Cube-Based Cryptanalysis of Subterranean-SAE

. Subterranean 2.0 designed by Daemen, Massolino and Rotella is a Round 2 candidate of the NIST Lightweight Cryptography Standardization process. In the oﬃcial document of Subterranean 2.0, the designers have analyzed the state collisions in unkeyed absorbing by reducing the number of rounds to absorb the message from 2 to 1. However, little cryptanalysis of the authenticated encryption scheme Subterranean-SAE is made. For Subterranean-SAE, the designers introduce 8 blank rounds to separate the controllable input and output, and expect that 8 blank rounds can achieve a suﬃcient diﬀusion. Therefore, it is meaningful to investigate the security by reducing the number of blank rounds. Moreover, the designers make no security claim but expect a non-trivial eﬀort to achieve full-state recovery in a nonce-misuse scenario. In this paper, we present the ﬁrst practical full-state recovery attack in a nonce-misuse scenario with data complexity of 2 13 32-bit blocks. In addition, in a nonce-respecting scenario and if the number of blank rounds is reduced to 4, we can mount a key-recovery attack with 2 122 calls to the internal permutation of Subterranean-SAE and 2 69 . 5 32-bit blocks. A distinguishing attack with 2 33 calls to the internal permutation of Subterranean-SAE and 2 33 32-bit blocks is achieved as well. Our cryptanalysis does not threaten the security claim for Subterranean-SAE and we hope it can enhance the understanding of Subterranean-SAE.


Introduction
As the lightweight cryptographic primitives are becoming more and more important in industry, the National Institute of Standards and Technology (NIST) started a public lightweight cryptography project in as early as 2013 and initiated the call for submissions in 2018, with the hope to select a lightweight cryptographic standard by combining the efforts of both academia and industry.
In this paper, our target is the primitive Subterranean 2.0 [DMR19] designed by Daemen, Massolino and Rotella, which has been selected by NIST for the second round.As said by the designers in the official document [DMR19], the round function is very simple and therefore it is an attractive target for cryptanalysis.Moreover, the algebraic degree of the one-round permutation is only 2, which gives us an impression that cube attack [DS09] and cube tester [ADMS09] may be feasible.In the recent three years, the cube attack has attracted the attention of many cryptographers.Especially, there is a series of publications [HWX + 17, LBDW17, LDB + 19, SGSL18] on the application of cube attack to the permutations underlying Keccak.Moreover, the bit-based division property introduced by Todo and Morii in [TM16] has also been applied to achieve a theoretical cube attack on stream ciphers in [TIHM17, WHT + 18].
On the other hand, we observe that the designers of Subterranean 2.0 only investigated the security of state collisions in unkeyed absorbing by reducing the number of rounds to absorb the message from 2 to 1.However, there is little cryptanalysis for the authenticated encryption scheme Subterranean-SAE.The designers of Subterranean 2.0 made the following statement for Subterranean-SAE in their NIST submission [DMR19]: In nonce-misuse scenario or when unwrapping invalid cryptograms returns more information than a simple error, we make no security claims and an attacker may even be able to reconstruct the secret state.Nevertheless we believe that this would probably a non-trivial effort, both in attack complexity as in ingenuity.
Therefore, we are motivated to devise a full-state recovery attack in the nonce-misuse scenario.In addition, the blank rounds in Subterranean-SAE are used to separate the controllable input and output and the designers choose 8 blank rounds.Thus, we believe that it is still interesting and meaningful to investigate its security when the number of blank rounds is reduced.
Our Contributions Inspired from the idea of the conditional cube tester proposed by Huang et al. [HWX + 17], we propose four types of conditional cube tester, each of which requires that the number of conditions involving the secret bits is 1.As far as we know, the additional constraint on the number of conditions is new, which is not well studied in previous work, although such a case has appeared in [LDB + 19].Then, we can mount three types of attacks on Subterranean-SAE as follows.Our results 1 are summarized in Table 1.
• For the full-state recovery attack, our four types of conditional cube tester are used to recover some secret state bits.Then, we use a guess-and-determine technique to recover the full state.Consequently, the full-state recovery attack on Subterranean-SAE can be achieved with a practical time complexity and about 2 13 32-bit message blocks.
• For the distinguishing attack, we have found 33 cube variables and used them to construct a cube tester for reduced Subterranean-SAE with practical time complexity 2 33 when the number of blank rounds is reduced to 4.
• When the number of blank rounds is reduced to 4, a key-recovery attack is also feasible.The attack procedure is composed of two steps.The first step is to recover some secret state bits as in the full-state recovery attack.The second step is to use a guess-and-determine technique to recover the full key.In this way, we can achieve a key-recovery attack with time complexity 2 122 and data complexity 2 69.5 .This paper is organized as follows.We briefly introduce Subterranean 2.0, cube attack, cube tester and conditional cube tester in Section 2.Then, the full-state recovery attack is described in Section 3. The distinguishing attack and key-recovery attack are shown in Section 4 and Section 5, respectively.Finally, the paper is concluded in Section 6.

Preliminaries
In this section, we will give an introduction of the round function of Subterranean 2.0 and its authenticated encryption scheme Subterranean-SAE.For more details, we refer to the official document [DMR19].Moreover, since our technique benefits from the development of cube attack, we will also briefly describe the main idea of cube attack [DS09], cube tester [ADMS09] and conditional cube tester [HWX + 17].

Description of Subterranean 2.0
The Subterranean 2.0 round function is composed of 4 simple operations and operates on a 257-bit state.Denote the 257-bit state by s and the four operations by χ, ι, θ, π.The one-round permutation R = π • θ • ι • χ is detailed as follows, where s[i] represents the i-th bit of s.

