Belt

Belt
Belt
Created by	2001 year
Published	2007 year
Key size	256 bit
Block size	128 bit
Number of rounds	eight
Type of	combination of Feistel Network and en: Lai-Massey scheme

BelT is the state standard for symmetric encryption and integrity control of the Republic of Belarus. The full name of the standard is STB 34.101.31-2007 “Information technology and security. Cryptographic algorithms for encryption and integrity control. " Adopted as a preliminary standard in 2007. Introduced as the final standard in 2011.

Description

BelT is a block cipher with a 256-bit key and 8 cycles of cryptographic transformations, operating with 128-bit words. Cryptographic algorithms of the standard are based on the basic encryption modes of data blocks. All algorithms of the standard are divided into 8 groups:

encryption algorithms in simple replacement mode ;
encryption algorithms in block coupling mode ;
gamma feedback encryption algorithms;
encryption algorithms in counter mode ;
algorithm for generating an insert;
algorithms for simultaneous encryption and data protection;
algorithms for simultaneous encryption and key protection;
hashing algorithm ;

The first four groups are designed to provide secure messaging. Each group includes an encryption algorithm and a secret key decryption algorithm. Parties with a shared key can organize the exchange of messages by encrypting them before sending and decrypting them upon receipt. In the modes of simple replacement and coupling of blocks, messages that contain at least one block are encrypted, and in the gamming modes with feedback and counter, messages of arbitrary length are encrypted.

The fifth algorithm is designed to control the integrity of messages using imitations - control words, which are determined using a secret key. Parties that have a shared key can organize integrity control during the exchange of messages by adding them to the insert when sending and checking the insert when receiving. Verification of the insertions additionally allows the recipient party to verify that the sending party knows the secret key, that is, verify the authenticity of the messages.

In the sixth group, the initial message is defined in two parts: open and critical. Protection algorithms are designed to control the integrity of both parts and ensure the confidentiality of the critical part. When protection is installed, an imitation of the entire message is calculated and its critical part is encrypted. When the protection is removed, the imitator is checked and, if the check was successful, the critical part is decrypted.

In the algorithms of the seventh group, the length of the message to be protected must be immediately known; these algorithms are recommended for key protection. The protected key is accompanied by an open header that contains the public attributes of the key and at the same time is a control value for integrity checking. Fixed persistent headers can be used, which serve only for integrity control. When installing security, the key is encrypted along with its header. When protection is removed, the inverse conversion is performed and the decrypted header is compared with the control one.

The eighth algorithm is designed to calculate hash values - control words that are determined without using a key. Parties may arrange for integrity monitoring of messages by comparing their hash values with valid control hash values. Changing a message with a high probability leads to a change in the corresponding hash value and therefore hash values can be used instead of the messages themselves, for example, in electronic digital signature systems

Block Encryption

Input and Output

The input to the encryption and decryption algorithms is a block $X\in \{0,1\}^{128}$ ${\ displaystyle X \ in \ {0,1 \} ^ {128}}$ and key $\theta \in \{0,1\}^{256}.$ ${\ displaystyle \ theta \ in \ {0,1 \} ^ {256}.}$

The output is a block $Y\in \{0,1\}^{128}$ ${\ displaystyle Y \ in \ {0,1 \} ^ {128}}$ - result of encryption or decryption of a word $X$ ${\ displaystyle X}$ on the key $\theta :Y=F_{\theta }(X)$ ${\ displaystyle \ theta: Y = F _ {\ theta} (X)}$ or $Y=F_{\theta }^{-1}(X).$ ${\ displaystyle Y = F _ {\ theta} ^ {- 1} (X).}$

Input data for encryption is prepared as follows:

