The Brokenness of Tea-1: A Cautionary Tale of Export Restrictions and Cryptographic Vulnerabilities

In the world of cryptography, a protocol's strength is often measured by its ability to withstand brute-force attacks. However, even with the best security measures in place, vulnerabilities can still exist. This is precisely what happened with the Tea-1 protocol, which was used in the 1990s. The protocol, designed to be more liberal and exportable than other cryptographic protocols, was ultimately broken due to a combination of factors, including export restrictions and design flaws.

One of the key weaknesses of the Tea-1 protocol was its truncation method. The protocol's implementation allowed for the selection of 32-bit keys from an 80-bit input key. While this may seem like a reasonable compromise, it proved to be a fatal flaw. By selecting only 32 bits from the original 80-bit key, the protocol created a vulnerability that could be exploited by malicious actors. In particular, the truncation method made it possible for attackers to use brute force to try all possible combinations of the truncated key, effectively rendering the protocol insecure.

The impact of this weakness was exacerbated by the export restrictions that were in place at the time. The US government had imposed limits on the size of cryptographic keys that could be exported to certain countries, including Iran. This restriction allowed for the creation of a modified version of the Tea-1 protocol, which was deemed acceptable for export. However, this modification also introduced an additional vulnerability, as it revealed the truncated key to be only 32 bits in length. This lack of transparency and oversight enabled malicious actors to exploit this weakness, rendering the protocol even more insecure.

The discovery of these vulnerabilities was made possible by a team of researchers who reverse-engineered the Tea-1 protocol. These experts were able to identify the weaknesses in the protocol's design and implement a fix, which has since been widely adopted. The fact that this vulnerability went undetected for so long serves as a reminder of the importance of rigorous testing and security protocols.

The case of Tea-1 highlights the need for caution when designing cryptographic protocols. Even with the best intentions, flaws can be introduced through design or implementation errors. Furthermore, export restrictions and lack of transparency can exacerbate these weaknesses, enabling malicious actors to exploit them. The discovery of this vulnerability also underscores the importance of continuous security testing and scrutiny.

The experience of Tea-1 has significant implications for organizations that rely on cryptographic protocols. These protocols are often used in critical systems, such as financial transactions or secure communication networks. If even a seemingly secure protocol like Tea-1 can be broken, it is likely that other protocols are also vulnerable to similar weaknesses. This underscores the need for ongoing security testing and monitoring to identify potential vulnerabilities before they can be exploited.

The story of Tea-1 also raises questions about the motivations behind design decisions. In this case, the truncated key was used in an attempt to limit the size of the key that could be exported. However, this modification introduced a vulnerability that was not immediately apparent. This highlights the importance of considering all potential consequences when designing cryptographic protocols.

The discovery of vulnerabilities like those found in Tea-1 also underscores the value of collaboration and expertise. The team of researchers who reverse-engineered the protocol were able to identify weaknesses that had gone undetected for years. Their work serves as a reminder that even in the world of cryptography, expertise and collaboration are essential for identifying and addressing potential vulnerabilities.

In conclusion, the case of Tea-1 highlights the importance of rigorous testing, security protocols, and transparency when designing cryptographic protocols. The discovery of weaknesses in this protocol underscores the need for ongoing security monitoring and scrutiny to identify potential vulnerabilities before they can be exploited. As organizations continue to rely on cryptographic protocols, it is essential that they prioritize security and take proactive steps to address any identified vulnerabilities.

The story of Tea-1 also serves as a cautionary tale about the importance of considering all potential consequences when designing cryptographic protocols. The truncated key was used in an attempt to limit the size of the key that could be exported, but this modification introduced a vulnerability that was not immediately apparent. This highlights the need for careful consideration and testing during the design process.

In addition, the discovery of vulnerabilities like those found in Tea-1 underscores the value of collaboration and expertise. The team of researchers who reverse-engineered the protocol were able to identify weaknesses that had gone undetected for years. Their work serves as a reminder that even in the world of cryptography, expertise and collaboration are essential for identifying and addressing potential vulnerabilities.

The impact of this vulnerability was exacerbated by the lack of scrutiny and oversight. The US government's export restrictions allowed for the creation of a modified version of the Tea-1 protocol, which revealed additional weaknesses. This lack of transparency enabled malicious actors to exploit these vulnerabilities, rendering the protocol even more insecure.

