Preimage Attack on Hash Function RIPEMD

  • Gaoli Wang
  • Shaohui Wang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5451)


RIPEMD is a cryptographic hash function devised in the framework of the RIPE project (RACE Integrity Primitives Evaluation, 1988-1992). It consists of two parallel lines, and each line is identical to MD4 except for some internal constants. It has been broken by the collision attack, but no preimage attack was given. In this paper, we give a preimage attack on the compression function of the 26-step reduced RIPEMD with complexity 2110 compression function computations, and we extend the attack on the compression function to an attack on the 26-step reduced RIPEMD with complexity 2115.2 instead of 2128. Then we extend the attack on 26 steps to the attack on 29 steps with the same complexity. Moreover, we can reduce the complexity of the preimage attack on the full RIPEMD without the padding rule by 1 bit compared with the brute-force attack.


hash function RIPEMD cryptanalysis preimage attack 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Rogaway, P.: Formalizing human ignorance. In: Nguyên, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 211–228. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Bosselaers, A., Preneel, B. (eds.): RIPE 1992. LNCS, vol. 1007. Springer, Heidelberg (1995)Google Scholar
  3. 3.
    Wang, X.Y., Lai, X.J., Feng, D.G., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Wang, X.Y., Yu, H.B.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  5. 5.
    Wang, X.Y., Yu, H.B., Lisa, Y.: Efficient collision search attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Wang, X.Y., Lisa, Y., Yu, H.B.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  7. 7.
    Wang, X.Y., Feng, F.D., Yu, X.: An attack on HAVAL function HAVAL-128, Science in China Ser. F Information Sciences 48(5), 1–12 (2005)Google Scholar
  8. 8.
    Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and reduced SHA-1. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 36–57. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  9. 9.
    Mendel, F., Rechberger, C., Rijmen, V.: Update on SHA-1. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622. Springer, Heidelberg (2007), Google Scholar
  10. 10.
    Dobbertin, H.: The first two rounds of MD4 are not one-way. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 284–292. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  11. 11.
    De, D., Kumarasubramanian, A., Venkatesan, R.: Inversion attacks on secure hash functions using SAT solvers. In: Marques-Silva, J., Sakallah, K.A. (eds.) SAT 2007. LNCS, vol. 4501, pp. 377–382. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    Leurent, G.: MD4 is not one-way. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 412–428. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Muller, F.: The MD2 hash function is not one-way. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 214–229. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  14. 14.
    Knudsen, L.R., Mathiassen, J.E.: Preimage and collision attacks on MD2. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 255–267. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Aumasson1, J., Meier, W., Mendel, F.: Preimage Attacks on 3-Pass HAVAL and Step-Reduced MD5. In: SAC 2008 (accepted) (to appear 2008)Google Scholar
  16. 16.
    Vaudenay, S.: On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 286–297. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  17. 17.
    Rivest, R.L.: The MD4 message digest algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)Google Scholar
  18. 18.
    Lai, X., Massey, J.L.: Hash functions based on block ciphers. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 55–70. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  19. 19.
    Mendel, F., Rijmen, V.: Weaknesses in the HAS-V compression function. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 335–345. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    Sasaki, Y., Aoki, K.: Preimage Attacks on 3, 4, and 5-pass HAVAL. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 253–271. Springer, Heidelberg (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Gaoli Wang
    • 1
  • Shaohui Wang
    • 2
  1. 1.School of Computer Science and TechnologyDonghua UniversityShanghaiChina
  2. 2.Nanjing University of Posts and TelecommunicationsNanjingChina

Personalised recommendations