Differential Fault Attack On SHACAL-2 And The Encryption Mode Of MD5

Differential fault attack(DFA) is a kind of indirect attack method, and it is a powerful attack on both block ciphers and stream ciphers. DFA was firstly proposed by Biham in 1999, and from then on, it has been applied on many ciphers, such as DES, elliptic curve crytosystems, 3DES, SMS4, ARIA, CLEFIA, AES and so on.This paper mainly studies the differential properties of the nonlinear functions of SHACAL-2 and the Encryption Mode of MD5 by solving the mixed equations. And we apply the differential properties to the differential fault attack on SHACAL-2 and the Encryption Mode of MD5.The main results are listed as follows:(1) For SHACAL-2 algorithm, it is shown that the number of solutions of the differential equation is only related to the weight of the input difference when the difference only appears at the first position of the choice function, or only appears at the first or the second position of the majority function. This observation is applied to the differential fault analysis on SHACAL-2. It is shown from the theory that the efficient differential place is E. The results demonstrate that at least 160 random faults are needed to obtain 512-bit key with successful probability more than 60%, while at least 240 random faults are needed to obtain 512-bit key with successful probability more than 98%.(2) By studying the differential properties of the round functions in the encryption mode of MD5, we proposed a fast algorithm to solve the differential equations. We could give a differential fault analysis on the encryption mode of MD5 from the third last round with the proposed fast algorithm. The results show that if we induce faults from the third last round, 56 random faults are required to obtain 512-bit key successfully on average. However, If we induce the faults from the second last round, 112 random faults are required to obtain 512-bit key successfully on average. Comparing with inducing faults from the second round, it can bring the round of fault attack forward and the number of the faults needed to recover mask keys can be decreased to the half.