The hash function RIPEMD-160

What is RIPEMD-160?

Where do I find a description of RIPEMD-160?

How fast is RIPEMD-160?

Patents, Object Identifiers, Bibliography.

Optional extensions to 256 and 320 bit hash results.

MACs based on RIPEMD-160.

1. MDx-MAC for RIPEMD-160.
2. HMAC-RIPEMD-160: test vectors.

OAEP-encoding based on RIPEMD-160: test vectors

Still more questions?

---

What is RIPEMD-160?

RIPEMD-160 is a 160-bit cryptographic hash function, designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. It is intended to be used as a secure replacement for the 128-bit hash functions MD4, MD5, and RIPEMD. MD4 and MD5 were developed by Ron Rivest for RSA Data Security, while RIPEMD was developed in the framework of the EU project RIPE (RACE Integrity Primitives Evaluation, 1988-1992). There are three good reasons to consider such a replacement:

• A 128-bit hash result does not offer sufficient protection anymore. A brute force collision search attack on a 128-bit hash result requires 2⁶⁴ or about 2.10¹⁹ evaluations of the function. In 1994 Paul van Oorschot and Mike Wiener showed that this brute-force job can be done in less than a month with a $10 million investment (``Parallel collision search with applications to hash functions and discrete logarithms,'' 2nd ACM Conference on Computer and Communications Security, ACM Press, 1994, pp. 210-218). This cost is expected to halve every 18 months.
• In the first half of 1995 Hans Dobbertin found collisions for a version of RIPEMD restricted to two rounds out of three. Using similar techniques Hans produced in the Fall of 1995 collisions for (all 3 rounds of) MD4. The attack on MD4 requires only a few seconds on a PC, and still leaves some freedom as to the choice of the message, clearly ruling out MD4 as a collision resistant hash function. Shortly afterwards, in the Spring of 1996, Hans also found collisions for the compression function of MD5. Although not yet extended to collisions for MD5 itself, this attack casts serious doubts on the strength of MD5 as a collision resistant hash function. RSA Data Security, for which Ron Rivest developed MD4 and MD5, recommend that MD4 should not longer be used, and that MD5 should not be used for future applications that require the hash function to be collision-resistant.
• At the rump session of Crypto 2004 it was announced that Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu found collisions for MD4, MD5, RIPEMD, and the 128-bit version of HAVAL.

RIPEMD-128 is a plug-in substitute for RIPEMD (or MD4 and MD5, for that matter) with a 128-bit result. In view of the result of Paul van Oorschot and Mike Wiener mentioned earlier, 128-bit hash results do not offer sufficient protection for the next ten years, and applications using 128-bit hash functions should consider upgrading to a 160-bit hash function.

RIPEMD-256 and RIPEMD-320 are optional extensions of, respectively, RIPEMD-128 and RIPEMD-160, and are intended for applications of hash functions that require a longer hash result without needing a larger security level.

A full description and reference C software for the RIPEMD-160 and RIPEMD-128 hash functions are available: ps, pdf. The implementations are written for the sole purpose of documentation. No optimization whatsoever is performed: only readability and portability were kept in mind.

• H. Dobbertin, A. Bosselaers, B. Preneel, ``RIPEMD-160, a strengthened version of RIPEMD'' (ps, pdf). This article contains a description of both RIPEMD-160 and RIPEMD-128. It is an updated and corrected version of the article published in Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 71-82. See the bibliography section below for more descriptions.
• rmd160.c: source code for RIPEMD-160
• rmd160.h: include file for RIPEMD-160.
• rmd128.c: source code for RIPEMD-128
• rmd128.h: include file for RIPEMD-128.
• hashtest.c: driver for both RIPEMD-160 and RIPEMD-128.

1. "abcdefghijklmnopqrstuvwxyz"
2. "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
3. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

The following table gives an idea of the performance of the different MD4-like hash functions. The implementations are written in 80x86 assembly language and are optimized for the Pentium processor. It is assumed that both code and data resides in the on-chip caches. Under these conditions the cycle figures are independent of the clock speed, and the throughput figures scale with the clock speed.
 

More information on these implementations can be found in: A. Bosselaers, R. Govaerts and J. Vandewalle, ``Fast hashing on the Pentium,'' (ps, pdf) Advances in Cryptology, Proceedings Crypto'96, LNCS 1109, N. Koblitz, Ed., Springer-Verlag, 1996, pp. 298-312, and in the short note ``Even faster hashing on the Pentium,'' (ps, pdf) presented at the rump session of Eurocrypt'97.

The authors of RIPEMD-160 and RIPEMD-128 do not hold any patents on the algorithms (nor on the optional extensions), and are also not aware of any patents on these algorithms. Naturally, if you do decide to use either of them, we would love to hear about it.

RIPEMD-160, RIPEMD-128 and the optional extension RIPEMD-256 have object identifiers defined by the ISO-identified organization TeleTrusT, both as hash algorithm and in combination with RSA.
 

