nach oben

Journal of Cryptology

Erschienen in:

01.10.2016

Cryptanalysis of Full RIPEMD-128

verfasst von: Franck Landelle, Thomas Peyrin

Erschienen in: Journal of Cryptology | Ausgabe 4/2016

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In this article we propose a new cryptanalysis method for double-branch hash functions and we apply it on the standard RIPEMD-128, greatly improving over previously known results on this algorithm. Namely, we are able to build a very good differential path by placing one nonlinear differential part in each computation branch of the RIPEMD-128 compression function, but not necessarily in the early steps. In order to handle the low differential probability induced by the nonlinear part located in later steps, we propose a new method for using the available freedom degrees, by attacking each branch separately and then merging them with free message blocks. Overall, we present the first collision attack on the full RIPEMD-128 compression function as well as the first distinguisher on the full RIPEMD-128 hash function. Experiments on reduced number of rounds were conducted, confirming our reasoning and complexity analysis. Our results show that 16-year-old RIPEMD-128, one of the last unbroken primitives belonging to the MD-SHA family, might not be as secure as originally thought.

Vorheriger Artikel Toward a Game Theoretic View of Secure Computation

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

The padding is the same as for MD4: a “1" is first appended to the message, then x “0" bits (with \(x=512-(|m|+1+64 \pmod {512})\)) are added, and finally, the message length |m| encoded on 64 bits is appended as well.

Our message words fixing approach is certainly not optimal, but this phase is not the bottleneck of our attack and we preferred to aim for simplicity when possible. In case a very fast implementation is needed, a more efficient but more complex strategy would be to find a bit per bit scheduling instead of a word-wise one.

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche (2008). Keccak specifications. Submission to NIST, http://keccak.noekeon.org/Keccak-specifications.pdf

A. Bosselaers, B. Preneel, (eds.), in Integrity Primitives for Secure Information Systems, Final Report of RACE Integrity Primitives Evaluation RIPE-RACE 1040, volume 1007 of LNCS. (Springer, Berlin, 1995)

C. De Cannière, C. Rechberger, Finding SHA-1 characteristics: general results and applications, in ASIACRYPT (2006), pp. 1–20

I. Damgård. A design principle for hash functions, in CRYPTO, volume 435 of LNCS, ed. by G. Brassard (Springer, 1989), pp. 416–427

B. den Boer, A. Bosselaers. Collisions for the compression function of MD5. In EUROCRYPT (1993), pp. 293–304

H. Dobbertin, Cryptanalysis of MD5 compress, in Rump Session of Advances in Cryptology EUROCRYPT 1996 (1996). ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf

H. Dobbertin, RIPEMD with two-round compress function is not collision-free. J. Cryptol. 10(1), 51–70 (1997)

H. Dobbertin, A. Bosselaers, B. Preneel, RIPEMD-160: a strengthened version of RIPEMD, in FSE (1996), pp. 71–82

H. Gilbert, T. Peyrin, Super-Sbox cryptanalysis: improved attacks for AES-like permutations, in FSE (2010), pp. 365–383

10.

ISO. ISO/IEC 10118-3:2004: Information technology—-Security techniques—Hash-functions—Part 3: Dedicated hash-functions. pub-ISO, pub-ISO:adr, Feb 2004

11.

M. Iwamoto, T. Peyrin, Y. Sasaki. Limited-birthday distinguishers for hash functions—collisions beyond the birthday bound can be meaningful, in ASIACRYPT (2) (2013), pp. 504–523

12.

A. Joux, T. Peyrin. Hash functions and the (amplified) boomerang attack, in CRYPTO (2007), pp. 244–263

13.

F. Landelle, T. Peyrin. Cryptanalysis of Full RIPEMD-128, in EUROCRYPT (2013), pp. 228–244

14.

S. Manuel, T. Peyrin, Collisions on SHA-0 in one hour, in FSE, pp. 16–35 (2008)

15.

F. Mendel, T. Nad, S. Scherz, M. Schläffer, Differential attacks on reduced RIPEMD-160, in ISC (2012), pp. 23–38

16.

F. Mendel, T. Nad, M. Schläffer. Collision attacks on the reduced dual-stream hash function RIPEMD-128, in FSE (2012), pp. 226–243

17.

F. Mendel, T. Peyrin, M. Schläffer, L. Wang, S. Wu, Improved cryptanalysis of reduced RIPEMD-160, in ASIACRYPT (2) (2013), pp. 484–503

18.

F. Mendel, N. Pramstaller, C. Rechberger, V. Rijmen, On the collision resistance of RIPEMD-160, in ISC (2006), pp. 101–116

19.

R.C. Merkle. One way hash functions and DES, in CRYPTO (1989), pp. 428–446

20.

C. Ohtahara, Y. Sasaki, T. Shimoyama, Preimage attacks on step-reduced RIPEMD-128 and RIPEMD-160, in Inscrypt (2010), pp. 169–186

21.

R.L. Rivest, The MD4 message-digest algorithm. Request for Comments (RFC) 1320, Internet Activities Board, Internet Privacy Task Force, April 1992

22.

Y. Sasaki, K. Aoki, Meet-in-the-middle preimage attacks on double-branch hash functions: application to RIPEMD and others, in ACISP (2009), pp. 214–231

23.

Y. Sasaki, L. Wang, Distinguishers beyond three rounds of the RIPEMD-128/-160 compression functions, in ACNS (2012), pp. 275–292

24.

M. Stevens, A. Sotirov, J. Appelbaum, A.K. Lenstra, D. Molnar, D.A. Osvik, B. de Weger, Short chosen-prefix collisions for MD5 and the creation of a Rogue CA certificate, in CRYPTO (2009), pp. 55–69

25.

L. Wang, Y. Sasaki, W. Komatsubara, K. Ohta, K. Sakiyama. (Second) Preimage attacks on step-reduced RIPEMD/RIPEMD-128 with a new local-collision approach, in CT-RSA (2011), pp. 197–212

26.

X. Wang, X. Lai, D. Feng, H. Chen, X. Yu, Cryptanalysis of the hash functions MD4 and RIPEMD, in EUROCRYPT (2005), pp. 1–18

27.

X. Wang, Y.L. Yin, H. Yu, Finding collisions in the full SHA-1, in CRYPTO (2005), pp. 17–36

28.

X. Wang, H. Yu, How to break MD5 and other hash functions, in EUROCRYPT (2005), pp. 19–35

29.

X. Wang, H. Yu, Y.L. Yin, Efficient collision search attacks on SHA-0. In CRYPTO (2005), pp. 1–16

Titel: Cryptanalysis of Full RIPEMD-128
verfasst von: Franck Landelle
Thomas Peyrin
Publikationsdatum: 01.10.2016
Verlag: Springer US
Erschienen in: Journal of Cryptology / Ausgabe 4/2016
Print ISSN: 0933-2790
Elektronische ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-015-9213-5

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 4/2016

Constant-Size Structure-Preserving Signatures: Generic Constructions and Simple Assumptions

The -curve Construction for Endomorphism-Accelerated Elliptic Curves

Key Recovery Attacks on Iterated Even–Mansour Encryption Schemes

New Second-Preimage Attacks on Hash Functions

Unconditionally Anonymous Ring and Mesh Signatures

Toward a Game Theoretic View of Secure Computation