MD4 Message Digest Algorithm
RFC 1186

Document Type RFC - Informational (October 1990; No errata)
Obsoleted by RFC 1320
Last updated 2013-03-02
Stream Legacy
Formats plain text pdf html bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 1186 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                         R. Rivest
Request for Comments: 1186          MIT Laboratory for Computer Science
                                                           October 1990

                    The MD4 Message Digest Algorithm

Status of this Memo

   This RFC is the specification of the MD4 Digest Algorithm.  If you
   are going to implement MD4, it is suggested you do it this way.  This
   memo is for informational use and does not constitute a standard.
   Distribution of this memo is unlimited.

Table of Contents

   1.  Abstract ....................................................    1
   2.  Terminology and Notation ....................................    2
   3.  MD4 Algorithm Description ...................................    2
   4.  Extensions ..................................................    6
   5.  Summary .....................................................    7
   6.  Acknowledgements ............................................    7
   APPENDIX - Reference Implementation .............................    7
   Security Considerations..........................................   18
   Author's Address.................................................   18

1. Abstract

   This note describes the MD4 message digest algorithm.  The algorithm
   takes as input an input message of arbitrary length and produces as
   output a 128-bit "fingerprint" or "message digest" of the input.  It
   is conjectured that it is computationally infeasible to produce two
   messages having the same message digest, or to produce any message
   having a given prespecified target message digest.  The MD4 algorithm
   is thus ideal for digital signature applications, where a large file
   must be "compressed" in a secure manner before being signed with the
   RSA public-key cryptosystem.

   The MD4 algorithm is designed to be quite fast on 32-bit machines.
   On a SUN Sparc station, MD4 runs at 1,450,000 bytes/second.  On a DEC
   MicroVax II, MD4 runs at approximately 70,000 bytes/second.  On a
   20MHz 80286, MD4 runs at approximately 32,000 bytes/second.  In
   addition, the MD4 algorithm does not require any large substitution
   tables; the algorithm can be coded quite compactly.

   The MD4 algorithm is being placed in the public domain for review and
   possible adoption as a standard.

Rivest                                                          [Page 1]
RFC 1186              MD4 Message Digest Algorithm          October 1990

   (Note: The document supersedes an earlier draft.  The algorithm
   described here is a slight modification of the one described in the
   draft.)

2.  Terminology and Notation

   In this note a "word" is a 32-bit quantity and a byte is an 8-bit
   quantity.  A sequence of bits can be interpreted in a natural manner
   as a sequence of bytes, where each consecutive group of 8 bits is
   interpreted as a byte with the high-order (most significant) bit of
   each byte listed first.  Similarly, a sequence of bytes can be
   interpreted as a sequence of 32-bit words, where each consecutive
   group of 4 bytes is interpreted as a word with the low-order (least
   significant) byte given first.

   Let x_i denote "x sub i".  If the subscript is an expression, we
   surround it in braces, as in x_{i+1}.  Similarly, we use ^ for
   superscripts (exponentiation), so that x^i denotes x to the i-th
   power.

   Let the symbol "+" denote addition of words (i.e., modulo- 2^32
   addition). Let X <<< s denote the 32-bit value obtained by circularly
   shifting (rotating) X left by s bit positions.  Let not(X) denote the
   bit-wise complement of X, and let X v Y denote the bit-wise OR of X
   and Y.  Let X xor Y denote the bit-wise XOR of X and Y, and let XY
   denote the bit-wise AND of X and Y.

3.  MD4 Algorithm Description

   We begin by supposing that we have a b-bit message as input, and that
   we wish to find its message digest.  Here b is an arbitrary
   nonnegative integer; b may be zero, it need not be a multiple of 8,
   and it may be arbitrarily large.  We imagine the bits of the message
   written down as follows:

                m_0 m_1 ... m_{b-1} .

   The following five steps are performed to compute the message digest
   of the message.

      Step 1. Append padding bits

         The message is "padded" (extended) so that its length (in bits)
         is congruent to 448, modulo 512.  That is, the message is
         extended so that it is just 64 bits shy of being a multiple of
         512 bits long.  Padding is always performed, even if the length
         of the message is already congruent to 448, modulo 512 (in
         which case 512 bits of padding are added).

Rivest                                                          [Page 2]
RFC 1186              MD4 Message Digest Algorithm          October 1990

         Padding is performed as follows: a single "1" bit is appended
         to the message, and then enough zero bits are appended so that
Show full document text