RIPEMD-160
A 160-bit hash function developed by Dobbertin, Bosselaers, and Preneel in 1996 as part of the EU’s RIPE project, as an alternative to MD4 / MD5 / SHA-1. Two parallel computation lines make it noticeably harder to attack than SHA-1 in practice. RIPEMD-160 holds up cryptanalytically much better than its contemporaries but is too small for modern designs.
At a glance
| Output | 160 bits (20 bytes, 40 hex chars) |
|---|---|
| Block size | 512 bits |
| Construction | Merkle-Damgård with two parallel branches |
| Rounds | 5×16 per branch (160 ops total) |
| Standard | ISO/IEC 10118-3 |
| Collision security | ~2^80 generic; no practical break known |
| Preimage security | ~2^160 |
| Length extension | Yes |
| Status | Holds up cryptographically; output too small for new designs |
The RIPEMD family
- RIPEMD (1992): 128-bit original. Broken.
- RIPEMD-128: 128-bit successor. Comparable to MD5 in size and not recommended.
- RIPEMD-160: the one in widespread use.
- RIPEMD-256 / RIPEMD-320: larger variants; rarely used.
Where it is used
- Bitcoin address derivation: `RIPEMD-160(SHA-256(pubkey))` is the standard P2PKH address prefix. The 20-byte size is a Bitcoin design artifact from 2008.
- Ethereum address derivation: technically not RIPEMD-160 (Ethereum uses last-20-bytes of Keccak-256), but the precompile `0x3` exposes RIPEMD-160 for contract-side use.
- GPG / PGP: one of the historically supported hash algorithms.
- TrueCrypt / VeraCrypt: an option among several hash choices.
Why it has held up
The signature feature is two parallel processing lines that recombine at the end. Differential attacks need to find a high-probability differential characteristic simultaneously in both lines, which is far harder than attacking a single chain. As a result, while SHA-1 fell in 2017, no comparable practical collision is known for full RIPEMD-160 as of writing. The best published results cover reduced rounds.
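The two-line structure described above, and the `RIPEMD-160(SHA-256(pubkey))` construction from the Bitcoin entry, written out as an added example (not code from this page or from the RIPEMD-160 authors). The tables and constants are those of the published RIPEMD-160 specification; the function names are chosen here, and the code is written for reading, not for speed or side-channel resistance.

```python
import hashlib
import struct

# Message-word order (ML, MR) and rotate amounts (RL, RR) of the left and right
# lines, from the RIPEMD-160 specification; one hex digit per step (5 x 16).
ML, MR, RL, RR = ([int(c, 16) for c in t] for t in (
    "0123456789abcdef74d1a6f3c0952eb83ae49f812706db5c19ba08c4d37fe56240597c2ae138b6fd",
    "5e7092b4d6f81a3c6b370d5aef8c4912f5137e69b8c2a04d86413bf05c2d97aecfa4158762de039b",
    "befc5879bdef6798768db97f7cf9b7dcbd67e9dfe8d65c75bcefef989e56865c9f5b68dc5cdeb856",
    "899bdff5778beec69df7c89b77c76fdb97fb866ecd5edd75f58bee6e69c9c5f885c9c5e68d65fdbb"))
KL = (0, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xA953FD4E)
KR = (0x50A28BE6, 0x5C4DD124, 0x6D703EF3, 0x7A6D76E9, 0)
M32 = 0xFFFFFFFF

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & M32

def f(rnd, x, y, z):
    # Five boolean functions; the left line uses them in order, the right reversed.
    return (x ^ y ^ z, (x & y) | (~x & z), (x | ~y) ^ z,
            (x & z) | (y & ~z), x ^ (y | ~z))[rnd] & M32

def step(a, b, c, d, e, fn, word, k, s):
    # One operation of either line: T = rol(A + f(B,C,D) + X + K, s) + E.
    t = (rol((a + f(fn, b, c, d) + word + k) & M32, s) + e) & M32
    return e, t, b, rol(c, 10), d

def compress(h, block):
    x = struct.unpack("<16I", block)
    left = right = tuple(h)          # both lines start from the same chaining value
    for j in range(80):
        rnd = j >> 4
        left = step(*left, rnd, x[ML[j]], KL[rnd], RL[j])
        right = step(*right, 4 - rnd, x[MR[j]], KR[rnd], RR[j])
    (al, bl, cl, dl, el), (ar, br, cr, dr, er) = left, right
    # Recombination: every new chaining word mixes one word from each line.
    return [(h[1] + cl + dr) & M32, (h[2] + dl + er) & M32, (h[3] + el + ar) & M32,
            (h[4] + al + br) & M32, (h[0] + bl + cr) & M32]

def ripemd160(data):
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Merkle-Damgard padding: 0x80, zeros, 64-bit little-endian bit length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for i in range(0, len(msg), 64):
        h = compress(h, msg[i:i + 64])
    return struct.pack("<5I", *h)

def hash160(pubkey):
    # The RIPEMD-160(SHA-256(pubkey)) construction used for P2PKH addresses.
    return ripemd160(hashlib.sha256(pubkey).digest())
```

Because the two lines use different word orders, rotate amounts, constants and a reversed function order, a difference introduced in one message word reaches the two lines at different steps, which is the property the paragraph above credits for the design's resistance to differential attacks.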
So why not use it for new designs?
160 bits gives only 80-bit collision security (birthday bound). NIST and most modern guidance recommend at least 128-bit collision security for new designs, which means 256-bit output minimum. RIPEMD-160 is a good legacy citizen, but for new content addressing, MACs, or signatures pick SHA-256, SHA-512/256, SHA3-256, BLAKE2b, or BLAKE3.
Try it
The multi-algorithm hasher includes RIPEMD-160. The output is recognizably short (40 hex chars) compared to SHA-256 or BLAKE2b.