Abstract

RIPEMD-160 is a hash function published in 1996, which shares similarities with other hash functions designed in this time period like MD4, MD5 and SHA-1. However, for RIPEMD-160, no (semi-free-start) collision attacks on the full number of steps are known. Hence, it is still used, e.g., to generate Bitcoin addresses together with SHA-256, and is an ISO/IEC standard. Due to its dual-stream structure, even semi-free-start collision attacks starting from the first step only reach 36 steps, which were first shown by Mendel et al. at Asiacrypt 2013 and later improved by Liu, Mendel and Wang at Asiacrypt 2017. Both of the attacks are based on a similar freedom degree utilization technique as proposed by Landelle and Peyrin at Eurocrypt 2013. However, the best known semi-free-start collision attack on 36 steps of RIPEMD-160 presented at Asiacrypt 2017 still requires $2^{55.1}$ time and $2^{32}$ memory. Consequently, a practical semi-free-start collision attack for the first 36 steps of RIPEMD-160 still requires a significant amount of resources. Considering the structure of these previous semi-free-start collision attacks for 36 steps of RIPEMD-160, it seems hard to extend it to more steps. Thus, we develop a different semi-free-start collision attack framework for reduced RIPEMD-160 by carefully investigating the message expansion of RIPEMD-160. Our new framework has several advantages. First of all, it allows the attacks to be extended to more steps. Second, the memory complexity of the attacks is negligible. Hence, we were able to mount semi-free-start collision attacks on 36 and 37 steps of RIPEMD-160 with practical time complexity $2^{41}$ and $2^{49}$, respectively. Additionally, we describe semi-free-start collision attacks on 38 and 40 (out of 80) steps of RIPEMD-160 with time complexity $2^{52}$ and $2^{74.6}$, respectively.
To the best of our knowledge, these are the best semi-free-start collision attacks for RIPEMD-160 starting from the first step with respect to the number of steps, including the first practical colliding message pairs for 36 and 37 steps of RIPEMD-160.

Highlights

  • With a new freedom degree utilization strategy, we develop an SFS collision attack framework for reduced RIPEMD-160

Summary

Introduction

In the 1990s, most popular hash functions, like MD4, MD5, SHA-0, RIPEMD-160 [DBP96] and SHA-1 followed a similar design strategy based on round functions involving modular additions, word-wise rotations, and XORs (ARX). In contrast to MD4, MD5, SHA-0 and SHA-1, the compression function of RIPEMD-160 is of a more complex nature, since the chaining value is duplicated and processed in two branches. Both branches employ a slightly different round function, and the message expansion follows a different pattern. At the end of the compression function, both branches are merged again to form the 160-bit internal state or final hash value. This increased complexity seems to complicate the analysis, and in contrast to MD4 [Dob, WLF+05], MD5 [WY05], SHA-0 [WYY05b] and SHA-1 [WYY05a, SBK+17], collision attacks on RIPEMD-160 do not reach the full number of rounds.
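The dual-branch compression function described above, as an added example (not code from the paper): a compact RIPEMD-160 whose `steps` parameter truncates both branches to their first `steps` steps, which is what "36 steps starting from the first step" refers to. The function names, the hex-string table encoding and the choice to keep the final merge in the reduced variant are assumptions of this sketch; the tables and constants are those of the RIPEMD-160 specification.

```python
import struct

M = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _hex(s):  # helper (hypothetical name): one hex digit per step, values 0..15
    return [int(c, 16) for c in s]

# Message expansion: which of the 16 message words each step reads (left / right branch).
RL = _hex("0123456789abcdef74d1a6f3c0952eb83ae49f812706db5c19ba08c4d37fe56240597c2ae138b6fd")
RR = _hex("5e7092b4d6f81a3c6b370d5aef8c4912f5137e69b8c2a04d86413bf05c2d97aecfa4158762de039b")
# Rotation amount per step (left / right branch).
SL = _hex("befc5879bdef6798768db97f7cf9b7dcbd67e9dfe8d65c75bcefef989e56865c9f5b68dc5cdeb856")
SR = _hex("899bdff5778beec69df7c89b77c76fdb97fb866ecd5edd75f58bee6e69c9c5f885c9c5e68d65fdbb")
KL = (0, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xA953FD4E)
KR = (0x50A28BE6, 0x5C4DD124, 0x6D703EF3, 0x7A6D76E9, 0)
F = (lambda x, y, z: x ^ y ^ z,               # round 1 left, round 5 right
     lambda x, y, z: (x & y) | (~x & z),
     lambda x, y, z: (x | ~y) ^ z,
     lambda x, y, z: (x & z) | (y & ~z),
     lambda x, y, z: x ^ (y | ~z))            # round 5 left, round 1 right

def rol(x, n):
    x &= M
    return ((x << n) | (x >> (32 - n))) & M

def branch(h, X, order, shifts, K, funcs, steps):
    """Run the first `steps` steps of one branch from chaining value h."""
    a, b, c, d, e = h
    for j in range(steps):
        t = (rol(a + funcs[j // 16](b, c, d) + X[order[j]] + K[j // 16], shifts[j]) + e) & M
        a, e, d, c, b = e, d, rol(c, 10), b, t
    return a, b, c, d, e

def compress(h, block, steps=80):
    """Both branches start from the same h; in a semi-free-start setting h is chosen freely."""
    X = struct.unpack("<16I", block)
    al, bl, cl, dl, el = branch(h, X, RL, SL, KL, F, steps)
    ar, br, cr, dr, er = branch(h, X, RR, SR, KR, F[::-1], steps)
    # Merge: each output word mixes h with one word from each branch.
    return ((h[1] + cl + dr) & M, (h[2] + dl + er) & M, (h[3] + el + ar) & M,
            (h[4] + al + br) & M, (h[0] + bl + cr) & M)

def ripemd160(msg, steps=80):
    data = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    h = IV
    for i in range(0, len(data), 64):
        h = compress(h, data[i:i + 64], steps)
    return struct.pack("<5I", *h).hex()
```
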
