The algorithm takes as input a message of arbitrary length and produces as output a bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest.
The MD4 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private secret key under a public-key cryptosystem such as RSA. The MD4 algorithm is designed to be quite fast on bit machines. In addition, the MD4 algorithm does not require any large substitution tables; the algorithm can be coded quite compactly. This document replaces the October RFC [ 2 ]. The main difference is that the reference implementation of MD4 in the appendix is more portable.
Terminology and Notation
In this document a "word" is a bit quantity and a "byte" is an eight-bit quantity. A sequence of bits can be interpreted in a natural manner as a sequence of bytes, where each consecutive group of eight bits is interpreted as a byte with the high-order (most significant) bit of each byte listed first. Similarly, a sequence of bytes can be interpreted as a sequence of bit words, where each consecutive group of four bytes is interpreted as a word with the low-order (least significant) byte given first.
MD4 Algorithm Description
We begin by supposing that we have a b-bit message as input, and that we wish to find its message digest. Here b is an arbitrary nonnegative integer; b may be zero, it need not be a multiple of eight, and it may be arbitrarily large.
Append Padding Bits
The message is "padded" (extended) so that its length in bits is congruent to , modulo That is, the message is extended so that it is just 64 bits shy of being a multiple of bits long. Padding is always performed, even if the length of the message is already congruent to , modulo Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to , modulo In all, at least one bit and at most bits are appended.
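The padding step described above, written out as an added example (it is not part of the RFC text or its reference implementation) for a message of b bits where b need not be a multiple of eight. The constants 448 and 512 are the values given in RFC 1320, and the function name `pad_bits` is an assumption of this example.

```python
from typing import Optional, Tuple

# Values from RFC 1320 (assumed here; they do not appear in the text above).
BLOCK_BITS = 512   # padded length is measured modulo this
TARGET_BITS = 448  # required residue, i.e. 64 bits short of a full block


def pad_bits(message: bytes, bit_len: Optional[int] = None) -> Tuple[bytes, int]:
    """Append the MD4 padding bits to a message of `bit_len` bits.

    Bits are packed high-order first within each byte, as in the
    "Terminology and Notation" section. If `bit_len` is omitted, the
    message is taken to be a whole number of bytes.
    Returns (padded_message, number_of_bits_appended).
    """
    if bit_len is None:
        bit_len = 8 * len(message)
    if bit_len < 0 or len(message) != (bit_len + 7) // 8:
        raise ValueError("bit_len does not match the supplied bytes")

    # Treat the message as one big integer and drop the unused
    # low-order bits of the final, partially filled byte.
    value = int.from_bytes(message, "big") >> (8 * len(message) - bit_len)

    # A single "1" bit is always appended, even if the length is
    # already congruent to TARGET_BITS modulo BLOCK_BITS.
    value = (value << 1) | 1

    # Then as many "0" bits as needed to reach the target residue.
    zeros = (TARGET_BITS - (bit_len + 1)) % BLOCK_BITS
    value <<= zeros

    total_bits = bit_len + 1 + zeros  # multiple of 8, since 448 % 8 == 0
    return value.to_bytes(total_bits // 8, "big"), 1 + zeros


if __name__ == "__main__":
    # Constructed sample inputs: empty, byte-aligned, and a 3-bit message "101".
    for msg, bits in [(b"", None), (b"abc", None), (b"\xa0", 3)]:
        padded, appended = pad_bits(msg, bits)
        print(len(padded) * 8, appended, padded[:4].hex())
```
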
Message-digest size, as well as padding requirements, remain the same. More recent work by Dobbertin has extended the techniques used so effectively in the analysis of MD4 to find collisions for the compression function of MD5 [ DB96b ].
While stopping short of providing collisions for the hash function in its entirety this is clearly a significant step. For a comparison of these different techniques and their impact the reader is referred to [ Rob96 ]. The general techniques can be applied to other hash functions.
Received 23 October and revised 31 August. Furthermore, we show that for a weak message, we can find another message that produces the same hash value.