Editorial Board
Supported by NSFC .
Honorary Editor General ZHOU GuangZhao (Zhou Guang Zhao)
Editor General ZHU ZuoYan Institute of Hydrobiology, CAS
Editor-in-Chief LI Wei Beihang University
Executive Associate Editor-in-Chief WANG DongMing Centre National de la Recherche Scientifique
Associate Editors-in-Chief
GUO Lei Academy of Mathematics and Systems Science, CAS
HUANG Ru Peking University
QIN YuWen National Natural Science Foundation of China
SUN ZengQi Tsinghua University
YOU XiaoHu Southeast University
ZHAO QinPing Beihang University
ZHAO Wei University of Macau
Members
CHEN JianEr Texas A&M University
DU Richard LiMin Voxeasy Institute of Technology
GAO Wen Peking University
GE ShuZhi Sam University of Electronic Science and Technology of China
GUO GuangCan University of Science and Technology of China
HAN WenBao PLA Information Engineering University
HE JiFeng East China Normal University
HU WeiWu Institute of Computing Technology, CAS
HU ZhanYi Institute of Automation, CAS
IDA Tetsuo University of Tsukuba
JI YueFeng Beijing University of Posts and Telecommunications
JIN Hai Huazhong University of Science and Technology
JIN YaQiu Fudan University
JING ZhongLiang Shanghai Jiao Tong University
LI Joshua LeWei University of Electronic Science and Technology of China
LIU DeRong Institute of Automation, CAS
LIN HuiMin Institute of Software, CAS
LIN ZongLi University of Virginia
LONG KePing University of Science and Technology Beijing
LU Jian Nanjing University
MEI Hong Peking University
MENG LuoMing Beijing University of Posts and Telecommunications
PENG LianMao Peking University
PENG QunSheng Zhejiang University
SHEN ChangXiang Computing Technology Institute of China Navy
SUN JiaGuang Tsinghua University
TANG ZhiMin Institute of Computing Technology, CAS
TIAN Jie Institute of Automation, CAS
TSAI WeiTek Arizona State University
WANG Ji National University of Defense Technology
WANG JiangZhou University of Kent
WANG Long Peking University
WU YiRong Institute of Electronics, CAS
XIE WeiXin Shenzhen University
XU Jun Tsinghua University
XU Ke Beihang University
YIN QinYe Xi’an Jiaotong University
YING MingSheng Tsinghua University
ZHA HongBin Peking University
ZHANG HuanGuo Wuhan University
ZHOU Dian The University of Texas at Dallas
ZHOU ZhiHua Nanjing University
ZHUANG YueTing Zhejiang University
Editorial Staff SONG Fei FENG Jing ZHAO DongXia
SCIENCE CHINA Information Sciences
Contents Vol. 55 No. 11 November 2012
RESEARCH PAPER
Study on co-occurrence character networks from Chinese essays in different periods (p. 2417)
LIANG Wei, SHI YuMing, TSE Chi K & WANG YanLi
Automatic composition of information-providing web services based on query rewriting (p. 2428)
ZHAO WenFeng, LIU ChuanChang & CHEN JunLiang
A construction method of matroidal networks (p. 2445)
YUAN Chen, KAN HaiBin, WANG Xin & IMAI Hideki
Communication network designing: Transmission capacity, cost and scalability (p. 2454)
ZHANG GuoQiang & ZHANG GuoQing
Corner occupying theorem for the two-dimensional integral rectangle packing problem (p. 2466)
HUANG WenQi, YE Tao & CHEN DuanBing
Round-optimal zero-knowledge proofs of knowledge for NP (p. 2473)
LI HongDa, FENG DengGuo, LI Bao & XUE HaiXia
Binary particle swarm optimization with multiple evolutionary strategies (p. 2485)
ZHAO Jing, HAN ChongZhao & WEI Bin
Communications and control co-design: a combined dynamic-static scheduling approach (p. 2495)
LU ZiBao & GUO Ge
Optimized statistical analysis of software trustworthiness attributes (p. 2508)
ZHANG Xiao, LI Wei, ZHENG ZhiMing & GUO BingHui
A new one-bit difference collision attack on HAVAL-128 (p. 2521)
ZHANG WenYing, LI YanYan & WU Lei
Signcryption with fast online signing and short signcryptext for secure and private mobile communication (p. 2530)
YOUN Taek-Young & HONG Dowon
An ID-based authenticated dynamic group key agreement with optimal round (p. 2542)
TENG JiKai, WU ChuanKun & TANG ChunMing
Evolutionary ciphers against differential power analysis and differential fault analysis (p. 2555)
TANG Ming, QIU ZhenLong, YANG Min, CHENG PingPan, GAO Si, LIU ShuBo & MENG QinShu
An oblivious fragile watermarking scheme for images utilizing edge transitions in BTC bitmaps (p. 2570)
ZHANG Yong, LU ZheMing & ZHAO DongNing
The essential ability of sparse reconstruction of different compressive sensing strategies (p. 2582)
ZHANG Hai, LIANG Yong, GOU HaiLiang & XU ZongBen
Waveform design and high-resolution imaging of cognitive radar based on compressive sensing (p. 2590)
LUO Ying, ZHANG Qun, HONG Wen & WU YiRong
An efficient sparse channel estimator combining time-domain LS and iterative shrinkage for OFDM systems with IQ-imbalances (p. 2604)
SHU Feng, ZHAO JunHui, YOU XiaoHu, WANG Mao, CHEN Qian & STEVAN Berber
Object registration for remote sensing images using robust kernel pattern vectors (p. 2611)
DING MingTao, JIN Zi, TIAN Zheng, DUAN XiFa, ZHAO Wei & YANG LiJuan
Quasi-linear modeling of gyroresonance between different MLT chorus and geostationary orbit electrons (p. 2624)
ZHANG ZeLong, XIAO FuLiang, HE YiHua, HE ZhaoGuo, YANG Chang, ZHOU XiaoPing & TANG LiJun
A variational method for contour tracking via covariance matching (p. 2635)
WU YuWei, MA Bo & LI Pei
Near lossless compression of hyperspectral images based on distributed source coding (p. 2646)
NIAN YongJian, WAN JianWei, TANG Yi & CHEN Bo
A 10 GHz multiphase LC VCO with a ring capacitive coupling structure (p. 2656)
CHEN YingMei, WANG Hui, YAN ShuangChao & ZHANG Li
RESEARCH PAPER
SCIENCE CHINA Information Sciences
November 2012 Vol. 55 No. 11: 2521–2529
doi: 10.1007/s11432-012-4619-2
© Science China Press and Springer-Verlag Berlin Heidelberg 2012 info.scichina.com www.springerlink.com
A new one-bit difference collision attack on HAVAL-128
ZHANG WenYing$^{1,2,3*}$, LI YanYan$^{1}$ & WU Lei$^{1}$
$^1$School of Information Science and Engineering, Shandong Normal University, Jinan 250014, China;
$^2$State Key Lab of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
$^3$Shandong Provincial Key Laboratory for Novel Distributed Computer Software Technology, Jinan 250014, China
Received January 14, 2012; accepted April 8, 2012
Abstract In this paper, we give a new fast attack on HAVAL-128. Our attack includes many existing methods of constructing hash collisions. Moreover, we present a neighborhood modification. We propose a new difference path different from the previous ones. The conclusion is that, when the output of each step satisfies our condition, the message $m$ can collide with $m' = m + \Delta m$, where $\Delta m = (0, 0, 0, 0, 2^{31}, 0, \ldots, 0)$. There is only one bit difference between $m$ and $m'$. Two pairs of collision examples for HAVAL-128 are given. In order to improve the probability of collision, we use four tricks of message modification. The attack’s running time is less than $2^{25.83}$ 2-pass HAVAL computations, which is the best result for one-bit collision of HAVAL so far.
Keywords cryptography, hash function, HAVAL-128, collision, message modification
Citation Zhang W Y, Li Y Y, Wu L. A new one-bit difference collision attack on HAVAL-128. Sci China Inf
Sci, 2012, 55: 2521–2529, doi: 10.1007/s11432-012-4619-2
1 Introduction
HAVAL [1] was presented by Zheng et al. at AUSCRYPT ’92. It can be processed in 3, 4 or 5 passes, and produces a 128, 160, 192, or 224-bit fingerprint. On 3-pass HAVAL, Rompay et al. gave a collision attack that requires $2^{29}$ computations of the compression function [2]. Their attack can find a 1024-bit collision pair $m = (m_0, \ldots, m_{31})$ and $m' = (m'_0, \ldots, m'_{31})$ with the differential $\Delta m_{28} = 2^0 = 1$ and $\Delta m_i = 0$ for other $i$. Finding hash collisions has attracted much attention since Wang et al. presented their beautiful work [3] at Crypto 2004. In [4], Wang et al. showed a much better collision attack with $2^7$ computations of the compression function. Their attack can find a one-block collision pair $m = (m_0, \ldots, m_{31})$ and $m' = (m'_0, \ldots, m'_{31})$ with the three-bit differential $\Delta m_0 = 2^{10}$, $\Delta m_{11} = 2^{31}$, $\Delta m_{18} = 2^3$, and $\Delta m_i = 0$ for other $i$.
According to the maximum likelihood principle in communication, it is possible that small errors occur more often than big errors. On the other hand, in order to avoid the suspicion of the receiver, intruders prefer to modify fewer bits of the message. In order to find collisions, it is necessary to modify the message as little as possible. Of course, the optimal number is one. So the practical construction of collisions with a one-bit difference is an interesting problem.
∗Corresponding author (email: [email protected])
In this paper, we give a new one-block attack against 3-pass HAVAL with only a one-bit difference. The conclusion is that, when the output of each step satisfies our condition, by making a one-bit modification to $m$ to get $m' = m + \Delta m$, where $\Delta m = (0, 0, 0, 0, 2^{31}, 0, \ldots, 0)$, the message $m$ can collide with $m'$. The collision occurs at the 67-th step, i.e., the beginning of pass 3. The computational complexity is less than $2^{25.83}$ 2-pass HAVAL. We reduce the running time from $2^{29}$ 3-pass HAVAL to $2^{25.83}$ 2-pass HAVAL, so our result is the best for one-bit collision of HAVAL so far.
Our attack includes methods of constructing hash collisions such as modular differential attack, multi-message modification (advanced modification), the Tunnel idea [5–7] and the improved tunnel idea, which is called relieving the besieged by attacking the base of the besieger, an ancient Chinese strategy. In addition, we present neighborhood modification.
The remainder of this paper is organized as follows. In Section 2, we provide a simple description of 3-pass HAVAL. In Section 3, we give all the differential characteristics and sufficient conditions that guarantee all the differential characteristics in the collision. In Section 4, in order to decrease the computational complexity, we deduce some extra conditions in pass 1 which ensure that some conditions in pass 2 can be satisfied by four message modification methods, and give the algorithm of our attack part by part. In Section 5, we calculate the complexity and give two collision examples. Finally, Section 6 concludes this paper. In this paper we follow the writing style of [4].
2 Description of HAVAL
The purpose of this paper is to break HAVAL with 3 passes, named HAVAL-128, so we only describe HAVAL-128. HAVAL-128 employs three passes. The $i$-th ($i = 1, 2, 3$) pass includes one highly nonlinear function $f_i\Phi_i$ which performs bit-wise operations on 32-bit words.
$$f_1(\Phi_1(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) = x_2x_3 \oplus x_0x_6 \oplus x_1x_5 \oplus x_2x_4 \oplus x_4,$$
$$f_2(\Phi_2(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) = x_0x_3x_5 \oplus x_5x_6 \oplus x_1x_2x_5 \oplus x_4x_5 \oplus x_0x_2 \oplus x_3x_5 \oplus x_1x_3 \oplus x_1x_2 \oplus x_6,$$
$$f_3(\Phi_3(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) = x_3x_4x_5 \oplus x_2x_5 \oplus x_1x_4 \oplus x_3x_6 \oplus x_0x_3 \oplus x_0.$$
For one 1024-bit block $m$ of the message, the compressing process is as follows:
1. $a_0 = a$, $b_0 = b$, $c_0 = c$, $d_0 = d$, $e_0 = e$, $f_0 = f$, $g_0 = g$, $h_0 = h$, where $(a, b, c, d, e, f, g, h)$ are the initial input parameters for $m$. If $m$ is the first 1024-bit message block to be hashed, the initial values are a = 0x243f6a88, b = 0x85a308d3, c = 0x13198a2e, d = 0x03707344, e = 0xa4093822, f = 0x299f31d0, g = 0x082efa98, h = 0xec4e6c89. Otherwise, they are the last set of outputs from the former message block.
2. For $j = 1, 2, 3$,
for $i = 32(j-1), 32(j-1)+1, 32(j-1)+2, \ldots, 32(j-1)+31$,
$p_i = f_j(\Phi_j(g_i, f_i, e_i, d_i, c_i, b_i, a_i))$,
$r_i = (p_i \gg 7) + (h_i \gg 11) + m_{\mathrm{ord}(j,i)} + k_{j,i}$,
$h_{i+1} = g_i$, $g_{i+1} = f_i$, $f_{i+1} = e_i$, $e_{i+1} = d_i$, $d_{i+1} = c_i$, $c_{i+1} = b_i$, $b_{i+1} = a_i$, $a_{i+1} = r_i$.
3. $a = a_{96} + a$, $b = b_{96} + b$, $\ldots$, $h = h_{96} + h$.
4. When the message $m$ is the last 1024-bit block, the 128-bit fingerprint $y_3 \| y_2 \| y_1 \| y_0$ is calculated as follows: $h = h_3 \| h_2 \| h_1 \| h_0$, $g = g_3 \| g_2 \| g_1 \| g_0$, $f = f_3 \| f_2 \| f_1 \| f_0$, $e = e_3 \| e_2 \| e_1 \| e_0$,
$y_3 = d + h_3 \| g_2 \| f_1 \| e_0$, $y_2 = c + h_2 \| g_1 \| f_0 \| e_3$, $y_1 = b + h_1 \| g_0 \| f_3 \| e_2$, $y_0 = a + h_0 \| g_3 \| f_2 \| e_1$.
The operation in each step employs a constant $k$ (see [1]), where $k_{1,i} = 0$, $0 \le i \le 31$; $\gg$ represents the circular right shift, $+$ is addition modulo $2^{32}$, and $x \| y$ denotes the concatenation of $x$ and $y$. The compressing process for $m$ includes 96 steps. Steps 1–32 belong to pass one, pass two contains steps 33–64, and pass three contains steps 65–96. The orders of message words in each pass are defined in Table 1. For the details, please refer to [1].
Table 1 The orders of message words
pass 1: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
pass 2: 05 14 26 18 11 28 07 16 00 23 20 22 01 10 04 08 30 03 21 09 17 24 29 06 19 12 15 13 02 25 31 27
pass 3: 19 09 04 20 28 17 08 22 29 14 25 12 24 30 16 26 31 15 07 03 01 00 18 27 13 06 21 10 23 11 05 02
3 The differential characteristics and sufficient conditions
Note that the notations in our paper are the same as those in [4].
1. $m = (m_0, m_1, \ldots, m_{31})$ and $m' = (m'_0, m'_1, \ldots, m'_{31})$ are two 1024-bit messages.
2. $\Delta m_i = m'_i - m_i$, $\Delta a_i = a'_i - a_i$, $\Delta p_i = p'_i - p_i$ denote the modular differences of two variables. These notations are used to describe differential characteristics with ± symbols in our attack. $a_i$ ($i = 1, 2, \ldots, 67$) represents the output of the $i$-th step.
3. $x_{i,j}$ denotes the $j$-th bit of the 32-bit word $x_i$; $x_{i[j_1, j_2, \ldots, j_k]}$ denotes the $j_1, j_2, \ldots, j_k$-th bits of $x_i$.
4. $x_i[j]$ is the value obtained by changing only the $j$-th bit of $x_i$, so $x_i[j]$ and $x_i$ differ only at the $j$-th bit. $x_i[j, \ldots, j+k]$ is the value obtained by successively changing the $j$-th, $(j+1)$-th, $\ldots$, $(j+k)$-th bits of $x_i$.
5. $i + k$ in $2^{i+k}$ is addition modulo 32, $0 \le i \le 31$.
The overall attack. There is an attack to find one collision with a running time less than $2^{25.83}$ 2-pass HAVAL. There is only one bit difference between the two colliding messages.
Proof. The attack is divided into eight parts. We will describe the first four parts in this section and the remaining four will be described in Section 4.
1. Select the difference of two messages $m, m'$ as $\Delta m = m' - m = (\Delta m_0, \Delta m_1, \ldots, \Delta m_{31})$ such that $\Delta m_4 = 2^{31}$ and $\Delta m_i = 0$ for the other $i$. After a lot of cryptanalysis, we find that two messages with such a difference are apt to collide.
2. Determine all the differential characteristics such that $(m, m')$ constitutes a collision (see Table 2). In Table 2, $a_{-1} = b_0$, $a_{-2} = c_0$, $a_{-3} = d_0$, $a_{-4} = e_0$, $a_{-5} = f_0$, $a_{-6} = g_0$, $a_{-7} = h_0$. The collision includes only one partial collision, from steps 5–67.
3. Deduce all the conditions under which the differential characteristics in Table 2 hold. For example, we give the deduction details of the first 3 steps.
Step 5. $\Delta a_5 = 2^{31}$, $a_{5,32} = 0$, $a'_{5,32} = 1$, since $\Delta m_4 = 2^{31}$.
Step 6. $\Delta a_6 = 2^{24}$; $a_6[25 \cdots 28]$ requires that $a_{6,25} = 1$, $a_{6,26} = 1$, $a_{6,27} = 1$, $a_{6,28} = 0$. The positive difference $\Delta a_6 = 2^{24}$ is caused by the difference $a_5[32]$ in the Boolean function $f_1(\Phi_1(b_0, a_0, a_1, a_2, a_3, a_4, a_5))$, since $f_1(\Phi_1(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) \oplus f_1(\Phi_1(x_6, x_5, x_4, x_3, x_2, x_1, x_0 \oplus 1)) = x_6$.
Step 7. $a'_7 = f_1(\Phi_1(a_0, a_1, a_2, a_3, a_4, a_5[32], a_6[25 \cdots 28])) \gg 7 + (b \gg 11) + m_6$, $\Delta(f_1\Phi_1)_{6,32} = x_{6,32} = b_{0,32} = 1$. The positive difference $\Delta a_6 = (\Delta f_1\Phi_1) \gg 7 = 2^{24}$ requires that $(f_1\Phi_1)_{6,32} = 0$, $(f_1\Phi_1)'_{6,32} = 1$, i.e.,
$$(f_1\Phi_1(b_0, a_0, a_1, a_2, a_3, a_4, a_5))_{32} = (a_2a_3 \oplus a_5b_0 \oplus a_4a_0 \oplus a_1a_3 \oplus a_1)_{32} = 0. \tag{1}$$
In step 7 we will get $a_{1,32} = 0$. Substituting $a_{5,32} = 0$, $b_{0,32} = 1$, $a_{0,32} = 0$, $a_{1,32} = 0$ into (1), the sufficient conditions for step 6 are
$$a_{2,32}a_{3,32} = 0, \quad a_{6[25 \ldots 27]} = 1, \quad a_{6,28} = 0. \tag{2}$$
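From $\Delta a_7 = 2^{19}$ and $a_7[20, 21]$, it follows that $(\Delta f_1\Phi_1)_{7[25,26,28,32]} = 0$, $(\Delta f_1\Phi_1)_{7,27} = 1$. It is required that $\Delta f_1(\Phi_1(a_0, a_1, a_2, a_3, a_4, a_5[32], a_6))_{32} = a_{1,32} = 0$, $(\Delta f_1(\Phi_1(a_0, a_1, \ldots, a_6[25, 26, 28])))_{25,26,28} = a_{0[25,26,28]} = 0$ and $\Delta f_1(\Phi_1(a_0, a_1, \ldots, a_6[27]))_{27} = a_{0,27} = 1$. The second equation is satisfied naturally by the initial state $a_0$ = 0x243f6a88. The positive difference $(\Delta f_1\Phi_1) = 2^{26}$ requires that $f_1(\Phi_1(a_0, a_1, a_2, a_3, a_4, a_5, a_6))_{27} = (a_4a_3 \oplus a_6a_0 \oplus a_1a_5 \oplus a_4a_2 \oplus a_2)_{27} = 0$. Since we already have $a_{6,27} = 1$, $a_{0,27} = 1$, $a_{2,27} = 0$ and we will get $a_{5,27} = a_{4,27}$ at step 8, at last we have $(a_{1,27} \oplus a_{3,27})a_{4,27} = 1$, that is, $a_{4,27} = 1$, $a_{3,27} = 1 + a_{1,27}$. Therefore the sufficient conditions for step 7 are
$$a_{7,20} = 1,\ a_{7,21} = 0,\ a_{0,25} = a_{0,26} = a_{0,28} = 0,\ a_{0,27} = 1,\ a_{1,32} = 0,\ a_{4,27} = 1,\ a_{3,27} = 1 + a_{1,27}. \tag{3}$$

Table 2 Differential characteristics in the collision of 5-67 steps

| step $i$ | $m'$ | $\Delta a_i$ | The outputs $(a_i, a_{i-1}, a_{i-2}, a_{i-3}, a_{i-4}, a_{i-5}, a_{i-6}, a_{i-7})$ of the compression process of $m'$ |
|---|---|---|---|
| 5 | $m'_4$ | $2^{31}$ | $a_5[32], a_4, a_3, a_2, a_1, a_0, b_0, c_0$ |
| 6 | $m_5$ | $2^{24}$ | $a_6[25 \cdots 28], a_5[32], a_4, a_3, a_2, a_1, a_0, b_0$ |
| 7 | $m_6$ | $2^{19}$ | $a_7[20, 21], a_6[25 \cdots 28], a_5[32], a_4, a_3, a_2, a_1, a_0$ |
| 8 | $m_7$ | $2^{18}$ | $a_8[19], a_7[20, 21], a_6[25 \cdots 28], a_5[32], a_4, a_3, a_2, a_1$ |
| 9 | $m_8$ | 0 | $a_9, a_8[19], a_7[20, 21], a_6[25 \cdots 28], a_5[32], a_4, a_3, a_2$ |
| 10 | $m_9$ | 0 | $a_{10}, a_9, a_8[19], a_7[20, 21], a_6[25 \cdots 28], a_5[32], a_4, a_3$ |
| 11 | $m_{10}$ | $2^{12}$ | $a_{11}[13 \cdots 16], a_{10}, a_9, a_8[19], a_7[20, 21], a_6[25 \cdots 28], a_5[32], a_4$ |
| 12 | $m_{11}$ | 0 | $a_{12}, a_{11}[13 \cdots 16], a_{10}, a_9, a_8[19], a_7[20, 21], a_6[25 \cdots 28], a_5[32]$ |
| 13 | $m_{12}$ | $2^{5}$ | $a_{13}[6 \cdots 9], a_{12}, a_{11}[13 \cdots 16], a_{10}, a_9, a_8[19], a_7[20, 21], a_6[25 \cdots 28]$ |
| 14 | $m_{13}$ | 0 | $a_{14}, a_{13}[6 \cdots 9], a_{12}, a_{11}[13 \cdots 16], a_{10}, a_9, a_8[19], a_7[20, 21]$ |
| 15 | $m_{14}$ | $-2^{11}$ | $a_{15}[12], a_{14}, a_{13}[6 \cdots 9], a_{12}, a_{11}[13 \cdots 16], a_{10}, a_9, a_8[19]$ |
| 16 | $m_{15}$ | 0 | $a_{16}, a_{15}[12], a_{14}, a_{13}[6 \cdots 9], a_{12}, a_{11}[13 \cdots 16], a_{10}, a_9$ |
| 17 | $m_{16}$ | 0 | $a_{17}, a_{16}, a_{15}[12], a_{14}, a_{13}[6 \cdots 9], a_{12}, a_{11}[13 \cdots 16], a_{10}$ |
| 18 | $m_{17}$ | 0 | $a_{18}, a_{17}, a_{16}, a_{15}[12], a_{14}, a_{13}[6 \cdots 9], a_{12}, a_{11}[13 \cdots 16]$ |
| 19 | $m_{18}$ | 0 | $a_{19}, a_{18}, a_{17}, a_{16}, a_{15}[12], a_{14}, a_{13}[6 \cdots 9], a_{12}$ |
| 20 | $m_{19}$ | 0 | $a_{20}, a_{19}, a_{18}, a_{17}, a_{16}, a_{15}[12], a_{14}, a_{13}[6 \cdots 9]$ |
| 21 | $m_{20}$ | $2^{26}$ | $a_{21}[27], a_{20}, a_{19}, a_{18}, a_{17}, a_{16}, a_{15}[12], a_{14}$ |
| 22 | $m_{21}$ | 0 | $a_{22}, a_{21}[27], a_{20}, a_{19}, a_{18}, a_{17}, a_{16}, a_{15}[12]$ |
| 23 | $m_{22}$ | $-2^{0}$ | $a_{23}[1], a_{22}, a_{21}[27], a_{20}, a_{19}, a_{18}, a_{17}, a_{16}$ |
| 24 | $m_{23}$ | 0 | $a_{24}, a_{23}[1], a_{22}, a_{21}[27], a_{20}, a_{19}, a_{18}, a_{17}$ |
| 25 | $m_{24}$ | 0 | $a_{25}, a_{24}, a_{23}[1], a_{22}, a_{21}[27], a_{20}, a_{19}, a_{18}$ |
| 26 | $m_{25}$ | 0 | $a_{26}, a_{25}, a_{24}, a_{23}[1], a_{22}, a_{21}[27], a_{20}, a_{19}$ |
| 27 | $m_{26}$ | 0 | $a_{27}, a_{26}, a_{25}, a_{24}, a_{23}[1], a_{22}, a_{21}[27], a_{20}$ |
| 28 | $m_{27}$ | 0 | $a_{28}, a_{27}, a_{26}, a_{25}, a_{24}, a_{23}[1], a_{22}, a_{21}[27]$ |
| 29 | $m_{28}$ | $2^{15}$ | $a_{29}[16 \cdots 19], a_{28}, a_{27}, a_{26}, a_{25}, a_{24}, a_{23}[1], a_{22}$ |
| 30 | $m_{29}$ | 0 | $a_{30}, a_{29}[16 \cdots 19], a_{28}, a_{27}, a_{26}, a_{25}, a_{24}, a_{23}[1]$ |
| 31 | $m_{30}$ | $-2^{21}$ | $a_{31}[22], a_{30}, a_{29}[16 \cdots 19], a_{28}, a_{27}, a_{26}, a_{25}, a_{24}$ |
| 32 | $m_{31}$ | 0 | $a_{32}, a_{31}[22], a_{30}, a_{29}[16 \cdots 19], a_{28}, a_{27}, a_{26}, a_{25}$ |
| 33 | $m_5$ | 0 | $a_{33}, a_{32}, a_{31}[22], a_{30}, a_{29}[16 \cdots 19], a_{28}, a_{27}, a_{26}$ |
| 34 | $m_{14}$ | 0 | $a_{34}, a_{33}, a_{32}, a_{31}[22], a_{30}, a_{29}[16 \cdots 19], a_{28}, a_{27}$ |
| 35 | $m_{26}$ | $2^{11}$ | $a_{35}[12], a_{34}, a_{33}, a_{32}, a_{31}[22], a_{30}, a_{29}[16 \cdots 19], a_{28}$ |
| 36 | $m_{18}$ | 0 | $a_{36}, a_{35}[12], a_{34}, a_{33}, a_{32}, a_{31}[22], a_{30}, a_{29}[16 \cdots 19]$ |
| 37 | $m_{11}$ | 0 | $a_{37}, a_{36}, a_{35}[12], a_{34}, a_{33}, a_{32}, a_{31}[22], a_{30}$ |
| 38 | $m_{28}$ | 0 | $a_{38}, a_{37}, a_{36}, a_{35}[12], a_{34}, a_{33}, a_{32}, a_{31}[22]$ |
| 39 | $m_7$ | $-2^{10}$ | $a_{39}[11], a_{38}, a_{37}, a_{36}, a_{35}[12], a_{34}, a_{33}, a_{32}$ |
| 40 | $m_{16}$ | 0 | $a_{40}, a_{39}[11], a_{38}, a_{37}, a_{36}, a_{35}[12], a_{34}, a_{33}$ |
| 41 | $m_0$ | 0 | $a_{41}, a_{40}, a_{39}[11], a_{38}, a_{37}, a_{36}, a_{35}[12], a_{34}$ |
| 42 | $m_{23}$ | 0 | $a_{42}, a_{41}, a_{40}, a_{39}[11], a_{38}, a_{37}, a_{36}, a_{35}[12]$ |
| 43 | $m_{20}$ | $2^{0}$ | $a_{43}[1], a_{42}, a_{41}, a_{40}, a_{39}[11], a_{38}, a_{37}, a_{36}$ |
| 44 | $m_{22}$ | 0 | $a_{44}, a_{43}[1], a_{42}, a_{41}, a_{40}, a_{39}[11], a_{38}, a_{37}$ |
| 45 | $m_1$ | 0 | $a_{45}, a_{44}, a_{43}[1], a_{42}, a_{41}, a_{40}, a_{39}[11], a_{38}$ |
| 46 | $m_{10}$ | 0 | $a_{46}, a_{45}, a_{44}, a_{43}[1], a_{42}, a_{41}, a_{40}, a_{39}[11]$ |
| 47 | $m'_4$ | 0 | $a_{47}, a_{46}, a_{45}, a_{44}, a_{43}[1], a_{42}, a_{41}, a_{40}$ |
| 48 | $m_8$ | 0 | $a_{48}, a_{47}, a_{46}, a_{45}, a_{44}, a_{43}[1], a_{42}, a_{41}$ |
| 49 | $m_{30}$ | 0 | $a_{49}, a_{48}, a_{47}, a_{46}, a_{45}, a_{44}, a_{43}[1], a_{42}$ |
| 50 | $m_3$ | 0 | $a_{50}, a_{49}, a_{48}, a_{47}, a_{46}, a_{45}, a_{44}, a_{43}[1]$ |
| 51 | $m_{21}$ | $2^{21}$ | $a_{51}[22], a_{50}, a_{49}, a_{48}, a_{47}, a_{46}, a_{45}, a_{44}$ |
| 52 | $m_9$ | 0 | $a_{52}, a_{51}[22], a_{50}, a_{49}, a_{48}, a_{47}, a_{46}, a_{45}$ |
| 53 | $m_{17}$ | 0 | $a_{53}, a_{52}, a_{51}[22], a_{50}, a_{49}, a_{48}, a_{47}, a_{46}$ |
| 54 | $m_{24}$ | 0 | $a_{54}, a_{53}, a_{52}, a_{51}[22], a_{50}, a_{49}, a_{48}, a_{47}$ |
| 55 | $m_{29}$ | 0 | $a_{55}, a_{54}, a_{53}, a_{52}, a_{51}[22], a_{50}, a_{49}, a_{48}$ |
| 56 | $m_6$ | 0 | $a_{56}, a_{55}, a_{54}, a_{53}, a_{52}, a_{51}[22], a_{50}, a_{49}$ |
| 57 | $m_{19}$ | 0 | $a_{57}, a_{56}, a_{55}, a_{54}, a_{53}, a_{52}, a_{51}[22], a_{50}$ |
| 58 | $m_{12}$ | 0 | $a_{58}, a_{57}, a_{56}, a_{55}, a_{54}, a_{53}, a_{52}, a_{51}[22]$ |
| 59 | $m_{15}$ | $2^{10}$ | $a_{59}[11], a_{58}, a_{57}, a_{56}, a_{55}, a_{54}, a_{53}, a_{52}$ |
| 60 | $m_{13}$ | 0 | $a_{60}, a_{59}[11], a_{58}, a_{57}, a_{56}, a_{55}, a_{54}, a_{53}$ |
| 61 | $m_2$ | 0 | $a_{61}, a_{60}, a_{59}[11], a_{58}, a_{57}, a_{56}, a_{55}, a_{54}$ |
| 62 | $m_{25}$ | 0 | $a_{62}, a_{61}, a_{60}, a_{59}[11], a_{58}, a_{57}, a_{56}, a_{55}$ |
| 63 | $m_{31}$ | 0 | $a_{63}, a_{62}, a_{61}, a_{60}, a_{59}[11], a_{58}, a_{57}, a_{56}$ |
| 64 | $m_{27}$ | 0 | $a_{64}, a_{63}, a_{62}, a_{61}, a_{60}, a_{59}[11], a_{58}, a_{57}$ |
| 65 | $m_{19}$ | 0 | $a_{65}, a_{64}, a_{63}, a_{62}, a_{61}, a_{60}, a_{59}[11], a_{58}$ |
| 66 | $m_9$ | 0 | $a_{66}, a_{65}, a_{64}, a_{63}, a_{62}, a_{61}, a_{60}, a_{59}[11]$ |
| 67 | $m'_4$ | 0 | $a_{67}, a_{66}, a_{65}, a_{64}, a_{63}, a_{62}, a_{61}, a_{60}$ |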
The conditions that ensure the differences of the other steps can be deduced similarly. In Section 4, in order to decrease the computational complexity, using neighborhood modification, the tunnel idea and relieving the besieged by attacking the base of the besieger, we will add some extra conditions to the $a_2$–$a_{32}$-th steps. These conditions are marked by a superscript A. Summing up all the conditions, we obtain Table 3. It can be verified that these conditions are sufficient for all the differential characteristics in the collision.
4. According to the conditions in Table 3, we give the attack algorithm for the first pass of HAVAL.
Pregenerate $m$. We first randomly choose $a_1, a_2, \ldots, a_{32}$ which satisfy the conditions of Table 3, then compute $p_i$, $i = 0, 1, \ldots, 31$, and finally compute $m_i$. The program is as follows:
For $i = 0$ to $31$ {
    $p_i = f_1\Phi_1(a_{i-6}, a_{i-5}, a_{i-4}, a_{i-3}, a_{i-2}, a_{i-1}, a_i)$
    $r_i = (p_i \gg 7) + (a_{i-7} \gg 11)$
    $m_i = a_{i+1} - r_i$   // generate $m_i$
}.
4 Four kinds of message modification method
Although $m$ and $m'$ satisfy all the conditions in pass 1 after the computation in the last part of Section 3, there are 47 conditions on steps 33-62 in Table 3, so $(m, m')$ is a collision with probability $2^{-47}$. In order to improve the probability of collision, we use four tricks of message modification.
4.1 Advanced modifications of $m_i$
Advanced modification was proposed by Wang [3,4]. For example, since $a_{33} = (f_2(\Phi_2(a_{26}, a_{27}, a_{28}, a_{29}, a_{30}, a_{31}, a_{32})) \gg 7) + (a_{25} \gg 11) + m_5 + k_{2,0}$, if $a_{33,12} \ne 1$, then $a_{6,12} = a_{6,12} \oplus 1$ and we get a new $a_6$. According to the new $a_6$, we successively recompute new $m_5, m_6, m_7, m_8, m_9, m_{10}, m_{11}, m_{12}, m_{13}$. This modification only changes the 12-th bit of $a_6$ and does not affect the other $a_i$ in pass 1.
Table 3 The conditions under which $(m, m')$ is a collision

| step | The conditions of the chaining variable $a_i$ |
|---|---|
| 1-2 | $a_{1,20} = 0$, $a_{1,21} = 0$, $a_{1,32} = 0$, $a_{2,19} = 0$, $a_{2,25} = 0$, $a_{2,27} = 0$, $a_{2,28} = 0$, $a_{2,26} = 1$ |
| 3 | $a_{3,20} = a_{3,21} = 0$, $a_{3,32}a_{2,32} = 0$, $a^A_{3,1} = 1$, $a^A_{3,11} = 1$, $a_{3,27} = 1 + a_{1,27}$ |
| 4 | $a_{4,19} = 0$, $a^A_{4,22} = 0$, $a_{4,27} = 1$, $(a_{3,26} \oplus 1)(a_{4,26} \oplus 1) = 0$, $a_{4,32} = a_{3,32}$ |
| 5 | $a_{5[13 \cdots 16]} = 0$, $a_{5,32} = 0$, $a_{5,27} = 1$, $a_{5[25,26,28]} = a_{4[25,26,28]}$ |
| 6 | $a^A_{6,22} = 0$, $a_{6,28} = 0$, $a_{6,32} = 0$, $a_{6[25 \cdots 27]} = 1$, $a_{6,20} = a_{5,20}$, $a_{6,21} = a_{5,21}$ |
| 7 | $a^A_{7,1} = 0$, $a_{7[6 \cdots 9]} = 0$, $a^A_{7,11} = 0$, $a_{7[14 \cdots 16]} = 0$, $a_{7,21} = 0$, $a_{7[25 \cdots 28]} = 0$, $a_{7,13} = 1$, $a_{7,20} = 1$, $a_{7,32} = 1$, $a_{7,19} = a_{6,19}$ |
| 8 | $a^A_{8,1} = 0$, $a_{8,19} = 0$, $a_{8,21} = 0$, $a_{8,20} = 1$, $a_{8[25 \cdots 28]} = 1$ |
| 9 | $a_{9[6 \cdots 9]} = 0$, $a^A_{9,11} = 0$, $a_{9,12} = 0$, $a_{9,19} = 0$, $a_{9,32} = 0$, $a_{9,20} = 1$, $a_{9,21} = 1$ |
| 10 | $a^A_{10,12} = 0$, $a_{10[25 \cdots 28]} = 0$, $a_{10,19} = 1$, $a_{10[13 \cdots 16]} = a_{9[13 \cdots 16]}$, $(a_{10,13} \oplus 1)(a_{8,13} \oplus 1) = 0$, $a_{4,20}a_{10,20} + a_{5,20} = 1$ |
| 11 | $a_{11,12} = 0$, $a_{11,16} = 0$, $a_{11[20,21]} = 0$, $a_{11,32} = 0$, $a_{11[13 \cdots 15]} = 1$, $a^A_{11,11} = a_{10,11}$ |
| 12 | $a_{12[13 \cdots 15]} = 0$, $a_{12,19} = 0$, $a_{12[25 \cdots 27]} = 0$, $a_{12,16} = 1$, $a^A_{12,22} = 1$, $a_{12,28} = 1$, $a_{12[6 \ldots 9]} = a_{11[6 \ldots 9]}$ |
| 13 | $a_{13,9} = 0$, $a^A_{13,11} = 0$, $a^A_{13,12} = 0$, $a_{13,15} = 0$, $a_{13,20} = 0$, $a_{13[6 \cdots 8]} = 1$, $a_{13[13,14,16]} = 1$, $a_{13,21} = 1$, $a_{13,1} = a_{12,1}$ |
| 14 | $a_{14[6 \ldots 9]} = 0$, $a^A_{14,11} = 0$, $a^A_{14,12} = 0$, $a_{14,19} = 1$, $a_{14,15}a_{10,15} = 0$, $a_{8,16}a_{14,16} + a_{9,16} = 1$ |
| 15-16 | $a_{15[13 \cdots 16]} = 0$, $a_{15,27} = 0$, $a_{15[6 \ldots 9]} = 1$, $a_{15,12} = 1$, $a_{16,12} = 0$, $a^A_{16,22} = 0$, $a^A_{16,1} = 1$ |
| 17 | $a_{17,1} = 0$, $a_{17[6 \ldots 8]} = 0$, $a_{17[13 \cdots 16]} = 0$, $a_{17,27} = 0$, $a_{17,9} = 1$, $a_{17,12} = 1$ |
| 18 | $a^A_{18,11} = 0$, $a^A_{18,12} = 0$, $a_{16,9} + a_{12,9}a_{18,9} = 1$ |
| 19-20 | $a_{19,1} = 0$, $a_{19[6 \ldots 9]} = 0$, $a_{19,12} = 0$, $a^A_{20,1} = 0$, $a_{20,27} = a_{19,27}$ |
| 21-24 | $a_{21,12} = 0$, $a_{21,27} = 0$, $a_{22,27} = 0$, $a_{22,1} = a_{21,1}$, $a_{23[16 \cdots 19]} = 0$, $a_{23,1} = 1$, $a_{23,27} = 1$, $a_{24,1} = 0$ |
| 25 | $a_{25[16 \cdots 19]} = 0$, $a^A_{25,22} = a^A_{25,23} = 0$, $a_{25,27} = 0$, $a_{25,1} = 1$ |
| 27-28 | $a_{27[16 \cdots 19]} = 0$, $a^A_{27,23} = 0$, $a_{27,27} = 0$, $a_{28[16 \cdots 19]} = 0$, $a_{28,22} = 1$ |
| 29 | $a_{29,1} = 0$, $a_{29,19} = 0$, $a_{29,16} = a_{29,17} = a_{29,18} = 1$, $a^A_{29,23} = 1$ |
| 30 | $a_{30,22} = 0$, $a^A_{30,23} = 0$, $a_{30,12} = 1$, $a_{30[16 \cdots 19]} = 1$, $a_{27,29}a_{29,29} \oplus a^A_{30,29} = 1$ |
| 31 | $a_{31[16 \cdots 19]} = 0$, $a_{31,22} = 1$, $a^A_{31,23} = 1$ |
| 32 | $a_{32,19} = 0$, $a_{32,12} = 1$, $a_{32,16} = a_{32,17} = a_{32,18} = 1$, $a_{32,22} = 1$, $a^A_{32,23} = 1$ |
| 33-34 | $a_{33,22} = 0$, $a_{33,12} = 1$, $a_{33,16} = a_{33,17} = a_{33,18} = 1$, $a_{34,11} = 0$, $a_{34,22} = 1$, $a^N_{34,12} = 0$ |
| 35-37 | $a_{35,12} = 0$, $a^N_{35,22} = 1$, $a^N_{36,11} = 1$, $a_{36,12} = 1$, $a_{37,11} = 0$, $a_{37,12} = 0$ |
| 38-40 | $a^N_{38,1} = 0$, $a_{38,11} = 0$, $a_{38,12} = 1$, $a_{39,11} = 1$, $a_{39,12} = 1$, $a^N_{40,1} = 1$, $a_{40,11} = 1$ |
| 41-44 | $a_{41,1} = 0$, $a_{41,11} = 0$, $a^S_{42,1} = 0$, $a^S_{42,11} = 1$, $a^S_{43,1} = 0$, $a^S_{43,11} = 1$, $a^S_{44,1} = 1$ |
| 45-50 | $a^S_{45,1} = 0$, $a^S_{46,1} = 1$, $a^N_{46,22} = 0$, $a^S_{47,1} = 1$, $a^S_{48,22} = 1$, $a^S_{49,22} = 0$, $a^S_{50,22} = 0$ |
| 51-56 | $a_{51,22} = 0$, $a_{52,22} = 1$, $a^S_{53,22} = 0$, $a^S_{54,22} = 1$, $a^S_{55,22} = 1$, $a_{54,11}a^S_{56,11} = 0$ |
| 57-62 | $a^S_{57,11} = 0$, $a^S_{58,11} = 0$, $a^S_{59,11} = 0$, $(a_{56,11} + 1)a^S_{60,11} = 0$, $a^S_{61,11} = 0$, $a^S_{62,11} = 0$ |
After the modification, $a_{33,12}$ changes from 0 to 1, and all the conditions in the first pass remain unchanged. The program is as follows:
If $a_{33,12} \ne 1$, then $a_{6,12} = a_{6,12} \oplus 1$, for $i = 5$ to $13$ {
    $p_i = f_1\Phi_1(a_{i-6}, a_{i-5}, a_{i-4}, a_{i-3}, a_{i-2}, a_{i-1}, a_i)$
    $r_i = (p_i \gg 7) + (a_{i-7} \gg 11)$
    $m_i = a_{i+1} - r_i$   // regenerate $m_i$
}
$a_{33} = (p_{33} \gg 7) + (a_{26} \gg 11) + m_5 + k_{2,0}$.
If the new $a_{33}$ does not satisfy $a_{33,16} = 1$, a similar program can be run for $a_{33,16} = 1$ on the new $a_{33}$, and so on for $a_{33,17} = 1$, $a_{33,18} = 1$.
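The pre-generation of $m$ at the end of Section 3 and the $a_{6,12}$ modification above both solve the pass-1 step formula for the message words. The Python code below is an added example, not the authors' program: it uses only the pass-1 definitions and initial values from Section 2, imposes a small constructed subset of the Table 3 conditions, and checks the step 5 and step 6 differences of Table 2. The names `CONDITIONS`, `pregenerate`, `first_differences` and `flip_and_regenerate` are illustrative.

```python
import random

MASK = 0xFFFFFFFF
OFF = 7  # s[i + OFF] holds a_i; a_0, a_-1, ..., a_-7 are the IV words a, b, ..., h
IV = [0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
      0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89]

# Constructed subset of the Table 3 conditions: {step: {bit (1-based): value}}.
# a_{2,32} = 0 is one way to satisfy a_{3,32} a_{2,32} = 0.
CONDITIONS = {1: {32: 0}, 2: {32: 0}, 5: {32: 0},
              6: {25: 1, 26: 1, 27: 1, 28: 0}}


def rotr(x, n):
    """Circular right shift of a 32-bit word."""
    return ((x >> n) | (x << (32 - n))) & MASK


def f1phi1(x6, x5, x4, x3, x2, x1, x0):
    """Pass-1 Boolean function f1(Phi1(...)) from Section 2, bitwise on words."""
    return (x2 & x3) ^ (x0 & x6) ^ (x1 & x5) ^ (x2 & x4) ^ x4


def r_no_msg(s, i):
    """(p_i >>> 7) + (a_{i-7} >>> 11), i.e. a_{i+1} - m_i in pass 1 (k_{1,i} = 0)."""
    p = f1phi1(*s[i - 6 + OFF:i + 1 + OFF])  # arguments a_{i-6}, ..., a_i
    return (rotr(p, 7) + rotr(s[i - 7 + OFF], 11)) & MASK


def forward_pass1(m):
    """Run steps 1-32 on message words m_0..m_31 starting from the IV."""
    s = list(reversed(IV))  # a_-7 = h, ..., a_-1 = b, a_0 = a
    for i in range(32):
        s.append((r_no_msg(s, i) + m[i]) & MASK)  # a_{i+1}
    return s


def pregenerate(seed, conditions=CONDITIONS):
    """Choose a_1..a_32 under the bit conditions, then solve m_i = a_{i+1} - r_i."""
    rng = random.Random(seed)
    s = list(reversed(IV))
    for step in range(1, 33):
        v = rng.getrandbits(32)
        for bit, val in conditions.get(step, {}).items():
            v = (v & ~(1 << (bit - 1)) & MASK) | (val << (bit - 1))
        s.append(v)
    m = [(s[i + 1 + OFF] - r_no_msg(s, i)) & MASK for i in range(32)]
    return s, m


def first_differences(s, m):
    """Apply Delta m_4 = 2^31; return (Delta a_5, Delta a_6, a_6 XOR a'_6)."""
    m2 = list(m)
    m2[4] = (m2[4] + (1 << 31)) & MASK
    s2 = forward_pass1(m2)
    d5 = (s2[5 + OFF] - s[5 + OFF]) & MASK
    d6 = (s2[6 + OFF] - s[6 + OFF]) & MASK
    return d5, d6, s[6 + OFF] ^ s2[6 + OFF]


def flip_and_regenerate(s, m, k, bit):
    """Flip bit `bit` (1-based) of a_k and recompute m_{k-1}..m_{k+7}, the only
    words whose step formula involves a_k, so all other a_i stay unchanged."""
    s, m = list(s), list(m)
    s[k + OFF] ^= 1 << (bit - 1)
    for i in range(k - 1, min(k + 7, 31) + 1):
        m[i] = (s[i + 1 + OFF] - r_no_msg(s, i)) & MASK
    return s, m


if __name__ == "__main__":
    s, m = pregenerate(seed=2012)
    assert forward_pass1(m) == s  # the solved words reproduce a_1..a_32
    print([hex(d) for d in first_differences(s, m)])
    s2, m2 = flip_and_regenerate(s, m, k=6, bit=12)  # the a_{6,12} flip of Section 4.1
    assert forward_pass1(m2) == s2
    print("changed words:", [i for i in range(32) if m[i] != m2[i]])
    print("shift of m_5 (and of a_33):", hex((m2[5] - m[5]) & MASK))
```

Because $m_5$ enters $a_{33}$ additively, the shift of $\pm 2^{11}$ in $m_5$ is also the shift of $a_{33}$, which is what toggles $a_{33,12}$ without needing the pass-2 constants.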
4.2 Neighborhood modification
If $a_{33,22} = 0$ is not satisfied, since in Table 3 $a_{6,22}$ has been fixed to 0, we cannot modify $a_{6,22}$ any more. We now propose another idea named neighborhood modification, that is, to modify $a_{32}$, which neighbors $a_{33}$. Note that in $p_{32} = f_2(\Phi_2(a_{26}, \ldots, a_{31}, a_{32}))$, $a_{32}$ acts as $x_0$, and $f_2(\Phi_2(x_6, x_5, x_4, x_3, x_2, x_1, x_0 \oplus 1)) \oplus f_2(\Phi_2(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) = x_3x_5 \oplus x_2$. In order to ensure that the modification of $x_0$ results in a change of $f_2(\Phi_2)$, we fix $x_3x_5 \oplus x_2$ to 1, so we add the condition $a_{27,29}a_{29,29} \oplus a_{30,29} = 1$ to Table 3.
The algorithm is: if $a_{33,22} = 0$, then $a_{32,29} = a_{32,29} \oplus 1$, and recompute $m_{31} = a_{32} - r_{32}$ and $a_{33} = (p_{32} \gg 7) + (a_{25} \gg 11) + m_5 + k_{2,0}$.
As to step 34, if $a_{34,11} = 0$ or $a_{34,22} = 1$ cannot be satisfied, we can use advanced modifications on $m_{14}$. However, for $a_{34,12} = 0$, since $a_{15,12}$ has been fixed to 1 in Table 3, we cannot modify $a_{15,12}$, but have to select another series of $a_1, \ldots, a_{32}$. So we mark it as $a^N_{34,12} = 0$, and the same applies to the following similar conditions in Table 3.
4.3 Relieving the besieged by attacking the base of the besieger
For example, since $a_{35} = (f_2(\Phi_2(a_{28}, \ldots, a_{34})) \gg 7) + (a_{27} \gg 11) + m_{26} + k_{2,2}$, we can modify either $a_{27}$ or $m_{26}$. Our goal is not to modify $a_{27}$, but $m_{26}$, which means that to solve this problem is to modify $a_{19}$ and hence modify $m_{18}, m_{26}$ as a result. The increments of $a_{19}$ and $m_{26}$ will counteract each other in the formula $a_{27} = (f_1(\Phi_1(a_{20}, \ldots, a_{26})) \gg 7) + (a_{19} \gg 11) + m_{26}$ when computing $a_{27}$. We call this method relieving the besieged by attacking the base of the besieger, an ancient Chinese strategy.
Note. The difference at $a_{35,22}$ comes from the difference at $a_{19,1}$, and the difference at $a_{35,12}$ comes from the difference at $a_{19,23}$. Taking into account the probability of occurrences of carries, we should consider $a_{35,22}$ first. If $a_{35,22} \ne 1$, since $a_{19,1} = 0$ is a previously fixed condition in Table 3, we cannot modify $a_{19,1}$ any more, so we have to reselect another series of $a_1, \ldots, a_{32}$.
If $a_{35,12} \ne 0$, then $a_{19,23} = a_{19,23} \oplus 1$, and recompute $m_{18}, m_{19}, \ldots, m_{26}$ according to the new $a_{19}$.
$a_{19} = (f_1(\Phi_1(a_{12}, \ldots, a_{18})) \gg 7) + (a_{11} \gg 11) + m_{18}$,
$a_{20} = (f_1(\Phi_1(a_{13}, \ldots, a_{19})) \gg 7) + (a_{12} \gg 11) + m_{19}$,
$a_{21} = (f_1(\Phi_1(a_{14}, \ldots, a_{19}, a_{20})) \gg 7) + (a_{13} \gg 11) + m_{20}$,
$\ldots$
$a_{26} = (f_1(\Phi_1(a_{19}, \ldots, a_{25})) \gg 7) + (a_{18} \gg 11) + m_{25}$,
$a_{27} = (f_1(\Phi_1(a_{20}, \ldots, a_{26})) \gg 7) + (a_{19} \gg 11) + m_{26}$.
According to the above relations, the program should be as follows:
If $a_{35,12} \ne 0$, then $a_{19,23} = a_{19,23} \oplus 1$, for $i = 18$ to $26$ {
    $p_i = f_1\Phi_1(a_{i-6}, a_{i-5}, a_{i-4}, a_{i-3}, a_{i-2}, a_{i-1}, a_i)$
    $r_i = (p_i \gg 7) + (a_{i-7} \gg 11)$
    $m_i = a_{i+1} - r_i$   // regenerate $m_i$
}.
At last, we recompute $a_{35} = (p_{35} \gg 7) + (a_{27} \gg 11) + m_{26} + k_{2,2}$ according to the new $m_{26}$.
4.4 The tunnel idea
As to step 36, we use the Tunnel idea, which is the improved advanced modification proposed by Klima [7]. If $a_{36}$ does not satisfy the conditions, we modify $a_{28}$ and get the modification of $m_{27}$, but doing so should have no impact on the $a_i$ of pass 2, that is, $a_{33}, a_{34}, a_{35}$. For example, considering step 33, in the Boolean function $f_2\Phi_2$, $a_{28}$ acts as $x_4$ and $a_{27}$ acts as $x_5$. Since $f_2(\Phi_2(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) \oplus f_2(\Phi_2(x_6, x_5, x_4 \oplus 1, x_3, x_2, x_1, x_0)) = x_5$, in order to ensure that the modification of $a_{28}$ has no influence on $a_{33}$, the condition $a_{27,23} = 0$ should be added to Table 3. Finally, we get the conditions $a_{27,23} = 0$, $a_{30,23} = 0$, $a_{31,23} = 1$, $a_{32,23} = 1$, $a_{29,23} = 1$. The program is as follows:
If $a_{36,12} \ne 1$, then $a_{28,23} = a_{28,23} \oplus 1$, for $i = 27$ to $31$ {
    $p_i = f_1\Phi_1(a_{i-6}, a_{i-5}, a_{i-4}, a_{i-3}, a_{i-2}, a_{i-1}, a_i)$
    $r_i = (p_i \gg 7) + (a_{i-7} \gg 11)$
    $m_i = a_{i+1} - r_i$   // regenerate $m_i$
}
$a_{36} = (p_{36} \gg 7) + (a_{28} \gg 11) + m_{18} + k_{2,3}$.

Table 4 The modification method from 33 to 62 steps
Step: 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
Message’s order: 5 14 26 18 11 28 7 16 0 23 20 22 1 10 4
Modify method: A A √ √ T T T T T N N N N N N
Step: 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62
Message’s order: 8 30 3 21 9 17 24 29 6 19 12 15 13 2 25
Modify method: N N N √ T N N N N N N N N N N
As to step 37, since $a_{37} = (f_2(\Phi_2(a_{30}, \ldots, a_{36})) \gg 7) + (a_{29} \gg 11) + m_{11} + k_{2,4}$, we can modify $m_{11}$, i.e.,
modify $a_{12}$. The modification of $a_{12}$ may lead to a modification of the series $m_{12}, m_{13}, m_{14}, m_{15}, m_{16},
m_{17}, m_{18}, m_{19}$, but the modification of $m_{14}$, $m_{18}$ will result in a modification of $a_{34}, a_{36}, \ldots$, and
consequently the system will go into a dead loop. In order to avoid looping, we deduce the conditions under
which the modification of $a_{12}$ does not affect $m_{14}$ and $m_{18}$. In the formula for computing $a_{15}$ ($m_{14}$),
$a_{12}$ acts as $x_2$ in function $f_1\Phi_1$. To ensure that the change of $x_2$ has no effect on $f_1\Phi_1$, there must
be $x_3 \oplus x_4 = 0$, that is, $a_{11,11} = a_{10,11}$, $a_{11,12} = a_{10,12}$. We add the two conditions to Table 3, and mark
these conditions in green. Similarly, for $m_{18}$, we have $a_{18,11} = 0$, $a_{18,12} = 0$.
$a_{13} = (f_1(\Phi_1(a_6, \ldots, a_{12})) \gg 7) + (a_5 \gg 11) + m_{12}$,
$a_{14} = (f_1(\Phi_1(a_7, \ldots, a_{12}, a_{13})) \gg 7) + (a_6 \gg 11) + m_{13}$,
$a_{15} = (f_1(\Phi_1(a_8, \ldots, a_{12}, a_{13}, a_{14})) \gg 7) + (a_7 \gg 11) + m_{14}$,
$a_{16} = (f_1(\Phi_1(a_9, \ldots, a_{12}, \ldots, a_{15})) \gg 7) + (a_8 \gg 11) + m_{15}$,
$a_{17} = (f_1(\Phi_1(a_{10}, a_{11}, a_{12}, \ldots, a_{16})) \gg 7) + (a_9 \gg 11) + m_{16}$,
$a_{18} = (f_1(\Phi_1(a_{11}, a_{12}, \ldots, a_{17})) \gg 7) + (a_{10} \gg 11) + m_{17}$,
$a_{19} = (f_1(\Phi_1(a_{12}, \ldots, a_{18})) \gg 7) + (a_{11} \gg 11) + m_{18}$,
$a_{20} = (f_1(\Phi_1(a_{13}, \ldots, a_{19})) \gg 7) + (a_{12} \gg 11) + m_{19}$.
The program should be as follows:
If $a_{37,11} \neq 0$, then $a_{12,11} = a_{12,11} \oplus 1$, for $i = 11, 12, 13, 15, 16, 17, 19$ {
$p_i = f_1\Phi_1(a_{i-6}, a_{i-5}, a_{i-4}, a_{i-3}, a_{i-2}, a_{i-1}, a_i)$
$r_i = (p_i \gg 7) + (a_{i-7} \gg 11)$
$m_i = a_{i+1} - r_i$ //regenerate $m_i$
}
$a_{37} = (p_{37} \gg 7) + (a_{29} \gg 11) + m_{11} + k_{2,4}$.
If the new $a_{37}$ does not satisfy $a_{37,12} = 0$, a similar program is run for the new $a_{37}$.
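The two cancellation arguments above (the five tunnel conditions for step 36, and the conditions on $a_{10}$, $a_{11}$, $a_{18}$ for step 37) can be checked exhaustively on single bits. The following Python code is an added example, not code from the paper; it assumes the definitions of f1, f2 and the 3-pass permutations from the HAVAL specification [1], which this part of the paper does not restate, and all function names are illustrative.

```python
from itertools import product

# HAVAL Boolean functions on single bits, argument order (x6, ..., x0).
# Assumption: definitions taken from the HAVAL specification [1].
def f1(x6, x5, x4, x3, x2, x1, x0):
    return (x1 & x4) ^ (x2 & x5) ^ (x3 & x6) ^ (x0 & x1) ^ x0

def f2(x6, x5, x4, x3, x2, x1, x0):
    return ((x1 & x2 & x3) ^ (x2 & x4 & x5) ^ (x1 & x2) ^ (x1 & x4)
            ^ (x2 & x6) ^ (x3 & x5) ^ (x4 & x5) ^ (x0 & x2) ^ x0)

# 3-pass permutations: argument slot j (slots ordered x6..x0) gets x_{PHI[j]}.
PHI1 = (1, 0, 3, 5, 6, 2, 4)
PHI2 = (4, 2, 1, 0, 5, 3, 6)

def compose(f, phi):
    """f(Phi(x6, ..., x0)) as a function of a sequence x with x[k] = x_k."""
    return lambda x: f(*(x[k] for k in phi))

def derivative_is(g, k, expected, fixed=None):
    """True if g(x) ^ g(x with x_k flipped) == expected(x) for every input
    x that satisfies the bit conditions in `fixed` ({index: bit})."""
    for x in product((0, 1), repeat=7):
        if all(x[j] == b for j, b in (fixed or {}).items()):
            y = list(x)
            y[k] ^= 1
            if g(x) ^ g(y) != expected(x):
                return False
    return True

# Bit 23 of a_27 .. a_32: the five tunnel conditions listed in the text.
TUNNEL = {27: 0, 29: 1, 30: 0, 31: 1, 32: 1}

def step_view(step, conds):
    """Map conditions on a_j to x_k for one step, where x_k = a_{step-1-k}."""
    return {step - 1 - j: b for j, b in conds.items() if 0 <= step - 1 - j <= 6}

def tunnel_holds(conds=TUNNEL, flipped=28, steps=(33, 34, 35)):
    """True if flipping the a_28 bit leaves f2.Phi2 unchanged in every step."""
    g = compose(f2, PHI2)
    return all(derivative_is(g, s - 1 - flipped, lambda x: 0, step_view(s, conds))
               for s in steps)

if __name__ == "__main__":
    g1, g2 = compose(f1, PHI1), compose(f2, PHI2)
    print("f2.Phi2: flipping x4 changes output by x5:", derivative_is(g2, 4, lambda x: x[5]))
    print("tunnel conditions absorb the a28 flip:", tunnel_holds())
    print("f1.Phi1: flipping x2 changes output by x3^x4:", derivative_is(g1, 2, lambda x: x[3] ^ x[4]))
    print("f1.Phi1: flipping x6 changes output by x0:", derivative_is(g1, 6, lambda x: x[0]))
```

Removing any one of the five entries from `TUNNEL` makes `tunnel_holds` return False, so under these definitions none of the listed conditions is redundant.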
The modification methods for steps 38 to 62 can be determined similarly. Here we list the message
modification method for each of them, where A, T, √ and N refer to advanced modification, the tunnel idea, relieving
the besieged by attacking the base of the besieger, and steps that cannot be modified and must be searched randomly,
respectively. We mark the conditions on the steps that cannot be modified with a superscript S,
meaning that they must be searched exhaustively (see Table 4).
5 Computational complexity
The conditions on steps 1–32 can be satisfied naturally by fixing the corresponding bits of ai. The
non-superscripted conditions on steps 33–62 can be satisfied by advanced modification, neighborhood
modification, tunnel idea and relieving the besieged by attacking the base of the besieger. Summing up
the conditions with superscripts N or S on steps 33–62, there are 27 conditions in total. The probability
of $(a_{56,11} + 1)a_{60,11} = 0$ and that of $a_{54,11}a_{56,11} = 0$ are both equal to $\frac{3}{4}$, and the search ends at the
62nd step at most, which is still in the second pass; hence the computational complexity is less than
$2^{25} \times (\frac{4}{3})^2 \approx 2^{25.83}$ 2-pass HAVAL computations.
Table 5 Two pairs of one bit difference collision for HAVAL-128
M1 10b69da6 f332b024 d817b166 90028f76 38083a40 fee7a645 3f379dc7 67eb432c 4ee00ff2 8b456516
a456a264 4a6c8cdd b2cff58b 0ccd2544 219f1088 89c6c158 c70af062 c306fc81 e5899b4e 4ca6cb0f
b5574dc6 311e56e4 d18c0e04 453b1e22 58a068c0 080ec5de 061a69e4 c52024db d1f67945 62a787c5
637c1442 b07d27af
M′1 10b69da6 f332b024 d817b166 90028f76 B8083a40 fee7a645 3f379dc7 67eb432c 4ee00ff2 8b456516
a456a264 4a6c8cdd b2cff58b 0ccd2544 219f1088 89c6c158 c70af062 c306fc81 e5899b4e 4ca6cb0f
b5574dc6 311e56e4 d18c0e04 453b1e22 58a068c0 080ec5de 061a69e4 c52024db d1f67945 62a787c5
637c1442 b07d27af
H1 a904d0e0 19099ca2 fa16bdca 7c6b612a
M2 00361520 33187de3 f3f6ec98 469d9079 5828a3ec 338d4c7c fa767472 d26c3b0e 9ea4d8d9 1ce91782
923093d0 9c16084d 70e63f2d e61ade1f e13e96b9 a14b2849 cc10cca6 afb3c021 29a6edf6 35955713
4400db75 fa4376bb 676c5c6a 2dd1b40e 0d31b354 3c45d1b1 447ec497 7edb538e b2de29ec c8c958c5
c9e57a70 4256d1b7
M′2 00361520 33187de3 f3f6ec98 469d9079 D828a3ec 338d4c7c fa767472 d26c3b0e 9ea4d8d9 1ce91782
923093d0 9c16084d 70e63f2d e61ade1f e13e96b9 a14b2849 cc10cca6 afb3c021 29a6edf6 35955713
4400db75 fa4376bb 676c5c6a 2dd1b40e 0d31b354 3c45d1b1 447ec497 7edb538e b2de29ec c8c958c5
c9e57a70 4256d1b7
H2 da4d3e47 141253d5 dc76b66a 4ca9eddc
6 Examples and conclusions
At the end of this paper, we give two examples of collisions for HAVAL-128 in Table 5; the two messages
of each colliding pair differ at only one position, such that $m' = m + (0, 0, 0, 0, 2^{31}, 0, \ldots, 0)$.
In this paper, we give a new attack against 3-pass HAVAL with only one bit difference. We propose
a new difference path and the neighborhood modification, and provide two new collision examples for
HAVAL-128.
Acknowledgements
This work was supported by the National Natural Science Foundation of China (Grant No. 60970004, 61173134,
61272434), the Natural Science Foundation of Shandong Province (Grant No. ZR2011FQ032, ZR2012FM004),
the Project of Shandong Province Higher Educational Science and Technology Program (Grant No. J11LG33),
and the Project of Senior Visiting Scholar of Shandong Province.
References
1 Zheng Y L, Pieprzyk J, Seberry J. HAVAL - a one-way hashing algorithm with variable length of output. In: Seberry J, Zheng Y L, eds. Advances in Cryptology, Auscrypt'92 Proceedings. LNCS, Vol 718. Berlin: Springer-Verlag, 1993. 83–104
2 Van R B, Biryukov A, Preneel B, et al. Cryptanalysis of 3-pass HAVAL. In: Laih C-S, ed. Advances in Cryptology - ASIACRYPT 2003. LNCS, Vol 2894. Berlin: Springer-Verlag, 2003. 228–245
3 Wang X Y, Yu H B. How to break MD5 and other hash functions. In: Cramer R, ed. Advances in Cryptology - EUROCRYPT 2005. LNCS, Vol 3494. Berlin: Springer-Verlag, 2005. 19–35
4 Wang X Y, Feng D G, Yu X Y. An attack on hash function HAVAL-128. Sci China Ser F-Inf Sci, 2005, 48: 545–556
5 Xie T, Liu F B, Feng D G. Could the 1-MSB input difference be the fastest collision attack for MD5? Cryptology ePrint Archive, 2008: 230. Available from: http://eprint.iacr.org/2008/230.pdf
6 Liang J, Lai X J. Improved collision attack on hash function MD5. J Comput Sci Technol, 2007, 22: 79–87
7 Klima V. Finding MD5 collisions on a notebook PC using multi-message modifications. Cryptology ePrint Archive, 2005: 102. Available from: http://eprint.iacr.org/2005/102.pdf