1995-12-12 - MD4 weaknesses (Was: Windows .PWL cracker implemented as a Word Basic virus)

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: cypherpunks@toad.com
Message Hash: eaa41b8ee079db20828e24b9b40ce586f18589cbbd6a5ad52bc351223cc9c358
Message ID: <199512110901.BAA14965@ix2.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1995-12-12 03:35:39 UTC
Raw Date: Tue, 12 Dec 1995 11:35:39 +0800

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Tue, 12 Dec 1995 11:35:39 +0800
To: cypherpunks@toad.com
Subject: MD4 weaknesses (Was: Windows .PWL cracker implemented as a Word Basic virus)
Message-ID: <199512110901.BAA14965@ix2.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 06:20 PM 12/10/95 -0500, daw@quito.CS.Berkeley.EDU (David A Wagner) wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>In article <95Dec10.175318edt.1732@cannon.ecf.toronto.edu>,
>SINCLAIR  DOUGLAS N <sinclai@ecf.toronto.edu> wrote:
>> My understanding was that MD4 had been broken once, at the cost of 
>> much computer time.
>Not *that* much computer time...
>In my copy of Hans Dobbertin's paper, the abstract says 
>
>``An implementation of our 
>attack allows to find collisions for MD4 in less than a minute on a PC.''
>
>As far as I know, the difficulty of inverting MD4 is still an open
>problem -- but why would you want to use a broken algorithm like MD4
>when you can use MD2, MD5, or SHA?

Do you have a reference to Dobbertin's paper?

Schneier's discussion of MD4 says that den Boer and Bosselaers cryptanalyzed
the last two of the three rounds of MD4 in 1991, Merkle did the first two,
and Biham discussed a differential attack on the first two, but nobody
had done the whole thing.  Does Dobbertin's attack take one of these
and use it to feed an otherwise-brute-force search?
#--
#				Thanks;  Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0663 Pager/Voicemail 1-408-787-1281
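The "three rounds" the message refers to are concrete passes over the message block in RFC 1320, each with its own boolean function, word order, shift schedule and additive constant. The following MD4 implementation is an added illustration, not code from the thread or from any of the papers it cites: it is written so that the three rounds are visible as separate table entries, and its hypothetical `rounds` parameter lets you compute the reduced-round variants (first two rounds only, for instance) that the cryptanalyses mentioned above targeted. Only `rounds=3` is real MD4; the reduced variants have no standard test vectors and exist here purely to show which part of the structure an attack on "two of the three rounds" covers. The full-round output is checked against the RFC 1320 test vectors.

```python
import struct

# Added example (not part of the original mailing-list message): compact MD4
# per RFC 1320 with the three rounds laid out as separate table entries.
# The 'rounds' parameter (an assumption of this example, not part of MD4)
# selects how many of the three rounds to run; 3 is standard MD4.

MASK = 0xFFFFFFFF


def _rol(x, s):
    """32-bit left rotation."""
    return ((x << s) | (x >> (32 - s))) & MASK


def _F(x, y, z):  # round 1: conditional select
    return (x & y) | (~x & z & MASK)


def _G(x, y, z):  # round 2: majority
    return (x & y) | (x & z) | (y & z)


def _H(x, y, z):  # round 3: parity
    return x ^ y ^ z


# (boolean function, message-word order, per-step shift amounts, additive constant)
ROUNDS = (
    (_F, list(range(16)), (3, 7, 11, 19), 0x00000000),
    (_G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (_H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
)


def _pad(data):
    """Merkle-Damgard padding: 0x80, zeros to 56 mod 64, 64-bit LE bit length."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    return data + struct.pack("<Q", bit_len)


def _compress(state, block, rounds):
    """Run 'rounds' of the 48-step compression function over one 64-byte block."""
    X = list(struct.unpack("<16I", block))
    a, b, c, d = state
    for func, order, shifts, k in ROUNDS[:rounds]:
        for i in range(16):
            a = _rol((a + func(b, c, d) + X[order[i]] + k) & MASK, shifts[i % 4])
            # Rotate the register roles so the next step updates what was d.
            a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data, rounds=3):
    """Hex digest of data. rounds must be 1..3; 3 is standard MD4."""
    if not 1 <= rounds <= 3:
        raise ValueError("rounds must be between 1 and 3")
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = _pad(bytes(data))
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64], rounds)
    return struct.pack("<4I", *state).hex()


if __name__ == "__main__":
    # RFC 1320 test vectors for the full three-round function.
    print("MD4('')    =", md4(b""))
    print("MD4('abc') =", md4(b"abc"))
    # Reduced-round variants, as targeted by the partial cryptanalyses.
    print("2-round('abc') =", md4(b"abc", rounds=2))
```

Running the script prints the RFC 1320 digests for the empty string and for "abc"; the two-round value is not a standard quantity and will differ from the full digest. The practical takeaway for a defender is the one David Wagner gives above: MD4 is a collision-broken design and should not be chosen for new work when MD5 or SHA is available (and today, SHA-2 or SHA-3 rather than either).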