
KI194-Tilborg May 24, 2005 14:37 RSA digital signature scheme 527

result and chaining variable of 256 bits (eight 32-bit words) is used and that there are only 64 steps. Eight 32-bit chaining variables h0, h1, h2, h3, h4, h5, h6, h7 are either initialized to the fixed values IV0 through IV3 and IV5 through IV8 for the first 512-bit message block or to the intermediate hash value for the following message blocks. Then the compression function works as follows:

    A ← h0, A' ← h4
    B ← h1, B' ← h5
    C ← h2, C' ← h6
    D ← h3, D' ← h7
    for i = 0 to 63 do
        T  ← (A  + f_i(B, C, D) + W_{r(i)} + K_i) <<< s_i(r(i))
        T' ← (A' + f_{63-i}(B', C', D') + W_{r'(i)} + K'_i) <<< s_i(r'(i))
        A ← D, A' ← D'
        D ← C, D' ← C'
        C ← B, C' ← B'
        B ← T, B' ← T'
        if i = 15 then T ← A, A ← A', A' ← T
        else if i = 31 then T ← B, B ← B', B' ← T
        else if i = 47 then T ← C, C ← C', C' ← T
        else if i = 63 then T ← D, D ← D', D' ← T
    h0 ← h0 + A, h4 ← h4 + A'
    h1 ← h1 + B, h5 ← h5 + B'
    h2 ← h2 + C, h6 ← h6 + C'
    h3 ← h3 + D, h7 ← h7 + D'

where the ordering of message words r(i) and r'(i), the non-linear functions f_i, the shifts s_i, and the constants K_i and K'_i are defined as in RIPEMD-160, except that K'_i = 00000000_x for 48 ≤ i ≤ 63.

RIPEMD: The original RIPEMD consists of essentially two parallel versions of MD4, with some improvements to the shifts and the order of the message words; the two parallel instances differ only in the round constants. At the end of the compression function, the words of the left and right halves are added to each other and to the initial values of the chaining variable.

SECURITY CONSIDERATIONS: The RIPEMD family has been designed to provide collision resistance. RIPEMD was developed in 1992 in the framework of the EC-RACE project RIPE [1]. In 1995, Dobbertin found collisions for reduced versions of RIPEMD [3]. Due to these partial attacks, RIPEMD was upgraded in 1996 by Dobbertin et al. to RIPEMD-128 (as plug-in substitute for RIPEMD) and RIPEMD-160 [2]. At the same time, the variants RIPEMD-256 and RIPEMD-320 were introduced as well. An additional reason for the introduction of RIPEMD-160 is brute force collision search attacks. In [4], van Oorschot and Wiener estimate that a US$10 million machine could find collisions for MD5 in 21 days in 1994, which corresponds to 4 hours in 2004. To counter such collision search attacks, hash values of at least 160 bits are required. RIPEMD-128 and RIPEMD-160 are included in ISO/IEC 10118-3 [5].

Antoon Bosselaers

References

[1] RIPE (1995). "Integrity primitives for secure information systems." Final Report of RACE Integrity Primitives Evaluation (RIPE-RACE 1040), Lecture Notes in Computer Science, vol. 1007, eds. A. Bosselaers and B. Preneel. Springer-Verlag, Berlin.
[2] Dobbertin, H., A. Bosselaers, and B. Preneel (1996). "RIPEMD-160: A strengthened version of RIPEMD." Fast Software Encryption, Lecture Notes in Computer Science, vol. 1039, ed. D. Gollmann. Springer-Verlag, Berlin, 71–82. Final version available at http://www.esat.kuleuven.ac.be/∼cosicart/pdf/AB-9601/. More information on all aspects of RIPEMD-xxx can be found at http://www.esat.kuleuven.ac.be/∼bosselae/ripemd160/
[3] Dobbertin, H. (1997). "RIPEMD with two-round compress function is not collision-free." Journal of Cryptology, 10 (1), 51–69.
[4] van Oorschot, P.C. and M. Wiener (1999). "Parallel collision search with cryptanalytic applications." Journal of Cryptology, 12 (1), 1–28.
[5] ISO/IEC 10118-3 (2003). "Information technology—security techniques—hash-functions—Part 3: Dedicated hash-functions."

RSA DIGITAL SIGNATURE SCHEME

In the basic formula for the RSA cryptosystem [30] (see also RSA Problem, RSA public-key encryption), a digital signature s is computed on a message m according to the equation (see modular arithmetic)

$s = m^d \bmod n$, (1)

where (n, d) is the signer's RSA private key. The signature is verified by recovering the message m with the signer's RSA public key (n, e):

$m = s^e \bmod n$. (2)

Though the meaning of the value m that is signed with this formula has changed over the years, the basic formula has remained the same since it was introduced in 1977. The purpose of this entry is to survey the main approaches based on that formula, each of which can be referred to as an RSA digital signature scheme (see also digital signature schemes for general definitions).

In the definition just given, the value m is itself the message. This is helpful for illustration, but introduces a few challenges:

1. The set of messages that can be signed with the basic formula is limited to the set of integers in the range [0, n − 1]. A larger value of m could be signed, but the value $m \bmod n$ is all that would be protected.
2. Some messages are quite easy to sign: for instance, m = 0 always has the signature 0 regardless of the signer's private key, and similarly for m = 1 and m = n − 1.
3. Every signature value s corresponds to some message m by Equation (2). It is therefore easy to construct valid message-signature pairs given only the signer's public key by starting with the signature value s (though the messages so obtained might not be anything meaningful).
4. Finally, the signer's willingness to provide signatures on some messages can be exploited by an opponent to obtain signatures on additional messages. As one example, if the opponent wants a signature on a message m but does not want the signer to see m, the opponent can instead ask to have the message $m' = m r^e \bmod n$ signed, where r is a random value. Let s' be the signature on m', and let $s = s' r^{-1} \bmod n$. Then s is the signature on m. Though this property has the benefit of enabling blind signatures, it also presents an avenue for attack. More generally, RSA signatures have a multiplicative property that can be an advantage or a disadvantage depending on the situation: given signatures on messages $m_1$ and $m_2$, it is straightforward to determine the signatures on any combination of products of the form $m_1^i m_2^j$.

Due to the various concerns just described, RSA digital signature schemes in practice are typically constructed so that the value m is not the message itself, but rather a message representative derived from the message. This approach employs four design principles that address the concerns just noted:

• Large message space: The set of messages that can be signed should be as large as possible. This is accomplished by deriving m in some way from the result of applying a hash function to the actual message to be signed.
• Nontrivial message representative: Message representatives such as 0 and 1 should be avoided, or should be very unlikely. In some schemes, this is accomplished by giving m a "random" appearance; in others, just by some padding.
• Sparse message representative space: Only a small fraction of values of m should be valid message representatives; this makes it unlikely that a random signature s will correspond to a valid m. For this reason, the value m generally has some structure that can be verified, and which is unlikely to occur at random. Alternatively, if many values of m are valid, then it should be difficult to find a message with a given message representative.
• Non-multiplicativity: Multiplicative relationships between signatures should be avoided. Randomness or padding, and structure, both help in this regard.

One of the earliest and simplest improvements over the basic formula is to define the message representative m as the hash of the message M being signed, m = Hash(M). This meets the first three design goals: messages of any length can be signed; hash values such as 0 and 1 are very unlikely; and, assuming the hash values are sufficiently shorter than the modulus n, only a small fraction of values of m will be valid hash values. However, multiplicative relationships are still a potential problem. In particular, if the hash output is significantly shorter than the modulus (e.g., 160 bits vs. 1024 bits with today's parameter sizes), then it is possible to attack the signature scheme by methods from index calculus. Although the opponent cannot factor the modulus, the attacker can readily factor the much shorter hash values. From a sufficiently large set of signatures, the attacker can thereby solve for the signatures on all values m in a factor base by index calculus, and from those construct the signature on any message M for which Hash(M) is smooth with respect to that factor base (see smoothness). (This approach, observed in the design of the PKCS #1 specification [14] discussed below, is an extension of an early attack on the RSA cryptosystem by Desmedt and Odlyzko [7].)

On the other hand, if the hash value is as long as the modulus n, then factoring the hash value is as hard as factoring the modulus, so the attack just described is not a concern. This is the basis for the Full Domain Hash (FDH) scheme of Bellare and
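The four challenges of the basic formula, worked through on a toy key. This is an added example, not code from the entry: the primes 104729 and 1299709, the public exponent 65537 and the sample messages are constructed for illustration, the key is far too small to be secure, and `sign` and `verify` are equations (1) and (2) applied to the raw integer m, exactly the setting the challenges describe.

```python
"""The four challenges of 'textbook' RSA signatures on a constructed toy key.
Added example, not from the entry; nothing about this key is secure."""
import math
import random

P, Q, E = 104729, 1299709, 65537          # constructed toy key (tiny primes)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def sign(m):
    """Equation (1): s = m^d mod n, the integer m signed directly."""
    return pow(m, D, N)


def verify(m, s):
    """Equation (2): recover s^e mod n and compare with m reduced mod n."""
    return pow(s, E, N) == m % N


def random_unit(rng):
    """Random r in [2, n-2] with gcd(r, n) = 1, so r^-1 mod n exists."""
    while True:
        r = rng.randrange(2, N - 1)
        if math.gcd(r, N) == 1:
            return r


def trivial_signatures():
    """Challenge 2: 0, 1 and n-1 are their own signatures under every key
    (n-1 because d is odd, so (-1)^d = -1 mod n)."""
    return {m: sign(m) for m in (0, 1, N - 1)}


def existential_forgery(rng):
    """Challenge 3: choose s first; m = s^e mod n is a message it signs."""
    s = rng.randrange(2, N - 1)
    return pow(s, E, N), s


def blind_sign(m, rng):
    """Challenge 4: obtain the signer's signature on m without showing it m.
    The signer only sees m' = m r^e mod n and returns s' = m'^d mod n;
    unblinding gives s = s' r^-1 = m^d mod n."""
    r = random_unit(rng)
    m_blind = m * pow(r, E, N) % N
    s_blind = sign(m_blind)                    # the only thing the signer computes
    return s_blind * pow(r, -1, N) % N


def combine(m1, s1, m2, s2, i, j):
    """Multiplicative property: from (m1, s1) and (m2, s2) derive the signature
    on m1^i m2^j mod n without the private key."""
    return pow(m1, i, N) * pow(m2, j, N) % N, pow(s1, i, N) * pow(s2, j, N) % N


def demo(seed=1):
    """Outcome of each challenge as a dict of booleans (all True)."""
    rng = random.Random(seed)
    m1, m2 = 0x1234567, 0x89ABCDE                # constructed sample messages
    prod_m, prod_s = combine(m1, sign(m1), m2, sign(m2), 3, 2)
    forged_m, forged_s = existential_forgery(rng)
    return {
        "only_m_mod_n_is_protected": sign(m1 + N) == sign(m1),        # challenge 1
        "trivial_values_sign_themselves":
            trivial_signatures() == {0: 0, 1: 1, N - 1: N - 1},       # challenge 2
        "random_signature_verifies": verify(forged_m, forged_s),      # challenge 3
        "blinded_equals_direct": blind_sign(m1, rng) == sign(m1),     # challenge 4
        "product_signature_verifies": verify(prod_m, prod_s),         # challenge 4, general form
    }
```

Every entry returned by `demo()` is True: with the raw integer as m, the signer cannot distinguish a blinded request from an honest one, and anyone holding two signatures can manufacture a third. The message-representative design principles that follow in the entry exist to break each of these properties in turn.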
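The index-calculus forgery against hash-then-sign with a short hash, as an added example (not code from the entry, from [7] or from [14]). It assumes a signer that applies equation (1) directly to a 20-bit truncation of SHA-256 and signs any message it is handed; the key, the hash truncation, the smoothness bound 400 and all messages are constructed for the demonstration. The linear algebra is carried out modulo e, the form in which the Desmedt-Odlyzko attack is usually implemented; that choice is mine, not the entry's. The attacker collects signatures on benign-looking messages whose hashes factor over the small primes, solves for a combination matching the target hash's factorization, and multiplies the signatures together.

```python
"""Index-calculus forgery of hash-then-raw-RSA signatures with a short hash.
Added example, not from the entry: toy key, truncated hash and messages
are all constructed here. Signer: s = Hash(M)^d mod n for any M requested."""
import hashlib

P, Q, E = 104729, 1299709, 65537          # constructed toy key (not secure)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
HASH_BITS = 20                            # "short hash": 2^20 is tiny next to n
BOUND = 400                               # factor base: primes below BOUND
PRIMES = [p for p in range(2, BOUND) if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def short_hash(msg):
    """m = Hash(M): SHA-256 truncated to HASH_BITS bits (toy construction)."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:4], "big") >> (32 - HASH_BITS)


def sign(msg):
    return pow(short_hash(msg), D, N)          # equation (1) applied to the hash


def verify(msg, sig):
    return pow(sig, E, N) == short_hash(msg)   # equation (2)


def factor_over_base(m):
    """Exponent vector of m over PRIMES, or None if m is not BOUND-smooth."""
    if m <= 0:
        return None
    vec = [0] * len(PRIMES)
    for k, p in enumerate(PRIMES):
        while m % p == 0:
            m //= p
            vec[k] += 1
    return vec if m == 1 else None


def solve_mod_e(vectors, target):
    """Coefficients c with sum_i c_i * vectors[i] == target (mod E), or None.
    Gaussian elimination over GF(E): one unknown per relation, one equation per prime."""
    n_unk, n_eq = len(vectors), len(target)
    M = [[vectors[i][j] % E for i in range(n_unk)] + [target[j] % E] for j in range(n_eq)]
    pivots, rank = [], 0
    for col in range(n_unk):
        piv = next((r for r in range(rank, n_eq) if M[r][col]), None)
        if piv is None:
            continue                              # free unknown, left at 0
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], -1, E)
        M[rank] = [(x * inv) % E for x in M[rank]]
        for r in range(n_eq):
            if r != rank and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % E for a, b in zip(M[r], M[rank])]
        pivots.append(col)
        rank += 1
    if any(M[r][n_unk] for r in range(rank, n_eq)):
        return None                               # target not in the span: need more relations
    c = [0] * n_unk
    for r, col in enumerate(pivots):
        c[col] = M[r][n_unk]
    return c


def collect_relations(max_queries=5000):
    """Ask the signer for ordinary-looking messages; keep those with smooth hashes."""
    rels = []
    for i in range(max_queries):
        msg = b"invoice #%d" % i                   # constructed chosen messages
        vec = factor_over_base(short_hash(msg))
        if vec is not None:
            rels.append((vec, sign(msg)))
        if len(rels) >= 2 * len(PRIMES):
            break
    return rels


def forge(target_msg, rels):
    """Signature on target_msg built only from the collected relations, or None."""
    t = factor_over_base(short_hash(target_msg))
    if t is None:
        return None                               # target hash not smooth: try another
    used = [any(v[j] for v, _ in rels) for j in range(len(PRIMES))]
    if any(tj and not u for tj, u in zip(t, used)):
        return None                               # needs a prime no relation contains
    c = solve_mod_e([v for v, _ in rels], t)
    if c is None:
        return None
    # sum_i c_i v_i = t + E*delta, hence prod_i s_i^c_i = h^d * prod_j p_j^delta_j (mod n),
    # because p^(dE) == p (mod n). Dividing out the p_j^delta_j leaves h^d.
    sig = 1
    for (v, s), ci in zip(rels, c):
        sig = sig * pow(s, ci, N) % N
    for j, p in enumerate(PRIMES):
        delta = (sum(ci * v[j] for (v, _), ci in zip(rels, c)) - t[j]) // E
        sig = sig * pow(p, -delta, N) % N
    return sig


def demo():
    """Forge a signature on a message the signer never saw; returns (message, verifies)."""
    rels = collect_relations()
    for i in range(100000):
        target = b"pay the attacker #%d" % i       # never submitted to the signer
        sig = forge(target, rels)
        if sig is not None:
            return target, verify(target, sig)
    return None, False
```

With a 20-bit hash the attacker needs only a few hundred signed invoices before it can sign a chosen "pay the attacker" message; the cost of the attack grows with the smoothness bound needed, which is why the entry's remedy is to make the hash value as long as the modulus.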
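Returning to the RIPEMD entry at the head of this page: the following is an added example (not the entry's code and not the designers' reference implementation) that implements the compression function shown there for both RIPEMD-128 and RIPEMD-256 from one shared two-line core, so that the only difference between the two, how the left and right lines are combined, is confined to a few lines. The message-word orders r(i) and r'(i), the rotation amounts, the functions f_i and the constants K_i and K'_i are those of RIPEMD-128, written out here because the entry only refers to them; the rotation table is indexed by round and message word, which is what the entry's notation s_i(r(i)) expresses. The functions return the designers' published values for the empty string and "abc".

```python
"""RIPEMD-128 and RIPEMD-256 from one shared two-line core.
Added example; tables are those of RIPEMD-128, which the entry refers to."""
import struct

MASK = 0xFFFFFFFF


def rol(x, n):
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK


# f_1..f_4: the left line uses them in this order in rounds 1..4, the right
# line in reverse order (f_{63-i} in the entry's notation).
F = [
    lambda x, y, z: x ^ y ^ z,
    lambda x, y, z: (x & y) | (~x & z),
    lambda x, y, z: (x | ~y) ^ z,
    lambda x, y, z: (x & z) | (y & ~z),
]
R_LEFT = [                                  # r(i): message-word index, 16 per round
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15],
    [7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8],
    [3, 10, 14, 4, 9, 15, 8, 1, 2, 7, 0, 6, 13, 11, 5, 12],
    [1, 9, 11, 10, 0, 8, 12, 4, 13, 3, 7, 15, 14, 5, 6, 2],
]
R_RIGHT = [                                 # r'(i)
    [5, 14, 7, 0, 9, 2, 11, 4, 13, 6, 15, 8, 1, 10, 3, 12],
    [6, 11, 3, 7, 0, 13, 5, 10, 14, 15, 8, 12, 4, 9, 1, 2],
    [15, 5, 1, 3, 7, 14, 6, 9, 11, 8, 12, 2, 10, 0, 4, 13],
    [8, 6, 4, 1, 3, 11, 15, 0, 5, 12, 2, 13, 9, 7, 10, 14],
]
S = [                                       # s_j(k): rotation for message word k in round j
    [11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8],
    [12, 13, 11, 15, 6, 9, 9, 7, 12, 15, 11, 13, 7, 8, 7, 7],
    [13, 15, 14, 11, 7, 7, 6, 8, 13, 14, 13, 12, 5, 5, 6, 9],
    [14, 11, 12, 14, 8, 6, 5, 5, 15, 12, 15, 14, 9, 9, 8, 6],
]
K_LEFT = [0x00000000, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC]
K_RIGHT = [0x50A28BE6, 0x5C4DD124, 0x6D703EF3, 0x00000000]   # K'_i = 0 for 48 <= i <= 63


def run_lines(left, right, X, swap):
    """Both 64-step lines on one 16-word block X. swap=True applies the
    RIPEMD-256 exchange of A, B, C, D with A', B', C', D' after rounds 1..4."""
    A, B, C, D = left
    A2, B2, C2, D2 = right
    for i in range(64):
        j = i // 16                                   # round 0..3
        r, r2 = R_LEFT[j][i % 16], R_RIGHT[j][i % 16]
        T = rol((A + F[j](B, C, D) + X[r] + K_LEFT[j]) & MASK, S[j][r])
        T2 = rol((A2 + F[3 - j](B2, C2, D2) + X[r2] + K_RIGHT[j]) & MASK, S[j][r2])
        A, D, C, B = D, C, B, T
        A2, D2, C2, B2 = D2, C2, B2, T2
        if swap and i % 16 == 15:
            if j == 0:
                A, A2 = A2, A
            elif j == 1:
                B, B2 = B2, B
            elif j == 2:
                C, C2 = C2, C
            else:
                D, D2 = D2, D
    return (A, B, C, D), (A2, B2, C2, D2)


def _blocks(msg):
    """MD4-style padding: 0x80, zeros, then the 64-bit little-endian bit length."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    return [struct.unpack("<16I", padded[o:o + 64]) for o in range(0, len(padded), 64)]


def ripemd128(msg):
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for X in _blocks(msg):
        (A, B, C, D), (A2, B2, C2, D2) = run_lines(h, h, X, swap=False)
        # RIPEMD-128: the two halves are added to each other and to the chaining value
        h = [(h[1] + C + D2) & MASK, (h[2] + D + A2) & MASK,
             (h[3] + A + B2) & MASK, (h[0] + B + C2) & MASK]
    return struct.pack("<4I", *h).hex()


def ripemd256(msg):
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476,
         0x76543210, 0xFEDCBA98, 0x89ABCDEF, 0x01234567]
    for X in _blocks(msg):
        left, right = run_lines(h[:4], h[4:], X, swap=True)
        # RIPEMD-256: each line is added back to its own half of the chaining value
        h = [(a + b) & MASK for a, b in zip(h, left + right)]
    return struct.pack("<8I", *h).hex()
```

Both functions run the same 64 steps per block; RIPEMD-256 keeps eight chaining words instead of four and exchanges one register between the lines at the end of each round, which is all that the longer output costs in code.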