Differential Attacks on Reduced RIPEMD-160

Mendel, Florian; Nad, Tomislav; Scherz, Stefan; Schläffer, Martin

doi:10.1007/978-3-642-33383-5_2

Cited by 18 publications

(16 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…First the number of attacked steps is increased from 36 to 42, and secondly, for the same number of attacked steps, we propose an attack that starts from the first step. Moreover, our semi-free-start collision attacks give a positive answer to the open problem raised in [10], in which the authors were not able to find any non-linear differential path in the first step, due to the XOR function that makes the non-linear part search much harder. Our 42-step semi-free-start attack is obtained from a 48-step differential path.…”

Section: Resultsmentioning

confidence: 92%

“…To efficiently find non-linear differential paths and message pairs for a larger number of steps than in previous attacks [10], we had to improve the search in several ways. Especially finding a non-linear path for the XOR-round of RIPEMD-160 was quite challenging.…”

Section: Improvements For Ripemd-160mentioning

confidence: 99%

“…As of today, the best results on RIPEMD-160 are a very costly 31-step preimage attack [14], a practical 36-step semi-free-start collision attack [10] on the compression function (not starting from the first step), and a distinguisher on up to 51 steps of the compression function with a very high complexity [16].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Improved Cryptanalysis of Reduced RIPEMD-160

Mendel

Peyrin

Schläffer

et al. 2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. In this article, we propose an improved cryptanalysis of the double-branch hash function standard RIPEMD-160. Using a carefully designed non-linear path search tool, we study the potential differential paths that can be constructed from a difference in a single message word and show that some of these message words can lead to very good differential path candidates. Leveraging the recent freedom degree utilization technique from Landelle and Peyrin to merge two branch instances, we eventually manage to obtain a semi-free-start collision attack for 42 steps of the RIPEMD-160 compression function, while the previously best know result reached 36 steps. In addition, we also describe a 36-step semi-free-start collision attack which starts from the first step.

show abstract

Section: Resultsmentioning

confidence: 92%

Section: Improvements For Ripemd-160mentioning

confidence: 99%

See 1 more Smart Citation

Improved Cryptanalysis of Reduced RIPEMD-160

Mendel

Peyrin

Schläffer

et al. 2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…These approaches have then been refined in a number of publications. Recently, more sophisticated approaches have been proposed that enable attacks on more complex hash functions such as SHA-256 [27,29] among many others [20,22,26,28]. All these approaches (including the search by hand) follow the guess-and-determine strategy.…”

Section: The Search For Differential Characteristicsmentioning

confidence: 99%

Branching Heuristics in Differential Collision Search with Applications to SHA-512

Eichlseder

Mendel

Schläffer

2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. In this work, we present practical semi-free-start collisions for SHA-512 on up to 38 (out of 80) steps with complexity 2 40.5 . The best previously published result was on 24 steps. The attack is based on extending local collisions as proposed by Mendel et al. in their Eurocrypt 2013 attack on SHA-256. However, for SHA-512, the search space is too large for direct application of these techniques. We achieve our result by improving the branching heuristic of the guess-and-determine approach to find differential characteristics and conforming message pairs. Experiments show that for smaller problems like 27 steps of SHA-512, the heuristic can also speed up the collision search by a factor of 2 20 .

show abstract

“…Then, following the extensive work on preimage attacks for MD-SHA family, [21,19,25] describe high complexity preimage attacks on up to 36 steps of RIPEMD-128 and 31 steps of RIPEMD-160. Collision attacks were considered in [16] for RIPEMD-128 and in [15] for RIPEMD-160, with 48 and 36 steps broken respectively. Finally, distinguishers based on non-random properties such as second-order collisions are given in [16,22,15], reaching about 50 steps with a very high complexity.…”

Section: Introductionmentioning

confidence: 99%

Cryptanalysis of Full RIPEMD-128

Landelle

Peyrin

2015

J Cryptol

View full text Add to dashboard Cite

Abstract. In this article we propose a new cryptanalysis method for double-branch hash functions that we apply on the standard RIPEMD-128, greatly improving over know results. Namely, we were able to build a very good differential path by placing one non-linear differential part in each computation branch of the RIPEMD-128 compression function, but not necessarily in the early steps. In order to handle the low differential probability induced by the non-linear part located in later steps, we propose a new method for using the freedom degrees, by attacking each branch separately and then merging them with free message blocks. Overall, we present the first collision attack on the full RIPEMD-128 compression function as well as the first distinguisher on the full RIPEMD-128 hash function. Experiments on reduced number of rounds were conducted, confirming our reasoning and complexity analysis. Our results show that 16 years old RIPEMD-128, one of the last unbroken primitives belonging to the MD-SHA family, might not be as secure as originally thought.

show abstract

Differential Attacks on Reduced RIPEMD-160

Cited by 18 publications

References 15 publications

Improved Cryptanalysis of Reduced RIPEMD-160

Improved Cryptanalysis of Reduced RIPEMD-160

Branching Heuristics in Differential Collision Search with Applications to SHA-512

Cryptanalysis of Full RIPEMD-128

Contact Info

Product

Resources

About