An Attack on the Last Two Rounds of MD4

  • Bert den Boer
  • Antoon Bosselaers
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 576)


In [Rive90] the MD4 message digest algorithm was introduced, taking an input message of arbitrary length and producing a 128-bit message digest as output. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message. In this paper it is shown that if the three-round MD4 algorithm is stripped of its first round, it is possible to find, for a given (initial) input value, two different messages hashing to the same output. A computer program implementing this attack takes about 1 millisecond on a 16 MHz IBM PS/2 to find such a collision.




  1. [Rive90] R. L. Rivest, “The MD4 Message Digest Algorithm”, Abstracts Crypto ’90, pp. 281–291.
  2. [Merk90] R. Merkle, personal communication.

Copyright information

© Springer-Verlag Berlin Heidelberg 1992

Authors and Affiliations

  • Bert den Boer (1)
  • Antoon Bosselaers (2)
  1. Philips Crypto B.V., Eindhoven, The Netherlands
  2. ESAT Laboratory, K.U. Leuven, Heverlee, Belgium