Fortunately, the discovery of these vulnerabilities led to improvements in the protocol. The authors of the modified protocol took steps to address the weaknesses and implement fixes. These efforts demonstrate the importance of proactive security measures and ongoing testing to identify potential vulnerabilities before they can be exploited.

In the world of cryptography, security is an ongoing concern. Even with the best protocols in place, vulnerabilities can still exist. The case of Tea-1 highlights the need for careful consideration, rigorous testing, and transparency when designing cryptographic protocols. By prioritizing these factors, organizations can ensure that their critical systems remain secure and resilient to potential threats.

"WEBVTTKind: captionsLanguage: enrecently um a couple of researchers have found a a big hack in Tetra which is a system for radio um that is used all over the world um for security critical operations police forces military apparatus but also critical infrastructure Like Trains dams electricity Nets you know important stuff so this should be like encrypted and really heavily secure exactly you want it to be secure you want people not to know what the communication is you don't want criminals for example knowing what the police are saying to each other and you don't want people to be able to insert messages you don't want people to send a message saying open the floodgates Tetra is a proprietary standard supported by a European Institute called Etsy a standards Institute and I think it's a strange choice to have a proprietary standard and I think I can explain to you why this is also a point that the people um that found the vulnerabilities are are very strongly making themselves as well the well-known algorithms like AES or all the big ones we all know how they work right the schematics are available online someone can implement it and then you can check whether the implementation follows the design and everyone around the world can have a look at the design and see if there's any security flaws and the answer isn't always going to be no typically people will eventually find some weaknesses and sometimes they will find big flaws and if this is the case we can update the standard we can make the changes appropriately and criminals have a short time window in which they can potentially exploit it but it won't be the case that there's a massive gap for for decades that no one seems to know about and that's exactly what happened in in this case Tetra is used for networks that are built out of radio stations so you don't want to rely on the internet but you want to have your own radio stations and they're communicating with each other potentially relaying messages as well and this is of course very useful for the applications that we just talked about right you don't want the police to suddenly be unable to communicate to each other or to the station when the internet goes down or when there's an emergency and the broad you know the bandwidth is is sucked up by people sending messages you want your own separate system similarly for the critical infrastructures I just talked about you don't want to rely on internet connectivity you want to have your own system and as we discussed we want this to be secure now this is exactly what it is it's a system proprietary and in order to keep the algorithm a secret manufacturers had to sign a non-disclosure agreement before they got the specifications they then had to implement the algorithm either on Hardware or on software but then make sure that it's not possible to reverse engineer it now I say it's not possible of course it's possible right um all you can really ask is that they make it very difficult to reverse Engineers the three guys involved are Carlo Mayes voterbox and yours vetsels where are they from anywhere uh they might be from the same country as we but that's a total coincidence um but at least I can pronounce their names um so they spent quite a bit of time and effort reverse engineering the protocols and the the implementation thereof because of course there's multiple manufacturers all it really takes is one manufacturer to not quite secure the system as well as they should have in terms of being able to reverse engineer it so they were able to find a machine with an implementation that had some weaknesses that were exposing bits and Bulbs of the internal workings and they were able to exploit that to to find out what the code is what the algorithms are and then step two they analyzed it and what I found was not very good they found a whole list of weaknesses and vulnerabilities several of which were bad but two of which were really really bad so I'm going to be talking about the two that are really really bad um so the first one is a vulnerability that exists across all implementations of tetra later on we're going to talk be talking about one specific implementation but this one is true for all of them which is why I would say this is the worst one um so all cryptographic Primitives used in ETC are proprietary and they're all Stream ciphers So a stream Cipher is one of two major types of symmetric encryption one is the block Cipher the analogy is um you're chopping a file up into bits and pieces and then scrambling them together and your secret key tells you how you scramble it but also how you unscramble it a scream Cipher is different and a key is used to generate a long stream of bits and this stream of bits can then be used as a so-called one-time pad so how does that work well let's start with a naive stream Cipher so we have some key and we're using this key as input to some magic box and then the magic box outputs a stream of bits let's call them b0 B1 Etc then we have a message our message of course is digital so this is also a sequence of bits let's call them m0 M1 Etc what we can then do is we can take the bitwise exclusive or and what that does is it combines the bits in a in a reversible way such that we get a secret message this is our ciphertext and so the ciphertext will then be c0 C1 Etc where the bit CI is simply determined by taking the ith bit from the bit stream and the if bit of the message and taking