## On the Security of Dedicated Hash Functions (1998)

Venue: In 19th Symposium on Information Theory in the Benelux

Citations: 5 - 1 self

### BibTeX

@INPROCEEDINGS{Rompay98onthe,
  author = {Bart Van Rompay and Bart Preneel and Joos Vandewalle},
  title = {On the Security of Dedicated Hash Functions},
  booktitle = {In 19th Symposium on Information Theory in the Benelux},
  year = {1998},
  pages = {103--110}
}

### Abstract

Cryptographic hash functions are an important building block for a wide range of applications such as the authentication of information, digital signatures and the protection of pass-phrases. The most popular hash functions are the custom designed iterative hash functions from the MD4 family. Over the years various results on the cryptanalysis of these functions have become available and this paper intends to summarize these results and their impact. We will describe attacks on MD4, MD5 and RIPEMD, and discuss the design and security of the hash functions SHA-1 and RIPEMD-160 which are included in the new standard ISO/IEC 10118-3.

1 Introduction

Cryptographic hash functions or message-digest algorithms (see [Pre93] for a comprehensive treatment) are functions that map a string of arbitrary length into a fixed length result. Given h and an input x, computing h(x) must be easy and does not require any secret information. The cryptographic properties that are required depend on the appli...

### Citations

335 | Differential Cryptanalysis of the Data Encryption Standard - Biham, Shamir - 1993 |

Citation Context: ...ues are compensated at the end. The attack has two main components. The first component deals with the solution of a set of non-linear equations. The second component deals with a differential attack [BS93] and the matching of initial values. Collisions are found for two message blocks $X = (x_j)_{j=1\ldots16}$ and $X' = (x'_j)_{j=1\ldots16}$ differing in only one message word: $x'_{13} = x_{13} + 1$. The message word...

111 | Analysis and Design of Cryptographic Hash Functions - Preneel - 1993 |

Citation Context: ...he design and security of the hash functions SHA-1 and RIPEMD-160 which are included in the new standard ISO/IEC 10118-3. 1 Introduction Cryptographic hash functions or message-digest algorithms (see [Pre93] for a comprehensive treatment) are functions that map a string of arbitrary length into a fixed length result. Given h and an input x, computing h(x) must be easy and does not require any secret info...

103 | RIPEMD-160: A Strengthened Version of RIPEMD - Dobbertin, Bosselaers, et al. - 1996 |

Citation Context: ...tacks known at the moment of their introduction: MD5 ('91, [Riv92b], which is still the most widely used hash function), SHA-1 ('95, [FIPS95]), RIPEMD ('92, [RIPE95]), RIPEMD-128 and RIPEMD-160 ('96, [DBP96]). The remainder of this paper is organized as follows. We briefly explain the structure of these hash functions in Section 2, concentrating on the historically important MD4 function. For full descri...

75 | The Status of MD5 After a Recent Attack - Dobbertin - 1996 |

Citation Context: ... there are some undesirable characteristics in the design of the compression function and that some changes with respect to MD4 were not well-considered. In 1996 the attack on MD4 was extended to MD5 [Dob96b]. It finds collisions for a random initial chaining variable and two message blocks differing in only one word; these are called collisions for the compression function. The attack can be separated in...

59 | Parallel collision search with applications to hash functions and discrete logarithms - Oorschot, Wiener |

Citation Context: ...A-1 is the length of the hash code: 160 bits instead of 128. This improves the resistance against a brute force collision search (ideally $2^{80}$ computations would be required). Recent hardware designs [vOW94] and distributed computing efforts over the Internet show the importance of this. The compression function (which operates on five 32-bit chaining words) has four rounds (like MD5) and uses the Boolea...

57 | The MD5 Message-Digest Algorithm, RFC 1321 - Rivest - 1992 |

Citation Context: ...gned for the explicit purpose of hashing (dedicated or customized hash functions). MD4 was introduced in 1990 by R. Rivest and was designed specifically for software implementation on 32-bit machines [Riv92a]. As a result of progress in cryptanalysis a whole family of MD4-like hash functions has been developed, with the goal of precluding the attacks known at the moment of their introduction: MD5 ('91, [R...

55 | Collisions for the Compression function of MD5 - Boer, Bosselaers - 1995 |

Citation Context: ...chaining word will propagate quickly to later calculations. However it is precisely this change that allows the first partial attack on MD5, which finds pseudo-collisions for the compression function [dBB94]. These are collisions for a certain 16-word message block and two different initial values for the chaining variable. This is of no practical importance for normal hashing but it shows that there are...

38 | An Attack on the Last Two Rounds of MD4 - Boer, Bosselaers - 1992 |

33 | On the need of Multipermutations: Cryptanalysis of MD4 and SAFER - Vaudenay - 1994 |

23 | RIPEMD with Two-Round Compress Function is Not Collision-Free - Dobbertin - 1997 |

Citation Context: ...ether with the previous chaining variable (feed-forward) at the end of the compression function. The recent evaluation techniques were however first used in attacks on reduced-round versions of RIPEMD [Dob97]. If the first or the last round of the compression function is omitted then collisions can be found. So the security level of RIPEMD is at best only marginal (comparable to the status of MD4 before t...

15 | Integrity Primitives for Secure Information Systems - RIPE - 1995 |

Citation Context: ...veloped, with the goal of precluding the attacks known at the moment of their introduction: MD5 ('91, [Riv92b], which is still the most widely used hash function), SHA-1 ('95, [FIPS95]), RIPEMD ('92, [RIPE95]), RIPEMD-128 and RIPEMD-160 ('96, [DBP96]). The remainder of this paper is organized as follows. We briefly explain the structure of these hash functions in Section 2, concentrating on the historical...

11 | The First Two Rounds of MD4 are Not One-Way - Dobbertin |

Citation Context: ... 20 random bytes (5 random message words), took less than one hour to find on a PC. Inverting MD4 A recent result by H. Dobbertin showed that MD4 is not very secure with respect to one-wayness either [Dob98]. If the compression function is restricted to the first two rounds, the hash function can be inverted. The attack exploits the majority function used in the second round of the compression function. ...

3 | Cryptanalysis of MD4, Fast Software Encryption '96 - Dobbertin - 1996 |

Citation Context: ... and the choice of rotation amounts. In 1995 H. Dobbertin found a new approach for analyzing this type of hash functions and developed an attack which finds collisions for the complete version of MD4 [Dob96a]. The attack requires only a few seconds on a PC and still leaves some freedom for the choice of 'meaningful' messages. Hence it clearly rules out MD4 as a collision resistant hash function. Descripti...