We currently live in an information society. As information and communication technologies develop at an ever growing pace, the number of people who take these technologies as daily needs is also increasing. This development has brought substantial benefits but also introduced novel threats and vulnerabilities related to leakage of confidential information, the theft of identities and the unauthorized modification of data. These threats and vulnerabilities show the need for the development of a reliable and trustworthy information infrastructure. This requires trustworthy systems and an essential building block for such systems is the main topic of cryptography.Cryptography [1] is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication. It is a synthetical discipline and makes extensive use of mathematics such as number theory, probability, statistics and combinatorics as well as of information theory, computational complexity and coding theory. There exist various cryptographic algorithms that provide confidentiality, data integrity and entity authentication services.Hash Function plays a very important role in modern cryptography. It compresses an input of arbitrary length to a result with a fixed length, and we name the result of hash functions as hash value. Because of theirs definitions and properties, hash functions can be used to data integrity and be guarantee the security of many cryptosystems and protocols such as digital signature, message authentication code, etc. There are several advantages to using hash functions for digital schemes: breaking the mathematical structure of some digital schemes; improving the implement speed of digital schemes; ignoring the message corresponding to signature; separating the signature and encryption.Currently, the standard hash functions are consist of two families: MDx family(MD4 [11], MD5 [2], HAVAL [12], RIPEMD [13], RIPEMD128 [6], RIPEMD160 [6]) and SHA family( SHA0 [14], SHA1 [3], SHA256, 384, 512 [15]). These hashing algorithms reveal the main deign methods and techniques of hash functions. MD4 is an earlyappeared hash function which is designed using basic arithmetic and boolean operations in terms of the conception of " iterated " and MerkleDamgard construction [30, 43]. After the publication of MD4, several hash functions have been designed, including MD5, HAVAL, RIPEMD, RIPEMD128, RIPEMD160, SHA0 and SHA1, etc., most of them are based on the design principles of MD4. RIPEMD was devised in the framework of the EU project RIPE [13]. RIPEMD128 was proposed in 1996 by Hans Dobbertin, Antoon Bosselaers and Bart Preneel as a substitute for RIPEMD with a 128bit result. RIPEMD128 has two different and independent parallel lines that we named left line and right line respectively, the results of which are combined at the end of every application of the compression function. Each line has four rounds, and every round employs a round function which has different properties used in our attack.Generally speaking, hash functions have three security properties, including preimage resistance, secondpreimage resistance, collision resistance. So there are many different attacks on hash functions. In the past ten years, the cryptanalysis for hash functions has made much great progress. The most important generic attack on the collision resistance is the birthday attack, whose name comes from the socalled " birthday paradox ". It can be used to all kinds of hash functions and the complexity depends on the length of hash value. In 1996, H. Dobbertin [16] gave a collision attack on MD4 which finds a collision with probability 2^{22} . He also showed how to find collisions of meaningful messages. In 1998, H. Dobbertin [17] showed that the first two (out of the total three) rounds of MD4 is not oneway, and this means that there is an efficient attack for finding a preimage and a secondpreimage. For RIPEMD, H. Dobbertin [18] gave an attack that finds a collision of RIPEMD reduced to two rounds with 2^{31} hash operations.Along with the development of the MDxfamily of hash functions, there are security analysis on these functions. For example, B. den Boer and A. Bosselaers [19] found pseudocollisions (same message with two different initial values) for MD5. In Eurocrypto ' 96, H. Dobbertin [20] presented a collisions