RIPEMD

Last updated
RIPEMD
General
Designers Hans Dobbertin, Antoon Bosselaers and Bart Preneel
First published1992
CertificationRIPEMD-160: CRYPTREC (Monitored)
Detail
Digest sizes 128, 160, 256, 320 bits
A sub-block from the compression function of the RIPEMD-160 hash algorithm RIPEMD 160 2.png
A sub-block from the compression function of the RIPEMD-160 hash algorithm

RIPEMD (RIPE Message Digest) is a family of cryptographic hash functions developed in 1992 (the original RIPEMD) and 1996 (other variants). There are five functions in the family: RIPEMD, RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320, of which RIPEMD-160 is the most common.

Contents

The original RIPEMD, as well as RIPEMD-128, is not considered secure because 128-bit result is too small and also (for the original RIPEMD) because of design weaknesses. The 256- and 320-bit versions of RIPEMD provide the same level of security as RIPEMD-128 and RIPEMD-160, respectively; they are designed for applications where the security level is sufficient but longer hash result is necessary.

While RIPEMD functions are less popular than SHA-1 and SHA-2, they are used, among others, in Bitcoin and other cryptocurrencies based on Bitcoin.

History

The original RIPEMD function was designed in the framework of the EU project RIPE (RACE Integrity Primitives Evaluation) in 1992. [1] [2] Its design was based on the MD4 hash function. In 1996, in response to security weaknesses found in the original RIPEMD, [3] Hans Dobbertin, Antoon Bosselaers and Bart Preneel at the COSIC research group at the Katholieke Universiteit Leuven in Leuven, Belgium published four strengthened variants: RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320. [4]

In August 2004, a collision was reported for the original RIPEMD. [5] This does not apply to RIPEMD-160. [6]

In 2019, the best collision attack for RIPEMD-160 could reach 34 rounds out of 80 rounds, which was published at CRYPTO 2019. [7]

In February 2023, a collision attack for RIPEMD-160 was published at EUROCRYPT 2023, which could reach 36 rounds out of 80 rounds with time complexity of 264.5. [8]

In December 2023, an improved collision attack was found based on the technique from the previous best collision attack, this improved collision attack could reach 40 rounds out of 80 round with a theoretical time complexity of 249.9. [9]

RIPEMD-160 hashes

The 160-bit RIPEMD-160 hashes (also termed RIPE message digests) are typically represented as 40-digit hexadecimal numbers. The following demonstrates a 43-byte ASCII input and the corresponding RIPEMD-160 hash:

 RIPEMD-160("The quick brown fox jumps over the lazy dog") =  37f332f68db77bd9d7edd4969571ad671cf9dd3b

RIPEMD-160 behaves with the desired avalanche effect of cryptographic hash functions (small changes, e.g. changing d to c, result in a completely different hash):

 RIPEMD-160("The quick brown fox jumps over the lazy cog") =  132072df690933835eb8b6ad0b77e7b6f14acad7

The hash of a zero-length string is:

 RIPEMD-160("") =  9c1185a5c5e9fc54612808977ee8f548b2258d31

Implementations

Below is a list of cryptography libraries that support RIPEMD (specifically RIPEMD-160):

See also

Related Research Articles

<span class="mw-page-title-main">HMAC</span> Computer communications hash algorithm

In cryptography, an HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message. An HMAC is a type of keyed hash function that can also be used in a key derivation scheme or a key stretching scheme.

The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function MD4, and was specified in 1992 as RFC 1321.

In cryptography, SHA-1 is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecimal digits. It was designed by the United States National Security Agency, and is a U.S. Federal Information Processing Standard. The algorithm has been cryptographically broken but is still widely used.

Articles related to cryptography include:

<span class="mw-page-title-main">Cryptographic hash function</span> Hash function that is suitable for use in cryptography

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

In cryptography, Tiger is a cryptographic hash function designed by Ross Anderson and Eli Biham in 1995 for efficiency on 64-bit platforms. The size of a Tiger hash value is 192 bits. Truncated versions can be used for compatibility with protocols assuming a particular hash size. Unlike the SHA-2 family, no distinguishing initialization values are defined; they are simply prefixes of the full Tiger/192 hash value.

<span class="mw-page-title-main">MD4</span> Cryptographic hash function

The MD4 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1990. The digest length is 128 bits. The algorithm has influenced later designs, such as the MD5, SHA-1 and RIPEMD algorithms. The initialism "MD" stands for "Message Digest".

In cryptography, a collision attack on a cryptographic hash tries to find two inputs producing the same hash value, i.e. a hash collision. This is in contrast to a preimage attack where a specific target hash value is specified.

In cryptography, N-hash is a cryptographic hash function based on the FEAL round function, and is now considered insecure. It was proposed in 1990 in an article by Miyaguchi, Ohta, and Iwata; weaknesses were published the following year.

HAVAL is a cryptographic hash function. Unlike MD5, but like most modern cryptographic hash functions, HAVAL can produce hashes of different lengths – 128 bits, 160 bits, 192 bits, 224 bits, and 256 bits. HAVAL also allows users to specify the number of rounds to be used to generate the hash. HAVAL was broken in 2004.

Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, in the COSIC group.

Hans Dobbertin was a German cryptographer who is best known for his work on cryptanalysis of the MD4, MD5, and original RIPEMD hash functions, and for his part in the design of the new version of the RIPEMD hash function. He was a member of the German Federal Office for Information Security and professor at the Ruhr University in Bochum.