The Subterranean-SAE Authenticated Encryption Scheme
Based on the Subterranean 2.0 round function, the designers have constructed an authenticated encryption scheme named Subterranean-SAE.A restricted version of Subterranean-SAE is illustrated in Figure 1.In this scheme, the input consists of a 128-bit key K, a 128-bit nonce N , the associated data A and the message M .The output is the ciphertext C and tag T .The procedure to generate the ciphertext and tag can be briefly described as follows: Step 1: Absorb the key: Initialize a state s with all bits set to 0. Split the 128-bit key K into four 32-bit blocks K 0 , K 1 , K 2 and K 3 .Then, make four consecutive calls to duplex(s, K i ) (0 ≤ i ≤ 3) (refer to Algorithm 1 for duplex) to update the internal state.Finally, make a call to duplex(s, N U LL) to further update the internal state, where N U LL represents an empty string.
Step 2: Absorb the nonce: Split the 128-bit nonce N into four 32-bit blocks N 0 , N 1 , N 2 and N 3 .Then, make four consecutive calls to duplex(s, N i ) (0 ≤ i ≤ 3) to update the internal state.Finally, make a call to duplex(s, N U LL) to further update the internal state.
Step 3: Blank rounds: Make 8 consecutive calls to duplex(s, N U LL) to update the internal state.
Step 4: Absorb the associated data: (the case when M is empty is included in this case), make one more call to duplex(s, N U LL) to update the internal state.
Step 6: Blank rounds: Make 8 consecutive calls to duplex(s, N U LL) to update the internal state.
Step 7: Extract tag: Make a call to extract(s) and obtain T 0 .Then, make 3 consecutive calls to duplex(s, N U LL).After each call to duplex(s, N U LL), make a call to extract(s) to obtain 32-bit The details of duplex(s, σ) and extract(s) are described in Algorithm 1 and Algorithm 2, where σ is a bit string with at most 32 bits.The readers can also refer to the official document of Subterranean 2.0 [DMR19] for a better understanding.
The pseudocode in Algorithm 1 and Algorithm 2 is slightly different from the official document since we introduced two extra arrays IN and EX that are specified in Table 2.For a better understanding of the attacks, we introduce another array IN of size 32, where

z[j]=s[IN[j]]⊕ s[EX[j]]
3: end for 4: return z In our paper, we only concentrate on a specific non-random behaviour, i.e. the cube sum is zero.To describe the cube tester, we first recall the concept of cube attack as follows.

Cube Tester
Then, F can be written as where the polynomial P t only depends on the variables in (x j1 , x j2 , • • •, x j n−k ) and none of the monomials of the polynomial Q t is divisible by t.Define U t as a cube, which is a set of 2 k vectors X ∈ F n 2 as specified below: where x j (j ∈ J) are undetermined variables.Denote the element in U t by u t .Then, the sum of the values of F over the cube When applying the cube attacks to cryptographic primitives, the polynomial F is too complex to analyze.Therefore, the attacker tries to find a suitable monomial t and recover the corresponding P t at the offline phase.Then, the attacker can construct an equation P t (X ) = c at the online phase, where c ∈ GF (2) and the components of X consist in variables x j (j ∈ J).By considering different t or different output bits, the attacker can finally collect a sufficient number of equations.Especially, if the key information is involved in this equation system and all the equations are linear, the attacker can efficiently solve this equation system to recover the secret information.

Cube tester
We focus on one specific non-random behaviour detected by the cube tester, i.e. the cube sum is zero.Specifically, if there exists such a cube U t that the following equation always holds, then U t can be viewed as one type of the cube tester [ADMS09], i.e. the sum over it always equals zero.ut∈Ut F (u t ) = P t = 0.
For example, consider the following polynomial F : Then, the following equation always holds: The reason is that none of the monomials in F (x 0 , x 1 , x 2 , x 3 ) is divisible by x 0 x 3 .However, if we sum F over all values of (x 1 , x 2 ), then we can obtain the following equation: That is, the sum is dependent on the value of x 4 .

Conditional Cube Tester
The conditional cube tester was first proposed by Huang et al. [HWX + 17], which was used to detect a non-randomness of reduced-round Keccak-based constructions where the cube sum is zero.Different from the cube tester in [ADMS09], the cube sum becomes zero only when some specified conditions are satisfied for the conditional cube tester [HWX + 17].The conditional cube tester can be used to construct a distinguisher as well as to mount a key-recovery attack.The attack procedure of the conditional cube tester consists of the offline phase and online phase as well.
At the offline phase, the aim is to find suitable cube variables (defined in Subsection 2.3) and a corresponding set of conditions 2 and L i (α, β) is a linear expression over GF(2) in terms of (α, β).Moreover, suppose α consists of secret variables and β consists of public variables that can be controlled by the attacker.Then, the attacker concludes that the cube sum must be zero when all the conditions L i (α, β) = 0 hold.For convenience, with "variable α" or "variable β", we mean the set of variables addressed by the set α or β.
For a key-recovery attack, α will be involved in some of the conditions L i (α, β) = 0.Then, at the online phase, the attacker can continuously adjust the value of the expression of L i (α, β) until he observes that the cube sum becomes zero.When the cube sum becomes zero, he can conclude that all the conditions L i (α, β) = 0 have been satisfied with an overwhelming probability.In this way, he can also collect a sufficient number of linear equations.Solving this equation system can help recover some secret information.
When the aim is to construct a distinguisher, α will not be involved in any conditions.Therefore, the attacker can choose the message to make all the conditions hold and then he can know that the cube sum must be zero.

Our Conditional Cube Tester
As has been discussed above, when the attacker uses a conditional cube tester to recover the secret information, he concludes that all the conditions have been satisfied when he observes that the cube sum becomes zero.However, such a conclusion may be wrong since it is still possible that the cube sum will be zero even if the conditions are not satisfied, especially when the number of cube variables is small and the diffusion is weak.
Hence, there are two directions to confirm the correctness of such a conclusion.One direction is to obtain a strict distinguisher which can distinguish two cases (cube sum is zero and nonzero) with probability 1, which will be used in our full-state recovery attack.The second direction is the same as in [HWX + 17].In the specific scenario, a sufficient number of cube variables and number of rounds to diffuse variables are introduced so that we can conclude that all the involved conditions are fulfilled with an overwhelming probability if the cube sum is zero.This way will be used in our key-recovery attack in the nonce-respecting scenario.

Full-State Recovery Attack
In this section, we describe how to mount a full-state recovery attack on Subterranean-SAE in a nonce-misuse scenario.

Overview
Suppose the same nonce can be reused for several times.Our attack procedure can be divided into two steps.
Step 1: Use four types of conditional cube tester to recover some secret state bits.
Step 2: Utilize the guess-and-determine technique.Specifically, guess extra unknown secret state bits to construct a sufficient number of linear Boolean equations.Solve the equation system to recover the full state and check its correctness according to the ciphertext and tag value.