of MD5, under another initial value. In Crypto ' 98. F. Chabaud and A. Joux [21] presented a differential attack on SHA0 with probability 2^{61} . At Asiacrypt 2003. B.V. Rompay etc. [22] gave a collision attack on HAVAL128 with probability 2^{29}.Some powerful attacks on hash functions came out in 2004. Eli Biham and Rafi Chen [23] presented a nearcollision attack on SHA0. Then, A. Joux [25] presented a real collision of SHA0 with four message blocks. Especially, in Crypto' 2004, Xiaoyun Wang etc. [7, 8, 9, 10] announced real collisions of a series of hash functions including MD4, MD5, HAVAL128 and RIPEMD, which can be found collisions on MD4 and RIPEMD with complexity less than 2^{8} MD4 operations and 2^{18} RIPEMD operations respectively. Simultaneously, Wang etc. also introduce a set of new analytical techniques that are applicable to all the hash functions in the MDxfamily. More specifically, they show how to derive a set of the sufficient conditions on the chaining values to ensure the differential path to hold, and how to use message modification techniques to greatly improve the success probability of the attack. Subsequently, in 2005, Wang used these techniques to break MD5, SHA0 and SHA1. These techniques have proved to be very effective in cryptanalysis of dedicated hash functions. This attack also can be used to secondpreimage attack on MD4 [26] and forgery and key recovery attack on HMAC and NMAC [28].Differential cryptanalysis [34] introduced by Biham and Shamir in 1990. is one of the most powerful chosen plaintext (or chosen ciphertext) attacks in symmetric key cryptography (i.e., in block ciphers, stream ciphers, hash functions and MAC algorithms). The attack is a method which analyzes the effect of particular differences in plaintext pairs on the differences of the resultant ciphertext pairs. These differences can be used to assign probabilities to the possible keys and to locate the most probable key. Xiaoyun Wang uses the conception of differences that is different from the conventional differential analysis to attack MD4, RIPEMD, HAVAL, MD5, SHA0, SHA1[7, 8, 9, 10]. The differential definition in this attack is a kind of precise differential which uses the difference in term of integer modular subtraction, similarly as Dobbertin's method [16, 20, 18], also use modular characteristics, which describe for each round with both the differences in term of integer modular subtraction and the differences in term of XOR. The combination of both kinds of differences give attackers more information to find collisions.In this thesis, we detailedly introduce hash functions, including general definitions, properties, design principles, applications and several attacks on hash functions. The main contribution of this thesis include two parts. One is the study of collision attack on the last three rounds of RIPEMD128 in Chapter 4. Another is the cryptanalysis for HMACMD4 in Chapter 5. The two parts use the techniques proposed by Xiaoyun Wang.In Chapter 4. we define integer modular substraction difference as:â–³X = X'  X for two parameters X and X'. In this attack, the difference is marked as a positive or a negative integer (modulo 2^{32}) and also with the XORdifference. But then the XORdifference is marked by the list of active bits with their relative sign, i.e., in the list of bits, the bits whose value in X is zero are marked without a sign, and the values whose value in X is 1 are marked with a negative sign. For example, the difference 2^{23}, [24, 25, 26, 27, 28, 29] marks the integer modular subtraction difference X'X = 2^{23}, with many carries which start from bit 24 up to 29 bit . All bits of X from bit 24 to bit 28 are 0, and bit 29 is 1, while all bits of X' from bit 24 to bit 28 are 1, and bit 29 is 0. The XORdifference has many difference due to carries.The attack includes three parts:Step 1 Select a collision differential for the last three rounds of RIPEMD128Because RIPEMD128 has two different and independent parallel line, it is difficult to choose differences that suffice to the differential path of two lines simultaneously. After analyzing the order of the message words and the properties of round functions seriously, and considering implementation of message modification, we select a difference between two messages for