Keywords

1 Introduction

In 2011, the Republic of Belarus, formerly known by its Russian name Byelorussia, has approved the Bel-T block cipher family as the state standard cryptographic encryption algorithm [1]. The Bel-T family consists of three block ciphers, denoted as Bel-T-k, with the same block size of 128 bits and key length \(k=\) 128, 192 or 256 bits. Bel-T merges a Lai-Massey scheme [8] with a Feistel network [5]. To the authors’ knowledge, there are only two published cryptanalysis results on Bel-T’s; fault-based attacks are considered in [6], and related-key differential attack on round-reduced Bel-T-256 are presented in [2]. In this paper, we present the first published single-key attack against Bel-T-256. Table 1 contrasts the result of our attacks with the related-key differential attack in [2].

Table 1. Attack results on Bel-T-256
Full size table

Integral Attacks. In [4], Daemen et al. proposed a new cryptanalysis technique to analyze the security of the block cipher SQUARE. Subsequently, Knudsen and Wagner [7] formalized this technique and called it integral attack. The integral attack is a chosen-plaintext attack where the set of plaintext used in the attack is chosen to have XOR sum of 0. Firstly, the cryptanalyst constructs a multiset of plaintext such that it has a constant value at some bits while the other bits vary through all possible values. After that, the cryptanalyst calculates the XOR sum of all bits (or some of them) on the corresponding ciphertext after r rounds. If it is always 0 irrespective of the used secret key, we conclude that the cipher under test has an integral distinguisher.

The major techniques used to construct an integral characteristic include estimating the algebraic degree of the nonlinear parts of the cipher, and evaluating the propagation characteristic of the following integral properties [7]: ALL (\( \mathcal {A} \)) where every member appears the same number in the multiset; BALANCE (\( \mathcal {B} \)) where the XOR sum of all members in the multiset is 0; CONSTANT (\( \mathcal {C} \)) where the value is fixed to a constant for all members in the multiset; and UNKNOWN (\( \mathcal {U} \)) where the multiset is indistinguishable from one of n-bit random values.

Recently, Todo and Morii [16] proposed a generalization of the integral property called bit-based integral property. Unfortunately, the searching algorithm which they proposed to construct the integral distinguisher is restricted to ciphers whose block size is less than 32 bits due to its exponential time and memory complexities. To overcome this problem, Xiang et al. [17] proposed systematic rules to easily search for such integral distinguishers by employing a Mixed Integer Linear Programming (MILP) approach.

The rest of this paper is organized as follows. In Sect. 2, we briefly revisit the bit-based division property and summarize how to present its propagation through the basic cipher operations with MILP models. We also describe our approach to model the modular subtraction operation. In Sect. 3, we investigate the security of Bel-T block cipher against the integral attacks utilizing this MILP approach, finally, the conclusion is presented in Sect. 4.

2 Bit-Based Division Property

The division property, introduced by Todo [14], is a generalization of the integral property to utilize the hidden relations between the traditional \( \mathcal {A} \) and \( \mathcal {B}\) properties by exploiting the algebraic degree of the nonlinear components of the block cipher. Later, Todo in [15] proposed the first theoretical attack against the full round MISTY1 based on a 6-round integral distinguisher. To construct this distinguisher, Todo utilized an improved version of the division property after analyzing the Algebraic Normal Form (ANF) of the S-boxes.

Recently, Todo and Morii [16] proposed a special case of the division property, called bit-based division property, in which each bit is traced independently. The bit-based division property allows us to exploit both of the algebraic degree and the details of the round function’s structure. The bit-based division property is defined as follows:

Definition 1

(Bit-based Division Property [14]). Let \( \mathbb {X} \) be a multiset whose elements take a value of \(\mathbb {F}_2^n\). When the multiset \( \mathbb {X} \) has the division property \(\mathcal {D}^{1^n}_\mathbb {K}\), where \(\mathbb {K}\) denotes a set of n-dimensional vectors whose i-th element takes 0 or 1, it fulfills the following conditions:

$$\begin{aligned} \bigoplus \limits _{x\in \mathbb {X}} \varvec{x^u} = {\left\{ \begin{array}{ll} unknown &{} if\ there \ exists\ \varvec{k} \in \mathbb {K}\ s.t.\ \varvec{u}\succeq \varvec{k},\\ 0 &{} otherwise. \end{array}\right. } \end{aligned}$$

where \(\varvec{x^u}=\prod _{i=1}^n x[i]^{u[i]}\), \(\varvec{u}\succeq \varvec{k}\) if \(u[i] \ge k[i]\ \forall i\), and x[i], u[i] are the i-th bits of \(\varvec{x}\) and \(\varvec{u}\), respectively.

