MD4 weaknesses (Was: Windows .PWL cracker implemented as a Word Basic virus)

Bill Stewart stewarts at ix.netcom.com
Mon Dec 11 19:35:39 PST 1995


At 06:20 PM 12/10/95 -0500, daw at quito.CS.Berkeley.EDU (David A Wagner) wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>In article <95Dec10.175318edt.1732 at cannon.ecf.toronto.edu>,
>SINCLAIR  DOUGLAS N <sinclai at ecf.toronto.edu> wrote:
>> My understanding was that MD4 had been broken once, at the cost of 
>> much computer time.
>Not *that* much computer time...
>In my copy of Hans Dobbertin's paper, the abstract says 
>
>``An implementation of our 
>attack allows to find collisions for MD4 in less than a minute on a PC.''
>
>As far as I know, the difficulty of inverting MD4 is still an open
>problem -- but why would you want to use a broken algorithm like MD4
>when you can use MD2, MD5, or SHA?

Do you have a reference to Dobbertin's paper?

Schneier's discussion of MD4 says that den Boer and Bosselaers cryptanalyzed
the last two of the three rounds of MD4 in 1991, Merkle did the first two,
and Biham discussed a differential attack on the first two, but nobody
had done the whole thing.  Does Dobbertin's attack take one of these
and use it to feed an otherwise-brute-force search?
#--
#				Thanks;  Bill
# Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com
# Phone +1-510-247-0663 Pager/Voicemail 1-408-787-1281