Difference between revisions of "MD4"

 author    = {Martin Schläffer and Elisabeth Oswald},
 title     = {Searching for Differential Paths in MD4},
 pages     = {242-261},
 url        = {http://dx.doi.org/10.1007/11799313_16},
 booktitle = {FSE},
 publisher = {Springer},
 series    = {LNCS},
 volume    = {4047},
 year      = {2006},
 isbn      = {3-540-36597-4},
 abstract  = {The ground-breaking results of Wang et al.

have attracted a lot of attention to the collision resistance of hash functions. In their articles, Wang et al. give input differences, differential paths and the corresponding conditions that allow to find collisions with a high probability. However, Wang et al. do not explain how these paths were found. The common assumption is that they were found by hand with a great deal of intuition. In this article, we present an algorithm that allows to find paths in an automated way. Our algorithm is successful for MD4. We have found over 1000 differential paths so far. Amongst them, there are paths that have fewer conditions in the second round than the path of Wang et al. for MD4. This makes them better suited for the message modification techniques that were also introduced by Wang et al.} }

@@ Line 233: / Line 233: @@
 === Preimage Attacks ===
+<bibtex>
+@inproceedings{fseLeurent08,
+  author    = {Ga{\"e}tan Leurent},
+  title     = {MD4 is Not One-Way},
+  booktitle = {FSE},
+  year      = {2008},
+  pages     = {412-428},
+  abstract  = {MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash functions (MD5, SHA-1, SHA-2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a one-way function. In this paper we show a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of 2^32 compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity 2^96, and we extend it to an attack on the full MD4 with complexity 2^102. As far as we know this is the first preimage attack on a member of the MD4 family. },
+  url        = {http://dx.doi.org/10.1007/978-3-540-71039-4_26},
+  editor    = {Kaisa Nyberg},
+  publisher = {Springer},
+  series    = {LNCS},
+  volume    = {5086},
+  isbn      = {978-3-540-71038-7},
+}
+</bibtex>
 <bibtex>

Difference between revisions of "MD4"

Latest revision as of 11:32, 10 November 2008

Contents

1 Specification

2 Cryptanalysis

2.1 Best Known Results

2.2 Generic Attacks

2.3 Collision Attacks

2.4 Second Preimage Attacks

2.5 Preimage Attacks

2.6 Others

Navigation menu

Views

Personal tools

Navigation

Search

Tools