An Efficient Message Digest Algorithm (MD)
For Data Security
Abdul Hamid M. Ragab, Nabil A. Ismail, Senior Member ZEEE, and Osama S. Farag Allah
Abstract--This paper presents a new proposed
message digest algorithm 0) .
Many of its characteristics
(applications domain, performance and implementation
structure) are similar to those of MDCfamily of hash
functions. The proposed algorithm takes as input a message
of arbitrary length and produces as output a 128/160-bit
fugerprint or message digest. New features of the proposed
algorithm include the heavy use of data-dependent rotations,
and the inclusion of integer multiplication as an additional
primitive operation. These proposed features are expected to
provide high security level with enhancement in throughput.
The proposed algorithm is intended for digital signature
applications, where a large fde must be compressed in a
secure manner before being signed (encrypted) with a private
secret key under a public-key cryptosystem. The proposed
algorithm is designed to be quite fast on 32-bit machines. In
addition, it does not require any large substitution tables, so
that the algorithm can be coded quite compactly. We describe
the general characteristics, architecture and implementation,
and give a complete specifcation for MD-160/128. Several
test vectors are used for inspecting the validity of the
proposed algorithm. Also, we compare the software
performance of several MDCbased algorithms, which is of
independent interest. Simulation results show that the
throughput of the proposed MD-128 is about 76.4 Mbitlsec
while in RIPEMD-128 is about 69.8 Mbitlsec.
Index Terms-Cryptographic Hash Functions, Cryptanalysis,
Software Performance.
I. INTRODUCTION
C RYPTOGWHIC hash functions are an important
tool in cryptography for applications such as digital
fingerprinting of messages, message authentication, and
key derivation. Hash functions can map bitstrings of
arbitrary finite length into strings of fvred length. A hash
value is generated by a b c t i o n H of the form h = H(M)
where M is a variable-length message and H(M) is the
fured-length hash value. The purpose of a hash function is
to produce a fingerprint of a file, message, or other block of
data. To be useful for message authentication, a hash
function must satisfy the following properties:
1- H can be applied to a block of data of any size.
2- H produces a fixed-length output.
This work was supposed by Department of Computer Sci. & Eng.in
Faculty of Electronic Engineering, Menouf-32952, Egypt.
Abdul Hamid M. Ragab is the head of Computer Sci. & Eng. Department,
Faculty of Electronic Engineering, Menouf-32952, Egypt, (e-mail:
ah m -r
ag awhot").
Nabil A. I d is with the Department of Computer Sci. & Eng., Faculty
of Electronic Engineering, Menouf-32952, Egypt, (e-mail: nabil_is@
hotmail.com).
Osama S. Farag AUah is with the Department of Computer Sci. & Eng.,
Faculty of Electronic Engineering Menouf-32952, Egypt, (e-mail:
osami-salah_faragallah@ hotmail.com).
IEEE Catalogue No. 01CH37239
0-7803-7IOI-I/OI/$IO.OO 0 2001 IEEE.
3- H(x) is relatively easy to compute for any given input x.
4- One-way: for any given code h, it is computationally
infeasible to find x such that H(x) = h.
5- Weak collision resistance: for any given block x, it is
computationally infeasible to find y f xwithH(y)=
H(x).
6- Strong collision resistance: it is computationally
infeasible to find any pair (x,y) such that H(y) = H(x).
The strength of a hash function against brute-force attacks
[l] depends only solely on the length of hash code produced
by the algorithm. Table I Summarizes the level of effort
required producing a birthday or square root attack (which
is referred to strength of hash code) for merent types of
hash functions, assuming m-bit result.
TABLEI. COMPARISONOF HASH-CODE STRENGTHBETWEEN DFFERENT
TYPES OF HASH FUNCTIONS
[ Type of hash function 1 Strength of hash function I
One-way 2"
I Strong collision resistance I 2mn
Almost all hash functions are iterative processes, which
hash inputs of arbitrary length by processing successive
fixed-size blocks of the input. The input Xis padded to a
multiple of the block length and subsequently divided into t
blocks x1 through x,. The overall structure of a typical
secure hash function is indicated in Fig. 1.
The hash function h can then be described as follows:
& = initial n-bit value
Hi = @&-,,Xi),1s i 5 t, h(X) = Ht
The first constructions for hash functions were based on
block ciphers (such as DES) [l]. Although some trust has
been built up in the security of these proposals, their
software performance is not very good, since they axe
typically from 2 to 4 times slower than the corresponding
block cipher.
The most popular hash functions, which are currently
used in a wide variety of applications, are the custom
designed hash functions from the --family. MD4 was
proposed by R Rivest [4,5]. It is a very fast hash function
tuned towards 32-bit processors. Because of unexpected
vulnerabilities identified in [6,7] (namely collisions for two
rounds out of three), a strengthenedversionofMD4was
designed which is called MD5 [8,9].
MD5 is slightly slower than MD4, but it is more
conservative in design. It was being implemented fast into
products. MD5 is probably the most widely used hash
function, in spite of the fact that the compression function
of MD5 is not collision resistant [lo].
This does not pose a threat for standard applicationsof
MD5, but still implies a violation of one of
191

