Skip to main content
SpringerLink
Log in

Improved (semi-free-start/near-) collision and distinguishing attacks on round-reduced RIPEMD-160

  • Published:
Designs, Codes and Cryptography Aims and scope Submit manuscript

Abstract

In this paper, we present an improved cryptanalysis of the double-branch hash function RIPEMD-160 standardized by ISO/IEC. First, how to theoretically calculate the step differential probability of RIPEMD-160 is solved, which was stated as an open problem by Mendel et al. at ASIACRYPT 2013. Then, we apply the start-from-the-middle framework to a newly discovered 32-step differential path of RIPEMD-160. Compared with the collision attack on 30 steps of RIPEMD-160 at ASIACRYPT 2017, two steps are extended and the time complexity is \(2^{71.9}\). We propose a new start-from-the-middle near-collision attack framework, and achieve a near-collision attack on 39 steps of RIPEMD-160 with a time complexity of \(2^{65}\). For the semi-free-start collision attack on 36 steps of RIPEMD-160 at ASIACRYPT 2013, by a different choice of the message words to merge two branches, adding some conditions on the starting point as well as solving the equation \(T^{\lll S_0}\boxplus C_0=(T\boxplus C_1)^{\lll S_1}\) (T is the variable) in an optimized way, the time complexity of this semi-free-start collision attack is reduced by a factor of \(2^{15.3}\) to \(2^{55.1}\). Finally, we present a 2-dimension sum distinguisher on 52 steps of RIPEMD-160 by using other message differences compared to ACNS 2012, which improves the best 2-dimension sum distinguisher on RIPEMD-160 by one step. Our attack takes into consideration the modular difference of the internal states when doing message modification in the first part of the differential path, and evaluating the probability of the last part of differential paths by experiment.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5

Similar content being viewed by others

References

  1. Biham E., Chen R.: Near-collisions of SHA-0. In: Franklin M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004).

    Chapter  Google Scholar 

  2. Biryukov A., Lamberger M., Mendel F., Nikolić I.: Second-order differential collisions for reduced SHA-256. In: Lee D.H. (ed.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 270–287. Springer, Heidelberg (2011).

    Chapter  Google Scholar 

  3. Biryukov A., Nikolić I., Roy A.: Boomerang attacks on BLAKE-32. In: Joux A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 218–237. Springer, Heidelberg (2011).

    Google Scholar 

  4. Bosselaers A., Preneel B.: Integrity Primitives for Secure Information Systems: Final Ripe Report of Race Integrity Primitives Evaluation. Number 1007. Springer, Berlin (1995).

    Book  Google Scholar 

  5. Damgård I.: A design principle for hash functions. In: Brassard G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990).

    Google Scholar 

  6. Daum M.: Cryptanalysis of hash functions of the MD4-Family. (2005) http://www-brs.ub.ruhr-uni-bochum.de/netahtml/HSS/Diss/DaumMagnus/diss.pdf

  7. De Cannière C., Rechberger C.: Finding SHA-1 characteristics: general results and applications. In: Lai X., Chen K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006).

    Chapter  Google Scholar 

  8. Dobbertin H., Bosselaers A., Preneel B.: RIPEMD-160: a strengthened version of RIPEMD. In: Gollmann D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 71–82. Springer, Heidelberg (1996).

    Google Scholar 

  9. Dobbertin H.: RIPEMD with two-round compress function is not collision-free. J. Cryptol. 10(1), 51–69 (1997).

    Article  Google Scholar 

  10. Dobraunig C., Eichlseder M., Mendel F.: Analysis of SHA-512/224 and SHA-512/256. In: Iwata T., Cheon J. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 612–630. Springer, Heidelberg (2015).

    Chapter  Google Scholar 

  11. Fouque P.A., Leurent G., Nguyen P.: Automatic search of differential path in MD4. ECRYPT hash worshop-cryptology eprint archive, report, 2007/206 (2007).

  12. Lamberger M., Mendel F.: Higher-order differential attack on reduced SHA-256. Cryptology ePrint Archive, Report 2011/037, 2011. http://eprint.iacr.org/2011/037.

  13. Landelle F., Peyrin T.: Cryptanalysis of full RIPEMD-128. In: Johansson T., Nguyen P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 71–82. Springer, Heidelberg (2013).

    Google Scholar 

  14. Leurent G.: Message freedom in MD4 and MD5 collisions: application to APOP. In: Biryukov A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 309–321. Springer, Heidelberg (2007).

    Google Scholar 

  15. Liu F., Mendel F., Wang G.: Collisions and semi-free-start collisions for round-reduced RIPEMD-160. In: Takagi T., Peyrin T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 158–186. Springer, Cham (2017).

    Chapter  Google Scholar 

  16. Liu F.: Efficient collision attack frameworks for RIPEMD-160. Cryptology ePrint Archive, Report 2018/652, 2018. https://eprint.iacr.org/2018/652.

  17. Mendel F., Nad T., Schläffer M.: Finding SHA-2 characteristics: searching through a minefield of conditions. In: Lee D.H., Wang X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 288–307. Springer, Heidelberg (2011).

    Chapter  Google Scholar 

  18. Mendel F., Nad T., Schläffer M.: Collision attacks on the reduced dual-stream hash function RIPEMD-128. In: Canteaut A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 226–243. Springer, Heidelberg (2012).