In the following, we present some propagation rules of the division property and show how to utilize MILP for automating the search for integral distinguishers based on the bit-based division property.

2.1 MILP Modeling for Propagation Rules of the Bit-Based Division Property

The advantage of the bit-based division property, over the traditional one, is its ability to exploit both the algebraic degree and the details of the round function structure by tracing each bit independently. The technique presented in [16] to find such distinguishers, however, is restricted to primitives whose block sizes are less than 32 bits due to its time and memory complexities. As mentioned above, to overcome this limitation, Xiang et al. [17] defined a new notation called Division Trail. With the division trail, it becomes easy to employ MILP for constructing the integral distinguisher. Later, Sun et al. complemented this work by handling ARX-based ciphers (modulo operations) [10] and ciphers with non-bit-permutation linear layers [11].

In the following subsection, we briefly describe how to model the division trail through several operations using MILP constraints. We firstly start by introducing the notation of a division trail.

Definition 2

(Division Trail [17]). Let \(f_r\) denote the round function of an iterated block cipher. Assume that the input multiset to the block cipher has the initial division property \(\mathcal {D}^{1^n}_{\{\varvec{k}\}}\), and denote the division property after i-round propagation through \(f_r\) by \(\mathcal {D}^{1^n}_{\mathbb {K}_i}\). Thus, we have the following chain of division property propagations:

$$\begin{aligned} \{\varvec{k}\} \overset{\mathrm {def}}{=} \mathbb {K}_0 \xrightarrow {f_r}\mathbb {K}_1 \xrightarrow {f_r}\mathbb {K}_2\xrightarrow {f_r}\cdots \xrightarrow {f_r}\mathbb {K}_r. \end{aligned}$$

Moreover, for any vector \(\varvec{k}_i^*\in \mathbb {K}_i(i\ge 1)\), there must exist a vector \(\varvec{k}_{i-1}^*\in \mathbb {K}_{i-1}\) such that \(\varvec{k}_{i-1}^*\) can propagate to \(\varvec{k}_i^*\) by the division property propagation rules. Furthermore, for \( (\varvec{k}_0, \varvec{k}_1,\dots ,\varvec{k}_r)\in \mathbb {K}_0\times \mathbb {K}_1\times \cdots \times \mathbb {K}_r\), if \(\varvec{k}_{i-1}\) can propagate to \(\varvec{k}_{i}\) for all \(i\in \{1,2,\dots ,r\}\), we call \( (\varvec{k}_0, \varvec{k}_1,\dots ,\varvec{k}_r)\) an r-round division trail. Thus, the set of the last vectors of all r-round division trails which start with \(\{\varvec{k}\}\) is equal to \(\mathbb {K}_r\). Then, the i-th bit of r-round ciphertext is balanced if \(e_i\) (a unit vector whose i-th element is 1) does not exist in \(\mathbb {K}_r\).

The propagation rules of the bit-based division property through basic operations in block ciphers can be found in [15]. In here, we only summarize the MILP models associated with such rules.

Model for COPY [11]. Let \((a)\xrightarrow {COPY}(b_1, b_2,\dots ,b_m)\) denote the division trail through COPY function, where one bit is copied to m bits. Then, it can be described using the following MILP constraints:

$$\begin{aligned} {\left\{ \begin{array}{ll} a-b_1-b_2-\dots -b_m = 0,\\ a, b_1, b_2, \dots ,b_m\ are\ binary\ variables \end{array}\right. } \end{aligned}$$

Model for XOR [11]. Let \((a_1, a_2,\dots ,a_m)\xrightarrow {XOR}(b)\) denote the division trail through an XOR function, where m bits are compressed to one bit using an XOR operation. Then, it can be described using the following MILP constraints:

$$\begin{aligned} {\left\{ \begin{array}{ll} a_1+a_2+\dots +a_m - b = 0,\\ a_1, a_2, \dots ,a_m, b\ are\ binary\ variables \end{array}\right. } \end{aligned}$$

