Paper 2013/607

Cryptanalysis of Full RIPEMD-128

Franck Landelle and Thomas Peyrin

Abstract

In this article we propose a new cryptanalysis method for double-branch hash functions that we apply to the standard RIPEMD-128, greatly improving over known results. Namely, we were able to build a very good differential path by placing one non-linear differential part in each computation branch of the RIPEMD-128 compression function, but not necessarily in the early steps. In order to handle the low differential probability induced by the non-linear part located in later steps, we propose a new method for using the freedom degrees, by attacking each branch separately and then merging them with free message blocks. Overall, we present the first collision attack on the full RIPEMD-128 compression function as well as the first distinguisher on the full RIPEMD-128 hash function. Experiments on a reduced number of rounds were conducted, confirming our reasoning and complexity analysis. Our results show that the 16-year-old RIPEMD-128, one of the last unbroken primitives belonging to the MD-SHA family, might not be as secure as originally thought.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A minor revision of an IACR publication in EUROCRYPT 2013
Keywords
RIPEMD-128, collision, distinguisher, compression function, hash function
Contact author(s)
thomas peyrin @ gmail com
History
2013-09-23: received
Short URL
https://ia.cr/2013/607
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/607,
      author = {Franck Landelle and Thomas Peyrin},
      title = {Cryptanalysis of Full RIPEMD-128},
      howpublished = {Cryptology ePrint Archive, Paper 2013/607},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/607}},
      url = {https://eprint.iacr.org/2013/607}
}