
MD4-derived hash functions


>Date: Tue, 24 Oct 1995 13:14:41 -0400
>From: [email protected]
>Subject: Re: MD5 weakness

>Ron has not mentioned such an event to me and if that were the case I would
>seriously doubt that he would not have been told about it. The only comment he
>generally makes is that he wrote MD5 because "MD4 was making me nervous".

In the MD5 RFC, I seem to recall the statement that MD4 was trading
off too much strength for additional speed.  However, sometime
around that time, it came out that there were attacks on two-round
variants of MD4, which is the stated reason for the development of
RIPE-MD.  Does anyone know whether Rivest was motivated to design
MD5 by the partial attacks on MD4, or whether those came later?
(This is totally idle curiosity.)

>NIST and the NSA trusted MD4 sufficiently to base SHA upon it. SHA is preferable
>in many ways to MD5; it has a different approach to extending the scheduling and
>resists differential cryptanalysis. There is a problem with the compressor
>function of MD5 which I dislike.

All of the well-known software hash functions seem to be based on
MD4 these days, but that doesn't mean much about the security of
MD4--3DES with three independent keys looks pretty strong, as does
3DES with two independent keys, but that doesn't mean that single
DES is a strong enough cipher for modern applications.

One issue that exists with MD5, but not with SHA or the longer hash
versions of Haval, is that MD5 has only a 128 bit hash function
output, which corresponds loosely to having a 64-bit key.  This
implies that a wealthy enough opponent could determine a pair of MD5
inputs that collide, and conceivably use this in an attack.  I think
we should stick to 160 bit or longer hashes for future designs.
(See P. van Oorschot and M. Wiener, "Parallel Collision Search with
Application to Hash Functions and Discrete Logarithms," in the
proceedings of the 1994 Fairfax Conference, for example).

As an aside, what hash functions are there out there that look
reasonably strong, have hash outputs of at least 160 bits, and
aren't based on MD4?  Some of the Snefru variants with many passes
(eight?) come to mind, and the GOST hash function fits all the
criteria, except I have a hard time convincing myself it's as strong
as it claims to be.  Is there a generic construction for
arbitrary-length hash functions from good block or stream ciphers?

>	Phill

   --John Kelsey, [email protected]
 PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36

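The two technical questions in the message above, what a 2^(n/2) collision search on an n-bit hash actually costs and whether a hash function can be built generically from a good block cipher, are illustrated by the following added example. It is not part of John Kelsey's post or of any of the hash functions he names. It assumes AES-128 (which postdates the thread) as the block cipher, used in the Davies-Meyer construction inside a Merkle-Damgard chain with the MD4-family padding, giving a 128-bit output like MD5; the all-zero IV, the 4-byte input encoding and the truncation to n bits are choices made for this example only. The collision finder is a single-worker form of the van Oorschot-Wiener distinguished-point method.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/rand"
)

// compress is the Davies-Meyer construction: the message block is used as the
// block-cipher key, the chaining value is the plaintext, and the plaintext is
// XORed back into the ciphertext so the step cannot be undone by decrypting.
//   H_i = E_{M_i}(H_{i-1}) XOR H_{i-1}
// AES-128 is assumed as the cipher (an assumption of this example); its 128-bit
// block gives a 128-bit hash, the same width as MD5.
func compress(h, m [16]byte) [16]byte {
	c, err := aes.NewCipher(m[:])
	if err != nil {
		panic(err) // cannot happen: the key is always exactly 16 bytes
	}
	var out [16]byte
	c.Encrypt(out[:], h[:])
	for i := range out {
		out[i] ^= h[i]
	}
	return out
}

// Hash iterates compress in a Merkle-Damgard chain with MD4-family padding:
// a 0x80 byte, zeros, then the 64-bit message length in bits. The all-zero IV
// is an arbitrary fixed constant chosen for this example.
func Hash(msg []byte) [16]byte {
	padded := append([]byte{}, msg...)
	padded = append(padded, 0x80)
	for len(padded)%16 != 8 {
		padded = append(padded, 0)
	}
	var bitlen [8]byte
	binary.BigEndian.PutUint64(bitlen[:], uint64(len(msg))*8)
	padded = append(padded, bitlen[:]...)

	var h [16]byte
	for i := 0; i < len(padded); i += 16 {
		var blk [16]byte
		copy(blk[:], padded[i:i+16])
		h = compress(h, blk)
	}
	return h
}

// TruncHash keeps only the leading nbits (1..32) of Hash applied to the 4-byte
// big-endian encoding of x, so that an n-bit hash can be attacked in seconds
// and the 2^(n/2) scaling of the collision cost can be observed directly.
func TruncHash(x uint32, nbits uint) uint32 {
	var in [4]byte
	binary.BigEndian.PutUint32(in[:], x)
	h := Hash(in[:])
	return binary.BigEndian.Uint32(h[:4]) >> (32 - nbits)
}

type trail struct {
	start  uint32
	length int
}

// FindCollision is the distinguished-point collision search of van Oorschot
// and Wiener on one worker: iterate f from a random start until a point whose
// low dbits are zero, store (point -> start, length), and when a second trail
// reaches a stored point walk both trails to the colliding inputs. Several
// workers sharing one table is what makes the method parallel. It returns two
// distinct inputs with equal output and the number of f evaluations spent.
func FindCollision(nbits, dbits uint, seed int64) (a, b uint32, steps int) {
	f := func(x uint32) uint32 { return TruncHash(x, nbits) }
	rng := rand.New(rand.NewSource(seed))
	table := map[uint32]trail{}
	dmask := uint32(1)<<dbits - 1
	maxLen := 20 << dbits // a trail this long is looping in a cycle with no distinguished point

	for {
		start := rng.Uint32() >> (32 - nbits)
		x, n := start, 0
		for x&dmask != 0 && n <= maxLen {
			x = f(x)
			n++
			steps++
		}
		if n > maxLen {
			continue // abandon the trail and pick a fresh start
		}
		if prev, ok := table[x]; ok && prev.start != start {
			if a, b, ok := locate(f, prev, trail{start, n}); ok {
				return a, b, steps
			}
		}
		table[x] = trail{start, n}
	}
}

// locate walks two trails ending at the same distinguished point, aligns them
// to equal remaining length, and returns the first pair of distinct inputs
// with equal output. It reports false when one trail merely starts on the
// other, in which case they merge without a genuine collision.
func locate(f func(uint32) uint32, t1, t2 trail) (uint32, uint32, bool) {
	a, b := t1.start, t2.start
	n1, n2 := t1.length, t2.length
	for n1 > n2 {
		a = f(a)
		n1--
	}
	for n2 > n1 {
		b = f(b)
		n2--
	}
	if a == b {
		return 0, 0, false
	}
	for {
		fa, fb := f(a), f(b)
		if fa == fb {
			return a, b, true
		}
		a, b = fa, fb
	}
}

func main() {
	h := Hash([]byte("abc"))
	fmt.Printf("Hash(%q) = %s\n", "abc", hex.EncodeToString(h[:]))
	for _, n := range []uint{16, 24, 32} {
		a, b, steps := FindCollision(n, 4, 1)
		fmt.Printf("%2d-bit hash: %08x and %08x both map to %x after %d steps (2^(n/2) = %d)\n",
			n, a, b, TruncHash(a, n), steps, 1<<(n/2))
	}
}
```

Running it shows the step count growing by roughly a factor of 16 each time the output width grows by 8 bits, which is the sense in which a 128-bit hash "corresponds loosely to a 64-bit key": the work is 2^64 evaluations, not 2^128. It also answers the generic-construction question with a caveat: a single-block-length construction like Davies-Meyer yields a hash only as wide as the cipher's block, so a 64-bit block cipher such as DES gives a 64-bit hash, far below the 160 bits the message argues for; wider outputs need a wide-block cipher or a double-block-length construction.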