2888 JOURNAL OF COMPUTERS, VOL. 8, NO. 11, NOVEMBER 2013

Differential Fault Analysis on the MD5 Compression Function

Wei Li 1),2),3), Zhi Tao 1), Dawu Gu 4), Yi Wang 5), Zhiqiang Liu 4),6), Ya Liu 7),4)

1) School of Computer Science and Technology, Donghua University, Shanghai, China
2) Shanghai Key Laboratory of Integrate Administration Technologies for Information Security, Shanghai, China
3) State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
4) Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
5) Department of Information Science and Technology, East China University of Political Science and Law, Shanghai, China
6) ESAT/COSIC and IBBT, Katholieke Universiteit Leuven, Leuven, Belgium
7) Department of Computer Science and Engineering, University of Shanghai for Science and Technology, Shanghai, China
E-mail: [email protected]

Abstract—MD5, proposed by R. Rivest in 1992, is a widely used hash function with the Merkle-Damgard structure. In the literature, many studies have been devoted to classical cryptanalysis of MD5, such as the collision attack and the preimage attack. In this paper, we propose a new differential fault analysis of the MD5 compression function in the word-oriented random fault model. Simulation results show that 144 random faults on average are required to obtain the current input message block. Our method not only increases the efficiency of fault injection, but also decreases the number of faulty hash values needed. It provides a new reference for the security analysis of hash compression functions with the same structure.

Index Terms—Hash function, MD5, Differential fault analysis

I. INTRODUCTION

Hash functions are widely used in a variety of security applications, such as digital signatures, file transfer and authentication schemes [1,2].
As a well-known hash function with the Merkle-Damgard structure, MD5 was proposed by R. Rivest in 1992 [3]. It processes variable-length input messages and generates a 128-bit hash value. In the literature, the strength of MD5 against various cryptanalytic techniques has been analyzed, such as the collision attack and the preimage attack. Previous research shows that MD5 is vulnerable to classical cryptanalysis [4-14]. Besides classical cryptanalysis, differential fault analysis is a newer type of side channel attack, first proposed by E. Biham and A. Shamir to break DES in 1997 [15]. It has since been widely applied to the cryptanalysis of public-key ciphers, stream ciphers and block ciphers, such as RSA, RC4 and AES [16-19]. Recently, some researchers have investigated differential fault analysis of hash compression functions. In 2012, L. Hemme et al. showed that the SHA-1 compression function is vulnerable to differential fault analysis [20]. Its basic principle is to obtain the difference between the correct output and a faulty output by inducing faults during the computation, and then to recover the message by breaking the internal states. As popular hash functions, MD5 and SHA-1 share the same overall structure. However, there are differences in the design details of the two compression functions. Up to now, little research has been devoted to differential fault analysis of MD5. On the basis of the analysis of SHA-1, we propose a differential fault analysis to break the MD5 compression function. It adopts the word-oriented fault model, in which the attacker can induce a single-word error in the compression function. For the MD5 compression function, we require only 144 faulty hash values to recover the current input message block.

© 2013 ACADEMY PUBLISHER doi:10.4304/jcp.8.11.2888-2894
Compared with the techniques available, our method recovers the message of the MD5 compression function with higher fault-injection efficiency and fewer faulty hash values.

The rest of this paper is organized as follows. Section II briefly introduces MD5. Section III proposes a differential fault analysis of the MD5 compression function in the word-oriented fault model. Section IV shows the experimental results. Finally, the last section concludes the paper.

II. DESCRIPTION OF THE MD5

The MD5 hash function is a widely used message-digest algorithm. It produces a 128-bit hash value after four rounds, and every round function has 16 steps.

A. Message Pre-process

As the input of MD5, the input message, denoted by W, is preprocessed. First, a single bit 1 is appended to the end of W, followed by as many 0 bits as needed to make the bit length of W 64 bits less than a multiple of 512 bits. Then the remaining 64 bits are filled with the original length of W. After that, the expanded W is broken up into 512-bit blocks, and each block is split into sixteen 32-bit subwords.

TABLE I. THE VALUE OF THE LEFT ROTATION s[i]

Step    i%4=0   i%4=1   i%4=2   i%4=3
0-15      7      12      17      22
16-31     5       9      14      20
32-47     4      11      16      23
48-63     6      20      15      21

B. Encryption Process

Let W[0], W[1], …, W[15] represent the sixteen 32-bit input subwords. Let Y denote the output of the compression function after the 64th step, $Y = (Y_0, Y_1, Y_2, Y_3) \in (\{0,1\}^{32})^4$, where $Y_0, Y_1, Y_2, Y_3$ are 32-bit words. Let $T_i$ represent the constants and $(A_i, B_i, C_i, D_i)$ denote the inputs of the (i+1)-th step. Thus, $(A_0, B_0, C_0, D_0)$ are the initial chaining values for the current input message block, and they are updated in four rounds of 16 steps each, on the basis of a nonlinear function, modular addition and left rotation.
The MD5 compression function is described as follows:

$$B_{i+1} = \big(\big(A_i + f_i(B_i, C_i, D_i) + W[R(i)] + T_i\big) \lll s[i]\big) + B_i, \qquad A_{i+1} = D_i, \qquad C_{i+1} = B_i, \qquad D_{i+1} = C_i,$$

where $i = 0, 1, \dots, 63$, $R(i)$ is the index of the message word used in step $i$, $s[i]$ denotes the left-rotation amount of step $i$, and $f_i$ is the round function, which is different in each round. $f_i$ is described by the piecewise function below:

$$f_i = \begin{cases} (b \wedge c) \vee (\neg b \wedge d) & 0 \le i \le 15 \quad (r_1) \\ (b \wedge d) \vee (c \wedge \neg d) & 16 \le i \le 31 \quad (r_2) \\ b \oplus c \oplus d & 32 \le i \le 47 \quad (r_3) \\ c \oplus (b \vee \neg d) & 48 \le i \le 63 \quad (r_4) \end{cases}$$

where ⊕, ∧, ∨ and ¬ denote the bitwise logical operations XOR, AND, OR and NOT, respectively; b, c and d represent 32-bit input state words; and $r_1, r_2, r_3, r_4$ represent the four rounds of MD5.

$R(i)$ also depends on the round and is defined as follows:

$$R(i) = \begin{cases} i & 0 \le i \le 15 \quad (r_1) \\ (5 \times (i-15) - 4) \bmod 16 & 16 \le i \le 31 \quad (r_2) \\ (3 \times (i-31) + 2) \bmod 16 & 32 \le i \le 47 \quad (r_3) \\ (7 \times (i-48)) \bmod 16 & 48 \le i \le 63 \quad (r_4) \end{cases}$$

$s[i]$ is shown in Table I: four values are used cyclically within each round. The i-th constant $T_i$ can be calculated by the following equation:

$$T_i = \big\lfloor 2^{32} \cdot |\sin(i+1)| \big\rfloor,$$

where $\lfloor \cdot \rfloor$ denotes the floor function and $|\cdot|$ denotes the absolute value.

C. The Hash Value as the Output

To get the hash value, the output $(A_{64}, B_{64}, C_{64}, D_{64})$ after 64 steps is added modulo $2^{32}$ to the initial chaining value $(A_0, B_0, C_0, D_0)$. That is, Y is given by

$$Y = (Y_0, Y_1, Y_2, Y_3) = (A_{64} + A_0,\; B_{64} + B_0,\; C_{64} + C_0,\; D_{64} + D_0).$$

The MD5 algorithm outputs the bytes of $Y_0$ from back to front, and does the same for the bytes of $Y_1$, $Y_2$ and $Y_3$ in sequence.

III. DIFFERENTIAL FAULT ANALYSIS ON THE MD5

A. The Basic Assumption

Our proposed fault model includes the following three assumptions:
(1) The attacker has the capability to choose an input message to process and to obtain the corresponding correct and faulty hash values.
(2) The attacker can induce a single-word error in one transformation. However, both the location of this word in the round and the value of the error are unknown.
(3) The initial chaining values $(A_0, B_0, C_0, D_0)$ for processing the current input message block are known.

B. The Basic Idea

The main procedure of this attack is as follows:
(1) The correct output hash value is obtained when an input message is processed.
(2) We induce a random error in the 62nd step, and thus obtain a faulty hash value. By differential analysis, many candidates for the subword used in this step can be obtained.
(3) We repeat the above procedure to recover the value of the subword.
(4) Random errors are induced into the previous steps, and the other subwords can be recovered in the same way.
(5) The current input message W can be deduced from the recovered subwords.

C. The Detailed Attack on the MD5

In the running procedure depicted in Fig. 1, we observe that B is the only register which is updated at every step. The following equation holds for $B_{64}$ in the last step:

$$B_{64} = \big(\big(A_{63} + f_{63}(B_{63}, C_{63}, D_{63}) + W[R(63)] + T_{63}\big) \lll s[63]\big) + B_{63}.$$

For the correct output of MD5, we have

$$Y = (Y_0, Y_1, Y_2, Y_3) = (A_{64} + A_0,\; B_{64} + B_0,\; C_{64} + C_0,\; D_{64} + D_0).$$

The known initial chaining values $(A_0, B_0, C_0, D_0)$ can be substituted into the above equation, and thus the output of the last step $(A_{64}, B_{64}, C_{64}, D_{64})$ can be derived. Moreover, we have

$$B_{63} = C_{64}, \qquad C_{63} = D_{64}, \qquad D_{63} = A_{64}, \qquad R(63) = 9, \qquad s[63] = 21.$$

Substituting into the equation for $B_{64}$, we deduce

$$B_{64} = \big(\big(A_{63} + f_{63}(C_{64}, D_{64}, A_{64}) + W[R(63)] + T_{63}\big) \lll s[63]\big) + C_{64}.$$

In the above equation, there are only two unknown values, $W[R(63)]$ and $A_{63}$.
Our ultimate goal is to recover the value of $W[R(63)]$. If we obtain the value of $A_{63}$, then $W[R(63)]$ follows from

$$W[R(63)] = \big((B_{64} - C_{64}) \lll (32 - s[63])\big) - A_{63} - f_{63}(B_{63}, C_{63}, D_{63}) - T_{63}.$$

We therefore aim at obtaining the value of $A_{63}$; since $A_{63} = D_{62}$, we recover the value of $D_{62}$ instead. To recover $D_{62}$, the error should occur in the input of the penultimate step. Once $D_{62}$ is broken, the value of $A_{63}$ is known, and we can recover $W[R(63)]$ from the equation above. The detailed attack procedure on the penultimate step is as follows:

(1) The output hash value Y is derived when an arbitrary input message is processed.

(2) We retrieve the word $W[R(63)]$ of the last step. In our attack, several random faulty bytes are injected into random positions of $C_{62}$ during the computation to generate the faulty output $Y^*$, which can be written as

$$Y^* = (Y_0^*, Y_1^*, Y_2^*, Y_3^*) = (A_{64}^* + A_0,\; B_{64}^* + B_0,\; C_{64}^* + C_0,\; D_{64}^* + D_0),$$

where variables marked with $*$ denote the faulty values of the registers. The correct and faulty values of $B_{63}$ can be written as follows:

$$B_{63} = \big(\big(A_{62} + f_{62}(B_{62}, C_{62}, D_{62}) + W[R(62)] + T_{62}\big) \lll s[62]\big) + B_{62},$$
$$B_{63}^* = \big(\big(A_{62} + f_{62}(B_{62}, C_{62}^*, D_{62}) + W[R(62)] + T_{62}\big) \lll s[62]\big) + B_{62}.$$

Figure 1. The attack in the MD5 compression function (figure not reproduced).

(3) In the running procedure, we observe that $B_{62} = C_{63} = D_{64}$, $C_{62} = D_{63} = A_{64}$, $C_{62}^* = D_{63}^* = A_{64}^*$, $B_{63} = C_{64}$ and $B_{63}^* = C_{64}^*$. Thus,

$$C_{64} = \big(\big(A_{62} + f_{62}(D_{64}, A_{64}, D_{62}) + W[R(62)] + T_{62}\big) \lll s[62]\big) + D_{64},$$
$$C_{64}^* = \big(\big(A_{62} + f_{62}(D_{64}, A_{64}^*, D_{62}) + W[R(62)] + T_{62}\big) \lll s[62]\big) + D_{64}.$$

We transform the two equations by moving $D_{64}$ and $s[62]$ from the right-hand side to the left and get

$$(C_{64} - D_{64}) \lll (32 - s[62]) = A_{62} + f_{62}(D_{64}, A_{64}, D_{62}) + W[R(62)] + T_{62},$$
$$(C_{64}^* - D_{64}) \lll (32 - s[62]) = A_{62} + f_{62}(D_{64}, A_{64}^*, D_{62}) + W[R(62)] + T_{62}.$$

Thus, the modular subtraction of the two equations gives

$$\big((C_{64}^* - D_{64}) \lll (32 - s[62])\big) - \big((C_{64} - D_{64}) \lll (32 - s[62])\big) = f_{62}(D_{64}, A_{64}^*, D_{62}) - f_{62}(D_{64}, A_{64}, D_{62}),$$

with $f_{62}(b, c, d) = c \oplus (b \vee \neg d)$. Let

$$\Delta = \big((C_{64}^* - D_{64}) \lll (32 - s[62])\big) - \big((C_{64} - D_{64}) \lll (32 - s[62])\big),$$
$$\delta = C_{62} \oplus C_{62}^* = A_{64} \oplus A_{64}^*,$$
$$X = f_{62}(D_{64}, A_{64}, D_{62}) = A_{64} \oplus (D_{64} \vee \neg D_{62}).$$

From the equation after the modular subtraction, the relation among $X$, $\delta$ and $\Delta$ is

$$(X \oplus \delta) - X = \Delta.$$

The candidates for $X$ can be calculated by using the following Proposition [21].

Proposition. Let $X$ be an unknown 32-bit value and $\delta$ and $\Delta$ known 32-bit values with $(X \oplus \delta) - X = \Delta$, where $-$ and $\oplus$ denote modular subtraction and exclusive or, respectively. Let $X_i$, $\delta_i$ and $\Delta_i$ represent the i-th bit of $X$, $\delta$ and $\Delta$. Then

$$X_i = \begin{cases} 0 \text{ or } 1 & i = 31 \\ 0 \text{ or } 1 & \delta_i = 0 \text{ and } 0 \le i \le 30 \\ \delta_{i+1} \oplus \Delta_{i+1} & \delta_i = 1 \text{ and } 0 \le i \le 30 \end{cases}$$

With this proposition we are sure about some bits of the unknown value $X$, so the number of candidates for $X$ decreases.

(4) We repeat the above procedure to obtain many other candidate sets for $X$. The true value of $X$ lies in every candidate set, in other words, in the intersection of all the candidate sets. We continue taking intersections until the number of candidates for $X$ decreases to only two values. The candidates for $D_{62}$, which equals $A_{63}$, can then be derived, and thus the value of $W[R(63)]$. Fig. 1 shows the attack procedure in detail, with the faults induced in $C_{62}$.
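As an added example (our own Python, not code from the paper; it uses the RFC 1321 rotation amounts and constants and the standard MD5 chaining value, and the message block and fault values are constructed with a seeded RNG), the following simulates the compression function of Section II with a word fault on $C_{62}$, computes $\delta$ and $\Delta$ from the correct and faulty outputs, intersects the candidate sets for $X$ with the Proposition as in steps (2) to (4), and evaluates the last-step equation for $W[R(63)]$ once $A_{63} = D_{62}$ is supplied:

```python
import math
import random

MASK = 0xFFFFFFFF
# Rotation amounts s[i] and constants T_i = floor(2^32 * |sin(i+1)|) as in RFC 1321.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [math.floor(2 ** 32 * abs(math.sin(i + 1))) & MASK for i in range(64)]
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # standard (A0, B0, C0, D0)


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def f(i, b, c, d):
    """Round function f_i of step i: one of four functions, 16 steps each."""
    if i < 16:
        return (b & c) | (~b & MASK & d)
    if i < 32:
        return (b & d) | (c & ~d & MASK)
    if i < 48:
        return b ^ c ^ d
    return c ^ (b | (~d & MASK))


def R(i):
    """Index of the message word used in step i (so R(62) = 2 and R(63) = 9)."""
    return [i, (5 * i + 1) % 16, (3 * i + 5) % 16, (7 * i) % 16][i // 16]


def run_steps(W, iv, n=64, fault=None):
    """State (A_n, B_n, C_n, D_n) after n steps. fault=(step, delta) XORs delta into
    C_step just before that step runs, i.e. a word fault on the C input of that step."""
    A, B, C, D = iv
    for i in range(n):
        if fault is not None and fault[0] == i:
            C ^= fault[1]
        B, A, C, D = (rotl((A + f(i, B, C, D) + W[R(i)] + T[i]) & MASK, S[i]) + B) & MASK, D, B, C
    return A, B, C, D


def md5_compress(W, iv, fault=None):
    # Y = (A64 + A0, B64 + B0, C64 + C0, D64 + D0), optionally with a fault injected.
    return tuple((r + v) & MASK for r, v in zip(run_steps(W, iv, 64, fault), iv))


def unwrap(Y, iv):
    # Undo the feed-forward with the known chaining value: (A64, B64, C64, D64).
    return tuple((y - v) & MASK for y, v in zip(Y, iv))


def proposition_bits(delta, Delta):
    """Bits of X fixed by (X ^ delta) - X = Delta: X_i = delta_{i+1} ^ Delta_{i+1}
    wherever delta_i = 1 and i <= 30; bit 31 is never fixed. Returns (mask, value)."""
    mask = val = 0
    for i in range(31):
        if (delta >> i) & 1:
            mask |= 1 << i
            val |= (((delta ^ Delta) >> (i + 1)) & 1) << i
    return mask, val


def recover_x(Y, faulty_Ys, iv):
    """Intersect the candidate sets for X = f62(D64, A64, D62) over all faulty outputs."""
    A64, _, C64, D64 = unwrap(Y, iv)
    base = rotl((C64 - D64) & MASK, 32 - S[62])
    mask = val = 0
    for Ys in faulty_Ys:
        A64s, _, C64s, _ = unwrap(Ys, iv)
        delta = A64 ^ A64s  # C62 is copied unchanged into A64, so the fault value is observable
        Delta = (rotl((C64s - D64) & MASK, 32 - S[62]) - base) & MASK
        m, v = proposition_bits(delta, Delta)
        if (val ^ v) & mask & m:  # a genuine fault on C62 never contradicts earlier ones
            raise ValueError("inconsistent fault data")
        mask, val = mask | m, val | v
    return mask, val


def w_last_step(Y, iv, A63):
    """W[R(63)] from the last-step equation once A63 (= D62) is known."""
    A64, B64, C64, D64 = unwrap(Y, iv)
    inner = rotl((B64 - C64) & MASK, 32 - S[63])
    return (inner - A63 - f(63, C64, D64, A64) - T[63]) & MASK


def simulate(nfaults=24, seed=7):
    """Constructed experiment: random block, random word faults on C62, then recovery."""
    rng = random.Random(seed)
    W = [rng.getrandbits(32) for _ in range(16)]
    Y = md5_compress(W, MD5_IV)
    faulty = [md5_compress(W, MD5_IV, (62, rng.getrandbits(32) | 1)) for _ in range(nfaults)]
    mask, val = recover_x(Y, faulty, MD5_IV)
    _, B62, C62, D62 = run_steps(W, MD5_IV, 62)  # ground truth, for checking only
    return mask, val, f(62, B62, C62, D62), D62, W
```

Since $X = A_{64} \oplus (D_{64} \vee \neg D_{62})$, the bits of $D_{62}$ at positions where $D_{64}$ is 1 are not determined by $X$ alone, which is why `w_last_step` takes $A_{63}$ as an input instead of deriving it from the recovered $X$.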
(5) Similarly to the procedure for recovering $W[R(63)]$, all the other words W[0], …, W[15] can be derived by analyzing $C_{61}, C_{60}, \dots, C_{48}$ in the previous steps. Then the input message can be recovered from the sixteen subwords W[0], …, W[15].

D. Retrieving the Input Message

In the attack, we finally get two candidates for $W[R(63)]$ and must eliminate the false value of $W[R(63)]$ to obtain the only correct one. The same holds for the other fifteen subwords. Thus, we get $2^{16}$ candidates for the input message. A brute-force search checks each candidate by running the compression function on it with the known initial chaining value $(A_0, B_0, C_0, D_0)$ and comparing the obtained hash value with the correct hash value, which recovers the unique right input message.

IV. THE EXPERIMENTAL RESULTS

We implemented the attack on a PC with 8 GB of memory using the Java language. Fault induction was simulated in software. In this setting, we ran the attack algorithm over 30 experiments. Fig. 2 shows the number of subword candidates in the sixteen intersections of subword candidates used to recover one subword.

Figure 2. (color) 16 intersections of the subword candidates in 30 experiments (y-axis: number of subword candidates as $2^y$; x-axis: number of experiments, 0 to 30; curves for the 1st, 4th, 7th, 10th, 13th and 16th intersections; figure not reproduced).

We define accuracy, reliability and latency to evaluate the experimental results in detail.

Accuracy is a measure of how close the number of subword candidates is to the true number of subword candidates. Basically, the closer the experimental number of subword candidates is to the true number, the more accurate the experiment is. Thus, we use the Root Mean-Square Error (RMSE) to measure the accuracy, where RMSE is given by

$$\mathrm{RMSE} = \sqrt{\frac{1}{N} \sum_{e=1}^{N} \big[h_{\mathrm{measured}}(e) - h_{\mathrm{true}}\big]^2},$$

where N is the number of experiments in a set, e is the index of the experiment, $h_{\mathrm{measured}}$ is the number of subword candidates, and $h_{\mathrm{true}}$ is the number of true subwords. As we know, there is only one true subword. The closer the RMSE value is to 0, the more accurate the experiments are. We divide the 30 experiments evenly into 5 groups, denoted G1, G2, G3, G4 and G5. The RMSE values for every intersection of subword candidates are shown in Table II, where N=6, $h_{\mathrm{true}} = 1$ and e ∈ {1,2,…,30}. Thus, the 16th intersection of subword candidates is almost exact, and we can derive the subword from this intersection. That is, about 9 faulty ciphertexts are required to recover one subword.

TABLE II. ONE SUBWORD RECOVERY ON ACCURACY BY RMSE

intersection   G1       G2       G3       G4      G5
1st            468.66   331.59   326.38   28.92   1183.14
2nd            198.84   49.09    53.96    4.00    74.47
3rd            28.15    16.92    5.77     1.15    14.00
4th            9.05     10.05    2.59     0.82    5.72
5th            4.62     7.94     2.00     0.58    1.91
6th            3.00     3.87     1.53     0.58    1.29
7th            2.31     1.91     0.82     0.58    0.58
8th            1.63     1.41     0.58     0       0.58
9th            0.82     1.15     0.58     0       0.58
10th           0.82     0.82     0.58     0       0
11th           0.82     0.82     0        0       0
12th           0.58     0.82     0        0       0
13th           0        0.82     0        0       0
14th           0        0.82     0        0       0
15th           0        0.58     0        0       0
16th           0        0        0        0       0

Reliability is the ratio of successful experiments to all experiments made. An experiment is successful if the attacker derives only two subword candidates differing in a single bit. Referring to Table III, the ratio of successful experiments in the 1st, 4th, 7th, 10th, 13th and 16th intersections of subword candidates is 0, 23.3%, 56.7%, 83.3%, 93.3% and 100%, respectively. That is, the reliability is 100% if the attacker induces 17 random faults to break a subword.

TABLE III. ONE SUBWORD RECOVERY ON RELIABILITY

intersection   G1      G2      G3      G4      G5
1st            0       0       0       0       0
2nd            0       0       0       0       0
3rd            0       16.7%   0       66.7%   0
4th            0       16.7%   33.4%   66.7%   0
5th            0       16.7%   33.4%   83.3%   50%
6th            16.7%   16.7%   50%     83.3%   50%
7th            33.4%   16.7%   66.7%   83.3%   83.3%
8th            66.7%   33.4%   66.7%   100%    83.3%
9th            66.7%   33.4%   83.3%   100%    83.3%
10th           66.7%   66.7%   83.3%   100%    100%
11th           66.7%   66.7%   100%    100%    100%
12th           83.3%   66.7%   100%    100%    100%
13th           100%    66.7%   100%    100%    100%
14th           100%    66.7%   100%    100%    100%
15th           100%    83.3%   100%    100%    100%
16th           100%    100%    100%    100%    100%

Latency is the time from the first fault injection to the recovery of the subword in our software simulation. It is measured in minutes. Fig. 3 shows the latency of the 30 experiments. The time of 70% of the experiments is between 0 and 25 minutes.

Figure 3. One subword recovery on latency (pie chart over the bins 0-25 min, 25-50 min, 50-75 min and 75-100 min; the 0-25 min bin accounts for 70% of the experiments; figure not reproduced).

Thus, about 9 faulty ciphertexts are required to recover one subword on average, with a complexity of $2^{16}$ in the word-oriented fault model. So we need about 144 fault injections to completely retrieve the current input message.

V. CONCLUSIONS

In this paper, we check the security of the MD5 function against differential fault analysis. Our attack requires 144 faulty hash values in the word-oriented random fault model. It shows that MD5 is vulnerable to differential fault analysis under the condition that the initial chaining values are known. Future work is to apply differential fault analysis to verify the security of MD5 when the initial chaining values for the current block are unknown.

ACKNOWLEDGMENT

The authors are grateful to the editors and the anonymous reviewers for their helpful comments. This work is supported by the National Natural Science Foundation of China under Grant No. 61003278, No. 61073150 and No. 61202371, the Innovation Program of Shanghai Municipal Education Commission under Grant No. 14ZZ066, the open research fund of the State Key Laboratory of Information Security, the Opening Project of Shanghai Key Laboratory of Integrate Administration Technologies for Information Security, the Fundamental Research Funds for the Central Universities, the National Key Basic Research Program of China under Grant No. 2013CB338004, the China Postdoctoral Science Foundation under Grant No. 2012M521829, the Shanghai Postdoctoral Research Funding Program under Grant No. 12R21414500, and the National Social Science Foundation of China under Grant No. 13CFX054.

REFERENCES

[1] J. Liu, X. Wang, K. Yang and C. Zhao, "A Fast New Cryptographic Hash Function Based on Integer Tent Mapping System," Journal of Computers, vol. 7, no. 7, pp. 1671–1680, July 2012.
[2] H. Elkamchouchi, M. Nasr and R. Ismail, "Secure and Fast Hashing Algorithm with Multiple Security Levels," Journal of Software, vol. 4, no. 9, pp. 935–942, November 2009.
[3] R. Rivest, "The MD5 Message Digest Algorithm," Request for Comments 1321, MIT Laboratory for Computer Science and RSA Data Security, The Internet Engineering Task Force (IETF), April 1992, http://www.ietf.org/rfc/rfc1321.txt.
[4] X. Wang and H. Yu, "How to break MD5 and other hash functions," in C. Ronald, Ed., The 24th International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2005, LNCS, vol. 3494, pp. 19–35, Springer, Berlin, 2005.
[5] Y. Sasaki, Y. Naito, N. Kunihiro and K. Ohta, "Improved collision attack on MD4 and MD5," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E90-A, no. 1, pp. 36–47, 2007.
[6] J. Aumasson, W. Meier and F. Mendel, "Preimage attacks on 3-pass HAVAL and step-reduced MD5," in A. Roberto, K. Liam and S. Francesco, Eds., The 15th Annual Workshop on Selected Areas in Cryptography, SAC 2008, LNCS, vol. 5381, pp. 120–135, Springer, Berlin, 2009.
[7] J. Black, M. Cochran and T. Highland, "A study of the MD5 attacks: insights and improvements," in R. Matt, Ed., The 13th International Workshop of Fast Software Encryption, FSE 2006, LNCS, vol. 4047, pp. 262–277, Springer, Berlin, 2006.
[8] J. Vabek, D. Joscák, M. Bohácek and J. Tuma, "A new type of 2-block collisions in MD5," in C. Roy, R. Vincent and D. Abhijit, Eds., The 9th International Conference on Cryptology in India, INDOCRYPT 2008, LNCS, vol. 5365, pp. 78–90, Springer, Berlin, 2008.
[9] G. Leurent, "Message freedom in MD4 and MD5 collisions: Application to APOP," in B. Alex, Ed., The 14th International Workshop of Fast Software Encryption, FSE 2007, LNCS, vol. 4593, pp. 309–328, Springer, Berlin, 2007.
[10] M. Stevens, A. Lenstra and B. Weger, "Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities," in N. Moni, Ed., The 26th International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2007, LNCS, vol. 4515, pp. 1–22, Springer, 2007.
[11] M. Stevens, A. Sotirov, et al., "Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate," in H. Shai, Ed., The 29th International Cryptology Conference, CRYPTO 2009, LNCS, vol. 5677, pp. 55–69, Springer, 2009.
[12] F. Mendel, C. Rechberger and M. Schläffer, "MD5 is weaker than weak: Attacks on concatenated combiners," in M. Matsui, Ed., The 15th Annual International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2009, LNCS, vol. 5912, pp. 144–161, Springer, 2009.
[13] K. Aoki and Y. Sasaki, "Preimage attacks on one-block MD4, 63-step MD5 and more," in A. Roberto, K. Liam and S. Francesco, Eds., The 15th Annual Workshop on Selected Areas in Cryptography, SAC 2008, LNCS, vol. 5381, pp. 103–119, Springer, 2009.
[14] Y. Sasaki and K. Aoki, "Finding preimages in full MD5 faster than exhaustive search," in A. Joux, Ed., The 28th International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2009, LNCS, vol. 5479, pp. 134–152, Springer, 2009.
[15] E. Biham and A. Shamir, "Differential fault analysis of secret key cryptosystems," in B. S. Kaliski Jr., Ed., The 17th International Cryptology Conference, CRYPTO '97, LNCS, vol. 1294, pp. 513–525, Springer, 1997.
[16] D. Boneh, R. DeMillo and R. Lipton, "On the Importance of Checking Cryptographic Protocols for Faults," in W. Fumy, Ed., The International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT '97, LNCS, vol. 1233, pp. 37–51, Springer, Konstanz, Germany, May 11–15, 1997.
[17] W. Li, X. Xia, D. Gu, Z. Liu, J. Li and Y. Liu, "A New Differential Fault Attack on SPN Structure, with Application to AES Cipher," Journal of Computers, vol. 6, no. 2, pp. 216–223, February 2011.
[18] P. Dusart, G. Letourneux and O. Vivolo, "Differential Fault Analysis on A.E.S.," in J. Y. Zhou, M. Yung and Y. F. Han, Eds., The 1st International Conference of Applied Cryptography and Network Security, ACNS 2003, LNCS, vol. 2846, pp. 293–306, Springer, Kunming, China, October 16–19, 2003.
[19] E. Biham, L. Granboulan and P. Q. Nguyen, "Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4," in G. Henri and H. Helena, Eds., The 12th International Workshop of Fast Software Encryption, FSE 2005, LNCS, vol. 3557, pp. 359–367, Springer, Paris, France, February 21–23, 2005.
[20] L. Hemme and L. Hoffmann, "Differential Fault Analysis on the SHA-1 Compression Function," in L. Breveglieri, S. Guilley, I. Koren, D. Naccache and J. Takahashi, Eds., The 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2011, pp. 54–62, IEEE Computer Society, Tokyo, Japan, September 29, 2011.
[21] R. Li, C. Li and C. Gong, "Differential fault analysis on SHACAL-1," in L. Breveglieri, I. Koren, D. Naccache, E. Oswald and J. Seifert, Eds., The 6th International Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2009, pp. 120–126, IEEE Computer Society, Los Alamitos, 2009.

Wei Li, born in 1980, is currently an associate professor in the School of Computer Science and Technology, Donghua University. She was awarded a B.S. degree in engineering from Anhui University in 2002, and her M.S. degree and Ph.D. degree in engineering in 2006 and 2009, both from Shanghai Jiao Tong University. She is a member of CACR (China Association of Cryptologic Research), CCF (China Computer Federation), IEEE and ACM. Her research interests include the design and analysis of symmetric ciphers.

Zhi Tao is currently a Master candidate in the School of Computer Science and Technology, Donghua University. His research interests include security analysis of lightweight ciphers.

Dawu Gu is a professor at Shanghai Jiao Tong University in the Department of Computer Science and Engineering. He was awarded a B.S. degree in applied mathematics in 1992, and a Ph.D. degree in cryptography in 1998, both from Xidian University, China. He serves as a board member of CACR (China Association of Cryptologic Research) and the Shanghai Open System Federation. He is a technical committee member of CACR and CCF (China Computer Federation), a technical editor of China Communications, and a member of ACM, IACR and IEICE. He was a winner of the New Century Excellent Talent Program of the Ministry of Education of China in 2005.
He has been invited as a chair and TPC member for many international conferences such as ACNS, ISC, ISPEC, ICICS, NSS and E-Forensics. His research interests cover cryptology and computer security. He has published over 100 scientific papers in academic journals and conferences.

Yi Wang is currently an associate professor in the Department of Information Science and Technology, East China University of Political Science and Law. She was awarded her Ph.D. degree from Shanghai Jiao Tong University in 2004. Her research interests include information and network security.

Zhiqiang Liu, born in 1977, is now a postdoc in the Department of Computer Science and Engineering, Shanghai Jiao Tong University. He received his B.S. degree and M.S. degree in Mathematics, and his Ph.D. degree in Cryptography, from Shanghai Jiao Tong University in 1998, 2001 and 2012 respectively. From 2001 to 2008, he worked at ZTE, Alcatel and VLI in the area of Next Generation Network (NGN)/IP Multimedia Subsystem (IMS). Currently, his research interests include cryptanalysis and design of block ciphers and hash functions.

Ya Liu is currently a lecturer in the Department of Computer Science and Engineering, University of Shanghai for Science and Technology. She was awarded her Ph.D. degree from Shanghai Jiao Tong University in 2013. Her research interests include the design and analysis of symmetric ciphers and computational number theory.