
MD4

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: SHA-1 Hop 4
Infobox
Name: MD4
Designer: Ronald Rivest
Published: 1990
Type: Cryptographic hash function
Digest size: 128 bits
Block size: 512 bits
Predecessor: MD2
Successor: MD5

MD4 is a 128-bit cryptographic hash function published in 1990 by Ronald Rivest. It was designed for speed on 32-bit processors and influenced later designs in the Rivest family (notably MD5) and in the wider cryptographic community. Despite its historical importance and its influence on standards and software, multiple cryptanalytic results have rendered it unsuitable for contemporary security uses.

Introduction

MD4 was released as part of a lineage of message-digest algorithms that includes Rivest's earlier MD2 and later successors such as MD5 and SHA-1. The algorithm targeted fast message-digest computation for the protocols and applications of the early 1990s, including implementations on systems from companies such as IBM and Microsoft. Early adoption appeared in protocols and software stacks used by IETF working groups and by projects in MIT environments. Over time, published attacks from researchers at institutions including RSA Security and universities led standards bodies and vendors to deprecate its use.

Design and algorithm

The design uses a Merkle–Damgård construction with a 512-bit block size and produces a 128-bit output. The internal state consists of four 32-bit words that are updated through three rounds of non-linear Boolean functions, modular addition, and left-rotation operations, similar to those in MD5 and in Rivest's earlier work. The compression function combines these Boolean functions with fixed constants arranged to provide diffusion across rounds; message padding follows the same convention as many contemporaneous designs, as described in ISO standards and IETF documents. The algorithm's simplicity and low computational cost made it suitable for early software libraries developed at institutions like MIT and companies such as Qualcomm.
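To make the construction described above concrete, the following is a compact reference implementation of MD4 in pure Python, added here as an illustration; it is not code from the original article or from Rivest's specification. It shows the four-word state, the Merkle–Damgård padding (a 0x80 byte, zeros, then the 64-bit little-endian bit length), and the three rounds of sixteen steps, each with its own Boolean function, additive constant, message-word order, and rotation amounts. The round schedule and the test vectors are those published in RFC 1320; the helper `check_test_vectors` is this example's own and is not part of MD4.

```python
"""Reference MD4 (RFC 1320) for study of the construction; not for production use."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, s):
    """Rotate a 32-bit word left by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK32


# The three Boolean round functions, named F, G and H in RFC 1320.
def _f(x, y, z):
    return (x & y) | ((~x & MASK32) & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# Per round: (Boolean function, additive constant, message-word order,
# rotation amounts cycled over each group of four steps).
_ROUNDS = (
    (_f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (_g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)

# Initial chaining value: four 32-bit words A, B, C, D.
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def md4_pad(message):
    """Merkle-Damgard padding: 0x80, zero bytes up to 56 mod 64, then the
    original length in bits as a 64-bit little-endian integer."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def md4_compress(state, block):
    """One application of the compression function to a 64-byte block."""
    X = struct.unpack("<16I", block)  # 16 little-endian 32-bit message words
    a, b, c, d = state
    for func, const, order, shifts in _ROUNDS:
        for i in range(16):
            a = _rotl((a + func(b, c, d) + X[order[i]] + const) & MASK32, shifts[i % 4])
            # Rotate the register roles so the next step updates the next word
            # ([ABCD], [DABC], [CDAB], [BCDA] in the RFC's notation).
            a, b, c, d = d, a, b, c
    # Davies-Meyer style feed-forward: add the result to the incoming state.
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d)))


def md4(message):
    """Return the 16-byte MD4 digest of `message` (bytes)."""
    state = _IV
    padded = md4_pad(message)
    for off in range(0, len(padded), 64):
        state = md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


# Test vectors from RFC 1320, section A.5.
_RFC_VECTORS = {
    b"": "31d6cfe0d16ae931b73c59d7e0c089c0",
    b"a": "bde52cb31de33e46245e05fbdbd6fb24",
    b"abc": "a448017aaf21d8525fc10ae87aa6729d",
    b"message digest": "d9130a8164549fe818874806e1c7014b",
    b"abcdefghijklmnopqrstuvwxyz": "d79e1c308aa5bbcdeea8ed63df412da9",
    b"1234567890" * 8: "e33b4ddc9c38f2199c3e7b164fcc0536",  # two blocks
}


def check_test_vectors():
    """True if every RFC 1320 vector matches this implementation (example helper)."""
    return all(md4(msg).hex() == digest for msg, digest in _RFC_VECTORS.items())


if __name__ == "__main__":
    for msg, expected in _RFC_VECTORS.items():
        print(md4(msg).hex(), expected, msg[:20])
    print("all vectors match:", check_test_vectors())
```

The two-block vector exercises the chaining between compression calls, which is where the Merkle–Damgård structure shows: the digest is simply the final chaining value, so the whole state that an attacker would need in order to continue hashing is exposed in the output. This is the structural property that later made length-extension a concern for this family, independent of the collision results discussed below.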

Security analysis and vulnerabilities

Cryptanalysis began to expose weaknesses within a few years of publication. Collisions were demonstrated using differential techniques by researchers affiliated with groups such as the Crypto '95 contributors and academics at Technische Universität Darmstadt. Later, more efficient collision and preimage attacks were produced by teams including members of EPFL and CWI and by independent cryptanalysts publishing at venues such as Eurocrypt and CRYPTO. These attacks exploit insufficient non-linearity and the small state size, enabling practical collision generation orders of magnitude faster than brute force and undermining the properties relied upon in protocols endorsed by the IETF and by implementers at Microsoft and Apple. As a result, standards organizations and vendors listed the function as deprecated in guidance from entities such as NIST and various certification bodies.

Implementations and performance

Implementations appeared in many cryptographic libraries, including early releases from projects maintained at MIT and proprietary stacks from companies such as Microsoft and Sun Microsystems. A straightforward implementation is compact and extremely fast on 32-bit architectures, and optimized assembly routines were produced for processors from Intel and ARM licensees. Open-source projects hosted by communities such as The Apache Software Foundation and FreeBSD initially included MD4 support; later distributions removed or disabled it following security advisories from vendors such as Red Hat and Debian. Performance benchmarks against contemporaries such as MD5 and SHA-1 show MD4 to be markedly faster, one reason for its early adoption in resource-constrained environments.

Applications and historical use

Historically, MD4 served as the basis for password hashing and fingerprinting in protocols and applications produced by vendors such as Microsoft (notably in authentication protocols used in Windows NT-era products) and was embedded in file formats and utilities from projects at MIT and Sun Microsystems. It influenced message-authentication constructions and was an ingredient in derivations used by standards bodies such as the IETF for experimental designs. Academic courses and textbooks from institutions such as Stanford University and the University of Cambridge used it as a teaching example of a Merkle–Damgård hash, while cryptanalytic work on MD4 informed research directions at conferences including CRYPTO and Eurocrypt.

Variants and extensions

Several variants and extensions have been built on MD4's primitives or structure. Notable descendants include MD5, which added a round and modified the constants, and other experimental functions proposed in the cryptographic literature by groups at RSA Laboratories and universities such as ETH Zurich. Some research proposals involved truncated-output or increased-round variants intended to patch structural weaknesses; these were evaluated in academic publications and at conferences such as the RSA Conference and Financial Cryptography and Data Security. Tooling for automated cryptanalysis and symbolic evaluation from research teams at CWI and EPFL often used simplified or modified MD4 instances to demonstrate methods that later generalized to broader families.

Categories: Cryptographic hash functions; Ronald Rivest