SHA-1 rumors

Greg Rose ggr at
Mon Aug 16 16:20:34 PDT 2004

At 15:50 2004-08-16 -0400, Matt Curtin wrote:
>Eric Rescorla <ekr at> writes:
> > P.S. AFAIK, although Dobbertin was able to find preimages for
> > reduced MD4, there still isn't a complete break in MD4. Correct?
>Dobbertin's work on was reduced MD5.  I haven't heard anything about
>progress on that front for several years.

No, it was on the compression function, but not in any sense "reduced". But
you had to start with particular values of the chaining variables, and in
practice no-one knows how to do that, so MD5 (as a whole) isn't broken by
this, at least until tomorrow evening. The rumour here is that MD5, HAVAL,
and RIPE-MD are all goners. We know SHA-0 is toast too. There might also be
results against SHA-1. Hash functions are hard.

And the reason you haven't heard any progress from Dobbertin is because his
employers told him to either stop working on it, or stop talking about it,
depending which version of the story you've heard. Since he works for the
German NSA-equivalent, I guess he would take this seriously.


Greg Rose                                    INTERNET: ggr at
Qualcomm Australia       VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,   
Gladesville NSW 2111/232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

--- end forwarded text

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list