• DocumentCode
    2297145
  • Title
    Differential Fault Analysis on the SHA1 Compression Function
  • Author
    Hemme, Ludger ; Hoffmann, Lars
  • Author_Institution
    Giesecke & Devrient GmbH, Munich, Germany
  • fYear
    2011
  • fDate
    28-28 Sept. 2011
  • Firstpage
    54
  • Lastpage
    62
  • Abstract
    In FDTC 2009, Li et al. published a DFA attack [20] against the symmetric block cipher SHACAL1 [11]. This block cipher substantially consists of the compression function of the hash function SHA1 [16] except for the final addition operation. When using the SHA1 compression function as a primitive in a keyed hash function like HMAC-SHA1 [17] or in a key derivation function, it might be of some interest if the attack of Li et al. also applies to the SHA1 compression function. However, the final addition operation turns out to completely prevent this direct application. In this paper we extend the attack of Li et al. in order to overcome the problem of the final addition and to extract the secret inputs of the SHA1 compression function by analysing faulty outputs. Our implementation of the new attack needs about 1000 faulty outputs and a computation time of three hours on a normal PC to fully extract the secret inputs with high probability.
  • Keywords
    cryptography; data compression; 2011; DFA attack; SHA1 compression function; SHA1 hash function; SHACAL1 symmetric block cipher; differential fault analysis; Computational modeling; Context; Doped fiber amplifiers; Encryption; Equations; Mathematical model; Registers; DFA; SHA1 compression function; key derivation functions; keyed hash functions;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Fault Diagnosis and Tolerance in Cryptography (FDTC), 2011 Workshop on
  • Conference_Location
    Nara
  • Print_ISBN
    978-1-4577-1463-4
  • Type
    conf
  • DOI
    10.1109/FDTC.2011.16
  • Filename
    6076467