Model for AND [17]. Let \((a_0, a_1)\xrightarrow {AND}(b)\) denote the division trail though an AND function, where two bits are compressed using an AND operation. Then, it can be described using the following MILP constraints:

$$\begin{aligned} {\left\{ \begin{array}{ll} b - a_0 \ge 0,\\ b - a_1 \ge 0,\\ a_0, a_1, b\ are\ binary\ variables \end{array}\right. } \end{aligned}$$

MILP Model for S-Boxes. The original version of the bit-based division introduced in [16] is limited to bit-oriented ciphers and cannot be applied to ciphers with S-boxes. Xiang et al. overcome this problem by representing the S-Box using its algebraic normal form (ANF) (Algorithm 2 in [17]), also see [9].

The division trail though an n-bit S-box can be represented as a set of 2n-dimensional binary vectors \(\in \{0,1\}^{2n}\) which has a convex hull. The H-Representation of this convex hull can be computed using readily available functions such as inequality_generator() function in SageFootnote 1 which returns a set of linear inequalities that describe these vectors. We use this set of inequalities as MILP constraints to present the division trail though the S-box.

MILP Model for Modular Addition. In [10], Sun et al. proposed a systematic method to deduce an MILP model for the modular addition operation of 4-bit variables by expressing the operation at the bit-level. Then this method is generalized for n-bit variables in [12].

Let \(\varvec{x} = (x_0, x_1, \dots , x_{n-1}),\ \varvec{y}=(y_0, y_1,\dots , y_{n-1})\), and \(\varvec{z}=(z_0, z_1,\dots , z_{n-1})\)Footnote 2 be n-bit vectors where \(\varvec{z} =\varvec{x}\boxplus \varvec{y}\). Then, \(z_i\) can be iteratively expressed as follows:

$$\begin{aligned}&z_{n-1}=x_{n-1} \mathbin {\oplus }y_{n-1} \mathbin {\oplus }c_{n-1},~ c_{n-1} = 0,\\&z_i = x_i \mathbin {\oplus }y_i \mathbin {\oplus }c_i,~ c_i=x_{i+1}y_{i+1} \mathbin {\oplus }(x_{i+1} \mathbin {\oplus }y_{i+1}) c_{i+1}, ~~ i = n-2, n-3,\dots , 0. \end{aligned}$$

Consequently, the division trail through the modular addition can be deduced in terms of COPY, AND, and XOR operations [12].

MILP Model for Modular Addition with a Constant. In [10], Sun et al. explain how to deduce an MILP model for the modular addition of a 4-bit variable with a constant. The authors expressed the operation at the bit-level and exploited that the operations of XOR/AND with a constant do not influence the division property [10]. We can generalize this method for n-bit variables as follows. Let \(( a_0, a_1, \dots , a_{n-1})\) \(\rightarrow (d_0, d_1, \dots , d_{n-1})\) denote the division trail through n-bit modular addition with a constant, the division property propagation can be decomposed as COPY, AND, and XOR operations as follows:

where the intermediate variables \(a_{i,0},\ a_{i,1},\ a_{i,2},\ f_i,\ g_i,\ e_i\), and \(v_i\) are as shown in Table 2.

Table 2. The intermediate variables for modular addition with a constant
Full size table

MILP Model for Modular Subtraction. In this section, we present an approach to deduce an MILP model for the modular subtraction operation using the same methodology used for Modular Addition. For consistency, we use the same notation as in [10].