    Google Scholar 

  19. Mendel F., Nad T., Scherz S., Schläffer M.: Differential attacks on reduced RIPEMD-160. In: Gollmann D., Freiling F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 23–38. Springer, Heidelberg (2012).

    Google Scholar 

  20. Mendel F., Nad T., Schläffer M.: Improving local collisions: new attacks on reduced SHA-256. In: Johanson T., Nguyen P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 262–278. Springer, Heidelberg (2013).

    Chapter  Google Scholar 

  21. Mendel F., Peyrin T., Schläffer M., Wang L., Wu S.: Improved cryptanalysis of reduced RIPEMD-160. In: Kazue S., Palash S. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 484–503. Springer, Heidelberg (2013).

    Chapter  Google Scholar 

  22. Merkle R.C.: One way hash functions and DES. In: Brassard G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990).

    Google Scholar 

  23. Menezes A., Oorschot P., Vanstone S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997).

    MATH  Google Scholar 

  24. Ohtahara C., Sasaki Y., Shimoyama T.: Preimage attacks on step-reduced RIPEMD-128 and RIPEMD-160. In: Lai X., Yung M., Lin D. (eds.) INSCRYPT 2010. LNCS, vol. 435, pp. 428–466. Springer, Heidelberg (2011).

    Google Scholar 

  25. Sasaki Y.: Boomerang distinguishers on MD4-family: first practical results on full 5-pass HAVAL. In: Miri A., Vaudenay S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 1–18. Springer, Heidelberg (2011).

    Google Scholar 

  26. Sasaki Y., Wang L.: Distinguishers beyond three rounds of the RIPEMD-128/-160 compression functions. In: Bao F., Samarati P., Zhou J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 275–292. Springer, Heidelberg (2012).

    Google Scholar 

  27. Stevens M.: Fast collision attack on MD5. Cryptology ePrint Archive: Report 2006/104. https://eprint.iacr.org/2006/104.

  28. Stevens M., Bursztein E., Karpman P., Albertini A., Markov Y.: The first collision for full SHA-1. In: Katz J., Shacham H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017).

    Chapter  Google Scholar 

  29. Wagner D.: The boomerang attack. In: Knudsen L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999).

    Google Scholar 

  30. Wang G., Wang M.: Cryptanalysis of reduced RIPEMD-128. J. Softw. 19(9), 2442–2448 (2008).

    Article  MathSciNet  Google Scholar 

  31. Wang G.: Collision attack on the full extended MD4 and pseudo-preimage attack on RIPEMD. J. Comput. Sci. Technol. 28(1), 129–143 (2013).

    Article  MathSciNet  Google Scholar 

  32. Wang G.: Practical collision attack on 40-step RIPEMD-128. In: Benaloh J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 444–460. Springer, Heidelberg (2014).

    Google Scholar 

  33. Wang G., Shen Y.: (Pseudo-) preimage attacks on step-reduced HAS-160 and RIPEMD-160. In: Chow S.S.M., Camenisch J., Hui L.C.K., Yiu S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 90–103. Springer, Heidelberg (2014).

    Google Scholar 

  34. Wang G., Yu H.: Improved cryptanalysis on RIPEMD-128. IET Inf. Secur. 9(6), 354–364 (2015).

    Article  Google Scholar 

  35. Wang G., Shen Y., Liu F.: Cryptanalysis of 48-step RIPEMD-160. IACR Trans. Symmetric Cryptol. 2017(2), 177–202 (2017).

    Google Scholar 

  36. Wang X., Lai X., Feng D., Chen H., Yu X.: Cryptanalysis for hash functions MD4 and RIPEMD. In: Cramer R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005).

    Chapter  Google Scholar 

  37. Wang X., Yu H.: How to break MD5 and other hash functions. In: Cramer R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005).

    Chapter  Google Scholar 

  38. Wang X., Yu H., Yin Y.L.: Efficient collision search attacks on SHA-0. In: Shoup V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005).

    Chapter  Google Scholar 

  39. Wang X., Yin Y.L., Yu H.: Finding collisions in the full SHA-1. In: Shoup V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005).

    Chapter  Google Scholar 

Download references

Acknowledgements

The authors would like to thank the anonymous reviewers for their helpful comments and suggestions. Gaoli Wang is supported by National Cryptography Development Fund (MMJJ20180201), International Science and Technology Cooperation Projects (No. 61961146004) and National Natural Science Foundation of China (No. 61572125).

Author information

Authors and Affiliations

  1. Shanghai Key Laboratory of Trustworthy Computing, Software Engineering Institute, East China Normal University, Shanghai, 200062, China

    Gaoli Wang, Fukang Liu & Binbin Cui

  2. Infineon Technologies AG, Augsburg, Germany

    Florian Mendel

  3. Graz University of Technology, Graz, Austria

    Christoph Dobraunig

Authors
  1. Gaoli Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fukang Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Binbin Cui
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Florian Mendel
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Christoph Dobraunig
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Gaoli Wang.

Additional information

Communicated by V. Rijmen.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Wang, G., Liu, F., Cui, B. et al. Improved (semi-free-start/near-) collision and distinguishing attacks on round-reduced RIPEMD-160. Des. Codes Cryptogr. 88, 887–930 (2020). https://doi.org/10.1007/s10623-020-00718-x

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10623-020-00718-x

Keywords

Mathematics Subject Classification

Search

Navigation