MD4 weaknesses (Was: Windows .PWL cracker implemented as a Word Basic virus)
At 06:20 PM 12/10/95 -0500, daw@quito.CS.Berkeley.EDU (David A Wagner) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> In article <95Dec10.175318edt.1732@cannon.ecf.toronto.edu>, SINCLAIR DOUGLAS N <sinclai@ecf.toronto.edu> wrote:
> > My understanding was that MD4 had been broken once, at the cost of much computer time.
>
> Not *that* much computer time... In my copy of Hans Dobbertin's paper, the abstract says
>
> ``An implementation of our attack allows to find collisions for MD4 in less than a minute on a PC.''
>
> As far as I know, the difficulty of inverting MD4 is still an open problem -- but why would you want to use a broken algorithm like MD4 when you can use MD2, MD5, or SHA?
Do you have a reference to Dobbertin's paper? Schneier's discussion of MD4 says that DeBoor and Bosselaers cryptanalyzed the last two of the three rounds of MD4 in 1991, Merkle did the first two, and Biham discussed a differential attack on the first two, but nobody had done the whole thing. Does Dobbertin's attack take one of these and use it to feed an otherwise-brute-force search?

#--
# Thanks; Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0663 Pager/Voicemail 1-408-787-1281
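Editor's added example, not part of the thread and not code from Dobbertin's paper or Schneier's book: a from-scratch MD4 (RFC 1320) written so the three rounds the discussion keeps referring to (round 1 built on F, round 2 on G with constant 5A827999, round 3 on H with constant 6ED9EBA1) are explicit, plus a `rounds` parameter that stops the compression function after one or two rounds. That parameter is an assumption added here for experimenting with reduced-round variants; it is not the precise model used in the partial cryptanalyses mentioned above. The expected digests come from the RFC 1320 test suite.

```python
"""
Reference MD4 (RFC 1320) with its three rounds written out, plus an
assumed-for-illustration `rounds` knob giving a reduced-round variant.
Added example; not code from the mailing-list thread or from the cited papers.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    """32-bit left rotate."""
    return ((x << s) | (x >> (32 - s))) & MASK


# The three boolean round functions from RFC 1320.
def _f(x: int, y: int, z: int) -> int:
    return (x & y) | (~x & z)


def _g(x: int, y: int, z: int) -> int:
    return (x & y) | (x & z) | (y & z)


def _h(x: int, y: int, z: int) -> int:
    return x ^ y ^ z


# Per-round parameters: (round function, additive constant,
# message-word access order, shift schedule repeated every 4 steps).
_ROUNDS = (
    (_f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
    (_g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def _compress(state: tuple, block: bytes, rounds: int) -> tuple:
    """One MD4 compression of a 64-byte block, running only the first `rounds` rounds."""
    X = struct.unpack("<16I", block)  # 16 little-endian 32-bit message words
    a, b, c, d = state
    for func, const, order, shifts in _ROUNDS[:rounds]:
        for i in range(16):
            a = _rotl((a + func(b, c, d) + X[order[i]] + const) & MASK, shifts[i % 4])
            # Rotate the register names so the next step updates the next register
            # (ABCD, DABC, CDAB, BCDA ... as in the RFC's step listing).
            a, b, c, d = d, a, b, c
    # Davies-Meyer style feed-forward: add the block's result to the chaining value.
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes, rounds: int = 3) -> bytes:
    """MD4 digest of `data`. rounds=3 is real MD4; 1 or 2 is the assumed reduced-round variant."""
    if not 1 <= rounds <= 3:
        raise ValueError("rounds must be 1, 2 or 3")
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    # Merkle-Damgard padding: 0x80, zeros up to 56 mod 64, then the 64-bit
    # little-endian bit length.
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64], rounds)
    return struct.pack("<4I", *state)


def md4_hex(data: bytes, rounds: int = 3) -> str:
    return md4(data, rounds).hex()


def collides(m1: bytes, m2: bytes, rounds: int = 3) -> bool:
    """True when two distinct messages share a digest under the given round count."""
    return m1 != m2 and md4(m1, rounds) == md4(m2, rounds)


if __name__ == "__main__":
    # RFC 1320 test-suite inputs (the expected digests are in the RFC's appendix).
    for msg in (b"", b"a", b"abc", b"message digest", b"abcdefghijklmnopqrstuvwxyz"):
        print(f"MD4({msg!r}) = {md4_hex(msg)}")
    print("2-round MD4('abc') =", md4_hex(b"abc", rounds=2))
```

Pass `rounds=1` or `rounds=2` to `md4`/`collides` when you want to reproduce the setting in which "the first two rounds" of MD4 are analysed; the default is the full three-round function and matches the RFC vectors.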