nach oben

Designs, Codes and Cryptography

Erschienen in:

28.01.2020

Improved (semi-free-start/near-) collision and distinguishing attacks on round-reduced RIPEMD-160

verfasst von: Gaoli Wang, Fukang Liu, Binbin Cui, Florian Mendel, Christoph Dobraunig

Erschienen in: Designs, Codes and Cryptography | Ausgabe 5/2020

Einloggen, um Zugang zu erhalten

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In this paper, we present an improved cryptanalysis of the double-branch hash function RIPEMD-160 standardized by ISO/IEC. First, how to theoretically calculate the step differential probability of RIPEMD-160 is solved, which was stated as an open problem by Mendel et al. at ASIACRYPT 2013. Then, we apply the start-from-the-middle framework to a newly discovered 32-step differential path of RIPEMD-160. Compared with the collision attack on 30 steps of RIPEMD-160 at ASIACRYPT 2017, two steps are extended and the time complexity is \(2^{71.9}\). We propose a new start-from-the-middle near-collision attack framework, and achieve a near-collision attack on 39 steps of RIPEMD-160 with a time complexity of \(2^{65}\). For the semi-free-start collision attack on 36 steps of RIPEMD-160 at ASIACRYPT 2013, by a different choice of the message words to merge two branches, adding some conditions on the starting point as well as solving the equation \(T^{\lll S_0}\boxplus C_0=(T\boxplus C_1)^{\lll S_1}\) (T is the variable) in an optimized way, the time complexity of this semi-free-start collision attack is reduced by a factor of \(2^{15.3}\) to \(2^{55.1}\). Finally, we present a 2-dimension sum distinguisher on 52 steps of RIPEMD-160 by using other message differences compared to ACNS 2012, which improves the best 2-dimension sum distinguisher on RIPEMD-160 by one step. Our attack takes into consideration the modular difference of the internal states when doing message modification in the first part of the differential path, and evaluating the probability of the last part of differential paths by experiment.

Vorheriger Artikel Full classification of permutation rational functions and complete rational functions of degree three over finite fields

Nächster Artikel On the smoothing parameter and last minimum of random orthogonal lattices

Biham E., Chen R.: Near-collisions of SHA-0. In: Franklin M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004).CrossRef

Biryukov A., Lamberger M., Mendel F., Nikolić I.: Second-order differential collisions for reduced SHA-256. In: Lee D.H. (ed.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 270–287. Springer, Heidelberg (2011).CrossRef

Biryukov A., Nikolić I., Roy A.: Boomerang attacks on BLAKE-32. In: Joux A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 218–237. Springer, Heidelberg (2011).

Bosselaers A., Preneel B.: Integrity Primitives for Secure Information Systems: Final Ripe Report of Race Integrity Primitives Evaluation. Number 1007. Springer, Berlin (1995).CrossRef

Damgård I.: A design principle for hash functions. In: Brassard G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990).

Daum M.: Cryptanalysis of hash functions of the MD4-Family. (2005) http://www-brs.ub.ruhr-uni-bochum.de/netahtml/HSS/Diss/DaumMagnus/diss.pdf

De Cannière C., Rechberger C.: Finding SHA-1 characteristics: general results and applications. In: Lai X., Chen K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006).CrossRef

Dobbertin H., Bosselaers A., Preneel B.: RIPEMD-160: a strengthened version of RIPEMD. In: Gollmann D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 71–82. Springer, Heidelberg (1996).

Dobbertin H.: RIPEMD with two-round compress function is not collision-free. J. Cryptol. 10(1), 51–69 (1997).CrossRef

10.

Dobraunig C., Eichlseder M., Mendel F.: Analysis of SHA-512/224 and SHA-512/256. In: Iwata T., Cheon J. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 612–630. Springer, Heidelberg (2015).CrossRef

11.

Fouque P.A., Leurent G., Nguyen P.: Automatic search of differential path in MD4. ECRYPT hash worshop-cryptology eprint archive, report, 2007/206 (2007).

12.

Lamberger M., Mendel F.: Higher-order differential attack on reduced SHA-256. Cryptology ePrint Archive, Report 2011/037, 2011. http://eprint.iacr.org/2011/037.

13.

Landelle F., Peyrin T.: Cryptanalysis of full RIPEMD-128. In: Johansson T., Nguyen P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 71–82. Springer, Heidelberg (2013).

14.

Leurent G.: Message freedom in MD4 and MD5 collisions: application to APOP. In: Biryukov A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 309–321. Springer, Heidelberg (2007).

15.

Liu F., Mendel F., Wang G.: Collisions and semi-free-start collisions for round-reduced RIPEMD-160. In: Takagi T., Peyrin T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 158–186. Springer, Cham (2017).CrossRef

16.

Liu F.: Efficient collision attack frameworks for RIPEMD-160. Cryptology ePrint Archive, Report 2018/652, 2018. https://eprint.iacr.org/2018/652.

17.

