Skip to main content
SpringerLink
Log in

Collision Attack on the Full Extended MD4 and Pseudo-Preimage Attack on RIPEMD

  • Regular Paper
  • Published:
Journal of Computer Science and Technology Aims and scope Submit manuscript

Abstract

The cryptographic hash functions Extended MD4 and RIPEMD are double-branch hash functions, which consist of two parallel branches. Extended MD4 was proposed by Rivest in 1990, and RIPEMD was devised in the framework of the RIPE project (RACE Integrity Primitives Evaluation, 1988 ~ 1992). On the basis of differential analysis and meet-in-the-middle attack principle, this paper proposes a collision attack on the full Extended MD4 and a pseudo-preimage attack on the full RIPEMD respectively. The collision attack on Extended MD4 holds with a complexity of 237, and a collision instance is presented. The pseudo-preimage attack on RIPEMD holds with a complexity of 2125:4, which optimizes the complexity order for brute-force attack. The results in this study will also be beneficial to the analysis of other double-branch hash functions such as RIPEMD-160.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Rivest R. The MD4 message digest algorithm. In Proc. the 10th Int. Cryptology Conference (CRYPTO), Aug. 1990, pp.303-311.

  2. Rivest R. The MD5 message-digest algorithm. 1992, http://www.ietf.org/rfc/rfc1321.txt.

  3. Zheng Y, Pieprzyk J, Seberry J. HAVAL---A one-way hashing algorithm with variable length of output. In Proc. Workshop on the Theory and Application of Gyptographic Techniques: Advances in Cryptology (AUSCRYPT), Dec. 1992, pp.81-104.

  4. Bosselaers A, Preneel B (eds.). Integrity Primitives for Secure Information Systems, Final Report of RACE Integrity Primitives Evalution, Springer-Verlag, 1995.

  5. Dobbertin H, Bosselaers A, Preneel B. RIPEMD-160: A strengthened version of RIPEMD. In Proc. the 3rd Int. Workshop on Fast Software Encryption, Feb. 1996, pp.71-82.

  6. National Institute of Standards and Technology of USA. Secure hash standard. Federal Information Processing Standard Publication, FIPS-180, May 1993, http://www.mavi-1.org/web_security/cryptography/applied-crypto/fips180.txt.

  7. National Institute of Standards and Technology of USA. Secure hash standard. Federal Information Processing Standards Publication, FIPS-180-1, April 17, 1995, http://www.itl.nist.gov/fipspubs/fip/189-1.htm.

  8. National Institute of Standards and Technology of USA. Secure hash standard. Federal Information Processing Standards Publication, FIPS-180-2, August, 26, 2002, http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf.

  9. Vaudenay S. On the need for multipermutations: Cryptanalysis of MD4 and SAFER. In Proc. the 2nd Int. Workshop on Fast Software Encryption, Dec. 1994, pp.286-297.

  10. den Boer B, Bosselaers A. Collisions for the compression function of MD5. In Proc. Workshop on the Theory and Application of Cryptographic Techniques (EUROCRYPT), May 1993, pp.293-304.

  11. Biham E, Chen R. Near-collisions of SHA-0. In Proc. Int. Cryptology Conf. (CRYPTO), Aug. 2004, pp.290-305.

  12. Biham E, Chen R, Joux A, Carribault P, Lemuet C, Jalby W. Collisions of SHA-0 and reduced SHA-1. In Proc. the 24th Int. Conf. Theory and Applications of Cryptographic Techniques (EUROCRYPT), May 2005, pp.36-57.

  13. Chabaud F, Joux A. Differential collisions in SHA-0. In Proc. the 18th Int. Cryptology Conf. (CRYPTO), Aug. 1998, pp.56-71.

  14. Dobbertin H. The first two rounds of MD4 are not one-way. In Proc. the 5th Int. Workshop on Fast Software Encryption, Mar. 1998, pp.284-292.

  15. Dobbertin H. Cryptanalysis of MD4. In Proc. the 3rd Int. Workshop on Fast Software Encryption, Feb. 1996, pp.53-69.

  16. Dobbertin H. Cryptanalysis of MD5 compress. In Proc. Int. Conf. Theory and Application of Cryptology and Information Security (Rump Session), May 1996, http://www.iacr.org/conferences/ec96/ec96rump.html.

  17. Dobbertin H. RIPEMD with two round compress function is not collision-free. Journal of Cryptology, 1997, 10(1): 51-70.

    Article  MathSciNet  MATH  Google Scholar 

  18. Joux A. Collisions for SHA-0. In Proc. of CRYPTO 2004 (Rump Session), Aug. 2004, http://www.iacr.org/conferences/crypto2004/rump.html.

  19. Mendel F, Rechberger C, Rijmen V. Update on SHA-1. In Proc. CRYPTO 2007 (Rump Session), Aug. 2007, http://rump2007.cr.yp.to.