Word $X$ ${\ displaystyle X}$ written as $X=X_{1}\|X_{2}\|X_{3}\|X_{4},X_{i}\in \{0,1\}^{32}.$ ${\ displaystyle X = X_ {1} \ | X_ {2} \ | X_ {3} \ | X_ {4}, X_ {i} \ in \ {0,1 \} ^ {32}.}$
Key $\theta$ ${\ displaystyle \ theta}$ written as $\theta =\theta _{1}\|\theta _{2}\|\theta _{3}\|\theta _{4}\|\theta _{5}\|\theta _{6}\|\theta _{7}\|\theta _{8},\theta _{i}\in \{0,1\}^{32}$ ${\ displaystyle \ theta = \ theta _ {1} \ | \ theta _ {2} \ | \ theta _ {3} \ | \ theta _ {4} \ | \ theta _ {5} \ | \ theta _ { 6} \ | \ theta _ {7} \ | \ theta _ {8}, \ theta _ {i} \ in \ {0,1 \} ^ {32}}$ , and the clock keys are determined $K_{1}=\theta _{1},K_{2}=\theta _{2},K_{3}=\theta _{3},K_{4}=\theta _{4},K_{5}=\theta _{5},K_{6}=\theta _{6},K_{7}=\theta _{7},K_{8}=\theta _{8},K_{9}=\theta _{1},......,K_{56}=\theta _{8}.$ ${\ displaystyle K_ {1} = \ theta _ {1}, K_ {2} = \ theta _ {2}, K_ {3} = \ theta _ {3}, K_ {4} = \ theta _ {4} , K_ {5} = \ theta _ {5}, K_ {6} = \ theta _ {6}, K_ {7} = \ theta _ {7}, K_ {8} = \ theta _ {8}, K_ {9} = \ theta _ {1}, ......, K_ {56} = \ theta _ {8}.}$

Symbols and auxiliary transformations

Conversion $G_{r}:\{0,1\}^{32}\rightarrow \{0,1\}^{32}$ ${\ displaystyle G_ {r}: \ {0,1 \} ^ {32} \ rightarrow \ {0,1 \} ^ {32}}$ matches the word $u=u_{1}\parallel u_{1}\parallel u_{2}\parallel u_{3}\parallel u_{4},u_{i}\in \{0,1\}^{8}$ ${\ displaystyle u = u_ {1} \ parallel u_ {1} \ parallel u_ {2} \ parallel u_ {3} \ parallel u_ {4}, u_ {i} \ in \ {0,1 \} ^ {8 }}$ word

Table 1 - Substitution

H

{\ displaystyle H}

$G_{r}(u)=RotHi^{r}(H(u_{1})\parallel H(u_{2})\parallel H(u_{3})\parallel H(u_{4})).$ ${\ displaystyle G_ {r} (u) = RotHi ^ {r} (H (u_ {1}) \ parallel H (u_ {2}) \ parallel H (u_ {3}) \ parallel H (u_ {4} )).}$

$RotHi^{r}-$ ${\ displaystyle RotHi ^ {r} -}$ cyclic left shift by $r$ ${\ displaystyle r}$ bit.

$H(u)-$ ${\ displaystyle H (u) -}$ the operation of replacing an 8-bit input string by substituting from table 1.

Substitution $H:\{0,1\}^{8}\rightarrow \{0,1\}^{8}$ ${\ displaystyle H: \ {0,1 \} ^ {8} \ rightarrow \ {0,1 \} ^ {8}}$ set by a fixed table. The table uses the hexadecimal representation of words $u\in \{0,1\}^{8}.$ ${\ displaystyle u \ in \ {0,1 \} ^ {8}.}$

$\boxplus$ ${\ displaystyle \ boxplus}$ and $\boxminus -$ ${\ displaystyle \ boxminus -}$ modulo addition and subtraction operations $2^{32}.$ ${\ displaystyle 2 ^ {32}.}$

Encryption

To encrypt a block $X$ ${\ displaystyle X}$ on the key $\theta$ ${\ displaystyle \ theta}$ The following steps are performed:

