Security analysis of Subterranean 2.0

Song, Ling; Tu, Yi; Shi, Danping; Hu, Lei

doi:10.1007/s10623-021-00892-6

Cited by 4 publications

(2 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Related work. We conclude by briefly discussing the relation of our work with the one recently proposed by Song et al in [STSH21]. First of all, in there, authors propose several attacks on different primitives of Subterranean based on one-round differentials, on the contrary, we investigated 8 rounds of Subterranean.…”

Section: Generating All Input Differences Of χ Given Its Output Diffe...mentioning

confidence: 77%

“…Besides this, in [STSH21], authors pointed out that the χ function in Subterranean can be re-written as the non-linear layer of SIMON [BSS + 13], a family of lightweight block ciphers proposed by Beaulieu et al Its round function contains (x ≪ α) • (x ≪ β) + (x ≪ γ), where x ≪ i indicates the cyclic left shift over i bits, while the χ function in Subterranean can be re-written as x + (x ≫ 1) • (x ≫ 2) + (x ≫ 2) where x ≫ i indicates the cyclic right shift over i bits. This suggests that the techniques for searching differential trails of SIMON can be potentially applied to Subterranean as well.…”

Section: Generating All Input Differences Of χ Given Its Output Diffe...mentioning

confidence: 84%

See 1 more Smart Citation

Differential Trail Search in Cryptographic Primitives with Big-Circle Chi:

Mehrdad

Mella

Grassi

et al. 2022

ToSC

View full text Add to dashboard Cite

Proving upper bounds for the expected differential probability (DP) of differential trails is a standard requirement when proposing a new symmetric primitive. In the case of cryptographic primitives with a bit-oriented round function, such as Keccak, Xoodoo and Subterranean, computer assistance is required in order to prove strong upper bounds on the probability of differential trails. The techniques described in the literature make use of the fact that the non-linear step of the round function is an S-box layer. In the case of Keccak and Xoodoo, the S-boxes are instances of the chi mapping operating on l-bit circles with l equal to 5 and 3 respectively. In that case the differential propagation properties of the non-linear layer can be evaluated efficiently by the use of pre-computed difference distribution tables.Subterranean 2.0 is a recently proposed cipher suite that has exceptionally good energy-efficiency when implemented in hardware (ASIC and FPGA). The non-linear step of its round function is also based on the chi mapping, but operating on an l = 257-bit circle, comprising all the state bits. This making the brute-force approach proposed and used for Keccak and Xoodoo infeasible to apply. Difference propagation through the chi mapping from input to output can be treated using linear algebra thanks to the fact that chi has algebraic degree 2. However, difference propagation from output to input is problematic for big-circle chi. In this paper, we tackle this problem, and present new techniques for the analysis of difference propagation for big-circle chi.We implemented these techniques in a dedicated program to perform differential trail search in Subterranean. Thanks to this, we confirm the maximum DP of 3-round trails found by the designers, we determine the maximum DP of 4-round trails and we improve the upper bounds for the DP of trails over 5, 6, 7 and 8 rounds.

show abstract

Section: Generating All Input Differences Of χ Given Its Output Diffe...mentioning

confidence: 77%

Section: Generating All Input Differences Of χ Given Its Output Diffe...mentioning

confidence: 84%