complexity of state recovery would be when nonce uniqueness is lost.

In the following two sections, the three potential attacks pointed out here will be investigated. Section 4 looks into differential and linear cryptanalysis regarding keystream biases and state collisions respectively and Sect. 5 examines state recovery attack in the nonce-misuse setting.

4 Differential and linear analysis tailored for keystream biases and state collisions

In this section, we first specify the issue of dependency in the \(\chi \) operation of the round function of Subterranean 2.0. We then point out the resemblance between the \(\chi \) operation and the round function of the SIMON block cipher [2]. Inspired by the existing work on SIMON [12], we propose explicit formulas for computing the exact correlation of linear trails of Subterranean 2.0 and other ciphers utilizing similar non-linear operations. Finally, we construct our models for searching differential/linear trails of Subterranean 2.0 tailored for keystream biases and state collisions.

4.1 Dependency of AND operations

In the design of Subterranean 2.0, the non-linear layer \(\chi \) of the round function exploits AND operations. Specifically, state bits \(s_{i-1}+1,s_i\) are fed into one AND operation and \(s_{i}+1,s_{i+1}\) into another. Unlike S-box based ciphers where the number of active S-boxes determines the upper bound of differential/linear probability, the number of active AND operations provides not much information for Subterranean 2.0. The reason is the dependency between AND operations.

Let us explain a bit more with an example of two AND operations: \(y_0= x_0\cdot x_1\) and \(y_1=x_1\cdot x_2\). Suppose the differentials of the two AND operations are \((1,0)\rightarrow 1\) and \((0,1)\rightarrow 0\). According to the difference distribution Table 3, the differential probability of the two AND operations is \(\frac{2}{4}\times \frac{2}{4}=2^{-2}\) if the two AND operations are independent. However, the two AND operations share an input bit \(x_1\) and thus not independent. Check that the solutions for the two differentials \((1,0)\rightarrow 1\) and \((0,1)\rightarrow 0\) are \((x_0,x_1)\in \{(0,1),(1,1)\}\) and \((x_1,x_2)\in \{(0,0),(0,1)\}\), which means \(x_1=1\) and \(x_1=0\) should hold simultaneously. This is a contradiction. In the case where the differentials for the two AND operations are \((1,0)\rightarrow 1\) and \((0,1)\rightarrow 1\), there is no such contradiction and the two differentials hold when \(x_1=0\), meaning the probability is \(2^{-1}\) instead of \(2^{-2}\).

Table 3 Difference distribution table (left) and linear approximation table (right) of the AND operation

The dependency between AND operations has a similar effect in linear analysis. Suppose the linear masks are \((0,1)\rightarrow 1\) and \((1, 1)\rightarrow 1\) for the two AND operations. This means \(x_0\cdot x_1\) and \(x_1\cdot x_2\) are approximated with \(x_1\) and \(x_1+x_2\) respectively. Treating them independently, we get correlation \(-2^{-1}\times 2^{-1}=-2^{-2}\) for the two AND operations according to the linear approximation Table 3. While considering together, \(x_0\cdot x_1+x_1\cdot x_2=x_1(x_0+x_2)\) is approximated with \(x_1+x_2\), resulting in a zero correlation. In the case where the linear masks are \((0,1)\rightarrow 1\) and \((1, 0)\rightarrow 1\), \(x_0\cdot x_1+x_1\cdot x_2=x_1(x_0+x_2)\) is approximated with \(x_1\), leading to a correlation \(2^{-1}\) instead of \(2^{-2}\). The case of two active AND operations is summarized in Example 2.

Example 2

Let \(f(x_0,x_1,x_2) = x_0\cdot x_1 + x_1\cdot x_2 + L(x_0,x_1,x_2) = x_0\cdot x_1 + x_1\cdot x_2 +u\cdot x_0+v\cdot x_1+ w\cdot x_2\) be a Boolean function and \(u,v,w\in \mathbb {F}_2\) are constants. If \(u+w=0\), then \(Cor(f)=2^{-1}\); otherwise, \(Cor(f)=0\).