Install $a\leftarrow X_{1},b\leftarrow X_{2},c\leftarrow X_{3},d\leftarrow X_{4}.$ ${\ displaystyle a \ leftarrow X_ {1}, b \ leftarrow X_ {2}, c \ leftarrow X_ {3}, d \ leftarrow X_ {4}.}$

Calculations on $i-$ ${\ displaystyle i-}$ ohm encryption clock
For $i$ ${\ displaystyle i}$ = 1,2, ..., 8 execute:

one)

b\leftarrow b\oplus G_{5}(a\boxplus K_{7i-6});

{\ displaystyle b \ leftarrow b \ oplus G_ {5} (a \ boxplus K_ {7i-6});}

2)

c\leftarrow c\oplus G_{21}(d\boxplus K_{7i-5});

{\ displaystyle c \ leftarrow c \ oplus G_ {21} (d \ boxplus K_ {7i-5});}

3)

a\leftarrow a\boxminus G_{13}(b\boxplus K_{7i-4});

{\ displaystyle a \ leftarrow a \ boxminus G_ {13} (b \ boxplus K_ {7i-4});}

four)

e\leftarrow G_{21}(b\boxplus c\boxplus K_{7i-3})\oplus \langle i\rangle _{32};

{\ displaystyle e \ leftarrow G_ {21} (b \ boxplus c \ boxplus K_ {7i-3}) \ oplus \ langle i \ rangle _ {32};}

five)

b\leftarrow b\boxplus e;

{\ displaystyle b \ leftarrow b \ boxplus e;}

6)

c\leftarrow c\boxminus e;

{\ displaystyle c \ leftarrow c \ boxminus e;}

7)

d\leftarrow d\boxplus G_{13}(c\boxplus K_{7i-2});

{\ displaystyle d \ leftarrow d \ boxplus G_ {13} (c \ boxplus K_ {7i-2});}

eight)

b\leftarrow b\oplus G_{21}(a\boxplus K_{7i-1});

{\ displaystyle b \ leftarrow b \ oplus G_ {21} (a \ boxplus K_ {7i-1});}

9)

c\leftarrow c\oplus G_{5}(d\boxplus K_{7i});

{\ displaystyle c \ leftarrow c \ oplus G_ {5} (d \ boxplus K_ {7i});}

ten)

a\leftrightarrow b;

{\ displaystyle a \ leftrightarrow b;}

eleven)

c\leftrightarrow d;

{\ displaystyle c \ leftrightarrow d;}

12)

b\leftrightarrow c;

{\ displaystyle b \ leftrightarrow c;}

3. Install

Y\leftarrow b\|d\|a\|c.

{\ displaystyle Y \ leftarrow b \ | d \ | a \ | c.}

4. Return

Y .

{\ displaystyle Y.}

Decryption

To decrypt a block $X$ ${\ displaystyle X}$ on the key $\theta$ ${\ displaystyle \ theta}$ The following steps are performed:

Install $a\leftarrow X_{1},b\leftarrow X_{2},c\leftarrow X_{3},d\leftarrow X_{4}.$ ${\ displaystyle a \ leftarrow X_ {1}, b \ leftarrow X_ {2}, c \ leftarrow X_ {3}, d \ leftarrow X_ {4}.}$
For $i=$ ${\ displaystyle i =}$ 8,7, ..., 1 execute:

one)

b\leftarrow b\oplus G_{5}(a\boxplus K_{7i});

{\ displaystyle b \ leftarrow b \ oplus G_ {5} (a \ boxplus K_ {7i});}

2)

c\leftarrow c\oplus G_{21}(d\boxplus K_{7i-1});

{\ displaystyle c \ leftarrow c \ oplus G_ {21} (d \ boxplus K_ {7i-1});}

3)

a\leftarrow a\boxminus G_{13}(b\boxplus K_{7i-2});

{\ displaystyle a \ leftarrow a \ boxminus G_ {13} (b \ boxplus K_ {7i-2});}

four)

e\leftarrow G_{21}(b\boxplus c\boxplus K_{7i-3})\oplus \langle i\rangle _{32};