I-&-1
Fig. 1. General structure of secure hash function
the design principles. A second alternative for MD5 is the
Secure Hash Algorithm (SHA-l), which was designed by
NSA and published by MST [ll]. The two main
improvements are the increased size of the result (160 bits
compared to 128 bits for the other schemes), and the fact
that the message words in the different rounds are not
permuted but computed as the sum of previousmessage
words. This has main consequence that it is much harder to
make local changes confined to a few bits. The first version
of SHA had a weaker form of this property (no mixing was
done between bits at different positions in a word), and
apparently this can be exploited to produce collisions faster
than 2'' operations. However, no details have been made
available. This weakness was removed in the improved
version [ll].
Another proposal was RIPEMD, which was developed
in the framework of the EU project RIPE (Race Integrity
Primitives Evaluation). The RIPE consortium had a goal to
propose a portfolio of recommended integrity primitives
[12,22] based on its independent evaluation of MD4 and
MD5 [6,10]. It proposed a strengthened version of MD4,
which was called RIPEMD. RIPEMD consists of essentially
two parallel versions of MD4, With some improvements to
the shifts and the order of the message words; thetwo
parallel instances differ only in the round constants. At the
end of the compression function, the words of left and right
halves are added.
11. COMPARATIVEDESCRIP~ON
OF THE MD4-FAIVIILY
The six members of the --family are iterative hash
functions operating on 32-bit words. The different
compression functions take as input a 4 or 5-word chaining
variable and a 64-byte message block, and map this to a
new chaining variable. All operations are defined on 32-bit
words. First, the 64-byte message block is converted to a
block of 16 words. Next and depending on the algorithm, 3
to 5, possibly parallel, rounds are applied. Each of these
rounds consists of 16 individual steps, except for SHA-1,
where rounds of 20 steps are used. Finally,theprevious
value of the chaining variable is added to the newly
obtained value by means of a feed-forward. Every round
uses a particular non-linear function, and every step
modifies one word of the chaining variable and possibly
rotates another. Table 11gives definitions of a step function
for the MD4-family. All additions are modulo 232,and <e<
s indicates a rotation over s bits to the left. A, B, C, D, E
are chaining variable words, K and s are constants, and f0
is a non-linear function of three variables. Xi, is a message
word or, in case of SHA-1 and from step 17 onwards, an
EXOR combination of message words.
H =chaining variable
xi = ith input block
f = compressionfunction
t = number of input blocks
n = length of hash wle
b = length of input block
Algorithm step function
MD4 A = ( A + f(B,C.D) + xi+ k ) <<< s
MD5 A = B + (A+ f(B,C,D) +xi + k ) e<< s
FrOm Step 17 :X i = (Xi + Xitz + Xi+8 + Xiti3) <<< 1
A = A + B"'5 + @,C,D) + + k, C = C<<< 30
RIPEMD A = (A + f(B,C,D) f + k ) <e<s
RIPEMD-128 A = ( A + f(B,C,D) + x j + k ) s
RJPEMD-160 A = E+(A + f(B,C,D) + xi + k ) <<< S, C = C <<< 10
Each step in a round uses a different message word Xi, and
in each round the order in which they are used is different.
SHA-1 differs in this respect from the other hash functions
in that starting from step 17. A linear recursion is applied
to the array of 16 message words: every element of the
array is computed as the EXOR of four other elements. The
additive constants K are different per round, except for
MD5, where each step has a different K. The rotation
constants are different per round and per chaining variable
for MD4 and MD5, fured for SHA-1, and are different per
round and per message word for the RIPEMD. The Boolean
functions f0 as shown in Table 111are different for each
round, but are chosen from a limited set of four.
TABLEm.BOOLEAN
FUNCI?ONSOF THE MD~-FAMILY OF HASHFUNCTIONS
III. MOTIVATION FOR MD
The main contribution of MD4 is that it is the first
cryptographic hash function that made optimal use of the
structure of current 32-bit processors. However, introducing
a new structure in cryptographic algorithms also involves
the risk of unexpected weaknesses. It becomes clearly that
existing techniques such as differential or linear
cryptanalysis were not applicable, and that any successll
cryptanalysis would require the development of new
techniques. The attacks on two (out of three) roundsof
MD4 [6] and on the compression function of MD5 [lo]
were the first indications that some structural properties of
the algorithms can be exploited, but did not seem a serious
threat to the overall algorithm. More recently, the attack on
MD4 was improved yielding two hash-results that differ
only in a few bits as reported in [13]. This was a clear
illustration that MD4 did not behave as one could expect
from a random function [14,15].
RIPEMD has Collisions for the last two out of three
(and later for the first two) rounds. While this is not an
immediate threat to RIPEMD with three rounds, the attack
192
L14
was quite surprising. Moreover, it introduced a new
technique to cryptanalyze this type of functions. These
techniques can be extended to produce collisions for MD4
[7], and for the compression function of the extended
version of MD4 [4]. The attack on MD4 requires only a
few seconds on a PC, and still leaves some freedom to the
message; it clearly d e s out the use of MD4 as a collision
resistant function.
It is expected that these techniques can be used to
produce collisions for MD5 and perhaps also for RIPEMD.
This will probably require an additional effort. An
independent reason to produce a new architecture of MD is
the limited resistance against a brute-force collision search
attack. Taking into account the fact that the cost of
computation and memory is divided by four everythree
years (this observation is known as Moore's law), one can
conclude that a 128-bit hash-result does not offer sufficient
protection for the next ten years. The current situation
brings us to the conclusion that it would be prudentto
upgrade current implementations, and to consider a more
secure scheme for standardization. SHA-1 has alreadya
160-bit result, and because of some of its properties it is
quite likely that SHA-1 is not vulnerable to the known
attacks. However, its design criteria and the attack on the
first version are secret.
IV. DESIGN PRINCIPLES AND
IMPLEMENTATION ISSUES OF MD
The main design principle of MD is to overcome the
problems raised ip the above section, to maximize on
confidence previously gained with RIPEMD and its
predecessors h4D4 and MD5. Also, it was decided to aim
for a rather conservative design, which offers a high
security level, rather than to push the limits of performance
with the risk of a redesign a few years from now. The two
main improvements are the heavy use of data-dependent
rotations and the inclusion of integer multiplication as an
additional primitive operation [17,181.
The basic design of MD was to have two parallel
iterations that are completely different. The operation for
MD-160 on the A register is related to that of MD4 (but
five words are involved). The amount of rotation is
determined by a quadratic function Kx) = x(2x + l)(mod
2 9 , here it is computed as a function of the E register.
Also, the rotate of the C register has been added to avoid
the MD5 attack, which focuses on the most significant bit
[lo]. The step operation for MD-128 is identical to that of
MD-160, but the amount of rotation is determined as a
function of D register.
The number of rounds is four (three for MD-128), and
that the two parallel rounds are made more different. From
the attack on RIPEMD we conclude that having only
different additive constants in the two lines is not sufficient.
The order of the message blocks in the two iterations is
completely Merent. In addition, the order of the Boolean
functions is reversed.
The philosophy of MD is to exploit operations such as
rotations that are efficiently implemented on modem
processors. Also, takes advantage of the fact that 32-bit
integer multiplication is now efficiently implemented on
most processors. Integer multiplication is a very effective
diffusion primitive, and is used in MD to compute rotation
amounts, so that the rotation amounts are dependent on all
of the bits of another register. As a result the proposed MD
has much faster diffusion. This allows MD to run with
fewer rounds at increased security and with increased
throughput.
The permutation of the message words of MD (likewise
RIPMED) was designed such that two words that are 'close'
in round 1-2 are far apart in round 2-3 (andvice versa).
The permutation p was chosen such that two message
words, which are close in the left half, will always be at
least seven positions apart in the right haK For Boolean
functions, it was decided to eliminate the majority function
because of its symmetry properties and a performance
disadvantage. The Boolean functions are now the same as
those used in MD5. As mentioned above, the Boolean
functions in the left and right half are used in a different
order.
Our security goals are that the data-dependent rotation
amount that will be derived from the output of
transformation function fix) should depend on all bits of
the input word and that the transformation should provide
good mixing within the word. The particular choice of this
transformation for MD is the quadratic function f(x). This
transformation appears to meet our security goals while
taking advantage of simple primitives that are efficiently
implemented on most modem processors. qx) is one-to-one
modulo 2w, and that the high-order bits of f(x), which
determine the rotation amount used, depend heavily on all
the bits of x. The quadratic function is aimed at providing
a faster rate of diffusion thereby playing a simple yet
important role in complicatingboth linear and differential
cryptanalysis. The quadratically transformed values of x is
increasing the nonlinearly of the scheme while not losing
any entropy [23].
V. DESCRIPTION OF THE PROPOSED MD-128/160
MD-128/160 is a hash function based on MD4, taking
into account knowledge gained in the analysis ofMD4,
MD5, RIPEMD, and RIPEMD-128/160. The MD-128/160
compression function differs from MD4 in the number of
words of chaining variable, the number of rounds, the
round functions themselves, the order in which the input
words are accessed, and the amounts by which results are
rotated. The left and right computation lines differ from
each other in these last two items, in their additive
constants, and in the order in which the round functions are
applied. This design is intended to improve resistance
against known attack strategies.
A. MD-128/160 Primitive Operations
The proposed algorithm uses primitive operations as
shown in Table IV.
TABLE N.NOTATION
FORMD-128/160
Notation
Two's c lement addition of words
Bit-wise exclusive-OR of words,
A B The clic mtation of word A left B bits
Ink. er multi lication modulo 2"
1's complement of word A
AAB Bit-wise AND of words
AvB Bit-wise OR of words
193
214

B. MD-160
The overall MD-160 compression function maps 21-
word inputs (5-word chaining variable plus 16-word
message block, with 32-bit words) to 5-word outputs. Each
input block is processed in parallel by distinct versions (the
left line and right line) of the compression function. The
160-bit outputs of the separate lines are combined to give a
single 160-bit output. Fig. 2 shows an elementary operation
Xi
of h4D-160 as the following. An outline of the compression
function is given in Fig. 3.

A B C xd?
I I \ I I

%?

%?

hikbbhs

L
A
I
B
I
C D
I
E I
I
Fig. 3. Outline ofthe compresskmfunction ofMD-160

Fig. 2. Elementary MD-160operation (single step)
C. Algorithm MD-160 Hash Function
INPUT:bitstring x of bitlength b 1 0.
OUTPUT: 160-bit hash-code of x.
1. Notation. Primitive operations are shown in Table IV.
Round functions are defined in Table VI, and order by
which round functions are applied is given in Table
VII.
2. Constants. Define five 32-bit initial chaining values:
hi = 0x67452301, h2 = OxEFCDAB89, h3 =
Ox98BADCFE, h4 = 0x10325476, hS= OxC3D2ElFO. In
addition:
(a) Define four new additive constants for the left line
(sequare roots of 0,2,3,5): K L ~=] 00000000, (0 5 j
5 15); KLb] = 5A82799, (16 1 j 131); K L ~ = ] words: xarl ...xl6m-I.
6ED9EBA1, (32 5 j 547); KLG]= 8FlBBCDC,
(48 5 j 5 63).
(b) Define four new additive constants for the right line
(cube roots of 0,2,3,5): = 50A28BE6, (0 5 j
. 515); KRG] = 5C4DD124, (16 5 j 531);KRb]=
6D703EF3, (32 5j 547); KRb]= 00000000, (48 5 j
563). These constants for both leftandright line
appear in Table VIII.
(c) Ordering of the message words. Take the
permutation p as shown in Table V.
Further define the permutation v by setting v(i) = 9i+5
(mod 16). Table IX gives access order for source words.
Table X specifies the selection of message words in the left
and right lines.
(d) Amount for rotate left (rol) is determinedby the
quadratic function f(x)=x(2x+l)(mod 2”). This tends
to E*(2*E+1) since f(x) is a function of E register.
(e) Compression function (Step function):
A = (A+f(B,C,D)+X+K ) <<< E*(2*E + l), C <<< 10.
3. Preprocessing. Pad x such that its bitlength is a multiple
of 512-bit, as follows. Append a single 1-bit, then
append r - 1 0) 0-bits for the smallest r resulting in a
bitlength 64 less than a multiple of 5 12. Finally append
the 64-bit representation of b mod 2@, astwo32-bit
words with least significant word first. (Regarding
converting between streams of bytes and 32-bit words,
the convention is little-endian). Let m be the number of
512-bit blocks in the resulting string (b + r + 64 = 512m
= 32*16m). The formatted input consists of 16m 32-bit
4. Processing. For each i from 0 to m - 1, copy the ithblock
of sixteen 32-bit words into temporary storage: Xu]=
xi6iCj,0 5 j 5 15. Then:
(a) Execute four 16-step rounds of the left line as
follows:
(AL,BL,CL,DL, EL)= (hi, h2, h3, h4, h5)-
(Left Round 1) For j from 0 to 15 do the following:
T = (AL+~~(BL, ] &U]) <<< E*(2*E+1),
CL, DL)+X [ S L ~ ] +
(AL,BL,CL,DL,EL)= (EL,T, BL, CL<<<~O, DL).
(Left Round 2) For j from 16 to 3 1 do the following:
T = (AL+Q(BL, CL,DL)+X [SL~]]+ &E]) <<< E*(2*E+1),
(AL,BL, CL,DL,EL)= (EL,T, BL,CL<<<~O, DL).
@.,eft Round 3) For j from 32 to 47 do the following:
T = (AL+B(BL,CL, DLPX [ S ~ f i ] ]+ K ~ f i ] )<<< E*(2*E+1),

194
L14

(AL,BL,CL,DL,EL)= (EL,T, BL, CL<<<~O, DL).
(Left Round 4) For j from 48 to 63 do the following:
T = (AL+~~(BL, CL,D&X [SLG]]+ ku]) <<< E*(2*E+1),
(AL,BL,CL,DL,EL)= (EL,TyBL, CL<<<~O, DL).
(b) Execute in parallel with the above four rounds an
analogous right line with (Ab BR,CR,DR,ER),
&ti], K R ~ ] replacing the corresponding
quantities with subscript L, and the order of the
round functions reversed so that their order is:
f4, f3, f2, and fl. Start by initializing the right
line working VariableS:(AR, BR, Cb &ER)=
(hl, hz, h3, h4, h5).
(c) After executing both the left and right lines above,
update the chaining values as follows: T = h2 +
CL + DR, h2 = ~ ~ + D L + E R , ~ ~ = ~ + E L + A ~
h4= h5 + AL + BR, h5= hi + BL + C b hi = T.
5. Completion. The final hash-value is the concatenation:
( h i 11 h2 11 h3 11 h4 11 h5) (with first and last bytes the low-
and high-order bytes of H1, H5, respectively).

i 0 1 1 2 1 3 4 1 5 1 6 7 8 1 9 10 11112 13 14 15
P(i) 7 1 4 1 3 1 1 1016115 3 1210 9 5 1 2 14 11 8

TABLEW.MD-128/160 ROUND FUNCTION DEFINITIONS. W. OPTIONAL EXTENSIONS

TO 256 AND 320 BIT
Some applications of hash functions require alonger
hash-result, without needing a larger security level. A
straightforward way to achieve this would be tousetwo
parallel instances of the same hash function with different
TABLEw. ORDER BY WHICH BOOLEAN FUNCTIONSARE APPLLED initial values; however, this might result in unwanted
Line I Round1 I Round2 I Round3 I Round4 dependencies between the two chains. Therefore it is
Left I f l l f 2 I f 3 I f4 advisable to have a stronger interaction between the two
instances. In [13] an extension of MD4 was proposed which
yields a 256-bit hash-result by running two parallel
Line Round1 Round2 Round3 Round 4 instances of MD4 which differ only in the initial values and
Left 00000000 5A82799 6ED9EBA1 8FlBBCDC in the constants in the second and third round. After every
Right 50A28BE6 5C4DD124 6D703EF3 00000000
application of the compression function, the value of the
register A is interchanged between the two chains. MD-
Line Round1 Round2 Round3 Round4 128 and MD-160 have already two parallel lines, hence a
Left Id P pz P double length extension can be constructed without the
Right V Pv PZV P" need for two parallel instances: it is sufficient to omit the
combination of the two lines at the end of every application
Variable Value of the compression function. We propose to introduce
S~(0..15) J interaction between the lines by swapping after round 1 the
S~(16..31) 7,4,13,1,10,6, 15,3, 12,0,9,5,2,14, 11,8 ,

S~(32.47) 3, 10,14,4,9,15,8, 1 , 2 , 7 , 0 , 6 , 13, 11,5, 12

contents of registers A and A', after round 2 the contents of
S~(48..63) 1,9, 11, 10,0,8, 12,4,13,3,7, 15, 14,5,6,2 registers B and B'.
S~(0..15) 5,14,7, 0,9,2, 11,4, 13,6, 15,8, 1,10,3,12
S~(16..31) 6, 11,3,7,0,13,5,10,14, 15,8, 12,4,9, 1 , 2 VI. &'PLICATIONS OF THE PROPOSED MD-128/160
S~(32..47) 15,5, 1,3,7, 14,6,9, 11,8, 12,2, 10,0,4, 13
S~(48..63) 8 , 6 , 4 , 1 , 3 , 11, 15,0,5, 12,2, 13,9,7,10,14 Collision resistant hash functions were first used in the
context of practical digital signature schemes: in order to
D. 5.4MD-I28 improve the efficiency and the security of these schemes,
The main difference with MD-160 is that we keep a messages are hashed, and the slow digital signature is only
hash-result and chaining variable of 128-bits (four 32-bit applied to the short hash-result. Other applications include
words); only three rounds are used. the protection of passwords, the construction of message
authentication codes or MACS, and the derivation of key
1. Operation in one step. variants. MD may be used with (DSA) digital signature
A=(A +f@,C,D) + X + K) <<< D*(2*D + l), C -=<< 10. algorithm in electronic funds transfer, software distribution,
2. Boolean functions. Applied as shown in Table XI. data storage, and other applications, which require data
integrity assurance and data origin authentication.
Line Round1 Round2 Round3
WI.PERFORMANCE EVALUATION
OF MD- 1281160 AND
Left fl fz t3
fl MD4-BASED HASH FUNCTIONS
Right fz fl
Comparative analysis among the proposed MD-
3. Constants: Take the following hexadecimal valuesas 160/128, RIPEMD-160, RIPEMD-128, RIPEMD, SHA-1,
shown in Table XI. MD5, and MD4 is performed to provide some
measurements on the performance. Implementations were
Line Round1 Round 2 Round 3 written in Borland C++ Development Suite 5.0.
Left 0 5A82799 6ED9EBAl Performance was measured on a 333 MI& Pentium I1 with
Right 50A28BE6 5C4DD124 0
32 Mbytes of RAM running Windows 95/98. Note that the

195
214

numbers are for realistic inputs, i.e., 256 Megabyte of data
are hashed using an 8 K buf€er. In addition, to improve the
accuracy of our measurements, the throughput tests were
executed 10 times, and we report the average of the
throughput thereby obtained. Table XIII summarizes the
comparative analysis between the proposed message digest
algorithm (MD-128/160) and 6 hash algorithms considered
for different design parameters such as digest length,
number of steps, maximum message size. From Table XIII,
we can note that MD-128/160 has the following new
features:
1- The number of used primitive operations are seven
(7), while other MD4-hash function uses less
number of primitive operations (6).
2- Use of 32-bit integer multiplication that is now
efficiently implemented on most processors.
Integer multiplication is a very effective &ion
primitive. As a result the proposedMD-128/160
has much faster diffusion. This allows the proposed
MD-128/160 to run with fewer rounds at increased
security and with increased throughput.
3- The heavy use of data-dependent rotations.
4- The quadratic function is aimed at providing a
faster rate of diffusion thereby complicating both
linear and differential cryptanalysis.
The proposed MD-128/160 makes utilization from the new
features that contribute to provide high security level with
increased throughput.
Also, Table XJY Summarizes the performance comparison
of proposed MD-128/160 and several MD4-based hash
functions at fixed 256 Megabytes of data. The relative
throughputs coincide more or less with predictions based
on a simple count of the number of operations. MD-160
has an increment in throughput by % 0.54 than RIPMED-
160, and about yo15 slower than SHA-l.Also,MD-128
has an increment in throughput by %9.46 than RIPMED-
128, about %14 slower than RIPEMD, and nearly two
times slower than MD4.

TABLEm.
COMPARISONBETWEENDIFFERENT HASHINGALGORITHMS

TABLE m. P€3WORMANcE OF PROPOSEDMD-128/160 AND SEVERAL

m - B A S W HASH FUNCTIONSAT FIXED 256 MEGABYTES OF DATA

196
214

REFERENCES
[l] R. Merkle, "One Way Hash Functions and DES," Advances in
Cry~tol~gy, Roc. Crypto"89, LNCS 435, G. BrassaKi, Ed.,Springer-
Verlag, 1990, pp. 4 2 8 4 6 .
[2] B. Preneel, R Govaerls, J. Vandewde, "Hash Functions Based on
Block Ciphers: A Synthetic Approach," Advances in Cryptology, Roc.
Crypto'93, LNCS 77S, D. StinSon, Ed., SPringer-Verlag, 1994, pp. 368-
378.
[3] C.H. Meyer, M. Schilling, "Secure program load WithManipUlation
DetectionCode,"Roc.Securicom 1988,pp. 111-130.
[4] RL. Rivest, "The MD4 Message Digest Algorithm," Advances in
Cryptology, Roc. Crypto'90, LNCS 537, S. Vanstone, Ed, Spriager-
Verlag, 1991,pp. 303-311.
[5] RL. Rivest, "The MD4 Message-Digest Algorithm," Request for
Comments (RFC) 1320, Internet Activities Board, Internet Privacy Task
Force, April 1992.
[6] B. den Boer, A. Bosselaers, "An Attack on the Last Two Rounds of
MD4," Advances in Cryptology, proc. Crypto'91, LNCS 876, J.
Feigenbaum, Ed, Spriager-Verlag, 1992, pp. 194-203.
[7] H. Dobbertin, "Cryptanalysis of MD4," Fast Software Encryption,
LNCS 1039, D. Gollmann, Ed., Springer- Verlag, 1996.
[8] RL. Rivest, "The MD5 Message-Digest Algorithm," Request far
Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task
Force, Apnll992.
[9] J. Touch, "Report on MD5 Performance," Request for Comments (RFC)
1810, Internet Activities Board, Internet Privacy Task Force, June
1995.
[lo] B. den Boer, A. Bosselaers, "Collisions for The Compression Function
of MD5," Advances in Cryptology, proc. Encrypt 93, LNCS 765, T.
Helleseth, Ed, Springer-Verlag, 1994,pp. 293-304.
[ll] FIPS 180-1, Secure Hash Standard, NIST, US Department of
Commerce, Washington D.C., A@ 1995.
[U] RIPE, "Integrity Primitives for Secure Information Systems. Final
Report of RACE Integrity Primitives Evaluation (RIPE-RACE 1040),"
LNCS 1007, SPringer-Verhg, 1995.
[13] S. Vaudenay, "On the need for multipermutations: Cryptanalysisof
MD4 and SAFER," Fast Software Encryption, LNCS 1008, B. Preneel,
Ed., Springer-Verlag, 1995, pp. 286-297.
[141 R Anderaon, "The Classificationof Hash Functions," Proc. of the JMA
Conference on Cryptography and Coding, Cirencester, December 1995,
o x f o r d University Press, 1995, pp. 83-95.
[ 151 LB. Damgard, "A Design Principle for Hash Functions," Advances in
Cryptol~g~, pro^. Crypto'89, LNCS 4SS, G. Bra~sard,Ed, Springer-
Veda& 1990, pp. 416-127.
[16] H. Dobbertin, A. Bosselaera, B. m e e l , "RIPEMD-160: A
Strengthened Version of RIPEMD," Fast Sofhvare Encryption,LNCS
1039, D. Gollmann, Ed, Springer-Verlag, 1996, pp. 71-82.
[17] RL. Rivest, "RC5 Encryption Algorithm", In Dr. Dobbs Joumal,
nmber226, pages 146-148, January 1995.
[18] B.S. Kaliski and Y.L.Yin. "On the Security of RC5 Encryption
Algorithm", RSA Laboratories Technical Report TR-602, Version 1.O,
September 1998.
[19] R.L. Rivest', M.J.B. Robshaw' , RSidneJ , and Y.L. Yin', "The
RC6?MBlock cipher", M.1.T Laboratory for Computer Science,545
Technology Square, Cambridge, MA 02139,USA,2 RSA
Laboratories,2955 Campus Drive ,Suite 400, San Mateo, Ca 98.
[ZO] Schneier, Bruce., "Applied Cryptography" , Second Edition, John
Wiley and Sons,New York,1996.
[21] W. Stahgs., "Network and Internetwork Security: Principles and
Practice", Rentice-Hall, New Jersey, 1995.
[22] W. Stahgs., "Cryptography and Network Security: Principles and
Practice", Rentice-Hall, New Jersey, 1999.
[23] Abdd Hamid M. Ragab, Nabil A. Ismail,, and Osama S. Farag Allah,
"Enhancements and Implementation of RC6?M Block Cipher for Data
Security", to be appear in IEEE TENCON 2001, Singapore, august 19-
22 2001.

197