
For FullText PDF, please login, if you are a member of IEICE,
or go to Pay Per View on menu list, if you are a nonmember of IEICE.

Distinguishers on DoubleBranch Compression Function and Applications to RoundReduced RIPEMD128 and RIPEMD160
Yu SASAKI Lei WANG
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E97A
No.1
pp.177190 Publication Date: 2014/01/01
Online ISSN: 17451337 Print ISSN: 09168508 Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security) Category: Symmetric Key Based Cryptography Keyword: RIPEMD128, RIPEMD160, doublebranch structure, 2dimension sum, qmultisecondorder collision,
Full Text: PDF(699.4KB) >>Buy this Article
Summary:
This paper presents differentialbased distinguishers against doublebranch compression functions and applies them to ISO standard hash functions RIPEMD128 and RIPEMD160. A doublebranch compression function computes two branch functions to update a chaining variable and then merges their outputs. For such a compression function, we observe that secondorder differential paths will be constructed by finding a subpath in each branch independently. This leads to 4sum attacks on 47 steps (out of 64 steps) of RIPEMD128 and 40 steps (out of 80 steps) of RIPEMD160. Then new properties called a (partial) 2dimension sum and a qmultisecondorder collision are considered. The partial 2dimension sum is generated on 48 steps of RIPEMD128 and 42 steps of RIPEMD160, with complexities of 2^{35} and 2^{36}, respectively. Theoretically, the 2dimension sum is generated faster than the brute force attack up to 52 steps of RIPEMD128 and 51 steps of RIPEMD160, with complexities of 2^{101} and 2^{158}, respectively. The results on RIPEMD128 can also be viewed as qmultisecondorder collision attacks. The practical attacks have been implemented and examples are presented. We stress that our results do not impact to the security of full RIPEMD128 and RIPEMD160 hash functions.

