Difference between revisions of "RIPEMD"
From The ECRYPT Hash Function Website
(→Collision Attacks) |
(→Collision Attacks) |
||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 12: | Line 12: | ||
=== Best Known Results === | === Best Known Results === | ||
| + | The best collision attack on full RIPEMD was published by Wang et al. It has complexity of 2<sup>18</sup> hash evaluations. | ||
---- | ---- | ||
| Line 21: | Line 22: | ||
=== Collision Attacks === | === Collision Attacks === | ||
| + | |||
| + | <bibtex> | ||
| + | @inproceedings{eurocryptWangLFCY05, | ||
| + | author = {Xiaoyun Wang and Xuejia Lai and Dengguo Feng and Hui Chen and Xiuyuan Yu}, | ||
| + | title = {Cryptanalysis of the Hash Functions MD4 and RIPEMD}, | ||
| + | booktitle = {EUROCRYPT}, | ||
| + | year = {2005}, | ||
| + | pages = {1-18}, | ||
| + | abstract = {MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 2^{20} MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2^{–2} to 2^{–6}, and the complexity of finding a collision doesnrsquot exceed 2^8 MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 2^8. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2^{–122}. The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 2^{18} RIPEMD hash operations.}, | ||
| + | editor = {Ronald Cramer}, | ||
| + | volume = {3494}, | ||
| + | series = {LNCS}, | ||
| + | publisher = {Springer}, | ||
| + | isbn = {3-540-25910-4}, | ||
| + | url = {http://dx.doi.org/10.1007/11426639_1}, | ||
| + | } | ||
| + | </bibtex> | ||
| + | |||
<bibtex> | <bibtex> | ||
@inproceedings{fseDebaertG01, | @inproceedings{fseDebaertG01, | ||
Latest revision as of 18:19, 11 March 2008
Contents
1 Specification
- digest size: 128 bits
- max. message length: < 264 bits
- compression function: 512-bit message block, 2 streams with each 128-bit chaining variable
- Specification:
2 Cryptanalysis
2.1 Best Known Results
The best collision attack on full RIPEMD was published by Wang et al. It has complexity of 218 hash evaluations.
2.2 Generic Attacks
2.3 Collision Attacks
Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu - Cryptanalysis of the Hash Functions MD4 and RIPEMD
- EUROCRYPT 3494:1-18,2005
- http://dx.doi.org/10.1007/11426639_1
BibtexAuthor : Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu
Title : Cryptanalysis of the Hash Functions MD4 and RIPEMD
In : EUROCRYPT -
Address :
Date : 2005
Christophe Debaert, Henri Gilbert - The RIPEMD and RIPEMD Improved Variants of MD4 Are Not Collision Free
- FSE 2355:52-65,2002
- http://link.springer.de/link/service/series/0558/bibs/2355/23550052.htm
BibtexAuthor : Christophe Debaert, Henri Gilbert
Title : The RIPEMD and RIPEMD Improved Variants of MD4 Are Not Collision Free
In : FSE -
Address :
Date : 2002
Hans Dobbertin - RIPEMD with Two-Round Compress Function is Not Collision-Free
- J. Cryptology 10(1):51-70,1997
- http://dx.doi.org/10.1007/s001459900019
BibtexAuthor : Hans Dobbertin
Title : RIPEMD with Two-Round Compress Function is Not Collision-Free
In : J. Cryptology -
Address :
Date : 1997
