Practical Cryptanalysis of the Open Smart Grid Protocol
Abstract
This paper analyses the cryptography used in the Open Smart Grid Protocol (OSGP). The authenticated encryption (AE) scheme deployed by OSGP is a nonstandard composition of RC4 and a homebrewed MAC, the “OMA digest”.
We present several practical key-recovery attacks against the OMA digest. The first and basic variant can achieve this with a mere 13 queries to an OMA digest oracle and negligible time complexity. A more sophisticated version breaks the OMA digest with only 4 queries and a time complexity of about \(2^{25}\) simple operations. A different approach only requires one arbitrary valid plaintext-tag pair, and recovers the key in an average of 144 message verification queries, or one ciphertext-tag pair and 168 ciphertext verification queries.
Since the encryption key is derived from the key used by the OMA digest, our attacks break both confidentiality and authenticity of OSGP.
Keywords
Block Cipher, Message Authentication Code, Forgery Attack, European Telecommunication Standard Institute
1 Introduction

Vaudenay’s 2002 CBC padding oracle attack on MAC-then-encrypt AE modes allows an active adversary to decrypt messages without access to the secret key [30]. This attack stemmed from the authenticity verification leaking whether the decrypted message was adequately padded. Over the years, this strategy has been used quite successfully against TLS [4, 10, 12, 26].

In 2007, an attack [29] on the Wired Equivalent Privacy (WEP) standard, used in many 802.11 Wi-Fi networks, allowed recovery of the secret key within minutes from a few thousand intercepted messages. The attack exploited weaknesses in RC4.

In 2009, Albrecht, Paterson, and Watson [2] exploited a flaw in the SSH protocol and its OpenSSH implementation, when coupled with a block cipher in CBC mode. The attack allowed an adversary to recover 14 plaintext bits with probability \(2^{-14}\) or 32 plaintext bits with probability \(2^{-18}\).

In 2012, a flaw was uncovered in EAX-prime [5], an AE block cipher mode derived from EAX [8], standardized as ANSI C12.22-2008 for Smart Grid applications, and also subject of a forthcoming NIST standard. The flaw facilitates forgery, distinguishing, and message-recovery attacks [25].
In this paper, we investigate another flawed authenticated encryption scheme, which is deployed in the Open Smart Grid Protocol (OSGP) [15]. OSGP is an application layer communication protocol for smart grids built on top of the ISO/IEC 14908-1 protocol stack [21]. It was developed by the Energy Service Network Association (ESNA) and has been a standard of the European Telecommunications Standards Institute (ETSI) since 2012 [1]. According to estimates, over 4 million OSGP-based smart meters and devices are deployed worldwide as of 2015, making OSGP one of the most widely used network protocols for smart grid applications.
Our Results. Table 1 summarises the results of the different attacks on the authenticated encryption scheme of OSGP and also lists the corresponding sections where the attacks are described. While the attacks have various tradeoffs between the number of oracle queries and the computational complexity, each constitutes a complete break of the OSGP AE scheme. We also want to highlight the fact that the attacks from Sect. 3.4 are particularly powerful in the context of the protocol: verification oracles are easy to come across and the attack in its XOR variant does not need to know plaintext at all, since differences can be injected directly into the ciphertext. In other words, this is a practical attack on the AE scheme of OSGP and completely compromises its security.
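Table 1. Required number of queries and expected complexity for the attacks of Sect. 3, with varying time-query trade-off parameter B. The abbreviation KP+ means known-plaintext with common prefix, CP denotes chosen-plaintext, CC stands for chosen-ciphertext, and TG and TV denote tag-generation and tag-verification oracles, respectively.

| Attack | B | Queries | Complexity | Type | Oracle |
|---|---|---|---|---|---|
| Section 3.1 | 1 | 13 | \(2^{3.58}\) | CP | TG |
| Section 3.1 | 2 | 7 | \(2^{10.58}\) | CP | TG |
| Section 3.1 | 3 | 5 | \(2^{18.00}\) | CP | TG |
| Section 3.1 | 4 | 4 | \(2^{25.58}\) | CP | TG |
| Section 3.1 | 5 | 4 | \(2^{33.58}\) | CP | TG |
| Section 3.1 | 6 | 3 | \(2^{41.00}\) | CP | TG |
| Section 3.2 | 1 | 24/13 | \(2^{10.58}\) | KP+/CP | TG |
| Section 3.2 | 2 | 12/7 | \(2^{17.58}\) | KP+/CP | TG |
| Section 3.2 | 3 | 8/5 | \(2^{25.00}\) | KP+/CP | TG |
| Section 3.2 | 4 | 6/4 | \(2^{32.58}\) | KP+/CP | TG |
| Section 3.2 | 5 | 6/4 | \(2^{40.32}\) | KP+/CP | TG |
| Section 3.2 | 6 | 4/3 | \(2^{48.58}\) | KP+/CP | TG |
| Section 3.4 (XOR) | — | \({\approx }168\) | \({\approx }168\) | CP/CC | TV |
| Section 3.4 (Additive) | — | \({\approx }144\) | \({\approx }144\) | CP | TV |
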
Outline. The paper is organised as follows. Section 2 introduces notation and the cryptographic infrastructure used in the Open Smart Grid Protocol. In Sect. 3, we give a detailed analysis of the said AE scheme. We start with some basic attacks that already allow recovery of the entire secret key but are not feasible within the scope of the protocol. Building on these, we describe further improvements which eventually allow us to mount fast forgery attacks on the OSGP AE scheme and to recover the complete secret key, in this case entirely within the context of the protocol. Finally, Sect. 4 concludes the paper.
2 Preliminaries
2.1 Notation
An n-bit string x is an element of \(\{0,1\}^n\). For \(n = 8\) we call x a byte. The size of x in bits is denoted by \(\vert x \vert \). Concatenation of bit strings is denoted by \(\parallel \). Given a vector of bit strings \((x_0,\dots ,x_{n-1})\), we denote by \(x_{i,j}\) the j-th bit of the i-th word where \(0 \le i \le n-1\). When interpreting bit strings as integers we always use little-endian format and denote them in hexadecimal format using typewriter font. A bit string consisting of n zeros is denoted by \(0^{n}\). A cyclic rotation of a bit string x by m bits to the left and right is denoted by \(x \lll m\) and \(x \ggg m\), respectively. The difference of two bit strings x and \(x'\) with respect to XOR is denoted by \(\varDelta {x}\), whereas a difference with respect to addition modulo \(2^n\) is denoted by \(\varDelta ^\boxminus x\).
2.2 The Cryptographic Infrastructure of OSGP
The OSGP AE scheme is based on three algorithms: the EN 14908 algorithm^{1}, the stream cipher RC4 and the so-called OMA digest, a message authentication code (MAC). These three algorithms are combined in a mixture of the generic composition [7] approaches MAC-and-encrypt and MAC-then-encrypt to form an authenticated encryption scheme, see again Fig. 1. We note that, while the OMA digest is described in the OSGP specification [15], public information on the EN 14908 algorithm, specified in ISO/IEC 14908-1 [21], is hard to come by. All information on the latter was retrieved from the OSGP specification [15] and the related standard ISO/IEC CD 14543-6-1 [20, p. 232] which, like ISO/IEC 14908-1 and a few other standards [6, 19, 28], is also a direct descendant of LonTalk [13].
The security of OSGP’s AE scheme depends on the 96-bit Open Media Access Key (OMAK) \(k = k_1 \parallel k_0\) from which all other key material is derived. The OMAK is usually unique to a device but not hard-coded and can be changed, often to be shared with other devices under the same concentrator [15, Sect. 7.1]. Two things are derived from the OMAK: firstly, a so-called Base Encryption Key (BEK) \(k' = k'_1 \parallel k'_0\) is computed [15, Sect. 7.3] which is a 128-bit key forming the basis for the RC4 encryption key. The BEK is constructed^{2} using the EN 14908 algorithm which appears to have been the basis for the OMA digest but uses smaller 48-bit keys and processes message bytes in reversed order. The EN 14908 algorithm is applied to each of the halves \(k_0\) and \(k_1\) of the OMAK and the two constants \(x_0\) = {81, 3F, 52, 9A, 7B, E3, 89, BA} and \(x_1\) = {72, B0, 91, 8D, 44, 05, AA, 57}. The two 64-bit results are then concatenated to form \(k'\), see Fig. 1. Note that the BEK only depends on the OMAK and is thus fixed as long as k remains unchanged.
After the tag generation, t is XORed into the lower half of the BEK \(k'\) which then produces the final 128-bit RC4 encryption key \(k'' = k'_1 \parallel (k'_0 \oplus t)\), see again Fig. 1. This measure is intended to provide RC4 with ever-changing key material, thus producing a fresh keystream with every new message, since, according to the OSGP specification, the sequence number n, which is appended to m, is continuously increased.
Sequence numbers are shared between sender and receiver in OSGP. The receiver of a message verifies that the correct sequence number was appended to the latter. Messages with sequence numbers in the range \(\{n,\dots ,n+8\}\) are accepted as valid requests. If a message with sequence number \(n-1\) is received, then the recipient does not execute the request but instead resends the answer of the (previously executed) request of number \(n-1\). Sequence numbers outside of this range trigger an error and the OSGP device replies with a failure code and the correct sequence number. More details on the handling of sequence numbers can be found in [15, Sect. 9.7].
After the setup phase is finished, \(k''\) is used to encrypt \(m \parallel n\) via RC4 to obtain the ciphertext c. Finally, \(c \parallel t\) is transmitted. Messages \(m \parallel n\) processed in OSGP are allowed to have a maximum size of 114 bytes [15, Sect. 9.2]. This complicates some attacks that require up to 136-byte messages. Nevertheless, we will also describe scenarios that respect this message size limit.
3 Analysis
OSGP uses RC4 for encryption without discarding any initial bytes. RC4 has known statistical key and plaintext-recovery attacks, and these have been shown to be practically feasible [3, 16, 17, 18, 27, 29, 31]. However, in this work we do not focus on RC4, but instead on the OMA digest, see Algorithm 1.
3.1 Chosen-Plaintext Key Recovery Attacks
Let \(a = (a_0,\dots ,a_{7})\) denote the 8-byte internal state of the OMA digest. The attacks discussed below use chosen 144-byte messages \(m = m_0 \parallel \dots \parallel m_{143}\)^{3}, and exploit differential weaknesses in the OMA digest.
Bytewise Key Recovery. Analysing the above attack more thoroughly, we noticed that we can recover one key byte at a time by injecting the input difference \(\mathtt{80}\) into the message a couple of steps earlier. This reduces the number of queries and the workload of the attack drastically. In other words, we will show how to reconstruct the entire OMAK with only \(12+1\) chosen-plaintext queries.

| \(i = 17,\dots ,6\) | \(\varDelta a_0\) | \(\varDelta a_1\) | \(\varDelta a_2\) | \(\varDelta a_3\) | \(\varDelta a_4\) | \(\varDelta a_5\) | \(\varDelta a_6\) | \(\varDelta a_7\) |
|---|---|---|---|---|---|---|---|---|
| \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) |
| \(m_{8i-9}\) | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
| \(m_{8i-8}\) | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 80 |
| \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) |
| \(m_{8i-1}\) | 80 | 80 | 80 | 80 | 80 | 80 | 80 | 80 |
| \(m_{8i}\) | 80 | 80 | 80 | 80 | 80 | 80 | 80 | \(\varDelta x_7\) |
| \(m_{8i+1}\) | 80 | 80 | 80 | 80 | 80 | 80 | \(\varDelta x_6\) | \(\varDelta x_7\) |
| \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) | \(\dots \) |
| \(m_{8i+7}\) | \(\varDelta x_0\) | \(\varDelta x_1\) | \(\varDelta x_2\) | \(\varDelta x_3\) | \(\varDelta x_4\) | \(\varDelta x_5\) | \(\varDelta x_6\) | \(\varDelta x_7\) |

1. \(k_{i \bmod 12,0} = \text{lsb}(\varDelta x_7) \oplus \text{lsb}(\mathtt{80})\)
2. \(k_{i \bmod 12,1} = \text{lsb}(\varDelta x_6) \oplus \text{lsb}(\varDelta x_7)\)
3. \(k_{i \bmod 12,2} = \text{lsb}(\varDelta x_5) \oplus \text{lsb}(\varDelta x_6)\)
4. \(k_{i \bmod 12,3} = \text{lsb}(\varDelta x_4) \oplus \text{lsb}(\varDelta x_5)\)
5. \(k_{i \bmod 12,4} = \text{lsb}(\varDelta x_3) \oplus \text{lsb}(\varDelta x_4)\)
6. \(k_{i \bmod 12,5} = \text{lsb}(\varDelta x_2) \oplus \text{lsb}(\varDelta x_3)\)
7. \(k_{i \bmod 12,6} = \text{lsb}(\varDelta x_1) \oplus \text{lsb}(\varDelta x_2)\)
8. \(k_{i \bmod 12,7} = \text{lsb}(\varDelta x_0) \oplus \text{lsb}(\varDelta x_1)\)
3.2 Known-Plaintext Key Recovery Attack
The second attack is not differential in nature and requires a weaker attacker. We only assume in the following that the attacker is able to capture plaintexts with a common prefix of various lengths. This may be feasible by, e.g., capturing repeated messages with different sequence numbers.
This attack relies uniquely on the OMA digest’s invertibility, as seen in Algorithm 2. The basic idea here is to have two messages, m and \(m'\) that are equal except in the last r bytes; partially reversing the final state of m by r iterations, then using that state to process the final bytes of \(m'\) should only happen when the (guessed) key bits used in those iterations are correct. This does not always happen, but it reduces the keyspace to virtually one or two guesses per key byte. The concrete realisation of the attack is also described in Algorithm 6.
3.3 Optimizing the Attacks
The attacks of Sects. 3.1 and 3.2 have an obvious generalization that trades queries for computation time. This is also a consequence of the OMA digest’s reversibility.
Let \(B \ge 1\) be the number of key bytes to recover per query; the attack from Sect. 3.2 generalizes trivially to any B, by guessing B adjacent key bytes per query, at an average cost of \(\left\lceil \frac{12}{B} \right\rceil + 1\) queries and \(\left\lceil \frac{12}{B} \right\rceil 2^{8B - 1}\) operations^{4}.
The method from Sect. 3.1 also generalizes well to any B, by guessing the last \(B-1\) bytes and recovering the first one by injecting a difference. Its average cost is \(\left\lceil \frac{12}{B} \right\rceil + 1\) queries and \(\left\lceil \frac{12}{B} \right\rceil 2^{8(B-1) - 1}\) operations. We note that for \(B \ge 2\) the messages used in either case need not be longer than 113 bytes, bypassing OSGP’s restriction on message sizes.
3.4 Forgeries and a Third Key-Recovery Attack
Forgeries in the OMA digest are possible by exploiting the differential properties described in Sect. 3.1. To this end, we first explore XOR differentials and afterwards describe attacks using additive differentials.
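
| \(k_{i+1 \bmod 12,j}\) | 0 | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
|---|---|---|---|---|---|---|---|---|---|---|
| \(\varDelta x\) | C0 | 40 | 01 | 03 | 07 | 0F | 1F | 3F | 7F | FF |
| \(\log _2 p\) | \(-1\) | \(-1\) | \(-1\) | \(-2\) | \(-3\) | \(-4\) | \(-5\) | \(-6\) | \(-7\) | \(-7\) |

Thus, choosing \(\varDelta x \in \) {C0, 40, 01} has a probability of about 1/4 of creating a valid forgery, assuming a uniformly random key bit.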
Forgeries Using Additive Differentials. Injecting additive differences is also useful to get a wider range of possible high-probability differences, since every operation in the OMA digest, with the exception of the cyclic rotation, has additive differential probability 1^{5}.

| \((\alpha , \beta )\) | p |
|---|---|
| (0, 0) | \(2^{-8}(2^7 - {\varDelta ^\boxminus x}_R)(2 + {\varDelta ^\boxminus x}_L)\) |
| (0, 1) | \(2^{-8}{\varDelta ^\boxminus x}_R(2 - {\varDelta ^\boxminus x}_L - 1)\) |
| (1, 0) | \(2^{-8}(2^7 - {\varDelta ^\boxminus x}_R){\varDelta ^\boxminus x}_L\) |
| (1, 1) | \(2^{-8}{\varDelta ^\boxminus x}_R({\varDelta ^\boxminus x}_L + 1)\) |

Similar remarks apply to the rotation by 7 case. By choosing \(\varDelta ^\boxminus x\) carefully, one can maximize the probability of \(\varDelta ^\boxminus y\) as well, as also previously exploited by Daum [11]. For instance, choosing the difference \(\varDelta ^\boxminus x = \mathtt{02}\), one obtains \(\varDelta ^\boxminus y \in \) {01, FC, 81, FB, FD}, with respective probabilities \(\{127/256,126/256,1/256,1/256,1/256\}\). Therefore, one can expect 2 queries to be sufficient over \({\approx }98\,\%\) of the time with this method.
Using Forgeries for Key Recovery. Such a high-probability forgery attack, dependent on the value of key bits, gives us yet another attack vector for key recovery. This attack is much simpler than the previous ones, and unlike those it does not need to work “right to left” on the message bytes: given a known plaintext, inject \((\mathtt{02}, \mathtt{02}, \varDelta ^\boxminus y)\) and query a verification oracle. If the forged message is validated, recover the key bit corresponding to \(m_{i+8}\) by looking up which \(\varDelta ^\boxminus y\) corresponds to which key bit. This process can be repeated 96 times to recover the entire key.
Additionally, this attack can work even over ciphertext, by using the XOR-differences (80, 80, \(\varDelta x\)) with \(\varDelta x \in \) {40, C0, 01}. The approach here is the same, albeit requiring a few more queries, but it can be applied over unknown ciphertext encrypted with RC4, as is the case with OSGP. The attack thus completely breaks not only the OMA digest, but also the entire cryptographic security of OSGP.
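Seen from the receiving device, the verification-oracle attacks of this section appear as a run of rejected tags mixed with accepted messages. The following added example (not code from the paper or from the OSGP specification) flags such runs in a constructed event list; the event format, the device names, the 10-minute window and the threshold of 8 rejected tags are all assumptions.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, NamedTuple


class VerifyEvent(NamedTuple):
    """One tag-verification result as a receiver might log it (assumed format)."""
    ts: float      # seconds since start of capture
    device: str    # identifier of the receiving device (constructed)
    tag_ok: bool   # True if the received tag verified


WINDOW_S = 600.0   # assumption: 10-minute sliding window
MAX_FAILURES = 8   # assumption: far below the ~144/168 queries of Sect. 3.4


def flag_verification_bursts(events: Iterable[VerifyEvent],
                             window_s: float = WINDOW_S,
                             max_failures: int = MAX_FAILURES) -> Dict[str, dict]:
    """Return, per device, the first moment the number of rejected tags inside
    the sliding window exceeded max_failures, with the window's counts."""
    window = defaultdict(deque)   # device -> events currently inside the window
    alerts: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = window[ev.device]
        q.append(ev)
        # Drop events that have fallen out of the window.
        while ev.ts - q[0].ts > window_s:
            q.popleft()
        failures = sum(1 for e in q if not e.tag_ok)
        if failures > max_failures and ev.device not in alerts:
            # Accepted messages in the same window are reported as well:
            # a device with a wrong key rejects everything, whereas oracle
            # probing mixes rejected and accepted messages.
            alerts[ev.device] = {"ts": ev.ts,
                                 "failures": failures,
                                 "accepted": len(q) - failures}
    return alerts


def constructed_events() -> List[VerifyEvent]:
    """Constructed sample data, not taken from any real capture."""
    events = []
    # meter-A: one message per minute for an hour, two isolated rejected tags.
    for i in range(60):
        events.append(VerifyEvent(60.0 * i, "meter-A", i not in (10, 45)))
    # meter-B: one message every 5 s, every second one rejected.
    for i in range(40):
        events.append(VerifyEvent(1000.0 + 5.0 * i, "meter-B", i % 2 == 1))
    return events


if __name__ == "__main__":
    for device, info in flag_verification_bursts(constructed_events()).items():
        print(device, info)
```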
3.5 Extension of the OSGP Analysis to Other Standards
The EN 14908 algorithm, used in OSGP for key derivation and quite similar to the OMA digest, is also used in other LonTalk-derived standards for authentication [6, 13, 19, 20, 21, 28]. We found evidence that the foundations of the technology (presumably also including the EN 14908 algorithm) were laid in 1988 [24, p. 3]. LonTalk was estimated to be implemented in over 90 million devices as of 2010 [14]. Given that the EN 14908 algorithm has a 48-bit key, it is already broken by design. That said, the attacks described in the previous sections can be adapted to key recovery attacks on the EN 14908 algorithm—likely present in every other LonTalk-derived standard—in much less than \(2^{48}\) work.
4 Conclusion
We have presented a thorough analysis of the OMA digest specified in OSGP. This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever. We described multiple attacks having different levels of applicability in the context of OSGP. The forgery attacks presented in Sect. 3.4 are among the most powerful and practical, and allow retrieval of the 96-bit secret key in a mere 144 and 168 chosen-plaintext queries to a tag-verification oracle, exploiting the very slow propagation of additive and XOR-differences in the OMA digest. We also described how the latter variant can work as a ciphertext-only attack, making it even more devastating. For easier verifiability, we implemented the attacks of Sect. 3 in the Python language; the code is listed in Appendix A.
In summary, the work at hand is another entry in the long list of examples of flawed authenticated encryption schemes, and shows once more how easily a determined attacker can break the security of protocols based on weak cryptography.
Footnotes
1. The OSGP specification describes EN 14908 as an encryption algorithm, but it is clearly nothing of the sort. We therefore only talk about the EN 14908 algorithm in this work.
2. The OSGP specification is rather unclear on how the BEK is derived. The presented description is based on our investigations also involving other standards [20, p. 232]. The key observation here is that the BEK is derived from the OMAK. The concrete realisation is not too important, though, and is only described for the sake of completeness.
3. For simplicity, we use 144-byte messages throughout this section. Note, however, that the presented attacks use messages which are never longer than 136 bytes.
4. An “operation” here is taken to mean at most the cost of an OMA digest evaluation over a message.
5. Note that \(\lnot x = x \oplus \mathtt{FF} = -x - 1\).
Acknowledgments
Our results were fully disclosed to the members of OSGP Alliance, who acknowledged our findings on the OSGP standard, in November 2014. We would like to thank Jean-Philippe Aumasson, Tanja Lange and Ilia Polian for helpful discussions during our work.
References
1. Approval of OSGP as an ETSI Standard (2012). http://www.etsi.org/newsevents/news/382newsrelease18january2012
2. Albrecht, M.R., Paterson, K.G., Watson, G.J.: Plaintext recovery attacks against SSH. In: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, SP 2009, pp. 16–26. IEEE Computer Society (2009)
3. AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS. In: King, S.T. (ed.) Proceedings of the 22th USENIX Security Symposium, Washington, DC, USA, 14–16 August 2013, pp. 305–320. USENIX Association (2013)
4. AlFardan, N.J., Paterson, K.G.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, 19–22 May 2013, pp. 526–540. IEEE Computer Society (2013). http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=6547086
5. ANSI: Protocol Specification For Interfacing to Data Communication Networks. ANSI C12.22-2008, American National Standards Institute, January 2009
6. ANSI: Control Network Protocol Specification. ANSI/CEA-709.1-C, American National Standards Institute, December 2010
7. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)
8. Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004)
9. Bernstein, D.J.: Cryptographic competitions – Disasters (2014). http://competitions.cr.yp.to/disasters.html. Accessed 27 January 2014
10. Canvel, B., Hiltgen, A.P., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL/TLS channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003)
11. Daum, M.: Cryptanalysis of Hash functions of the MD4-family. Ph.D. thesis, Ruhr University Bochum, May 2005. http://wwwbrs.ub.ruhrunibochum.de/netahtml/HSS/Diss/DaumMagnus/
12. Duong, T., Rizzo, J.: Here Come The \(\oplus \) Ninjas (Unpublished, May 2011)
13. Echelon Corporation: LonTalk Protocol Specification, version 3.0 (1994)
14. Echelon Corporation: 90 Million Energy-Aware LonWorks Devices Worldwide (2010). http://www.businesswire.com/news/home/20100412005544/en/90MillionEnergyAwareLonWorksDevicesWorldwide
15. ETSI: Open Smart Grid Protocol (OSGP). Reference DGS/OSG-001, European Telecommunications Standards Institute, Sophia Antipolis Cedex - France, January 2012. http://www.osgp.org/
16. Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001)
17. Fluhrer, S.R., McGrew, D.A.: Statistical analysis of the alleged RC4 keystream generator. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 19–30. Springer, Heidelberg (2001)
18. Gupta, S.S., Maitra, S., Paul, G., Sarkar, S.: (Non-)Random sequences from (non-)random permutations - analysis of RC4 stream cipher. J. Cryptology 27(1), 67–108 (2014)
19. IEEE: Draft Standard for Communications Protocol Aboard Passenger Trains. IEEE P1473/D8, July 2010. http://ieeexplore.ieee.org/servlet/opac?punumber=5511471
20. ISO: Information Technology – Interconnection of Information Technology Equipment – Home Electronic System (HES) Architecture – Medium-independent Protocol Based on ANSI/CEA-709.1-B. ISO/IEC CD 14543-6-1:2006, International Organization for Standardization (2006). http://hesstandards.org/doc/SC25_WG1_N1229.pdf
21. ISO: Information Technology - Control Network Protocol - Part 1: Protocol Stack. ISO/IEC 14908–1:2012, International Organization for Standardization, Geneva, Switzerland (2012)
22. Kursawe, K., Peters, C.: Structural Weaknesses in the Open Smart Grid Protocol. Cryptology ePrint Archive, Report 2015/088 (2015). https://eprint.iacr.org/2015/088
23. Lipmaa, H., Moriai, S.: Efficient algorithms for computing differential properties of addition. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 336–350. Springer, Heidelberg (2002)
24. LonMark International: LON and BACnet: History and Approach. http://www.lonmark.org/connection/presentations/2012/Q2/LightBuilding/06+LON+and+BACnet+History+andNewron+System.pdf
25. Minematsu, K., Lucks, S., Morita, H., Iwata, T.: Attacks and security proofs of EAX-prime. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 327–347. Springer, Heidelberg (2014)
26. Möller, B., Duong, T., Kotowicz, K.: This POODLE Bites: Exploiting The SSL 3.0 Fallback, October 2014. https://www.openssl.org/bodo/sslpoodle.pdf
27. Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Discovery and exploitation of new biases in RC4. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 74–91. Springer, Heidelberg (2011)
28. Standardization Administration of China: Control Network LONWORKS Technology Specification – Part 1: Protocol Specification. GB/Z 20177.1-2006 (2006)
29. Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 s. In: Kim, S., Yung, M., Lee, H.-W. (eds.) WISA 2007. LNCS, vol. 4867, pp. 188–202. Springer, Heidelberg (2008)
30. Vaudenay, S.: Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–546. Springer, Heidelberg (2002)
31. Vaudenay, S., Vuagnoux, M.: Passive–only key recovery attacks on RC4. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 344–359. Springer, Heidelberg (2007)