Unkeyed cryptographic · broken
MD4
Designed by Ronald Rivest in 1990 (RFC 1320). MD4 is the structural ancestor of MD5, SHA-1, SHA-2, and RIPEMD: the prototype that established the “four-round, three-message-block operations per round” pattern those families inherited. Comprehensively broken since Dobbertin’s 1996 collision attack; still encountered in legacy NTLM and rsync.
At a glance
| Output | 128 bits (16 bytes, 32 hex chars) |
|---|---|
| Block size | 512 bits |
| Rounds | 48 (3 × 16) |
| Construction | Merkle-Damgård |
| Standard | RFC 1320 (1992); RFC 6150 (deprecation) |
| Status | Broken; do not use |
Where it still shows up
- NTLM: MD4 of the UTF-16 password is the NT hash. Still in use across legacy Windows authentication.
- rsync: default file-content rolling hash + checksum, in MD4 mode for backward compatibility.
- S/KEY one-time passwords (RFC 1760): iterated MD4.
- WebDAV ETag systems: some legacy servers.
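The parameters in the table above and the NTLM entry in this list, as an added example (not code from this page or from any project it mentions): a pure-Python MD4 following RFC 1320, useful for checking legacy values where the platform's crypto library no longer ships MD4. The `nt_hash` helper name is an assumption of this example; it encodes the password as UTF-16 little-endian with no byte-order mark, which is the encoding the NT hash uses.

```python
import struct

MASK = 0xFFFFFFFF

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _F(x, y, z): return (x & y) | (~x & z)            # round 1: select
def _G(x, y, z): return (x & y) | (x & z) | (y & z)   # round 2: majority
def _H(x, y, z): return x ^ y ^ z                     # round 3: parity

# Per round: Boolean function, additive constant, message-word order, shift amounts.
_ROUNDS = (
    (_F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
    (_G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (_H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)

def md4(message: bytes) -> bytes:
    # Merkle-Damgard padding: 0x80, zeros up to 56 mod 64, then the
    # message length in bits as a 64-bit little-endian integer.
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
    padded += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]  # chaining variables
    for off in range(0, len(padded), 64):                     # one 512-bit block at a time
        X = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in _ROUNDS:            # 3 rounds x 16 steps = 48
            for i, k in enumerate(order):
                t = (a + func(b, c, d) + X[k] + const) & MASK
                a, b, c, d = d, _rol(t, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)                         # 128-bit digest

def nt_hash(password: str) -> str:
    # No salt and no iteration: the same password always yields the same value.
    # "utf-16-le" matters; Python's plain "utf-16" codec prepends a BOM.
    return md4(password.encode("utf-16-le")).hex()

if __name__ == "__main__":
    print(md4(b"abc").hex())       # RFC 1320 test-suite input
    print(nt_hash("password"))     # constructed sample input
```
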
How it broke
Hans Dobbertin in 1996 demonstrated practical MD4 collisions (seconds on contemporary hardware) by finding a high-probability differential through the compression function. Wang et al. later produced collisions in microseconds. Modifying-an-existing-message attacks took only a few seconds even on 1990s hardware; MD4 was truly out of cryptographic service by the late 1990s.
Why it’s historically important
Almost every modern hash before SHA-3 traces its lineage to MD4: the four-round nonlinear Boolean function structure, the message-schedule idea, the chaining-variable concept. Studying MD4’s failure modes was foundational for differential cryptanalysis of hash functions, and the attacks shipped on it have direct analogues in the Wang-Yu attacks on MD5 and SHA-1.
References
- RFC 1320: The MD4 Message-Digest Algorithm
- RFC 6150: MD4 to Historic Status
- Dobbertin, “The status of MD5 after a recent attack,” CryptoBytes, 1996.
- MD5