the xor now the xor is a bitwise operation so if we have zero X or zero what it does is it Compares them and if they are the same the output will be zero but if they are different the output will be 1. another way to think about it is that we have a message M and the bits B and the bits determine whether or not we're flipping the bit right so if this is our original message we say we have a 0 x or zero we're not flipping the bit so we're keeping zero one so we're zero well we have a one we're not flipping it because it's zero so we remain one all we have zero but now we accelerate with one which means we flipped a bit so a zero becomes a one and a one becomes a zero that's how you can think about it now obviously if you xor a message twice with the same bit string you get your original message back and this is of course exactly what we want so in other words we can get our message back by taking our ciphertext and applying the same stream Cipher so now all we need to do to communicate in secret with each other is make sure that we agree on the same bitstream there's the same key in this case right because the key is generating the bitstream um and we both have the same one so I X over it with the bitstream you take that result xor it as well and now we agree on the same message and we've communicated to each other in secret can you see potentially a problem here the case the the problem surely the key how you generate that thing if if you don't get that key right so no it's not how you generate the key it's actually how you use the key okay because let's say that I'm running the same protocol tomorrow what will the bit stream be the same it will be exactly the same and this is of course a massive problem because I can take the two Cipher texts and xor them with each other and the bit streams will cancel out and the result will be the xor of the two messages in other words if I have two Cipher texts with the same bit stream we get let's say m i xor bi that's m is our first message and then we accelerate with the other ciphertext let's call it m Prime I sore bi well xor you can move the things around just like with a plus so we can move these two together and they will cancel out so the result will be MI xor M Prime I which means that if I know something about M Prime I I know something about Mi right so I can use this as a this is called a decryption Oracle and so if I can manipulate the values of M Prime I can learn the values of M and this is a big problem this is one of the worst things that can happen so instead of using a single input we need to use two inputs the other input being a so-called initialization Vector this is not a secret unlike the key but it's a fixed value that changes every time you use it so both parties will know if we're using the stream Cipher in this context this will be the IV and this is immutable so that means that I cannot manipulate the IV to be the same tomorrow as it will be today so we're guaranteed to end up with a different bit string now I think you can see where I'm going with this the implementation of tetra doesn't do this correctly what it uses for the initialization Vector is some information that can be found in the data frames that are used in the protocol so in particular it will be a sequence number relating to the frame as well as the current time and some other information that's not so relevant now what the attacker can do to trick the system is they can reset the um sequence number because the sequence number increments every time people communicate so I can just come up with a sequence number that was used in the past and the system thinks oh something must have gone wrong and then resets to that point something it shouldn't be doing but it will and that means that now the same initialization Vector can be forced by the attacker to be used by the system which means stream reuse and this is a total break right it means that we can pretty much read everything insert messages do whatever we want and we didn't use any of the properties of the proprietary implementations of the cryptography we just used the way the crypto was used so that's the first break the other break has to do with the actual implementation of the system the system uses various implementation of the cryptography these are handcrafted crypto which is usually not a good idea right you want to use the publicly existing cryptographic Primitives simply because they're well tested they've been used they've been studied and any weaknesses that are potentially still there are going to be very difficult to find um here perhaps not so much so they have four Primitives that you can select tea A2 ta3 and tea A4 now tea is only allowed to be used by Nations that were associated with the European Union because the standards Institute Etsy is a European Institute and they simply restricted exports to only Europeans and friends effectively then t-a-a-t-e-a-3 um what had a more liberal definition of friends so it could be exported more widely but not to countries that that we wouldn't consider well that the EU wouldn't consider to be to be friends so think of countries like Iran in particular um so these countries were forced to use tea one there's also dea4 but it's not quite clear who the intended audience for that was and it seems to not really be used so we will ignore tea ea4 for now um and it was tea one that was fundamentally broken um so in part because of export restrictions um that were there in the 90s in the US there was a limit on how big the keys could be so the key the tea one uses was 80 bits which is probably enough right if you use it properly it should be enough but they weren't allowed to use all 80 bits so the protocol actually selects 32 bits from those 80 bits in in some way and those 32 bits we can call it the truncated key those 32 bits are actually the bits that are used in the protocol so the protocol is running on a 32-bit key even though the input key is 80 bits but that means it's brute forcible right so if we can enter the calculation at the stage of the truncated key we can just try all 2 to the power 32 combinations and see which one it is and so that's that's really bad then to make