How to break MD5 and other hash functions
- In EUROCRYPT, 2005
Cited by 150 (3 self)
Abstract. MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.
The state of cryptographic hash functions
- in Lectures on Data Security: Modern Cryptology in Theory and Practice, LNCS 1561, 1999
"... bart.preneel(AT)esat.kuleuven.be ..."
Fast Hashing on the Pentium
- Advances in Cryptology, Proceedings Crypto'96, LNCS 1109, 1996
Cited by 35 (4 self)
With the advent of the Pentium processor parallelization finally became available to Intel based computer systems. One of the design principles of the MD4-family of hash functions (MD4, MD5, SHA-1, RIPEMD-160) is to be fast on the 32-bit Intel processors. This paper shows that carefully coded implementations of these hash functions are able to exploit the Pentium's superscalar architecture to its maximum effect: the performance with respect to execution on a non-parallel architecture increases by about 60%. This is an important result in view of the recent claims on the limited data bandwidth of these hash functions.
SHA: A Design for Parallel Architectures?
- Advances in Cryptology, Proceedings Eurocrypt’97, LNCS 1233, 1997
Cited by 10 (3 self)
To enhance system performance computer architectures tend to incorporate an increasing number of parallel execution units. This paper shows that the new generation of MD4-based customized hash functions (RIPEMD-128, RIPEMD-160, SHA-1) contains much more software parallelism than any of these computer architectures is currently able to provide. It is conjectured that the parallelism found in SHA-1 is a design principle. The critical path of SHA-1 is twice as short as that of its closest contender RIPEMD-160, but realizing it would require a 7-way multiple-issue architecture. It will also be shown that, due to the organization of RIPEMD-160 in two independent lines, it will probably be easier for future architectures to exploit its software parallelism.
On the Security of Dedicated Hash Functions
- In 19th Symposium on Information Theory in the Benelux, 1998
Cited by 5 (1 self)
Cryptographic hash functions are an important building block for a wide range of applications such as the authentication of information, digital signatures and the protection of pass-phrases. The most popular hash functions are the custom designed iterative hash functions from the MD4 family. Over the years various results on the cryptanalysis of these functions have become available and this paper intends to summarize these results and their impact. We will describe attacks on MD4, MD5 and RIPEMD, and discuss the design and security of the hash functions SHA-1 and RIPEMD-160 which are included in the new standard ISO/IEC 10118-3.
1 Introduction
Cryptographic hash functions or message-digest algorithms (see [Pre93] for a comprehensive treatment) are functions that map a string of arbitrary length into a fixed length result. Given h and an input x, computing h(x) must be easy and does not require any secret information. The cryptographic properties that are required depend on the appli...
CryptoBytes
this article particularly interesting. Perhaps the most remarkable cryptanalytic developments over the last year or two have been the advances made in the analysis of hash functions by Hans Dobbertin. The net result of this work has been a lack of options in the hash functions that are available for long-term use. In Europe, however, RIPEMD-160 has been gaining in popularity and the designers of this algorithm provide us with a summary of its features in this issue of the newsletter. Finally, at the 1997 Crypto conference attendees honored the work of Oded Goldreich. As one of the pioneers in establishing a theoretical framework to today's cryptography Oded's invited lecture was one of the highlights of the conference. In our lead article Oded provides us with his perspective on the foundations of modern cryptography. The future success of CryptoBytes depends on input from all sectors of the cryptographic community, and as usual we would like very much to thank the writers who have contributed to this second issue of the third volume. We encourage any readers with comments, opposite opinions, suggestions or proposals for future issues to contact the CryptoBytes editor at RSA Laboratories or by E-mail to bytes-ed@rsa.com.
CryptoBytes: The Technical Newsletter of RSA Laboratories, Autumn 1997
Partial key recovery attack against RMAC
In this paper new 'partial' key recovery attacks against the RMAC block cipher based Message Authentication Code scheme are described. That is we describe attacks that, in some cases, recover one of the two RMAC keys much more efficiently than previously described attacks. Although all attacks, but one, are of no major threat in practice, in some cases there is reason for concern. In particular, the recovery of the second RMAC key (of k bits) may only require around $2^{k/2}$ block cipher operations (encryptions or decryptions).
Partial key recovery attack against RMAC
In this paper new ‘partial’ key recovery attacks against the RMAC block cipher based Message Authentication Code scheme are described. That is we describe attacks that, in some cases, recover one of the two RMAC keys much more efficiently than previously described attacks. Although all attacks, but one, are of no major threat in practice, in some cases there is reason for concern. In particular, the recovery of the second RMAC key (of k bits) may only require around $2^{k/2}$ block cipher operations (encryptions or decryptions). The RMAC implementation using triple DES proposed by NIST is shown to be very weak. Keywords. Message Authentication Codes. RMAC. AES. Triple DES.
A proposal of a criterion for collision resistance of hash functions
In this paper we revisit the techniques for collision attacks and study the relation between maximum differential characteristic probability and a limit of applicability of collision attack. We show that a cryptographic hash function is secure against collision attacks using a single message block based on differential attack if the inequality $p_D < (1 - e^{-1})\,2^{-n_m-1}$ is satisfied, where $n_m$ is an input length of a compression function and $p_D$ is the maximum differential characteristic probability.
1 The Cryptographic Hash Function RIPEMD-160
RIPEMD-160 is a fast cryptographic hash function that is tuned towards software implementations on 32-bit architectures. It has evolved from the 256-bit extension of MD4, which was introduced in 1990 by Ron Rivest [20, 21]. Its main design features are two different and independent parallel chains, the result of

