Collisions and semi-free-start collisions for round-reduced RIPEMD-160

Fukang Liu; Florian Mendel; Gaoli Wang

doi:10.1007/978-3-319-70694-8_6

Collisions and semi-free-start collisions for round-reduced RIPEMD-160

Fukang Liu
, Florian Mendel
, Gaoli Wang^*

^*Corresponding author for this work

Software Engineering Institute

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

9 Scopus citations

Abstract

In this paper, we propose an improved cryptanalysis of the double-branch hash function RIPEMD-160 standardized by ISO/IEC. Firstly, we show how to theoretically calculate the step differential probability of RIPEMD-160, which was stated as an open problem by Mendel et al. at ASIACRYPT 2013. Secondly, based on the method proposed by Mendel et al. to automatically find a differential path of RIPEMD-160, we construct a 30-step differential path where the left branch is sparse and the right branch is controlled as sparse as possible. To ensure the message modification techniques can be applied to RIPEMD-160, some extra bit conditions should be pre-deduced and well controlled. These extra bit conditions are used to ensure that the modular difference can be correctly propagated. This way, we can find a collision of 30-step RIPEMD-160 with complexity 2 ⁶⁷. This is the first collision attack on round-reduced RIPEMD-160. Moreover, by a different choice of the message words to merge two branches and adding some conditions to the starting point, the semi-free-start collision attack on the first 36-step RIPEMD-160 from ASIACRYPT 2013 can be improved. However, the previous way to pre-compute the equation T^⋘S₀⊞C₀=(T⊞C₁)^⋘S₁ costs too much. To overcome this obstacle, we are inspired by Daum’s et al. work on MD5 and describe a method to reduce the time complexity and memory complexity to pre-compute that equation. Combining all these techniques, the time complexity of the semi-free-start collision attack on the first 36-step RIPEMD-160 can be reduced by a factor of 2 ^15.3 to 2 ^55.1.

Original language	English
Title of host publication	Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings
Editors	Tsuyoshi Takagi, Thomas Peyrin
Publisher	Springer Verlag
Pages	158-186
Number of pages	29
ISBN (Print)	9783319706931
DOIs	https://doi.org/10.1007/978-3-319-70694-8_6
State	Published - 2017
Event	23rd Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2017 - Hong Kong, Hong Kong Duration: 3 Dec 2017 → 7 Dec 2017

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10624 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	23rd Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2017
Country/Territory	Hong Kong
City	Hong Kong
Period	3/12/17 → 7/12/17

Keywords

Collision
Compression function
Hash function
RIPEMD-160
Semi-free-start collision

Access to Document

10.1007/978-3-319-70694-8_6

Cite this

Liu, F., Mendel, F., & Wang, G. (2017). Collisions and semi-free-start collisions for round-reduced RIPEMD-160. In T. Takagi, & T. Peyrin (Eds.), Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings (pp. 158-186). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10624 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-70694-8_6

Liu, Fukang ; Mendel, Florian ; Wang, Gaoli. / Collisions and semi-free-start collisions for round-reduced RIPEMD-160. Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings. editor / Tsuyoshi Takagi ; Thomas Peyrin. Springer Verlag, 2017. pp. 158-186 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{a0bc301e7ea54cd19675dc8c7bbdf460,

title = "Collisions and semi-free-start collisions for round-reduced RIPEMD-160",

abstract = "In this paper, we propose an improved cryptanalysis of the double-branch hash function RIPEMD-160 standardized by ISO/IEC. Firstly, we show how to theoretically calculate the step differential probability of RIPEMD-160, which was stated as an open problem by Mendel et al. at ASIACRYPT 2013. Secondly, based on the method proposed by Mendel et al. to automatically find a differential path of RIPEMD-160, we construct a 30-step differential path where the left branch is sparse and the right branch is controlled as sparse as possible. To ensure the message modification techniques can be applied to RIPEMD-160, some extra bit conditions should be pre-deduced and well controlled. These extra bit conditions are used to ensure that the modular difference can be correctly propagated. This way, we can find a collision of 30-step RIPEMD-160 with complexity 2 67. This is the first collision attack on round-reduced RIPEMD-160. Moreover, by a different choice of the message words to merge two branches and adding some conditions to the starting point, the semi-free-start collision attack on the first 36-step RIPEMD-160 from ASIACRYPT 2013 can be improved. However, the previous way to pre-compute the equation T⋘S0⊞C0=(T⊞C1)⋘S1 costs too much. To overcome this obstacle, we are inspired by Daum{\textquoteright}s et al. work on MD5 and describe a method to reduce the time complexity and memory complexity to pre-compute that equation. Combining all these techniques, the time complexity of the semi-free-start collision attack on the first 36-step RIPEMD-160 can be reduced by a factor of 2 15.3 to 2 55.1.",

keywords = "Collision, Compression function, Hash function, RIPEMD-160, Semi-free-start collision",

author = "Fukang Liu and Florian Mendel and Gaoli Wang",

note = "Publisher Copyright: {\textcopyright} International Association for Cryptologic Research 2017.; 23rd Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2017 ; Conference date: 03-12-2017 Through 07-12-2017",

year = "2017",

doi = "10.1007/978-3-319-70694-8\_6",

language = "英语",

isbn = "9783319706931",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "158--186",

editor = "Tsuyoshi Takagi and Thomas Peyrin",

booktitle = "Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings",

address = "德国",

}

Liu, F, Mendel, F & Wang, G 2017, Collisions and semi-free-start collisions for round-reduced RIPEMD-160. in T Takagi & T Peyrin (eds), Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10624 LNCS, Springer Verlag, pp. 158-186, 23rd Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2017, Hong Kong, Hong Kong, 3/12/17. https://doi.org/10.1007/978-3-319-70694-8_6

