New Semi-Free-Start Collision Attack Framework for Reduced RIPEMD-160

RIPEMD-160 is a hash function published in 1996, which shares similarities with other hash functions designed in this time-period like MD4, MD5 and SHA-1. However, for RIPEMD-160, no (semi-free-start) collision attacks on the full number of steps are known. Hence, it is still used, e.g., to generate Bitcoin addresses together with SHA-256, and is an ISO/IEC standard. Due to its dual-stream structure, even semifree- start collision attacks starting from the first step only reach 36 steps, which were firstly shown by Mendel et al. at Asiacrypt 2013 and later improved by Liu, Mendel and Wang at Asiacrypt 2017. Both of the attacks are based on a similar freedom degree utilization technique as proposed by Landelle and Peyrin at Eurocrypt 2013. However, the best known semi-free-start collision attack on 36 steps of RIPEMD-160 presented at Asiacrypt 2017 still requires 255.1 time and 232 memory. Consequently, a practical semi-free-start collision attack for the first 36 steps of RIPEMD-160 still requires a significant amount of resources. Considering the structure of these previous semi-free-start collision attacks for 36 steps of RIPEMD-160, it seems hard to extend it to more steps. Thus, we develop a different semi-free-start collision attack framework for reduced RIPEMD-160 by carefully investigating the message expansion of RIPEMD-160. Our new framework has several advantages. First of all, it allows to extend the attacks to more steps. Second, the memory complexity of the attacks is negligible. Hence, we were able to mount semi-free-start collision attacks on 36 and 37 steps of RIPEMD-160 with practical time complexity 241 and 249 respectively. Additionally, we describe semi-free-start collision attacks on 38 and 40 (out of 80) steps of RIPEMD-160 with time complexity 252 and 274.6, respectively. To the best of our knowledge, these are the best semi-free-start collision attacks for RIPEMD-160 starting from the first step with respect to the number of steps, including the first practical colliding message pairs for 36 and 37 steps of RIPEMD-160.

[1]  Fukang Liu,et al.  Efficient Collision Attack Frameworks for RIPEMD-160 , 2019, IACR Cryptol. ePrint Arch..

[2]  Shuang Wu,et al.  Improved Cryptanalysis of Reduced RIPEMD-160 , 2013, ASIACRYPT.

[3]  Xiaoyun Wang,et al.  Efficient Collision Search Attacks on SHA-0 , 2005, CRYPTO.

[4]  Florian Mendel,et al.  Differential Attacks on Reduced RIPEMD-160 , 2012, ISC.

[5]  Hui Chen,et al.  Cryptanalysis of the Hash Functions MD4 and RIPEMD , 2005, EUROCRYPT.

[6]  Thomas Peyrin,et al.  Cryptanalysis of Full RIPEMD-128 , 2013, Journal of Cryptology.

[7]  Florian Mendel,et al.  Branching Heuristics in Differential Collision Search with Applications to SHA-512 , 2014, FSE.

[8]  Florian Mendel,et al.  Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions , 2011, ASIACRYPT.

[9]  Yu Sasaki,et al.  Preimage Attacks on the Step-Reduced RIPEMD-128 and RIPEMD-160 , 2012 .

[10]  Yu Sasaki,et al.  Preimage Attacks on Step-Reduced RIPEMD-128 and RIPEMD-160 , 2010, Inscrypt.

[11]  Florian Mendel,et al.  Improving Local Collisions: New Attacks on Reduced SHA-256 , 2013, EUROCRYPT.

[12]  Hans Dobbertin,et al.  Cryptanalysis of MD4 , 1996, Journal of Cryptology.

[13]  Florian Mendel,et al.  Collisions and Semi-Free-Start Collisions for Round-Reduced RIPEMD-160 , 2017, ASIACRYPT.

[14]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[15]  Bart Preneel,et al.  RIPEMD-160: A Strengthened Version of RIPEMD , 1996, FSE.

[16]  Christophe De Cannière,et al.  Finding SHA-1 Characteristics: General Results and Applications , 2006, ASIACRYPT.

[17]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[18]  Gaoli Wang,et al.  Cryptanalysis of 48-step RIPEMD-160 , 2017, IACR Trans. Symmetric Cryptol..

[19]  Marc Stevens,et al.  The First Collision for Full SHA-1 , 2017, CRYPTO.