The hash function RIPEMD-160

• What is RIPEMD-160?
• Where do I find a description of RIPEMD-160?
• And what about SHA-1?
• How fast is RIPEMD-160?
• What else should I know about RIPEMD-160?
• Optional extensions to 256 and 320 bit hash results.
• What about MDx-MAC for RIPEMD-160?
• Still more questions?

RIPEMD-160 is a 160-bit cryptographic hash function, designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. It is intended to be used as a secure replacement for the 128-bit hash functions MD4, MD5, and RIPEMD. MD4 and MD5 were developed by Ron Rivest for RSA Data Security, while RIPEMD was developed in the framework of the EU project RIPE (RACE Integrity Primitives Evaluation, 1988-1992). There are two good reasons to consider such a replacement:

• A 128-bit hash result does not offer sufficient protection anymore. A brute force collision search attack on a 128-bit hash result requires 2⁶⁴ or about 2.10¹⁹ evaluations of the function. In 1994 Paul van Oorschot and Mike Wiener showed that this brute-force job can be done in less than a month with a $10 million investment. This cost is expected to halve every 18 months.
• In the first half of 1995 Hans Dobbertin found collisions for a version of RIPEMD restricted to two out of three rounds. Using similar techniques Hans produced in the Fall of 1995 collisions for (all 3 rounds of) MD4. The attack on MD4 requires only a few seconds on a PC, and still leaves some freedom as to the choice of the message, clearly ruling out MD4 as a collision resistant hash function. Shortly afterwards, in the Spring of 1996, Hans also found collisions for the compression function of MD5. Although not yet extended to collisions for MD5 itself, this attack casts serious doubts on the strength of MD5 as a collision resistant hash function. RSA Data Security, for which Ron Rivest developed MD4 and MD5, recommend that MD4 should not longer be used, and that MD5 should not be used for future applications that require the hash function to be collision-resistant.

RIPEMD-160 is a strengthened version of RIPEMD with a 160-bit hash result, and is expected to be secure for the next ten years or more. The design philosophy is to build as much as possible on experience gained by evaluating MD4, MD5, and RIPEMD. Like its predecessors, RIPEMD-160 is tuned for 32-bit processors, which we feel will remain important in the coming decade.

RIPEMD-128 is a plug-in substitute for RIPEMD (or MD4 and MD5, for that matter) with a 128-bit result. In view of the result of Paul van Oorschot and Mike Wiener mentioned earlier, 128-bit hash results do not offer sufficient protection for the next ten years, and applications using 128-bit hash functions should consider upgrading to a 160-bit hash function.

RIPEMD-256 and RIPEMD-320 are optional extensions of, respectively, RIPEMD-128 and RIPEMD-160, and are intended for applications of hash functions that require a longer hash result without needing a larger security level.

Where do I find a description of RIPEMD-160?

A full description and reference C software for the RIPEMD-160 and RIPEMD-128 hash functions are available via anonymous ftp. The implementations are written for the sole purpose of documentation. No optimization whatsoever is performed: only readability and portability were kept in mind. See the README file for more information.

• H. Dobbertin, A. Bosselaers, B. Preneel, ``RIPEMD-160, a strengthened version of RIPEMD.'' This article contains a description of both RIPEMD-160 and RIPEMD-128. It is an updated and corrected version of the article published in Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 71-82.
• rmd160.c: source code for RIPEMD-160
• rmd160.h: include file for RIPEMD-160.
• rmd128.c: source code for RIPEMD-128
• rmd128.h: include file for RIPEMD-128.
• hashtest.c: driver for both RIPEMD-160 and RIPEMD-128.

This figure gives you a first idea of RIPEMD-160. Pseudocode for RIPEMD-160 and RIPEMD-128 are provided for, as well as test values, which are given in the table below. The messages are given in ASCII format, while the corresponding hash results are in hexadecimal format.

1. "abcdefghijklmnopqrstuvwxyz"
2. "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
3. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

And what about SHA-1?

An alternative to RIPEMD-160 is SHA-1. It also has a 160-bit hash result, and because of some of its properties it is quite likely that it is not vulnerable to the known attacks on the MD4-like hash functions. However, and in contrast to RIPEMD-160, both its design criteria and the attack on the first version are secret.

How fast is RIPEMD-160?

The following table gives an idea of the performance of the different MD4-like hash functions. The implementations are written in 80x86 assembly language and are optimized for the Pentium processor. It is assumed that both code and data resides in the on-chip caches. Under these conditions the cycle figures are independent of the clock speed, and the throughput figures scale with the clock speed.

Table 1: Performance of optimized assembly language implementations of MD4-like hash functions on a 90 MHz Pentium using a 32-bit flat memory model (i.e., running in native protected mode).

