Abstract
In 1990 Rivest introduced the cryptographic hash function MD4. The compress function of MD4 has three rounds. After partial attacks against MD4 were found, the stronger mode RIPEMD was designed as a European proposal in 1992 (RACE project). Its compress function consists of two parallel lines of modified versions of MD4-compress. RIPEMD is currently being considered to become an international standard (ISO/IEC Draft 10118-3). However, this paper describes an attack against RIPEMD that yields results comparable to those of the previously known attacks against MD4: the reduced versions of RIPEMD, where the first or the last round of the compress function is omitted, are not collision-free. Moreover, it turns out that the methods developed in this note can be applied to find collisions for the full MD4.
Additional information
Communicated by Ivan B. Damgård
Cite this article
Dobbertin, H. RIPEMD with two-round compress function is not collision-free. J. Cryptology 10, 51–69 (1997). https://doi.org/10.1007/s001459900019
DOI: https://doi.org/10.1007/s001459900019