The hash function RIPEMD-160

What is RIPEMD-160?

RIPEMD-160 is a 160-bit cryptographic hash function, designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. It is intended to be used as a secure replacement for the 128-bit hash functions MD4, MD5, and RIPEMD. MD4 and MD5 were developed by Ron Rivest for RSA Data Security, while RIPEMD was developed in the framework of the EU project RIPE (RACE Integrity Primitives Evaluation, 1988-1992). There are two good reasons to consider such a replacement:

RIPEMD-160 is a strengthened version of RIPEMD with a 160-bit hash result, and is expected to be secure for the next ten years or more. The design philosophy is to build as much as possible on experience gained by evaluating MD4, MD5, and RIPEMD. Like its predecessors, RIPEMD-160 is tuned for 32-bit processors, which we feel will remain important in the coming decade.

RIPEMD-128 is a plug-in substitute for RIPEMD (or MD4 and MD5, for that matter) with a 128-bit result. In view of the result of Paul van Oorschot and Mike Wiener mentioned earlier, 128-bit hash results do not offer sufficient protection for the next ten years, and applications using 128-bit hash functions should consider upgrading to a 160-bit hash function.

RIPEMD-256 and RIPEMD-320 are optional extensions of, respectively, RIPEMD-128 and RIPEMD-160, and are intended for applications of hash functions that require a longer hash result without needing a larger security level.

Where do I find a description of RIPEMD-160?

A full description and reference C software for the RIPEMD-160 and RIPEMD-128 hash functions are available via anonymous ftp. The implementations are written for the sole purpose of documentation. No optimization whatsoever is performed: only readability and portability were kept in mind. See the README file for more information.

This figure gives you a first idea of RIPEMD-160. Pseudocode for RIPEMD-160 and RIPEMD-128 are provided for, as well as test values, which are given in the table below. The messages are given in ASCII format, while the corresponding hash results are in hexadecimal format.


Hash result using RIPEMD-160

Hash result using RIPEMD-128

"" (empty string) 9c1185a5c5e9fc54612808977ee8f548b2258d31 cdf26213a150dc3ecb610f18f6b38b46
"a" 0bdc9d2d256b3ee9daae347be6f4dc835a467ffe 86be7afa339d0fc7cfc785e72f578d33
"abc" 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc c14a12199c66e4ba84636b0f69144c77
"message digest" 5d0689ef49d2fae572b881b123a85ffa21595f36 9e327b3d6e523062afc1132d7df9d1b8
"a...z"1 f71c27109c692c1b56bbdceb5b9d2865b3708dbc fd2aa607f71dc8f510714922b371834e
"abcdbcde...nopq"2 12a053384a9c0c88e405a06c27dcf49ada62eb2b a1aa0689d0fafa2ddc22e88b49133a06
"A...Za...z0...9"3 b0e20b6e3116640286ed3a87a5713079b21f5189 d1e959eb179c911faea4624c60c5c702
8 times "1234567890" 9b752e45573d4b39f4dbd3323cab82bf63326bfb 3f45ef194732c2dbb2c4a2c769795fa3
1 million times "a" 52783243c1697bdbe16d37f97f68f08325dc1528 4a7f5723f954eba1216c9d8f6320431f
  1. "abcdefghijklmnopqrstuvwxyz"
  2. "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
  3. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

And what about SHA-1?

An alternative to RIPEMD-160 is SHA-1. It also has a 160-bit hash result, and because of some of its properties it is quite likely that it is not vulnerable to the known attacks on the MD4-like hash functions. However, and in contrast to RIPEMD-160, both its design criteria and the attack on the first version are secret.

How fast is RIPEMD-160?

The following table gives an idea of the performance of the different MD4-like hash functions. The implementations are written in 80x86 assembly language and are optimized for the Pentium processor. It is assumed that both code and data resides in the on-chip caches. Under these conditions the cycle figures are independent of the clock speed, and the throughput figures scale with the clock speed.

Algorithm cycles Mbit/sec Mbyte/sec relative performance
MD4 241 191.2 23.90 1.00 UPDATED
MD5 337 136.7 17.09 0.72 UPDATED
RIPEMD 480 96.0 12.00 0.50 UPDATED
RIPEMD-128 592 77.8 9.73 0.41 UPDATED
SHA-1 837 55.1 6.88 0.29 UPDATED
RIPEMD-160 1013 45.5 5.68 0.24 UPDATED

Table 1: Performance of optimized assembly language implementations of MD4-like hash functions on a 90 MHz Pentium using a 32-bit flat memory model (i.e., running in native protected mode).

More information on these implementations can be found in: A. Bosselaers, R. Govaerts and J. Vandewalle, ``Fast hashing on the Pentium,'' Advances in Cryptology, Proceedings Crypto'96, LNCS 1109, N. Koblitz, Ed., Springer-Verlag, 1996, pp. 298-312, and in the short note ``Even faster hashing on the Pentium,'' presented at the rump session of Eurocrypt'97.