Algorithm	cycles	Mbit/sec	Mbyte/sec	relative performance
MD4	241	191.2	23.90	1.00
MD5	337	136.7	17.09	0.72
RIPEMD	480	96.0	12.00	0.50
RIPEMD-128	592	77.8	9.73	0.41
SHA-1	837	55.1	6.88	0.29
RIPEMD-160	1013	45.5	5.68	0.24

More information on these implementations can be found in: A. Bosselaers, R. Govaerts and J. Vandewalle, ``Fast hashing on the Pentium,'' Advances in Cryptology, Proceedings Crypto'96, LNCS 1109, N. Koblitz, Ed., Springer-Verlag, 1996, pp. 298-312, and in the short note ``Even faster hashing on the Pentium,'' presented at the rump session of Eurocrypt'97.

What else should I know about RIPEMD-160?

RIPEMD-160 and RIPEMD-128 are not patented (nor are the optional extensions). Naturally, if you do decide to use either of them, we would love to hear about it.

RIPEMD-160, RIPEMD-128 and the optional extension RIPEMD-256 have object identifiers defined by the ISO-identified organization TeleTrusT, both as hash algorithm and in combination with RSA.

RIPEMD-160 is also part of the ISO draft standard ISO/IEC DIS 10118-3 on dedicated hash functions, together with RIPEMD-128 and SHA-1.

More information about RIPEMD-160 can, e.g., be found in the following publications:

1. H. Dobbertin, A. Bosselaers, B. Preneel, ``RIPEMD-160, a strengthened version of RIPEMD,'' Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 71-82.
2. H. Dobbertin, ``Digitale Fingerabdrücke; Sichere Hashfunktionen für digitale Signaturen,'' Datenschutz und Datensicherheit, Vol. 21, No. 2, 1997, pp. 82-87.
3. ISO/IEC 10118-3, ``Information technology - Security techniques - Hash-functions - Part 3: Dedicated hash-functions,'' draft (DIS), 1997.
4. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC press, 1996, Section 9.4.2, pp. 349-351.
5. A. Bosselaers, H. Dobbertin, B. Preneel, ``The RIPEMD-160 cryptographic hash function,'' Dr. Dobb's Journal, Vol. 22, No. 1, January 1997, pp. 24-28.
6. B. Preneel, A. Bosselaers, H. Dobbertin, ``The cryptographic hash function RIPEMD-160,'' CryptoBytes, Vol. 3, No. 2, 1997, pp. 9-14.

Optional extensions to 256 and 320 hash results: RIPEMD-256 and RIPEMD-320

Some applications of hash functions require a longer hash result without needing a larger security level. To this end RIPEMD-256 and RIPEMD-320 are constructed from, respectively, RIPEMD-128 and RIPEMD-160 by initializing the two parallel lines with different initial values, omitting the combination of the two lines at the end of every application of the compression function, and exchanging a chaining variable between the 2 parallel lines after each round. Remark that the security level of the 320-bit extension of RIPEMD-160 is only guaranteed to be the same as that of RIPEMD-160 itself, and similarly for the 256-bit extension of RIPEMD-128 with respect to RIPEMD-128 itself.

Pseudocode for RIPEMD-256 and RIPEMD-320 are provided for, as well as test values, which are given in the tables below. The messages are given in ASCII format, while the corresponding hash results are in hexadecimal format.

1. "abcdefghijklmnopqrstuvwxyz"
2. "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
3. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

What about MDx-MAC for RIPEMD-160?

At Crypto'95 Bart Preneel and Paul van Oorschot proposed a new generic construction (MDx-MAC) for transforming any secure hash function of the MD4-family into a secure MAC of equal or smaller bitlength and comparable speed. Reference C software for the MDx-MACs based on RIPEMD-160 and RIPEMD-128 is now available via anonymous ftp. Like for the corresponding hash functions the implementations are written for the sole purpose of documentation. No optimization whatsoever is performed: only readability and portability were kept in mind. See again the README file for more information.

• B. Preneel and P.C. van Oorschot, ``MDx-MAX and building fast MACs from hash functions,'' Advances in Cryptology - Crypto'95, LNCS 963, D. Coppersmith, Ed., Springer-Verlag, 1995, pp. 1-14.
• rmd160mc.c: source code for RIPEMD160-MAC
• rmd160mc.h: include file for RIPEMD160-MAC.
• rmd128mc.c: source code for RIPEMD128-MAC
• rmd128mc.h: include file for RIPEMD128-MAC.
• mactest.c: driver for both RIPEMD160-MAC and RIPEMD128-MAC.

The table below lists the constants T0, T1, and T2 for both RIPEMD160-MAC and RIPEMD128-MAC, all in hexadecimal format.

Test values for two different keys (both in hexadecimal format) are given in the table below. The messages are given in ASCII format, while the corresponding MAC results are in hexadecimal format (the full length result is given).

1. "abcdefghijklmnopqrstuvwxyz"
2. "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
3. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

Still more questions?

Do not hesitate to contact us: Hans Dobbertin, Antoon Bosselaers, or Bart Preneel

Back to:

• Antoon's homepage
• Bart's homepage
• COSIC's homepage