The Second-Preimage Attack on MD4

  • Hongbo Yu
  • Gaoli Wang
  • Guoyan Zhang
  • Xiaoyun Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3810)


In Eurocrypt’05, Wang et al. presented new techniques to find collisions of Hash function MD4. The techniques are not only efficient to search for collisions, but also applicable to explore the second- preimage of MD4. About the second-preimage attack, they showed that a random message was a weak message with probability 2− 122 and it only needed a one-time MD4 computation to find the second-preimage corresponding to the weak message. A weak message means that there exits a more efficient attack than the brute force attack to find its second-preimage. In this paper, we find another new collision differential path which can be used to find the second-preimage for more weak messages. For any random message, it is a weak message with probability 2− 56, and it can be converted into a weak message by message modification techniques with about 227 MD4 computations. Furthermore, the original message is close to the resulting message (weak message), i.e, the Hamming weight of the difference for two messages is about 44.


Hash function collision differential path second-preimage weak message 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Rivest, R.L.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)Google Scholar
  2. 2.
    Rivest, R.L.: The MD5 message-digest algorithm, Request for Comments (RFC 1320), Internet Activities Board, Internet Privacy Task Force (1992)Google Scholar
  3. 3.
    Zheng, Y.L., Pieprzyk, J., Seberry, J.: HAVAL–A One-way Hashing Algorithm with Variable Length of Output. In: Advances in Cryptology, AUSCRYPT 1992 Proceedings. Springer, Heidelberg (1992)Google Scholar
  4. 4.
    Bosselaers, A., Preneel, B. (eds.) RIPE 1992. LNCS, vol. 1007, Springer, Heidelberg (1995)Google Scholar
  5. 5.
    FIPS 180, Secure Hash standard, NiST (May 1993)Google Scholar
  6. 6.
    FIPS 180-1, Secure hash standard, NIST, US Department of Commerce, Washington D. C. Springer, Heidelberg (1996)Google Scholar
  7. 7.
    FIPS 180-2, Secure Hash Standard (2002),
  8. 8.
    Dobbertin, H.: Cryptanalysis of MD4. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039. Springer, Heidelberg (1996)Google Scholar
  9. 9.
    Dobbertin, H.: The First Two Rounds of MD4 are Not One-Way. Fast Software Encryption (1998)Google Scholar
  10. 10.
    Wang, X.Y., Yu, H.B.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Wang, X.Y., Lai, X.J., Feng, D.G., Chen, H., Yu, X.Y.: Cryptanalysis for Hash Functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  12. 12.
    Wang, X.Y., Yu, H.B., Yin, Y.L.: Efficient Collision Search Attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005) (to appear)Google Scholar
  13. 13.
    Wang, X.Y., Yin, Y.L., Yu, H.B.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005) (to appear)Google Scholar
  14. 14.
    Wang, X.Y., Feng, D.G., Yu, X.Y.: An Attack on Hash Function HAVAL-128, Science in China Series E (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Hongbo Yu
    • 1
  • Gaoli Wang
    • 1
  • Guoyan Zhang
    • 1
  • Xiaoyun Wang
    • 1
  1. 1.School of Mathematics and System SciencesShandong UniversityJinanChina

Personalised recommendations