Related-Key Differential Attack on Round-Reduced Bel-T-256


IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E101-A   No.5   pp.859-862
Publication Date: 2018/05/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.E101.A.859
Type of Manuscript: LETTER
Category: Cryptography and Information Security
related-key,  differential cryptanalysis,  Bel-T,  

Full Text: PDF(564.5KB)
>>Buy this Article

Bel-T is the national block cipher encryption standard of the Republic of Belarus. It operates on 128-bit blocks and uses either 128, 192 or 256-bit keys. Bel-T combines a Feistel network with a Lai-Massey scheme and it has a complex round function with 7 S-box layers. In this work, we use a Mixed Integer Linear Programming (MILP) approach to find a a related-key differential characteristic that extends for 4 rounds and 5 S-box layers ($4 rac{5}{7}$ rounds) with probability higher than 2-128. To build an MILP model of Bel-T that a solver can practically handle, we use a partial Difference Distribution Table (DDT) based on the Hamming weight of the input and output differences. The identified differential characteristic is used to mount a key recovery attack on 5 rounds and 6 S-box layers ($5 rac{6}{7}$ out of 8 rounds) of Bel-T-256 with 2123.28 chosen plaintexts and 2228.4 encryptions. According to the best of our knowledge, this is the first public cryptanalysis of Bel-T in the black-box attack model.