  20. Rompay B, Biryukov A, Preneel B, Vandewalle J. Cryptanalysis of 3-pass HAVAL. In Proc. the 9th Int. Conf. Theory and Application of Cryptology and Information Security (ASIACRYPT), Nov. 30-Dec. 4, 2003, pp.228-245.

  21. Wang X Y, Feng D G, Lai X J, Yu H B. Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. In Proc. CRYPTO 2004 Rump Session, Aug. 2004, http://www.iacr.org/conferences/crypto2004/rump.html.

  22. Wang X Y, Lai X J, Feng D G, Chen H, Yu X Y. Cryptanalysis of the hash functions MD4 and RIPEMD. In Proc. the 24th Int. Conf. Theory and Applications of Cryptographic Techniques (EUROCRYPT), May 2005, pp.1-18.

  23. Wang G L, Wang M Q. Cryptanalysis of reduced RIPEMD-128. Journal of Software, 2008, 19(9): 2442-2448.

    Article  MathSciNet  Google Scholar 

  24. Wang X Y, Yu H B. How to break MD5 and other hash functions. In Proc. the 24th Int. Conf. Theory and Applications of Cryptographic Techniques (EUROCRYPT), May 2005, pp.19-35.

  25. Wang X Y, Yu H B, Yin L. Efficient collision search attacks on SHA-0. In Proc. the 25th Int. Cryptology Conf. (CRYPTO), Aug. 2005, pp.1-16.

  26. Wang X Y, Yin Y L, Yu H B. Finding collisions on the full SHA-1. In Proc. the 25th Int. Cryptology Conf. (CRYPTO), Aug. 2005, pp.17-36.

  27. Wang X Y, Feng D G, Yu X Y. An attack on hash function HAVAL-128. Science in China Ser. F: Information Sciences, 2005, 48(5): 545-556.

    Article  MathSciNet  MATH  Google Scholar 

  28. Yu H B, Wang X Y, Yun A, Park S. Cryptanalysis of the full HAVAL with 4 and 5 passes. In Proc. the 13th Int. Workshop on Fast Software Encryption, Mar. 2006, pp.89-110.

  29. Yu H B, Wang X Y. Cryptanalysis of the compression function of SIMD. In Proc. the 16th Australasian Conf. Information Security and Privacy, Jul. 2011, pp.157-171.

  30. Yu H B, Chen J Z, Jia K T, Wang X Y. Near-collision at- tack on the step-reduced compression function of Skein-256. IACR Cryptology ePrint Archive, Report 2011/148, 2011, http://eprint.iacr.org/.

  31. Biham E, Shamir A. Diffierential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 1991, 4(1): 3-72.

    Article  MathSciNet  MATH  Google Scholar 

  32. Yu H B, Wang G L, Zhang G Y, Wang X Y. The second-preimage attack on MD4. In Proc. the 4th Int. Conf. Cryptology and Network Security (CRYPTO), Dec. 2005, pp.1-12.

  33. De Cannière C, Rechberger C. Finding SHA-1 characteristics: General results and applications. In Proc. the 12th Int. Conf. Theory and Application of Cryptology and Information Security (ASIACRYPT), Dec. 2006, pp.1-20.

  34. De Canniμere C, Mendel F, Rechberger C. Collisions for 70-Step SHA-1: On the full cost of collision search. In Proc. the 14th Int. Workshop. Selected Area in Cryptolography, Aug. 2007, pp.56-73.

  35. Knudsen L R, Mathiassen J E. Preimage and collision attacks on MD2. In Proc. the 12th Int. Conf. Fast Software Encryption, Feb. 2005, pp.255-267.

  36. Muller F. The MD2 Hash function is not one-way. In Proc. the 10th Int. Conf. Theory and Application of Cryptology and Information Security (ASIACRYPT), Dec. 2004, pp.214-229.

  37. Aoki K, Sasaki Y. Preimage attacks on one-block MD4, 63-step MD5 and more. In Proc. the 15th Int. Workshop. Selected Area in Cryptolography, Aug. 2008, pp.103-119.

  38. De D, Kumarasubramanian A, Venkatesan R. Inversion attacks on secure Hash functions using SAT solvers. In Proc. the 10th Int. Conf. Theory and Applications of Satisfiability Testing, May 2007, pp.377-382.

  39. Guo J, Ling S, Rechberger C, Wang H. Advanced meet-in-the-middle preimage attacks: First results on full Tiger, and improved results on MD4 and SHA-2. In Proc. the 16th Int. Conf. Theory and Application of Cryptology and Information Security (ASIACRYPT), Dec. 2010, pp.56-75.

  40. Leurent G. MD4 is not one-way. In Proc. the 15th Int. Conf. Fast Software Encryption, Feb. 2008, pp.412-428.

  41. Zhong J M, Lai X J. Improved preimage attack on one-block MD4. Journal of Systems and Software, 2012, 85(4): 981-994.

