Author Search Result

[Author] Amr M. YOUSSEF(6hit)

1-6hit
  • Related-Key Differential Attack on Round-Reduced Bel-T-256

    Ahmed ABDELKHALEK  Mohamed TOLBA  Amr M. YOUSSEF  

     
    LETTER-Cryptography and Information Security

    Vol: E101-A No:5  Page(s): 859-862

    Bel-T is the national block cipher encryption standard of the Republic of Belarus. It operates on 128-bit blocks and uses either 128, 192 or 256-bit keys. Bel-T combines a Feistel network with a Lai-Massey scheme and it has a complex round function with 7 S-box layers. In this work, we use a Mixed Integer Linear Programming (MILP) approach to find a related-key differential characteristic that extends for 4 rounds and 5 S-box layers ($4\frac{5}{7}$ rounds) with probability higher than $2^{-128}$. To build an MILP model of Bel-T that a solver can practically handle, we use a partial Difference Distribution Table (DDT) based on the Hamming weight of the input and output differences. The identified differential characteristic is used to mount a key recovery attack on 5 rounds and 6 S-box layers ($5\frac{6}{7}$ out of 8 rounds) of Bel-T-256 with $2^{123.28}$ chosen plaintexts and $2^{228.4}$ encryptions. To the best of our knowledge, this is the first public cryptanalysis of Bel-T in the black-box attack model.

  • A Meet in the Middle Attack on Reduced Round Kuznyechik

    Riham ALTAWY  Amr M. YOUSSEF  

     
    LETTER-Cryptography and Information Security

    Vol: E98-A No:10  Page(s): 2194-2198

    In this letter, we present a meet-in-the-middle attack on the 5-round reduced Kuznyechik cipher which has been recently chosen to be standardized by the Russian Federation. Our attack is based on the differential enumeration approach. However, the application of the exact approach is not successful on Kuznyechik due to its optimal round diffusion properties. Accordingly, we adopt an equivalent representation for the last round where we can efficiently filter ciphertext pairs and launch the attack in the chosen ciphertext setting. We also utilize partial sequence matching which further reduces the memory and time complexities. For the 5-round reduced cipher, the 256-bit master key is recovered with an online time complexity of $2^{140.3}$, a memory complexity of $2^{153.3}$, and a data complexity of $2^{113}$.

  • Improved Multiple Impossible Differential Cryptanalysis of Midori128

    Mohamed TOLBA  Ahmed ABDELKHALEK  Amr M. YOUSSEF  

     
    LETTER-Cryptography and Information Security

    Vol: E100-A No:8  Page(s): 1733-1737

    Midori128 is a lightweight block cipher proposed at ASIACRYPT 2015 to achieve low energy consumption per bit. Currently, the best published impossible differential attack on Midori128 covers 10 rounds without the pre-whitening key. By exploiting the special structure of the S-boxes and the binary linear transformation layer in Midori128, we present impossible differential distinguishers that cover 7 full rounds including the mix column operations. Then, we exploit four of these distinguishers to launch a multiple impossible differential attack against 11 rounds of the cipher with the pre-whitening and post-whitening keys.

  • A Meet-in-the-Middle Attack on Reduced-Round Kalyna-b/2b

    Riham ALTAWY  Ahmed ABDELKHALEK  Amr M. YOUSSEF  

     
    LETTER-Information Network

    Publicized: 2016/01/22  Vol: E99-D No:4  Page(s): 1246-1250

    In this letter, we present a meet-in-the-middle attack on the 7-round reduced block cipher Kalyna-b/2b, which has been approved as the new encryption standard of Ukraine (DSTU 7624:2014) in 2015. According to its designers, the cipher provides strength to several cryptanalytic methods after the fifth and sixth rounds of the versions with block length of 128 and 256 bits, respectively. Our attack is based on the differential enumeration approach, where we carefully deploy a four-round distinguisher in the first four rounds to bypass the effect of the carry bits resulting from the prewhitening modular key addition. We also exploit the linear relation between consecutive odd and even indexed round keys, which enables us to attack seven rounds and recover all the round keys incrementally. The attack on Kalyna with 128-bit block has a data complexity of $2^{89}$ chosen plaintexts, time complexity of $2^{230.2}$ and a memory complexity of $2^{202.64}$. The data, time and memory complexities of our attack on Kalyna with 256-bit block are $2^{233}$, $2^{502.2}$ and $2^{170}$, respectively.

  • Impossible Differential Attack on Reduced Round SPARX-128/256

    Muhammad ELSHEIKH  Mohamed TOLBA  Amr M. YOUSSEF  

     
    LETTER-Cryptography and Information Security

    Vol: E101-A No:4  Page(s): 731-733

    SPARX-128/256 is one of the two versions of the SPARX-128 block cipher family. It has 128-bit block size and 256-bit key size. SPARX has been developed using ARX-based S-boxes with the aim of achieving provable security against single-trail differential and linear cryptanalysis. In this letter, we propose 20-round impossible differential distinguishers for SPARX-128. Then, we utilize these distinguishers to attack 24 rounds (out of 40 rounds) of SPARX-128/256. Our attack has time complexity of $2^{232}$ memory accesses, memory complexity of $2^{160.81}$ 128-bit blocks, and data complexity of $2^{104}$ chosen plaintexts.

  • A Meet in the Middle Attack on Reduced Round Kiasu-BC

    Mohamed TOLBA  Ahmed ABDELKHALEK  Amr M. YOUSSEF  

     
    LETTER-Cryptography and Information Security

    Vol: E99-A No:10  Page(s): 1888-1890

    Kiasu-BC is a recently proposed tweakable variant of the AES-128 block cipher. The designers of Kiasu-BC claim that no more than 7-round Meet-in-the-Middle (MitM) attack can be launched against it. In this letter, we present a MitM attack, utilizing the differential enumeration technique, on the 8-round reduced cipher. The attack has time complexity of $2^{116}$ encryptions, memory complexity of $2^{86}$ 128-bit blocks, and data complexity of $2^{116}$ plaintext-tweak combinations.