Besides Subterranean 2.0, chaining AND operations also make up the non-linear layer of the round function in authenticated encryption schemes like MORUS [20], TinyJAMBU [21] and block ciphers like SIMON [2], etc. Handling the dependency among the chaining AND operations is a challenging task. Taking all the dependency into account usually makes the search for differential/linear trails inefficient or even infeasible. In the case where there exist very sparse differential/linear trails such that there is no adjacent active AND operations, treating AND operations independently works well [18, 19]. Recently, effort has been made to construct models that partially handles the dependency of the AND operations [17]. However, the methods which do not fully tackle the dependency are not applicable to Subterranean 2.0 whose differential/linear trails for state collisions or keystream bias of Subterranean 2.0 are relatively dense. This is confirmed by experiments where the trails obtained with these methods are almost invalid. Moreover, inexact models are unable to provide reliable bounds of differential/linear probability. Consequently, the dependency must be taken into consideration for evaluation of Subterranean 2.0 against state collision attacks and keystream bias.

4.2 Represent \(\chi \) as a SIMON-like function

Subterranean 2.0 uses bit-wise operations. In particular, in the \(\chi \) step, for \(0\le i < b\),

$$\begin{aligned} s_i\leftarrow s_i + s_{i+1} \cdot s_{i+2} + s_{i+2}. \end{aligned}$$

We observe that the \(\chi \) step bears a strong resemblance to SIMON’s round function. SIMON [2] is a family of lightweight block ciphers and follows the Feistel construction. Its round function has the following form

$$\begin{aligned} (x\lll \alpha )\odot (x\lll \beta )\oplus (x\lll \gamma ), \end{aligned}$$

where \(x\lll i\) corresponds to a cyclic left shift of word x by i bits, \(\odot \) and \(\oplus \) denote the bit-wise AND and XOR operations respectively. We notice that \(\chi \) can be re-written as a SIMON-like function:

$$\begin{aligned} s \leftarrow s \oplus (s\ggg 1)\odot (s\ggg 2) \oplus (s\ggg 2). \end{aligned}$$

Therefore, the techniques and tools in [12] for searching differential/linear trails of SIMON serves as a good starting point for differential and linear cryptanalysis of Subterranean 2.0.

4.3 Linear analysis

In [12], the authors proved that the input mask \(\alpha \) and output mask \(\beta \) for the operation \(x\odot (x\lll 1)\) should satisfy that \(\alpha \in U_\beta ^{\perp }\), where \(U_\beta = \{y|\beta \odot (y\lll 1)\oplus (\beta \odot y)\ggg 1\}\). Inspired by this, we further propose explicit formulas for calculating the correlation of linear trails of Subterranean 2.0, which are also applicable to other ciphers that exploit chains of AND operations.

In linear cryptanalysis of such ciphers, there are blocks of chained active AND operations where the correlation can be calculated for each block independently. Depending on the number of active AND operations involved in a block, there are two cases which are covered by Lemmas 1 and 2. For Subterranean 2.0, k in the two lemmas is 1. When the number n of active AND operations in a block is odd, i.e. \(n=2t-1, t>0\), any approximation is valid and the correlation is \(2^{-t}\). When the number n of active ANDs is even, i.e. \(n= 2t, t> 0\), the approximation should satisfy a condition cond as stated in Lemma 2. This is a one-bit condition and if it holds, the correlation is \(2^{-t}\). In other words, given a random approximation for an even block, it is valid with probability \(\frac{1}{2}\). In search of linear trails, it is the key point to make sure this condition holds for all even blocks. Without this condition being imposed, the obtained linear trail will be invalid with high chance when the trail is dense.

Lemma 1

Let \(f(x)=x_0x_k+x_kx_{2k}+\cdots +x_{(2t-2)k}x_{(2t-1)k}+L(x_0,x_k,\cdots ,x_{(2t-1)k})\) be a Boolean function where L is linear and \(t>0\). Then Cor(f) is \(2^{-t}\).

Proof

The quadratic part of f(x) can be re-written as

$$\begin{aligned} x_k(x_0 + x_{2k}) + x_{3k}(x_{2k} + x_{4k}) + \cdots + x_{(2t-3)k}(x_{(2t -4)k} + x_{(2t-2)k}) + x_{(2t-2)k}x_{(2t-1)k}. \end{aligned}$$

Apply the following transformation:

$$\begin{aligned} y_{(2j - 1)k}&= x_{(2j - 1)k}, \quad 1\le j \le t\\ y_{(2j)k}&= x_{(2j)k} + x_{2(j+1)k}, \quad 0\le j \le t -2\\ y_{(2t-2)k}&= x_{(2t-2)k}, \end{aligned}$$

which is equivalent to the transformation \(\varvec{x} = A\varvec{y}\):

$$\begin{aligned} x_{(2j - 1)k}&= y_{(2j - 1)k},\quad 1\le j \le t\\ x_{(2j)k}&= \sum ^{t}\limits _{i = j} y_{(2i)k}, \quad 0\le j \le t-1 \end{aligned}$$

