Cryptanalysis of MD4

  • Hans Dobbertin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1039)


In 1990 Rivest introduced the hash function MD4. Two years later RIPEMD, a European proposal, was designed as a stronger mode of MD4. Recently we have found an attack against two of three rounds of RIPEMD. As we shall show in the present note, the methods developed to attack RIPEMD can be modified and supplemented such that it is possible to break the full MD4, while previously only partial attacks were known. An implementation of our attack allows to find collisions for MD4 in a few seconds on a PC. An example of a collision is given demonstrating that our attack is of practical relevance.


Boolean Function Hash Function Compress Function Differential Attack Strengthened Version 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    FIPS 180-1, Secure hash standard, Federal Information Processing Standard, NIST, US Department of Commerce, Washington D.C., April 1995.Google Scholar
  2. 2.
    RIPE, Integrity Primitives for Secure Information Systems. Final Report of RACE Integrity Primitives Evaluation (RIPE-RACE 1040), Lecture Notes in Computer Science, vol. 1007, Springer-Verlag, 1995.Google Scholar
  3. 3.
    den Boer, B., Bosselaers, A.: An attack on the last two rounds of MD4, Advances in Cryptology, CRYPTO '91, Lecture Notes in Computer Science, vol. 576, Springer-Verlag, 1992, pp. 194–203.Google Scholar
  4. 4.
    Dobbertin, H.: RIPEMD with two-round compress function is not collision-free, J. of Cryptology, to appear.Google Scholar
  5. 5.
    Dobbertin, H.: The compress function of extended MD4 is not collision-free, preprint.Google Scholar
  6. 6.
    Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: A strengthened version of RIPEMD, these proceedings.Google Scholar
  7. 7.
    Rivest, R.: The MD4 message-digest algorithm, Request for Comments (RFC) 1320, Internet Activities Board, Internet Privacy Task Force, April 1992.Google Scholar
  8. 8.
    Rivest, R.: The MD5 message-digest algorithm, Request for Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, April 1992.Google Scholar
  9. 9.
    Vaudenay, S.: On the need of multipermutations: Cryptanalysis of MD4 and SAFER, Fast Software Encryption (Proceedings of the 1994 Leuven Workshop on Cryptographic Algorithms), Lecture Notes in Computer Science, vol. 1008, Springer-Verlag, 1995, pp. 286–297.Google Scholar
  10. 10.
    Yuval, G.: How to swindle Rabin, Cryptologia, vol. 3, no. 3, 1979, pp. 187–189.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • Hans Dobbertin
    • 1
  1. 1.German Information Security AgencyBonn

Personalised recommendations