Let \(\varvec{x}\), \(\varvec{y}\) and \(\varvec{z}\) be n-bit vectors where \(\varvec{z} =\varvec{x} \boxminus \varvec{y}\). This relation can be rewritten as \(\varvec{z} =\varvec{x} ~\boxplus \) (2’s complement of \(\varvec{y}\)) \(=\varvec{x} \boxplus (\bar{\varvec{y}} \boxplus 1)\), where \( \bar{\varvec{y}} \) is the 1’s complement of \(\varvec{y}\). Therefore, the division trail through the modular subtraction can be modelled as a division trail through a modular addition followed by a modular addition with a constant. This representation has two issues. The first issue is that two operations are used to present one operation which requires the use of more MILP constraints and variables, and consequently slowing down the search process. The second issue is that the information about the value of the constant, which is 1, in the modular addition with a constant is not utilized. This may lead the search process to conclude that some bits are not balanced even that they are balanced, as we show in Appendix A. Instead, at the bit level implementation, the modular subtraction operation is handled as a modular addition operation with two modifications: the first carry to the modular addition will be 1 instead of 0 \((c_{n-1} = 1)\), and the second input to the modular addition will be the 1’s complement of the second operand (\(\bar{\varvec{y}}\)).

Let \(\varvec{x} = (x_0, x_1, \dots , x_{n-1}),\ \varvec{y}=(y_0, y_1,\dots , y_{n-1})\), and \(\varvec{z}=(z_0, z_1,\dots , z_{n-1})\). Then, \(z_i\) can be iteratively expressed as follows:

$$\begin{aligned}&z_{n-1}=x_{n-1} \mathbin {\oplus }\bar{y}_{n-1} \mathbin {\oplus }c_{n-1},~ c_{n-1} = 1,\\&z_i = x_i \mathbin {\oplus }\bar{y}_i \mathbin {\oplus }c_i,~ c_i=x_{i+1}\bar{y}_{i+1} \mathbin {\oplus }(x_{i+1} \mathbin {\oplus }\bar{y}_{i+1}) c_{i+1}, ~~ \forall i = n-2, n-3,\dots , 0.\\&where \ \bar{y}_i = y_i \mathbin {\oplus }1 \end{aligned}$$

The operation of XOR/AND with a constant does not influence the division property [10]. Therefore, the division property of \( \bar{\varvec{y}} \) is the same of \(\varvec{y} \). Consequently, we can generalize the modular subtraction operation for n-bit variables as follows:

Proposition 1

Let \((( a_0, a_1, \dots , a_{n-1}), ( b_0, b_1, \dots , b_{n-1}))\) \(\rightarrow (d_0, d_1, \dots , d_{n-1})\) be a division trail through n-bit modular subtraction operation. The division property propagation can be decomposed as COPY, AND, and XOR operations as follows:

where the intermediate variables \(a_{i,0},\ a_{i,1},\ a_{i,2},\ t_0,\ t_1,\ v_i,\ g_i,\ r_i,\ m_i,\ q_i\), and \(w_i\) are as shown in Table 3.

In Appendix A, we present the results of an experiment we performed on a toy cipher to validate the model of the modular subtraction and show the effect of the first carry.

Table 3. The intermediate variables for modular subtraction
Full size table

3 Integral Attack on Bel-T-256

In this Section, we investigate the security of the Bel-T block cipher against the integral attack based on the bit-based division property.

3.1 Bel-T Specification

The official Bel-T specification is available only in Russian and the only version of the specification available in English is the one provided in its fault-based attacks analysis [6]. Bel-T has a 128-bit block size and a variable key length of 128, 192 or 256 bits. The 128-bit plaintext is divided into 4 32-bit words, i.e., \(P = A^0||B^0||C^0||D^0\). Then, the round function illustrated in Fig. 1, is repeated eight times for all versions of Bel-T. Three mappings G\( _5 \), G\( _{13} \) and G\(_{21}\): \(\{0, 1\}^{32} \rightarrow \{0, 1\}^{32}\) are used, where G\(_r\) maps a 32-bit word \( u = u_1||u_2||u_3||u_4 \), with \( u_i \in \{0, 1\}^8 \), as follows: G\(_r(u) = (H(u_1 )||H(u_2 )||H(u_3)||H(u_4 )) \lll r\). Here, H is an 8-bit S-box and \({\lll }r\) stands for left shift rotation by r positions. The specification of the 8-bit S-box can be found in [6].

Key Schedule. In all versions of Bel-T, the 128-bit plaintext block P is encrypted using a 256-bit encryption key denoted as \(K_1||\dots ||K_8\), where \(K_i\) is a 32-bit word for \(1\le i \le 8\). The encryption key is distributed among the round keys as shown in Table 4. The encryption key is extracted from the master key as follows:

  • Bel-T-256: the encryption key is identical to the master key.