Then one can obtain

$$\begin{aligned} g(\varvec{y}) = f(A\varvec{y}) = y_0y_k + y_{2k}y_{3k} + \ldots + y_{2(t -1)k}y_{(2t - 1)k} + L'(y_0, y_k,\ldots , y_{(2t-1)k}). \end{aligned}$$

Since the quadratic terms of g contains all \(y_{jk}, 0\le j \le 2t-1\), \(Cor(g) = 2^{-t}\). Therefore, \(Cor(f) = 2^{-t}\), as

$$\begin{aligned} Cor(g)&=\frac{1}{2^{2t}}\sum _{\varvec{y}\in \mathbb {F}_2^{2t}}(-1)^{g(\varvec{y})} =\frac{1}{2^{2t}}\sum _{\varvec{y}\in \mathbb {F}_2^{2t}}(-1)^{f(A\varvec{y})} =\frac{1}{2^{2t}}\sum _{\varvec{y}\in \mathbb {F}_2^{2t}}(-1)^{f(\varvec{y})} =Cor(f). \end{aligned}$$

\(\square \)

Lemma 2

Let \(f(x)=x_0x_k+x_kx_{2k}+\cdots +x_{(2t-2)k}x_{(2t-1)k}+x_{(2t-1)k}x_{2tk}+L_0(x_0,x_{2k}\)

\(\cdots ,x_{2tk}) +\) \( L_1(x_k,x_{3k},\cdots ,x_{(2t-1)k})\) be a Boolean function where \(L_0, L_1\) are linear and \(t>0\). Let \(\varvec{cond}\) be: \(L_0\) contains a even number of terms. Then Cor(f) is \(2^{-t}\) if \(\varvec{cond}\) holds and 0 otherwise.

Proof

The quadratic part of f(x) can be re-written as

$$\begin{aligned} x_k(x_0 + x_{2k}) + x_{3k}(x_{2k} + x_{4k}) + \dots + x_{(2t -1)k}(x_{(2t -2)k} + x_{(2t)k}) \end{aligned}$$

Apply the following transformation:

$$\begin{aligned} y_{(2j - 1)k}&= x_{(2j - 1)k}, \quad 1\le j \le t\\ y_{(2j)k}&= x_{(2j)k} + x_{2(j+1)k}, \quad 0\le j \le t -1\\ y_{(2t)k}&= x_{(2t)k}, \end{aligned}$$

which is equivalent to the transformation \(\varvec{x} = A\varvec{y}\):

$$\begin{aligned} x_{(2j - 1)k}&= y_{(2j - 1)k},\quad 1\le j \le t-1 \end{aligned}$$

(1)

$$\begin{aligned} x_{(2j)k}&= \sum ^{t}\limits _{i = j} y_{(2i)k}, \quad 0\le j \le t \end{aligned}$$

(2)

Then one can obtain

$$\begin{aligned} g(\varvec{y}) = f(A\varvec{y}) =y_0y_k + y_{2k}y_{3k} + \cdots + y_{2(t -1)k}y_{(2t - 1)k} + L(y_0, y_k,\dots , y_{(2t)k}). \end{aligned}$$

Obviously, \(Cor(g) = 0\) if \(L(y_0, y_k,\cdots , y_{(2t)k})\) contains the term \(y_{(2t)k}\), otherwise \(Cor(g) = 2^{-t}\). And \(L(y_0, y_k,\cdots , y_{(2t)k})\) has the term \(y_{(2t)k}\) if and only if \(L_0(x_0, x_{2k},\) \(\dots , x_{(2t)k})\) contains an odd number of terms according to Eq. (2). \(\square \)

Technically, for an even block with \(2t, t>0\) chained active AND operations, it requires \(t+1\) iterations to check the condition cond. Hence, the longer an even block is, the more time-consuming for the checking. As the state size of Subterranean 2.0 is 257 which is relatively large when compared to block ciphers like SIMON, the length of even block can reach 256 theoretically. In order to speed up the search for linear trails of Subterranean 2.0, it would be useful to identify a tighter upper bound of block length \(\ell \) for each round. This can be done as follows when the range of correlation or the target correlation is given.

1. 1.

   For round r, set the target correlation C, time limit D and set the block length as state size, i.e. \(\ell =b\)

   1. (a)

      For all possible positions for a block with \(\ell \) chained ANDs:

      1. i.

         Set the \(\ell \) ANDs active. If a solution is found or the searching time exceeds D, exit.

