MD4 is Not One-Way

MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash functions (MD5, SHA-1, SHA-2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a one-way function. In this paper we show a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of 2^32 compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity 2^96, and we extend it to an attack on the full MD4 with complexity 2^102. As far as we know this is the first preimage attack on a member of the MD4 family.
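The abstract talks about three things a reader may want to see concretely: the MD4 compression function (as distinct from the full, padded hash), the notion of a pseudo-preimage (the attacker may choose the chaining value fed into the compression function), and the cost arithmetic that turns "64 output bits for 2^32 work" into a 2^96 preimage on a 128-bit compression function. The following is an added example, not code from the paper or its authors: it implements MD4 per RFC 1320, exposes the compression function and its chaining value, brute-forces a toy-sized partial preimage to show the generic 2^k baseline that the paper's result beats, and computes the combined cost. The function names (md4_compress, generic_partial_preimage, preimage_cost_log2) and the message-counter search strategy are my own; the paper's actual attack is not reproduced here.

```python
import struct

MASK = 0xFFFFFFFF
# MD4 initial chaining value (RFC 1320)
MD4_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def _F(x, y, z):  # round 1: bitwise select
    return (x & y) | (~x & z)


def _G(x, y, z):  # round 2: majority
    return (x & y) | (x & z) | (y & z)


def _H(x, y, z):  # round 3: parity
    return x ^ y ^ z


# Per round: boolean function, additive constant, message-word order, rotation amounts
_ROUNDS = (
    (_F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
    (_G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (_H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def md4_compress(chaining_value, block):
    """One MD4 compression: 48 steps over a 64-byte block, then feed-forward.
    In a pseudo-preimage the attacker controls chaining_value as well as block."""
    assert len(block) == 64
    x = struct.unpack('<16I', block)
    a, b, c, d = chaining_value
    for func, const, order, shifts in _ROUNDS:
        for i in range(16):
            a = _rotl((a + func(b, c, d) + x[order[i]] + const) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate register roles for the next step
    return tuple((s + v) & MASK for s, v in zip(chaining_value, (a, b, c, d)))


def md4_pad(message):
    """Merkle-Damgard strengthening: 0x80, zeros to 56 mod 64, little-endian bit length."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    return message + b'\x80' + b'\x00' * ((55 - len(message)) % 64) + struct.pack('<Q', bit_len)


def md4_digest(message, iv=MD4_IV):
    """Full MD4: iterate md4_compress over the padded message starting from iv."""
    padded = md4_pad(message)
    state = iv
    for off in range(0, len(padded), 64):
        state = md4_compress(state, padded[off:off + 64])
    return struct.pack('<4I', *state)


def md4_hex(message):
    return md4_digest(message).hex()


def preimage_cost_log2(output_bits=128, controlled_bits=0, controlled_cost_log2=0):
    """log2 of the expected work for a full preimage when an attacker can fix
    controlled_bits of the output at a cost of 2^controlled_cost_log2 per attempt
    and the remaining output bits behave randomly (success probability
    2^-(output_bits - controlled_bits) per attempt). With no control this is the
    generic 2^128; with the paper's 64 bits at 2^32 it is 2^(32 + 64) = 2^96."""
    return controlled_cost_log2 + (output_bits - controlled_bits)


def generic_partial_preimage(target, k, max_tries=None):
    """Generic brute force for a partial preimage: find a message whose MD4 digest
    agrees with `target` (a k-bit integer) on its first k bits. Expected work is
    2^k hash evaluations, which is the baseline the paper's 2^32-for-64-bits beats.
    Messages are an 8-byte little-endian counter (a constructed search space).
    Returns (message, tries) or (None, tries) if max_tries is exhausted."""
    if max_tries is None:
        max_tries = 1 << (k + 4)  # failure probability about e^-16
    for counter in range(max_tries):
        msg = counter.to_bytes(8, 'little')
        prefix = int.from_bytes(md4_digest(msg), 'big') >> (128 - k)
        if prefix == target:
            return msg, counter + 1
    return None, max_tries


if __name__ == '__main__':
    print(md4_hex(b'abc'))                       # RFC 1320 test vector
    print(preimage_cost_log2(), preimage_cost_log2(128, 64, 32))
    msg, tries = generic_partial_preimage(0x5A7, 12)
    print(msg.hex(), tries)
```

Running the toy search for a 12-bit prefix takes a few thousand MD4 evaluations, matching the 2^k expectation; scaling k to 64 is what makes the generic route infeasible, and the paper's contribution is exactly that the compression function lets those 64 bits be fixed for 2^32 instead.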
