

MD4

MD4 is a 128-bit hash function. The original MD4 design goals were that breaking it should require roughly brute-force effort: finding two distinct messages with the same hash value should take about 2^{64} operations, and finding a message yielding a prespecified hash value about 2^{128} operations. It is now known that MD4 fails to meet this goal. Nonetheless, a full description of MD4 is included as an algorithm listing for historical and cryptanalytic reference. It also serves as a convenient reference for describing, and allowing comparisons between, other hash functions in this family.

MD4 collisions: Collisions have been found for MD4 in about 2^{20} compression function computations (Dobbertin, 1996). For this reason, MD4 is no longer recommended for use as a collision-resistant hash function. At the time this was written its utility as a one-way function had not been studied in light of that result, but it was prudent to expect that a preimage attack on MD4 requiring fewer than 2^{128} operations would be found; such an attack has since been published (Leurent, 2008), with complexity well below 2^{128}.

MD5

MD5 was designed as a strengthened version of MD4, before actual MD4 collisions were found. It has enjoyed widespread use in practice, and it too has now been found to have weaknesses. The changes made to obtain MD5 from MD4 are as follows:

1. addition of a fourth round of 16 steps, and a Round 4 function;
2. replacement of the Round 2 function by a new function;
3. modification of the access order for message words in Rounds 2 and 3;
4. modification of the shift amounts (such that shifts differ in distinct rounds);
5. use of a unique additive constant in each of the 4 x 16 = 64 steps, the constant for step j being the integer part of 2^{32} . |sin(j)| for j = 1, ..., 64 (j in radians), which requires 64 x 4 = 256 bytes of storage overall;
6. addition of the output of the previous step (register b) into the result of each of the 64 steps.

MD5 compression function collisions: At the time this was written no collisions for MD5 itself had been found, but collisions had been found for the MD5 compression function; more specifically, these are called collisions for random IV. That statement is now out of date: full MD5 collisions were published by Wang et al. in 2004, and MD5 should not be relied on for collision resistance either.
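To make the six MD4-to-MD5 changes above concrete, here is a side-by-side implementation of both compression functions in Python. This is an added example, not code from the source text; it is transcribed from the public specifications (RFC 1320 for MD4, RFC 1321 for MD5), and the names MD4_SCHEDULE, MD5_SCHEDULE, MD5_T, md4 and md5 are this example's own. Each change is tagged in a comment: the added round and its function (I5), the replaced Round 2 function (G4 versus G5), the changed word access order and shifts, the per-step sin-derived constants, and the per-step addition of the previous step's output (the add_prev flag). Both functions are checked against the RFC test vectors.

```python
"""MD4 and MD5 side by side, written to make the six MD4 -> MD5 changes visible.
Added example (not from the source text); transcribed from RFC 1320 / RFC 1321."""
import math
import struct

MASK = 0xFFFFFFFF
# Shared initial chaining value (little-endian words A, B, C, D)
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def pad(msg):
    """Merkle-Damgard padding common to both: 0x80, zeros, 64-bit LE bit length."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack("<Q", bit_len)


# Step functions. F and H are shared; MD5 drops MD4's majority function (G4)
# for G5 (change 2) and adds a fourth-round function I5 (change 1).
F = lambda x, y, z: ((x & y) | (~x & z)) & MASK
G4 = lambda x, y, z: ((x & y) | (x & z) | (y & z)) & MASK
H = lambda x, y, z: (x ^ y ^ z) & MASK
G5 = lambda x, y, z: ((x & z) | (y & ~z)) & MASK
I5 = lambda x, y, z: (y ^ (x | ~z)) & MASK

# Change 5: one additive constant per step, T[j] = floor(2^32 * |sin(j)|), j = 1..64 in radians.
MD5_T = [int(abs(math.sin(j)) * 2**32) & MASK for j in range(1, 65)]


def _md4_schedule():
    """48 steps of (function, message word index, shift, additive constant)."""
    sched = [(F, i, (3, 7, 11, 19)[i % 4], 0) for i in range(16)]
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    sched += [(G4, order2[i], (3, 5, 9, 13)[i % 4], 0x5A827999) for i in range(16)]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    sched += [(H, order3[i], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1) for i in range(16)]
    return sched


def _md5_schedule():
    """64 steps; changes 3 and 4: new word orders in rounds 2-4 and distinct shifts per round."""
    sched = []
    for i in range(64):
        if i < 16:
            f, k, s = F, i, (7, 12, 17, 22)[i % 4]
        elif i < 32:
            f, k, s = G5, (5 * i + 1) % 16, (5, 9, 14, 20)[i % 4]
        elif i < 48:
            f, k, s = H, (3 * i + 5) % 16, (4, 11, 16, 23)[i % 4]
        else:
            f, k, s = I5, (7 * i) % 16, (6, 10, 15, 21)[i % 4]
        sched.append((f, k, s, MD5_T[i]))
    return sched


MD4_SCHEDULE = _md4_schedule()
MD5_SCHEDULE = _md5_schedule()


def _compress(state, block, schedule, add_prev):
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for f, k, s, t in schedule:
        tmp = rotl((a + f(b, c, d) + X[k] + t) & MASK, s)
        if add_prev:                # change 6: MD5 adds the previous step's output (b)
            tmp = (tmp + b) & MASK
        a, b, c, d = d, tmp, b, c   # rotate register roles for the next step
    # Davies-Meyer style feed-forward of the chaining value (present in both)
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def _digest(msg, schedule, add_prev):
    state = IV
    data = pad(bytes(msg))
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64], schedule, add_prev)
    return struct.pack("<4I", *state).hex()


def md4(msg):
    return _digest(msg, MD4_SCHEDULE, False)


def md5(msg):
    return _digest(msg, MD5_SCHEDULE, True)


if __name__ == "__main__":
    for m in (b"", b"abc"):
        print(f"MD4({m!r}) = {md4(m)}   MD5({m!r}) = {md5(m)}")
```

Flipping add_prev to False for the MD5 schedule, or swapping G5 back to G4, gives a function that no longer matches hashlib.md5, which is a quick way to confirm that each listed change is actually exercised. Both functions are here for reference and cryptanalysis only; neither should be used where collision resistance is required.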