Why was the RIPEMD-160 hash algorithms chosen before SHA-1?

Bitcoin uses both SHA-256 and RIPEMD-160 hashes. Most often a double-round SHA-256 is used, but for address generating, RIPEMD-160 is used because it generates a shorter hash value. RIPEMD-160 has a 160-bit or 20-byte hash value while SHA-256 has a 256-bit or 32-byte.

So RIPEMD-160 is used for it's shorter hash. However, SHA-1 also produces a 160-bit hash. RIPEMD-160 is a less popular algorithm but in fact achieves exactly the same as SHA-1 does.

The only real difference I can find on the internet is in the following fragment from RIPEMD-160's Wikipedia page:

RIPEMD-160 was designed in the open academic community, in contrast to the NSA designed SHA-1 and SHA-2 algorithms. On the other hand, RIPEMD-160 appears to be used somewhat less frequently than SHA-1, which may have caused it to be less scrutinized than SHA. RIPEMD-160 is not known to be constrained by any patents.

Are patent issues the reason? Why is SHA-1 a problem but SHA-256 not? I know that SHA-1 and SHA-2 (of which SHA-256 is a part) are different iterations of the SHA initiative and so probably have very different legal implementation.

Does anyone really knows why RIPEMD-160 was chosen before the more popular SHA-1?

Steven Roose

Posted 2013-11-11T01:37:17.903

Reputation: 10 855

Answers

There are a multitude of reasons.

As @ThePiachu mentioned, there is a theoretical 2^60 bit attack that is possible on SHA-1, meaning that the algorithm is weaker than designed.
RIPEMD-160 was designed in the open academic community, in contrast to the NSA designed SHA-1 and SHA-2 algorithms.

It is worth noting that Satoshi could've used SHA2-256 twice and truncated the second digest to 160 bits as this is equally secure. The fact that he didn't is some evidence to show that his decision was a conscious decision to use RIPEMD-160 over the NSA suit of algorithms.
Lastly, I believe RIPEMD is based on a different design to the SHA1/SHA2 algorithms, and thus attacks that apply to one may not be transferable to the other (which is good).

liamzebedee

Posted 2013-11-11T01:37:17.903

Reputation: 133

Only the first is really an argument. The other two can be refuted by the fact that SHA-256 is used instead of another 256-bit hash. SHA-256 is probably chosen for it's popularity, so why wouldn't SHA-1 be chosen for the same reason? – Steven Roose – 2013-11-11T13:37:07.167

I don't quite agree. Just because one of the algorithms (SHA-256) is NSA-designed, doesn't mean that it still isn't a benefit to use an algorithm designed by another institution. – liamzebedee – 2013-11-11T23:16:30.417

It is worth noting that Satoshi could've used SHA2-256 twice and truncated the second digest to 160 bits. The fact that he didn't I think is some evidence to show that Satoshi's decision was a conscious decision to use RIPEMD-160 over the NSA suit of algorithms.

(http://crypto.stackexchange.com/questions/3153/sha-256-vs-any-256-bits-of-sha-512-which-is-more-secure)

– liamzebedee – 2013-11-11T23:22:10.393

I don't say that he should have used SHA-1 because it's NSA-designed. Just saying that it's weird that he uses SHA-256 for a 256-bit hash but RIPEMD-160 for a 160-bit hash while the same family of hashes that SHA-256 is in has a 16-bit variant as well. (I know that SHA-1 and SHA-2 are not entirely from the same family, but they share the same name..) – Steven Roose – 2013-11-12T02:08:29.323

It could be due to a theoretical 2^60 bit attack that is possible on SHA-1, meaning that the algorithm is weaker than designed. RIPEMD does not appear to have such weaknesses.

ThePiachu

Posted 2013-11-11T01:37:17.903

Reputation: 41 594

Hmm, I didn't know that. But still, chances are high that this theoretical flaw was found only because the algorithm is more popular than RIPEMD-160... – Steven Roose – 2013-11-11T12:34:37.913

I'm looking into this again. The use of RIPEMD-160 in Bitcoin is not for security. Finding a collision would only allow you to find the public key of the address, which won't grant you access to the coins. The security of the algorithm is not crucial for this case, so popularity would be the main deciding factor because it can strongly facilitate adoption. – Steven Roose – 2013-12-12T14:15:26.033

@StevenRoose Actually, if you can generate a RIPEMD collision for an Address with a different private key that you control, you could spend all of the money of that address. We would have to revert to "pay to public key" payment algorithm. – ThePiachu – 2013-12-12T18:41:06.487

Well, indeed. But collisions are generated by creating a specific input that will match a desired output. The inputs would be public keys. The public key from a private key is unpredictable and when you crack a hash function to generate collisions, I bet you want will do so with specific inputs, not random ones. – Steven Roose – 2013-12-13T11:10:29.750