Cryptography Reference
In-Depth Information
Algorithm 8.2
Round 1 of the MD4 hash function.
1.
A ←
(
A
+
f
(
B, C, D
)+
X
[0])
←
3
2.
D ←
(
D
+
f
(
A, B, C
)+
X
[1])
←
7
3.
C ←
(
C
+
f
(
D, A, B
)+
X
[2])
←
11
4.
B ←
(
B
+
f
(
C, D, A
)+
X
[3])
←
19
5.
A ←
(
A
+
f
(
B, C, D
)+
X
[4])
←
3
6.
D ←
(
D
+
f
(
A, B, C
)+
X
[5])
←
7
7.
C ←
(
C
+
f
(
D, A, B
)+
X
[6])
←
11
8.
B ←
(
B
+
f
(
C, D, A
)+
X
[7])
←
19
9.
A ←
(
A
+
f
(
B, C, D
)+
X
[8])
←
3
10.
D
←
(
D
+
f
(
A, B, C
)+
X
[9])
←
7
11.
C
←
(
C
+
f
(
D, A, B
)+
X
[10])
←
11
12.
B
←
(
B
+
f
(
C, D, A
)+
X
[11])
←
19
13.
A
←
(
A
+
f
(
B, C, D
)+
X
[12])
←
3
14.
D
7
15.
C ←
(
C
+
f
(
D, A, B
)+
X
[14])
←
11
16.
B ←
(
B
+
f
(
C, D, A
)+
X
[15])
←
19
←
(
D
+
f
(
A, B, C
)+
X
[13])
←
Let
m
=
m
0
m
1
...m
s−
1
be an
s
-bit message that is to be hashed with MD4.
In a first step, an array
M
=
M
[0]
M
[1]
...M
[
N
−
1]
is constructed, where each
M
[
i
] represents a 32-bit word and
N
≡
0mod16.
Consequently, the length of
M
equals a multiple of 32
·
16 = 512 bits. It is
constructed in two steps:
•
First, the message
m
is padded so that its bit length is congruent to 448 modulo
512. Therefore, a single one is appended, and then zero bits are appended so
that the bit length of the padded message becomes congruent to 448 modulo
512 (i.e., at least one bit and at most 512 bits must be appended). Note that
padding is always performed, even if the length of the message is already
congruent to 448 modulo 512. Also note that the padded message is 64 bits
short of being a multiple of 512 bits.
•
Second, a 64-bit binary representation of
s
(i.e., the length of the original
message before the padding bits were added) is appended to the result of the
first step. In the unlikely case that
s
is greater than 2
64
, then only the low-order
64 bits of
s
are used (i.e.,
s
is computed modulo 2
64
). In either case, the 64
bits fill up the last message block from 448 to 512 bits.