What else should I know about RIPEMD-160?

RIPEMD-160 and RIPEMD-128 are not patented (nor are the optional extensions). Naturally, if you do decide to use either of them, we would love to hear about it.

RIPEMD-160, RIPEMD-128 and the optional extension RIPEMD-256 have object identifiers defined by the ISO-identified organization TeleTrusT, both as hash algorithm and in combination with RSA.

ISO {1}
identified organization {1.3}
teletrust {1.3.36}
algorithm {}
   hashAlgorithm {}
      ripemd160 {}
      ripemd128 {}
      ripemd256 {}
   signatureAlgorithm {}
      rsaSignature {}
         rsaSignatureWithripemd160 {}
         rsaSignatureWithripemd128 {}
         rsaSignatureWithripemd256 {}

RIPEMD-160 is also part of the ISO draft standard ISO/IEC DIS 10118-3 on dedicated hash functions, together with RIPEMD-128 and SHA-1.

More information about RIPEMD-160 can, e.g., be found in the following publications:

  1. H. Dobbertin, A. Bosselaers, B. Preneel, ``RIPEMD-160, a strengthened version of RIPEMD,'' Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 71-82.
  2. H. Dobbertin, ``Digitale Fingerabdrücke; Sichere Hashfunktionen für digitale Signaturen,'' Datenschutz und Datensicherheit, Vol. 21, No. 2, 1997, pp. 82-87.
  3. ISO/IEC 10118-3, ``Information technology - Security techniques - Hash-functions - Part 3: Dedicated hash-functions,'' draft (DIS), 1997.
  4. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC press, 1996, Section 9.4.2, pp. 349-351.
  5. A. Bosselaers, H. Dobbertin, B. Preneel, ``The RIPEMD-160 cryptographic hash function,'' Dr. Dobb's Journal, Vol. 22, No. 1, January 1997, pp. 24-28.
  6. B. Preneel, A. Bosselaers, H. Dobbertin, ``The cryptographic hash function RIPEMD-160,'' CryptoBytes, Vol. 3, No. 2, 1997, pp. 9-14.

Optional extensions to 256 and 320 hash results: RIPEMD-256 and RIPEMD-320

Some applications of hash functions require a longer hash result without needing a larger security level. To this end RIPEMD-256 and RIPEMD-320 are constructed from, respectively, RIPEMD-128 and RIPEMD-160 by initializing the two parallel lines with different initial values, omitting the combination of the two lines at the end of every application of the compression function, and exchanging a chaining variable between the 2 parallel lines after each round. Remark that the security level of the 320-bit extension of RIPEMD-160 is only guaranteed to be the same as that of RIPEMD-160 itself, and similarly for the 256-bit extension of RIPEMD-128 with respect to RIPEMD-128 itself.

Pseudocode for RIPEMD-256 and RIPEMD-320 are provided for, as well as test values, which are given in the tables below. The messages are given in ASCII format, while the corresponding hash results are in hexadecimal format.


Hash result using RIPEMD-256

"" (empty string) 02ba4c4e5f8ecd1877fc52d64d30e37a2d9774fb1e5d026380ae0168e3c5522d
"a" f9333e45d857f5d90a91bab70a1eba0cfb1be4b0783c9acfcd883a9134692925
"abc" afbd6e228b9d8cbbcef5ca2d03e6dba10ac0bc7dcbe4680e1e42d2e975459b65
"message digest" 87e971759a1ce47a514d5c914c392c9018c7c46bc14465554afcdf54a5070c0e
"a...z"1 649d3034751ea216776bf9a18acc81bc7896118a5197968782dd1fd97d8d5133
"abcdbcde...nopq"2 3843045583aac6c8c8d9128573e7a9809afb2a0f34ccc36ea9e72f16f6368e3f
"A...Za...z0...9"3 5740a408ac16b720b84424ae931cbb1fe363d1d0bf4017f1a89f7ea6de77a0b8
8 times "1234567890" 06fdcc7a409548aaf91368c06a6275b553e3f099bf0ea4edfd6778df89a890dd
1 million times "a" ac953744e10e31514c150d4d8d7b677342e33399788296e43ae4850ce4f97978


Hash result using RIPEMD-320

"" (empty string) 22d65d5661536cdc75c1fdf5c6de7b41b9f27325ebc61e8557177d705a0ec880151c3a32a00899b8
"a" ce78850638f92658a5a585097579926dda667a5716562cfcf6fbe77f63542f99b04705d6970dff5d
"abc" de4c01b3054f8930a79d09ae738e92301e5a17085beffdc1b8d116713e74f82fa942d64cdbc4682d
"message digest" 3a8e28502ed45d422f68844f9dd316e7b98533fa3f2a91d29f84d425c88d6b4eff727df66a7c0197
"a...z"1 cabdb1810b92470a2093aa6bce05952c28348cf43ff60841975166bb40ed234004b8824463e6b009
"abcdbcde...nopq"2 d034a7950cf722021ba4b84df769a5de2060e259df4c9bb4a4268c0e935bbc7470a969c9d072a1ac
"A...Za...z0...9"3 ed544940c86d67f250d232c30b7b3e5770e0c60c8cb9a4cafe3b11388af9920e1b99230b843c86a4
8 times "1234567890" 557888af5f6d8ed62ab66945c6d2a0a47ecd5341e915eb8fea1d0524955f825dc717e4a008ab2d42
1 million times "a" bdee37f4371e20646b8b0d862dda16292ae36f40965e8c8509e63d1dbddecc503e2b63eb9245bb66
  1. "abcdefghijklmnopqrstuvwxyz"
  2. "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
  3. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

What about MDx-MAC for RIPEMD-160?

