Editing RIPEMD (section)

== History ==

The original RIPEMD function was designed in the framework of the [[European Union|EU]] project RIPE ([[RACE (Europe)|RACE]]<!--RACE = Research and Development in Advanced Communications Technologies in Europe --> Integrity Primitives Evaluation) in 1992.<ref>{{cite conference|first1=Hans|last1=Dobbertin|author-link1=Hans Dobbertin|first2=Antoon|last2=Bosselaers|first3=Bart|last3=Preneel|author-link3=Bart Preneel|title=RIPEMD-160: A strengthened version of RIPEMD|conference=Fast Software Encryption. Third International Workshop|location=Cambridge, UK|date=21–23 February 1996|pages=71–82|url=https://homes.esat.kuleuven.be/~bosselae/ripemd160/pdf/AB-9601/AB-9601.pdf|doi=10.1007/3-540-60865-6_44|doi-access=free}}</ref><ref>{{cite book|editor-first1=Antoon|editor-last1=Bosselaers|editor-first2=Bart|editor-last2=Preneel|editor-link2=Bart Preneel|title=Integrity Primitives for Secure Information Systems. Final Report of RACE Integrity Primitives Evaluation (RIPE-RACE 1040)|volume=1007|year=1995|doi=10.1007/3-540-60640-8|series=Lecture Notes in Computer Science|isbn=978-3-540-60640-6|last1=Bosselaers|first1=Antoon|last2=Preneel|first2=Bart|s2cid=12895857}}</ref> Its design was based on the [[MD4]] hash function. In 1996, in response to security weaknesses found in the original RIPEMD,<ref>{{cite journal|first=Hans|last=Dobbertin|author-link=Hans Dobbertin|title=RIPEMD with two-round compress function is not collision-free|date=December 1997|journal=[[Journal of Cryptology]]|volume=10|issue=1|pages=51–69|doi=10.1007/s001459900019|s2cid=15662054|doi-access=free}}</ref> [[Hans Dobbertin]], [[Antoon Bosselaers]] and [[Bart Preneel]] at the [[COSIC]] research group at the [[Katholieke Universiteit Leuven]] in [[Leuven|Leuven, Belgium]] published four strengthened variants: RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320.<ref>{{cite web|url=https://homes.esat.kuleuven.be/~bosselae/ripemd160.html|title=The hash function RIPEMD-160|first=Antoon|last=Bosselaers}}</ref>

In August 2004, a collision was reported for the original RIPEMD.<ref>{{Cite journal |last1=Wang |first1=Xiaoyun |author-link=Xiaoyun Wang |last2=Feng |first2=Dengguo |last3=Lai |first3=Xuejia |author-link3=Xuejia Lai |last4=Yu |first4=Hongbo |date=2004-08-17 |title=Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD |url=https://eprint.iacr.org/2004/199 |journal=[[Cryptology ePrint Archive]] |access-date=2017-03-03}}</ref> This does not apply to RIPEMD-160.<ref>{{Cite book |last1=Mendel |first1=Florian |last2=Pramstaller |first2=Norbert |last3=Rechberger |first3=Christian |last4=Rijmen |first4=Vincent |title=Information Security |chapter=On the Collision Resistance of RIPEMD-160 |series=Lecture Notes in Computer Science |author-link4=Vincent Rijmen |date=2006 |url=https://online.tugraz.at/tug_online/voe_main2.getvolltext?pCurrPk=17675 |volume=4176 |pages=101–116 |doi=10.1007/11836810_8 |access-date=2017-03-03 |doi-access=free|isbn=978-3-540-38341-3 }}</ref>

In 2019, the best collision attack for RIPEMD-160 could reach 34 rounds out of 80 rounds, which was published at CRYPTO 2019.<ref>{{Cite conference |last1=Liu |first1=Fukang |last2=Dobraunig |first2=Christoph |last3=Mendel |first3=Florian |last4=Isobe |first4=Takanori |last5=Wang |first5=Gaoli |last6=Cao |first6=Zhenfu |title=Advances in Cryptology – CRYPTO 2019, Proceesings vol 2 |chapter=Efficient Collision Attack Frameworks for RIPEMD-160 |date=2019 |chapter-url=https://eprint.iacr.org/2018/652 |series=Lecture Notes in Computer Science |volume=11693 |pages=117–149 |doi=10.1007/978-3-030-26951-7_5 |isbn=978-3-030-26950-0 |s2cid=51860634 | conference =39th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2019 | editor1= Alexandra Boldyreva|editor2= Daniele Micciancio }}</ref>

In February 2023, a collision attack for RIPEMD-160 was published at EUROCRYPT 2023, which could reach 36 rounds out of 80 rounds with time complexity of 2<sup>64.5</sup>.<ref>{{cite conference  <!-- Citation bot no -->|last1=Liu |first1=Fukang |last2=Wang |first2=Gaoli |last3=Sarkar |first3=Santanu |last4=Anand |first4=Ravi |last5=Meier |first5=Willi |last6=Li |first6=Yingxin |last7=Isobe |first7=Takanori |title=Advances in Cryptology – EUROCRYPT 2023, Proceedings vol. 4|chapter=Analysis of RIPEMD-160: New Collision Attacks and Finding Characteristics with MILP |date=February 2023 |chapter-url=https://eprint.iacr.org/2023/277 |conference=42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23–27, 2023 |series=Lecture Notes in Computer Science |volume=14007 |pages=189–219 |doi=10.1007/978-3-031-30634-1_7 |isbn=978-3-031-30633-4 |s2cid=257235244 | editor1=  Carmit Hazay | editor2= Martijn Stam}}</ref>

In December 2023, an improved collision attack was found based on the technique from the previous best collision attack, this improved collision attack could reach 40 rounds out of 80 round with a theoretical time complexity of 2<sup>49.9</sup>.<ref name="Li Liu Wang 2023 pp. 112–142">{{cite journal | last=Li | first=Yingxin | last2=Liu | first2=Fukang | last3=Wang | first3=Gaoli | title=Automating Collision Attacks on RIPEMD-160 | journal=IACR Transactions on Symmetric Cryptology | volume=2023 | issue=4 | date=2023-12-08 | issn=2519-173X | doi=10.46586/tosc.v2023.i4.112-142 | pages=112–142| doi-access=free }}</ref>