In this work, we present new cryptanalytic results on the Ballet block cipher family, a simplified Lai-Massey ARX construction with a linear key schedule, winner of the symmetric algorithm category in the 2018–2020 Chinese National Cryptographic Algorithm Competition. Despite winning the competition, the cipher has received limited attention outside the Chinese Association for Cryptologic Research (CACR) community. We provide the first classical key recovery attacks in the literature, new explicit differential and linear trails (up to 16 rounds for differential, and 16 for linear, while the original paper only provided a bound for 9 rounds), improved impossible differential trails (8 rounds instead of 7), and the first differential-linear analysis of Ballet (up to 20 rounds). Our results lead to key recovery attacks on up to 16 rounds of Ballet-128/128/46, 17 rounds of Ballet-128/256/48 and 22 rounds of Ballet-256/256/74, extending the cryptanalytic understanding of this ARX-based design and contributing new insight into its security margin, an area that the designers themselves note warrants further study.
More Brisés in Ballet: Extending Differential and Linear Cryptanalysis / E. Bellini, G. Bellini, A. De Piccoli, M. Gallone, D. Gerault, Y. Ju Huang, P. Huynh, M. Onger, S. Pelizzola, A. Visconti. - (2026 Apr 29).
More Brisés in Ballet: Extending Differential and Linear Cryptanalysis
A. De Piccoli (co-first author); S. Pelizzola (co-first author); A. Visconti (co-first author)
2026
| File | Size | Format |
|---|---|---|
| 2026-501.pdf (open access; type: pre-print, manuscript submitted to the publisher; license: Creative Commons) | 833.88 kB | Adobe PDF |




