Questions tagged [md4]

RFC 1320 — the MD4 message-digest algorithm — is a cryptographic hash function with a digest length of 128 bits, developed by Ronald Rivest in 1990. The algorithm has influenced later designs, such as the MD5, SHA-1 and RIPEMD algorithms. The security of MD4 has been severely compromised. The first full collision attack against MD4 was published in 1995 and several newer attacks have been published since then. As of 2007, an attack can generate collisions in less than 2 MD4 hash operations. A theoretical preimage attack also exists.

14 questions
12 votes, 1 answer

Why does a broken hash function undermine an HMAC?

For instance, what makes MD4 a bad choice for an HMAC? In this case I am asking about MD4 because it's less than ideal. I know that a preimage attack can be used to undermine the system, but why? What is the attacker calculating?
Rook
7 votes, 1 answer

What's the state of the art attack to get the first pre-image on MD4?

What's the state of the art attack to get the first pre-image on MD4? Is it still $2^{102}$ as described by Gaëtan Leurent in "MD4 is Not One-Way"?
7 votes, 1 answer

Why did MD4 replace MD2?

MD2 was a hash function based on swapping bytes in a state array permutation, much like the RC4 stream cipher, whereas MD4 was a novel construction. MD4 replaced MD2 despite the fact that MD4 is more badly broken. Even MD5, an improvement upon MD4,…
forest
5 votes, 1 answer

How were the constants chosen in round 2 and 3 in MD4?

Just reading Ron Rivest's explanation of MD4: the hash uses two round constants, one $\text{5A827999}$ on round $2$ and the other $\text{6ED9EBA1}$ on round $3$. I think they are supposed to be the hex representation of the square root of $2$ and $3$. But…
Aven Desta
4 votes, 1 answer

Cryptanalysis of MD4 (Wang et al.) -- how did the authors come up with the collision differential?

Edit: ok, after I re-read the paper a couple of times it is clear that Table 6 is easily derived from Table 5, which describes the collision differential. So the real question is: how did the authors come up with the collision…
0x00
4 votes, 3 answers

Is the quality of the hash function essential in HKDF?

Hash functions have a number of properties needed, including the property that no collisions must be able to be found. Generally, if we can find collisions for hash functions, we consider the hash function broken. However, not all uses of hash…
juhist
3 votes, 1 answer

The Collision Differential for MD4 - a question on notation (Wang, et al)

In the paper "Cryptanalysis of the Hash Functions MD4 and RIPEMD" the authors introduce the following notation (paragraph 4.1): $\Delta H_0 = 0 \xrightarrow{(M, M')} \Delta H = 0$. What exactly does this mean? I understand that $\Delta H$ is…
3 votes, 1 answer

Secret IV MAC with weak hash function

Assume there is a secret-IV (hash-based) MAC scheme, i.e. $MAC_k(m) = H_k(m)$, where $H$ is a hash function, $k$ the secret key that initializes the hash function, and $m$ the message to protect with the MAC. When using a Merkle-Damgård…
firefexx
2 votes, 1 answer

Why does FIPS 180-4 require the final padding block start with a 1?

From FIPS 180-4 § 5.1.1, the padding used for the SHA family of hashes begins with a binary 1, followed by a number of 0s, and finally a 64-bit representation of the message length: Suppose that the length of the message, M, is bits. Append the…
forest
2 votes, 1 answer

Can I use HKDF to improve security of HMAC used with weak hash function?

I am writing a framework which encrypts/decrypts files (or streams, in general) with symmetric key using block cipher (for example, AES). To authenticate encrypted file, I use HMAC, which is initialized with a key derived from supplied password…
Acetylator
1 vote, 0 answers

Finding second-preimage to this use of weak hash

$h'(x) := h(a_1 \parallel x \parallel b_1) \parallel h(a_2 \parallel x \parallel b_2) \parallel h(a_3 \parallel x \parallel b_3) \parallel \dots \parallel h(a_k \parallel x \parallel b_k)$. $a_i$ and $b_i$ are known prefixes and suffixes. If $h$ is…
ashidc
1 vote, 1 answer

Why is the data length shifted by 3 bits in the MD4 Java implementation?

In RFC 1320, it is stated that "A 64-bit representation of b (the length of the message before the padding bits were added) is appended to the result of the previous step. In the unlikely event that b is greater than 2^64, then only the low-order 64…
Bunyamin
0 votes, 0 answers

Is md5(x) xor md4(x) collision proof?

Suppose I have the following hash function: $\newcommand{\md}[1]{\text{md#1}} \newcommand{\H}{\text{H}}$ $$\H(x, y) = \md{5}(x) \oplus \md{4}(y)$$ How can I prove it's collision proof? I tried to say "let's assume we have an oracle which knows how to…
MyNick
0 votes, 0 answers

Cryptographically secure PRNG from a hash function

Is it possible to get a secure random number generator from a secure hash function this way: first choose a natural number $n$ as seed; then, if we are looking to generate random numbers from $0$ to $F$ (in hex), the first in the sequence is the last…