MD4

MD4
General
DesignersRonald Rivest
First publishedOctober 1990[1]
SeriesMD2, MD4, MD5, MD6
Cipher detail
Digest sizes128 bits
Block sizes512 bits
Rounds3
Best public cryptanalysis
A collision attack published in 2007 can find collisions for full MD4 in less than two hash operations.[2]

The MD4 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1990.[3] The digest length is 128 bits. The algorithm has influenced later designs, such as the MD5, SHA-1 and RIPEMD algorithms. The initialism "MD" stands for "Message Digest".

One MD4 operation. MD4 consists of 48 of these operations, grouped in three rounds of 16 operations. F is a nonlinear function; one function is used in each round. Mi denotes a 32-bit block of the message input, and Ki denotes a 32-bit constant, different for each round.

The security of MD4 has been severely compromised. The first full collision attack against MD4 was published in 1995, and several newer attacks have been published since then. As of 2007, an attack can generate collisions in less than two MD4 hash operations.[2] A theoretical preimage attack also exists.

A variant of MD4 is used in the ed2k URI scheme to provide a unique identifier for a file in the popular eDonkey2000 / eMule P2P networks. MD4 was also used by the rsync protocol (prior to version 3.0.0).

MD4 is used to compute NTLM password-derived key digests on Microsoft Windows NT, XP, Vista, 7, 8, 10 and 11.[4]

  1. ^ Rivest, Ronald L. (October 1990). "The MD4 Message Digest Algorithm". Network Working Group. Retrieved 2011-04-29.
  2. ^ a b Yu Sasaki; et al. (2007). "New message difference for MD4" (PDF). {{cite journal}}: Cite journal requires |journal= (help)
  3. ^ "What are MD2, MD4, and MD5?". Public-Key Cryptography Standards (PKCS): PKCS #7: Cryptographic Message Syntax Standard: 3.6 Other Cryptographic Techniques: 3.6.6 What are MD2, MD4, and MD5?. RSA Laboratories. Archived from the original on 2011-09-01. Retrieved 2011-04-29.
  4. ^ "5.1 Security Considerations for Implementors". Retrieved 2011-07-21. Deriving a key from a password is as specified in [RFC1320] and [FIPS46-2].