## MD4 is Not One-Way

Citations: 12 (1 self)

### BibTeX

@MISC{Leurent_md4is,
    author = {Gaëtan Leurent and École Normale Supérieure Département},
    title = {MD4 is Not One-Way},
    year = {}
}

### Abstract

MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash functions (MD5, SHA-1, SHA-2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a one-way function. In this paper we show a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of $2^{32}$ compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity $2^{96}$, and we extend it to an attack on the full MD4 with complexity $2^{102}$. As far as we know this is the first preimage attack on a member of the MD4 family.

### Citations

370 |
The MD5 Message Digest Algorithm
- Rivest
- 1992
Citation Context ...orb some differences, we fix many values of the internal state using some particularities of the message expansion. 1.2 Related work MD4 has been introduced as a cryptographic hash function by Rivest [16], in 1990 and much cryptanalytic effort has been devoted to study its security. The design principles of MD4 are used in MD5 and the SHA family, which are the most widely used hash functions today. Any...

199 | Available at rfc1760: The s/key one-time password system
- Haller
- 1995
Citation Context ...but collision resistance is not important: – MD4 is used to “encrypt” passwords in Windows NT and later (as the NTLM hash); – MD4 is used for password derivation in the S/KEY one time password system [8]; – MD4 is used to compare file blocks in the incremental file transfer program rsync; – MD4 is used for file identification and integrity in the eDonkey peer-to-peer network. S/Key and rsync even use...

169 | Finding Collisions in the Full SHA-1
- Wang, Yin, et al.
- 2005
Citation Context ...em, see [17]. Unfortunately, many currently used hash functions have been broken by collision attacks: MD4 [5,20,18] (the best attack has complexity $2^{1}$), MD5 [22,10] (best attack: $2^{23}$), and SHA-1 [21,13] (best attack: $2^{60}$). These functions are now considered unsafe but in practice very few constructions or protocols are really affected. In this paper we consider preimage resistance, which is a weak...

59 |
Cryptanalysis of MD4
- Dobbertin
Citation Context ...lision attack. For a more formal definition of these properties, and the relations between them, see [17]. Unfortunately, many currently used hash functions have been broken by collision attacks: MD4 [5,20,18] (the best attack has complexity $2^{1}$), MD5 [22,10] (best attack: $2^{23}$), and SHA-1 [21,13] (best attack: $2^{60}$). These functions are now considered unsafe but in practice very few constructions or pr...

53 | Hash functions based on block ciphers
- Lai, Massey
Citation Context ...or an example of a partial pseudo-preimage. 3 Preimage of the full MD4 To extend this attack to the full MD4, we will use an idea similar to the unbalanced meet-in-the-middle attack of Lai and Massey [12]. We compute many pseudo-preimages of H, we hash many random messages, and we use the birthday paradox to meet in the middle. If we have a pseudo-preimage attack with complexity $2^{s}$, the generic atta...

46 |
Formal Aspects of Mobile Code Security
- Dean
- 1999
Citation Context ... size 2 32 after an expected workload of: 2 96 � 2 32 k=1 2 97 H1 1 k ≤ 296 (ln 2 32 + 1) ≤ 2 100.54 . In this case, we do not control the length of the preimage, so we will use an expendable message =-=[3,9]-=- in the forward step. Conclusion Our attack on MD4 is still theoretical due to the high complexity, but it shows that MD4 is even weaker than we thought. Our attack relies on the absorption property o... |

40 |
Preimages on n-Bit Hash Functions for Much Less than $2^{n}$ Work, EUROCRYPT
- Kelsey, Schneier, et al.
- 2005
Citation Context ...e search become negligible, and the average workload is just the time needed to test each block until a good one is found, so we expect it to be $2^{56}$. Another related work due to Kelsey and Schneier [9] introduced a generic second-preimage attack against iterated hash functions using long messages. This is a nice result showing the limitations of the Merkle-Damgård paradigm, but an attack on messages...

38 | An Attack on the Last Two Rounds of MD4
- Boer, Bosselaers
- 1992
Citation Context ...ives some insight to the security level of the other members of the MD4 family. Shortly after the introduction of MD4, collision attacks were found on reduced variants of MD4: den Boer and Bosselaers [4] found an attack against the last two rounds, and Merkle had an unpublished attack against the first two rounds. Another attack against the first two rounds was later found by Vaudenay [19]. The first...

38 | Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105
- Klima
- 2006
Citation Context ...properties, and the relations between them, see [17]. Unfortunately, many currently used hash functions have been broken by collision attacks: MD4 [5,20,18] (the best attack has complexity $2^{1}$), MD5 [22,10] (best attack: $2^{23}$), and SHA-1 [21,13] (best attack: $2^{60}$). These functions are now considered unsafe but in practice very few constructions or protocols are really affected. In this paper we consi...

33 | On the need of Multipermutations: Cryptanalysis of MD4 and SAFER
- Vaudenay
- 1994
Citation Context ...y chosen by the preimage algorithm) and 32 bits of the input for the cost of $2^{32}$ compression function (brute force would require $2^{64}$). Our attack uses many ideas from previous cryptanalysis of MD4 [5,19,6,20]. We consider MD4 as a system of equations, we use some kind of differential path and use the Boolean functions to absorb some differences, we fix many values of the internal state using some particula...

11 |
The First Two Rounds of MD4 are Not One-Way
- Dobbertin
Citation Context ...y chosen by the preimage algorithm) and 32 bits of the input for the cost of $2^{32}$ compression function (brute force would require $2^{64}$). Our attack uses many ideas from previous cryptanalysis of MD4 [5,19,6,20]. We consider MD4 as a system of equations, we use some kind of differential path and use the Boolean functions to absorb some differences, we fix many values of the internal state using some particula...

10 |
Formalizing human ignorance
- Rogaway
- 2006
Citation Context ...n, so most constructions use a collision resistant hash function, and most cryptanalysis target collision attack. For a more formal definition of these properties, and the relations between them, see [17]. Unfortunately, many currently used hash functions have been broken by collision attacks: MD4 [5,20,18] (the best attack has complexity $2^{1}$), MD5 [22,10] (best attack: $2^{23}$), and SHA-1 [21,13] (bes...

10 |
X.: The Second-Preimage Attack on MD4
- Yu, Wang, et al.
Citation Context ... 2 rounds and 7 steps of MD4. To the best of our knowledge, no preimage attack has been found on the full MD4 with three rounds. More recently, Yu et al. found a kind of second-preimage attack on MD4 [23]. However this kind of attack is not what we usually call a second-preimage attack because it only works for a small subset of the message space. This attack has a complexity of one compression functi...

4 |
Weaknesses in the HAS-V Compression Function
- Mendel, Rijmen
- 2007
Citation Context ... 2. In the end, we will find a preimage in time $2(n-s)2^{s} + 2^{s}$, using a memory of size $O(2^{n-s})$. A similar idea based on multi-target pseudo-preimage was used by Mendel and Rijmen to attack HAS-V [14]. In that attack, they could run a multi-target pseudo-preimage attack on a set of size $2^{s}$ (this is not possible in our case), and this results in an attack with time complexity $2^{s+1}$ and a memory req...

4 |
The MD2 hash function is not one-way
- Muller
- 2004
Citation Context ...ted MD4 and rely on the partial one-wayness of MD4. Preimage attacks are rather rare in the world of hash function cryptanalysis; the most notable example is the preimage attack against MD2 by Muller [15], later improved by Knudsen and Mathiassen [11] which has a complexity of $2^{97}$. A preimage attack has much more impact than a collision attack: it can be used to fool integrity checks, to forge signa...

3 |
Automatic search of differential path
- Fouque, Leurent, et al.
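Citation Context ... $Q_{-2}$ by equation (3’). This gives us $Q_{46} = H_2 - Q_{-2}$.

$Q_{44} = (Q_{40} \boxplus \mathrm{XOR}(Q_{43}, Q_{42}, Q_{41}) \boxplus m_{3} \boxplus K_2) \lll 3$ (5)

$Q_{45} = (Q_{41} \boxplus \mathrm{XOR}(Q_{44}, Q_{43}, Q_{42}) \boxplus m_{11} \boxplus K_2) \lll 9$ (6)

$Q_{46} = (Q_{42} \boxplus \mathrm{XOR}(Q_{45}, Q_{44}, Q_{43}) \boxplus m_{7} \boxplus K_2) \lll 11$ (7)

$Q_{47} = (Q_{43} \boxplus \mathrm{XOR}(Q_{46}, Q_{45}, Q_{44}) \boxplus m_{15} \boxplus K_2) \lll 15$ (8)

Here we see that (7) gives the value $Q_{44} \oplus Q_{45}$. Moreover, we will ask that $Q_{41} \boxplus m_{11} \boxplus K_2 =$ so as to simplify (6). We let V be $Q_{42} \oplus Q_{43} \oplus Q_{44} \oplus Q_{45}$,...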

3 | Preimage and Collision Attacks on MD2
- Knudsen, Mathiassen
- 2005
Citation Context ...MD4. Preimage attacks are rather rare in the world of hash function cryptanalysis; the most notable example is the preimage attack against MD2 by Muller [15], later improved by Knudsen and Mathiassen [11] which has a complexity of $2^{97}$. A preimage attack has much more impact than a collision attack: it can be used to fool integrity checks, to forge signatures using only known messages, to break “encr...

1 |
V.: Update on SHA-1. Presented at the rump session of CRYPTO ’07
- Mendel, Rechberger, et al.
Citation Context ...em, see [17]. Unfortunately, many currently used hash functions have been broken by collision attacks: MD4 [5,20,18] (the best attack has complexity $2^{1}$), MD5 [22,10] (best attack: $2^{23}$), and SHA-1 [21,13] (best attack: $2^{60}$). These functions are now considered unsafe but in practice very few constructions or protocols are really affected. In this paper we consider preimage resistance, which is a weak...

1 |
Message Difference for MD4
- Sasaki, Wang, et al.
- 2007
Citation Context ...lision attack. For a more formal definition of these properties, and the relations between them, see [17]. Unfortunately, many currently used hash functions have been broken by collision attacks: MD4 [5,20,18] (the best attack has complexity $2^{1}$), MD5 [22,10] (best attack: $2^{23}$), and SHA-1 [21,13] (best attack: $2^{60}$). These functions are now considered unsafe but in practice very few constructions or pr...

1 |
H.: How to Break MD5 and Other Hash Functions. [1
- Wang, Yu
Citation Context ...properties, and the relations between them, see [17]. Unfortunately, many currently used hash functions have been broken by collision attacks: MD4 [5,20,18] (the best attack has complexity $2^{1}$), MD5 [22,10] (best attack: $2^{23}$), and SHA-1 [21,13] (best attack: $2^{60}$). These functions are now considered unsafe but in practice very few constructions or protocols are really affected. In this paper we consi...