Additional Constraint
In recent two years, the conditional cube tester has been intensively investigated [HWX + 17, LBDW17, LDB + 19, LCW19, SGSL18].However, in order to apply it to Subterranean-SAE, an additional constraint to build the conditional cube tester is essential, which has not been clearly discussed before, as far as we know.The additional constraint is the number of conditions involving the secret variables.We have described the general idea of conditional cube tester [HWX + 17] in Subsection 2.4.Especially, there will be a set of conditions L i (α, β) (defined in Subsection 2.4) in order to construct a conditional cube tester.Then, our additional constraint can be described as follows: Additional constraint The number of such conditions L i (α, β) = 0 that involves α is one.
First of all, let us assume that the attacker can always satisfy the conditions where no secret variable is involved since he can carefully choose the value of the public variables.Under this assumption, what benefits will this additional constraint bring?On one hand, if we observe that the cube sum is nonzero, we can immediately conclude that L i (α, β) = 1.This is because the sum must be zero if L i (α, β) = 0. On the other hand, once the cube sum is zero, we can conclude that L i (α, β) = 0 with an overwhelming probability as well.In other words, whatever the cube sum is, there is no need to adjust the value of β in L i (α, β) and we can directly collect an equation.
However, consider the case when there are more than 1 condition involving the secret variable α, supposing they are L 0 (α, β) = 0 and L 1 (α, β) = 0.When the cube sum is zero, we can conclude that L 0 (α, β) = 0 and L 1 (α, β) = 0 with an overwhelming probability.However, when the cube sum is nonzero, there will be three possible values of (L 0 (α, β), L 1 (α, β)), which are (0, 1), (1, 0) and (1, 1).In all previous applications of conditional cube tester to Keccak-based constructions, the public variable β is always involved in all the conditions.Thus, if the attacker observes that the cube sum is nonzero, he can always adjust the value of β until he observes that the cube sum becomes zero and then collect the equations.However, if β is not involved in either L 0 or L 1 , the attacker will lose the control over the values of the expressions L 0 and L 1 .Consequently, the attacker obviously cannot know the actual value of (L 0 (α, β), L 1 (α, β)) when the cube sum is nonzero.
As will be shown, to apply the conditional cube tester to Subterranean-SAE, the condition is directly imposed on one secret state bit.Thus, no public variable is involved in the conditions.In this case, once more bit conditions are involved, the attacker cannot determine which condition holds if the cube sum is nonzero and he can only know that the conditions do not hold simultaneously.However, with our additional constraint, the attacker can always collect an equation whatever the cube sum is.In the following contents, the details of our conditional cube tester will be introduced.

Determining Parameters for Conditional Cube Tester
Since the publication of conditional cube tester [HWX + 17], MILP-based methods to search the corresponding parameters have been developed [LBDW17,SGSL18].In addition, there is also a dedicated method to search the cube variables for Keccak-MAC in [LCW19].Our method to search the parameters for the conditional cube tester is based on an idea similar to the dedicated method [LCW19].But the details are obviously different from that in [LCW19].
There are four types of conditional cube tester in our attack, denoted by TYPE-I, TYPE-II, TYPE-III and TYPE-IV conditional cube tester respectively.The method to determine the parameters will vary for different types of conditional cube tester.
To make this part understandable, we first give an illustration of how the message is processed in Subterranean-SAE, as shown in Figure 2. The input to the round permutation is denoted by M S in i when processing the message block.For the attack, we send an encryption query (N , A, M 0 , M 1 , M 2 , M 3 ) to collect the corresponding tag (T 0 , T 1 , T 2 , T 3 ).Our first aim is to recover some bits of the secret states (M S in 1 , M S in 2 , M S in 3 ) and the final aim is to recover the full M S in 1 in this query.According to the process of absorbing the message in Figure 2, it can be observed that the attacker can always control 32 bits of the input to the round permutation as well as extract 32-bit information after one-round permutation.Thus, we use an equivalent description of this process, as depicted in Figure 3. Specifically, s i (i ≥ 0) denotes the input to the (i + 1)-th round permutation, while s i χ , s i ι , s i θ denotes the state after the χ, ι, θ operation, respectively, in the (i + 1)-th round.Note that the attacker can always control 32 bits of s i and extract 32-bit information of s i by making a call to z i = extract(s i ).
In the following part, we suppose the secret input states are (s 0 , s 1 ) and will introduce how to use the four types of conditional cube tester to recover some of their secret bits.Then, we will describe how to deploy it to recover some secret bits of (M S in 1 , M S in 2 , M S in 3 ).
Figure 3: Equivalent description of processing the message For a better understanding of the following contents, we make a definition of the relations between two variables v 0 and v 1 .Based on the Subterranean 2.0 round function, any bit of the internal state s x (x ≥ 0) can be expressed as a Boolean polynomial in terms of a previous internal state s y (0 ≤ y ≤ x).Suppose there are two variables v 0 and v 1 , which will be set at two internal state bits s i0 [j 0 ] and s i1 [j 1 ] (i 0 ≥ 0, i 1 ≥ 0), respectively.For convenience, assume that i 0 ≤ i 1 .Then, for an internal state s i2 (i 2 ≥ i 1 ), consider any two consecutive bits s i2 [index] and s i2 [index + 1].For s i2 [index], it can be expressed as a Boolean polynomial in terms of s i0 .For s i2 [index + 1], it can be expressed as a Boolean polynomial in terms of s i1 .Definition 1.For all 257 pairs of the two consecutive state bits s i2 [index] and s i2 [index + 1], if all of them satisfy that either the expression of s i2 [index] must not contain the variable v 0 or the expression of Based on such a definition, the relation between v 0 and v 1 in a specific internal state s i2 is static since the expression of s i2 [index] in terms of s i0 and the expression of s i2 [index+1] in terms of s i1 are static.However, if some state bits of s i3 (i 0 ≤ i 3 < i 2 ) are set to specific constants, certain monomials in the expression of s i2 [index] in terms of s i0 or in the expression of s i2 [index + 1] in terms of s i1 will disappear.Given a certain assignment to some state bits of s i3 , if one could identify that some monomials must disappear, one could simplify the expression of s i2 [index] and the expression of s i2 [index + 1] by removing these monomials.After simplification, if all the two consecutive state bits in s i2 satisfy that either the expression of s i2 [index] must not contain the variable v 0 or the expression of s i2 [index + 1] must not contain the variable v 1 , v 0 is still said not to be next to v 1 in s i2 .How to find and identify such an assignment to affect the relation between v 0 and v 1 is what we will address in this paper.

TYPE-I Conditional Cube Tester
For the TYPE-I condition cube tester, we only choose two cube variables v 0 and v 1 , where v 0 and v 1 are set at s 0 and s 1 respectively.The condition is imposed on a certain bit s 0 [x], denoted by f (s 0 [x]) = 0, where f (s 0 [x]) is a linear expression in terms of s 0 [x], thus being either s 0 [x] or s 0 [x] ⊕ 1.Then, v 0 and v 1 should satisfy the following conditions: Condition 1: If f (s 0 [x]) = 0 holds, after one-round permutation for v 0 , v 0 will not be next to v 1 in s 1 .In this case, z 2 is linear in (v 0 , v 1 ).
Condition 2: If f (s 0 [x]) = 0 does not hold, after one-round permutation for v 0 , v 0 will be next to v 1 in s 1 and some bits of z 2 must contain the quadratic term v 0 v 1 .
An illustration for the TYPE-I condition cube tester is given in Figure 4.

TYPE-II Conditional Cube Tester
For the TYPE-II condition cube tester, we choose three cube variables v 0 , v 1 and v 2 , where v 0 and (v 1 , v 2 ) are set at s 0 and s 1 respectively.The condition is imposed on a certain bit Then, v 0 and (v 1 , v 2 ) should satisfy the following conditions: Condition 1: v 1 and v 2 are not next to each other in s 1 .
Condition 2: If f (s 0 [x]) = 0 holds, after one-round permutation for v 0 , v 0 will not be next to v 1 nor v 2 in s 1 .In this case, z 2 is linear in (v 0 , v 1 , v 2 ).Since the degree of the one-round permutation is 2, z 3 will not contain the term v 0 v 1 v 2 .
Condition 3: If f (s 0 [x]) = 0 does not hold, after one-round permutation for v 0 , v 0 will be next to v 1 in s 1 .In addition, after one more round permutation, z 3 must contain the cubic term v 0 v 1 v 2 .
An illustration for the TYPE-II condition cube tester is given in Figure 5.

TYPE-III Conditional Cube Tester
For the TYPE-III condition cube tester, we choose two cube variables v 0 and v 1 , where v 0 and v 1 are set at s 0 and s 2 respectively.The condition is imposed on a certain bit Then, v 0 and v 1 should satisfy the following conditions: Condition 1: If f (s 0 [x]) = 0 holds, after two-round permutation for v 0 , v 0 will not be next to v 1 in s 2 .In this case, z 3 will not contain the term v 0 v 1 .An illustration for the TYPE-III condition cube tester is given in Figure 6.

TYPE-IV Conditional Cube Tester
For the TYPE-IV condition cube tester, we choose two cube variables v 0 and v 1 , where v 0 and v 1 are set at s 0 and s 2 respectively.Different from the previous three types of conditional cube tester, the condition is imposed on a certain bit Then, v 0 and v 1 should satisfy the following conditions: ) = 0 holds, after two-round permutation for v 0 , v 0 will not be next to v 1 in s 2 .In this case, z 3 will not contain the term v 0 v 1 .
Condition 2: If f (s 1 [x]) = 0 does not hold, after two-round permutation for v 0 , v 0 will be next to v 1 in s 2 and some bits of z 3 must contain the term v 0 v 1 .
Condition 3: The value of f (s 1 [x]) will remain the same if v 0 takes different values.
The TYPE-IV conditional cube tester will allow us to recover more secret state bits.An illustration for the TYPE-IV condition cube tester is given in Figure 7.One can easily capture the difference between TYPE-III and TYPE-IV condition cube tester according to the illustrations.

Tracing Propagation of Cube Variables
Suppose a variable v is set at the input state bit s i [p].According to the definition of χ operation, there will be three bits containing the variable.We classify the bits into three types in a similar way as in [LCW19] in order to achieve better tracing.
• Core bit: The bit s i χ [p] is defined as the core bit since s i χ [p] will always contain the variable v.After ι, θ and π operations, it will propagate to three bit positions of s i+1 , which will be stored in the array CORE of size 3 (0 ≤ i ≤ 2).
• Zero-condition bit: The bit s i χ [p − 1] is defined as the zero-condition bit since will propagate to three bit positions of s i+1 , which will be stored in the array ZERO of size 3.
• One-condition bit: The bit s i χ [p − 2] is defined as the one-condition bit since s i χ [p − 2] will not contain the variable v if s i [p − 1] = 1.The variable v in s i χ [p − 2] will propagate to three bit positions of s i+1 , which will be stored in the array ONE of size 3.
For convenience, given a position p, we suppose CORE, ZERO and ONE can be computed as follows:

ONE = returnOne(p).
The three functions returnCore, returnZero and returnOne can be easily implemented by considering the effect of the linear layer of the round function of Subterranean 2.0.

Searching Cube Variables for TYPE-I Conditional Cube Tester
Using the above tracing algorithm, we can obtain CORE, ZERO and ONE by tracing the propagation of v 0 through the one-round permutation.Then we determine the compatible cube variable v 1 set at s 1 according to CORE, ZERO and ONE with Algorithm 6 in Appendix B. According to the result obtained from Algorithm 6, it is not sufficient to determine whether a candidate for v 1 is valid.The reason is that the attacker can only extract fixed 32-bit information z 2 of s 2 , where If the condition used to slow down the propagation of v 1 does not hold, then s 1 χ will contain the term v 0 v 1 .However, the attacker cannot ensure that the quadratic term v 0 v 1 will propagate to z 2 .In this case, z 2 is still linear in (v 0 , v 1 ).Therefore, for each candidate of v 1 , we have to make a further filtering.Suppose v 1 is set at one candidate bit position q and the zero-bit/one-bit bit of v 0 will propagate to s 1 [q − 1] (or s 1 [q + 1]).Then, we trace the propagation of a variable v q (which is quadratic) set in s 1 [q − 2] (or s 1 [q − 1]) with the above tracing method and obtain the array CORE .At last, we check whether there is an element CORE or where 0 ≤ j ≤ 31.If there is, the candidate bit position q is valid.In other words, if the predefined bit condition f (s 0 [x]) = 0 does not hold, at least one bit of z 2 will contain the quadratic term v 0 v 1 .If it holds, z 2 is linear in (v 0 , v 1 ).Thus, we can obtain an equation based on the cube sum of z 2 as follows: With this method to select cube variables, we can find 24 possible choices for (v 0 , v 1 ) and recover 24 secret bits of s 0 , as listed in Table 6 in Appendix B. To have a better understanding of this table, we give an explanation for one choice.Consider the parameter that v 0 is set at s 0 [2] and v 1 is set at s 1 [213].If the condition s 0 [3] = 0 does not hold, the cube sum of z 2 will be nonzero.Therefore, if we observe that the cube sum of z 2 is zero, we know that s 0 [3] = 0. Otherwise, s 0 [3] = 1.