  • Bel-T-192: the master key is formatted as \(K_1||\dots ||K_6\) and \(K_7, K_8\) are set to \(K_7:=K_1 \mathbin {\oplus }K_2 \mathbin {\oplus }K_3\) and \(K_8:=K_4 \mathbin {\oplus }K_5 \mathbin {\oplus }K_6\).

  • Bel-T-128: the master key is formatted as \(K_1||\dots ||K_4\) and \(K_5, K_6, K_7, K_8\) are set to \(K_5:=K_1\), \(K_6:=K_2\), \(K_7:=K_3\) and \(K_8:=K_4\).

3.2 Integral Distinguishers of Bel-T

As shown in Fig. 1, the Bel-T round function includes 7 S-boxes, modular additions, modular additions with key and modular subtractions. We construct an MILP model for the bit-based division property through Bel-T as follows. Firstly, we generate the division trail of the S-box using Algorithm 2 in [17]. Then, we deduce the inequalities of the S-box using inequality_generator() function in Sage. In the case of the Bel-T S-box, the number of generated inequalities is 71736, which is very large set to be handled by any MILP optimizer. Therefore, we reduce this set using a Greedy Algorithm which is proposed by Sun et al. in [13]. The size of the reduced set of the S-box representation inequalities is 28 and can be found in Appendix B.

Then, we implement the MILP model for modular addition and deduce the model for subtraction. Finally, we use the GurobiFootnote 3 optimizer to search for the longest integral distinguisher for Bel-T. Based on our implementation, we found several 2-round integral distinguishers. Our code that is used to generate the MILP model for Bel-T and to search for an integral distinguisher can be downloaded from github.Footnote 4

In here, we present two such distinguishers which are chosen in order to minimize the attack data and time complexities.

$$\begin{aligned}&IC1:((\mathcal {C}_{0-31}),(\mathcal {C}_{0-31}),(\mathcal {C}_{0-17}||\mathcal {A}_{18-18}||\mathcal {C}_{19-31}), (\mathcal {A}_{0-7}||\mathcal {C}_{8-31}))\\&\qquad \xrightarrow {2R}((\mathcal {U}_{0-31}),(\mathcal {U}_{0-31}),(\mathcal {U}_{0-26}||\mathcal {B}_{27-31}),(\mathcal {U}_{0-31}))\\&IC2:((\mathcal {C}_{0-31}),(\mathcal {C}_{0-31}),(\mathcal {C}_{0-10}||\mathcal {A}_{11-26}||\mathcal {C}_{27-31}), (\mathcal {A}_{0-15}||\mathcal {C}_{16-31}))\\&\qquad \xrightarrow {2R}((\mathcal {U}_{0-26}||\mathcal {B}_{27-31}),(\mathcal {U}_{0-31}),(\mathcal {B}_{0-31}),(\mathcal {U}_{0-31})) \end{aligned}$$

where \( \mathcal {C}_{i-j}/\mathcal {A}_{i-j}/\mathcal {B}_{i-j}/\mathcal {U}_{i-j} \) denote CONSTANT/ALL/BALANCE/UNKNOWN from bit number i to bit number j respectively counting from the most significant bit of the branch. Both of these integral distinguishers have been verified experimentally using a set of 256 randomly generated keys.

Table 4. Encryption key schedule of Bel-T, where i and \(K_{7i-j}\) denote the round number and the round key, respectively.
Full size table
Fig. 1.
figure 1

Bel-T round function, where \(\oplus , \boxplus , \boxminus \) denote bit-wise XOR, arithmetic addition and subtraction modulo \( 2^{32} \) respectively, and \((i)_{32}\) denotes the round number represented as 32-bit word.

Full size image

3.3 Integral Cryptanalysis of 3\(\frac{2}{7}\)-Round Bel-T-256

In this section, we present our Integral attack on 3\(\frac{2}{7} \)-round Bel-T-256 by appending one round and two S-box layers on the above derived integral distinguisher IC1 as illustrated in Fig. 2.

Data Collection. We select m structures of plaintexts. In each structure, the 9 bits (bit number 18 in branch \( C^0 \) and bits 0-7 in branch \( D^0 \)) vary through all \( 2^9 \) possible values and all other bits are fixed to an arbitrary constant value.

