
Editorial Board

Supported by NSFC .

Honorary Editor General ZHOU GuangZhao (Zhou Guang Zhao)

Editor General ZHU ZuoYan Institute of Hydrobiology, CAS

Editor-in-Chief LI Wei Beihang University

Executive Associate Editor-in-Chief WANG DongMing Centre National de la Recherche Scientifique

Associate Editors-in-Chief

GUO Lei Academy of Mathematics and Systems Science, CAS

HUANG Ru Peking University

QIN YuWen National Natural Science Foundation of China

SUN ZengQi Tsinghua University

YOU XiaoHu Southeast University

ZHAO QinPing Beihang University

ZHAO Wei University of Macau

Members

CHEN JianEr Texas A&M University

DU Richard LiMin Voxeasy Institute of Technology

GAO Wen Peking University

GE ShuZhi Sam University of Electronic Science and Technology of China

GUO GuangCan University of Science and Technology of China

HAN WenBao PLA Information Engineering University

HE JiFeng East China Normal University

HU WeiWu Institute of Computing Technology, CAS

HU ZhanYi Institute of Automation, CAS

IDA Tetsuo University of Tsukuba

JI YueFeng Beijing University of Posts and Telecommunications

JIN Hai Huazhong University of Science and Technology

JIN YaQiu Fudan University

JING ZhongLiang Shanghai Jiao Tong University

LI Joshua LeWei University of Electronic Science and Technology of China

LIU DeRong Institute of Automation, CAS

LIN HuiMin Institute of Software, CAS

LIN ZongLi University of Virginia

LONG KePing University of Science and Technology Beijing

LU Jian Nanjing University

MEI Hong Peking University

MENG LuoMing Beijing University of Posts and Telecommunications

PENG LianMao Peking University

PENG QunSheng Zhejiang University

SHEN ChangXiang Computing Technology Institute of China Navy

SUN JiaGuang Tsinghua University

TANG ZhiMin Institute of Computing Technology, CAS

TIAN Jie Institute of Automation, CAS

TSAI WeiTek Arizona State University

WANG Ji National University of Defense Technology

WANG JiangZhou University of Kent

WANG Long Peking University

WU YiRong Institute of Electronics, CAS

XIE WeiXin Shenzhen University

XU Jun Tsinghua University

XU Ke Beihang University

YIN QinYe Xi'an Jiaotong University

YING MingSheng Tsinghua University

ZHA HongBin Peking University

ZHANG HuanGuo Wuhan University

ZHOU Dian The University of Texas at Dallas

ZHOU ZhiHua Nanjing University

ZHUANG YueTing Zhejiang University

Editorial Staff SONG Fei FENG Jing ZHAO DongXia

SCIENCE CHINA Information Sciences

Contents Vol. 55 No. 11 November 2012

RESEARCH PAPER

Study on co-occurrence character networks from Chinese essays in different periods ............................................................................. 2417

LIANG Wei, SHI YuMing, TSE Chi K & WANG YanLi

Automatic composition of information-providing web services based on query rewriting ....................................................................... 2428

ZHAO WenFeng, LIU ChuanChang & CHEN JunLiang

A construction method of matroidal networks ............................................................................................................................................ 2445

YUAN Chen, KAN HaiBin, WANG Xin & IMAI Hideki

Communication network designing: Transmission capacity, cost and scalability ..................................................................................... 2454

ZHANG GuoQiang & ZHANG GuoQing

Corner occupying theorem for the two-dimensional integral rectangle packing problem ......................................................................... 2466

HUANG WenQi, YE Tao & CHEN DuanBing

Round-optimal zero-knowledge proofs of knowledge for NP .................................................................................................................... 2473

LI HongDa, FENG DengGuo, LI Bao & XUE HaiXia

Binary particle swarm optimization with multiple evolutionary strategies ................................................................................................ 2485

ZHAO Jing, HAN ChongZhao & WEI Bin

Communications and control co-design: a combined dynamic-static scheduling approach ...................................................................... 2495

LU ZiBao & GUO Ge

Optimized statistical analysis of software trustworthiness attributes ......................................................................................................... 2508

ZHANG Xiao, LI Wei, ZHENG ZhiMing & GUO BingHui

A new one-bit difference collision attack on HAVAL-128 ........................................................................................................................ 2521

ZHANG WenYing, LI YanYan & WU Lei

Signcryption with fast online signing and short signcryptext for secure and private mobile communication .......................................... 2530

YOUN Taek-Young & HONG Dowon

An ID-based authenticated dynamic group key agreement with optimal round ........................................................................................ 2542

TENG JiKai, WU ChuanKun & TANG ChunMing

Evolutionary ciphers against differential power analysis and differential fault analysis ........................................................................... 2555

TANG Ming, QIU ZhenLong, YANG Min, CHENG PingPan, GAO Si, LIU ShuBo & MENG QinShu

An oblivious fragile watermarking scheme for images utilizing edge transitions in BTC bitmaps ........................................................... 2570

ZHANG Yong, LU ZheMing & ZHAO DongNing

The essential ability of sparse reconstruction of different compressive sensing strategies ........................................................................ 2582

ZHANG Hai, LIANG Yong, GOU HaiLiang & XU ZongBen

Waveform design and high-resolution imaging of cognitive radar based on compressive sensing ........................................................... 2590

LUO Ying, ZHANG Qun, HONG Wen & WU YiRong

An efficient sparse channel estimator combining time-domain LS and iterative shrinkage for OFDM systems with IQ-imbalances ..... 2604

SHU Feng, ZHAO JunHui, YOU XiaoHu, WANG Mao, CHEN Qian & STEVAN Berber

Object registration for remote sensing images using robust kernel pattern vectors ................................................................................... 2611

DING MingTao, JIN Zi, TIAN Zheng, DUAN XiFa, ZHAO Wei & YANG LiJuan

Quasi-linear modeling of gyroresonance between different MLT chorus and geostationary orbit electrons ............................................ 2624

ZHANG ZeLong, XIAO FuLiang, HE YiHua, HE ZhaoGuo, YANG Chang, ZHOU XiaoPing & TANG LiJun

A variational method for contour tracking via covariance matching.......................................................................................................... 2635

WU YuWei, MA Bo & LI Pei

Near lossless compression of hyperspectral images based on distributed source coding .......................................................................... 2646

NIAN YongJian, WAN JianWei, TANG Yi & CHEN Bo

A 10 GHz multiphase LC VCO with a ring capacitive coupling structure ................................................................................................ 2656

CHEN YingMei, WANG Hui, YAN ShuangChao & ZHANG Li


RESEARCH PAPER

SCIENCE CHINA Information Sciences

November 2012 Vol. 55 No. 11: 2521–2529

doi: 10.1007/s11432-012-4619-2

© Science China Press and Springer-Verlag Berlin Heidelberg 2012 info.scichina.com www.springerlink.com

A new one-bit difference collision attack on HAVAL-128

ZHANG WenYing^{1,2,3*}, LI YanYan^{1} & WU Lei^{1}

^{1} School of Information Science and Engineering, Shandong Normal University, Jinan 250014, China;
^{2} State Key Lab of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
^{3} Shandong Provincial Key Laboratory for Novel Distributed Computer Software Technology, Jinan 250014, China

Received January 14, 2012; accepted April 8, 2012

Abstract In this paper, we give a new fast attack on HAVAL-128. Our attack combines several existing methods of constructing hash collisions, and in addition we present a neighborhood modification. We propose a new differential path that differs from the previous ones. The conclusion is that, when the output of each step satisfies our conditions, the message $m$ collides with $m' = m + \Delta m$, where $\Delta m = (0, 0, 0, 0, 2^{31}, 0, \ldots, 0)$; there is only one bit of difference between $m$ and $m'$. Two pairs of collision examples for HAVAL-128 are given. In order to improve the probability of collision, we use four tricks of message modification. The attack's running time is less than $2^{25.83}$ 2-pass HAVAL computations, which is the best result for a one-bit collision of HAVAL so far.

Keywords cryptography, hash function, HAVAL-128, collision, message modification

Citation Zhang W Y, Li Y Y, Wu L. A new one-bit difference collision attack on HAVAL-128. Sci China Inf

Sci, 2012, 55: 2521–2529, doi: 10.1007/s11432-012-4619-2

1 Introduction

HAVAL [1] was presented by Zheng et al. at Auscrypt'92. It can be processed in 3, 4 or 5 passes, and produces a 128-, 160-, 192- or 224-bit fingerprint. On 3-pass HAVAL, Van Rompay et al. gave a collision attack that requires $2^{29}$ computations of the compression function [2]. Their attack finds a 1024-bit collision pair $m = (m_0, \ldots, m_{31})$ and $m' = (m'_0, \ldots, m'_{31})$ with the differential $\Delta m_{28} = 2^0 = 1$ and $\Delta m_i = 0$ for all other $i$. Finding hash collisions has attracted much attention since Wang et al. presented their beautiful work [3] at Crypto 2004. In [4], Wang et al. showed a much better collision attack with $2^7$ computations of the compression function. Their attack finds a one-block collision pair $m = (m_0, \ldots, m_{31})$ and $m' = (m'_0, \ldots, m'_{31})$ with the three-bit differential $\Delta m_0 = 2^{10}$, $\Delta m_{11} = 2^{31}$, $\Delta m_{18} = 2^{3}$, and $\Delta m_i = 0$ for all other $i$.

According to the maximum likelihood principle in communication, small errors occur more often than large ones. On the other hand, in order to avoid arousing the suspicion of the receiver, an intruder prefers to modify as few bits of the message as possible. So, in order to find collisions, it is desirable to modify the message as little as possible; of course, the optimal number of modified bits is one. Practical construction of collisions with a one-bit difference is therefore an interesting problem.

∗Corresponding author (email: [email protected])


In this paper, we give a new one-block attack against 3-pass HAVAL with only a one-bit difference. The conclusion is that, when the output of each step satisfies our conditions, making a one-bit modification to $m$ to obtain $m' = m + \Delta m$, where $\Delta m = (0, 0, 0, 0, 2^{31}, 0, \ldots, 0)$, the message $m$ collides with $m'$. The collision occurs at the 67th step, i.e., the beginning of pass 3. The computational complexity is less than $2^{25.83}$ 2-pass HAVAL computations. We reduce the running time from $2^{29}$ 3-pass HAVAL computations to $2^{25.83}$ 2-pass HAVAL computations, so our result is the best for a one-bit collision of HAVAL so far.

Our attack combines methods of constructing hash collisions such as the modular differential attack, multi-message modification (advanced modification), the tunnel idea [5–7] and an improved tunnel idea, which we call "relieving the besieged by attacking the base of the besieger", after an ancient Chinese strategy. In addition, we present neighborhood modification.

The remainder of this paper is organized as follows. In Section 2, we provide a brief description of 3-pass HAVAL. In Section 3, we give all the differential characteristics and the sufficient conditions that guarantee all the differential characteristics in the collision. In Section 4, in order to decrease the computational complexity, we deduce some extra conditions in pass 1 which ensure that some conditions in pass 2 are satisfied by four message modification methods, and give the algorithm of our attack part by part. In Section 5, we calculate the complexity and give two collision examples. Finally, Section 6 concludes this paper. In this paper we follow the writing style of [4].

2 Description of HAVAL

The purpose of this paper is to break HAVAL with 3 passes, named HAVAL-128, so we only describe HAVAL-128. HAVAL-128 employs three passes. The $i$-th ($i = 1, 2, 3$) pass uses one highly nonlinear Boolean function $f_i \circ \Phi_i$ ($\Phi_i$ being the word permutation of pass $i$ in [1]), which operates bitwise on 32-bit words:

$f_1(\Phi_1(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) = x_2 x_3 \oplus x_0 x_6 \oplus x_1 x_5 \oplus x_2 x_4 \oplus x_4,$

$f_2(\Phi_2(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) = x_0 x_3 x_5 \oplus x_5 x_6 \oplus x_1 x_2 x_5 \oplus x_4 x_5 \oplus x_0 x_2 \oplus x_3 x_5 \oplus x_1 x_3 \oplus x_1 x_2 \oplus x_6,$

$f_3(\Phi_3(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) = x_3 x_4 x_5 \oplus x_2 x_5 \oplus x_1 x_4 \oplus x_3 x_6 \oplus x_0 x_3 \oplus x_0.$

For one 1024-bit block $m$ of the message, the compressing process is as follows:

1. $a_0 = a,\ b_0 = b,\ c_0 = c,\ d_0 = d,\ e_0 = e,\ f_0 = f,\ g_0 = g,\ h_0 = h$, where $(a, b, c, d, e, f, g, h)$ are the initial input parameters for $m$. If $m$ is the first 1024-bit message block to be hashed, the initial values are $a = \mathtt{0x243f6a88}$, $b = \mathtt{0x85a308d3}$, $c = \mathtt{0x13198a2e}$, $d = \mathtt{0x03707344}$, $e = \mathtt{0xa4093822}$, $f = \mathtt{0x299f31d0}$, $g = \mathtt{0x082efa98}$, $h = \mathtt{0xec4e6c89}$. Otherwise, they are the last set of outputs of the previous message block.

2. For $j = 1, 2, 3$ and for $i = 32(j-1),\ 32(j-1)+1,\ \ldots,\ 32(j-1)+31$:

$p_i = f_j(\Phi_j(g_i, f_i, e_i, d_i, c_i, b_i, a_i)),$

$r_i = (p_i \ggg 7) + (h_i \ggg 11) + m_{ord(j,i)} + k_{j,i},$

$h_{i+1} = g_i,\ g_{i+1} = f_i,\ f_{i+1} = e_i,\ e_{i+1} = d_i,\ d_{i+1} = c_i,\ c_{i+1} = b_i,\ b_{i+1} = a_i,\ a_{i+1} = r_i.$

3. $a = a_{96} + a,\ b = b_{96} + b,\ \ldots,\ h = h_{96} + h$.

4. When the message $m$ is the last 1024-bit block, the 128-bit fingerprint $y_3 \| y_2 \| y_1 \| y_0$ is calculated as follows. Split the words into bytes, $h = h_3 \| h_2 \| h_1 \| h_0$, $g = g_3 \| g_2 \| g_1 \| g_0$, $f = f_3 \| f_2 \| f_1 \| f_0$, $e = e_3 \| e_2 \| e_1 \| e_0$; then

$y_3 = d + (h_3 \| g_2 \| f_1 \| e_0),\quad y_2 = c + (h_2 \| g_1 \| f_0 \| e_3),\quad y_1 = b + (h_1 \| g_0 \| f_3 \| e_2),\quad y_0 = a + (h_0 \| g_3 \| f_2 \| e_1).$

The operation in each step employs a constant $k_{j,i}$ (see [1]), where $k_{1,i} = 0$ for $0 \le i \le 31$; $\ggg$ denotes circular right shift, $+$ is addition modulo $2^{32}$, and $x \| y$ denotes the concatenation of $x$ and $y$. The compressing process for $m$ consists of 96 steps: steps 1–32 belong to pass one, pass two contains steps 33–64, and pass three contains steps 65–96. The orders of message words in each pass are defined in Table 1. For the details, please refer to [1].


Table 1 The orders of message words

pass 1: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

pass 2: 05 14 26 18 11 28 07 16 00 23 20 22 01 10 04 08 30 03 21 09 17 24 29 06 19 12 15 13 02 25 31 27

pass 3: 19 09 04 20 28 17 08 22 29 14 25 12 24 30 16 26 31 15 07 03 01 00 18 27 13 06 21 10 23 11 05 02

3 The differential characteristics and sufficient conditions

Note that the notations in our paper are the same as those in [4].

1. $m = (m_0, m_1, \ldots, m_{31})$ and $m' = (m'_0, m'_1, \ldots, m'_{31})$ are two 1024-bit messages.

2. $\Delta m_i = m'_i - m_i$, $\Delta a_i = a'_i - a_i$, $\Delta p_i = p'_i - p_i$ denote the modular differences of two variables. These notations are used to describe differential characteristics with $\pm$ symbols in our attack. $a_i$ ($i = 1, 2, \ldots, 67$) represents the output of the $i$-th step.

3. $x_{i,j}$ denotes the $j$-th bit of the 32-bit word $x_i$; $x_{i[j_1, j_2, \ldots, j_k]}$ denotes the $j_1, j_2, \ldots, j_k$-th bits of $x_i$.

4. $x_i[j]$ is the value obtained by changing the $j$-th bit of $x_i$ only, so $x_i[j]$ and $x_i$ differ only at the $j$-th bit. $x_i[j, \ldots, j+k]$ is the value obtained by successively changing the $j$-th, $(j+1)$-th, ..., $(j+k)$-th bits of $x_i$.

5. $i + k$ in $2^{i+k}$ is addition modulo 32, $0 \le i \le 31$.

The overall attack. There is an attack that finds one collision with running time less than $2^{25.83}$ 2-pass HAVAL computations, with only one bit of difference between the two colliding messages.

Proof. The attack is divided into eight parts. We describe the first four parts in this section; the remaining four are described in Section 4.

1. Select the difference of the two messages $m, m'$ as $\Delta m = m' - m = (\Delta m_0, \Delta m_1, \ldots, \Delta m_{31})$ such that $\Delta m_4 = 2^{31}$ and $\Delta m_i = 0$ for all other $i$. After much cryptanalysis, we found that two messages with such a difference are apt to collide.

2. Determine all the differential characteristics such that $(m, m')$ forms a collision (see Table 2). In Table 2, $a_{-1} = b_0$, $a_{-2} = c_0$, $a_{-3} = d_0$, $a_{-4} = e_0$, $a_{-5} = f_0$, $a_{-6} = g_0$, $a_{-7} = h_0$. The collision includes only one partial collision, from step 5 to step 67.

3. Deduce all the conditions under which the differential characteristics in Table 2 hold. As an example, we give the deduction details for the first three steps.

Step 5. $\Delta a_5 = 2^{31}$, $a_{5,32} = 0$, $a'_{5,32} = 1$, since $\Delta m_4 = 2^{31}$.

Step 6. $\Delta a_6 = 2^{24}$ and $a_6[25 \cdots 28]$ require that $a_{6,25} = 1$, $a_{6,26} = 1$, $a_{6,27} = 1$, $a_{6,28} = 0$. The positive difference $\Delta a_6 = 2^{24}$ is caused by the difference $a_5[32]$ in the Boolean function $f_1(\Phi_1(b_0, a_0, a_1, a_2, a_3, a_4, a_5))$, since $f_1(\Phi_1(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) \oplus f_1(\Phi_1(x_6, x_5, x_4, x_3, x_2, x_1, x_0 \oplus 1)) = x_6$.

Step 7. $a'_7 = (f_1(\Phi_1(a_0, a_1, a_2, a_3, a_4, a_5[32], a_6[25 \cdots 28])) \ggg 7) + (b_0 \ggg 11) + m_6$, and $\Delta(f_1\Phi_1)_{6,32} = x_{6,32} = b_{0,32} = 1$. The positive difference $\Delta a_6 = (\Delta f_1\Phi_1) \ggg 7 = 2^{24}$ requires that $(f_1\Phi_1)_{6,32} = 0$ and $(f_1\Phi_1)'_{6,32} = 1$, i.e.,

$(f_1\Phi_1(b_0, a_0, a_1, a_2, a_3, a_4, a_5))_{32} = (a_2 a_3 \oplus a_5 b_0 \oplus a_4 a_0 \oplus a_1 a_3 \oplus a_1)_{32} = 0.$ (1)

In step 7 we will get $a_{1,32} = 0$. Substituting $a_{5,32} = 0$, $b_{0,32} = 1$, $a_{0,32} = 0$, $a_{1,32} = 0$ into (1), the sufficient conditions for step 6 are

$a_{2,32} a_{3,32} = 0,\quad a_6[25 \cdots 27] = 1,\quad a_{6,28} = 0.$ (2)

From $\Delta a_7 = 2^{19}$ and $a_7[20, 21]$, it follows that $(\Delta f_1\Phi_1)_{7[25,26,28,32]} = 0$ and $(\Delta f_1\Phi_1)_{7,27} = 1$. It is required that $\Delta f_1(\Phi_1(a_0, a_1, a_2, a_3, a_4, a_5[32], a_6))_{32} = a_{1,32} = 0$, $\Delta f_1(\Phi_1(a_0, a_1, \ldots, a_6[25, 26, 28]))_{25,26,28} = a_{0[25,26,28]} = 0$ and $\Delta f_1(\Phi_1(a_0, a_1, \ldots, a_6[27]))_{27} = a_{0,27} = 1$. The second and third conditions hold automatically for the initial state $a_0 = \mathtt{0x243f6a88}$. The positive difference $(\Delta f_1\Phi_1) = 2^{26}$ requires that $f_1(\Phi_1(a_0, a_1, a_2, a_3, a_4, a_5, a_6))_{27} = (a_4 a_3 \oplus a_6 a_0 \oplus a_1 a_5 \oplus a_4 a_2 \oplus a_2)_{27} = 0$. Since we already have $a_{6,27}$


Table 2 Differential characteristics in the collision, steps 5–67

step i   m'   Δa_i   The outputs (a_i, a_{i−1}, a_{i−2}, a_{i−3}, a_{i−4}, a_{i−5}, a_{i−6}, a_{i−7}) of the compression process of m'

5   m'4   2^31   a5[32], a4, a3, a2, a1, a0, b0, c0

6   m5   2^24   a6[25···28], a5[32], a4, a3, a2, a1, a0, b0

7   m6   2^19   a7[20,21], a6[25···28], a5[32], a4, a3, a2, a1, a0

8   m7   2^18   a8[19], a7[20,21], a6[25···28], a5[32], a4, a3, a2, a1

9   m8   0   a9, a8[19], a7[20,21], a6[25···28], a5[32], a4, a3, a2

10   m9   0   a10, a9, a8[19], a7[20,21], a6[25···28], a5[32], a4, a3

11   m10   2^12   a11[13···16], a10, a9, a8[19], a7[20,21], a6[25···28], a5[32], a4

12   m11   0   a12, a11[13···16], a10, a9, a8[19], a7[20,21], a6[25···28], a5[32]

13   m12   2^5   a13[6···9], a12, a11[13···16], a10, a9, a8[19], a7[20,21], a6[25···28]

14   m13   0   a14, a13[6···9], a12, a11[13···16], a10, a9, a8[19], a7[20,21]

15   m14   −2^11   a15[12], a14, a13[6···9], a12, a11[13···16], a10, a9, a8[19]

16   m15   0   a16, a15[12], a14, a13[6···9], a12, a11[13···16], a10, a9

17   m16   0   a17, a16, a15[12], a14, a13[6···9], a12, a11[13···16], a10

18   m17   0   a18, a17, a16, a15[12], a14, a13[6···9], a12, a11[13···16]

19   m18   0   a19, a18, a17, a16, a15[12], a14, a13[6···9], a12

20   m19   0   a20, a19, a18, a17, a16, a15[12], a14, a13[6···9]

21   m20   2^26   a21[27], a20, a19, a18, a17, a16, a15[12], a14

22   m21   0   a22, a21[27], a20, a19, a18, a17, a16, a15[12]

23   m22   −2^0   a23[1], a22, a21[27], a20, a19, a18, a17, a16

24   m23   0   a24, a23[1], a22, a21[27], a20, a19, a18, a17

25   m24   0   a25, a24, a23[1], a22, a21[27], a20, a19, a18

26   m25   0   a26, a25, a24, a23[1], a22, a21[27], a20, a19

27   m26   0   a27, a26, a25, a24, a23[1], a22, a21[27], a20

28   m27   0   a28, a27, a26, a25, a24, a23[1], a22, a21[27]

29   m28   2^15   a29[16···19], a28, a27, a26, a25, a24, a23[1], a22

30   m29   0   a30, a29[16···19], a28, a27, a26, a25, a24, a23[1]

31   m30   −2^21   a31[22], a30, a29[16···19], a28, a27, a26, a25, a24

32   m31   0   a32, a31[22], a30, a29[16···19], a28, a27, a26, a25

33   m5   0   a33, a32, a31[22], a30, a29[16···19], a28, a27, a26

34   m14   0   a34, a33, a32, a31[22], a30, a29[16···19], a28, a27

35   m26   2^11   a35[12], a34, a33, a32, a31[22], a30, a29[16···19], a28

36   m18   0   a36, a35[12], a34, a33, a32, a31[22], a30, a29[16···19]

37   m11   0   a37, a36, a35[12], a34, a33, a32, a31[22], a30

38   m28   0   a38, a37, a36, a35[12], a34, a33, a32, a31[22]

39   m7   −2^10   a39[11], a38, a37, a36, a35[12], a34, a33, a32

40   m16   0   a40, a39[11], a38, a37, a36, a35[12], a34, a33

41   m0   0   a41, a40, a39[11], a38, a37, a36, a35[12], a34

42   m23   0   a42, a41, a40, a39[11], a38, a37, a36, a35[12]

43   m20   2^0   a43[1], a42, a41, a40, a39[11], a38, a37, a36

44   m22   0   a44, a43[1], a42, a41, a40, a39[11], a38, a37

45   m1   0   a45, a44, a43[1], a42, a41, a40, a39[11], a38

46   m10   0   a46, a45, a44, a43[1], a42, a41, a40, a39[11]

47   m'4   0   a47, a46, a45, a44, a43[1], a42, a41, a40

48   m8   0   a48, a47, a46, a45, a44, a43[1], a42, a41

49   m30   0   a49, a48, a47, a46, a45, a44, a43[1], a42


50 m3 0 a50, a49, a48, a47, a46, a45, a44, a43[1]

51   m21   2^21   a51[22], a50, a49, a48, a47, a46, a45, a44

52 m9 0 a52, a51[22], a50, a49, a48, a47, a46, a45

53 m17 0 a53, a52, a51[22], a50, a49, a48, a47, a46

54 m24 0 a54, a53, a52, a51[22], a50, a49, a48, a47

55 m29 0 a55, a54, a53, a52, a51[22], a50, a49, a48

56 m6 0 a56, a55, a54, a53, a52, a51[22], a50, a49

57 m19 0 a57, a56, a55, a54, a53, a52, a51[22], a50

58 m12 0 a58, a57, a56, a55, a54, a53, a52, a51[22]

59   m15   2^10   a59[11], a58, a57, a56, a55, a54, a53, a52

60 m13 0 a60, a59[11], a58, a57, a56, a55, a54, a53

61 m2 0 a61, a60, a59[11], a58, a57, a56, a55, a54

62 m25 0 a62, a61, a60, a59[11], a58, a57, a56, a55

63 m31 0 a63, a62, a61, a60, a59[11], a58, a57, a56

64 m27 0 a64, a63, a62, a61, a60, a59[11], a58, a57

65 m19 0 a65, a64, a63, a62, a61, a60, a59[11], a58

66 m9 0 a66, a65, a64, a63, a62, a61, a60, a59[11]

67 m′4 0 a67, a66, a65, a64, a63, a62, a61, a60

$= 1$, $a_{0,27} = 1$, $a_{2,27} = 0$, and we will get $a_{5,27} = a_{4,27}$ at step 8, we finally have $(a_{1,27} \oplus a_{3,27})\, a_{4,27} = 1$, that is, $a_{4,27} = 1$ and $a_{3,27} = 1 + a_{1,27}$. Therefore the sufficient conditions for step 7 are

$a_{7,20} = 1,\ a_{7,21} = 0,\ a_{0,25} = a_{0,26} = a_{0,28} = 0,\ a_{0,27} = 1,\ a_{1,32} = 0,\ a_{4,27} = 1,\ a_{3,27} = 1 + a_{1,27}.$ (3)

The conditions for the differences of the other steps can be deduced similarly. In Section 4, in order to decrease the computational complexity, using neighborhood modification, the tunnel idea and relieving the besieged by attacking the base of the besieger, we will add some extra conditions on $a_2, \ldots, a_{32}$. These conditions are marked by a superscript A. Summing up all the conditions, we obtain Table 3. It can be verified that these conditions are sufficient for all the differential characteristics in the collision.

4. According to the conditions in Table 3, we give the attack algorithm for the first pass of HAVAL.

Pregenerate $m$. We first choose $a_1, a_2, \ldots, a_{32}$ at random such that they satisfy the conditions of Table 3, then compute $p_i$, $i = 0, 1, \ldots, 31$, and finally compute $m_i$ (recall that $k_{1,i} = 0$ in pass 1). The program is as follows:

For $i = 0$ to 31 {
    $p_i = f_1\Phi_1(a_{i-6}, a_{i-5}, a_{i-4}, a_{i-3}, a_{i-2}, a_{i-1}, a_i)$
    $r_i = (p_i \ggg 7) + (a_{i-7} \ggg 11)$
    $m_i = a_{i+1} - r_i$   // generate $m_i$
}

4 Four kinds of message modification method

Although $m$ and $m'$ satisfy all the conditions in pass 1 after the computation in the last part of Section 3, there are 47 conditions on steps 33–62 in Table 3, so $(m, m')$ is a collision with probability $2^{-47}$. In order to improve the probability of collision, we use four tricks of message modification.

4.1 Advanced modifications of $m_i$

Advanced modification was proposed by Wang [3,4]. For example, since $a_{33} = (f_2(\Phi_2(a_{26}, a_{27}, a_{28}, a_{29}, a_{30}, a_{31}, a_{32})) \ggg 7) + (a_{25} \ggg 11) + m_5 + k_{2,0}$, if $a_{33,12} \ne 1$, then set $a_{6,12} = a_{6,12} \oplus 1$ to get a new $a_6$. According to the new $a_6$, we recompute successively new $m_5, m_6, m_7, m_8, m_9, m_{10}, m_{11}, m_{12}, m_{13}$. This modification changes only the 12th bit of $a_6$ and leaves every other $a_i$ in pass 1 unchanged.


Table 3 The conditions under which $(m, m')$ is a collision

step   The conditions on the chaining variable $a_i$

1–2   $a_{1,20} = 0,\ a_{1,21} = 0,\ a_{1,32} = 0,\ a_{2,19} = 0,\ a_{2,25} = 0,\ a_{2,27} = 0,\ a_{2,28} = 0,\ a_{2,26} = 1$

3   $a_{3,20} = a_{3,21} = 0,\ a_{3,32} a_{2,32} = 0,\ a^{A}_{3,1} = 1,\ a^{A}_{3,11} = 1,\ a_{3,27} = 1 + a_{1,27}$

4   $a_{4,19} = 0,\ a^{A}_{4,22} = 0,\ a_{4,27} = 1,\ (a_{3,26} \oplus 1)(a_{4,26} \oplus 1) = 0,\ a_{4,32} = a_{3,32}$

5   $a_{5[13 \cdots 16]} = 0,\ a_{5,32} = 0,\ a_{5,27} = 1,\ a_{5[25,26,28]} = a_{4[25,26,28]}$

6   $a^{A}_{6,22} = 0,\ a_{6,28} = 0,\ a_{6,32} = 0,\ a_{6[25 \cdots 27]} = 1,\ a_{6,20} = a_{5,20},\ a_{6,21} = a_{5,21}$

7   $a^{A}_{7,1} = 0,\ a_{7[6 \cdots 9]} = 0,\ a^{A}_{7,11} = 0,\ a_{7[14 \cdots 16]} = 0,\ a_{7,21} = 0,\ a_{7[25 \cdots 28]} = 0,\ a_{7,13} = 1,\ a_{7,20} = 1,\ a_{7,32} = 1,\ a_{7,19} = a_{6,19}$

8   $a^{A}_{8,1} = 0,\ a_{8,19} = 0,\ a_{8,21} = 0,\ a_{8,20} = 1,\ a_{8[25 \cdots 28]} = 1$

9   $a_{9[6 \cdots 9]} = 0,\ a^{A}_{9,11} = 0,\ a_{9,12} = 0,\ a_{9,19} = 0,\ a_{9,32} = 0,\ a_{9,20} = 1,\ a_{9,21} = 1$

10   $a^{A}_{10,12} = 0,\ a_{10[25 \cdots 28]} = 0,\ a_{10,19} = 1,\ a_{10[13 \cdots 16]} = a_{9[13 \cdots 16]},\ (a_{10,13} \oplus 1)(a_{8,13} \oplus 1) = 0,\ a_{4,20} a_{10,20} + a_{5,20} = 1$

11   $a_{11,12} = 0,\ a_{11,16} = 0,\ a_{11[20,21]} = 0,\ a_{11,32} = 0,\ a_{11[13 \cdots 15]} = 1,\ a^{A}_{11,11} = a_{10,11}$

12   $a_{12[13 \cdots 15]} = 0,\ a_{12,19} = 0,\ a_{12[25 \cdots 27]} = 0,\ a_{12,16} = 1,\ a^{A}_{12,22} = 1,\ a_{12,28} = 1,\ a_{12[6 \cdots 9]} = a_{11[6 \cdots 9]}$

13   $a_{13,9} = 0,\ a^{A}_{13,11} = 0,\ a^{A}_{13,12} = 0,\ a_{13,15} = 0,\ a_{13,20} = 0,\ a_{13[6 \cdots 8]} = 1,\ a_{13[13,14,16]} = 1,\ a_{13,21} = 1,\ a_{13,1} = a_{12,1}$

14   $a_{14[6 \cdots 9]} = 0,\ a^{A}_{14,11} = 0,\ a^{A}_{14,12} = 0,\ a_{14,19} = 1,\ a_{14,15} a_{10,15} = 0,\ a_{8,16} a_{14,16} + a_{9,16} = 1$

15–16   $a_{15[13 \cdots 16]} = 0,\ a_{15,27} = 0,\ a_{15[6 \cdots 9]} = 1,\ a_{15,12} = 1,\ a_{16,12} = 0,\ a^{A}_{16,22} = 0,\ a^{A}_{16,1} = 1$

17   $a_{17,1} = 0,\ a_{17[6 \cdots 8]} = 0,\ a_{17[13 \cdots 16]} = 0,\ a_{17,27} = 0,\ a_{17,9} = 1,\ a_{17,12} = 1$

18   $a^{A}_{18,11} = 0,\ a^{A}_{18,12} = 0,\ a_{16,9} + a_{12,9} a_{18,9} = 1$

19–20   $a_{19,1} = 0,\ a_{19[6 \cdots 9]} = 0,\ a_{19,12} = 0,\ a^{A}_{20,1} = 0,\ a_{20,27} = a_{19,27}$

21–24   $a_{21,12} = 0,\ a_{21,27} = 0,\ a_{22,27} = 0,\ a_{22,1} = a_{21,1},\ a_{23[16 \cdots 19]} = 0,\ a_{23,1} = 1,\ a_{23,27} = 1,\ a_{24,1} = 0$

25   $a_{25[16 \cdots 19]} = 0,\ a^{A}_{25,22} = a^{A}_{25,23} = 0,\ a_{25,27} = 0,\ a_{25,1} = 1$

27–28   $a_{27[16 \cdots 19]} = 0,\ a^{A}_{27,23} = 0,\ a_{27,27} = 0,\ a_{28[16 \cdots 19]} = 0,\ a_{28,22} = 1$

29   $a_{29,1} = 0,\ a_{29,19} = 0,\ a_{29,16} = a_{29,17} = a_{29,18} = 1,\ a^{A}_{29,23} = 1$

30   $a_{30,22} = 0,\ a^{A}_{30,23} = 0,\ a_{30,12} = 1,\ a_{30[16 \cdots 19]} = 1,\ a_{27,29} a_{29,29} \oplus a^{A}_{30,29} = 1$

31   $a_{31[16 \cdots 19]} = 0,\ a_{31,22} = 1,\ a^{A}_{31,23} = 1$

32   $a_{32,19} = 0,\ a_{32,12} = 1,\ a_{32,16} = a_{32,17} = a_{32,18} = 1,\ a_{32,22} = 1,\ a^{A}_{32,23} = 1$

33–34   $a_{33,22} = 0,\ a_{33,12} = 1,\ a_{33,16} = a_{33,17} = a_{33,18} = 1,\ a_{34,11} = 0,\ a_{34,22} = 1,\ a^{N}_{34,12} = 0$

35–37   $a_{35,12} = 0,\ a^{N}_{35,22} = 1,\ a^{N}_{36,11} = 1,\ a_{36,12} = 1,\ a_{37,11} = 0,\ a_{37,12} = 0$

38–40   $a^{N}_{38,1} = 0,\ a_{38,11} = 0,\ a_{38,12} = 1,\ a_{39,11} = 1,\ a_{39,12} = 1,\ a^{N}_{40,1} = 1,\ a_{40,11} = 1$

41–44   $a_{41,1} = 0,\ a_{41,11} = 0,\ a^{S}_{42,1} = 0,\ a^{S}_{42,11} = 1,\ a^{S}_{43,1} = 0,\ a^{S}_{43,11} = 1,\ a^{S}_{44,1} = 1$

45–50   $a^{S}_{45,1} = 0,\ a^{S}_{46,1} = 1,\ a^{N}_{46,22} = 0,\ a^{S}_{47,1} = 1,\ a^{S}_{48,22} = 1,\ a^{S}_{49,22} = 0,\ a^{S}_{50,22} = 0$

51–56   $a_{51,22} = 0,\ a_{52,22} = 1,\ a^{S}_{53,22} = 0,\ a^{S}_{54,22} = 1,\ a^{S}_{55,22} = 1,\ a_{54,11} a^{S}_{56,11} = 0$

57–62   $a^{S}_{57,11} = 0,\ a^{S}_{58,11} = 0,\ a^{S}_{59,11} = 0,\ (a_{56,11} + 1)\, a^{S}_{60,11} = 0,\ a^{S}_{61,11} = 0,\ a^{S}_{62,11} = 0$

Superscripts: A marks the extra conditions added in Section 4 for message modification; N marks conditions that cannot be modified and are met by random search; S marks conditions met by exhaustive search.

After the modification, $a_{33,12}$ changes from 0 to 1, and all the conditions in the first pass remain unchanged. The program is as follows:

If $a_{33,12} \ne 1$, then $a_{6,12} = a_{6,12} \oplus 1$, and for $i = 5$ to 13 {
    $p_i = f_1\Phi_1(a_{i-6}, a_{i-5}, a_{i-4}, a_{i-3}, a_{i-2}, a_{i-1}, a_i)$
    $r_i = (p_i \ggg 7) + (a_{i-7} \ggg 11)$
    $m_i = a_{i+1} - r_i$   // regenerate $m_i$
}
$a_{33} = (p_{32} \ggg 7) + (a_{25} \ggg 11) + m_5 + k_{2,0}$.

If the new $a_{33}$ does not satisfy $a_{33,16} = 1$, a similar program can be run for $a_{33,16} = 1$ on the new $a_{33}$, and so on for $a_{33,17} = 1$ and $a_{33,18} = 1$.
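The following is an added example in Python; it is not code from the paper. It models the HAVAL step of Section 2 with the combined functions $f_j\Phi_j$ and the message orders of Table 1, implements the "pregenerate $m$" inversion of Section 3 and the advanced modification of this subsection, and checks the single-variable Boolean-function differences the attack relies on (the $x_6$ difference of $f_1\Phi_1$ used in Section 3, and the $x_3 x_5 \oplus x_2$ and $x_5$ differences of $f_2\Phi_2$ used in Sections 4.2 and 4.4). Assumptions that are not in the paper: the pass-2 and pass-3 step constants $k_{j,i}$ of [1] are not reproduced here, so the stand-in `K_STUB` uses zeros (everything checked below lies in pass 1, where $k_{1,i} = 0$ holds exactly, or in the Boolean functions alone); the values $a_1, \ldots, a_{32}$ are drawn uniformly at random instead of from the conditions of Table 3; all function and variable names are the example's own.

```python
import random

MASK = 0xFFFFFFFF
# Initial values a, b, ..., h from Section 2 of the paper.
IV = (0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
      0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89)
# Message-word orders of the three passes (Table 1).
ORDER = (tuple(range(32)),
         (5, 14, 26, 18, 11, 28, 7, 16, 0, 23, 20, 22, 1, 10, 4, 8,
          30, 3, 21, 9, 17, 24, 29, 6, 19, 12, 15, 13, 2, 25, 31, 27),
         (19, 9, 4, 20, 28, 17, 8, 22, 29, 14, 25, 12, 24, 30, 16, 26,
          31, 15, 7, 3, 1, 0, 18, 27, 13, 6, 21, 10, 23, 11, 5, 2))
# Step constants k_{j,i}.  k_{1,i} = 0 is exact; the pass-2/3 constants of [1] are not
# given in the paper, so this example ASSUMES zeros there (nothing checked below
# depends on them: it all lives in pass 1 or in the Boolean functions alone).
K_STUB = (0,) * 96


def rotr(x, n):
    """32-bit circular right shift (the paper's >>> operator)."""
    return ((x >> n) | (x << (32 - n))) & MASK


# Pass functions with the 3-pass word permutation folded in, exactly as written in
# Section 2; argument order x6, ..., x0 corresponds to (g, f, e, d, c, b, a).
def f1phi1(x6, x5, x4, x3, x2, x1, x0):
    return (x2 & x3) ^ (x0 & x6) ^ (x1 & x5) ^ (x2 & x4) ^ x4


def f2phi2(x6, x5, x4, x3, x2, x1, x0):
    return ((x0 & x3 & x5) ^ (x5 & x6) ^ (x1 & x2 & x5) ^ (x4 & x5)
            ^ (x0 & x2) ^ (x3 & x5) ^ (x1 & x3) ^ (x1 & x2) ^ x6)


def f3phi3(x6, x5, x4, x3, x2, x1, x0):
    return (x3 & x4 & x5) ^ (x2 & x5) ^ (x1 & x4) ^ (x3 & x6) ^ (x0 & x3) ^ x0


F = (f1phi1, f2phi2, f3phi3)


def run_steps(m, n_steps=96, iv=IV, K=K_STUB):
    """Run the first n_steps HAVAL steps on the 32 words m.  Returns the list s with
    s[i + 7] == a_i, i.e. the paper's chain a_{-7} = h_0, ..., a_0 = a, a_1, ..., a_n."""
    a, b, c, d, e, f, g, h = iv
    s = [h, g, f, e, d, c, b, a]
    for i in range(n_steps):
        j = i // 32
        p = F[j](*s[i + 1:i + 8])            # x6..x0 = a_{i-6}, ..., a_i
        s.append((rotr(p, 7) + rotr(s[i], 11)   # s[i] is h_i = a_{i-7}
                  + m[ORDER[j][i % 32]] + K[i]) & MASK)
    return s


def a_of(s, i):
    """The paper's a_i (i may be negative down to -7)."""
    return s[i + 7]


def bit(x, j):
    """Bit j of a word in the paper's 1-indexed convention (bit 32 is the MSB)."""
    return (x >> (j - 1)) & 1


def pregenerate(avals, iv=IV):
    """Section 3, part 4: from chosen a_1..a_32 derive m_0..m_31 via m_i = a_{i+1} - r_i."""
    a, b, c, d, e, f, g, h = iv
    s = [h, g, f, e, d, c, b, a] + list(avals)
    m = []
    for i in range(32):
        r = (rotr(f1phi1(*s[i + 1:i + 8]), 7) + rotr(s[i], 11)) & MASK
        m.append((s[i + 8] - r) & MASK)
    return m


def advanced_modify(avals, t, j):
    """Section 4.1: flip bit j of a_t and regenerate the message.  Only m_{t-1}..m_{t+7}
    can change (the words whose step writes or reads a_t); every other a_i is kept."""
    new = list(avals)
    new[t - 1] ^= 1 << (j - 1)
    return new, pregenerate(new)


def one_bit_pair(m):
    """The paper's difference: m' = m + Delta m with Delta m_4 = 2^31, one flipped bit."""
    mp = list(m)
    mp[4] ^= 1 << 31
    return mp


def demo(seed=1):
    rng = random.Random(seed)
    avals = [rng.getrandbits(32) for _ in range(32)]   # constructed stand-in values
    m = pregenerate(avals)
    s = run_steps(m)
    sp = run_steps(one_bit_pair(m), n_steps=6)
    p5 = f1phi1(*s[6:13])                              # the p that produces a_6 (Step 6)
    new_avals, m2 = advanced_modify(avals, 6, 12)
    s2 = run_steps(m2, n_steps=32)
    return {
        "inverse_ok": [a_of(s, i) for i in range(1, 33)] == avals,
        "prefix_same": all(a_of(sp, i) == a_of(s, i) for i in range(1, 5)),
        "delta_a5": (a_of(sp, 5) - a_of(s, 5)) & MASK,   # always 2^31
        "delta_a6": (a_of(sp, 6) - a_of(s, 6)) & MASK,   # +2^24 iff bit 32 of p_5 is 0
        "p5_bit32": bit(p5, 32),
        "changed_words": [i for i in range(32) if m2[i] != m[i]],  # subset of 5..13
        "modified_ok": [a_of(s2, i) for i in range(1, 33)] == new_avals,
    }


def f_diff_checks(rng=random.Random(2)):
    """The three single-variable differences quoted in Sections 3, 4.2 and 4.4."""
    x = [rng.getrandbits(32) for _ in range(7)]
    x6, x5, x4, x3, x2, x1, x0 = x
    d_f1_x0 = f1phi1(*x) ^ f1phi1(x6, x5, x4, x3, x2, x1, x0 ^ MASK)   # = x6
    d_f2_x0 = f2phi2(*x) ^ f2phi2(x6, x5, x4, x3, x2, x1, x0 ^ MASK)   # = x3 x5 ^ x2
    d_f2_x4 = f2phi2(*x) ^ f2phi2(x6, x5, x4 ^ MASK, x3, x2, x1, x0)   # = x5
    return d_f1_x0 == x6, d_f2_x0 == ((x3 & x5) ^ x2), d_f2_x4 == x5


if __name__ == "__main__":
    print(demo())
    print(f_diff_checks())
```

Running `demo()` confirms the facts the text uses: the regenerated words reproduce the chosen $a_i$; the single flipped bit of $m_4$ yields $\Delta a_5 = 2^{31}$ and a $\pm 2^{24}$ difference in $a_6$ whose sign is fixed by bit 32 of $p_5$ (the content of condition (1)); and flipping $a_{6,12}$ only touches $m_5, \ldots, m_{13}$ while every other $a_i$ of pass 1 stays as chosen.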

4.2 Neighborhood modification

If $a_{33,22} = 0$ is not satisfied, we cannot modify $a_{6,22}$, since in Table 3 $a_{6,22}$ has already been fixed to 0. We now propose another idea, named neighborhood modification: modify $a_{32}$, which neighbors $a_{33}$. Note that in $p_{32} = f_2(\Phi_2(a_{26}, \ldots, a_{31}, a_{32}))$, $a_{32}$ acts as $x_0$, and $f_2(\Phi_2(x_6, x_5, x_4, x_3, x_2, x_1, x_0 \oplus 1)) \oplus f_2(\Phi_2(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) = x_3 x_5 \oplus x_2$. In order to ensure that the modification of $x_0$ results in a change of $f_2(\Phi_2)$, we fix $x_3 x_5 \oplus x_2$ to 1, so we add the condition $a_{27,29} a_{29,29} \oplus a_{30,29} = 1$ to Table 3.

The algorithm is: if $a_{33,22} \ne 0$, then $a_{32,29} = a_{32,29} \oplus 1$, and recompute $m_{31} = a_{32} - r_{31}$ and $a_{33} = (p_{32} \ggg 7) + (a_{25} \ggg 11) + m_5 + k_{2,0}$.

As to step 34, if $a_{34,11} = 0$ or $a_{34,22} = 1$ is not satisfied, we can use advanced modification on $m_{14}$. However, for $a_{34,12} = 0$, since $a_{15,12}$ has been fixed to 1 in Table 3, we cannot modify $a_{15,12}$ and have to select another series $a_1, \ldots, a_{32}$. So we mark this condition as $a^{N}_{34,12} = 0$, and do the same for the similar conditions that follow in Table 3.

4.3 Relieving the besieged by attacking the base of the besieger

For example, since $a_{35} = (f_2(\Phi_2(a_{28}, \ldots, a_{34})) \ggg 7) + (a_{27} \ggg 11) + m_{26} + k_{2,2}$, we can modify either $a_{27}$ or $m_{26}$. Our goal is to modify $m_{26}$ rather than $a_{27}$, which means that we modify $a_{19}$, so that $m_{18}$ and $m_{26}$ change as a result. The increments of $a_{19}$ and $m_{26}$ cancel each other in the formula $a_{27} = (f_1(\Phi_1(a_{20}, \ldots, a_{26})) \ggg 7) + (a_{19} \ggg 11) + m_{26}$ when computing $a_{27}$, so $a_{27}$ is unchanged. We call this method relieving the besieged by attacking the base of the besieger, after an ancient Chinese strategy.

Note. The difference at $a_{35,22}$ comes from the difference at $a_{19,1}$, and the difference at $a_{35,12}$ comes from the difference at $a_{19,23}$. Taking into account the probability of carries, we should consider $a_{35,22}$ first. If $a_{35,22} \ne 1$, since $a_{19,1} = 0$ is a condition fixed beforehand in Table 3, we cannot modify $a_{19,1}$, so we have to reselect another series $a_1, \ldots, a_{32}$.

If $a_{35,12} \ne 0$, then $a_{19,23} = a_{19,23} \oplus 1$, and recompute $m_{18}, m_{19}, \ldots, m_{26}$ according to the new $a_{19}$:

$a_{19} = (f_1(\Phi_1(a_{12}, \ldots, a_{18})) \ggg 7) + (a_{11} \ggg 11) + m_{18},$

$a_{20} = (f_1(\Phi_1(a_{13}, \ldots, a_{19})) \ggg 7) + (a_{12} \ggg 11) + m_{19},$

$a_{21} = (f_1(\Phi_1(a_{14}, \ldots, a_{19}, a_{20})) \ggg 7) + (a_{13} \ggg 11) + m_{20},$

$\ldots$

$a_{26} = (f_1(\Phi_1(a_{19}, \ldots, a_{25})) \ggg 7) + (a_{18} \ggg 11) + m_{25},$

$a_{27} = (f_1(\Phi_1(a_{20}, \ldots, a_{26})) \ggg 7) + (a_{19} \ggg 11) + m_{26}.$

According to the above relations, the program should be as follows:

If $a_{35,12} \ne 0$, then $a_{19,23} = a_{19,23} \oplus 1$, and for $i = 18$ to 26 {
    $p_i = f_1\Phi_1(a_{i-6}, a_{i-5}, a_{i-4}, a_{i-3}, a_{i-2}, a_{i-1}, a_i)$
    $r_i = (p_i \ggg 7) + (a_{i-7} \ggg 11)$
    $m_i = a_{i+1} - r_i$   // regenerate $m_i$
}
At last, we recompute $a_{35} = (p_{34} \ggg 7) + (a_{27} \ggg 11) + m_{26} + k_{2,2}$ according to the new $m_{26}$.

4.4 The tunnel idea

As to step 36, we use the tunnel idea, which is the improved advanced modification proposed by Klima [7]. If $a_{36}$ does not satisfy its conditions, we modify $a_{28}$ and obtain the modification of $m_{27}$, but doing so should have no impact on the $a_i$ of pass 2 already computed, that is, $a_{33}, a_{34}, a_{35}$. For example, considering step 33, in the Boolean function $f_2\Phi_2$, $a_{28}$ acts as $x_4$ and $a_{27}$ acts as $x_5$; since $f_2(\Phi_2(x_6, x_5, x_4, x_3, x_2, x_1, x_0)) \oplus f_2(\Phi_2(x_6, x_5, x_4 \oplus 1, x_3, x_2, x_1, x_0)) = x_5$, in order to ensure that the modification of $a_{28}$ has no influence on $a_{33}$, the condition $a_{27,23} = 0$ should be added to Table 3. Finally, we get the conditions $a_{27,23} = 0$, $a_{30,23} = 0$, $a_{31,23} = 1$, $a_{32,23} = 1$, $a_{29,23} = 1$. The program is as follows:

If $a_{36,12} \ne 1$, then $a_{28,23} = a_{28,23} \oplus 1$, and for $i = 27$ to 31 {
    $p_i = f_1\Phi_1(a_{i-6}, a_{i-5}, a_{i-4}, a_{i-3}, a_{i-2}, a_{i-1}, a_i)$
    $r_i = (p_i \ggg 7) + (a_{i-7} \ggg 11)$


Table 4 The modification method for steps 33 to 62

Step:             33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
Message's order:   5 14 26 18 11 28  7 16  0 23 20 22  1 10  4
Modify method:     A  A  √  √  T  T  T  T  T  N  N  N  N  N  N

Step:             48 49 50 51 52 53 54 55 56 57 58 59 60 61 62
Message's order:   8 30  3 21  9 17 24 29  6 19 12 15 13  2 25
Modify method:     N  N  N  √  T  N  N  N  N  N  N  N  N  N  N

    $m_i = a_{i+1} - r_i$   // regenerate $m_i$
}
$a_{36} = (p_{35} \ggg 7) + (a_{28} \ggg 11) + m_{18} + k_{2,3}$.

As to step 37, since a37 = (f2(Φ2(a30, . . . , a36)) ≫ 7) + (a29 ≫ 11) + m11 + k2,4, we can modify m11, i.e., modify a12. The modification of a12 may in turn change the whole series m12, m13, m14, m15, m16, m17, m18, m19, but a change of m14 or m18 would change a34, a36, . . . , and the procedure would enter a dead loop. To avoid looping, we deduce the conditions under which the modification of a12 does not affect m14 and m18. In the formula computing a15 (that is, the formula that determines m14), a12 acts as x2 in the function f1Φ1. To ensure that a change of x2 does not change f1Φ1, we need x3 ⊕ x4 = 0, that is, a11,11 = a10,11 and a11,12 = a10,12. We add these two conditions to Table 3 and mark them in green. Similarly, for m18 we need a18,11 = 0 and a18,12 = 0.

a13 = (f1(Φ1(a6, . . . , a12)) ≫ 7) + (a5 ≫ 11) + m12,
a14 = (f1(Φ1(a7, . . . , a12, a13)) ≫ 7) + (a6 ≫ 11) + m13,
a15 = (f1(Φ1(a8, . . . , a12, a13, a14)) ≫ 7) + (a7 ≫ 11) + m14,
a16 = (f1(Φ1(a9, . . . , a12, . . . , a15)) ≫ 7) + (a8 ≫ 11) + m15,
a17 = (f1(Φ1(a10, a11, a12, . . . , a16)) ≫ 7) + (a9 ≫ 11) + m16,
a18 = (f1(Φ1(a11, a12, . . . , a17)) ≫ 7) + (a10 ≫ 11) + m17,
a19 = (f1(Φ1(a12, . . . , a18)) ≫ 7) + (a11 ≫ 11) + m18,
a20 = (f1(Φ1(a13, . . . , a19)) ≫ 7) + (a12 ≫ 11) + m19.

The program should be as follows:

If a37,11 ≠ 0, then a12,11 = a12,11 ⊕ 1,
    for i = 11, 12, 13, 15, 16, 17, 19 {
        pi = f1Φ1(ai−6, ai−5, ai−4, ai−3, ai−2, ai−1, ai)
        ri = (pi ≫ 7) + (ai−7 ≫ 11)
        mi = ai+1 − ri   // regenerate mi
    }
a37 = (p37 ≫ 7) + (a29 ≫ 11) + m11 + k2,4.

If the new a37 does not satisfy a37,12 = 0, the same program is run again on the new a37.
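The three programs above (steps 35, 36 and 37) all rest on one property of the step function: a_{i+1} = r_i + m_i is a modular addition, so for any desired chaining value a_{i+1} the message word m_i = a_{i+1} − r_i can be solved for exactly, and a flipped bit in some a_idx is absorbed by regenerating exactly the message words of the steps in which a_idx occurs (as output, inside the Boolean function, or as the ≫ 11 term). The following Python model, added here as an illustration and not code from the paper, demonstrates that bookkeeping. It does not reproduce HAVAL: f_placeholder is an assumed stand-in for f1Φ1, the constants and word order of pass 2 are omitted, and so the toy stays entirely inside pass 1 (which is also why the paper's own loops stop before step 33 and recompute a35, a36 or a37 separately); the paper's skipping of i = 14 and 18 in the step-37 program, which relies on Table 3 conditions, is replaced by regenerating the full range.

```python
# Added example (not from the paper): a toy model of the "regenerate m_i" loops.
# The real HAVAL Boolean function f1 and word permutation Phi1 are NOT
# reproduced; f_placeholder stands in for f1(Phi1(...)) (assumption). The step
# shape a_{i+1} = (p_i >>> 7) + (a_{i-7} >>> 11) + m_i (pass 1, no constant k)
# follows the formulas in the text.
MASK = 0xFFFFFFFF


def rotr(x, n):
    """32-bit rotate right, written >>> in the paper's step formula."""
    n %= 32
    return ((x >> n) | (x << (32 - n))) & MASK


def f_placeholder(x6, x5, x4, x3, x2, x1, x0):
    # Assumption: any nonlinear 7-input 32-bit function serves the argument here.
    return ((x6 & x5) ^ (x4 & ~x3) ^ ((x2 + x1) & MASK) ^ rotr(x0, 3)) & MASK


def r_term(a, i):
    """r_i = (p_i >>> 7) + (a_{i-7} >>> 11), with p_i = f(a_{i-6}, ..., a_i)."""
    p = f_placeholder(a[i - 6], a[i - 5], a[i - 4], a[i - 3], a[i - 2], a[i - 1], a[i])
    return (rotr(p, 7) + rotr(a[i - 7], 11)) & MASK


def compute_chain(init, m):
    """Forward computation a_{i+1} = r_i + m_i for i = 0..len(m)-1.

    init holds the eight initial words a_{-7}, ..., a_0; the returned dict maps
    every index -7..len(m) to its chain word."""
    a = {j - 7: init[j] for j in range(8)}
    for i in range(len(m)):
        a[i + 1] = (r_term(a, i) + m[i]) & MASK
    return a


def regenerate(a, m, lo, hi):
    """Loop body of the paper's programs: m_i = a_{i+1} - r_i for i in [lo, hi]."""
    m_new = list(m)
    for i in range(lo, hi + 1):
        m_new[i] = (a[i + 1] - r_term(a, i)) & MASK
    return m_new


def flip_chain_bit(init, m, idx, bit):
    """Flip bit `bit` of a_idx and repair the message so that a fresh forward
    computation reproduces the edited chain.  a_idx is the output of step idx-1,
    an input of f in steps idx..idx+6 and the >>>11 term of step idx+7, so exactly
    m_{idx-1} .. m_{idx+7} must be regenerated (idx = 19 gives 18..26, as in the
    step-35 program).  Requires idx + 7 < len(m) so every step stays in pass 1."""
    a = compute_chain(init, m)
    a[idx] ^= 1 << bit
    return a, regenerate(a, m, idx - 1, idx + 7)


def demo(idx=19, bit=23):
    """Returns (chain_consistent, changed_message_indices, xor_of_a_idx)."""
    # Constructed sample state and message (not values from the paper).
    init = [(0x9E3779B9 * (j + 1)) & MASK for j in range(8)]
    m = [((0x6A09E667 * (i + 3)) ^ 0x5BD1E995) & MASK for i in range(32)]
    a_orig = compute_chain(init, m)
    a_mod, m_mod = flip_chain_bit(init, m, idx, bit)
    a_fresh = compute_chain(init, m_mod)          # recompute from scratch
    consistent = all(a_fresh[j] == a_mod[j] for j in range(-7, 33))
    changed = [i for i in range(32) if m_mod[i] != m[i]]
    return consistent, changed, a_mod[idx] ^ a_orig[idx]


if __name__ == "__main__":
    print(demo())
```

Running demo() shows that only m18 . . . m26 change, that a19 differs from the original chain in bit 23 alone, and that recomputing the chain from the repaired message reproduces every a_i, exactly the invariant the paper's loops maintain. The window idx−1 .. idx+7 is fixed by the step shape (seven f inputs plus the ≫ 11 term), not by the choice of f.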

The modification methods for steps 38 to 62 can be determined similarly. Table 4 lists the message modification method for every step, where A, T, √ and N denote advanced modification, the tunnel idea, relieving the besieged by attacking the base of the besieger, and "cannot be modified" (the condition must then be satisfied by random search), respectively. Conditions on steps that cannot be modified are marked with a superscript S, meaning that they must be satisfied by exhaustive search (see Table 4).

5 Computational complexity

The conditions on steps 1–32 can be satisfied directly by fixing the corresponding bits of ai. The non-superscripted conditions on steps 33–62 can be satisfied by advanced modification, neighborhood modification, the tunnel idea and relieving the besieged by attacking the base of the besieger. Summing up the conditions with superscripts N or S on steps 33–62, there are 27 conditions in total. The probability of (a56,11 + 1)a60,11 = 0 and that of a54,11a56,11 = 0 are both 3/4, and the search ends at the 62nd step at the latest, which is still in the second pass; hence the computational complexity is less than 2^25 × (4/3)^2 ≈ 2^25.83 2-pass HAVAL computations.

Zhang W Y, et al. Sci China Inf Sci November 2012 Vol. 55 No. 11 2529

Table 5 Two pairs of one-bit-difference collisions for HAVAL-128

M1   10b69da6 f332b024 d817b166 90028f76 38083a40 fee7a645 3f379dc7 67eb432c 4ee00ff2 8b456516
     a456a264 4a6c8cdd b2cff58b 0ccd2544 219f1088 89c6c158 c70af062 c306fc81 e5899b4e 4ca6cb0f
     b5574dc6 311e56e4 d18c0e04 453b1e22 58a068c0 080ec5de 061a69e4 c52024db d1f67945 62a787c5
     637c1442 b07d27af

M1′  10b69da6 f332b024 d817b166 90028f76 B8083a40 fee7a645 3f379dc7 67eb432c 4ee00ff2 8b456516
     a456a264 4a6c8cdd b2cff58b 0ccd2544 219f1088 89c6c158 c70af062 c306fc81 e5899b4e 4ca6cb0f
     b5574dc6 311e56e4 d18c0e04 453b1e22 58a068c0 080ec5de 061a69e4 c52024db d1f67945 62a787c5
     637c1442 b07d27af

H1   a904d0e0 19099ca2 fa16bdca 7c6b612a

M2   00361520 33187de3 f3f6ec98 469d9079 5828a3ec 338d4c7c fa767472 d26c3b0e 9ea4d8d9 1ce91782
     923093d0 9c16084d 70e63f2d e61ade1f e13e96b9 a14b2849 cc10cca6 afb3c021 29a6edf6 35955713
     4400db75 fa4376bb 676c5c6a 2dd1b40e 0d31b354 3c45d1b1 447ec497 7edb538e b2de29ec c8c958c5
     c9e57a70 4256d1b7

M2′  00361520 33187de3 f3f6ec98 469d9079 D828a3ec 338d4c7c fa767472 d26c3b0e 9ea4d8d9 1ce91782
     923093d0 9c16084d 70e63f2d e61ade1f e13e96b9 a14b2849 cc10cca6 afb3c021 29a6edf6 35955713
     4400db75 fa4376bb 676c5c6a 2dd1b40e 0d31b354 3c45d1b1 447ec497 7edb538e b2de29ec c8c958c5
     c9e57a70 4256d1b7

H2   da4d3e47 141253d5 dc76b66a 4ca9eddc

6 Examples and conclusions

At the end of this paper, we give two examples of collisions for HAVAL-128 in Table 5; each pair of colliding messages differs at only one position, such that m′ = m + (0, 0, 0, 0, 2^31, 0, . . . , 0).
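The stated relation can be checked directly against the printed words of Table 5. The Python below is an added check, not code from the paper: it parses the two message pairs (the 32 hex words of each message, copied from the table) and reports the word-wise modular difference m′ − m mod 2^32 and the XOR difference. No HAVAL implementation is included, so the digests H1 and H2 are not recomputed here.

```python
# Added example (not from the paper): verify that each Table 5 pair satisfies
# m' = m + (0, 0, 0, 0, 2^31, 0, ..., 0).  Words are copied from the table.
MASK = 0xFFFFFFFF

M1 = """
10b69da6 f332b024 d817b166 90028f76 38083a40 fee7a645 3f379dc7 67eb432c 4ee00ff2 8b456516
a456a264 4a6c8cdd b2cff58b 0ccd2544 219f1088 89c6c158 c70af062 c306fc81 e5899b4e 4ca6cb0f
b5574dc6 311e56e4 d18c0e04 453b1e22 58a068c0 080ec5de 061a69e4 c52024db d1f67945 62a787c5
637c1442 b07d27af
"""
M1_PRIME = """
10b69da6 f332b024 d817b166 90028f76 B8083a40 fee7a645 3f379dc7 67eb432c 4ee00ff2 8b456516
a456a264 4a6c8cdd b2cff58b 0ccd2544 219f1088 89c6c158 c70af062 c306fc81 e5899b4e 4ca6cb0f
b5574dc6 311e56e4 d18c0e04 453b1e22 58a068c0 080ec5de 061a69e4 c52024db d1f67945 62a787c5
637c1442 b07d27af
"""
M2 = """
00361520 33187de3 f3f6ec98 469d9079 5828a3ec 338d4c7c fa767472 d26c3b0e 9ea4d8d9 1ce91782
923093d0 9c16084d 70e63f2d e61ade1f e13e96b9 a14b2849 cc10cca6 afb3c021 29a6edf6 35955713
4400db75 fa4376bb 676c5c6a 2dd1b40e 0d31b354 3c45d1b1 447ec497 7edb538e b2de29ec c8c958c5
c9e57a70 4256d1b7
"""
M2_PRIME = """
00361520 33187de3 f3f6ec98 469d9079 D828a3ec 338d4c7c fa767472 d26c3b0e 9ea4d8d9 1ce91782
923093d0 9c16084d 70e63f2d e61ade1f e13e96b9 a14b2849 cc10cca6 afb3c021 29a6edf6 35955713
4400db75 fa4376bb 676c5c6a 2dd1b40e 0d31b354 3c45d1b1 447ec497 7edb538e b2de29ec c8c958c5
c9e57a70 4256d1b7
"""


def parse_words(text):
    """Split a printed block of hex words into a list of 32 32-bit integers."""
    words = [int(w, 16) for w in text.split()]
    if len(words) != 32 or any(w > MASK for w in words):
        raise ValueError("expected 32 words of 32 bits, got %d" % len(words))
    return words


def modular_difference(m, m2):
    """Word-wise m' - m mod 2^32, the difference type used in the text."""
    return [(y - x) & MASK for x, y in zip(m, m2)]


def xor_difference(m, m2):
    """Word-wise m XOR m'."""
    return [x ^ y for x, y in zip(m, m2)]


def nonzero_positions(diff):
    """[(word index, value)] for every non-zero word of a difference vector."""
    return [(i, d) for i, d in enumerate(diff) if d]


def check_pair(text, text2):
    """Return (modular difference, XOR difference) as lists of non-zero positions."""
    m, m2 = parse_words(text), parse_words(text2)
    return (nonzero_positions(modular_difference(m, m2)),
            nonzero_positions(xor_difference(m, m2)))


if __name__ == "__main__":
    print(check_pair(M1, M1_PRIME))   # expected: ([(4, 2**31)], [(4, 2**31)])
    print(check_pair(M2, M2_PRIME))
```

For both pairs the only non-zero difference is word 4, and the modular and XOR differences coincide at 2^31. That is a general property of the most significant bit: adding 2^31 modulo 2^32 flips bit 31 and nothing else, so there is no carry and no sign ambiguity, which is what makes a one-MSB input difference the cleanest "one bit difference" to work with.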

In this paper, we give a new attack against 3-pass HAVAL with only one bit difference. We propose

a new difference path and the neighborhood modification, and provide two new collision examples for

HAVAL-128.

Acknowledgements

This work was supported by the National Natural Science Foundation of China (Grant No. 60970004, 61173134,

61272434), the Natural Science Foundation of Shandong Province (Grant No. ZR2011FQ032, ZR2012FM004),

the Project of Shandong Province Higher Educational Science and Technology Program (Grant No. J11LG33),

and the Project of Senior Visiting Scholar of Shandong Province.

References

1 Zheng Y L, Pieprzyk J, Seberry J. HAVAL: a one-way hashing algorithm with variable length of output. In: Seberry J, Zheng Y L, eds. Advances in Cryptology, Auscrypt92 Proceedings. LNCS, Vol 718. Berlin: Springer-Verlag, 1993. 83–104

2 Van R B, Biryukov A, Preneel B, et al. Cryptanalysis of 3-pass HAVAL. In: Laih C-S, ed. Advances in Cryptology, ASIACRYPT 2003. LNCS, Vol 2894. Berlin: Springer-Verlag, 2003. 228–245

3 Wang X Y, Yu H B. How to break MD5 and other hash functions. In: Cramer R, ed. Advances in Cryptology, EUROCRYPT 2005. LNCS, Vol 3494. Berlin: Springer-Verlag, 2005. 19–35

4 Wang X Y, Feng D G, Yu X Y. An attack on hash function HAVAL-128. Sci China Ser F-Inf Sci, 2005, 48: 545–556

5 Xie T, Liu F B, Feng D G. Could the 1-MSB input difference be the fastest collision attack for MD5? Cryptology ePrint Archive, 2008: 230. Available from: http://eprint.iacr.org/2008/230.pdf

6 Liang J, Lai X J. Improved collision attack on hash function MD5. J Comput Sci Technol, 2007, 22: 79–87

7 Klima V. Finding MD5 collisions on a notebook PC using multi-message modifications. Cryptology ePrint Archive, 2005: 102. Available from: http://eprint.iacr.org/2005/102.pdf