matters worse um the way in which the truncation was done allowed researchers to even try to figure out what the original key was based on the truncated key so tea one is completely broken and part of the reason why it's broken was because of export restrictions that existed in the time now a mistake like this could not have survived scrutiny right anyone looking at this would immediately say hey this is an issue this is not a secure protocol and in fact in some Communications about the very system people were saying well it's actually only 32 bits so we're allowed to export it to Iran that's why I'm mentioning this example because that's a country that has these to which America has these export restrictions um so what what did we learn from this right so the authors have reverse engineered system so from this we can learn why it's a bad idea to try to hide the implementation of a protocol right these are three good guys that have reversed engineered it immediately took action you know warned people um and waited until for publication until the system was mostly fixed have other people found it in the meantime certainly I would imagine so um nothing you know negative to say about these three guys but I'm sure that any organization with a bunch of Smart Guys in this domain that really wanted to do this would have been able to to reverse engineer it and not necessarily tell anyone about this so this could be a criminal organization this could be a security organization so you're never going to be able to keep your secret protocols actually secret um so that's one thing we can learn the other thing we can learn is that um the lack of scrutiny allows these vulnerabilities to exist for much longer than they should have countries in organizations Etc we're all using weak versions of a protocol for decades and God knows whether or not there were bad actors that had already knowledge about certain techniques to to abuse the system right we will never know this they why would they tell us right so fortunately these three guys have you know taking the effort to reverse engineer it which I think is really cool thing to do then figured out how the protocols worked found some weaknesses and I would really expect people that are more sort of experts on this sort of crypto to be able to find some additional weaknesses and vulnerabilities in addition to to what they have already found I did see a report on this to him and it said something about a deliberate baked in back door is that something that was also there was that one of these vulnerabilities I mean the fact that we can even speculate about this being a possibility is an issue right um there have been instances in the past of this happening it's not clear at the moment whether it was a deliberate backdoor um the the authors do mention a a suspicious um s books now we don't really have to know what an Xbox is but it's a small part of the cryptographic algorithm and it's working in a strange way now whether this is intentional accidental or you know uh nefarious we don't know but the point is the fact that this thing has been there for 25 years without anyone knowing about it is harmful in and of itself so this one goes all the way over to here this one goes over here and so and so on remember this is going to be an intuitive process and what we want to do is move these things around and permute them exclusive or gate with two inputs A and B the output of those is called the sum it's the sum in that columnrecently um a couple of researchers have found a a big hack in Tetra which is a system for radio um that is used all over the world um for security critical operations police forces military apparatus but also critical infrastructure Like Trains dams electricity Nets you know important stuff so this should be like encrypted and really heavily secure exactly you want it to be secure you want people not to know what the communication is you don't want criminals for example knowing what the police are saying to each other and you don't want people to be able to insert messages you don't want people to send a message saying open the floodgates Tetra is a proprietary standard supported by a European Institute called Etsy a standards Institute and I think it's a strange choice to have a proprietary standard and I think I can explain to you why this is also a point that the people um that found the vulnerabilities are are very strongly making themselves as well the well-known algorithms like AES or all the big ones we all know how they work right the schematics are available online someone can implement it and then you can check whether the implementation follows the design and everyone around the world can have a look at the design and see if there's any security flaws and the answer isn't always going to be no typically people will eventually find some weaknesses and sometimes they will find big flaws and if this is the case we can update the standard we can make the changes appropriately and criminals have a short time window in which they can potentially exploit it but it won't be the case that there's a massive gap for for decades that no one seems to know about and that's exactly what happened in in this case Tetra is used for networks that are built out of radio stations so you don't want to rely on the internet but you want to have your own radio stations and they're communicating with each other potentially relaying messages as well and this is of course very useful for the applications that we just talked about right you don't want the police to suddenly be unable to communicate to each other or to the station when the internet goes down or when there's an emergency and the broad you know the bandwidth is is sucked up by people sending messages you want your own separate system similarly for the critical infrastructures I just talked about you don't want to rely on internet connectivity you want to have your own system and as we discussed we want this to be secure now this is exactly what it is it's a system proprietary and in order to keep the algorithm a secret manufacturers had to sign a non-disclosure agreement before they got the specifications they then had to implement