Abstract
In this paper, we present an improved cryptanalysis of the double-branch hash function RIPEMD-160 standardized by ISO/IEC. First, we show how to theoretically calculate the step differential probability of RIPEMD-160, which was stated as an open problem by Mendel et al. at ASIACRYPT 2013. Then, we apply the start-from-the-middle framework to a newly discovered 32-step differential path of RIPEMD-160. Compared with the collision attack on 30 steps of RIPEMD-160 at ASIACRYPT 2017, the attack is extended by two steps, and the time complexity is \(2^{71.9}\). We propose a new start-from-the-middle near-collision attack framework and achieve a near-collision attack on 39 steps of RIPEMD-160 with a time complexity of \(2^{65}\). For the semi-free-start collision attack on 36 steps of RIPEMD-160 at ASIACRYPT 2013, we reduce the time complexity by a factor of \(2^{15.3}\) to \(2^{55.1}\) by choosing different message words to merge the two branches, adding some conditions on the starting point, and solving the equation \(T^{\lll S_0}\boxplus C_0=(T\boxplus C_1)^{\lll S_1}\) (where \(T\) is the variable) in an optimized way. Finally, we present a 2-dimension sum distinguisher on 52 steps of RIPEMD-160 that uses different message differences from those used at ACNS 2012, which improves the best 2-dimension sum distinguisher on RIPEMD-160 by one step. Our attack takes into consideration the modular difference of the internal states when performing message modification in the first part of the differential path, and evaluates the probability of the last part of the differential paths by experiment.
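To make the equation \(T^{\lll S_0}\boxplus C_0=(T\boxplus C_1)^{\lll S_1}\) concrete, the following added example (not code from the paper, and not the optimized method the abstract refers to) solves it on a reduced word size by exhaustive search and by a lookup table indexed by \(C_0\). The function names, the word size `n` and all constants are assumptions chosen for illustration; RIPEMD-160 itself operates on 32-bit words.

```python
from collections import defaultdict


def rotl(x, s, n):
    """Rotate the n-bit word x left by s bits."""
    s %= n
    mask = (1 << n) - 1
    return ((x << s) | (x >> (n - s))) & mask


def holds(t, c0, c1, s0, s1, n):
    """Check T<<<S0 [+] C0 == (T [+] C1)<<<S1, with [+] addition mod 2^n."""
    mask = (1 << n) - 1
    lhs = (rotl(t, s0, n) + c0) & mask
    rhs = rotl((t + c1) & mask, s1, n)
    return lhs == rhs


def solve_exhaustive(c0, c1, s0, s1, n):
    """Reference solver: test every n-bit T (feasible only for small n)."""
    return [t for t in range(1 << n) if holds(t, c0, c1, s0, s1, n)]


def build_table(c1, s0, s1, n):
    """Index every T by the unique C0 it satisfies.

    For fixed C1, S0, S1 each T fixes exactly one C0:
        C0 = (T [+] C1)<<<S1 [-] T<<<S0   (mod 2^n)
    so one pass over T answers the equation for every C0 at once.
    """
    mask = (1 << n) - 1
    table = defaultdict(list)
    for t in range(1 << n):
        c0 = (rotl((t + c1) & mask, s1, n) - rotl(t, s0, n)) & mask
        table[c0].append(t)
    return table


def solution_histogram(table, n):
    """Map k -> number of C0 values that have exactly k solutions T."""
    hist = defaultdict(int)
    for c0 in range(1 << n):
        hist[len(table.get(c0, []))] += 1
    return dict(hist)


if __name__ == "__main__":
    N, C1, S0, S1 = 8, 0x5A, 3, 5          # constructed toy parameters
    tbl = build_table(C1, S0, S1, N)
    print(solution_histogram(tbl, N))       # most C0 have no solution at all
```

Because every \(T\) satisfies the equation for exactly one \(C_0\), the solution counts over all \(C_0\) sum to \(2^n\), so a uniformly chosen \(C_0\) has one solution on average while many values have none.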
References
Biham E., Chen R.: Near-collisions of SHA-0. In: Franklin M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004).
Biryukov A., Lamberger M., Mendel F., Nikolić I.: Second-order differential collisions for reduced SHA-256. In: Lee D.H. (ed.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 270–287. Springer, Heidelberg (2011).
Biryukov A., Nikolić I., Roy A.: Boomerang attacks on BLAKE-32. In: Joux A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 218–237. Springer, Heidelberg (2011).
Bosselaers A., Preneel B.: Integrity Primitives for Secure Information Systems: Final Ripe Report of Race Integrity Primitives Evaluation. Number 1007. Springer, Berlin (1995).
Damgård I.: A design principle for hash functions. In: Brassard G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990).
Daum M.: Cryptanalysis of hash functions of the MD4-Family. (2005) http://www-brs.ub.ruhr-uni-bochum.de/netahtml/HSS/Diss/DaumMagnus/diss.pdf
De Cannière C., Rechberger C.: Finding SHA-1 characteristics: general results and applications. In: Lai X., Chen K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006).
Dobbertin H., Bosselaers A., Preneel B.: RIPEMD-160: a strengthened version of RIPEMD. In: Gollmann D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 71–82. Springer, Heidelberg (1996).
Dobbertin H.: RIPEMD with two-round compress function is not collision-free. J. Cryptol. 10(1), 51–69 (1997).
Dobraunig C., Eichlseder M., Mendel F.: Analysis of SHA-512/224 and SHA-512/256. In: Iwata T., Cheon J. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 612–630. Springer, Heidelberg (2015).
Fouque P.A., Leurent G., Nguyen P.: Automatic search of differential path in MD4. ECRYPT Hash Workshop, Cryptology ePrint Archive, Report 2007/206 (2007).
Lamberger M., Mendel F.: Higher-order differential attack on reduced SHA-256. Cryptology ePrint Archive, Report 2011/037, 2011. http://eprint.iacr.org/2011/037.
Landelle F., Peyrin T.: Cryptanalysis of full RIPEMD-128. In: Johansson T., Nguyen P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 71–82. Springer, Heidelberg (2013).
Leurent G.: Message freedom in MD4 and MD5 collisions: application to APOP. In: Biryukov A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 309–321. Springer, Heidelberg (2007).
Liu F., Mendel F., Wang G.: Collisions and semi-free-start collisions for round-reduced RIPEMD-160. In: Takagi T., Peyrin T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 158–186. Springer, Cham (2017).
Liu F.: Efficient collision attack frameworks for RIPEMD-160. Cryptology ePrint Archive, Report 2018/652, 2018. https://eprint.iacr.org/2018/652.
Mendel F., Nad T., Schläffer M.: Finding SHA-2 characteristics: searching through a minefield of conditions. In: Lee D.H., Wang X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 288–307. Springer, Heidelberg (2011).
Mendel F., Nad T., Schläffer M.: Collision attacks on the reduced dual-stream hash function RIPEMD-128. In: Canteaut A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 226–243. Springer, Heidelberg (2012).
Mendel F., Nad T., Scherz S., Schläffer M.: Differential attacks on reduced RIPEMD-160. In: Gollmann D., Freiling F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 23–38. Springer, Heidelberg (2012).
Mendel F., Nad T., Schläffer M.: Improving local collisions: new attacks on reduced SHA-256. In: Johansson T., Nguyen P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 262–278. Springer, Heidelberg (2013).
Mendel F., Peyrin T., Schläffer M., Wang L., Wu S.: Improved cryptanalysis of reduced RIPEMD-160. In: Kazue S., Palash S. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 484–503. Springer, Heidelberg (2013).
Merkle R.C.: One way hash functions and DES. In: Brassard G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990).
Menezes A., Oorschot P., Vanstone S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997).
Ohtahara C., Sasaki Y., Shimoyama T.: Preimage attacks on step-reduced RIPEMD-128 and RIPEMD-160. In: Lai X., Yung M., Lin D. (eds.) INSCRYPT 2010. LNCS, vol. 435, pp. 428–466. Springer, Heidelberg (2011).
Sasaki Y.: Boomerang distinguishers on MD4-family: first practical results on full 5-pass HAVAL. In: Miri A., Vaudenay S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 1–18. Springer, Heidelberg (2011).
Sasaki Y., Wang L.: Distinguishers beyond three rounds of the RIPEMD-128/-160 compression functions. In: Bao F., Samarati P., Zhou J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 275–292. Springer, Heidelberg (2012).
Stevens M.: Fast collision attack on MD5. Cryptology ePrint Archive: Report 2006/104. https://eprint.iacr.org/2006/104.
Stevens M., Bursztein E., Karpman P., Albertini A., Markov Y.: The first collision for full SHA-1. In: Katz J., Shacham H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017).
Wagner D.: The boomerang attack. In: Knudsen L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999).
Wang G., Wang M.: Cryptanalysis of reduced RIPEMD-128. J. Softw. 19(9), 2442–2448 (2008).
Wang G.: Collision attack on the full extended MD4 and pseudo-preimage attack on RIPEMD. J. Comput. Sci. Technol. 28(1), 129–143 (2013).
Wang G.: Practical collision attack on 40-step RIPEMD-128. In: Benaloh J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 444–460. Springer, Heidelberg (2014).
Wang G., Shen Y.: (Pseudo-) preimage attacks on step-reduced HAS-160 and RIPEMD-160. In: Chow S.S.M., Camenisch J., Hui L.C.K., Yiu S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 90–103. Springer, Heidelberg (2014).
Wang G., Yu H.: Improved cryptanalysis on RIPEMD-128. IET Inf. Secur. 9(6), 354–364 (2015).
Wang G., Shen Y., Liu F.: Cryptanalysis of 48-step RIPEMD-160. IACR Trans. Symmetric Cryptol. 2017(2), 177–202 (2017).
Wang X., Lai X., Feng D., Chen H., Yu X.: Cryptanalysis for hash functions MD4 and RIPEMD. In: Cramer R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005).
Wang X., Yu H.: How to break MD5 and other hash functions. In: Cramer R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005).
Wang X., Yu H., Yin Y.L.: Efficient collision search attacks on SHA-0. In: Shoup V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005).
Wang X., Yin Y.L., Yu H.: Finding collisions in the full SHA-1. In: Shoup V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005).
Acknowledgements
The authors would like to thank the anonymous reviewers for their helpful comments and suggestions. Gaoli Wang is supported by National Cryptography Development Fund (MMJJ20180201), International Science and Technology Cooperation Projects (No. 61961146004) and National Natural Science Foundation of China (No. 61572125).
Additional information
Communicated by V. Rijmen.
Cite this article
Wang, G., Liu, F., Cui, B. et al. Improved (semi-free-start/near-) collision and distinguishing attacks on round-reduced RIPEMD-160. Des. Codes Cryptogr. 88, 887–930 (2020). https://doi.org/10.1007/s10623-020-00718-x
DOI: https://doi.org/10.1007/s10623-020-00718-x