About

MD4 is a 128-bit cryptographic hash function designed by Ronald Rivest in 1990, specified in RFC 1320. It processes input through three rounds of 16 operations on 512-bit blocks, producing a 32-character hexadecimal digest. While MD4 is cryptographically broken for security purposes (collision attacks exist with complexity < 2⁸ operations), it remains relevant in legacy protocol analysis, NTLM authentication research, and as a pedagogical reference for understanding Merkle - Damgård construction. This tool computes genuine MD4 digests from cryptographically random inputs via crypto.getRandomValues(). It does not simulate or truncate SHA-256. Each output is a valid MD4 hash verifiable against any RFC 1320 reference implementation.

Generating predictable or low-entropy hashes for test fixtures leads to false positives in collision detection tests and unreliable deduplication benchmarks. This generator ensures each input seed contains 128 bits of entropy (16 random bytes), guaranteeing uniform distribution across the 2¹²⁸ output space. Note: MD4 must not be used for password hashing, digital signatures, or any integrity-critical application. Use SHA-256 or BLAKE3 for those.

Formulas

MD4 initializes four 32-bit state registers and processes the padded message in 512-bit blocks. Each block undergoes three rounds with distinct auxiliary functions:

F(X, Y, Z) = (X ∧ Y) ∨ (¬X ∧ Z)

G(X, Y, Z) = (X ∧ Y) ∨ (X ∧ Z) ∨ (Y ∧ Z)

H(X, Y, Z) = X &xor; Y &xor; Z

The state registers are initialized to: A = 0x67452301, B = 0xEFCDAB89, C = 0x98BADCFE, D = 0x10325476. Round 1 uses F with additive constant 0x00000000. Round 2 uses G with constant 0x5A827999 (the square root of 2). Round 3 uses H with constant 0x6ED9EBA1 (the square root of 3). Message padding appends a 1 bit, then zeros, then the 64-bit message length in little-endian, ensuring total length ≡ 0 (mod 512). The final digest is the concatenation of registers A, B, C, D in little-endian byte order, yielding 128 bits (32 hex characters).

Where X, Y, Z = 32-bit words from the state registers. ∧ = bitwise AND. ∨ = bitwise OR. ¬ = bitwise NOT. &xor; = bitwise XOR. Each round applies circular left shifts by variable amounts (3, 7, 11, 19 in Round 1; 3, 5, 9, 13 in Round 2; 3, 9, 11, 15 in Round 3).

Reference Data

Hash Function	Digest Size	Block Size	Rounds	Year	Status	Designer	Operations/Round	Collision Resistance	Use Case Today
MD4	128 bit	512 bit	3	1990	Broken	Rivest	16	< 2⁸	NTLM research, legacy
MD5	128 bit	512 bit	4	1992	Broken	Rivest	16	2¹⁸	Checksums (non-security)
SHA-1	160 bit	512 bit	4	1995	Broken	NSA	20	2⁶³	Git (migrating away)
SHA-256	256 bit	512 bit	64	2001	Secure	NSA	1	2¹²⁸	TLS, Bitcoin, signatures
SHA-384	384 bit	1024 bit	80	2001	Secure	NSA	1	2¹⁹²	TLS certificates
SHA-512	512 bit	1024 bit	80	2001	Secure	NSA	1	2²⁵⁶	High-security hashing
SHA-3 (256)	256 bit	1088 bit	24	2015	Secure	Bertoni et al.	1	2¹²⁸	Post-quantum readiness
BLAKE2b	512 bit	1024 bit	12	2012	Secure	Aumasson et al.	1	2²⁵⁶	Fast secure hashing
BLAKE3	256 bit	512 bit	7	2020	Secure	O'Connor et al.	1	2¹²⁸	Fastest secure hash
RIPEMD-160	160 bit	512 bit	5	1996	Weakened	Dobbertin et al.	16	2⁸⁰	Bitcoin address derivation
Whirlpool	512 bit	512 bit	10	2000	Secure	Rijmen & Barreto	1	2²⁵⁶	ISO/IEC 10118-3
Tiger	192 bit	512 bit	24	1996	Weakened	Anderson & Biham	1	2⁹⁶	P2P file verification

Frequently Asked Questions

Dobbertin demonstrated collisions in MD4's compression function in 1996. Wang et al. later published a full collision attack in 2004 with complexity under 2⁸ MD4 operations - essentially instantaneous on modern hardware. This means two distinct inputs can produce identical MD4 digests trivially. For comparison, a secure hash like SHA-256 requires approximately 2¹²⁸ operations for collision, which exceeds the computational capacity of all existing hardware combined.

Each hash is computed from 16 bytes (128 bits) of entropy sourced from crypto.getRandomValues(), which draws from the operating system's CSPRNG (e.g., /dev/urandom on Linux, BCryptGenRandom on Windows). Since the input space (2¹²⁸ possible seeds) matches the output space (2¹²⁸ possible digests), and MD4's compression function is a surjective mapping for random inputs, the output distribution is effectively uniform. No two generated hashes will collide in practice.

MD4 persists in Microsoft's NTLM authentication protocol, where passwords are hashed with MD4 before transmission. It also appears in legacy Ed2k/eDonkey file-sharing checksums and certain older S/MIME implementations. The rsync algorithm historically used MD4 for rolling checksums (replaced by xxHash in rsync 3.2.3+). Understanding MD4 output format is necessary for security auditing of these legacy systems.

The random bytes are the 16-byte (128-bit) seed generated by the CSPRNG. This seed is then processed through the full MD4 algorithm: padded to 512 bits, split into sixteen 32-bit words, and run through 48 operations across 3 rounds. The resulting 128-bit digest bears no recognizable relationship to the input due to the avalanche effect - changing a single input bit flips approximately 50% of output bits.

Yes. This tool implements MD4 per RFC 1320 exactly. You can verify by hashing a known input. For example, MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0, and MD4("abc") = a448017aaf21d8525fc10ae87aa6729d. The generator uses random inputs, but if you capture both the hex-encoded input bytes and the output hash, any RFC 1320-compliant library (e.g., Python's hashlib with legacy providers, OpenSSL's md4 command) will produce the same digest.

MD5 added a fourth round (increasing from 48 to 64 total operations), introduced a per-step additive constant derived from the sine function (replacing MD4's fixed per-round constants), and changed the message word selection order. MD5 also uses different shift amounts. These changes improved diffusion but did not prevent eventual collision attacks. Both use the same Merkle - Damgård construction, identical initial register values, and identical padding schemes.