Difference between revisions of "MD4"

From The ECRYPT Hash Function Website
(Specification)
(Collision Attacks)
Line 39: Line 39:
  
 
=== Collision Attacks ===
 
=== Collision Attacks ===
 +
 +
<bibtex>
 +
@inproceedings{eurocryptWangLFCY05,
 +
  author = {Xiaoyun Wang and Xuejia Lai and Dengguo Feng and Hui Chen and Xiuyuan Yu},
 +
  title = {Cryptanalysis of the Hash Functions MD4 and RIPEMD},
 +
  booktitle = {EUROCRYPT},
 +
  year = {2005},
 +
  pages = {1-18},
 +
  abstract = {MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 220 MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2–2 to 2–6, and the complexity of finding a collision doesnrsquot exceed 28 MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 28. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2–122. The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 218 RIPEMD hash operations.},
 +
  editor = {Ronald Cramer},
 +
  volume = {3494},
 +
  series = {LNCS},
 +
  publisher = {Springer},
 +
  isbn = {3-540-25910-4},
 +
  url = {http://dx.doi.org/10.1007/11426639_1},
 +
}
 +
</bibtex>
  
 
<bibtex>
 
<bibtex>

Revision as of 11:05, 11 March 2008

1 Specification

  • digest size: 128 bits
  • max. message length: < 264 bits
  • compression function: 512-bit message block, 128-bit chaining variable
  • Specification:

Ronald L. Rivest - The MD4 Message Digest Algorithm

CRYPTO 537:303-311,1990
http://link.springer.de/link/service/series/0558/bibs/0537/05370303.htm
Bibtex
Author : Ronald L. Rivest
Title : The MD4 Message Digest Algorithm
In : CRYPTO -
Address :
Date : 1990

2 Cryptanalysis

2.1 Best Known Results


2.2 Generic Attacks


2.3 Collision Attacks

Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu - Cryptanalysis of the Hash Functions MD4 and RIPEMD

EUROCRYPT 3494:1-18,2005
http://dx.doi.org/10.1007/11426639_1
Bibtex
Author : Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu
Title : Cryptanalysis of the Hash Functions MD4 and RIPEMD
In : EUROCRYPT -
Address :
Date : 2005

Hans Dobbertin - Cryptanalysis of MD4

J. Cryptology 11(4):253-271,1998
http://link.springer.de/link/service/journals/00145/bibs/11n4p253.html
Bibtex
Author : Hans Dobbertin
Title : Cryptanalysis of MD4
In : J. Cryptology -
Address :
Date : 1998

Hans Dobbertin - Cryptanalysis of MD4

FSE 1039:53-69,1996
http://dx.doi.org/10.1007/s001459900047
Bibtex
Author : Hans Dobbertin
Title : Cryptanalysis of MD4
In : FSE -
Address :
Date : 1996

Serge Vaudenay - On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER

FSE 1008:286-297,1995
http://dx.doi.org/10.1007/3-540-60590-8_22
Bibtex
Author : Serge Vaudenay
Title : On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER
In : FSE -
Address :
Date : 1995

2.4 Second Preimage Attacks


2.5 Preimage Attacks

Hans Dobbertin - The First Two Rounds of MD4 are Not One-Way

FSE 1372:284-292,1998
http://dx.doi.org/10.1007/3-540-69710-1_19
Bibtex
Author : Hans Dobbertin
Title : The First Two Rounds of MD4 are Not One-Way
In : FSE -
Address :
Date : 1998

2.6 Others

<bibtex> @inproceedings{fseSchlafferO06,

 author    = {Martin Schläffer and Elisabeth Oswald},
 title     = {Searching for Differential Paths in MD4},
 pages     = {242-261},
 url        = {http://dx.doi.org/10.1007/11799313_16},
 booktitle = {FSE},
 publisher = {Springer},
 series    = {LNCS},
 volume    = {4047},
 year      = {2006},
 isbn      = {3-540-36597-4},
 abstract  = {The ground-breaking results of Wang et al. 

have attracted a lot of attention to the collision resistance of hash functions. In their articles, Wang et al. give input differences, differential paths and the corresponding conditions that allow to find collisions with a high probability. However, Wang et al. do not explain how these paths were found. The common assumption is that they were found by hand with a great deal of intuition. In this article, we present an algorithm that allows to find paths in an automated way. Our algorithm is successful for MD4. We have found over 1000 differential paths so far. Amongst them, there are paths that have fewer conditions in the second round than the path of Wang et al. for MD4. This makes them better suited for the message modification techniques that were also introduced by Wang et al.} }