Practical Cryptanalysis of the Open Smart Grid Protocol



This paper analyses the cryptography used in the Open Smart Grid Protocol (OSGP). The authenticated encryption (AE) scheme deployed by OSGP is a non-standard composition of RC4 and a home-brewed MAC, the ``OMA digest''.

We present several practical key-recovery attacks against the OMA digest. The first and basic variant can achieve this with a mere 13 queries to an OMA digest oracle and negligible time complexity. A more sophisticated version breaks the OMA digest with only 4 queries and a time complexity of about 225 simple operations. A different approach only requires one arbitrary valid plaintext-tag pair, and recovers the key in an average of 144 \emph{message verification} queries, or one ciphertext-tag pair and 168 \emph{ciphertext verification} queries.

Since the encryption key is derived from the key used by the OMA digest, our attacks break both confidentiality and authenticity of OSGP.


secret-key cryptography, cryptanalysis, smart grid, authenticated encryption




Fast Software Encryption 2015 2015


Cited by

Year 2015 : 3 citations

 Linus Feiten and Matthias Sauer. "Extracting the RC4 secret key of the Open Smart Grid Protocol (OSGP)." In 2015 Industrial Control System Security (ICSS) Workshop.

 Jakob Jakobsen and Claudio Orlandi. "On the CCA (in)security of MTProto." Cryptology ePrint Archive, Report 2015/1177. 2015.

 Klaus Kursawe and Christiane Peters. "Structural Weaknesses in the Open Smart Grid Protocol." Cryptology ePrint Archive, Report 2015/088, 2015.