On MILP-Based Automatic Search for Differential Trails Through Modular Additions with Application to Bel-T

  • Muhammad ElSheikh
  • Ahmed Abdelkhalek
  • Amr M. YoussefEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11627)


Using modular addition as a source of nonlinearity is frequently used in many symmetric-key structures such as ARX and Lai–Massey schemes. At FSE’16, Fu et al. proposed a Mixed Integer Linear Programming (MILP)-based method to handle the propagation of differential trails through modular additions assuming that the two inputs to the modular addition and the consecutive rounds are independent. However, this assumption does not necessarily hold. In this paper, we study the propagation of the XOR difference through the modular addition at the bit level and show the effect of the carry bit. Then, we propose a more accurate MILP model to describe the differential propagation through the modular addition taking into account the dependency between the consecutive modular additions. The proposed MILP model is utilized to launch a differential attack against Bel-T-256, which is a member of the Bel-T block cipher family that has been adopted recently as a national standard of the Republic of Belarus. In particular, we employ the concept of partial Differential Distribution Table to model the 8-bit S-Box of Bel-T using a MILP approach in order to automate finding a differential characteristic of the cipher. Then, we present a \(4\frac{1}{7}\)-round (out of 8) differential attack which utilizes a 3-round differential characteristic that holds with probability \(2^{-111}\). The data, time and memory complexities of the attack are \(2^{114}\) chosen plaintexts, \( 2^{237.14} \) \(4\frac{1}{7}\)-round encryptions, and \(2^{224}\) 128-bit blocks, respectively.


Differential cryptanalysis MILP Modular addition ARX Bel-T 


  1. 1.
    Preliminary State Standard of Republic of Belarus (STBP 34.101.312011) (2011).
  2. 2.
    Abdelkhalek, A., Sasaki, Y., Todo, Y., Tolba, M., Youssef, A.: MILP modeling for (large) s-boxes to optimize probability of differential characteristics. IACR Trans. Symmetric Cryptology 2017(4), 99–129 (2017)Google Scholar
  3. 3.
    Abdelkhalek, A., Tolba, M., Youssef, A.M.: Related-key differential attack on round-reduced Bel-T-256. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 101(5), 859–862 (2018)CrossRefGoogle Scholar
  4. 4.
    Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, New York (1993). Scholar
  5. 5.
    Biryukov, A., Velichkov, V.: Automatic search for differential trails in ARX ciphers. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 227–250. Springer, Cham (2014). Scholar
  6. 6.
    Cui, T., Jia, K., Fu, K., Chen, S., Wang, M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. Cryptology ePrint Archive, Report 2016/689 (2016).
  7. 7.
    Daemen, J., Rijmen, V.: Probability distributions of correlation and differentials in block ciphers. J. Math. Cryptology JMC 1(3), 221–242 (2007)MathSciNetzbMATHGoogle Scholar
  8. 8.
    ElSheikh, M., Tolba, M., Youssef, A.M.: Integral Attacks on Round-Reduced Bel-T-256. In: Cid, C., Jacobson Jr., M. (eds.) Selected Areas in Cryptography - SAC 2018. LNCS, vol. 11349, pp. 73–91. Springer, Cham (2019). Scholar
  9. 9.
    Feistel, H., Notz, W.A., Smith, J.L.: Some cryptographic techniques for machine-to-machine data communications. Proc. IEEE 63(11), 1545–1554 (1975)CrossRefGoogle Scholar
  10. 10.
    Fu, K., Wang, M., Guo, Y., Sun, S., Hu, L.: MILP-based automatic search algorithms for differential and linear trails for speck. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 268–288. Springer, Heidelberg (2016). Scholar
  11. 11.
    Jovanovic, P., Polian, I.: Fault-based attacks on the Bel-T block cipher family. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, pp. 601–604. EDA Consortium (2015)Google Scholar
  12. 12.
    Lai, X., Massey, J.L.: A proposal for a new block encryption standard. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 389–404. Springer, Heidelberg (1991). Scholar
  13. 13.
    Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991). Scholar
  14. 14.
    Leurent, G.: Analysis of differential attacks in ARX constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 226–243. Springer, Heidelberg (2012). Scholar
  15. 15.
    Lipmaa, H., Moriai, S.: Efficient algorithms for computing differential properties of addition. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 336–350. Springer, Heidelberg (2002). Scholar
  16. 16.
    McCluskey Jr., E.J.: Minimization of boolean functions. Bell Syst. Tech. J. 35(6), 1417–1444 (1956)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). Scholar
  18. 18.
    Quine, W.V.O.: A way to simplify truth functions. Am. Math. Monthly 62(9), 627–631 (1955). Scholar
  19. 19.
    Sasaki, Y., Todo, Y.: New impossible differential search tool from design and cryptanalysis aspects. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 185–215. Springer, Cham (2017). Scholar
  20. 20.
    Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptology 21(1), 131–147 (2008)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Sun, L., Wang, W., Liu, R., Wang, M.: MILP-aided bit-based division property for ARX-based block cipher. Cryptology ePrint Archive, Report 2016/1101 (2016).
  22. 22.
    Sun, L., Wang, W., Wang, M.: MILP-aided bit-based division property for primitives with non-bit-permutation linear layers. Cryptology ePrint Archive, Report 2016/811 (2016).
  23. 23.
    Sun, S., et al.: Towards Finding the Best Characteristics of Some Bit-oriented Block Ciphers and Automatic Enumeration of (Related-key) Differential and Linear Characteristics with Predefined Properties (2014).
  24. 24.
    Wang, G., Keller, N., Dunkelman, O.: The delicate issues of addition with respect to XOR differences. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 212–231. Springer, Heidelberg (2007). Scholar
  25. 25.
    Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Muhammad ElSheikh
    • 1
  • Ahmed Abdelkhalek
    • 1
  • Amr M. Youssef
    • 1
    Email author
  1. 1.Concordia Institute for Information Systems EngineeringConcordia UniversityMontréalCanada

Personalised recommendations