The MD4 Message-Digest Algorithm
RFC 1320

Document Type RFC - Historic (April 1992; Errata)
Obsoleted by RFC 6150
Obsoletes RFC 1186
Author Ronald Rivest 
Last updated 2020-01-21
Stream Internent Engineering Task Force (IETF)
Formats plain text html pdf htmlized (tools) htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 1320 (Historic)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                          R. Rivest
Request for Comments: 1320           MIT Laboratory for Computer Science
Obsoletes: RFC 1186                          and RSA Data Security, Inc.
                                                              April 1992

                    The MD4 Message-Digest Algorithm

Status of thie Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard.  Distribution of this memo is


   We would like to thank Don Coppersmith, Burt Kaliski, Ralph Merkle,
   and Noam Nisan for numerous helpful comments and suggestions.

Table of Contents

   1. Executive Summary                                                1
   2. Terminology and Notation                                         2
   3. MD4 Algorithm Description                                        2
   4. Summary                                                          6
   References                                                          6
   APPENDIX A - Reference Implementation                               6
   Security Considerations                                            20
   Author's Address                                                   20

1. Executive Summary

   This document describes the MD4 message-digest algorithm [1]. The
   algorithm takes as input a message of arbitrary length and produces
   as output a 128-bit "fingerprint" or "message digest" of the input.
   It is conjectured that it is computationally infeasible to produce
   two messages having the same message digest, or to produce any
   message having a given prespecified target message digest. The MD4
   algorithm is intended for digital signature applications, where a
   large file must be "compressed" in a secure manner before being
   encrypted with a private (secret) key under a public-key cryptosystem
   such as RSA.

   The MD4 algorithm is designed to be quite fast on 32-bit machines. In
   addition, the MD4 algorithm does not require any large substitution
   tables; the algorithm can be coded quite compactly.

Rivest                                                          [Page 1]
RFC 1320              MD4 Message-Digest Algorithm            April 1992

   The MD4 algorithm is being placed in the public domain for review and
   possible adoption as a standard.

   This document replaces the October 1990 RFC 1186 [2].  The main
   difference is that the reference implementation of MD4 in the
   appendix is more portable.

   For OSI-based applications, MD4's object identifier is

     {iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 4}

   In the X.509 type AlgorithmIdentifier [3], the parameters for MD4
   should have type NULL.

2. Terminology and Notation

   In this document a "word" is a 32-bit quantity and a "byte" is an
   eight-bit quantity. A sequence of bits can be interpreted in a
   natural manner as a sequence of bytes, where each consecutive group
   of eight bits is interpreted as a byte with the high-order (most
   significant) bit of each byte listed first. Similarly, a sequence of
   bytes can be interpreted as a sequence of 32-bit words, where each
   consecutive group of four bytes is interpreted as a word with the
   low-order (least significant) byte given first.

   Let x_i denote "x sub i". If the subscript is an expression, we
   surround it in braces, as in x_{i+1}. Similarly, we use ^ for
   superscripts (exponentiation), so that x^i denotes x to the i-th

   Let the symbol "+" denote addition of words (i.e., modulo-2^32
   addition). Let X <<< s denote the 32-bit value obtained by circularly
   shifting (rotating) X left by s bit positions. Let not(X) denote the
   bit-wise complement of X, and let X v Y denote the bit-wise OR of X
   and Y. Let X xor Y denote the bit-wise XOR of X and Y, and let XY
   denote the bit-wise AND of X and Y.

3. MD4 Algorithm Description

   We begin by supposing that we have a b-bit message as input, and that
   we wish to find its message digest. Here b is an arbitrary
   nonnegative integer; b may be zero, it need not be a multiple of
   eight, and it may be arbitrarily large. We imagine the bits of the
   message written down as follows:

                 m_0 m_1 ... m_{b-1}

Rivest                                                          [Page 2]
RFC 1320              MD4 Message-Digest Algorithm            April 1992

   The following five steps are performed to compute the message digest
   of the message.

3.1 Step 1. Append Padding Bits

   The message is "padded" (extended) so that its length (in bits) is
   congruent to 448, modulo 512. That is, the message is extended so
   that it is just 64 bits shy of being a multiple of 512 bits long.
   Padding is always performed, even if the length of the message is
   already congruent to 448, modulo 512.

   Padding is performed as follows: a single "1" bit is appended to the
Show full document text