Searching Cube Variables for TYPE-II Conditional Cube Tester
For TYPE-II conditional cube tester, the number of cube variables is 3. Therefore, when the secret bits cannot be recovered by TYPE-I, TYPE-III and TYPE-IV conditional cube tester, we will use it.Note that v 0 is set at s 0 .Similarly, we will obtain the candidate for v 1 set at s 1 .However, different from the TYPE-I conditional cube tester, we do not filter the case when v 0 v 1 does not appear at z 2 .We still trace the propagation of the quadratic term v 0 v 1 to the state s 2 and record the bit positions in s 2 which always contain the term v 0 v 1 .In addition, we also trace the propagation of v 2 set in s 1 to the state s 2 and record the bit positions in s 2 which always contain the term v 2 .We expect that after χ operation, there will always exist a cubic term v 0 v 1 v 2 in s 2 χ , which can be easily detected with the recorded bit positions for the propagation of v 0 v 1 and v 2 .Moreover, the cubic term will also always propagate to the output bits in z 3 .Therefore, we can construct a distinguisher as follows: If the predefined bit condition f (s 0 [x]) = 0 does not hold, at least one bit of z 3 will contain the cubic term v 0 v 1 v 2 .If it holds, s 2 is linear in (v 0 , v 1 , v 2 ) and z 3 will obviously not contain the cubic term v 0 v 1 v 2 .Thus, we can obtain an equation based on the cube sum of z 3 as follows: In this case, we have 2 choices for (v 0 , v 1 , v 2 ) and can recover 2 secret bits of s 0 , as listed in Table 7 in Appendix B. The explanation for this table is the same as that for Table 6.

Searching Cube Variables for TYPE-III Conditional Cube Tester
For the TYPE-III conditional cube tester, the number of cube variables is two.The cube variables (v 0 , v 1 ) are set at s 0 and s 2 respectively.Similarly, we first obtain three kinds of bit positions in s 1 which will contain the variable v 0 and record them in the array CORE, ZERO and ONE respectively.
Then, we define three new arrays COREAll, ZEROAll and ONEAll, which can be computed as follows: The function obtainAll can be referred to Algorithm 3.
Note that ZEROAll and ONEAll will contain all possible influenced bit positions.However, the information provided by COREAll, ZEROAll and ONEAll is still not sufficient to help determine a candidate position for v 1 .The reason is that some bits of s 1 will influence the propagation of the variables located at ZERO and ONE of s 1 .Therefore, to find out which bits of s 2 will always contain the variable propagating from the bit positions ZERO (or ONE) of s 1 , we define two extra arrays ZEROCore and ONECore and compute them as follows: obtainCore(ZERO, ZEROCore), obtainCore(ONE, ONECore).The function obtainN ext can be referred to Algorithm 5. Specifically, these five new arrays are used to store which bits in IN will be next to the elements in COREAll, ZEROAll, ONEAll, ZEROCore and ONECore respectively.
At last, we can determine a candidate bit position in s 2 for v 1 .The bit position q (q ∈ IN ) can be viewed as a candidate only if it satisfies the following condition: A valid bit position p for v 1 should satisfy one more condition.For example, suppose p − 1 ∈ ZEROCore (or p + 1 ∈ ZEROCore).Then at least one bit of z 3 must contain the term s 2 [p]s 2 [p − 1] (or s 2 [p]s 2 [p + 1]).In other words, if the propagation of v 0 is not prevented by a condition, a quadratic term v 0 v 1 will always appear at the expression of s 3 .However, if such a propagation is prevented, s 3 is linear in (v 0 , v 1 ).Therefore, we can construct a distinguisher as follows: If the predefined bit condition f (s 0 [x]) = 0 does not hold, at least one bit of z 3 will contain the quadratic term v 0 v 1 .If it holds, s 2 is linear in (v 0 , v 1 ) and z 3 will obviously not contain the quadratic term v 0 v 1 .Thus, we can obtain an equation based on the cube sum of z 3 as follows: In total, we have 27 possible choices for (v 0 , v 1 ) and can recover 27 secret bits of s 0 , as listed in Table 8 in Appendix B. The explanation for this table is the same as that for Table 6.

Searching Cube Variables for TYPE-IV Conditional Cube Tester
For the TYPE-IV conditional cube tester, the number of cube variables is two.The cube variables (v 0 , v 1 ) are set at s 0 and s 2 respectively.Similarly, we first obtain three kinds of bit positions in s 1 which will contain the variable v 0 and record them in the array CORE, ZERO and ONE respectively.
Next, for the three bit positions in CORE, we trace their propagation one by one and record all the possible bit positions of s 2 that will contain the variables propagating from CORE[0], CORE[1] and CORE[2] of s 1 in CORE0, CORE1 and CORE2, respectively.Formally,
Then, we introduce two extra arrays ZEROAll and ONEAll and compute them as follows: obtainAll(ZERO, ZEROAll), obtainAll(ONE, ONEAll).Based on the newly defined 14 arrays, we can determine a candidate position denoted by p for v 1 in s 2 .The value of p has to satisfy one of the 6 conditions as listed in Table 3.It can be easily observed that any of the 6 conditions is used to ensure that only one bit condition on s 1 will determine whether v 0 will be next to v 1 , which is irrelevant to the conditions on s 0 since we consider candidates from the propagation of core bits.Similar to previous three types of conditional cube tester, we have to further verify whether the quadratic term will appear in z 3 if the specified condition does not hold.Only then can we finally determine the position for p.
With such a searching method, we can recover extra 43 secret bits of s 1 .The parameters for TYPE-IV conditional cube tester are given in Table 9 in Appendix B. We give an explanation here.Take the first choice for instance.The cube variable v 0 is set at s 0 [1] and v 1 is set at s 2 [190].Note that flipping s 0 [1] will have no influence on the value of s 1 [213].If the condition that s 1 [213] = 1 does not hold, then the cube sum of z 3 must be nonzero.If it holds, the cube sum must be zero.Thus, we can recover s 1 [213] as follows based on the cube sum of z 3 .
Note that for each parameter set in Table 9, only the bits set to variables in s 0 are allowed to take different values from that of the to-be-recovered s 0 when using TYPE-IV conditional cube tester, although the attacker can control 32 bits of the to-be-recovered s 0 .

