MD4 is a 128-bit hash function. The original MD4 design goals were that breaking it should require roughly brute-force effort: finding distinct messages with the same hash-value should take about $2^{64}$ operations (the birthday bound for a 128-bit output), and finding a message yielding a pre-specified hash-value about $2^{128}$ operations. It is now known that MD4 fails to meet this goal. Nonetheless, a full description of MD4 is included as Algorithm for historical and cryptanalytic reference. It also serves as a convenient reference for describing, and allowing comparisons between, other hash functions in this family (MD5, SHA-1 and RIPEMD-160 all inherit its structure).
MD4 collisions: Collisions have been found for MD4 in $2^{20}$ compression function computations. For this reason, MD4 is no longer recommended for use as a collision-resistant hash function. At the time of writing its utility as a one-way function had not been studied in light of this result, but it is prudent to expect a preimage attack on MD4 requiring fewer than $2^{128}$ operations to be found. (Both expectations have since been confirmed: MD4 collisions can now be produced essentially by hand, and a preimage attack well below the $2^{128}$ bound has been published. MD4 should not be used for any security purpose.)
MD5 was designed as a strengthened version of MD4, prior to actual MD4 collisions being found. It has enjoyed widespread use in practice. It has also now been found to have weaknesses; full MD5 collisions were subsequently published (Wang and Yu, 2005), and chosen-prefix collisions have since been demonstrated, so MD5 likewise must not be relied on for collision resistance.
The changes made to obtain MD5 from MD4 are as follows:
1. addition of a fourth round of 16 steps, and a Round 4 function
2. replacement of the Round 2 function by a new function
3. modification of the access order for message words in Rounds 2 and 3
4. modification of the shift amounts (such that shifts differ in distinct rounds)
5. use of unique additive constants in each of the 4*16 steps, the constant for step j being the integer part of $2^{32} \cdot |\sin(j)|$, with j = 1, ..., 64 in radians (requiring overall 64 words, i.e. 256 bytes, of storage)
6. addition of output from the previous step into each of the 64 steps.
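The six changes above are easiest to see in code. The following is an added example, not text or code from the Handbook: a self-contained MD5 in Python written so that each listed change is visible in a comment, with the additive constants generated from the sine formula rather than copied from a table, and with a helper that checks the result against the standard library's `hashlib.md5`. Function names such as `compress`, `message_word_index` and `matches_hashlib` are this example's own; the algorithm itself follows the MD5 specification (RFC 1321).

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Change 4: per-step rotation amounts, a different set in each of the four rounds.
SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
          + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)


def additive_constants():
    """Change 5: T[j] = integer part of 2^32 * |sin(j)|, j = 1..64, j in radians."""
    return [int(abs(math.sin(j)) * 2 ** 32) & MASK32 for j in range(1, 65)]


T = additive_constants()  # 64 words = 256 bytes of table, one constant per step


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


# Round functions. F and H are inherited from MD4; G replaces MD4's majority
# function (change 2) and I is the new fourth-round function (change 1).
def F(x, y, z): return ((x & y) | (~x & z)) & MASK32
def G(x, y, z): return ((x & z) | (y & ~z)) & MASK32
def H(x, y, z): return (x ^ y ^ z) & MASK32
def I(x, y, z): return (y ^ (x | ~z)) & MASK32


def message_word_index(step):
    """Change 3: which of the 16 message words step j (0..63) consumes."""
    rnd, i = divmod(step, 16)
    if rnd == 0:
        return i
    if rnd == 1:
        return (5 * i + 1) % 16
    if rnd == 2:
        return (3 * i + 5) % 16
    return (7 * i) % 16


def compress(state, block):
    """One MD5 compression-function call on a 64-byte block."""
    a, b, c, d = state
    X = struct.unpack('<16I', block)
    for j in range(64):                       # change 1: 4 rounds x 16 steps
        f = (F, G, H, I)[j // 16](b, c, d)
        t = (a + f + X[message_word_index(j)] + T[j]) & MASK32
        # Change 6: the previous step's output (b) is added to the rotated value.
        a, b, c, d = d, (b + rotl32(t, SHIFTS[j])) & MASK32, b, c
    # Feed-forward of the chaining value (as in MD4).
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d)))


def md5(message: bytes) -> bytes:
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    # Merkle-Damgard strengthening: 0x80, zero padding, 64-bit little-endian bit length.
    padded = message + b'\x80'
    padded += b'\x00' * ((56 - len(padded) % 64) % 64)
    padded += struct.pack('<Q', (8 * len(message)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(padded), 64):
        state = compress(state, padded[off:off + 64])
    return struct.pack('<4I', *state)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return md5(message) == hashlib.md5(message).digest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"message digest"):   # constructed sample inputs
        print(m, md5(m).hex(), matches_hashlib(m))
```

Two things are worth noticing when running it. First, the first constant comes out as `0xd76aa478`, matching the value in the specification, which confirms the sine formula (with j in radians) rather than a memorised table. Second, removing the `b +` in change 6, or replacing `G` by MD4's majority function, still yields a perfectly well-formed 128-bit digest; none of the six changes is detectable from the output, which is why structural differences of this kind have to be evaluated by cryptanalysis rather than by testing.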
MD5 compression function collisions: At the time of writing no collisions for MD5 itself had been found, but collisions had been found for the MD5 compression function. More specifically, these are collisions for random IV (also called pseudo-collisions): two distinct chaining values IV and IV' and a single message block M such that the compression function maps (IV, M) and (IV', M) to the same output. Such a result does not by itself yield colliding messages, since the IV of MD5 is fixed, but it was an early warning that the compression function does not behave like a random function. Full MD5 collisions were subsequently published in 2005.