Efficient Collision Attack Frameworks for RIPEMD-160

Abstract

RIPEMD-160 is an ISO/IEC standard and has been applied to generate the Bitcoin address with SHA-256. Due to the complex dual-stream structure, the first collision attack on reduced RIPEMD-160 presented by Liu, Mendel and Wang at Asiacrypt 2017 only reaches 30 steps, having a time complexity of \(2^{70}\). Apart from that, several semi-free-start collision attacks have been published for reduced RIPEMD-160 with the start-from-the-middle method. Inspired from such start-from-the middle structures, we propose two novel efficient collision attack frameworks for reduced RIPEMD-160 by making full use of the weakness of its message expansion. Those two frameworks are called dense-left-and-sparse-right (DLSR) framework and sparse-left-and-dense-right (SLDR) framework. As it turns out, the DLSR framework is more efficient than SLDR framework since one more step can be fully controlled, though with extra \(2^{32}\) memory complexity. To construct the best differential characteristics for the DLSR framework, we carefully build the linearized part of the characteristics and then solve the corresponding nonlinear part using a guess-and-determine approach. Based on the newly discovered differential characteristics, we provide colliding messages pairs for the first practical collision attacks on 30 and 31 (out of 80) steps of RIPEMD-160 with time complexity \(2^{35.9}\) and \(2^{41.5}\) respectively. In addition, benefiting from the partial calculation, we can attack 33 and 34 (out of 80) steps of RIPEMD-160 with time complexity \(2^{67.1}\) and \(2^{74.3}\) respectively. When applying the SLDR framework to the differential characteristic used in the Asiacrypt 2017 paper, we significantly improve the time complexity by a factor of \(2^{13}\). However, it still cannot compete with the results obtained from the DLSR framework. To the best of our knowledge, these are the best collision attacks on reduced RIPEMD-160 with respect to the number of steps, including the first colliding message pairs for 30 and 31 steps of RIPEMD-160.

Appendices

A Application of the SLDR Framework

A direct application of this framework to the 30-step differential characteristic in [16] will improve the collision attack by a factor of \(2^{11}\). The constraints on \(RQ_{i}\) and the starting point are displayed in Tables 9 and 10 respectively.

Table 9. Starting point for the differential characteristic presented at Asiacrypt’17

Table 10. Information of \(RQ_{i}\)

Observe that \(m_{14}\) is randomly chosen in the SLDR framework and used to update \(Y_{25}\). When the starting point is extended to \(Y_{20}\), \(sum_0 = Y_{20}^{\lll 10} \boxplus K_{1}^{r}=\texttt {0xf45c8129}\) is constant. Let \(F=IFZ(Y_{24}, Y_{23}, Y_{22}^{\lll 10})=(Y_{24} \bigwedge Y_{22}^{\lll 10})\oplus (Y_{23} \bigwedge \overline{Y_{22}^{\lll 10}})\). Adding six extra bit conditions on \(Y_{23}\) (\(Y_{23}^{26\sim 24}=000_2\)) and \(Y_{22}\) (\(Y_{22}^{16\sim 14}=000_2\)) will make \(F^{26\sim 24} = 000_{2}\). Then, adding four bit conditions on \(m_{14}\) (\(m_{14}^{26\sim 23}=1000_2\)) will make \(RQ_{25}^{26\sim 25}=00_{2}\) since \(RQ_{25} = F\boxplus sum_0 \boxplus m_{14}\). In this way, the condition \(Y_{25}^{1\sim 0}=01_2\) can always hold. Since all the newly added conditions can be fully controlled under this framework, two more probabilistic bit conditions are controlled, thus improving the collision attack by a factor of \(2^{13}\) in total. A solution for the dense right branch is as follows: \(m_0 =\texttt {0x284ca581}\), \(m_1=\texttt {0x55fd6120}\), \(m_2=\texttt {0x694b052c}\), \(m_3=\texttt {0xd5f43d9f}\), \(m_4= \texttt {0xa064a7c8}\), \(m_5=\texttt {0xb9f7b3cd}\), \(m_6= \texttt {0x1221b7bb}\), \(m_7=\texttt {0x42156657}\), \(m_8=\texttt {0x121ecfee}\), \(m_9=\texttt {0xce7a7105}\), \(m_{10}=\texttt {0xf2d47e6f}\), \(m_{11}=\texttt {0xf567ac2e}\), \(m_{12}=\texttt {0x20d0d1cb}\), \(m_{13}=\texttt {0x9d928b7d}\), \(m_{14}=\texttt {0x5c6ff19b}\), \(m_{15}=\texttt {0xc306e50f}\).

B Differential Characteristics

We present the differential characteristics used for collision attack in this section.

Table 11. 30-Step differential characteristic

Table 12. 31-Step differential characteristic

Table 13. 33-Step differential characteristic

Table 14. 34-Step differential characteristic