Cryptanalysis of the Hash Functions MD4 and RIPEMD

  • Xiaoyun Wang
  • Xuejia Lai
  • Dengguo Feng
  • Hui Chen
  • Xiuyuan Yu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3494)


MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to $2^{20}$ MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability $2^{-2}$ to $2^{-6}$, and the complexity of finding a collision doesn’t exceed $2^{8}$ MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below $2^{8}$. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability $2^{-122}$.

The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about $2^{18}$ RIPEMD hash operations.


Keywords: Boolean Function; Hash Function; Message Block; Collision Attack; Fast Software Encryption
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


References

  1. Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, Heidelberg (1993)
  2. Biham, E., Chen, R.: Near collision for SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004)
  3. den Boer, B., Bosselaers, A.: Collisions for the compression function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1993)
  4. Chabaud, F., Joux, A.: Differential Collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 56. Springer, Heidelberg (1998)
  5. Dobbertin, H.: Cryptanalysis of MD4. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039. Springer, Heidelberg (1996)
  6. Dobbertin, H.: Cryptanalysis of MD5 Compress. Presented at the Rump Session of Eurocrypt 1996
  7. Dobbertin, H.: RIPEMD with Two Round Compress Function Is Not Collision-Free. Journal of Cryptology 10, 51–69 (1997)
  8. Dobbertin, H.: The First Two Rounds of MD4 are Not One-Way. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, p. 284. Springer, Heidelberg (1998)
  9. Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: A Strengthened Version of RIPEMD. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039. Springer, Heidelberg (1996)
  10. FIPS 180-1, Secure hash standard, NIST, Washington D.C, April 1995. US Department of Commerce. Springer, Heidelberg (1996)
  11. FIPS 180-2, Secure Hash Standard (2002),
  12. Joux, A.: Collisions for SHA-0. Rump Session of CRYPTO 2004 (2004)
  13. Bosselaers, A., Preneel, B. (eds.): RIPE 1992. LNCS, vol. 1007. Springer, Heidelberg (1995)
  14. Rivest, R.L.: The MD4 message digest algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)
  15. Rivest, R.L.: The MD5 Message-Digest Algorithm, Request for Comments (RFC 1320), Internet Activities Board, Internet Privacy Task Force (April 1992)
  16. Van Rompay, B., Biryukov, A., Preneel, B., Vandewalle, J.: Cryptanalysis of 3-pass HAVAL. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 228–245. Springer, Heidelberg (2003)
  17. Wang, X.Y., Guo, F.D., Lai, X.J., Yu, H.B.: Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD. Rump Session of Crypto 2004, E-print (2004)
  18. Zheng, Y., Pieprzyk, J., Seberry, J.: HAVAL–A One-way Hashing Algorithm with Variable Length of Output. In: Zheng, Y., Seberry, J. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 83–104. Springer, Heidelberg (1992)

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Xiaoyun Wang (1)
  • Xuejia Lai (2)
  • Dengguo Feng (3)
  • Hui Chen (1)
  • Xiuyuan Yu (4)

  1. Shandong University, Jinan, China
  2. Shanghai Jiaotong University, Shanghai, China
  3. Chinese Academy of Science China, Beijing, China
  4. Huangzhou Teacher College, Hangzhou, China