   2. (b)

      \(\ell =\ell -1\) and go to (a).

We then propose two models:

1. 1.

   Set \(\ell \) to a reasonable value for all rounds, e.g. \(\ell =6\). This model is used for searching linear trails with good correlations.

2. 2.

   For each round, set \(\ell \) to the upper bound found by the above procedure. This model is used for providing tighter lower bounds of correlation of linear trails.

We apply these two models to Subterranean 2.0 and Subterranean 2.0-m(d). The results in Table 4 are obtained. Note that, the search space of linear trails over n blocks covers the search space of linear trails over less blocks.

• For Subterranean-m(d)

  • The correlations of linear trails become stable when four blocks are involved, as shown in Fig. 7.

  • When \(d=58\), there exists a linear trail over three output blocks with correlation \(2^{-23}\), as shown in Table 9. This means \(d=58\) is not a safe parameter for Subterranean-m.

• For Subterranean 2.0

  • There does not exist any linear trail over four blocks with correlation higher or equal to \(2^{-49}\).

When \(d=58\), the curve in Fig. 7 goes significantly low. We conjecture that it may come from the interplay between operations \(\pi \) and extraction/injection which depend on d, and other operations, i.e. \(\chi \), \(\iota \), and \(\theta \). The indices used in \(\chi \), \(\iota \), and \(\theta \) are computed through additions in \(\mathbb {Z}\). Conversely, the indices used in \(\pi \) and extraction/injection are computed through multiplications in \(\mathbb {Z^*}\) (except 0). When d varies, we have different combinations of these two parts and each combination is unique. It may be possible that there are good linear trails for certain combination. A similar conjecture could be made for the differential case that will be discussed subsequently.

4.4 Differential analysis

In differential cryptanalysis of Subterranean 2.0, we adapt Theorem 1 from [12] and then apply it to Subterranean 2.0.

Theorem 1

([12]) Let \(f(x)= (x\lll 1)\odot x\) be a Boolean function on \(\mathbb {F}_2^n\). The probability that difference \(\alpha \) goes to difference \(\beta \) through f is

$$\begin{aligned} \Pr (\alpha \xrightarrow []{f} \beta )= {\left\{ \begin{array}{ll} 2^{-n+1} &{} \alpha =\varvec{1}~\mathrm{and}~ wt(\beta )\equiv 0~ \mathrm{mod}~2,\\ 2^{-wt(vb+db)} &{} \alpha \ne \varvec{1}~\mathrm{and}~\beta \odot \overline{vb}=\varvec{0}~\mathrm{and}~((\beta \lll 1)\oplus \beta )\odot db =\varvec{0}, \\ 0 &{} \mathrm{otherwise,} \end{array}\right. } \end{aligned}$$

where \(vb = (\alpha \lll 1)\vee \alpha \), \(db=\alpha \odot \overline{(\alpha \lll 1)}\odot (\alpha \lll 2)\) and wt(x) is the Hamming weight of x.

The original Theorem 1 considers bit vector x of an even number of bits. When the state size is odd, the condition for the first case should be adapted to \(wt(\beta )\equiv 1\). Based on Theorem 1, the results in Table 5 are obtained. Also, the search space of differential trails using n blocks covers the search space of differential trails using less blocks.

• For Subterranean-m(d)

  • The probabilities of differential trails become stable when five blocks are involved, as shown in Fig. 8.

  • When \(d=41\), there exists a differential trail using four input blocks with probability \(2^{-47}\), as shown in Table 8. This means \(d=41\) is not a safe parameter for Subterranean-m.

• For Subterranean 2.0

  • There does not exist any differential trail over four blocks with probability higher or equal to \(2^{-108}\).

Table 4 Correlation of keystreams

Table 5 Result of searching differential trails for state collisions

4.5 Impact on Subterranean-deck and Subterranean-SAE

As between extractions or injections, there is only one round, there is little clustering effect in the differential/linear analysis of Subterranean 2.0.³ Thus the security of Subterranean 2.0 against the linear attack and the state collision attack can be almost deduced from optimal differential/linear trails.

4.5.1 Bias of keystreams

For both Subterranean-deck and Subterranean-SAE, the security is claimed against attackers that are limited to \(2^{96}\) data blocks. Thus a useful linear trail should have correlation higher than \(2^{-48}\). In the specification of Subterranean 2.0 [8], there is a statement below.

This provides evidence that there is probably no bias for masks Z of less than 5 blocks and we believe there is no bias in Z measurable from output sequences of \(2^{96}\) blocks or less.