Experimental Verification
We have implemented the four types of conditional cube tester and can successfully recover the 24 + 2 + 27 = 53 secret state bits of s 0 and 43 secret bits of s 1 .In each test, we will randomly generate 100000 examples of (s 0 , s 1 ).Our experiments show that the 96 secret bits can always be correctly recovered for the 100000 random examples.Observe that by continuously performing the four types of conditional cube tester, i.e. continuously treating (s i , s i+1 ) as secret states, we can always recover 53 secret state bits of s i and 43 secret bits of s i+1 .In other words, we can recover in total 53 + 43 = 96 secret bits of s i (i ≥ 1).

Recovering the Full State
Based on the above method, 96 bits of the secret state s 1 can be recovered.Note that we can also extract 32-bit information z 1 = extract(s 1 ), where Since some bits s 1 [IN[j]] and s 1 [EX[j]] (0 ≤ j ≤ 31) are known, we can recover in total 111 bits of s 1 .Moreover, we know extra 32 − 16 = 16 linear equations of the secret state s 1 .The recovered 111 secret bits are listed in Table 4, as marked in red.Recovering the 111 secret bits requires 24 × 2 2 + 2 × 2 3 + 27 × 2 2 + 43 × 2 2 = 392 encryption queries.Now, we describe how to recover the full state.Set the nonce N and the associated data A as constants.Randomly choose a message longer than 128 bits denoted by M .The procedure to recover some secret state bits is described as below.
1. Send an encryption query (N, A, M ) and obtain (C, T ).Our goal is to recover the secret state (M S in 1 , M S in 2 , M S in 3 ) in this query, as shown in Figure 2. 2. The first phase is to recover some bits of M S in 1 using TYPE-IV conditional cube tester.At this phase, we treat M S in 0 , M S in 1 and M S in 2 as s 0 , s 1 and s 2 respectively.Based on the parameters of the parameters for TYPE-IV conditional cube tester in Table 9, we can recover 43 secret bits of M S in 1 .3. The second phase is to recover some bits of M S in 1 and M S in 2 .At this phase, when asking an encryption query, the first message block has to be kept the same with that in the very first query.Then, we treat M S in 1 , M S in 2 and M S in 3 as s 0 , s 1 and s 2 respectively.Based on the four types of conditional cube tester and their corresponding parameters in Table 6, Table 7, Table 8 and Table 9, we can recover 53 extra secret bits of M S in 1 and 43 secret bits of M S in 2 .4. The third phase is to recover some bits of M S in 2 and M S in 3 .At this phase, when asking an encryption query, the first two message blocks have to be kept the same with those in the very first query.Then, we treat M S in 2 , M S in 3 and M S in 4 as s 0 , s 1 and s 2 respectively.Using the four types of conditional cube tester, we can recover 53 extra secret bits of M S in 2 and 43 secret bits of M S in 3 .5. The forth phase is to recover some more bits of M S in 3 .At this phase, when asking an encryption query, the first three message blocks have to be kept the same with those in the very first query.Then, we treat M S in 3 , M S in 4 and M S in 5 as s 0 , s 1 and s 2 respectively.Based on the first three types of conditional cube tester, 53 extra secret bits of M S in 3 can be recovered.After the above procedure, we know 111 secret bits and 16 linear equations of M S in 1 , M S in 2 and M S in 3 , respectively.Such a phase will require 3 × (24 × 2 2 + 2 × 2 3 + 27 × 2 2 + 43 × 2 2 ) = 1176 encryption queries with about 2 13 32-bit message blocks.The recovered 111 bit positions are listed in Table 4, as marked in red.

Computing the Remaining Unknown Secret Bits of M S in 1
Based on the above method, we can collect sufficient leaked bit information of M S in 1 , M S in 2 and M S in 3 .Now we explain how to use this leaked information to recover the full state.The main idea is to construct a quadratic Boolean equation system which can be efficiently solved with the method of change of variables.
Since we already know 111 bits of M S in 1 , there will be 257 − 111 = 146 unknown secret state bits, which can be treated as 146 unknown variables.Moreover, since the algebraic degree of the one-round permutation is only 2, we know that the 111 recovered bits of M S in 2 are quadratic in the 146 unknown variables.In addition, since 111 bits of M S in 2 are known, we know that some of the 111 bits of M S in 3 will be linear in M S in 2 and also quadratic in the 146 unknown variables.The reason is that s i χ [k − 1] and s i χ [k − 2] will be linear in s i if s i [k] is known.We write the expressions of the known bits of s i+1 quadratic in the 146 unknown variables when the 111 bits of s i are recovered for a better understanding.Details are given in Appendix A. In total, extra 51 Boolean equations can be obtained, where the terms on the right side will be quadratic in the 146 unknown variables, which can be easily verified according to Table 4. Now we describe how practical it is to recover the remaining 146 unknown secret bits of M S in 1 .We guess 16 secret bits among the 146 unknown variables as follows, which are marked in blue in Table 4. 7,9,25,27,51,53,55,57,73,75,114,116,118,123,125,151 In this way, after one-round permutation, there are at most 54 possible quadratic terms formed by the remaining 146 − 16 = 130 unknown variables.By replacing the 54 possible quadratic terms with 54 new variables, we can view the 130 unknown variables as 54 + 130 = 184 variables.Note that we know 16 extra linear equations of M S in 1 , 111 bits of M S in 2 , 16 extra linear equations of M S in 2 and 51 quadratic equations in terms of the unknown (not-guessed) variables based on the recovered state bits of M S in 3 .Thus, we can in total construct 16 + 111 + 16 + 51 = 194 linear equations in terms of the new 184 variables.As a result, each guessed value of 16 secret state bits will suggest only one solution for the full state.We can check each solution by computing the corresponding ciphertext and tag with the full state and compare it with the pre-obtained value.Only the correct value of the full state will remain.Thus, the time complexity to recover the full state is upper bounded by 2 16 , which is very practical.The reason to make the number of equations larger than the number of variables is to avoid the case when there are some unexpected linearly dependent equations.

