Integral Attacks on Round-Reduced Bel-T-256

摘要

Bel-T is the national block cipher encryption standard of the Republic of Belarus. It has a 128-bit block size and a variable key length of 128, 192 or 256 bits. Bel-T combines a Feistel network with a Lai-Massey scheme to build a complex round function with 7 S-box layers per round then iterate this round function 8 times to construct the whole cipher. In this paper, we present integral attacks against Bel-T-256 using the propagation of the bit-based division property. Firstly, we propose two 2-round integral characteristics by employing a Mixed Integer Linear Programming (MILP) (Our open source code to generate the MILP model can be downloaded from https://github.com/mhgharieb/ Bel-T-256) approach to propagate the division property through the round function. Then, we utilize these integral characteristics to attack 3(2/7) rounds (out of 8) Bel-T-256 with data and time complexities of 2~(13) chosen plaintexts and 2~(199.33) encryption operations, respectively. We also present an attack against 3 6/7 rounds with data and time complexities of 2~(33) chosen plaintexts and 2~(254.61) encryption operations, respectively. To the best of our knowledge, these attacks are the first published theoretical attacks against the cipher in the single-key model.