Collisions and semi-free-start collisions for round-reduced RIPEMD-160. / Liu, Fukang; Mendel, Florian; Wang, Gaoli.
Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings. ed. / Tsuyoshi Takagi; Thomas Peyrin. Springer Verlag, 2017. p. 158-186 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10624 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Collisions and semi-free-start collisions for round-reduced RIPEMD-160

AU - Liu, Fukang

AU - Mendel, Florian

AU - Wang, Gaoli

N1 - Publisher Copyright: © International Association for Cryptologic Research 2017.

PY - 2017

Y1 - 2017

N2 - In this paper, we propose an improved cryptanalysis of the double-branch hash function RIPEMD-160 standardized by ISO/IEC. Firstly, we show how to theoretically calculate the step differential probability of RIPEMD-160, which was stated as an open problem by Mendel et al. at ASIACRYPT 2013. Secondly, based on the method proposed by Mendel et al. to automatically find a differential path of RIPEMD-160, we construct a 30-step differential path where the left branch is sparse and the right branch is controlled as sparse as possible. To ensure the message modification techniques can be applied to RIPEMD-160, some extra bit conditions should be pre-deduced and well controlled. These extra bit conditions are used to ensure that the modular difference can be correctly propagated. This way, we can find a collision of 30-step RIPEMD-160 with complexity 2 67. This is the first collision attack on round-reduced RIPEMD-160. Moreover, by a different choice of the message words to merge two branches and adding some conditions to the starting point, the semi-free-start collision attack on the first 36-step RIPEMD-160 from ASIACRYPT 2013 can be improved. However, the previous way to pre-compute the equation T⋘S0⊞C0=(T⊞C1)⋘S1 costs too much. To overcome this obstacle, we are inspired by Daum’s et al. work on MD5 and describe a method to reduce the time complexity and memory complexity to pre-compute that equation. Combining all these techniques, the time complexity of the semi-free-start collision attack on the first 36-step RIPEMD-160 can be reduced by a factor of 2 15.3 to 2 55.1.

AB - In this paper, we propose an improved cryptanalysis of the double-branch hash function RIPEMD-160 standardized by ISO/IEC. Firstly, we show how to theoretically calculate the step differential probability of RIPEMD-160, which was stated as an open problem by Mendel et al. at ASIACRYPT 2013. Secondly, based on the method proposed by Mendel et al. to automatically find a differential path of RIPEMD-160, we construct a 30-step differential path where the left branch is sparse and the right branch is controlled as sparse as possible. To ensure the message modification techniques can be applied to RIPEMD-160, some extra bit conditions should be pre-deduced and well controlled. These extra bit conditions are used to ensure that the modular difference can be correctly propagated. This way, we can find a collision of 30-step RIPEMD-160 with complexity 2 67. This is the first collision attack on round-reduced RIPEMD-160. Moreover, by a different choice of the message words to merge two branches and adding some conditions to the starting point, the semi-free-start collision attack on the first 36-step RIPEMD-160 from ASIACRYPT 2013 can be improved. However, the previous way to pre-compute the equation T⋘S0⊞C0=(T⊞C1)⋘S1 costs too much. To overcome this obstacle, we are inspired by Daum’s et al. work on MD5 and describe a method to reduce the time complexity and memory complexity to pre-compute that equation. Combining all these techniques, the time complexity of the semi-free-start collision attack on the first 36-step RIPEMD-160 can be reduced by a factor of 2 15.3 to 2 55.1.

KW - Collision

KW - Compression function

KW - Hash function

KW - RIPEMD-160

KW - Semi-free-start collision

UR - https://www.scopus.com/pages/publications/85037827842

U2 - 10.1007/978-3-319-70694-8_6

DO - 10.1007/978-3-319-70694-8_6

M3 - 会议稿件

AN - SCOPUS:85037827842

SN - 9783319706931

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 158

EP - 186

BT - Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings

A2 - Takagi, Tsuyoshi

A2 - Peyrin, Thomas

PB - Springer Verlag

T2 - 23rd Annual International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT 2017

Y2 - 3 December 2017 through 7 December 2017

ER -

Liu F, Mendel F, Wang G. Collisions and semi-free-start collisions for round-reduced RIPEMD-160. In Takagi T, Peyrin T, editors, Advances in Cryptology – ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Proceedings. Springer Verlag. 2017. p. 158-186. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-70694-8_6

Collisions and semi-free-start collisions for round-reduced RIPEMD-160

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this