Our linear analysis is twofold: we find that the first half of the statement is not a reasonable conjecture and we support the second half of the statement with detailed experiments. Our results show that there exist linear trails over three or four blocks for both Subterranean 2.0 and Subterranean-m. Within four keystream blocks, linear trails with correlation higher than \(2^{-48}\) do not exist for Subterranean 2.0. The experiments on the toy cipher Subterranean-m show that there are no better linear trails when we increase the number of keystream blocks to five, which gives some confidence that there is no better linear trails as well for Subterranean 2.0 over more output blocks. In short, our results support the designers’ claim on the security against linear cryptanalysis.

The designers’ conclusion that there is probably no bias over less than five blocks lies in an analysis considering a single active output bit. Recall that the expression of the output block

$$\begin{aligned} Z^{t+1}_i= s^{t+1}_{12^{4i}} + s^{t+1}_{-12^{4i}} \end{aligned}$$

and the round function

$$\begin{aligned} s^{t+1}_{j}=s^t_i + s^t_{i+3}+s^t_{i+8}+(s^t_{i+1}+1)\cdot s^t_{i+2}+(s^t_{i+4}+1)\cdot s^t_{i+5}+(s^t_{i+9}+1)\cdot s^t_{i+10} \end{aligned}$$

where \(i=12j\). It can then be obtained that \(Z^{t+1}_i= s^{t}_{12^{4i+1}} + s^{t}_{-12^{4i+1}} + q(s^t)\). Note that if there is an isolated term of degree 1 in the approximation, the correlation will be zero. As \(12^{4i+1}\) and \(-12^{4i+1}\) are not elements of the subgroup \(\left\langle 12^4 \right\rangle \), they cannot be cancelled out by \(Z^t_j\). Based on this, the designers reached the conclusion about the length of linear trails of Subterranean 2.0. Nevertheless, state bits outside \(\left\langle 12^4 \right\rangle \), like \(s^{t}_{12^{4i+1}}\) and \(s^{t}_{-12^{4i+1}}\), may be cancelled out when there are multiple active bits in the output block. Let us take the 3-block linear trail of Subterranean-m(58) (see Table 9) as an example. In this linear trail, both \(Z^2_0\) and \(Z^2_1\), i.e. the first and the second bits of the third output block, are active. According to the expressions below, we can see that \(s^1_{-58}\) is cancelled out.

$$\begin{aligned} Z^2_{0}&= s^2_{58^{4\cdot 0}} + s^2_{-58^{4\cdot 0}} \\&= s^1_{58} + s^1_{60} + s^1_{61} + s^1_{63} + s^1_{66} + s^1_{68} + \varvec{s^1_{-58}} + s^1_{41} + s^1_{42} + s^1_{44} + s^1_{47} + s^1_{49} + q_1(s^1),\\ Z^2_{1}&= s^2_{58^{4\cdot 1}} + s^2_{-58^{4\cdot 1}} \\&s^1_{58^5} + s^1_{62} + s^1_{63} + s^1_{65} + s^1_{68} + s^1_{70} + s^1_{-58^5} + \varvec{s^1_{-58}} + s^1_{40} + s^1_{42} + s^1_{45} + s^1_{47} + q_2(s^1). \end{aligned}$$

The full expression of the approximation can be found in Table 10. Consequently, treating the active bits globally, the invoked active bits located outside the group \(\left\langle 12^4 \right\rangle \) maybe cancelled out by each other. Thus, it does not necessarily take four rounds to make them fall back into \(\left\langle 12^4 \right\rangle \). More importantly, concrete linear trails with three or four blocks are found for both Subterranean 2.0⁴ and Subterranean-m.

4.5.2 State collisions

State collisions can be used for probabilistic forgeries as long as the differential probability \(p>2^{-|K|}\) when the tag length is the same as the key length. That is, the forgery attack is not constrained by the data limit. Searching differential trails for Subterranean 2.0 is hard due to the large internal state. The experiments on the toy cipher Subterranean-m show that there is only one value for the parameter d such that the state collision attack is possible. When the injection rate of Subterranean-m is reduced to a smaller value, say 8, all values of d allow resistance against the state collision attack. It is very likely that these results of Subterranean-m reflect the security of Subterranean 2.0 against the state collision attack due to similar designs.

5 Key recovery of Subterranean-SAE in the nonce-misuse setting

In this section, it is shown that a practical state recovery attack can be mounted with only 88 32-bit blocks and 20 repetitions of nonce by one-round differential analysis.

