Difference between revisions of "RIPEMD"

From The ECRYPT Hash Function Website
(Spezification)
(Collision Attacks)
 
(7 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
== Specification ==
 
== Specification ==
  
<!--
+
 
* digest size: 160 bits
+
* digest size: 128 bits
 
* max. message length: < 2<sup>64</sup> bits
 
* max. message length: < 2<sup>64</sup> bits
* compression function: 512-bit message block, 160-bit chaining variable
+
* compression function: 512-bit message block, 2 streams with each 128-bit chaining variable
 
* Specification:  
 
* Specification:  
-->
+
 
  
 
== Cryptanalysis ==
 
== Cryptanalysis ==
Line 12: Line 12:
  
 
=== Best Known Results ===
 
=== Best Known Results ===
 +
The best collision attack on full RIPEMD was published by Wang et al. It has complexity of 2<sup>18</sup> hash evaluations.
  
 
----
 
----
Line 21: Line 22:
  
 
=== Collision Attacks ===
 
=== Collision Attacks ===
 +
 +
<bibtex>
 +
@inproceedings{eurocryptWangLFCY05,
 +
  author = {Xiaoyun Wang and Xuejia Lai and Dengguo Feng and Hui Chen and Xiuyuan Yu},
 +
  title = {Cryptanalysis of the Hash Functions MD4 and RIPEMD},
 +
  booktitle = {EUROCRYPT},
 +
  year = {2005},
 +
  pages = {1-18},
 +
  abstract = {MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 2^{20} MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2^{–2} to 2^{–6}, and the complexity of finding a collision doesnrsquot exceed 2^8 MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 2^8. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2^{–122}. The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 2^{18} RIPEMD hash operations.},
 +
  editor = {Ronald Cramer},
 +
  volume = {3494},
 +
  series = {LNCS},
 +
  publisher = {Springer},
 +
  isbn = {3-540-25910-4},
 +
  url = {http://dx.doi.org/10.1007/11426639_1},
 +
}
 +
</bibtex>
 +
 +
<bibtex>
 +
@inproceedings{fseDebaertG01,
 +
  author    = {Christophe Debaert and Henri Gilbert},
 +
  title    = {The RIPEMD and RIPEMD Improved Variants of MD4 Are Not Collision Free},
 +
  pages    = {52-65},
 +
  url        = {http://link.springer.de/link/service/series/0558/bibs/2355/23550052.htm},
 +
  editor    = {Mitsuru Matsui},
 +
  booktitle = {FSE},
 +
  publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {2355},
 +
  year      = {2002},
 +
  isbn      = {3-540-43869-6},
 +
  abstract  = {In 1992, the cryptographic hash function RIPEMD, a European proposal, was introduced as an improved variant of the MD4 hash function. RIPEMD involves two parallel lines of modified versions of the MD4 compression function. Three years later, an attack against a reduced version of RIPEMD in which the first or the last round of the RIPEMD compression function is omitted was described by Hans Dobbertin, who also published in 1998 a cryptanalysis of MD4. In this paper, we present a method for finding collisions in each of the parallel lines of RIPEMD. The collision search procedure requires only a few seconds computing time. We show that although the modifications of the MD4 compression function Used in RIPEMD introduce additional constraints in the cryptanalysis as Compared with Dobbertin’s attack of MD4, these modifications do not result in an increase of the collision search computation time. It is still an open question whether collisions can be found for the full RIPEMD function.},
 +
}
 +
</bibtex>
 +
 +
<bibtex>
 +
@article{jocDobbertin97,
 +
  author    = {Hans Dobbertin},
 +
  title    = {RIPEMD with Two-Round Compress Function is Not Collision-Free},
 +
  journal  = {J. Cryptology},
 +
  volume    = {10},
 +
  number    = {1},
 +
  year      = {1997},
 +
  pages    = {51-70},
 +
  url        = {http://dx.doi.org/10.1007/s001459900019},
 +
  abstract  = {In 1990 Rivest introduced the cryptographic hash function MD4. The compress function of MD4 has three rounds. After partial attacks against MD4 were found, the stronger mode RIPEMD was designed as a European proposal in 1992 (RACE project). Its compress function consists of two parallel lines of modified versions of MD4-compress. RIPEMD is currently being considered to become an international standard (ISO/IEC Draft 10118-3). However, in this paper an attack against RIPEMD is described, which leads to comparable results with the previously known attacks against MD4: The reduced versions of RIPEMD, where the first or the last round of the compress function is omitted, are not collision-free. Moreover, it turns out that the methods developed in this note can be applied to find collisions for the full MD4.},
 +
}
 +
</bibtex>
  
 
----
 
----

Latest revision as of 18:19, 11 March 2008

1 Specification

  • digest size: 128 bits
  • max. message length: < 264 bits
  • compression function: 512-bit message block, 2 streams with each 128-bit chaining variable
  • Specification:


2 Cryptanalysis

2.1 Best Known Results

The best collision attack on full RIPEMD was published by Wang et al. It has complexity of 218 hash evaluations.


2.2 Generic Attacks


2.3 Collision Attacks

Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu - Cryptanalysis of the Hash Functions MD4 and RIPEMD

EUROCRYPT 3494:1-18,2005
http://dx.doi.org/10.1007/11426639_1
Bibtex
Author : Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu
Title : Cryptanalysis of the Hash Functions MD4 and RIPEMD
In : EUROCRYPT -
Address :
Date : 2005

Christophe Debaert, Henri Gilbert - The RIPEMD and RIPEMD Improved Variants of MD4 Are Not Collision Free

FSE 2355:52-65,2002
http://link.springer.de/link/service/series/0558/bibs/2355/23550052.htm
Bibtex
Author : Christophe Debaert, Henri Gilbert
Title : The RIPEMD and RIPEMD Improved Variants of MD4 Are Not Collision Free
In : FSE -
Address :
Date : 2002

Hans Dobbertin - RIPEMD with Two-Round Compress Function is Not Collision-Free

J. Cryptology 10(1):51-70,1997
http://dx.doi.org/10.1007/s001459900019
Bibtex
Author : Hans Dobbertin
Title : RIPEMD with Two-Round Compress Function is Not Collision-Free
In : J. Cryptology -
Address :
Date : 1997

2.4 Second Preimage Attacks


2.5 Preimage Attacks


2.6 Others