At Crypto'95 Bart Preneel and Paul van Oorschot proposed a new generic construction (MDx-MAC) for transforming any secure hash function of the MD4-family into a secure MAC of equal or smaller bitlength and comparable speed. Reference C software for the MDx-MACs based on RIPEMD-160 and RIPEMD-128 is now available via anonymous ftp. Like for the corresponding hash functions the implementations are written for the sole purpose of documentation. No optimization whatsoever is performed: only readability and portability were kept in mind. See again the README file for more information.

The table below lists the constants T0, T1, and T2 for both RIPEMD160-MAC and RIPEMD128-MAC, all in hexadecimal format.




T0 1cc7086a046afa22353ae88f3d3daceb fd7ec18964c36d53fc18c31b72112aac
T1 e3fa02710e491d851151cc34e4718d41 2538b78ec0e273949ee4c4457a77525c
T2 93987557c07b8102ba592949eb638f37 f5c93ed85bd65f609a7eb182a85ba181

Test values for two different keys (both in hexadecimal format) are given in the table below. The messages are given in ASCII format, while the corresponding MAC results are in hexadecimal format (the full length result is given).


MAC result using RIPEMD160-MAC with key

MAC result using RIPEMD160-MAC with key

"" (empty string) b7f4508111eb8c3b5229c6aed406de9eca640133 b45d6ca84cfb9020e0d5aba2a7609d3d81f3f57f
"a" bc78f55933bceb1ee85a906f9e18374f23e310f9 8844375992037d1bcd0d118ee548d70c3f19cbbb
"abc" 6300dc20e97a5aa29db9c7d607d23d126fa36863 917c59b8ac7fc19dc25bef82766412fa16bbc6a7
"message digest" 3a2ac89b78eeab8759f5112bcad4cd405eeb5d35 e0737cc7976d8f424390cb8798d623d751afe15a
"a...z"1 16dc174925bbc27e0c93d426c346846f97f8bc69 d57fae836870718efa4bd4a5f2f322a179a8735e
"abcdbcde...nopq"2 e062210ba5c9c94737bf3a6e85b3b5664fbd1d4e 42b20d4c8fd5e8672760cf83c0478d7bf8021404
"A...Za...z0...9"3 9b462d5cbdae1485ffe10bc001ef9e3af6d128b5 63dea9dd7b52cc8c058b2d55b63e1874f8d85c96
8 times "1234567890" 88e73a01a1de36c92d6f9e41f7278d407b4a4ccd 10441df4f68ce8815818dc0fb370abf87bca4464
1 million times "a" e7b128e4a1842b750f1e61a486c867c4887a4b21 e06ad21d2af04dd4217ab03b1a578f036997d01a


MAC result using RIPEMD128-MAC with key

MAC result using RIPEMD128-MAC with key

"" (empty string) a47a64e9ede0741b3fdde33e5c1c6d78 35fa3ac39f50f2a4e3ffc7af5776b4eb
"a" 51355051852fdc79fb228eac905633ad a89e25e6796747b630a2a00b802ea53e
"abc" d83940daffbd4cbbe6ba30a6f9e63f5f 66339027a36608ebd932dd551616e7b2
"message digest" 1a7cfe2bb26e973e213c1cb96fa4c2ef 1f8779bad84b50373931211a2761ead3
"a...z"1 798aeac6046b31907c197bd68e59d376 31bf5b5b7abac2567dc0e02f1c3a25d7
"abcdbcde...nopq"2 0b8e1d4a571f32657189e22a1f2f4a53 b5b8ba3b8ea895fbc83cb7588fbd2656
"A...Za...z0...9"3 b814730f482300c6e474fd255a66d680 8d27bbec257c848d5cf375eb5eda4cc7
8 times "1234567890" 9060a30758ebe3368d939ac168f1a9fd b40b5bf6727de90b26f770850f059c89
1 million times "a" 20763fdedf01e56ff5756954302c7de0 76c7bc831b0bce593dfd44e8e054a373
  1. "abcdefghijklmnopqrstuvwxyz"
  2. "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
  3. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

Still more questions?

Do not hesitate to contact us: Hans Dobbertin, Antoon Bosselaers, or Bart Preneel

Back to:

This page is maintained by Antoon Bosselaers.