{\ displaystyle e \ leftarrow G_ {21} (b \ boxplus c \ boxplus K_ {7i-3}) \ oplus \ langle i \ rangle _ {32};}

five)

b\leftarrow b\boxplus e;

{\ displaystyle b \ leftarrow b \ boxplus e;}

6)

c\leftarrow c\boxminus e;

{\ displaystyle c \ leftarrow c \ boxminus e;}

7)

d\leftarrow d\boxplus G_{13}(c\boxplus K_{7i-4});

{\ displaystyle d \ leftarrow d \ boxplus G_ {13} (c \ boxplus K_ {7i-4});}

eight)

b\leftarrow b\oplus G_{21}(a\boxplus K_{7i-5});

{\ displaystyle b \ leftarrow b \ oplus G_ {21} (a \ boxplus K_ {7i-5});}

9)

c\leftarrow c\oplus G_{5}(d\boxplus K_{7i-6});

{\ displaystyle c \ leftarrow c \ oplus G_ {5} (d \ boxplus K_ {7i-6});}

ten)

a\leftrightarrow b;

{\ displaystyle a \ leftrightarrow b;}

eleven)

c\leftrightarrow d;

{\ displaystyle c \ leftrightarrow d;}

12)

a\leftrightarrow d;

{\ displaystyle a \ leftrightarrow d;}

3. Install

Y\leftarrow c\|a\|d\|b.

{\ displaystyle Y \ leftarrow c \ | a \ | d \ | b.}

4. Return

Y .

{\ displaystyle Y.}

Development of an imitation

Input

The original message of arbitrary length, presented in the form of a bit sequence $X\in \{0,1\}^{*}$ ${\ displaystyle X \ in \ {0,1 \} ^ {*}}$ . If a $X$ ${\ displaystyle X}$ - a non-empty word, then write it in the form: ${\displaystyle X=X_{1}\|X_{2}\|...\|X_{n}},|X_{1}|=|X_{2}|=...=|X_{n-1}|=128,0<|X_{n}|\leq 128$ ${\ displaystyle {\ displaystyle X = X_ {1} \ | X_ {2} \ | ... \ | X_ {n}}, | X_ {1} | = | X_ {2} | = ... = | X_ {n-1} | = 128.0 <| X_ {n} | \ leq 128}$ . If $X$ ${\ displaystyle X}$ - empty then $n=1$ ${\ displaystyle n = 1}$ and $|X_{1}|=0$ ${\ displaystyle | X_ {1} | = 0}$ .
Key $\theta \in \{0,1\}^{256}$ ${\ displaystyle \ theta \ in \ {0,1 \} ^ {256}}$ - a bit sequence of length 256.

Auxiliary Conversions and Variables

Conversions $\phi _{1},\phi _{2}$ ${\ displaystyle \ phi _ {1}, \ phi _ {2}}$ : ${\{0,1\}}^{128}\rightarrow {\{0,1\}}^{128}$ ${\ displaystyle {\ {0,1 \}} ^ {128} \ rightarrow {\ {0,1 \}} ^ {128}}$ that act on the word $u=u_{1}||u_{2}||u_{3}||u_{4},u_{i}\in \{0,1\}^{32}$ ${\ displaystyle u = u_ {1} || u_ {2} || u_ {3} || u_ {4}, u_ {i} \ in \ {0,1 \} ^ {32}}$ - a bit sequence of length 32. Wherein:

$\phi _{1}(u)=u_{2}||u_{3}||u_{4}||(u_{1}\oplus u_{2}),$ ${\ displaystyle \ phi _ {1} (u) = u_ {2} || u_ {3} || u_ {4} || (u_ {1} \ oplus u_ {2}),}$

$\phi _{2}(u)=(u_{1}\oplus u_{4})||u_{1}||u_{2}||u_{3}.$ ${\ displaystyle \ phi _ {2} (u) = (u_ {1} \ oplus u_ {4}) || u_ {1} || u_ {2} || u_ {3}.}$

Display $\psi$ ${\ displaystyle \ psi}$ , which associates a bit sequence of length less than 128, a word of length 128. It operates according to the rule:

$\psi (u)=u||1||0^{127-|u|}$ ${\ displaystyle \ psi (u) = u || 1 || 0 ^ {127- | u |}}$ .

