Churning (cipher)
Encyclopedia
Churning is an encryption function used to scramble downstream user data of the ATM
Asynchronous Transfer Mode
Asynchronous Transfer Mode is a standard switching technique designed to unify telecommunication and computer networks. It uses asynchronous time-division multiplexing, and it encodes data into small, fixed-sized cells. This differs from approaches such as the Internet Protocol or Ethernet that...

 passive optical network
Passive optical network
A passive optical network is a point-to-multipoint, fiber to the premises network architecture in which unpowered optical splitters are used to enable a single optical fiber to serve multiple premises, typically 16-128. A PON consists of an optical line terminal at the service provider's central...

 system defined by the ITU
Itu
Itu is an old and historic municipality in the state of São Paulo in Brazil. The population in 2009 was 157,384 and the area is 641.68 km². The elevation is 583 m. This place name comes from the Tupi language, meaning big waterfall. Itu is linked with the highway numbered the SP-75 and are flowed...

 G.983
G.983
ITU-T Recommendation G.983 is a family of recommendations that defines Broadband Passive Optical Network for telecommunications Access networks. It originally comprised ten recommendations, G.983.1 through G.983.10, but recommendations .6–.10 were withdrawn when their content was...

.1 standard.

The standard states that churning "offers a low level of protection for data confidentiality". Cryptanalysis had shown that "the churning cipher is robustly weak".

Algorithm

Churning uses 24 bits of the key, designated X1..X8 and P1..P16.

Ten static K bits are generated from the key:

K1 = (X1*P13*P14) + (X2*P13*not P14) + (X7*not P13*P14) + (X8*not P13*not P14)
K2 = (X3*P15*P16) + (X4*P15*not P16) + (X5*not P15*P16) + (X6*not P15*not P16)
K3 = (K1*P9) + (K2*not P9)
K4 = (K1*not P9) + (K2*P9)
K5 = (K1*P10) + (K2*not P10)
K6 = (K1*not P10) + (K2*P10)
K7 = (K1*P11) + (K2*not P11)
K8 = (K1*not P11) + (K2*P11)
K9 = (K1*P12) + (K2*not P12)
K10 = (K1*not P12) + (K2*P12)

The churning transforms eight Y bits into eight Z bits:

(Z1..Z4) = TransformNibble(Y1..Y4, K1, P1, K3, K2, P2, K4, K1, K3, K5, K2, P4, K6)
(Z5..Z8) = TransformNibble(Y5..Y8, K1, P5, K7, K2, P6, K8, K1, P7, K9, K2, P8, K10)

Cryptanalysis

The cryptanalysis had shown the cipher to be effectively broken in more than one way:
  • the cipher pretends to be using a 24-bit key, but the effective key length is 8 bit, making a full search attack trivial
  • being a substitution cipher
    Substitution cipher
    In cryptography, a substitution cipher is a method of encryption by which units of plaintext are replaced with ciphertext according to a regular system; the "units" may be single letters , pairs of letters, triplets of letters, mixtures of the above, and so forth...

    , churning is easily attacked using the standard attacks against this class of ciphers
  • the churning function is entirely linear, so it can be broken using linear algebra.

Triple churning

Due to extreme weakness of the churning cipher, PON systems frequently use the "triple churning" technique, where the three churning operations are combined with two XORs with adjacent data in the stream.

Sources

  • ITU-T Recommendation G.983.1. Broadband optical access systems based on Passive Optical Networks (PON). 13th of October 1998.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK