Discuss MD5 algorithm in brief?

MD5 was designed by Ronald Rivest (the R in RSA) as the latest in his series of message-digest algorithms (MD2, MD4, MD5). It produces a 128-bit hash value and until recently was the most widely used hash algorithm. It is specified as Internet standard RFC 1321. In recent times there have been both brute-force and cryptanalytic concerns about it.

MD5 Overview:

  1. pad message so its length in bits is 448 mod 512 (a single 1 bit followed by 0 bits)
  2. append a 64-bit length value (the original message length in bits) to the message
  3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
  4. process message in 16-word (512-bit) blocks:
    • using 4 rounds of 16 steps each on message block & buffer
    • add output to buffer input to form new buffer value
  5. output hash value is the final buffer value

Fig. Message Digest Generation using MD5

MD5 Compression Function:

  1. Each round has 16 steps of the form: a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
  2. a,b,c,d refer to the 4 words of the buffer, but used in varying permutations
    • note this updates 1 word only of the buffer
    • after 16 steps each word is updated 4 times
  3. where g(b,c,d) is a different nonlinear function in each round (F,G,H,I)
  4. X[k] is the k-th 32-bit word of the current message block, selected in a different order in each round, and s is a per-step left-rotation amount
  5. T[i] is a constant value derived from sin: T[i] = floor(2^32 * |sin(i)|), for i = 1..64 (i in radians)
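The overview steps and the compression function above fit in a short from-scratch implementation. The following is an added example (not code from the original page): a pure-Python MD5 that follows the five steps (padding, length append, 4-word buffer, 64-step compression per 512-bit block, final buffer as the digest), using the constants from RFC 1321, and cross-checks its output against the standard library. The helper names (md5, matches_stdlib, avalanche) are this example's own, not names from the page.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Per-step left-rotation amounts s (RFC 1321): four per round, each repeated four times.
S = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
     + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)

# T[i] = floor(2^32 * |sin(i + 1)|) for i = 0..63 (RFC 1321 numbers the steps 1..64).
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]

# Initial 4-word (128-bit) MD buffer (A, B, C, D) as 32-bit little-endian words.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, s):
    """Rotate a 32-bit word left by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def _pad(msg):
    """Steps 1-2: pad to 448 mod 512 bits, then append the 64-bit bit length (little-endian)."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80"                                   # a single 1 bit, then zero bits
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)     # 56-byte message still gets a whole extra block
    return msg + struct.pack("<Q", bit_len)


def _compress(state, block):
    """Step 4: 4 rounds of 16 steps over one 512-bit block, then add the result into the buffer."""
    X = struct.unpack("<16I", block)                 # 16 little-endian 32-bit words
    a, b, c, d = state
    for i in range(64):
        if i < 16:                                   # round 1: F(b,c,d) = (b & c) | (~b & d)
            g, k = (b & c) | (~b & d), i
        elif i < 32:                                 # round 2: G(b,c,d) = (b & d) | (c & ~d)
            g, k = (b & d) | (c & ~d), (5 * i + 1) % 16
        elif i < 48:                                 # round 3: H(b,c,d) = b ^ c ^ d
            g, k = b ^ c ^ d, (3 * i + 5) % 16
        else:                                        # round 4: I(b,c,d) = c ^ (b | ~d)
            g, k = c ^ (b | ~d), (7 * i) % 16
        g &= MASK32
        # The step from the page: a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
        new_b = (b + _rotl((a + g + X[k] + T[i]) & MASK32, S[i])) & MASK32
        a, b, c, d = d, new_b, b, c                  # rotate roles: one buffer word updated per step
    # Add the output to the buffer input to form the new buffer value.
    return tuple((s0 + s1) & MASK32 for s0, s1 in zip(state, (a, b, c, d)))


def md5(msg: bytes) -> str:
    """Return the MD5 digest of msg as a 32-character hex string (step 5: the final buffer)."""
    state = IV
    data = _pad(msg)
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64])
    return struct.pack("<4I", *state).hex()


def matches_stdlib(msg: bytes) -> bool:
    """Cross-check this implementation against the standard library's MD5."""
    return md5(msg) == hashlib.md5(msg).hexdigest()


def avalanche(msg: bytes, bit: int) -> int:
    """Flip one message bit and return how many of the 128 digest bits change."""
    flipped = bytearray(msg)
    flipped[bit // 8] ^= 1 << (bit % 8)
    diff = int(md5(msg), 16) ^ int(md5(bytes(flipped)), 16)
    return bin(diff).count("1")


if __name__ == "__main__":
    # Constructed sample inputs, including the 56- and 64-byte padding edge cases.
    for m in (b"", b"abc", b"a" * 56, b"a" * 64,
              b"The quick brown fox jumps over the lazy dog"):
        print(md5(m), matches_stdlib(m), m[:20])
    print("digest bits changed by flipping bit 0 of 'abc':", avalanche(b"abc", 0))
```

The 56-byte and 64-byte inputs are worth running: after the 0x80 byte there is no room left for the 64-bit length, so the padding spills into a second block, which is where hand-written implementations most often go wrong. The avalanche helper shows the "dependent on all message bits" property concretely: a single flipped input bit changes roughly half of the digest bits.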


MD4:

MD4, the precursor to MD5, also produces a 128-bit hash of the message. It has 3 rounds of 16 steps vs 4 in MD5.

  1. design goals:
    • collision resistant (hard to find collisions)
    • direct security (no dependence on “hard” problems)
    • fast, simple, compact
    • favours little-endian systems (e.g. PCs)

Strength of MD5:

  1. MD5 hash is dependent on all message bits
  2. Rivest claims its security is as good as can be for a 128-bit digest
  3. known attacks are:
    • Berson 92 attacked any 1 round using differential cryptanalysis (but could not extend it to the full hash)
    • Boer & Bosselaers 93 found a pseudo-collision (again unable to extend)
    • Dobbertin 96 created collisions on the MD5 compression function (but the fixed initial constants prevent exploitation)
  4. the conclusion at the time was that MD5 looked vulnerable soon; practical collisions for full MD5 have since been published (Wang et al., 2004), so MD5 must not be relied on for collision resistance (e.g. in digital signatures or certificates)