Auxiliary variables $r,s\in \{0,1\}^{256}$ ${\ displaystyle r, s \ in \ {0,1 \} ^ {256}}$ - bit sequences of length 128.

Algorithm for generating an insert

Populate helper variable $s$ ${\ displaystyle s}$ zeros: $s\leftarrow 0^{128}$ ${\ displaystyle s \ leftarrow 0 ^ {128}}$ and set the encryption result $s$ ${\ displaystyle s}$ on this key $\theta \in \{0,1\}^{256}$ ${\ displaystyle \ theta \ in \ {0,1 \} ^ {256}}$ at $r$ ${\ displaystyle r}$ : $r\leftarrow F_{\theta }(s)$ ${\ displaystyle r \ leftarrow F _ {\ theta} (s)}$ .
For each block of the input message $i=1,2,...,n-1$ ${\ displaystyle i = 1,2, ..., n-1}$ execute: $s\leftarrow F_{\theta }(s\oplus X_{i})$ ${\ displaystyle s \ leftarrow F _ {\ theta} (s \ oplus X_ {i})}$ .
If a $|X_{n}|=128$ ${\ displaystyle | X_ {n} | = 128}$ then execute $s\leftarrow s\oplus X_{n}\oplus \phi _{1}(r)$ ${\ displaystyle s \ leftarrow s \ oplus X_ {n} \ oplus \ phi _ {1} (r)}$ otherwise $s\leftarrow s\oplus \psi (X_{n})\oplus \phi _{2}(r)$ ${\ displaystyle s \ leftarrow s \ oplus \ psi (X_ {n}) \ oplus \ phi _ {2} (r)}$ .
Write to $T$ ${\ displaystyle T}$ first 64 bits of a word $F_{\theta }(s)$ ${\ displaystyle F _ {\ theta} (s)}$ : $T\leftarrow L_{64}(F_{\theta }(s))$ ${\ displaystyle T \ leftarrow L_ {64} (F _ {\ theta} (s))}$ .
Return $T$ ${\ displaystyle T}$ .

Hash Algorithm

The hash algorithm is used to calculate the hash value, which can later be used to control data integrity.

Input

The input to the algorithm is a message of arbitrary length, presented in the form of a bit sequence $X\in \{0,1\}^{*}$ ${\ displaystyle X \ in \ {0,1 \} ^ {*}}$ .

The output is the word $Y\in \{0,1\}^{256}$ ${\ displaystyle Y \ in \ {0,1 \} ^ {256}}$ .

For the algorithm to work, the original bit sequence is padded with zeros so that its length is divided by 256, and is represented as follows: $X=X_{1}||X_{2}||...||X_{d},X_{i}\in \{0,1\}^{256}$ ${\ displaystyle X = X_ {1} || X_ {2} || ... || X_ {d}, X_ {i} \ in \ {0,1 \} ^ {256}}$ . We will also need variables $s\in \{0,1\}^{128}$ ${\ displaystyle s \ in \ {0,1 \} ^ {128}}$ and $h\in \{0,1\}^{256}$ ${\ displaystyle h \ in \ {0,1 \} ^ {256}}$ .

Auxiliary Conversions

Let there be a word $u=u_{1}||u_{2}||u_{3}||u_{4},u_{i}\in \{0,1\}^{128}$ ${\ displaystyle u = u_ {1} || u_ {2} || u_ {3} || u_ {4}, u_ {i} \ in \ {0,1 \} ^ {128}}$ .

