Improved Cryptanalysis of Reduced RIPEMD-160

In this article, we propose an improved cryptanalysis of the double-branch hash function standard RIPEMD-160. Using a carefully designed non-linear path search tool, we study the potential differential paths that can be constructed from a difference in a single message word and show that some of these message words can lead to very good differential path candidates. Leveraging the recent freedom degree utilization technique from Landelle and Peyrin to merge two branch instances, we eventually manage to obtain a semi-free-start collision attack for 42 steps of the RIPEMD-160 compression function, while the previously best know result reached 36 steps. In addition, we also describe a 36-step semi-free-start collision attack which starts from the first step.

[1]  Christophe De Cannière,et al.  Finding SHA-1 Characteristics: General Results and Applications , 2006, ASIACRYPT.

[2]  Ivan Damgård,et al.  A Design Principle for Hash Functions , 1989, CRYPTO.

[3]  Florian Mendel,et al.  Differential Attacks on Reduced RIPEMD-160 , 2012, ISC.

[4]  Bruce Schneier One-way hash functions , 1991 .

[5]  Florian Mendel,et al.  Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions , 2011, ASIACRYPT.

[6]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[7]  Xiaoyun Wang,et al.  Efficient Collision Search Attacks on SHA-0 , 2005, CRYPTO.

[8]  Ronald L. Rivest,et al.  The MD4 Message-Digest Algorithm , 1990, RFC.

[9]  Yu Sasaki,et al.  Preimage Attacks on Step-Reduced RIPEMD-128 and RIPEMD-160 , 2010, Inscrypt.

[10]  Florian Mendel,et al.  Improving Local Collisions: New Attacks on Reduced SHA-256 , 2013, EUROCRYPT.

[11]  Gaëtan Leurent,et al.  Analysis of Differential Attacks in ARX Constructions , 2012, ASIACRYPT.

[12]  Ralph C. Merkle,et al.  One Way Hash Functions and DES , 1989, CRYPTO.

[13]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[14]  Bart Preneel,et al.  RIPEMD-160: A Strengthened Version of RIPEMD , 1996, FSE.

[15]  Joos Vandewalle,et al.  Integrity primitives for secure information systems : final report of RACE Integrity Primitives Evaluation RIPE-RACE 1040 , 1995 .

[16]  Hans Dobbertin,et al.  RIPEMD with two-round compress function is not collision-free , 1997, Journal of Cryptology.

[17]  Yu Sasaki,et al.  Distinguishers beyond Three Rounds of the RIPEMD-128/-160 Compression Functions , 2012, ACNS.

[18]  Hui Chen,et al.  Cryptanalysis of the Hash Functions MD4 and RIPEMD , 2005, EUROCRYPT.

[19]  Thomas Peyrin,et al.  Cryptanalysis of Full RIPEMD-128 , 2013, Journal of Cryptology.