the algorithm either on Hardware or on software but then make sure that it's not possible to reverse engineer it now I say it's not possible of course it's possible right um all you can really ask is that they make it very difficult to reverse Engineers the three guys involved are Carlo Mayes voterbox and yours vetsels where are they from anywhere uh they might be from the same country as we but that's a total coincidence um but at least I can pronounce their names um so they spent quite a bit of time and effort reverse engineering the protocols and the the implementation thereof because of course there's multiple manufacturers all it really takes is one manufacturer to not quite secure the system as well as they should have in terms of being able to reverse engineer it so they were able to find a machine with an implementation that had some weaknesses that were exposing bits and Bulbs of the internal workings and they were able to exploit that to to find out what the code is what the algorithms are and then step two they analyzed it and what I found was not very good they found a whole list of weaknesses and vulnerabilities several of which were bad but two of which were really really bad so I'm going to be talking about the two that are really really bad um so the first one is a vulnerability that exists across all implementations of tetra later on we're going to talk be talking about one specific implementation but this one is true for all of them which is why I would say this is the worst one um so all cryptographic Primitives used in ETC are proprietary and they're all Stream ciphers So a stream Cipher is one of two major types of symmetric encryption one is the block Cipher the analogy is um you're chopping a file up into bits and pieces and then scrambling them together and your secret key tells you how you scramble it but also how you unscramble it a scream Cipher is different and a key is used to generate a long stream of bits and this stream of bits can then be used as a so-called one-time pad so how does that work well let's start with a naive stream Cipher so we have some key and we're using this key as input to some magic box and then the magic box outputs a stream of bits let's call them b0 B1 Etc then we have a message our message of course is digital so this is also a sequence of bits let's call them m0 M1 Etc what we can then do is we can take the bitwise exclusive or and what that does is it combines the bits in a in a reversible way such that we get a secret message this is our ciphertext and so the ciphertext will then be c0 C1 Etc where the bit CI is simply determined by taking the ith bit from the bit stream and the if bit of the message and taking the xor now the xor is a bitwise operation so if we have zero X or zero what it does is it Compares them and if they are the same the output will be zero but if they are different the output will be 1. another way to think about it is that we have a message M and the bits B and the bits determine whether or not we're flipping the bit right so if this is our original message we say we have a 0 x or zero we're not flipping the bit so we're keeping zero one so we're zero well we have a one we're not flipping it because it's zero so we remain one all we have zero but now we accelerate with one which means we flipped a bit so a zero becomes a one and a one becomes a zero that's how you can think about it now obviously if you xor a message twice with the same bit string you get your original message back and this is of course exactly what we want so in other words we can get our message back by taking our ciphertext and applying the same stream Cipher so now all we need to do to communicate in secret with each other is make sure that we agree on the same bitstream there's the same key in this case right because the key is generating the bitstream um and we both have the same one so I X over it with the bitstream you take that result xor it as well and now we agree on the same message and we've communicated to each other in secret can you see potentially a problem here the case the the problem surely the key how you generate that thing if if you don't get that key right so no it's not how you generate the key it's actually how you use the key okay because let's say that I'm running the same protocol tomorrow what will the bit stream be the same it will be exactly the same and this is of course a massive problem because I can take the two Cipher texts and xor them with each other and the bit streams will cancel out and the result will be the xor of the two messages in other words if I have two Cipher texts with the same bit stream we get let's say m i xor bi that's m is our first message and then we accelerate with the other ciphertext let's call it m Prime I sore bi well xor you can move the things around just like with a plus so we can move these two together and they will cancel out so the result will be MI xor M Prime I which means that if I know something about M Prime I I know something about Mi right so I can use this as a this is called a decryption Oracle and so if I can manipulate the values of M Prime I can learn the values of M and this is a big problem this is one of the worst things that can happen so instead of using a single input we need to use two inputs the other input being a so-called initialization Vector this is not a secret unlike the key but it's a fixed value that changes every time you use it so both parties will know if we're using the stream Cipher in this context this will be the IV and this is immutable so that means that I cannot manipulate the IV to be the same tomorrow as it will be today so we're guaranteed to end up with a different bit string now I think you can see where I'm going with this the implementation of tetra doesn't do this correctly what it uses for the initialization Vector is some information that can be found in the data frames that are used in the protocol so in particular it will be a sequence number relating to the frame as well as the current time and some other information that's not so relevant now what the attacker can do to trick the system is they can reset the um sequence number because the sequence