An algebraic approach to symmetric linear layers in cryptographic primitives

Subterranean 2.0 is a permutation-based cipher suite which works with a 257 bit-state. It is designed for lightweight cryptography, and it scores very well with respect to energy consumption. Its security has been investigated by the designers against well-known attack vectors. A possible point of concern is the relatively low order of its linear layer, which equals 256. In the past, such properties have been exploited by invariant subspace attacks. We define linear mappings with a similar structure as the linear layer of Subterranean as SC-compositions. In this work, we explore finding SC-compositions with a higher order than 256. We rely on concepts from abstract algebra and number theory to understand the relation between the order and the bit-states of SC-compositions. Using a 257 bit-state as done in Subterranean is an unfortunate choice for designing such SC-compositions with a high order. We present two examples with different bit-states, each having a significantly higher order than 256.