cur attack as follows, which is a twobit difference.such thatThe output differences are:We can get the collision differential path of Left Line and Right Line, respectively. All the characteristics in the collision differential can be found in Table 4.1 and Table 4.2 in Chapter 4.Step 2. Deriving Conditions on Chaining ValueIn light of properties of round functions and differential characteristics, we derive sufficient conditions corresponding to Left line and Right line respectively which ensure the collision differential to hold. It is also an important process in our attack. If there are some conflicts among those conditions or can not satisfy differential characteristics, it shows that the differential path is error and we can not find a collision.We give two examples how to derive sufficient conditions as follows:1. The differential characteristic in step 19 in Left line is: (c_{5}[11, 12,13,32], d_{5}, a_{5}[31], b_{4}(4,25,31]),For F_{3}{X, Y, Z) = (Xâˆ¨(?)Y) (?) Z, according to Proposition 33(a) in Chapter 3. F_{3}(x,y,0) = 0 and F_{3}(x,y,1) = 1 if and only if x = 0 and y = 1, the conditions d_{5,25} 0,a_{5,25}= 1, and b_{4,25}= 0 result in F_{3}(d_{5,25}, a_{5,25}, b_{4,25}) = 0 and F_{3}(d_{5,25},a_{5,25} ,(?)b_{4,25}) = 1. Soâ–³f_{19}[25] = 2^{24}. Thenâ–³c_{5}[32] = ((â–³c_{4}[24] +â–³m_{14} +â–³f_{19}[25]) mod 2^{32}) <<< 6 = ((2^{23} + 2^{23} + 2^{24}) mod 2^{32}) <<< 6 = 2^{31}.2. The differential characteristic in step 18 in Right Line is:(a_{5}[5, 6], b_{4}[5,16, 17, 24], c_{4}[13, 26, 27, 28,29], d_{4})â†’(d_{5}[13, 24, 25. 26, 31, 32], a_{5}[5, 6], b_{4}[5,16, 17, 24], c_{4}[13, 26, 27, 28, 29]),For F_{2}(X,Y,Z) = (Xâˆ§Y)âˆ¨((?)Xâˆ§Z) , according to Proposition 22(b), F_{2}(x,0,z) = 0 and F_{2}(x, 1,z) = 1 if and only if x = 1, the conditions a_{5,17}= 1 and b_{4,17} = 1 result in F_{2}(a_{5,17},b_{4,17},c_{4,17}) = 1 and F_{2}(a_{5,17},(?)b_{4,17},c_{4,17}) = 0. Soâ–³d_{5}[24,25, 26] = 2^{23}. The conditions d_{5,24}= 0,d_{5,25}=0,d_{5,26} = 1 ensure that d'_{5}=d_{5}[24,25,26].Table 4.3 and 4.4 show how to derive a set of sufficient conditions using the approaches described above. At last, all sufficient conditions for two lines of the last three rounds of RIPEMD128 are listed in Table 4.5 and 4.6.It is clear that the collision differential consists of two internal collisions respectively from 433 steps and 936 steps.Step 3. Message ModificationFor any random message M, we use singlestep modification to decrease the conditions in the first round and use multistep modification to decrease more conditions. These modifications must satisfy the differential path and can not produce contradictions. At last, we can derive the corresponding 19 and 36 conditions respectively, totaled 55 conditions.We can find a collision on the last three rounds of RIPEMD128 with probability 2^{55}, and it is lower than the birthday attack probability 2^{64}. Because RIPEMD128 has two different and independent parallel lines, and its round functions are different from others standards hash, functions, it is difficult to find efficient collision differential paths and sufficient conditions. The result of the attack in this thesis is the first cryptanalytic result for the last three rounds of RIPEMD128 now.In Chapter 5. our cryptanalysis is based on the collision attack on MD4. Firstly, we show the differential path used in our attacks. Define two messages asThe difference between two messages isWe select the difference in our attack as follows:We can get a differential path in Table 5.1.Secondly, in light of the properties of round functions, we derive a set of sufficient conditions given in Table 5.2 that ensure differential characteristics to Isold. It is clear that we find a near collision with the probability 2^{54}.Finally, we use the near collision for MD4 to attack the inner function of HMACMD4. Our attack is applied to distinguishing attack and partial key recovery attack on the inner function of HMACMD4. We can mount a distinguishing attack on the inner function of HMACMD4 that requires 2^{54} message pairs and works with the probability of 0.63. From Table 5.2, (d_{4}[7] , a_{4}, b_{3}[28. 29., 30, 31. 32]. c_{3}) result in 22 conditions. This means we can recover the inner key that know 22bit key and the others 106bit with brute force attack.