RIPEMD-160 is also part of the ISO/IEC international standard ISO/IEC 10118-3:2004 on dedicated hash functions, together with RIPEMD-128, SHA-1, SHA-256, SHA-512, SHA-384, and WHIRLPOOL. Therefore, RIPEMD-160 and RIPEMD-128 also have following object identifiers:
 

More information about RIPEMD-160 can, e.g., be found in the following publications:

1. H. Dobbertin, A. Bosselaers, B. Preneel, ``RIPEMD-160, a strengthened version of RIPEMD,'' (ps, pdf). Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 71-82.
2. H. Dobbertin, ``Digitale Fingerabdrücke; Sichere Hashfunktionen für digitale Signaturen,'' Datenschutz und Datensicherheit, Vol. 21, No. 2, 1997, pp. 82-87.
3. ISO/IEC 10118-3:2004, ``Information technology - Security techniques - Hash-functions - Part 3: Dedicated hash-functions,'' International Organization for Standardization, Geneva, Switzerland, 2004.
4. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC press, 1996, Section 9.4.2, pp. 349-351 (ps, pdf).
5. A. Bosselaers, H. Dobbertin, B. Preneel, ``The RIPEMD-160 cryptographic hash function,'' Dr. Dobb's Journal, Vol. 22, No. 1, January 1997, pp. 24-28.
6. B. Preneel, A. Bosselaers, H. Dobbertin, ``The cryptographic hash function RIPEMD-160,'' CryptoBytes, Vol. 3, No. 2, 1997, pp. 9-14.

Some applications of hash functions require a longer hash result without needing a larger security level. To this end RIPEMD-256 and RIPEMD-320 are constructed from, respectively, RIPEMD-128 and RIPEMD-160 by initializing the two parallel lines with different initial values, omitting the combination of the two lines at the end of every application of the compression function, and exchanging a chaining variable between the 2 parallel lines after each round. Remark that the security level of the 320-bit extension of RIPEMD-160 is only guaranteed to be the same as that of RIPEMD-160 itself, and similarly for the 256-bit extension of RIPEMD-128 with respect to RIPEMD-128 itself.

Pseudocode for RIPEMD-256 and RIPEMD-320 are provided for, as well as test vectors, which are given in the tables below. The messages are given in ASCII format, while the corresponding hash results are in hexadecimal format.
 

1. "abcdefghijklmnopqrstuvwxyz"
2. "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
3. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

Two constructions of MACs based on a hash-function have been standardized within ISO/IEC ( ISO/IEC 9797-2:2011). A reference implementation and test vectors are given for MDx-MAC based on RIPEMD-160/128, as well as test vectors for HMAC based on RIPEMD-160/128.

1. MDx-MAC for RIPEMD-160.

At Crypto'95 Bart Preneel and Paul van Oorschot proposed a new generic construction (MDx-MAC) for transforming any secure hash function of the MD4-family into a secure MAC of equal or smaller bitlength and comparable speed. Reference C software for the MDx-MACs based on RIPEMD-160 and RIPEMD-128 is now available. Like for the corresponding hash functions the implementations are written for the sole purpose of documentation. No optimization whatsoever is performed: only readability and portability were kept in mind.

• B. Preneel and P.C. van Oorschot, ``MDx-MAX and building fast MACs from hash functions,'' Advances in Cryptology - Crypto'95, LNCS 963, D. Coppersmith, Ed., Springer-Verlag, 1995, pp. 1-14.
• B. Preneel and P.C. van Oorschot, ``Method of building fast MACs from hash functions,'' U.S. Patent # 5,664,016, 2 September 1997.
• rmd160mc.c: source code for RIPEMD160-MAC
• rmd160mc.h: include file for RIPEMD160-MAC.
• rmd128mc.c: source code for RIPEMD128-MAC
• rmd128mc.h: include file for RIPEMD128-MAC.
• mactest.c: driver for both RIPEMD160-MAC and RIPEMD128-MAC.

Test vectors for two different keys (both in hexadecimal format) are given in the table below. The messages are given in ASCII format, while the corresponding MAC results are in hexadecimal format (the full length result is given).
 

1. "abcdefghijklmnopqrstuvwxyz"
2. "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
3. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

The HMAC-construction was proposed by Mihit Bellare, Ran Canetti, and Hugo Krawczyck, ``Keying Hash Functions for Message Authentication,'' Advances in Cryptology - Crypto'96, LNCS 1109, N. Koblitz, Ed., Springer-Verlag, 1996, pp. 1-15. Test vectors for two different keys (both in hexadecimal format) are given in the table below. The messages are given in ASCII format, while the corresponding MAC results are in hexadecimal format (the full length result is given). Keys are required to be at least the size of the hash result. Another source for test vectors is RFC 2286, ``Test cases for HMAC-RIPEMD160 and HMAC-RIPEMD128,'' Internet Request for Comments 2286, J. Kapp, February 1998.
 

1. "abcdefghijklmnopqrstuvwxyz"
2. "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"

"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

The OAEP (Optimal Asymmetric Encryption Padding) encoding method is parametrized by the choice of the hash function and mask generation function. This section lists test vectors for OAEP based on RIPEMD-160 and the mask generation function MGF1 as defined in PKCS#1 v2.0 and IEEE P1363 with RIPEMD-160 as the hash function. Inputs to the OAEP encoding method are

• the message to be encoded
• a string detailing encoding parameters
• the intended length in bytes of the encoded message
• a random string of 20 bytes long

Do not hesitate to contact us: Antoon Bosselaers or Bart Preneel

Back to:

• Antoon's homepage
• Bart's homepage
• COSIC's homepage