The Subterranean 2.0 Cipher Suite

Subterranean 2.0 can be used for hashing, MAC computation, stream encryption and several types of session authenticated encryption schemes. At its core it has a duplex object with a 257-bit state and a lightweight single-round permutation. This makes Subterranean 2.0 very well suited for low-area and low-energy implementations in dedicated hardware. We have submitted Subterranean 2.0 to the NIST Lightweight Cryptography Competition and it has passed to the 2nd round.
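To make the "duplex object plus single-round permutation" idea concrete, here is an added Python example (not the Subterranean team's reference code) showing how one duplex object yields both an unkeyed XOF and a keyed stream mode. The round function (chi, iota, theta, pi), the injection/extraction positions (powers of 124 mod 257), the 32-bit block width and the 8 blank calls follow my recollection of the specification and are assumptions; they are not verified against the official test vectors, so treat the code as an illustration of the construction rather than as a compatible implementation.

```python
"""Duplex object in the style of Subterranean 2.0: a 257-bit state driven by a
single-round permutation, from which hashing and keyed stream encryption are
derived. Added teaching example, not the reference code. The round function,
the positions (powers of 124 mod 257), the 32-bit block width and the 8 blank
calls are ASSUMPTIONS from recollection of the spec; check them against the
official reference before relying on them."""

STATE_BITS = 257            # state size stated on the page
BLOCK_BITS = 32             # assumed block width per duplex call
BLANK_CALLS = 8             # nominal number of blank rounds mentioned on the page

# Assumed injection positions 124^j (j = 0..32) and extraction pairs (124^j, -124^j).
# 124 has order 128 mod 257, so all these positions are distinct.
INJECT_POS = [pow(124, j, STATE_BITS) for j in range(BLOCK_BITS + 1)]
EXTRACT_POS = [(pow(124, j, STATE_BITS), -pow(124, j, STATE_BITS) % STATE_BITS)
               for j in range(1, BLOCK_BITS + 1)]


def round_function(s):
    """One round R = pi o theta o iota o chi on a list of 257 bits (assumed spec)."""
    n = STATE_BITS
    s = [s[i] ^ ((s[(i + 1) % n] ^ 1) & s[(i + 2) % n]) for i in range(n)]  # chi
    s[0] ^= 1                                                               # iota
    s = [s[i] ^ s[(i + 3) % n] ^ s[(i + 8) % n] for i in range(n)]          # theta
    return [s[(12 * i) % n] for i in range(n)]                              # pi


def bytes_to_bits(data):
    """LSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; len(bits) must be a multiple of 8."""
    return bytes(sum(bits[i + k] << k for k in range(8)) for i in range(0, len(bits), 8))


class Duplex:
    """Minimal duplex object: every call permutes once, then injects a padded block."""

    def __init__(self):
        self.s = [0] * STATE_BITS

    def duplex(self, bits=()):
        """Absorb up to 32 bits; 10* padding brings the block to 33 bits."""
        bits = list(bits)
        assert len(bits) <= BLOCK_BITS
        sigma = bits + [1] + [0] * (BLOCK_BITS - len(bits))
        self.s = round_function(self.s)
        for pos, bit in zip(INJECT_POS, sigma):
            self.s[pos] ^= bit

    def extract(self):
        """Read 32 output bits, each the XOR of two state bits."""
        return [self.s[a] ^ self.s[b] for a, b in EXTRACT_POS]

    def absorb_bytes(self, data):
        """Absorb data in 32-bit blocks; the final (possibly empty) block is partial,
        so the padding bit always lands and messages of different length separate."""
        bits = bytes_to_bits(data)
        for i in range(0, len(bits) + 1, BLOCK_BITS):   # +1 forces a last partial block
            self.duplex(bits[i:i + BLOCK_BITS])

    def squeeze_bytes(self, n_bytes):
        """Alternate extract and blank duplex calls until enough output is produced."""
        out = []
        while len(out) < n_bytes * 8:
            out += self.extract()
            self.duplex()
        return bits_to_bytes(out[:n_bytes * 8])


def xof_digest(msg, n_bytes=32):
    """Unkeyed hashing: absorb, blank calls, squeeze."""
    d = Duplex()
    d.absorb_bytes(msg)
    for _ in range(BLANK_CALLS):
        d.duplex()
    return d.squeeze_bytes(n_bytes)


def stream_xor(key, nonce, data):
    """Keyed stream mode: absorb key and nonce, blank calls, XOR keystream with data.
    The same call decrypts; a repeated (key, nonce) pair repeats the keystream."""
    d = Duplex()
    d.absorb_bytes(key)
    d.absorb_bytes(nonce)
    for _ in range(BLANK_CALLS):
        d.duplex()
    ks = d.squeeze_bytes(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    print(xof_digest(b"abc").hex())
    ct = stream_xor(b"k" * 16, b"n" * 16, b"hello duplex")
    print(ct.hex(), stream_xor(b"k" * 16, b"n" * 16, ct))
```

The design point worth noticing is that hashing, keystream generation and (with a tag squeezed at the end) MAC all reuse one object and one permutation call per block; the blank calls between absorbing and squeezing are what the cube attack listed below targets when their number is reduced.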



Third-party cryptanalysis

Here we list published cryptanalysis of Subterranean performed by third parties. At this moment there is a single paper.

Cube-Based Cryptanalysis of Subterranean-SAE


Fukang Liu, Takanori Isobe and Willi Meier

Keywords: modes: hashing, design, security reduction proofs: indifferentiability

The authors present a full-state recovery attack in a nonce-misuse scenario with data complexity of about 33 Kbytes. In a nonce-respecting scenario and if the number of blank rounds is reduced from the nominal 8 to 4, they do a key-recovery attack with computational complexity 2^122 round function calls and data complexity 2^71.5 bytes.

Get the paper and bibtex from ToSC

Third-party implementations

Here we list implementations made by third parties.

Subterranean for 8-bit AVR microcontrollers and 32-bit microcontrollers


Rhys Weatherley

The author presents an optimized implementation of most NIST lightweight competition submissions for 32-bit microcontroller platforms, such as ESP32, and 8-bit AVR microcontrollers. The implementations are more than 2 times faster on those platforms than the reference code.

Source code on the author's GitHub


Last modified: June 16, 2020