Recovering the Secret Key
After the full secret state is recovered, we can compute backward until the state after K 3 is absorbed, denoted by KS in 3 , as shown in Figure 9.In other words, we know 257 − 32 = 225 bits of KS in 3 .Then, we can guess the 32-bit K 0 and 3 bits of K 1 that are injected at bit positions (2, 136, 189).In this way, we know that the state after K 2 is absorbed is linear in the remaining 29 secret bits of K 1 and the 32-bit K 2 , thus making the 225 known bits of KS in 3 quadratic in these 29 + 32 = 61 variables.By computing the propagation of the 29 bits of K 1 for one-round permutation, we can easily count the quadratic terms formed by 61 secret variables and find that there are at most 125 + 3 = 128 possible quadratic terms.Thus, by replacing these 128 quadratic terms with 128 new variables, we know that the 225 known bits of KS in 3 will be linear in the 128 + 61 = 189 variables.In other words, we can construct an equation system of size 225 in terms of 189 variables.Only the right guess for the 32 + 3 = 35 key bits will make this equation system have a solution.After the solution for (K 0 , K 1 , K 2 ) is obtained, combining with the recovered full state, we can compute the 32-bit K 3 and recover the full key.Hence, after the full state is recovered, the time complexity to recover the secret key is 2 35 .

Distinguisher for 4-Blank-Round Subterranean-SAE
Similar to the full-state recovery attack, we consider an equivalent representation of the state transform as depicted in Figure 3. Suppose we are able to control 32 bits of s 0 and s 1 .Moreover, only z i (i ≥ 7) can be collected by the attacker.Now, we show how to construct a cube tester by setting cube variables at s 0 and s 1 .
Condition 2: After one more round permutation for v 0 j (0 ≤ j ≤ 3), none of them are next to any of v 1 i (0 ≤ i ≤ 28) in s 1 .Moreover, v 0 j (0 ≤ j ≤ 3) are still not next to each other in s 1 .In other words, if we set five cube variables in s 0 [i] (i ∈ {3, 137, 189, 190, 223}), after one-round permutation, none of them will propagate to the positions which are next to the 32 controllable bit positions in s 1 and they will not be next to each other either.Of course, the bit positions 189 and 190 cannot be chosen simultaneously.Moreover, we also observe that if s 1 [136] is set to a constant, then a cube variable set in s 0 [111] will not propagate to the positions which are next the remaining 31 controllable bit positions in s 1 nor next to the above five cube variables.Note that our goal is to select only 4 positions in s 0 for v 0 i (0 ≤ j ≤ 3).Thus, we can easily find a solution, as displayed in Table 5.Our experiments have shown that the analysis is correct.
With the 33 cube variables in Table 5, s 2 will be linear in them.Since the degree of one permutation round is 2, the cube sum of z 7 will always be zero.Now we describe how to construct a distinguisher for Subterranean-SAE when the number of blank rounds is reduced to 4.
Step 1: Set associated data empty and the first message block M 0 as a constant.
Step 2: Treat N 2 , N 3 as s 0 , s 1 respectively.When the number of blank rounds is reduced to 4, we can treat the ciphertext block C 0 as z 7 , as shown in Figure 8.According to Table 5, send 2 33 encryption queries (N, A, M ) with N taking all possible 2 33 values and compute the sum of C 0 .The sum will always be zero.

Complexity Evaluation
Since we need to send 2 33 encryption queries (N, A, M ) with different N , the data and time complexity are both 2 33 .

Key-Recovery for 4-Blank-Round Subterranean-SAE
When the number of blank rounds is reduced to 4, a key-recovery attack will be feasible.
The attack procedure can be divided into two steps on the whole.
Step 1: With a similar idea of the full-state recovery attack, recover some secret bits of the state after N 1 is absorbed.
Step 2: Guess some secret key bits and keep the remaining secret key bits as variables.
Combining with the recovered secret state bits, construct equation system in terms of these variables and solve it.Each solution will correspond to the full key.
To make this part clear, similar to the distinguishing attack, we first consider an equivalent representation of the state transform.In our distinguishing attack, the cube sum is always zero, which cannot help recover extra secret information.Thus, we hope the cube sum will depend on the value of one secret state bit as in the full-state recovery attack.Then, according to the cube sum, we can directly obtain one secret state bit.
While the cube variables are set at s 0 and s 1 and the attacker can only get z i (i ≥ 7) in the distinguishing attack, we will set cube variables at s i (0 ≤ i ≤ 2) and suppose the attacker can only get z i (i ≥ 8) in the key-recovery attack.The main idea can be briefly described as follows: 1. Set 32 cube variables in s 2 , denoted by ] where 0 ≤ j < 33 − n and r ∈ {k|0 ≤ k ≤ 31}.Suppose f (s 0 [x]) represents either s 0 [x] or s 0 [x] ⊕ 1.There will be some conditions on v 0 and v 1 as follows: Condition 1: v 0 are not next to each other in s 0 .After one-round permutation for v 0 , they still will not be next to each other in s 1 .
Condition 2: v 1 are not next to each other in s 1 .
Condition 3: If the specified bit condition f (s 0 [x]) = 0 holds, after one-round permutation for v 0 , none of v 0 will be next to any of v 1 in s 1 .
Condition 4: If the specified bit condition f (s 0 [x]) = 0 does not hold, after one-round permutation for v 0 , v 0 will be next to at least one of v 1 in s 1 .
With the above conditions, we know that s 2 will be linear in (v 0 , v 1 ) if f (s 0 [x]) = 0 holds.Observe that the algebraic degree of z 8 is at most 2 6 = 64 in terms of s 2 and there are extra 32 cube variables in s 2 .Hence, if f (s 0 [x]) = 0 holds, the degree-65 term v 0 v 1 v 2 will not appear in the expression of z 8 and the cube sum of z 8 will be zero.
However, when the condition does not hold, s 2 will contain a quadratic term.Then, the degree-65 term v 0 v 1 v 2 is expected to appear in the expression of z 8 due to the sufficient diffusion for the cube variables.For this case, the cube sum of z 8 cannot be predicted.
Consequently, according to the cube sum, we can directly recover the one secret bit s 0 [x] as in the full-state recovery attack.Combining the methods to select cube variables for full-state recovery attack and distinguishing attack, we can find 22 valid choices for (v 0 , v 1 ) and therefore recover 22 secret bits of s 0 , as listed in Table 10 and Table 11 in Appendix B. For a better understanding of the two tables, we take the first choice in Table 10 for instance and give an explanation.10 to recover the secret state s 0 [2], the cube variables v 0 are set at 6 bit positions of s 0 and v 1 are set at 27 bit positions of s 1 .Specifically, Once the condition s 0 [2] = 0 holds, the cube sum of z 8 is zero.However, when s 0 [2] = 0, three bits of s 2 will always contain a quadratic term v 0 0 v 1 0 .Moreover, similar to the full-state recovery attack, we have verified that there will always be a cubic term in a certain bit of s 3 .Since there are 65 cube variables and sufficient number of rounds to diffuse v 0 , v 1 and v 2 , we expect there will be a degree-65 term in z 8 .Therefore, based on the cube sum of z 8 , we directly recover the secret state bit s 0 [2] as follows: Now, we describe how to use the above method to recover the secret state after N 1 is absorbed.Set the associated data A as empty and the first message block M 0 as a zero constant.Denote the state after N i is absorbed as N S in i , as depicted in Figure 9.The attack procedure can be described as follows: Step 1: Send an encryption query (N, A, M ) and obtain (C, T ).
Step 2: Keep M 0 and N 0 constant.Treat N S in 1 , N S in 2 and N S in 3 as s 0 , s 1 and s 2 respectively.For each choice of the 65 cube variables in Table 10 and Table 11, send 2 65 encryption queries (N, A, M ) with N taking all possible 2 65 values and compute the sum of C 0 .If the sum is zero, the corresponding condition will hold.If it is not zero, the condition will not hold.Whatever the sum is, we can recover one secret bit of N S ot 0 .The time and data complexity to recover the 22 secret bits of N S ot 0 are both 22 × 2 65 = 2 69.5 .
After recovering the 22 secret bits of N S ot 0 , we will start to construct 22 equations.Suppose K 0 , K 1 and K 2 are fixed, we then use a trivial MILP-based method to find the maximum number of variables in K 3 which are still linear after two-round permutation and the Gurobi solver returns 9.The 9 positions are listed below: 11, 35, 70, 95, 140, 165, 190, 213, 241.In other words, if we fix the remaining 32 − 9 = 23 bits of K 3 as constants, N S in 0 will be linear in these 9 secret bits.Since N S ot 0 is quadratic in N S in 0 , we cannot construct a linear equation system.Guessing 3 more bits among the 9 secret bits will reduce the number of variables to 6. Therefore, there will be 6 × (6 − 1)/2 = 15 quadratic terms.By replacing the 15 quadratic terms with 15 new variables, we can now know that N S ot 0 is linear in the 6 + 15 = 21 variables.Since 22 bits of N S ot 0 have been recovered, we can construct 22 linear equations in terms of 21 variables.It is expected that there is only one solution for each guess of K i (0 ≤ i ≤ 3).For each solution, we compute the tag T and the corresponding ciphertext C .Only when T = T and C = C will imply that the recovered key is correct.

Complexity Evaluation
The key-recovery attack is divided into two steps.The first step is to recover 22 secret state bits.The time complexity and data complexity at this step is 22 × 2 65 ≈ 2 69.5 .After the 22 secret bits are recovered, we will start the second step.At this step, we will guess 122 bits of the secret key and let the remaining 6 key bits keep as variables.For each guess of the 122 secret key bits, we can construct a linear equation system of size 22 to compute the 6 unknown key bits with Gauss elimination.The time to solve this equation system is negligible.Moreover, we expect there is only one solution for this linear equation system.After the 6 unknown key bits are computed, the key is known and we can compute the ciphertext and tag computed based on this key and compare it with the pre-obtained ciphertext and tag.The probability that they match with each other is lower than 2 −128 .Therefore, only the correct key will remain and the time complexity of the second step is 2 122 .In total, the time complexity and data complexity of key-recovery attack are 2 122 and 2 69.5 , respectively.

Conclusion
The designers of Subterranean 2.0 expect that it may require a non-trivial effort to mount a full-state recovery attack for Subterranean-SAE in the nonce-misuse scenario.Following this expectation, we make the first effort to achieve it with a practical time complexity and data complexity 2 13 .To investigate the security provided by the number of blank rounds, we consider the reduced variant of Subterranean-SAE by reducing the number of blank rounds to 4 from 8. For such a variant, a distinguishing attack can be achieved with time and data complexity 2 33 .The key-recovery attack with time complexity 2 122 and data complexity 2 69.5 is also faster than brute force for this variant.We hope our cryptanalysis can advance the understanding of Subterranean-SAE.

A Extra Quadratic Boolean Equations
We present the extra 51 equations in this section.

B Tables and Algorithm
We present some tables and the algorithm in this section.

Figure 2 :
Figure 2: Processing the message

Figure 4 :
Figure 4: Illustration of TYPE-I conditional cube tester

Figure 5 :
Figure 5: Illustration of TYPE-II conditional cube tester

Table 1 :
The analytical results of Subterranean-SAE.The time complexity represents the required number of calls to the internal permutation of Subterranean-SAE.The data complexity represents the required number of 32-bit blocks.The associated data are all set to empty in the three attacks.
Cube testers were first proposed by Aumasson et al. at FSE 2009 [ADMS09] after Dinur et al. introduced the cube attack at Eurocrypt 2009 [DS09].Different from standard cube attack, which aims at key extraction, a cube tester performs non-randomness detections.

Table 2 :
The details of IN and EX

Table 3 :
Conditions to determine a candidate position

Table 4 :
Information of known bits, secret bits and guessed bits, where the known bits are marked in red, the guessed bits are marked in blue, and the secret bits are marked in black.

Table 5 :
Cube variables for cube tester Bit positions in s 0 30, 111, 137, 223 ) Moreover, we write the expressions for extra two output bits.

Table 6 :
Parameters for TYPE-I conditional cube tester

Table 7 :
Parameters for TYPE-II conditional cube tester