MD4 is Not One-Way

MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash functions (MD5, SHA-1, SHA-2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a one-way function. In this paper we show a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of 2^32 compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity 2^96, and we extend it to an attack on the full MD4 with complexity 2^102. As far as we know this is the first preimage attack on a member of the MD4 family.
Key words: MD4, hash function, cryptanalysis, preimage, one-way.
Gaëtan Leurent
Added 26 Oct 2010
Updated 26 Oct 2010
Type Conference
Year 2008
Where FSE
Authors Gaëtan Leurent