This ensures that each structure satisfies the required input division property of the integral distinguisher IC1. After that, we query the encryption oracle to obtain the corresponding ciphertexts. Subsequently, we apply the following key recovery procedure.

Fig. 2.
figure 2

3\(\frac{2}{7} \)-round attack on Bel-T-256

Full size image

Key Recovery. For ciphertexts in each structure obtained in the data collection phase, we apply the following procedure:

  1. 1.

    Guess \(K_8\) and \(K_4\) and partially decrypt the ciphertext to obtain \( b_2 \).

  2. 2.

    Guess \(K_6\) and \(K_5\) and partially decrypt the ciphertext to obtain \( c_2 \).

  3. 3.

    Recall that \(b_1 = b_2 - G_{21}(b_1+c_1+K_2)\oplus (3)_{32}\) and \(c_1 = c_2 + G_{21}(b_1+c_1+K_2)\oplus (3)_{32}\). Hence \(b_1+c_1=b_2+c_2\). Therefore, by guessing \(K_2\), we can deduce \(G_{21}(b_1+c_1+K_2) = G_{21}(b_2+c_2+K_2)\) and then compute \(c_1\) from \(b_2\) and \(c_2\).

  4. 4.

    Guess \(K_3\) and use the previous guessed value of \(K_8\) to compute \(c_0\) from \(c_1\) and \(c_2\).

  5. 5.

    For each bit in the 5 least significant bits of the 32-bit word \(c_0\), check that its XOR sum over the structure is zero. The probability that all these 5 bits are balanced is \( 2^{-5}\). Therefore the probability that a key is survived after this test is also \( 2^{-5} \). This means that the number of 192-bit key candidates passed this check is \(2^{192}\times 2^{-5}\).

After repeating the above procedure for m structures, the number of surviving 192-bit key candidates will be \(2^{192} \times (2^{-5})^m = 2^{192-5m}\). After that, we recover the 256-bit master key by testing the \( 2^{192-5m} \) 192-bit surviving key candidates along with the remaining \( 2^{64} \) values for \(K_1 \) and \( K_7 \) using 2 plaintext/ciphertext pairs.

Attack Complexity. The data complexity of the above attack is \(m \times 2^{9}\) chosen plaintexts. The dominant part of time complexity is coming from deducing 192-bit key candidates after checking m structures. This part is equal to \(\frac{7}{23}\times 2^{9} \times 2^{192}\times [1+2^{-5}+(2^{-5})^2 + \dots + (2^{-5})^{m-1}] = \frac{7}{23}\times 2^{201}\times \dfrac{1-(2^{-5})^m}{1-2^{-5}} \). Additionally, the part due to exhaustively searching for the master key which is equal to \(2\times 2^{64} \times 2^{192-5m} = 2^{257-5m}\). To balance the attack between data and time complexities, we take \(m=16\). This means that the data complexity will be \(16\times 2^9 = 2^{13}\) chosen plaintexts and the time complexity will be \( \frac{7}{23}\times 2^{201}\times \dfrac{1-2^{-80}}{1-2^{-5}} + 2^{177} \approx 2^{199.33}\) encryption operations.

It should be noted that other choices of m can lead to possible data and time trade-off. For example, if we set \(m=1\), the data complexity will be reduced to \(2^9\) chosen plaintexts at the expense of increasing the time complexity to \(2^{252}\).

3.4 Integral Cryptanalysis of 3\( \frac{6}{7} \)-Round Bel-T-256

In this section, we present our integral attack on 3\( \frac{6}{7} \)-round Bel-T-256 by appending one round and six S-box layers on the above derived integral distinguisher IC2, which is the only distinguisher makes the attack feasible, as illustrated in Fig. 3.

Fig. 3.
figure 3

3\( \frac{6}{7} \)-round attack on Bel-T-256

Full size image

Data Collection. We select m structures of plaintexts. In each structure, the 32 bits (bits 11–26 in branch \( C^0 \) and bits 0–15 in branch \( D^0 \)) vary through all \( 2^{32} \) possible values and all other bits are fixed to an arbitrary constant value. This ensures that each structure satisfies the required input division property of the integral distinguisher IC2. After that, we query the encryption oracle to obtain the corresponding ciphertexts. Subsequently, we apply the following key recovery procedure. Key Recovery. For ciphertexts in each structure obtained in the data collection, we apply the following procedure:

  1. 1.