    Article  Google Scholar 

  42. Sasaki Y, Aoki K. Finding preimages in full MD5 faster than exhaustive search. In Proc. the 28th Int. Conf. Theory and Applications of Gryptolographic Techniques (EUROCRYPT), Apr. 2009, pp.134-152.

  43. Sasaki Y, Aoki K. Preimage attacks on 3, 4, and 5-pass HAVAL. In Proc. the 14th Int. Conf. Theory and Application of Cryptology and Information Security (ASIACRYPT), Dec. 2008, pp.253-271.

  44. Sasaki Y, Aoki K. Meet-in-the-middle preimage attacks on double-branch hash functions: Application to RIPEMD and others. In Proc. the 14th Australasian Conf. Information Security and Privacy, Jul. 2009, pp.214-231.

  45. Wang G L, Wang S H. Preimage attack on Hash function RIPEMD. In Proc. the 5th Int. Conf. Information Security Practice and Experience, Apr. 2009, pp.274-284.

  46. Ohtahara C, Sasaki Y, Shimoyama T. Preimage attacks on step-reduced RIPEMD-128 and RIPEMD-160. In Proc. the 6th Int. Conf. Information Security and Cryptology (INSCRYPT), Oct. 2010, pp.169-186.

  47. Aoki K, Sasaki Y. Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. In Proc. the 29th Int. Cryptology Conf. (CRYPTO), Aug. 2009, pp.70-89.

  48. Aoki K, Guo J, Matusiewicz K, Sasaki Y, Wang L. Preimages for step reduced SHA-2. In Proc. the 15th Int. Conf. Theory and Application of Cryptology and Information Security (ASIACRYPT), Dec. 2009, pp.578-597.

  49. Mendel F, Pramstaller N, Rechberger C. A (Second) preimage attack on the GOST Hash function. In Proc. the 15th Int. Conf. Fast Software Encryption, Feb. 2008, pp.224-234.

  50. Khovratovich D, Rechberger C, Savelieva A. Bicliques for preimages: Attacks on Skein-512 and the SHA-2 family. In Proc. the 19th Int. Conf. Fast Software Encryption, Mar. 2012, pp.244-263.

  51. Sasaki Y. Meet-in-the-middle preimage attacks on AES hashing modes and an application to Whirlpool. In Proc. the 18thInt. Conf. Fast Software Encryption, Feb. 2011, pp.378-396.

  52. Wu S, Feng D G, Wu W L, Guo J, Dong L, Zou J. (Pseudo) preimage attack on reduced-round Grøstl hash function and others. In Proc. the 19th Int. Conf. Fast Software Encryption, Mar. 2012, pp.127-145.

  53. Aoki K, Sasaki Y. Preimage attacks on one-block MD4, 63-step MD5 and more. In Proc. the 15th Int. Workshop. Selected Area in Cryptology, Aug. 2008, pp.103-119.

  54. Diffie W, Hellman M E. Exhaustive cryptanalysis of the NBS data encryption standard. Computer, 1977, 10(6): 74-84.

    Article  Google Scholar 

  55. Li J, Isobe T, Shibutani K. Converting meet-in-the-middle preimage attack into pseudo collision attack: Application to SHA-2. In Proc. the 19th Int. Conf. Fast Software Encryption, Mar. 2012, pp.264-286.

  56. Wang L, Sasaki Y, Komatsubara W, Ohta K, Sakiyama K. (Second) preimage attacks on step-reduced RIPEMD/RIPEMD-128 with a new local-collision approach. In Proc. the 11th Int. Conf. Topics in Cryptology, Feb. 2011, pp.197-212.

Download references

Author information

Authors and Affiliations

  1. School of Computer Science and Technology, Donghua University, Shanghai, 201620, China

    Gao-Li Wang

  2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093, China

    Gao-Li Wang

Authors
  1. Gao-Li Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Gao-Li Wang.

Additional information

This work was supported by the National Natural Science Foundation of China under Grant No. 61103238, the “Chen Guang” project of Shanghai Municipal Education Commission and Shanghai Education Development Foundation of China under Grant No. 09CG29, and the Fundamental Research Funds for the Central Universities of China.

1Extended MD4 has two copies of (modified) MD4, and the hash value is obtained by concatenating the results of both copies of MD4. However, its security against collision attack is much stronger than that of MD4, so we classify it as a double-branch hash function.

2NIST. Cryptographic hash project, http://csrc.nist.gov/groups/ST/hash/index.html, September 2012.

Electronic Supplementary Material

Below is the link to the electronic supplementary material.

(DOC 62.0 KB)

Rights and permissions

Reprints and permissions

About this article

Cite this article

Wang, GL. Collision Attack on the Full Extended MD4 and Pseudo-Preimage Attack on RIPEMD. J. Comput. Sci. Technol. 28, 129–143 (2013). https://doi.org/10.1007/s11390-013-1317-5

Download citation

  • Received:

  • Revised:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11390-013-1317-5

Keywords

Search

Navigation