Mendel F., Nad T., Schläffer M.: Finding SHA-2 characteristics: searching through a minefield of conditions. In: Lee D.H., Wang X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 288–307. Springer, Heidelberg (2011).CrossRef

18.

Mendel F., Nad T., Schläffer M.: Collision attacks on the reduced dual-stream hash function RIPEMD-128. In: Canteaut A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 226–243. Springer, Heidelberg (2012).

19.

Mendel F., Nad T., Scherz S., Schläffer M.: Differential attacks on reduced RIPEMD-160. In: Gollmann D., Freiling F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 23–38. Springer, Heidelberg (2012).

20.

Mendel F., Nad T., Schläffer M.: Improving local collisions: new attacks on reduced SHA-256. In: Johanson T., Nguyen P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 262–278. Springer, Heidelberg (2013).CrossRef

21.

Mendel F., Peyrin T., Schläffer M., Wang L., Wu S.: Improved cryptanalysis of reduced RIPEMD-160. In: Kazue S., Palash S. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 484–503. Springer, Heidelberg (2013).CrossRef

22.

Merkle R.C.: One way hash functions and DES. In: Brassard G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990).

23.

Menezes A., Oorschot P., Vanstone S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997).MATH

24.

Ohtahara C., Sasaki Y., Shimoyama T.: Preimage attacks on step-reduced RIPEMD-128 and RIPEMD-160. In: Lai X., Yung M., Lin D. (eds.) INSCRYPT 2010. LNCS, vol. 435, pp. 428–466. Springer, Heidelberg (2011).

25.

Sasaki Y.: Boomerang distinguishers on MD4-family: first practical results on full 5-pass HAVAL. In: Miri A., Vaudenay S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 1–18. Springer, Heidelberg (2011).

26.

Sasaki Y., Wang L.: Distinguishers beyond three rounds of the RIPEMD-128/-160 compression functions. In: Bao F., Samarati P., Zhou J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 275–292. Springer, Heidelberg (2012).

27.

Stevens M.: Fast collision attack on MD5. Cryptology ePrint Archive: Report 2006/104. https://eprint.iacr.org/2006/104.

28.

Stevens M., Bursztein E., Karpman P., Albertini A., Markov Y.: The first collision for full SHA-1. In: Katz J., Shacham H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017).CrossRef

29.

Wagner D.: The boomerang attack. In: Knudsen L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999).

30.

Wang G., Wang M.: Cryptanalysis of reduced RIPEMD-128. J. Softw. 19(9), 2442–2448 (2008).MathSciNetCrossRef

31.

Wang G.: Collision attack on the full extended MD4 and pseudo-preimage attack on RIPEMD. J. Comput. Sci. Technol. 28(1), 129–143 (2013).MathSciNetCrossRef

32.

Wang G.: Practical collision attack on 40-step RIPEMD-128. In: Benaloh J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 444–460. Springer, Heidelberg (2014).

33.

Wang G., Shen Y.: (Pseudo-) preimage attacks on step-reduced HAS-160 and RIPEMD-160. In: Chow S.S.M., Camenisch J., Hui L.C.K., Yiu S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 90–103. Springer, Heidelberg (2014).

34.

Wang G., Yu H.: Improved cryptanalysis on RIPEMD-128. IET Inf. Secur. 9(6), 354–364 (2015).CrossRef

35.

Wang G., Shen Y., Liu F.: Cryptanalysis of 48-step RIPEMD-160. IACR Trans. Symmetric Cryptol. 2017(2), 177–202 (2017).

36.

Wang X., Lai X., Feng D., Chen H., Yu X.: Cryptanalysis for hash functions MD4 and RIPEMD. In: Cramer R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005).CrossRef

37.

Wang X., Yu H.: How to break MD5 and other hash functions. In: Cramer R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005).CrossRef

38.

Wang X., Yu H., Yin Y.L.: Efficient collision search attacks on SHA-0. In: Shoup V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005).CrossRef

39.

Wang X., Yin Y.L., Yu H.: Finding collisions in the full SHA-1. In: Shoup V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005).CrossRef

Titel: Improved (semi-free-start/near-) collision and distinguishing attacks on round-reduced RIPEMD-160
verfasst von: Gaoli Wang
Fukang Liu
Binbin Cui
Florian Mendel
Christoph Dobraunig
Publikationsdatum: 28.01.2020
Verlag: Springer US
Erschienen in: Designs, Codes and Cryptography / Ausgabe 5/2020
Print ISSN: 0925-1022
Elektronische ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-020-00718-x

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Weitere Artikel der Ausgabe 5/2020

On the smoothing parameter and last minimum of random orthogonal lattices

On equivalence of maximum additive symmetric rank-distance codes

The sizes of maximal optical orthogonal codes

Do non-free LCD codes over finite commutative Frobenius rings exist?

On a duality for codes over non-abelian groups

Full classification of permutation rational functions and complete rational functions of degree three over finite fields