MD4 Message Digest Algorithm
RFC 1186
Document  Type 
RFC  Informational
(October 1990; No errata)
Obsoleted by RFC 1320



Last updated  20130302  
Stream  Legacy  
Formats  plain text html pdf htmlized bibtex  
Stream  Legacy state  (None)  
Consensus Boilerplate  Unknown  
RFC Editor Note  (None)  
IESG  IESG state  RFC 1186 (Informational)  
Telechat date  
Responsible AD  (None)  
Send notices to  (None) 
Network Working Group R. Rivest Request for Comments: 1186 MIT Laboratory for Computer Science October 1990 The MD4 Message Digest Algorithm Status of this Memo This RFC is the specification of the MD4 Digest Algorithm. If you are going to implement MD4, it is suggested you do it this way. This memo is for informational use and does not constitute a standard. Distribution of this memo is unlimited. Table of Contents 1. Abstract .................................................... 1 2. Terminology and Notation .................................... 2 3. MD4 Algorithm Description ................................... 2 4. Extensions .................................................. 6 5. Summary ..................................................... 7 6. Acknowledgements ............................................ 7 APPENDIX  Reference Implementation ............................. 7 Security Considerations.......................................... 18 Author's Address................................................. 18 1. Abstract This note describes the MD4 message digest algorithm. The algorithm takes as input an input message of arbitrary length and produces as output a 128bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD4 algorithm is thus ideal for digital signature applications, where a large file must be "compressed" in a secure manner before being signed with the RSA publickey cryptosystem. The MD4 algorithm is designed to be quite fast on 32bit machines. On a SUN Sparc station, MD4 runs at 1,450,000 bytes/second. On a DEC MicroVax II, MD4 runs at approximately 70,000 bytes/second. On a 20MHz 80286, MD4 runs at approximately 32,000 bytes/second. In addition, the MD4 algorithm does not require any large substitution tables; the algorithm can be coded quite compactly. The MD4 algorithm is being placed in the public domain for review and possible adoption as a standard. Rivest [Page 1] RFC 1186 MD4 Message Digest Algorithm October 1990 (Note: The document supersedes an earlier draft. The algorithm described here is a slight modification of the one described in the draft.) 2. Terminology and Notation In this note a "word" is a 32bit quantity and a byte is an 8bit quantity. A sequence of bits can be interpreted in a natural manner as a sequence of bytes, where each consecutive group of 8 bits is interpreted as a byte with the highorder (most significant) bit of each byte listed first. Similarly, a sequence of bytes can be interpreted as a sequence of 32bit words, where each consecutive group of 4 bytes is interpreted as a word with the loworder (least significant) byte given first. Let x_i denote "x sub i". If the subscript is an expression, we surround it in braces, as in x_{i+1}. Similarly, we use ^ for superscripts (exponentiation), so that x^i denotes x to the ith power. Let the symbol "+" denote addition of words (i.e., modulo 2^32 addition). Let X <<< s denote the 32bit value obtained by circularly shifting (rotating) X left by s bit positions. Let not(X) denote the bitwise complement of X, and let X v Y denote the bitwise OR of X and Y. Let X xor Y denote the bitwise XOR of X and Y, and let XY denote the bitwise AND of X and Y. 3. MD4 Algorithm Description We begin by supposing that we have a bbit message as input, and that we wish to find its message digest. Here b is an arbitrary nonnegative integer; b may be zero, it need not be a multiple of 8, and it may be arbitrarily large. We imagine the bits of the message written down as follows: m_0 m_1 ... m_{b1} . The following five steps are performed to compute the message digest of the message. Step 1. Append padding bits The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits shy of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512 (in which case 512 bits of padding are added). Rivest [Page 2] RFC 1186 MD4 Message Digest Algorithm October 1990 Padding is performed as follows: a single "1" bit is appended to the message, and then enough zero bits are appended so thatShow full document text