number increments every time people communicate so I can just come up with a sequence number that was used in the past and the system thinks oh something must have gone wrong and then resets to that point something it shouldn't be doing but it will and that means that now the same initialization Vector can be forced by the attacker to be used by the system which means stream reuse and this is a total break right it means that we can pretty much read everything insert messages do whatever we want and we didn't use any of the properties of the proprietary implementations of the cryptography we just used the way the crypto was used so that's the first break the other break has to do with the actual implementation of the system the system uses various implementation of the cryptography these are handcrafted crypto which is usually not a good idea right you want to use the publicly existing cryptographic Primitives simply because they're well tested they've been used they've been studied and any weaknesses that are potentially still there are going to be very difficult to find um here perhaps not so much so they have four Primitives that you can select tea A2 ta3 and tea A4 now tea is only allowed to be used by Nations that were associated with the European Union because the standards Institute Etsy is a European Institute and they simply restricted exports to only Europeans and friends effectively then t-a-a-t-e-a-3 um what had a more liberal definition of friends so it could be exported more widely but not to countries that that we wouldn't consider well that the EU wouldn't consider to be to be friends so think of countries like Iran in particular um so these countries were forced to use tea one there's also dea4 but it's not quite clear who the intended audience for that was and it seems to not really be used so we will ignore tea ea4 for now um and it was tea one that was fundamentally broken um so in part because of export restrictions um that were there in the 90s in the US there was a limit on how big the keys could be so the key the tea one uses was 80 bits which is probably enough right if you use it properly it should be enough but they weren't allowed to use all 80 bits so the protocol actually selects 32 bits from those 80 bits in in some way and those 32 bits we can call it the truncated key those 32 bits are actually the bits that are used in the protocol so the protocol is running on a 32-bit key even though the input key is 80 bits but that means it's brute forcible right so if we can enter the calculation at the stage of the truncated key we can just try all 2 to the power 32 combinations and see which one it is and so that's that's really bad then to make matters worse um the way in which the truncation was done allowed researchers to even try to figure out what the original key was based on the truncated key so tea one is completely broken and part of the reason why it's broken was because of export restrictions that existed in the time now a mistake like this could not have survived scrutiny right anyone looking at this would immediately say hey this is an issue this is not a secure protocol and in fact in some Communications about the very system people were saying well it's actually only 32 bits so we're allowed to export it to Iran that's why I'm mentioning this example because that's a country that has these to which America has these export restrictions um so what what did we learn from this right so the authors have reverse engineered system so from this we can learn why it's a bad idea to try to hide the implementation of a protocol right these are three good guys that have reversed engineered it immediately took action you know warned people um and waited until for publication until the system was mostly fixed have other people found it in the meantime certainly I would imagine so um nothing you know negative to say about these three guys but I'm sure that any organization with a bunch of Smart Guys in this domain that really wanted to do this would have been able to to reverse engineer it and not necessarily tell anyone about this so this could be a criminal organization this could be a security organization so you're never going to be able to keep your secret protocols actually secret um so that's one thing we can learn the other thing we can learn is that um the lack of scrutiny allows these vulnerabilities to exist for much longer than they should have countries in organizations Etc we're all using weak versions of a protocol for decades and God knows whether or not there were bad actors that had already knowledge about certain techniques to to abuse the system right we will never know this they why would they tell us right so fortunately these three guys have you know taking the effort to reverse engineer it which I think is really cool thing to do then figured out how the protocols worked found some weaknesses and I would really expect people that are more sort of experts on this sort of crypto to be able to find some additional weaknesses and vulnerabilities in addition to to what they have already found I did see a report on this to him and it said something about a deliberate baked in back door is that something that was also there was that one of these vulnerabilities I mean the fact that we can even speculate about this being a possibility is an issue right um there have been instances in the past of this happening it's not clear at the moment whether it was a deliberate backdoor um the the authors do mention a a suspicious um s books now we don't really have to know what an Xbox is but it's a small part of the cryptographic algorithm and it's working in a strange way now whether this is intentional accidental or you know uh nefarious we don't know but the point is the fact that this thing has been there for 25 years without anyone knowing about it is harmful in and of itself so this one goes all the way over to here this one goes over here and so and so on remember this is going to be an intuitive process and what we want to do is move these things around and permute them exclusive or gate with two inputs A and B the output of those is called the sum it's the sum in that column\n"