# Integral Attacks on Round-Reduced Bel-T-256

## Abstract

Bel-T is the national block cipher encryption standard of the Republic of Belarus. It has a 128-bit block size and a variable key length of 128, 192 or 256 bits. Bel-T combines a Feistel network with a Lai-Massey scheme to build a complex round function with 7 S-box layers per round then iterate this round function 8 times to construct the whole cipher. In this paper, we present integral attacks against Bel-T-256 using the propagation of the bit-based division property. Firstly, we propose two 2-round integral characteristics by employing a Mixed Integer Linear Programming (MILP) (Our open source code to generate the MILP model can be downloaded from https://github.com/mhgharieb/Bel-T-256) approach to propagate the division property through the round function. Then, we utilize these integral characteristics to attack 3\(\frac{2}{7}\) rounds (out of 8) Bel-T-256 with data and time complexities of \(2^{13}\) chosen plaintexts and \(2^{199.33}\) encryption operations, respectively. We also present an attack against 3\(\frac{6}{7}\) rounds with data and time complexities of \(2^{33}\) chosen plaintexts and \(2^{254.61}\) encryption operations, respectively. To the best of our knowledge, these attacks are the first published theoretical attacks against the cipher in the single-key model.

## Keywords

Bel-T Integral attacks Bit-based division property MILP## Supplementary material

## References

- 1.Preliminary state standard of republic of belarus (stbp 34.101.312011) (2011). http://apmi.bsu.by/assets/files/std/belt-spec27.pdf
- 2.Abdelkhalek, A., Tolba, M., Youssef, A.M.: Related-key differential attack on round-reduced Bel-T-256. IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
**101**(5), 859–862 (2018)CrossRefGoogle Scholar - 3.Beaulieu, R., Treatman-Clark, S., Shors, D., Weeks, B., Smith, J., Wingers, L.: The SIMON and SPECK lightweight block ciphers. In: 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC), pp. 1–6. IEEE (2015)Google Scholar
- 4.Daemen, J., Knudsen, L., Rijmen, V.: The block cipher square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052343CrossRefGoogle Scholar
- 5.Feistel, H., Notz, W.A., Smith, J.L.: Some cryptographic techniques for machine-to-machine data communications. Proc. IEEE
**63**(11), 1545–1554 (1975)CrossRefGoogle Scholar - 6.Jovanovic, P., Polian, I.: Fault-based attacks on the Bel-T block cipher family. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, pp. 601–604. EDA Consortium (2015)Google Scholar
- 7.Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45661-9_9CrossRefGoogle Scholar
- 8.Lai, X., Massey, J.L.: A proposal for a new block encryption standard. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 389–404. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46877-3_35CrossRefGoogle Scholar
- 9.Sun, L., Wang, M.: Toward a further understanding of bit-based division property. Sci. China Inf. Sci.
**60**(12), 128101 (2017)MathSciNetCrossRefGoogle Scholar - 10.Sun, L., Wang, W., Liu, R., Wang, M.: MILP-aided bit-based division property for ARX-based block cipher. Cryptology ePrint Archive, report 2016/1101 (2016). https://eprint.iacr.org/2016/1101
- 11.Sun, L., Wang, W., Wang, M.: MILP-aided bit-based division property for primitives with non-bit-permutation linear layers. Cryptology ePrint Archive, report 2016/811 (2016). https://eprint.iacr.org/2016/811
- 12.Sun, L., Wang, W., Wang, M.: Automatic search of bit-based division property for ARX ciphers and word-based division property. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 128–157. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_5CrossRefGoogle Scholar
- 13.Sun, S., et al.: Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties (2014). https://eprint.iacr.org/2014/747
- 14.Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_12CrossRefGoogle Scholar
- 15.Todo, Y.: Integral cryptanalysis on full MISTY1. J. Cryptol.
**30**(3), 920–959 (2017)MathSciNetCrossRefGoogle Scholar - 16.Todo, Y., Morii, M.: Bit-based division property and application to Simon family. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_18CrossRefGoogle Scholar
- 17.Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_24CrossRefGoogle Scholar