5.1 One-round differential analysis

In the duplex call of Subterranean 2.0, a single-round permutation is used. As the round function has algebraic degree only 2, the output difference of the round function will be linear in the input. So is the difference of the following keystream block. Let us explain the idea with an example as follows.

Example 3

Suppose one bit difference is injected at position 1 of \(s^i\) (see Fig. 6). After one round, the bits at positions [0, 64, 85, 107, 150, 171, 192, 214, 235] of \(s^{i+1}\) have difference \([s^i_2,s^i_2, s^i_2, s^i_0+1,1,s^i_0+1,s^i_0+1,1,1]\) and there is no difference at other positions. From the extraction, we have \(\varDelta Z^{i+2}_8=\varDelta s^{i+1}_{64}+\varDelta s^{i+1}_{193}=s^i_2\). Thus obtain one state bit \(s^i_2\) by observing \(\varDelta Z^{i+2}\).

This means, in the message processing phase, if a difference is injected at \(s^i\), some state bits of \(s^i\) can be recovered by observing the output difference after one round. We call this one-round differential of Subterranean 2.0. As can be seen that the recovered bits are among the neighbouring bits of the injected difference. For Subterranean-SAE, the number of bit positions for injection is 32. Further analysis shows that only 41 neighbouring bits can be recovered by one-round differentials.

5.2 Nested one-round differential analysis

To enlarge the number of state bits that can be recovered, we propose a nested one-round differential analysis which exploits the output difference in two consecutive rounds. The core idea is that injecting difference at \(s^i\) will lead to differences of \(s^{i+1}\) at positions that may fall outside the set of 32 injection positions. Therefore, besides injecting difference through the input block, we can also utilize the difference generated by the previous round by treating the previous round as a difference injector.

It is known that the difference after two rounds is not linear in the input bits anymore. However, by our nested one-round differential analysis, some bits of the internal state can still be recovered as long as the input difference to the second round is sparse. Next, we illustrate the nested one-round differential by Example 4.

Example 4

Suppose one bit difference is injected at position 1 of \(s^i\) (see Fig. 6). Treat the second round independently with input difference \([s^i_2,s^i_2, s^i_2, s^i_0+1,1,s^i_0+1,s^i_0+1,1,1]\) at positions [0, 64, 85, 107, 150, 171, 192, 214, 235] based on Example 3. By observing the difference of the output block after the second round \(\varDelta Z^{i+3}\), retrieve relations between \(s^{i+1}\), \(s^i_0, s^i_2\) through \(\varDelta Z^{i+3}\), and select the linear ones which are:

$$\begin{aligned} \varDelta Z^{i+3}_1&= s^0_2, \\ \varDelta Z^{i+3}_3&= s^0_0 + 1,\\ \varDelta Z^{i+3}_8&= s^0_2, \\ \varDelta Z^{i+3}_{12}&= s^1_{234} + 1,\\ \varDelta Z^{i+3}_{13}&= s^1_{149} + 1,\\ \varDelta Z^{i+3}_{14}&= s^0_2,\\ \varDelta Z^{i+3}_{16}&= s^0_0 + 1, \\ \varDelta Z^{i+3}_{22}&= s^1_{213} + 1,\\ \varDelta Z^{i+3}_{23}&= s^1_{215}. \end{aligned}$$

Therefore, 6 bits: \(s^0_0, s^0_2, s^1_{149}, s^1_{213}, s^1_{215}, s^1_{234}\) can be recovered.

5.3 Key recovery

In our attack, we utilize 9 types of difference injections No. \(1\sim 9\) as listed in Table 6, each of which recovers a set of bits in \(s^i\). Using 19 injections of difference in total, 131 bits information of \(s^1\) and 128 bits information of \(s^2\) can be known, as illustrated in Table 7. With this information, the full state \(s^1\) can be recovered as follows.

Guess another 26 bits of \(s^1\), as listed in the last row of Table 7. Then all bits of \(s^2\) can be expressed in \(257-131-26 = 100\) unknowns and there remain 26 quadratic terms composed of these unknowns. When the 26 quadratic terms are treated as independent unknowns, there will be 100 + 26 unknown. As 128 bits of \(s^2\) are known, a system of 128 linear equations in 126 unknowns can be constructed and solved easily. There may be multiple solutions for \(s^1\), most of which are not the actual one and can be discarded by exploiting unused output bits (without increasing the data complexity). The time complexity of recovering the full \(s^1\) is dominated by solving \(2^{26}\) systems, each of which has 128 linear equations and 126 unknowns.

Table 6 Difference injection and state recovery

Table 7 State recovery with 19 injections of difference under the nonce-misuse setting

5.3.1 Recover the key

Once the unique state \(s^1\) is identified, the 128-bit key can be recovered by a guess-and-determine procedure as in [13]. First, with \(s^1\), the state after injecting \(K^4\) can be computed. As \(K^4\) is unknown, only 225 bits of the state before the injection are known. Then, guess 32 bits of \(K^1\) and 3 bits of \(K^2\) at positions [2, 136, 189] so that the state after injecting \(K^3\) are linear in the remaining 29 bits of \(K^2\) and the full 32 bits of \(K^3\). Hence, the 225 known bits before injecting \(K^4\) are quadratic in these 61 key bits. A detailed analysis shows that the expressions of the 225 known bits contain at most 128 quadratic terms. Again if we treat these 128 quadratic terms as independent unknowns, then there will be a system of 61+128 unknowns and 225 linear equations. The solution of the system provides information of \((K^1, K^2, K^3)\). When \((K^1, K^2, K^3)\) is obtained, recovering \(K^4\) is trivial. As a result, recovering the key from \(s^1\) requires to solve \(2^{35}\) systems, each of which has 225 linear equations in 189 unknowns. In summary, the key can be recovered practically if the same nonce repeats 20 times.

5.3.2 Relation to the extraction function

In the squeezing phase, Subterranean 2.0 outputs a block of 32 bits, each of which is the sum of two state bits: \(Z_i=s_{12^{4i}} + s_{-12^{4i}}\), for \(0\le i<32\). Instead of outputting state bits directly, this extraction function is meant to frustrate state recovery attacks [10] in the nonce respected setting. In our one-round differential analysis, this extraction function allows more state bits involved in the output block and thus more state bits can be recovered. For example, if we set \(Z_i=s_{12^{4i}}\), for \(0\le i<32\), type 1 injection of difference will lead to a recovery of 17 bits versus 30 bits under the original extraction and 20 state bits can be recovered with ordinary one-round differential analysis versus 41 state bits under the original extraction. Note that our one-round differential analysis requires a nonce-misuse setting.

5.3.3 Comparison to the work by Liu, Isobe and Meier

In [13], Liu, Isobe and Meier presented a practical state-recovery attack in the nonce-misuse setting with \(2^{13}\) 32-bit blocks based on conditional cube analysis. It was exploited that when the condition holds, the sum of over a set of outputs will be zero. They mainly utilized a 2-dimensional set to recover one bit, which means 4 repetitions of nonce are required for retrieving 1 state bit. On the contrary, as many as 30 state bits can be recovered with 2 repetitions of nonce by a one-round differential. Therefore, the data complexity is much lower in our one-round differential analysis.

6 Concluding remarks

In this paper, we investigated the “single-round permutation” in various phases of Subterranean 2.0 and identified three related attack scenarios that deserve further analysis: keystream biases in the keyed squeezing phase, state collisions in the keyed absorbing phase, and one-round differentials in the message processing phase when a nonce is reused.

To carry out a study on the security in the first two attack scenarios, it is necessary to search for differential/linear trails under special constraints. First, we proposed a set of toy versions of Subterranean 2.0: Subterranean-m(d) to understand Subterranean 2.0 with easier effort. Besides, we observed a resemblance between the non-linear layer of the round function of Subterranean 2.0 and SIMON’s round function. Such resemblance offers a good starting point for differential/linear analysis of Subterranean 2.0. Inspired by the existing work on SIMON, we proposed explicit formulas for computing the correlation of linear trails of ciphers that exploit chaining AND operations like Subterranean 2.0, and built our own models for Subterranean 2.0. The experiments on Subterranean-m(d) show that for most choices of d, Subterranean-m is secure against linear attacks and state collision attacks, but Subterranean-m(58) (resp. Subterranean-m(41)) is vulnerable to linear attacks (resp. state collision attacks). It is very likely that these results of Subterranean-m reflect the security of Subterranean 2.0 due to similar designs. We also found a flaw in the designers’ reasoning of Subterranean 2.0’s linear bias but supported the designers’ claim that there is no bias measurable from \(2^{96}\) data blocks or less. Due to the time-consuming search for differential trails of Subterranean 2.0, its security against the state collision attack in keyed modes still remains an open question.

Finally, we observed that one-round differentials allow to recover state bits in the nonce-misuse setting. In order to recover a sufficient number of state bits, we further proposed nested one-round differentials where a one-round differential is prepended to another, acting as a difference injector. As a result, a practical state recovery attack can be achieved with only 20 repetitions of the nonce and 88 blocks of data. Our analysis shows that Subterranean-like constructions with quadratic single-round permutation must be used carefully in practice as the security crashes when nonce uniqueness is lost.

Appendices

Appendix A: Algebraic properties of \(\theta \)

For studying the algebraic properties of \(\theta \), we treat the state s as a binary polynomial \(\sum _is_iX^i\), following the way in [8]. Then the \(\theta \) operation becomes a modular multiplication

$$\begin{aligned} \theta (s(X))=s(X)(1+X^3+X^8) ~\mathrm {mod}~ (1+X^{b}). \end{aligned}$$

In particular, we consider \(b=97\). The modulus \(1+X^{97}\) is the product of \(X+1\) and two irreducible polynomials of degree 48.

$$\begin{aligned}&X^{48} + X^{43} + X^{41} + X^{40} + X^{38} + X^{36} + X^{32} + X^{29} + X^{24} + X^{19} + X^{16} + X^{12} + X^{10} + X^{8} + X^{7} + X^{5} + 1,\\&X^{48} + X^{47} + X^{46} + X^{45} + X^{44} + X^{41} + X^{36} + X^{35} + X^{33} + X^{32} + X^{30} + X^{29} + X^{25} + X^{24} + X^{23} + X^{19} +\\&X^{18} + X^{16} +X^{15} + X^{13} + X^{12} + X^{7} + X^{4} + X^{3} + X^{2} + X + 1. \end{aligned}$$

Fig. 7

Correlations of keystreams with \(3\sim 5\) blocks for Subterranean-m

Fig. 8

Differential probabilities with \(3\sim 6\) blocks for Subterranean-m

Let \(P(X)=1+X^3+X^8\). As P(X) is coprime with \(1+X^{97}\), the inverse of P(X) is

$$\begin{aligned}&X^{92} + X^{91} + X^{87} + X^{86} + X^{84} + X^{83} + X^{82} + X^{81} + X^{77} + X^{75} + X^{74} + X^{73} + X^{72} + X^{70} + X^{68} + X^{66} + \\&X^{64} + X^{63} + X^{62} +X^{61} + X^{60} + X^{59} + X^{57} + X^{53} + X^{51} + X^{49} + X^{48} + X^{46} + X^{45} + X^{44} + X^{39} + X^{38} + \\&X^{37} + X^{36} + X^{34} + X^{33} + X^{32} + X^{30} + X^{27} + X^{26} + X^{24} + X^{21} + X^{18} + X^{10} + X^{5} + X^{2} + 1, \end{aligned}$$

where there are 47 terms (versus 127 for \(b=257\)). Hence, the high diffusion in the backward direction still remains for \(b=97\).

Also, the order of P(X) is sufficiently large. The order of 2 in (\(\mathbb {Z}/97\mathbb {Z}^*,\times \)) is 48. Therefore,

$$\begin{aligned} P^{2^{48}}(X) ~\mathrm {mod}~{(1+X^{97})}=P(X^{2^{48}~\mathrm {mod}~{97}})=P(X). \end{aligned}$$

This means the order of P(X) divides \(2^{48}-1=3^2 \cdot 5 \cdot 7 \cdot 13 \cdot 17 \cdot 97 \cdot 241 \cdot 257 \cdot 673\). Through a computation on Sage, it shows that the order of P(X) is \(2^{48}-1\) (versus \(2^{16}-1\) for \(b=257\)).

When b is set to another primes of the form \(8k+1<257\), for \(k=2,5, 9, 11, 12, 14, 17, 24, 29\), 30, a similar analysis can be done for studying algebraic properties of \(\theta \). It shows that in all cases \(\theta \) is reversible and its inverse is dense.

Table 8 Differential trail of Subterranean-m(41) using 4 blocks with probability \(2^{-47}\) for state collisions

Table 9 Linear trail of Subterranean-m(58) using 3 blocks with correlation \(2^{-23}\)

Table 10 Detailed approximation and the final approximation derived from Table 9

Appendix B: Differential/linear trails

This section presents two exact differential/linear trails of Subterranean-m in Tables 8 and 9, based on which state collisions or linear bias can be detected. The approximation derived from the linear trail in Table 9 can be found in Table 10 and its correlation can be verified using Lemmas 1 and 2. When d varies, the correlations (resp. probabilities) of linear (resp. differential) trails of Subterranean-m regarding keystream bias (resp. state collisions) are displayed in Fig. 7 (resp. Fig. 8).