    Guess \(K_4\) and partially decrypt the ciphertext to obtain \( c_5 \).

  2. 2.

    Recall that \(b_4 = b_5 - G_{21}(b_4+c_4+K_1)\oplus (4)_{32}\) and \(c_4 = c_5 + G_{21}(b_4+c_4+K_1)\oplus (4)_{32}\), hence \(b_4+c_4=b_5+c_5\). Therefore, by guessing \(K_1\), we can deduce \(G_{21}(b_4+c_4+K_1) = G_{21}(b_5+c_5+K_1)\) and then compute \(b_4\) and \(c_4\) from \(b_5\) and \(c_5\).

  3. 3.

    Guess \(K_2, K_6, K_7\) and \( K_8\) and deduce each 32-bit words \(a_2, b_3, c_3\) and \(d_1\).

  4. 4.

    Use the previous guessed value of \(K_4\) to get the value of \(b_2\) from \(a_2\) and \(b_3\).

  5. 5.

    Guess \(K_5\) and get the value of \(c_2\) from \(c_3\) and \(d_1\).

  6. 6.

    Recall that \(b_1 = b_2 - G_{21}(b_1+c_1+K_2)\oplus (3)_{32}\) and \(c_1 = c_2 + G_{21}(b_1+c_1+K_2)\oplus (3)_{32}\), hence \(b_1+c_1=b_2+c_2\). Therefore, by guessing \(K_2\), we can deduce \(G_{21}(b_1+c_1+K_2) = G_{21}(b_2+c_2+K_2)\) and then compute \(b_1\) from \(b_2\) and \(c_2\).

  7. 7.

    Use the previous guessed value of \(K_1\) to compute \(a_1\) from \(a_2\) and \(b_1\).

  8. 8.

    For each bit in the 5 least significant bits of 32-bit word \(a_1\), check that the XOR sum of it over the structure is zero. The probability that all these 5 bits are balanced is \( 2^{-5}\). Therefore the probability that a key is survived after this test is also \( 2^{-5} \). This means that the number of 224-bit key candidates passed this check is \(2^{224} \times 2^{-5}\).

After repeating the above procedure for m structures, the number of surviving 224-bit key candidates will be \(2^{224} \times (2^{-5})^m = 2^{224-5m}\). After that we recover the 256-bit master key by testing the \( 2^{224-5m} \) 192-bit surviving key candidates along with the remaining \( 2^{32} \) values for \(K_3 \) using 2 plaintext/ciphertext pairs.

Attack Complexity. The data complexity is \(m \times 2^{32}\) chosen plaintexts. The dominant part of time complexity is coming from deducing 224-bit key candidates after checking m structure. This part is equal to \(\frac{10}{27}\times 2^{32} \times 2^{224}\times [1+2^{-5}+(2^{-5})^2 + \dots + (2^{-5})^{m-1}] = \frac{10}{27}\times 2^{256}\times \dfrac{1-(2^{-5})^m}{1-2^{-5}} \). Additionally, the part due to exhaustively searching for the master key which is equal to \(2 \times 2^{32} \times 2^{224-5m} = 2^{257-5m}\). To balance the attack between data and time complexities, we take \(m=2\). This means that the data complexity will be \(2\times 2^{32} = 2^{33}\) chosen plaintexts and the time complexity will be \( \frac{10}{27}\times 2^{256}\times \dfrac{1-2^{-10}}{1-2^{-5}} + 2^{247} \approx 2^{254.61}\) encryption.

4 Conclusion

In this paper, we investigated the security of Bel-T-256 against integral attacks based on the bit-based division property. In particular, we have built a MILP model for the Bel-T round function to automate the search for integral distinguishers based on the bit-based division property. Using two of the obtained integral distinguishers, we presented attacks on 3\(\frac{2}{7}\) and 3\(\frac{6}{7}\) rounds of Bel-T-256 with data and time complexities of \(2^{13}\), \(2^{33}\) chosen plaintexts and \(2^{199.33}\), \(2^{254.61}\) encryption operations, respectively.