Define two mappings:

$\sigma _{1}:{\{0,1\}}^{512}\rightarrow {\{0,1\}}^{128},$ ${\ displaystyle \ sigma _ {1}: {\ {0,1 \}} ^ {512} \ rightarrow {\ {0,1 \}} ^ {128},}$

$\sigma _{2}:{\{0,1\}}^{512}\rightarrow {\{0,1\}}^{256},$ ${\ displaystyle \ sigma _ {2}: {\ {0,1 \}} ^ {512} \ rightarrow {\ {0,1 \}} ^ {256},}$

which act on the word $u$ ${\ displaystyle u}$ according to the rules:

$\sigma _{1}(u)=F_{u_{1}||u_{2}}(u_{3}\oplus u_{4})\oplus u_{3}\oplus u_{4},$ ${\ displaystyle \ sigma _ {1} (u) = F_ {u_ {1} || u_ {2}} (u_ {3} \ oplus u_ {4}) \ oplus u_ {3} \ oplus u_ {4} ,}$

$\sigma _{2}(u)=(F_{\theta _{1}}(u_{1})\oplus u_{1})||(F_{\theta _{2}}(u_{2})\oplus u_{2}),$ ${\ displaystyle \ sigma _ {2} (u) = (F _ {\ theta _ {1}} (u_ {1}) \ oplus u_ {1}) || (F _ {\ theta _ {2}} (u_ {2}) \ oplus u_ {2}),}$

Where $\theta _{1}=\sigma _{1}(u)||u_{4}$ ${\ displaystyle \ theta _ {1} = \ sigma _ {1} (u) || u_ {4}}$ , $\theta _{2}=(\sigma _{1}(u)\oplus 1^{128})||u_{3}$ ${\ displaystyle \ theta _ {2} = (\ sigma _ {1} (u) \ oplus 1 ^ {128}) || u_ {3}}$ .

Hash value calculation

Scheme of one iteration of the hashing algorithm

The algorithm is performed in several stages:

Fill the variable $s$ ${\ displaystyle s}$ zeros: $s\longleftarrow 0^{128}$ ${\ displaystyle s \ longleftarrow 0 ^ {128}}$ .
To variable $h$ ${\ displaystyle h}$ write the first two rows of the lookup table $H$ ${\ displaystyle H}$ moving from left to right and from top to bottom: $h\longleftarrow B194BAC80A08F53B366D008E584A5DE48504FA9D1BB6C7AC252E72C202FDCE0D_{16}$ ${\ displaystyle h \ longleftarrow B194BAC80A08F53B366D008E584A5DE48504FA9D1BB6C7AC252E72C202FDCE0D_ {16}}$ .
For each block $X$ $i$ $,$ $i$ $=$ $one$ $,$ $d$ $¯$ {\ displaystyle X_ {i}, i = {\ overline {1, d}}} we perform operations:
1. $s\leftarrow s\oplus \sigma _{1}(X_{i}\|h)$ ${\ displaystyle s \ leftarrow s \ oplus \ sigma _ {1} (X_ {i} \ | h)}$ ;
2. $h\leftarrow \sigma _{2}(X_{i}||h)$ ${\ displaystyle h \ leftarrow \ sigma _ {2} (X_ {i} || h)}$ .
We calculate $Y$ ${\ displaystyle Y}$ : $Y\longleftarrow \sigma _{2}(\langle |X|\rangle _{128}||s||h)$ ${\ displaystyle Y \ longleftarrow \ sigma _ {2} (\ langle | X | \ rangle _ {128} || s || h)}$ .
We return the received value $Y$ ${\ displaystyle Y}$ , which is the hash value of the source text $X$ ${\ displaystyle X}$ .

Belt

Description

Block Encryption

Input and Output

Symbols and auxiliary transformations

Encryption

Decryption

Development of an imitation

Input

Auxiliary Conversions and Variables

Algorithm for generating an insert

Hash Algorithm

Input

Auxiliary Conversions

Hash value calculation

Links

More articles: