Security analysis of Subterranean 2.0
Designs, Codes and Cryptography (IF 1.6), Pub Date: 2021-06-01, DOI: 10.1007/s10623-021-00892-6
Ling Song, Yi Tu, Danping Shi, Lei Hu

Subterranean 2.0 is a cipher suite that can be used for hashing, authenticated encryption, MAC computation, etc. It was designed by Daemen, Massolino, Mehrdad, and Rotella, and has been selected as a candidate in the second round of NIST’s lightweight cryptography standardization process. Subterranean 2.0 is a duplex-based construction and uses a single-round permutation in the duplex. It is the simplicity of the round function that makes it an attractive target for cryptanalysis. In this paper, we examine the single-round permutation in the various phases of Subterranean 2.0 and specify three related attack scenarios that deserve further investigation: keystream biases in the keyed squeezing phase, state collisions in the keyed absorbing phase, and one-round differential analysis in the nonce-misuse setting. To facilitate cryptanalysis in the first two scenarios, we propose a new set of size-reduced toy versions of Subterranean 2.0: Subterranean-m. We then observe, for the first time, the resemblance between the non-linear layer in the round function of Subterranean 2.0 and SIMON’s round function. Inspired by the existing work on SIMON, we propose explicit formulas for computing the exact correlation of linear trails of Subterranean 2.0 and of other ciphers that use similar non-linear operations. We then construct models for searching for trails to be used in the keystream bias evaluation and in state collision attacks. Our results show that most instances of Subterranean-m are secure in the first two attack scenarios, but there exist instances that are not. Further, we find a flaw in the designers’ reasoning about Subterranean 2.0’s linear bias, but we support the designers’ claim that there is no linear bias measurable from at most \(2^{96}\) data blocks. Due to the time-consuming search, the security of Subterranean 2.0 against the state collision attack in keyed modes remains an open question.
Finally, we observe that one-round differentials allow the recovery of state bits in the nonce-misuse setting. By proposing nested one-round differentials, we obtain a sufficient number of state bits, leading to a practical state recovery with only 20 repetitions of the nonce and 88 blocks of data. It is noted that our work does not threaten the security of Subterranean 2.0.




Updated: 2021-06-01