FORK-256 is a hash algorithm designed in response to security issues discovered in the earlier SHA-1 and MD5 algorithms. After substantial cryptanalysis, the algorithm is considered broken.

<span class="mw-page-title-main">Merkle–Damgård construction</span> Method of building collision-resistant cryptographic hash functions

In cryptography, the Merkle–Damgård construction or Merkle–Damgård hash function is a method of building collision-resistant cryptographic hash functions from collision-resistant one-way compression functions. This construction was used in the design of many popular hash algorithms such as MD5, SHA-1 and SHA-2.

An MDS matrix is a matrix representing a function with certain diffusion properties that have useful applications in cryptography. Technically, an matrix over a finite field is an MDS matrix if it is the transformation matrix of a linear transformation from to such that no two different -tuples of the form coincide in or more components. Equivalently, the set of all -tuples is an MDS code, i.e., a linear code that reaches the Singleton bound.

Multivariate cryptography is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over a finite field . In certain cases those polynomials could be defined over both a ground and an extension field. If the polynomials have the degree two, we talk about multivariate quadratics. Solving systems of multivariate polynomial equations is proven to be NP-complete. That's why those schemes are often considered to be good candidates for post-quantum cryptography. Multivariate cryptography has been very productive in terms of design and cryptanalysis. Overall, the situation is now more stable and the strongest schemes have withstood the test of time. It is commonly admitted that Multivariate cryptography turned out to be more successful as an approach to build signature schemes primarily because multivariate schemes provide the shortest signature among post-quantum algorithms.

The following tables compare general and technical information for a number of cryptographic hash functions. See the individual functions' articles for further information. This article is not all-inclusive or necessarily up-to-date. An overview of hash function security/cryptanalysis can be found at hash function security summary.

This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.

The Message Authenticator Algorithm (MAA) was one of the first cryptographic functions for computing a message authentication code (MAC).

<span class="mw-page-title-main">Orr Dunkelman</span> Israeli cryptographer and cryptanalyst

Orr Dunkelman is an Israeli cryptographer and cryptanalyst, currently a professor at the University of Haifa Computer Science department. Dunkelman is a co-director of the Center for Cyber Law & Privacy at the University of Haifa and a co-founder of Privacy Israel, an Israeli NGO for promoting privacy in Israel.

References

  1. Dobbertin, Hans; Bosselaers, Antoon; Preneel, Bart (21–23 February 1996). RIPEMD-160: A strengthened version of RIPEMD (PDF). Fast Software Encryption. Third International Workshop. Cambridge, UK. pp. 71–82. doi: 10.1007/3-540-60865-6_44 .
  2. Bosselaers, Antoon; Preneel, Bart (1995). Bosselaers, Antoon; Preneel, Bart (eds.). Integrity Primitives for Secure Information Systems. Final Report of RACE Integrity Primitives Evaluation (RIPE-RACE 1040). Lecture Notes in Computer Science. Vol. 1007. doi:10.1007/3-540-60640-8. ISBN   978-3-540-60640-6. S2CID   12895857.
  3. Dobbertin, Hans (December 1997). "RIPEMD with two-round compress function is not collision-free". Journal of Cryptology . 10 (1): 51–69. doi: 10.1007/s001459900019 . S2CID   15662054.
  4. Bosselaers, Antoon. "The hash function RIPEMD-160".
  5. Wang, Xiaoyun; Feng, Dengguo; Lai, Xuejia; Yu, Hongbo (2004-08-17). "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD". Cryptology ePrint Archive . Retrieved 2017-03-03.
  6. Mendel, Florian; Pramstaller, Norbert; Rechberger, Christian; Rijmen, Vincent (2006). "On the Collision Resistance of RIPEMD-160". Information Security. Lecture Notes in Computer Science. Vol. 4176. pp. 101–116. doi: 10.1007/11836810_8 . ISBN   978-3-540-38341-3 . Retrieved 2017-03-03.
  7. Liu, Fukang; Dobraunig, Christoph; Mendel, Florian; Isobe, Takanori; Wang, Gaoli; Cao, Zhenfu (2019). "Efficient Collision Attack Frameworks for RIPEMD-160". Advances in Cryptology – CRYPTO 2019. Lecture Notes in Computer Science. Vol. 11693. pp. 117–149. doi:10.1007/978-3-030-26951-7_5. ISBN   978-3-030-26950-0. S2CID   51860634.{{cite book}}: |journal= ignored (help)
  8. Liu, Fukang; Wang, Gaoli; Sarkar, Santanu; Anand, Ravi; Meier, Willi; Li, Yingxin; Isobe, Takanori (February 2023). "Analysis of RIPEMD-160: New Collision Attacks and Finding Characteristics with MILP". Advances in Cryptology – EUROCRYPT 2023. Lecture Notes in Computer Science. Vol. 14007. pp. 189–219. doi:10.1007/978-3-031-30634-1_7. ISBN   978-3-031-30633-4. S2CID   257235244.{{cite book}}: |journal= ignored (help)
  9. Li, Yingxin; Liu, Fukang; Wang, Gaoli (2023-12-08). "Automating Collision Attacks on RIPEMD-160". IACR Transactions on Symmetric Cryptology. 2023 (4): 112–142. doi: 10.46586/tosc.v2023.i4.112-142 . ISSN   2519-173X.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.